Migrate Warwick server to this repo

2024-11-30 22:48:30 +01:00 · 2024-11-30 22:48:30 +01:00 · 842d2afbc0
commit 842d2afbc0
parent a90c75931b
12 changed files with 1702 additions and 4 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -20,6 +20,8 @@
    ./cinnamon.nix
    ./ssh.nix
    ./desktop.nix
+    ./server.nix
+    ./prometheus.nix
  ];

  options = {
@ -31,9 +33,27 @@

  config = {
    time.timeZone = "Europe/Amsterdam";
-    i18n.defaultLocale = "en_US.UTF-8";
    hardware.pulseaudio.enable = false;

+    i18n = {
+      defaultLocale = "en_US.UTF-8";
+
+      extraLocaleSettings = let
+        extraLocale = "nl_NL.UTF-8";
+      in {
+        LC_ADDRESS = extraLocale;
+        LC_IDENTIFICATION = extraLocale;
+        LC_MEASUREMENT = extraLocale;
+        LC_MONETARY = extraLocale;
+        LC_NAME = extraLocale;
+        LC_NUMERIC = extraLocale;
+        LC_PAPER = extraLocale;
+        LC_TELEPHONE = extraLocale;
+        LC_TIME = extraLocale;
+      };
+    };
+
+    # BUG: this uses root way too much.
    deployment.keys =
      lib.mapAttrs' (user: sopsFile: let
        homeDirectory =
@ -45,7 +65,7 @@
      in {
        name = "${user}-sops-age-key";
        value = {
-          keyCommand = maybeSudo ++ [sops "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
+          keyCommand = maybeSudo ++ ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
          name = "keys.txt";
          destDir = "${homeDirectory}/.config/sops/age";
          inherit user;
@ -135,7 +155,7 @@
    };

    nixpkgs = {
-      hostPlatform = lib.mkDefault "x86_64-linux";
+      # hostPlatform = lib.mkDefault "x86_64-linux";

      config = {
        allowUnfreePredicate = pkg:
--- a/nixos/prometheus.nix
+++ b/nixos/prometheus.nix
@ -0,0 +1,76 @@
+{
+  lib,
+  config,
+  nodes,
+  ...
+}: {
+  options.pim.prometheus.enable = lib.mkEnableOption "prometheus";
+
+  config = lib.mkIf config.pim.prometheus.enable {
+    networking.firewall.allowedTCPPorts = [80];
+
+    services.prometheus = {
+      enable = true;
+
+      scrapeConfigs = (
+        let
+          generated = lib.pipe nodes [
+            (lib.filterAttrs (name: node: node.config.services.prometheus.exporters.node.enable))
+            (lib.attrsets.mapAttrsToList
+              (name: node: {
+                job_name = name;
+                static_configs = [
+                  {
+                    targets = ["${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"];
+                  }
+                ];
+              }))
+          ];
+
+          # TODO: Remove this once they are migrated to this repo.
+          compat = map (
+            name: {
+              job_name = name;
+              static_configs = [
+                {
+                  targets = ["${name}.dmz:${toString config.services.prometheus.exporters.node.port}"];
+                }
+              ];
+            }
+          ) ["lewis" "atlas" "jefke"];
+
+          pikvm = {
+            job_name = "pikvm";
+            metrics_path = "/api/export/prometheus/metrics";
+            scheme = "https";
+            tls_config.insecure_skip_verify = true;
+
+            # We don't care about security here, it's behind a VPN.
+            basic_auth = {
+              username = "admin";
+              password = "admin";
+            };
+
+            static_configs = [
+              {
+                targets = ["pikvm.dmz"];
+              }
+            ];
+          };
+        in
+          generated ++ compat ++ [pikvm]
+      );
+    };
+
+    services.nginx = {
+      enable = true;
+
+      virtualHosts."${config.networking.fqdn}" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
+          recommendedProxySettings = true;
+        };
+      };
+    };
+  };
+}
--- a/nixos/server.nix
+++ b/nixos/server.nix
@ -1,9 +1,55 @@
 {
  lib,
  config,
+  self,
  ...
 }: {
+  options.pim.tailscale.advertiseExitNode = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+  };
+
  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
-    services.openssh.enable = true;
+    networking = {
+      firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
+      domain = "dmz";
+      useDHCP = false;
+      nftables.enable = lib.mkDefault true;
+      firewall.enable = lib.mkDefault true;
+    };
+
+    systemd.network = {
+      enable = true;
+
+      networks = {
+        "30-main-nic" = {
+          matchConfig.Name = "en*";
+          networkConfig.DHCP = "yes";
+        };
+      };
+    };
+
+    services = {
+      openssh.enable = true;
+      prometheus.exporters.node.enable = true;
+
+      tailscale = {
+        authKeyFile = config.sops.secrets."tailscale/authKey".path;
+        useRoutingFeatures = "server";
+        openFirewall = true;
+
+        extraUpFlags =
+          [
+            "--accept-dns=false"
+            "--hostname=${config.networking.hostName}"
+          ]
+          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
+          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";
+      };
+    };
+
+    sops.secrets."tailscale/authKey" = {
+      sopsFile = "${self}/secrets/servers.sops.yaml";
+    };
  };
 }