gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: replaced deploy system, migrated to infrastructure's methodologies

Browse source
This commit is contained in:
Kat Inskip 2024-01-27 20:07:28 -08:00
parent 5cb3895570
commit 89505a91cd
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
24 changed files with 919 additions and 654 deletions
Download patch file Download diff file Expand all files Collapse all files

17
systems/ct/config.nix Normal file
View file

@ -0,0 +1,17 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
meta,
lib,
...
}: {
imports = with meta; [
nixos.reisen-ct
];
system.stateVersion = "23.11";
})
];
}

12
systems/ct/nixos.nix
View file

@ -1,12 +0,0 @@
{
meta,
lib,
...
}: {
imports = with meta;
[
nixos.reisen-ct
];
system.stateVersion = "23.11";
}

151
systems/default.nix Normal file
View file

@ -0,0 +1,151 @@
{
inputs,
tree,
pkgs,
lib,
std,
system ? builtins.currentSystem or "x86_64-linux",
...
}: let
# The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain.
inherit (lib.modules) evalModules mkOptionDefault;
inherit (std) string types optional set list;
defaultSpecialArgs = {
inherit inputs std;
meta = tree;
};
hostModule = {
config,
machine,
...
}: {
options = let
inherit (lib.types) str listOf attrs unspecified attrsOf nullOr;
jsonType = (pkgs.${system}.formats.json {}).type;
inherit (lib.options) mkOption;
in {
arch = mkOption {
description = "Processor architecture of the host";
type = str;
default = "x86_64";
};
type = mkOption {
description = "Operating system type of the host";
type = str;
default = "NixOS";
};
folder = mkOption {
type = str;
internal = true;
};
system = mkOption {
type = str;
internal = true;
};
modules = mkOption {
type = listOf unspecified;
};
specialArgs = mkOption {
type = attrs;
internal = true;
};
builder = mkOption {
type = unspecified;
internal = true;
};
deploy = mkOption {
type = nullOr jsonType;
};
};
config = {
deploy = {
sshUser = mkOptionDefault "root";
user = mkOptionDefault "root";
sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${machine}.config.services.openssh.ports)}"];
autoRollback = mkOptionDefault true;
magicRollback = mkOptionDefault true;
fastConnection = mkOptionDefault false;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos inputs.self.nixosConfigurations.${machine};
};
};
system = let
kernel =
{
nixos = "linux";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
in "${config.arch}-${kernel}";
folder =
{
nixos = "nixos";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
modules = with tree; [
# per-OS modules
tree.modules.${config.folder}
# per-OS configuration
tree.${config.folder}.base
];
builder =
{
nixos = let
lib = inputs.nixpkgs.lib.extend (self: super:
import (inputs.arcexprs + "/lib") {
inherit super;
lib = self;
isOverlayLib = true;
});
sys = args:
lib.nixosSystem ({
inherit lib;
}
// args);
in
sys;
darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem;
}
.${string.toLower config.type};
specialArgs =
{
name = machine;
inherit machine;
systemType = config.folder;
inherit (config) system;
}
// defaultSpecialArgs;
};
};
hostConfigs = set.map (name: path:
evalModules {
modules = [
hostModule
path
];
specialArgs =
defaultSpecialArgs
// {
inherit name;
machine = name;
};
})
(set.map (_: c: c.config) tree.systems);
processHost = name: cfg: let
host = cfg.config;
in {
deploy.nodes.${name} = host.deploy;
"${host.folder}Configurations".${name} = host.builder {
inherit (host) system modules specialArgs;
};
};
in
set.merge (set.mapToValues processHost hostConfigs)

