Initial altra configuration

Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-06-28 14:17:17 +02:00
parent cb22a44b9d
commit 8fb752ae01
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
13 changed files with 963 additions and 52 deletions


@ -3,7 +3,7 @@
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_9",
"utils": "utils"
},
"locked": {
@ -19,6 +19,46 @@
"type": "indirect"
}
},
"disko": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1687431792,
"narHash": "sha256-ba5d/XlxQrgNrYeYhriX3FISBMVBF+nKVBMLE0/OC0Q=",
"owner": "nix-community",
"repo": "disko",
"rev": "637d87df3fd265a1d1669d897ad9436a87fc5ad8",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"disko_2": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1686222354,
"narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=",
"owner": "nix-community",
"repo": "disko",
"rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"repo": "disko",
"type": "github"
}
},
"dwarffs": {
"inputs": {
"nix": "nix",
@ -140,6 +180,27 @@
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685662779,
"narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
@ -262,7 +323,7 @@
},
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1685438474,
@ -330,7 +391,7 @@
"nil": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"rust-overlay": "rust-overlay"
},
"locked": {
@ -350,7 +411,7 @@
"nix": {
"inputs": {
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
@ -369,7 +430,7 @@
"nix_2": {
"inputs": {
"lowdown-src": "lowdown-src_2",
"nixpkgs": "nixpkgs_8"
"nixpkgs": "nixpkgs_10"
},
"locked": {
"lastModified": 1633098935,
@ -386,7 +447,7 @@
},
"nixinate": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1682599469,
@ -404,7 +465,7 @@
},
"nixng": {
"inputs": {
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1684005067,
@ -420,18 +481,82 @@
"type": "github"
}
},
"nixpkgs": {
"nixos-2305": {
"locked": {
"lastModified": 1653988320,
"narHash": "sha256-ZaqFFsSDipZ6KVqriwM34T739+KLYJvNmCWzErjAg7c=",
"lastModified": 1686478675,
"narHash": "sha256-EBm0oKY+B+BF/wQzegHCLPZQ2BxfgRSfEJhAd9N2XyA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fa57ed190fd6c7c746319444f34b5917666e5c1",
"rev": "207e4680b5ffe797038955949ab20ddc4a31c835",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05-small",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": "disko_2",
"flake-parts": "flake-parts_2",
"nixos-2305": "nixos-2305",
"nixos-images": "nixos-images",
"nixpkgs": "nixpkgs_7",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1686903963,
"narHash": "sha256-8XBLIAGUWHhRrTm0+AcpobTHeofaNbCa6Xb3SruYjmk=",
"owner": "numtide",
"repo": "nixos-anywhere",
"rev": "ed9ec041d7d19e5b412aa19e6db0ddc6c7db7d70",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nixos-anywhere",
"type": "github"
}
},
"nixos-images": {
"inputs": {
"nixos-2305": [
"nixos-anywhere",
"nixos-2305"
],
"nixos-unstable": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1686466496,
"narHash": "sha256-HYSUVZ85+POkLOo1Om7yw1870xqwJp3ABu+Fz7hBJY8=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "13e5db35e8b5a646d0efa81ff1dd003336ffe65f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1686582075,
"narHash": "sha256-vtflsfKkHtF8IduxDNtbme4cojiqvlvjp5QNYhvoHXc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7e63eed145566cca98158613f3700515b4009ce3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -521,6 +646,35 @@
}
},
"nixpkgs_10": {
"locked": {
"lastModified": 1632864508,
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05-small",
"type": "indirect"
}
},
"nixpkgs_11": {
"locked": {
"lastModified": 1632495107,
"narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=",
"owner": "serokell",
"repo": "nixpkgs",
"rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_12": {
"locked": {
"lastModified": 1676569297,
"narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
@ -534,6 +688,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1653988320,
"narHash": "sha256-ZaqFFsSDipZ6KVqriwM34T739+KLYJvNmCWzErjAg7c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fa57ed190fd6c7c746319444f34b5917666e5c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
@ -549,7 +719,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1682929865,
"narHash": "sha256-jxVrgnf5QNjO+XoxDxUWtN2G5xyJSGZ5SWDQFxMuHxc=",
@ -565,7 +735,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1653060744,
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
@ -581,7 +751,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1668984258,
"narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=",
@ -597,7 +767,23 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1686406799,
"narHash": "sha256-/MHAr6x5/DDEAWFQLgIlyFT9jCXl5O6OWCoNGmfnL3g=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9166729004aef4db3390d7199a45f6c7331275a2",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1685383865,
"narHash": "sha256-3uQytfnotO6QJv3r04ajSXbEFMII0dUtw0uqYlZ4dbk=",
@ -613,7 +799,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_9": {
"locked": {
"lastModified": 1648219316,
"narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=",
@ -629,35 +815,6 @@
"type": "github"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1632864508,
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05-small",
"type": "indirect"
}
},
"nixpkgs_9": {
"locked": {
"lastModified": 1632495107,
"narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=",
"owner": "serokell",
"repo": "nixpkgs",
"rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_4",
@ -685,6 +842,7 @@
},
"root": {
"inputs": {
"disko": "disko",
"dwarffs": "dwarffs",
"emacs": "emacs",
"flake-parts": "flake-parts",
@ -693,7 +851,8 @@
"nil": "nil",
"nixinate": "nixinate",
"nixng": "nixng",
"nixpkgs": "nixpkgs_6",
"nixos-anywhere": "nixos-anywhere",
"nixpkgs": "nixpkgs_8",
"nixpkgs-hashicorp": "nixpkgs-hashicorp",
"secret": "secret",
"serokell-nix": "serokell-nix",
@ -732,8 +891,8 @@
"secret": {
"flake": false,
"locked": {
"lastModified": 1687440997,
"narHash": "sha256-Yp3K5WjfHyNcR0F0btrdW4gFmxNdbS43CRntJIjqZWM=",
"lastModified": 1687644093,
"narHash": "sha256-JCeh/wDvkIBaK5BND8xQy00ZXzhn0ygJ+ZESSl6tbqs=",
"path": "/home/main/dotfiles2/secret",
"type": "path"
},
@ -749,7 +908,7 @@
"flake-utils": "flake-utils_2",
"gitignore-nix": "gitignore-nix",
"nix": "nix_2",
"nixpkgs": "nixpkgs_9"
"nixpkgs": "nixpkgs_11"
},
"locked": {
"lastModified": 1665438610,
@ -812,6 +971,27 @@
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685519364,
"narHash": "sha256-rE9c9jWDSc5Nj0OjNzBENaJ6j4YBphcqSPia2IwCMLA=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "6521a278bcba66b440554cc1350403594367b4ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"tuxedo-nixos": {
"inputs": {
"flake-compat": "flake-compat_3",
@ -873,8 +1053,8 @@
},
"uterranix": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_10",
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_12",
"terranix": "terranix"
},
"locked": {


@ -14,6 +14,9 @@
dwarffs.url = "github:edolstra/dwarffs";
serokell-nix.url = "github:serokell/serokell.nix?ref=magicrb-allow-wildcards-with-no-main";
disko.url = "github:nix-community/disko";
nixos-anywhere.url = "github:numtide/nixos-anywhere";
tuxedo-rs.url = "github:AaronErhardt/tuxedo-rs";
tuxedo-rs.inputs.nixpkgs.follows = "nixpkgs";
@ -48,6 +51,7 @@
nixos/systems/toothpick
nixos/systems/liveusb
nixos/systems/blowhole
nixos/systems/altra
nixng/containers/ingress-blowhole
nixng/containers/ingress-toothpick
@ -146,6 +150,8 @@
flake.apps = inputs.nixpkgs.lib.genAttrs config.systems (system: {
nixinate = (inputs.nixinate.nixinate.${system} self).nixinate;
nixos-anywhere.program = (inputs.nixos-anywhere.packages.${system}.nixos-anywhere);
nixos-anywhere.type = "app";
});
perSystem = { system, pkgs, ... }:
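Review bot: `nixos-anywhere.program` is assigned the derivation attrset itself, but the flake `apps` schema expects `program` to be a string path, so `nix run .#nixos-anywhere` may be rejected depending on the Nix version; `inputs.nixpkgs.lib.getExe inputs.nixos-anywhere.packages.${system}.nixos-anywhere` is the usual form. The new `disko` and `nixos-anywhere` inputs also bring their own `nixpkgs` copies (the `nixpkgs_7` entry in flake.lock), so adding `nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";` and `disko.inputs.nixpkgs.follows = "nixpkgs";` as done for tuxedo-rs keeps one pinned nixpkgs to audit for the supply chain. The enclosing `flake.apps` expression continues outside the hunk.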


@ -0,0 +1,56 @@
{ inputs', lib, config, pkgs, secret, ... }:
let
inherit (lib)
mkForce
singleton;
in
{
services.hashicorp.consul = {
enable = true;
extraSettingsPaths = singleton "/run/secrets/consul.json";
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
settings = {
datacenter = "do-1";
data_dir = "/var/lib/consul";
retry_join_wan = singleton (secret.network.ips.blowhole.ip or "");
server = true;
bind_addr = secret.network.ips.toothpick or "";
client_addr = secret.network.ips.toothpick or "";
primary_datacenter = "homelab-1";
acl = {
enabled = true;
default_policy = "deny";
enable_token_persistence = true;
enable_token_replication = true;
};
ports = {
http = 8500;
grpc = 8502;
};
ui_config.enabled = true;
connect.enabled = true;
# ca_file = "/var/secrets/consul-ca.crt";
# cert_file = ""
# key_file = ""
verify_incoming = false;
verify_outgoing = false;
verify_server_hostname = false;
};
};
systemd.services.hashicorp-consul.serviceConfig = {
LimitNOFILE = mkForce "infinity";
LimitNPROC = mkForce "infinity";
};
}
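Review bot: TLS verification is fully disabled (`verify_incoming = false; verify_outgoing = false; verify_server_hostname = false;`) while `ca_file`/`cert_file`/`key_file` stay commented out, so RPC and the WAN join to the `retry_join_wan` peer run unauthenticated, and with `client_addr` set to a non-loopback address the HTTP API and UI on 8500 accept plaintext connections from whatever that address reaches. The settings also still use `secret.network.ips.toothpick` for `bind_addr`/`client_addr` although this file sits next to the altra `default.nix`, which looks like a copy of toothpick's config that should point at altra's address. Before `./consul.nix` is un-commented in default.nix I would set `verify_incoming = true; verify_outgoing = true; verify_server_hostname = true;` with the CA/cert paths filled in, or at minimum `client_addr = "127.0.0.1";`. Note that the `or ""` fallbacks turn a missing secret into an empty bind address silently rather than failing evaluation.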


@ -0,0 +1,78 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
flip
mapAttrs
singleton
mkForce;
config' = config;
in
{
flake.nixosConfigurations.altra = inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {
config' = config';
inputs' = inputs;
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
imports = [
# ./consul.nix
# ./nomad.nix
# ./vault-agent.nix
# ./u2t.nix
./grub.nix
./networking.nix
./nixpkgs.nix
./hardware.nix
./filesystems.nix
./users.nix
../../common/remote_access.nix
config'.flake.nixosModules.hashicorp
inputs.disko.nixosModules.disko
];
environment.defaultPackages = mkForce [];
nix.allowedUsers = [ "@wheel" ];
security.sudo.execWheelOnly = true;
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
"-a exit,always -F arch=b64 -S execve"
];
environment.etc."audit/auditd.conf".text = ''
write_logs = no
dispatcher = ${pkgs.audit}/bin/audispd
space_left = 1
'';
_module.args.nixinate = {
host = "altra.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
environment.systemPackages = [
pkgs.git
];
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05";
});
};
}
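Review bot: The audit setup logs every `execve` via `security.audit.rules` but then sets `write_logs = no` in `auditd.conf`, so auditd itself persists nothing and the records only survive if `audispd` forwards them or journald picks them up from the kernel audit socket — neither is configured in this hunk, so the execve trail may be lost entirely. If journald-only is the intent, say so next to the line (e.g. `# auditd keeps no audit.log; records are expected via journald's audit socket`), otherwise drop `write_logs = no` so `/var/log/audit` (persisted through the `persist/log` dataset) receives them. The rule should probably also cover `execveat`, i.e. `"-a exit,always -F arch=b64 -S execve -S execveat"`, which otherwise bypasses it. Separately, `nixOptions` overrides `secret` with `path://$HOME/dotfiles/secret` while flake.lock records `/home/main/dotfiles2/secret`; worth confirming which tree is intended.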


@ -0,0 +1,157 @@
{ ... }:
{
disko.devices = {
disk.boot = {
type = "disk";
device = "/dev/sda";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1MiB";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "ESP";
start = "1MiB";
end = "513MiB";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "swap";
start = "513MiB";
end = "4609MiB";
content = {
type = "swap";
randomEncryption = true;
};
}
{
name = "altra-zpool";
start = "4609MiB";
end = "100%";
content = {
type = "zfs";
pool = "altra-zpool";
};
}
];
};
};
zpool.altra-zpool = {
type = "zpool";
rootFsOptions = {
compression = "zstd-2";
acltype = "posixacl";
xattr = "sa";
atime = "off";
};
datasets = {
"local" = {
type = "zfs_fs";
options.mountpoint = "none";
};
"local/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
"persist" = {
type = "zfs_fs";
options.mountpoint = "none";
};
"persist/nomad" = {
type = "zfs_fs";
mountpoint = "/var/lib/nomad";
options.mountpoint = "legacy";
mountOptions = [ "defaults""noexec" ];
};
"persist/consul" = {
type = "zfs_fs";
mountpoint = "/var/lib/consul";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
};
"persist/log" = {
type = "zfs_fs";
mountpoint = "/var/log";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
};
"persist/etc" = {
type = "zfs_fs";
mountpoint = "/nix/persist/etc";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
};
"persist/secret" = {
type = "zfs_fs";
mountpoint = "/var/secret";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
};
"persist/var" = {
type = "zfs_fs";
options.mountpoint = "none";
};
"persist/var/lib" = {
type = "zfs_fs";
options.mountpoint = "none";
};
"persist/var/lib/nixos" = {
type = "zfs_fs";
mountpoint = "/var/lib/nixos";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [ "defaults" "size=512M" "mode=755" "noexec" ];
};
};
};
fileSystems."/nix/persist/etc".neededForBoot = true;
systemd.tmpfiles.rules = [
"d /nix/persist/etc/ssh - - - - -"
];
system.activationScripts = {
machine-id = ''
ln -sf /nix/persist/etc/machine-id /etc/machine-id
'';
};
environment.etc."ssh/ssh_host_rsa_key".source = "/nix/persist/etc/ssh/ssh_host_rsa_key";
environment.etc."ssh/ssh_host_rsa_key.pub".source = "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
environment.etc."ssh/ssh_host_ed25519_key".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key";
environment.etc."ssh/ssh_host_ed25519_key.pub".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";
}
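Review bot: The `persist/secret` dataset is mounted at `/var/secret`, but the sibling `vault-agent.nix` reads `/var/secrets/approle.roleid` and `/var/secrets/approle.secretid` (plural), so the AppRole credentials would land on the tmpfs root (`size=512M`) and vanish on reboot unless one of the two paths is corrected — `mountpoint = "/var/secrets";` here would match the consumers. The tmpfiles rule `d /nix/persist/etc/ssh - - - - -` creates the host-key directory with the default mode; sshd writes the keys 0600 itself, but `d /nix/persist/etc/ssh 0700 root root - -` is cheaper than relying on that. `mountOptions = [ "defaults""noexec" ]` on `persist/nomad` is missing a space; Nix appears to tokenize it as two elements, but it reads like a one-element list and should match the other datasets.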


@ -0,0 +1,15 @@
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
boot.loader.efi = {
canTouchEfiVariables = true;
};
boot.loader.grub = {
enable = true;
device = "nodev";
efiSupport = true;
};
}
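Review bot: `pkgs` and the `inherit (lib) singleton` binding are unused in this module, so the `let` block can go and the header reduce to `{ ... }:`. Nothing functional changes; it just avoids suggesting the bootloader config depends on something it does not.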


@ -0,0 +1,8 @@
{ inputs', ... }:
{
imports = [
(inputs'.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
];
boot.initrd.kernelModules = ["nvme"];
}


@ -0,0 +1,136 @@
{ pkgs, lib, secret, ... }:
let
inherit (lib)
getExe;
in
{
# boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
# https://github.com/NixOS/nixpkgs/issues/76671
# the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
# and can't be manually started...
boot.supportedFilesystems = [ "nfs" ];
services.rpcbind.enable = true;
networking = {
hostName = "altra";
hostId = "4eb49917";
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.enable = true;
# nameservers = [
# (secret.network.ips.blowhole.ip or "")
# "93.184.77.2"
# "67.207.67.3"
# ];
# wireguard = {
# enable = true;
# interfaces."wg0" =
# {
# postSetup = ''
# ${getExe pkgs.iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
# '';
# postShutdown = ''
# ${getExe pkgs.iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
# '';
# }
# // secret.wireguard."toothpick" or { privateKey = ""; };
# };
# defaultGateway = "64.225.96.1";
# defaultGateway6 = "";
# dhcpcd.enable = false;
# usePredictableInterfaceNames = lib.mkForce false;
# firewall = {
# extraCommands = ''
# iptables -P FORWARD DROP
# '';
# interfaces."eth0" = {
# allowedTCPPorts = [
# 80
# 443
# 6001
# ];
# allowedUDPPorts = [
# 6666
# ];
# };
# interfaces."nomad" = {
# allowedTCPPorts = [
# 8500
# ];
# };
# interfaces."wg0" = {
# allowedTCPPorts = [
# ## Consul
# 8600 # DNS
# 8500 # HTTP
# 8502 # gRPC
# 8300 # server
# 8301 # LAN serf
# 8302 # WAN serf
# 4646 # Nomad
# 4647
# 4648
# 10000
# ];
# allowedTCPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
# allowedUDPPorts = [
# ## Consul
# 8600 # DNS
# 8301 # LAN serf
# 8302 # WAN serf
# ];
# allowedUDPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
# };
# };
# interfaces = {
# eth0 = {
# ipv4.addresses = [
# {
# address = "64.225.104.221";
# prefixLength = 20;
# }
# {
# address = "10.19.0.6";
# prefixLength = 16;
# }
# ];
# ipv6.addresses = [
# {
# address = "fe80::8ce0:84ff:fefb:f981";
# prefixLength = 64;
# }
# ];
# ipv4.routes = [
# {
# address = "64.225.96.1";
# prefixLength = 32;
# }
# ];
# };
# };
};
services.udev.extraRules = ''
ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
'';
}
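Review bot: `services.rpcbind.enable = true` and `boot.supportedFilesystems = [ "nfs" ]` are set although nothing in this commit mounts NFS; rpcbind listens on 111/tcp+udp on all addresses and is a classic enumeration and reflection target on a public host. The firewall (`firewall.enable = true`, default deny) keeps it off the wire for now, but it remains reachable from any compromised local workload, so I would drop both lines until an NFS mount exists, or leave a comment citing the linked nixpkgs issue as the reason they are pre-enabled. `getExe`, `pkgs` and `secret` are only used by the commented-out WireGuard block, so the header and `let` can shrink to `{ ... }:` until that returns. The udev rule pinning MAC `96:00:02:4e:68:63` to `eth0` deserves a one-line comment naming the host/NIC so it is not copied to the next machine.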


@ -0,0 +1,13 @@
{ inputs', config', ... }:
{
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
default
]);
}


@ -0,0 +1,132 @@
{ lib, config, config', pkgs, inputs', secret, ... }:
{
services.hashicorp.nomad = {
enable = true;
extraPackages = with pkgs; [
coreutils
iproute2
iptables
consul
glibc
config.nix.package
git
];
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old:
{
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
settings = {
server.enabled = true;
tls = {
# http = false # true
# rpc = true
# ca_file = "nomad-ca.pem"
# cert_file = "client.pem"
# key_file = "client-key.pem"
# verify_server_hostname = true
# verify_https_client = true
};
vault = {
enabled = true;
address = "https://${secret.network.ips.vault.dns or ""}:8200";
allow_unauthenticated = true;
create_from_role = "nomad-cluster";
};
consul = {
address = "${secret.network.ips.toothpick or ""}:8500";
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
};
acl.enabled = true;
client = {
cni_path = "${pkgs.cni-plugins}/bin";
options = {
"docker.privileged.enabled" = "true";
};
host_network."default" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
host_network."private" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
host_network."mesh" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
network_interface = "wg0";
host_network."public" = {
cidr = "64.225.104.221/32";
reserved_ports = "22";
};
enabled = true;
};
plugin."docker" = {
config = {
allow_caps = [
"CHOWN"
"DAC_OVERRIDE"
"FSETID"
"FOWNER"
"MKNOD"
"NET_RAW"
"SETGID"
"SETUID"
"SETFCAP"
"SETPCAP"
"NET_BIND_SERVICE"
"SYS_CHROOT"
"KILL"
"AUDIT_WRITE"
"SYS_ADMIN"
];
allow_privileged = true;
extra_labels = [
"job_name"
"job_id"
"task_group_name"
"task_name"
"namespace"
"node_name"
"node_id"
];
};
};
bind_addr = secret.network.ips.toothpick or "";
disable_update_check = true;
data_dir = "/var/lib/nomad";
server.authoritative_region = "homelab-1";
datacenter = "do-1";
region = "do-1";
};
};
virtualisation.docker.enable = true;
virtualisation.docker.daemon.settings.dns = [
(secret.network.ips.blowhole.ip or "")
];
}
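Review bot: The client block enables `allow_privileged = true`, `"docker.privileged.enabled" = "true"` and `SYS_ADMIN` in `allow_caps`, which gives anyone with submit-job rights on this datacenter root on the host, while the `tls` block is left empty so the API and RPC bound at `bind_addr` run in plaintext. That combination leaves only the ACL token between the network and host root, so at minimum fill the `tls` block (`http = true; rpc = true; verify_server_hostname = true;` plus the ca/cert/key files that are commented out) and restrict privileged jobs by namespace/ACL policy before `./nomad.nix` is un-commented in default.nix. The config also still appears to be toothpick's: `bind_addr`, every `host_network` cidr and `consul.address` use `secret.network.ips.toothpick`, and `host_network."public".cidr = "64.225.104.221/32"` matches the address in the commented, toothpick-derived block of networking.nix, so on altra Nomad would try to bind an address it does not own. `vault.allow_unauthenticated = true` additionally lets job submitters request any policy the `nomad-cluster` role can issue without presenting a Vault token, which is a conscious trade-off that deserves a comment.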


@ -0,0 +1,18 @@
{ pkgs, ... }:
{
systemd.services.udp2tcp = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
path = with pkgs; [ dig.host ];
script = ''
${pkgs.udp-over-tcp}/bin/tcp2udp\
--tcp-listen 127.0.0.1:6001 \
--tcp-listen "$(host redalder.org | sed -e 's/.* //'):6001" \
--udp-forward 127.0.0.1:6666
'';
};
}
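Review bot: The second `--tcp-listen` address is built from `host redalder.org | sed -e 's/.* //'`, which prints one line per record (A, AAAA, MX), so with more than one answer the argument becomes multi-line and the service fails or binds something unintended; `host -t A redalder.org | head -n1`, or better a fixed address from `secret`, avoids both that and the DNS dependency at boot. The unit also runs as root with no sandboxing although it only needs unprivileged ports (6001, 6666); `serviceConfig = { DynamicUser = true; ProtectSystem = "strict"; Restart = "on-failure"; };` would contain it and keep it up when the lookup races network bring-up (`after = [ "network.target" ]` does not wait for connectivity; `network-online.target` does). A comment stating what the 6666 UDP endpoint is (presumably WireGuard, given the commented port lists in networking.nix) would make the listener's purpose reviewable.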


@ -0,0 +1,19 @@
{ inputs', config', secret, ... }:
{
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix
];
home-manager.useGlobalPkgs = true;
home-manager.extraSpecialArgs = {
config' = config';
inputs' = inputs';
secret = secret;
};
home-manager.users.main = {
imports = [ (inputs'.self + "/home-manager/modules/profiles/server.nix") ];
home.stateVersion = "23.05";
};
}


@ -0,0 +1,93 @@
{ config, lib, pkgs, secret, inputs', ... }:
let
inherit (lib)
singleton;
in
{
services.hashicorp.vault-agent = {
enable = true;
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault;
command = "agent";
extraPackages = with pkgs; [
sudo
getent
];
settings = {
vault = {
address = "https://${secret.network.ips.vault.dns or ""}:8200";
retry.num_retries = 5;
};
auto_auth.method = singleton
{
"approle" = {
mount_path = "auth/approle";
config =
{
role_id_file_path = "/var/secrets/approle.roleid";
secret_id_file_path = "/var/secrets/approle.secretid";
remove_secret_id_file_after_reading = false;
};
};
};
sink = singleton
{
"file" = {
type = "file";
config.path = "/run/secrets/vault-token";
};
};
template = [
{
source = pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
"acl": {
"tokens": {
"agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
}
}
'';
destination = "/run/secrets/consul.json";
command = pkgs.writeShellScript "consul-command"
''
sudo systemctl try-reload-or-restart hashicorp-consul.service
'';
}
{
source = pkgs.writeText "nomad.json.vtmpl"
''
{
"server": {
"encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
},
"acl": {
"replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"vault": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"consul": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
}
'';
destination = "/run/secrets/nomad.json";
command = pkgs.writeShellScript "nomad-command"
''
sudo systemctl try-reload-or-restart hashicorp-nomad.service
'';
}
];
};
};
}
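Review bot: Every template falls back to an empty string (`{{ or .Data.data.key "" }}`), so if a KV path is missing or the token lacks read access the rendered `consul.json`/`nomad.json` carry `"encrypt": ""` and blank ACL tokens, and Consul/Nomad then start with gossip encryption silently disabled instead of failing; drop the `or ... ""` wrapper so a missing secret aborts the render. The KV paths are all under `kv/data/do-1/toothpick/...` although this agent is presumably for altra — if the hosts are meant to share these keys, say so in a comment, otherwise they need their own `do-1/altra/...` tree. `remove_secret_id_file_after_reading = false` keeps the AppRole `secret_id` permanently on disk under `/var/secrets` next to the token sink at `/run/secrets/vault-token`, which is a second long-lived credential to protect; response-wrapped or single-use secret_ids would remove it. The template `command` relies on a sudoers rule for `systemctl try-reload-or-restart` that is not in this commit; a comment pointing to where it is defined would help the next reader.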