diff --git a/config/common/default.nix b/config/common/default.nix index 8634acf..ea3ccf2 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { imports = [ ./prometheus-node-exporter.nix @@ -41,7 +41,7 @@ settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; - PermitRootLogin = "no"; + PermitRootLogin = lib.mkForce "no"; }; }; diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix new file mode 100644 index 0000000..8edb909 --- /dev/null +++ b/config/environments/openstack-vm/default.nix @@ -0,0 +1,8 @@ +{ lib, ... }: +{ + imports = [ + ./hardware-configuration.nix + ]; + + users.users.root.initialPassword = lib.mkForce null; +} diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix new file mode 100644 index 0000000..cf5fdd0 --- /dev/null +++ b/config/environments/openstack-vm/hardware-configuration.nix @@ -0,0 +1,24 @@ +{ ... }: +{ + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + autoResize = true; + }; + + boot = { + growPartition = true; + kernelParams = [ "console=tty1" ]; + loader.grub = { + enable = true; + device = "/dev/vda"; + extraConfig = '' + serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1 + terminal_output console serial + terminal_input console serial + ''; + }; + }; + + systemd.services."serial-getty@tty1".enable = true; +} diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix new file mode 100644 index 0000000..1d73f92 --- /dev/null +++ b/config/hosts/valkyrie/configuration.nix 
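Review bot: `PermitRootLogin = lib.mkForce "no"` in config/common/default.nix overrides some other module's value without recording which one, so the next person to tidy the file has no way to know the `mkForce` is load-bearing. Presumably it is the cloud image module that the new openstack environment pulls in — I cannot see that module from this diff. Put the reason on the line, hedged until confirmed: `# mkForce: an imported image module sets this to something weaker (TODO confirm which); root SSH must stay closed on every host`. Note that `mkForce` also means a host can no longer opt back in with a plain assignment, only with another `mkForce` — acceptable as policy, but say so. The `settings` block this line sits in starts and ends outside the hunk.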
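Review bot: `users.users.root.initialPassword = lib.mkForce null` in config/environments/openstack-vm/default.nix only clears the password assigned when the root account is first created; if the same image module also sets `password`, `hashedPassword` or `initialHashedPassword`, root remains password-loginable, and nothing here says what is being undone. Presumably this removes a default root password that the upstream OpenStack image module assigns, but that module is not visible in this diff. Add a comment such as `# The OpenStack image module assigns a default root password; clear it so no login works without a real credential (TODO: confirm it sets no hashedPassword either)`. With root SSH forced off in config/common and no user defined in this environment, confirm that a key-bearing account is provisioned elsewhere (config/common or cloud-init metadata); otherwise the only way into the image is the console.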
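Review bot: The console settings in config/environments/openstack-vm/hardware-configuration.nix do not agree with each other: grub is pointed at serial `--unit=1`, but the kernel gets `console=tty1` and the getty enabled is `serial-getty@tty1`, and `tty1` is the first virtual terminal, not a serial port. If the intent is the OpenStack serial console matching grub's unit 1, that would be `kernelParams = [ "console=ttyS1,115200" ]` and `systemd.services."serial-getty@ttyS1".enable = true`; if the intent is the VGA/VNC console, `getty@tty1` is already provided by NixOS and the `serial-getty@` template does not belong on it. Either way a getty on the console is an unauthenticated prompt reachable through the cloud dashboard, so the choice deserves a comment, e.g. `# Serial console for the OpenStack console log; logins here are password-based, so root's password is cleared in default.nix`.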
@@ -0,0 +1,51 @@
+{ ... }:
+{
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+ networking = {
+ hostName = "valkyrie";
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 51820 51827 51828 ];
+ };
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ listenPort = 51820;
+ ips = [
+ "10.203.10.3/24"
+ ];
+ peers = [
+ {
+ name = "site1-grzb";
+ publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
+ presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
+ endpoint = "site1.grzb.de:51826";
+ allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
+ }
+ {
+ name = "site2-grzb";
+ publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
+ presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
+ endpoint = "site2.grzb.de:51826";
+ allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
+ }
+ {
+ name = "site2-jsts";
+ publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
+ presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
+ endpoint = "site1.jsts.xyz:51823";
+ allowedIPs = [ "10.203.10.4/32" ];
+ }
+ ];
+ privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
+ };
+ };
+ };
+
+ services.prometheus.exporters.node.enable = false;
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix
new file mode 100644
index 0000000..2939abd
--- /dev/null
+++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix
@@ -0,0 +1,14 @@
+{ nixpkgs-unstable, ... }:
+{
+ containers.uptime-kuma = {
+ nixpkgs = nixpkgs-unstable;
+ autoStart = true;
+ config = { ... }: {
+ services.uptime-kuma = {
+ enable = true;
+ };
+
+ system.stateVersion = "23.05";
+ };
+ };
+}
diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix
new file mode 100644
index 0000000..b8c16ea
--- /dev/null
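Review bot: `allowedUDPPorts = [ 51820 51827 51828 ]` opens two ports that nothing in config/hosts/valkyrie/configuration.nix listens on — the only WireGuard interface uses `listenPort = 51820` — so 51827 and 51828 should be dropped or carry a comment naming their consumer. With `net.ipv4.conf.all.forwarding = true` and peers whose `allowedIPs` cover 10.201.0.0/16 and 10.202.0.0/16, this host routes between the sites, and as far as I recall the nftables firewall in 23.05 does not filter forwarded traffic unless `networking.firewall.filterForward = true` is set — confirm, and set it unless config/common already does. The third peer is named `site2-jsts` but reads `wireguard-valkyrie-site1-jsts-psk.secret` and dials `site1.jsts.xyz`; a mislabelled PSK is hard to spot later, so make the name and file agree. Minimal change: `allowedUDPPorts = [ 51820 ];` plus `filterForward = true;` inside the `firewall` block.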
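Review bot: The container in config/hosts/valkyrie/containers/uptime-kuma/default.nix has no `privateNetwork`, so it shares the host's network namespace and uptime-kuma's port is bound on the host itself; nginx.nix depends on exactly that (`proxyPass` to localhost:3001) but the dependency is stated nowhere. A comment such as `# Shares host networking on purpose: nginx on the host proxies to 127.0.0.1:3001 and the host firewall exposes only 80/443` would stop someone from adding privateNetwork and breaking the proxy, or from assuming the port is isolated. Two things to confirm rather than assume: that the module binds to loopback by default (I believe it does), and that uptime-kuma's first-run setup page — which lets the first visitor create the admin account — is not left reachable through the public vhost before an admin exists. Pinning the container to `nixpkgs-unstable` also means this service rolls forward independently of the host; fine, but worth a comment.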
+++ b/config/hosts/valkyrie/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ./containers/uptime-kuma
+ ];
+}
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
new file mode 100644
index 0000000..ada3379
--- /dev/null
+++ b/config/hosts/valkyrie/nginx.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."status.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix
new file mode 100644
index 0000000..7e7512c
--- /dev/null
+++ b/config/hosts/valkyrie/secrets.nix
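Review bot: `imports` in config/hosts/valkyrie/default.nix pulls in configuration.nix, nginx.nix and the container but not `./secrets.nix`, whose `deployment.keys` produce the files under /secrets that configuration.nix expects at activation. Presumably the colmena helper referenced in flake.nix picks secrets.nix up by convention, but nothing here says so, and if it does not, wireguard fails on first activation because the key files are absent. A comment `# secrets.nix (colmena deployment.keys) is wired in by the host generator, not imported here` would save the next reader the hunt.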
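Review bot: The vhost in config/hosts/valkyrie/nginx.nix proxies to `http://localhost:3001` with no proxy headers visible; unless `services.nginx.recommendedProxySettings = true` is set in config/common, uptime-kuma sees every client as 127.0.0.1 and the wrong Host, which affects its logs and any IP-based limiting it does. Add `recommendedProxySettings = true;` and `recommendedTlsSettings = true;` next to `enable = true;`, or comment where they come from. Listening on `0.0.0.0` only also leaves the vhost without an IPv6 listener; add `{ addr = "[::]"; port = 443; ssl = true; }` and the port-80 counterpart if the host has a v6 address.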
@@ -0,0 +1,35 @@
+{ ... }:
+{
+ deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix
index e392d53..2cda85e 100644
--- a/config/nixos-generators/default.nix
+++ b/config/nixos-generators/default.nix
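Review bot: The four `deployment.keys` entries in config/hosts/valkyrie/secrets.nix are identical except for the file name and pass path, and one of them (`site1-jsts`) is consumed by a peer named `site2-jsts` in configuration.nix — exactly the slip that copy-paste invites. A small helper removes the repetition, and `permissions` can be tightened to `0600`: only root's wireguard reads these files and nothing in the diff needs group access. The hard-coded `/home/yuri/...` paths also tie deployment to one operator's machine; either read them from the deployer's environment or document the assumption in a comment.
```nix
{ ... }:
let
  # Fetch one secret from the operator's infra password store at deploy time.
  # Assumes the deploying machine has the store at /home/yuri/pass/infra.
  passKey = passPath: {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" passPath ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0600"; # only root (wireguard) reads these
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    "wireguard-valkyrie-wg0-privatekey.secret" = passKey "wireguard/valkyrie-wg0-privatekey";
    "wireguard-valkyrie-site1-grzb-psk.secret" = passKey "wireguard/valkyrie-site1-grzb/psk";
    # … unchanged: site2-grzb and site1-jsts entries, in the same form …
  };
}
```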
@@ -10,26 +10,5 @@ firewall.enable = true; }; - proxmox = { - qemuConf = { - ostype = "l26"; - cores = 2; - memory = 1024; - bios = "seabios"; - # Option not available in 23.05 - # diskSize = "8096"; - virtio0 = "local-zfs:base-disk-0,discard=on"; - boot = "order=virtio0"; - net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; - agent = true; - }; - qemuExtraConf = { - cpu = "cputype=host,flags=+aes"; - onboot = 1; - machine = "q35"; - template = 1; - }; - }; - system.stateVersion = "23.05"; } diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix new file mode 100644 index 0000000..196f802 --- /dev/null +++ b/config/nixos-generators/proxmox.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + proxmox = { + qemuConf = { + ostype = "l26"; + cores = 2; + memory = 1024; + bios = "seabios"; + # Option not available in 23.05 + # diskSize = "8096"; + virtio0 = "local-zfs:base-disk-0,discard=on"; + boot = "order=virtio0"; + net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; + agent = true; + }; + qemuExtraConf = { + cpu = "cputype=host,flags=+aes"; + onboot = 1; + machine = "q35"; + template = 1; + }; + }; +} diff --git a/flake.nix b/flake.nix index 2a78e5b..4b25dcb 100644 --- a/flake.nix +++ b/flake.nix @@ -26,13 +26,15 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit hosts simple-nixos-mailserver; + inherit nixpkgs-unstable hosts simple-nixos-mailserver; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts; + nixConfigurations = builtins.mapAttrs ( + host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; } + ) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` 
@@ -42,10 +44,20 @@ modules = [ ./config/common ./config/nixos-generators + ./config/nixos-generators/proxmox.nix ./config/environments/proxmox-vm ]; format = "proxmox"; }; + base-openstack = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/common + ./config/nixos-generators + ./config/environments/openstack-vm + ]; + format = "openstack"; + }; }; # Binary cache hint diff --git a/hosts.nix b/hosts.nix index 6d496d4..472ac92 100644 --- a/hosts.nix +++ b/hosts.nix @@ -5,6 +5,9 @@ let "proxmox" = [ ./config/environments/proxmox-vm ]; + "openstack" = [ + ./config/environments/openstack-vm + ]; }; generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, @@ -25,7 +28,6 @@ in generateDefaults { #fee = { # site = "wg"; - # environment = "bare-metal"; #}; hydra = { site = "vs"; @@ -79,6 +81,10 @@ in site = "vs"; environment = "proxmox"; }; + valkyrie = { + site = "af"; + environment = "openstack"; + }; web-public-2 = { hostNixpkgs = nixpkgs-unstable; site = "vs";
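Review bot: The new `base-openstack` target in flake.nix composes config/common, config/nixos-generators and the openstack environment, but nothing in this diff provisions a login for the resulting image: common forces root SSH off, the openstack environment clears root's password, and no users appear anywhere here. That is only safe if config/common or the `openstack` format's cloud-init/metadata handling installs a key for some account — confirm before the image is published, since a cloud image with no working login is as useless as one with a default password is dangerous. Record the assumption on the target: `# Login path: SSH keys injected via cloud-init metadata; root password is cleared in environments/openstack-vm`.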