132
systems/hakurei/config.nix Normal file
View file

@ -0,0 +1,132 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
access,
...
}: let
inherit (lib.modules) mkIf mkMerge;
mediabox = access.systemFor "mediabox";
tei = access.systemFor "tei";
inherit (mediabox.services) plex;
inherit (tei.services) kanidm;
in {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.tailscale
nixos.cloudflared
nixos.ddclient
nixos.acme
nixos.nginx
nixos.access.nginx
nixos.access.global
nixos.access.gensokyo
nixos.access.kanidm
nixos.access.proxmox
nixos.access.plex
./reisen-ssh.nix
];
sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user;
};
services.cloudflared = let
tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = {
"prox.${config.networking.domain}".service = "http://localhost";
${config.networking.domain}.service = "http://localhost";
};
};
};
security.acme.certs = let
inherit (config.services) nginx tailscale;
inherit (nginx) access;
in {
${access.kanidm.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.kanidm.localDomain]
(mkIf kanidm.server.ldap.enable [
access.kanidm.ldapDomain
access.kanidm.ldapLocalDomain
])
(mkIf tailscale.enable [
access.kanidm.tailDomain
])
(mkIf (kanidm.server.ldap.enable && tailscale.enable) [
access.kanidm.ldapTailDomain
])
];
};
${access.proxmox.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.proxmox.localDomain]
(mkIf config.services.tailscale.enable [
access.proxmox.tailDomain
])
];
};
${access.plex.domain} = {
inherit (nginx) group;
extraDomainNames = [access.plex.localDomain];
};
};
services.nginx = let
inherit (config.services.nginx) access;
in {
access.plex = assert plex.enable; {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
};
access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port;
host = tei.networking.access.hostnameForNetwork.local;
ldapPort = kanidm.server.ldap.port;
ldapEnable = kanidm.server.ldap.enable;
};
virtualHosts = {
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
};
${access.proxmox.domain} = {
useACMEHost = access.proxmox.domain;
};
${access.plex.domain} = {
addSSL = true;
useACMEHost = access.plex.domain;
};
};
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:C4:66:A7";
Type = "ether";
};
address = ["10.1.1.41/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
})
];
}

126
systems/hakurei/nixos.nix
View file

@ -1,126 +0,0 @@
{
config,
meta,
lib,
access,
...
}: let
inherit (lib.modules) mkIf mkMerge;
mediabox = access.systemFor "mediabox";
tei = access.systemFor "tei";
inherit (mediabox.services) plex;
inherit (tei.services) kanidm;
in {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.tailscale
nixos.cloudflared
nixos.ddclient
nixos.acme
nixos.nginx
nixos.access.nginx
nixos.access.global
nixos.access.gensokyo
nixos.access.kanidm
nixos.access.proxmox
nixos.access.plex
./reisen-ssh.nix
];
sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user;
};
services.cloudflared = let
tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = {
"prox.${config.networking.domain}".service = "http://localhost";
${config.networking.domain}.service = "http://localhost";
};
};
};
security.acme.certs = let
inherit (config.services) nginx tailscale;
inherit (nginx) access;
in {
${access.kanidm.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[ access.kanidm.localDomain ]
(mkIf kanidm.server.ldap.enable [
access.kanidm.ldapDomain
access.kanidm.ldapLocalDomain
])
(mkIf tailscale.enable [
access.kanidm.tailDomain
])
(mkIf (kanidm.server.ldap.enable && tailscale.enable) [
access.kanidm.ldapTailDomain
])
];
};
${access.proxmox.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[ access.proxmox.localDomain ]
(mkIf config.services.tailscale.enable [
access.proxmox.tailDomain
])
];
};
${access.plex.domain} = {
inherit (nginx) group;
extraDomainNames = [ access.plex.localDomain ];
};
};
services.nginx = let
inherit (config.services.nginx) access;
in {
access.plex = assert plex.enable; {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
};
access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port;
host = tei.networking.access.hostnameForNetwork.local;
ldapPort = kanidm.server.ldap.port;
ldapEnable = kanidm.server.ldap.enable;
};
virtualHosts = {
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
};
${access.proxmox.domain} = {
useACMEHost = access.proxmox.domain;
};
${access.plex.domain} = {
addSSL = true;
useACMEHost = access.plex.domain;
};
};
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:C4:66:A7";
Type = "ether";
};
address = [ "10.1.1.41/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
}

