colmena + multi location #64
26 changed files with 138 additions and 175 deletions
86
flake.lock
86
flake.lock
|
@ -26,23 +26,20 @@
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_2",
|
"flake-compat": "flake-compat_2",
|
||||||
"nixpkgs": [
|
"nixpkgs": "nixpkgs_2",
|
||||||
"nixpkgs"
|
"utils": "utils_3"
|
||||||
],
|
|
||||||
"utils": "utils_2"
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1653594315,
|
"lastModified": 1648475189,
|
||||||
"narHash": "sha256-kJ0ENmnQJ4qL2FeYKZba9kvv1KmIuB3NVpBwMeI7AJQ=",
|
"narHash": "sha256-gAGAS6IagwoUr1B0ohE3iR6sZ8hP4LSqzYLC8Mq3WGU=",
|
||||||
"owner": "serokell",
|
"owner": "serokell",
|
||||||
"repo": "deploy-rs",
|
"repo": "deploy-rs",
|
||||||
"rev": "184349d8149436748986d1bdba087e4149e9c160",
|
"rev": "83e0c78291cd08cb827ba0d553ad9158ae5a95c3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "serokell",
|
"id": "deploy-rs",
|
||||||
"repo": "deploy-rs",
|
"type": "indirect"
|
||||||
"type": "github"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
|
@ -203,7 +200,7 @@
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"utils": "utils_3"
|
"utils": "utils_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1659144434,
|
"lastModified": 1659144434,
|
||||||
|
@ -222,7 +219,7 @@
|
||||||
"nix": {
|
"nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"lowdown-src": "lowdown-src",
|
"lowdown-src": "lowdown-src",
|
||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_3"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1633098935,
|
"lastModified": 1633098935,
|
||||||
|
@ -240,7 +237,7 @@
|
||||||
"nix_2": {
|
"nix_2": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"lowdown-src": "lowdown-src_2",
|
"lowdown-src": "lowdown-src_2",
|
||||||
"nixpkgs": "nixpkgs_3"
|
"nixpkgs": "nixpkgs_4"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1633098935,
|
"lastModified": 1633098935,
|
||||||
|
@ -273,17 +270,18 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1632864508,
|
"lastModified": 1648219316,
|
||||||
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
|
"narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
|
"rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"id": "nixpkgs",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-21.05-small",
|
"ref": "nixpkgs-unstable",
|
||||||
"type": "indirect"
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs_3": {
|
"nixpkgs_3": {
|
||||||
|
@ -301,10 +299,24 @@
|
||||||
"type": "indirect"
|
"type": "indirect"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs_4": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1632864508,
|
||||||
|
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixpkgs",
|
||||||
|
"ref": "nixos-21.05-small",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"colmena": "colmena",
|
"colmena": "colmena",
|
||||||
"deploy-rs": "deploy-rs",
|
|
||||||
"minecraft-servers": "minecraft-servers",
|
"minecraft-servers": "minecraft-servers",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"serokell-nix": "serokell-nix",
|
"serokell-nix": "serokell-nix",
|
||||||
|
@ -313,9 +325,7 @@
|
||||||
},
|
},
|
||||||
"serokell-nix": {
|
"serokell-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"deploy-rs": [
|
"deploy-rs": "deploy-rs",
|
||||||
"deploy-rs"
|
|
||||||
],
|
|
||||||
"flake-compat": "flake-compat_3",
|
"flake-compat": "flake-compat_3",
|
||||||
"flake-utils": "flake-utils_2",
|
"flake-utils": "flake-utils_2",
|
||||||
"gitignore-nix": "gitignore-nix",
|
"gitignore-nix": "gitignore-nix",
|
||||||
|
@ -370,21 +380,6 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils_2": {
|
"utils_2": {
|
||||||
"locked": {
|
|
||||||
"lastModified": 1648297722,
|
|
||||||
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"utils_3": {
|
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-utils": "flake-utils"
|
"flake-utils": "flake-utils"
|
||||||
},
|
},
|
||||||
|
@ -402,6 +397,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"utils_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1648297722,
|
||||||
|
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"vault-secrets": {
|
"vault-secrets": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_4",
|
"flake-compat": "flake-compat_4",
|
||||||
|
|
132
flake.nix
132
flake.nix
|
@ -8,15 +8,11 @@
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
deploy-rs.url = "github:serokell/deploy-rs";
|
|
||||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
|
|
||||||
colmena.url = "github:zhaofengli/colmena";
|
colmena.url = "github:zhaofengli/colmena";
|
||||||
colmena.inputs.nixpkgs.follows = "nixpkgs";
|
colmena.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
serokell-nix.url = "github:serokell/serokell.nix";
|
serokell-nix.url = "github:serokell/serokell.nix";
|
||||||
serokell-nix.inputs.nixpkgs.follows = "nixpkgs";
|
serokell-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
serokell-nix.inputs.deploy-rs.follows = "deploy-rs";
|
|
||||||
|
|
||||||
vault-secrets.url = "github:serokell/vault-secrets";
|
vault-secrets.url = "github:serokell/vault-secrets";
|
||||||
vault-secrets.inputs.nixpkgs.follows = "nixpkgs";
|
vault-secrets.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -26,87 +22,73 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs =
|
outputs =
|
||||||
{ self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, ... }@inputs:
|
{ self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, colmena, ... }@inputs:
|
||||||
let
|
let
|
||||||
inherit (nixpkgs) lib;
|
inherit (nixpkgs) lib;
|
||||||
inherit (builtins) filter mapAttrs;
|
inherit (builtins) filter mapAttrs attrValues concatLists;
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
hosts = import ./hosts.nix;
|
# import and add location qualifier to all hosts
|
||||||
|
hosts = mapAttrs (location: lhosts: map ({ tags ? [ ], ... }@x: x // { tags = [ location ] ++ tags; inherit location; }) lhosts) (import ./nixos/hosts);
|
||||||
|
# flatten hosts to single list
|
||||||
|
flat_hosts = concatLists (attrValues hosts);
|
||||||
|
# Filter all nixos host definitions that are actual nix machines
|
||||||
|
nixHosts = filter ({ nix ? true, ... }: nix) flat_hosts;
|
||||||
|
# Define args each module gets access to (access to hosts is useful for DNS/DHCP)
|
||||||
|
specialArgs = { inherit hosts flat_hosts inputs; };
|
||||||
|
|
||||||
# Create a nixosConfiguration based on a foldername (nixname) and if the host is an LXC container or a VM.
|
# Resolve imports based on a foldername (nixname) and if the host is an LXC container or a VM.
|
||||||
mkConfig = { hostname, profile ? hostname, lxc ? true, ... }: {
|
resolveImports = { hostname, location, profile ? hostname, lxc ? true, ... }: [
|
||||||
"${profile}" = lib.nixosSystem {
|
./nixos/common
|
||||||
inherit system;
|
"${./.}/nixos/hosts/${location}/${profile}/configuration.nix"
|
||||||
modules = [
|
] ++ (if lxc then [
|
||||||
./nixos/common
|
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
||||||
"${./.}/nixos/hosts/${profile}/configuration.nix"
|
./nixos/common/generic-lxc.nix
|
||||||
] ++ (if lxc then [
|
]
|
||||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
else [ ./nixos/common/generic-vm.nix ]);
|
||||||
./nixos/common/generic-lxc.nix
|
|
||||||
] else
|
mkConfig = { hostname, ... }@host: {
|
||||||
[ ./nixos/common/generic-vm.nix ]);
|
"${hostname}" = lib.nixosSystem {
|
||||||
specialArgs = { inherit hosts inputs; };
|
inherit system specialArgs;
|
||||||
|
modules = resolveImports host;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Same as above, but for the nodes part of deploy.
|
mkColmenaHost = { ip, hostname, tags, location, ... }@host: {
|
||||||
mkDeploy = { ip, hostname, profile ? hostname, ... }: {
|
|
||||||
"${hostname}" = {
|
"${hostname}" = {
|
||||||
hostname = ip;
|
imports = resolveImports host;
|
||||||
fastConnection = true;
|
networking = {
|
||||||
profiles.system = {
|
hostName = hostname;
|
||||||
user = "root";
|
domain = location;
|
||||||
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${profile};
|
};
|
||||||
|
deployment = {
|
||||||
|
inherit tags;
|
||||||
|
targetHost = ip;
|
||||||
|
targetUser = null; # Defaults to $USER
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Generates hosts.auto.tfvars.json for Terraform
|
|
||||||
genTFVars =
|
|
||||||
let
|
|
||||||
hostToVar = z@{ hostname, mac, ... }: {
|
|
||||||
"${hostname}" = { inherit mac; };
|
|
||||||
};
|
|
||||||
hostSet = lib.foldr (el: acc: acc // hostToVar el) { } hosts;
|
|
||||||
json = builtins.toJSON { hosts = hostSet; };
|
|
||||||
in
|
|
||||||
pkgs.writeScriptBin "gen-tf-vars" ''
|
|
||||||
echo '${json}' | ${pkgs.jq}/bin/jq > terraform/hosts.auto.tfvars.json;
|
|
||||||
echo "Generated Terraform Variables";
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Import all nixos host definitions that are actual nix machines
|
|
||||||
nixHosts = filter ({ nix ? true, ... }: nix) hosts;
|
|
||||||
|
|
||||||
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ];
|
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ];
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# Make the config and deploy sets
|
# Make the nixosConfigurations, mostly for vault-secrets
|
||||||
nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
|
nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
|
||||||
deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts;
|
|
||||||
|
|
||||||
|
# Make the coleman configuration
|
||||||
apps.${system} = rec {
|
colmena = lib.foldr (el: acc: acc // mkColmenaHost el)
|
||||||
default = deploy;
|
{
|
||||||
deploy = {
|
meta = {
|
||||||
type = "app";
|
nixpkgs = import nixpkgs {
|
||||||
program = "${deploy-rs.packages.${system}.deploy-rs}/bin/deploy";
|
inherit system;
|
||||||
};
|
overlays = [
|
||||||
vault-push-approles = {
|
(import ./nixos/pkgs)
|
||||||
type = "app";
|
minecraft-servers.overlays.default
|
||||||
program = "${pkgs.vault-push-approles self}/bin/vault-push-approles";
|
];
|
||||||
};
|
};
|
||||||
vault-push-approle-envs = {
|
inherit specialArgs;
|
||||||
type = "app";
|
};
|
||||||
program =
|
}
|
||||||
"${pkgs.vault-push-approle-envs self}/bin/vault-push-approle-envs";
|
nixHosts;
|
||||||
};
|
|
||||||
tfvars = {
|
|
||||||
type = "app";
|
|
||||||
program = "${genTFVars}/bin/gen-tf-vars";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Use by running `nix develop`
|
# Use by running `nix develop`
|
||||||
devShells.${system}.default = pkgs.mkShell {
|
devShells.${system}.default = pkgs.mkShell {
|
||||||
|
@ -114,7 +96,7 @@
|
||||||
# This only support bash so just execute zsh in bash as a workaround :/
|
# This only support bash so just execute zsh in bash as a workaround :/
|
||||||
shellHook = "zsh; exit $?";
|
shellHook = "zsh; exit $?";
|
||||||
buildInputs = with pkgs; [
|
buildInputs = with pkgs; [
|
||||||
deploy-rs.packages.${system}.deploy-rs
|
colmena.packages.x86_64-linux.colmena
|
||||||
fluxcd
|
fluxcd
|
||||||
k9s
|
k9s
|
||||||
kubectl
|
kubectl
|
||||||
|
@ -123,17 +105,9 @@
|
||||||
nixfmt
|
nixfmt
|
||||||
nixUnstable
|
nixUnstable
|
||||||
vault
|
vault
|
||||||
# (vault-push-approles self { })
|
(vault-push-approle-envs self)
|
||||||
# (vault-push-approle-envs self { })
|
(vault-push-approle-approles self)
|
||||||
genTFVars
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Filter out non-system checks: https://github.com/NixOS/nixpkgs/issues/175875#issuecomment-1152996862
|
|
||||||
checks = lib.filterAttrs
|
|
||||||
(a: _: a == system)
|
|
||||||
(builtins.mapAttrs
|
|
||||||
(system: deployLib: deployLib.deployChecks self.deploy)
|
|
||||||
deploy-rs.lib);
|
|
||||||
};
|
};
|
||||||
}
|
}
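Review bot: `mkConfig` now builds each nixosConfiguration from `resolveImports host` alone, while only `mkColmenaHost` sets `networking.hostName`/`networking.domain`, and this PR deletes the per-host `networking.hostName` lines from every configuration.nix — so `self.nixosConfigurations.*` evaluate without a hostname or domain, which the new comment says is exactly what the vault-secrets tooling consumes. Moving the networking attrset into `resolveImports` (below) keeps both paths identical, and the `networking` block in `mkColmenaHost` then becomes redundant. Two smaller things in the same section: `vault-push-approle-approles` in `buildInputs` does not match the `vault-push-approles` name used by the removed app definition (unless the vault-secrets overlay really exports both), and deleting the `checks` output drops the only `nix flake check` coverage of the host configurations without a colmena replacement. `outputs` starts before the first hunk and is split across the section's hunks.
```nix
resolveImports = { hostname, location, profile ? hostname, lxc ? true, ... }: [
  ./nixos/common
  "${./.}/nixos/hosts/${location}/${profile}/configuration.nix"
  # Host identity travels with the imports so nixosConfigurations and the
  # colmena nodes evaluate the same networking.hostName / networking.domain.
  { networking = { hostName = hostname; domain = location; }; }
] ++ (if lxc then [
  # … unchanged: lxc-container / generic-lxc modules …
]
else [ ./nixos/common/generic-vm.nix ]);
```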
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, inputs, pkgs, ... }:
|
{ config, lib, pkgs, inputs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -24,12 +24,19 @@
|
||||||
"https://cachix.cachix.org"
|
"https://cachix.cachix.org"
|
||||||
"https://nix-community.cachix.org"
|
"https://nix-community.cachix.org"
|
||||||
"https://nixpkgs-review-bot.cachix.org"
|
"https://nixpkgs-review-bot.cachix.org"
|
||||||
|
"https://colmena.cachix.org"
|
||||||
];
|
];
|
||||||
trusted-public-keys = [
|
trusted-public-keys = [
|
||||||
"cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
|
"cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||||
"nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
|
"nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
|
||||||
|
"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
|
||||||
];
|
];
|
||||||
|
# Also use zsh for root;
|
||||||
|
};
|
||||||
|
optimise = {
|
||||||
|
automatic = true;
|
||||||
|
dates = [ "weekly" ];
|
||||||
};
|
};
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
experimental-features = nix-command flakes
|
experimental-features = nix-command flakes
|
||||||
|
@ -37,10 +44,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
nixpkgs.overlays = [
|
|
||||||
(import ../pkgs)
|
|
||||||
inputs.minecraft-servers.overlays.default
|
|
||||||
];
|
|
||||||
|
|
||||||
# Limit the systemd journal to 100 MB of disk or the
|
# Limit the systemd journal to 100 MB of disk or the
|
||||||
# last 7 days of logs, whichever happens first.
|
# last 7 days of logs, whichever happens first.
|
||||||
|
@ -56,7 +59,7 @@
|
||||||
permitRootLogin = "no";
|
permitRootLogin = "no";
|
||||||
};
|
};
|
||||||
|
|
||||||
vault-secrets = {
|
vault-secrets = lib.mkIf (config.networking.domain == "olympus") {
|
||||||
vaultPrefix = "secrets/nixos";
|
vaultPrefix = "secrets/nixos";
|
||||||
vaultAddress = "http://vault.olympus:8200/";
|
vaultAddress = "http://vault.olympus:8200/";
|
||||||
approlePrefix = "olympus-${config.networking.hostName}";
|
approlePrefix = "olympus-${config.networking.hostName}";
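Review bot: `lib.mkIf (config.networking.domain == "olympus")` gates the whole `vault-secrets` block on a value that, after this PR, is assigned only by the colmena node wrapper in flake.nix; in any evaluation where `networking.domain` is left at its default (null) the Vault address and approle prefix silently disappear while any `vault-secrets.secrets.*` declared by other modules remain, which is harder to diagnose than an eval error. Consider failing loudly instead, e.g. `assertions = [ { assertion = config.networking.domain != null; message = "networking.domain must be set (colmena location)"; } ];`, or keying `vaultAddress`/`approlePrefix` on the domain rather than disabling the module for non-olympus hosts. The file header for this section is missing from the page, so the file is only inferred to be the shared common module, and the enclosing module body continues outside these hunks.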
|
||||||
|
|
|
@ -48,13 +48,13 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
# Make me admin
|
# Make me admin
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "systemd-journal" "wheel" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Configure the root account
|
# Configure the root account
|
||||||
users.extraUsers.root = {
|
users.extraUsers.root = {
|
||||||
# Allow my SSH keys for logging in as root.
|
# Allow my SSH keys for logging in as root.
|
||||||
openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys;
|
openssh.authorizedKeys.keys = config.users.extraUsers.victor.openssh.authorizedKeys.keys;
|
||||||
# Also use zsh for root
|
# Also use zsh for root
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.zsh;
|
||||||
};
|
};
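Review bot: The authorized-keys line switches from `config.users.users.victor` to `config.users.extraUsers.victor`; `users.extraUsers` is a deprecated alias of `users.users`, so the new spelling is less canonical than the one it replaces and mixes both forms in the same file. Keep `users.users` on the reading side, `openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys;`, and consider renaming the `users.extraUsers.root` definition to `users.users.root` in the same pass. Since the common module on this page appears to set `permitRootLogin = "no"`, a one-line comment stating why root still carries SSH keys (console/rescue use, or a per-host override) would help the next reader. The file header for this section is missing from the page.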
|
||||||
|
|
4
nixos/hosts/default.nix
Normal file
4
nixos/hosts/default.nix
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
{
|
||||||
|
hades = import ./hades;
|
||||||
|
olympus = import ./olympus;
|
||||||
|
}
|
1
nixos/hosts/hades/default.nix
Normal file
1
nixos/hosts/hades/default.nix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
[]
|
|
@ -7,8 +7,6 @@
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "template";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -28,8 +28,6 @@ in {
|
||||||
boot.loader.grub.version = 2;
|
boot.loader.grub.version = 2;
|
||||||
boot.loader.grub.device = "/dev/sda";
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
|
||||||
networking.hostName = "bastion";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
@ -45,7 +43,6 @@ in {
|
||||||
# Additional packages
|
# Additional packages
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
binutils
|
binutils
|
||||||
checkov
|
|
||||||
fix-vscode
|
fix-vscode
|
||||||
fluxcd
|
fluxcd
|
||||||
k9s
|
k9s
|
|
@ -9,8 +9,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "database";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -46,6 +46,7 @@
|
||||||
ip = "10.42.42.9";
|
ip = "10.42.42.9";
|
||||||
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
|
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
|
||||||
mac = "6A:C2:89:85:CF:A6";
|
mac = "6A:C2:89:85:CF:A6";
|
||||||
|
tags = [ "web" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "k3s-node1";
|
hostname = "k3s-node1";
|
||||||
|
@ -97,7 +98,6 @@
|
||||||
hostname = "minecraft";
|
hostname = "minecraft";
|
||||||
ip = "10.42.42.21";
|
ip = "10.42.42.21";
|
||||||
mac = "EA:30:73:E4:B6:69";
|
mac = "EA:30:73:E4:B6:69";
|
||||||
nix = false;
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "gitea";
|
hostname = "gitea";
|
|
@ -5,11 +5,12 @@ let
|
||||||
hostName = hostname;
|
hostName = hostname;
|
||||||
ipAddress = ip;
|
ipAddress = ip;
|
||||||
};
|
};
|
||||||
|
localDomain = config.networking.domain;
|
||||||
|
hosts' = hosts.${localDomain};
|
||||||
in {
|
in {
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "dhcp";
|
|
||||||
defaultGateway = "10.42.42.1";
|
defaultGateway = "10.42.42.1";
|
||||||
nameservers = [ "10.42.42.15" "10.42.42.16" ];
|
nameservers = [ "10.42.42.15" "10.42.42.16" ];
|
||||||
interfaces.eth0 = {
|
interfaces.eth0 = {
|
||||||
|
@ -41,12 +42,12 @@ in {
|
||||||
option broadcast-address 10.42.43.255;
|
option broadcast-address 10.42.43.255;
|
||||||
option routers 10.42.42.1;
|
option routers 10.42.42.1;
|
||||||
option domain-name-servers 10.42.42.15, 10.42.42.16;
|
option domain-name-servers 10.42.42.15, 10.42.42.16;
|
||||||
option domain-name "olympus";
|
option domain-name "${localDomain}";
|
||||||
option domain-search "olympus";
|
option domain-search "${localDomain}";
|
||||||
subnet 10.42.42.0 netmask 255.255.254.0 {
|
subnet 10.42.42.0 netmask 255.255.254.0 {
|
||||||
range 10.42.43.1 10.42.43.254;
|
range 10.42.43.1 10.42.43.254;
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
machines = map hostToDhcp hosts;
|
machines = map hostToDhcp hosts';
|
||||||
};
|
};
|
||||||
}
|
}
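Review bot: `hosts' = hosts.${localDomain};` with `localDomain = config.networking.domain;` fails evaluation whenever `networking.domain` is unset (its default is null and null cannot be interpolated as an attribute name), and after this PR the domain is only assigned by the colmena node wrapper in flake.nix, so the plain nixosConfiguration for this host most likely no longer evaluates rather than falling back. Make the precondition explicit where it is read, `localDomain = assert config.networking.domain != null; config.networking.domain;`, so the failure names the cause. The `let` block and the `services.dhcpd4` settings continue outside these hunks, and the file header for this section is missing from the page.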
|
|
@ -1,18 +1,18 @@
|
||||||
{ config, pkgs, hosts, ... }:
|
{ config, pkgs, hosts, flat_hosts, ... }:
|
||||||
let
|
let
|
||||||
inherit (builtins) filter hasAttr;
|
inherit (builtins) filter hasAttr attrNames;
|
||||||
localdomain = "olympus";
|
hosts' = flat_hosts;
|
||||||
ipv6Hosts = filter (hasAttr "ip6") hosts;
|
domains = attrNames hosts;
|
||||||
|
|
||||||
localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
|
ipv6Hosts = filter (hasAttr "ip6") hosts';
|
||||||
local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
|
|
||||||
ptrData = { hostname, ip, ... }: ''"${ip} ${hostname}.${localdomain}"'';
|
localData = { hostname, location, ip, ... }: ''"${hostname}.${location}. A ${ip}"'';
|
||||||
ptr6Data = { hostname, ip6, ... }: ''"${ip6} ${hostname}.${localdomain}"'';
|
local6Data = { hostname, location, ip6, ... }: ''"${hostname}.${location}. AAAA ${ip6}"'';
|
||||||
|
ptrData = { hostname, location, ip, ... }: ''"${ip} ${hostname}.${location}"'';
|
||||||
|
ptr6Data = { hostname, location, ip6, ... }: ''"${ip6} ${hostname}.${location}"'';
|
||||||
in {
|
in {
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "dns";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
@ -37,15 +37,16 @@ in {
|
||||||
interface-automatic = "yes";
|
interface-automatic = "yes";
|
||||||
interface = [ "0.0.0.0" "::0" ];
|
interface = [ "0.0.0.0" "::0" ];
|
||||||
|
|
||||||
local-zone = ''"${localdomain}." transparent'';
|
local-zone = map (localdomain: ''"${localdomain}}." transparent'') domains;
|
||||||
local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
|
local-data = (map localData hosts') ++ (map local6Data ipv6Hosts);
|
||||||
local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts);
|
local-data-ptr = (map ptrData hosts') ++ (map ptr6Data ipv6Hosts);
|
||||||
|
|
||||||
access-control = [
|
access-control = [
|
||||||
"127.0.0.1/32 allow_snoop"
|
"127.0.0.1/32 allow_snoop"
|
||||||
"::1 allow_snoop"
|
"::1 allow_snoop"
|
||||||
"10.42.0.0/16 allow"
|
"10.42.0.0/16 allow"
|
||||||
"127.0.0.0/8 allow"
|
"127.0.0.0/8 allow"
|
||||||
|
"192.168.0.0/23 allow"
|
||||||
"192.168.2.0/24 allow"
|
"192.168.2.0/24 allow"
|
||||||
"::1/128 allow"
|
"::1/128 allow"
|
||||||
];
|
];
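Review bot: The new `local-zone` expression has a stray brace — `''"${localdomain}}." transparent''` renders as `"olympus}." transparent`, so unbound is told about a zone name that matches no real domain; whether resolution still works then depends on unbound's implicit-zone handling for `local-data`, but the string is wrong either way. Change it to `local-zone = map (localdomain: ''"${localdomain}." transparent'') domains;`. As a style point, the lambda parameter is still called `localdomain` although the `let` binding of that name was replaced by `hosts'`/`domains`, which reads confusingly; `domain` would do. The `let` block and the `services.unbound` settings continue outside these hunks, and the file header for this section is missing from the page.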
|
|
@ -6,8 +6,6 @@
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "gitea";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -11,8 +11,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "hedgedoc";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -14,8 +14,6 @@
|
||||||
boot.kernel.sysctl."fs.inotify.max_user_instances" = 2147483647; # INT_MAX, dynamically limited based on available memory
|
boot.kernel.sysctl."fs.inotify.max_user_instances" = 2147483647; # INT_MAX, dynamically limited based on available memory
|
||||||
boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
|
boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
|
||||||
|
|
||||||
networking.hostName = "k3s-node1";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -6,8 +6,6 @@
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "minecraft";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
@ -24,7 +22,7 @@
|
||||||
networking.firewall.allowedTCPPorts = [ ];
|
networking.firewall.allowedTCPPorts = [ ];
|
||||||
|
|
||||||
services.minecraft-server = {
|
services.minecraft-server = {
|
||||||
enable = true;
|
enable = false;
|
||||||
package = pkgs.minecraftServers.purpur_1_18;
|
package = pkgs.minecraftServers.purpur_1_18;
|
||||||
jvmOpts = "--add-modules=jdk.incubator.vector -Xmx2048M -Xms2048M";
|
jvmOpts = "--add-modules=jdk.incubator.vector -Xmx2048M -Xms2048M";
|
||||||
|
|
|
@ -10,8 +10,6 @@ let
|
||||||
in {
|
in {
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "minio";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -8,8 +8,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "mosquitto";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -24,8 +24,6 @@ let
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
networking.hostName = "nginx";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -11,8 +11,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "synapse";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -7,8 +7,6 @@
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "unifi";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -5,8 +5,6 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let port = 8200;
|
let port = 8200;
|
||||||
in {
|
in {
|
||||||
networking.hostName = "vault";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -10,8 +10,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "victoriametrics";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
@ -7,8 +7,6 @@ let vs = config.vault-secrets.secrets; in
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [ ];
|
||||||
|
|
||||||
networking.hostName = "wireguard";
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|