# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{
  system = "x86_64-linux";
  name = "blowhole";

  # NixOS module for the "blowhole" host. Besides the usual pkgs/config/lib,
  # the flake passes `secret`, `roots` and `inputs` as extra module arguments
  # (the same mechanism this module uses below to hand `nixinate` its
  # deployment settings via _module.args).
  module = {
    pkgs,
    config,
    lib,
    secret,
    roots,
    inputs,
    ...
  }:
  {
    # Per-service configuration is split into one file per service under
    # systems/blowhole/; the vps profile is shared with other hosts. The
    # firewall, vault and consul details referenced in the comments below
    # live in those files and are not visible here.
    imports = [
      (roots.nixos + "/profiles/vps.nix")
      (roots.nixos + "/systems/blowhole/consul.nix")
      (roots.nixos + "/systems/blowhole/nomad.nix")
      (roots.nixos + "/systems/blowhole/vault.nix")
      (roots.nixos + "/systems/blowhole/bind.nix")
      (roots.nixos + "/systems/blowhole/vault-agent.nix")
      (roots.nixos + "/systems/blowhole/nas.nix")
      (roots.nixos + "/systems/blowhole/firewall.nix")
      (roots.nixos + "/systems/blowhole/ical2org.nix")
      (roots.nixos + "/systems/blowhole/hostapd.nix")
      (roots.nixos + "/systems/blowhole/klipper.nix")
      (roots.nixos + "/systems/blowhole/monitoring.nix")
      (roots.nixos + "/systems/blowhole/uterranix.nix")
    ];

    # The deploy user's home-manager profile; only the state version is
    # pinned here.
    home-manager.users."main" = {...}: {
      home.stateVersion = "21.05";
    };

    # Options from the repository's own `magic_rb` module namespace.
    magic_rb = {
      grub = {
        enable = true;
        # The boot loader goes onto a removable USB stick, addressed by its
        # stable by-id path rather than a /dev/sdX name.
        devices = [ "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_072124E3712B7287-0:0" ];
      };

      hardware.blowhole = true;
      # NOTE(review): custom option; what it enables on sshd is defined in the
      # magic_rb module, not here — check it before relying on sshd hardening.
      sshdEmacs.enable = true;
    };

    # Deployment settings consumed by nixinate (passed as a module argument).
    _module.args.nixinate = {
      host = "blowhole.hosts.in.redalder.org";
      sshUser = "main";
      # The closure is built on the deploying machine and pushed over ssh;
      # the target is allowed to fetch paths from its substituters instead.
      buildOn = "local";
      substituteOnTarget = true;
      hermetic = false;
      # The `secret` flake input is replaced at deploy time with a local
      # checkout path — presumably so secrets stay out of the committed
      # flake.lock/registry; confirm that $HOME/dotfiles/secret is the
      # intended source on every machine that runs the deploy.
      nixOptions = [
        "--override-input secret path://$HOME/dotfiles/secret"
      ];
    };

    # mountd serves the long export table below; raise its open-file limit.
    systemd.services.nfs-mountd.serviceConfig = {
      LimitNOFILE = 8192;
    };

    # systemd watchdog timers: the machine is reset if systemd stops
    # refreshing the watchdog at runtime, or if a reboot/kexec stalls.
    systemd.watchdog.runtimeTime = "60s";
    systemd.watchdog.rebootTime = "120s";
    systemd.watchdog.kexecTime = "120s";
    # Unattended recovery: when boot drops into emergency mode, wait 30 s for
    # a keypress on the console and otherwise reboot instead of sitting at
    # the emergency shell. NOTE(review): this favours availability over
    # diagnosis — a persistently broken boot becomes a reboot loop, and the
    # emergency shell is only reachable if someone is at the console within
    # the 30 s window.
    systemd.services."emergency".serviceConfig.ExecStartPre = "/bin/sh -c \"read -t 30 || /bin/systemctl reboot\"";