98
systems/kuwubernetes/config.nix Normal file
View file

@ -0,0 +1,98 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
modulesPath,
...
}: let
inherit (lib.attrsets) genAttrs nameValuePair;
inherit (builtins) listToAttrs;
dexFiles = [
"ca-key.pem"
"ca.pem"
"ca.srl"
"csr.pem"
"key.pem"
"req.cnf"
];
in {
imports = with meta; [
(modulesPath + "/profiles/qemu-guest.nix")
nixos.sops
nixos.cloudflared
nixos.k8s
];
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
loader.grub.device = "/dev/sda";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
];
networking.interfaces.ens18.useDHCP = true;
sops.secrets = let
dexCommon = {
owner = "kubernetes";
};
in
{
cloudflare_kubernetes_tunnel = {
owner = config.services.cloudflared.user;
};
}
// (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
services.cloudflared = let
tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
ingress = {
"k8s.gensokyo.zone" = {
service = "https://localhost:6443";
originRequest.noTLSVerify = true;
};
};
};
};
systemd.network.networks.ens18 = {
name = "ens18";
matchConfig = {
MACAddress = "BC:24:11:49:FE:DC";
Type = "ether";
};
address = ["10.1.1.42/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
})
];
}

92
systems/kuwubernetes/nixos.nix
View file

@ -1,92 +0,0 @@
{
config,
meta,
lib,
modulesPath,
...
}: let
inherit (lib.attrsets) genAttrs nameValuePair;
inherit (builtins) listToAttrs;
dexFiles = [
"ca-key.pem"
"ca.pem"
"ca.srl"
"csr.pem"
"key.pem"
"req.cnf"
];
in {
imports = with meta; [
(modulesPath + "/profiles/qemu-guest.nix")
nixos.sops
nixos.cloudflared
nixos.k8s
];
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
loader.grub.device = "/dev/sda";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
];
networking.interfaces.ens18.useDHCP = true;
sops.secrets = let
dexCommon = {
owner = "kubernetes";
};
in
{
cloudflare_kubernetes_tunnel = {
owner = config.services.cloudflared.user;
};
}
// (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
services.cloudflared = let
tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
ingress = {
"k8s.gensokyo.zone" = {
service = "https://localhost:6443";
originRequest.noTLSVerify = true;
};
};
};
};
systemd.network.networks.ens18 = {
name = "ens18";
matchConfig = {
MACAddress = "BC:24:11:49:FE:DC";
Type = "ether";
};
address = [ "10.1.1.42/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
}

155
systems/mediabox/config.nix Normal file
View file

@ -0,0 +1,155 @@
_: {
deploy.hostname = "mediabox.local.gensokyo.zone";
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.strings) removePrefix;
inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
kyuuto = "/mnt/kyuuto-media";
kyuuto-library = kyuuto + "/library";
plexLibrary = {
"/mnt/Anime".hostPath = kyuuto-library + "/anime";
"/mnt/Shows".hostPath = kyuuto-library + "/tv";
"/mnt/Movies".hostPath = kyuuto-library + "/movies";
"/mnt/Music".hostPath = kyuuto-library + "/music";
};
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.nginx
nixos.access.plex
nixos.cloudflared
# media
nixos.plex
nixos.tautulli
nixos.ombi
nixos.deluge
nixos.mediatomb
# yarr harr fiddle dee dee >w<
nixos.radarr
nixos.sonarr
nixos.bazarr
nixos.lidarr
nixos.readarr
nixos.prowlarr
];
sops.secrets.cloudflare_mediabox_tunnel = {
owner = cloudflared.user;
};
services.cloudflared = let
tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e";
inherit (config.networking) domain;
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path;
ingress = {
"tautulli.${domain}".service = "http://localhost:${toString tautulli.port}";
"ombi.${domain}".service = "http://localhost:${toString ombi.port}";
"sonarr.${domain}".service = "http://localhost:${toString sonarr.port}";
"radarr.${domain}".service = "http://localhost:${toString radarr.port}";
"bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}";
"lidarr.${domain}".service = "http://localhost:${toString lidarr.port}";
"readarr.${domain}".service = "http://localhost:${toString readarr.port}";
"prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}";
"deluge.${domain}".service = "http://localhost:${toString deluge.web.port}";
};
};
};
services.mediatomb = {
serverName = "tewi";
mediaDirectories = let
mkLibraryDir = dir: {
path = kyuuto-library + "/${dir}";
mountPoint = kyuuto-library;
};
libraryDir = {
path = kyuuto-library;
mountPoint = kyuuto-library;
subdirectories =
mapAttrsToList (
_: {hostPath, ...}:
removePrefix "${kyuuto-library}/" hostPath
)
plexLibrary
++ ["tlmc" "music-raw"];
};
in
[libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
};
fileSystems = let
bind = {
fsType = "none";
options = ["bind" "nofail"];
};
fsPlex = mapAttrs (_: {hostPath, ...}:
mkMerge [
bind
{
device = hostPath;
}
])
plexLibrary;
fsDeluge = {
"${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
bind
{
device = kyuuto + "/downloads/deluge/download";
}
]);
};
in
mkMerge [
fsPlex
(mkIf deluge.enable fsDeluge)
];
systemd.services.deluged = mkIf deluge.enable {
unitConfig.RequiresMountsFor = [
"${deluge.downloadDir}"
];
};
systemd.services.plex = mkIf plex.enable {
unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:34:F4:A8";
Type = "ether";
};
address = ["10.1.1.44/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "21.05";
})
];
}

