feat: add beliskner

2023-06-18 03:04:44 +02:00 · 2023-06-18 03:04:44 +02:00 · 31637568e2
commit 31637568e2
parent 8149d5a71d
14 changed files with 294 additions and 35 deletions
--- a/hosts/beliskner/default.nix
+++ b/hosts/beliskner/default.nix
@ -0,0 +1,116 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  documentation.enable = false;
+  documentation.nixos.enable = false;
+  documentation.man.enable = false;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.systemd-boot.enable = false;
+
+  #networking.interfaces."ens3" = {
+  #  ipv6 = {
+  #    addresses = [
+  #      {
+  #        address = "2a03:4000:54:a98::1";
+  #        prefixLength = 64;
+  #      }
+  #    ];
+  #  };
+  #};
+  #networking.defaultGateway6 = { address = "fe80::1"; interface = "enp0s3"; };
+  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+  # networking.interfaces.eno1.useDHCP = true;
+  networking.hostId = "7c28236a";
+
+  # Immutable users due to tmpfs
+  users.mutableUsers = false;
+
+  services.postgresql.package = pkgs.postgresql_13;
+
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "beliskner.kangaroo-galaxy.ts.net";
+      root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
+    };
+  };
+
+
+  ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
+  services.prometheus.exporters.blackbox = {
+    enable = true;
+    configFile = config.age.secrets.prometheusBlackboxConfig.path;
+    enableConfigCheck = false;
+  };
+
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "beliskner.kangaroo-galaxy.ts.net" = {
+        extraConfig = ''
+                    reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+                    forward_auth unix//run/tailscale.nginx-auth.sock {
+          	      uri /auth
+          	      header_up Remote-Addr {remote_host}
+          	      header_up Remote-Port {remote_port}
+          	      header_up Original-URI {uri}
+          	      copy_headers {
+               	        Tailscale-User>X-Webauth-User
+          	        Tailscale-Name>X-Webauth-Name
+          	        Tailscale-Login>X-Webauth-Login
+          	        Tailscale-Tailnet>X-Webauth-Tailnet
+          	        Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+          	      }
+                    }
+        '';
+      };
+    };
+  };
+
+  networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
+  services.grafana.settings = {
+    analytics.reporting_enabled = false;
+    users = {
+      allow_sign_up = false;
+    };
+    auth.proxy = ''
+      enabled = true
+      header_name = "X-Webauth-User"
+      header_property = "username"
+      auto_sign_up = true
+      allow_sign_up = true
+      whitelist = "127.0.0.1, ::1"
+    '';
+  };
+  services.tailscale = {
+    enable = true;
+    permitCertUid = "caddy";
+  };
+
+
+
+  ragon = {
+    cli.enable = false;
+    user.enable = false;
+    persist.enable = true;
+    persist.extraDirectories = [
+      "/var/lib/tailscale"
+      "/var/lib/caddy"
+    ];
+    services = {
+      ssh.enable = true;
+    };
+  };
+}
--- a/hosts/beliskner/disk-config.nix
+++ b/hosts/beliskner/disk-config.nix
@ -0,0 +1,94 @@
+{ disks ? [ "/dev/vda" ], ... }: {
+  disko.devices = {
+    disk = {
+      vda = {
+        type = "disk";
+        device = builtins.elemAt disks 0;
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "boot";
+              start = "0";
+              end = "1M";
+              part-type = "primary";
+              flags = [ "bios_grub" ];
+            }
+            {
+              name = "ESP";
+              start = "1MiB";
+              end = "265MiB";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            }
+            {
+              name = "luks";
+              start = "265MiB";
+              end = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                extraOpenArgs = [ "--allow-discards" ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                keyFile = "/tmp/secret.key";
+                content = {
+                  type = "lvm_pv";
+                  vg = "pool";
+                };
+              };
+            }
+          ];
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        nix = {
+          persistent = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/nix";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "size=2G"
+          "defaults"
+          "mode=755"
+        ];
+      };
+    };
+  };
+  fileSystems."/var/log" =
+    {
+      device = "/nix/persistent/varlog";
+      fsType = "bind";
+      neededForBoot = true;
+    };
+  fileSystems."/persistent" =
+    {
+      device = "/nix/persistent";
+      fsType = "bind";
+      neededForBoot = true;
+    };
+}
--- a/hosts/beliskner/hardware-configuration.nix
+++ b/hosts/beliskner/hardware-configuration.nix
@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, inputs, ... }:
+let
+  pubkeys = import ../../data/pubkeys.nix;
+in
+{
+  imports = [ "${modulesPath}/profiles/qemu-guest.nix" inputs.disko.nixosModules.disko ];
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d2cb12f8-67e3-4725-86c3-0b5c7ebee3a6";
+  disko.devices = import ./disk-config.nix {
+    inherit lib;
+  };
+
+  boot.initrd = {
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        hostKeys = [
+          "/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
+          "/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
+        ];
+        authorizedKeys = pubkeys.ragon.user;
+      };
+    };
+  };
+  powerManagement.cpuFreqGovernor = "performance";
+}