diff --git a/nixos/flake.nix b/nixos/flake.nix
index efac27b..61b429e 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -45,6 +45,28 @@
 '';
 };
 
+ packages.x86_64-linux.vm = let
+ vm = nixos-generators.nixosGenerate {
+ pkgs = pkgs;
+ modules = [ ./machines/base ];
+ format = "qcow";
+ };
+ metadata = nixos-generators.nixosGenerate {
+ pkgs = pkgs;
+ modules = [ ./machines/base ];
+ format = "lxc-metadata";
+ };
+ in with import nixpkgs { system = "x86_64-linux"; };
+ stdenv.mkDerivation {
+ name = "make-nixos-vm";
+ buildInputs = [ ];
+ src = self;
+ buildPhase =
+ "mkdir -p $out; ln -s ${vm} $out/vm; ln -s ${metadata} $out/metadata";
+ installPhase =
+ "ln -s $out/vm/nixos.qcow2 $out/nixos.qcow2;ln -s $out/metadata/tarball/nixos-system-x86_64-linux.tar.xz $out/metadata.tar.xz;";
+ };
+
 colmena = {
 meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; };
 nginx = {
@@ -78,6 +100,28 @@
 };
 };
 
+ k3s = {
+ imports = [ ./machines/k3s ];
+ deployment = {
+ targetHost = "k3s.lxd";
+ tags = [ "system" ];
+ };
+ };
+
+ minio = {
+ imports = [ ./machines/minio ];
+ deployment = {
+ targetHost = "minio.lxd";
+ tags = [ "system" ];
+ keys."minioSettings" = {
+ keyCommand = [ "vault" "kv" "get" "-field=settings" "kv/minio" ];
+ destDir = "/var/lib/keys";
+ user = "minio";
+ group = "minio";
+ };
+ };
+ };
+
 # k3s = {
 # imports = [ ./machines/k3s ];
 # deployment = {
diff --git a/nixos/machines/minio/default.nix b/nixos/machines/minio/default.nix
new file mode 100644
index 0000000..581cfcd
--- /dev/null
+++ b/nixos/machines/minio/default.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }: {
+ imports = [ ../../common ../../common/lxc.nix ];
+ networking.hostName = "minio";
+ system.stateVersion = "21.11";
+
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+
+ services.minio = {
+ enable = true;
+ rootCredentialsFile = "/var/lib/keys/minioSettings";
+ };
+}
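Review bot: The two `nixos-generators.nixosGenerate` calls in the new `packages.x86_64-linux.vm` differ only in `format`, and both spell `pkgs = pkgs;` where `inherit pkgs;` is the idiom; a one-line helper removes the duplication, e.g. `gen = format: nixos-generators.nixosGenerate { inherit pkgs format; modules = [ ./machines/base ]; };` with `vm = gen "qcow";` and `metadata = gen "lxc-metadata";`. `buildPhase` already populates `$out` and `installPhase` then adds symlinks that point back into `$out`, so folding both into a single `installPhase` (and dropping the empty `buildInputs = [ ];` and the redundant trailing `;` inside the `installPhase` string) would read more clearly. Whether `${vm}` actually contains `nixos.qcow2` and `${metadata}` contains `tarball/nixos-system-x86_64-linux.tar.xz` cannot be verified from this hunk.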
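Review bot: The commented-out `# k3s = {` block in the trailing context now duplicates the live `k3s` entry added at the top of this hunk and should be deleted rather than left as dead configuration. The `minioSettings` key is produced by `vault kv get -field=settings kv/minio` on the deploying machine and written to `/var/lib/keys` as `minio:minio`; colmena presumably applies its default key file mode, but since this file carries the MinIO root credentials it is worth pinning that explicitly with `permissions = "0400";` next to `group = "minio";`. Both new hosts reuse `tags = [ "system" ];` like the existing entries, which is consistent.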
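Review bot: `networking.firewall.enable = false;` turns the `networking.firewall.allowedTCPPorts = [ 9000 9001 ];` directly below it into a no-op and leaves every listening port on the container reachable from anything that can route to it, while the nginx change in this same commit only needs 9000 and 9001 on `minio.lxd`. Remove the `enable = false` line and keep only `networking.firewall.allowedTCPPorts = [ 9000 9001 ];` so the allow-list actually applies. `rootCredentialsFile = "/var/lib/keys/minioSettings"` matches the colmena key's `destDir` and name, which is good; the `config` and `pkgs` module arguments are unused and the header could be just `{ ... }: {`.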
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 5ecce48..249f796 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -1,4 +1,28 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let
+ proxy = path: {
+
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ locations."/" = {
+ proxyPass = path;
+ proxyWebsockets = true;
+ };
+ };
+ bigProxy = path: {
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ locations."/" = {
+ proxyPass = path;
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+in {
 imports = [ ../../common ../../common/lxc.nix ];
 networking.hostName = "nginx";
 system.stateVersion = "21.11";
@@ -17,24 +41,10 @@
 enableACME = true;
 root = "/etc/main";
 };
- virtualHosts."git.asraphiel.dev" = {
- forceSSL = true;
- enableACME = true;
- http2 = true;
- locations."/" = {
- proxyPass = "http://gitea.lxd:3000/";
- proxyWebsockets = true;
- };
- };
- virtualHosts."vault.asraphiel.dev" = {
- forceSSL = true;
- enableACME = true;
- http2 = true;
- locations."/" = {
- proxyPass = "http://vault.lxd:8200/";
- proxyWebsockets = true;
- };
- };
+ virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
+ virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";
+ virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
+ virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
 };
 security.acme.email = "acme@voidcorp.nl";
 security.acme.acceptTerms = true;
diff --git a/nixos/machines/postgres/default.nix b/nixos/machines/postgres/default.nix
index 64b7618..a6d2244 100644
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
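Review bot: `bigProxy` repeats the entire body of `proxy` only to add `extraConfig`, and `proxy` has a stray blank line right after `path: {`; a single helper parameterised on the extra location config keeps the two variants in sync when a header or setting is added later. The location-level `extraConfig` option defaults to the empty string in the NixOS nginx module, so `mkProxy ""` reproduces today's `proxy` exactly. The `in {` line and everything after it stay as they are.
```nix
let
  mkProxy = extraConfig: path: {
    forceSSL = true;
    enableACME = true;
    http2 = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
      inherit extraConfig;
    };
  };
  proxy = mkProxy "";
  bigProxy = mkProxy ''
    client_max_body_size 0;
  '';
in {
  # … unchanged: imports, hostName, stateVersion, services.nginx …
```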
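Review bot: `virtualHosts."shell.s3.asraphiel.dev"` publishes `minio.lxd:9001` — presumably the MinIO console — on a public, ACME-certified name, guarded only by the root credentials this commit delivers through the `minioSettings` key; if the console is only used from a known network, an `extraConfig = "allow <allowed-range>; deny all;"` on that vhost (or not publishing it at all) narrows the exposure. `bigProxy` on `s3.asraphiel.dev` sets `client_max_body_size 0`, which S3 multipart uploads need but which also means nginx no longer caps the body size of unauthenticated requests reaching MinIO; a comment on that vhost line stating why the limit is lifted would help the next reader. The `virtualHosts` attribute set continues outside the hunk.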
@@ -15,7 +15,7 @@
 authentication = ''
 local all all trust
 host all all 10.0.0.0/8 trust
- host all all fd42:14c:5baf:51ec:216:3eff:fe6e:32a7/96 trust
+ host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
 '';
 ensureDatabases = [ "gitea" "vault" ];
 ensureUsers = [
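Review bot: The replacement line keeps `trust` for the whole `fd42:8db7:2e6b:8e9b:216:3eff::/96` prefix, so any host inside it — which after this commit likely includes the new `minio` and `k3s` containers if they share the same LXD bridge — can connect as any role, superuser included, without a password. Changing the new line to `host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 scram-sha-256` (or `md5`, matching how existing passwords were stored) and giving the `gitea` and `vault` roles from `ensureUsers` passwords keeps the address scoping while actually authenticating clients; the `local all all trust` and `10.0.0.0/8 trust` context lines have the same weakness but are not touched here. The `authentication` string opens inside the hunk, while the enclosing block (presumably `services.postgresql`) begins before it.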