From 903f9917b3acd3179743cff6fa5349c01413ccd6 Mon Sep 17 00:00:00 2001
From: Julius de Jeu
Date: Sun, 14 Nov 2021 13:17:32 +0100
Subject: [PATCH] Actual initial commit
---
 .git-crypt/.gitattributes | 4 +
 ...F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg | Bin 0 -> 597 bytes
 .gitattributes | 1 +
 .gitignore | 2 +-
 common/generic-vm.nix | 14 +++
 common/users/default.nix | 1 +
 flake.lock | 8 +-
 flake.nix | 100 ++++++++++++++++--
 hosts/gitea/configuration.nix | 53 ++++++++++
 hosts/gitea/secrets.nix | Bin 0 -> 222 bytes
 hosts/k3s/configuration.nix | 56 ++++++++++
 hosts/k3s/hardware-configuration.nix | 30 ++++++
 hosts/{base => minio}/configuration.nix | 23 +++-
 hosts/minio/secrets.nix | Bin 0 -> 132 bytes
 hosts/nginx/configuration.nix | 58 ++++++++++
 hosts/registry/configuration.nix | 37 +++++++
 hosts/registry/secrets.nix | Bin 0 -> 199 bytes
 hosts/vaultwarden/configuration.nix | 35 ++++++
 hosts/vaultwarden/secrets.nix | Bin 0 -> 105 bytes
 19 files changed, 408 insertions(+), 14 deletions(-)
 create mode 100644 .git-crypt/.gitattributes
 create mode 100644 .git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg
 create mode 100644 .gitattributes
 create mode 100644 common/generic-vm.nix
 create mode 100644 hosts/gitea/configuration.nix
 create mode 100644 hosts/gitea/secrets.nix
 create mode 100644 hosts/k3s/configuration.nix
 create mode 100644 hosts/k3s/hardware-configuration.nix
 rename hosts/{base => minio}/configuration.nix (54%)
 create mode 100644 hosts/minio/secrets.nix
 create mode 100644 hosts/nginx/configuration.nix
 create mode 100644 hosts/registry/configuration.nix
 create mode 100644 hosts/registry/secrets.nix
 create mode 100644 hosts/vaultwarden/configuration.nix
 create mode 100644 hosts/vaultwarden/secrets.nix
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg b/.git-crypt/keys/default/0/33F2CAC8C05FEA1E32DE943509102CB8DF00D3CD.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..5ffe65f8b7cf1afda2ddcb9707f20d4de1695800
GIT binary patch literal 597 zcmV-b0;>Im0gM9@GKuwnbe;bJ3;#`pz8p1t6_x3`PT04;bWTr=Zl6A?9*|4HutShx1P{UO)c{z(W&t0zNV@Ip5jjA(b zRJhTaH#9ol@(h6gf3sHsF7SOwR3v;15(lpY>SzNSLvK(<(Te9nnneo($%Rh)vJZ0} zvR#$2+{{ZN1twBM&N$$9L_e9v?hfvxKWvuCxJApCS}~J~(VY(b1H+Osoca$CipVz2 z_A_^o4s0HCSqqHdbLo9&T2{WfKLS~z6s$y8>zSq$!6^v#Q6c^3&RqX_fY=CSIlNdZe;+tt(Mwq>nabo`S7d(Hn-H$^=B7o30{Zg1`SUD$E9w;dUka_d%(D0Jm jL7Rng8=nSZ;muI)M8V+n+XP#i!wwDu;9Z3ho%)jxeX%IR literal 0 HcmV?d00001
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..ad09729
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+secrets.nix filter=git-crypt diff=git-crypt
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 38156aa..f8e3d19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-keys
\ No newline at end of file
+/keys
\ No newline at end of file
diff --git a/common/generic-vm.nix b/common/generic-vm.nix
new file mode 100644
index 0000000..de73208
--- /dev/null
+++ b/common/generic-vm.nix
@@ -0,0 +1,14 @@
+{ lib, ... }: {
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = lib.mkDefault "yes";
+
+ # Enable qemu guest agent
+ services.qemuGuest.enable = true;
+}
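Review bot: `services.openssh.permitRootLogin = lib.mkDefault "yes";` directly under `services.openssh.enable = true;` lets root log in with a password on every VM that imports common/generic-vm.nix and does not override it; on this page hosts/k3s/configuration.nix imports it and sets nothing, while hosts/gitea/configuration.nix (an LXC host) explicitly sets `"no"` and `services.openssh.passwordAuthentication = false;`. If the purpose is to let deploy-rs, which activates the system profile as `user = "root"` in flake.nix, reach these hosts, key-based root login is sufficient. A safer default for the shared module is `services.openssh.permitRootLogin = lib.mkDefault "prohibit-password";` together with `services.openssh.passwordAuthentication = lib.mkDefault false;`, leaving hosts free to relax it with a visible override.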
diff --git a/common/users/default.nix b/common/users/default.nix index d9eebfa..9bad622 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -4,6 +4,7 @@ environment.systemPackages = with pkgs; [ fzf git htop rsync ripgrep zoxide ]; programs.neovim.enable = true; programs.neovim.viAlias = true; + programs.fish.shellInit = "set -U fish_greeting"; users.defaultUserShell = pkgs.fish; diff --git a/flake.lock b/flake.lock index aa57138..daaff8e 100644 --- a/flake.lock +++ b/flake.lock @@ -54,16 +54,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1636787152, - "narHash": "sha256-plWieAm8r965NfqORxcrq79eK5edUrHqXXgPZdLPE3M=", + "lastModified": 1636623366, + "narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6147e5d3177d63171970d27fc28698a9624c62bc", + "rev": "c5ed8beb478a8ca035f033f659b60c89500a3034", "type": "github" }, "original": { "owner": "NixOS", - "ref": "master", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 72d66eb..41ffcdd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,30 +2,118 @@ description = "Memes"; inputs.deploy-rs.url = "github:serokell/deploy-rs"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/master"; + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; outputs = { self, nixpkgs, deploy-rs }: { - nixosConfigurations.base = nixpkgs.lib.nixosSystem { + nixosConfigurations.nginx = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/base/configuration.nix + ./hosts/nginx/configuration.nix ]; }; - deploy.nodes.base = { - hostname = "10.42.20.1"; + nixosConfigurations.gitea = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/gitea/configuration.nix + ]; + }; + + nixosConfigurations.vaultwarden = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/vaultwarden/configuration.nix + ]; + }; + + nixosConfigurations.k3s = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ ./hosts/k3s/configuration.nix ]; + }; + + nixosConfigurations.minio = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/minio/configuration.nix + ]; + }; + + nixosConfigurations.registry = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/registry/configuration.nix + ]; + }; + + deploy.nodes.nginx = { + hostname = "10.42.20.2"; fastConnection = true; profiles.system = { user = "root"; path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.base; + self.nixosConfigurations.nginx; + }; + }; + + deploy.nodes.gitea = { + hostname = "10.42.20.3"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.gitea; + 
}; + }; + + deploy.nodes.vaultwarden = { + hostname = "10.42.20.4"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.vaultwarden; + }; + }; + + deploy.nodes.k3s = { + hostname = "10.42.20.5"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.k3s; + }; + }; + + deploy.nodes.minio = { + hostname = "10.42.20.6"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.minio; + }; + }; + + deploy.nodes.registry = { + hostname = "10.42.20.7"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.registry; }; }; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; } diff --git a/hosts/gitea/configuration.nix b/hosts/gitea/configuration.nix new file mode 100644 index 0000000..78013e8 --- /dev/null +++ b/hosts/gitea/configuration.nix 
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+let
+ secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "gitea";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+ services.openssh.permitRootLogin = "no";
+ services.openssh.passwordAuthentication = false;
+
+ environment.etc.giteaPass = {
+ enable = true;
+ text = "x";
+ user = "gitea2";
+ };
+
+ services.gitea = {
+ enable = true;
+ ssh = {
+ clonePort = 4321;
+ };
+ lfs.enable = true;
+ appName = "Voidcorp Gitea";
+ domain = "git.voidcorp.nl";
+ rootUrl = "https://git.voidcorp.nl/";
+ database = secrets.database;
+ # TODO: Figure out how to do this
+ # dump = {
+ # enable = true;
+ # interval = "weekly";
+ # backupDir = "/mnt/storage/backup/gitea";
+ # };
+ cookieSecure = true;
+ disableRegistration = true;
+ };
+}
diff --git a/hosts/gitea/secrets.nix b/hosts/gitea/secrets.nix
new file mode 100644
index 0000000000000000000000000000000000000000..859a6377ba5021eeac6f0c4a5ade29533b71aa95
GIT binary patch literal 222 zcmV<403rVXM@dveQdv+`0Py2oJ~$6}qjneS5zW&IoeuOY@>ZMe9Ct8sDn0QL!*kD~ zQ;=ot=WudkHOV-vHi#7c7fUa?J0QIghr{N?;yX({(y(s_T$^mZsCh5f;`wrFBIKX7 zsp{>3px3^v^90@J<3OzOK)&IlStoOFAclUrQTNfB<12RFoxagDd1pm0sFjpt1lRe% zhc0i^?2@?SSkwgnI37o}UO>QT+@v2bVVC>al5B?E&Vxr%Plh@Mp0l+_p_=rr3hX7k Yj0QGRZ3;sK=$8;?&bUg4m``9p();OfNdN!< literal 0 HcmV?d00001
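Review bot: `networking.firewall.enable = false;` immediately above `networking.firewall.allowedTCPPorts = [ 3000 ];` makes the allow-list a no-op — with the firewall off, every listener on the container, not just gitea on 3000, is reachable from the network. Unless filtering happens on the LXC host, this should read `networking.firewall.enable = true;` with the ports actually served listed; if SSH cloning is meant to use `ssh.clonePort = 4321`, whichever port really serves that traffic must be in the list as well. `environment.etc.giteaPass` with `text = "x"` and `user = "gitea2"` looks like a leftover experiment — nothing on this page references `/etc/giteaPass` or a `gitea2` user — so it should be removed or carry a comment stating its purpose.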
diff --git a/hosts/k3s/configuration.nix b/hosts/k3s/configuration.nix
new file mode 100644
index 0000000..608a41f
--- /dev/null
+++ b/hosts/k3s/configuration.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Import common config
+ ../../common/generic-vm.nix
+ ../../common
+ ];
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ networking.hostName = "k3s-1";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ # Additional packages
+ environment.systemPackages = with pkgs; [ iptables vim ];
+
+ # Disable the firewall as we need all the ports
+ networking.firewall.enable = false;
+
+ # Force-enable Cgroupv2
+ systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;
+
+ # Ensure `mount` and `grep` are available
+ systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
+
+ # Enable k3s as a master node
+ # services.k3s = {
+ # enable = true;
+ # role = "server";
+
+ # extraFlags = builtins.toString [
+ # "--data-dir=/var/lib/k3s" # Set data dir to var lib
+ # "--cluster-init" # Enable embedded etcd
+ # "--disable=servicelb" # disable servicelb
+ # "--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
+ # "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
+ # ];
+ # };
+ virtualisation.docker.enable = true;
+ users.users.jdejeu.extraGroups = [ "docker" ];
+}
diff --git a/hosts/k3s/hardware-configuration.nix b/hosts/k3s/hardware-configuration.nix
new file mode 100644
index 0000000..0c2d968
--- /dev/null
+++ b/hosts/k3s/hardware-configuration.nix
@@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/39b4124e-4210-444e-9698-bb4a22dba53e"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/8510-F08C"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/bc3a4714-928f-451a-a149-e324a83fb844"; } + ]; + +} \ No newline at end of file
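Review bot: `networking.firewall.enable = false;` is justified by the comment `# Disable the firewall as we need all the ports`, but the `services.k3s` block that would need those ports is entirely commented out, so right now the only things exposed by turning the firewall off are sshd and whatever `virtualisation.docker.enable = true;` publishes; the firewall could stay enabled until k3s is actually turned on. `users.users.jdejeu.extraGroups = [ "docker" ];` grants that account effectively root-equivalent control of the host through the Docker socket, which deserves a one-line comment so it reads as a deliberate choice. The commented-out `services.k3s` block is dead configuration — if it is pending, mark it (`# TODO: enable once the cluster-cidr and traefik decisions are final`) rather than leaving it as-is. This host also inherits `services.openssh.permitRootLogin = lib.mkDefault "yes"` from `../../common/generic-vm.nix` without overriding it the way hosts/gitea/configuration.nix does.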
diff --git a/hosts/base/configuration.nix b/hosts/minio/configuration.nix similarity index 54% rename from hosts/base/configuration.nix rename to hosts/minio/configuration.nix index 4aeffa9..f17b584 100644 --- a/hosts/base/configuration.nix +++ b/hosts/minio/configuration.nix @@ -1,11 +1,13 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +let secrets = import ./secrets.nix; +in { imports = [ # Import common config ../../common/generic-lxc.nix ../../common ]; - networking.hostName = "base"; + networking.hostName = "minio"; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions @@ -13,5 +15,20 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? + system.stateVersion = "21.11"; # Did you read the comment? + + environment.systemPackages = with pkgs; [ ]; + + environment.etc.minioSettings = { + enable = true; + text = secrets.content; + }; + + networking.firewall.allowedTCPPorts = [ 9000 9001 ]; + + services.minio = { + enable = true; + rootCredentialsFile = "/etc/minioSettings"; + }; + } diff --git a/hosts/minio/secrets.nix b/hosts/minio/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..d20e910f2288cd098e61dddcc9fc0645d1f244cb GIT binary patch literal 132 zcmV-~0DJ!cM@dveQdv+`05BC`6iyK01__|M3q7B$mwtpg_pmx7$AjfBrUyNZjVvRt zc}U6YD_%ca$h|hB!E1GXH?nS%~$^_fi6S m0cqpI$kZ&~uNB?kJ=UTVpyiwg>Zbjw5uBg}_<1*Y15Dh{c|O1Z literal 0 HcmV?d00001 diff --git a/hosts/nginx/configuration.nix b/hosts/nginx/configuration.nix new file mode 100644 index 0000000..80a947e --- /dev/null +++ b/hosts/nginx/configuration.nix 
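Review bot: `environment.etc.minioSettings.text = secrets.content` builds the MinIO root credentials into a file in the Nix store, and store paths are world-readable on the host whatever mode the `/etc` entry ends up with, so every local account (and anything that can read the store) can obtain the credentials that `rootCredentialsFile = "/etc/minioSettings"` points at. The file should be provisioned outside the store — written at activation time with a restrictive mode by a secret-deployment step — and only referenced here by path. The same pattern appears in hosts/registry/configuration.nix (`secrets.htpasswd` via `environment.etc.htpasswd`, and `secrets.access`/`secrets.secret` inside `extraConfig`) and in hosts/vaultwarden/configuration.nix (`secrets.databaseUrl` inside `config`), insofar as those modules render their settings to a store path; for vaultwarden the module's `environmentFile` option is the usual home for such values. git-crypt protects these values in the repository only, not on the deployed host.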
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+let
+ proxy = url: {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = url;
+ proxyWebsockets = true;
+ };
+ };
+ k8s_proxy = proxy "https://k8s-1.voidlocal:443/";
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "nginx";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."voidcorp.nl" = k8s_proxy;
+ virtualHosts."harbor.voidcorp.nl" = k8s_proxy;
+ virtualHosts."cdn.voidcorp.nl" = proxy "http://10.42.2.6:80/";
+
+ virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/";
+
+ virtualHosts."galerievanslagmaat.nl" = proxy "http://10.42.0.124:5667/";
+
+ virtualHosts."vaultwarden.voidcorp.nl" = proxy "http://10.42.20.4:8000/";
+
+ virtualHosts."s3.voidcorp.nl" = proxy "http://10.42.20.6:9000/";
+ virtualHosts."explore.s3.voidcorp.nl" = proxy "http://10.42.20.6:9001/";
+ virtualHosts."registry.voidcorp.nl" = proxy "http://10.42.20.7:5000/";
+ };
+
+ security.acme.email = "acme@voidcorp.nl";
+ security.acme.acceptTerms = true;
+}
diff --git a/hosts/registry/configuration.nix b/hosts/registry/configuration.nix
new file mode 100644
index 0000000..a19951f
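Review bot: `k8s_proxy = proxy "https://k8s-1.voidlocal:443/"` sends `voidcorp.nl` and `harbor.voidcorp.nl` to a TLS upstream, but nginx does not verify upstream certificates unless told to (`proxy_ssl_verify` is off by default), so that hop is encrypted yet unauthenticated. If the upstream presents a certificate that can be verified, add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-upstream-CA>;` (and `proxy_ssl_server_name on;` if it relies on SNI) to that location's `extraConfig`; if it is self-signed and the LAN hop is accepted as trusted, a comment saying so next to `k8s_proxy` documents the choice. The `proxy` helper itself would benefit from a one-line comment, e.g. `# vhost that terminates TLS via ACME and forwards everything (incl. websockets) to url`.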
--- /dev/null
+++ b/hosts/registry/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [ ../../common ../../common/generic-lxc.nix ];
+
+ # the registry port and metrics port
+ networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port ];
+
+ environment.etc.htpasswd = {
+ enable = true;
+ text = secrets.htpasswd;
+ };
+
+ services.dockerRegistry = {
+ enable = true;
+ enableDelete = true;
+ enableGarbageCollect = true;
+ listenAddress = "0.0.0.0";
+ storagePath = null; # We want to store in s3
+ garbageCollectDates = "weekly";
+
+ extraConfig = {
+ # S3 Storages
+ storage.s3 = {
+ accesskey = secrets.access;
+ secretkey = secrets.secret;
+ regionendpoint = "https://s3.voidcorp.nl";
+ bucket = "docker";
+ region = "us-east-1"; # Fake but needed
+ };
+ auth.htpasswd = {
+ realm = "Voidcorp Registry";
+ path = "/etc/htpasswd";
+ };
+ };
+ };
+}
diff --git a/hosts/registry/secrets.nix b/hosts/registry/secrets.nix
new file mode 100644
index 0000000000000000000000000000000000000000..1e0cabfc09a698142fdad1ec1d57a2452a08085a
GIT binary patch literal 199 zcmV;&066~uM@dveQdv+`09~8-eVT+hUuLVJ;ITru{@K6@)pJd|4S(HbjSGGJH#0^Y z5{XiodMoPmhMMa03&4RjorXEvcszqsp_aPinnTn2PJzKRT&S4dyQ}c+S$V>YBl-hp z=ZN9y=#Xz}>(%E94NVD3bpVRzbBC|o`GV0Ef70emP5wZ0AT8wZ>S4-0pEqLzELI(+ z;WC+n7qaf~0G#8+;wj{^p7#!>c?X9Omh1xikwt&NspWj-Q4EbvyD$ho_^B9_0YIL- BW*-0m literal 0 HcmV?d00001
diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix
new file mode 100644
index 0000000..430244f
--- /dev/null
+++ b/hosts/vaultwarden/configuration.nix
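Review bot: the comment `# the registry port and metrics port` above `networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port ];` does not match the list, which opens only the registry port; either add the metrics listener's port or change the comment to `# the registry port (metrics are not exposed)`. With `listenAddress = "0.0.0.0"` and that port open, the htpasswd realm is the only thing between the LAN and a registry that also has `enableDelete = true`, while the only intended client on this page is hosts/nginx/configuration.nix (`proxy "http://10.42.20.7:5000/"`); that is fine if the 10.42.20.x network is trusted, and a one-line comment stating that assumption would make the choice explicit.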
@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Import common config
+ ../../common/generic-lxc.nix
+ ../../common
+ ];
+
+ networking.hostName = "vaultwarden";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ ];
+
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ databaseUrl = secrets.databaseUrl;
+ domain = "https://vaultwarden.voidcorp.nl";
+ signupsDomainsWhitelist = "voidcorp.nl";
+ rocketPort = 8000;
+ };
+ };
+
+}
diff --git a/hosts/vaultwarden/secrets.nix b/hosts/vaultwarden/secrets.nix
new file mode 100644
index 0000000000000000000000000000000000000000..e5fb9813b35729832d971a8624dfdcfa0762bdc3
GIT binary patch literal 105 zcmV-v0G9s%M@dveQdv+`0Jy>@6%F!TL50(U)3+~(%E9hYZYRiKI6sE8#zlrUn?;34 z{$X9!Yzom5gdHi)jtud_^he;cYmI45`