diff --git a/common/users/default.nix b/common/users/default.nix
index 9bad622..109b4f3 100644
--- a/common/users/default.nix
+++ b/common/users/default.nix
@@ -15,7 +15,8 @@
 extraGroups = [ "wheel" ];
 shell = pkgs.fish;
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJBY9eQlR/JRnjVC2wKWQ+o02wDlGUlSgN/4e3i6ans"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJBY9eQlR/JRnjVC2wKWQ+o02wDlGUlSgN/4e3i6ans PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrSvbUoRc7K47cD6TIZUdVjExuNpv6JUzjvUwRtRVj9 Laptop"
 ];
 };
diff --git a/flake.nix b/flake.nix
index b0ad559..b0115b5 100644
--- a/flake.nix
+++ b/flake.nix
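Review bot: The new `Laptop` key lands on a user whose `extraGroups = [ "wheel" ]` makes it sudo-capable on every host that imports this file (the enclosing `users.users.<name>` block starts outside this hunk), and the key comment names a device but not when it was issued or whether it is hardware-backed, which is exactly what a later revocation needs. Add a short Nix comment above each entry, e.g. `# Laptop — ed25519, issued YYYY-MM-DD; remove here and redeploy if the device is lost`. If these hosts are only ever reached from the lab subnets (the dns host added in this commit allows 10.42.0.0/16 and 192.168.2.0/24, which suggests so), a `from="10.42.0.0/16,192.168.2.0/24"` option prefix on each key limits where a stolen key can be used from.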
@@ -4,151 +4,57 @@ inputs.deploy-rs.url = "github:serokell/deploy-rs"; inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - outputs = { self, nixpkgs, deploy-rs }: { - - nixosConfigurations.nginx = nixpkgs.lib.nixosSystem { + outputs = { self, nixpkgs, deploy-rs }@inputs: + let system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/nginx/configuration.nix - ]; - }; - - nixosConfigurations.gitea = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/gitea/configuration.nix - ]; - }; - - nixosConfigurations.vaultwarden = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/vaultwarden/configuration.nix - ]; - }; - - nixosConfigurations.k3s = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ ./hosts/k3s/configuration.nix ]; - }; - - nixosConfigurations.minio = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/minio/configuration.nix - ]; - }; - - nixosConfigurations.registry = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/registry/configuration.nix - ]; - }; - - nixosConfigurations.postgresql = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/postgresql/configuration.nix - ]; - }; - nixosConfigurations.grafana = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./hosts/grafana/configuration.nix - ]; - }; - - deploy.nodes.nginx = { - hostname = "10.42.20.2"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - 
self.nixosConfigurations.nginx; + mkConfig = { name, lxc ? true }: + nixpkgs.lib.nixosSystem { + inherit system; + modules = (if lxc then + [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ] + else + # this is probably the ugliest fix ever, but it + # makes both nix/deploy.rs and the formatter work so it's fine + [ ]) ++ [ "${./.}/hosts/${name}/configuration.nix" ]; + specialArgs = { inputs = inputs; }; + }; + mkDeploy = profile: hostname: { + hostname = hostname; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.${system}.activate.nixos + self.nixosConfigurations.${profile}; + }; }; - }; - deploy.nodes.gitea = { - hostname = "10.42.20.3"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.gitea; + in { + + nixosConfigurations.nginx = mkConfig { name = "nginx"; }; + nixosConfigurations.gitea = mkConfig { name = "gitea"; }; + nixosConfigurations.vaultwarden = mkConfig { name = "vaultwarden"; }; + nixosConfigurations.k3s = mkConfig { + name = "k3s"; + lxc = false; }; + nixosConfigurations.minio = mkConfig { name = "minio"; }; + nixosConfigurations.registry = mkConfig { name = "registry"; }; + nixosConfigurations.postgresql = mkConfig { name = "postgresql"; }; + nixosConfigurations.grafana = mkConfig { name = "grafana"; }; + nixosConfigurations.dns = mkConfig { name = "dns"; }; + + deploy.nodes.nginx = mkDeploy "nginx" "10.42.20.2"; + deploy.nodes.gitea = mkDeploy "gitea" "10.42.20.3"; + deploy.nodes.vaultwarden = mkDeploy "vaultwarden" "10.42.20.4"; + deploy.nodes.k3s = mkDeploy "k3s" "10.42.20.5"; + deploy.nodes.minio = mkDeploy "minio" "10.42.20.6"; + deploy.nodes.registry = mkDeploy "registry" "10.42.20.7"; + deploy.nodes.postgresql = mkDeploy "postgresql" "10.42.20.8"; + deploy.nodes.grafana = mkDeploy "grafana" "10.42.20.9"; + deploy.nodes.dns = mkDeploy "dns" "10.42.20.10"; + + checks = builtins.mapAttrs + (system: 
deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; - - deploy.nodes.vaultwarden = { - hostname = "10.42.20.4"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.vaultwarden; - }; - }; - - deploy.nodes.k3s = { - hostname = "10.42.20.5"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.k3s; - }; - }; - - deploy.nodes.minio = { - hostname = "10.42.20.6"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.minio; - }; - }; - - deploy.nodes.registry = { - hostname = "10.42.20.7"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.registry; - }; - }; - - deploy.nodes.postgresql = { - hostname = "10.42.20.8"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.postgresql; - }; - }; - - deploy.nodes.grafana = { - hostname = "10.42.20.9"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations.grafana; - }; - }; - - checks = - builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) - deploy-rs.lib; - - }; } diff --git a/hosts/dns/configuration.nix b/hosts/dns/configuration.nix new file mode 100644 index 0000000..1986d47 --- /dev/null +++ b/hosts/dns/configuration.nix 
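Review bot: The `if lxc then [ ... ] else [ ]` in `mkConfig` (with its apologetic comment) is what `nixpkgs.lib.optional` is for; `modules = nixpkgs.lib.optional lxc "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ++ [ "${./.}/hosts/${name}/configuration.nix" ];` reads and formats cleanly, and `specialArgs = { inherit inputs; };` is the idiomatic form of `inputs = inputs`. In `checks`, the lambda parameter `system` shadows the `let system = "x86_64-linux"` binding a few lines up; harmless here but easy to misread, so name it `sys` or `_`. Separately, every `mkDeploy` node is addressed by a bare IP with `user = "root"`, so host-key verification of the target rests entirely on the deploying machine's `known_hosts`; a comment on `mkDeploy` saying that the first deploy to a new node must pin its host key out of band (presumably how it is done today — confirm) would save the next person from blindly accepting a prompt.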
@@ -0,0 +1,182 @@ +{ config, pkgs, ... }: +let + +in { + imports = [ + # Import common config + ../../common/generic-lxc.nix + ../../common + ]; + + networking.hostName = "dns"; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.11"; # Did you read the comment? + + environment.systemPackages = with pkgs; [ dig ]; + + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; + + services.unbound = { + enable = true; + settings = { + server = let + localData = hostname: ip: ''"${hostname}.voidlocal. A ${ip}"''; + localData' = { hostname, ip }: localData hostname ip; + ptrData = hostname: ip: ''"${ip} ${hostname}.voidlocal"''; + ptrData' = { hostname, ip }: ptrData hostname ip; + + hosts = [ + { + hostname = "localhost"; + ip = "127.0.0.1"; + } + { + hostname = "pfsense"; + ip = "10.42.0.1"; + } + { + hostname = "pve"; + ip = "10.42.1.1"; + } + { + hostname = "idrac"; + ip = "10.42.1.2"; + } + { + hostname = "pve-storage"; + ip = "10.42.1.4"; + } + { + hostname = "arch-base"; + ip = "10.42.2.1"; + } + { + hostname = "gitlab-host"; + ip = "10.42.2.2"; + } + { + hostname = "storage-host"; + ip = "10.42.2.4"; + } + { + hostname = "cdn-host"; + ip = "10.42.2.6"; + } + { + hostname = "arch-torrent"; + ip = "10.42.2.7"; + } + { + hostname = "postgres"; + ip = "10.42.2.19"; + } + { + hostname = "thelounge"; + ip = "10.42.2.21"; + } + { + hostname = "unifi"; + ip = "10.42.2.27"; + } + { + hostname = "ssh-host"; + ip = "10.42.2.28"; + } + { + hostname = "k8s-1"; + ip = "10.42.3.1"; + } + { + 
hostname = "k8s-2"; + ip = "10.42.3.2"; + } + { + hostname = "k8s-3"; + ip = "10.42.3.3"; + } + { + hostname = "nginx"; + ip = "10.42.20.2"; + } + { + hostname = "gitea"; + ip = "10.42.20.3"; + } + { + hostname = "vaultwarden"; + ip = "10.42.20.4"; + } + { + hostname = "k3s-1"; + ip = "10.42.20.5"; + } + { + hostname = "minio"; + ip = "10.42.20.6"; + } + { + hostname = "registry"; + ip = "10.42.20.7"; + } + { + hostname = "postgresql"; + ip = "10.42.20.8"; + } + { + hostname = "grafana"; + ip = "10.42.20.9"; + } + { + hostname = "dns"; + ip = "10.42.20.10"; + } + ]; + + in { + use-syslog = "yes"; + module-config = ''"validator iterator"''; + interface-automatic = "yes"; + interface = [ "0.0.0.0" "::0" ]; + + local-zone = ''"voidlocal." transparent''; + local-data = map localData' hosts; + local-data-ptr = map ptrData' hosts; + access-control = [ + "127.0.0.1/32 allow_snoop" + "::1 allow_snoop" + "10.42.0.0/16 allow" + "127.0.0.0/8 allow" + "192.168.2.0/24 allow" + "::1/128 allow" + ]; + private-address = [ + "127.0.0.0/8" + "10.0.0.0/8" + "::ffff:a00:0/104" + "172.16.0.0/12" + "::ffff:ac10:0/108" + "169.254.0.0/16" + "::ffff:a9fe:0/112" + "192.168.0.0/16" + "::ffff:c0a8:0/112" + "fd00::/8" + "fe80::/10" + ]; + # addLocal "10.42.0.1" "pfsense"; + }; + forward-zone = { + name = ''"."''; + forward-addr = [ "8.8.8.8" "9.9.9.9" ]; + }; + }; + }; + +} diff --git a/hosts/grafana/configuration.nix b/hosts/grafana/configuration.nix index b80de61..69c9391 100644 --- a/hosts/grafana/configuration.nix +++ b/hosts/grafana/configuration.nix @@ -28,8 +28,8 @@ in { enable = true; text = secrets.secretKey; }; - - networking.firewall.allowedTCPPorts = [ 3000 ]; + + networking.firewall.allowedTCPPorts = [ 3000 9001 ]; services.grafana = { enable = true; 
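Review bot: `local-zone = ''"voidlocal." transparent''` means any name under `voidlocal.` that is not in `hosts` (a typo, or a host not yet listed) is forwarded to `8.8.8.8`/`9.9.9.9` with the internal domain attached, so the zone should be static: `local-zone = ''"voidlocal." static'';` still answers from `local-data` and returns NXDOMAIN for everything else without the query leaving the network. The `forward-zone` also sends every external query in plaintext; both upstreams speak DNS-over-TLS, so `forward-tls-upstream = "yes";` together with `forward-addr = [ "9.9.9.9@853#dns.quad9.net" "8.8.8.8@853#dns.google" ];` encrypts and authenticates that hop (the NixOS unbound module supplies `tls-cert-bundle` by default, I believe — confirm). Minor: `access-control` lists both `::1 allow_snoop` and `::1/128 allow` for the same address, so the second entry is dead.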
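Review bot: Opening 9001 here publishes Prometheus to every host the firewall accepts, and Prometheus has no authentication of its own: its HTTP API (`/api/v1/query` and friends) hands out every scraped metric, while the only consumer visible on this host is the Grafana instance configured a few lines below. Unless another scraper or federation is planned, leave `allowedTCPPorts = [ 3000 ];` as it was and point Grafana at `http://127.0.0.1:9001` with Prometheus bound to loopback; if the port must stay open, a comment naming the remote consumer is the minimum. The `in {` attrset this line sits in starts outside the hunk.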
@@ -52,4 +52,16 @@ in {
 analytics.reporting.enable = false;
 };
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ # scrapeConfigs = [{
+ # job_name = "nginx";
+ # static_configs = [
+ # { targets = [ "10.42.20.2:9000" ]; }
+ # { targets = [ "10.42.20.2:9001" ]; }
+ # ];
+ # }];
+ };
+
 }
diff --git a/hosts/nginx/configuration.nix b/hosts/nginx/configuration.nix
index 5854ab2..ca1e324 100644
--- a/hosts/nginx/configuration.nix
+++ b/hosts/nginx/configuration.nix
@@ -29,7 +29,7 @@ in {
 environment.systemPackages = with pkgs; [ ];
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 9000 9001 ];
 services.nginx = {
 enable = true;
@@ -38,8 +38,6 @@ in {
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
- virtualHosts."voidcorp.nl" = k8s_proxy;
- virtualHosts."harbor.voidcorp.nl" = k8s_proxy;
 virtualHosts."cdn.voidcorp.nl" = proxy "http://10.42.2.6:80/";
 virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/";
@@ -58,6 +56,13 @@ in {
 virtualHosts."gitlab.voidcorp.nl" = proxy "http://10.42.2.2:80/";
 };
+ # services.prometheus.exporters = {
+ # nginxLog = {
+ # enable = true;
+ # port = 9000;
+ # };
+ # };
+
 security.acme.email = "acme@voidcorp.nl";
 security.acme.acceptTerms = true;
 }
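Review bot: `services.prometheus` sets `port` but not `listenAddress`, whose NixOS default is `0.0.0.0` as far as I recall, so with 9001 opened in the firewall earlier in this file the unauthenticated query API is reachable network-wide; since Grafana runs on this same host, `listenAddress = "127.0.0.1";` is enough and the 9001 firewall entry can go. The commented-out `scrapeConfigs` block is dead code in a config file: either enable it or drop it and keep the intent as `# TODO: scrape the nginx exporters once hosts/nginx enables them`, noting that as written it declares two `static_configs` entries of one target each where `{ targets = [ "10.42.20.2:9000" "10.42.20.2:9001" ]; }` would do. The surrounding `in {` attrset starts outside this hunk.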
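Review bot: 9000 and 9001 are opened in the firewall here while nothing in this commit listens on them — the nginx exporter in the later hunk is still commented out, and no service for 9001 appears anywhere in the file — so this is an open door with no documented tenant. Keep `networking.firewall.allowedTCPPorts = [ 80 443 ];` until an exporter is actually enabled, and when it is, open only the port it uses and say in a comment which scraper (presumably the Prometheus on the grafana host, 10.42.20.9) is expected to reach it. `allowedTCPPorts` cannot restrict by source, so if only that scraper should get in, `networking.firewall.extraCommands` with a source match is the place to express it. The `in {` attrset this line sits in starts outside the hunk.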
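Review bot: The `services.prometheus.exporters` block is added entirely commented out, which leaves no signal whether it is planned, abandoned, or simply did not evaluate yet; prefer a one-line `# TODO: enable the nginxlog exporter on 9000 once the access-log format it parses is defined` or drop it until it works. When it is enabled, land it in the same commit as the matching firewall entry and set the exporter's `listenAddress` deliberately (it binds all interfaces by default, I believe — confirm), so the open port and the listener never drift apart the way 9000/9001 already have in the earlier hunk of this file.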