xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add beliskner

Browse source
This commit is contained in:
xyno (Philipp Hochkamp) 2023-06-18 03:04:44 +02:00
parent 8149d5a71d
commit 31637568e2
14 changed files with 294 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

2
darwin-common.nix
View file

@ -8,7 +8,7 @@
nix.settings.max-jobs = 10; # use all cores nix.settings.max-jobs = 10; # use all cores
nix.settings.auto-optimise-store = true; nix.settings.auto-optimise-store = true;
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.nixPath = [{ nixpkgs = "${inputs.nixpkgs-darwin}"; nixpkgs-master = "${inputs.nixpkgs-master}"; nixpkgs-nixos = "${inputs.nixpkgs}"; }]; nix.nixPath = [{ nixpkgs = "${inputs.nixpkgs-darwin.outPath}"; nixpkgs-master = "${inputs.nixpkgs-master.outPath}"; nixpkgs-nixos = "${inputs.nixpkgs.outPath}"; }];
nix.buildMachines = [{ nix.buildMachines = [{
systems = [ "x86_64-linux" ]; systems = [ "x86_64-linux" ];
supportedFeatures = [ "kvm" "big-parallel" ]; supportedFeatures = [ "kvm" "big-parallel" ];

17
data/monitoring.toml
View file

@ -1,6 +1,6 @@
[master] [master]
hostname = "ds9" hostname = "beliskner"
ip = "100.83.96.25" # tailscale ip = "beliskner.kangaroo-galaxy.ts.net" # tailscale
[hostOverrides] [hostOverrides]
@ -16,17 +16,8 @@ hosts = [ "ds9", "picard" ]
[exporters.smartctl] [exporters.smartctl]
hosts = [ "ds9" ] hosts = [ "ds9" ]
# [exporters.dnsmasq] [exporters.blackbox]
# hosts = [ "wormhole" ] hosts = [ "beliskner" ]
#
# [exporters.wireguard]
# hosts = [ "wormhole"]
#
# [exporters.smokeping]
# hosts = [ "wormhole"]
[exporters.nginxlog]
hosts = [ "picard", "ds9" ]
[promtail] [promtail]
hosts = [ "picard", "ds9" ] hosts = [ "picard", "ds9" ]

1
data/pubkeys.nix
View file

@ -15,6 +15,7 @@ let
picard = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm3UXZaN95WBUaS9SiHLNEuI1tP1x1w07qnYxPe+vdr" ]; picard = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm3UXZaN95WBUaS9SiHLNEuI1tP1x1w07qnYxPe+vdr" ];
daedalusvm = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJCNGGsnAPPmhQnEMBWJulM2pi3pw/tdX1vi3l6cRky" ]; daedalusvm = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJCNGGsnAPPmhQnEMBWJulM2pi3pw/tdX1vi3l6cRky" ];
octopi = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+0/lwNc/KN8LrS3KvDCuuipQokO+7qELfksepJXz6a" ]; octopi = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+0/lwNc/KN8LrS3KvDCuuipQokO+7qELfksepJXz6a" ];
beliskner = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+0/lwNc/KN8LrS3KvDCuuipQokO+7qELfksepJXz6a" ];
}; };
in in
{ {

21
flake.lock generated
View file

@ -82,6 +82,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1687028856,
"narHash": "sha256-vKV3I31tmXwaWHiUOgfDVd27cEHqaPBr1lt9+NKdIp8=",
"owner": "nix-community",
"repo": "disko",
"rev": "64c9c78c15fd4c899d857bf09dba88bda771b43a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -731,6 +751,7 @@
"agenix": "agenix", "agenix": "agenix",
"agkozak-zsh-prompt": "agkozak-zsh-prompt", "agkozak-zsh-prompt": "agkozak-zsh-prompt",
"darwin": "darwin_2", "darwin": "darwin_2",
"disko": "disko",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"impermanence": "impermanence", "impermanence": "impermanence",
"miro": "miro", "miro": "miro",

3
flake.nix
View file

@ -16,6 +16,8 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
darwin.url = "github:lnl7/nix-darwin/master"; darwin.url = "github:lnl7/nix-darwin/master";
darwin.inputs.nixpkgs.follows = "nixpkgs"; darwin.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
neovim-nightly-overlay.inputs.nixpkgs.follows = "nixpkgs-master"; neovim-nightly-overlay.inputs.nixpkgs.follows = "nixpkgs-master";
neovim-nightly-overlay.inputs.neovim-flake.url = "github:neovim/neovim?dir=contrib&rev=eb151a9730f0000ff46e0b3467e29bb9f02ae362"; neovim-nightly-overlay.inputs.neovim-flake.url = "github:neovim/neovim?dir=contrib&rev=eb151a9730f0000ff46e0b3467e29bb9f02ae362";
@ -245,6 +247,7 @@
daedalusvm = nixosSystem "aarch64-linux" [ ./hosts/daedalusvm/default.nix ]; daedalusvm = nixosSystem "aarch64-linux" [ ./hosts/daedalusvm/default.nix ];
octopi = nixosSystem "aarch64-linux" [ ./hosts/octopi/default.nix ]; octopi = nixosSystem "aarch64-linux" [ ./hosts/octopi/default.nix ];
icarus = nixosSystem "x86_64-linux" [ ./hosts/icarus/default.nix ]; icarus = nixosSystem "x86_64-linux" [ ./hosts/icarus/default.nix ];
beliskner = nixosSystem "x86_64-linux" [ ./hosts/beliskner/default.nix ];
}; };
darwinConfigurations = processConfigurations { darwinConfigurations = processConfigurations {
daedalus = darwinSystem "aarch64-darwin" [ ./hosts/daedalus/default.nix ]; daedalus = darwinSystem "aarch64-darwin" [ ./hosts/daedalus/default.nix ];

