diff --git a/flake.lock b/flake.lock index 3f11240..6826ae1 100644 --- a/flake.lock +++ b/flake.lock @@ -3,7 +3,7 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_9", "utils": "utils" }, "locked": { @@ -19,6 +19,46 @@ "type": "indirect" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1687431792, + "narHash": "sha256-ba5d/XlxQrgNrYeYhriX3FISBMVBF+nKVBMLE0/OC0Q=", + "owner": "nix-community", + "repo": "disko", + "rev": "637d87df3fd265a1d1669d897ad9436a87fc5ad8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "disko_2": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1686222354, + "narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=", + "owner": "nix-community", + "repo": "disko", + "rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "dwarffs": { "inputs": { "nix": "nix", @@ -140,6 +180,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685662779, + "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -262,7 +323,7 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1685438474, @@ -330,7 +391,7 @@ "nil": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "rust-overlay": "rust-overlay" }, "locked": { 
@@ -350,7 +411,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { @@ -369,7 +430,7 @@ "nix_2": { "inputs": { "lowdown-src": "lowdown-src_2", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1633098935, @@ -386,7 +447,7 @@ }, "nixinate": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1682599469, @@ -404,7 +465,7 @@ }, "nixng": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1684005067, 
@@ -420,18 +481,82 @@ "type": "github" } }, - "nixpkgs": { + "nixos-2305": { "locked": { - "lastModified": 1653988320, - "narHash": "sha256-ZaqFFsSDipZ6KVqriwM34T739+KLYJvNmCWzErjAg7c=", + "lastModified": 1686478675, + "narHash": "sha256-EBm0oKY+B+BF/wQzegHCLPZQ2BxfgRSfEJhAd9N2XyA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fa57ed190fd6c7c746319444f34b5917666e5c1", + "rev": "207e4680b5ffe797038955949ab20ddc4a31c835", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.05-small", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos-anywhere": { + "inputs": { + "disko": "disko_2", + "flake-parts": "flake-parts_2", + "nixos-2305": "nixos-2305", + "nixos-images": "nixos-images", + "nixpkgs": "nixpkgs_7", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1686903963, + "narHash": "sha256-8XBLIAGUWHhRrTm0+AcpobTHeofaNbCa6Xb3SruYjmk=", + "owner": "numtide", + "repo": "nixos-anywhere", + "rev": "ed9ec041d7d19e5b412aa19e6db0ddc6c7db7d70", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nixos-anywhere", + "type": "github" + } + }, + "nixos-images": { + "inputs": { + "nixos-2305": [ + "nixos-anywhere", + "nixos-2305" + ], + "nixos-unstable": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1686466496, + "narHash": "sha256-HYSUVZ85+POkLOo1Om7yw1870xqwJp3ABu+Fz7hBJY8=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "13e5db35e8b5a646d0efa81ff1dd003336ffe65f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1686582075, + "narHash": "sha256-vtflsfKkHtF8IduxDNtbme4cojiqvlvjp5QNYhvoHXc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7e63eed145566cca98158613f3700515b4009ce3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -521,6 +646,35 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1632864508, + "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05-small", + "type": "indirect" + } + }, + "nixpkgs_11": { + "locked": { + "lastModified": 1632495107, + "narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=", + "owner": "serokell", + "repo": "nixpkgs", + "rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_12": { "locked": { "lastModified": 1676569297, "narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=", @@ -534,6 +688,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1653988320, + "narHash": "sha256-ZaqFFsSDipZ6KVqriwM34T739+KLYJvNmCWzErjAg7c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2fa57ed190fd6c7c746319444f34b5917666e5c1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1684570954, "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", @@ -549,7 +719,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1682929865, "narHash": "sha256-jxVrgnf5QNjO+XoxDxUWtN2G5xyJSGZ5SWDQFxMuHxc=", @@ -565,7 +735,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1653060744, "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", @@ -581,7 +751,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1668984258, "narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=", 
@@ -597,7 +767,23 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { + "locked": { + "lastModified": 1686406799, + "narHash": "sha256-/MHAr6x5/DDEAWFQLgIlyFT9jCXl5O6OWCoNGmfnL3g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9166729004aef4db3390d7199a45f6c7331275a2", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_8": { "locked": { "lastModified": 1685383865, "narHash": "sha256-3uQytfnotO6QJv3r04ajSXbEFMII0dUtw0uqYlZ4dbk=", @@ -613,7 +799,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_9": { "locked": { "lastModified": 1648219316, "narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=", @@ -629,35 +815,6 @@ "type": "github" } }, - "nixpkgs_8": { - "locked": { - "lastModified": 1632864508, - "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-21.05-small", - "type": "indirect" - } - }, - "nixpkgs_9": { - "locked": { - "lastModified": 1632495107, - "narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=", - "owner": "serokell", - "repo": "nixpkgs", - "rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_4", @@ -685,6 +842,7 @@ }, "root": { "inputs": { + "disko": "disko", "dwarffs": "dwarffs", "emacs": "emacs", "flake-parts": "flake-parts", @@ -693,7 +851,8 @@ "nil": "nil", "nixinate": "nixinate", "nixng": "nixng", - "nixpkgs": "nixpkgs_6", + "nixos-anywhere": "nixos-anywhere", + "nixpkgs": "nixpkgs_8", "nixpkgs-hashicorp": "nixpkgs-hashicorp", "secret": "secret", "serokell-nix": "serokell-nix", 
@@ -732,8 +891,8 @@ "secret": { "flake": false, "locked": { - "lastModified": 1687440997, - "narHash": "sha256-Yp3K5WjfHyNcR0F0btrdW4gFmxNdbS43CRntJIjqZWM=", + "lastModified": 1687644093, + "narHash": "sha256-JCeh/wDvkIBaK5BND8xQy00ZXzhn0ygJ+ZESSl6tbqs=", "path": "/home/main/dotfiles2/secret", "type": "path" }, @@ -749,7 +908,7 @@ "flake-utils": "flake-utils_2", "gitignore-nix": "gitignore-nix", "nix": "nix_2", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1665438610, @@ -812,6 +971,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685519364, + "narHash": "sha256-rE9c9jWDSc5Nj0OjNzBENaJ6j4YBphcqSPia2IwCMLA=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "6521a278bcba66b440554cc1350403594367b4ac", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "tuxedo-nixos": { "inputs": { "flake-compat": "flake-compat_3", @@ -873,8 +1053,8 @@ }, "uterranix": { "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_10", + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_12", "terranix": "terranix" }, "locked": { diff --git a/flake.nix b/flake.nix index 2542ddf..32cac6a 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,9 @@ dwarffs.url = "github:edolstra/dwarffs"; serokell-nix.url = "github:serokell/serokell.nix?ref=magicrb-allow-wildcards-with-no-main"; + disko.url = "github:nix-community/disko"; + nixos-anywhere.url = "github:numtide/nixos-anywhere"; + tuxedo-rs.url = "github:AaronErhardt/tuxedo-rs"; tuxedo-rs.inputs.nixpkgs.follows = "nixpkgs"; @@ -48,6 +51,7 @@ nixos/systems/toothpick nixos/systems/liveusb nixos/systems/blowhole + nixos/systems/altra nixng/containers/ingress-blowhole nixng/containers/ingress-toothpick 
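Review bot: The two new inputs `disko.url` and `nixos-anywhere.url` carry no `inputs.nixpkgs.follows = "nixpkgs";`, unlike `tuxedo-rs` two lines below, so the lockfile now pins two additional nixpkgs revisions (the new `nixpkgs` and `nixpkgs_7` entries in flake.lock), each with its own package set and patch level to track. Adding `disko.inputs.nixpkgs.follows = "nixpkgs";` and `nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";` keeps one nixpkgs to audit and update. nixos-anywhere also locks its own copy of disko (`disko_2`); if both are meant to be the same version, `nixos-anywhere.inputs.disko.follows = "disko";` collapses that as well.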
@@ -146,6 +150,8 @@ flake.apps = inputs.nixpkgs.lib.genAttrs config.systems (system: {
 nixinate = (inputs.nixinate.nixinate.${system} self).nixinate;
+ nixos-anywhere.program = (inputs.nixos-anywhere.packages.${system}.nixos-anywhere);
+ nixos-anywhere.type = "app";
 });
 perSystem = { system, pkgs, ... }:
diff --git a/nixos/systems/altra/consul.nix b/nixos/systems/altra/consul.nix
new file mode 100644
index 0000000..9a9f982
--- /dev/null
+++ b/nixos/systems/altra/consul.nix
@@ -0,0 +1,56 @@
+{ inputs', lib, config, pkgs, secret, ... }:
+let
+ inherit (lib)
+ mkForce
+ singleton;
+in
+{
+ services.hashicorp.consul = {
+ enable = true;
+
+ extraSettingsPaths = singleton "/run/secrets/consul.json";
+ package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
+
+ settings = {
+ datacenter = "do-1";
+ data_dir = "/var/lib/consul";
+
+ retry_join_wan = singleton (secret.network.ips.blowhole.ip or "");
+
+ server = true;
+
+ bind_addr = secret.network.ips.toothpick or "";
+ client_addr = secret.network.ips.toothpick or "";
+
+ primary_datacenter = "homelab-1";
+
+ acl = {
+ enabled = true;
+ default_policy = "deny";
+ enable_token_persistence = true;
+ enable_token_replication = true;
+ };
+
+ ports = {
+ http = 8500;
+ grpc = 8502;
+ };
+
+ ui_config.enabled = true;
+
+ connect.enabled = true;
+
+ # ca_file = "/var/secrets/consul-ca.crt";
+ # cert_file = ""
+ # key_file = ""
+ verify_incoming = false;
+ verify_outgoing = false;
+ verify_server_hostname = false;
+ };
+ };
+
+ systemd.services.hashicorp-consul.serviceConfig = {
+ LimitNOFILE = mkForce "infinity";
+ LimitNPROC = mkForce "infinity";
+ };
+}
diff --git a/nixos/systems/altra/default.nix b/nixos/systems/altra/default.nix
new file mode 100644
index 0000000..29991dd
--- /dev/null
+++ b/nixos/systems/altra/default.nix
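Review bot: `verify_incoming`, `verify_outgoing` and `verify_server_hostname` are all `false` while `retry_join_wan` federates this server with blowhole and `connect.enabled = true`, so gossip, RPC and the ACL tokens rendered into `/run/secrets/consul.json` would cross the WAN link without TLS or server authentication; the `ca_file`/`cert_file`/`key_file` lines just above them are the intended fix and are still commented out. `bind_addr` and `client_addr` read `secret.network.ips.toothpick` on a host whose networking.nix names it `altra`, and `datacenter = "do-1"` looks inherited from another host's file — confirm these before the `# ./consul.nix` import in default.nix is uncommented. The `or ""` fallbacks also turn a missing secret into an empty address string at runtime rather than an evaluation error, which hides the misconfiguration until the agent starts.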
@@ -0,0 +1,78 @@
+# SPDX-FileCopyrightText: 2022 Richard Brežák
+#
+# SPDX-License-Identifier: LGPL-3.0-or-later
+{ inputs, lib', config, ... }:
+let
+ inherit (lib')
+ flip
+ mapAttrs
+ singleton
+ mkForce;
+
+ config' = config;
+in
+{
+ flake.nixosConfigurations.altra = inputs.nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+
+ specialArgs = {
+ config' = config';
+ inputs' = inputs;
+ secret = lib'.loadSecrets inputs.secret;
+ };
+
+ modules = singleton
+ ({ pkgs, config, ... }:
+ {
+ imports = [
+ # ./consul.nix
+ # ./nomad.nix
+ # ./vault-agent.nix
+ # ./u2t.nix
+ ./grub.nix
+ ./networking.nix
+ ./nixpkgs.nix
+ ./hardware.nix
+ ./filesystems.nix
+ ./users.nix
+ ../../common/remote_access.nix
+
+ config'.flake.nixosModules.hashicorp
+ inputs.disko.nixosModules.disko
+ ];
+
+ environment.defaultPackages = mkForce [];
+ nix.allowedUsers = [ "@wheel" ];
+ security.sudo.execWheelOnly = true;
+
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+ environment.etc."audit/auditd.conf".text = ''
+ write_logs = no
+ dispatcher = ${pkgs.audit}/bin/audispd
+ space_left = 1
+ '';
+
+ _module.args.nixinate = {
+ host = "altra.redalder.org";
+ sshUser = "main";
+ buildOn = "local";
+ substituteOnTarget = true;
+ hermetic = false;
+ nixOptions = [
+ "--override-input secret path://$HOME/dotfiles/secret"
+ ];
+ };
+
+ environment.systemPackages = [
+ pkgs.git
+ ];
+
+ time.timeZone = "Europe/Amsterdam";
+ system.stateVersion = "23.05";
+ });
+ };
+}
diff --git a/nixos/systems/altra/filesystems.nix b/nixos/systems/altra/filesystems.nix
new file mode 100644
index 0000000..dbdb42b
--- /dev/null
+++ b/nixos/systems/altra/filesystems.nix
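Review bot: `write_logs = no` in the generated `auditd.conf` turns off auditd's own log file, so the `execve` records requested by `security.audit.rules` survive only as far as the dispatcher forwards them; confirm that path really lands in the journal under the persisted `/var/log` dataset, or drop `write_logs = no` so the records are kept on disk. `dispatcher = ${pkgs.audit}/bin/audispd` is also worth checking against the packaged audit version, since audispd was folded into auditd in the 3.x series and the binary may not exist at that path. Smaller points: `config' = config';` inside `specialArgs` can be `inherit config';`, and the SPDX year `2022` on a new file whose `system.stateVersion` is `"23.05"` looks stale.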
@@ -0,0 +1,157 @@
+{ ... }:
+{
+ disko.devices = {
+ disk.boot = {
+ type = "disk";
+ device = "/dev/sda";
+
+ content = {
+ type = "table";
+ format = "gpt";
+
+ partitions = [
+ {
+ name = "boot";
+ start = "0";
+ end = "1MiB";
+ part-type = "primary";
+ flags = [ "bios_grub" ];
+ }
+ {
+ name = "ESP";
+ start = "1MiB";
+ end = "513MiB";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "swap";
+ start = "513MiB";
+ end = "4609MiB";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ }
+ {
+ name = "altra-zpool";
+ start = "4609MiB";
+ end = "100%";
+ content = {
+ type = "zfs";
+ pool = "altra-zpool";
+ };
+ }
+ ];
+ };
+ };
+
+ zpool.altra-zpool = {
+ type = "zpool";
+ rootFsOptions = {
+ compression = "zstd-2";
+ acltype = "posixacl";
+ xattr = "sa";
+ atime = "off";
+ };
+
+ datasets = {
+ "local" = {
+ type = "zfs_fs";
+ options.mountpoint = "none";
+ };
+
+ "local/nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ options.mountpoint = "legacy";
+ };
+
+ "persist" = {
+ type = "zfs_fs";
+ options.mountpoint = "none";
+ };
+
+ "persist/nomad" = {
+ type = "zfs_fs";
+ mountpoint = "/var/lib/nomad";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults""noexec" ];
+ };
+
+ "persist/consul" = {
+ type = "zfs_fs";
+ mountpoint = "/var/lib/consul";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults" "noexec" ];
+ };
+
+ "persist/log" = {
+ type = "zfs_fs";
+ mountpoint = "/var/log";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults" "noexec" ];
+ };
+
+ "persist/etc" = {
+ type = "zfs_fs";
+ mountpoint = "/nix/persist/etc";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults" "noexec" ];
+ };
+
+ "persist/secret" = {
+ type = "zfs_fs";
+ mountpoint = "/var/secret";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults" "noexec" ];
+ };
+
+ "persist/var" = {
+ type = "zfs_fs";
+ options.mountpoint = "none";
+ };
+
+ "persist/var/lib" = {
+ type = "zfs_fs";
+ options.mountpoint = "none";
+ };
+
+ "persist/var/lib/nixos" = {
+ type = "zfs_fs";
+ mountpoint = "/var/lib/nixos";
+ options.mountpoint = "legacy";
+ mountOptions = [ "defaults" "noexec" ];
+ };
+ };
+ };
+
+ nodev = {
+ "/" = {
+ fsType = "tmpfs";
+ mountOptions = [ "defaults" "size=512M" "mode=755" "noexec" ];
+ };
+ };
+ };
+
+ fileSystems."/nix/persist/etc".neededForBoot = true;
+
+ systemd.tmpfiles.rules = [
+ "d /nix/persist/etc/ssh - - - - -"
+ ];
+
+ system.activationScripts = {
+ machine-id = ''
+ ln -sf /nix/persist/etc/machine-id /etc/machine-id
+ '';
+ };
+
+ environment.etc."ssh/ssh_host_rsa_key".source = "/nix/persist/etc/ssh/ssh_host_rsa_key";
+ environment.etc."ssh/ssh_host_rsa_key.pub".source = "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
+ environment.etc."ssh/ssh_host_ed25519_key".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key";
+ environment.etc."ssh/ssh_host_ed25519_key.pub".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";
+}
diff --git a/nixos/systems/altra/grub.nix b/nixos/systems/altra/grub.nix
new file mode 100644
index 0000000..52d377a
--- /dev/null
+++ b/nixos/systems/altra/grub.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+let
+ inherit (lib)
+ singleton;
+in
+{
+ boot.loader.efi = {
+ canTouchEfiVariables = true;
+ };
+ boot.loader.grub = {
+ enable = true;
+ device = "nodev";
+ efiSupport = true;
+ };
+}
diff --git a/nixos/systems/altra/hardware.nix b/nixos/systems/altra/hardware.nix
new file mode 100644
index 0000000..851e51b
--- /dev/null
+++ b/nixos/systems/altra/hardware.nix
@@ -0,0 +1,8 @@
+{ inputs', ... }:
+{
+ imports = [
+ (inputs'.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.kernelModules = ["nvme"];
+}
diff --git a/nixos/systems/altra/networking.nix b/nixos/systems/altra/networking.nix
new file mode 100644
index 0000000..f92791a
--- /dev/null
+++ b/nixos/systems/altra/networking.nix
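Review bot: `mountOptions = [ "defaults""noexec" ];` on `persist/nomad` is missing the space between the two strings; Nix still parses it as two list elements, but it reads as one and differs from every sibling dataset — write `mountOptions = [ "defaults" "noexec" ];`. More substantively, `noexec` on `/var/lib/nomad` (nomad.nix sets `data_dir = "/var/lib/nomad"`) covers Nomad's allocation directories, so any task that executes a binary from its alloc dir (exec/raw_exec drivers, downloaded artifacts, the nix integration patch) would fail with a permission error; keep `noexec` only if the docker driver is the sole driver, otherwise drop it for this one dataset and say so in a comment. Also, `persist/var/lib` is `mountpoint = "none"` and nothing persists `/var/lib/docker`, so once nomad.nix's `virtualisation.docker.enable = true` is active the image store would live in the 512M `noexec` tmpfs root and be lost on reboot.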
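Review bot: `pkgs` in the module arguments and the `inherit (lib) singleton;` binding are unused in grub.nix; reduce the header to `{ ... }:` with no `let`. The `boot` partition in filesystems.nix carries the `bios_grub` flag while this file sets `device = "nodev"; efiSupport = true;`, which is an EFI-only install, so the BIOS fallback partition appears to be dead weight unless a BIOS target is intended — a one-line comment stating which is meant would save the next reader the question.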
@@ -0,0 +1,136 @@
+{ pkgs, lib, secret, ... }:
+let
+ inherit (lib)
+ getExe;
+in
+{
+ # boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
+
+ # https://github.com/NixOS/nixpkgs/issues/76671
+ # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
+ # and can't be manually started...
+ boot.supportedFilesystems = [ "nfs" ];
+ services.rpcbind.enable = true;
+
+ networking = {
+ hostName = "altra";
+ hostId = "4eb49917";
+ useDHCP = false;
+ interfaces.eth0.useDHCP = true;
+ firewall.enable = true;
+
+ # nameservers = [
+ # (secret.network.ips.blowhole.ip or "")
+ # "93.184.77.2"
+ # "67.207.67.3"
+ # ];
+
+ # wireguard = {
+ # enable = true;
+ # interfaces."wg0" =
+ # {
+ # postSetup = ''
+ # ${getExe pkgs.iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
+ # '';
+
+ # postShutdown = ''
+ # ${getExe pkgs.iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
+ # '';
+ # }
+ # // secret.wireguard."toothpick" or { privateKey = ""; };
+ # };
+
+ # defaultGateway = "64.225.96.1";
+ # defaultGateway6 = "";
+ # dhcpcd.enable = false;
+ # usePredictableInterfaceNames = lib.mkForce false;
+
+ # firewall = {
+ # extraCommands = ''
+ # iptables -P FORWARD DROP
+ # '';
+
+ # interfaces."eth0" = {
+ # allowedTCPPorts = [
+ # 80
+ # 443
+ # 6001
+ # ];
+ # allowedUDPPorts = [
+ # 6666
+ # ];
+ # };
+
+ # interfaces."nomad" = {
+ # allowedTCPPorts = [
+ # 8500
+ # ];
+ # };
+
+ # interfaces."wg0" = {
+ # allowedTCPPorts = [
+ # ## Consul
+ # 8600 # DNS
+ # 8500 # HTTP
+ # 8502 # gRPC
+ # 8300 # server
+ # 8301 # LAN serf
+ # 8302 # WAN serf
+ # 4646 # Nomad
+ # 4647
+ # 4648
+ # 10000
+ # ];
+ # allowedTCPPortRanges = [
+ # {
+ # from = 21000;
+ # to = 21255;
+ # }
+ # ];
+ # allowedUDPPorts = [
+ # ## Consul
+ # 8600 # DNS
+ # 8301 # LAN serf
+ # 8302 # WAN serf
+ # ];
+ # allowedUDPPortRanges = [
+ # {
+ # from = 21000;
+ # to = 21255;
+ # }
+ # ];
+ # };
+ # };
+
+ # interfaces = {
+ # eth0 = {
+ # ipv4.addresses = [
+ # {
+ # address = "64.225.104.221";
+ # prefixLength = 20;
+ # }
+ # {
+ # address = "10.19.0.6";
+ # prefixLength = 16;
+ # }
+ # ];
+ # ipv6.addresses = [
+ # {
+ # address = "fe80::8ce0:84ff:fefb:f981";
+ # prefixLength = 64;
+ # }
+ # ];
+ # ipv4.routes = [
+ # {
+ # address = "64.225.96.1";
+ # prefixLength = 32;
+ # }
+ # ];
+ # };
+ # };
+ };
+
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
+ '';
+}
diff --git a/nixos/systems/altra/nixpkgs.nix b/nixos/systems/altra/nixpkgs.nix
new file mode 100644
index 0000000..cacedfe
--- /dev/null
+++ b/nixos/systems/altra/nixpkgs.nix
@@ -0,0 +1,13 @@
+{ inputs', config', ... }:
+{
+ imports = [
+ ../../common/nixpkgs.nix
+ ];
+
+ nixpkgs.overlays =
+ (with config'.flake.overlays; [])
+ ++
+ (with inputs'.nixng.overlays; [
+ default
+ ]);
+}
diff --git a/nixos/systems/altra/nomad.nix b/nixos/systems/altra/nomad.nix
new file mode 100644
index 0000000..625fc01
--- /dev/null
+++ b/nixos/systems/altra/nomad.nix
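Review bot: Roughly a hundred lines of this file are commented-out configuration carried over from another host — `secret.wireguard."toothpick"`, the public address `64.225.104.221`, the `wg0` firewall rules — and the live part is DHCP on `eth0` plus `firewall.enable = true` with no allowed ports. That matters beyond tidiness: nomad.nix later in this diff sets `network_interface = "wg0"` and `host_network."public".cidr = "64.225.104.221/32"`, neither of which exists on altra while the wireguard block stays commented out, so enabling that module would fail at agent start; either bring a wireguard/firewall definition back for altra with its own keys and addresses, or delete the dead block and correct nomad.nix. `boot.supportedFilesystems = [ "nfs" ]` with `services.rpcbind.enable = true` starts rpcbind on 111/tcp+udp; the default-deny firewall keeps it off the wire, but a comment naming the NFS mount it serves would justify keeping it, and `getExe` is only used inside the commented block.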
@@ -0,0 +1,132 @@
+{ lib, config, config', pkgs, inputs', secret, ... }:
+{
+ services.hashicorp.nomad = {
+ enable = true;
+
+ extraPackages = with pkgs; [
+ coreutils
+ iproute2
+ iptables
+ consul
+ glibc
+ config.nix.package
+ git
+ ];
+ extraSettingsPaths = [
+ "/run/secrets/nomad.json"
+ ];
+ package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old:
+ {
+ patches = with config'.flake.patches; [
+ hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
+ hashicorp-nomad.add-nix-integration
+ ];
+ });
+
+ settings = {
+ server.enabled = true;
+
+ tls = {
+ # http = false # true
+ # rpc = true
+
+ # ca_file = "nomad-ca.pem"
+ # cert_file = "client.pem"
+ # key_file = "client-key.pem"
+
+ # verify_server_hostname = true
+ # verify_https_client = true
+ };
+
+ vault = {
+ enabled = true;
+ address = "https://${secret.network.ips.vault.dns or ""}:8200";
+ allow_unauthenticated = true;
+ create_from_role = "nomad-cluster";
+ };
+
+ consul = {
+ address = "${secret.network.ips.toothpick or ""}:8500";
+ auto_advertise = true;
+ server_auto_join = true;
+ client_auto_join = true;
+ };
+
+ acl.enabled = true;
+
+ client = {
+ cni_path = "${pkgs.cni-plugins}/bin";
+
+ options = {
+ "docker.privileged.enabled" = "true";
+ };
+
+ host_network."default" = {
+ cidr = secret.network.ips.toothpick or "" + "/32";
+ };
+
+ host_network."private" = {
+ cidr = secret.network.ips.toothpick or "" + "/32";
+ };
+
+ host_network."mesh" = {
+ cidr = secret.network.ips.toothpick or "" + "/32";
+ };
+
+ network_interface = "wg0";
+
+ host_network."public" = {
+ cidr = "64.225.104.221/32";
+ reserved_ports = "22";
+ };
+
+ enabled = true;
+ };
+
+ plugin."docker" = {
+ config = {
+ allow_caps = [
+ "CHOWN"
+ "DAC_OVERRIDE"
+ "FSETID"
+ "FOWNER"
+ "MKNOD"
+ "NET_RAW"
+ "SETGID"
+ "SETUID"
+ "SETFCAP"
+ "SETPCAP"
+ "NET_BIND_SERVICE"
+ "SYS_CHROOT"
+ "KILL"
+ "AUDIT_WRITE"
+ "SYS_ADMIN"
+ ];
+ allow_privileged = true;
+ extra_labels = [
+ "job_name"
+ "job_id"
+ "task_group_name"
+ "task_name"
+ "namespace"
+ "node_name"
+ "node_id"
+ ];
+ };
+ };
+
+ bind_addr = secret.network.ips.toothpick or "";
+ disable_update_check = true;
+ data_dir = "/var/lib/nomad";
+
+ server.authoritative_region = "homelab-1";
+ datacenter = "do-1";
+ region = "do-1";
+ };
+ };
+
+ virtualisation.docker.enable = true;
+ virtualisation.docker.daemon.settings.dns = [
+ (secret.network.ips.blowhole.ip or "")
+ ];
+}
diff --git a/nixos/systems/altra/u2t.nix b/nixos/systems/altra/u2t.nix
new file mode 100644
index 0000000..26a8869
--- /dev/null
+++ b/nixos/systems/altra/u2t.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ systemd.services.udp2tcp = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ restartIfChanged = true;
+
+ path = with pkgs; [ dig.host ];
+
+ script = ''
+ ${pkgs.udp-over-tcp}/bin/tcp2udp\
+ --tcp-listen 127.0.0.1:6001 \
+ --tcp-listen "$(host redalder.org | sed -e 's/.* //'):6001" \
+ --udp-forward 127.0.0.1:6666
+ '';
+ };
+}
diff --git a/nixos/systems/altra/users.nix b/nixos/systems/altra/users.nix
new file mode 100644
index 0000000..b58a9fe
--- /dev/null
+++ b/nixos/systems/altra/users.nix
@@ -0,0 +1,19 @@
+{ inputs', config', secret, ... }:
+{
+ imports = [
+ inputs'.home-manager.nixosModules.default
+ ../../common/users.nix
+ ];
+
+ home-manager.useGlobalPkgs = true;
+ home-manager.extraSpecialArgs = {
+ config' = config';
+ inputs' = inputs';
+ secret = secret;
+ };
+ home-manager.users.main = {
+ imports = [ (inputs'.self + "/home-manager/modules/profiles/server.nix") ];
+
+ home.stateVersion = "23.05";
+ };
+}
diff --git a/nixos/systems/altra/vault-agent.nix b/nixos/systems/altra/vault-agent.nix
new file mode 100644
index 0000000..77c93dd
--- /dev/null
+++ b/nixos/systems/altra/vault-agent.nix
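Review bot: The `tls` block is entirely commented out while `acl.enabled = true`, `server.enabled = true` and `bind_addr` is a routable address, so Nomad HTTP and RPC — including the replication, Vault and Consul tokens that vault-agent renders into `/run/secrets/nomad.json` — would be spoken in cleartext; the commented `ca_file`/`cert_file`/`key_file`/`verify_server_hostname`/`verify_https_client` lines are the fix and belong in place before `# ./nomad.nix` is uncommented in default.nix. The docker plugin is opened wide at the same time: `allow_privileged = true`, `"docker.privileged.enabled" = "true"` and `allow_caps` including `SYS_ADMIN` let any job that passes ACL submission run root-equivalent on the host, which deserves a comment tying it to the namespace policy that is meant to gate it. `bind_addr`, `consul.address` and the three `host_network` CIDRs all read `secret.network.ips.toothpick` on the altra host, so presumably an `altra` entry is intended. `allow_unauthenticated = true` under `vault` lets job submitters obtain Vault tokens without presenting one; that is the usual pairing with `create_from_role` but is worth stating explicitly.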
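Review bot: `--tcp-listen "$(host redalder.org | sed -e 's/.* //'):6001"` takes the last field of the last line `host` prints, which is whichever record is printed last (an AAAA or MX line as easily as the A record), and on a resolution failure the expansion is empty, leaving `:6001`, which the listener would most likely bind on every interface. Resolve the A record explicitly and refuse to start on an empty result, e.g. `addr="$(host -t A redalder.org | sed -e 's/.* //')"` followed by `[ -n "$addr" ] || exit 1`, or take the address from `secret` rather than live DNS. The `\` glued to `tcp2udp\` works but a space before it matches the other continuation lines, and `restartIfChanged = true` is already the default. u2t.nix is still commented out in default.nix's imports.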
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, secret, inputs', ... }:
+let
+ inherit (lib)
+ singleton;
+in
+{
+ services.hashicorp.vault-agent = {
+ enable = true;
+ package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault;
+
+ command = "agent";
+
+ extraPackages = with pkgs; [
+ sudo
+ getent
+ ];
+
+ settings = {
+ vault = {
+ address = "https://${secret.network.ips.vault.dns or ""}:8200";
+ retry.num_retries = 5;
+ };
+
+ auto_auth.method = singleton
+ {
+ "approle" = {
+ mount_path = "auth/approle";
+ config =
+ {
+ role_id_file_path = "/var/secrets/approle.roleid";
+ secret_id_file_path = "/var/secrets/approle.secretid";
+ remove_secret_id_file_after_reading = false;
+ };
+ };
+ };
+
+ sink = singleton
+ {
+ "file" = {
+ type = "file";
+ config.path = "/run/secrets/vault-token";
+ };
+ };
+
+ template = [
+ {
+ source = pkgs.writeText "consul.json.vtmpl"
+ ''
+ {
+ "encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
+ "acl": {
+ "tokens": {
+ "agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
+ "replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
+ "default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
+ }
+ }
+ }
+ '';
+ destination = "/run/secrets/consul.json";
+ command = pkgs.writeShellScript "consul-command"
+ ''
+ sudo systemctl try-reload-or-restart hashicorp-consul.service
+ '';
+ }
+ {
+ source = pkgs.writeText "nomad.json.vtmpl"
+ ''
+ {
+ "server": {
+ "encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
+ },
+ "acl": {
+ "replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
+ },
+ "vault": {
+ "token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
+ },
+ "consul": {
+ "token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
+ }
+ }
+ '';
+ destination = "/run/secrets/nomad.json";
+ command = pkgs.writeShellScript "nomad-command"
+ ''
+ sudo systemctl try-reload-or-restart hashicorp-nomad.service
+ '';
+ }
+ ];
+ };
+ };
+}
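Review bot: `role_id_file_path` and `secret_id_file_path` point at `/var/secrets/…`, but filesystems.nix mounts the persistent secret dataset at `/var/secret` (no `s`) and the root is a tmpfs, so the AppRole credentials would either have to be re-provisioned on every boot or the agent never authenticates; settle on one path for both files (consul.nix's commented `ca_file` uses `/var/secrets` too). Every `secret` lookup in both templates sits under `kv/data/do-1/toothpick/...`, so altra would run with toothpick's Consul agent/replication tokens, gossip keys and Nomad Vault token — a compromise or rotation on one node then affects the other, and Consul's per-node agent token no longer identifies a node; an `altra` KV prefix with its own tokens is the intended shape. The `sudo systemctl try-reload-or-restart …` template commands rely on a sudoers rule for the agent's user that is not in this diff, and `pkgs.sudo` from `extraPackages` is the plain store binary rather than the setuid wrapper, so confirm the wrapper in `/run/wrappers/bin` is what the service actually resolves. `remove_secret_id_file_after_reading = false` is reasonable for re-authentication after a restart but leaves the secret_id on disk, so ownership and mode on that file are its only protection.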