gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

README To-do, Rinnosuke config split up, samhain TODO removal, ...

Browse source
This commit is contained in:
kat witch 2021-08-29 05:05:39 +01:00
parent 90cf5d1ff9
commit 0d6cb2ade8
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
6 changed files with 168 additions and 160 deletions
Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -6,6 +6,7 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
## Contents ## Contents
* [To-do](#to-do)
* [Nodes](#nodes) * [Nodes](#nodes)
* [Profiles](#profiles) * [Profiles](#profiles)
* [User Profiles](#user-profiles) * [User Profiles](#user-profiles)
@ -15,6 +16,16 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
* [Dependencies](#dependencies) * [Dependencies](#dependencies)
* [Commands](#commands) * [Commands](#commands)
## To-do
* Expand [kittywitch/anicca](https://github.com/kittywitch/anicca) to be a module that helps with impermanence, too.
* Move to using [arcnmx/screenstub](https://github.com/arcnmx/screenstub) without any patches.
* Add swaylock-effects to our theme module.
* Set up [rinnosuke](config/hosts/rinnosuke) as a nameserver. Either using Knot DNS or BIND. (Need RFC2136.)
* Migrate [athame](config/hosts/athame) to OCI.
* Look into alternatives to Yggdrasil and move to them.
* Set up IPv6 network handling for our hosts.
## Nodes ## Nodes
| Node | Purpose | | Node | Purpose |

1
config/hosts/athame/nixos.nix
View file

@ -12,7 +12,6 @@ with lib;
services.filehost services.filehost
services.gitea services.gitea
services.logrotate services.logrotate
services.loki
services.mail services.mail
services.matrix services.matrix
services.murmur services.murmur

154
config/hosts/rinnosuke/nixos.nix
View file

@ -5,6 +5,7 @@ in
imports = (with (import (sources.tf-nix + "/modules")); [ imports = (with (import (sources.tf-nix + "/modules")); [
nixos.ubuntu-linux nixos.ubuntu-linux
nixos.oracle nixos.oracle
./oracle.nix
]) ++ (with meta; [ services.nginx ]); ]) ++ (with meta; [ services.nginx ]);
services.nginx.virtualHosts = services.nginx.virtualHosts =
@ -28,157 +29,4 @@ in
ipv4_attr = "public_ip"; ipv4_attr = "public_ip";
}; };
}; };
deploy.tf =
let
compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
inherit (tf.lib.tf) terraformExpr;
in
{
deploy.systems.rinnosuke = {
lustrate = {
enable = true;
connection = tf.resources.rinnosuke.connection.set;
};
connection = {
port = 62954;
};
};
providers.oci = {
inputs = {
tenancy_ocid = oci-root.outputs.oci_tenancy.import;
user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
region = oci-root.outputs.oci_region.import;
private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
};
};
resources = mkMerge [{
cloudinit = {
provider = "cloudinit";
type = "config";
dataSource = true;
inputs = {
part = singleton {
content_type = "text/cloud-config";
content = "#cloud-config\n" + builtins.toJSON {
disable_root = false;
};
};
};
};
availability_domain = {
provider = "oci";
type = "identity_availability_domain";
dataSource = true;
inputs = {
inherit compartment_id;
ad_number = 2;
};
};
generic_image = {
provider = "oci";
type = "core_images";
dataSource = true;
inputs = {
inherit compartment_id;
inherit (tf.resources.rinnosuke.inputs) shape;
operating_system = "Canonical Ubuntu"; # "Oracle Linux"
sort_by = "TIMECREATED";
sort_order = "DESC";
};
};
rinnosuke = {
provider = "oci";
type = "core_instance";
inputs = {
inherit compartment_id;
extended_metadata = { };
metadata = {
ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys;
user_data = tf.resources.cloudinit.refAttr "rendered";
};
shape = "VM.Standard.E2.1.Micro";
shape_config = {
memory_in_gbs = 1;
ocpus = 1;
};
source_details = {
source_type = "image";
source_id = tf.resources.generic_image.refAttr "images[0].id";
boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free
};
create_vnic_details = [
{
assign_public_ip = true;
subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)'';
nsg_ids = [
(tf.resources.firewall_group.refAttr "id")
];
}
];
availability_domain = tf.resources.availability_domain.refAttr "name";
};
lifecycle.ignoreChanges = [
"source_details[0].source_id"
];
connection = {
type = "ssh";
user = "root";
host = tf.lib.tf.terraformSelf "public_ip";
timeout = "5m";
};
};
firewall_group = {
provider = "oci";
type = "core_network_security_group";
inputs = {
display_name = "${config.networking.hostName} firewall group";
inherit compartment_id;
vcn_id = oci-root.resources.oci_vcn.importAttr "id";
};
};
}
(
let
protoValues = {
TCP = 6;
UDP = 17;
};
inherit (config.networking) firewall;
ipv4 = "0.0.0.0/0";
ipv6 = "::/0";
mapPort = source: protocol: port: {
provider = "oci";
type = "core_network_security_group_security_rule";
inputs = {
network_security_group_id = tf.resources.firewall_group.refAttr "id";
inherit protocol source;
direction = "INGRESS";
${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = {
destination_port_range =
if isAttrs port then {
min = port.from;
max = port.to;
} else {
min = port;
max = port;
};
};
};
};
mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ];
mapAllForInterface =
let
protos = [ "TCP" "UDP" ];
types = [ "Ports" "PortRanges" ];
in
interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types;
rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces);
# TODO: use `count` and index into a fancy json or something?
in
listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules)
)];
};
} }

