Add nix-cache/reverse proxy Oracle Cloud configuration
This commit is contained in:
parent
68aa75200a
commit
89e425c201
|
@ -8,7 +8,7 @@ let
|
|||
oracle-gitea-runner-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
|
||||
ref = "66aedfd010204949cb225cf749be08cb13ce1813";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
|
||||
shallow = true;
|
||||
|
@ -18,14 +18,27 @@ let
|
|||
}
|
||||
];
|
||||
|
||||
oracle-nix-cache-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "66aedfd010204949cb225cf749be08cb13ce1813";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
|
||||
shallow = true;
|
||||
};
|
||||
nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
|
||||
"hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
|
||||
}
|
||||
];
|
||||
|
||||
nas-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-23.05";
|
||||
ref = "origin/nixos-unstable";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
};
|
||||
home-manager.git = {
|
||||
ref = "origin/release-23.05";
|
||||
ref = "origin/master";
|
||||
url = https://github.com/nix-community/home-manager;
|
||||
};
|
||||
nixos-config.file = toString ./nas/configuration.nix;
|
||||
|
@ -45,6 +58,17 @@ let
|
|||
}
|
||||
];
|
||||
|
||||
seattle-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-unstable";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
};
|
||||
nixos-config.file = toString ./seattle/configuration.nix;
|
||||
"hardware.nix".file = toString ./glasgow/hardware.nix;
|
||||
}
|
||||
];
|
||||
|
||||
glasgow-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
|
@ -61,6 +85,10 @@ in {
|
|||
source = oracle-gitea-runner-source;
|
||||
target = "root@130.162.169.74";
|
||||
};
|
||||
oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
|
||||
source = oracle-nix-cache-source;
|
||||
target = "root@141.147.94.210";
|
||||
};
|
||||
nas = pkgs.krops.writeDeploy "nas" {
|
||||
source = nas-source;
|
||||
target = "root@192.168.50.229";
|
||||
|
@ -69,6 +97,10 @@ in {
|
|||
source = nas-k3s-source;
|
||||
target = "root@192.168.50.229:22001";
|
||||
};
|
||||
seattle = pkgs.krops.writeDeploy "seattle" {
|
||||
source = seattle-source;
|
||||
target = "root@192.168.50.146";
|
||||
};
|
||||
glasgow = pkgs.krops.writeDeploy "glasgow" {
|
||||
source = glasgow-source;
|
||||
target = "root@192.168.50.144";
|
||||
|
|
111
krops/oracle-nix-cache/configuration.nix
Normal file
111
krops/oracle-nix-cache/configuration.nix
Normal file
|
@ -0,0 +1,111 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware.nix
|
||||
];
|
||||
|
||||
boot = {
|
||||
tmp.cleanOnBoot = true;
|
||||
};
|
||||
zramSwap.enable = true;
|
||||
|
||||
nix = {
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
experimental-features = ["nix-command" "flakes"];
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 30d";
|
||||
};
|
||||
# Free up to 1GiB whenever there is less than 100MiB left.
|
||||
extraOptions = ''
|
||||
min-free = ${toString (100 * 1024 * 1024)}
|
||||
max-free = ${toString (1024 * 1024 * 1024)}
|
||||
'';
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "nix-cache";
|
||||
domain = "gmem.ca";
|
||||
firewall = {
|
||||
trustedInterfaces = ["tailscale0"];
|
||||
checkReversePath = "loose";
|
||||
allowedTCPPorts = [ 80 443 ];
|
||||
allowedUDPPortRanges = [
|
||||
{ from = 4000; to = 4007; }
|
||||
{ from = 8000; to = 8010; }
|
||||
];
|
||||
enable = true;
|
||||
};
|
||||
nftables.enable = true;
|
||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = let
|
||||
authorizedKeys = pkgs.fetchurl {
|
||||
url = "https://gmem.ca/ssh";
|
||||
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
|
||||
};
|
||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
||||
authorizedKeys);
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
htop
|
||||
git
|
||||
screen
|
||||
nix-output-monitor
|
||||
tailscale
|
||||
nfs-utils
|
||||
];
|
||||
|
||||
services = {
|
||||
rpcbind.enable = true;
|
||||
openssh.enable = true;
|
||||
tailscale.enable = true;
|
||||
nix-serve = {
|
||||
enable = true;
|
||||
secretKeyFile = "/var/cache-priv-key.pem";
|
||||
};
|
||||
nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedBrotliSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
virtualHosts = {
|
||||
"nix-cache.gmem.ca" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
|
||||
};
|
||||
"git.gmem.ca" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://100.116.48.47";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
email = "acme@gmem.ca";
|
||||
};
|
||||
|
||||
system.copySystemConfiguration = true;
|
||||
|
||||
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
||||
|
||||
}
|
15
krops/oracle-nix-cache/hardware.nix
Normal file
15
krops/oracle-nix-cache/hardware.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||
boot.loader.grub = {
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
device = "nodev";
|
||||
};
|
||||
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
|
||||
boot.initrd.kernelModules = [ "nvme" ];
|
||||
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
|
||||
|
||||
}
|
Loading…
Reference in a new issue