Actual initial commit

.git-crypt/.gitattributes

@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary

.gitattributes

@@ -0,0 +1 @@
+secrets.nix filter=git-crypt diff=git-crypt

.gitignore

@@ -1 +1 @@
-keys
+/keys

common/generic-vm.nix

@@ -0,0 +1,14 @@
+{ lib, ... }: {
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.permitRootLogin = lib.mkDefault "yes";
+
+  # Enable qemu guest agent
+  services.qemuGuest.enable = true;
+}

common/users/default.nix

@@ -4,6 +4,7 @@
   environment.systemPackages = with pkgs; [ fzf git htop rsync ripgrep zoxide ];
   programs.neovim.enable = true;
   programs.neovim.viAlias = true;
+  programs.fish.shellInit = "set -U fish_greeting";
 
   users.defaultUserShell = pkgs.fish;
 

flake.lock

@@ -54,16 +54,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1636787152,
+        "lastModified": 1636623366,
-        "narHash": "sha256-plWieAm8r965NfqORxcrq79eK5edUrHqXXgPZdLPE3M=",
+        "narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6147e5d3177d63171970d27fc28698a9624c62bc",
+        "rev": "c5ed8beb478a8ca035f033f659b60c89500a3034",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,30 +2,118 @@
   description = "Memes";
 
   inputs.deploy-rs.url = "github:serokell/deploy-rs";
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/master";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
   outputs = { self, nixpkgs, deploy-rs }: {
 
-    nixosConfigurations.base = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.nginx = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-        ./hosts/base/configuration.nix
+        ./hosts/nginx/configuration.nix
       ];
     };
 
-    deploy.nodes.base = {
+    nixosConfigurations.gitea = nixpkgs.lib.nixosSystem {
-      hostname = "10.42.20.1";
+      system = "x86_64-linux";
+      modules = [
+        "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ./hosts/gitea/configuration.nix
+      ];
+    };
+
+    nixosConfigurations.vaultwarden = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ./hosts/vaultwarden/configuration.nix
+      ];
+    };
+
+    nixosConfigurations.k3s = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./hosts/k3s/configuration.nix ];
+    };
+
+    nixosConfigurations.minio = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ./hosts/minio/configuration.nix
+      ];
+    };
+
+    nixosConfigurations.registry = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ./hosts/registry/configuration.nix
+      ];
+    };
+
+    deploy.nodes.nginx = {
+      hostname = "10.42.20.2";
       fastConnection = true;
       profiles.system = {
         user = "root";
         path = deploy-rs.lib.x86_64-linux.activate.nixos
-          self.nixosConfigurations.base;
+          self.nixosConfigurations.nginx;
+      };
+    };
+
+    deploy.nodes.gitea = {
+      hostname = "10.42.20.3";
+      fastConnection = true;
+      profiles.system = {
+        user = "root";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos
+          self.nixosConfigurations.gitea;
+      };
+    };
+
+    deploy.nodes.vaultwarden = {
+      hostname = "10.42.20.4";
+      fastConnection = true;
+      profiles.system = {
+        user = "root";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos
+          self.nixosConfigurations.vaultwarden;
+      };
+    };
+
+    deploy.nodes.k3s = {
+      hostname = "10.42.20.5";
+      fastConnection = true;
+      profiles.system = {
+        user = "root";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos
+          self.nixosConfigurations.k3s;
+      };
+    };
+
+    deploy.nodes.minio = {
+      hostname = "10.42.20.6";
+      fastConnection = true;
+      profiles.system = {
+        user = "root";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos
+          self.nixosConfigurations.minio;
+      };
+    };
+
+    deploy.nodes.registry = {
+      hostname = "10.42.20.7";
+      fastConnection = true;
+      profiles.system = {
+        user = "root";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos
+          self.nixosConfigurations.registry;
       };
     };
 
     checks =
       builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy)
       deploy-rs.lib;
+
   };
 }

hosts/gitea/configuration.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+let
+  secrets = import ./secrets.nix;
+in {
+  imports = [
+    # Import common config
+    ../../common/generic-lxc.nix
+    ../../common
+  ];
+
+  networking.hostName = "gitea";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.enable = false;
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+  services.openssh.permitRootLogin = "no";
+  services.openssh.passwordAuthentication = false;
+
+  environment.etc.giteaPass = {
+    enable = true;
+    text = "x";
+    user = "gitea2";
+  };
+
+  services.gitea = {
+    enable = true;
+    ssh = {
+      clonePort = 4321;
+    };
+    lfs.enable = true;
+    appName = "Voidcorp Gitea";
+    domain = "git.voidcorp.nl";
+    rootUrl = "https://git.voidcorp.nl/";
+    database = secrets.database;
+    # TODO: Figure out how to do this
+    # dump = {
+    #   enable = true;
+    #   interval = "weekly";
+    #   backupDir = "/mnt/storage/backup/gitea";
+    # };
+    cookieSecure = true;
+    disableRegistration = true;
+  };
+}

