dotfiles/nixos/systems/blowhole/default.nix


# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{
# Flake-level host identity: build architecture and the system name.  The
# NixOS networking.hostName further down is set to the same "blowhole".
system = "x86_64-linux";
name = "blowhole";
module = {
pkgs,
config,
lib,
secret,
roots,
inputs,
...
}:
with lib; {
# Host modules, all resolved relative to the repository's nixos root.
# NOTE(review): this single machine carries the secrets store (vault +
# vault-agent), the scheduler (nomad), service discovery (consul), DNS
# (bind), the NAS and the access point (hostapd) — it is the trust root of
# the whole network, so its firewall and NFS exposure below deserve the
# strictest review.
imports = map (rel: roots.nixos + rel) [
  "/profiles/vps.nix"
  "/systems/blowhole/consul.nix"
  "/systems/blowhole/nomad.nix"
  "/systems/blowhole/vault.nix"
  "/systems/blowhole/bind.nix"
  "/systems/blowhole/vault-agent.nix"
  "/systems/blowhole/nas.nix"
  "/systems/blowhole/firewall.nix"
  "/systems/blowhole/ical2org.nix"
  "/systems/blowhole/hostapd.nix"
  "/systems/blowhole/klipper.nix"
  "/systems/blowhole/monitoring.nix"
];
# Minimal home-manager profile for the login user "main" (the same account
# nixinate deploys over SSH as, see sshUser below); only the state version
# is pinned here.
home-manager.users."main" = {...}: {
home.stateVersion = "21.05";
};
# Options from the repository's own `magic_rb` module namespace.
magic_rb = {
  # GRUB is installed to a removable USB stick, addressed by its stable
  # /dev/disk/by-id path rather than a /dev/sdX name.
  grub.enable = true;
  grub.devices = [ "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_072124E3712B7287-0:0" ];
  # Host-specific hardware profile and an sshd/Emacs integration switch;
  # both are defined elsewhere in the repository.
  hardware.blowhole = true;
  sshdEmacs.enable = true;
};
# Deployment parameters for nixinate, handed in through _module.args.
_module.args = {
  nixinate = {
    # Reached on the internal 10.64.x.x network as the "main" user; the
    # closure is built on the deployer.  substituteOnTarget presumably lets
    # the target pull store paths from its own substituters rather than
    # receiving everything over SSH, so the target's trusted-substituter
    # settings are part of this deployment's trust chain — confirm.
    host = "10.64.0.2";
    sshUser = "main";
    buildOn = "local";
    substituteOnTarget = true;
    hermetic = false;
    # NOTE(review): the `secret` flake input is replaced by a plain path.
    # Anything from that input which evaluation copies into the system
    # closure ends up in the world-readable /nix/store on both the deployer
    # and the target; confirm secrets are only read at runtime (e.g. by the
    # vault-agent module imported above) and never embedded in derivation
    # outputs.  `$HOME` here is presumably expanded by the deployer's shell.
    nixOptions = [
      "--override-input secret path://$HOME/dotfiles/secret"
    ];
  };
};
# Raise rpc.mountd's open-file limit above the systemd default; presumably
# needed for the number of exports/clients served below — confirm.
systemd.services.nfs-mountd.serviceConfig.LimitNOFILE = 8192;
# Kernel NFS server.  Access control for every export below is by client IP
# address only: no `sec=` option is given, so the default AUTH_SYS flavour
# applies, in which the client asserts its own uid/gid and the server
# believes it.  Anyone able to source traffic from one of the listed
# 10.64.x.x addresses gets exactly that host's access.
#
# NOTE(review): `no_root_squash` on most exports means root on the client is
# root on these directories.  10.64.2.1 alone receives root-level write
# access to the jellyfin, gitea, hydra, minecraft, home-assistant, syncthing,
# dovecot/getmail/mail-configuration, baikal and matrix state; 10.64.0.8 and
# 10.64.3.20 to the mail trees; and 10.64.0.1 to ingress-letsencrypt
# (presumably TLS certificates and private keys — confirm).  A compromise of
# any of those clients therefore reaches every service whose data it holds.
# Exports to 10.64.2.129 (Magic_RB, syncthing/storage and the /mnt/* trees)
# keep the default root_squash.  A bare address (10.64.0.1, 10.64.2.129) is
# equivalent to a /32.
#
# `async` acknowledges writes before they reach stable storage, so a server
# crash can silently lose data the client believes committed — most relevant
# for the *-db and matrix/postgresql exports.  `crossmnt` additionally exposes
# any filesystem mounted beneath the exported directory.
#
# lockd/statd/mountd are pinned to fixed ports so the firewall can allow
# them explicitly (together with rpcbind 111 and nfsd 2049).
services.nfs.server = {
enable = true;
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
exports = ''
/var/nfs/jellyfin/cache 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)
/var/nfs/jellyfin/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)
/var/nfs/jellyfin/media 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)
/var/nfs/gitea-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/gitea-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/hydra-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/hydra-nix 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/hydra-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/minecraft/atm6 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/ingress-letsencrypt 10.64.0.1(rw,subtree_check,async,no_root_squash)
/var/nfs/Magic_RB 10.64.2.129(rw,subtree_check,async)
/mnt/cartman 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)
/mnt/kyle 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)
/mnt/stan 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)
/var/nfs/home-assistant_hass 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/home-assistant_db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/home-assistant_mosquitto 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/home-assistant_zigbee2mqtt 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/syncthing/data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/syncthing/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/syncthing/storage 10.64.2.1/32(rw,subtree_check,async,crossmnt)
/var/nfs/dovecot/maildir 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)
/var/nfs/getmail/getmail.d 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)
/var/nfs/mail-configuration 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)
/var/nfs/baikal/specific 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/baikal/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/matrix/synapse 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/matrix/postgresql 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/matrix/mautrix-facebook 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
/var/nfs/matrix/registrations 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
'';
};
# systemd.tmpfiles.rules = singleton "d /run/cfg/vault 0750 vault vault 1d";
networking = {
hostName = "blowhole";
# Global DHCP is off; only enp7s0f1 obtains its address via DHCP.  Whether
# that link faces the LAN or an uplink is not visible here, and it matters:
# the firewall allow-lists below are not scoped to an interface (see also
# the imported firewall.nix).
useDHCP = false;
interfaces.enp7s0f1.useDHCP = true;
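firewall = {
  enable = true;
  # NOTE(review): these allow-lists are not bound to an interface, so every
  # port below is reachable on enp7s0f1 (DHCP) and any other link this host
  # has.  If that interface is an uplink, the Consul HTTP API (8500), Nomad
  # HTTP API (4646), Vault (8200) and the NFS ports are exposed well beyond
  # the 10.64.x.x clients the NFS exports trust.  networking.firewall
  # .interfaces.<name>.allowedTCPPorts can scope them — confirm which link
  # faces the LAN before tightening.
  allowedTCPPorts = [
    80 # plain HTTP; no 443 here, TLS presumably terminates elsewhere — confirm
    ## Nomad
    4646 # HTTP API
    4647 # RPC
    4648 # serf gossip (TCP only here; Nomad's serf also uses UDP 4648 — confirm a single server needs none)
    ## Consul
    8600 # DNS
    8500 # HTTP API
    8502 # gRPC
    8300 # server RPC
    8301 # LAN serf
    8302 # WAN serf (only needed when federating datacenters — confirm)
    ## Vault — tokens and secrets travel over this port; vault.nix should
    ## enable TLS on the listener (not visible here).
    8200
    ## NFS: rpcbind, nfsd, and the statd/lockd/mountd ports pinned in
    ## services.nfs.server (4000/4001/4002).  rpc.mountd's default port
    ## 20048 is not bound because mountdPort = 4002, so it is no longer
    ## opened here.
    111
    2049
    4000
    4001
    4002
  ];
  # Presumably the Consul Connect sidecar proxy range (Consul's default is
  # 21000-21255); confirm the wider 21000-21999 is deliberate.
  allowedTCPPortRanges = [
    {
      from = 21000;
      to = 21999;
    }
  ];
  allowedUDPPorts = [
    ## Consul
    8600 # DNS
    8301 # LAN serf
    8302 # WAN serf
    ## NFS (20048 dropped for the same reason as on the TCP side)
    111
    2049
    4000
    4001
    4002
  ];
  allowedUDPPortRanges = [
    {
      from = 21000;
      to = 21999;
    }
  ];
};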
# 32-bit machine identifier.  ZFS pools, if the NAS module creates any
# (confirm), are bound to this value, so it must stay stable across rebuilds.
hostId = "2cb135ac";
};
# NixOS state-compatibility version; matches the home-manager stateVersion
# pinned for user "main" above.
system.stateVersion = "21.05";
};
}