forked from Drift/pvv-nixos-config
Add host `bekkalokk`
`bekkalokk` is a new machine, meant to host web services and eventually miscellaneous services.
This commit is contained in:
parent
387794fbe0
commit
796155481f
17
.sops.yaml
17
.sops.yaml
|
@ -1,9 +1,14 @@
|
||||||
keys:
|
keys:
|
||||||
|
# Users
|
||||||
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
|
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
|
||||||
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
|
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
|
||||||
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
|
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
|
||||||
|
|
||||||
|
# Hosts
|
||||||
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
|
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
|
||||||
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
|
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
|
||||||
|
- &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Global secrets
|
# Global secrets
|
||||||
- path_regex: secrets/[^/]+\.yaml$
|
- path_regex: secrets/[^/]+\.yaml$
|
||||||
|
@ -14,8 +19,18 @@ creation_rules:
|
||||||
- *user_felixalb
|
- *user_felixalb
|
||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
# Host specific secrets
|
# Host specific secrets
|
||||||
## Jokum
|
|
||||||
|
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *host_bekkalokk
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
pgp:
|
||||||
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/jokum/[^/]+\.yaml$
|
- path_regex: secrets/jokum/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
41
flake.nix
41
flake.nix
|
@ -11,7 +11,7 @@
|
||||||
matrix-next.url = "github:dali99/nixos-matrix-modules";
|
matrix-next.url = "github:dali99/nixos-matrix-modules";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
|
outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs:
|
||||||
let
|
let
|
||||||
systems = [
|
systems = [
|
||||||
"x86_64-linux"
|
"x86_64-linux"
|
||||||
|
@ -19,26 +19,31 @@
|
||||||
];
|
];
|
||||||
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
|
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
|
||||||
in {
|
in {
|
||||||
nixosConfigurations = {
|
nixosConfigurations = let
|
||||||
jokum = nixpkgs.lib.nixosSystem {
|
nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
|
||||||
system = "x86_64-linux";
|
config
|
||||||
specialArgs = { inherit unstable inputs; values = import ./values.nix; };
|
{
|
||||||
modules = [
|
system = "x86_64-linux";
|
||||||
./hosts/jokum/configuration.nix
|
specialArgs = {
|
||||||
sops-nix.nixosModules.sops
|
inherit unstable inputs;
|
||||||
|
values = import ./values.nix;
|
||||||
|
};
|
||||||
|
modules = [
|
||||||
|
./hosts/${name}/configuration.nix
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
matrix-next.nixosModules.synapse
|
||||||
|
];
|
||||||
|
});
|
||||||
|
|
||||||
inputs.matrix-next.nixosModules.synapse
|
in {
|
||||||
];
|
bekkalokk = nixosConfig "bekkalokk" { };
|
||||||
};
|
greddost = nixosConfig "greddost" { };
|
||||||
ildkule = nixpkgs.lib.nixosSystem {
|
ildkule = nixosConfig "ildkule" { };
|
||||||
system = "x86_64-linux";
|
jokum = nixosConfig "jokum" {
|
||||||
specialArgs = { inherit unstable inputs; values = import ./values.nix; };
|
modules = [ matrix-next.nixosModules.synapse ];
|
||||||
modules = [
|
|
||||||
./hosts/ildkule/configuration.nix
|
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
devShells = forAllSystems (system: {
|
devShells = forAllSystems (system: {
|
||||||
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
|
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
|
||||||
});
|
});
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
{ pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
|
||||||
|
../../base.nix
|
||||||
|
|
||||||
|
# TODO: set up authentication for the following:
|
||||||
|
# ./services/website/website.nix
|
||||||
|
# ./services/website/nginx.nix
|
||||||
|
# ./services/website/gitea.nix
|
||||||
|
# ./services/website/mediawiki.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.hostName = "bekkalokk";
|
||||||
|
|
||||||
|
networking.interfaces.ens33 = {
|
||||||
|
useDHCP = false;
|
||||||
|
|
||||||
|
ipv4.addresses = [{
|
||||||
|
address = values.hosts.bekkalokk.ipv4;
|
||||||
|
prefixLength = 25;
|
||||||
|
}];
|
||||||
|
|
||||||
|
ipv6.addresses = [{
|
||||||
|
address = values.hosts.bekkalokk.ipv6;
|
||||||
|
prefixLength = 64;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Do not change, even during upgrades.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "22.11";
|
||||||
|
}
|
|
