fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add valkyrie host

Browse source
This commit is contained in:
fi 2023-09-16 20:05:33 +02:00
commit 667b1c256b
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
12 changed files with 211 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

4
config/common/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
{
imports = [
./prometheus-node-exporter.nix
@ -41,7 +41,7 @@
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
PermitRootLogin = lib.mkForce "no";
};
};

8
config/environments/openstack-vm/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ lib, ... }:
{
imports = [
./hardware-configuration.nix
];
users.users.root.initialPassword = lib.mkForce null;
}

24
config/environments/openstack-vm/hardware-configuration.nix Normal file
View file

@ -0,0 +1,24 @@
{ ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
boot = {
growPartition = true;
kernelParams = [ "console=tty1" ];
loader.grub = {
enable = true;
device = "/dev/vda";
extraConfig = ''
serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
terminal_output console serial
terminal_input console serial
'';
};
};
systemd.services."serial-getty@tty1".enable = true;
}

51
config/hosts/valkyrie/configuration.nix Normal file
View file

@ -0,0 +1,51 @@
{ ... }:
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "valkyrie";
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 51820 51827 51828 ];
};
wireguard = {
enable = true;
interfaces.wg0 = {
listenPort = 51820;
ips = [
"10.203.10.3/24"
];
peers = [
{
name = "site1-grzb";
publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
endpoint = "site1.grzb.de:51826";
allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
}
{
name = "site2-grzb";
publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
endpoint = "site2.grzb.de:51826";
allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
}
{
name = "site2-jsts";
publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
endpoint = "site1.jsts.xyz:51823";
allowedIPs = [ "10.203.10.4/32" ];
}
];
privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
};
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "23.05";
}

14
config/hosts/valkyrie/containers/uptime-kuma/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ nixpkgs-unstable, ... }:
{
containers.uptime-kuma = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
config = { ... }: {
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "23.05";
};
};
}

8
config/hosts/valkyrie/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./containers/uptime-kuma
];
}

25
config/hosts/valkyrie/nginx.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts."status.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://localhost:3001";
proxyWebsockets = true;
};
};
};
}

35
config/hosts/valkyrie/secrets.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}

21
config/nixos-generators/default.nix
View file

@ -10,26 +10,5 @@
firewall.enable = true;
};
proxmox = {
qemuConf = {
ostype = "l26";
cores = 2;
memory = 1024;
bios = "seabios";
# Option not available in 23.05
# diskSize = "8096";
virtio0 = "local-zfs:base-disk-0,discard=on";
boot = "order=virtio0";
net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
agent = true;
};
qemuExtraConf = {
cpu = "cputype=host,flags=+aes";
onboot = 1;
machine = "q35";
template = 1;
};
};
system.stateVersion = "23.05";
}

23
config/nixos-generators/proxmox.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }:
{
proxmox = {
qemuConf = {
ostype = "l26";
cores = 2;
memory = 1024;
bios = "seabios";
# Option not available in 23.05
# diskSize = "8096";
virtio0 = "local-zfs:base-disk-0,discard=on";
boot = "order=virtio0";
net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
agent = true;
};
qemuExtraConf = {
cpu = "cputype=host,flags=+aes";
onboot = 1;
machine = "q35";
template = 1;
};
};
}

16
flake.nix
View file

@ -26,13 +26,15 @@
nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
specialArgs = {
inherit hosts simple-nixos-mailserver;
inherit nixpkgs-unstable hosts simple-nixos-mailserver;
};
};
} // builtins.mapAttrs (helper.generateColmenaHost) hosts;
hydraJobs = {
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
nixConfigurations = builtins.mapAttrs (
host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; }
) hosts;
};
# Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@ -42,10 +44,20 @@
modules = [
./config/common
./config/nixos-generators
./config/nixos-generators/proxmox.nix
./config/environments/proxmox-vm
];
format = "proxmox";
};
base-openstack = nixos-generators.nixosGenerate {
system = "x86_64-linux";
modules = [
./config/common
./config/nixos-generators
./config/environments/openstack-vm
];
format = "openstack";
};
};
# Binary cache hint

8
hosts.nix
View file

@ -5,6 +5,9 @@ let
"proxmox" = [
./config/environments/proxmox-vm
];
"openstack" = [
./config/environments/openstack-vm
];
};
generateDefaults = hosts: builtins.mapAttrs (name: {
hostNixpkgs ? nixpkgs,
@ -25,7 +28,6 @@ in
generateDefaults {
#fee = {
# site = "wg";
# environment = "bare-metal";
#};
hydra = {
site = "vs";
@ -79,6 +81,10 @@ in
site = "vs";
environment = "proxmox";
};
valkyrie = {
site = "af";
environment = "openstack";
};
web-public-2 = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";