gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: replaced deploy system, migrated to infrastructure's methodologies

Browse source
This commit is contained in:
Kat Inskip 2024-01-27 20:07:28 -08:00
parent 5cb3895570
commit 89505a91cd
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
24 changed files with 919 additions and 654 deletions
Download patch file Download diff file Expand all files Collapse all files

12
default.nix
View file

@ -1 +1,11 @@
import ./meta.nix { inputs = import ./inputs.nix; system = builtins.currentSystem; }
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
flakeCompat = fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
};
kittywitch = import flakeCompat {
src = ./.;
};
in
kittywitch.defaultNix

5
devShell.nix
View file

@ -2,8 +2,8 @@
inputs,
system,
}: let
meta = import ./meta.nix {inherit inputs system;};
inherit (meta) pkgs;
meta = import ./outputs.nix {inherit inputs;};
pkgs = meta.legacyPackages.${system};
nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix)
for f in "''${NF_CONFIG_FILES[@]}"; do
@ -79,6 +79,7 @@ in
nf-deadnix
nf-kustomize
nf-argocd
deploy-rs
];
shellHook = ''
export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix)))

28
flake.lock generated
View file

@ -34,6 +34,33 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1704875591,
"narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b",
"type": "github"
},
"original": {
"owner": "serokell",
"ref": "master",
"repo": "deploy-rs",
"type": "github"
}
},
"fl-config": {
"locked": {
"lastModified": 1653159448,
@ -170,6 +197,7 @@
"inputs": {
"arcexprs": "arcexprs",
"ci": "ci",
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",

11
flake.nix
View file

@ -28,6 +28,14 @@
inputs.std.follows = "std";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs = {
url = "github:serokell/deploy-rs/master";
inputs = {
flake-compat.follows = "flake-compat";
nixpkgs.follows = "nixpkgs";
utils.follows = "flake-utils";
};
};
systemd2mqtt = {
url = "github:arcnmx/systemd2mqtt";
inputs = {
@ -46,6 +54,8 @@
];
};
outputs = inputs: import ./outputs.nix {inherit inputs;};
/*
outputs = {
self,
nixpkgs,
@ -69,4 +79,5 @@
})
self.legacyPackages.x86_64-linux.network.nodes;
};
*/
}

95
meta.nix
View file

@ -1,95 +0,0 @@
{
inputs,
system ? builtins.currentSystem or "x86_64-linux",
...
}: let
patchedInputs = import ./patchedInputs.nix {inherit inputs system;};
pkgs = import ./overlays {
inherit system;
inputs = patchedInputs;
};
inherit (pkgs) lib;
tree = import ./tree.nix {
inherit lib;
inputs = patchedInputs;
};
root = ./.; # Required for modules/meta/imports.nix to find hosts
nixfiles = tree.impure;
eval = let
inherit (config.network.nixos) builder;
mapNixosNodes = lib.mapAttrs (name: args: builder ({
inherit name;
} // args));
nixosNodes = [
{
network.nodes = mapNixosNodes {
tewi = {
imports = [
./systems/tewi/nixos.nix
nixfiles.nixos.base
];
};
tei = {
imports = [
./systems/tei/nixos.nix
nixfiles.nixos.base
];
};
mediabox = {
imports = [
./systems/mediabox/nixos.nix
nixfiles.nixos.base
];
};
reisen-ct = {
imports = [
./systems/ct/nixos.nix
nixfiles.nixos.base
];
};
kuwubernetes = {
imports = [
./systems/kuwubernetes/nixos.nix
nixfiles.nixos.base
];
};
hakurei = {
imports = [
./systems/hakurei/nixos.nix
nixfiles.nixos.base
];
};
};
}
];
in
lib.evalModules {
modules =
[
nixfiles.modules.meta
{
_module.args.pkgs = lib.mkDefault pkgs;
}
]
++ nixosNodes;
specialArgs =
{
inherit root tree;
inputs = patchedInputs;
meta = self;
}
// nixfiles;
};
inherit (eval) config;
self =
config
// {
inherit pkgs lib tree;
inputs = patchedInputs;
}
// nixfiles;
in
self

