From 89e425c2019ecb081195040c2e48e7d8e6352608 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Sat, 5 Aug 2023 12:04:12 +0100
Subject: [PATCH] Add nix-cache/reverse proxy Oracle Cloud configuration
---
 krops/krops.nix | 38 +++++++-
 krops/oracle-nix-cache/configuration.nix | 111 +++++++++++++++++++++++
 krops/oracle-nix-cache/hardware.nix | 15 +++
 3 files changed, 161 insertions(+), 3 deletions(-)
 create mode 100644 krops/oracle-nix-cache/configuration.nix
 create mode 100644 krops/oracle-nix-cache/hardware.nix
diff --git a/krops/krops.nix b/krops/krops.nix
index 245ffd5..1273662 100644
--- a/krops/krops.nix
+++ b/krops/krops.nix
@@ -8,7 +8,7 @@ let
 oracle-gitea-runner-source = lib.evalSource [
 {
 nixpkgs.git = {
- ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
+ ref = "66aedfd010204949cb225cf749be08cb13ce1813";
 url = https://github.com/NixOS/nixpkgs;
 
 shallow = true;
@@ -18,14 +18,27 @@ let
 }
 ];
 
+ oracle-nix-cache-source = lib.evalSource [
+ {
+ nixpkgs.git = {
+ ref = "66aedfd010204949cb225cf749be08cb13ce1813";
+ url = https://github.com/NixOS/nixpkgs;
+
+ shallow = true;
+ };
+ nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
+ "hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
+ }
+ ];
+
 nas-source = lib.evalSource [
 {
 nixpkgs.git = {
- ref = "origin/nixos-23.05";
+ ref = "origin/nixos-unstable";
 url = https://github.com/NixOS/nixpkgs;
 };
 home-manager.git = {
- ref = "origin/release-23.05";
+ ref = "origin/master";
 url = https://github.com/nix-community/home-manager;
 };
 nixos-config.file = toString ./nas/configuration.nix;
@@ -45,6 +58,17 @@ let
 }
 ];
 
+ seattle-source = lib.evalSource [
+ {
+ nixpkgs.git = {
+ ref = "origin/nixos-unstable";
+ url = https://github.com/NixOS/nixpkgs;
+ };
+ nixos-config.file = toString ./seattle/configuration.nix;
+ "hardware.nix".file = toString ./glasgow/hardware.nix;
+ }
+ ];
+
 glasgow-source = lib.evalSource [
 {
 nixpkgs.git = {
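Review bot: `nas-source` now tracks the moving refs `origin/nixos-unstable` and `origin/master`, so every nas deploy pulls whatever those branches hold at deploy time, while the new `oracle-nix-cache-source` in the same hunk pins `ref = "66aedfd010204949cb225cf749be08cb13ce1813";`. A pinned commit keeps the deployed closure reproducible and turns an upstream change into something reviewed when the hash is bumped, so the same form (a commit hash for both the nixpkgs and home-manager inputs) is worth using here too. The added `url = https://github.com/NixOS/nixpkgs;` lines copy the unquoted URL-literal syntax that Nix has deprecated; quoting them, `url = "https://github.com/NixOS/nixpkgs";`, keeps the file evaluating once that literal is disabled. The enclosing `let` block starts before this hunk.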
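Review bot: `seattle-source` wires `"hardware.nix".file = toString ./glasgow/hardware.nix;` for the seattle host, which reads like a copy-paste slip from `glasgow-source` below, since every other source in this file pairs its configuration with the hardware file from its own directory. If seattle is a distinct machine, the disk identifiers and boot settings in glasgow's hardware scan will not match it and the deploy would produce an unbootable or wrongly-mounted system; the expected line is `"hardware.nix".file = toString ./seattle/hardware.nix;`. If sharing glasgow's hardware file is deliberate, a one-line comment above that line saying so would stop the next reader from "fixing" it. The enclosing `let` block starts before this hunk.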
@@ -61,6 +85,10 @@ in {
 source = oracle-gitea-runner-source;
 target = "root@130.162.169.74";
 };
+ oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
+ source = oracle-nix-cache-source;
+ target = "root@141.147.94.210";
+ };
 nas = pkgs.krops.writeDeploy "nas" {
 source = nas-source;
 target = "root@192.168.50.229";
@@ -69,6 +97,10 @@ in {
 source = nas-k3s-source;
 target = "root@192.168.50.229:22001";
 };
+ seattle = pkgs.krops.writeDeploy "seattle" {
+ source = seattle-source;
+ target = "root@192.168.50.146";
+ };
 glasgow = pkgs.krops.writeDeploy "glasgow" {
 source = glasgow-source;
 target = "root@192.168.50.144";
diff --git a/krops/oracle-nix-cache/configuration.nix b/krops/oracle-nix-cache/configuration.nix
new file mode 100644
index 0000000..c2a2e5e
--- /dev/null
+++ b/krops/oracle-nix-cache/configuration.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ };
+ zramSwap.enable = true;
+
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ };
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ # Free up to 1GiB whenever there is less than 100MiB left.
+ extraOptions = ''
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ networking = {
+ hostName = "nix-cache";
+ domain = "gmem.ca";
+ firewall = {
+ trustedInterfaces = ["tailscale0"];
+ checkReversePath = "loose";
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPortRanges = [
+ { from = 4000; to = 4007; }
+ { from = 8000; to = 8010; }
+ ];
+ enable = true;
+ };
+ nftables.enable = true;
+ nameservers = [ "1.1.1.1" "1.0.0.1" ];
+ };
+
+ time.timeZone = "Europe/London";
+
+ users.users.root.openssh.authorizedKeys.keys = let
+ authorizedKeys = pkgs.fetchurl {
+ url = "https://gmem.ca/ssh";
+ sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+ };
+ in pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ htop
+ git
+ screen
+ nix-output-monitor
+ tailscale
+ nfs-utils
+ ];
+
+ services = {
+ rpcbind.enable = true;
+ openssh.enable = true;
+ tailscale.enable = true;
+ nix-serve = {
+ enable = true;
+ secretKeyFile = "/var/cache-priv-key.pem";
+ };
+ nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedZstdSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "nix-cache.gmem.ca" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ "git.gmem.ca" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://100.116.48.47";
+ };
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ email = "acme@gmem.ca";
+ };
+
+ system.copySystemConfiguration = true;
+
+ system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
+
+}
diff --git a/krops/oracle-nix-cache/hardware.nix b/krops/oracle-nix-cache/hardware.nix
new file mode 100644
index 0000000..ccd5d2d
--- /dev/null
+++ b/krops/oracle-nix-cache/hardware.nix
@@ -0,0 +1,15 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+
+}
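Review bot: nginx reaches nix-serve through `${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}`, but the `nix-serve` block never sets `bindAddress`, so unless it is set elsewhere the module default listens on every interface, and with `trustedInterfaces = ["tailscale0"]` the unauthenticated plain-HTTP cache port stays reachable over the tailnet instead of only through the TLS virtual host. Adding `bindAddress = "127.0.0.1";` next to `secretKeyFile` closes that path and leaves the `proxyPass` expression working unchanged. `secretKeyFile = "/var/cache-priv-key.pem";` names a signing key that nothing in this configuration provisions, so its creation and file mode are an out-of-band step that deserves a comment on that line, e.g. `# created manually on the host; keep root-only and never reference it as a path literal, which would copy it into the world-readable store`. `openssh.enable = true;` with root keys fetched from `https://gmem.ca/ssh` leaves password authentication at the module default unless set elsewhere; `services.openssh.settings.PasswordAuthentication = false;` makes the key-only intent explicit. The `pkgs.lib.splitString "\n"` result also carries a trailing empty entry when the fetched file ends in a newline, harmless but worth dropping with `pkgs.lib.filter (k: k != "") (...)`.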