Work on hydra config, fix tor relay config, prepare web-public-2 host

This commit is contained in:
yuri 2023-07-18 17:23:46 +02:00
parent 8eb9538485
commit e8afd2b667
15 changed files with 176 additions and 9 deletions


@ -1,7 +1,8 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./prometheus-node-exporter.nix ./prometheus-node-exporter.nix
./nginx.nix
../../users/colmena-deploy ../../users/colmena-deploy
../../users/yuri ../../users/yuri
]; ];
@ -36,6 +37,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
@ -43,5 +45,10 @@
}; };
}; };
security.acme = {
defaults.email = "acme@grzb.de";
acceptTerms = true;
};
services.fstrim.enable = true; services.fstrim.enable = true;
} }
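Review bot: `openFirewall = true` is added to the shared common module, so sshd's port is opened on every host that imports it, not only on the machines this commit prepares; on the two new hosts, which set `networking.firewall.enable = false`, the flag is a no-op. If fleet-wide SSH reachability is the intent, say so next to the line so a later reader does not narrow it per host: `openFirewall = true; # sshd reachable on every host; key-only auth is enforced by the settings below`. The same hunk set also puts `security.acme.acceptTerms` into common, which is fine, but means ACME failures on any host are silent unless someone watches the acme service logs.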


@ -0,0 +1,9 @@
{ ... }: {
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
}
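Review bot: Nothing in this new module says it is opt-in — `services.nginx.enable` is deliberately absent here and set per host elsewhere in the commit — so a reader of the common directory may assume nginx runs fleet-wide. A one-line header such as `# shared nginx defaults; each host sets services.nginx.enable itself` would make that explicit. `enableReload = true` also deserves a why-comment, presumably so renewed certificates are picked up by a reload rather than a restart; confirm that is the reason.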


@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1689373857, "lastModified": 1689534811,
"narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=", "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885", "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -17,6 +17,9 @@
jackett = { jackett = {
site = "vs"; site = "vs";
}; };
#hydra = {
# site = "vs";
#};
}; };
generateColmenaHost = name: host : { generateColmenaHost = name: host : {
@ -39,5 +42,33 @@
}; };
}; };
} // builtins.mapAttrs (self.generateColmenaHost) self.hosts; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts;
/* generateNixosSystem = {
name,
system ? "x86_64-linux",
group ? null,
modules ? [],
}:
let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
in localNixpkgs.lib.nixosSystem {
modules = modules ++ [
./configuration/common
./users/yuri
./users/colmena-deploy
(./hosts + "/${name}")
];
}; */
hydraJobs = {
nixConfigurations.nitter = let system = "x86_64-linux";
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./configuration/common
./configuration/proxmox-vm
./hosts/nitter
];
};
};
}; };
} }
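Review bot: Two blocks of commented-out code are committed here — the `#hydra = { site = "vs"; };` entry in the hosts set and the `/* generateNixosSystem = … */` function — with no indication whether they are pending or obsolete, so a reader cannot tell if hydra is meant to join the colmena hosts. Either drop them or prefix each with a one-line reason, e.g. `# hydra is not deployed through colmena yet`. Separately, `hydraJobs.nixConfigurations.nitter` lists its modules by hand (`./configuration/common`, `./configuration/proxmox-vm`, `./hosts/nitter`) instead of reusing whatever `generateColmenaHost` assembles, so the system Hydra builds and the cache serves may drift from what colmena deploys; `generateColmenaHost`'s body and the enclosing attribute set both start outside this hunk.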


@ -0,0 +1,14 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "hydra";
firewall.enable = false;
};
system.stateVersion = "23.05";
}
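Review bot: `networking.firewall.enable = false` switches the host firewall off entirely, while the only service this host needs to expose is the nginx listener on 8443 (hydra and nix-serve in this commit both bind to localhost). `networking.firewall.allowedTCPPorts = [ 8443 ];` (plus whatever port the ACME challenge arrives on) keeps the default-deny posture and still serves the two vhosts. The later hunk adding the host with `hostName = "web-public-02"` makes the same choice and would benefit from the same change; if there is an external firewall in front of both machines, a comment saying so would justify disabling the local one.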

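--- /dev/null
+++ b/hosts/hydra/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+imports = [
+./configuration.nix
+./secrets.nix
+./hydra.nix
+./nix-serve.nix
+./nginx.nix
+];
+}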

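--- /dev/null
+++ b/hosts/hydra/hydra.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+services.hydra = {
+enable = true;
+hydraURL = "https://hydra.nekover.se";
+listenHost = "localhost";
+port = 3001;
+useSubstitutes = true;
+notificationSender = "hydra@robot.grzb.de";
+extraConfig = "
+binary_cache_public_uri = https://nix-cache.nekover.se
+";
+};
+}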
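Review bot: `extraConfig` is a plain `"…"` string, so the blank first line and any leading indentation are written verbatim into hydra.conf; the indented-string form is the usual way to hold a config fragment and strips both: `extraConfig = ''binary_cache_public_uri = https://nix-cache.nekover.se'';`. Also, `hydraURL` and `binary_cache_public_uri` name the hosts on the default HTTPS port, while the nginx vhosts this commit adds for them listen only on 8443; unless a separate front end forwards 443 to this host, the links Hydra emits and the cache URI clients are told to use will not resolve. A comment naming that front end (or the port mapping) would make the dependency visible.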

hosts/hydra/nginx.nix Normal file

@ -0,0 +1,33 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"hydra.nekover.se" = {
enableACME = true;
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
}];
locations."/" = {
proxyPass = "http://localhost:3001";
};
};
"nix-cache.nekover.se" = {
enableACME = true;
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
}];
locations."/" = {
proxyPass = "http://localhost:5005";
};
};
};
};
}
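Review bot: Both vhosts set `enableACME = true`, but their only `listen` entry is `0.0.0.0:8443` with `ssl = true`, so there is no plain-HTTP listener on which the ACME module's challenge location can be reached; unless something in front of this host forwards port 80 here, issuance will fail and, with `acceptTerms` set in common, the failure shows up only in the acme service logs. Adding `{ addr = "0.0.0.0"; port = 80; }` to each `listen` list (or relying on the default listen plus `forceSSL = true`, if 443 is free on this host) gives the challenge a path. Since the page does not show the upstream reverse proxy, treat this as something to confirm rather than a certain break.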


@ -0,0 +1,9 @@
{ ... }:
{
services.nix-serve = {
enable = true;
port = 5005;
bindAddress = "localhost";
secretKeyFile = "/secrets/signing-key.secret";
};
}

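--- /dev/null
+++ b/hosts/hydra/secrets.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+deployment.keys."signing-key.secret" = {
+keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+}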
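Review bot: The signing key lands as `root:root` with mode `0640`, yet its consumer is nix-serve (the `secretKeyFile = "/secrets/signing-key.secret"` hunk in this commit), which under NixOS runs as its own service user; whether that user can open a root-only file depends on whether the module hands the key over through systemd credentials or opens it directly, so confirm on the deployed host that the cache is actually signed rather than silently unsigned. If direct access is needed, setting `group` to the group the nix-serve unit runs as is the minimal change, and `0640` then stays correct. The `keyCommand` also hard-codes `/home/yuri/…` paths, so deployment only works from one operator's machine; a comment stating that assumption would save the next deployer a confusing failure.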


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
imports = [ imports = [


@ -3,16 +3,18 @@
services.tor = { services.tor = {
enable = true; enable = true;
relay = {
enable = true;
role = "relay";
};
settings = { settings = {
Nickname = "vsm"; Nickname = "vsm";
ORPort = 9001; ORPort = 9001;
ExitRelay = false; DirPort = 9030;
SOCKSPort = 0;
ControlSocket = null;
ContactInfo = "admin@grzb.de"; ContactInfo = "admin@grzb.de";
RelayBandwidthRate = "40 MBits"; RelayBandwidthRate = "40 MBits";
RelayBandwidthBurst = "50 Mbits"; RelayBandwidthBurst = "50 Mbits";
DirPort = 9030;
}; };
}; };
} }
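Review bot: The explicit `ExitRelay = false` is dropped in favour of `relay.role = "relay"`; if the NixOS tor module derives ExitRelay from `role` this is equivalent, but the settings block no longer states the non-exit intent directly, and a later edit of `role` would change exit status with nothing nearby flagging it. Keeping `ExitRelay = false;` in `settings`, or at least a comment such as `# non-exit relay; ExitRelay follows role — do not change role without review`, is a cheap guard. The new `SOCKSPort = 0` and `ControlSocket = null` lines also deserve a why-comment, presumably that a pure relay needs no local client or control interface; the enclosing module's header starts before this hunk.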


@ -0,0 +1,14 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "web-public-02";
firewall.enable = false;
};
system.stateVersion = "23.05";
}


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
];
}


@ -0,0 +1,6 @@
{ ... }:
{
services.nginx = {
enable = true;
};
}