5
nixos/base/nixpkgs.nix Normal file
View file

@ -0,0 +1,5 @@
_: {
nixpkgs = {
config.allowUnfree = true;
};
}

33
outputs.nix Normal file
View file

@ -0,0 +1,33 @@
{inputs}: let
patchedInputs = import ./patchedInputs.nix {inherit inputs;};
inherit
(import ./overlays {
inputs = patchedInputs;
})
pkgs
;
inherit (inputs.nixpkgs) lib;
tree = import ./tree.nix {
inherit pkgs;
inputs = patchedInputs;
};
systems = import ./systems {
inherit inputs lib std pkgs;
tree = tree.impure;
};
shells =
inputs.flake-utils.lib.eachDefaultSystem
(system: rec {
devShells.default = import ./devShell.nix {inherit system inputs;};
});
std = import ./std.nix {inherit inputs;};
inherit (std) set;
checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
in
{
inherit tree std lib checks;
inputs = patchedInputs;
legacyPackages = pkgs;
}
// systems
// shells

11
overlays/default.nix
View file

@ -1,8 +1,5 @@
{
inputs,
system ? builtins.currentSystem,
...
} @ args: let
{inputs, ...} @ args:
inputs.flake-utils.lib.eachDefaultSystem (system: {
pkgs = import inputs.nixpkgs {
inherit system;
overlays =
@ -10,6 +7,7 @@
(import ./nur {inherit inputs;})
(import ./local)
(import ./lib)
inputs.deploy-rs.overlay
(final: prev: {
jemalloc =
if final.hostPlatform != "aarch64-darwin"
@ -31,5 +29,4 @@
];
};
};
in
pkgs
})

7
patchedInputs.nix
View file

@ -1,9 +1,12 @@
{
inputs,
system,
system ? builtins.currentSystem or "x86_64-linux",
...
}: let
pkgs = import ./overlays {inherit inputs system;}; # A local import of nixpkgs without patching.
pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
};
in
inputs
// {

84
std.nix Normal file
View file

@ -0,0 +1,84 @@
{inputs, ...}: let
std = let
baseStd = inputs.std.lib;
inherit (baseStd) set function list bool types optional tuple;
mergeWith = let
append = {
path,
values,
canMerge,
mapToSet,
}: let
mergeWith' = values:
mergeWith {
inherit canMerge mapToSet path;
sets = list.map (v: (mapToSet path v).value) values;
};
mergeUntil = list.findIndex (function.not (canMerge path)) values;
len = list.length values;
in
if len == 0
then {}
else if len == 1
then list.unsafeHead values
else if list.all (canMerge path) values
then mergeWith' values
else
optional.match mergeUntil {
just = i: let
split = list.splitAt i values;
in
if i > 0
then mergeWith' split._0
else list.unsafeHead values;
nothing = list.unsafeHead values;
};
in
{
canMerge ? path: v: optional.isJust (mapToSet path v),
mapToSet ? _: v: bool.toOptional (types.attrs.check v) v,
path ? [],
sets,
}:
set.mapZip (name: values:
append {
path = path ++ list.One name;
inherit canMerge mapToSet values;
})
sets;
merge = sets:
mergeWith {
inherit sets;
};
remap = f: s: set.fromList (list.map f (set.toList s));
renames = names:
remap ({
_0,
_1,
}:
tuple.tuple2 (names.${_0} or _0) _1);
rename = oldName: newName: renames {${oldName} = newName;};
in
merge [
baseStd
{
function = {
pipe = list.foldl' (function.flip function.compose) function.id;
};
set = {
inherit merge mergeWith remap renames rename;
recursiveMap = f: s: let
recurse = str: s: let
g = str1: str2:
if types.attrs.check str2
then f (str ++ [str1]) (recurse (str ++ [str1]) str2)
else f (str ++ [str1]) str2;
in
set.map g s;
in
f [] (recurse [] s);
};
}
];
in
std

17
systems/ct/config.nix Normal file
View file

@ -0,0 +1,17 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
meta,
lib,
...
}: {
imports = with meta; [
nixos.reisen-ct
];
system.stateVersion = "23.11";
})
];
}

12
systems/ct/nixos.nix
View file

@ -1,12 +0,0 @@
{
meta,
lib,
...
}: {
imports = with meta;
[
nixos.reisen-ct
];
system.stateVersion = "23.11";
}

