Migrate Warwick server to this repo

This commit is contained in:
Pim Kunis 2024-11-30 22:48:30 +01:00
parent a90c75931b
commit 842d2afbc0
12 changed files with 1702 additions and 4 deletions


@ -4,6 +4,8 @@ keys:
- &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
- &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
- &warwick_root age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
- &niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
creation_rules:
- path_regex: machines/sue/nixos.sops.yaml
@ -28,3 +30,17 @@ creation_rules:
- *sue_root
- *gamepc_root
- *gamepc_pim
- path_regex: machines/warwick/nixos.sops.yaml
key_groups:
- age:
- *warwick_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/servers.sops.yaml
key_groups:
- age:
- *warwick_root
- *sue_pim
- *sue_root
- *niels
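Review bot: The new `path_regex` values at L23 and L30 are unanchored regular expressions with unescaped dots, so `machines/warwick/nixos.sops.yaml` would also match a path such as `old/machines/warwick/nixos-sops.yaml` and silently encrypt it to this group; anchor and escape them, `path_regex: ^machines/warwick/nixos\.sops\.yaml$` and `path_regex: ^secrets/servers\.sops\.yaml$`. Both new rules grant the same four recipients, and `machines/warwick/nixos.sops.yaml` carries warwick's own age private key, so everyone who can read the shared server secrets also holds the host identity; that matches the existing host rules, but a one-line comment above the rule would make the trust decision explicit, e.g. `# warwick's host age key: decryptable by the host itself and by every admin (pim, sue_root, niels)`.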


@ -27,5 +27,12 @@ inputs @ {
./nixos
];
};
warwick = {
imports = [
(import ./machines).warwick.nixosModule
./nixos
];
};
};
}


@ -551,6 +551,22 @@
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1732483221,
"narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1732521221,
@ -720,6 +736,7 @@
"nixos-artwork": "nixos-artwork",
"nixos-cosmic": "nixos-cosmic",
"nixos-facter-modules": "nixos-facter-modules",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",


@ -9,6 +9,7 @@
treefmt-nix.url = "github:numtide/treefmt-nix";
nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
flake-utils.url = "github:numtide/flake-utils";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
git-hooks = {
url = "github:cachix/git-hooks.nix";


@ -8,4 +8,9 @@
system = "x86_64-linux";
nixosModule = import ./gamepc/configuration.nix;
};
warwick = {
system = "aarch64-linux";
nixosModule = import ./warwick/configuration.nix;
};
}


@ -0,0 +1,45 @@
{
lib,
config,
inputs,
...
}: {
imports = [inputs.nixos-hardware.nixosModules.raspberry-pi-4];
config = {
pim = {
tailscale.advertiseExitNode = true;
sopsKeys.root = ./nixos.sops.yaml;
prometheus.enable = true;
};
facter.reportPath = ./facter.json;
networking.hostName = "warwick";
system.stateVersion = "23.05";
systemd.network.networks."30-main-nic" = {
matchConfig.Name = lib.mkForce "end*";
networkConfig.IPv6AcceptRA = true;
};
deployment = {
targetHost = "warwick";
targetUser = "root";
tags = ["server"];
buildOnTarget = true;
};
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
sops = {
age.keyFile = "/root/.config/sops/age/keys.txt";
defaultSopsFile = ./nixos.sops.yaml;
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = ["noatime"];
};
};
}
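Review bot: `users.users.root.openssh.authorizedKeys.keys` at L138 gives two people direct root SSH logins and `deployment.targetUser = "root"` at L134 deploys as root as well, so nothing on this host attributes a login or a change to a person; the repo already acknowledges this pattern with a `# BUG: this uses root way too much.` comment in the shared module, but at minimum state the policy explicitly here with `services.openssh.settings.PermitRootLogin = "prohibit-password";` instead of relying on the NixOS default, and consider a dedicated deploy user with sudo. `buildOnTarget = true` at L136 makes the Raspberry Pi itself fetch and build the whole closure, so build-time inputs are pulled onto a DMZ host; if that is deliberate for aarch64, say so with `# build on the Pi: no aarch64 builder available on the deployer`. A short header comment naming the machine's role would also help a reader, e.g. `# Raspberry Pi 4 in the DMZ; Tailscale exit node and Prometheus server.`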

machines/warwick/facter.json Normal file



@ -0,0 +1,48 @@
sops_age_key: ENC[AES256_GCM,data:xoZAEBVDGyq3mpq7+eeXJVYR0LJXktE64aPPayO3BAAeLE9qyfru5LEuJiKmswmT4GehgRV4iDIM35a62nuHkf1SEp4bQXQJ6dE=,iv:DPdp1iuIrGcVjbUbhmiy8dIdnripIC7KU+JGveajwvc=,tag:oqlSl5ydnr4/r9/lFSUlLA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cWpBQk40cTNZSjFCVW5p
ajJlZUpFMFdzZEpJM0VDUTNoUWNVZzdZRkYwCjNNQjJUZThCU2RiQnVKQjhjVWZL
V1hNQXNBMGw0bUtmTnJVM2hoWWtyOUkKLS0tIFJFQVBpaXN6WFk2VFVSdExNcUl1
KzVQV09IUmFEVFpzbS9tdTE5cjhkVkEKnX1/AvxwSeo6p0EPGU5KnqxwdhEDSQQA
FB3JiU12vy0kh1NYWT+roUYT39BJCk/tjRgHJ6E5qc9LKwthXFdi/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWkxEV2ViREFzSE1ZOU9w
ZDNMYnlSSzdOWVZIc1oveHByVVJrTU1SbGx3CmZjRlF6MkJnTXNHK2k3K0hCcEdW
SkcwWE5XakthWHJxWEpud3ZuY2ZFNkUKLS0tIFdRL3JpSWFHZ2hYQXVEOVgvaElN
RnFzNUkwVWVhd3RCOFVZaXZRc3hEM1kKlk5bPXaDkVCk5/4hZF2aoFAr8LEVX/Te
I90BMUglu4qsUjNNhiZVGMV1LIk9mue4sxBP25BZpDLJVR+Mw7J61g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YkwyblJRd1dpV3lQSTNr
RlI4cHlXYXdleE9HL2E3YThka3pkZlBFcXhzCmtvZWc1cjIraldtazgrZXRod09U
WlRoYTFvM2t4ZmI5bzYxcGJlZmlzencKLS0tIEdxZU5QaVZWYkp0WjhKWTZZTXhr
REtoU1UxWUR3TUI0RUZaMEpwNEsvbHcKFAaqhhC92VHBr0c1yLlx7f3+yEWVaEtg
K+/JE0GTpcvWsrtGRslhcIP7zEFHlJ0hnOH/PUu1E9xEDF09c3gkBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2U1lwdlFZTlphdTNMTXh2
Q3F2UEJQSzBjRC9EY1Y0dExlcW9wUzM4NFc4CmZuaFcwc1hEcmRSQ0lDZ3BUSGQ4
Uy9STGVRMVg2NEpOaGVtTzhab3d4RGsKLS0tIFBCN2FtN2dOSjlIejRJNEFqWEVW
TTE1QzlIWlBtaFVBdkkvczFtaG82Z1EKlzD1POogze+J3C+e1Wf8n2JcWZxPUGSn
SZPp3j2NvvK/OrlcgPYJYt1513QzS5JYY5Sleqoj/GcF48+lq8523A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-30T18:11:28Z"
mac: ENC[AES256_GCM,data:Yi0IWmRPVHeO+GptuJN1gfDUldL/nKcx3BsIPuvSCF0/cpwVIWQ3BwfTZFfYOZlWAWTnmVbzuPSdbWmAUNmAb7E8A88VERCjY1z60mQ5uuW+LwbwLS6IY3/mXK6CQrnptH5etTNUoE+PrAVOPT7nBq/MohW0T5X09WW/63t0+Uc=,iv:JF/Yg/i8jtFxfiyk0OjoIdakXjVTLU6JHKiO7c8GwkI=,tag:g8kP1HLxGp8uNYfWpj5wBQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -20,6 +20,8 @@
./cinnamon.nix
./ssh.nix
./desktop.nix
./server.nix
./prometheus.nix
];
options = {
@ -31,9 +33,27 @@
config = {
time.timeZone = "Europe/Amsterdam";
i18n.defaultLocale = "en_US.UTF-8";
hardware.pulseaudio.enable = false;
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = let
extraLocale = "nl_NL.UTF-8";
in {
LC_ADDRESS = extraLocale;
LC_IDENTIFICATION = extraLocale;
LC_MEASUREMENT = extraLocale;
LC_MONETARY = extraLocale;
LC_NAME = extraLocale;
LC_NUMERIC = extraLocale;
LC_PAPER = extraLocale;
LC_TELEPHONE = extraLocale;
LC_TIME = extraLocale;
};
};
# BUG: this uses root way too much.
deployment.keys =
lib.mapAttrs' (user: sopsFile: let
homeDirectory =
@ -45,7 +65,7 @@
in {
name = "${user}-sops-age-key";
value = {
keyCommand = maybeSudo ++ [sops "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
keyCommand = maybeSudo ++ ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
name = "keys.txt";
destDir = "${homeDirectory}/.config/sops/age";
inherit user;
@ -135,7 +155,7 @@
};
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
# hostPlatform = lib.mkDefault "x86_64-linux";
config = {
allowUnfreePredicate = pkg:
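Review bot: The new `keyCommand` at L248 runs `nix run nixpkgs#sops`, which resolves `nixpkgs` through the deployer's flake registry (by default an unpinned nixpkgs-unstable) rather than through this repository's `flake.lock`, so the binary that decrypts and stages every host's age private key is neither pinned nor reproducible and can change underneath you between deploys. Prefer the locked input, e.g. `"nix" "run" "${inputs.nixpkgs}#sops" "--"` if `inputs` is reachable from this module, or reference a `sops` built for the deployer's platform — presumably the old `sops` store path was dropped because it was built for the target's `aarch64-linux`, which a build-platform package reference would fix without leaving the lockfile. The `nixpkgs` attribute set in the last hunk continues beyond L258.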

nixos/prometheus.nix Normal file

@ -0,0 +1,76 @@
{
lib,
config,
nodes,
...
}: {
options.pim.prometheus.enable = lib.mkEnableOption "prometheus";
config = lib.mkIf config.pim.prometheus.enable {
networking.firewall.allowedTCPPorts = [80];
services.prometheus = {
enable = true;
scrapeConfigs = (
let
generated = lib.pipe nodes [
(lib.filterAttrs (name: node: node.config.services.prometheus.exporters.node.enable))
(lib.attrsets.mapAttrsToList
(name: node: {
job_name = name;
static_configs = [
{
targets = ["${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"];
}
];
}))
];
# TODO: Remove this once they are migrated to this repo.
compat = map (
name: {
job_name = name;
static_configs = [
{
targets = ["${name}.dmz:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
) ["lewis" "atlas" "jefke"];
pikvm = {
job_name = "pikvm";
metrics_path = "/api/export/prometheus/metrics";
scheme = "https";
tls_config.insecure_skip_verify = true;
# We don't care about security here, it's behind a VPN.
basic_auth = {
username = "admin";
password = "admin";
};
static_configs = [
{
targets = ["pikvm.dmz"];
}
];
};
in
generated ++ compat ++ [pikvm]
);
};
services.nginx = {
enable = true;
virtualHosts."${config.networking.fqdn}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
recommendedProxySettings = true;
};
};
};
};
}
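Review bot: The PiKVM scrape job hard-codes `password = "admin"` at L307-L310, so the credential lands in the world-readable Nix store of the Prometheus host and in git history, and the "behind a VPN" comment covers neither place. Prometheus accepts `password_file` and this repository already wires sops secrets, so replace the literal with `basic_auth = { username = "admin"; password_file = config.sops.secrets."pikvm/password".path; };`, declare `sops.secrets."pikvm/password".owner = "prometheus";`, and rotate the PiKVM password away from its factory default. `tls_config.insecure_skip_verify = true` at L305 can likewise become `tls_config.ca_file` pinned to the PiKVM's self-signed certificate. Separately, the nginx vhost at L321-L329 publishes the full Prometheus UI on port 80 with no authentication and `allowedTCPPorts = [80]` at L273 opens it on every interface, which on a host that also acts as a Tailscale exit node exposes all scraped metrics to any peer that can reach it; bind the listener to the intended interface or add `basicAuthFile`.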


@ -1,9 +1,55 @@
{
lib,
config,
self,
...
}: {
options.pim.tailscale.advertiseExitNode = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
services.openssh.enable = true;
networking = {
firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
domain = "dmz";
useDHCP = false;
nftables.enable = lib.mkDefault true;
firewall.enable = lib.mkDefault true;
};
systemd.network = {
enable = true;
networks = {
"30-main-nic" = {
matchConfig.Name = "en*";
networkConfig.DHCP = "yes";
};
};
};
services = {
openssh.enable = true;
prometheus.exporters.node.enable = true;
tailscale = {
authKeyFile = config.sops.secrets."tailscale/authKey".path;
useRoutingFeatures = "server";
openFirewall = true;
extraUpFlags =
[
"--accept-dns=false"
"--hostname=${config.networking.hostName}"
]
++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";
};
};
sops.secrets."tailscale/authKey" = {
sopsFile = "${self}/secrets/servers.sops.yaml";
};
};
}
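Review bot: `--advertise-routes=192.168.30.0/24` at L377 is gated by `advertiseExitNode`, so turning on the exit node also advertises the DMZ subnet into the tailnet, a separate exposure that a reader of the option name will not expect; give it its own option, e.g. `options.pim.tailscale.advertiseRoutes = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; };`, and emit `--advertise-routes=${lib.concatStringsSep "," config.pim.tailscale.advertiseRoutes}` only when the list is non-empty. `services.openssh.enable = true` is set twice (L347 and L365); keep only the one inside the `services` block. The node-exporter port at L349 is opened on all interfaces, including the tailnet; if only the Prometheus host should scrape it, scope it with `networking.firewall.interfaces.<nic>.allowedTCPPorts`. The Tailscale auth key at L380-L382 is one shared secret for every `server`-tagged host, so if it is reusable a single compromised server can enrol further nodes; whether it is reusable or pre-authorized is not visible here, so prefer per-host or ephemeral keys or document the choice next to the secret.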

secrets/servers.sops.yaml Normal file

@ -0,0 +1,49 @@
tailscale:
authKey: ENC[AES256_GCM,data:3eXxQBY6AVqU4R1NlsyhGCfXW5wL58ODRH/f+zo5YFRad/ys1vB9JeKagq0SJSj/w4zxRAEpCf1o47Ypww==,iv:QklyIFuXlbH6cM/I0gqDH/Xeay9gqxqeyulQ7W/dbig=,tag:E/3UqtsfSVOi6otSlReO0Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcjVsVnNxcGlibnJDSWxE
NEtERm5xS3RRc0QvK09rOEdCYytlZUliaEVNCjZYR2l0Y3dhUDdGVGNwSlRLaTFa
WkZSKzJpVXBCUXhqZldMSis3UHpTQW8KLS0tIEI5V3FMR2xaeEpzMzZYdHo4YWNJ
MHBMeVpaMi9lTjFwcVVsUm1jR255UmsKxvOywqqgMfpQ1TngUmtxH80So10Yd+R2
I9+1chjRTAnHemtUU1154cL591b3BV5FHO3DpoiyY3MoxD2IC9PtzA==
-----END AGE ENCRYPTED FILE-----
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbVVVVEI0b3hpd3hyU2Vp
V1ZNejBUOUp6NU12dVgraTlrbDNDdmxENVEwCkJobDdObTVwcXB4a3pxUnM3QlVR
d253eUxnVlpnaTRPWFZXYnVoaW5jK00KLS0tIGRnbVhFMFk4aCtpMk9hSEJYT3ZZ
dVUwOTlCVXFoSTl0VjBaQm9BWkJyQTQKuPdUd32RaHmBvdyan4O5FRzUC4q8WtlQ
NXIhBUIVQgA8ns7HMP1Q5MxFg4s3I2dhUKq5qs6430+M+cVKF3wGEA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRkVnOHZoaXo5SGRiRzdU
KzdiRWNQMXRvQ2g2WG5GVWRNUzJkemd0ZzJBCnBtM1IwWVJ3L1BxakR0MFRTcm1I
cjVqdDEyRDNjbCtFNnk5aWd4L0tVR3cKLS0tIFJ1a2d3dzA2cWFESFlzbnRzc3FH
L21Hd2oyR0pWaTZONDByN0NrMS9lTDAKcMkHaUsUfV/kZBvT+UN8f+QTIvqJjmMY
7sVMAumtvBNhKs9OxMlPqiWvaeLtgGoExYZqq05VwWTHxYXLouPnuQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZEw4R3VvdEtjK2VSa3Bu
QzZ0dWU3Uk16TkVDaldEdzN6ZWduZERyd25NCmRzdWlEZ2V2SEc4VnczbE9yc0FX
eTZXemQxaU5LOXFzWmlmYTc3YWFvYUEKLS0tIFRwOHVIcUR2ejN5NHdSQ2N6c3hL
elZ6STcwTHZXZGI5Sk0yamtQN3lhcm8KWa4JI1H+pcav7ZwCZgUMXk+lsxFewD4O
1AOnFdamXZkUHN+zZB1zN6YJvHhUEaq2NiGAhc+ZLAc1sb5yeqd/2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-30T18:44:29Z"
mac: ENC[AES256_GCM,data:SG6a5pWa3gMaSz9d9fOchUXtXbRTpMOXmbOjZo5Fdx8Es1MEDwezwscQaj9p1dzmGa+7U8UUUzMYxlg2SmGgGdPgCs0a5RQVYvQFNdgpRiuknflFMcdgXLv7XFsTqsqSmbN0O662YDvCcz4DWRKjNCZAimlLym8pwDihj1D8dcU=,iv:JmCbcazDK2KPyYsoVy39sr4IbfiGfmGoopit5ojVADk=,tag:6tKYfMkJBjsThaa4qLqobw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1