fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add valkyrie host

Browse source
This commit is contained in:
yuri 2023-09-16 20:05:33 +02:00
commit 34b8dcef9c
12 changed files with 211 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

51
config/hosts/valkyrie/configuration.nix Normal file
View file

@ -0,0 +1,51 @@
{ ... }:
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "valkyrie";
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 51820 51827 51828 ];
};
wireguard = {
enable = true;
interfaces.wg0 = {
listenPort = 51820;
ips = [
"10.203.10.3/24"
];
peers = [
{
name = "site1-grzb";
publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
endpoint = "site1.grzb.de:51826";
allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
}
{
name = "site2-grzb";
publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
endpoint = "site2.grzb.de:51826";
allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
}
{
name = "site2-jsts";
publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
endpoint = "site1.jsts.xyz:51823";
allowedIPs = [ "10.203.10.4/32" ];
}
];
privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
};
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "23.05";
}

14
config/hosts/valkyrie/containers/uptime-kuma/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ nixpkgs-unstable, ... }:
{
containers.uptime-kuma = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
config = { ... }: {
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "23.05";
};
};
}

8
config/hosts/valkyrie/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./containers/uptime-kuma
];
}

25
config/hosts/valkyrie/nginx.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts."status.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://localhost:3001";
proxyWebsockets = true;
};
};
};
}

35
config/hosts/valkyrie/secrets.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}