151
systems/default.nix Normal file
View file

@ -0,0 +1,151 @@
{
inputs,
tree,
pkgs,
lib,
std,
system ? builtins.currentSystem or "x86_64-linux",
...
}: let
# The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain.
inherit (lib.modules) evalModules mkOptionDefault;
inherit (std) string types optional set list;
defaultSpecialArgs = {
inherit inputs std;
meta = tree;
};
hostModule = {
config,
machine,
...
}: {
options = let
inherit (lib.types) str listOf attrs unspecified attrsOf nullOr;
jsonType = (pkgs.${system}.formats.json {}).type;
inherit (lib.options) mkOption;
in {
arch = mkOption {
description = "Processor architecture of the host";
type = str;
default = "x86_64";
};
type = mkOption {
description = "Operating system type of the host";
type = str;
default = "NixOS";
};
folder = mkOption {
type = str;
internal = true;
};
system = mkOption {
type = str;
internal = true;
};
modules = mkOption {
type = listOf unspecified;
};
specialArgs = mkOption {
type = attrs;
internal = true;
};
builder = mkOption {
type = unspecified;
internal = true;
};
deploy = mkOption {
type = nullOr jsonType;
};
};
config = {
deploy = {
sshUser = mkOptionDefault "root";
user = mkOptionDefault "root";
sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${machine}.config.services.openssh.ports)}"];
autoRollback = mkOptionDefault true;
magicRollback = mkOptionDefault true;
fastConnection = mkOptionDefault false;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos inputs.self.nixosConfigurations.${machine};
};
};
system = let
kernel =
{
nixos = "linux";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
in "${config.arch}-${kernel}";
folder =
{
nixos = "nixos";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
modules = with tree; [
# per-OS modules
tree.modules.${config.folder}
# per-OS configuration
tree.${config.folder}.base
];
builder =
{
nixos = let
lib = inputs.nixpkgs.lib.extend (self: super:
import (inputs.arcexprs + "/lib") {
inherit super;
lib = self;
isOverlayLib = true;
});
sys = args:
lib.nixosSystem ({
inherit lib;
}
// args);
in
sys;
darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem;
}
.${string.toLower config.type};
specialArgs =
{
name = machine;
inherit machine;
systemType = config.folder;
inherit (config) system;
}
// defaultSpecialArgs;
};
};
hostConfigs = set.map (name: path:
evalModules {
modules = [
hostModule
path
];
specialArgs =
defaultSpecialArgs
// {
inherit name;
machine = name;
};
})
(set.map (_: c: c.config) tree.systems);
processHost = name: cfg: let
host = cfg.config;
in {
deploy.nodes.${name} = host.deploy;
"${host.folder}Configurations".${name} = host.builder {
inherit (host) system modules specialArgs;
};
};
in
set.merge (set.mapToValues processHost hostConfigs)

132
systems/hakurei/config.nix Normal file
View file

@ -0,0 +1,132 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
access,
...
}: let
inherit (lib.modules) mkIf mkMerge;
mediabox = access.systemFor "mediabox";
tei = access.systemFor "tei";
inherit (mediabox.services) plex;
inherit (tei.services) kanidm;
in {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.tailscale
nixos.cloudflared
nixos.ddclient
nixos.acme
nixos.nginx
nixos.access.nginx
nixos.access.global
nixos.access.gensokyo
nixos.access.kanidm
nixos.access.proxmox
nixos.access.plex
./reisen-ssh.nix
];
sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user;
};
services.cloudflared = let
tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = {
"prox.${config.networking.domain}".service = "http://localhost";
${config.networking.domain}.service = "http://localhost";
};
};
};
security.acme.certs = let
inherit (config.services) nginx tailscale;
inherit (nginx) access;
in {
${access.kanidm.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.kanidm.localDomain]
(mkIf kanidm.server.ldap.enable [
access.kanidm.ldapDomain
access.kanidm.ldapLocalDomain
])
(mkIf tailscale.enable [
access.kanidm.tailDomain
])
(mkIf (kanidm.server.ldap.enable && tailscale.enable) [
access.kanidm.ldapTailDomain
])
];
};
${access.proxmox.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.proxmox.localDomain]
(mkIf config.services.tailscale.enable [
access.proxmox.tailDomain
])
];
};
${access.plex.domain} = {
inherit (nginx) group;
extraDomainNames = [access.plex.localDomain];
};
};
services.nginx = let
inherit (config.services.nginx) access;
in {
access.plex = assert plex.enable; {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
};
access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port;
host = tei.networking.access.hostnameForNetwork.local;
ldapPort = kanidm.server.ldap.port;
ldapEnable = kanidm.server.ldap.enable;
};
virtualHosts = {
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
};
${access.proxmox.domain} = {
useACMEHost = access.proxmox.domain;
};
${access.plex.domain} = {
addSSL = true;
useACMEHost = access.plex.domain;
};
};
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:C4:66:A7";
Type = "ether";
};
address = ["10.1.1.41/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
})
];
}