148
systems/mediabox/nixos.nix
View file

@ -1,148 +0,0 @@
{
config,
meta,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.strings) removePrefix;
inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
kyuuto = "/mnt/kyuuto-media";
kyuuto-library = kyuuto + "/library";
plexLibrary = {
"/mnt/Anime".hostPath = kyuuto-library + "/anime";
"/mnt/Shows".hostPath = kyuuto-library + "/tv";
"/mnt/Movies".hostPath = kyuuto-library + "/movies";
"/mnt/Music".hostPath = kyuuto-library + "/music";
};
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.nginx
nixos.access.plex
nixos.cloudflared
# media
nixos.plex
nixos.tautulli
nixos.ombi
nixos.deluge
nixos.mediatomb
# yarr harr fiddle dee dee >w<
nixos.radarr
nixos.sonarr
nixos.bazarr
nixos.lidarr
nixos.readarr
nixos.prowlarr
];
sops.secrets.cloudflare_mediabox_tunnel = {
owner = cloudflared.user;
};
services.cloudflared = let
tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e";
inherit (config.networking) domain;
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path;
ingress = {
"tautulli.${domain}".service = "http://localhost:${toString tautulli.port}";
"ombi.${domain}".service = "http://localhost:${toString ombi.port}";
"sonarr.${domain}".service = "http://localhost:${toString sonarr.port}";
"radarr.${domain}".service = "http://localhost:${toString radarr.port}";
"bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}";
"lidarr.${domain}".service = "http://localhost:${toString lidarr.port}";
"readarr.${domain}".service = "http://localhost:${toString readarr.port}";
"prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}";
"deluge.${domain}".service = "http://localhost:${toString deluge.web.port}";
};
};
};
services.mediatomb = {
serverName = "tewi";
mediaDirectories = let
mkLibraryDir = dir: {
path = kyuuto-library + "/${dir}";
mountPoint = kyuuto-library;
};
libraryDir = {
path = kyuuto-library;
mountPoint = kyuuto-library;
subdirectories =
mapAttrsToList (
_: {hostPath, ...}:
removePrefix "${kyuuto-library}/" hostPath
)
plexLibrary
++ ["tlmc" "music-raw"];
};
in
[libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
};
fileSystems = let
bind = {
fsType = "none";
options = ["bind" "nofail"];
};
fsPlex = mapAttrs (_: {hostPath, ...}:
mkMerge [
bind
{
device = hostPath;
}
])
plexLibrary;
fsDeluge = {
"${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
bind
{
device = kyuuto + "/downloads/deluge/download";
}
]);
};
in
mkMerge [
fsPlex
(mkIf deluge.enable fsDeluge)
];
systemd.services.deluged = mkIf deluge.enable {
unitConfig.RequiresMountsFor = [
"${deluge.downloadDir}"
];
};
systemd.services.plex = mkIf plex.enable {
unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:34:F4:A8";
Type = "ether";
};
address = ["10.1.1.44/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "21.05";
}

