format with alejandra style
parent
02a87f0294
commit
9439acf4d1
410
flake.nix
410
flake.nix
|
@ -22,48 +22,70 @@
|
||||||
kubenix.url = "github:hall/kubenix";
|
kubenix.url = "github:hall/kubenix";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy, nixpkgs-wayland, kubenix, kde2nix }@inputs:
|
outputs = {
|
||||||
let
|
self,
|
||||||
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
nixpkgs,
|
||||||
tf = terranix.lib.terranixConfiguration {
|
nixos-generators,
|
||||||
system = "x86_64-linux";
|
nixinate,
|
||||||
modules = [ ./terraform/main.nix ];
|
home-manager,
|
||||||
};
|
agenix,
|
||||||
in {
|
terranix,
|
||||||
devShells.x86_64-linux.default = with pkgs; mkShell {
|
alertmanager-ntfy,
|
||||||
shellHook =
|
nixpkgs-wayland,
|
||||||
''
|
kubenix,
|
||||||
set -o allexport
|
kde2nix,
|
||||||
source .env set
|
} @ inputs: let
|
||||||
set +o allexport
|
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
||||||
'';
|
tf = terranix.lib.terranixConfiguration {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = [./terraform/main.nix];
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
devShells.x86_64-linux.default = with pkgs;
|
||||||
|
mkShell {
|
||||||
|
shellHook = ''
|
||||||
|
set -o allexport
|
||||||
|
source .env set
|
||||||
|
set +o allexport
|
||||||
|
'';
|
||||||
nativeBuildInputs = [
|
nativeBuildInputs = [
|
||||||
jq opentofu kubectl
|
jq
|
||||||
k9s terraform-ls kubernetes-helm
|
opentofu
|
||||||
|
kubectl
|
||||||
|
k9s
|
||||||
|
terraform-ls
|
||||||
|
kubernetes-helm
|
||||||
nil
|
nil
|
||||||
];
|
];
|
||||||
buildInputs = [ ];
|
buildInputs = [];
|
||||||
};
|
};
|
||||||
packages.aarch64-linux = {
|
packages.aarch64-linux = {
|
||||||
raspberry-pi = nixos-generators.nixosGenerate {
|
raspberry-pi = nixos-generators.nixosGenerate {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix")
|
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix")
|
||||||
./pi-imgs/pi-initial.nix
|
./pi-imgs/pi-initial.nix
|
||||||
];
|
];
|
||||||
format = "sd-aarch64-installer";
|
format = "sd-aarch64-installer";
|
||||||
};
|
|
||||||
};
|
};
|
||||||
packages.x86_64-linux = {
|
};
|
||||||
kubernetes = (kubenix.evalModules.x86_64-linux {
|
packages.x86_64-linux = {
|
||||||
module = { kubenix, ... }: {
|
kubernetes =
|
||||||
|
(kubenix.evalModules.x86_64-linux {
|
||||||
|
module = {kubenix, ...}: {
|
||||||
imports = [
|
imports = [
|
||||||
kubenix.modules.k8s ./homelab/kubernetes.nix
|
kubenix.modules.k8s
|
||||||
|
./homelab/kubernetes.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}).config.kubernetes.result;
|
})
|
||||||
};
|
.config
|
||||||
apps = nixinate.nixinate.x86_64-linux self // {
|
.kubernetes
|
||||||
|
.result;
|
||||||
|
};
|
||||||
|
apps =
|
||||||
|
nixinate.nixinate.x86_64-linux self
|
||||||
|
// {
|
||||||
x86_64-linux = {
|
x86_64-linux = {
|
||||||
kube-apply = {
|
kube-apply = {
|
||||||
type = "app";
|
type = "app";
|
||||||
|
@ -80,176 +102,180 @@
|
||||||
tf-plan = {
|
tf-plan = {
|
||||||
type = "app";
|
type = "app";
|
||||||
program = toString (pkgs.writers.writeBash "plan" ''
|
program = toString (pkgs.writers.writeBash "plan" ''
|
||||||
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
|
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
|
||||||
cp ${tf} terraform/config.tf.json \
|
cp ${tf} terraform/config.tf.json \
|
||||||
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
|
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
|
||||||
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out
|
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
tf-apply = {
|
tf-apply = {
|
||||||
type = "app";
|
type = "app";
|
||||||
program = toString (pkgs.writers.writeBash "apply" ''
|
program = toString (pkgs.writers.writeBash "apply" ''
|
||||||
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
|
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
|
||||||
cp ${tf} terraform/config.tf.json \
|
cp ${tf} terraform/config.tf.json \
|
||||||
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
|
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
|
||||||
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out
|
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
|
homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
|
||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
modules = [ ./nix/london/gsimmer.nix ];
|
modules = [./nix/london/gsimmer.nix];
|
||||||
};
|
};
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
london = nixpkgs.lib.nixosSystem {
|
london = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
kde2nix.nixosModules.plasma6
|
kde2nix.nixosModules.plasma6
|
||||||
(import ./nix/london/configuration.nix)
|
(import ./nix/london/configuration.nix)
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
|
{
|
||||||
|
home-manager.useUserPackages = true;
|
||||||
|
home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
|
||||||
|
}
|
||||||
|
(
|
||||||
{
|
{
|
||||||
home-manager.useUserPackages = true;
|
pkgs,
|
||||||
home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
|
config,
|
||||||
}
|
...
|
||||||
({pkgs, config, ... }:
|
}: {
|
||||||
{
|
config = {
|
||||||
config = {
|
nix.settings = {
|
||||||
nix.settings = {
|
# add binary caches
|
||||||
# add binary caches
|
trusted-public-keys = [
|
||||||
trusted-public-keys = [
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
|
||||||
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
];
|
||||||
];
|
substituters = [
|
||||||
substituters = [
|
"https://cache.nixos.org"
|
||||||
"https://cache.nixos.org"
|
"https://nixpkgs-wayland.cachix.org"
|
||||||
"https://nixpkgs-wayland.cachix.org"
|
"https://nix-community.cachix.org"
|
||||||
"https://nix-community.cachix.org"
|
];
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# use it as an overlay
|
|
||||||
nixpkgs.overlays = [ nixpkgs-wayland.overlay ];
|
|
||||||
};
|
};
|
||||||
}
|
|
||||||
)
|
# use it as an overlay
|
||||||
];
|
nixpkgs.overlays = [nixpkgs-wayland.overlay];
|
||||||
};
|
|
||||||
oracle-gitea-runner = nixpkgs.lib.nixosSystem {
|
|
||||||
system = "aarch64-linux";
|
|
||||||
modules = [
|
|
||||||
(import ./nix/oracle-gitea-runner/configuration.nix)
|
|
||||||
{
|
|
||||||
_module.args.nixinate = {
|
|
||||||
host = "143.47.229.209";
|
|
||||||
sshUser = "root";
|
|
||||||
buildOn = "remote";
|
|
||||||
substituteOnTarget = true;
|
|
||||||
hermetic = false;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
)
|
||||||
};
|
];
|
||||||
oracle-stream = nixpkgs.lib.nixosSystem {
|
};
|
||||||
system = "aarch64-linux";
|
oracle-gitea-runner = nixpkgs.lib.nixosSystem {
|
||||||
modules = [
|
system = "aarch64-linux";
|
||||||
(import ./nix/oracle-stream/configuration.nix)
|
modules = [
|
||||||
{
|
(import ./nix/oracle-gitea-runner/configuration.nix)
|
||||||
_module.args.nixinate = {
|
{
|
||||||
host = "100.98.25.34";
|
_module.args.nixinate = {
|
||||||
sshUser = "root";
|
host = "143.47.229.209";
|
||||||
buildOn = "remote";
|
sshUser = "root";
|
||||||
substituteOnTarget = true;
|
buildOn = "remote";
|
||||||
hermetic = false;
|
substituteOnTarget = true;
|
||||||
};
|
hermetic = false;
|
||||||
}
|
};
|
||||||
];
|
}
|
||||||
};
|
];
|
||||||
monitoring = nixpkgs.lib.nixosSystem {
|
};
|
||||||
system = "aarch64-linux";
|
oracle-stream = nixpkgs.lib.nixosSystem {
|
||||||
modules = [
|
system = "aarch64-linux";
|
||||||
(import ./nix/monitoring/configuration.nix)
|
modules = [
|
||||||
agenix.nixosModules.default
|
(import ./nix/oracle-stream/configuration.nix)
|
||||||
alertmanager-ntfy.nixosModules.x86_64-linux.default
|
{
|
||||||
{
|
_module.args.nixinate = {
|
||||||
_module.args.nixinate = {
|
host = "100.98.25.34";
|
||||||
host = "monitoring";
|
sshUser = "root";
|
||||||
sshUser = "root";
|
buildOn = "remote";
|
||||||
buildOn = "remote";
|
substituteOnTarget = true;
|
||||||
substituteOnTarget = true;
|
hermetic = false;
|
||||||
hermetic = false;
|
};
|
||||||
};
|
}
|
||||||
}
|
];
|
||||||
];
|
};
|
||||||
};
|
monitoring = nixpkgs.lib.nixosSystem {
|
||||||
nas = nixpkgs.lib.nixosSystem {
|
system = "aarch64-linux";
|
||||||
system = "x86_64-linux";
|
modules = [
|
||||||
modules = [
|
(import ./nix/monitoring/configuration.nix)
|
||||||
(import ./nix/nas/configuration.nix)
|
agenix.nixosModules.default
|
||||||
agenix.nixosModules.default
|
alertmanager-ntfy.nixosModules.x86_64-linux.default
|
||||||
home-manager.nixosModules.home-manager
|
{
|
||||||
{
|
_module.args.nixinate = {
|
||||||
home-manager.users.gsimmer = import ./nix/nas/home.nix;
|
host = "monitoring";
|
||||||
_module.args.nixinate = {
|
sshUser = "root";
|
||||||
host = "vancouver";
|
buildOn = "remote";
|
||||||
sshUser = "gsimmer";
|
substituteOnTarget = true;
|
||||||
buildOn = "remote";
|
hermetic = false;
|
||||||
substituteOnTarget = true;
|
};
|
||||||
hermetic = false;
|
}
|
||||||
};
|
];
|
||||||
}
|
};
|
||||||
];
|
nas = nixpkgs.lib.nixosSystem {
|
||||||
};
|
system = "x86_64-linux";
|
||||||
seattle = nixpkgs.lib.nixosSystem {
|
modules = [
|
||||||
system = "aarch64-linux";
|
(import ./nix/nas/configuration.nix)
|
||||||
modules = [
|
agenix.nixosModules.default
|
||||||
agenix.nixosModules.default
|
home-manager.nixosModules.home-manager
|
||||||
(import ./nix/seattle/configuration.nix)
|
{
|
||||||
{
|
home-manager.users.gsimmer = import ./nix/nas/home.nix;
|
||||||
_module.args.nixinate = {
|
_module.args.nixinate = {
|
||||||
host = "seattle";
|
host = "vancouver";
|
||||||
sshUser = "gsimmer";
|
sshUser = "gsimmer";
|
||||||
buildOn = "remote";
|
buildOn = "remote";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
hermetic = false;
|
hermetic = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
glasgow = nixpkgs.lib.nixosSystem {
|
seattle = nixpkgs.lib.nixosSystem {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
agenix.nixosModules.default
|
agenix.nixosModules.default
|
||||||
(import ./nix/glasgow/configuration.nix)
|
(import ./nix/seattle/configuration.nix)
|
||||||
{
|
{
|
||||||
_module.args.nixinate = {
|
_module.args.nixinate = {
|
||||||
host = "glasgow";
|
host = "seattle";
|
||||||
sshUser = "gsimmer";
|
sshUser = "gsimmer";
|
||||||
buildOn = "remote";
|
buildOn = "remote";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
hermetic = false;
|
hermetic = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem {
|
glasgow = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "aarch64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
agenix.nixosModules.default
|
agenix.nixosModules.default
|
||||||
(import ./nix/proxmox-k3s-node/configuration.nix)
|
(import ./nix/glasgow/configuration.nix)
|
||||||
{
|
{
|
||||||
_module.args.nixinate = {
|
_module.args.nixinate = {
|
||||||
host = "proxmox-node-1";
|
host = "glasgow";
|
||||||
sshUser = "gsimmer";
|
sshUser = "gsimmer";
|
||||||
buildOn = "remote";
|
buildOn = "remote";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
hermetic = false;
|
hermetic = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = [
|
||||||
|
agenix.nixosModules.default
|
||||||
|
(import ./nix/proxmox-k3s-node/configuration.nix)
|
||||||
|
{
|
||||||
|
_module.args.nixinate = {
|
||||||
|
host = "proxmox-node-1";
|
||||||
|
sshUser = "gsimmer";
|
||||||
|
buildOn = "remote";
|
||||||
|
substituteOnTarget = true;
|
||||||
|
hermetic = false;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
kubernetes.helm.releases.cloudflare-exporter = {
|
kubernetes.helm.releases.cloudflare-exporter = {
|
||||||
namespace = "default";
|
namespace = "default";
|
||||||
chart = kubenix.lib.helm.fetch {
|
chart = kubenix.lib.helm.fetch {
|
||||||
|
|
|
@ -2,96 +2,110 @@ let
|
||||||
appName = "conduwuit";
|
appName = "conduwuit";
|
||||||
conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest";
|
conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest";
|
||||||
in
|
in
|
||||||
{ ... }: {
|
{...}: {
|
||||||
kubernetes.resources.services.conduwuit = {
|
kubernetes.resources.services.conduwuit = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.app = appName;
|
selector.app = appName;
|
||||||
ports.http = {
|
ports.http = {
|
||||||
port = 6167;
|
port = 6167;
|
||||||
targetPort = 6167;
|
targetPort = 6167;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
kubernetes.resources.statefulSets.conduwuit.spec = {
|
||||||
kubernetes.resources.statefulSets.conduwuit.spec = {
|
selector.matchLabels.app = appName;
|
||||||
selector.matchLabels.app = appName;
|
serviceName = appName;
|
||||||
serviceName = appName;
|
template = {
|
||||||
template = {
|
metadata.labels.app = appName;
|
||||||
metadata.labels.app = appName;
|
spec = {
|
||||||
spec = {
|
volumes = {
|
||||||
volumes = {
|
config.configMap.name = appName;
|
||||||
config.configMap.name = appName;
|
};
|
||||||
};
|
containers = {
|
||||||
containers = {
|
conduwuit = {
|
||||||
conduwuit = {
|
image = conduwuit-Image;
|
||||||
image = conduwuit-Image;
|
imagePullPolicy = "Always";
|
||||||
imagePullPolicy = "Always";
|
ports.http.containerPort = 6167;
|
||||||
ports.http.containerPort = 6167;
|
volumeMounts = [
|
||||||
volumeMounts = [
|
{
|
||||||
{ name = "data"; mountPath = "/var/lib/matrix-conduit"; }
|
name = "data";
|
||||||
{ name = "config"; mountPath = "/etc/matrix-conduit/conduit.toml";
|
mountPath = "/var/lib/matrix-conduit";
|
||||||
subPath = "conduit.toml"; }
|
}
|
||||||
];
|
{
|
||||||
env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml";
|
name = "config";
|
||||||
|
mountPath = "/etc/matrix-conduit/conduit.toml";
|
||||||
|
subPath = "conduit.toml";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
volumeClaimTemplates = [
|
||||||
volumeClaimTemplates = [
|
|
||||||
{ metadata.name = "data";
|
|
||||||
spec = {
|
|
||||||
storageClassName = "nfs-client";
|
|
||||||
accessModes = [ "ReadWriteOnce" ];
|
|
||||||
resources.requests.storage = "5Gi";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
kubernetes.resources.ingresses.conduwuit = {
|
|
||||||
metadata = {
|
|
||||||
name = appName;
|
|
||||||
annotations = {
|
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
spec = {
|
|
||||||
tls = [ { hosts = [ "chat.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
|
||||||
rules = [
|
|
||||||
{
|
{
|
||||||
host = "chat.gmem.ca";
|
metadata.name = "data";
|
||||||
http.paths = [
|
spec = {
|
||||||
{ path = "/"; pathType = "Prefix";
|
storageClassName = "nfs-client";
|
||||||
backend.service = {
|
accessModes = ["ReadWriteOnce"];
|
||||||
name = appName;
|
resources.requests.storage = "5Gi";
|
||||||
port.name = "http"; };
|
};
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
kubernetes.resources.ingresses.conduwuit = {
|
||||||
kubernetes.resources.configMaps.conduwuit = {
|
metadata = {
|
||||||
metadata = {
|
name = appName;
|
||||||
name = appName;
|
annotations = {
|
||||||
annotations = {
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
};
|
||||||
|
};
|
||||||
|
spec = {
|
||||||
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["chat.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
host = "chat.gmem.ca";
|
||||||
|
http.paths = [
|
||||||
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = appName;
|
||||||
|
port.name = "http";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
data."conduit.toml" =
|
kubernetes.resources.configMaps.conduwuit = {
|
||||||
''
|
metadata = {
|
||||||
[global]
|
name = appName;
|
||||||
# The Conduit server needs all /_matrix/ requests to be reachable at
|
annotations = {
|
||||||
# https://your.server.name/ on port 443 (client-server) and 8448 (federation).
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
server_name = "gmem.ca"
|
};
|
||||||
|
};
|
||||||
|
data."conduit.toml" = ''
|
||||||
|
[global]
|
||||||
|
# The Conduit server needs all /_matrix/ requests to be reachable at
|
||||||
|
# https://your.server.name/ on port 443 (client-server) and 8448 (federation).
|
||||||
|
server_name = "gmem.ca"
|
||||||
|
|
||||||
# This is the only directory where Conduit will save its data
|
# This is the only directory where Conduit will save its data
|
||||||
database_path = "/var/lib/matrix-conduit/"
|
database_path = "/var/lib/matrix-conduit/"
|
||||||
database_backend = "rocksdb"
|
database_backend = "rocksdb"
|
||||||
port = 6167
|
port = 6167
|
||||||
max_request_size = 20_000_000 # in bytes
|
max_request_size = 20_000_000 # in bytes
|
||||||
allow_federation = true
|
allow_federation = true
|
||||||
allow_check_for_updates = false
|
allow_check_for_updates = false
|
||||||
trusted_servers = ["matrix.org"]
|
trusted_servers = ["matrix.org"]
|
||||||
address = "0.0.0.0"
|
address = "0.0.0.0"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ lib, ... }: {
|
{lib, ...}: {
|
||||||
kubernetes.resourceOrder =
|
kubernetes.resourceOrder = [
|
||||||
[ "CustomResourceDefinition"
|
"CustomResourceDefinition"
|
||||||
"Namespace"
|
"Namespace"
|
||||||
"ConfigMap"
|
"ConfigMap"
|
||||||
];
|
];
|
||||||
kubernetes.customTypes = [
|
kubernetes.customTypes = [
|
||||||
{
|
{
|
||||||
name = "servicemonitors";
|
name = "servicemonitors";
|
||||||
|
|
|
@ -10,52 +10,81 @@ let
|
||||||
location = "192.168.50.237";
|
location = "192.168.50.237";
|
||||||
host = "austin.gmem.ca";
|
host = "austin.gmem.ca";
|
||||||
port = 8080;
|
port = 8080;
|
||||||
protocol = "HTTP";
|
protocol = "HTTP";
|
||||||
};
|
};
|
||||||
"tokyo" = {
|
"tokyo" = {
|
||||||
location = "192.168.50.124";
|
location = "192.168.50.124";
|
||||||
host = "tokyo.gmem.ca";
|
host = "tokyo.gmem.ca";
|
||||||
port = 8000;
|
port = 8000;
|
||||||
protocol = "HTTP";
|
protocol = "HTTP";
|
||||||
};
|
};
|
||||||
"ibiza" = {
|
"ibiza" = {
|
||||||
location = "192.168.50.182";
|
location = "192.168.50.182";
|
||||||
host = "ibiza.gmem.ca";
|
host = "ibiza.gmem.ca";
|
||||||
port = 8000;
|
port = 8000;
|
||||||
protocol = "HTTP";
|
protocol = "HTTP";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
kubernetes.resources.services = builtins.mapAttrs (name: endpoint: {
|
kubernetes.resources.services =
|
||||||
spec = {
|
builtins.mapAttrs (name: endpoint: {
|
||||||
ports.${name} = {
|
spec = {
|
||||||
port = endpoint.port;
|
ports.${name} = {
|
||||||
targetPort = endpoint.port;
|
port = endpoint.port;
|
||||||
|
targetPort = endpoint.port;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
})
|
||||||
}) endpoints;
|
endpoints;
|
||||||
kubernetes.resources.endpoints = builtins.mapAttrs (name: endpoint: {
|
kubernetes.resources.endpoints =
|
||||||
subsets = [ {
|
builtins.mapAttrs (name: endpoint: {
|
||||||
addresses = [ { ip = endpoint.location; } ];
|
subsets = [
|
||||||
ports = [ { name = name; port = endpoint.port; protocol = "TCP"; } ];
|
{
|
||||||
} ];
|
addresses = [{ip = endpoint.location;}];
|
||||||
}) endpoints;
|
ports = [
|
||||||
kubernetes.resources.ingresses = builtins.mapAttrs (name: endpoint: {
|
{
|
||||||
metadata = { name = name; annotations = {
|
name = name;
|
||||||
"nginx.ingress.kubernetes.io/proxy-body-size" = "10g";
|
port = endpoint.port;
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
protocol = "TCP";
|
||||||
"nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol;
|
}
|
||||||
}; };
|
];
|
||||||
spec = {
|
|
||||||
tls = [ { hosts = [ endpoint.host ]; secretName = "gmem-ca-wildcard"; } ];
|
|
||||||
rules = [ { host = endpoint.host; http.paths = [
|
|
||||||
{ path = "/"; pathType = "Prefix";
|
|
||||||
backend.service = {
|
|
||||||
name = name;
|
|
||||||
port.number = endpoint.port;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];}];
|
];
|
||||||
};
|
})
|
||||||
}) endpoints;
|
endpoints;
|
||||||
|
kubernetes.resources.ingresses =
|
||||||
|
builtins.mapAttrs (name: endpoint: {
|
||||||
|
metadata = {
|
||||||
|
name = name;
|
||||||
|
annotations = {
|
||||||
|
"nginx.ingress.kubernetes.io/proxy-body-size" = "10g";
|
||||||
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
|
"nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
spec = {
|
||||||
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = [endpoint.host];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
host = endpoint.host;
|
||||||
|
http.paths = [
|
||||||
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = name;
|
||||||
|
port.number = endpoint.port;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
})
|
||||||
|
endpoints;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,279 +1,306 @@
|
||||||
{ lib, config, kubenix, ... }:
|
|
||||||
let homepage-config = {
|
|
||||||
bookmarks = [];
|
|
||||||
services = [
|
|
||||||
{
|
|
||||||
Media = [
|
|
||||||
{ Plex = {
|
|
||||||
icon = "plex.png";
|
|
||||||
href = "https://app.plex.tv";
|
|
||||||
description = "Plex";
|
|
||||||
widget = {
|
|
||||||
type = "plex";
|
|
||||||
url = "http://vancouver:32400";
|
|
||||||
key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Overseerr = {
|
|
||||||
icon = "overseerr.png";
|
|
||||||
href = "https://request-media.gmem.ca";
|
|
||||||
description = "Request movies and TV shows";
|
|
||||||
widget = {
|
|
||||||
type = "overseerr";
|
|
||||||
url = "https://request-media.gmem.ca";
|
|
||||||
key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Transmission = {
|
|
||||||
icon = "transmission.png";
|
|
||||||
description = "Download progress for torrents";
|
|
||||||
widget = {
|
|
||||||
type = "transmission";
|
|
||||||
url = "http://192.168.50.187:9091";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
"Personal Infrastructure" = [
|
|
||||||
{ authentik = {
|
|
||||||
icon = "authentik.png";
|
|
||||||
href = "https://authentik.gmem.ca";
|
|
||||||
description = "OIDC SSO";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Tailscale = {
|
|
||||||
icon = "tailscale.png";
|
|
||||||
href = "https://login.tailscale.com";
|
|
||||||
description = "VPN provider";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Git = {
|
|
||||||
icon = "forgejo.png";
|
|
||||||
href = "https://git.gmem.ca";
|
|
||||||
description = "Git forge";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Grafana = {
|
|
||||||
icon = "grafana.png";
|
|
||||||
href = "https://grafana.gmem.ca";
|
|
||||||
description = "Monitoring & metrics";
|
|
||||||
widget = {
|
|
||||||
type = "grafana";
|
|
||||||
url = "https://grafana.gmem.ca";
|
|
||||||
username = "api@localhost";
|
|
||||||
password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ NextDNS = {
|
|
||||||
icon = "nextdns.png";
|
|
||||||
href = "https://my.nextdns.io/bcee89/setup";
|
|
||||||
description = "DNS provider";
|
|
||||||
widget = {
|
|
||||||
type = "nextdns";
|
|
||||||
profile = "bcee89";
|
|
||||||
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "Proxmox" = {
|
|
||||||
icon = "proxmox.png";
|
|
||||||
href = "https://proxmox.gmem.ca";
|
|
||||||
description = "Homelab proxmox";
|
|
||||||
widget = {
|
|
||||||
type = "proxmox";
|
|
||||||
url = "https://proxmox.gmem.ca";
|
|
||||||
username = "api@pam!homepage";
|
|
||||||
password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "Immich" = {
|
|
||||||
icon = "immich.png";
|
|
||||||
href = "https://photos.gmem.ca";
|
|
||||||
description = "Image hosting";
|
|
||||||
widget = {
|
|
||||||
type = "immich";
|
|
||||||
url = "https://photos.gmem.ca";
|
|
||||||
key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "NextDNS Tailscale" = {
|
|
||||||
icon = "nextdns.png";
|
|
||||||
href = "https://my.nextdns.io/74c6db/setup";
|
|
||||||
description = "Tailnet DNS provider";
|
|
||||||
widget = {
|
|
||||||
type = "nextdns";
|
|
||||||
profile = "74c6db";
|
|
||||||
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
Reading = [
|
|
||||||
{ FreshRSS = {
|
|
||||||
icon = "freshrss.png";
|
|
||||||
href = "https://freshrss.gmem.ca";
|
|
||||||
description = "FreshRSS RSS Reader";
|
|
||||||
widget = {
|
|
||||||
type = "freshrss";
|
|
||||||
url = "https://freshrss.gmem.ca";
|
|
||||||
username = "arch";
|
|
||||||
password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "Lobste.rs" = {
|
|
||||||
href = "https://lobste.rs";
|
|
||||||
description = "News aggregator";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "Hacker News" = {
|
|
||||||
href = "https://news.ycombinator.com";
|
|
||||||
description = "VC news aggregator";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
"Floofy.tech Infrastructure" = [
|
|
||||||
{ Mastodon = {
|
|
||||||
icon = "mastodon.png";
|
|
||||||
href = "https://floofy.tech";
|
|
||||||
description = "Primary Mastodon instance";
|
|
||||||
widget = {
|
|
||||||
type = "mastodon";
|
|
||||||
url = "https://floofy.tech";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Grafana = {
|
|
||||||
icon = "grafana.png";
|
|
||||||
href = "https://grafana.services.floofy.tech";
|
|
||||||
description = "Metrics and Monitoring";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ vSphere = {
|
|
||||||
icon = "vmware-esxi.png";
|
|
||||||
href = "https://vcenter.services.floofy.tech";
|
|
||||||
description = "Hypervisor Manager";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "vrclub.social" = {
|
|
||||||
icon = "calckey.png";
|
|
||||||
href = "https://vrclub.social";
|
|
||||||
description = "Firefish instance for VR clubs";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
"Tools" = [
|
|
||||||
{ "IT Tools" = {
|
|
||||||
icon = "it-tools.png";
|
|
||||||
href = "https://tools.gmem.ca";
|
|
||||||
description = "Various useful tools";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ Cyberchef = {
|
|
||||||
icon = "cyberchef.png";
|
|
||||||
href = "https://gchq.github.io/CyberChef/";
|
|
||||||
description = "More useful tools, mostly text manipulation";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
"Backup Status" = [
|
|
||||||
{ "gsimmer backups" = {
|
|
||||||
icon = "healthchecks.png";
|
|
||||||
href = "https://healthchecks.gmem.ca";
|
|
||||||
description = "Uptime monitor for recurring tasks";
|
|
||||||
widget = {
|
|
||||||
type = "healthchecks";
|
|
||||||
url = "https://healthchecks.gmem.ca";
|
|
||||||
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
|
||||||
uuid = "617d460f-69f6-444f-852a-421861543327";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "becki backups" = {
|
|
||||||
icon = "healthchecks.png";
|
|
||||||
href = "https://healthchecks.gmem.ca";
|
|
||||||
description = "Uptime monitor for recurring tasks";
|
|
||||||
widget = {
|
|
||||||
type = "healthchecks";
|
|
||||||
url = "https://healthchecks.gmem.ca";
|
|
||||||
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
|
||||||
uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{ "apps backups" = {
|
|
||||||
icon = "healthchecks.png";
|
|
||||||
href = "https://healthchecks.gmem.ca";
|
|
||||||
description = "Uptime monitor for recurring tasks";
|
|
||||||
widget = {
|
|
||||||
type = "healthchecks";
|
|
||||||
url = "https://healthchecks.gmem.ca";
|
|
||||||
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
|
||||||
uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
settings = {
|
|
||||||
title = "Arch's Homepage";
|
|
||||||
providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
|
|
||||||
background = {
|
|
||||||
image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
|
|
||||||
blur = "sm";
|
|
||||||
opacity = 50;
|
|
||||||
};
|
|
||||||
base = "https://home.gmem.ca";
|
|
||||||
layout.Media.style = "row";
|
|
||||||
layout.Media.columns = "3";
|
|
||||||
layout."Personal Infrastructure".style = "row";
|
|
||||||
layout."Personal Infrastructure".columns = "3";
|
|
||||||
layout."Backup Status".style = "row";
|
|
||||||
layout."Backup Status".columns = "3";
|
|
||||||
};
|
|
||||||
kubernetes.mode = "cluster";
|
|
||||||
widgets = [
|
|
||||||
{
|
|
||||||
logo.icon = "https://gmem.ca/avatar.png";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
kubernetes = {
|
|
||||||
cluster.show = true;
|
|
||||||
nodes.show = true;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{
|
|
||||||
search = {
|
|
||||||
provider = "duckduckgo";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{
|
|
||||||
openweathermap = {
|
|
||||||
provider = "openweathermap";
|
|
||||||
cache = 5;
|
|
||||||
units = "metric";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
homepage-config = {
|
||||||
|
bookmarks = [];
|
||||||
|
services = [
|
||||||
|
{
|
||||||
|
Media = [
|
||||||
|
{
|
||||||
|
Plex = {
|
||||||
|
icon = "plex.png";
|
||||||
|
href = "https://app.plex.tv";
|
||||||
|
description = "Plex";
|
||||||
|
widget = {
|
||||||
|
type = "plex";
|
||||||
|
url = "http://vancouver:32400";
|
||||||
|
key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Overseerr = {
|
||||||
|
icon = "overseerr.png";
|
||||||
|
href = "https://request-media.gmem.ca";
|
||||||
|
description = "Request movies and TV shows";
|
||||||
|
widget = {
|
||||||
|
type = "overseerr";
|
||||||
|
url = "https://request-media.gmem.ca";
|
||||||
|
key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Transmission = {
|
||||||
|
icon = "transmission.png";
|
||||||
|
description = "Download progress for torrents";
|
||||||
|
widget = {
|
||||||
|
type = "transmission";
|
||||||
|
url = "http://192.168.50.187:9091";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Personal Infrastructure" = [
|
||||||
|
{
|
||||||
|
authentik = {
|
||||||
|
icon = "authentik.png";
|
||||||
|
href = "https://authentik.gmem.ca";
|
||||||
|
description = "OIDC SSO";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Tailscale = {
|
||||||
|
icon = "tailscale.png";
|
||||||
|
href = "https://login.tailscale.com";
|
||||||
|
description = "VPN provider";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Git = {
|
||||||
|
icon = "forgejo.png";
|
||||||
|
href = "https://git.gmem.ca";
|
||||||
|
description = "Git forge";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Grafana = {
|
||||||
|
icon = "grafana.png";
|
||||||
|
href = "https://grafana.gmem.ca";
|
||||||
|
description = "Monitoring & metrics";
|
||||||
|
widget = {
|
||||||
|
type = "grafana";
|
||||||
|
url = "https://grafana.gmem.ca";
|
||||||
|
username = "api@localhost";
|
||||||
|
password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
NextDNS = {
|
||||||
|
icon = "nextdns.png";
|
||||||
|
href = "https://my.nextdns.io/bcee89/setup";
|
||||||
|
description = "DNS provider";
|
||||||
|
widget = {
|
||||||
|
type = "nextdns";
|
||||||
|
profile = "bcee89";
|
||||||
|
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Proxmox" = {
|
||||||
|
icon = "proxmox.png";
|
||||||
|
href = "https://proxmox.gmem.ca";
|
||||||
|
description = "Homelab proxmox";
|
||||||
|
widget = {
|
||||||
|
type = "proxmox";
|
||||||
|
url = "https://proxmox.gmem.ca";
|
||||||
|
username = "api@pam!homepage";
|
||||||
|
password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Immich" = {
|
||||||
|
icon = "immich.png";
|
||||||
|
href = "https://photos.gmem.ca";
|
||||||
|
description = "Image hosting";
|
||||||
|
widget = {
|
||||||
|
type = "immich";
|
||||||
|
url = "https://photos.gmem.ca";
|
||||||
|
key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"NextDNS Tailscale" = {
|
||||||
|
icon = "nextdns.png";
|
||||||
|
href = "https://my.nextdns.io/74c6db/setup";
|
||||||
|
description = "Tailnet DNS provider";
|
||||||
|
widget = {
|
||||||
|
type = "nextdns";
|
||||||
|
profile = "74c6db";
|
||||||
|
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Reading = [
|
||||||
|
{
|
||||||
|
FreshRSS = {
|
||||||
|
icon = "freshrss.png";
|
||||||
|
href = "https://freshrss.gmem.ca";
|
||||||
|
description = "FreshRSS RSS Reader";
|
||||||
|
widget = {
|
||||||
|
type = "freshrss";
|
||||||
|
url = "https://freshrss.gmem.ca";
|
||||||
|
username = "arch";
|
||||||
|
password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Lobste.rs" = {
|
||||||
|
href = "https://lobste.rs";
|
||||||
|
description = "News aggregator";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Hacker News" = {
|
||||||
|
href = "https://news.ycombinator.com";
|
||||||
|
description = "VC news aggregator";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Floofy.tech Infrastructure" = [
|
||||||
|
{
|
||||||
|
Mastodon = {
|
||||||
|
icon = "mastodon.png";
|
||||||
|
href = "https://floofy.tech";
|
||||||
|
description = "Primary Mastodon instance";
|
||||||
|
widget = {
|
||||||
|
type = "mastodon";
|
||||||
|
url = "https://floofy.tech";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Grafana = {
|
||||||
|
icon = "grafana.png";
|
||||||
|
href = "https://grafana.services.floofy.tech";
|
||||||
|
description = "Metrics and Monitoring";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
vSphere = {
|
||||||
|
icon = "vmware-esxi.png";
|
||||||
|
href = "https://vcenter.services.floofy.tech";
|
||||||
|
description = "Hypervisor Manager";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"vrclub.social" = {
|
||||||
|
icon = "calckey.png";
|
||||||
|
href = "https://vrclub.social";
|
||||||
|
description = "Firefish instance for VR clubs";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Tools" = [
|
||||||
|
{
|
||||||
|
"IT Tools" = {
|
||||||
|
icon = "it-tools.png";
|
||||||
|
href = "https://tools.gmem.ca";
|
||||||
|
description = "Various useful tools";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Cyberchef = {
|
||||||
|
icon = "cyberchef.png";
|
||||||
|
href = "https://gchq.github.io/CyberChef/";
|
||||||
|
description = "More useful tools, mostly text manipulation";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"Backup Status" = [
|
||||||
|
{
|
||||||
|
"gsimmer backups" = {
|
||||||
|
icon = "healthchecks.png";
|
||||||
|
href = "https://healthchecks.gmem.ca";
|
||||||
|
description = "Uptime monitor for recurring tasks";
|
||||||
|
widget = {
|
||||||
|
type = "healthchecks";
|
||||||
|
url = "https://healthchecks.gmem.ca";
|
||||||
|
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
||||||
|
uuid = "617d460f-69f6-444f-852a-421861543327";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"becki backups" = {
|
||||||
|
icon = "healthchecks.png";
|
||||||
|
href = "https://healthchecks.gmem.ca";
|
||||||
|
description = "Uptime monitor for recurring tasks";
|
||||||
|
widget = {
|
||||||
|
type = "healthchecks";
|
||||||
|
url = "https://healthchecks.gmem.ca";
|
||||||
|
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
||||||
|
uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"apps backups" = {
|
||||||
|
icon = "healthchecks.png";
|
||||||
|
href = "https://healthchecks.gmem.ca";
|
||||||
|
description = "Uptime monitor for recurring tasks";
|
||||||
|
widget = {
|
||||||
|
type = "healthchecks";
|
||||||
|
url = "https://healthchecks.gmem.ca";
|
||||||
|
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
|
||||||
|
uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
settings = {
|
||||||
|
title = "Arch's Homepage";
|
||||||
|
providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
|
||||||
|
background = {
|
||||||
|
image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
|
||||||
|
blur = "sm";
|
||||||
|
opacity = 50;
|
||||||
|
};
|
||||||
|
base = "https://home.gmem.ca";
|
||||||
|
layout.Media.style = "row";
|
||||||
|
layout.Media.columns = "3";
|
||||||
|
layout."Personal Infrastructure".style = "row";
|
||||||
|
layout."Personal Infrastructure".columns = "3";
|
||||||
|
layout."Backup Status".style = "row";
|
||||||
|
layout."Backup Status".columns = "3";
|
||||||
|
};
|
||||||
|
kubernetes.mode = "cluster";
|
||||||
|
widgets = [
|
||||||
|
{
|
||||||
|
logo.icon = "https://gmem.ca/avatar.png";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
kubernetes = {
|
||||||
|
cluster.show = true;
|
||||||
|
nodes.show = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
search = {
|
||||||
|
provider = "duckduckgo";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
openweathermap = {
|
||||||
|
provider = "openweathermap";
|
||||||
|
cache = 5;
|
||||||
|
units = "metric";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in {
|
||||||
kubernetes.helm.releases.homepage = {
|
kubernetes.helm.releases.homepage = {
|
||||||
chart = kubenix.lib.helm.fetch {
|
chart = kubenix.lib.helm.fetch {
|
||||||
repo = "https://jameswynn.github.io/helm-charts";
|
repo = "https://jameswynn.github.io/helm-charts";
|
||||||
|
@ -307,7 +334,7 @@ in
|
||||||
];
|
];
|
||||||
tls = [
|
tls = [
|
||||||
{
|
{
|
||||||
hosts = [ "home.gmem.ca" ];
|
hosts = ["home.gmem.ca"];
|
||||||
secretName = "gmem-ca-wildcard";
|
secretName = "gmem-ca-wildcard";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -317,10 +344,10 @@ in
|
||||||
|
|
||||||
kubernetes.resources.deployments.homepage = {
|
kubernetes.resources.deployments.homepage = {
|
||||||
metadata.namespace = "default";
|
metadata.namespace = "default";
|
||||||
|
|
||||||
spec.template = {
|
spec.template = {
|
||||||
metadata.annotations."gmem.ca/homepage-config-hash" = (builtins.hashString "md5" (builtins.toJSON homepage-config));
|
metadata.annotations."gmem.ca/homepage-config-hash" = builtins.hashString "md5" (builtins.toJSON homepage-config);
|
||||||
spec.containers.homepage.envFrom = [ { secretRef.name = "homepage-config"; } ];
|
spec.containers.homepage.envFrom = [{secretRef.name = "homepage-config";}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
kubernetes.helm.releases.immich = {
|
kubernetes.helm.releases.immich = {
|
||||||
chart = kubenix.lib.helm.fetch {
|
chart = kubenix.lib.helm.fetch {
|
||||||
repo = "https://immich-app.github.io/immich-charts";
|
repo = "https://immich-app.github.io/immich-charts";
|
||||||
|
@ -24,11 +29,16 @@
|
||||||
annotations = {
|
annotations = {
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
};
|
};
|
||||||
tls = [ { hosts = [ "photos.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["photos.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
hosts = [
|
hosts = [
|
||||||
{
|
{
|
||||||
host = "photos.gmem.ca";
|
host = "photos.gmem.ca";
|
||||||
paths = [ { path = "/"; } ];
|
paths = [{path = "/";}];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
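Review bot: The ingress pairs `"cert-manager.io/issuer" = "le-issuer"` with `secretName = "gmem-ca-wildcard"`, and the same annotation/secret pair appears on the irc, netboot, overseerr, piped and pterodactyl ingresses in this commit. With the issuer annotation present, cert-manager's ingress-shim creates a Certificate named after that secret with only this Ingress's hosts as dnsNames, so several Ingresses in one namespace sharing a secretName will conflict over that single Certificate (one wins or they thrash), and hosts outside the winning Certificate get served a mismatched cert. If `gmem-ca-wildcard` is a wildcard certificate managed elsewhere, as the name suggests, drop the annotation here and rely on the existing secret; if it is not, give each ingress its own secret, e.g. `secretName = "immich-tls";`. The helm values block this sits in starts before the hunk.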
|
||||||
@ -2,8 +2,7 @@ let
|
||||||
appName = "soju";
|
appName = "soju";
|
||||||
sojuImage = "git.gmem.ca/arch/soju:latest";
|
sojuImage = "git.gmem.ca/arch/soju:latest";
|
||||||
gamjaImage = "git.gmem.ca/arch/gamja:latest";
|
gamjaImage = "git.gmem.ca/arch/gamja:latest";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
kubernetes.resources.services.soju = {
|
kubernetes.resources.services.soju = {
|
||||||
spec = {
|
spec = {
|
||||||
type = "NodePort";
|
type = "NodePort";
|
||||||
|
@ -45,8 +44,17 @@ in
|
||||||
soju = {
|
soju = {
|
||||||
image = sojuImage;
|
image = sojuImage;
|
||||||
imagePullPolicy = "Always";
|
imagePullPolicy = "Always";
|
||||||
volumeMounts = [ { name = "config"; mountPath = "/etc/soju/config"; subPath = "config"; }
|
volumeMounts = [
|
||||||
{ name = "ssl"; mountPath = "/ssl"; } ];
|
{
|
||||||
|
name = "config";
|
||||||
|
mountPath = "/etc/soju/config";
|
||||||
|
subPath = "config";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "ssl";
|
||||||
|
mountPath = "/ssl";
|
||||||
|
}
|
||||||
|
];
|
||||||
ports.tls.containerPort = 6697;
|
ports.tls.containerPort = 6697;
|
||||||
ports.ws.containerPort = 80;
|
ports.ws.containerPort = 80;
|
||||||
|
|
||||||
|
@ -92,32 +100,46 @@ in
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
};
|
};
|
||||||
spec = {
|
spec = {
|
||||||
tls = [ { hosts = [ "irc.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
rules = [ { host = "irc.gmem.ca"; http.paths = [
|
{
|
||||||
{ path = "/"; pathType = "Prefix";
|
hosts = ["irc.gmem.ca"];
|
||||||
backend.service = {
|
secretName = "gmem-ca-wildcard";
|
||||||
name = "gamja";
|
|
||||||
port.number = 80;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{ path = "/socket"; pathType = "Prefix";
|
];
|
||||||
backend.service = {
|
rules = [
|
||||||
name = "soju-ws";
|
{
|
||||||
port.number = 80;
|
host = "irc.gmem.ca";
|
||||||
};
|
http.paths = [
|
||||||
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = "gamja";
|
||||||
|
port.number = 80;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
path = "/socket";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = "soju-ws";
|
||||||
|
port.number = 80;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
}
|
}
|
||||||
];}];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
kubernetes.resources.configMaps.soju.data.config = ''
|
kubernetes.resources.configMaps.soju.data.config = ''
|
||||||
listen ircs://
|
listen ircs://
|
||||||
listen unix+admin:///app/admin
|
listen unix+admin:///app/admin
|
||||||
listen ws+insecure://
|
listen ws+insecure://
|
||||||
hostname irc.gmem.ca
|
hostname irc.gmem.ca
|
||||||
title irc.gmem.ca
|
title irc.gmem.ca
|
||||||
db postgres "dbname=soju"
|
db postgres "dbname=soju"
|
||||||
message-store db
|
message-store db
|
||||||
tls /ssl/tls.crt /ssl/tls.key
|
tls /ssl/tls.crt /ssl/tls.key
|
||||||
'';
|
'';
|
||||||
}
|
}
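Review bot: Both images are pulled from mutable tags (`git.gmem.ca/arch/soju:latest`, `git.gmem.ca/arch/gamja:latest`) with `imagePullPolicy = "Always"`, so every pod restart silently runs whatever the registry currently serves under those tags and nothing in the repo records what was actually deployed. Pinning by digest, e.g. `sojuImage = "git.gmem.ca/arch/soju@sha256:<digest>";`, keeps the deployment reproducible and turns a registry compromise or accidental push into a visible config change. Separately, `listen ws+insecure://` is a plaintext WebSocket listener that is only acceptable because the `/socket` ingress path terminates TLS in front of it; a comment on that line such as `# TLS for ws is terminated by the irc.gmem.ca ingress; never expose port 80 directly` would record that dependency. The `ssl` volume that backs `/ssl/tls.crt` is defined outside the hunk.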
|
||||||
@ -1,18 +1,25 @@
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
imports = [ kubenix.modules.k8s kubenix.modules.helm
|
lib,
|
||||||
(import ./custom.nix)
|
config,
|
||||||
(import ./nginx.nix)
|
kubenix,
|
||||||
(import ./tclip.nix)
|
...
|
||||||
(import ./vrchat-prometheus-exporter.nix)
|
}: {
|
||||||
(import ./overseerr.nix)
|
imports = [
|
||||||
(import ./immich.nix)
|
kubenix.modules.k8s
|
||||||
(import ./endpoints.nix)
|
kubenix.modules.helm
|
||||||
(import ./homepage.nix)
|
(import ./custom.nix)
|
||||||
(import ./pterodactyl.nix)
|
(import ./nginx.nix)
|
||||||
(import ./cloudflare-exporter.nix)
|
(import ./tclip.nix)
|
||||||
(import ./piped.nix)
|
(import ./vrchat-prometheus-exporter.nix)
|
||||||
(import ./conduit.nix)
|
(import ./overseerr.nix)
|
||||||
(import ./irc.nix)
|
(import ./immich.nix)
|
||||||
(import ./netboot.nix)
|
(import ./endpoints.nix)
|
||||||
];
|
(import ./homepage.nix)
|
||||||
|
(import ./pterodactyl.nix)
|
||||||
|
(import ./cloudflare-exporter.nix)
|
||||||
|
(import ./piped.nix)
|
||||||
|
(import ./conduit.nix)
|
||||||
|
(import ./irc.nix)
|
||||||
|
(import ./netboot.nix)
|
||||||
|
];
|
||||||
}
|
}
|
||||||
@ -1,8 +1,7 @@
|
||||||
let
|
let
|
||||||
appName = "netbootxyz";
|
appName = "netbootxyz";
|
||||||
netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz";
|
netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
kubernetes.resources.services.netbootxyz = {
|
kubernetes.resources.services.netbootxyz = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.app = appName;
|
selector.app = appName;
|
||||||
|
@ -35,16 +34,28 @@ in
|
||||||
metadata.labels.app = appName;
|
metadata.labels.app = appName;
|
||||||
spec = {
|
spec = {
|
||||||
volumes = [
|
volumes = [
|
||||||
{ name = "config"; persistentVolumeClaim.claimName = "netbootxyz-config"; }
|
{
|
||||||
{ name = "assets"; persistentVolumeClaim.claimName = "netbootxyz-assets"; }
|
name = "config";
|
||||||
|
persistentVolumeClaim.claimName = "netbootxyz-config";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "assets";
|
||||||
|
persistentVolumeClaim.claimName = "netbootxyz-assets";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
containers = {
|
containers = {
|
||||||
netbootxyz = {
|
netbootxyz = {
|
||||||
image = netbootxyzImage;
|
image = netbootxyzImage;
|
||||||
imagePullPolicy = "Always";
|
imagePullPolicy = "Always";
|
||||||
volumeMounts = [
|
volumeMounts = [
|
||||||
{ mountPath = "/config"; name = "config"; }
|
{
|
||||||
{ mountPath = "/assets"; name = "assets"; }
|
mountPath = "/config";
|
||||||
|
name = "config";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
mountPath = "/assets";
|
||||||
|
name = "assets";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
env.SUBFOLDER.value = "/ui/";
|
env.SUBFOLDER.value = "/ui/";
|
||||||
ports.http.containerPort = 80;
|
ports.http.containerPort = 80;
|
||||||
|
@ -62,12 +73,12 @@ in
|
||||||
kubernetes.resources.persistentVolumeClaims.netbootxyz-config.spec = {
|
kubernetes.resources.persistentVolumeClaims.netbootxyz-config.spec = {
|
||||||
resources.requests.storage = "1Gi";
|
resources.requests.storage = "1Gi";
|
||||||
volumeMode = "Filesystem";
|
volumeMode = "Filesystem";
|
||||||
accessModes = [ "ReadWriteMany" ];
|
accessModes = ["ReadWriteMany"];
|
||||||
};
|
};
|
||||||
kubernetes.resources.persistentVolumeClaims.netbootxyz-assets.spec = {
|
kubernetes.resources.persistentVolumeClaims.netbootxyz-assets.spec = {
|
||||||
resources.requests.storage = "10Gi";
|
resources.requests.storage = "10Gi";
|
||||||
volumeMode = "Filesystem";
|
volumeMode = "Filesystem";
|
||||||
accessModes = [ "ReadWriteMany" ];
|
accessModes = ["ReadWriteMany"];
|
||||||
};
|
};
|
||||||
|
|
||||||
kubernetes.resources.ingresses.netbootxyz = {
|
kubernetes.resources.ingresses.netbootxyz = {
|
||||||
|
@ -76,22 +87,35 @@ in
|
||||||
"nginx.ingress.kubernetes.io/ssl-redirect" = "false";
|
"nginx.ingress.kubernetes.io/ssl-redirect" = "false";
|
||||||
};
|
};
|
||||||
spec = {
|
spec = {
|
||||||
tls = [ { hosts = [ "netboot.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
rules = [ { host = "netboot.gmem.ca"; http.paths = [
|
{
|
||||||
{ path = "/ui"; pathType = "Prefix";
|
hosts = ["netboot.gmem.ca"];
|
||||||
backend.service = {
|
secretName = "gmem-ca-wildcard";
|
||||||
name = "netbootxyz";
|
|
||||||
port.number = 3000;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{ path = "/"; pathType = "Prefix";
|
];
|
||||||
backend.service = {
|
rules = [
|
||||||
name = "netbootxyz";
|
{
|
||||||
port.number = 80;
|
host = "netboot.gmem.ca";
|
||||||
};
|
http.paths = [
|
||||||
|
{
|
||||||
|
path = "/ui";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = "netbootxyz";
|
||||||
|
port.number = 3000;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = "netbootxyz";
|
||||||
|
port.number = 80;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
}
|
}
|
||||||
];}];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
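Review bot: The `/ui` path (the netboot.xyz web UI on port 3000, judging by `env.SUBFOLDER.value = "/ui/"`) is published on the same public ingress as the boot assets, with `"nginx.ingress.kubernetes.io/ssl-redirect" = "false"` and no authentication annotation visible; if the UI has no login of its own, anyone who can reach `netboot.gmem.ca` can edit the menus and assets that machines PXE-boot from, which is a direct pre-boot code-execution path. Plain HTTP is needed for iPXE clients fetching from `/`, but the UI does not need it. Consider moving `/ui` to its own ingress with TLS redirect left on and a `"nginx.ingress.kubernetes.io/whitelist-source-range"` (or `auth-url`) annotation restricting it to your LAN/tailnet. Also `netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz"` carries no tag or digest and is pulled with `Always`, so the boot-asset server itself floats to whatever `latest` is; pin it by digest.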
|
||||||
@ -1,4 +1,9 @@
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
kubernetes.helm.releases.ingress-nginx = {
|
kubernetes.helm.releases.ingress-nginx = {
|
||||||
namespace = "ingress-nginx";
|
namespace = "ingress-nginx";
|
||||||
chart = kubenix.lib.helm.fetch {
|
chart = kubenix.lib.helm.fetch {
|
||||||
@ -1,8 +1,7 @@
|
||||||
let
|
let
|
||||||
appName = "overseerr";
|
appName = "overseerr";
|
||||||
appImage = "sctx/overseerr";
|
appImage = "sctx/overseerr";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
kubernetes.resources.services.overseerr = {
|
kubernetes.resources.services.overseerr = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.app = appName;
|
selector.app = appName;
|
||||||
|
@ -25,7 +24,10 @@ in
|
||||||
overseerr = {
|
overseerr = {
|
||||||
image = appImage;
|
image = appImage;
|
||||||
volumeMounts = [
|
volumeMounts = [
|
||||||
{ name = "data"; mountPath = "/app/config"; }
|
{
|
||||||
|
name = "data";
|
||||||
|
mountPath = "/app/config";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
ports.metrics.containerPort = 5055;
|
ports.metrics.containerPort = 5055;
|
||||||
resources = {
|
resources = {
|
||||||
|
@ -43,32 +45,41 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
volumeClaimTemplates = [
|
volumeClaimTemplates = [
|
||||||
{ metadata.name = "data";
|
{
|
||||||
|
metadata.name = "data";
|
||||||
spec = {
|
spec = {
|
||||||
storageClassName = "nfs-client";
|
storageClassName = "nfs-client";
|
||||||
accessModes = [ "ReadWriteOnce" ];
|
accessModes = ["ReadWriteOnce"];
|
||||||
resources.requests.storage = "1Gi";
|
resources.requests.storage = "1Gi";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
kubernetes.resources.ingresses.overseerr = {
|
kubernetes.resources.ingresses.overseerr = {
|
||||||
metadata = {
|
metadata = {
|
||||||
name = appName;
|
name = appName;
|
||||||
annotations = {
|
annotations = {
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
spec = {
|
spec = {
|
||||||
tls = [ { hosts = [ "request-media.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["request-media.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
rules = [
|
rules = [
|
||||||
{
|
{
|
||||||
host = "request-media.gmem.ca";
|
host = "request-media.gmem.ca";
|
||||||
http.paths = [
|
http.paths = [
|
||||||
{ path = "/"; pathType = "Prefix";
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
backend.service = {
|
backend.service = {
|
||||||
name = appName;
|
name = appName;
|
||||||
port.name = "http"; };
|
port.name = "http";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
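Review bot: `appImage = "sctx/overseerr"` carries neither a tag nor a digest, so the StatefulSet floats to Docker Hub's `latest` and any rescheduling can pull an arbitrary new build; the Redis chart elsewhere in this commit is pinned with a sha256, and this image deserves the same, e.g. `appImage = "sctx/overseerr:<version>@sha256:<digest>";`. This is presumably the service whose API key the homepage widget consumes, so a silently swapped image has something worth stealing. The container's `resources` block and the rest of the pod spec continue outside the hunk.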
|
||||||
@ -1,4 +1,9 @@
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
kubernetes.helm.releases.piped = {
|
kubernetes.helm.releases.piped = {
|
||||||
namespace = "default";
|
namespace = "default";
|
||||||
chart = kubenix.lib.helm.fetch {
|
chart = kubenix.lib.helm.fetch {
|
||||||
|
@ -20,24 +25,48 @@
|
||||||
password = "password";
|
password = "password";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
fontend.env.BACKEND_HOSTNAME= "pipedapi.gmem.ca";
|
fontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca";
|
||||||
ingress = {
|
ingress = {
|
||||||
main = {
|
main = {
|
||||||
tls = [ { hosts = [ "piped.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["piped.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
hosts = [
|
hosts = [
|
||||||
{ host = "piped.gmem.ca"; paths = [ { path = "/"; } ]; }
|
{
|
||||||
|
host = "piped.gmem.ca";
|
||||||
|
paths = [{path = "/";}];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
backend = {
|
backend = {
|
||||||
tls = [ { hosts = [ "pipedapi.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["pipedapi.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
hosts = [
|
hosts = [
|
||||||
{ host = "pipedapi.gmem.ca"; paths = [ { path = "/"; } ]; }
|
{
|
||||||
|
host = "pipedapi.gmem.ca";
|
||||||
|
paths = [{path = "/";}];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
ytproxy = {
|
ytproxy = {
|
||||||
tls = [ { hosts = [ "ytproxy.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["ytproxy.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
hosts = [
|
hosts = [
|
||||||
{ host = "ytproxy.gmem.ca"; paths = [ { path = "/"; } ]; }
|
{
|
||||||
|
host = "ytproxy.gmem.ca";
|
||||||
|
paths = [{path = "/";}];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -50,18 +79,18 @@
|
||||||
restartPolicy = "Never";
|
restartPolicy = "Never";
|
||||||
containers.refresh-subscriptions = {
|
containers.refresh-subscriptions = {
|
||||||
image = "alpine:3.15";
|
image = "alpine:3.15";
|
||||||
envFrom = [ { secretRef.name = "hippo-pguser-piped"; } ];
|
envFrom = [{secretRef.name = "hippo-pguser-piped";}];
|
||||||
command = [
|
command = [
|
||||||
"/bin/ash"
|
"/bin/ash"
|
||||||
"-c"
|
"-c"
|
||||||
''
|
''
|
||||||
apk --no-cache add postgresql-client curl &&
|
apk --no-cache add postgresql-client curl &&
|
||||||
export PGPASSWORD=$password &&
|
export PGPASSWORD=$password &&
|
||||||
export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') &&
|
export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') &&
|
||||||
while IFS= read -r line; do
|
while IFS= read -r line; do
|
||||||
curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null
|
curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null
|
||||||
done < <(printf '%s' "$subs")
|
done < <(printf '%s' "$subs")
|
||||||
''
|
''
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -2,78 +2,95 @@ let
|
||||||
appName = "pterodactyl-panel";
|
appName = "pterodactyl-panel";
|
||||||
pterodactyl-panel-Image = "git.gmem.ca/arch/pterodactyl-panel:latest";
|
pterodactyl-panel-Image = "git.gmem.ca/arch/pterodactyl-panel:latest";
|
||||||
in
|
in
|
||||||
{ lib, config, kubenix, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
kubenix,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
kubernetes.resources.services.pterodactyl-panel = {
|
kubernetes.resources.services.pterodactyl-panel = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.app = appName;
|
selector.app = appName;
|
||||||
ports.http = {
|
ports.http = {
|
||||||
port = 8080;
|
port = 8080;
|
||||||
targetPort = 8080;
|
targetPort = 8080;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
kubernetes.resources.statefulSets.pterodactyl-panel.spec = {
|
||||||
kubernetes.resources.statefulSets.pterodactyl-panel.spec = {
|
selector.matchLabels.app = appName;
|
||||||
selector.matchLabels.app = appName;
|
serviceName = appName;
|
||||||
serviceName = appName;
|
template = {
|
||||||
template = {
|
metadata.labels.app = appName;
|
||||||
metadata.labels.app = appName;
|
spec = {
|
||||||
spec = {
|
containers = {
|
||||||
containers = {
|
pterodactyl-panel = {
|
||||||
pterodactyl-panel = {
|
image = pterodactyl-panel-Image;
|
||||||
image = pterodactyl-panel-Image;
|
imagePullPolicy = "Always";
|
||||||
imagePullPolicy = "Always";
|
ports.http.containerPort = 8080;
|
||||||
ports.http.containerPort = 8080;
|
volumeMounts = [
|
||||||
volumeMounts = [
|
{
|
||||||
{ name = "data"; mountPath = "/var/www/pterodactyl/storage/app"; }
|
name = "data";
|
||||||
];
|
mountPath = "/var/www/pterodactyl/storage/app";
|
||||||
envFrom = [ { secretRef.name = "pterodactyl"; } ];
|
}
|
||||||
|
];
|
||||||
|
envFrom = [{secretRef.name = "pterodactyl";}];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
volumeClaimTemplates = [
|
||||||
volumeClaimTemplates = [
|
|
||||||
{ metadata.name = "data";
|
|
||||||
spec = {
|
|
||||||
storageClassName = "nfs-client";
|
|
||||||
accessModes = [ "ReadWriteOnce" ];
|
|
||||||
resources.requests.storage = "1Gi";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
kubernetes.helm.releases.pterodactyl-redis = {
|
|
||||||
chart = kubenix.lib.helm.fetch {
|
|
||||||
repo = "https://charts.bitnami.com/bitnami";
|
|
||||||
chart = "redis";
|
|
||||||
version = "18.6.1";
|
|
||||||
sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM=";
|
|
||||||
};
|
|
||||||
values = {
|
|
||||||
auth.enabled = false;
|
|
||||||
architecture = "standalone";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
kubernetes.resources.ingresses.pterodactyl-panel = {
|
|
||||||
metadata = {
|
|
||||||
name = appName;
|
|
||||||
annotations = {
|
|
||||||
"cert-manager.io/issuer" = "le-issuer";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
spec = {
|
|
||||||
tls = [ { hosts = [ "games.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
|
|
||||||
rules = [
|
|
||||||
{
|
{
|
||||||
host = "games.gmem.ca";
|
metadata.name = "data";
|
||||||
http.paths = [
|
spec = {
|
||||||
{ path = "/"; pathType = "Prefix";
|
storageClassName = "nfs-client";
|
||||||
backend.service = {
|
accessModes = ["ReadWriteOnce"];
|
||||||
name = appName;
|
resources.requests.storage = "1Gi";
|
||||||
port.name = "http"; };
|
};
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
kubernetes.helm.releases.pterodactyl-redis = {
|
||||||
}
|
chart = kubenix.lib.helm.fetch {
|
||||||
|
repo = "https://charts.bitnami.com/bitnami";
|
||||||
|
chart = "redis";
|
||||||
|
version = "18.6.1";
|
||||||
|
sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM=";
|
||||||
|
};
|
||||||
|
values = {
|
||||||
|
auth.enabled = false;
|
||||||
|
architecture = "standalone";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
kubernetes.resources.ingresses.pterodactyl-panel = {
|
||||||
|
metadata = {
|
||||||
|
name = appName;
|
||||||
|
annotations = {
|
||||||
|
"cert-manager.io/issuer" = "le-issuer";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
spec = {
|
||||||
|
tls = [
|
||||||
|
{
|
||||||
|
hosts = ["games.gmem.ca"];
|
||||||
|
secretName = "gmem-ca-wildcard";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
host = "games.gmem.ca";
|
||||||
|
http.paths = [
|
||||||
|
{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
backend.service = {
|
||||||
|
name = appName;
|
||||||
|
port.name = "http";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
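Review bot: `auth.enabled = false;` in the `pterodactyl-redis` release deploys Redis with no password, so any workload that can reach the Redis service in this namespace can read or rewrite whatever the panel keeps there (presumably sessions and cache, which includes admin sessions). The Bitnami chart supports a pre-existing secret, so this can become `auth.enabled = true; auth.existingSecret = "pterodactyl-redis";` with the same password handed to the panel through its existing `envFrom` secret (as `REDIS_PASSWORD`, if that is what the image's entrypoint reads); failing that, a NetworkPolicy limiting ingress to the panel pods. The panel itself runs from `git.gmem.ca/arch/pterodactyl-panel:latest` with `imagePullPolicy = "Always"`, which leaves the deployed version untracked; pin it by digest. The chart is pinned with `version` and `sha256`, which is the right pattern to keep.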
|
||||||
@ -2,12 +2,16 @@ let
|
||||||
appName = "tclip";
|
appName = "tclip";
|
||||||
litestreamImage = "litestream/litestream:sha-749bc0d";
|
litestreamImage = "litestream/litestream:sha-749bc0d";
|
||||||
tclipImage = "git.gmem.ca/arch/tclip:arm";
|
tclipImage = "git.gmem.ca/arch/tclip:arm";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.tclip = {
|
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.tclip = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.matchLabels.app = appName;
|
selector.matchLabels.app = appName;
|
||||||
endpoints = [ { port = "metrics"; interval = "30s"; } ];
|
endpoints = [
|
||||||
|
{
|
||||||
|
port = "metrics";
|
||||||
|
interval = "30s";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
kubernetes.resources.services.tclip = {
|
kubernetes.resources.services.tclip = {
|
||||||
|
@ -36,41 +40,67 @@ in
|
||||||
};
|
};
|
||||||
initContainers.init-litestream = {
|
initContainers.init-litestream = {
|
||||||
image = litestreamImage;
|
image = litestreamImage;
|
||||||
args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db" ];
|
args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db"];
|
||||||
volumeMounts = [
|
volumeMounts = [
|
||||||
{ name = "data"; mountPath = "/data"; }
|
{
|
||||||
{ name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; }
|
name = "data";
|
||||||
|
mountPath = "/data";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "litestream";
|
||||||
|
mountPath = "/etc/litestream.yml";
|
||||||
|
subPath = "tclip.yml";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ];
|
envFrom = [{secretRef.name = "tclip-litestream-s3";}];
|
||||||
};
|
};
|
||||||
containers = {
|
containers = {
|
||||||
tclip = {
|
tclip = {
|
||||||
image = tclipImage;
|
image = tclipImage;
|
||||||
imagePullPolicy = "Always";
|
imagePullPolicy = "Always";
|
||||||
volumeMounts = [ { name = "data"; mountPath = "/data"; } ];
|
volumeMounts = [
|
||||||
|
{
|
||||||
|
name = "data";
|
||||||
|
mountPath = "/data";
|
||||||
|
}
|
||||||
|
];
|
||||||
env = [
|
env = [
|
||||||
{ name = "DATA_DIR"; value = "/data"; }
|
{
|
||||||
{ name = "USE_FUNNEL"; value = "true"; }
|
name = "DATA_DIR";
|
||||||
|
value = "/data";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "USE_FUNNEL";
|
||||||
|
value = "true";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
litestream = {
|
litestream = {
|
||||||
image = litestreamImage;
|
image = litestreamImage;
|
||||||
args = [ "replicate" ];
|
args = ["replicate"];
|
||||||
volumeMounts = [
|
volumeMounts = [
|
||||||
{ name = "data"; mountPath = "/data"; }
|
{
|
||||||
{ name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; }
|
name = "data";
|
||||||
|
mountPath = "/data";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "litestream";
|
||||||
|
mountPath = "/etc/litestream.yml";
|
||||||
|
subPath = "tclip.yml";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ];
|
envFrom = [{secretRef.name = "tclip-litestream-s3";}];
|
||||||
ports.metrics.containerPort = 9090;
|
ports.metrics.containerPort = 9090;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
volumeClaimTemplates = [
|
volumeClaimTemplates = [
|
||||||
{ metadata.name = "data";
|
{
|
||||||
|
metadata.name = "data";
|
||||||
spec = {
|
spec = {
|
||||||
storageClassName = "nfs-client";
|
storageClassName = "nfs-client";
|
||||||
accessModes = [ "ReadWriteOnce" ];
|
accessModes = ["ReadWriteOnce"];
|
||||||
resources.requests.storage = "1Gi";
|
resources.requests.storage = "1Gi";
|
||||||
};
|
};
|
||||||
}
|
}
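Review bot: `USE_FUNNEL = "true"` presumably enables Tailscale Funnel, which publishes this paste service to the public internet rather than only the tailnet, and nothing in the file records that this exposure is intended; a comment on that env entry such as `# USE_FUNNEL=true publishes tclip to the public internet via Tailscale Funnel, not just the tailnet` would stop it being copied unreflectively. The same pod runs the init and sidecar litestream containers carrying `tclip-litestream-s3` credentials via `envFrom`, so the pod's blast radius includes the backup bucket. Also, litestream is pinned to `sha-749bc0d` while tclip is pulled from the mutable `git.gmem.ca/arch/tclip:arm` tag with `imagePullPolicy = "Always"`; pin tclip the same way, e.g. `tclipImage = "git.gmem.ca/arch/tclip@sha256:<digest>";`. The StatefulSet's `volumeClaimTemplates` list closes outside the hunk.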
|
||||||
@ -1,12 +1,16 @@
|
||||||
let
|
let
|
||||||
appName = "vrchat-prometheus-exporter";
|
appName = "vrchat-prometheus-exporter";
|
||||||
appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm";
|
appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.vrchat-prometheus-adapter = {
|
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.vrchat-prometheus-adapter = {
|
||||||
spec = {
|
spec = {
|
||||||
selector.matchLabels.app = appName;
|
selector.matchLabels.app = appName;
|
||||||
endpoints = [ { port = "metrics"; interval = "60s"; } ];
|
endpoints = [
|
||||||
|
{
|
||||||
|
port = "metrics";
|
||||||
|
interval = "60s";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
kubernetes.resources.services.vrchat-prometheus-adapter = {
|
kubernetes.resources.services.vrchat-prometheus-adapter = {
|
||||||
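Review bot: `appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm";` references a mutable tag, and the container spec in the next hunk pulls it with `imagePullPolicy = "Always"`, so every pod start runs whatever the registry currently serves under `:arm` with no digest check. Pinning by digest — `appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter@sha256:<digest>";` — or at least an immutable version tag bumped by the pipeline that pushes the image makes rollouts deliberate and reviewable. On a self-hosted registry the exposure is mostly a compromised or accidental push, so this is a hardening note rather than an active defect. It is pre-existing; this commit only reformats.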
|
@ -35,8 +39,14 @@ in
|
||||||
vrchat-prometheus-adapter = {
|
vrchat-prometheus-adapter = {
|
||||||
image = appImage;
|
image = appImage;
|
||||||
imagePullPolicy = "Always";
|
imagePullPolicy = "Always";
|
||||||
volumeMounts = [ { name = "config"; mountPath = "/config.toml"; subPath = "config.toml"; } ];
|
volumeMounts = [
|
||||||
envFrom = [ { secretRef.name = "vrchat-prometheus-adapter"; } ];
|
{
|
||||||
|
name = "config";
|
||||||
|
mountPath = "/config.toml";
|
||||||
|
subPath = "config.toml";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
envFrom = [{secretRef.name = "vrchat-prometheus-adapter";}];
|
||||||
ports.metrics.containerPort = 6534;
|
ports.metrics.containerPort = 6534;
|
||||||
resources = {
|
resources = {
|
||||||
requests = {
|
requests = {
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
age.secrets.k3s-token = {
|
age.secrets.k3s-token = {
|
||||||
file = ../../secrets/k3s-token.age;
|
file = ../../secrets/k3s-token.age;
|
||||||
|
@ -12,20 +14,19 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
supportedFilesystems = [ "nfs" ];
|
supportedFilesystems = ["nfs"];
|
||||||
kernelPackages = pkgs.linuxPackages_rpi4;
|
kernelPackages = pkgs.linuxPackages_rpi4;
|
||||||
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ];
|
kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
|
||||||
loader = {
|
loader = {
|
||||||
grub.enable = false;
|
grub.enable = false;
|
||||||
generic-extlinux-compatible.enable = true;
|
generic-extlinux-compatible.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
swapDevices = [
|
swapDevices = [
|
||||||
{
|
{
|
||||||
device = "/var/lib/swapfile";
|
device = "/var/lib/swapfile";
|
||||||
size = 8*1024;
|
size = 8 * 1024;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -43,7 +44,7 @@
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
min-free = ${toString (100 * 1024 * 1024)}
|
min-free = ${toString (100 * 1024 * 1024)}
|
||||||
max-free = ${toString (1024 * 1024 * 1024)}
|
max-free = ${toString (1024 * 1024 * 1024)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -52,8 +53,8 @@
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
allowedUDPPorts = [ 41641 ];
|
allowedUDPPorts = [41641];
|
||||||
allowedTCPPorts = [ 22 80 443 6443 10250 ];
|
allowedTCPPorts = [22 80 443 6443 10250];
|
||||||
enable = false;
|
enable = false;
|
||||||
};
|
};
|
||||||
nftables.enable = false;
|
nftables.enable = false;
|
||||||
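Review bot: `enable = false;` two lines below `allowedTCPPorts = [22 80 443 6443 10250];` turns the firewall off, so that allow-list, `allowedUDPPorts = [41641];` and `trustedInterfaces = ["tailscale0"];` are dead configuration and the k3s API (6443) and kubelet (10250) are reachable on every interface of this node. The commit only reformats, so this is pre-existing, but the block is self-contained enough to fix while it is touched: `enable = true;` here and `nftables.enable = true;` below keep exactly the listed ports open and the tailnet trusted. A k3s node also needs its overlay/CNI traffic (flannel VXLAN on 8472/udp by default) and, if it is a server with embedded etcd, 2379–2380/tcp, so confirm those against the cluster before flipping it. The enclosing `networking = {` set starts above this hunk.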
|
@ -63,7 +64,7 @@
|
||||||
|
|
||||||
users.users.gsimmer = {
|
users.users.gsimmer = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = ["wheel"];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
tree
|
tree
|
||||||
];
|
];
|
||||||
|
@ -72,8 +73,9 @@
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -108,5 +110,4 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,24 +1,28 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
lib,
|
||||||
];
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
boot.initrd.availableKernelModules = ["xhci_pci" "uas"];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
# WARN: this file will get overwritten by $ cachix use <name>
|
# WARN: this file will get overwritten by $ cachix use <name>
|
||||||
{ pkgs, lib, ... }:
|
{
|
||||||
|
pkgs,
|
||||||
let
|
lib,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
folder = ./cachix;
|
folder = ./cachix;
|
||||||
toImport = name: value: folder + ("/" + name);
|
toImport = name: value: folder + ("/" + name);
|
||||||
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
|
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[
|
pkgs,
|
||||||
./hardware-configuration.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
# Bootloader
|
# Bootloader
|
||||||
boot = {
|
boot = {
|
||||||
|
@ -15,12 +16,12 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
tmp.cleanOnBoot = true;
|
tmp.cleanOnBoot = true;
|
||||||
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
binfmt.emulatedSystems = ["aarch64-linux"];
|
||||||
extraModulePackages = [
|
extraModulePackages = [
|
||||||
config.boot.kernelPackages.v4l2loopback
|
config.boot.kernelPackages.v4l2loopback
|
||||||
];
|
];
|
||||||
kernelPackages = pkgs.linuxPackages_zen;
|
kernelPackages = pkgs.linuxPackages_zen;
|
||||||
kernelModules = [ "amdgpu" "coretemp" "kvm-amd" "v4l2loopback" ];
|
kernelModules = ["amdgpu" "coretemp" "kvm-amd" "v4l2loopback"];
|
||||||
};
|
};
|
||||||
|
|
||||||
time.hardwareClockInLocalTime = true;
|
time.hardwareClockInLocalTime = true;
|
||||||
|
@ -31,7 +32,7 @@
|
||||||
};
|
};
|
||||||
nix = {
|
nix = {
|
||||||
settings = {
|
settings = {
|
||||||
experimental-features = [ "nix-command" "flakes" ];
|
experimental-features = ["nix-command" "flakes"];
|
||||||
auto-optimise-store = true;
|
auto-optimise-store = true;
|
||||||
};
|
};
|
||||||
gc = {
|
gc = {
|
||||||
|
@ -48,11 +49,21 @@
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
|
allowedUDPPortRanges = [
|
||||||
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
|
{
|
||||||
allowedTCPPorts = [ 7000 7100 7001 22000 8000 3000 9943 9944 ];
|
from = 27031;
|
||||||
allowedUDPPorts = [ 69 6000 6001 7011 41641 3478 22000 21027 9943 9944 ];
|
to = 27036;
|
||||||
trustedInterfaces = [ "enp4s0" "tailscale0" "docker0" ];
|
}
|
||||||
|
];
|
||||||
|
allowedTCPPortRanges = [
|
||||||
|
{
|
||||||
|
from = 27036;
|
||||||
|
to = 27037;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
allowedTCPPorts = [7000 7100 7001 22000 8000 3000 9943 9944];
|
||||||
|
allowedUDPPorts = [69 6000 6001 7011 41641 3478 22000 21027 9943 9944];
|
||||||
|
trustedInterfaces = ["enp4s0" "tailscale0" "docker0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
};
|
};
|
||||||
nftables.enable = true;
|
nftables.enable = true;
|
||||||
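Review bot: `trustedInterfaces = ["enp4s0" "tailscale0" "docker0"];` lists what appears to be the machine's wired NIC as trusted, and NixOS accepts all inbound traffic on a trusted interface, so the `allowedTCPPorts`, `allowedUDPPorts` and port-range lists above it constrain nothing on the LAN side. If `enp4s0` is the uplink, drop it — `trustedInterfaces = ["tailscale0" "docker0"];` — and let the explicit allowances (the Steam ranges, 22000/21027 for syncthing, 41641 for tailscale) do their job; if it is a dedicated internal link, that intent deserves a comment on the line. `docker0` as trusted also lets containers reach every host port, which is a common default but worth stating explicitly. This is pre-existing, not introduced by the reformat; the `firewall` block closes in this hunk while the enclosing `networking` set starts above it.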
|
@ -72,23 +83,29 @@
|
||||||
positions = {
|
positions = {
|
||||||
filename = "/tmp/positions.yaml";
|
filename = "/tmp/positions.yaml";
|
||||||
};
|
};
|
||||||
clients = [{
|
clients = [
|
||||||
url = "http://monitoring:3030/loki/api/v1/push";
|
{
|
||||||
}];
|
url = "http://monitoring:3030/loki/api/v1/push";
|
||||||
scrape_configs = [{
|
}
|
||||||
job_name = "journal";
|
];
|
||||||
journal = {
|
scrape_configs = [
|
||||||
max_age = "12h";
|
{
|
||||||
labels = {
|
job_name = "journal";
|
||||||
job = "systemd-journal";
|
journal = {
|
||||||
host = "london";
|
max_age = "12h";
|
||||||
|
labels = {
|
||||||
|
job = "systemd-journal";
|
||||||
|
host = "london";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
relabel_configs = [
|
||||||
relabel_configs = [{
|
{
|
||||||
source_labels = [ "__journal__systemd_unit" ];
|
source_labels = ["__journal__systemd_unit"];
|
||||||
target_label = "unit";
|
target_label = "unit";
|
||||||
}];
|
}
|
||||||
}];
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
fwupd.enable = true;
|
fwupd.enable = true;
|
||||||
|
@ -105,12 +122,13 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
listenAddress = "100.110.180.123";
|
listenAddress = "100.110.180.123";
|
||||||
enabledCollectors = [
|
enabledCollectors = [
|
||||||
"systemd" "processes"
|
"systemd"
|
||||||
|
"processes"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
dbus.enable = true;
|
dbus.enable = true;
|
||||||
yubikey-agent.enable = true;
|
yubikey-agent.enable = true;
|
||||||
udev.packages = with pkgs; [ libu2f-host yubikey-personalization ];
|
udev.packages = with pkgs; [libu2f-host yubikey-personalization];
|
||||||
tailscale.enable = true;
|
tailscale.enable = true;
|
||||||
pcscd.enable = true;
|
pcscd.enable = true;
|
||||||
mullvad-vpn.enable = true;
|
mullvad-vpn.enable = true;
|
||||||
|
@ -133,7 +151,7 @@
|
||||||
};
|
};
|
||||||
printing = {
|
printing = {
|
||||||
enable = true;
|
enable = true;
|
||||||
drivers = [ pkgs.gutenprint pkgs.gutenprintBin ];
|
drivers = [pkgs.gutenprint pkgs.gutenprintBin];
|
||||||
};
|
};
|
||||||
avahi = {
|
avahi = {
|
||||||
nssmdns4 = true;
|
nssmdns4 = true;
|
||||||
|
@ -164,7 +182,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.enable = true;
|
sane.enable = true;
|
||||||
sane.extraBackends = [ pkgs.epkowa ];
|
sane.extraBackends = [pkgs.epkowa];
|
||||||
pulseaudio.enable = false;
|
pulseaudio.enable = false;
|
||||||
};
|
};
|
||||||
environment.variables.AMD_VULKAN_ICD = "RADV";
|
environment.variables.AMD_VULKAN_ICD = "RADV";
|
||||||
|
@ -184,17 +202,17 @@
|
||||||
dedicatedServer.openFirewall = false;
|
dedicatedServer.openFirewall = false;
|
||||||
};
|
};
|
||||||
gnupg.agent = {
|
gnupg.agent = {
|
||||||
enable = true;
|
enable = true;
|
||||||
pinentryFlavor = "qt";
|
pinentryFlavor = "qt";
|
||||||
enableSSHSupport = false;
|
enableSSHSupport = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||||
users.users.gsimmer = {
|
users.users.gsimmer = {
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = "Gabriel Simmer";
|
description = "Gabriel Simmer";
|
||||||
extraGroups = [ "networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker" ];
|
extraGroups = ["networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker"];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
firefox-wayland
|
firefox-wayland
|
||||||
vim
|
vim
|
||||||
|
@ -223,9 +241,9 @@
|
||||||
enableDefaultPackages = true;
|
enableDefaultPackages = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.packages = with pkgs; [ cloudflare-warp ];
|
systemd.packages = with pkgs; [cloudflare-warp];
|
||||||
environment = {
|
environment = {
|
||||||
shells = with pkgs; [ zsh fish ];
|
shells = with pkgs; [zsh fish];
|
||||||
systemPackages = with pkgs; [
|
systemPackages = with pkgs; [
|
||||||
os-prober
|
os-prober
|
||||||
tailscale
|
tailscale
|
||||||
|
@ -251,7 +269,7 @@
|
||||||
pcscliteWithPolkit.out
|
pcscliteWithPolkit.out
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.plasma5.excludePackages = with pkgs.libsForQt5; [
|
environment.plasma5.excludePackages = with pkgs.libsForQt5; [
|
||||||
elisa
|
elisa
|
||||||
okular
|
okular
|
||||||
|
@ -265,16 +283,15 @@
|
||||||
polkit = {
|
polkit = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
polkit.addRule(function(action, subject) {
|
polkit.addRule(function(action, subject) {
|
||||||
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
|
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
|
||||||
subject.isInGroup("wheel")) {
|
subject.isInGroup("wheel")) {
|
||||||
return polkit.Result.YES;
|
return polkit.Result.YES;
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
rtkit.enable = true;
|
rtkit.enable = true;
|
||||||
};
|
};
|
||||||
system.stateVersion = "23.05"; # Did you read the comment?
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,51 +1,59 @@
|
||||||
{ config, pkgs, callPackage, lib, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
callPackage,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
config.allowUnfreePredicate = pkg:
|
||||||
"parsec-bin"
|
builtins.elem (lib.getName pkg) [
|
||||||
"discord"
|
"parsec-bin"
|
||||||
];
|
"discord"
|
||||||
|
];
|
||||||
config.allowUnfree = true;
|
config.allowUnfree = true;
|
||||||
overlays =
|
overlays = let
|
||||||
let
|
discordOverlay = self: super: {
|
||||||
discordOverlay = self: super: {
|
discord = super.discord.override {
|
||||||
discord = super.discord.override { withVencord = true; withOpenASAR = true; };
|
withVencord = true;
|
||||||
|
withOpenASAR = true;
|
||||||
};
|
};
|
||||||
in
|
};
|
||||||
[
|
in [
|
||||||
(import (builtins.fetchTarball {
|
(import (builtins.fetchTarball {
|
||||||
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
|
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
|
||||||
sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6";
|
sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6";
|
||||||
})) discordOverlay];
|
}))
|
||||||
|
discordOverlay
|
||||||
|
];
|
||||||
};
|
};
|
||||||
home = {
|
home = {
|
||||||
username = "gsimmer";
|
username = "gsimmer";
|
||||||
homeDirectory = "/home/gsimmer";
|
homeDirectory = "/home/gsimmer";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.pueue = {
|
services.pueue = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
client = { };
|
client = {};
|
||||||
daemon.callback = ''
|
daemon.callback = ''
|
||||||
${pkgs.libnotify}/bin/notify-send -t 4000 "Task {{id}} finished, status '{{result}}'" "<b>{{exit_code}}</b> {{command}}"
|
${pkgs.libnotify}/bin/notify-send -t 4000 "Task {{id}} finished, status '{{result}}'" "<b>{{exit_code}}</b> {{command}}"
|
||||||
'';
|
'';
|
||||||
shared = { };
|
shared = {};
|
||||||
profiles = { };
|
profiles = {};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
bash.enable = false;
|
bash.enable = false;
|
||||||
fish = {
|
fish = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interactiveShellInit = ''
|
interactiveShellInit = ''
|
||||||
set fish_greeting
|
set fish_greeting
|
||||||
atuin init fish | source
|
atuin init fish | source
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
direnv = {
|
direnv = {
|
||||||
enable = true;
|
enable = true;
|
||||||
nix-direnv.enable = true;
|
nix-direnv.enable = true;
|
||||||
|
@ -90,14 +98,14 @@
|
||||||
|
|
||||||
# Prevent clobbering SSH_AUTH_SOCK
|
# Prevent clobbering SSH_AUTH_SOCK
|
||||||
home.sessionVariables = {
|
home.sessionVariables = {
|
||||||
SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock";
|
SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Disable gnome-keyring ssh-agent
|
# Disable gnome-keyring ssh-agent
|
||||||
xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
|
xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
|
||||||
${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"}
|
${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"}
|
||||||
Hidden=true
|
Hidden=true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
bitwarden-cli
|
bitwarden-cli
|
||||||
|
|
|
@ -1,31 +1,35 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
lib,
|
||||||
];
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
boot.kernelModules = [ "kvm-amd" ];
|
boot.kernelModules = ["kvm-amd"];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939";
|
device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939";
|
||||||
fsType = "xfs";
|
fsType = "xfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-uuid/2A2C-A8CE";
|
device = "/dev/disk/by-uuid/2A2C-A8CE";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices = [
|
||||||
[ { device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef"; }
|
{device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef";}
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1,9 +1,12 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{
|
||||||
let
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
rev = "master"; # 'rev' could be a git rev, to pin the overlay.
|
rev = "master"; # 'rev' could be a git rev, to pin the overlay.
|
||||||
url = "https://github.com/nix-community/nixpkgs-wayland/archive/${rev}.tar.gz";
|
url = "https://github.com/nix-community/nixpkgs-wayland/archive/${rev}.tar.gz";
|
||||||
waylandOverlay = (import "${builtins.fetchTarball url}/overlay.nix");
|
waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix";
|
||||||
in
|
in {
|
||||||
{
|
nixpkgs.overlays = [waylandOverlay];
|
||||||
nixpkgs.overlays = [ waylandOverlay ];
|
}
|
||||||
}
|
|
||||||
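Review bot: `waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix";` pulls `rev = "master"` with no `sha256`, so the overlay evaluated into the system is whatever GitHub serves at evaluation time, with no integrity check and no reproducibility between two evaluations (the comment on the `rev` line even notes it could be pinned). Nix code from an overlay runs with the full authority of the build, which makes this a supply-chain input that should be pinned: `rev = "<commit>";` and `waylandOverlay = import "${builtins.fetchTarball { inherit url; sha256 = "<hash>"; }}/overlay.nix";`, or, since the repository appears to be flake-based, take the overlay from a locked flake input and drop the impure fetch altogether. Unhashed `fetchTarball` is also cached per `tarball-ttl`, so two hosts built from the same config can end up on different overlay revisions. This commit only reformats; the issue is pre-existing.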
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
./networking.nix # generated at runtime by nixos-infect
|
./networking.nix # generated at runtime by nixos-infect
|
||||||
|
@ -20,7 +22,7 @@
|
||||||
file = ../../secrets/healthchecks-telegram.age;
|
file = ../../secrets/healthchecks-telegram.age;
|
||||||
owner = "healthchecks";
|
owner = "healthchecks";
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.prometheus-webconfig-secret = {
|
age.secrets.prometheus-webconfig-secret = {
|
||||||
file = ../../secrets/monitoring-prometheus-webconfig.age;
|
file = ../../secrets/monitoring-prometheus-webconfig.age;
|
||||||
owner = "prometheus";
|
owner = "prometheus";
|
||||||
|
@ -43,7 +45,7 @@
|
||||||
networking.domain = "";
|
networking.domain = "";
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI=''
|
''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI=''
|
||||||
];
|
];
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
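Review bot: `networking.firewall.enable = false;` on what looks like an internet-facing VM (the `networking.nix` import is described as generated by nixos-infect) exposes every listening service, and later hunks put Prometheus on port 9001 with its remote-write receiver enabled, alertmanager on 9093, and healthchecks scraped at `localhost:8000` (its bind address is not visible here). A minimal replacement is `networking.firewall = { enable = true; allowedTCPPorts = [22 80 443]; };`, which keeps SSH and the nginx reverse proxy enabled further down reachable, plus `trustedInterfaces` for the tailnet interface if this host has one. SSH is also granted only to `root` via `users.users.root.openssh.authorizedKeys.keys`; an unprivileged admin user in `wheel` with `services.openssh.settings.PermitRootLogin = "no"` is the usual least-privilege shape, and the key here is ECDSA P-256 where ed25519 is the current default. Both points are pre-existing — this commit only reformats.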
|
|
||||||
|
@ -104,16 +106,18 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
schema_config = {
|
schema_config = {
|
||||||
configs = [{
|
configs = [
|
||||||
from = "2022-06-06";
|
{
|
||||||
store = "boltdb-shipper";
|
from = "2022-06-06";
|
||||||
object_store = "filesystem";
|
store = "boltdb-shipper";
|
||||||
schema = "v11";
|
object_store = "filesystem";
|
||||||
index = {
|
schema = "v11";
|
||||||
prefix = "index_";
|
index = {
|
||||||
period = "24h";
|
prefix = "index_";
|
||||||
};
|
period = "24h";
|
||||||
}];
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
storage_config = {
|
storage_config = {
|
||||||
|
@ -164,27 +168,33 @@
|
||||||
positions = {
|
positions = {
|
||||||
filename = "/tmp/positions.yaml";
|
filename = "/tmp/positions.yaml";
|
||||||
};
|
};
|
||||||
clients = [{
|
clients = [
|
||||||
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
|
{
|
||||||
}];
|
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
|
||||||
scrape_configs = [{
|
}
|
||||||
job_name = "journal";
|
];
|
||||||
journal = {
|
scrape_configs = [
|
||||||
max_age = "12h";
|
{
|
||||||
labels = {
|
job_name = "journal";
|
||||||
job = "systemd-journal";
|
journal = {
|
||||||
host = "monitoring";
|
max_age = "12h";
|
||||||
|
labels = {
|
||||||
|
job = "systemd-journal";
|
||||||
|
host = "monitoring";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
relabel_configs = [
|
||||||
relabel_configs = [{
|
{
|
||||||
source_labels = [ "__journal__systemd_unit" ];
|
source_labels = ["__journal__systemd_unit"];
|
||||||
target_label = "unit";
|
target_label = "unit";
|
||||||
}];
|
}
|
||||||
}];
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.alertmanager-ntfy = {
|
services.alertmanager-ntfy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
http = {
|
http = {
|
||||||
addr = "127.0.0.1:8111";
|
addr = "127.0.0.1:8111";
|
||||||
|
@ -195,7 +205,7 @@
|
||||||
topic = "alerts";
|
topic = "alerts";
|
||||||
priority = ''
|
priority = ''
|
||||||
status == "firing" ? "high" : "default"
|
status == "firing" ? "high" : "default"
|
||||||
'';
|
'';
|
||||||
templates = {
|
templates = {
|
||||||
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
|
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
|
||||||
description = ''{{ index .Annotations "description" }}'';
|
description = ''{{ index .Annotations "description" }}'';
|
||||||
|
@ -211,136 +221,155 @@
|
||||||
globalConfig = {
|
globalConfig = {
|
||||||
scrape_interval = "15s";
|
scrape_interval = "15s";
|
||||||
};
|
};
|
||||||
alertmanagers = [ {
|
alertmanagers = [
|
||||||
basic_auth = {
|
{
|
||||||
username = "homelab";
|
basic_auth = {
|
||||||
password_file = config.age.secrets.prometheus-password-secret.path;
|
username = "homelab";
|
||||||
};
|
password_file = config.age.secrets.prometheus-password-secret.path;
|
||||||
static_configs = [ {
|
};
|
||||||
targets = [
|
static_configs = [
|
||||||
"localhost:9093"
|
{
|
||||||
|
targets = [
|
||||||
|
"localhost:9093"
|
||||||
|
];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
} ];
|
}
|
||||||
} ];
|
];
|
||||||
rules = [(builtins.toJSON {
|
rules = [
|
||||||
groups = [
|
(builtins.toJSON {
|
||||||
{
|
groups = [
|
||||||
name = "internet_connection";
|
{
|
||||||
rules = [
|
name = "internet_connection";
|
||||||
{
|
rules = [
|
||||||
alert = "LowInternetDownload";
|
{
|
||||||
expr = ''speedtest_download_bits_per_second{} < 500000000'';
|
alert = "LowInternetDownload";
|
||||||
for = "2h";
|
expr = ''speedtest_download_bits_per_second{} < 500000000'';
|
||||||
labels.severity = "page";
|
for = "2h";
|
||||||
annotations = {
|
labels.severity = "page";
|
||||||
summary = "Internet speed low";
|
annotations = {
|
||||||
description = "Home internet speed dropped below 500Mb/s.";
|
summary = "Internet speed low";
|
||||||
dashboard = "o9mIe_Aik";
|
description = "Home internet speed dropped below 500Mb/s.";
|
||||||
};
|
dashboard = "o9mIe_Aik";
|
||||||
}
|
};
|
||||||
];
|
}
|
||||||
}
|
];
|
||||||
{
|
}
|
||||||
name = "healthchecks";
|
{
|
||||||
rules = [
|
name = "healthchecks";
|
||||||
{
|
rules = [
|
||||||
alert = "HealthcheckFailedCheckin";
|
{
|
||||||
expr = ''hc_check_up < 1'';
|
alert = "HealthcheckFailedCheckin";
|
||||||
for = "5m";
|
expr = ''hc_check_up < 1'';
|
||||||
labels.severity = "page";
|
for = "5m";
|
||||||
annotations = {
|
labels.severity = "page";
|
||||||
summary = "{{ $labels.name }} healthcheck failed";
|
annotations = {
|
||||||
description = "The {{ $labels.name }} healthcheck failed to check in.";
|
summary = "{{ $labels.name }} healthcheck failed";
|
||||||
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
|
description = "The {{ $labels.name }} healthcheck failed to check in.";
|
||||||
};
|
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
|
||||||
}
|
};
|
||||||
];
|
}
|
||||||
}];
|
];
|
||||||
})];
|
}
|
||||||
|
];
|
||||||
|
})
|
||||||
|
];
|
||||||
alertmanager = {
|
alertmanager = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
|
extraFlags = ["--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}"];
|
||||||
webExternalUrl = "https://alerts.gmem.ca";
|
webExternalUrl = "https://alerts.gmem.ca";
|
||||||
configText = ''
|
configText = ''
|
||||||
global: {}
|
global: {}
|
||||||
|
|
||||||
# The directory from which notification templates are read.
|
# The directory from which notification templates are read.
|
||||||
templates:
|
templates:
|
||||||
- '/etc/alertmanager/template/*.tmpl'
|
- '/etc/alertmanager/template/*.tmpl'
|
||||||
|
|
||||||
# The root route on which each incoming alert enters.
|
# The root route on which each incoming alert enters.
|
||||||
route:
|
route:
|
||||||
group_by: ['alertname', 'cluster', 'service']
|
group_by: ['alertname', 'cluster', 'service']
|
||||||
group_wait: 0s
|
group_wait: 0s
|
||||||
group_interval: 5m
|
group_interval: 5m
|
||||||
repeat_interval: 3h
|
repeat_interval: 3h
|
||||||
# A default receiver
|
# A default receiver
|
||||||
receiver: ntfy
|
receiver: ntfy
|
||||||
|
|
||||||
receivers:
|
receivers:
|
||||||
- name: ntfy
|
- name: ntfy
|
||||||
webhook_configs:
|
webhook_configs:
|
||||||
- url: http://localhost:8111/hook
|
- url: http://localhost:8111/hook
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
port = 9001;
|
port = 9001;
|
||||||
extraFlags = [ "--web.enable-remote-write-receiver" ];
|
extraFlags = ["--web.enable-remote-write-receiver"];
|
||||||
scrapeConfigs = [
|
scrapeConfigs = [
|
||||||
{
|
{
|
||||||
job_name = "proxmox";
|
job_name = "proxmox";
|
||||||
metrics_path = "/pve";
|
metrics_path = "/pve";
|
||||||
params = { "target" = [ "localhost" ]; };
|
params = {"target" = ["localhost"];};
|
||||||
static_configs = [ { targets = [ "proxmox:9221" ]; } ];
|
static_configs = [{targets = ["proxmox:9221"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "personal_hardware";
|
job_name = "personal_hardware";
|
||||||
static_configs = [ { targets = [ "london:9100" "vancouver:9100" "localhost:9100" ]; } ];
|
static_configs = [{targets = ["london:9100" "vancouver:9100" "localhost:9100"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "speedtest-exporter";
|
job_name = "speedtest-exporter";
|
||||||
scrape_interval = "1h";
|
scrape_interval = "1h";
|
||||||
scrape_timeout = "1m";
|
scrape_timeout = "1m";
|
||||||
static_configs = [ { targets = [ "vancouver:9798" ]; } ];
|
static_configs = [{targets = ["vancouver:9798"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "syncthing";
|
job_name = "syncthing";
|
||||||
static_configs = [ { targets = [ "vancouver:8384" "london:8384" ]; } ];
|
static_configs = [{targets = ["vancouver:8384" "london:8384"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "forgejo";
|
job_name = "forgejo";
|
||||||
static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
|
static_configs = [{targets = ["git.gmem.ca"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "coredns";
|
job_name = "coredns";
|
||||||
static_configs = [ { targets = [ "vancouver:9253" ]; } ];
|
static_configs = [{targets = ["vancouver:9253"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "healthchecks";
|
job_name = "healthchecks";
|
||||||
scrape_interval = "60s";
|
scrape_interval = "60s";
|
||||||
metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
|
metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
|
||||||
static_configs = [ { targets = [ "localhost:8000" ]; } ];
|
static_configs = [{targets = ["localhost:8000"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "vrc_events";
|
job_name = "vrc_events";
|
||||||
scrape_interval = "60s";
|
scrape_interval = "60s";
|
||||||
static_configs = [ { targets = [ "vancouver:6534" ]; } ];
|
static_configs = [{targets = ["vancouver:6534"];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "blackbox";
|
job_name = "blackbox";
|
||||||
metrics_path = "/probe";
|
metrics_path = "/probe";
|
||||||
params = { "modules" = [ "http_2xx" ]; };
|
params = {"modules" = ["http_2xx"];};
|
||||||
static_configs = [ { targets = [ "google.com" "gabrielsimmer.com" "artbybecki.com" ]; } ];
|
static_configs = [{targets = ["google.com" "gabrielsimmer.com" "artbybecki.com"];}];
|
||||||
relabel_configs = [
|
relabel_configs = [
|
||||||
{ source_labels = ["__address__"]; target_label = "__param_target"; }
|
{
|
||||||
{ source_labels = ["__param_target"]; target_label = "instance"; }
|
source_labels = ["__address__"];
|
||||||
{ source_labels = []; target_label = "__address__"; replacement = "vancouver:9115"; } ];
|
target_label = "__param_target";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
source_labels = ["__param_target"];
|
||||||
|
target_label = "instance";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
source_labels = [];
|
||||||
|
target_label = "__address__";
|
||||||
|
replacement = "vancouver:9115";
|
||||||
|
}
|
||||||
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
exporters.node = {
|
exporters.node = {
|
||||||
enable = true;
|
enable = true;
|
||||||
listenAddress = "127.0.0.1";
|
listenAddress = "127.0.0.1";
|
||||||
enabledCollectors = [
|
enabledCollectors = [
|
||||||
"systemd" "processes"
|
"systemd"
|
||||||
|
"processes"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
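Review bot: The healthchecks job's `metrics_path = "/projects/…/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk"` embeds the project's read key, so that credential is written verbatim into the world-readable `/nix/store` on every rebuild and is already in this repository's history; the `password_file = config.age.secrets.prometheus-password-secret.path` used for the alertmanager `basic_auth` above shows the agenix pattern it should follow. Rotate the key, then keep that job out of `scrapeConfigs` and load it from an age-encrypted file through Prometheus's `scrape_config_files` (the NixOS module does not appear to expose that as an option, so it may need to go via the rendered config). Separately, `extraFlags = ["--web.enable-remote-write-receiver"];` opens an unauthenticated write endpoint on `port = 9001`, and with the firewall disabled elsewhere in this file anyone who can reach the host can inject samples that feed the alert rules above; adding `"--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}"` to that list, mirroring the alertmanager `extraFlags`, puts basic auth in front of it, with the caveat that other readers of this Prometheus then need credentials too. All of this is pre-existing; the commit only reformats.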
|
@ -361,7 +390,7 @@
|
||||||
TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path;
|
TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# nginx reverse proxy
|
# nginx reverse proxy
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -1,14 +1,18 @@
|
||||||
{ modulesPath, ... }:
|
{modulesPath, ...}: {
|
||||||
{
|
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
efiSupport = true;
|
efiSupport = true;
|
||||||
efiInstallAsRemovable = true;
|
efiInstallAsRemovable = true;
|
||||||
device = "nodev";
|
device = "nodev";
|
||||||
};
|
};
|
||||||
fileSystems."/boot" = { device = "/dev/disk/by-uuid/77CF-345D"; fsType = "vfat"; };
|
fileSystems."/boot" = {
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
|
device = "/dev/disk/by-uuid/77CF-345D";
|
||||||
boot.initrd.kernelModules = [ "nvme" ];
|
fsType = "vfat";
|
||||||
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
};
|
||||||
|
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
|
||||||
|
boot.initrd.kernelModules = ["nvme"];
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/sda1";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
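Review bot: `fileSystems."/"` at the end of the hunk pins the root filesystem to `device = "/dev/sda1";` while `/boot` in the same file is addressed by `/dev/disk/by-uuid/...`; a bare device name depends on the guest's disk enumeration order (the initrd loads both `xen_blkfront` and `nvme`), so a change in that order can leave the system unbootable. Prefer `device = "/dev/disk/by-uuid/<ROOT-UUID-PLACEHOLDER>";` (or by-partuuid/label) taken from `blkid` on the host. Not introduced by this formatting commit, but the file is being touched.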
|
|
|
@ -1,9 +1,10 @@
|
||||||
{ lib, ... }: {
|
{lib, ...}: {
|
||||||
# This file was populated at runtime with the networking
|
# This file was populated at runtime with the networking
|
||||||
# details gathered from the active system.
|
# details gathered from the active system.
|
||||||
networking = {
|
networking = {
|
||||||
nameservers = [ "8.8.8.8"
|
nameservers = [
|
||||||
];
|
"8.8.8.8"
|
||||||
|
];
|
||||||
defaultGateway = "172.31.1.1";
|
defaultGateway = "172.31.1.1";
|
||||||
defaultGateway6 = {
|
defaultGateway6 = {
|
||||||
address = "fe80::1";
|
address = "fe80::1";
|
||||||
|
@ -14,20 +15,38 @@
|
||||||
interfaces = {
|
interfaces = {
|
||||||
eth0 = {
|
eth0 = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{ address="91.107.206.145"; prefixLength=32; }
|
{
|
||||||
|
address = "91.107.206.145";
|
||||||
|
prefixLength = 32;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
ipv6.addresses = [
|
ipv6.addresses = [
|
||||||
{ address="2a01:4f8:c012:5ec6::1"; prefixLength=64; }
|
{
|
||||||
{ address="fe80::9400:2ff:fe83:3979"; prefixLength=64; }
|
address = "2a01:4f8:c012:5ec6::1";
|
||||||
|
prefixLength = 64;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "fe80::9400:2ff:fe83:3979";
|
||||||
|
prefixLength = 64;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ipv4.routes = [
|
||||||
|
{
|
||||||
|
address = "172.31.1.1";
|
||||||
|
prefixLength = 32;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ipv6.routes = [
|
||||||
|
{
|
||||||
|
address = "fe80::1";
|
||||||
|
prefixLength = 128;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
|
|
||||||
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.udev.extraRules = ''
|
services.udev.extraRules = ''
|
||||||
ATTR{address}=="96:00:02:83:39:79", NAME="eth0"
|
ATTR{address}=="96:00:02:83:39:79", NAME="eth0"
|
||||||
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
age.secrets.action-token = {
|
age.secrets.action-token = {
|
||||||
file = ../../secrets/vancouver-action-runner.age;
|
file = ../../secrets/vancouver-action-runner.age;
|
||||||
|
@ -42,7 +44,7 @@
|
||||||
efi.canTouchEfiVariables = true;
|
efi.canTouchEfiVariables = true;
|
||||||
};
|
};
|
||||||
supportedFilesystems = ["zfs"];
|
supportedFilesystems = ["zfs"];
|
||||||
kernelModules = [ "coretemp" "kvm-amd" "it87" ];
|
kernelModules = ["coretemp" "kvm-amd" "it87"];
|
||||||
zfs.extraPools = ["tank"];
|
zfs.extraPools = ["tank"];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -58,23 +60,29 @@
|
||||||
positions = {
|
positions = {
|
||||||
filename = "/tmp/positions.yaml";
|
filename = "/tmp/positions.yaml";
|
||||||
};
|
};
|
||||||
clients = [{
|
clients = [
|
||||||
url = "http://monitoring:3030/loki/api/v1/push";
|
{
|
||||||
}];
|
url = "http://monitoring:3030/loki/api/v1/push";
|
||||||
scrape_configs = [{
|
}
|
||||||
job_name = "journal";
|
];
|
||||||
journal = {
|
scrape_configs = [
|
||||||
max_age = "12h";
|
{
|
||||||
labels = {
|
job_name = "journal";
|
||||||
job = "systemd-journal";
|
journal = {
|
||||||
host = "vancouver";
|
max_age = "12h";
|
||||||
|
labels = {
|
||||||
|
job = "systemd-journal";
|
||||||
|
host = "vancouver";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
relabel_configs = [
|
||||||
relabel_configs = [{
|
{
|
||||||
source_labels = [ "__journal__systemd_unit" ];
|
source_labels = ["__journal__systemd_unit"];
|
||||||
target_label = "unit";
|
target_label = "unit";
|
||||||
}];
|
}
|
||||||
}];
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
restic = {
|
restic = {
|
||||||
|
@ -187,7 +195,9 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
listenAddress = "100.116.48.47";
|
listenAddress = "100.116.48.47";
|
||||||
enabledCollectors = [
|
enabledCollectors = [
|
||||||
"systemd" "zfs" "processes"
|
"systemd"
|
||||||
|
"zfs"
|
||||||
|
"processes"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -201,7 +211,7 @@
|
||||||
zfs.autoScrub.enable = true;
|
zfs.autoScrub.enable = true;
|
||||||
tailscale.enable = true;
|
tailscale.enable = true;
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
xserver.videoDrivers = [ "nvidia" ];
|
xserver.videoDrivers = ["nvidia"];
|
||||||
nfs.server.enable = true;
|
nfs.server.enable = true;
|
||||||
samba-wsdd.enable = true;
|
samba-wsdd.enable = true;
|
||||||
samba = {
|
samba = {
|
||||||
|
@ -209,18 +219,18 @@
|
||||||
securityType = "user";
|
securityType = "user";
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
workgroup = WORKGROUP
|
workgroup = WORKGROUP
|
||||||
server string = smbnix
|
server string = smbnix
|
||||||
netbios name = smbnix
|
netbios name = smbnix
|
||||||
security = user
|
security = user
|
||||||
#use sendfile = yes
|
#use sendfile = yes
|
||||||
#max protocol = smb2
|
#max protocol = smb2
|
||||||
# note: localhost is the ipv6 localhost ::1
|
# note: localhost is the ipv6 localhost ::1
|
||||||
hosts allow = 100. 192.168.50. 127.0.0.1 localhost
|
hosts allow = 100. 192.168.50. 127.0.0.1 localhost
|
||||||
hosts deny = 0.0.0.0/0
|
hosts deny = 0.0.0.0/0
|
||||||
guest account = nobody
|
guest account = nobody
|
||||||
map to guest = bad user
|
map to guest = bad user
|
||||||
'';
|
'';
|
||||||
shares = {
|
shares = {
|
||||||
streamboxes = {
|
streamboxes = {
|
||||||
path = "/tank/streamboxes";
|
path = "/tank/streamboxes";
|
||||||
|
@ -277,20 +287,19 @@
|
||||||
recommendedZstdSettings = true;
|
recommendedZstdSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
virtualHosts."git.gmem.ca" = {
|
virtualHosts."git.gmem.ca" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
acmeRoot = null;
|
acmeRoot = null;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
extraConfig =
|
extraConfig = ''
|
||||||
''
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
client_max_body_size 500M;
|
client_max_body_size 500M;
|
||||||
'';
|
'';
|
||||||
proxyPass = "http://127.0.0.1:8973/";
|
proxyPass = "http://127.0.0.1:8973/";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -400,8 +409,8 @@
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = [ 22 80 443 9798 2049 ];
|
allowedTCPPorts = [22 80 443 9798 2049];
|
||||||
allowedUDPPorts = [ 41641 ];
|
allowedUDPPorts = [41641];
|
||||||
};
|
};
|
||||||
nftables.enable = true;
|
nftables.enable = true;
|
||||||
};
|
};
|
||||||
|
@ -434,21 +443,22 @@
|
||||||
zsh.enable = true;
|
zsh.enable = true;
|
||||||
fish.enable = true;
|
fish.enable = true;
|
||||||
};
|
};
|
||||||
environment.shells = with pkgs; [ zsh fish ];
|
environment.shells = with pkgs; [zsh fish];
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
gsimmer = {
|
gsimmer = {
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
home = "/tank/gsimmer";
|
home = "/tank/gsimmer";
|
||||||
extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
|
extraGroups = ["wheel" "libvirtd" "qemu-libvirtd"];
|
||||||
openssh.authorizedKeys.keys = let
|
openssh.authorizedKeys.keys = let
|
||||||
authorizedKeys = pkgs.fetchurl {
|
authorizedKeys = pkgs.fetchurl {
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
becki = {
|
becki = {
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
|
@ -456,15 +466,16 @@
|
||||||
home = "/tank/becki";
|
home = "/tank/becki";
|
||||||
};
|
};
|
||||||
root.openssh.authorizedKeys.keys = let
|
root.openssh.authorizedKeys.keys = let
|
||||||
authorizedKeys = pkgs.fetchurl {
|
authorizedKeys = pkgs.fetchurl {
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
authorizedKeys);
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager.users.gsimmer = { pkgs, ... }: {
|
home-manager.users.gsimmer = {pkgs, ...}: {
|
||||||
programs.git = {
|
programs.git = {
|
||||||
userName = "Gabriel Simmer";
|
userName = "Gabriel Simmer";
|
||||||
userEmail = "git@gmem.ca";
|
userEmail = "git@gmem.ca";
|
||||||
|
@ -487,7 +498,7 @@
|
||||||
virtualisation.oci-containers.containers = {
|
virtualisation.oci-containers.containers = {
|
||||||
speedtest = {
|
speedtest = {
|
||||||
image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
|
image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
|
||||||
ports = [ "9798:9798" ];
|
ports = ["9798:9798"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
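Review bot: `addSSL = true;` on `virtualHosts."git.gmem.ca"` (hunk `@ -277,20 +287,19 @@`) keeps the plain-HTTP listener alongside HTTPS, so a forge login or push over `http://` is accepted and proxied as-is; if the intent is HTTPS-only, `forceSSL = true;` issues the redirect instead. Separately, in `@ -400,8 +409,8 @@` TCP 2049 (NFS) is opened on every interface while `samba` gets a `hosts allow` list; if the NFS exports are only meant for the LAN and tailnet, consider narrowing that with `networking.firewall.interfaces.<if>.allowedTCPPorts` or the export's client spec. The enclosing `services` attrset starts and ends outside these hunks.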
|
|
|
@ -1,31 +1,35 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
lib,
|
||||||
];
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
boot.kernelModules = [ "kvm-amd" ];
|
boot.kernelModules = ["kvm-amd"];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064";
|
device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-uuid/77EB-F216";
|
device = "/dev/disk/by-uuid/77EB-F216";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices = [
|
||||||
[ { device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4"; }
|
{device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4";}
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
{ config, pkgs, callPackage, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
callPackage,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
home.username = "gsimmer";
|
home.username = "gsimmer";
|
||||||
home.homeDirectory = "/tank/gsimmer";
|
home.homeDirectory = "/tank/gsimmer";
|
||||||
|
|
||||||
|
@ -10,31 +13,31 @@
|
||||||
programs.fish = {
|
programs.fish = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interactiveShellInit = ''
|
interactiveShellInit = ''
|
||||||
set fish_greeting
|
set fish_greeting
|
||||||
if test "$TERM" = "dumb"
|
if test "$TERM" = "dumb"
|
||||||
function fish_prompt
|
function fish_prompt
|
||||||
echo "\$ "
|
echo "\$ "
|
||||||
end
|
end
|
||||||
|
|
||||||
function fish_right_prompt; end
|
function fish_right_prompt; end
|
||||||
function fish_greeting; end
|
function fish_greeting; end
|
||||||
function fish_title; end
|
function fish_title; end
|
||||||
end
|
end
|
||||||
atuin init fish | source
|
atuin init fish | source
|
||||||
'';
|
'';
|
||||||
loginShellInit = ''
|
loginShellInit = ''
|
||||||
if test "$TERM" = "dumb"
|
if test "$TERM" = "dumb"
|
||||||
function fish_prompt
|
function fish_prompt
|
||||||
echo "\$ "
|
echo "\$ "
|
||||||
end
|
end
|
||||||
|
|
||||||
function fish_right_prompt; end
|
function fish_right_prompt; end
|
||||||
function fish_greeting; end
|
function fish_greeting; end
|
||||||
function fish_title; end
|
function fish_title; end
|
||||||
end
|
end
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.direnv = {
|
programs.direnv = {
|
||||||
enable = true;
|
enable = true;
|
||||||
nix-direnv.enable = true;
|
nix-direnv.enable = true;
|
||||||
|
@ -48,8 +51,8 @@ end
|
||||||
programs.bat = {
|
programs.bat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
home.packages = with pkgs; [ atuin ];
|
home.packages = with pkgs; [atuin];
|
||||||
|
|
||||||
# This value determines the Home Manager release that your
|
# This value determines the Home Manager release that your
|
||||||
# configuration is compatible with. This helps avoid breakage
|
# configuration is compatible with. This helps avoid breakage
|
||||||
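Review bot: The `if test "$TERM" = "dumb" … end` block in `interactiveShellInit` is repeated verbatim in `loginShellInit` (hunk `@ -10,31 +13,31 @@`); a `let dumbTermInit = '' … ''; in` binding used from both, as `interactiveShellInit = dumbTermInit + '' … '';`, would keep the two copies from drifting. Also, `callPackage` in the module's argument pattern (`@ -1,6 +1,9 @@`) is not an argument the module system supplies by default; unless `_module.args.callPackage` is set elsewhere, evaluating this module would fail, so it is worth confirming the file is still imported. Purely style otherwise; behaviour is unchanged by this commit.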
|
|
|
@ -1,82 +1,85 @@
|
||||||
{ lib
|
{
|
||||||
, fetchurl
|
lib,
|
||||||
, installShellFiles
|
fetchurl,
|
||||||
, makeWrapper
|
installShellFiles,
|
||||||
, terraform
|
makeWrapper,
|
||||||
, stdenvNoCC
|
terraform,
|
||||||
, unzip
|
stdenvNoCC,
|
||||||
}:
|
unzip,
|
||||||
let
|
}: let
|
||||||
inherit (stdenvNoCC.hostPlatform) system;
|
inherit (stdenvNoCC.hostPlatform) system;
|
||||||
in
|
in
|
||||||
|
stdenvNoCC.mkDerivation rec {
|
||||||
|
pname = "coder";
|
||||||
|
version = "2.3.3";
|
||||||
|
|
||||||
stdenvNoCC.mkDerivation rec {
|
src = fetchurl {
|
||||||
pname = "coder";
|
sha256 =
|
||||||
version = "2.3.3";
|
{
|
||||||
|
x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ=";
|
||||||
|
x86_64-darwin = lib.fakeHash;
|
||||||
|
aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs=";
|
||||||
|
aarch64-darwin = "";
|
||||||
|
}
|
||||||
|
.${system};
|
||||||
|
|
||||||
src = fetchurl {
|
url = let
|
||||||
sha256 = {
|
systemName =
|
||||||
x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ=";
|
{
|
||||||
x86_64-darwin = lib.fakeHash;
|
x86_64-linux = "linux_amd64";
|
||||||
aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs=";
|
aarch64-linux = "linux_arm64";
|
||||||
aarch64-darwin = "";
|
x86_64-darwin = "darwin_amd64";
|
||||||
}.${system};
|
aarch64-darwin = "darwin_arm64";
|
||||||
|
}
|
||||||
|
.${system};
|
||||||
|
|
||||||
url =
|
ext =
|
||||||
let
|
{
|
||||||
systemName = {
|
x86_64-linux = "tar.gz";
|
||||||
x86_64-linux = "linux_amd64";
|
aarch64-linux = "tar.gz";
|
||||||
aarch64-linux = "linux_arm64";
|
x86_64-darwin = "zip";
|
||||||
x86_64-darwin = "darwin_amd64";
|
aarch64-darwin = "zip";
|
||||||
aarch64-darwin = "darwin_arm64";
|
}
|
||||||
}.${system};
|
.${system};
|
||||||
|
in "https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
|
||||||
|
};
|
||||||
|
|
||||||
ext = {
|
nativeBuildInputs = [
|
||||||
x86_64-linux = "tar.gz";
|
installShellFiles
|
||||||
aarch64-linux = "tar.gz";
|
makeWrapper
|
||||||
x86_64-darwin = "zip";
|
unzip
|
||||||
aarch64-darwin = "zip";
|
];
|
||||||
}.${system};
|
|
||||||
in
|
|
||||||
"https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
|
|
||||||
};
|
|
||||||
|
|
||||||
nativeBuildInputs = [
|
unpackPhase = ''
|
||||||
installShellFiles
|
printf 'Decompressing %s\n' "$src"
|
||||||
makeWrapper
|
case $src in
|
||||||
unzip
|
*.tar.gz) tar -xz -f "$src" ;;
|
||||||
];
|
*.zip) unzip "$src" ;;
|
||||||
|
esac
|
||||||
|
'';
|
||||||
|
|
||||||
unpackPhase = ''
|
installPhase = ''
|
||||||
printf 'Decompressing %s\n' "$src"
|
mkdir -p $out/bin
|
||||||
case $src in
|
cp coder $out/bin
|
||||||
*.tar.gz) tar -xz -f "$src" ;;
|
'';
|
||||||
*.zip) unzip "$src" ;;
|
|
||||||
esac
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
postInstall = ''
|
||||||
mkdir -p $out/bin
|
installShellCompletion --cmd coder \
|
||||||
cp coder $out/bin
|
--bash <($out/bin/coder completion bash) \
|
||||||
'';
|
--fish <($out/bin/coder completion fish) \
|
||||||
|
--zsh <($out/bin/coder completion zsh)
|
||||||
|
|
||||||
postInstall = ''
|
wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [terraform]}
|
||||||
installShellCompletion --cmd coder \
|
'';
|
||||||
--bash <($out/bin/coder completion bash) \
|
|
||||||
--fish <($out/bin/coder completion fish) \
|
|
||||||
--zsh <($out/bin/coder completion zsh)
|
|
||||||
|
|
||||||
wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [ terraform ]}
|
# integration tests require network access
|
||||||
'';
|
doCheck = false;
|
||||||
|
|
||||||
# integration tests require network access
|
meta = {
|
||||||
doCheck = false;
|
description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes";
|
||||||
|
homepage = "https://coder.com";
|
||||||
meta = {
|
license = lib.licenses.agpl3;
|
||||||
description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes";
|
maintainers = [lib.maintainers.ghuntley lib.maintainers.urandom];
|
||||||
homepage = "https://coder.com";
|
broken = false;
|
||||||
license = lib.licenses.agpl3;
|
};
|
||||||
maintainers = [ lib.maintainers.ghuntley lib.maintainers.urandom ];
|
}
|
||||||
broken = false;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
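Review bot: In `src.sha256` the `aarch64-darwin` entry is the empty string while `x86_64-darwin` uses `lib.fakeHash`; both act as placeholders, but `""` relies on fetchurl's handling of an empty hash, whereas `lib.fakeHash` fails with an explicit mismatch that prints the real hash. Use `aarch64-darwin = lib.fakeHash;` for consistency, or drop the unbuilt darwin entries and let `.${system}` fail with a clear missing-attribute error. `broken = false;` in `meta` is the default and can be removed.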
|
|
|
@ -1,13 +1,15 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||||
boot.tmp.cleanOnBoot = true;
|
boot.tmp.cleanOnBoot = true;
|
||||||
zramSwap.enable = true;
|
zramSwap.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -38,37 +40,38 @@
|
||||||
|
|
||||||
programs.zsh.enable = true;
|
programs.zsh.enable = true;
|
||||||
programs.fish.enable = true;
|
programs.fish.enable = true;
|
||||||
environment.shells = with pkgs; [ zsh fish ];
|
environment.shells = with pkgs; [zsh fish];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "forgejo-action-runner";
|
hostName = "forgejo-action-runner";
|
||||||
domain = "gmem.ca";
|
domain = "gmem.ca";
|
||||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
nameservers = ["1.1.1.1" "1.0.0.1"];
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = [ 22 80 443 4328 ];
|
allowedTCPPorts = [22 80 443 4328];
|
||||||
allowedUDPPorts = [ ];
|
allowedUDPPorts = [];
|
||||||
};
|
};
|
||||||
nftables.enable = true;
|
nftables.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
root.openssh.authorizedKeys.keys = let
|
root.openssh.authorizedKeys.keys = let
|
||||||
authorizedKeys = pkgs.fetchurl {
|
authorizedKeys = pkgs.fetchurl {
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker = {
|
docker = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.tailscale.enable = true;
|
services.tailscale.enable = true;
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
|
|
|
@ -1,15 +1,19 @@
|
||||||
{ modulesPath, ... }:
|
{modulesPath, ...}: {
|
||||||
{
|
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
||||||
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
efiSupport = true;
|
efiSupport = true;
|
||||||
efiInstallAsRemovable = true;
|
efiInstallAsRemovable = true;
|
||||||
device = "nodev";
|
device = "nodev";
|
||||||
};
|
};
|
||||||
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
|
fileSystems."/boot/efi" = {
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
|
device = "/dev/disk/by-uuid/CC2E-AEC0";
|
||||||
boot.initrd.kernelModules = [ "nvme" ];
|
fsType = "vfat";
|
||||||
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
|
};
|
||||||
|
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
|
||||||
|
boot.initrd.kernelModules = ["nvme"];
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/mapper/ocivolume-root";
|
||||||
|
fsType = "xfs";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
tmp.cleanOnBoot = true;
|
tmp.cleanOnBoot = true;
|
||||||
};
|
};
|
||||||
|
@ -25,7 +27,7 @@
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
min-free = ${toString (100 * 1024 * 1024)}
|
min-free = ${toString (100 * 1024 * 1024)}
|
||||||
max-free = ${toString (1024 * 1024 * 1024)}
|
max-free = ${toString (1024 * 1024 * 1024)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -34,16 +36,22 @@
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
allowedTCPPorts = [ 80 443 1935 ];
|
allowedTCPPorts = [80 443 1935];
|
||||||
allowedUDPPortRanges = [
|
allowedUDPPortRanges = [
|
||||||
{ from = 4000; to = 4007; }
|
{
|
||||||
{ from = 8000; to = 8010; }
|
from = 4000;
|
||||||
|
to = 4007;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
from = 8000;
|
||||||
|
to = 8010;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
allowedUDPPorts = [ 41641 1935 ];
|
allowedUDPPorts = [41641 1935];
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
nftables.enable = true;
|
nftables.enable = true;
|
||||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
nameservers = ["1.1.1.1" "1.0.0.1"];
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = "Europe/London";
|
time.timeZone = "Europe/London";
|
||||||
|
@ -53,8 +61,9 @@
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
|
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
vim
|
vim
|
||||||
|
@ -77,7 +86,7 @@
|
||||||
openFirewall = false;
|
openFirewall = false;
|
||||||
};
|
};
|
||||||
nginx = {
|
nginx = {
|
||||||
additionalModules = [ pkgs.nginxModules.rtmp ];
|
additionalModules = [pkgs.nginxModules.rtmp];
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
|
@ -92,16 +101,15 @@
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:8080";
|
proxyPass = "http://127.0.0.1:8080";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
|
||||||
extraConfig =
|
extraConfig = ''
|
||||||
''
|
|
||||||
client_max_body_size 100M;
|
client_max_body_size 100M;
|
||||||
proxy_pass_header Authorization;
|
proxy_pass_header Authorization;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
appendConfig = ''
|
appendConfig = ''
|
||||||
rtmp {
|
rtmp {
|
||||||
server {
|
server {
|
||||||
|
@ -135,5 +143,4 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
||||||
|
|
||||||
}
|
}
|
||||||
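Review bot: `allowedUDPPorts = [41641 1935];` in hunk `@ -34,16 +36,22 @@` opens UDP 1935 alongside TCP 1935, but the RTMP server configured in `appendConfig` (`rtmp { server { … } }`) is TCP-only; unless something else binds UDP 1935, the entry is surplus exposure and can be reduced to `allowedUDPPorts = [41641];`. 41641 is Tailscale's default WireGuard port and matches `trustedInterfaces = ["tailscale0"]`, so that one looks intended. The enclosing `networking` attrset starts outside the hunk.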
|
|
|
@ -1,15 +1,19 @@
|
||||||
{ modulesPath, ... }:
|
{modulesPath, ...}: {
|
||||||
{
|
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
||||||
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
efiSupport = true;
|
efiSupport = true;
|
||||||
efiInstallAsRemovable = true;
|
efiInstallAsRemovable = true;
|
||||||
device = "nodev";
|
device = "nodev";
|
||||||
};
|
};
|
||||||
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
|
fileSystems."/boot/efi" = {
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
|
device = "/dev/disk/by-uuid/CC2E-AEC0";
|
||||||
boot.initrd.kernelModules = [ "nvme" ];
|
fsType = "vfat";
|
||||||
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
|
};
|
||||||
|
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
|
||||||
|
boot.initrd.kernelModules = ["nvme"];
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/mapper/ocivolume-root";
|
||||||
|
fsType = "xfs";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
age.secrets.k3s-token = {
|
age.secrets.k3s-token = {
|
||||||
file = ../../secrets/k3s-token.age;
|
file = ../../secrets/k3s-token.age;
|
||||||
|
@ -12,19 +14,18 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
supportedFilesystems = [ "nfs" ];
|
supportedFilesystems = ["nfs"];
|
||||||
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ];
|
kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
|
||||||
loader = {
|
loader = {
|
||||||
systemd-boot.enable = true;
|
systemd-boot.enable = true;
|
||||||
efi.canTouchEfiVariables = true;
|
efi.canTouchEfiVariables = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
swapDevices = [
|
swapDevices = [
|
||||||
{
|
{
|
||||||
device = "/var/lib/swapfile";
|
device = "/var/lib/swapfile";
|
||||||
size = 8*1024;
|
size = 8 * 1024;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -42,7 +43,7 @@
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
min-free = ${toString (100 * 1024 * 1024)}
|
min-free = ${toString (100 * 1024 * 1024)}
|
||||||
max-free = ${toString (1024 * 1024 * 1024)}
|
max-free = ${toString (1024 * 1024 * 1024)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -51,8 +52,8 @@
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
allowedUDPPorts = [ 41641 ];
|
allowedUDPPorts = [41641];
|
||||||
allowedTCPPorts = [ 22 80 443 6443 10250 ];
|
allowedTCPPorts = [22 80 443 6443 10250];
|
||||||
enable = false;
|
enable = false;
|
||||||
};
|
};
|
||||||
nftables.enable = false;
|
nftables.enable = false;
|
||||||
|
@ -62,7 +63,7 @@
|
||||||
|
|
||||||
users.users.gsimmer = {
|
users.users.gsimmer = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = ["wheel"];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
tree
|
tree
|
||||||
];
|
];
|
||||||
|
@ -71,8 +72,9 @@
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -99,5 +101,4 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,31 +1,35 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
lib,
|
||||||
];
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk" ];
|
boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee";
|
device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-uuid/92BB-B090";
|
device = "/dev/disk/by-uuid/92BB-B090";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices = [
|
||||||
[ { device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c"; }
|
{device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c";}
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1,15 +1,17 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ # Include the results of the hardware scan.
|
pkgs,
|
||||||
./hardware.nix
|
...
|
||||||
];
|
}: {
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware.nix
|
||||||
|
];
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
supportedFilesystems = [ "nfs" ];
|
supportedFilesystems = ["nfs"];
|
||||||
kernelPackages = pkgs.linuxPackages_rpi4;
|
kernelPackages = pkgs.linuxPackages_rpi4;
|
||||||
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ];
|
kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
|
||||||
loader = {
|
loader = {
|
||||||
grub.enable = false;
|
grub.enable = false;
|
||||||
generic-extlinux-compatible.enable = true;
|
generic-extlinux-compatible.enable = true;
|
||||||
|
@ -19,7 +21,7 @@
|
||||||
swapDevices = [
|
swapDevices = [
|
||||||
{
|
{
|
||||||
device = "/var/lib/swapfile";
|
device = "/var/lib/swapfile";
|
||||||
size = 8*1024;
|
size = 8 * 1024;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -37,7 +39,7 @@
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
min-free = ${toString (100 * 1024 * 1024)}
|
min-free = ${toString (100 * 1024 * 1024)}
|
||||||
max-free = ${toString (1024 * 1024 * 1024)}
|
max-free = ${toString (1024 * 1024 * 1024)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -46,8 +48,8 @@
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = ["tailscale0"];
|
trustedInterfaces = ["tailscale0"];
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
allowedTCPPorts = [ 22 80 443 6443 10250 ];
|
allowedTCPPorts = [22 80 443 6443 10250];
|
||||||
allowedUDPPorts = [ 41641 80 443 ];
|
allowedUDPPorts = [41641 80 443];
|
||||||
enable = false;
|
enable = false;
|
||||||
};
|
};
|
||||||
nftables.enable = false;
|
nftables.enable = false;
|
||||||
|
@ -57,7 +59,7 @@
|
||||||
|
|
||||||
users.users.gsimmer = {
|
users.users.gsimmer = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = ["wheel"];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
tree
|
tree
|
||||||
];
|
];
|
||||||
|
@ -66,8 +68,9 @@
|
||||||
url = "https://gmem.ca/ssh";
|
url = "https://gmem.ca/ssh";
|
||||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||||
};
|
};
|
||||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
in
|
||||||
authorizedKeys);
|
pkgs.lib.splitString "\n" (builtins.readFile
|
||||||
|
authorizedKeys);
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -103,5 +106,4 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,24 +1,28 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
config,
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
lib,
|
||||||
];
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
boot.initrd.availableKernelModules = ["xhci_pci" "uas"];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
{ lib, pkgs, ... }: {
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
|
||||||
];
|
];
|
||||||
sdImage.compressImage = false;
|
sdImage.compressImage = false;
|
||||||
systemd.services.openssh.wantedBy = lib.mkOverride 40 [ "multi-user.target" ];
|
systemd.services.openssh.wantedBy = lib.mkOverride 40 ["multi-user.target"];
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
vim
|
vim
|
||||||
wget
|
wget
|
||||||
|
|
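--- a/secrets.nix
+++ b/secrets.nix
@@ -1,28 +1,27 @@
 let
 vancouver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC30kDkktiWJGaJEIrqgneQx1SmIYUEVPm7w1F9p//CB";
 monitoring = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDtzsbxKgZ/NBYlYO2EJQZhBy3nVBVERWebbsP9mLcy";
-machines = [ vancouver monitoring ];
+machines = [vancouver monitoring];
 
 proxmox-k3s-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1KEjdFl0UmuKfESJTMZdKR2H9a405z0SSlt75NKKht";
 seattle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9pTEqeVljLq0ctFgDn25Q76mCqpddkSNN9kd3IQXd1";
 glasgow = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgZSpfnx/4kfE4P1tFpq047IZkF2Q0UYahputnWxtEJ";
-k3s = [ proxmox-k3s-node seattle glasgow ];
+k3s = [proxmox-k3s-node seattle glasgow];
 
 gsimmer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com";
-users = [ gsimmer ];
-in
-{
-"secrets/vancouver-action-runner.age".publicKeys = [ vancouver gsimmer ];
-"secrets/vancouver-restic-b2.age".publicKeys = [ vancouver gsimmer ];
-"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
-"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
-"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
-"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ];
-"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
+users = [gsimmer];
+in {
+"secrets/vancouver-action-runner.age".publicKeys = [vancouver gsimmer];
+"secrets/vancouver-restic-b2.age".publicKeys = [vancouver gsimmer];
+"secrets/vancouver-restic-password.age".publicKeys = [vancouver gsimmer];
+"secrets/monitoring-healthchecks-secret.age".publicKeys = [monitoring gsimmer];
+"secrets/monitoring-healthchecks-ro.age".publicKeys = [monitoring gsimmer];
+"secrets/monitoring-prometheus-webconfig.age".publicKeys = [monitoring gsimmer];
+"secrets/monitoring-prometheus-password.age".publicKeys = [monitoring gsimmer];
 "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
 "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
-"secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
+"secrets/healthchecks-telegram.age".publicKeys = [monitoring gsimmer];
 "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
-"secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
+"secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer];
 "secrets/k3s-token.age".publicKeys = k3s ++ users;
 }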
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ ... }: {
|
{...}: {
|
||||||
terraform = {
|
terraform = {
|
||||||
required_providers = {
|
required_providers = {
|
||||||
cloudflare.source = "cloudflare/cloudflare";
|
cloudflare.source = "cloudflare/cloudflare";
|
||||||
|
@ -6,13 +6,13 @@
|
||||||
};
|
};
|
||||||
backend."s3" = {
|
backend."s3" = {
|
||||||
bucket = "gsimmer-terraform-state";
|
bucket = "gsimmer-terraform-state";
|
||||||
key = "state/personal.tfstate";
|
key = "state/personal.tfstate";
|
||||||
region = "eu-west-2";
|
region = "eu-west-2";
|
||||||
|
|
||||||
dynamodb_table = "gsimmer-terraform-lock";
|
dynamodb_table = "gsimmer-terraform-lock";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
provider = {
|
provider = {
|
||||||
"cloudflare" = {};
|
"cloudflare" = {};
|
||||||
"aws" = [
|
"aws" = [
|
||||||
|
|