126
systems/hakurei/nixos.nix
View file

@ -1,126 +0,0 @@
{
config,
meta,
lib,
access,
...
}: let
inherit (lib.modules) mkIf mkMerge;
mediabox = access.systemFor "mediabox";
tei = access.systemFor "tei";
inherit (mediabox.services) plex;
inherit (tei.services) kanidm;
in {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.tailscale
nixos.cloudflared
nixos.ddclient
nixos.acme
nixos.nginx
nixos.access.nginx
nixos.access.global
nixos.access.gensokyo
nixos.access.kanidm
nixos.access.proxmox
nixos.access.plex
./reisen-ssh.nix
];
sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user;
};
services.cloudflared = let
tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = {
"prox.${config.networking.domain}".service = "http://localhost";
${config.networking.domain}.service = "http://localhost";
};
};
};
security.acme.certs = let
inherit (config.services) nginx tailscale;
inherit (nginx) access;
in {
${access.kanidm.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[ access.kanidm.localDomain ]
(mkIf kanidm.server.ldap.enable [
access.kanidm.ldapDomain
access.kanidm.ldapLocalDomain
])
(mkIf tailscale.enable [
access.kanidm.tailDomain
])
(mkIf (kanidm.server.ldap.enable && tailscale.enable) [
access.kanidm.ldapTailDomain
])
];
};
${access.proxmox.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[ access.proxmox.localDomain ]
(mkIf config.services.tailscale.enable [
access.proxmox.tailDomain
])
];
};
${access.plex.domain} = {
inherit (nginx) group;
extraDomainNames = [ access.plex.localDomain ];
};
};
services.nginx = let
inherit (config.services.nginx) access;
in {
access.plex = assert plex.enable; {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
};
access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port;
host = tei.networking.access.hostnameForNetwork.local;
ldapPort = kanidm.server.ldap.port;
ldapEnable = kanidm.server.ldap.enable;
};
virtualHosts = {
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
};
${access.proxmox.domain} = {
useACMEHost = access.proxmox.domain;
};
${access.plex.domain} = {
addSSL = true;
useACMEHost = access.plex.domain;
};
};
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:C4:66:A7";
Type = "ether";
};
address = [ "10.1.1.41/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
}

98
systems/kuwubernetes/config.nix Normal file
View file

@ -0,0 +1,98 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
modulesPath,
...
}: let
inherit (lib.attrsets) genAttrs nameValuePair;
inherit (builtins) listToAttrs;
dexFiles = [
"ca-key.pem"
"ca.pem"
"ca.srl"
"csr.pem"
"key.pem"
"req.cnf"
];
in {
imports = with meta; [
(modulesPath + "/profiles/qemu-guest.nix")
nixos.sops
nixos.cloudflared
nixos.k8s
];
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
loader.grub.device = "/dev/sda";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
];
networking.interfaces.ens18.useDHCP = true;
sops.secrets = let
dexCommon = {
owner = "kubernetes";
};
in
{
cloudflare_kubernetes_tunnel = {
owner = config.services.cloudflared.user;
};
}
// (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
services.cloudflared = let
tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
ingress = {
"k8s.gensokyo.zone" = {
service = "https://localhost:6443";
originRequest.noTLSVerify = true;
};
};
};
};
systemd.network.networks.ens18 = {
name = "ens18";
matchConfig = {
MACAddress = "BC:24:11:49:FE:DC";
Type = "ether";
};
address = ["10.1.1.42/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
})
];
}