116
hosts/beliskner/default.nix Normal file
View file

@ -0,0 +1,116 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.systemd-boot.enable = false;
#networking.interfaces."ens3" = {
# ipv6 = {
# addresses = [
# {
# address = "2a03:4000:54:a98::1";
# prefixLength = 64;
# }
# ];
# };
#};
#networking.defaultGateway6 = { address = "fe80::1"; interface = "enp0s3"; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c28236a";
# Immutable users due to tmpfs
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_13;
services.grafana = {
enable = true;
settings.server = {
domain = "beliskner.kangaroo-galaxy.ts.net";
root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
};
};
ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
services.prometheus.exporters.blackbox = {
enable = true;
configFile = config.age.secrets.prometheusBlackboxConfig.path;
enableConfigCheck = false;
};
services.caddy = {
enable = true;
virtualHosts = {
"beliskner.kangaroo-galaxy.ts.net" = {
extraConfig = ''
reverse_proxy :${toString config.services.grafana.settings.server.http_port}
forward_auth unix//run/tailscale.nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
'';
};
};
};
networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
services.grafana.settings = {
analytics.reporting_enabled = false;
users = {
allow_sign_up = false;
};
auth.proxy = ''
enabled = true
header_name = "X-Webauth-User"
header_property = "username"
auto_sign_up = true
allow_sign_up = true
whitelist = "127.0.0.1, ::1"
'';
};
services.tailscale = {
enable = true;
permitCertUid = "caddy";
};
ragon = {
cli.enable = false;
user.enable = false;
persist.enable = true;
persist.extraDirectories = [
"/var/lib/tailscale"
"/var/lib/caddy"
];
services = {
ssh.enable = true;
};
};
}

94
hosts/beliskner/disk-config.nix Normal file
View file

@ -0,0 +1,94 @@
{ disks ? [ "/dev/vda" ], ... }: {
disko.devices = {
disk = {
vda = {
type = "disk";
device = builtins.elemAt disks 0;
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "ESP";
start = "1MiB";
end = "265MiB";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
}
{
name = "luks";
start = "265MiB";
end = "100%";
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
content = {
type = "lvm_pv";
vg = "pool";
};
};
}
];
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
nix = {
persistent = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/nix";
mountOptions = [
"defaults"
];
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"size=2G"
"defaults"
"mode=755"
];
};
};
};
fileSystems."/var/log" =
{
device = "/nix/persistent/varlog";
fsType = "bind";
neededForBoot = true;
};
fileSystems."/persistent" =
{
device = "/nix/persistent";
fsType = "bind";
neededForBoot = true;
};
}

30
hosts/beliskner/hardware-configuration.nix Normal file
View file

@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, inputs, ... }:
let
pubkeys = import ../../data/pubkeys.nix;
in
{
imports = [ "${modulesPath}/profiles/qemu-guest.nix" inputs.disko.nixosModules.disko ];
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d2cb12f8-67e3-4725-86c3-0b5c7ebee3a6";
disko.devices = import ./disk-config.nix {
inherit lib;
};
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [
"/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
"/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
];
authorizedKeys = pubkeys.ragon.user;
};
};
};
powerManagement.cpuFreqGovernor = "performance";
}

1
hosts/picard/default.nix
View file

@ -15,7 +15,6 @@
documentation.nixos.enable = false; documentation.nixos.enable = false;
documentation.man.enable = false; documentation.man.enable = false;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.loader.systemd-boot.enable = false; boot.loader.systemd-boot.enable = false;

