Merge branch 'master' of ssh://git.kun.is:56287/home/nixos-servers

Niels Kunis 2024-03-26 20:31:35 +01:00
commit 6aec465750
10 changed files with 452 additions and 76 deletions

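--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -3,6 +3,7 @@
 hosts: manager
 roles:
 - {role: traefik, tags: traefik}
+- {role: freshrss, tags: freshrss}
 - {role: forgejo, tags: forgejo}
 - {role: radicale, tags: radicale}
 - {role: hedgedoc, tags: hedgedoc}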

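--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -3,7 +3,9 @@ http:
 k3s:
 loadBalancer:
 servers:
-- url: http://jefke.dmz
+# TODO: This WILL break when the cluster is reprovisioned and another IP addrss is chosen.
+# The load balancer service for Traefik is automatically provisioned by k3s, unsure how to statically assign the IP address.
+- url: http://192.168.40.101
 esrom:
 loadBalancer:
 servers: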
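Review bot: The new `- url: http://192.168.40.101` binds the Traefik backend to whichever address the k3s-provisioned LoadBalancer service happened to receive, which the accompanying TODO already admits will break on reprovisioning; the replaced `http://jefke.dmz` at least went through a name that could be repointed without touching this file. The mechanism the TODO is looking for is shown elsewhere in this same commit as a dead comment, the `metallb.universe.tf/loadBalancerIPs` annotation in the loadbalancer-test manifest: pin the address on the Traefik LoadBalancer service and then point this URL at a name rather than a raw IP. Until that lands, extend the comment so the next reader knows where the number comes from, e.g. `# .101 is handed out from the MetalLB pool 192.168.40.100-192.168.40.254 defined in the kubenix module`. The enclosing `http:` block starts outside this hunk.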

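--- a/flake.lock
+++ b/flake.lock
@@ -189,6 +189,41 @@
 "type": "github"
 }
 },
+"flake-utils_4": {
+"inputs": {
+"systems": "systems_6"
+},
+"locked": {
+"lastModified": 1701680307,
+"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+"type": "github"
+},
+"original": {
+"id": "flake-utils",
+"type": "indirect"
+}
+},
+"flake-utils_5": {
+"inputs": {
+"systems": "systems_7"
+},
+"locked": {
+"lastModified": 1694529238,
+"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -220,15 +255,16 @@
 "treefmt": "treefmt"
 },
 "locked": {
-"lastModified": 1705801181,
-"narHash": "sha256-vH+n5qMnwFCx3LMON2hQMi9PjMpmTraGYXe1czJTfAg=",
-"owner": "hall",
+"lastModified": 1711308696,
+"narHash": "sha256-Epx4yztlFp3mNPhMKWgiiSp6Q067pxW9o50ak6WFwxg=",
+"owner": "pizzapim",
 "repo": "kubenix",
-"rev": "76b8053b27b062b11f0c9b495050cc55606ac9dc",
+"rev": "4ee31f48510b89743d83b7681faea1077fe925b7",
 "type": "github"
 },
 "original": {
-"owner": "hall",
+"owner": "pizzapim",
+"ref": "fix-protocol",
 "repo": "kubenix",
 "type": "github"
 }
@@ -255,6 +291,66 @@
 "type": "github"
 }
 },
+"nix-github-actions": {
+"inputs": {
+"nixpkgs": [
+"nixhelm",
+"poetry2nix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1698974481,
+"narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+"owner": "nix-community",
+"repo": "nix-github-actions",
+"rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "nix-github-actions",
+"type": "github"
+}
+},
+"nix-kube-generators": {
+"locked": {
+"lastModified": 1702548734,
+"narHash": "sha256-2pREm/iZ1FyyFuukt/B3nud2NYTUImy5vqc2tESoP9g=",
+"owner": "farcaller",
+"repo": "nix-kube-generators",
+"rev": "fb7a70a8cd76aa76fdf3281123582693aec486a7",
+"type": "github"
+},
+"original": {
+"owner": "farcaller",
+"repo": "nix-kube-generators",
+"type": "github"
+}
+},
+"nixhelm": {
+"inputs": {
+"flake-utils": "flake-utils_4",
+"nix-kube-generators": "nix-kube-generators",
+"nixpkgs": [
+"nixpkgs"
+],
+"poetry2nix": "poetry2nix"
+},
+"locked": {
+"lastModified": 1711242197,
+"narHash": "sha256-UWOb8Aj10O8XshwKA6xVivU0wFfQwVNqLERocVXRgUk=",
+"owner": "farcaller",
+"repo": "nixhelm",
+"rev": "8523ddbdf40f833d3c1421546767513ca57bceea",
+"type": "github"
+},
+"original": {
+"owner": "farcaller",
+"repo": "nixhelm",
+"type": "github"
+}
+},
 "nixos-hardware": {
 "locked": {
 "lastModified": 1710783728,
@@ -319,6 +415,31 @@
 "type": "github"
 }
 },
+"poetry2nix": {
+"inputs": {
+"flake-utils": "flake-utils_5",
+"nix-github-actions": "nix-github-actions",
+"nixpkgs": [
+"nixhelm",
+"nixpkgs"
+],
+"systems": "systems_8",
+"treefmt-nix": "treefmt-nix"
+},
+"locked": {
+"lastModified": 1702365004,
+"narHash": "sha256-IRFvmyP1uk1hchRVxaXTqu6YoZCvMM/NVtUf2hD2Tag=",
+"owner": "nix-community",
+"repo": "poetry2nix",
+"rev": "c12ac880114d52a3cad5fa02b00f2e2090e89982",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "poetry2nix",
+"type": "github"
+}
+},
 "root": {
 "inputs": {
 "agenix": "agenix",
@@ -328,6 +449,7 @@
 "flake-utils": "flake-utils_2",
 "kubenix": "kubenix",
 "microvm": "microvm",
+"nixhelm": "nixhelm",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable": "nixpkgs-unstable"
@@ -423,6 +545,50 @@
 "type": "github"
 }
 },
+"systems_6": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_7": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_8": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"id": "systems",
+"type": "indirect"
+}
+},
 "treefmt": {
 "inputs": {
 "nixpkgs": [
@@ -444,6 +610,28 @@
 "type": "github"
 }
 },
+"treefmt-nix": {
+"inputs": {
+"nixpkgs": [
+"nixhelm",
+"poetry2nix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1699786194,
+"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+"owner": "numtide",
+"repo": "treefmt-nix",
+"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "treefmt-nix",
+"type": "github"
+}
+},
 "utils": {
 "inputs": {
 "systems": "systems_2"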


@ -29,7 +29,12 @@
}; };
kubenix = { kubenix = {
url = "github:hall/kubenix"; url = "github:pizzapim/kubenix/fix-protocol";
inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@ -47,7 +52,7 @@
./nix/flake/checks.nix ./nix/flake/checks.nix
./nix/flake/deploy.nix ./nix/flake/deploy.nix
./nix/flake/nixos.nix ./nix/flake/nixos.nix
./nix/flake/kubenix.nix ./nix/flake/kubenix
] // (flake-utils.lib.eachDefaultSystem (system: { ] // (flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixfmt; formatter = nixpkgs.legacyPackages.${system}.nixfmt;
})); }));
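Review bot: The kubenix input now follows a branch on a personal fork, `url = "github:pizzapim/kubenix/fix-protocol";`, and nothing in the flake says why; the lock pins the exact rev (`4ee31f48…` in flake.lock), so today's build is reproducible, but every future `nix flake update` will pull whatever that branch holds at the time. A one-line comment above the url would save the next maintainer the archaeology, e.g. `# Temporary fork of hall/kubenix; drop once <upstream change — fill in> is merged upstream.` with the reference filled in. The new `nixhelm` input likewise appears without a note on what consumes it (the `helm.releases.metallb` in the kubenix module of this commit), and the second hunk's switch from `./nix/flake/kubenix.nix` to the directory `./nix/flake/kubenix` is silent about the rename. The `inputs` attribute set these lines belong to starts outside the hunk.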

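--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-name: kubenix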

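--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: loadbalancer-test
+# annotations:
+# metallb.universe.tf/loadBalancerIPs: 192.168.1.100
+spec:
+ports:
+- port: 80
+targetPort: 8000
+selector:
+app: loadbalancer-test
+type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: loadbalancer-test
+labels:
+app: loadbalancer-test
+spec:
+replicas: 3
+selector:
+matchLabels:
+app: loadbalancer-test
+template:
+metadata:
+labels:
+app: loadbalancer-test
+spec:
+containers:
+- name: loadbalancer-test
+image: mpepping/cyberchef
+ports:
+- containerPort: 8000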
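Review bot: `image: mpepping/cyberchef` carries neither a tag nor a digest, so each of the three replicas may resolve to a different `latest` on every pull, and the container has no `resources` or `securityContext`; with `type: LoadBalancer` the pod is presumably handed an address from the MetalLB pool this commit configures and becomes reachable on that network the moment it is applied. If this is a throwaway, say so at the top of the file (`# scratch manifest for testing MetalLB address assignment; not applied by the flake`), otherwise pin the image (`image: mpepping/cyberchef@sha256:<digest — fill in>`) and add limits before it lives in the repo. The commented-out `metallb.universe.tf/loadBalancerIPs` annotation is exactly what the Traefik TODO elsewhere in this commit is missing, so a pointer there is more useful than a dead comment here; note also that `192.168.1.100` lies outside the `192.168.40.x` pool defined in the kubenix module.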


@ -1,62 +0,0 @@
{ self, flake-utils, kubenix, ... }: flake-utils.lib.eachDefaultSystem
(system: {
kubenix = kubenix.packages.${system}.default.override {
specialArgs.flake = self;
module = { kubenix, ... }: {
imports = [ kubenix.modules.k8s ];
kubernetes.kubeconfig = "~/.kube/config";
kubenix.project = "home";
kubernetes.resources = {
deployments.cyberchef.spec = {
replicas = 3;
selector.matchLabels.app = "cyberchef";
template = {
metadata.labels.app = "cyberchef";
spec = {
containers.cyberchef = {
image = "mpepping/cyberchef";
ports = [{
containerPort = 8000;
protocol = "TCP";
}];
};
};
};
};
services.cyberchef.spec = {
selector.app = "cyberchef";
ports = [{
protocol = "TCP";
port = 80;
targetPort = 8000;
}];
};
ingresses.cyberchef.spec = {
ingressClassName = "traefik";
rules = [{
host = "cyberchef.kun.is";
http.paths = [{
path = "/";
pathType = "Prefix";
backend.service = {
name = "cyberchef";
port.number = 80;
};
}];
}];
};
};
};
};
})


@ -0,0 +1,114 @@
{ self, flake-utils, kubenix, nixhelm, ... }: flake-utils.lib.eachDefaultSystem
(system: {
kubenix = kubenix.packages.${system}.default.override {
specialArgs.flake = self;
module = { kubenix, ... }: {
imports = [
kubenix.modules.k8s
kubenix.modules.helm
# ./freshrss.nix
];
kubernetes.kubeconfig = "~/.kube/config";
kubenix.project = "home";
kubernetes = {
# namespace = "kubenix";
customTypes = {
# HACK: These are dummy custom types.
# This is needed, because the CRDs imported as a chart are not available as Nix modules.
# There is no nix-based validation on resources defined using these types!
# See: https://github.com/hall/kubenix/issues/34
ipAddressPool = {
attrName = "ipAddressPools";
group = "metallb.io";
version = "v1beta1";
kind = "IPAddressPool";
};
l2Advertisement = {
attrName = "l2Advertisements";
group = "metallb.io";
version = "v1beta1";
kind = "L2Advertisement";
};
};
resources = {
# namespaces = {
# kubenix = { };
# metallb-system.metadata.labels = {
# "pod-security.kubernetes.io/enforce" = "privileged";
# "pod-security.kubernetes.io/audit" = "privileged";
# "pod-security.kubernetes.io/warn" = "privileged";
# };
# };
deployments.cyberchef.spec = {
replicas = 3;
selector.matchLabels.app = "cyberchef";
template = {
metadata.labels.app = "cyberchef";
spec = {
containers.cyberchef = {
image = "mpepping/cyberchef";
ports = [{
containerPort = 8000;
protocol = "TCP";
}];
};
};
};
};
services.cyberchef.spec = {
selector.app = "cyberchef";
ports = [{
protocol = "TCP";
port = 80;
targetPort = 8000;
}];
};
ingresses.cyberchef.spec = {
ingressClassName = "traefik";
rules = [{
host = "cyberchef.kun.is";
http.paths = [{
path = "/";
pathType = "Prefix";
backend.service = {
name = "cyberchef";
port.number = 80;
};
}];
}];
};
ipAddressPools.main = {
# metadata.namespace = "metallb-system";
spec.addresses = [ "192.168.40.100-192.168.40.254" ];
};
# l2Advertisements.main.metadata.namespace = "metallb-system";
l2Advertisements.main.metadata = { };
};
helm.releases.metallb = {
chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
# namespace = "metallb-system";
includeCRDs = true;
};
};
};
};
})
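Review bot: Every namespace line in the new module is commented out — `# namespace = "kubenix";` at the top, `# metadata.namespace = "metallb-system";` on both MetalLB resources, and `# namespace = "metallb-system";` on the Helm release — so the MetalLB release and its `IPAddressPool`/`L2Advertisement` objects presumably land in `default`; the commented `metallb-system` namespace block carrying `pod-security.kubernetes.io/*` = `privileged` labels suggests the speaker's privileged requirement was hit and the namespace dropped to get past it. Either restore the namespace together with those labels, or state the decision in a comment, e.g. `# MetalLB intentionally runs in the default namespace: <reason — fill in>`. Because the `customTypes` entries are dummies (as the HACK comment says), `ipAddressPools.main` and `l2Advertisements.main` get no Nix-side validation, so a typo in `spec.addresses` only surfaces at apply time; a comment on each naming the CRD fields it must match would help. `l2Advertisements.main.metadata = { };` produces an L2Advertisement without a spec, which MetalLB, as far as I recall, treats as advertising every pool — fine for a single pool, but worth saying explicitly.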


@ -0,0 +1,97 @@
{
kubernetes.resources = {
configMaps.freshrss.data = {
TZ = "Europe/Amsterdam";
CRON_MIN = "2,32";
ADMIN_EMAIL = "pim@kunis.nl";
PUBLISHED_PORT = "443";
};
secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml";
persistentVolumeClaims.freshrss.spec = {
accessModes = [ "ReadWriteOnce" ];
storageClassName = "local-path";
resources.requests.storage = "1Mi";
};
deployments.freshrss = {
metadata.labels.app = "freshrss";
spec = {
selector.matchLabels.app = "freshrss";
template = {
metadata.labels.app = "freshrss";
spec = {
containers.freshrss = {
image = "freshrss/freshrss:edge";
ports = [{
containerPort = 80;
protocol = "TCP";
}];
envFrom = [{ configMapRef.name = "freshrss"; }];
env = [
{
name = "ADMIN_PASSWORD";
valueFrom.secretKeyRef = {
name = "freshrss";
key = "adminPassword";
};
}
{
name = "ADMIN_API_PASSWORD";
valueFrom.secretKeyRef = {
name = "freshrss";
key = "adminPassword";
};
}
];
volumeMounts = [{
name = "data";
mountPath = "/var/www/FreshRSS/data";
}];
};
volumes = [{
name = "data";
persistentVolumeClaim.claimName = "freshrss";
}];
};
};
};
};
services.freshrss.spec = {
selector.app = "freshrss";
ports = [{
protocol = "TCP";
port = 80;
targetPort = 80;
}];
};
ingresses.freshrss.spec = {
ingressClassName = "traefik";
rules = [{
host = "freshrss.k3s.kun.is";
http.paths = [{
path = "/";
pathType = "Prefix";
backend.service = {
name = "freshrss";
port.number = 80;
};
}];
}];
};
};
}
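Review bot: `secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml";` is a vals-style reference, and nothing on this page shows the kubenix output being passed through vals before it is applied; if it is applied as rendered, the Secret holds that literal string and, through the `ADMIN_PASSWORD` and `ADMIN_API_PASSWORD` `secretKeyRef` entries, it becomes the FreshRSS admin password. Say where the substitution happens, e.g. `# resolved by vals during apply; see <render step — fill in>`, or, if it is an option here, source the value from the agenix secrets the flake already takes as an input. The module is only referenced as a commented import (`# ./freshrss.nix`) in the kubenix module, so none of this is evaluated yet — a good moment to also replace `resources.requests.storage = "1Mi";`, which looks like a placeholder for the data directory, and to pin `freshrss/freshrss:edge`, a moving tag.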


@ -20,7 +20,7 @@ in {
services.k3s = { services.k3s = {
enable = true; enable = true;
role = "server"; role = "server";
extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.lab.storage.dataMountPoint}/k3s --disable servicelb"; extraFlags = "--tls-san ${config.networking.fqdn} --disable servicelb";
}; };
system.activationScripts.k3s-bootstrap.text = system.activationScripts.k3s-bootstrap.text =
@ -30,7 +30,7 @@ in {
}).config.kubernetes.result; }).config.kubernetes.result;
in in
'' ''
ln -sf ${k3sBootstrapFile} ${config.lab.storage.dataMountPoint}/k3s/server/manifests/k3s-bootstrap.json ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json
''; '';
}; };
} }
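Review bot: The activation script now links into `/var/lib/rancher/k3s/server/manifests`, a directory k3s creates on its own first start, but activation runs before the service is started, so on a freshly provisioned host `ln -sf` can fail because the parent does not exist yet; the previous `${config.lab.storage.dataMountPoint}/k3s/...` target had the same exposure. Creating the directory first removes the ordering dependency: `mkdir -p /var/lib/rancher/k3s/server/manifests` on the line before the `ln -sf …`. Dropping `--data-dir ${config.lab.storage.dataMountPoint}/k3s` from `extraFlags` also moves the datastore and server token off the lab data mount onto the root filesystem; if that mount was the persistent volume, a comment explaining why the default location is now preferred would help whoever reprovisions next. The `let` block feeding `k3sBootstrapFile` starts outside these hunks.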