92
systems/kuwubernetes/nixos.nix
View file

@ -1,92 +0,0 @@
{
config,
meta,
lib,
modulesPath,
...
}: let
inherit (lib.attrsets) genAttrs nameValuePair;
inherit (builtins) listToAttrs;
dexFiles = [
"ca-key.pem"
"ca.pem"
"ca.srl"
"csr.pem"
"key.pem"
"req.cnf"
];
in {
imports = with meta; [
(modulesPath + "/profiles/qemu-guest.nix")
nixos.sops
nixos.cloudflared
nixos.k8s
];
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
loader.grub.device = "/dev/sda";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
];
networking.interfaces.ens18.useDHCP = true;
sops.secrets = let
dexCommon = {
owner = "kubernetes";
};
in
{
cloudflare_kubernetes_tunnel = {
owner = config.services.cloudflared.user;
};
}
// (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
services.cloudflared = let
tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
ingress = {
"k8s.gensokyo.zone" = {
service = "https://localhost:6443";
originRequest.noTLSVerify = true;
};
};
};
};
systemd.network.networks.ens18 = {
name = "ens18";
matchConfig = {
MACAddress = "BC:24:11:49:FE:DC";
Type = "ether";
};
address = [ "10.1.1.42/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
}

155
systems/mediabox/config.nix Normal file
View file

@ -0,0 +1,155 @@
_: {
deploy.hostname = "mediabox.local.gensokyo.zone";
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
meta,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.strings) removePrefix;
inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
kyuuto = "/mnt/kyuuto-media";
kyuuto-library = kyuuto + "/library";
plexLibrary = {
"/mnt/Anime".hostPath = kyuuto-library + "/anime";
"/mnt/Shows".hostPath = kyuuto-library + "/tv";
"/mnt/Movies".hostPath = kyuuto-library + "/movies";
"/mnt/Music".hostPath = kyuuto-library + "/music";
};
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.nginx
nixos.access.plex
nixos.cloudflared
# media
nixos.plex
nixos.tautulli
nixos.ombi
nixos.deluge
nixos.mediatomb
# yarr harr fiddle dee dee >w<
nixos.radarr
nixos.sonarr
nixos.bazarr
nixos.lidarr
nixos.readarr
nixos.prowlarr
];
sops.secrets.cloudflare_mediabox_tunnel = {
owner = cloudflared.user;
};
services.cloudflared = let
tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e";
inherit (config.networking) domain;
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path;
ingress = {
"tautulli.${domain}".service = "http://localhost:${toString tautulli.port}";
"ombi.${domain}".service = "http://localhost:${toString ombi.port}";
"sonarr.${domain}".service = "http://localhost:${toString sonarr.port}";
"radarr.${domain}".service = "http://localhost:${toString radarr.port}";
"bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}";
"lidarr.${domain}".service = "http://localhost:${toString lidarr.port}";
"readarr.${domain}".service = "http://localhost:${toString readarr.port}";
"prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}";
"deluge.${domain}".service = "http://localhost:${toString deluge.web.port}";
};
};
};
services.mediatomb = {
serverName = "tewi";
mediaDirectories = let
mkLibraryDir = dir: {
path = kyuuto-library + "/${dir}";
mountPoint = kyuuto-library;
};
libraryDir = {
path = kyuuto-library;
mountPoint = kyuuto-library;
subdirectories =
mapAttrsToList (
_: {hostPath, ...}:
removePrefix "${kyuuto-library}/" hostPath
)
plexLibrary
++ ["tlmc" "music-raw"];
};
in
[libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
};
fileSystems = let
bind = {
fsType = "none";
options = ["bind" "nofail"];
};
fsPlex = mapAttrs (_: {hostPath, ...}:
mkMerge [
bind
{
device = hostPath;
}
])
plexLibrary;
fsDeluge = {
"${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
bind
{
device = kyuuto + "/downloads/deluge/download";
}
]);
};
in
mkMerge [
fsPlex
(mkIf deluge.enable fsDeluge)
];
systemd.services.deluged = mkIf deluge.enable {
unitConfig.RequiresMountsFor = [
"${deluge.downloadDir}"
];
};
systemd.services.plex = mkIf plex.enable {
unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:34:F4:A8";
Type = "ether";
};
address = ["10.1.1.44/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "21.05";
})
];
}

