From 796155481fa9edc88e1b9bf4ea3475e293e65af8 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Sun, 29 Jan 2023 01:51:35 +0100 Subject: [PATCH] Add host `bekkalokk` `bekkalokk` is a new machine, meant to host web services and eventually miscellaneous services. --- .sops.yaml | 17 ++++- flake.nix | 41 +++++++----- hosts/bekkalokk/configuration.nix | 42 ++++++++++++ hosts/bekkalokk/hardware-configuration.nix | 37 +++++++++++ hosts/bekkalokk/services/metrics/loki.nix | 4 ++ .../bekkalokk/services/metrics/prometheus.nix | 4 ++ hosts/bekkalokk/services/website/gitea.nix | 26 ++++++++ .../bekkalokk/services/website/mediawiki.nix | 23 +++++++ hosts/bekkalokk/services/website/nginx.nix | 30 +++++++++ hosts/bekkalokk/services/website/website.nix | 4 ++ secrets/bekkalokk/bekkalokk/bekkalokk.yaml | 66 +++++++++++++++++++ values.nix | 4 ++ 12 files changed, 279 insertions(+), 19 deletions(-) create mode 100644 hosts/bekkalokk/configuration.nix create mode 100644 hosts/bekkalokk/hardware-configuration.nix create mode 100644 hosts/bekkalokk/services/metrics/loki.nix create mode 100644 hosts/bekkalokk/services/metrics/prometheus.nix create mode 100644 hosts/bekkalokk/services/website/gitea.nix create mode 100644 hosts/bekkalokk/services/website/mediawiki.nix create mode 100644 hosts/bekkalokk/services/website/nginx.nix create mode 100644 hosts/bekkalokk/services/website/website.nix create mode 100644 secrets/bekkalokk/bekkalokk/bekkalokk.yaml diff --git a/.sops.yaml b/.sops.yaml index 8638a237..24e3bbec 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -1,9 +1,14 @@ keys: + # Users - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC + + # Hosts - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608 - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x + - &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm + creation_rules: # Global secrets - path_regex: secrets/[^/]+\.yaml$ @@ -14,8 +19,18 @@ creation_rules: - *user_felixalb pgp: - *user_oysteikt + # Host specific secrets - ## Jokum + + - path_regex: secrets/bekkalokk/[^/]+\.yaml$ + key_groups: + - age: + - *host_bekkalokk + - *user_danio + - *user_felixalb + pgp: + - *user_oysteikt + - path_regex: secrets/jokum/[^/]+\.yaml$ key_groups: - age: diff --git a/flake.nix b/flake.nix index 938d4f85..db082648 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ matrix-next.url = "github:dali99/nixos-matrix-modules"; }; - outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs: + outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs: let systems = [ "x86_64-linux" 
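Review bot: The new creation rule `path_regex: secrets/bekkalokk/[^/]+\.yaml$` does not match the secrets file this commit actually adds, `secrets/bekkalokk/bekkalokk/bekkalokk.yaml` — the extra directory level defeats `[^/]+` — and the global rule `secrets/[^/]+\.yaml$` does not match it either. `sops updatekeys` and any re-encryption of that file will therefore find no rule; the recipients embedded in the file happen to equal this key group today, but nothing keeps them in sync. Either move the file to `secrets/bekkalokk/bekkalokk.yaml`, which is also the path `hosts/bekkalokk/configuration.nix` points at, or loosen the regex to `secrets/bekkalokk/.*\.yaml$`. The `creation_rules` list continues outside the hunk.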
@@ -19,26 +19,31 @@
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
- nixosConfigurations = {
- jokum = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = { inherit unstable inputs; values = import ./values.nix; };
- modules = [
- ./hosts/jokum/configuration.nix
- sops-nix.nixosModules.sops
+ nixosConfigurations = let
+ nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
+ config
+ {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit unstable inputs;
+ values = import ./values.nix;
+ };
+ modules = [
+ ./hosts/${name}/configuration.nix
+ sops-nix.nixosModules.sops
+ matrix-next.nixosModules.synapse
+ ];
+ });
- inputs.matrix-next.nixosModules.synapse
- ];
- };
- ildkule = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = { inherit unstable inputs; values = import ./values.nix; };
- modules = [
- ./hosts/ildkule/configuration.nix
- sops-nix.nixosModules.sops
- ];
+ in {
+ bekkalokk = nixosConfig "bekkalokk" { };
+ greddost = nixosConfig "greddost" { };
+ ildkule = nixosConfig "ildkule" { };
+ jokum = nixosConfig "jokum" {
+ modules = [ matrix-next.nixosModules.synapse ];
+ };
+ };
+ };
+
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
new file mode 100644
index 00000000..f48cbc91
--- /dev/null
+++ b/hosts/bekkalokk/configuration.nix
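Review bot: `nixpkgs.lib.recursiveUpdate config { … modules = [ … ]; }` lets the right-hand attrset win, and lists are replaced rather than merged, so any `modules` passed per host is silently discarded — jokum's `modules = [ matrix-next.nixosModules.synapse ]` never takes effect. It still works only because the helper now unconditionally puts `matrix-next.nixosModules.synapse` into every host's module list, so bekkalokk, greddost and ildkule also evaluate the synapse module; swapping the operands and appending the host's modules fixes both (below). `greddost = nixosConfig "greddost" { };` references `hosts/greddost/configuration.nix`, which this commit does not add, so the flake will fail to evaluate unless that file already exists in the tree.
```nix
nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
  {
    system = "x86_64-linux";
    specialArgs = {
      inherit unstable inputs;
      values = import ./values.nix;
    };
    # Per-host modules are appended, not replaced, so `config.modules` survives.
    modules = [
      ./hosts/${name}/configuration.nix
      sops-nix.nixosModules.sops
    ] ++ (config.modules or [ ]);
  }
  (builtins.removeAttrs config [ "modules" ]));
# … unchanged: in { bekkalokk = …; greddost = …; ildkule = …; jokum = nixosConfig "jokum" { modules = [ matrix-next.nixosModules.synapse ]; }; } …
```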
@@ -0,0 +1,42 @@
+{ pkgs, values, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ../../base.nix
+
+ # TODO: set up authentication for the following:
+ # ./services/website/website.nix
+ # ./services/website/nginx.nix
+ # ./services/website/gitea.nix
+ # ./services/website/mediawiki.nix
+ ];
+
+ sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "bekkalokk";
+
+ networking.interfaces.ens33 = {
+ useDHCP = false;
+
+ ipv4.addresses = [{
+ address = values.hosts.bekkalokk.ipv4;
+ prefixLength = 25;
+ }];
+
+ ipv6.addresses = [{
+ address = values.hosts.bekkalokk.ipv6;
+ prefixLength = 64;
+ }];
+ };
+
+ # Do not change, even during upgrades.
+ # See https://search.nixos.org/options?show=system.stateVersion
+ system.stateVersion = "22.11";
+}
diff --git a/hosts/bekkalokk/hardware-configuration.nix b/hosts/bekkalokk/hardware-configuration.nix
new file mode 100644
index 00000000..0653c98f
--- /dev/null
+++ b/hosts/bekkalokk/hardware-configuration.nix
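Review bot: `sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;` resolves to `secrets/bekkalokk/bekkalokk.yaml`, but the file this commit adds is `secrets/bekkalokk/bekkalokk/bekkalokk.yaml`, so evaluating `nixosConfigurations.bekkalokk` fails on a missing path until the file is moved (which it also needs to be in order to match the `.sops.yaml` rule). The key setup below it installs two decryption identities at once — the SSH host key via `sops.age.sshKeyPaths` and a generated `/var/lib/sops-nix/key.txt` — while `.sops.yaml` lists a single `host_bekkalokk` recipient; whichever of the two that recipient was not derived from is a long-lived private key on disk that decrypts nothing, so keep only the matching one and say which, e.g. `# host_bekkalokk in .sops.yaml is ssh_host_ed25519_key converted with ssh-to-age`. `hardware-configuration.nix` still sets `networking.useDHCP = lib.mkDefault true`, so any interface other than `ens33` will DHCP; add `networking.useDHCP = false;` here if the static addressing is meant to be the only configuration.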
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/1CB4-280D"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens33.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/bekkalokk/services/metrics/loki.nix b/hosts/bekkalokk/services/metrics/loki.nix new file mode 100644 index 00000000..facb35d6 --- /dev/null +++ b/hosts/bekkalokk/services/metrics/loki.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + +} diff --git a/hosts/bekkalokk/services/metrics/prometheus.nix b/hosts/bekkalokk/services/metrics/prometheus.nix new file mode 100644 index 00000000..facb35d6 --- /dev/null +++ b/hosts/bekkalokk/services/metrics/prometheus.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + +} 
diff --git a/hosts/bekkalokk/services/website/gitea.nix b/hosts/bekkalokk/services/website/gitea.nix
new file mode 100644
index 00000000..908bc227
--- /dev/null
+++ b/hosts/bekkalokk/services/website/gitea.nix
@@ -0,0 +1,26 @@
+{ config, values, ... }:
+{
+ sops.secrets."postgres/gitea/password" = { };
+
+ services.gitea = {
+ enable = true;
+ rootUrl = "https://git2.pvv.ntnu.no/";
+ stateDir = "/data/gitea";
+ appName = "PVV Git";
+
+ enableUnixSocket = true;
+
+ database = {
+ type = "postgres";
+ host = values.bicep.ipv4;
+ port = config.services.postgresql.port;
+ passwordFile = config.sops.secrets."postgres/gitea/password".path;
+ createDatabase = false;
+ };
+
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ session.COOKIE_SECURE = true;
+ };
+ };
+}
diff --git a/hosts/bekkalokk/services/website/mediawiki.nix b/hosts/bekkalokk/services/website/mediawiki.nix
new file mode 100644
index 00000000..3af2411d
--- /dev/null
+++ b/hosts/bekkalokk/services/website/mediawiki.nix
@@ -0,0 +1,23 @@
+{ values, config, ... }:
+{
+ sops.secrets = {
+ "mediawiki/password" = { };
+ "postgres/mediawiki/password" = { };
+ };
+
+ services.mediawiki = {
+ enable = true;
+ name = "PVV";
+ passwordFile = config.sops.secrets."mediawiki/password".path;
+
+ virtualHost = {
+ };
+
+ database = {
+ type = "postgres";
+ host = values.bicep.ipv4;
+ port = config.services.postgresql.port;
+ passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
+ };
+ };
+}
diff --git a/hosts/bekkalokk/services/website/nginx.nix b/hosts/bekkalokk/services/website/nginx.nix
new file mode 100644
index 00000000..6410f607
--- /dev/null
+++ b/hosts/bekkalokk/services/website/nginx.nix
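Review bot: `sops.secrets."postgres/gitea/password"` names a key that does not exist in the committed `secrets/bekkalokk/bekkalokk/bekkalokk.yaml`, which stores the database password under `keys.postgres.gitea` (and an unrelated `gitea.password`); sops-nix will fail on the missing key, so either rename the YAML entry or map it with `sops.secrets."postgres/gitea/password".key = "keys/postgres/gitea";`. The database host is remote (`values.bicep.ipv4`) and Gitea's default is `SSL_MODE = disable`, so the password and every query cross the network in cleartext unless that link is protected some other way; add `settings.database.SSL_MODE = "require";` (or `verify-full` with the server CA) next to the other settings. `port = config.services.postgresql.port` only reads the local PostgreSQL module's default even though nothing here runs PostgreSQL, and I cannot see a top-level `bicep` attribute in the `values.nix` hunk — the other hosts are addressed as `values.hosts.<name>.ipv4` — so confirm that path and consider keeping the port in `values.nix` beside the address. `stateDir = "/data/gitea"` has no matching mount in `hardware-configuration.nix`, so repositories will land on the root filesystem unless one is added.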
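Review bot: Same secret-name mismatch as gitea.nix: `postgres/mediawiki/password` is stored as `keys.postgres.mediawiki` in the committed secrets file, so map it with `sops.secrets."postgres/mediawiki/password".key = "keys/postgres/mediawiki";` or rename the YAML key. The database is remote, but `database.createLocally` — which as far as I recall defaults to `true` and asserts that no `passwordFile` is set — is not turned off; add `createLocally = false;` beside `host`, mirroring `createDatabase = false` in gitea.nix. `virtualHost = { };` leaves the Apache vhost with none of its settings (host name, listen address, TLS), yet nginx.nix on this host reads `virtualHost.listen` from it; either fill it in or drop the empty attrset until the authentication TODO is resolved. `values.bicep.ipv4` does not follow the `values.hosts.<name>.ipv4` shape used elsewhere in this commit; confirm `bicep` is defined at top level of values.nix.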
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ virtualHosts = {
+ "www.pvv.ntnu.no" = {
+ forceSSL = true;
+
+ locations = {
+ "/pvv" = {
+ proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
+ };
+ };
+ };
+
+ "git.pvv.ntnu.no" = {
+ locations."/" = {
+ proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/bekkalokk/services/website/website.nix b/hosts/bekkalokk/services/website/website.nix
new file mode 100644
index 00000000..facb35d6
--- /dev/null
+++ b/hosts/bekkalokk/services/website/website.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
diff --git a/secrets/bekkalokk/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk/bekkalokk.yaml
new file mode 100644
index 00000000..606da8fa
--- /dev/null
+++ b/secrets/bekkalokk/bekkalokk/bekkalokk.yaml
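Review bot: The `git.pvv.ntnu.no` vhost has no `forceSSL`/`enableACME` or certificate paths, so Gitea is served over plain HTTP while gitea.nix sets `session.COOKIE_SECURE = true` and `rootUrl = "https://git2.pvv.ntnu.no/"`; the session cookie will never be returned over http, logins will look broken, and the tempting fix is to drop the secure flag — add `forceSSL = true;` with the same certificate mechanism as `www.pvv.ntnu.no`, and reconcile the host name with `rootUrl`. `www.pvv.ntnu.no` itself sets `forceSSL = true` but no certificate source is visible in this commit; if base.nix does not provide one, nginx will fail to start. The mediawiki proxy line `"http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}"` interpolates an integer, which Nix refuses at evaluation time, and I cannot see that `listen` is an attrset with a `pvv` key — the httpd vhost `listen` option is, as I recall, a list of `{ ip, port, ssl }` — so wrap the port in `toString` and take it from the list, e.g. `toString (builtins.head config.services.mediawiki.virtualHost.listen).port`. The unix-socket `proxyPass` relies on `enableUnixSocket` making `settings.server.HTTP_ADDR` a socket path; a one-line comment saying so would save the next reader a trip to the module source.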
@@ -0,0 +1,66 @@ +gitea: + password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str] +mediawiki: + password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] +keys: + postgres: + gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str] + mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5 + TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv + MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx + U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl + 5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq + eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1 + V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1 + TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV + 216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4 + Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw + UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4 + RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK + hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-01-28T23:33:14Z" + mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str] + pgp: + - created_at: "2023-01-28T23:37:44Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYAQ//foXRhar7kfr0PbxVjk2uWzGBoXpffjZPCoaM3D8RhIM8 + kod/LMqUUkCvGjBFrmKiN2BCKf3SLDjnZp55J7zQ8x3Go133JdOAB/zZDaT+oxv1 + kGQneeXRqeD51/25nFTq+ZZSzBP8fXJgmlsR/1ZM1/IjKF5m5JzD2duqNKV3fqto + IwdiqvrkMiCQICmvKxwwtbdP8+29eUbnfdOi9MO8wcXuObwz84mmpgjT30mNCWF8 + Ha7PlcdjpRpYHwUp66+yO4uZ9nOAs7ygzcxKLOMwyaHDv9QJYHtXDUvLv50Jnucw + KhukMJHTURzeNgUEtTu7kR0WCEBl4IyZ6GUJhc2bX3JEbYi9xZqMHgh+lf1usd1q + bDPe3xUEKKgAPXeZRzqCQoy/MuIPErMWpqAQePtL3KOafX+vTve0lfPtLKKbne8+ + Tv3eaj3chC255wq6CaJjHO+PI1nt2k29KC6XXxTzkwbRxgT6wVP9uIszeRdREpyX + +//TCsvnAwd2l3ojzXwIEv3F6/xeYpj7hur59BopDRX3yEUNZhgfDa+l6+BIHoDZ + TY3ocQrIxH40CF4IxL6dDR8OOut9vlDpfZTora7MLiQbTU1t5huGY0zBH1LpQ4u9 + B/DnBKIuEhZf6eoH5DNHLnzuFYT6Q8QUHfHsM5KOnSEtx2oS2Txd/Ag7dS4FTPPS + XgEe6r+BP6ItZlDVBHN9EPkgS96xpQ5EIacTxX7qmA0ToGySIyMC3PVJkO8muIIK + /Lmmp6yaBOQN0kqQ26dTuVOMfMzI8zqnOW03Lm35nGnl3x8mGDH48j4Y05pS85k= + =t11j + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values.nix b/values.nix index fa42f12c..68ebeb25 100644 --- a/values.nix +++ b/values.nix 
@@ -17,6 +17,10 @@ in rec {
hosts = {
gateway = pvv-ipv4 129;
+ bekkalokk = {
+ ipv4 = pvv-ipv4 168;
+ ipv6 = pvv-ipv6 168;
+ };
jokum = {
ipv4 = pvv-ipv4 169;
ipv6 = pvv-ipv6 169;