Add nix-cache/reverse proxy Oracle Cloud configuration

2023-08-05 12:04:12 +01:00 · 2023-08-05 12:04:12 +01:00 · 89e425c201
parent 68aa75200a
commit 89e425c201
3 changed files with 161 additions and 3 deletions
--- a/krops/krops.nix
+++ b/krops/krops.nix
@ -8,7 +8,7 @@ let
  oracle-gitea-runner-source =  lib.evalSource [
    {
      nixpkgs.git = {
-        ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
+        ref = "66aedfd010204949cb225cf749be08cb13ce1813";
        url = https://github.com/NixOS/nixpkgs;

        shallow = true;
@ -18,14 +18,27 @@ let
    }
  ];

+  oracle-nix-cache-source =  lib.evalSource [
+    {
+      nixpkgs.git = {
+        ref = "66aedfd010204949cb225cf749be08cb13ce1813";
+        url = https://github.com/NixOS/nixpkgs;
+
+        shallow = true;
+      };
+      nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
+      "hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
+    }
+  ];
+
  nas-source =  lib.evalSource [
    {
      nixpkgs.git = {
-        ref = "origin/nixos-23.05";
+        ref = "origin/nixos-unstable";
        url = https://github.com/NixOS/nixpkgs;
      };
      home-manager.git = {
-        ref = "origin/release-23.05";
+        ref = "origin/master";
        url = https://github.com/nix-community/home-manager;
      };
      nixos-config.file = toString ./nas/configuration.nix;
@ -45,6 +58,17 @@ let
    }
  ];

+  seattle-source =  lib.evalSource [
+    {
+      nixpkgs.git = {
+        ref = "origin/nixos-unstable";
+        url = https://github.com/NixOS/nixpkgs;
+      };
+      nixos-config.file = toString ./seattle/configuration.nix;
+      "hardware.nix".file = toString ./glasgow/hardware.nix;
+    }
+  ];
+
  glasgow-source =  lib.evalSource [
    {
      nixpkgs.git = {
@ -61,6 +85,10 @@ in {
    source = oracle-gitea-runner-source;
    target = "root@130.162.169.74";
  };
+  oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
+    source = oracle-nix-cache-source;
+    target = "root@141.147.94.210";
+  };
  nas = pkgs.krops.writeDeploy "nas" {
    source = nas-source;
    target = "root@192.168.50.229";
@ -69,6 +97,10 @@ in {
    source = nas-k3s-source;
    target = "root@192.168.50.229:22001";
  };
+  seattle = pkgs.krops.writeDeploy "seattle" {
+    source = seattle-source;
+    target = "root@192.168.50.146";
+  };
  glasgow = pkgs.krops.writeDeploy "glasgow" {
    source = glasgow-source;
    target = "root@192.168.50.144";
--- a/krops/oracle-nix-cache/configuration.nix
+++ b/krops/oracle-nix-cache/configuration.nix
@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware.nix
+    ];
+
+  boot = {
+    tmp.cleanOnBoot = true;
+  };
+  zramSwap.enable = true;
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    # Free up to 1GiB whenever there is less than 100MiB left.
+    extraOptions = ''
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+      '';
+  };
+
+  networking = {
+    hostName = "nix-cache";
+    domain = "gmem.ca";
+    firewall = {
+      trustedInterfaces = ["tailscale0"];
+      checkReversePath = "loose";
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPortRanges = [
+        { from = 4000; to = 4007; }
+        { from = 8000; to = 8010; }
+      ];
+      enable = true;
+    };
+    nftables.enable = true;
+    nameservers = [ "1.1.1.1" "1.0.0.1" ];
+  };
+
+  time.timeZone = "Europe/London";
+
+  users.users.root.openssh.authorizedKeys.keys = let
+    authorizedKeys = pkgs.fetchurl {
+      url = "https://gmem.ca/ssh";
+      sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+    };
+  in pkgs.lib.splitString "\n" (builtins.readFile
+    authorizedKeys);
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    git
+    screen
+    nix-output-monitor
+    tailscale
+    nfs-utils
+  ];
+
+  services = {
+    rpcbind.enable = true;
+    openssh.enable = true;
+    tailscale.enable = true;
+    nix-serve = {
+      enable = true;
+      secretKeyFile = "/var/cache-priv-key.pem";
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedZstdSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "nix-cache.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+        "git.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://100.116.48.47";
+          };
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "acme@gmem.ca";
+  };
+
+  system.copySystemConfiguration = true;
+
+  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
+
+}
--- a/krops/oracle-nix-cache/hardware.nix
+++ b/krops/oracle-nix-cache/hardware.nix
@ -0,0 +1,15 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+  
+}