From 9439acf4d10919d34e4b8cb6abdef9c8a5dce662 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Mon, 5 Feb 2024 13:13:44 +0000
Subject: [PATCH] format with alejandra style

---
 flake.nix | 410 ++++++++-------
 homelab/cloudflare-exporter.nix | 7 +-
 homelab/conduit.nix | 176 ++++--
 homelab/custom.nix | 12 +-
 homelab/endpoints.nix | 95 ++--
 homelab/homepage.nix | 585 +++++++++++-----------
 homelab/immich.nix | 16 +-
 homelab/irc.nix | 74 ++-
 homelab/kubernetes.nix | 41 +-
 homelab/netboot.nix | 68 ++-
 homelab/nginx.nix | 7 +-
 homelab/overseerr.nix | 31 +-
 homelab/piped.nix | 61 ++-
 homelab/pterodactyl.nix | 147 +++--
 homelab/tclip.nix | 62 ++-
 homelab/vrchat-prometheus-exporter.nix | 20 +-
 nix/glasgow/configuration.nix | 35 +-
 nix/glasgow/hardware.nix | 32 +-
 nix/london/cachix.nix | 8 +-
 nix/london/configuration.nix | 117 +++--
 nix/london/gsimmer.nix | 66 +--
 nix/london/hardware-configuration.nix | 44 +-
 nix/london/wayland.nix | 17 +-
 nix/monitoring/configuration.nix | 263 +++++----
 nix/monitoring/hardware.nix | 20 +-
 nix/monitoring/networking.nix | 39 +-
 nix/nas/configuration.nix | 119 +++--
 nix/nas/hardware.nix | 44 +-
 nix/nas/home.nix | 49 +-
 nix/oracle-gitea-runner/coder.nix | 143 +++--
 nix/oracle-gitea-runner/configuration.nix | 33 +-
 nix/oracle-gitea-runner/hardware.nix | 20 +-
 nix/oracle-stream/configuration.nix | 51 +-
 nix/oracle-stream/hardware.nix | 20 +-
 nix/proxmox-k3s-node/configuration.nix | 35 +-
 nix/proxmox-k3s-node/hardware.nix | 44 +-
 nix/seattle/configuration.nix | 34 +-
 nix/seattle/hardware.nix | 32 +-
 pi-imgs/pi-initial.nix | 10 +-
 secrets.nix | 27 +-
 terraform/main.nix | 6 +-
 41 files changed, 1765 insertions(+), 1355 deletions(-)

diff --git a/flake.nix b/flake.nix
index 80356fe..cf5b2a5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,48 +22,70 @@
 kubenix.url = "github:hall/kubenix";
 };
- outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy, nixpkgs-wayland, kubenix, kde2nix }@inputs:
- let
- pkgs = nixpkgs.legacyPackages.x86_64-linux;
- tf = terranix.lib.terranixConfiguration {
- system = "x86_64-linux";
- modules = [ ./terraform/main.nix ];
- };
- in {
- devShells.x86_64-linux.default = with pkgs; mkShell {
- shellHook =
- ''
- set -o allexport
- source .env set
- set +o allexport
- '';
+ outputs = {
+ self,
+ nixpkgs,
+ nixos-generators,
+ nixinate,
+ home-manager,
+ agenix,
+ terranix,
+ alertmanager-ntfy,
+ nixpkgs-wayland,
+ kubenix,
+ kde2nix,
+ } @ inputs: let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ tf = terranix.lib.terranixConfiguration {
+ system = "x86_64-linux";
+ modules = [./terraform/main.nix];
+ };
+ in {
+ devShells.x86_64-linux.default = with pkgs;
+ mkShell {
+ shellHook = ''
+ set -o allexport
+ source .env set
+ set +o allexport
+ '';
 nativeBuildInputs = [
- jq opentofu kubectl
- k9s terraform-ls kubernetes-helm
+ jq
+ opentofu
+ kubectl
+ k9s
+ terraform-ls
+ kubernetes-helm
 nil
 ];
- buildInputs = [ ];
+ buildInputs = [];
 };
- packages.aarch64-linux = {
- raspberry-pi = nixos-generators.nixosGenerate {
- system = "aarch64-linux";
- modules = [
- (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix")
- ./pi-imgs/pi-initial.nix
- ];
- format = "sd-aarch64-installer";
- };
+ packages.aarch64-linux = {
+ raspberry-pi = nixos-generators.nixosGenerate {
+ system = "aarch64-linux";
+ modules = [
+ (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix")
+ ./pi-imgs/pi-initial.nix
+ ];
+ format = "sd-aarch64-installer";
 };
- packages.x86_64-linux = {
- kubernetes = (kubenix.evalModules.x86_64-linux {
- module = { kubenix, ... }: {
+ };
+ packages.x86_64-linux = {
+ kubernetes =
+ (kubenix.evalModules.x86_64-linux {
+ module = {kubenix, ...}: {
 imports = [
- kubenix.modules.k8s ./homelab/kubernetes.nix
+ kubenix.modules.k8s
+ ./homelab/kubernetes.nix
 ];
 };
- }).config.kubernetes.result;
- };
- apps = nixinate.nixinate.x86_64-linux self // {
+ })
+ .config
+ .kubernetes
+ .result;
+ };
+ apps =
+ nixinate.nixinate.x86_64-linux self
+ // {
 x86_64-linux = {
 kube-apply = {
 type = "app";
@@ -80,176 +102,180 @@
 tf-plan = {
 type = "app";
 program = toString (pkgs.writers.writeBash "plan" ''
- if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
- cp ${tf} terraform/config.tf.json \
- && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
- && ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out
- '');
+ if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
+ cp ${tf} terraform/config.tf.json \
+ && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
+ && ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out
+ '');
 };
 tf-apply = {
 type = "app";
 program = toString (pkgs.writers.writeBash "apply" ''
- if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
- cp ${tf} terraform/config.tf.json \
- && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
- && ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out
- '');
+ if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
+ cp ${tf} terraform/config.tf.json \
+ && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
+ && ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out
+ '');
 };
 };
 };
- homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
- inherit pkgs;
- modules = [ ./nix/london/gsimmer.nix ];
- };
- nixosConfigurations = {
- london = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- kde2nix.nixosModules.plasma6
- (import ./nix/london/configuration.nix)
- home-manager.nixosModules.home-manager
+ homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
+ inherit pkgs;
+ modules = [./nix/london/gsimmer.nix];
+ };
+ nixosConfigurations = {
+ london = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ kde2nix.nixosModules.plasma6
+ (import ./nix/london/configuration.nix)
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useUserPackages = true;
+ home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
+ }
+ (
 {
- home-manager.useUserPackages = true;
- home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
- }
- ({pkgs, config, ... }:
- {
- config = {
- nix.settings = {
- # add binary caches
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- substituters = [
- "https://cache.nixos.org"
- "https://nixpkgs-wayland.cachix.org"
- "https://nix-community.cachix.org"
- ];
- };
-
- # use it as an overlay
- nixpkgs.overlays = [ nixpkgs-wayland.overlay ];
+ pkgs,
+ config,
+ ...
+ }: {
+ config = {
+ nix.settings = {
+ # add binary caches
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nixpkgs-wayland.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
 };
- }
- )
- ];
- };
- oracle-gitea-runner = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- modules = [
- (import ./nix/oracle-gitea-runner/configuration.nix)
- {
- _module.args.nixinate = {
- host = "143.47.229.209";
- sshUser = "root";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
+
+ # use it as an overlay
+ nixpkgs.overlays = [nixpkgs-wayland.overlay];
 };
 }
- ];
- };
- oracle-stream = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- modules = [
- (import ./nix/oracle-stream/configuration.nix)
- {
- _module.args.nixinate = {
- host = "100.98.25.34";
- sshUser = "root";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
- monitoring = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- modules = [
- (import ./nix/monitoring/configuration.nix)
- agenix.nixosModules.default
- alertmanager-ntfy.nixosModules.x86_64-linux.default
- {
- _module.args.nixinate = {
- host = "monitoring";
- sshUser = "root";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
- nas = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- (import ./nix/nas/configuration.nix)
- agenix.nixosModules.default
- home-manager.nixosModules.home-manager
- {
- home-manager.users.gsimmer = import ./nix/nas/home.nix;
- _module.args.nixinate = {
- host = "vancouver";
- sshUser = "gsimmer";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
- seattle = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- modules = [
- agenix.nixosModules.default
- (import ./nix/seattle/configuration.nix)
- {
- _module.args.nixinate = {
- host = "seattle";
- sshUser = "gsimmer";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
- glasgow = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- modules = [
- agenix.nixosModules.default
- (import ./nix/glasgow/configuration.nix)
- {
- _module.args.nixinate = {
- host = "glasgow";
- sshUser = "gsimmer";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
- proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- agenix.nixosModules.default
- (import ./nix/proxmox-k3s-node/configuration.nix)
- {
- _module.args.nixinate = {
- host = "proxmox-node-1";
- sshUser = "gsimmer";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
- };
+ )
+ ];
+ };
+ oracle-gitea-runner = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ (import ./nix/oracle-gitea-runner/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "143.47.229.209";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ oracle-stream = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ (import ./nix/oracle-stream/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "100.98.25.34";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ monitoring = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ (import ./nix/monitoring/configuration.nix)
+ agenix.nixosModules.default
+ alertmanager-ntfy.nixosModules.x86_64-linux.default
+ {
+ _module.args.nixinate = {
+ host = "monitoring";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ nas = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (import ./nix/nas/configuration.nix)
+ agenix.nixosModules.default
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.users.gsimmer = import ./nix/nas/home.nix;
+ _module.args.nixinate = {
+ host = "vancouver";
+ sshUser = "gsimmer";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ seattle = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ agenix.nixosModules.default
+ (import ./nix/seattle/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "seattle";
+ sshUser = "gsimmer";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ glasgow = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ agenix.nixosModules.default
+ (import ./nix/glasgow/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "glasgow";
+ sshUser = "gsimmer";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ agenix.nixosModules.default
+ (import ./nix/proxmox-k3s-node/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "proxmox-node-1";
+ sshUser = "gsimmer";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
 };
 };
+ };
 }
diff --git a/homelab/cloudflare-exporter.nix b/homelab/cloudflare-exporter.nix
index bafead7..b4f6544 100644
--- a/homelab/cloudflare-exporter.nix
+++ b/homelab/cloudflare-exporter.nix
@@ -1,4 +1,9 @@
-{ lib, config, kubenix, ... }: {
+{
+ lib,
+ config,
+ kubenix,
+ ...
+}: {
 kubernetes.helm.releases.cloudflare-exporter = {
 namespace = "default";
 chart = kubenix.lib.helm.fetch {
diff --git a/homelab/conduit.nix b/homelab/conduit.nix
index 49a871e..a58aa72 100644
--- a/homelab/conduit.nix
+++ b/homelab/conduit.nix
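Review bot: The `oracle-gitea-runner` and `oracle-stream` entries in this hunk deploy with `sshUser = "root"` and `buildOn = "remote"`, and the first of them targets a public address (`host = "143.47.229.209"`), so every `nixinate` run depends on an interactive root SSH login to an internet-facing host. The other hosts in the same hunk already use `sshUser = "gsimmer"`; bringing the two Oracle hosts in line with that (a non-root deploy user that can `sudo nixos-rebuild`) removes the standing root-over-SSH requirement, e.g. `sshUser = "gsimmer";`. This predates the reformat, and whether root login is already limited to key authentication in `nix/oracle-*/configuration.nix` is not visible here, so it is a follow-up rather than a blocker for this commit.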
@@ -2,96 +2,110 @@ let
 appName = "conduwuit";
 conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest";
 in
-{ ... }: {
- kubernetes.resources.services.conduwuit = {
- spec = {
- selector.app = appName;
- ports.http = {
- port = 6167;
- targetPort = 6167;
+ {...}: {
+ kubernetes.resources.services.conduwuit = {
+ spec = {
+ selector.app = appName;
+ ports.http = {
+ port = 6167;
+ targetPort = 6167;
+ };
 };
 };
- };
- kubernetes.resources.statefulSets.conduwuit.spec = {
- selector.matchLabels.app = appName;
- serviceName = appName;
- template = {
- metadata.labels.app = appName;
- spec = {
- volumes = {
- config.configMap.name = appName;
- };
- containers = {
- conduwuit = {
- image = conduwuit-Image;
- imagePullPolicy = "Always";
- ports.http.containerPort = 6167;
- volumeMounts = [
- { name = "data"; mountPath = "/var/lib/matrix-conduit"; }
- { name = "config"; mountPath = "/etc/matrix-conduit/conduit.toml";
- subPath = "conduit.toml"; }
- ];
- env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml";
+ kubernetes.resources.statefulSets.conduwuit.spec = {
+ selector.matchLabels.app = appName;
+ serviceName = appName;
+ template = {
+ metadata.labels.app = appName;
+ spec = {
+ volumes = {
+ config.configMap.name = appName;
+ };
+ containers = {
+ conduwuit = {
+ image = conduwuit-Image;
+ imagePullPolicy = "Always";
+ ports.http.containerPort = 6167;
+ volumeMounts = [
+ {
+ name = "data";
+ mountPath = "/var/lib/matrix-conduit";
+ }
+ {
+ name = "config";
+ mountPath = "/etc/matrix-conduit/conduit.toml";
+ subPath = "conduit.toml";
+ }
+ ];
+ env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml";
+ };
 };
 };
 };
- };
- volumeClaimTemplates = [
- { metadata.name = "data";
- spec = {
- storageClassName = "nfs-client";
- accessModes = [ "ReadWriteOnce" ];
- resources.requests.storage = "5Gi";
- };
- }
- ];
- };
- kubernetes.resources.ingresses.conduwuit = {
- metadata = {
- name = appName;
- annotations = {
- "cert-manager.io/issuer" = "le-issuer";
- };
- };
- spec = {
- tls = [ { hosts = [ "chat.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
- rules = [
+ volumeClaimTemplates = [
 {
- host = "chat.gmem.ca";
- http.paths = [
- { path = "/"; pathType = "Prefix";
- backend.service = {
- name = appName;
- port.name = "http"; };
- }
- ];
+ metadata.name = "data";
+ spec = {
+ storageClassName = "nfs-client";
+ accessModes = ["ReadWriteOnce"];
+ resources.requests.storage = "5Gi";
+ };
 }
 ];
 };
- };
- kubernetes.resources.configMaps.conduwuit = {
- metadata = {
- name = appName;
- annotations = {
- "cert-manager.io/issuer" = "le-issuer";
+ kubernetes.resources.ingresses.conduwuit = {
+ metadata = {
+ name = appName;
+ annotations = {
+ "cert-manager.io/issuer" = "le-issuer";
+ };
+ };
+ spec = {
+ tls = [
+ {
+ hosts = ["chat.gmem.ca"];
+ secretName = "gmem-ca-wildcard";
+ }
+ ];
+ rules = [
+ {
+ host = "chat.gmem.ca";
+ http.paths = [
+ {
+ path = "/";
+ pathType = "Prefix";
+ backend.service = {
+ name = appName;
+ port.name = "http";
+ };
+ }
+ ];
+ }
+ ];
 };
 };
- data."conduit.toml" =
- ''
- [global]
- # The Conduit server needs all /_matrix/ requests to be reachable at
- # https://your.server.name/ on port 443 (client-server) and 8448 (federation).
- server_name = "gmem.ca"
+ kubernetes.resources.configMaps.conduwuit = {
+ metadata = {
+ name = appName;
+ annotations = {
+ "cert-manager.io/issuer" = "le-issuer";
+ };
+ };
+ data."conduit.toml" = ''
+ [global]
+ # The Conduit server needs all /_matrix/ requests to be reachable at
+ # https://your.server.name/ on port 443 (client-server) and 8448 (federation).
+ server_name = "gmem.ca"
 
- # This is the only directory where Conduit will save its data
- database_path = "/var/lib/matrix-conduit/"
- database_backend = "rocksdb"
- port = 6167
- max_request_size = 20_000_000 # in bytes
- allow_federation = true
- allow_check_for_updates = false
- trusted_servers = ["matrix.org"]
- address = "0.0.0.0"
- '';
- };
-}
+ # This is the only directory where Conduit will save its data
+ database_path = "/var/lib/matrix-conduit/"
+ database_backend = "rocksdb"
+ port = 6167
+ max_request_size = 20_000_000 # in bytes
+ allow_federation = true
+ allow_check_for_updates = false
+ trusted_servers = ["matrix.org"]
+ address = "0.0.0.0"
+ '';
+ };
+ }
diff --git a/homelab/custom.nix b/homelab/custom.nix
index a3eaf10..199b7f0 100644
--- a/homelab/custom.nix
+++ b/homelab/custom.nix
@@ -1,9 +1,9 @@
-{ lib, ... }: {
- kubernetes.resourceOrder =
- [ "CustomResourceDefinition"
- "Namespace"
- "ConfigMap"
- ];
+{lib, ...}: {
+ kubernetes.resourceOrder = [
+ "CustomResourceDefinition"
+ "Namespace"
+ "ConfigMap"
+ ];
 kubernetes.customTypes = [
 {
 name = "servicemonitors";
diff --git a/homelab/endpoints.nix b/homelab/endpoints.nix
index f6be639..bd5d9f5 100644
--- a/homelab/endpoints.nix
+++ b/homelab/endpoints.nix
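Review bot: `conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest"` together with `imagePullPolicy = "Always"` (both in this hunk) means every pod restart pulls whatever `latest` resolves to at that moment, so a compromised or mis-pushed tag on `git.gmem.ca` changes the running Matrix homeserver with no change in this repository, and a rollback cannot be reproduced from git history. Pinning by digest keeps the deployment declarative: `conduwuit-Image = "git.gmem.ca/arch/conduwuit@sha256:<digest>";` (a version tag plus digest works too). This is pre-existing and orthogonal to the alejandra reformat, but the federation-facing service (`allow_federation = true`) is the one where an unpinned image matters most.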
@@ -10,52 +10,81 @@ let
 location = "192.168.50.237";
 host = "austin.gmem.ca";
 port = 8080;
- protocol = "HTTP";
+ protocol = "HTTP";
 };
 "tokyo" = {
 location = "192.168.50.124";
 host = "tokyo.gmem.ca";
 port = 8000;
- protocol = "HTTP";
+ protocol = "HTTP";
 };
 "ibiza" = {
 location = "192.168.50.182";
 host = "ibiza.gmem.ca";
 port = 8000;
- protocol = "HTTP";
+ protocol = "HTTP";
 };
 };
 in {
- kubernetes.resources.services = builtins.mapAttrs (name: endpoint: {
- spec = {
- ports.${name} = {
- port = endpoint.port;
- targetPort = endpoint.port;
+ kubernetes.resources.services =
+ builtins.mapAttrs (name: endpoint: {
+ spec = {
+ ports.${name} = {
+ port = endpoint.port;
+ targetPort = endpoint.port;
+ };
 };
- };
- }) endpoints;
- kubernetes.resources.endpoints = builtins.mapAttrs (name: endpoint: {
- subsets = [ {
- addresses = [ { ip = endpoint.location; } ];
- ports = [ { name = name; port = endpoint.port; protocol = "TCP"; } ];
- } ];
- }) endpoints;
- kubernetes.resources.ingresses = builtins.mapAttrs (name: endpoint: {
- metadata = { name = name; annotations = {
- "nginx.ingress.kubernetes.io/proxy-body-size" = "10g";
- "cert-manager.io/issuer" = "le-issuer";
- "nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol;
- }; };
- spec = {
- tls = [ { hosts = [ endpoint.host ]; secretName = "gmem-ca-wildcard"; } ];
- rules = [ { host = endpoint.host; http.paths = [
- { path = "/"; pathType = "Prefix";
- backend.service = {
- name = name;
- port.number = endpoint.port;
- };
+ })
+ endpoints;
+ kubernetes.resources.endpoints =
+ builtins.mapAttrs (name: endpoint: {
+ subsets = [
+ {
+ addresses = [{ip = endpoint.location;}];
+ ports = [
+ {
+ name = name;
+ port = endpoint.port;
+ protocol = "TCP";
+ }
+ ];
 }
- ];}];
- };
- }) endpoints;
+ ];
+ })
+ endpoints;
+ kubernetes.resources.ingresses =
+ builtins.mapAttrs (name: endpoint: {
+ metadata = {
+ name = name;
+ annotations = {
+ "nginx.ingress.kubernetes.io/proxy-body-size" = "10g";
+ "cert-manager.io/issuer" = "le-issuer";
+ "nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol;
+ };
+ };
+ spec = {
+ tls = [
+ {
+ hosts = [endpoint.host];
+ secretName = "gmem-ca-wildcard";
+ }
+ ];
+ rules = [
+ {
+ host = endpoint.host;
+ http.paths = [
+ {
+ path = "/";
+ pathType = "Prefix";
+ backend.service = {
+ name = name;
+ port.number = endpoint.port;
+ };
+ }
+ ];
+ }
+ ];
+ };
+ })
+ endpoints;
 }
diff --git a/homelab/homepage.nix b/homelab/homepage.nix
index 874981b..e0a4c40 100644
--- a/homelab/homepage.nix
+++ b/homelab/homepage.nix
@@ -1,279 +1,306 @@
-{ lib, config, kubenix, ... }:
-let homepage-config = {
- bookmarks = [];
- services = [
- {
- Media = [
- { Plex = {
- icon = "plex.png";
- href = "https://app.plex.tv";
- description = "Plex";
- widget = {
- type = "plex";
- url = "http://vancouver:32400";
- key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
- };
- };
- }
- { Overseerr = {
- icon = "overseerr.png";
- href = "https://request-media.gmem.ca";
- description = "Request movies and TV shows";
- widget = {
- type = "overseerr";
- url = "https://request-media.gmem.ca";
- key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
- };
- };
- }
- { Transmission = {
- icon = "transmission.png";
- description = "Download progress for torrents";
- widget = {
- type = "transmission";
- url = "http://192.168.50.187:9091";
- };
- };
- }
- ];
- }
- {
- "Personal Infrastructure" = [
- { authentik = {
- icon = "authentik.png";
- href = "https://authentik.gmem.ca";
- description = "OIDC SSO";
- };
- }
- { Tailscale = {
- icon = "tailscale.png";
- href = "https://login.tailscale.com";
- description = "VPN provider";
- };
- }
- { Git = {
- icon = "forgejo.png";
- href = "https://git.gmem.ca";
- description = "Git forge";
- };
- }
- { Grafana = {
- icon = "grafana.png";
- href = "https://grafana.gmem.ca";
- description = "Monitoring & metrics";
- widget = {
- type = "grafana";
- url = "https://grafana.gmem.ca";
- username = "api@localhost";
- password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
- };
- };
- }
- { NextDNS = {
- icon = "nextdns.png";
- href = "https://my.nextdns.io/bcee89/setup";
- description = "DNS provider";
- widget = {
- type = "nextdns";
- profile = "bcee89";
- key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
- };
- };
- }
- { "Proxmox" = {
- icon = "proxmox.png";
- href = "https://proxmox.gmem.ca";
- description = "Homelab proxmox";
- widget = {
- type = "proxmox";
- url = "https://proxmox.gmem.ca";
- username = "api@pam!homepage";
- password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
- };
- };
- }
- { "Immich" = {
- icon = "immich.png";
- href = "https://photos.gmem.ca";
- description = "Image hosting";
- widget = {
- type = "immich";
- url = "https://photos.gmem.ca";
- key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
- };
- };
- }
- { "NextDNS Tailscale" = {
- icon = "nextdns.png";
- href = "https://my.nextdns.io/74c6db/setup";
- description = "Tailnet DNS provider";
- widget = {
- type = "nextdns";
- profile = "74c6db";
- key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
- };
- };
- }
- ];
- }
- {
- Reading = [
- { FreshRSS = {
- icon = "freshrss.png";
- href = "https://freshrss.gmem.ca";
- description = "FreshRSS RSS Reader";
- widget = {
- type = "freshrss";
- url = "https://freshrss.gmem.ca";
- username = "arch";
- password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
- };
- };
- }
- { "Lobste.rs" = {
- href = "https://lobste.rs";
- description = "News aggregator";
- };
- }
- { "Hacker News" = {
- href = "https://news.ycombinator.com";
- description = "VC news aggregator";
- };
- }
- ];
- }
- {
- "Floofy.tech Infrastructure" = [
- { Mastodon = {
- icon = "mastodon.png";
- href = "https://floofy.tech";
- description = "Primary Mastodon instance";
- widget = {
- type = "mastodon";
- url = "https://floofy.tech";
- };
- };
- }
- { Grafana = {
- icon = "grafana.png";
- href = "https://grafana.services.floofy.tech";
- description = "Metrics and Monitoring";
- };
- }
- { vSphere = {
- icon = "vmware-esxi.png";
- href = "https://vcenter.services.floofy.tech";
- description = "Hypervisor Manager";
- };
- }
- { "vrclub.social" = {
- icon = "calckey.png";
- href = "https://vrclub.social";
- description = "Firefish instance for VR clubs";
- };
- }
- ];
- }
- {
- "Tools" = [
- { "IT Tools" = {
- icon = "it-tools.png";
- href = "https://tools.gmem.ca";
- description = "Various useful tools";
- };
- }
- { Cyberchef = {
- icon = "cyberchef.png";
- href = "https://gchq.github.io/CyberChef/";
- description = "More useful tools, mostly text manipulation";
- };
- }
- ];
- }
- {
- "Backup Status" = [
- { "gsimmer backups" = {
- icon = "healthchecks.png";
- href = "https://healthchecks.gmem.ca";
- description = "Uptime monitor for recurring tasks";
- widget = {
- type = "healthchecks";
- url = "https://healthchecks.gmem.ca";
- key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
- uuid = "617d460f-69f6-444f-852a-421861543327";
- };
- };
- }
- { "becki backups" = {
- icon = "healthchecks.png";
- href = "https://healthchecks.gmem.ca";
- description = "Uptime monitor for recurring tasks";
- widget = {
- type = "healthchecks";
- url = "https://healthchecks.gmem.ca";
- key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
- uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
- };
- };
- }
- { "apps backups" = {
- icon = "healthchecks.png";
- href = "https://healthchecks.gmem.ca";
- description = "Uptime monitor for recurring tasks";
- widget = {
- type = "healthchecks";
- url = "https://healthchecks.gmem.ca";
- key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
- uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
- };
- };
- }
- ];
- }
- ];
- settings = {
- title = "Arch's Homepage";
- providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
- background = {
- image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
- blur = "sm";
- opacity = 50;
- };
- base = "https://home.gmem.ca";
- layout.Media.style = "row";
- layout.Media.columns = "3";
- layout."Personal Infrastructure".style = "row";
- layout."Personal Infrastructure".columns = "3";
- layout."Backup Status".style = "row";
- layout."Backup Status".columns = "3";
- };
- kubernetes.mode = "cluster";
- widgets = [
- {
- logo.icon = "https://gmem.ca/avatar.png";
- }
- {
- kubernetes = {
- cluster.show = true;
- nodes.show = true;
- };
- }
- {
- search = {
- provider = "duckduckgo";
- };
- }
- {
- openweathermap = {
- provider = "openweathermap";
- cache = 5;
- units = "metric";
- };
- }
- ];
- };
-in
 {
+ lib,
+ config,
+ kubenix,
+ ...
+}: let
+ homepage-config = {
+ bookmarks = [];
+ services = [
+ {
+ Media = [
+ {
+ Plex = {
+ icon = "plex.png";
+ href = "https://app.plex.tv";
+ description = "Plex";
+ widget = {
+ type = "plex";
+ url = "http://vancouver:32400";
+ key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
+ };
+ };
+ }
+ {
+ Overseerr = {
+ icon = "overseerr.png";
+ href = "https://request-media.gmem.ca";
+ description = "Request movies and TV shows";
+ widget = {
+ type = "overseerr";
+ url = "https://request-media.gmem.ca";
+ key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
+ };
+ };
+ }
+ {
+ Transmission = {
+ icon = "transmission.png";
+ description = "Download progress for torrents";
+ widget = {
+ type = "transmission";
+ url = "http://192.168.50.187:9091";
+ };
+ };
+ }
+ ];
+ }
+ {
+ "Personal Infrastructure" = [
+ {
+ authentik = {
+ icon = "authentik.png";
+ href = "https://authentik.gmem.ca";
+ description = "OIDC SSO";
+ };
+ }
+ {
+ Tailscale = {
+ icon = "tailscale.png";
+ href = "https://login.tailscale.com";
+ description = "VPN provider";
+ };
+ }
+ {
+ Git = {
+ icon = "forgejo.png";
+ href = "https://git.gmem.ca";
+ description = "Git forge";
+ };
+ }
+ {
+ Grafana = {
+ icon = "grafana.png";
+ href = "https://grafana.gmem.ca";
+ description = "Monitoring & metrics";
+ widget = {
+ type = "grafana";
+ url = "https://grafana.gmem.ca";
+ username = "api@localhost";
+ password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
+ };
+ };
+ }
+ {
+ NextDNS = {
+ icon = "nextdns.png";
+ href = "https://my.nextdns.io/bcee89/setup";
+ description = "DNS provider";
+ widget = {
+ type = "nextdns";
+ profile = "bcee89";
+ key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
+ };
+ };
+ }
+ {
+ "Proxmox" = {
+ icon = "proxmox.png";
+ href = "https://proxmox.gmem.ca";
+ description = "Homelab proxmox";
+ widget = {
+ type = "proxmox";
+ url = "https://proxmox.gmem.ca";
+ username = "api@pam!homepage";
+ password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
+ };
+ };
+ }
+ {
+ "Immich" = {
+ icon = "immich.png";
+ href = "https://photos.gmem.ca";
+ description = "Image hosting";
+ widget = {
+ type = "immich";
+ url = "https://photos.gmem.ca";
+ key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
+ };
+ };
+ }
+ {
+ "NextDNS Tailscale" = {
+ icon = "nextdns.png";
+ href = "https://my.nextdns.io/74c6db/setup";
+ description = "Tailnet DNS provider";
+ widget = {
+ type = "nextdns";
+ profile = "74c6db";
+ key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
+ };
+ };
+ }
+ ];
+ }
+ {
+ Reading = [
+ {
+ FreshRSS = {
+ icon = "freshrss.png";
+ href = "https://freshrss.gmem.ca";
+ description = "FreshRSS RSS Reader";
+ widget = {
+ type = "freshrss";
+ url = "https://freshrss.gmem.ca";
+ username = "arch";
+ password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
+ };
+ };
+ }
+ {
+ "Lobste.rs" = {
+ href = "https://lobste.rs";
+ description = "News aggregator";
+ };
+ }
+ {
+ "Hacker News" = {
+ href = "https://news.ycombinator.com";
+ description = "VC news aggregator";
+ };
+ }
+ ];
+ }
+ {
+ "Floofy.tech Infrastructure" = [
+ {
+ Mastodon = {
+ icon = "mastodon.png";
+ href = "https://floofy.tech";
+ description = "Primary Mastodon instance";
+ widget = {
+ type = "mastodon";
+ url = "https://floofy.tech";
+ };
+ };
+ }
+ {
+ Grafana = {
+ icon = "grafana.png";
+ href = "https://grafana.services.floofy.tech";
+ description = "Metrics and Monitoring";
+ };
+ }
+ {
+ vSphere = {
+ icon = "vmware-esxi.png";
+ href = "https://vcenter.services.floofy.tech";
+ description = "Hypervisor Manager";
+ };
+ }
+ {
+ "vrclub.social" = {
+ icon = "calckey.png";
+ href = "https://vrclub.social";
+ description = "Firefish instance for VR clubs";
+ };
+ }
+ ];
+ }
+ {
+ "Tools" = [
+ {
+ "IT Tools" = {
+ icon = "it-tools.png";
+ href = "https://tools.gmem.ca";
+ description = "Various useful tools";
+ };
+ }
+ {
+ Cyberchef = {
+ icon = "cyberchef.png";
+ href = "https://gchq.github.io/CyberChef/";
+ description = "More useful tools, mostly text manipulation";
+ };
+ }
+ ];
+ }
+ {
+ "Backup Status" = [
+ {
+ "gsimmer backups" = {
+ icon = "healthchecks.png";
+ href = "https://healthchecks.gmem.ca";
+ description = "Uptime monitor for recurring tasks";
+ widget = {
+ type = "healthchecks";
+ url = "https://healthchecks.gmem.ca";
+ key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
+ uuid = "617d460f-69f6-444f-852a-421861543327";
+ };
+ };
+ }
+ {
+ "becki backups" = {
+ icon = "healthchecks.png";
+ href = "https://healthchecks.gmem.ca";
+ description = "Uptime monitor for recurring tasks";
+ widget = {
+ type = "healthchecks";
+ url = "https://healthchecks.gmem.ca";
+ key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
+ uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
+ };
+ };
+ }
+ {
+ "apps backups" = {
+ icon = "healthchecks.png";
+ href = "https://healthchecks.gmem.ca";
+ description = "Uptime monitor for recurring tasks";
+ widget = {
+ type = "healthchecks";
+ url = "https://healthchecks.gmem.ca";
+ key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
+ uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
+ };
+ };
+ }
+ ];
+ }
+ ];
+ settings = {
+ title = "Arch's Homepage";
+ providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
+ background = {
+ image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
+ blur = "sm";
+ opacity = 50;
+ };
+ base = "https://home.gmem.ca";
+ layout.Media.style = "row";
+ layout.Media.columns = "3";
+ layout."Personal Infrastructure".style = "row";
+ layout."Personal Infrastructure".columns = "3";
+ layout."Backup Status".style = "row";
+ layout."Backup Status".columns = "3";
+ };
+ kubernetes.mode = "cluster";
+ widgets = [
+ {
+ logo.icon = "https://gmem.ca/avatar.png";
+ }
+ {
+ kubernetes = {
+ cluster.show = true;
+ nodes.show = true;
+ };
+ }
+ {
+ search = {
+ provider = "duckduckgo";
+ };
+ }
+ {
+ openweathermap = {
+ provider = "openweathermap";
+ cache = 5;
+ units = "metric";
+ };
+ }
+ ];
+ };
+in {
 kubernetes.helm.releases.homepage = {
 chart = kubenix.lib.helm.fetch {
 repo = "https://jameswynn.github.io/helm-charts";
@@ -307,7 +334,7 @@ in
 ];
 tls = [
 {
- hosts = [ "home.gmem.ca" ];
+ hosts = ["home.gmem.ca"];
 secretName = "gmem-ca-wildcard";
 }
 ];
@@ -317,10 +344,10 @@ in
 kubernetes.resources.deployments.homepage = {
 metadata.namespace = "default";
-
+
 spec.template = {
- metadata.annotations."gmem.ca/homepage-config-hash" = (builtins.hashString "md5" (builtins.toJSON homepage-config));
- spec.containers.homepage.envFrom = [ { secretRef.name = "homepage-config"; } ];
+ metadata.annotations."gmem.ca/homepage-config-hash" = builtins.hashString "md5" (builtins.toJSON homepage-config);
+ spec.containers.homepage.envFrom = [{secretRef.name = "homepage-config";}];
 };
 };
 }
diff --git a/homelab/immich.nix b/homelab/immich.nix
index a806edf..0191072 100644
--- a/homelab/immich.nix
+++ b/homelab/immich.nix
@@ -1,4 +1,9 @@
-{ lib, config, kubenix, ... }: {
+{
+ lib,
+ config,
+ kubenix,
+ ...
+}: {
 kubernetes.helm.releases.immich = {
 chart = kubenix.lib.helm.fetch {
 repo = "https://immich-app.github.io/immich-charts";
@@ -24,11 +29,16 @@
 annotations = {
 "cert-manager.io/issuer" = "le-issuer";
 };
- tls = [ { hosts = [ "photos.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
+ tls = [
+ {
+ hosts = ["photos.gmem.ca"];
+ secretName = "gmem-ca-wildcard";
+ }
+ ];
 hosts = [
 {
 host = "photos.gmem.ca";
- paths = [ { path = "/"; } ];
+ paths = [{path = "/";}];
 }
 ];
 };
diff --git a/homelab/irc.nix b/homelab/irc.nix
index 661ddd9..f912b9d 100644
--- a/homelab/irc.nix
+++ b/homelab/irc.nix
@@ -2,8 +2,7 @@ let
 appName = "soju";
 sojuImage = "git.gmem.ca/arch/soju:latest";
 gamjaImage = "git.gmem.ca/arch/gamja:latest";
-in
-{
+in {
 kubernetes.resources.services.soju = {
 spec = {
 type = "NodePort";
@@ -45,8 +44,17 @@ in soju = { image = sojuImage; imagePullPolicy = "Always"; - volumeMounts = [ { name = "config"; mountPath = "/etc/soju/config"; subPath = "config"; } - { name = "ssl"; mountPath = "/ssl"; } ]; + volumeMounts = [ + { + name = "config"; + mountPath = "/etc/soju/config"; + subPath = "config"; + } + { + name = "ssl"; + mountPath = "/ssl"; + } + ]; ports.tls.containerPort = 6697; ports.ws.containerPort = 80; @@ -92,32 +100,46 @@ in "cert-manager.io/issuer" = "le-issuer"; }; spec = { - tls = [ { hosts = [ "irc.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; - rules = [ { host = "irc.gmem.ca"; http.paths = [ - { path = "/"; pathType = "Prefix"; - backend.service = { - name = "gamja"; - port.number = 80; - }; + tls = [ + { + hosts = ["irc.gmem.ca"]; + secretName = "gmem-ca-wildcard"; } - { path = "/socket"; pathType = "Prefix"; - backend.service = { - name = "soju-ws"; - port.number = 80; - }; + ]; + rules = [ + { + host = "irc.gmem.ca"; + http.paths = [ + { + path = "/"; + pathType = "Prefix"; + backend.service = { + name = "gamja"; + port.number = 80; + }; + } + { + path = "/socket"; + pathType = "Prefix"; + backend.service = { + name = "soju-ws"; + port.number = 80; + }; + } + ]; } - ];}]; + ]; }; }; - + kubernetes.resources.configMaps.soju.data.config = '' -listen ircs:// -listen unix+admin:///app/admin -listen ws+insecure:// -hostname irc.gmem.ca -title irc.gmem.ca -db postgres "dbname=soju" -message-store db -tls /ssl/tls.crt /ssl/tls.key + listen ircs:// + listen unix+admin:///app/admin + listen ws+insecure:// + hostname irc.gmem.ca + title irc.gmem.ca + db postgres "dbname=soju" + message-store db + tls /ssl/tls.crt /ssl/tls.key ''; } diff --git a/homelab/kubernetes.nix b/homelab/kubernetes.nix index 97f8ae7..36bd589 100644 --- a/homelab/kubernetes.nix +++ b/homelab/kubernetes.nix 
@@ -1,18 +1,25 @@ -{ lib, config, kubenix, ... }: { - imports = [ kubenix.modules.k8s kubenix.modules.helm - (import ./custom.nix) - (import ./nginx.nix) - (import ./tclip.nix) - (import ./vrchat-prometheus-exporter.nix) - (import ./overseerr.nix) - (import ./immich.nix) - (import ./endpoints.nix) - (import ./homepage.nix) - (import ./pterodactyl.nix) - (import ./cloudflare-exporter.nix) - (import ./piped.nix) - (import ./conduit.nix) - (import ./irc.nix) - (import ./netboot.nix) - ]; +{ + lib, + config, + kubenix, + ... +}: { + imports = [ + kubenix.modules.k8s + kubenix.modules.helm + (import ./custom.nix) + (import ./nginx.nix) + (import ./tclip.nix) + (import ./vrchat-prometheus-exporter.nix) + (import ./overseerr.nix) + (import ./immich.nix) + (import ./endpoints.nix) + (import ./homepage.nix) + (import ./pterodactyl.nix) + (import ./cloudflare-exporter.nix) + (import ./piped.nix) + (import ./conduit.nix) + (import ./irc.nix) + (import ./netboot.nix) + ]; } diff --git a/homelab/netboot.nix b/homelab/netboot.nix index eec9a70..d44be96 100644 --- a/homelab/netboot.nix +++ b/homelab/netboot.nix @@ -1,8 +1,7 @@ let appName = "netbootxyz"; netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz"; -in -{ +in { kubernetes.resources.services.netbootxyz = { spec = { selector.app = appName; 
@@ -35,16 +34,28 @@ in metadata.labels.app = appName; spec = { volumes = [ - { name = "config"; persistentVolumeClaim.claimName = "netbootxyz-config"; } - { name = "assets"; persistentVolumeClaim.claimName = "netbootxyz-assets"; } + { + name = "config"; + persistentVolumeClaim.claimName = "netbootxyz-config"; + } + { + name = "assets"; + persistentVolumeClaim.claimName = "netbootxyz-assets"; + } ]; containers = { netbootxyz = { image = netbootxyzImage; imagePullPolicy = "Always"; volumeMounts = [ - { mountPath = "/config"; name = "config"; } - { mountPath = "/assets"; name = "assets"; } + { + mountPath = "/config"; + name = "config"; + } + { + mountPath = "/assets"; + name = "assets"; + } ]; env.SUBFOLDER.value = "/ui/"; ports.http.containerPort = 80; @@ -62,12 +73,12 @@ in kubernetes.resources.persistentVolumeClaims.netbootxyz-config.spec = { resources.requests.storage = "1Gi"; volumeMode = "Filesystem"; - accessModes = [ "ReadWriteMany" ]; + accessModes = ["ReadWriteMany"]; }; kubernetes.resources.persistentVolumeClaims.netbootxyz-assets.spec = { resources.requests.storage = "10Gi"; volumeMode = "Filesystem"; - accessModes = [ "ReadWriteMany" ]; + accessModes = ["ReadWriteMany"]; }; kubernetes.resources.ingresses.netbootxyz = { 
@@ -76,22 +87,35 @@ in "nginx.ingress.kubernetes.io/ssl-redirect" = "false"; }; spec = { - tls = [ { hosts = [ "netboot.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; - rules = [ { host = "netboot.gmem.ca"; http.paths = [ - { path = "/ui"; pathType = "Prefix"; - backend.service = { - name = "netbootxyz"; - port.number = 3000; - }; + tls = [ + { + hosts = ["netboot.gmem.ca"]; + secretName = "gmem-ca-wildcard"; } - { path = "/"; pathType = "Prefix"; - backend.service = { - name = "netbootxyz"; - port.number = 80; - }; + ]; + rules = [ + { + host = "netboot.gmem.ca"; + http.paths = [ + { + path = "/ui"; + pathType = "Prefix"; + backend.service = { + name = "netbootxyz"; + port.number = 3000; + }; + } + { + path = "/"; + pathType = "Prefix"; + backend.service = { + name = "netbootxyz"; + port.number = 80; + }; + } + ]; } - ];}]; + ]; }; }; - } diff --git a/homelab/nginx.nix b/homelab/nginx.nix index b5de8a6..ad25da0 100644 --- a/homelab/nginx.nix +++ b/homelab/nginx.nix @@ -1,4 +1,9 @@ -{ lib, config, kubenix, ... }: { +{ + lib, + config, + kubenix, + ... +}: { kubernetes.helm.releases.ingress-nginx = { namespace = "ingress-nginx"; chart = kubenix.lib.helm.fetch { diff --git a/homelab/overseerr.nix b/homelab/overseerr.nix index 11fc900..7e87708 100644 --- a/homelab/overseerr.nix +++ b/homelab/overseerr.nix @@ -1,8 +1,7 @@ let appName = "overseerr"; appImage = "sctx/overseerr"; -in -{ +in { kubernetes.resources.services.overseerr = { spec = { selector.app = appName; @@ -25,7 +24,10 @@ in overseerr = { image = appImage; volumeMounts = [ - { name = "data"; mountPath = "/app/config"; } + { + name = "data"; + mountPath = "/app/config"; + } ]; ports.metrics.containerPort = 5055; resources = { 
@@ -43,32 +45,41 @@ in }; }; volumeClaimTemplates = [ - { metadata.name = "data"; + { + metadata.name = "data"; spec = { storageClassName = "nfs-client"; - accessModes = [ "ReadWriteOnce" ]; + accessModes = ["ReadWriteOnce"]; resources.requests.storage = "1Gi"; }; } ]; }; - kubernetes.resources.ingresses.overseerr = { - metadata = { + kubernetes.resources.ingresses.overseerr = { + metadata = { name = appName; annotations = { "cert-manager.io/issuer" = "le-issuer"; }; }; spec = { - tls = [ { hosts = [ "request-media.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; + tls = [ + { + hosts = ["request-media.gmem.ca"]; + secretName = "gmem-ca-wildcard"; + } + ]; rules = [ { host = "request-media.gmem.ca"; http.paths = [ - { path = "/"; pathType = "Prefix"; + { + path = "/"; + pathType = "Prefix"; backend.service = { name = appName; - port.name = "http"; }; + port.name = "http"; + }; } ]; } diff --git a/homelab/piped.nix b/homelab/piped.nix index 4c013d7..cf1f7f3 100644 --- a/homelab/piped.nix +++ b/homelab/piped.nix @@ -1,4 +1,9 @@ -{ lib, config, kubenix, ... }: { +{ + lib, + config, + kubenix, + ... +}: { kubernetes.helm.releases.piped = { namespace = "default"; chart = kubenix.lib.helm.fetch { 
@@ -20,24 +25,48 @@ password = "password"; }; }; - fontend.env.BACKEND_HOSTNAME= "pipedapi.gmem.ca"; + fontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca"; ingress = { main = { - tls = [ { hosts = [ "piped.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; + tls = [ + { + hosts = ["piped.gmem.ca"]; + secretName = "gmem-ca-wildcard"; + } + ]; hosts = [ - { host = "piped.gmem.ca"; paths = [ { path = "/"; } ]; } + { + host = "piped.gmem.ca"; + paths = [{path = "/";}]; + } ]; }; backend = { - tls = [ { hosts = [ "pipedapi.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; + tls = [ + { + hosts = ["pipedapi.gmem.ca"]; + secretName = "gmem-ca-wildcard"; + } + ]; hosts = [ - { host = "pipedapi.gmem.ca"; paths = [ { path = "/"; } ]; } + { + host = "pipedapi.gmem.ca"; + paths = [{path = "/";}]; + } ]; }; ytproxy = { - tls = [ { hosts = [ "ytproxy.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; + tls = [ + { + hosts = ["ytproxy.gmem.ca"]; + secretName = "gmem-ca-wildcard"; + } + ]; hosts = [ - { host = "ytproxy.gmem.ca"; paths = [ { path = "/"; } ]; } + { + host = "ytproxy.gmem.ca"; + paths = [{path = "/";}]; + } ]; }; }; 
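Review bot: The reformatted `fontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca";` line carries what looks like a typo for `frontend`; Helm values are not schema-checked, so if the chart's key is `frontend` this env var is silently dropped and the frontend keeps its default backend host. Proposed line, once the chart's values key is confirmed: `frontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca";`. The enclosing `values` block starts outside the hunk, and the `password = "password";` context line at the top of the hunk looks like a hard-coded credential that belongs in a secret, like the `hippo-pguser-piped` secretRef this file already uses for the CronJob.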
@@ -50,18 +79,18 @@ restartPolicy = "Never"; containers.refresh-subscriptions = { image = "alpine:3.15"; - envFrom = [ { secretRef.name = "hippo-pguser-piped"; } ]; + envFrom = [{secretRef.name = "hippo-pguser-piped";}]; command = [ "/bin/ash" "-c" '' - apk --no-cache add postgresql-client curl && - export PGPASSWORD=$password && - export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') && - while IFS= read -r line; do - curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null - done < <(printf '%s' "$subs") - '' + apk --no-cache add postgresql-client curl && + export PGPASSWORD=$password && + export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') && + while IFS= read -r line; do + curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null + done < <(printf '%s' "$subs") + '' ]; }; }; diff --git a/homelab/pterodactyl.nix b/homelab/pterodactyl.nix index 7dca726..7354864 100644 --- a/homelab/pterodactyl.nix +++ b/homelab/pterodactyl.nix 
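Review bot: The re-indented refresh loop never processes the last subscription: `$(psql ...)` strips the trailing newline and `printf '%s' "$subs"` adds none back, so `read -r` returns non-zero on the final id and the body is skipped for it. The same line also uses `curl -k`, which disables certificate verification for `pipedapi.gmem.ca` even though this file terminates that host with the `gmem-ca-wildcard` TLS secret, and without `--fail` an HTTP error response is indistinguishable from success. Suggested lines: `curl --fail --silent --show-error "https://pipedapi.gmem.ca/channel/$line" > /dev/null` and `done < <(printf '%s\n' "$subs")`; if the wildcard certificate does not chain to a CA trusted by the `alpine:3.15` image, mount the issuing CA and pass `--cacert` rather than keeping `-k`. Also worth verifying that `/bin/ash` in that image supports the `<(...)` process substitution at all; a plain pipe into the loop avoids the question.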
@@ -2,78 +2,95 @@ let appName = "pterodactyl-panel"; pterodactyl-panel-Image = "git.gmem.ca/arch/pterodactyl-panel:latest"; in -{ lib, config, kubenix, ... }: { + { + lib, + config, + kubenix, + ... + }: { kubernetes.resources.services.pterodactyl-panel = { - spec = { - selector.app = appName; - ports.http = { - port = 8080; - targetPort = 8080; + spec = { + selector.app = appName; + ports.http = { + port = 8080; + targetPort = 8080; + }; }; }; - }; - kubernetes.resources.statefulSets.pterodactyl-panel.spec = { - selector.matchLabels.app = appName; - serviceName = appName; - template = { - metadata.labels.app = appName; - spec = { - containers = { - pterodactyl-panel = { - image = pterodactyl-panel-Image; - imagePullPolicy = "Always"; - ports.http.containerPort = 8080; - volumeMounts = [ - { name = "data"; mountPath = "/var/www/pterodactyl/storage/app"; } - ]; - envFrom = [ { secretRef.name = "pterodactyl"; } ]; + kubernetes.resources.statefulSets.pterodactyl-panel.spec = { + selector.matchLabels.app = appName; + serviceName = appName; + template = { + metadata.labels.app = appName; + spec = { + containers = { + pterodactyl-panel = { + image = pterodactyl-panel-Image; + imagePullPolicy = "Always"; + ports.http.containerPort = 8080; + volumeMounts = [ + { + name = "data"; + mountPath = "/var/www/pterodactyl/storage/app"; + } + ]; + envFrom = [{secretRef.name = "pterodactyl";}]; + }; }; }; }; - }; - volumeClaimTemplates = [ - { metadata.name = "data"; - spec = { - storageClassName = "nfs-client"; - accessModes = [ "ReadWriteOnce" ]; - resources.requests.storage = "1Gi"; - }; - } - ]; - }; - kubernetes.helm.releases.pterodactyl-redis = { - chart = kubenix.lib.helm.fetch { - repo = "https://charts.bitnami.com/bitnami"; - chart = "redis"; - version = "18.6.1"; - sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM="; - }; - values = { - auth.enabled = false; - architecture = "standalone"; - }; - }; - kubernetes.resources.ingresses.pterodactyl-panel = { - metadata = { - 
name = appName; - annotations = { - "cert-manager.io/issuer" = "le-issuer"; - }; - }; - spec = { - tls = [ { hosts = [ "games.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; - rules = [ + volumeClaimTemplates = [ { - host = "games.gmem.ca"; - http.paths = [ - { path = "/"; pathType = "Prefix"; - backend.service = { - name = appName; - port.name = "http"; }; - } - ]; + metadata.name = "data"; + spec = { + storageClassName = "nfs-client"; + accessModes = ["ReadWriteOnce"]; + resources.requests.storage = "1Gi"; + }; } ]; }; - }; -} + kubernetes.helm.releases.pterodactyl-redis = { + chart = kubenix.lib.helm.fetch { + repo = "https://charts.bitnami.com/bitnami"; + chart = "redis"; + version = "18.6.1"; + sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM="; + }; + values = { + auth.enabled = false; + architecture = "standalone"; + }; + }; + kubernetes.resources.ingresses.pterodactyl-panel = { + metadata = { + name = appName; + annotations = { + "cert-manager.io/issuer" = "le-issuer"; + }; + }; + spec = { + tls = [ + { + hosts = ["games.gmem.ca"]; + secretName = "gmem-ca-wildcard"; + } + ]; + rules = [ + { + host = "games.gmem.ca"; + http.paths = [ + { + path = "/"; + pathType = "Prefix"; + backend.service = { + name = appName; + port.name = "http"; + }; + } + ]; + } + ]; + }; + }; + } diff --git a/homelab/tclip.nix b/homelab/tclip.nix index ce58f1c..035d7b1 100644 --- a/homelab/tclip.nix +++ b/homelab/tclip.nix @@ -2,12 +2,16 @@ let appName = "tclip"; litestreamImage = "litestream/litestream:sha-749bc0d"; tclipImage = "git.gmem.ca/arch/tclip:arm"; -in -{ +in { kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.tclip = { spec = { selector.matchLabels.app = appName; - endpoints = [ { port = "metrics"; interval = "30s"; } ]; + endpoints = [ + { + port = "metrics"; + interval = "30s"; + } + ]; }; }; kubernetes.resources.services.tclip = { 
@@ -36,41 +40,67 @@ in }; initContainers.init-litestream = { image = litestreamImage; - args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db" ]; + args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db"]; volumeMounts = [ - { name = "data"; mountPath = "/data"; } - { name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; } + { + name = "data"; + mountPath = "/data"; + } + { + name = "litestream"; + mountPath = "/etc/litestream.yml"; + subPath = "tclip.yml"; + } ]; - envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ]; + envFrom = [{secretRef.name = "tclip-litestream-s3";}]; }; containers = { tclip = { image = tclipImage; imagePullPolicy = "Always"; - volumeMounts = [ { name = "data"; mountPath = "/data"; } ]; + volumeMounts = [ + { + name = "data"; + mountPath = "/data"; + } + ]; env = [ - { name = "DATA_DIR"; value = "/data"; } - { name = "USE_FUNNEL"; value = "true"; } + { + name = "DATA_DIR"; + value = "/data"; + } + { + name = "USE_FUNNEL"; + value = "true"; + } ]; }; litestream = { image = litestreamImage; - args = [ "replicate" ]; + args = ["replicate"]; volumeMounts = [ - { name = "data"; mountPath = "/data"; } - { name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; } + { + name = "data"; + mountPath = "/data"; + } + { + name = "litestream"; + mountPath = "/etc/litestream.yml"; + subPath = "tclip.yml"; + } ]; - envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ]; + envFrom = [{secretRef.name = "tclip-litestream-s3";}]; ports.metrics.containerPort = 9090; }; }; }; }; volumeClaimTemplates = [ - { metadata.name = "data"; + { + metadata.name = "data"; spec = { storageClassName = "nfs-client"; - accessModes = [ "ReadWriteOnce" ]; + accessModes = ["ReadWriteOnce"]; resources.requests.storage = "1Gi"; }; } diff --git a/homelab/vrchat-prometheus-exporter.nix b/homelab/vrchat-prometheus-exporter.nix index 1587f7b..dc7f1bb 100644 
--- a/homelab/vrchat-prometheus-exporter.nix +++ b/homelab/vrchat-prometheus-exporter.nix @@ -1,12 +1,16 @@ let appName = "vrchat-prometheus-exporter"; appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm"; -in -{ +in { kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.vrchat-prometheus-adapter = { spec = { selector.matchLabels.app = appName; - endpoints = [ { port = "metrics"; interval = "60s"; } ]; + endpoints = [ + { + port = "metrics"; + interval = "60s"; + } + ]; }; }; kubernetes.resources.services.vrchat-prometheus-adapter = { @@ -35,8 +39,14 @@ in vrchat-prometheus-adapter = { image = appImage; imagePullPolicy = "Always"; - volumeMounts = [ { name = "config"; mountPath = "/config.toml"; subPath = "config.toml"; } ]; - envFrom = [ { secretRef.name = "vrchat-prometheus-adapter"; } ]; + volumeMounts = [ + { + name = "config"; + mountPath = "/config.toml"; + subPath = "config.toml"; + } + ]; + envFrom = [{secretRef.name = "vrchat-prometheus-adapter";}]; ports.metrics.containerPort = 6534; resources = { requests = { diff --git a/nix/glasgow/configuration.nix b/nix/glasgow/configuration.nix index 0ab0a3a..86d8680 100644 --- a/nix/glasgow/configuration.nix +++ b/nix/glasgow/configuration.nix @@ -1,10 +1,12 @@ -{ config, pkgs, ... }: - { - imports = - [ # Include the results of the hardware scan. - ./hardware.nix - ]; + config, + pkgs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware.nix + ]; age.secrets.k3s-token = { file = ../../secrets/k3s-token.age; 
@@ -12,20 +14,19 @@ }; boot = { - supportedFilesystems = [ "nfs" ]; + supportedFilesystems = ["nfs"]; kernelPackages = pkgs.linuxPackages_rpi4; - kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ]; + kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"]; loader = { grub.enable = false; generic-extlinux-compatible.enable = true; }; }; - swapDevices = [ { device = "/var/lib/swapfile"; - size = 8*1024; + size = 8 * 1024; } ]; @@ -43,7 +44,7 @@ extraOptions = '' min-free = ${toString (100 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)} - ''; + ''; }; networking = { @@ -52,8 +53,8 @@ firewall = { trustedInterfaces = ["tailscale0"]; checkReversePath = "loose"; - allowedUDPPorts = [ 41641 ]; - allowedTCPPorts = [ 22 80 443 6443 10250 ]; + allowedUDPPorts = [41641]; + allowedTCPPorts = [22 80 443 6443 10250]; enable = false; }; nftables.enable = false; @@ -63,7 +64,7 @@ users.users.gsimmer = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; packages = with pkgs; [ tree ]; @@ -72,8 +73,9 @@ url = "https://gmem.ca/ssh"; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; }; - in pkgs.lib.splitString "\n" (builtins.readFile - authorizedKeys); + in + pkgs.lib.splitString "\n" (builtins.readFile + authorizedKeys); }; environment.systemPackages = with pkgs; [ @@ -108,5 +110,4 @@ }; system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? - } diff --git a/nix/glasgow/hardware.nix b/nix/glasgow/hardware.nix index 7f4962b..65e9e8f 100644 --- a/nix/glasgow/hardware.nix +++ b/nix/glasgow/hardware.nix 
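Review bot: In the `@@ -52,8 +53,8 @@` hunk the reformatted `allowedUDPPorts = [41641];` and `allowedTCPPorts = [22 80 443 6443 10250];` lists sit directly above `enable = false;`, so they are inert: with the firewall disabled every listening port on every interface is reachable, not just those listed. If disabling it is deliberate (for example because k3s manages its own rules on this host, given the `k3s-token` secret above), record that beside the line with a comment such as `enable = false; # firewall intentionally disabled: <reason>`; otherwise set `enable = true;` so the allow-list takes effect. The enclosing `networking` block starts outside the hunk.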
@@ -1,24 +1,28 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "uas"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; - swapDevices = [ ]; + swapDevices = []; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/nix/london/cachix.nix b/nix/london/cachix.nix index 75b11a8..d888840 100644 --- a/nix/london/cachix.nix +++ b/nix/london/cachix.nix @@ -1,7 +1,9 @@ # WARN: this file will get overwritten by $ cachix use -{ pkgs, lib, ... }: - -let +{ + pkgs, + lib, + ... +}: let folder = ./cachix; toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; diff --git a/nix/london/configuration.nix b/nix/london/configuration.nix index 7e07238..51ff3fe 100644 --- a/nix/london/configuration.nix +++ b/nix/london/configuration.nix @@ -1,10 +1,11 @@ -{ config, pkgs, ... }: - { - imports = - [ - ./hardware-configuration.nix - ]; + config, + pkgs, + ... +}: { + imports = [ + ./hardware-configuration.nix + ]; # Bootloader boot = { 
@@ -15,12 +16,12 @@ }; }; tmp.cleanOnBoot = true; - binfmt.emulatedSystems = [ "aarch64-linux" ]; + binfmt.emulatedSystems = ["aarch64-linux"]; extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; kernelPackages = pkgs.linuxPackages_zen; - kernelModules = [ "amdgpu" "coretemp" "kvm-amd" "v4l2loopback" ]; + kernelModules = ["amdgpu" "coretemp" "kvm-amd" "v4l2loopback"]; }; time.hardwareClockInLocalTime = true; @@ -31,7 +32,7 @@ }; nix = { settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = ["nix-command" "flakes"]; auto-optimise-store = true; }; gc = { @@ -48,11 +49,21 @@ networkmanager.enable = true; firewall = { enable = true; - allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; - allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; - allowedTCPPorts = [ 7000 7100 7001 22000 8000 3000 9943 9944 ]; - allowedUDPPorts = [ 69 6000 6001 7011 41641 3478 22000 21027 9943 9944 ]; - trustedInterfaces = [ "enp4s0" "tailscale0" "docker0" ]; + allowedUDPPortRanges = [ + { + from = 27031; + to = 27036; + } + ]; + allowedTCPPortRanges = [ + { + from = 27036; + to = 27037; + } + ]; + allowedTCPPorts = [7000 7100 7001 22000 8000 3000 9943 9944]; + allowedUDPPorts = [69 6000 6001 7011 41641 3478 22000 21027 9943 9944]; + trustedInterfaces = ["enp4s0" "tailscale0" "docker0"]; checkReversePath = "loose"; }; nftables.enable = true; 
@@ -72,23 +83,29 @@ positions = { filename = "/tmp/positions.yaml"; }; - clients = [{ - url = "http://monitoring:3030/loki/api/v1/push"; - }]; - scrape_configs = [{ - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "london"; + clients = [ + { + url = "http://monitoring:3030/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "london"; + }; }; - }; - relabel_configs = [{ - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - }]; - }]; + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; }; }; fwupd.enable = true; @@ -105,12 +122,13 @@ enable = true; listenAddress = "100.110.180.123"; enabledCollectors = [ - "systemd" "processes" + "systemd" + "processes" ]; }; dbus.enable = true; yubikey-agent.enable = true; - udev.packages = with pkgs; [ libu2f-host yubikey-personalization ]; + udev.packages = with pkgs; [libu2f-host yubikey-personalization]; tailscale.enable = true; pcscd.enable = true; mullvad-vpn.enable = true; @@ -133,7 +151,7 @@ }; printing = { enable = true; - drivers = [ pkgs.gutenprint pkgs.gutenprintBin ]; + drivers = [pkgs.gutenprint pkgs.gutenprintBin]; }; avahi = { nssmdns4 = true; @@ -164,7 +182,7 @@ }; sane.enable = true; - sane.extraBackends = [ pkgs.epkowa ]; + sane.extraBackends = [pkgs.epkowa]; pulseaudio.enable = false; }; environment.variables.AMD_VULKAN_ICD = "RADV"; 
@@ -184,17 +202,17 @@ dedicatedServer.openFirewall = false; }; gnupg.agent = { - enable = true; - pinentryFlavor = "qt"; - enableSSHSupport = false; - }; + enable = true; + pinentryFlavor = "qt"; + enableSSHSupport = false; + }; }; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.gsimmer = { shell = pkgs.fish; isNormalUser = true; description = "Gabriel Simmer"; - extraGroups = [ "networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker" ]; + extraGroups = ["networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker"]; packages = with pkgs; [ firefox-wayland vim @@ -223,9 +241,9 @@ enableDefaultPackages = true; }; - systemd.packages = with pkgs; [ cloudflare-warp ]; + systemd.packages = with pkgs; [cloudflare-warp]; environment = { - shells = with pkgs; [ zsh fish ]; + shells = with pkgs; [zsh fish]; systemPackages = with pkgs; [ os-prober tailscale @@ -251,7 +269,7 @@ pcscliteWithPolkit.out ]; }; - + environment.plasma5.excludePackages = with pkgs.libsForQt5; [ elisa okular @@ -265,16 +283,15 @@ polkit = { enable = true; extraConfig = '' - polkit.addRule(function(action, subject) { - if (action.id == "org.debian.pcsc-lite.access_pcsc" && - subject.isInGroup("wheel")) { - return polkit.Result.YES; - } - }); - ''; + polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.isInGroup("wheel")) { + return polkit.Result.YES; + } + }); + ''; }; rtkit.enable = true; }; system.stateVersion = "23.05"; # Did you read the comment? - } diff --git a/nix/london/gsimmer.nix b/nix/london/gsimmer.nix index 37d7119..ff1c130 100644 --- a/nix/london/gsimmer.nix +++ b/nix/london/gsimmer.nix 
@@ -1,51 +1,59 @@ -{ config, pkgs, callPackage, lib, ... }: - { + config, + pkgs, + callPackage, + lib, + ... +}: { nixpkgs = { - config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "parsec-bin" - "discord" - ]; + config.allowUnfreePredicate = pkg: + builtins.elem (lib.getName pkg) [ + "parsec-bin" + "discord" + ]; config.allowUnfree = true; - overlays = - let - discordOverlay = self: super: { - discord = super.discord.override { withVencord = true; withOpenASAR = true; }; + overlays = let + discordOverlay = self: super: { + discord = super.discord.override { + withVencord = true; + withOpenASAR = true; }; - in - [ - (import (builtins.fetchTarball { - url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz"; - sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6"; - })) discordOverlay]; + }; + in [ + (import (builtins.fetchTarball { + url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz"; + sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6"; + })) + discordOverlay + ]; }; home = { username = "gsimmer"; homeDirectory = "/home/gsimmer"; }; - + services.pueue = { enable = true; settings = { - client = { }; + client = {}; daemon.callback = '' ${pkgs.libnotify}/bin/notify-send -t 4000 "Task {{id}} finished, status '{{result}}'" "{{exit_code}} {{command}}" ''; - shared = { }; - profiles = { }; + shared = {}; + profiles = {}; }; }; - + programs = { bash.enable = false; fish = { enable = true; interactiveShellInit = '' - set fish_greeting - atuin init fish | source - ''; + set fish_greeting + atuin init fish | source + ''; }; - + direnv = { enable = true; nix-direnv.enable = true; 
@@ -90,14 +98,14 @@ # Prevent clobbering SSH_AUTH_SOCK home.sessionVariables = { - SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"; + SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"; }; # Disable gnome-keyring ssh-agent xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = '' - ${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"} - Hidden=true - ''; + ${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"} + Hidden=true + ''; home.packages = with pkgs; [ bitwarden-cli diff --git a/nix/london/hardware-configuration.nix b/nix/london/hardware-configuration.nix index b96ba0b..f3b4352 100644 --- a/nix/london/hardware-configuration.nix +++ b/nix/london/hardware-configuration.nix 
@@ -1,31 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-amd"]; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939"; - fsType = "xfs"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939"; + fsType = "xfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2A2C-A8CE"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2A2C-A8CE"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/nix/london/wayland.nix b/nix/london/wayland.nix index e35ad6a..60653e7 100644 --- a/nix/london/wayland.nix +++ b/nix/london/wayland.nix 
@@ -1,9 +1,12 @@ -{ config, lib, pkgs, ... }: -let +{ + config, + lib, + pkgs, + ... +}: let rev = "master"; # 'rev' could be a git rev, to pin the overlay. url = "https://github.com/nix-community/nixpkgs-wayland/archive/${rev}.tar.gz"; - waylandOverlay = (import "${builtins.fetchTarball url}/overlay.nix"); -in - { - nixpkgs.overlays = [ waylandOverlay ]; - } + waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix"; +in { + nixpkgs.overlays = [waylandOverlay]; +} diff --git a/nix/monitoring/configuration.nix b/nix/monitoring/configuration.nix index 5847f7a..7faf7b2 100644 --- a/nix/monitoring/configuration.nix +++ b/nix/monitoring/configuration.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: - { + config, + pkgs, + ... +}: { imports = [ ./hardware.nix ./networking.nix # generated at runtime by nixos-infect @@ -20,7 +22,7 @@ file = ../../secrets/healthchecks-telegram.age; owner = "healthchecks"; }; - + age.secrets.prometheus-webconfig-secret = { file = ../../secrets/monitoring-prometheus-webconfig.age; owner = "prometheus"; @@ -43,7 +45,7 @@ networking.domain = ""; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ - ''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI='' + ''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI='' ]; networking.firewall.enable = false; @@ -104,16 +106,18 @@ }; schema_config = { - configs = [{ - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v11"; - index = { - prefix = "index_"; - period = "24h"; - }; - }]; + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v11"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; }; storage_config = { 
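Review bot: `waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix";` pulls the `master` tarball of nixpkgs-wayland with no `sha256`, so the overlay is neither reproducible nor integrity-checked: whatever GitHub serves at evaluation time is imported and executed as Nix code, and the comment on the `rev` line already notes it could be pinned. Pin it with `rev = "<commit-placeholder>";` and `waylandOverlay = import "${builtins.fetchTarball { inherit url; sha256 = "<sha256-placeholder>"; }}/overlay.nix";`, the same hashed-`fetchTarball` pattern `nix/london/gsimmer.nix` uses for the emacs overlay elsewhere in this diff.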
@@ -164,27 +168,33 @@ positions = { filename = "/tmp/positions.yaml"; }; - clients = [{ - url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; - }]; - scrape_configs = [{ - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "monitoring"; + clients = [ + { + url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "monitoring"; + }; }; - }; - relabel_configs = [{ - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - }]; - }]; + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; }; }; services.alertmanager-ntfy = { - enable = true; + enable = true; settings = { http = { addr = "127.0.0.1:8111"; @@ -195,7 +205,7 @@ topic = "alerts"; priority = '' status == "firing" ? "high" : "default" - ''; + ''; templates = { title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}''; description = ''{{ index .Annotations "description" }}''; 
@@ -211,136 +221,155 @@
 globalConfig = {
 scrape_interval = "15s";
 };
- alertmanagers = [ {
- basic_auth = {
- username = "homelab";
- password_file = config.age.secrets.prometheus-password-secret.path;
- };
- static_configs = [ {
- targets = [
- "localhost:9093"
+ alertmanagers = [
+ {
+ basic_auth = {
+ username = "homelab";
+ password_file = config.age.secrets.prometheus-password-secret.path;
+ };
+ static_configs = [
+ {
+ targets = [
+ "localhost:9093"
+ ];
+ }
 ];
- } ];
- } ];
- rules = [(builtins.toJSON {
- groups = [
- {
- name = "internet_connection";
- rules = [
- {
- alert = "LowInternetDownload";
- expr = ''speedtest_download_bits_per_second{} < 500000000'';
- for = "2h";
- labels.severity = "page";
- annotations = {
- summary = "Internet speed low";
- description = "Home internet speed dropped below 500Mb/s.";
- dashboard = "o9mIe_Aik";
- };
- }
- ];
- }
- {
- name = "healthchecks";
- rules = [
- {
- alert = "HealthcheckFailedCheckin";
- expr = ''hc_check_up < 1'';
- for = "5m";
- labels.severity = "page";
- annotations = {
- summary = "{{ $labels.name }} healthcheck failed";
- description = "The {{ $labels.name }} healthcheck failed to check in.";
- dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
- };
- }
- ];
- }];
- })];
+ }
+ ];
+ rules = [
+ (builtins.toJSON {
+ groups = [
+ {
+ name = "internet_connection";
+ rules = [
+ {
+ alert = "LowInternetDownload";
+ expr = ''speedtest_download_bits_per_second{} < 500000000'';
+ for = "2h";
+ labels.severity = "page";
+ annotations = {
+ summary = "Internet speed low";
+ description = "Home internet speed dropped below 500Mb/s.";
+ dashboard = "o9mIe_Aik";
+ };
+ }
+ ];
+ }
+ {
+ name = "healthchecks";
+ rules = [
+ {
+ alert = "HealthcheckFailedCheckin";
+ expr = ''hc_check_up < 1'';
+ for = "5m";
+ labels.severity = "page";
+ annotations = {
+ summary = "{{ $labels.name }} healthcheck failed";
+ description = "The {{ $labels.name }} healthcheck failed to check in.";
+ dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
+ };
+ }
+ ];
+ }
+ ];
+ })
+ ];
 alertmanager = {
 enable = true;
- extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
+ extraFlags = ["--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}"];
 webExternalUrl = "https://alerts.gmem.ca";
 configText = ''
- global: {}
+ global: {}
- # The directory from which notification templates are read.
- templates:
- - '/etc/alertmanager/template/*.tmpl'
+ # The directory from which notification templates are read.
+ templates:
+ - '/etc/alertmanager/template/*.tmpl'
- # The root route on which each incoming alert enters.
- route:
- group_by: ['alertname', 'cluster', 'service']
- group_wait: 0s
- group_interval: 5m
- repeat_interval: 3h
- # A default receiver
- receiver: ntfy
+ # The root route on which each incoming alert enters.
+ route:
+ group_by: ['alertname', 'cluster', 'service']
+ group_wait: 0s
+ group_interval: 5m
+ repeat_interval: 3h
+ # A default receiver
+ receiver: ntfy
- receivers:
- - name: ntfy
- webhook_configs:
- - url: http://localhost:8111/hook
+ receivers:
+ - name: ntfy
+ webhook_configs:
+ - url: http://localhost:8111/hook
 '';
 };
 port = 9001;
- extraFlags = [ "--web.enable-remote-write-receiver" ];
+ extraFlags = ["--web.enable-remote-write-receiver"];
 scrapeConfigs = [
 {
 job_name = "proxmox";
 metrics_path = "/pve";
- params = { "target" = [ "localhost" ]; };
- static_configs = [ { targets = [ "proxmox:9221" ]; } ];
+ params = {"target" = ["localhost"];};
+ static_configs = [{targets = ["proxmox:9221"];}];
 }
 {
 job_name = "personal_hardware";
- static_configs = [ { targets = [ "london:9100" "vancouver:9100" "localhost:9100" ]; } ];
+ static_configs = [{targets = ["london:9100" "vancouver:9100" "localhost:9100"];}];
 }
 {
- job_name = "speedtest-exporter";
- scrape_interval = "1h";
- scrape_timeout = "1m";
- static_configs = [ { targets = [ "vancouver:9798" ]; } ];
+ job_name = "speedtest-exporter";
+ scrape_interval = "1h";
+ scrape_timeout = "1m";
+ static_configs = [{targets = ["vancouver:9798"];}];
 }
 {
- job_name = "syncthing";
- static_configs = [ { targets = [ "vancouver:8384" "london:8384" ]; } ];
+ job_name = "syncthing";
+ static_configs = [{targets = ["vancouver:8384" "london:8384"];}];
 }
 {
 job_name = "forgejo";
- static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
+ static_configs = [{targets = ["git.gmem.ca"];}];
 }
 {
 job_name = "coredns";
- static_configs = [ { targets = [ "vancouver:9253" ]; } ];
+ static_configs = [{targets = ["vancouver:9253"];}];
 }
 {
 job_name = "healthchecks";
 scrape_interval = "60s";
 metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
- static_configs = [ { targets = [ "localhost:8000" ]; } ];
+ static_configs = [{targets = ["localhost:8000"];}];
 }
 {
 job_name = "vrc_events";
 scrape_interval = "60s";
- static_configs = [ { targets = [ "vancouver:6534" ]; } ];
+ static_configs = [{targets = ["vancouver:6534"];}];
 }
 {
- job_name = "blackbox";
+ job_name = "blackbox";
 metrics_path = "/probe";
- params = { "modules" = [ "http_2xx" ]; };
- static_configs = [ { targets = [ "google.com" "gabrielsimmer.com" "artbybecki.com" ]; } ];
- relabel_configs = [
- { source_labels = ["__address__"]; target_label = "__param_target"; }
- { source_labels = ["__param_target"]; target_label = "instance"; }
- { source_labels = []; target_label = "__address__"; replacement = "vancouver:9115"; } ];
+ params = {"modules" = ["http_2xx"];};
+ static_configs = [{targets = ["google.com" "gabrielsimmer.com" "artbybecki.com"];}];
+ relabel_configs = [
+ {
+ source_labels = ["__address__"];
+ target_label = "__param_target";
+ }
+ {
+ source_labels = ["__param_target"];
+ target_label = "instance";
+ }
+ {
+ source_labels = [];
+ target_label = "__address__";
+ replacement = "vancouver:9115";
+ }
+ ];
 }
 ];
 exporters.node = {
 enable = true;
 listenAddress = "127.0.0.1";
 enabledCollectors = [
- "systemd" "processes"
+ "systemd"
+ "processes"
 ];
 };
 };
@@ -361,7 +390,7 @@
 TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path;
 };
 };
-
+
 # nginx reverse proxy
 services.nginx = {
 enable = true;
diff --git a/nix/monitoring/hardware.nix b/nix/monitoring/hardware.nix
index 8e067c1..b5eaffd 100644
--- a/nix/monitoring/hardware.nix
+++ b/nix/monitoring/hardware.nix
@@ -1,14 +1,18 @@
-{ modulesPath, ... }:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
 device = "nodev";
 };
- fileSystems."/boot" = { device = "/dev/disk/by-uuid/77CF-345D"; fsType = "vfat"; };
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
- boot.initrd.kernelModules = [ "nvme" ];
- fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
-
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/77CF-345D";
+ fsType = "vfat";
+ };
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+ boot.initrd.kernelModules = ["nvme"];
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
 }
diff --git a/nix/monitoring/networking.nix b/nix/monitoring/networking.nix
index 61a8426..8edae2b 100644
--- a/nix/monitoring/networking.nix
+++ b/nix/monitoring/networking.nix
@@ -1,9 +1,10 @@
-{ lib, ... }: {
+{lib, ...}: {
 # This file was populated at runtime with the networking
 # details gathered from the active system.
 networking = {
- nameservers = [ "8.8.8.8"
- ];
+ nameservers = [
+ "8.8.8.8"
+ ];
 defaultGateway = "172.31.1.1";
 defaultGateway6 = {
 address = "fe80::1";
@@ -14,20 +15,38 @@
 interfaces = {
 eth0 = {
 ipv4.addresses = [
- { address="91.107.206.145"; prefixLength=32; }
+ {
+ address = "91.107.206.145";
+ prefixLength = 32;
+ }
 ];
 ipv6.addresses = [
- { address="2a01:4f8:c012:5ec6::1"; prefixLength=64; }
-{ address="fe80::9400:2ff:fe83:3979"; prefixLength=64; }
+ {
+ address = "2a01:4f8:c012:5ec6::1";
+ prefixLength = 64;
+ }
+ {
+ address = "fe80::9400:2ff:fe83:3979";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.routes = [
+ {
+ address = "fe80::1";
+ prefixLength = 128;
+ }
 ];
- ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
- ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
 };
- };
 };
 services.udev.extraRules = ''
 ATTR{address}=="96:00:02:83:39:79", NAME="eth0"
-
 '';
 }
diff --git a/nix/nas/configuration.nix b/nix/nas/configuration.nix
index 07f58c6..25ff584 100644
--- a/nix/nas/configuration.nix
+++ b/nix/nas/configuration.nix
@@ -1,10 +1,12 @@
-{ config, pkgs, ... }:
-
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware.nix
- ];
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
 age.secrets.action-token = {
 file = ../../secrets/vancouver-action-runner.age;
@@ -42,7 +44,7 @@
 efi.canTouchEfiVariables = true;
 };
 supportedFilesystems = ["zfs"];
- kernelModules = [ "coretemp" "kvm-amd" "it87" ];
+ kernelModules = ["coretemp" "kvm-amd" "it87"];
 zfs.extraPools = ["tank"];
 };
@@ -58,23 +60,29 @@
 positions = {
 filename = "/tmp/positions.yaml";
 };
- clients = [{
- url = "http://monitoring:3030/loki/api/v1/push";
- }];
- scrape_configs = [{
- job_name = "journal";
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = "vancouver";
+ clients = [
+ {
+ url = "http://monitoring:3030/loki/api/v1/push";
+ }
+ ];
+ scrape_configs = [
+ {
+ job_name = "journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "vancouver";
+ };
 };
- };
- relabel_configs = [{
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }];
- }];
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
 };
 };
 restic = {
@@ -187,7 +195,9 @@
 enable = true;
 listenAddress = "100.116.48.47";
 enabledCollectors = [
- "systemd" "zfs" "processes"
+ "systemd"
+ "zfs"
+ "processes"
 ];
 };
 };
@@ -201,7 +211,7 @@
 zfs.autoScrub.enable = true;
 tailscale.enable = true;
 openssh.enable = true;
- xserver.videoDrivers = [ "nvidia" ];
+ xserver.videoDrivers = ["nvidia"];
 nfs.server.enable = true;
 samba-wsdd.enable = true;
 samba = {
@@ -209,18 +219,18 @@
 securityType = "user";
 openFirewall = true;
 extraConfig = ''
- workgroup = WORKGROUP
- server string = smbnix
- netbios name = smbnix
- security = user
- #use sendfile = yes
- #max protocol = smb2
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 100. 192.168.50. 127.0.0.1 localhost
- hosts deny = 0.0.0.0/0
- guest account = nobody
- map to guest = bad user
- '';
+ workgroup = WORKGROUP
+ server string = smbnix
+ netbios name = smbnix
+ security = user
+ #use sendfile = yes
+ #max protocol = smb2
+ # note: localhost is the ipv6 localhost ::1
+ hosts allow = 100. 192.168.50. 127.0.0.1 localhost
+ hosts deny = 0.0.0.0/0
+ guest account = nobody
+ map to guest = bad user
+ '';
 shares = {
 streamboxes = {
 path = "/tank/streamboxes";
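Review bot: `map to guest = bad user` together with `guest account = nobody` in the samba `extraConfig` means a client presenting a username that does not exist is silently mapped to a guest session rather than refused, and `hosts allow = 100. 192.168.50. 127.0.0.1 localhost` admits the whole `100.` prefix, which is wider than the Tailscale CGNAT range if that is what it is meant to cover. Unless a share is intentionally guest-readable, `map to guest = never` is the safer default, and `100.64.0.0/10` (samba accepts CIDR notation here) narrows the allow list to the tailnet. The `shares` block that decides what a guest session can read starts in this hunk but continues outside it, so its `guest ok` settings could not be checked here.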
@@ -277,20 +287,19 @@
 recommendedZstdSettings = true;
 recommendedOptimisation = true;
 recommendedTlsSettings = true;
- virtualHosts."git.gmem.ca" = {
+ virtualHosts."git.gmem.ca" = {
 enableACME = true;
 addSSL = true;
 acmeRoot = null;
 locations."/" = {
- extraConfig =
- ''
+ extraConfig = ''
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 client_max_body_size 500M;
- '';
+ '';
 proxyPass = "http://127.0.0.1:8973/";
 };
 };
@@ -400,8 +409,8 @@
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
 enable = true;
- allowedTCPPorts = [ 22 80 443 9798 2049 ];
- allowedUDPPorts = [ 41641 ];
+ allowedTCPPorts = [22 80 443 9798 2049];
+ allowedUDPPorts = [41641];
 };
 nftables.enable = true;
 };
@@ -434,21 +443,22 @@
 zsh.enable = true;
 fish.enable = true;
 };
- environment.shells = with pkgs; [ zsh fish ];
+ environment.shells = with pkgs; [zsh fish];
 users.users = {
 gsimmer = {
 shell = pkgs.fish;
 isNormalUser = true;
 home = "/tank/gsimmer";
- extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
+ extraGroups = ["wheel" "libvirtd" "qemu-libvirtd"];
 openssh.authorizedKeys.keys = let
 authorizedKeys = pkgs.fetchurl {
 url = "https://gmem.ca/ssh";
 hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
 };
- in pkgs.lib.splitString "\n" (builtins.readFile
- authorizedKeys);
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 };
 becki = {
 shell = pkgs.fish;
@@ -456,15 +466,16 @@
 home = "/tank/becki";
 };
 root.openssh.authorizedKeys.keys = let
- authorizedKeys = pkgs.fetchurl {
- url = "https://gmem.ca/ssh";
- hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
- };
- in pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys = pkgs.fetchurl {
+ url = "https://gmem.ca/ssh";
+ hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
+ };
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
 authorizedKeys);
 };
- home-manager.users.gsimmer = { pkgs, ... }: {
+ home-manager.users.gsimmer = {pkgs, ...}: {
 programs.git = {
 userName = "Gabriel Simmer";
 userEmail = "git@gmem.ca";
@@ -487,7 +498,7 @@
 virtualisation.oci-containers.containers = {
 speedtest = {
 image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
- ports = [ "9798:9798" ];
+ ports = ["9798:9798"];
 };
 };
diff --git a/nix/nas/hardware.nix b/nix/nas/hardware.nix
index 1022555..33bb3c0 100644
--- a/nix/nas/hardware.nix
+++ b/nix/nas/hardware.nix
@@ -1,31 +1,35 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/77EB-F216";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/77EB-F216";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4"; }
- ];
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4";}
+ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/nix/nas/home.nix b/nix/nas/home.nix
index 96984ab..ed772b4 100644
--- a/nix/nas/home.nix
+++ b/nix/nas/home.nix
@@ -1,6 +1,9 @@
-{ config, pkgs, callPackage, ... }:
-
 {
+ config,
+ pkgs,
+ callPackage,
+ ...
+}: {
 home.username = "gsimmer";
 home.homeDirectory = "/tank/gsimmer";
@@ -10,31 +13,31 @@
 programs.fish = {
 enable = true;
 interactiveShellInit = ''
- set fish_greeting
-if test "$TERM" = "dumb"
- function fish_prompt
- echo "\$ "
- end
+ set fish_greeting
+ if test "$TERM" = "dumb"
+ function fish_prompt
+ echo "\$ "
+ end
- function fish_right_prompt; end
- function fish_greeting; end
- function fish_title; end
-end
-atuin init fish | source
+ function fish_right_prompt; end
+ function fish_greeting; end
+ function fish_title; end
+ end
+ atuin init fish | source
 '';
 loginShellInit = ''
-if test "$TERM" = "dumb"
- function fish_prompt
- echo "\$ "
- end
+ if test "$TERM" = "dumb"
+ function fish_prompt
+ echo "\$ "
+ end
- function fish_right_prompt; end
- function fish_greeting; end
- function fish_title; end
-end
+ function fish_right_prompt; end
+ function fish_greeting; end
+ function fish_title; end
+ end
 '';
 };
-
+
 programs.direnv = {
 enable = true;
 nix-direnv.enable = true;
@@ -48,8 +51,8 @@ end
 programs.bat = {
 enable = true;
 };
-
- home.packages = with pkgs; [ atuin ];
+
+ home.packages = with pkgs; [atuin];
 # This value determines the Home Manager release that your
 # configuration is compatible with. This helps avoid breakage
diff --git a/nix/oracle-gitea-runner/coder.nix b/nix/oracle-gitea-runner/coder.nix
index 63a1a23..89918b0 100644
--- a/nix/oracle-gitea-runner/coder.nix
+++ b/nix/oracle-gitea-runner/coder.nix
@@ -1,82 +1,85 @@
-{ lib
-, fetchurl
-, installShellFiles
-, makeWrapper
-, terraform
-, stdenvNoCC
-, unzip
-}:
-let
+{
+ lib,
+ fetchurl,
+ installShellFiles,
+ makeWrapper,
+ terraform,
+ stdenvNoCC,
+ unzip,
+}: let
 inherit (stdenvNoCC.hostPlatform) system;
 in
+ stdenvNoCC.mkDerivation rec {
+ pname = "coder";
+ version = "2.3.3";
-stdenvNoCC.mkDerivation rec {
- pname = "coder";
- version = "2.3.3";
+ src = fetchurl {
+ sha256 =
+ {
+ x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ=";
+ x86_64-darwin = lib.fakeHash;
+ aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs=";
+ aarch64-darwin = "";
+ }
+ .${system};
- src = fetchurl {
- sha256 = {
- x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ=";
- x86_64-darwin = lib.fakeHash;
- aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs=";
- aarch64-darwin = "";
- }.${system};
+ url = let
+ systemName =
+ {
+ x86_64-linux = "linux_amd64";
+ aarch64-linux = "linux_arm64";
+ x86_64-darwin = "darwin_amd64";
+ aarch64-darwin = "darwin_arm64";
+ }
+ .${system};
- url =
- let
- systemName = {
- x86_64-linux = "linux_amd64";
- aarch64-linux = "linux_arm64";
- x86_64-darwin = "darwin_amd64";
- aarch64-darwin = "darwin_arm64";
- }.${system};
+ ext =
+ {
+ x86_64-linux = "tar.gz";
+ aarch64-linux = "tar.gz";
+ x86_64-darwin = "zip";
+ aarch64-darwin = "zip";
+ }
+ .${system};
+ in "https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
+ };
- ext = {
- x86_64-linux = "tar.gz";
- aarch64-linux = "tar.gz";
- x86_64-darwin = "zip";
- aarch64-darwin = "zip";
- }.${system};
- in
- "https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
- };
+ nativeBuildInputs = [
+ installShellFiles
+ makeWrapper
+ unzip
+ ];
- nativeBuildInputs = [
- installShellFiles
- makeWrapper
- unzip
- ];
+ unpackPhase = ''
+ printf 'Decompressing %s\n' "$src"
+ case $src in
+ *.tar.gz) tar -xz -f "$src" ;;
+ *.zip) unzip "$src" ;;
+ esac
+ '';
- unpackPhase = ''
- printf 'Decompressing %s\n' "$src"
- case $src in
- *.tar.gz) tar -xz -f "$src" ;;
- *.zip) unzip "$src" ;;
- esac
- '';
+ installPhase = ''
+ mkdir -p $out/bin
+ cp coder $out/bin
+ '';
- installPhase = ''
- mkdir -p $out/bin
- cp coder $out/bin
- '';
+ postInstall = ''
+ installShellCompletion --cmd coder \
+ --bash <($out/bin/coder completion bash) \
+ --fish <($out/bin/coder completion fish) \
+ --zsh <($out/bin/coder completion zsh)
- postInstall = ''
- installShellCompletion --cmd coder \
- --bash <($out/bin/coder completion bash) \
- --fish <($out/bin/coder completion fish) \
- --zsh <($out/bin/coder completion zsh)
+ wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [terraform]}
+ '';
- wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [ terraform ]}
- '';
+ # integration tests require network access
+ doCheck = false;
- # integration tests require network access
- doCheck = false;
-
- meta = {
- description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes";
- homepage = "https://coder.com";
- license = lib.licenses.agpl3;
- maintainers = [ lib.maintainers.ghuntley lib.maintainers.urandom ];
- broken = false;
- };
-}
+ meta = {
+ description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes";
+ homepage = "https://coder.com";
+ license = lib.licenses.agpl3;
+ maintainers = [lib.maintainers.ghuntley lib.maintainers.urandom];
+ broken = false;
+ };
+ }
diff --git a/nix/oracle-gitea-runner/configuration.nix b/nix/oracle-gitea-runner/configuration.nix
index e826056..3dad477 100644
--- a/nix/oracle-gitea-runner/configuration.nix
+++ b/nix/oracle-gitea-runner/configuration.nix
@@ -1,13 +1,15 @@
-{ config, pkgs, ... }:
-
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware.nix
- ];
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
 nixpkgs.config.allowUnfree = true;
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.experimental-features = ["nix-command" "flakes"];
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
 environment.systemPackages = with pkgs; [
@@ -38,37 +40,38 @@
 programs.zsh.enable = true;
 programs.fish.enable = true;
- environment.shells = with pkgs; [ zsh fish ];
+ environment.shells = with pkgs; [zsh fish];
 networking = {
 hostName = "forgejo-action-runner";
 domain = "gmem.ca";
- nameservers = [ "1.1.1.1" "1.0.0.1" ];
+ nameservers = ["1.1.1.1" "1.0.0.1"];
 firewall = {
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
 enable = true;
- allowedTCPPorts = [ 22 80 443 4328 ];
- allowedUDPPorts = [ ];
+ allowedTCPPorts = [22 80 443 4328];
+ allowedUDPPorts = [];
 };
 nftables.enable = true;
 };
-
+
 users.users = {
 root.openssh.authorizedKeys.keys = let
 authorizedKeys = pkgs.fetchurl {
 url = "https://gmem.ca/ssh";
 hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
 };
- in pkgs.lib.splitString "\n" (builtins.readFile
- authorizedKeys);
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 };
 virtualisation = {
 docker = {
 enable = true;
 };
 };
-
+
 services.openssh.enable = true;
 services.tailscale.enable = true;
 system.stateVersion = "23.11";
diff --git a/nix/oracle-gitea-runner/hardware.nix b/nix/oracle-gitea-runner/hardware.nix
index ccd5d2d..edb834b 100644
--- a/nix/oracle-gitea-runner/hardware.nix
+++ b/nix/oracle-gitea-runner/hardware.nix
@@ -1,15 +1,19 @@
-{ modulesPath, ... }:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
 device = "nodev";
 };
- fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
- boot.initrd.kernelModules = [ "nvme" ];
- fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
-
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-uuid/CC2E-AEC0";
+ fsType = "vfat";
+ };
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+ boot.initrd.kernelModules = ["nvme"];
+ fileSystems."/" = {
+ device = "/dev/mapper/ocivolume-root";
+ fsType = "xfs";
+ };
 }
diff --git a/nix/oracle-stream/configuration.nix b/nix/oracle-stream/configuration.nix
index 35240d8..d50821c 100644
--- a/nix/oracle-stream/configuration.nix
+++ b/nix/oracle-stream/configuration.nix
@@ -1,11 +1,13 @@
-{ config, pkgs, ... }:
-
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware.nix
- ];
-
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
+
 boot = {
 tmp.cleanOnBoot = true;
 };
@@ -25,7 +27,7 @@
 extraOptions = ''
 min-free = ${toString (100 * 1024 * 1024)}
 max-free = ${toString (1024 * 1024 * 1024)}
- '';
+ '';
 };
 networking = {
@@ -34,16 +36,22 @@
 firewall = {
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
- allowedTCPPorts = [ 80 443 1935 ];
+ allowedTCPPorts = [80 443 1935];
 allowedUDPPortRanges = [
- { from = 4000; to = 4007; }
- { from = 8000; to = 8010; }
+ {
+ from = 4000;
+ to = 4007;
+ }
+ {
+ from = 8000;
+ to = 8010;
+ }
 ];
- allowedUDPPorts = [ 41641 1935 ];
+ allowedUDPPorts = [41641 1935];
 enable = true;
 };
 nftables.enable = true;
- nameservers = [ "1.1.1.1" "1.0.0.1" ];
+ nameservers = ["1.1.1.1" "1.0.0.1"];
 };
 time.timeZone = "Europe/London";
@@ -53,8 +61,9 @@
 url = "https://gmem.ca/ssh";
 sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
 };
- in pkgs.lib.splitString "\n" (builtins.readFile
- authorizedKeys);
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 environment.systemPackages = with pkgs; [
 vim
@@ -77,7 +86,7 @@
 openFirewall = false;
 };
 nginx = {
- additionalModules = [ pkgs.nginxModules.rtmp ];
+ additionalModules = [pkgs.nginxModules.rtmp];
 enable = true;
 recommendedProxySettings = true;
 recommendedGzipSettings = true;
@@ -92,16 +101,15 @@
 locations."/" = {
 proxyPass = "http://127.0.0.1:8080";
 proxyWebsockets = true;
-
- extraConfig =
- ''
+
+ extraConfig = ''
 client_max_body_size 100M;
 proxy_pass_header Authorization;
- '';
+ '';
 };
 };
 };
-
+
 appendConfig = ''
 rtmp {
 server {
@@ -135,5 +143,4 @@
 };
 system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
-
 }
diff --git a/nix/oracle-stream/hardware.nix b/nix/oracle-stream/hardware.nix
index ccd5d2d..edb834b 100644
--- a/nix/oracle-stream/hardware.nix
+++ b/nix/oracle-stream/hardware.nix
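Review bot: The root authorized-keys fetch in the `@@ -53,8 +61,9 @@` hunk pins `https://gmem.ca/ssh` with `sha256 = "0vm0q5…"`, while the same URL is pinned with `hash = "sha256-7PpF…"` on the other hosts touched by this commit; whether the two encodings denote the same file cannot be told from the hunk, and if they differ this host trusts a different, possibly stale, set of root keys. Normalising to the same `hash = "sha256-…"` value makes any drift visible in review, and wrapping the split as `pkgs.lib.filter (k: k != "") (pkgs.lib.splitString "\n" (builtins.readFile authorizedKeys))` drops the empty element a trailing newline in the fetched file produces. The `users.users.root.openssh` binding this belongs to starts outside the hunk.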
@@ -1,15 +1,19 @@
-{ modulesPath, ... }:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
 device = "nodev";
 };
- fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
- boot.initrd.kernelModules = [ "nvme" ];
- fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
-
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-uuid/CC2E-AEC0";
+ fsType = "vfat";
+ };
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+ boot.initrd.kernelModules = ["nvme"];
+ fileSystems."/" = {
+ device = "/dev/mapper/ocivolume-root";
+ fsType = "xfs";
+ };
 }
diff --git a/nix/proxmox-k3s-node/configuration.nix b/nix/proxmox-k3s-node/configuration.nix
index 3e726f2..0d5be4f 100644
--- a/nix/proxmox-k3s-node/configuration.nix
+++ b/nix/proxmox-k3s-node/configuration.nix
@@ -1,10 +1,12 @@
-{ config, pkgs, ... }:
-
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware.nix
- ];
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
 age.secrets.k3s-token = {
 file = ../../secrets/k3s-token.age;
@@ -12,19 +14,18 @@
 };
 boot = {
- supportedFilesystems = [ "nfs" ];
- kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ];
+ supportedFilesystems = ["nfs"];
+ kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
 loader = {
 systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
 };
 };
-
 swapDevices = [
 {
 device = "/var/lib/swapfile";
- size = 8*1024;
+ size = 8 * 1024;
 }
 ];
@@ -42,7 +43,7 @@
 extraOptions = ''
 min-free = ${toString (100 * 1024 * 1024)}
 max-free = ${toString (1024 * 1024 * 1024)}
- '';
+ '';
 };
 networking = {
@@ -51,8 +52,8 @@
 firewall = {
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
- allowedUDPPorts = [ 41641 ];
- allowedTCPPorts = [ 22 80 443 6443 10250 ];
+ allowedUDPPorts = [41641];
+ allowedTCPPorts = [22 80 443 6443 10250];
 enable = false;
 };
 nftables.enable = false;
@@ -62,7 +63,7 @@
 users.users.gsimmer = {
 isNormalUser = true;
- extraGroups = [ "wheel" ];
+ extraGroups = ["wheel"];
 packages = with pkgs; [
 tree
 ];
@@ -71,8 +72,9 @@
 url = "https://gmem.ca/ssh";
 hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
 };
- in pkgs.lib.splitString "\n" (builtins.readFile
- authorizedKeys);
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 };
 environment.systemPackages = with pkgs; [
@@ -99,5 +101,4 @@
 };
 system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
-
 }
diff --git a/nix/proxmox-k3s-node/hardware.nix b/nix/proxmox-k3s-node/hardware.nix
index 3771cca..c129b0c 100644
--- a/nix/proxmox-k3s-node/hardware.nix
+++ b/nix/proxmox-k3s-node/hardware.nix
@@ -1,31 +1,35 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/92BB-B090";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/92BB-B090";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c"; }
- ];
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c";}
+ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/nix/seattle/configuration.nix b/nix/seattle/configuration.nix
index c4d6a28..fa36cb6 100644
--- a/nix/seattle/configuration.nix
+++ b/nix/seattle/configuration.nix
@@ -1,15 +1,17 @@
-{ config, pkgs, ... }:
-
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware.nix
- ];
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
 boot = {
- supportedFilesystems = [ "nfs" ];
+ supportedFilesystems = ["nfs"];
 kernelPackages = pkgs.linuxPackages_rpi4;
- kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ];
+ kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
 loader = {
 grub.enable = false;
 generic-extlinux-compatible.enable = true;
@@ -19,7 +21,7 @@
 swapDevices = [
 {
 device = "/var/lib/swapfile";
- size = 8*1024;
+ size = 8 * 1024;
 }
 ];
@@ -37,7 +39,7 @@
 extraOptions = ''
 min-free = ${toString (100 * 1024 * 1024)}
 max-free = ${toString (1024 * 1024 * 1024)}
- '';
+ '';
 };
 networking = {
@@ -46,8 +48,8 @@
 firewall = {
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
- allowedTCPPorts = [ 22 80 443 6443 10250 ];
- allowedUDPPorts = [ 41641 80 443 ];
+ allowedTCPPorts = [22 80 443 6443 10250];
+ allowedUDPPorts = [41641 80 443];
 enable = false;
 };
 nftables.enable = false;
@@ -57,7 +59,7 @@
 users.users.gsimmer = {
 isNormalUser = true;
- extraGroups = [ "wheel" ];
+ extraGroups = ["wheel"];
 packages = with pkgs; [
 tree
 ];
@@ -66,8 +68,9 @@
 url = "https://gmem.ca/ssh";
 hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
 };
- in pkgs.lib.splitString "\n" (builtins.readFile
- authorizedKeys);
+ in
+ pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 };
 environment.systemPackages = with pkgs; [
@@ -103,5 +106,4 @@
 };
 system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
-
 }
diff --git a/nix/seattle/hardware.nix b/nix/seattle/hardware.nix
index 7f4962b..65e9e8f 100644
--- a/nix/seattle/hardware.nix
+++ b/nix/seattle/hardware.nix
@@ -1,24 +1,28 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "uas"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; - swapDevices = [ ]; + swapDevices = []; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/pi-imgs/pi-initial.nix b/pi-imgs/pi-initial.nix index 3ed1a37..8723657 100644 --- a/pi-imgs/pi-initial.nix +++ b/pi-imgs/pi-initial.nix @@ -1,11 +1,15 @@ -{ lib, pkgs, ... }: { +{ + lib, + pkgs, + ... +}: { users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com" ]; sdImage.compressImage = false; - systemd.services.openssh.wantedBy = lib.mkOverride 40 [ "multi-user.target" ]; + systemd.services.openssh.wantedBy = lib.mkOverride 40 ["multi-user.target"]; services.openssh.enable = true; - + environment.systemPackages = with pkgs; [ vim wget diff --git a/secrets.nix b/secrets.nix index a0b894a..f65bb32 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,28 +1,27 @@ let vancouver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC30kDkktiWJGaJEIrqgneQx1SmIYUEVPm7w1F9p//CB"; monitoring = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDtzsbxKgZ/NBYlYO2EJQZhBy3nVBVERWebbsP9mLcy"; - machines = [ vancouver monitoring ]; + machines = [vancouver monitoring]; proxmox-k3s-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1KEjdFl0UmuKfESJTMZdKR2H9a405z0SSlt75NKKht"; seattle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9pTEqeVljLq0ctFgDn25Q76mCqpddkSNN9kd3IQXd1"; glasgow = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgZSpfnx/4kfE4P1tFpq047IZkF2Q0UYahputnWxtEJ"; - k3s = [ proxmox-k3s-node seattle glasgow ]; + k3s = [proxmox-k3s-node seattle glasgow]; gsimmer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"; - users = [ gsimmer ]; -in -{ - "secrets/vancouver-action-runner.age".publicKeys = [ vancouver gsimmer ]; - "secrets/vancouver-restic-b2.age".publicKeys = [ vancouver gsimmer ]; - "secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ]; - "secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ]; - "secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ]; - "secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ]; - "secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ]; + users = [gsimmer]; +in { + "secrets/vancouver-action-runner.age".publicKeys = [vancouver gsimmer]; + "secrets/vancouver-restic-b2.age".publicKeys = [vancouver gsimmer]; + "secrets/vancouver-restic-password.age".publicKeys = [vancouver gsimmer]; + "secrets/monitoring-healthchecks-secret.age".publicKeys = [monitoring gsimmer]; + "secrets/monitoring-healthchecks-ro.age".publicKeys = [monitoring gsimmer]; + "secrets/monitoring-prometheus-webconfig.age".publicKeys = [monitoring gsimmer]; + "secrets/monitoring-prometheus-password.age".publicKeys = [monitoring gsimmer]; "secrets/healthchecks-ping.sh.age".publicKeys = 
machines ++ users; "secrets/fastmail-smtp.age".publicKeys = machines ++ users; - "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ]; + "secrets/healthchecks-telegram.age".publicKeys = [monitoring gsimmer]; "secrets/cloudflare-dns.age".publicKeys = machines ++ users; - "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ]; + "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer]; "secrets/k3s-token.age".publicKeys = k3s ++ users; } diff --git a/terraform/main.nix b/terraform/main.nix index f2af026..97a735c 100644 --- a/terraform/main.nix +++ b/terraform/main.nix @@ -1,4 +1,4 @@ -{ ... }: { +{...}: { terraform = { required_providers = { cloudflare.source = "cloudflare/cloudflare"; @@ -6,13 +6,13 @@ }; backend."s3" = { bucket = "gsimmer-terraform-state"; - key = "state/personal.tfstate"; + key = "state/personal.tfstate"; region = "eu-west-2"; dynamodb_table = "gsimmer-terraform-lock"; }; }; - + provider = { "cloudflare" = {}; "aws" = [