    # NFS server. lockd/mountd/statd are pinned to fixed ports so that the
    # firewall rules further down (4000-4002) can allow them.
    services.nfs.server = {
      enable = true;
      lockdPort = 4001;
      mountdPort = 4002;
      statdPort = 4000;
      # exports(5) table. Every export is scoped to individual client
      # addresses (/32 or a bare address) in 10.64.0.0/16, but note:
      #   - most entries carry no_root_squash, so root on that client is
      #     root on the exported tree (no uid 0 -> nobody mapping); the
      #     entries without it (Magic_RB, syncthing/storage, the 10.64.2.129
      #     client on /mnt/*) keep the default root squashing;
      #   - `async` acknowledges writes before they reach stable storage, so
      #     a server crash can lose acknowledged writes;
      #   - `subtree_check` is on everywhere, and `crossmnt` on the trees
      #     that contain nested mounts.
      # NOTE(review): exports are enforced by client address only; whether
      # the network makes 10.64.x addresses unspoofable is outside this file.
      exports = ''
        /var/nfs/jellyfin/cache 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)
        /var/nfs/jellyfin/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)
        /var/nfs/jellyfin/media 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt)

        /var/nfs/gitea-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/gitea-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/hydra-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/hydra-nix 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/hydra-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/minecraft/atm6 10.64.2.1/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/ingress-letsencrypt 10.64.0.1(rw,subtree_check,async,no_root_squash)

        /var/nfs/Magic_RB 10.64.2.129(rw,subtree_check,async)
        /mnt/cartman 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)
        /mnt/kyle 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)
        /mnt/stan 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt)

        /var/nfs/home-assistant_hass 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/home-assistant_db 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/home-assistant_mosquitto 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/home-assistant_zigbee2mqtt 10.64.2.1/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/syncthing/data 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/syncthing/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/syncthing/storage 10.64.2.1/32(rw,subtree_check,async,crossmnt)

        /var/nfs/dovecot/maildir 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/getmail/getmail.d 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/mail-configuration 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/baikal/specific 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/baikal/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash)

        /var/nfs/matrix/synapse 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/matrix/postgresql 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/matrix/mautrix-facebook 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
        /var/nfs/matrix/registrations 10.64.2.1/32(rw,subtree_check,async,no_root_squash)
      '';
    };

    # systemd.tmpfiles.rules = singleton "d /run/cfg/vault 0750 vault vault 1d";

    networking = {
      hostName = "blowhole";
      # Global DHCP is off; only the one named interface is configured with
      # DHCP here.
      useDHCP = false;
      interfaces.enp7s0f1.useDHCP = true;

      firewall = {
        enable = true;

        # NOTE(review): the lists below open these ports on every interface
        # with no source-address restriction at this level, so the cluster
        # control ports (Consul HTTP/gRPC, Nomad, Vault 8200) and the NFS
        # ports are reachable from anywhere this host is routable. Whether
        # systems/blowhole/firewall.nix narrows them per interface or source
        # is not visible here — confirm before treating this as the full
        # policy. TLS/ACL settings for those services live in their own
        # module files, not in this list.
        allowedTCPPorts = [
          80
          ## Nomad
          4646
          4647
          4648
          ## Consul
          8600 # DNS
          8500 # HTTP
          8502 # gRPC
          8300 # server
          8301 # LAN serf
          8302 # WAN serf
          ## Vault
          8200
          ## NFS
          111
          2049
          4000
          4001
          4002
          20048
        ];

        # Dynamic port range, presumably for Nomad task allocations — confirm
        # against the port range configured in nomad.nix.
        allowedTCPPortRanges = [
          {
            from = 21000;
            to = 21999;
          }
        ];

        # UDP counterparts: Consul gossip/DNS and the same pinned NFS ports.
        allowedUDPPorts = [
          ## Consul
          8600 # DNS
          8301 # LAN serf
          8302 # WAN serf
          ## NFS
          111
          2049
          4000
          4001
          4002
          20048
        ];

        allowedUDPPortRanges = [
          {
            from = 21000;
            to = 21999;
          }
        ];
      };

      # Stable 32-bit machine id (ZFS uses it to recognise its own pools);
      # must be unique per host.
      hostId = "2cb135ac";
    };

    system.stateVersion = "21.05";
  };
}