hosts/k3s/configuration.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    # Import common config
+    ../../common/generic-vm.nix
+    ../../common
+  ];
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  networking.hostName = "k3s-1";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ iptables vim ];
+
+  # Disable the firewall as we need all the ports
+  networking.firewall.enable = false;
+
+  # Force-enable Cgroupv2
+  systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;
+
+  # Ensure `mount` and `grep` are available 
+  systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
+
+  # Enable k3s as a master node
+  # services.k3s = {
+  #   enable = true;
+  #   role = "server";
+
+  #   extraFlags = builtins.toString [
+  #     "--data-dir=/var/lib/k3s" # Set data dir to var lib
+  #     "--cluster-init" # Enable embedded etcd
+  #     "--disable=servicelb" # disable servicelb
+  #     "--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
+  #     "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
+  #   ];
+  # };
+  virtualisation.docker.enable = true;
+  users.users.jdejeu.extraGroups = [ "docker" ];
+}

hosts/k3s/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/39b4124e-4210-444e-9698-bb4a22dba53e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8510-F08C";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/bc3a4714-928f-451a-a149-e324a83fb844"; }
+    ];
+
+}

hosts/minio/configuration.nix

@@ -1,11 +1,13 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let secrets = import ./secrets.nix;
+in {
   imports = [
     # Import common config
     ../../common/generic-lxc.nix
     ../../common
   ];
 
-  networking.hostName = "base";
+  networking.hostName = "minio";
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
@@ -13,5 +15,20 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.05"; # Did you read the comment?
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  environment.systemPackages = with pkgs; [ ];
+
+  environment.etc.minioSettings = {
+    enable = true;
+    text = secrets.content;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = "/etc/minioSettings";
+  };
+
 }

hosts/nginx/configuration.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+let
+  proxy = url: {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = url;
+      proxyWebsockets = true;
+    };
+  };
+  k8s_proxy = proxy "https://k8s-1.voidlocal:443/";
+in {
+  imports = [
+    # Import common config
+    ../../common/generic-lxc.nix
+    ../../common
+  ];
+
+  networking.hostName = "nginx";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."voidcorp.nl" = k8s_proxy;
+    virtualHosts."harbor.voidcorp.nl" = k8s_proxy;
+    virtualHosts."cdn.voidcorp.nl" = proxy "http://10.42.2.6:80/";
+
+    virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/";
+
+    virtualHosts."galerievanslagmaat.nl" = proxy "http://10.42.0.124:5667/";
+
+    virtualHosts."vaultwarden.voidcorp.nl" = proxy "http://10.42.20.4:8000/";
+
+    virtualHosts."s3.voidcorp.nl" = proxy "http://10.42.20.6:9000/";
+    virtualHosts."explore.s3.voidcorp.nl" = proxy "http://10.42.20.6:9001/";
+    virtualHosts."registry.voidcorp.nl" = proxy "http://10.42.20.7:5000/";
+  };
+
+  security.acme.email = "acme@voidcorp.nl";
+  security.acme.acceptTerms = true;
+}

hosts/registry/configuration.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ./secrets.nix;
+in {
+  imports = [ ../../common ../../common/generic-lxc.nix ];
+
+  # the registry port and metrics port
+  networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port ];
+
+  environment.etc.htpasswd = {
+    enable = true;
+    text = secrets.htpasswd;
+  };
+
+  services.dockerRegistry = {
+    enable = true;
+    enableDelete = true;
+    enableGarbageCollect = true;
+    listenAddress = "0.0.0.0";
+    storagePath = null; # We want to store in s3
+    garbageCollectDates = "weekly";
+
+    extraConfig = {
+      # S3 Storages
+      storage.s3 = {
+        accesskey = secrets.access;
+        secretkey = secrets.secret;
+        regionendpoint = "https://s3.voidcorp.nl";
+        bucket = "docker";
+        region = "us-east-1"; # Fake but needed
+      };
+      auth.htpasswd = {
+        realm = "Voidcorp Registry";
+        path = "/etc/htpasswd";
+      };
+    };
+  };
+}

hosts/vaultwarden/configuration.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+let secrets = import ./secrets.nix;
+in {
+  imports = [
+    # Import common config
+    ../../common/generic-lxc.nix
+    ../../common
+  ];
+
+  networking.hostName = "vaultwarden";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    config = {
+      databaseUrl = secrets.databaseUrl;
+      domain = "https://vaultwarden.voidcorp.nl";
+      signupsDomainsWhitelist = "voidcorp.nl";
+      rocketPort = 8000;
+    };
+  };
+
+}