76
systems/tei/config.nix Normal file
View file

@ -0,0 +1,76 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
lib,
meta,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) kanidm mosquitto home-assistant;
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.tailscale
nixos.cloudflared
nixos.postgres
nixos.nginx
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.vouch
nixos.kanidm
nixos.mosquitto
nixos.home-assistant
nixos.zigbee2mqtt
nixos.syncplay
./cloudflared.nix
];
sops.defaultSopsFile = ./secrets.yaml;
services.kanidm = {
package =
lib.warnIf
(pkgs.kanidm.version != "1.1.0-rc.15")
"upstream kanidm may have localhost oauth2 support now!"
pkgs.kanidm-develop;
};
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf kanidm.enableServer [
kanidm.server.frontend.port
(mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
])
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])
(mkIf mosquitto.enable (map (
listener:
listener.port
)
mosquitto.listeners))
];
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:CC:66:57";
Type = "ether";
};
address = ["10.1.1.39/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
system.stateVersion = "23.11";
})
];
}

67
systems/tei/nixos.nix
View file

@ -1,67 +0,0 @@
{
config,
lib,
meta,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) kanidm mosquitto home-assistant;
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.tailscale
nixos.cloudflared
nixos.postgres
nixos.nginx
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.vouch
nixos.kanidm
nixos.mosquitto
nixos.home-assistant
nixos.zigbee2mqtt
nixos.syncplay
./cloudflared.nix
];
sops.defaultSopsFile = ./secrets.yaml;
services.kanidm = {
package = lib.warnIf
(pkgs.kanidm.version != "1.1.0-rc.15")
"upstream kanidm may have localhost oauth2 support now!"
pkgs.kanidm-develop;
};
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf kanidm.enableServer [
kanidm.server.frontend.port
(mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
])
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])
(mkIf mosquitto.enable (map (listener:
listener.port
) mosquitto.listeners))
];
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:CC:66:57";
Type = "ether";
};
address = [ "10.1.1.39/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
system.stateVersion = "23.11";
}

86
systems/tewi/config.nix Normal file
View file

@ -0,0 +1,86 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
meta,
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = with meta; [
(modulesPath + "/installer/scan/not-detected.nix")
nixos.sops
nixos.tailscale
];
services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
services.postgresql.package = pkgs.postgresql_14;
sops.defaultSopsFile = ./secrets.yaml;
networking = {
useNetworkd = true;
useDHCP = false;
};
services.resolved.enable = true;
boot = {
loader = {
systemd-boot = {
enable = true;
};
efi = {
canTouchEfiVariables = true;
};
};
initrd = {
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat";
};
};
systemd = {
network = {
networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig;
networkConfig = {
DHCP = "yes";
DNSDefaultRoute = true;
MulticastDNS = true;
};
linkConfig.Multicast = true;
};
links.eno1 = {
matchConfig = {
Type = "ether";
Driver = "e1000e";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
swapDevices = lib.singleton {
device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
};
system.stateVersion = "21.05";
})
];
}

81
systems/tewi/nixos.nix
View file

@ -1,81 +0,0 @@
{
meta,
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = with meta;
[
(modulesPath + "/installer/scan/not-detected.nix")
nixos.sops
nixos.tailscale
];
services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
services.postgresql.package = pkgs.postgresql_14;
sops.defaultSopsFile = ./secrets.yaml;
networking = {
useNetworkd = true;
useDHCP = false;
};
services.resolved.enable = true;
boot = {
loader = {
systemd-boot = {
enable = true;
};
efi = {
canTouchEfiVariables = true;
};
};
initrd = {
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat";
};
};
systemd = {
network = {
networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig;
networkConfig = {
DHCP = "yes";
DNSDefaultRoute = true;
MulticastDNS = true;
};
linkConfig.Multicast = true;
};
links.eno1 = {
matchConfig = {
Type = "ether";
Driver = "e1000e";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
swapDevices = lib.singleton {
device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
};
system.stateVersion = "21.05";
}