156
config/hosts/rinnosuke/oracle.nix Normal file
View file

@ -0,0 +1,156 @@
{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; let
oci-root = meta.deploy.targets.oci-root.tf;
in
{
deploy.tf =
let
compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
inherit (tf.lib.tf) terraformExpr;
in
{
deploy.systems.rinnosuke = {
lustrate = {
enable = true;
connection = tf.resources.rinnosuke.connection.set;
};
connection = {
port = 62954;
};
};
providers.oci = {
inputs = {
tenancy_ocid = oci-root.outputs.oci_tenancy.import;
user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
region = oci-root.outputs.oci_region.import;
private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
};
};
resources = mkMerge [{
cloudinit = {
provider = "cloudinit";
type = "config";
dataSource = true;
inputs = {
part = singleton {
content_type = "text/cloud-config";
content = "#cloud-config\n" + builtins.toJSON {
disable_root = false;
};
};
};
};
availability_domain = {
provider = "oci";
type = "identity_availability_domain";
dataSource = true;
inputs = {
inherit compartment_id;
ad_number = 2;
};
};
generic_image = {
provider = "oci";
type = "core_images";
dataSource = true;
inputs = {
inherit compartment_id;
inherit (tf.resources.rinnosuke.inputs) shape;
operating_system = "Canonical Ubuntu"; # "Oracle Linux"
sort_by = "TIMECREATED";
sort_order = "DESC";
};
};
rinnosuke = {
provider = "oci";
type = "core_instance";
inputs = {
inherit compartment_id;
extended_metadata = { };
metadata = {
ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys;
user_data = tf.resources.cloudinit.refAttr "rendered";
};
shape = "VM.Standard.E2.1.Micro";
shape_config = {
memory_in_gbs = 1;
ocpus = 1;
};
source_details = {
source_type = "image";
source_id = tf.resources.generic_image.refAttr "images[0].id";
boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free
};
create_vnic_details = [
{
assign_public_ip = true;
subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)'';
nsg_ids = [
(tf.resources.firewall_group.refAttr "id")
];
}
];
availability_domain = tf.resources.availability_domain.refAttr "name";
};
lifecycle.ignoreChanges = [
"source_details[0].source_id"
];
connection = {
type = "ssh";
user = "root";
host = tf.lib.tf.terraformSelf "public_ip";
timeout = "5m";
};
};
firewall_group = {
provider = "oci";
type = "core_network_security_group";
inputs = {
display_name = "${config.networking.hostName} firewall group";
inherit compartment_id;
vcn_id = oci-root.resources.oci_vcn.importAttr "id";
};
};
}
(
let
protoValues = {
TCP = 6;
UDP = 17;
};
inherit (config.networking) firewall;
ipv4 = "0.0.0.0/0";
ipv6 = "::/0";
mapPort = source: protocol: port: {
provider = "oci";
type = "core_network_security_group_security_rule";
inputs = {
network_security_group_id = tf.resources.firewall_group.refAttr "id";
inherit protocol source;
direction = "INGRESS";
${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = {
destination_port_range =
if isAttrs port then {
min = port.from;
max = port.to;
} else {
min = port;
max = port;
};
};
};
};
mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ];
mapAllForInterface =
let
protos = [ "TCP" "UDP" ];
types = [ "Ports" "PortRanges" ];
in
interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types;
rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces);
# TODO: use `count` and index into a fancy json or something?
in
listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules)
)];
};

3
config/hosts/samhain/nixos.nix
View file

@ -174,9 +174,6 @@ in
SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat" SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat"
''; '';
# TODO: Replace this drive forward with one half of the 1.82TiB drive.
# SUBSYSTEM=="block", ACTION=="add", ATTR{partition}=="2", ATTR{size}=="1953503232", ATTRS{wwid}=="naa.5000039fe6e8614e", OWNER="kat"
# Networking # Networking
networking = { networking = {

3
overlays/default.nix
View file

@ -8,9 +8,6 @@ let
(import ./rustfmt) (import ./rustfmt)
(import ./katlib) (import ./katlib)
(import ./katpkgs) (import ./katpkgs)
/* # TODO: implement these
(import ./vimrc)
*/
] ++ (map (path: import "${path}/overlay.nix") [ ] ++ (map (path: import "${path}/overlay.nix") [
sources.arcexprs sources.arcexprs
sources.anicca sources.anicca