Drift/pvv-nixos-config
Drift
/
pvv-nixos-config
16
4
Fork 1
Code Issues Pull Requests 6 Wiki Activity

Add host `bekkalokk` 

`bekkalokk` is a new machine, meant to host web services and eventually
miscellaneous services.
This commit is contained in:
Oystein Kristoffer Tveit 2023-01-29 01:51:35 +01:00
parent 387794fbe0
commit 796155481f
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
12 changed files with 279 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.sops.yaml
View File

@ -1,9 +1,14 @@
keys:
# Users
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
# Hosts
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
- &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
@ -14,8 +19,18 @@ creation_rules:
- *user_felixalb
pgp:
- *user_oysteikt
# Host specific secrets
## Jokum
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
key_groups:
- age:
- *host_bekkalokk
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:

41
flake.nix
View File

@ -11,7 +11,7 @@
matrix-next.url = "github:dali99/nixos-matrix-modules";
};
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs:
let
systems = [
"x86_64-linux"
@ -19,26 +19,31 @@
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
nixosConfigurations = {
jokum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; values = import ./values.nix; };
modules = [
./hosts/jokum/configuration.nix
sops-nix.nixosModules.sops
nixosConfigurations = let
nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
config
{
system = "x86_64-linux";
specialArgs = {
inherit unstable inputs;
values = import ./values.nix;
};
modules = [
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
matrix-next.nixosModules.synapse
];
});
inputs.matrix-next.nixosModules.synapse
];
};
ildkule = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; values = import ./values.nix; };
modules = [
./hosts/ildkule/configuration.nix
sops-nix.nixosModules.sops
];
in {
bekkalokk = nixosConfig "bekkalokk" { };
greddost = nixosConfig "greddost" { };
ildkule = nixosConfig "ildkule" { };
jokum = nixosConfig "jokum" {
modules = [ matrix-next.nixosModules.synapse ];
};
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});

42
hosts/bekkalokk/configuration.nix Normal file
View File

@ -0,0 +1,42 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
# TODO: set up authentication for the following:
# ./services/website/website.nix
# ./services/website/nginx.nix
# ./services/website/gitea.nix
# ./services/website/mediawiki.nix
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bekkalokk";
networking.interfaces.ens33 = {
useDHCP = false;
ipv4.addresses = [{
address = values.hosts.bekkalokk.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.bekkalokk.ipv6;
prefixLength = 64;
}];
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}

37
hosts/bekkalokk/hardware-configuration.nix Normal file
View File

@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1CB4-280D";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens33.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

4
hosts/bekkalokk/services/metrics/loki.nix Normal file
View File

@ -0,0 +1,4 @@
{ ... }:
{
}

4
hosts/bekkalokk/services/metrics/prometheus.nix Normal file
View File

@ -0,0 +1,4 @@
{ ... }:
{
}

26
hosts/bekkalokk/services/website/gitea.nix Normal file
View File

@ -0,0 +1,26 @@
{ config, values, ... }:
{
sops.secrets."postgres/gitea/password" = { };
services.gitea = {
enable = true;
rootUrl = "https://git2.pvv.ntnu.no/";
stateDir = "/data/gitea";
appName = "PVV Git";
enableUnixSocket = true;
database = {
type = "postgres";
host = values.bicep.ipv4;
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."postgres/gitea/password".path;
createDatabase = false;
};
settings = {
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
}

23
hosts/bekkalokk/services/website/mediawiki.nix Normal file
View File

@ -0,0 +1,23 @@
{ values, config, ... }:
{
sops.secrets = {
"mediawiki/password" = { };
"postgres/mediawiki/password" = { };
};
services.mediawiki = {
enable = true;
name = "PVV";
passwordFile = config.sops.secrets."mediawiki/password".path;
virtualHost = {
};
database = {
type = "postgres";
host = values.bicep.ipv4;
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
};
};
}

30
hosts/bekkalokk/services/website/nginx.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, ... }:
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"www.pvv.ntnu.no" = {
forceSSL = true;
locations = {
"/pvv" = {
proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
};
};
};
"git.pvv.ntnu.no" = {
locations."/" = {
proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
proxyWebsockets = true;
};
};
};
};
}

4
hosts/bekkalokk/services/website/website.nix Normal file
View File

@ -0,0 +1,4 @@
{ ... }:
{
}

66
secrets/bekkalokk/bekkalokk/bekkalokk.yaml Normal file
View File

@ -0,0 +1,66 @@
gitea:
password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
keys:
postgres:
gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str]
mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5
TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv
MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx
U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl
5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq
eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1
V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1
TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV
216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4
Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw
UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4
RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-28T23:33:14Z"
mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str]
pgp:
- created_at: "2023-01-28T23:37:44Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ//foXRhar7kfr0PbxVjk2uWzGBoXpffjZPCoaM3D8RhIM8
kod/LMqUUkCvGjBFrmKiN2BCKf3SLDjnZp55J7zQ8x3Go133JdOAB/zZDaT+oxv1
kGQneeXRqeD51/25nFTq+ZZSzBP8fXJgmlsR/1ZM1/IjKF5m5JzD2duqNKV3fqto
IwdiqvrkMiCQICmvKxwwtbdP8+29eUbnfdOi9MO8wcXuObwz84mmpgjT30mNCWF8
Ha7PlcdjpRpYHwUp66+yO4uZ9nOAs7ygzcxKLOMwyaHDv9QJYHtXDUvLv50Jnucw
KhukMJHTURzeNgUEtTu7kR0WCEBl4IyZ6GUJhc2bX3JEbYi9xZqMHgh+lf1usd1q
bDPe3xUEKKgAPXeZRzqCQoy/MuIPErMWpqAQePtL3KOafX+vTve0lfPtLKKbne8+
Tv3eaj3chC255wq6CaJjHO+PI1nt2k29KC6XXxTzkwbRxgT6wVP9uIszeRdREpyX
+//TCsvnAwd2l3ojzXwIEv3F6/xeYpj7hur59BopDRX3yEUNZhgfDa+l6+BIHoDZ
TY3ocQrIxH40CF4IxL6dDR8OOut9vlDpfZTora7MLiQbTU1t5huGY0zBH1LpQ4u9
B/DnBKIuEhZf6eoH5DNHLnzuFYT6Q8QUHfHsM5KOnSEtx2oS2Txd/Ag7dS4FTPPS
XgEe6r+BP6ItZlDVBHN9EPkgS96xpQ5EIacTxX7qmA0ToGySIyMC3PVJkO8muIIK
/Lmmp6yaBOQN0kqQ26dTuVOMfMzI8zqnOW03Lm35nGnl3x8mGDH48j4Y05pS85k=
=t11j
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.7.3

4
values.nix
View File

@ -17,6 +17,10 @@ in rec {
hosts = {
gateway = pvv-ipv4 129;
bekkalokk = {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
};
jokum = {
ipv4 = pvv-ipv4 169;
ipv6 = pvv-ipv6 169;