148
systems/mediabox/nixos.nix
View file

@ -1,148 +0,0 @@
{
config,
meta,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.strings) removePrefix;
inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
kyuuto = "/mnt/kyuuto-media";
kyuuto-library = kyuuto + "/library";
plexLibrary = {
"/mnt/Anime".hostPath = kyuuto-library + "/anime";
"/mnt/Shows".hostPath = kyuuto-library + "/tv";
"/mnt/Movies".hostPath = kyuuto-library + "/movies";
"/mnt/Music".hostPath = kyuuto-library + "/music";
};
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.nginx
nixos.access.plex
nixos.cloudflared
# media
nixos.plex
nixos.tautulli
nixos.ombi
nixos.deluge
nixos.mediatomb
# yarr harr fiddle dee dee >w<
nixos.radarr
nixos.sonarr
nixos.bazarr
nixos.lidarr
nixos.readarr
nixos.prowlarr
];
sops.secrets.cloudflare_mediabox_tunnel = {
owner = cloudflared.user;
};
services.cloudflared = let
tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e";
inherit (config.networking) domain;
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path;
ingress = {
"tautulli.${domain}".service = "http://localhost:${toString tautulli.port}";
"ombi.${domain}".service = "http://localhost:${toString ombi.port}";
"sonarr.${domain}".service = "http://localhost:${toString sonarr.port}";
"radarr.${domain}".service = "http://localhost:${toString radarr.port}";
"bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}";
"lidarr.${domain}".service = "http://localhost:${toString lidarr.port}";
"readarr.${domain}".service = "http://localhost:${toString readarr.port}";
"prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}";
"deluge.${domain}".service = "http://localhost:${toString deluge.web.port}";
};
};
};
services.mediatomb = {
serverName = "tewi";
mediaDirectories = let
mkLibraryDir = dir: {
path = kyuuto-library + "/${dir}";
mountPoint = kyuuto-library;
};
libraryDir = {
path = kyuuto-library;
mountPoint = kyuuto-library;
subdirectories =
mapAttrsToList (
_: {hostPath, ...}:
removePrefix "${kyuuto-library}/" hostPath
)
plexLibrary
++ ["tlmc" "music-raw"];
};
in
[libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
};
fileSystems = let
bind = {
fsType = "none";
options = ["bind" "nofail"];
};
fsPlex = mapAttrs (_: {hostPath, ...}:
mkMerge [
bind
{
device = hostPath;
}
])
plexLibrary;
fsDeluge = {
"${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
bind
{
device = kyuuto + "/downloads/deluge/download";
}
]);
};
in
mkMerge [
fsPlex
(mkIf deluge.enable fsDeluge)
];
systemd.services.deluged = mkIf deluge.enable {
unitConfig.RequiresMountsFor = [
"${deluge.downloadDir}"
];
};
systemd.services.plex = mkIf plex.enable {
unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:34:F4:A8";
Type = "ether";
};
address = ["10.1.1.44/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "21.05";
}

76
systems/tei/config.nix Normal file
View file

@ -0,0 +1,76 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
config,
lib,
meta,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) kanidm mosquitto home-assistant;
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.tailscale
nixos.cloudflared
nixos.postgres
nixos.nginx
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.vouch
nixos.kanidm
nixos.mosquitto
nixos.home-assistant
nixos.zigbee2mqtt
nixos.syncplay
./cloudflared.nix
];
sops.defaultSopsFile = ./secrets.yaml;
services.kanidm = {
package =
lib.warnIf
(pkgs.kanidm.version != "1.1.0-rc.15")
"upstream kanidm may have localhost oauth2 support now!"
pkgs.kanidm-develop;
};
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf kanidm.enableServer [
kanidm.server.frontend.port
(mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
])
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])
(mkIf mosquitto.enable (map (
listener:
listener.port
)
mosquitto.listeners))
];
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:CC:66:57";
Type = "ether";
};
address = ["10.1.1.39/24"];
gateway = ["10.1.1.1"];
DHCP = "no";
};
system.stateVersion = "23.11";
})
];
}