@ -0,0 +1,37 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [ ];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/1CB4-280D";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.ens33.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
{ config, values, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets."postgres/gitea/password" = { };
|
||||||
|
|
||||||
|
services.gitea = {
|
||||||
|
enable = true;
|
||||||
|
rootUrl = "https://git2.pvv.ntnu.no/";
|
||||||
|
stateDir = "/data/gitea";
|
||||||
|
appName = "PVV Git";
|
||||||
|
|
||||||
|
enableUnixSocket = true;
|
||||||
|
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
host = values.bicep.ipv4;
|
||||||
|
port = config.services.postgresql.port;
|
||||||
|
passwordFile = config.sops.secrets."postgres/gitea/password".path;
|
||||||
|
createDatabase = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
service.DISABLE_REGISTRATION = true;
|
||||||
|
session.COOKIE_SECURE = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,23 @@
|
||||||
|
{ values, config, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"mediawiki/password" = { };
|
||||||
|
"postgres/mediawiki/password" = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
services.mediawiki = {
|
||||||
|
enable = true;
|
||||||
|
name = "PVV";
|
||||||
|
passwordFile = config.sops.secrets."mediawiki/password".path;
|
||||||
|
|
||||||
|
virtualHost = {
|
||||||
|
};
|
||||||
|
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
host = values.bicep.ipv4;
|
||||||
|
port = config.services.postgresql.port;
|
||||||
|
passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,30 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
"www.pvv.ntnu.no" = {
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/pvv" = {
|
||||||
|
proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
"git.pvv.ntnu.no" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,66 @@
|
||||||
|
gitea:
|
||||||
|
password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
|
||||||
|
mediawiki:
|
||||||
|
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
|
||||||
|
keys:
|
||||||
|
postgres:
|
||||||
|
gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str]
|
||||||
|
mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5
|
||||||
|
TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv
|
||||||
|
MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx
|
||||||
|
U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl
|
||||||
|
5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq
|
||||||
|
eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1
|
||||||
|
V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1
|
||||||
|
TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV
|
||||||
|
216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4
|
||||||
|
Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw
|
||||||
|
UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4
|
||||||
|
RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
|
||||||
|
hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-01-28T23:33:14Z"
|
||||||
|
mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2023-01-28T23:37:44Z"
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA0av/duuklWYAQ//foXRhar7kfr0PbxVjk2uWzGBoXpffjZPCoaM3D8RhIM8
|
||||||
|
kod/LMqUUkCvGjBFrmKiN2BCKf3SLDjnZp55J7zQ8x3Go133JdOAB/zZDaT+oxv1
|
||||||
|
kGQneeXRqeD51/25nFTq+ZZSzBP8fXJgmlsR/1ZM1/IjKF5m5JzD2duqNKV3fqto
|
||||||
|
IwdiqvrkMiCQICmvKxwwtbdP8+29eUbnfdOi9MO8wcXuObwz84mmpgjT30mNCWF8
|
||||||
|
Ha7PlcdjpRpYHwUp66+yO4uZ9nOAs7ygzcxKLOMwyaHDv9QJYHtXDUvLv50Jnucw
|
||||||
|
KhukMJHTURzeNgUEtTu7kR0WCEBl4IyZ6GUJhc2bX3JEbYi9xZqMHgh+lf1usd1q
|
||||||
|
bDPe3xUEKKgAPXeZRzqCQoy/MuIPErMWpqAQePtL3KOafX+vTve0lfPtLKKbne8+
|
||||||
|
Tv3eaj3chC255wq6CaJjHO+PI1nt2k29KC6XXxTzkwbRxgT6wVP9uIszeRdREpyX
|
||||||
|
+//TCsvnAwd2l3ojzXwIEv3F6/xeYpj7hur59BopDRX3yEUNZhgfDa+l6+BIHoDZ
|
||||||
|
TY3ocQrIxH40CF4IxL6dDR8OOut9vlDpfZTora7MLiQbTU1t5huGY0zBH1LpQ4u9
|
||||||
|
B/DnBKIuEhZf6eoH5DNHLnzuFYT6Q8QUHfHsM5KOnSEtx2oS2Txd/Ag7dS4FTPPS
|
||||||
|
XgEe6r+BP6ItZlDVBHN9EPkgS96xpQ5EIacTxX7qmA0ToGySIyMC3PVJkO8muIIK
|
||||||
|
/Lmmp6yaBOQN0kqQ26dTuVOMfMzI8zqnOW03Lm35nGnl3x8mGDH48j4Y05pS85k=
|
||||||
|
=t11j
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
|
@ -17,6 +17,10 @@ in rec {
|
||||||
|
|
||||||
hosts = {
|
hosts = {
|
||||||
gateway = pvv-ipv4 129;
|
gateway = pvv-ipv4 129;
|
||||||
|
bekkalokk = {
|
||||||
|
ipv4 = pvv-ipv4 168;
|
||||||
|
ipv6 = pvv-ipv6 168;
|
||||||
|
};
|
||||||
jokum = {
|
jokum = {
|
||||||
ipv4 = pvv-ipv4 169;
|
ipv4 = pvv-ipv4 169;
|
||||||
ipv6 = pvv-ipv6 169;
|
ipv6 = pvv-ipv6 169;
|
||||||
|
|
Loading…
Reference in New Issue