diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg b/.git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg
new file mode 100644
index 0000000..5ffe65f
Binary files /dev/null and b/.git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg differ
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..ad09729
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+secrets.nix filter=git-crypt diff=git-crypt
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 38156aa..f8e3d19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-keys
\ No newline at end of file
+/keys
\ No newline at end of file
diff --git a/common/generic-vm.nix b/common/generic-vm.nix
new file mode 100644
index 0000000..de73208
--- /dev/null
+++ b/common/generic-vm.nix
@@ -0,0 +1,14 @@
+{ lib, ... }: {
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = lib.mkDefault "yes";
+
+ # Enable qemu guest agent
+ services.qemuGuest.enable = true;
+}
diff --git a/common/users/default.nix b/common/users/default.nix
index d9eebfa..9bad622 100644
--- a/common/users/default.nix
+++ b/common/users/default.nix
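Review bot: `services.openssh.permitRootLogin = lib.mkDefault "yes"` in common/generic-vm.nix also allows root to log in with a password on every host that imports the module, and nothing in the module turns password authentication off; the gitea host in this same commit sets `passwordAuthentication = false` for itself, but the VMs that only import generic-vm.nix inherit the permissive default. If root access is only needed for key-based deploy-rs pushes, `services.openssh.permitRootLogin = lib.mkDefault "prohibit-password";` together with `services.openssh.passwordAuthentication = lib.mkDefault false;` keeps deploys working and removes the password brute-force surface. The `useDHCP` comment could also note that `ens18` is the interface name this particular virtio VM shows and is meant to be overridden via `mkDefault` where it differs.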
@@ -4,6 +4,7 @@
 environment.systemPackages = with pkgs; [ fzf git htop rsync ripgrep zoxide ];
 programs.neovim.enable = true;
 programs.neovim.viAlias = true;
+ programs.fish.shellInit = "set -U fish_greeting";
 users.defaultUserShell = pkgs.fish;
diff --git a/flake.lock b/flake.lock
index aa57138..daaff8e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -54,16 +54,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1636787152,
- "narHash": "sha256-plWieAm8r965NfqORxcrq79eK5edUrHqXXgPZdLPE3M=",
+ "lastModified": 1636623366,
+ "narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6147e5d3177d63171970d27fc28698a9624c62bc",
+ "rev": "c5ed8beb478a8ca035f033f659b60c89500a3034",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "master",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 72d66eb..41ffcdd 100644
--- a/flake.nix
+++ b/flake.nix
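Review bot: `set -U fish_greeting` in `programs.fish.shellInit` runs for every fish process, including non-interactive ones, and a universal variable is persisted to the user's on-disk `fish_variables` store, so a greeting override becomes a per-user state write on each shell start (assuming fish's documented universal-variable behaviour). `programs.fish.interactiveShellInit = "set -g fish_greeting";` gives the same visible result with no persistent side effect. The enclosing attribute set of this hunk opens before its first line.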
@@ -2,30 +2,118 @@
 description = "Memes";
 inputs.deploy-rs.url = "github:serokell/deploy-rs";
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/master";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 outputs = { self, nixpkgs, deploy-rs }: {
- nixosConfigurations.base = nixpkgs.lib.nixosSystem {
+ nixosConfigurations.nginx = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
- ./hosts/base/configuration.nix
+ ./hosts/nginx/configuration.nix
 ];
 };
- deploy.nodes.base = {
- hostname = "10.42.20.1";
+ nixosConfigurations.gitea = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+ ./hosts/gitea/configuration.nix
+ ];
+ };
+
+ nixosConfigurations.vaultwarden = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+ ./hosts/vaultwarden/configuration.nix
+ ];
+ };
+
+ nixosConfigurations.k3s = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./hosts/k3s/configuration.nix ];
+ };
+
+ nixosConfigurations.minio = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+ ./hosts/minio/configuration.nix
+ ];
+ };
+
+ nixosConfigurations.registry = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+ ./hosts/registry/configuration.nix
+ ];
+ };
+
+ deploy.nodes.nginx = {
+ hostname = "10.42.20.2";
 fastConnection = true;
 profiles.system = {
 user = "root";
 path = deploy-rs.lib.x86_64-linux.activate.nixos
- self.nixosConfigurations.base;
+ self.nixosConfigurations.nginx;
+ };
+ };
+
+ deploy.nodes.gitea = {
+ hostname = "10.42.20.3";
+ fastConnection = true;
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.gitea;
+ };
+ };
+
+ deploy.nodes.vaultwarden = {
+ hostname = "10.42.20.4";
+ fastConnection = true;
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.vaultwarden;
+ };
+ };
+
+ deploy.nodes.k3s = {
+ hostname = "10.42.20.5";
+ fastConnection = true;
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.k3s;
+ };
+ };
+
+ deploy.nodes.minio = {
+ hostname = "10.42.20.6";
+ fastConnection = true;
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.minio;
+ };
+ };
+
+ deploy.nodes.registry = {
+ hostname = "10.42.20.7";
+ fastConnection = true;
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.registry;
 };
 };
 checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ };
 }
diff --git a/hosts/gitea/configuration.nix b/hosts/gitea/configuration.nix
new file mode 100644
index 0000000..78013e8
--- /dev/null
+++ b/hosts/gitea/configuration.nix
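Review bot: The six `nixosConfigurations.*` and six `deploy.nodes.*` entries differ only in host name and IP, so most of this hunk is copy-paste where a stale `path = … self.nixosConfigurations.<other>` would be easy to miss; two helpers in a `let` reduce each host to one line and make the name/IP pairing visible in one place. Separately, every node deploys with `user = "root"` and no `sshUser`, so deploy-rs presumably connects as root, which matches `permitRootLogin = "yes"` from generic-vm.nix but not the gitea host, which sets `permitRootLogin = "no"` in this same commit — that node likely needs an explicit `sshUser` (with sudo) or its override relaxed; please verify against what common/generic-lxc.nix (not in the diff) configures. The top-level attribute set of flake.nix opens before this hunk's first line.
```nix
outputs = { self, nixpkgs, deploy-rs }:
  let
    # LXC hosts share the container module; the k3s VM keeps its own module list.
    mkLxc = name: nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
        ./hosts/${name}/configuration.nix
      ];
    };
    # One deploy-rs node: root profile activated over SSH at the given IP.
    mkNode = name: ip: {
      hostname = ip;
      fastConnection = true;
      profiles.system = {
        user = "root";
        path = deploy-rs.lib.x86_64-linux.activate.nixos
          self.nixosConfigurations.${name};
      };
    };
  in {
    nixosConfigurations = {
      nginx = mkLxc "nginx";
      gitea = mkLxc "gitea";
      vaultwarden = mkLxc "vaultwarden";
      minio = mkLxc "minio";
      registry = mkLxc "registry";
      k3s = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ./hosts/k3s/configuration.nix ];
      };
    };
    deploy.nodes = {
      nginx = mkNode "nginx" "10.42.20.2";
      gitea = mkNode "gitea" "10.42.20.3";
      vaultwarden = mkNode "vaultwarden" "10.42.20.4";
      k3s = mkNode "k3s" "10.42.20.5";
      minio = mkNode "minio" "10.42.20.6";
      registry = mkNode "registry" "10.42.20.7";
    };
    # … unchanged: checks = builtins.mapAttrs … deploy-rs.lib; …
  };
```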
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+let
+ secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "gitea";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+ services.openssh.permitRootLogin = "no";
+ services.openssh.passwordAuthentication = false;
+
+ environment.etc.giteaPass = {
+ enable = true;
+ text = "x";
+ user = "gitea2";
+ };
+
+ services.gitea = {
+ enable = true;
+ ssh = {
+ clonePort = 4321;
+ };
+ lfs.enable = true;
+ appName = "Voidcorp Gitea";
+ domain = "git.voidcorp.nl";
+ rootUrl = "https://git.voidcorp.nl/";
+ database = secrets.database;
+ # TODO: Figure out how to do this
+ # dump = {
+ # enable = true;
+ # interval = "weekly";
+ # backupDir = "/mnt/storage/backup/gitea";
+ # };
+ cookieSecure = true;
+ disableRegistration = true;
+ };
+}
diff --git a/hosts/gitea/secrets.nix b/hosts/gitea/secrets.nix
new file mode 100644
index 0000000..859a637
Binary files /dev/null and b/hosts/gitea/secrets.nix differ
diff --git a/hosts/k3s/configuration.nix b/hosts/k3s/configuration.nix
new file mode 100644
index 0000000..608a41f
--- /dev/null
+++ b/hosts/k3s/configuration.nix
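Review bot: `networking.firewall.enable = false` makes the `allowedTCPPorts = [ 3000 ]` on the very next line a no-op and exposes every listener in the container, not just gitea's HTTP port and whatever serves the advertised `clonePort = 4321`; keeping the firewall on is the same amount of config: `networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3000 config.services.gitea.ssh.clonePort ];` — assuming 4321 is the port sshd actually listens on here, which the hunk does not show. `environment.etc.giteaPass` writes a file whose content is the literal `"x"`, owned by a user `gitea2` that nothing in this hunk declares, and nothing reads it; it looks like leftover scaffolding and should be removed rather than shipped. `database = secrets.database;` is opaque here, but if that set carries a `password` attribute the gitea module renders it into the world-readable Nix store; `database.passwordFile` pointing at a root-only file outside the store is the supported way to keep it private.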
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Import common config
+ ../../common/generic-vm.nix
+ ../../common
+ ];
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ networking.hostName = "k3s-1";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ # Additional packages
+ environment.systemPackages = with pkgs; [ iptables vim ];
+
+ # Disable the firewall as we need all the ports
+ networking.firewall.enable = false;
+
+ # Force-enable Cgroupv2
+ systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;
+
+ # Ensure `mount` and `grep` are available
+ systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
+
+ # Enable k3s as a master node
+ # services.k3s = {
+ # enable = true;
+ # role = "server";
+
+ # extraFlags = builtins.toString [
+ # "--data-dir=/var/lib/k3s" # Set data dir to var lib
+ # "--cluster-init" # Enable embedded etcd
+ # "--disable=servicelb" # disable servicelb
+ # "--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
+ # "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
+ # ];
+ # };
+ virtualisation.docker.enable = true;
+ users.users.jdejeu.extraGroups = [ "docker" ];
+}
diff --git a/hosts/k3s/hardware-configuration.nix b/hosts/k3s/hardware-configuration.nix
new file mode 100644
index 0000000..0c2d968
--- /dev/null
+++ b/hosts/k3s/hardware-configuration.nix
@@ -0,0 +1,30 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/39b4124e-4210-444e-9698-bb4a22dba53e";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/8510-F08C";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/bc3a4714-928f-451a-a149-e324a83fb844"; }
+ ];
+
+}
\ No newline at end of file
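Review bot: `networking.firewall.enable = false` with the comment "as we need all the ports" opens every listener on the VM, whereas a k3s server needs a fixed, documented inbound set (6443/tcp API server, 10250/tcp kubelet, 8472/udp flannel VXLAN, 2379–2380/tcp embedded etcd) plus the NodePort range; `networking.firewall.allowedTCPPorts = [ 6443 10250 2379 2380 ]; networking.firewall.allowedTCPPortRanges = [ { from = 30000; to = 32767; } ]; networking.firewall.allowedUDPPorts = [ 8472 ];` keeps the firewall on — check the list against the k3s release actually used, since `services.k3s` is still commented out here. `users.users.jdejeu.extraGroups = [ "docker" ]` is root-equivalent access for that user (the docker socket can bind-mount the host filesystem), which deserves a comment saying so rather than being silent. Minor: `pkgs.utillinux` is a compatibility alias for `pkgs.util-linux` in current nixpkgs, and the commented-out `services.k3s` block should either be enabled or dropped instead of shipping as dead configuration.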
diff --git a/hosts/base/configuration.nix b/hosts/minio/configuration.nix
similarity index 54%
rename from hosts/base/configuration.nix
rename to hosts/minio/configuration.nix
index 4aeffa9..f17b584 100644
--- a/hosts/base/configuration.nix
+++ b/hosts/minio/configuration.nix
@@ -1,11 +1,13 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let secrets = import ./secrets.nix;
+in {
 imports = [
 # Import common config
 ../../common/generic-lxc.nix
 ../../common
 ];
- networking.hostName = "base";
+ networking.hostName = "minio";
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
@@ -13,5 +15,20 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "21.05"; # Did you read the comment?
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ environment.etc.minioSettings = {
+ enable = true;
+ text = secrets.content;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+
+ services.minio = {
+ enable = true;
+ rootCredentialsFile = "/etc/minioSettings";
+ };
+
 }
diff --git a/hosts/minio/secrets.nix b/hosts/minio/secrets.nix
new file mode 100644
index 0000000..d20e910
Binary files /dev/null and b/hosts/minio/secrets.nix differ
diff --git a/hosts/nginx/configuration.nix b/hosts/nginx/configuration.nix
new file mode 100644
index 0000000..80a947e
--- /dev/null
+++ b/hosts/nginx/configuration.nix
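Review bot: `environment.etc.minioSettings.text = secrets.content` turns the MinIO root credentials into a Nix store path — `/etc/minioSettings` becomes a symlink into the world-readable `/nix/store` — so git-crypt protects them in the repository but not on the host or on the machine that evaluates the flake. `rootCredentialsFile` exists so the file can live outside the store: `rootCredentialsFile = "/var/lib/minio/credentials";` with that file provisioned out of band (or by a runtime secret tool such as agenix/sops-nix) as root-only, and the `environment.etc` block dropped. The same concern applies to every host in this commit that does `import ./secrets.nix`, since flake evaluation copies the unlocked working tree into the store as well.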
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+let
+ proxy = url: {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = url;
+ proxyWebsockets = true;
+ };
+ };
+ k8s_proxy = proxy "https://k8s-1.voidlocal:443/";
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "nginx";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."voidcorp.nl" = k8s_proxy;
+ virtualHosts."harbor.voidcorp.nl" = k8s_proxy;
+ virtualHosts."cdn.voidcorp.nl" = proxy "http://10.42.2.6:80/";
+
+ virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/";
+
+ virtualHosts."galerievanslagmaat.nl" = proxy "http://10.42.0.124:5667/";
+
+ virtualHosts."vaultwarden.voidcorp.nl" = proxy "http://10.42.20.4:8000/";
+
+ virtualHosts."s3.voidcorp.nl" = proxy "http://10.42.20.6:9000/";
+ virtualHosts."explore.s3.voidcorp.nl" = proxy "http://10.42.20.6:9001/";
+ virtualHosts."registry.voidcorp.nl" = proxy "http://10.42.20.7:5000/";
+ };
+
+ security.acme.email = "acme@voidcorp.nl";
+ security.acme.acceptTerms = true;
+}
diff --git a/hosts/registry/configuration.nix b/hosts/registry/configuration.nix
new file mode 100644
index 0000000..a19951f
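Review bot: `k8s_proxy = proxy "https://k8s-1.voidlocal:443/"` proxies to an HTTPS upstream without any `proxy_ssl_verify` setting, and nginx's default is `proxy_ssl_verify off`, so the ingress certificate behind `voidcorp.nl` and `harbor.voidcorp.nl` is never checked; if it can be validated, give those two vhosts `locations."/".extraConfig = "proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_name k8s-1.voidlocal;";` (or a private CA path), otherwise leave a comment saying the hop is deliberately unverified because it stays on the internal network. `k8s-1.voidlocal` does not obviously match the `k3s-1` hostname set in hosts/k3s/configuration.nix in this same commit; if they are the same machine, a comment or a shared name would prevent drift. The `proxy` helper would also read better with a one-line header such as `# ACME-backed, HTTPS-only vhost that reverse-proxies everything (websockets included) to url`.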
--- /dev/null
+++ b/hosts/registry/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [ ../../common ../../common/generic-lxc.nix ];
+
+ # the registry port and metrics port
+ networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port ];
+
+ environment.etc.htpasswd = {
+ enable = true;
+ text = secrets.htpasswd;
+ };
+
+ services.dockerRegistry = {
+ enable = true;
+ enableDelete = true;
+ enableGarbageCollect = true;
+ listenAddress = "0.0.0.0";
+ storagePath = null; # We want to store in s3
+ garbageCollectDates = "weekly";
+
+ extraConfig = {
+ # S3 Storages
+ storage.s3 = {
+ accesskey = secrets.access;
+ secretkey = secrets.secret;
+ regionendpoint = "https://s3.voidcorp.nl";
+ bucket = "docker";
+ region = "us-east-1"; # Fake but needed
+ };
+ auth.htpasswd = {
+ realm = "Voidcorp Registry";
+ path = "/etc/htpasswd";
+ };
+ };
+ };
+}
diff --git a/hosts/registry/secrets.nix b/hosts/registry/secrets.nix
new file mode 100644
index 0000000..1e0cabf
Binary files /dev/null and b/hosts/registry/secrets.nix differ
diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix
new file mode 100644
index 0000000..430244f
--- /dev/null
+++ b/hosts/vaultwarden/configuration.nix
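Review bot: `accesskey = secrets.access` and `secretkey = secrets.secret` inside `extraConfig` are rendered by the dockerRegistry module into its YAML config in the Nix store, so the S3 credentials are world-readable on the host no matter what git-crypt does in the repository; the registry honours `REGISTRY_STORAGE_S3_ACCESSKEY`/`REGISTRY_STORAGE_S3_SECRETKEY` environment overrides, so `systemd.services.docker-registry.serviceConfig.EnvironmentFile = "/var/lib/docker-registry/s3.env";` with a root-only file provisioned outside the store, and the two keys removed from `extraConfig`, keeps them private (the same applies to `environment.etc.htpasswd.text`, although those are only password hashes). `listenAddress = "0.0.0.0"` plus opening `config.services.dockerRegistry.port` in the firewall exposes the registry to the whole LAN although only the nginx host fronts it with TLS; binding to the container's own address or restricting the source would match the nginx-only path. The comment says "the registry port and metrics port" but lists one port, and this host sets no `networking.hostName` unlike the others in the commit.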
@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "vaultwarden";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ databaseUrl = secrets.databaseUrl;
+ domain = "https://vaultwarden.voidcorp.nl";
+ signupsDomainsWhitelist = "voidcorp.nl";
+ rocketPort = 8000;
+ };
+ };
+
+}
diff --git a/hosts/vaultwarden/secrets.nix b/hosts/vaultwarden/secrets.nix
new file mode 100644
index 0000000..e5fb981
Binary files /dev/null and b/hosts/vaultwarden/secrets.nix differ
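Review bot: `databaseUrl = secrets.databaseUrl` places the PostgreSQL connection string, password included, into the environment file the vaultwarden module generates in the Nix store, where any local user can read it; the module's `environmentFile` option exists for exactly this case, so `services.vaultwarden.environmentFile = "/var/lib/vaultwarden.env";` holding `DATABASE_URL=…` (root-only, provisioned outside the store) and `databaseUrl` removed from `config` is the fix. Two things deserve a comment in the file: port 8000 is opened on the LAN via `allowedTCPPorts` even though the nginx host is the TLS front for it, and `signupsDomainsWhitelist` only narrows who may self-register — with signups presumably still enabled by default, confirm that is intended given gitea in this commit disables registration outright.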