fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add valkyrie host

Browse source
This commit is contained in:
yuri 2023-09-16 20:05:33 +02:00
commit 34b8dcef9c
12 changed files with 211 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

4
config/common/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
{
imports = [
./prometheus-node-exporter.nix
@ -41,7 +41,7 @@
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
PermitRootLogin = lib.mkForce "no";
};
};

8
config/environments/openstack-vm/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ lib, ... }:
{
imports = [
./hardware-configuration.nix
];
users.users.root.initialPassword = lib.mkForce null;
}

24
config/environments/openstack-vm/hardware-configuration.nix Normal file
View file

@ -0,0 +1,24 @@
{ ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
boot = {
growPartition = true;
kernelParams = [ "console=tty1" ];
loader.grub = {
enable = true;
device = "/dev/vda";
extraConfig = ''
serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
terminal_output console serial
terminal_input console serial
'';
};
};
systemd.services."serial-getty@tty1".enable = true;
}

51
config/hosts/valkyrie/configuration.nix Normal file
View file

@ -0,0 +1,51 @@
{ ... }:
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "valkyrie";
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 51820 51827 51828 ];
};
wireguard = {
enable = true;
interfaces.wg0 = {
listenPort = 51820;
ips = [
"10.203.10.3/24"
];
peers = [
{
name = "site1-grzb";
publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
endpoint = "site1.grzb.de:51826";
allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
}
{
name = "site2-grzb";
publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
endpoint = "site2.grzb.de:51826";
allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
}
{
name = "site2-jsts";
publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
endpoint = "site1.jsts.xyz:51823";
allowedIPs = [ "10.203.10.4/32" ];
}
];
privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
};
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "23.05";
}

14
config/hosts/valkyrie/containers/uptime-kuma/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ nixpkgs-unstable, ... }:
{
containers.uptime-kuma = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
config = { ... }: {
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "23.05";
};
};
}

8
config/hosts/valkyrie/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./containers/uptime-kuma
];
}

25
config/hosts/valkyrie/nginx.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts."status.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://localhost:3001";
proxyWebsockets = true;
};
};
};
}

35
config/hosts/valkyrie/secrets.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}

21
config/nixos-generators/default.nix
View file

@ -10,26 +10,5 @@
firewall.enable = true;
};
proxmox = {
qemuConf = {
ostype = "l26";
cores = 2;
memory = 1024;
bios = "seabios";
# Option not available in 23.05
# diskSize = "8096";
virtio0 = "local-zfs:base-disk-0,discard=on";
boot = "order=virtio0";
net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
agent = true;
};
qemuExtraConf = {
cpu = "cputype=host,flags=+aes";
onboot = 1;
machine = "q35";
template = 1;
};
};
system.stateVersion = "23.05";
}

23
config/nixos-generators/proxmox.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }:
{
proxmox = {
qemuConf = {
ostype = "l26";
cores = 2;
memory = 1024;
bios = "seabios";
# Option not available in 23.05
# diskSize = "8096";
virtio0 = "local-zfs:base-disk-0,discard=on";
boot = "order=virtio0";
net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
agent = true;
};
qemuExtraConf = {
cpu = "cputype=host,flags=+aes";
onboot = 1;
machine = "q35";
template = 1;
};
};
}