67
systems/tei/nixos.nix
View file

@ -1,67 +0,0 @@
{
config,
lib,
meta,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) kanidm mosquitto home-assistant;
in {
imports = let
inherit (meta) nixos;
in [
nixos.reisen-ct
nixos.sops
nixos.tailscale
nixos.cloudflared
nixos.postgres
nixos.nginx
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.vouch
nixos.kanidm
nixos.mosquitto
nixos.home-assistant
nixos.zigbee2mqtt
nixos.syncplay
./cloudflared.nix
];
sops.defaultSopsFile = ./secrets.yaml;
services.kanidm = {
package = lib.warnIf
(pkgs.kanidm.version != "1.1.0-rc.15")
"upstream kanidm may have localhost oauth2 support now!"
pkgs.kanidm-develop;
};
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf kanidm.enableServer [
kanidm.server.frontend.port
(mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
])
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])
(mkIf mosquitto.enable (map (listener:
listener.port
) mosquitto.listeners))
];
};
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:CC:66:57";
Type = "ether";
};
address = [ "10.1.1.39/24" ];
gateway = [ "10.1.1.1" ];
DHCP = "no";
};
system.stateVersion = "23.11";
}

86
systems/tewi/config.nix Normal file
View file

@ -0,0 +1,86 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
({
meta,
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = with meta; [
(modulesPath + "/installer/scan/not-detected.nix")
nixos.sops
nixos.tailscale
];
services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
services.postgresql.package = pkgs.postgresql_14;
sops.defaultSopsFile = ./secrets.yaml;
networking = {
useNetworkd = true;
useDHCP = false;
};
services.resolved.enable = true;
boot = {
loader = {
systemd-boot = {
enable = true;
};
efi = {
canTouchEfiVariables = true;
};
};
initrd = {
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat";
};
};
systemd = {
network = {
networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig;
networkConfig = {
DHCP = "yes";
DNSDefaultRoute = true;
MulticastDNS = true;
};
linkConfig.Multicast = true;
};
links.eno1 = {
matchConfig = {
Type = "ether";
Driver = "e1000e";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
swapDevices = lib.singleton {
device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
};
system.stateVersion = "21.05";
})
];
}

81
systems/tewi/nixos.nix
View file

@ -1,81 +0,0 @@
{
meta,
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = with meta;
[
(modulesPath + "/installer/scan/not-detected.nix")
nixos.sops
nixos.tailscale
];
services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
services.postgresql.package = pkgs.postgresql_14;
sops.defaultSopsFile = ./secrets.yaml;
networking = {
useNetworkd = true;
useDHCP = false;
};
services.resolved.enable = true;
boot = {
loader = {
systemd-boot = {
enable = true;
};
efi = {
canTouchEfiVariables = true;
};
};
initrd = {
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat";
};
};
systemd = {
network = {
networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig;
networkConfig = {
DHCP = "yes";
DNSDefaultRoute = true;
MulticastDNS = true;
};
linkConfig.Multicast = true;
};
links.eno1 = {
matchConfig = {
Type = "ether";
Driver = "e1000e";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
swapDevices = lib.singleton {
device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
};
system.stateVersion = "21.05";
}

13
tree.nix
View file

@ -1,8 +1,4 @@
{
inputs,
lib,
...
}: (inputs.tree.tree {
{inputs, ...}: (inputs.tree.tree {
inherit inputs;
folder = ./.;
config = {
@ -12,7 +8,6 @@
"inputs"
"default"
"patchedInputs"
"mkTree"
"outputs"
"tree"
"flake"
@ -20,6 +15,11 @@
"inputs"
];
};
systems = {
excludes = [
"default"
];
};
"modules/nixos" = {
functor = {
external = with (import (inputs.arcexprs + "/modules")).nixos; [
@ -54,7 +54,6 @@
"nixos/*".functor = {
enable = true;
};
"system".functor.enable = true;
"hardware".evaluateDefault = true;
"nixos/cross".evaluateDefault = true;
"hardware/*".evaluateDefault = true;