17
nixos-modules/services/monitoring.nix
View file

@ -19,7 +19,6 @@ in
config = mkMerge ([ config = mkMerge ([
(mkIf (cfg.master.hostname == hostName) { (mkIf (cfg.master.hostname == hostName) {
services.loki.enable = true; services.loki.enable = true;
networking.firewall.allowedTCPPorts = [ 3100 ];
services.loki.configFile = pkgs.writeText "loki.yml" '' services.loki.configFile = pkgs.writeText "loki.yml" ''
auth_enabled: false auth_enabled: false
server: server:
@ -57,7 +56,7 @@ in
boltdb_shipper: boltdb_shipper:
active_index_directory: /tmp/loki/boltdb-shipper-active active_index_directory: /tmp/loki/boltdb-shipper-active
cache_location: /tmp/loki/boltdb-shipper-cache cache_location: /tmp/loki/boltdb-shipper-cache
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space cache_ttl: 4h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: filesystem shared_store: filesystem
filesystem: filesystem:
directory: /tmp/loki/chunks directory: /tmp/loki/chunks
@ -114,21 +113,7 @@ in
{ {
# some global settings # some global settings
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ]; services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
services.prometheus.exporters.dnsmasq.leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
systemd.services."prometheus-smartctl-exporter".serviceConfig.DeviceAllow = [ "* r" ];
services.prometheus.exporters.smartctl.user = "root";
services.prometheus.exporters.smartctl.group = "root";
services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ]; services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
services.nginx.statusPage = mkDefault config.services.prometheus.exporters.nginx.enable;
services.prometheus.exporters.nginxlog.user = "nginx";
services.prometheus.exporters.nginxlog.group = "nginx";
services.prometheus.exporters.nginxlog.settings = {
namespaces = [{
name = "nginxlog";
format = "$remote_addr - - [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\"";
source.files = [ "/var/log/nginx/access.log" ];
}];
};
} }
(mkIf (builtins.elem hostName cfg.promtail.hosts) { (mkIf (builtins.elem hostName cfg.promtail.hosts) {
services.promtail = { services.promtail = {

4
nixos-modules/services/ssh.nix
View file

@ -6,9 +6,9 @@ in
{ {
options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd"; options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.openssh.permitRootLogin = "without-password"; services.openssh.settings.PermitRootLogin = "without-password";
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.passwordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = pubkeys.ragon.user; users.users.root.openssh.authorizedKeys.keys = pubkeys.ragon.user;
}; };
} }

4
nixos-modules/system/security.nix
View file

@ -11,9 +11,9 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
services.openssh = { services.openssh = {
passwordAuthentication = false; settings.PasswordAuthentication = false;
allowSFTP = true; # just use rsync, lol allowSFTP = true; # just use rsync, lol
kbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
extraConfig = '' extraConfig = ''
AllowTcpForwarding yes AllowTcpForwarding yes
X11Forwarding no X11Forwarding no

18
secrets/prometheusBlackboxConfig.age Normal file
View file

@ -0,0 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 46dvqg YDxtUSg3QOM3qbqxYuKO1ga4JOAumKpcuf9GlBd0Nn8
d5tNS2c0LSqFXEzz1So4DG7ymdsjFf3fL0NmvUwMghw
-> ssh-ed25519 ugHWWw SOIF3aWQ0PWJqz7z5Ah4EtjXxAzfN4FwACEqXtqBrWY
+VEK3cDwW3lZiI+09jr4M1Kzf76klZgrcqr5qYtLtR4
-> ssh-ed25519 UU9RSA y3sYSGTO+DC7btlBd9+KwIjzX9TjzPXPU39kH12f11E
IppTK0GKRPQ3CKAjqXoweb4n8N7IXSOpZjhgiBe+VUU
-> ssh-ed25519 RJI3BA d1Qw2K7LTibTh8+Zaha9ynmNk1xgDlXfDeF/vHPd2FM
indJ1NRruWxnhg3NtlkdhxkDCDGF4ghSyDgkTCBFDvU
-> ssh-ed25519 XnvJKw xsGYu6HUfUgkb93mhgDHNYJ+8dZZJpqFRAg1c32luUE
p9gDrwX9jvnuP+QRjqpLJp2qMpti5Oa+8dUIjMBZqrA
-> ssh-ed25519 7NL5Ng fiu2K+E1F/6A5WBHeAgEM40dbDUvqskOaxrJfOmCSlQ
nBVY0IZ10hatoxWQQkYatcxzYrU3Zn0z/o9tJia9ooI
-> ;\&a?k}-grease 2Xc0a 8J&H^ hR>D
EEyqIPv7t8ElVB/DilVhYGEDY1Jn5mrxVvmuUCPO3kPWJUdJCNAVv9uJPAN3/k0e
eP/qCcMJq5Y+W5hkAhH7SFk
--- XmJJ95cSiIMh9vOsct53Ix0d19Gwbl0aQYU+i5MNysA
ó4ªŸiC§³QªqeC¹áÌÑQ»2mV¥T,<2C> Ö¸

1
secrets/secrets.nix
View file

@ -23,6 +23,7 @@ in
"gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard";
"gitlabDBFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabDBFile.age".publicKeys = pubkeys.ragon.host "picard";
"gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard";
"prometheusBlackboxConfig.age".publicKeys = pubkeys.ragon.host "beliskner";
"gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard";
"nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard"; "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard";
"picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard"; "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";