format with alejandra style

This commit is contained in:
Gabriel Simmer 2024-02-05 13:13:44 +00:00
parent 02a87f0294
commit 9439acf4d1
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
41 changed files with 1765 additions and 1355 deletions

flake.nix

@ -22,48 +22,70 @@
kubenix.url = "github:hall/kubenix"; kubenix.url = "github:hall/kubenix";
}; };
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy, nixpkgs-wayland, kubenix, kde2nix }@inputs: outputs = {
let self,
pkgs = nixpkgs.legacyPackages.x86_64-linux; nixpkgs,
tf = terranix.lib.terranixConfiguration { nixos-generators,
system = "x86_64-linux"; nixinate,
modules = [ ./terraform/main.nix ]; home-manager,
}; agenix,
in { terranix,
devShells.x86_64-linux.default = with pkgs; mkShell { alertmanager-ntfy,
shellHook = nixpkgs-wayland,
'' kubenix,
set -o allexport kde2nix,
source .env set } @ inputs: let
set +o allexport pkgs = nixpkgs.legacyPackages.x86_64-linux;
''; tf = terranix.lib.terranixConfiguration {
system = "x86_64-linux";
modules = [./terraform/main.nix];
};
in {
devShells.x86_64-linux.default = with pkgs;
mkShell {
shellHook = ''
set -o allexport
source .env set
set +o allexport
'';
nativeBuildInputs = [ nativeBuildInputs = [
jq opentofu kubectl jq
k9s terraform-ls kubernetes-helm opentofu
kubectl
k9s
terraform-ls
kubernetes-helm
nil nil
]; ];
buildInputs = [ ]; buildInputs = [];
}; };
packages.aarch64-linux = { packages.aarch64-linux = {
raspberry-pi = nixos-generators.nixosGenerate { raspberry-pi = nixos-generators.nixosGenerate {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix") (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix")
./pi-imgs/pi-initial.nix ./pi-imgs/pi-initial.nix
]; ];
format = "sd-aarch64-installer"; format = "sd-aarch64-installer";
};
}; };
packages.x86_64-linux = { };
kubernetes = (kubenix.evalModules.x86_64-linux { packages.x86_64-linux = {
module = { kubenix, ... }: { kubernetes =
(kubenix.evalModules.x86_64-linux {
module = {kubenix, ...}: {
imports = [ imports = [
kubenix.modules.k8s ./homelab/kubernetes.nix kubenix.modules.k8s
./homelab/kubernetes.nix
]; ];
}; };
}).config.kubernetes.result; })
}; .config
apps = nixinate.nixinate.x86_64-linux self // { .kubernetes
.result;
};
apps =
nixinate.nixinate.x86_64-linux self
// {
x86_64-linux = { x86_64-linux = {
kube-apply = { kube-apply = {
type = "app"; type = "app";
@ -80,176 +102,180 @@
tf-plan = { tf-plan = {
type = "app"; type = "app";
program = toString (pkgs.writers.writeBash "plan" '' program = toString (pkgs.writers.writeBash "plan" ''
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
cp ${tf} terraform/config.tf.json \ cp ${tf} terraform/config.tf.json \
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \ && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out && ${pkgs.opentofu}/bin/tofu -chdir=terraform plan -out=plan.out
''); '');
}; };
tf-apply = { tf-apply = {
type = "app"; type = "app";
program = toString (pkgs.writers.writeBash "apply" '' program = toString (pkgs.writers.writeBash "apply" ''
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
cp ${tf} terraform/config.tf.json \ cp ${tf} terraform/config.tf.json \
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform init \ && ${pkgs.opentofu}/bin/tofu -chdir=terraform init \
&& ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out && ${pkgs.opentofu}/bin/tofu -chdir=terraform apply plan.out
''); '');
}; };
}; };
}; };
homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration { homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ ./nix/london/gsimmer.nix ]; modules = [./nix/london/gsimmer.nix];
}; };
nixosConfigurations = { nixosConfigurations = {
london = nixpkgs.lib.nixosSystem { london = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
kde2nix.nixosModules.plasma6 kde2nix.nixosModules.plasma6
(import ./nix/london/configuration.nix) (import ./nix/london/configuration.nix)
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{
home-manager.useUserPackages = true;
home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
}
(
{ {
home-manager.useUserPackages = true; pkgs,
home-manager.users.gsimmer = import ./nix/london/gsimmer.nix; config,
} ...
({pkgs, config, ... }: }: {
{ config = {
config = { nix.settings = {
nix.settings = { # add binary caches
# add binary caches trusted-public-keys = [
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
]; substituters = [
substituters = [ "https://cache.nixos.org"
"https://cache.nixos.org" "https://nixpkgs-wayland.cachix.org"
"https://nixpkgs-wayland.cachix.org" "https://nix-community.cachix.org"
"https://nix-community.cachix.org" ];
];
};
# use it as an overlay
nixpkgs.overlays = [ nixpkgs-wayland.overlay ];
}; };
}
) # use it as an overlay
]; nixpkgs.overlays = [nixpkgs-wayland.overlay];
};
oracle-gitea-runner = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
(import ./nix/oracle-gitea-runner/configuration.nix)
{
_module.args.nixinate = {
host = "143.47.229.209";
sshUser = "root";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
}; };
} }
]; )
}; ];
oracle-stream = nixpkgs.lib.nixosSystem { };
system = "aarch64-linux"; oracle-gitea-runner = nixpkgs.lib.nixosSystem {
modules = [ system = "aarch64-linux";
(import ./nix/oracle-stream/configuration.nix) modules = [
{ (import ./nix/oracle-gitea-runner/configuration.nix)
_module.args.nixinate = { {
host = "100.98.25.34"; _module.args.nixinate = {
sshUser = "root"; host = "143.47.229.209";
buildOn = "remote"; sshUser = "root";
substituteOnTarget = true; buildOn = "remote";
hermetic = false; substituteOnTarget = true;
}; hermetic = false;
} };
]; }
}; ];
monitoring = nixpkgs.lib.nixosSystem { };
system = "aarch64-linux"; oracle-stream = nixpkgs.lib.nixosSystem {
modules = [ system = "aarch64-linux";
(import ./nix/monitoring/configuration.nix) modules = [
agenix.nixosModules.default (import ./nix/oracle-stream/configuration.nix)
alertmanager-ntfy.nixosModules.x86_64-linux.default {
{ _module.args.nixinate = {
_module.args.nixinate = { host = "100.98.25.34";
host = "monitoring"; sshUser = "root";
sshUser = "root"; buildOn = "remote";
buildOn = "remote"; substituteOnTarget = true;
substituteOnTarget = true; hermetic = false;
hermetic = false; };
}; }
} ];
]; };
}; monitoring = nixpkgs.lib.nixosSystem {
nas = nixpkgs.lib.nixosSystem { system = "aarch64-linux";
system = "x86_64-linux"; modules = [
modules = [ (import ./nix/monitoring/configuration.nix)
(import ./nix/nas/configuration.nix) agenix.nixosModules.default
agenix.nixosModules.default alertmanager-ntfy.nixosModules.x86_64-linux.default
home-manager.nixosModules.home-manager {
{ _module.args.nixinate = {
home-manager.users.gsimmer = import ./nix/nas/home.nix; host = "monitoring";
_module.args.nixinate = { sshUser = "root";
host = "vancouver"; buildOn = "remote";
sshUser = "gsimmer"; substituteOnTarget = true;
buildOn = "remote"; hermetic = false;
substituteOnTarget = true; };
hermetic = false; }
}; ];
} };
]; nas = nixpkgs.lib.nixosSystem {
}; system = "x86_64-linux";
seattle = nixpkgs.lib.nixosSystem { modules = [
system = "aarch64-linux"; (import ./nix/nas/configuration.nix)
modules = [ agenix.nixosModules.default
agenix.nixosModules.default home-manager.nixosModules.home-manager
(import ./nix/seattle/configuration.nix) {
{ home-manager.users.gsimmer = import ./nix/nas/home.nix;
_module.args.nixinate = { _module.args.nixinate = {
host = "seattle"; host = "vancouver";
sshUser = "gsimmer"; sshUser = "gsimmer";
buildOn = "remote"; buildOn = "remote";
substituteOnTarget = true; substituteOnTarget = true;
hermetic = false; hermetic = false;
}; };
} }
]; ];
}; };
glasgow = nixpkgs.lib.nixosSystem { seattle = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
(import ./nix/glasgow/configuration.nix) (import ./nix/seattle/configuration.nix)
{ {
_module.args.nixinate = { _module.args.nixinate = {
host = "glasgow"; host = "seattle";
sshUser = "gsimmer"; sshUser = "gsimmer";
buildOn = "remote"; buildOn = "remote";
substituteOnTarget = true; substituteOnTarget = true;
hermetic = false; hermetic = false;
}; };
} }
]; ];
}; };
proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem { glasgow = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "aarch64-linux";
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
(import ./nix/proxmox-k3s-node/configuration.nix) (import ./nix/glasgow/configuration.nix)
{ {
_module.args.nixinate = { _module.args.nixinate = {
host = "proxmox-node-1"; host = "glasgow";
sshUser = "gsimmer"; sshUser = "gsimmer";
buildOn = "remote"; buildOn = "remote";
substituteOnTarget = true; substituteOnTarget = true;
hermetic = false; hermetic = false;
}; };
} }
]; ];
}; };
proxmox-k3s-node-1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
agenix.nixosModules.default
(import ./nix/proxmox-k3s-node/configuration.nix)
{
_module.args.nixinate = {
host = "proxmox-node-1";
sshUser = "gsimmer";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
};
}
];
}; };
}; };
};
} }


@ -1,4 +1,9 @@
{ lib, config, kubenix, ... }: { {
lib,
config,
kubenix,
...
}: {
kubernetes.helm.releases.cloudflare-exporter = { kubernetes.helm.releases.cloudflare-exporter = {
namespace = "default"; namespace = "default";
chart = kubenix.lib.helm.fetch { chart = kubenix.lib.helm.fetch {


@ -2,96 +2,110 @@ let
appName = "conduwuit"; appName = "conduwuit";
conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest"; conduwuit-Image = "git.gmem.ca/arch/conduwuit:latest";
in in
{ ... }: { {...}: {
kubernetes.resources.services.conduwuit = { kubernetes.resources.services.conduwuit = {
spec = { spec = {
selector.app = appName; selector.app = appName;
ports.http = { ports.http = {
port = 6167; port = 6167;
targetPort = 6167; targetPort = 6167;
};
}; };
}; };
}; kubernetes.resources.statefulSets.conduwuit.spec = {
kubernetes.resources.statefulSets.conduwuit.spec = { selector.matchLabels.app = appName;
selector.matchLabels.app = appName; serviceName = appName;
serviceName = appName; template = {
template = { metadata.labels.app = appName;
metadata.labels.app = appName; spec = {
spec = { volumes = {
volumes = { config.configMap.name = appName;
config.configMap.name = appName; };
}; containers = {
containers = { conduwuit = {
conduwuit = { image = conduwuit-Image;
image = conduwuit-Image; imagePullPolicy = "Always";
imagePullPolicy = "Always"; ports.http.containerPort = 6167;
ports.http.containerPort = 6167; volumeMounts = [
volumeMounts = [ {
{ name = "data"; mountPath = "/var/lib/matrix-conduit"; } name = "data";
{ name = "config"; mountPath = "/etc/matrix-conduit/conduit.toml"; mountPath = "/var/lib/matrix-conduit";
subPath = "conduit.toml"; } }
]; {
env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml"; name = "config";
mountPath = "/etc/matrix-conduit/conduit.toml";
subPath = "conduit.toml";
}
];
env.CONDUIT_CONFIG.value = "/etc/matrix-conduit/conduit.toml";
};
}; };
}; };
}; };
}; volumeClaimTemplates = [
volumeClaimTemplates = [
{ metadata.name = "data";
spec = {
storageClassName = "nfs-client";
accessModes = [ "ReadWriteOnce" ];
resources.requests.storage = "5Gi";
};
}
];
};
kubernetes.resources.ingresses.conduwuit = {
metadata = {
name = appName;
annotations = {
"cert-manager.io/issuer" = "le-issuer";
};
};
spec = {
tls = [ { hosts = [ "chat.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
rules = [
{ {
host = "chat.gmem.ca"; metadata.name = "data";
http.paths = [ spec = {
{ path = "/"; pathType = "Prefix"; storageClassName = "nfs-client";
backend.service = { accessModes = ["ReadWriteOnce"];
name = appName; resources.requests.storage = "5Gi";
port.name = "http"; }; };
}
];
} }
]; ];
}; };
}; kubernetes.resources.ingresses.conduwuit = {
kubernetes.resources.configMaps.conduwuit = { metadata = {
metadata = { name = appName;
name = appName; annotations = {
annotations = { "cert-manager.io/issuer" = "le-issuer";
"cert-manager.io/issuer" = "le-issuer"; };
};
spec = {
tls = [
{
hosts = ["chat.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
rules = [
{
host = "chat.gmem.ca";
http.paths = [
{
path = "/";
pathType = "Prefix";
backend.service = {
name = appName;
port.name = "http";
};
}
];
}
];
}; };
}; };
data."conduit.toml" = kubernetes.resources.configMaps.conduwuit = {
'' metadata = {
[global] name = appName;
# The Conduit server needs all /_matrix/ requests to be reachable at annotations = {
# https://your.server.name/ on port 443 (client-server) and 8448 (federation). "cert-manager.io/issuer" = "le-issuer";
server_name = "gmem.ca" };
};
data."conduit.toml" = ''
[global]
# The Conduit server needs all /_matrix/ requests to be reachable at
# https://your.server.name/ on port 443 (client-server) and 8448 (federation).
server_name = "gmem.ca"
# This is the only directory where Conduit will save its data # This is the only directory where Conduit will save its data
database_path = "/var/lib/matrix-conduit/" database_path = "/var/lib/matrix-conduit/"
database_backend = "rocksdb" database_backend = "rocksdb"
port = 6167 port = 6167
max_request_size = 20_000_000 # in bytes max_request_size = 20_000_000 # in bytes
allow_federation = true allow_federation = true
allow_check_for_updates = false allow_check_for_updates = false
trusted_servers = ["matrix.org"] trusted_servers = ["matrix.org"]
address = "0.0.0.0" address = "0.0.0.0"
''; '';
}; };
} }


@ -1,9 +1,9 @@
{ lib, ... }: { {lib, ...}: {
kubernetes.resourceOrder = kubernetes.resourceOrder = [
[ "CustomResourceDefinition" "CustomResourceDefinition"
"Namespace" "Namespace"
"ConfigMap" "ConfigMap"
]; ];
kubernetes.customTypes = [ kubernetes.customTypes = [
{ {
name = "servicemonitors"; name = "servicemonitors";


@ -10,52 +10,81 @@ let
location = "192.168.50.237"; location = "192.168.50.237";
host = "austin.gmem.ca"; host = "austin.gmem.ca";
port = 8080; port = 8080;
protocol = "HTTP"; protocol = "HTTP";
}; };
"tokyo" = { "tokyo" = {
location = "192.168.50.124"; location = "192.168.50.124";
host = "tokyo.gmem.ca"; host = "tokyo.gmem.ca";
port = 8000; port = 8000;
protocol = "HTTP"; protocol = "HTTP";
}; };
"ibiza" = { "ibiza" = {
location = "192.168.50.182"; location = "192.168.50.182";
host = "ibiza.gmem.ca"; host = "ibiza.gmem.ca";
port = 8000; port = 8000;
protocol = "HTTP"; protocol = "HTTP";
}; };
}; };
in { in {
kubernetes.resources.services = builtins.mapAttrs (name: endpoint: { kubernetes.resources.services =
spec = { builtins.mapAttrs (name: endpoint: {
ports.${name} = { spec = {
port = endpoint.port; ports.${name} = {
targetPort = endpoint.port; port = endpoint.port;
targetPort = endpoint.port;
};
}; };
}; })
}) endpoints; endpoints;
kubernetes.resources.endpoints = builtins.mapAttrs (name: endpoint: { kubernetes.resources.endpoints =
subsets = [ { builtins.mapAttrs (name: endpoint: {
addresses = [ { ip = endpoint.location; } ]; subsets = [
ports = [ { name = name; port = endpoint.port; protocol = "TCP"; } ]; {
} ]; addresses = [{ip = endpoint.location;}];
}) endpoints; ports = [
kubernetes.resources.ingresses = builtins.mapAttrs (name: endpoint: { {
metadata = { name = name; annotations = { name = name;
"nginx.ingress.kubernetes.io/proxy-body-size" = "10g"; port = endpoint.port;
"cert-manager.io/issuer" = "le-issuer"; protocol = "TCP";
"nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol; }
}; }; ];
spec = {
tls = [ { hosts = [ endpoint.host ]; secretName = "gmem-ca-wildcard"; } ];
rules = [ { host = endpoint.host; http.paths = [
{ path = "/"; pathType = "Prefix";
backend.service = {
name = name;
port.number = endpoint.port;
};
} }
];}]; ];
}; })
}) endpoints; endpoints;
kubernetes.resources.ingresses =
builtins.mapAttrs (name: endpoint: {
metadata = {
name = name;
annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" = "10g";
"cert-manager.io/issuer" = "le-issuer";
"nginx.ingress.kubernetes.io/backend-protocol" = endpoint.protocol;
};
};
spec = {
tls = [
{
hosts = [endpoint.host];
secretName = "gmem-ca-wildcard";
}
];
rules = [
{
host = endpoint.host;
http.paths = [
{
path = "/";
pathType = "Prefix";
backend.service = {
name = name;
port.number = endpoint.port;
};
}
];
}
];
};
})
endpoints;
} }


@ -1,279 +1,306 @@
{ lib, config, kubenix, ... }:
let homepage-config = {
bookmarks = [];
services = [
{
Media = [
{ Plex = {
icon = "plex.png";
href = "https://app.plex.tv";
description = "Plex";
widget = {
type = "plex";
url = "http://vancouver:32400";
key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
};
};
}
{ Overseerr = {
icon = "overseerr.png";
href = "https://request-media.gmem.ca";
description = "Request movies and TV shows";
widget = {
type = "overseerr";
url = "https://request-media.gmem.ca";
key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
};
};
}
{ Transmission = {
icon = "transmission.png";
description = "Download progress for torrents";
widget = {
type = "transmission";
url = "http://192.168.50.187:9091";
};
};
}
];
}
{
"Personal Infrastructure" = [
{ authentik = {
icon = "authentik.png";
href = "https://authentik.gmem.ca";
description = "OIDC SSO";
};
}
{ Tailscale = {
icon = "tailscale.png";
href = "https://login.tailscale.com";
description = "VPN provider";
};
}
{ Git = {
icon = "forgejo.png";
href = "https://git.gmem.ca";
description = "Git forge";
};
}
{ Grafana = {
icon = "grafana.png";
href = "https://grafana.gmem.ca";
description = "Monitoring & metrics";
widget = {
type = "grafana";
url = "https://grafana.gmem.ca";
username = "api@localhost";
password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
};
};
}
{ NextDNS = {
icon = "nextdns.png";
href = "https://my.nextdns.io/bcee89/setup";
description = "DNS provider";
widget = {
type = "nextdns";
profile = "bcee89";
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
};
};
}
{ "Proxmox" = {
icon = "proxmox.png";
href = "https://proxmox.gmem.ca";
description = "Homelab proxmox";
widget = {
type = "proxmox";
url = "https://proxmox.gmem.ca";
username = "api@pam!homepage";
password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
};
};
}
{ "Immich" = {
icon = "immich.png";
href = "https://photos.gmem.ca";
description = "Image hosting";
widget = {
type = "immich";
url = "https://photos.gmem.ca";
key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
};
};
}
{ "NextDNS Tailscale" = {
icon = "nextdns.png";
href = "https://my.nextdns.io/74c6db/setup";
description = "Tailnet DNS provider";
widget = {
type = "nextdns";
profile = "74c6db";
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
};
};
}
];
}
{
Reading = [
{ FreshRSS = {
icon = "freshrss.png";
href = "https://freshrss.gmem.ca";
description = "FreshRSS RSS Reader";
widget = {
type = "freshrss";
url = "https://freshrss.gmem.ca";
username = "arch";
password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
};
};
}
{ "Lobste.rs" = {
href = "https://lobste.rs";
description = "News aggregator";
};
}
{ "Hacker News" = {
href = "https://news.ycombinator.com";
description = "VC news aggregator";
};
}
];
}
{
"Floofy.tech Infrastructure" = [
{ Mastodon = {
icon = "mastodon.png";
href = "https://floofy.tech";
description = "Primary Mastodon instance";
widget = {
type = "mastodon";
url = "https://floofy.tech";
};
};
}
{ Grafana = {
icon = "grafana.png";
href = "https://grafana.services.floofy.tech";
description = "Metrics and Monitoring";
};
}
{ vSphere = {
icon = "vmware-esxi.png";
href = "https://vcenter.services.floofy.tech";
description = "Hypervisor Manager";
};
}
{ "vrclub.social" = {
icon = "calckey.png";
href = "https://vrclub.social";
description = "Firefish instance for VR clubs";
};
}
];
}
{
"Tools" = [
{ "IT Tools" = {
icon = "it-tools.png";
href = "https://tools.gmem.ca";
description = "Various useful tools";
};
}
{ Cyberchef = {
icon = "cyberchef.png";
href = "https://gchq.github.io/CyberChef/";
description = "More useful tools, mostly text manipulation";
};
}
];
}
{
"Backup Status" = [
{ "gsimmer backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "617d460f-69f6-444f-852a-421861543327";
};
};
}
{ "becki backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
};
};
}
{ "apps backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
};
};
}
];
}
];
settings = {
title = "Arch's Homepage";
providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
background = {
image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
blur = "sm";
opacity = 50;
};
base = "https://home.gmem.ca";
layout.Media.style = "row";
layout.Media.columns = "3";
layout."Personal Infrastructure".style = "row";
layout."Personal Infrastructure".columns = "3";
layout."Backup Status".style = "row";
layout."Backup Status".columns = "3";
};
kubernetes.mode = "cluster";
widgets = [
{
logo.icon = "https://gmem.ca/avatar.png";
}
{
kubernetes = {
cluster.show = true;
nodes.show = true;
};
}
{
search = {
provider = "duckduckgo";
};
}
{
openweathermap = {
provider = "openweathermap";
cache = 5;
units = "metric";
};
}
];
};
in
{ {
lib,
config,
kubenix,
...
}: let
homepage-config = {
bookmarks = [];
services = [
{
Media = [
{
Plex = {
icon = "plex.png";
href = "https://app.plex.tv";
description = "Plex";
widget = {
type = "plex";
url = "http://vancouver:32400";
key = "{{HOMEPAGE_VAR_PLEX_KEY}}";
};
};
}
{
Overseerr = {
icon = "overseerr.png";
href = "https://request-media.gmem.ca";
description = "Request movies and TV shows";
widget = {
type = "overseerr";
url = "https://request-media.gmem.ca";
key = "{{HOMEPAGE_VAR_OVERSEERR_KEY}}";
};
};
}
{
Transmission = {
icon = "transmission.png";
description = "Download progress for torrents";
widget = {
type = "transmission";
url = "http://192.168.50.187:9091";
};
};
}
];
}
{
"Personal Infrastructure" = [
{
authentik = {
icon = "authentik.png";
href = "https://authentik.gmem.ca";
description = "OIDC SSO";
};
}
{
Tailscale = {
icon = "tailscale.png";
href = "https://login.tailscale.com";
description = "VPN provider";
};
}
{
Git = {
icon = "forgejo.png";
href = "https://git.gmem.ca";
description = "Git forge";
};
}
{
Grafana = {
icon = "grafana.png";
href = "https://grafana.gmem.ca";
description = "Monitoring & metrics";
widget = {
type = "grafana";
url = "https://grafana.gmem.ca";
username = "api@localhost";
password = "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}";
};
};
}
{
NextDNS = {
icon = "nextdns.png";
href = "https://my.nextdns.io/bcee89/setup";
description = "DNS provider";
widget = {
type = "nextdns";
profile = "bcee89";
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
};
};
}
{
"Proxmox" = {
icon = "proxmox.png";
href = "https://proxmox.gmem.ca";
description = "Homelab proxmox";
widget = {
type = "proxmox";
url = "https://proxmox.gmem.ca";
username = "api@pam!homepage";
password = "{{HOMEPAGE_VAR_PROXMOX_PASSWORD}}";
};
};
}
{
"Immich" = {
icon = "immich.png";
href = "https://photos.gmem.ca";
description = "Image hosting";
widget = {
type = "immich";
url = "https://photos.gmem.ca";
key = "{{HOMEPAGE_VAR_IMMICH_KEY}}";
};
};
}
{
"NextDNS Tailscale" = {
icon = "nextdns.png";
href = "https://my.nextdns.io/74c6db/setup";
description = "Tailnet DNS provider";
widget = {
type = "nextdns";
profile = "74c6db";
key = "{{HOMEPAGE_VAR_NEXTDNS_KEY}}";
};
};
}
];
}
{
Reading = [
{
FreshRSS = {
icon = "freshrss.png";
href = "https://freshrss.gmem.ca";
description = "FreshRSS RSS Reader";
widget = {
type = "freshrss";
url = "https://freshrss.gmem.ca";
username = "arch";
password = "{{HOMEPAGE_VAR_FRESHRSS_PASSWORD}}";
};
};
}
{
"Lobste.rs" = {
href = "https://lobste.rs";
description = "News aggregator";
};
}
{
"Hacker News" = {
href = "https://news.ycombinator.com";
description = "VC news aggregator";
};
}
];
}
{
"Floofy.tech Infrastructure" = [
{
Mastodon = {
icon = "mastodon.png";
href = "https://floofy.tech";
description = "Primary Mastodon instance";
widget = {
type = "mastodon";
url = "https://floofy.tech";
};
};
}
{
Grafana = {
icon = "grafana.png";
href = "https://grafana.services.floofy.tech";
description = "Metrics and Monitoring";
};
}
{
vSphere = {
icon = "vmware-esxi.png";
href = "https://vcenter.services.floofy.tech";
description = "Hypervisor Manager";
};
}
{
"vrclub.social" = {
icon = "calckey.png";
href = "https://vrclub.social";
description = "Firefish instance for VR clubs";
};
}
];
}
{
"Tools" = [
{
"IT Tools" = {
icon = "it-tools.png";
href = "https://tools.gmem.ca";
description = "Various useful tools";
};
}
{
Cyberchef = {
icon = "cyberchef.png";
href = "https://gchq.github.io/CyberChef/";
description = "More useful tools, mostly text manipulation";
};
}
];
}
{
"Backup Status" = [
{
"gsimmer backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "617d460f-69f6-444f-852a-421861543327";
};
};
}
{
"becki backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "9d01d3dd-2a56-4c70-9b5c-9cb99a1466db";
};
};
}
{
"apps backups" = {
icon = "healthchecks.png";
href = "https://healthchecks.gmem.ca";
description = "Uptime monitor for recurring tasks";
widget = {
type = "healthchecks";
url = "https://healthchecks.gmem.ca";
key = "{{HOMEPAGE_VAR_HEALTHCHECKS_KEY}}";
uuid = "37a854b0-9191-4452-aa30-df3969d59b09";
};
};
}
];
}
];
settings = {
title = "Arch's Homepage";
providers.openweathermap = "{{HOMEPAGE_VAR_WEATHER_KEY}}";
background = {
image = "https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80";
blur = "sm";
opacity = 50;
};
base = "https://home.gmem.ca";
layout.Media.style = "row";
layout.Media.columns = "3";
layout."Personal Infrastructure".style = "row";
layout."Personal Infrastructure".columns = "3";
layout."Backup Status".style = "row";
layout."Backup Status".columns = "3";
};
kubernetes.mode = "cluster";
widgets = [
{
logo.icon = "https://gmem.ca/avatar.png";
}
{
kubernetes = {
cluster.show = true;
nodes.show = true;
};
}
{
search = {
provider = "duckduckgo";
};
}
{
openweathermap = {
provider = "openweathermap";
cache = 5;
units = "metric";
};
}
];
};
in {
kubernetes.helm.releases.homepage = { kubernetes.helm.releases.homepage = {
chart = kubenix.lib.helm.fetch { chart = kubenix.lib.helm.fetch {
repo = "https://jameswynn.github.io/helm-charts"; repo = "https://jameswynn.github.io/helm-charts";
@ -307,7 +334,7 @@ in
]; ];
tls = [ tls = [
{ {
hosts = [ "home.gmem.ca" ]; hosts = ["home.gmem.ca"];
secretName = "gmem-ca-wildcard"; secretName = "gmem-ca-wildcard";
} }
]; ];
@ -317,10 +344,10 @@ in
kubernetes.resources.deployments.homepage = { kubernetes.resources.deployments.homepage = {
metadata.namespace = "default"; metadata.namespace = "default";
spec.template = { spec.template = {
metadata.annotations."gmem.ca/homepage-config-hash" = (builtins.hashString "md5" (builtins.toJSON homepage-config)); metadata.annotations."gmem.ca/homepage-config-hash" = builtins.hashString "md5" (builtins.toJSON homepage-config);
spec.containers.homepage.envFrom = [ { secretRef.name = "homepage-config"; } ]; spec.containers.homepage.envFrom = [{secretRef.name = "homepage-config";}];
}; };
}; };
} }


@ -1,4 +1,9 @@
{ lib, config, kubenix, ... }: { {
lib,
config,
kubenix,
...
}: {
kubernetes.helm.releases.immich = { kubernetes.helm.releases.immich = {
chart = kubenix.lib.helm.fetch { chart = kubenix.lib.helm.fetch {
repo = "https://immich-app.github.io/immich-charts"; repo = "https://immich-app.github.io/immich-charts";
@ -24,11 +29,16 @@
annotations = { annotations = {
"cert-manager.io/issuer" = "le-issuer"; "cert-manager.io/issuer" = "le-issuer";
}; };
tls = [ { hosts = [ "photos.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
{
hosts = ["photos.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
hosts = [ hosts = [
{ {
host = "photos.gmem.ca"; host = "photos.gmem.ca";
paths = [ { path = "/"; } ]; paths = [{path = "/";}];
} }
]; ];
}; };


@ -2,8 +2,7 @@ let
appName = "soju"; appName = "soju";
sojuImage = "git.gmem.ca/arch/soju:latest"; sojuImage = "git.gmem.ca/arch/soju:latest";
gamjaImage = "git.gmem.ca/arch/gamja:latest"; gamjaImage = "git.gmem.ca/arch/gamja:latest";
in in {
{
kubernetes.resources.services.soju = { kubernetes.resources.services.soju = {
spec = { spec = {
type = "NodePort"; type = "NodePort";
@ -45,8 +44,17 @@ in
soju = { soju = {
image = sojuImage; image = sojuImage;
imagePullPolicy = "Always"; imagePullPolicy = "Always";
volumeMounts = [ { name = "config"; mountPath = "/etc/soju/config"; subPath = "config"; } volumeMounts = [
{ name = "ssl"; mountPath = "/ssl"; } ]; {
name = "config";
mountPath = "/etc/soju/config";
subPath = "config";
}
{
name = "ssl";
mountPath = "/ssl";
}
];
ports.tls.containerPort = 6697; ports.tls.containerPort = 6697;
ports.ws.containerPort = 80; ports.ws.containerPort = 80;
@ -92,32 +100,46 @@ in
"cert-manager.io/issuer" = "le-issuer"; "cert-manager.io/issuer" = "le-issuer";
}; };
spec = { spec = {
tls = [ { hosts = [ "irc.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
rules = [ { host = "irc.gmem.ca"; http.paths = [ {
{ path = "/"; pathType = "Prefix"; hosts = ["irc.gmem.ca"];
backend.service = { secretName = "gmem-ca-wildcard";
name = "gamja";
port.number = 80;
};
} }
{ path = "/socket"; pathType = "Prefix"; ];
backend.service = { rules = [
name = "soju-ws"; {
port.number = 80; host = "irc.gmem.ca";
}; http.paths = [
{
path = "/";
pathType = "Prefix";
backend.service = {
name = "gamja";
port.number = 80;
};
}
{
path = "/socket";
pathType = "Prefix";
backend.service = {
name = "soju-ws";
port.number = 80;
};
}
];
} }
];}]; ];
}; };
}; };
kubernetes.resources.configMaps.soju.data.config = '' kubernetes.resources.configMaps.soju.data.config = ''
listen ircs:// listen ircs://
listen unix+admin:///app/admin listen unix+admin:///app/admin
listen ws+insecure:// listen ws+insecure://
hostname irc.gmem.ca hostname irc.gmem.ca
title irc.gmem.ca title irc.gmem.ca
db postgres "dbname=soju" db postgres "dbname=soju"
message-store db message-store db
tls /ssl/tls.crt /ssl/tls.key tls /ssl/tls.crt /ssl/tls.key
''; '';
} }


@ -1,18 +1,25 @@
{ lib, config, kubenix, ... }: { {
imports = [ kubenix.modules.k8s kubenix.modules.helm lib,
(import ./custom.nix) config,
(import ./nginx.nix) kubenix,
(import ./tclip.nix) ...
(import ./vrchat-prometheus-exporter.nix) }: {
(import ./overseerr.nix) imports = [
(import ./immich.nix) kubenix.modules.k8s
(import ./endpoints.nix) kubenix.modules.helm
(import ./homepage.nix) (import ./custom.nix)
(import ./pterodactyl.nix) (import ./nginx.nix)
(import ./cloudflare-exporter.nix) (import ./tclip.nix)
(import ./piped.nix) (import ./vrchat-prometheus-exporter.nix)
(import ./conduit.nix) (import ./overseerr.nix)
(import ./irc.nix) (import ./immich.nix)
(import ./netboot.nix) (import ./endpoints.nix)
]; (import ./homepage.nix)
(import ./pterodactyl.nix)
(import ./cloudflare-exporter.nix)
(import ./piped.nix)
(import ./conduit.nix)
(import ./irc.nix)
(import ./netboot.nix)
];
} }


@ -1,8 +1,7 @@
let let
appName = "netbootxyz"; appName = "netbootxyz";
netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz"; netbootxyzImage = "ghcr.io/netbootxyz/netbootxyz";
in in {
{
kubernetes.resources.services.netbootxyz = { kubernetes.resources.services.netbootxyz = {
spec = { spec = {
selector.app = appName; selector.app = appName;
@ -35,16 +34,28 @@ in
metadata.labels.app = appName; metadata.labels.app = appName;
spec = { spec = {
volumes = [ volumes = [
{ name = "config"; persistentVolumeClaim.claimName = "netbootxyz-config"; } {
{ name = "assets"; persistentVolumeClaim.claimName = "netbootxyz-assets"; } name = "config";
persistentVolumeClaim.claimName = "netbootxyz-config";
}
{
name = "assets";
persistentVolumeClaim.claimName = "netbootxyz-assets";
}
]; ];
containers = { containers = {
netbootxyz = { netbootxyz = {
image = netbootxyzImage; image = netbootxyzImage;
imagePullPolicy = "Always"; imagePullPolicy = "Always";
volumeMounts = [ volumeMounts = [
{ mountPath = "/config"; name = "config"; } {
{ mountPath = "/assets"; name = "assets"; } mountPath = "/config";
name = "config";
}
{
mountPath = "/assets";
name = "assets";
}
]; ];
env.SUBFOLDER.value = "/ui/"; env.SUBFOLDER.value = "/ui/";
ports.http.containerPort = 80; ports.http.containerPort = 80;
@ -62,12 +73,12 @@ in
kubernetes.resources.persistentVolumeClaims.netbootxyz-config.spec = { kubernetes.resources.persistentVolumeClaims.netbootxyz-config.spec = {
resources.requests.storage = "1Gi"; resources.requests.storage = "1Gi";
volumeMode = "Filesystem"; volumeMode = "Filesystem";
accessModes = [ "ReadWriteMany" ]; accessModes = ["ReadWriteMany"];
}; };
kubernetes.resources.persistentVolumeClaims.netbootxyz-assets.spec = { kubernetes.resources.persistentVolumeClaims.netbootxyz-assets.spec = {
resources.requests.storage = "10Gi"; resources.requests.storage = "10Gi";
volumeMode = "Filesystem"; volumeMode = "Filesystem";
accessModes = [ "ReadWriteMany" ]; accessModes = ["ReadWriteMany"];
}; };
kubernetes.resources.ingresses.netbootxyz = { kubernetes.resources.ingresses.netbootxyz = {
@ -76,22 +87,35 @@ in
"nginx.ingress.kubernetes.io/ssl-redirect" = "false"; "nginx.ingress.kubernetes.io/ssl-redirect" = "false";
}; };
spec = { spec = {
tls = [ { hosts = [ "netboot.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
rules = [ { host = "netboot.gmem.ca"; http.paths = [ {
{ path = "/ui"; pathType = "Prefix"; hosts = ["netboot.gmem.ca"];
backend.service = { secretName = "gmem-ca-wildcard";
name = "netbootxyz";
port.number = 3000;
};
} }
{ path = "/"; pathType = "Prefix"; ];
backend.service = { rules = [
name = "netbootxyz"; {
port.number = 80; host = "netboot.gmem.ca";
}; http.paths = [
{
path = "/ui";
pathType = "Prefix";
backend.service = {
name = "netbootxyz";
port.number = 3000;
};
}
{
path = "/";
pathType = "Prefix";
backend.service = {
name = "netbootxyz";
port.number = 80;
};
}
];
} }
];}]; ];
}; };
}; };
} }


@ -1,4 +1,9 @@
{ lib, config, kubenix, ... }: { {
lib,
config,
kubenix,
...
}: {
kubernetes.helm.releases.ingress-nginx = { kubernetes.helm.releases.ingress-nginx = {
namespace = "ingress-nginx"; namespace = "ingress-nginx";
chart = kubenix.lib.helm.fetch { chart = kubenix.lib.helm.fetch {


@ -1,8 +1,7 @@
let let
appName = "overseerr"; appName = "overseerr";
appImage = "sctx/overseerr"; appImage = "sctx/overseerr";
in in {
{
kubernetes.resources.services.overseerr = { kubernetes.resources.services.overseerr = {
spec = { spec = {
selector.app = appName; selector.app = appName;
@ -25,7 +24,10 @@ in
overseerr = { overseerr = {
image = appImage; image = appImage;
volumeMounts = [ volumeMounts = [
{ name = "data"; mountPath = "/app/config"; } {
name = "data";
mountPath = "/app/config";
}
]; ];
ports.metrics.containerPort = 5055; ports.metrics.containerPort = 5055;
resources = { resources = {
@ -43,32 +45,41 @@ in
}; };
}; };
volumeClaimTemplates = [ volumeClaimTemplates = [
{ metadata.name = "data"; {
metadata.name = "data";
spec = { spec = {
storageClassName = "nfs-client"; storageClassName = "nfs-client";
accessModes = [ "ReadWriteOnce" ]; accessModes = ["ReadWriteOnce"];
resources.requests.storage = "1Gi"; resources.requests.storage = "1Gi";
}; };
} }
]; ];
}; };
kubernetes.resources.ingresses.overseerr = { kubernetes.resources.ingresses.overseerr = {
metadata = { metadata = {
name = appName; name = appName;
annotations = { annotations = {
"cert-manager.io/issuer" = "le-issuer"; "cert-manager.io/issuer" = "le-issuer";
}; };
}; };
spec = { spec = {
tls = [ { hosts = [ "request-media.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
{
hosts = ["request-media.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
rules = [ rules = [
{ {
host = "request-media.gmem.ca"; host = "request-media.gmem.ca";
http.paths = [ http.paths = [
{ path = "/"; pathType = "Prefix"; {
path = "/";
pathType = "Prefix";
backend.service = { backend.service = {
name = appName; name = appName;
port.name = "http"; }; port.name = "http";
};
} }
]; ];
} }


@ -1,4 +1,9 @@
{ lib, config, kubenix, ... }: { {
lib,
config,
kubenix,
...
}: {
kubernetes.helm.releases.piped = { kubernetes.helm.releases.piped = {
namespace = "default"; namespace = "default";
chart = kubenix.lib.helm.fetch { chart = kubenix.lib.helm.fetch {
@ -20,24 +25,48 @@
password = "password"; password = "password";
}; };
}; };
fontend.env.BACKEND_HOSTNAME= "pipedapi.gmem.ca"; fontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca";
ingress = { ingress = {
main = { main = {
tls = [ { hosts = [ "piped.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
{
hosts = ["piped.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
hosts = [ hosts = [
{ host = "piped.gmem.ca"; paths = [ { path = "/"; } ]; } {
host = "piped.gmem.ca";
paths = [{path = "/";}];
}
]; ];
}; };
backend = { backend = {
tls = [ { hosts = [ "pipedapi.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
{
hosts = ["pipedapi.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
hosts = [ hosts = [
{ host = "pipedapi.gmem.ca"; paths = [ { path = "/"; } ]; } {
host = "pipedapi.gmem.ca";
paths = [{path = "/";}];
}
]; ];
}; };
ytproxy = { ytproxy = {
tls = [ { hosts = [ "ytproxy.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ]; tls = [
{
hosts = ["ytproxy.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
hosts = [ hosts = [
{ host = "ytproxy.gmem.ca"; paths = [ { path = "/"; } ]; } {
host = "ytproxy.gmem.ca";
paths = [{path = "/";}];
}
]; ];
}; };
}; };
@ -50,18 +79,18 @@
restartPolicy = "Never"; restartPolicy = "Never";
containers.refresh-subscriptions = { containers.refresh-subscriptions = {
image = "alpine:3.15"; image = "alpine:3.15";
envFrom = [ { secretRef.name = "hippo-pguser-piped"; } ]; envFrom = [{secretRef.name = "hippo-pguser-piped";}];
command = [ command = [
"/bin/ash" "/bin/ash"
"-c" "-c"
'' ''
apk --no-cache add postgresql-client curl && apk --no-cache add postgresql-client curl &&
export PGPASSWORD=$password && export PGPASSWORD=$password &&
export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') && export subs=$(psql -U piped -h hippo-primary.default.svc -qtAX -c 'select id from public.pubsub;') &&
while IFS= read -r line; do while IFS= read -r line; do
curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null curl -k "https://pipedapi.gmem.ca/channel/$line" > /dev/null
done < <(printf '%s' "$subs") done < <(printf '%s' "$subs")
'' ''
]; ];
}; };
}; };
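Review bot: The reformatted line `fontend.env.BACKEND_HOSTNAME = "pipedapi.gmem.ca";` keeps what looks like a typo for `frontend`; if the chart reads `frontend.env`, this value is silently ignored and the frontend never learns the API hostname, so verify the key against the chart's values. The same values block still carries a literal `password = "password"`, while the refresh-subscriptions job already pulls its credentials from `secretRef.name = "hippo-pguser-piped"`; sourcing the chart's database password from that secret rather than a literal in the repo would be consistent. The job's `curl -k "https://pipedapi.gmem.ca/channel/$line"` disables certificate verification even though the backend ingress in this same section is served with the `gmem-ca-wildcard` TLS secret, so `-k` can presumably be dropped. The enclosing `values` attribute set starts outside the hunk.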


@ -2,78 +2,95 @@ let
appName = "pterodactyl-panel"; appName = "pterodactyl-panel";
pterodactyl-panel-Image = "git.gmem.ca/arch/pterodactyl-panel:latest"; pterodactyl-panel-Image = "git.gmem.ca/arch/pterodactyl-panel:latest";
in in
{ lib, config, kubenix, ... }: { {
lib,
config,
kubenix,
...
}: {
kubernetes.resources.services.pterodactyl-panel = { kubernetes.resources.services.pterodactyl-panel = {
spec = { spec = {
selector.app = appName; selector.app = appName;
ports.http = { ports.http = {
port = 8080; port = 8080;
targetPort = 8080; targetPort = 8080;
};
}; };
}; };
}; kubernetes.resources.statefulSets.pterodactyl-panel.spec = {
kubernetes.resources.statefulSets.pterodactyl-panel.spec = { selector.matchLabels.app = appName;
selector.matchLabels.app = appName; serviceName = appName;
serviceName = appName; template = {
template = { metadata.labels.app = appName;
metadata.labels.app = appName; spec = {
spec = { containers = {
containers = { pterodactyl-panel = {
pterodactyl-panel = { image = pterodactyl-panel-Image;
image = pterodactyl-panel-Image; imagePullPolicy = "Always";
imagePullPolicy = "Always"; ports.http.containerPort = 8080;
ports.http.containerPort = 8080; volumeMounts = [
volumeMounts = [ {
{ name = "data"; mountPath = "/var/www/pterodactyl/storage/app"; } name = "data";
]; mountPath = "/var/www/pterodactyl/storage/app";
envFrom = [ { secretRef.name = "pterodactyl"; } ]; }
];
envFrom = [{secretRef.name = "pterodactyl";}];
};
}; };
}; };
}; };
}; volumeClaimTemplates = [
volumeClaimTemplates = [
{ metadata.name = "data";
spec = {
storageClassName = "nfs-client";
accessModes = [ "ReadWriteOnce" ];
resources.requests.storage = "1Gi";
};
}
];
};
kubernetes.helm.releases.pterodactyl-redis = {
chart = kubenix.lib.helm.fetch {
repo = "https://charts.bitnami.com/bitnami";
chart = "redis";
version = "18.6.1";
sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM=";
};
values = {
auth.enabled = false;
architecture = "standalone";
};
};
kubernetes.resources.ingresses.pterodactyl-panel = {
metadata = {
name = appName;
annotations = {
"cert-manager.io/issuer" = "le-issuer";
};
};
spec = {
tls = [ { hosts = [ "games.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
rules = [
{ {
host = "games.gmem.ca"; metadata.name = "data";
http.paths = [ spec = {
{ path = "/"; pathType = "Prefix"; storageClassName = "nfs-client";
backend.service = { accessModes = ["ReadWriteOnce"];
name = appName; resources.requests.storage = "1Gi";
port.name = "http"; }; };
}
];
} }
]; ];
}; };
}; kubernetes.helm.releases.pterodactyl-redis = {
} chart = kubenix.lib.helm.fetch {
repo = "https://charts.bitnami.com/bitnami";
chart = "redis";
version = "18.6.1";
sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM=";
};
values = {
auth.enabled = false;
architecture = "standalone";
};
};
kubernetes.resources.ingresses.pterodactyl-panel = {
metadata = {
name = appName;
annotations = {
"cert-manager.io/issuer" = "le-issuer";
};
};
spec = {
tls = [
{
hosts = ["games.gmem.ca"];
secretName = "gmem-ca-wildcard";
}
];
rules = [
{
host = "games.gmem.ca";
http.paths = [
{
path = "/";
pathType = "Prefix";
backend.service = {
name = appName;
port.name = "http";
};
}
];
}
];
};
};
}


@ -2,12 +2,16 @@ let
appName = "tclip"; appName = "tclip";
litestreamImage = "litestream/litestream:sha-749bc0d"; litestreamImage = "litestream/litestream:sha-749bc0d";
tclipImage = "git.gmem.ca/arch/tclip:arm"; tclipImage = "git.gmem.ca/arch/tclip:arm";
in in {
{
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.tclip = { kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.tclip = {
spec = { spec = {
selector.matchLabels.app = appName; selector.matchLabels.app = appName;
endpoints = [ { port = "metrics"; interval = "30s"; } ]; endpoints = [
{
port = "metrics";
interval = "30s";
}
];
}; };
}; };
kubernetes.resources.services.tclip = { kubernetes.resources.services.tclip = {
@ -36,41 +40,67 @@ in
}; };
initContainers.init-litestream = { initContainers.init-litestream = {
image = litestreamImage; image = litestreamImage;
args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db" ]; args = ["restore" "-if-db-not-exists" "-if-replica-exists" "-v" "/data/data.db"];
volumeMounts = [ volumeMounts = [
{ name = "data"; mountPath = "/data"; } {
{ name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; } name = "data";
mountPath = "/data";
}
{
name = "litestream";
mountPath = "/etc/litestream.yml";
subPath = "tclip.yml";
}
]; ];
envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ]; envFrom = [{secretRef.name = "tclip-litestream-s3";}];
}; };
containers = { containers = {
tclip = { tclip = {
image = tclipImage; image = tclipImage;
imagePullPolicy = "Always"; imagePullPolicy = "Always";
volumeMounts = [ { name = "data"; mountPath = "/data"; } ]; volumeMounts = [
{
name = "data";
mountPath = "/data";
}
];
env = [ env = [
{ name = "DATA_DIR"; value = "/data"; } {
{ name = "USE_FUNNEL"; value = "true"; } name = "DATA_DIR";
value = "/data";
}
{
name = "USE_FUNNEL";
value = "true";
}
]; ];
}; };
litestream = { litestream = {
image = litestreamImage; image = litestreamImage;
args = [ "replicate" ]; args = ["replicate"];
volumeMounts = [ volumeMounts = [
{ name = "data"; mountPath = "/data"; } {
{ name = "litestream"; mountPath = "/etc/litestream.yml"; subPath = "tclip.yml"; } name = "data";
mountPath = "/data";
}
{
name = "litestream";
mountPath = "/etc/litestream.yml";
subPath = "tclip.yml";
}
]; ];
envFrom = [ { secretRef.name = "tclip-litestream-s3"; } ]; envFrom = [{secretRef.name = "tclip-litestream-s3";}];
ports.metrics.containerPort = 9090; ports.metrics.containerPort = 9090;
}; };
}; };
}; };
}; };
volumeClaimTemplates = [ volumeClaimTemplates = [
{ metadata.name = "data"; {
metadata.name = "data";
spec = { spec = {
storageClassName = "nfs-client"; storageClassName = "nfs-client";
accessModes = [ "ReadWriteOnce" ]; accessModes = ["ReadWriteOnce"];
resources.requests.storage = "1Gi"; resources.requests.storage = "1Gi";
}; };
} }


@ -1,12 +1,16 @@
let let
appName = "vrchat-prometheus-exporter"; appName = "vrchat-prometheus-exporter";
appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm"; appImage = "git.gmem.ca/arch/vrchat-prometheus-adapter:arm";
in in {
{
kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.vrchat-prometheus-adapter = { kubernetes.resources."monitoring.coreos.com"."v1".ServiceMonitor.vrchat-prometheus-adapter = {
spec = { spec = {
selector.matchLabels.app = appName; selector.matchLabels.app = appName;
endpoints = [ { port = "metrics"; interval = "60s"; } ]; endpoints = [
{
port = "metrics";
interval = "60s";
}
];
}; };
}; };
kubernetes.resources.services.vrchat-prometheus-adapter = { kubernetes.resources.services.vrchat-prometheus-adapter = {
@ -35,8 +39,14 @@ in
vrchat-prometheus-adapter = { vrchat-prometheus-adapter = {
image = appImage; image = appImage;
imagePullPolicy = "Always"; imagePullPolicy = "Always";
volumeMounts = [ { name = "config"; mountPath = "/config.toml"; subPath = "config.toml"; } ]; volumeMounts = [
envFrom = [ { secretRef.name = "vrchat-prometheus-adapter"; } ]; {
name = "config";
mountPath = "/config.toml";
subPath = "config.toml";
}
];
envFrom = [{secretRef.name = "vrchat-prometheus-adapter";}];
ports.metrics.containerPort = 6534; ports.metrics.containerPort = 6534;
resources = { resources = {
requests = { requests = {


@ -1,10 +1,12 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
age.secrets.k3s-token = { age.secrets.k3s-token = {
file = ../../secrets/k3s-token.age; file = ../../secrets/k3s-token.age;
@ -12,20 +14,19 @@
}; };
boot = { boot = {
supportedFilesystems = [ "nfs" ]; supportedFilesystems = ["nfs"];
kernelPackages = pkgs.linuxPackages_rpi4; kernelPackages = pkgs.linuxPackages_rpi4;
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ]; kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
loader = { loader = {
grub.enable = false; grub.enable = false;
generic-extlinux-compatible.enable = true; generic-extlinux-compatible.enable = true;
}; };
}; };
swapDevices = [ swapDevices = [
{ {
device = "/var/lib/swapfile"; device = "/var/lib/swapfile";
size = 8*1024; size = 8 * 1024;
} }
]; ];
@ -43,7 +44,7 @@
extraOptions = '' extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)} min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)}
''; '';
}; };
networking = { networking = {
@ -52,8 +53,8 @@
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
allowedUDPPorts = [ 41641 ]; allowedUDPPorts = [41641];
allowedTCPPorts = [ 22 80 443 6443 10250 ]; allowedTCPPorts = [22 80 443 6443 10250];
enable = false; enable = false;
}; };
nftables.enable = false; nftables.enable = false;
@ -63,7 +64,7 @@
users.users.gsimmer = { users.users.gsimmer = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
packages = with pkgs; [ packages = with pkgs; [
tree tree
]; ];
@ -72,8 +73,9 @@
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -108,5 +110,4 @@
}; };
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
} }


@ -1,24 +1,28 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; boot.initrd.availableKernelModules = ["xhci_pci" "uas"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,7 +1,9 @@
# WARN: this file will get overwritten by $ cachix use <name> # WARN: this file will get overwritten by $ cachix use <name>
{ pkgs, lib, ... }: {
pkgs,
let lib,
...
}: let
folder = ./cachix; folder = ./cachix;
toImport = name: value: folder + ("/" + name); toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;


@ -1,10 +1,11 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ pkgs,
./hardware-configuration.nix ...
]; }: {
imports = [
./hardware-configuration.nix
];
# Bootloader # Bootloader
boot = { boot = {
@ -15,12 +16,12 @@
}; };
}; };
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
binfmt.emulatedSystems = [ "aarch64-linux" ]; binfmt.emulatedSystems = ["aarch64-linux"];
extraModulePackages = [ extraModulePackages = [
config.boot.kernelPackages.v4l2loopback config.boot.kernelPackages.v4l2loopback
]; ];
kernelPackages = pkgs.linuxPackages_zen; kernelPackages = pkgs.linuxPackages_zen;
kernelModules = [ "amdgpu" "coretemp" "kvm-amd" "v4l2loopback" ]; kernelModules = ["amdgpu" "coretemp" "kvm-amd" "v4l2loopback"];
}; };
time.hardwareClockInLocalTime = true; time.hardwareClockInLocalTime = true;
@ -31,7 +32,7 @@
}; };
nix = { nix = {
settings = { settings = {
experimental-features = [ "nix-command" "flakes" ]; experimental-features = ["nix-command" "flakes"];
auto-optimise-store = true; auto-optimise-store = true;
}; };
gc = { gc = {
@ -48,11 +49,21 @@
networkmanager.enable = true; networkmanager.enable = true;
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; allowedUDPPortRanges = [
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; {
allowedTCPPorts = [ 7000 7100 7001 22000 8000 3000 9943 9944 ]; from = 27031;
allowedUDPPorts = [ 69 6000 6001 7011 41641 3478 22000 21027 9943 9944 ]; to = 27036;
trustedInterfaces = [ "enp4s0" "tailscale0" "docker0" ]; }
];
allowedTCPPortRanges = [
{
from = 27036;
to = 27037;
}
];
allowedTCPPorts = [7000 7100 7001 22000 8000 3000 9943 9944];
allowedUDPPorts = [69 6000 6001 7011 41641 3478 22000 21027 9943 9944];
trustedInterfaces = ["enp4s0" "tailscale0" "docker0"];
checkReversePath = "loose"; checkReversePath = "loose";
}; };
nftables.enable = true; nftables.enable = true;
@ -72,23 +83,29 @@
positions = { positions = {
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [
url = "http://monitoring:3030/loki/api/v1/push"; {
}]; url = "http://monitoring:3030/loki/api/v1/push";
scrape_configs = [{ }
job_name = "journal"; ];
journal = { scrape_configs = [
max_age = "12h"; {
labels = { job_name = "journal";
job = "systemd-journal"; journal = {
host = "london"; max_age = "12h";
labels = {
job = "systemd-journal";
host = "london";
};
}; };
}; relabel_configs = [
relabel_configs = [{ {
source_labels = [ "__journal__systemd_unit" ]; source_labels = ["__journal__systemd_unit"];
target_label = "unit"; target_label = "unit";
}]; }
}]; ];
}
];
}; };
}; };
fwupd.enable = true; fwupd.enable = true;
@ -105,12 +122,13 @@
enable = true; enable = true;
listenAddress = "100.110.180.123"; listenAddress = "100.110.180.123";
enabledCollectors = [ enabledCollectors = [
"systemd" "processes" "systemd"
"processes"
]; ];
}; };
dbus.enable = true; dbus.enable = true;
yubikey-agent.enable = true; yubikey-agent.enable = true;
udev.packages = with pkgs; [ libu2f-host yubikey-personalization ]; udev.packages = with pkgs; [libu2f-host yubikey-personalization];
tailscale.enable = true; tailscale.enable = true;
pcscd.enable = true; pcscd.enable = true;
mullvad-vpn.enable = true; mullvad-vpn.enable = true;
@ -133,7 +151,7 @@
}; };
printing = { printing = {
enable = true; enable = true;
drivers = [ pkgs.gutenprint pkgs.gutenprintBin ]; drivers = [pkgs.gutenprint pkgs.gutenprintBin];
}; };
avahi = { avahi = {
nssmdns4 = true; nssmdns4 = true;
@ -164,7 +182,7 @@
}; };
sane.enable = true; sane.enable = true;
sane.extraBackends = [ pkgs.epkowa ]; sane.extraBackends = [pkgs.epkowa];
pulseaudio.enable = false; pulseaudio.enable = false;
}; };
environment.variables.AMD_VULKAN_ICD = "RADV"; environment.variables.AMD_VULKAN_ICD = "RADV";
@ -184,17 +202,17 @@
dedicatedServer.openFirewall = false; dedicatedServer.openFirewall = false;
}; };
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
pinentryFlavor = "qt"; pinentryFlavor = "qt";
enableSSHSupport = false; enableSSHSupport = false;
}; };
}; };
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.gsimmer = { users.users.gsimmer = {
shell = pkgs.fish; shell = pkgs.fish;
isNormalUser = true; isNormalUser = true;
description = "Gabriel Simmer"; description = "Gabriel Simmer";
extraGroups = [ "networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker" ]; extraGroups = ["networkmanager" "wheel" "libvirtd" "qemu-libvirtd" "docker"];
packages = with pkgs; [ packages = with pkgs; [
firefox-wayland firefox-wayland
vim vim
@ -223,9 +241,9 @@
enableDefaultPackages = true; enableDefaultPackages = true;
}; };
systemd.packages = with pkgs; [ cloudflare-warp ]; systemd.packages = with pkgs; [cloudflare-warp];
environment = { environment = {
shells = with pkgs; [ zsh fish ]; shells = with pkgs; [zsh fish];
systemPackages = with pkgs; [ systemPackages = with pkgs; [
os-prober os-prober
tailscale tailscale
@ -251,7 +269,7 @@
pcscliteWithPolkit.out pcscliteWithPolkit.out
]; ];
}; };
environment.plasma5.excludePackages = with pkgs.libsForQt5; [ environment.plasma5.excludePackages = with pkgs.libsForQt5; [
elisa elisa
okular okular
@ -265,16 +283,15 @@
polkit = { polkit = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" && if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.isInGroup("wheel")) { subject.isInGroup("wheel")) {
return polkit.Result.YES; return polkit.Result.YES;
} }
}); });
''; '';
}; };
rtkit.enable = true; rtkit.enable = true;
}; };
system.stateVersion = "23.05"; # Did you read the comment? system.stateVersion = "23.05"; # Did you read the comment?
} }


@ -1,51 +1,59 @@
{ config, pkgs, callPackage, lib, ... }:
{ {
config,
pkgs,
callPackage,
lib,
...
}: {
nixpkgs = { nixpkgs = {
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ config.allowUnfreePredicate = pkg:
"parsec-bin" builtins.elem (lib.getName pkg) [
"discord" "parsec-bin"
]; "discord"
];
config.allowUnfree = true; config.allowUnfree = true;
overlays = overlays = let
let discordOverlay = self: super: {
discordOverlay = self: super: { discord = super.discord.override {
discord = super.discord.override { withVencord = true; withOpenASAR = true; }; withVencord = true;
withOpenASAR = true;
}; };
in };
[ in [
(import (builtins.fetchTarball { (import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz"; url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6"; sha256 = "1nglxrfynyjmqfzz81y4idc40c6rbsaa4jb4ishiwibdkh85nyf6";
})) discordOverlay]; }))
discordOverlay
];
}; };
home = { home = {
username = "gsimmer"; username = "gsimmer";
homeDirectory = "/home/gsimmer"; homeDirectory = "/home/gsimmer";
}; };
services.pueue = { services.pueue = {
enable = true; enable = true;
settings = { settings = {
client = { }; client = {};
daemon.callback = '' daemon.callback = ''
${pkgs.libnotify}/bin/notify-send -t 4000 "Task {{id}} finished, status '{{result}}'" "<b>{{exit_code}}</b> {{command}}" ${pkgs.libnotify}/bin/notify-send -t 4000 "Task {{id}} finished, status '{{result}}'" "<b>{{exit_code}}</b> {{command}}"
''; '';
shared = { }; shared = {};
profiles = { }; profiles = {};
}; };
}; };
programs = { programs = {
bash.enable = false; bash.enable = false;
fish = { fish = {
enable = true; enable = true;
interactiveShellInit = '' interactiveShellInit = ''
set fish_greeting set fish_greeting
atuin init fish | source atuin init fish | source
''; '';
}; };
direnv = { direnv = {
enable = true; enable = true;
nix-direnv.enable = true; nix-direnv.enable = true;
@ -90,14 +98,14 @@
# Prevent clobbering SSH_AUTH_SOCK # Prevent clobbering SSH_AUTH_SOCK
home.sessionVariables = { home.sessionVariables = {
SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"; SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock";
}; };
# Disable gnome-keyring ssh-agent # Disable gnome-keyring ssh-agent
xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = '' xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"} ${lib.fileContents "${pkgs.gnome3.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"}
Hidden=true Hidden=true
''; '';
home.packages = with pkgs; [ home.packages = with pkgs; [
bitwarden-cli bitwarden-cli


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939"; device = "/dev/disk/by-uuid/736c20e1-f11a-4af7-88f2-bba7b0f09939";
fsType = "xfs"; fsType = "xfs";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/2A2C-A8CE"; device = "/dev/disk/by-uuid/2A2C-A8CE";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef"; } {device = "/dev/disk/by-uuid/41c7d0e1-e015-4d78-a0fb-f039a7f648ef";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }: {
let config,
lib,
pkgs,
...
}: let
rev = "master"; # 'rev' could be a git rev, to pin the overlay. rev = "master"; # 'rev' could be a git rev, to pin the overlay.
url = "https://github.com/nix-community/nixpkgs-wayland/archive/${rev}.tar.gz"; url = "https://github.com/nix-community/nixpkgs-wayland/archive/${rev}.tar.gz";
waylandOverlay = (import "${builtins.fetchTarball url}/overlay.nix"); waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix";
in in {
{ nixpkgs.overlays = [waylandOverlay];
nixpkgs.overlays = [ waylandOverlay ]; }
}
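Review bot: `waylandOverlay = import "${builtins.fetchTarball url}/overlay.nix";` fetches the `master` tarball with no `sha256`, so every evaluation can pull different, unverified overlay code into the system closure; the `rev` comment above already notes it could be pinned. Pinning `rev` to a commit and adding a hash to the fetch — as the emacs-overlay fetch elsewhere in this commit does with its `sha256` — would make the overlay reproducible and tamper-evident.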


@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
imports = [ imports = [
./hardware.nix ./hardware.nix
./networking.nix # generated at runtime by nixos-infect ./networking.nix # generated at runtime by nixos-infect
@ -20,7 +22,7 @@
file = ../../secrets/healthchecks-telegram.age; file = ../../secrets/healthchecks-telegram.age;
owner = "healthchecks"; owner = "healthchecks";
}; };
age.secrets.prometheus-webconfig-secret = { age.secrets.prometheus-webconfig-secret = {
file = ../../secrets/monitoring-prometheus-webconfig.age; file = ../../secrets/monitoring-prometheus-webconfig.age;
owner = "prometheus"; owner = "prometheus";
@ -43,7 +45,7 @@
networking.domain = ""; networking.domain = "";
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI='' ''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI=''
]; ];
networking.firewall.enable = false; networking.firewall.enable = false;
@ -104,16 +106,18 @@
}; };
schema_config = { schema_config = {
configs = [{ configs = [
from = "2022-06-06"; {
store = "boltdb-shipper"; from = "2022-06-06";
object_store = "filesystem"; store = "boltdb-shipper";
schema = "v11"; object_store = "filesystem";
index = { schema = "v11";
prefix = "index_"; index = {
period = "24h"; prefix = "index_";
}; period = "24h";
}]; };
}
];
}; };
storage_config = { storage_config = {
@ -164,27 +168,33 @@
positions = { positions = {
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; {
}]; url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
scrape_configs = [{ }
job_name = "journal"; ];
journal = { scrape_configs = [
max_age = "12h"; {
labels = { job_name = "journal";
job = "systemd-journal"; journal = {
host = "monitoring"; max_age = "12h";
labels = {
job = "systemd-journal";
host = "monitoring";
};
}; };
}; relabel_configs = [
relabel_configs = [{ {
source_labels = [ "__journal__systemd_unit" ]; source_labels = ["__journal__systemd_unit"];
target_label = "unit"; target_label = "unit";
}]; }
}]; ];
}
];
}; };
}; };
services.alertmanager-ntfy = { services.alertmanager-ntfy = {
enable = true; enable = true;
settings = { settings = {
http = { http = {
addr = "127.0.0.1:8111"; addr = "127.0.0.1:8111";
@ -195,7 +205,7 @@
topic = "alerts"; topic = "alerts";
priority = '' priority = ''
status == "firing" ? "high" : "default" status == "firing" ? "high" : "default"
''; '';
templates = { templates = {
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}''; title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
description = ''{{ index .Annotations "description" }}''; description = ''{{ index .Annotations "description" }}'';
@ -211,136 +221,155 @@
globalConfig = { globalConfig = {
scrape_interval = "15s"; scrape_interval = "15s";
}; };
alertmanagers = [ { alertmanagers = [
basic_auth = { {
username = "homelab"; basic_auth = {
password_file = config.age.secrets.prometheus-password-secret.path; username = "homelab";
}; password_file = config.age.secrets.prometheus-password-secret.path;
static_configs = [ { };
targets = [ static_configs = [
"localhost:9093" {
targets = [
"localhost:9093"
];
}
]; ];
} ]; }
} ]; ];
rules = [(builtins.toJSON { rules = [
groups = [ (builtins.toJSON {
{ groups = [
name = "internet_connection"; {
rules = [ name = "internet_connection";
{ rules = [
alert = "LowInternetDownload"; {
expr = ''speedtest_download_bits_per_second{} < 500000000''; alert = "LowInternetDownload";
for = "2h"; expr = ''speedtest_download_bits_per_second{} < 500000000'';
labels.severity = "page"; for = "2h";
annotations = { labels.severity = "page";
summary = "Internet speed low"; annotations = {
description = "Home internet speed dropped below 500Mb/s."; summary = "Internet speed low";
dashboard = "o9mIe_Aik"; description = "Home internet speed dropped below 500Mb/s.";
}; dashboard = "o9mIe_Aik";
} };
]; }
} ];
{ }
name = "healthchecks"; {
rules = [ name = "healthchecks";
{ rules = [
alert = "HealthcheckFailedCheckin"; {
expr = ''hc_check_up < 1''; alert = "HealthcheckFailedCheckin";
for = "5m"; expr = ''hc_check_up < 1'';
labels.severity = "page"; for = "5m";
annotations = { labels.severity = "page";
summary = "{{ $labels.name }} healthcheck failed"; annotations = {
description = "The {{ $labels.name }} healthcheck failed to check in."; summary = "{{ $labels.name }} healthcheck failed";
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3"; description = "The {{ $labels.name }} healthcheck failed to check in.";
}; dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
} };
]; }
}]; ];
})]; }
];
})
];
alertmanager = { alertmanager = {
enable = true; enable = true;
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ]; extraFlags = ["--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}"];
webExternalUrl = "https://alerts.gmem.ca"; webExternalUrl = "https://alerts.gmem.ca";
configText = '' configText = ''
global: {} global: {}
# The directory from which notification templates are read. # The directory from which notification templates are read.
templates: templates:
- '/etc/alertmanager/template/*.tmpl' - '/etc/alertmanager/template/*.tmpl'
# The root route on which each incoming alert enters. # The root route on which each incoming alert enters.
route: route:
group_by: ['alertname', 'cluster', 'service'] group_by: ['alertname', 'cluster', 'service']
group_wait: 0s group_wait: 0s
group_interval: 5m group_interval: 5m
repeat_interval: 3h repeat_interval: 3h
# A default receiver # A default receiver
receiver: ntfy receiver: ntfy
receivers: receivers:
- name: ntfy - name: ntfy
webhook_configs: webhook_configs:
- url: http://localhost:8111/hook - url: http://localhost:8111/hook
''; '';
}; };
port = 9001; port = 9001;
extraFlags = [ "--web.enable-remote-write-receiver" ]; extraFlags = ["--web.enable-remote-write-receiver"];
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "proxmox"; job_name = "proxmox";
metrics_path = "/pve"; metrics_path = "/pve";
params = { "target" = [ "localhost" ]; }; params = {"target" = ["localhost"];};
static_configs = [ { targets = [ "proxmox:9221" ]; } ]; static_configs = [{targets = ["proxmox:9221"];}];
} }
{ {
job_name = "personal_hardware"; job_name = "personal_hardware";
static_configs = [ { targets = [ "london:9100" "vancouver:9100" "localhost:9100" ]; } ]; static_configs = [{targets = ["london:9100" "vancouver:9100" "localhost:9100"];}];
} }
{ {
job_name = "speedtest-exporter"; job_name = "speedtest-exporter";
scrape_interval = "1h"; scrape_interval = "1h";
scrape_timeout = "1m"; scrape_timeout = "1m";
static_configs = [ { targets = [ "vancouver:9798" ]; } ]; static_configs = [{targets = ["vancouver:9798"];}];
} }
{ {
job_name = "syncthing"; job_name = "syncthing";
static_configs = [ { targets = [ "vancouver:8384" "london:8384" ]; } ]; static_configs = [{targets = ["vancouver:8384" "london:8384"];}];
} }
{ {
job_name = "forgejo"; job_name = "forgejo";
static_configs = [ { targets = [ "git.gmem.ca" ]; } ]; static_configs = [{targets = ["git.gmem.ca"];}];
} }
{ {
job_name = "coredns"; job_name = "coredns";
static_configs = [ { targets = [ "vancouver:9253" ]; } ]; static_configs = [{targets = ["vancouver:9253"];}];
} }
{ {
job_name = "healthchecks"; job_name = "healthchecks";
scrape_interval = "60s"; scrape_interval = "60s";
metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk"; metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
static_configs = [ { targets = [ "localhost:8000" ]; } ]; static_configs = [{targets = ["localhost:8000"];}];
} }
{ {
job_name = "vrc_events"; job_name = "vrc_events";
scrape_interval = "60s"; scrape_interval = "60s";
static_configs = [ { targets = [ "vancouver:6534" ]; } ]; static_configs = [{targets = ["vancouver:6534"];}];
} }
{ {
job_name = "blackbox"; job_name = "blackbox";
metrics_path = "/probe"; metrics_path = "/probe";
params = { "modules" = [ "http_2xx" ]; }; params = {"modules" = ["http_2xx"];};
static_configs = [ { targets = [ "google.com" "gabrielsimmer.com" "artbybecki.com" ]; } ]; static_configs = [{targets = ["google.com" "gabrielsimmer.com" "artbybecki.com"];}];
relabel_configs = [ relabel_configs = [
{ source_labels = ["__address__"]; target_label = "__param_target"; } {
{ source_labels = ["__param_target"]; target_label = "instance"; } source_labels = ["__address__"];
{ source_labels = []; target_label = "__address__"; replacement = "vancouver:9115"; } ]; target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
source_labels = [];
target_label = "__address__";
replacement = "vancouver:9115";
}
];
} }
]; ];
exporters.node = { exporters.node = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
enabledCollectors = [ enabledCollectors = [
"systemd" "processes" "systemd"
"processes"
]; ];
}; };
}; };
@ -361,7 +390,7 @@
TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path; TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path;
}; };
}; };
# nginx reverse proxy # nginx reverse proxy
services.nginx = { services.nginx = {
enable = true; enable = true;
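Review bot: In the `@ -211,136 +221,155 @@` hunk the `healthchecks` scrape job carries what appears to be a project read key inside `metrics_path`, which puts the credential in this repository and in the world-readable Nix store, whereas the `alertmanagers` entry a few lines above keeps its secret out of the store via `password_file = config.age.secrets.prometheus-password-secret.path`. If that path segment is a live key it should be rotated and the job sourced from a scrape-config file rendered from an agenix secret rather than written inline (Prometheus can load such a file through `scrape_config_files`, though how the NixOS module exposes that needs checking). Separately, `networking.firewall.enable = false;` in the `@ -43,7 +45,7 @@` hunk leaves the `port = 9001` Prometheus listener and the 9093 alertmanager reachable on every interface unless a `listenAddress` is set elsewhere; a one-line comment such as `# firewall disabled on purpose: host is only reachable over tailscale` would record whether that exposure is intended.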


@ -1,14 +1,18 @@
{ modulesPath, ... }: {modulesPath, ...}: {
{ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = { boot.loader.grub = {
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot" = { device = "/dev/disk/by-uuid/77CF-345D"; fsType = "vfat"; }; fileSystems."/boot" = {
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; device = "/dev/disk/by-uuid/77CF-345D";
boot.initrd.kernelModules = [ "nvme" ]; fsType = "vfat";
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; };
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
boot.initrd.kernelModules = ["nvme"];
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
} }


@ -1,9 +1,10 @@
{ lib, ... }: { {lib, ...}: {
# This file was populated at runtime with the networking # This file was populated at runtime with the networking
# details gathered from the active system. # details gathered from the active system.
networking = { networking = {
nameservers = [ "8.8.8.8" nameservers = [
]; "8.8.8.8"
];
defaultGateway = "172.31.1.1"; defaultGateway = "172.31.1.1";
defaultGateway6 = { defaultGateway6 = {
address = "fe80::1"; address = "fe80::1";
@ -14,20 +15,38 @@
interfaces = { interfaces = {
eth0 = { eth0 = {
ipv4.addresses = [ ipv4.addresses = [
{ address="91.107.206.145"; prefixLength=32; } {
address = "91.107.206.145";
prefixLength = 32;
}
]; ];
ipv6.addresses = [ ipv6.addresses = [
{ address="2a01:4f8:c012:5ec6::1"; prefixLength=64; } {
{ address="fe80::9400:2ff:fe83:3979"; prefixLength=64; } address = "2a01:4f8:c012:5ec6::1";
prefixLength = 64;
}
{
address = "fe80::9400:2ff:fe83:3979";
prefixLength = 64;
}
];
ipv4.routes = [
{
address = "172.31.1.1";
prefixLength = 32;
}
];
ipv6.routes = [
{
address = "fe80::1";
prefixLength = 128;
}
]; ];
ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
}; };
}; };
}; };
services.udev.extraRules = '' services.udev.extraRules = ''
ATTR{address}=="96:00:02:83:39:79", NAME="eth0" ATTR{address}=="96:00:02:83:39:79", NAME="eth0"
''; '';
} }


@ -1,10 +1,12 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
age.secrets.action-token = { age.secrets.action-token = {
file = ../../secrets/vancouver-action-runner.age; file = ../../secrets/vancouver-action-runner.age;
@ -42,7 +44,7 @@
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
supportedFilesystems = ["zfs"]; supportedFilesystems = ["zfs"];
kernelModules = [ "coretemp" "kvm-amd" "it87" ]; kernelModules = ["coretemp" "kvm-amd" "it87"];
zfs.extraPools = ["tank"]; zfs.extraPools = ["tank"];
}; };
@ -58,23 +60,29 @@
positions = { positions = {
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [
url = "http://monitoring:3030/loki/api/v1/push"; {
}]; url = "http://monitoring:3030/loki/api/v1/push";
scrape_configs = [{ }
job_name = "journal"; ];
journal = { scrape_configs = [
max_age = "12h"; {
labels = { job_name = "journal";
job = "systemd-journal"; journal = {
host = "vancouver"; max_age = "12h";
labels = {
job = "systemd-journal";
host = "vancouver";
};
}; };
}; relabel_configs = [
relabel_configs = [{ {
source_labels = [ "__journal__systemd_unit" ]; source_labels = ["__journal__systemd_unit"];
target_label = "unit"; target_label = "unit";
}]; }
}]; ];
}
];
}; };
}; };
restic = { restic = {
@ -187,7 +195,9 @@
enable = true; enable = true;
listenAddress = "100.116.48.47"; listenAddress = "100.116.48.47";
enabledCollectors = [ enabledCollectors = [
"systemd" "zfs" "processes" "systemd"
"zfs"
"processes"
]; ];
}; };
}; };
@ -201,7 +211,7 @@
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
tailscale.enable = true; tailscale.enable = true;
openssh.enable = true; openssh.enable = true;
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = ["nvidia"];
nfs.server.enable = true; nfs.server.enable = true;
samba-wsdd.enable = true; samba-wsdd.enable = true;
samba = { samba = {
@ -209,18 +219,18 @@
securityType = "user"; securityType = "user";
openFirewall = true; openFirewall = true;
extraConfig = '' extraConfig = ''
workgroup = WORKGROUP workgroup = WORKGROUP
server string = smbnix server string = smbnix
netbios name = smbnix netbios name = smbnix
security = user security = user
#use sendfile = yes #use sendfile = yes
#max protocol = smb2 #max protocol = smb2
# note: localhost is the ipv6 localhost ::1 # note: localhost is the ipv6 localhost ::1
hosts allow = 100. 192.168.50. 127.0.0.1 localhost hosts allow = 100. 192.168.50. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0 hosts deny = 0.0.0.0/0
guest account = nobody guest account = nobody
map to guest = bad user map to guest = bad user
''; '';
shares = { shares = {
streamboxes = { streamboxes = {
path = "/tank/streamboxes"; path = "/tank/streamboxes";
@ -277,20 +287,19 @@
recommendedZstdSettings = true; recommendedZstdSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."git.gmem.ca" = { virtualHosts."git.gmem.ca" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
acmeRoot = null; acmeRoot = null;
locations."/" = { locations."/" = {
extraConfig = extraConfig = ''
''
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 500M; client_max_body_size 500M;
''; '';
proxyPass = "http://127.0.0.1:8973/"; proxyPass = "http://127.0.0.1:8973/";
}; };
}; };
@ -400,8 +409,8 @@
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
enable = true; enable = true;
allowedTCPPorts = [ 22 80 443 9798 2049 ]; allowedTCPPorts = [22 80 443 9798 2049];
allowedUDPPorts = [ 41641 ]; allowedUDPPorts = [41641];
}; };
nftables.enable = true; nftables.enable = true;
}; };
@ -434,21 +443,22 @@
zsh.enable = true; zsh.enable = true;
fish.enable = true; fish.enable = true;
}; };
environment.shells = with pkgs; [ zsh fish ]; environment.shells = with pkgs; [zsh fish];
users.users = { users.users = {
gsimmer = { gsimmer = {
shell = pkgs.fish; shell = pkgs.fish;
isNormalUser = true; isNormalUser = true;
home = "/tank/gsimmer"; home = "/tank/gsimmer";
extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ]; extraGroups = ["wheel" "libvirtd" "qemu-libvirtd"];
openssh.authorizedKeys.keys = let openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
becki = { becki = {
shell = pkgs.fish; shell = pkgs.fish;
@ -456,15 +466,16 @@
home = "/tank/becki"; home = "/tank/becki";
}; };
root.openssh.authorizedKeys.keys = let root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys); authorizedKeys);
}; };
home-manager.users.gsimmer = { pkgs, ... }: { home-manager.users.gsimmer = {pkgs, ...}: {
programs.git = { programs.git = {
userName = "Gabriel Simmer"; userName = "Gabriel Simmer";
userEmail = "git@gmem.ca"; userEmail = "git@gmem.ca";
@ -487,7 +498,7 @@
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
speedtest = { speedtest = {
image = "ghcr.io/miguelndecarvalho/speedtest-exporter"; image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
ports = [ "9798:9798" ]; ports = ["9798:9798"];
}; };
}; };


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064"; device = "/dev/disk/by-uuid/c099cd1d-75a0-42ee-bffa-1e92cd241064";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/77EB-F216"; device = "/dev/disk/by-uuid/77EB-F216";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4"; } {device = "/dev/disk/by-uuid/6e19c559-000a-4ba4-b68c-7ec0794f45e4";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,6 +1,9 @@
{ config, pkgs, callPackage, ... }:
{ {
config,
pkgs,
callPackage,
...
}: {
home.username = "gsimmer"; home.username = "gsimmer";
home.homeDirectory = "/tank/gsimmer"; home.homeDirectory = "/tank/gsimmer";
@ -10,31 +13,31 @@
programs.fish = { programs.fish = {
enable = true; enable = true;
interactiveShellInit = '' interactiveShellInit = ''
set fish_greeting set fish_greeting
if test "$TERM" = "dumb" if test "$TERM" = "dumb"
function fish_prompt function fish_prompt
echo "\$ " echo "\$ "
end end
function fish_right_prompt; end function fish_right_prompt; end
function fish_greeting; end function fish_greeting; end
function fish_title; end function fish_title; end
end end
atuin init fish | source atuin init fish | source
''; '';
loginShellInit = '' loginShellInit = ''
if test "$TERM" = "dumb" if test "$TERM" = "dumb"
function fish_prompt function fish_prompt
echo "\$ " echo "\$ "
end end
function fish_right_prompt; end function fish_right_prompt; end
function fish_greeting; end function fish_greeting; end
function fish_title; end function fish_title; end
end end
''; '';
}; };
programs.direnv = { programs.direnv = {
enable = true; enable = true;
nix-direnv.enable = true; nix-direnv.enable = true;
@ -48,8 +51,8 @@ end
programs.bat = { programs.bat = {
enable = true; enable = true;
}; };
home.packages = with pkgs; [ atuin ]; home.packages = with pkgs; [atuin];
# This value determines the Home Manager release that your # This value determines the Home Manager release that your
# configuration is compatible with. This helps avoid breakage # configuration is compatible with. This helps avoid breakage


@ -1,82 +1,85 @@
{ lib {
, fetchurl lib,
, installShellFiles fetchurl,
, makeWrapper installShellFiles,
, terraform makeWrapper,
, stdenvNoCC terraform,
, unzip stdenvNoCC,
}: unzip,
let }: let
inherit (stdenvNoCC.hostPlatform) system; inherit (stdenvNoCC.hostPlatform) system;
in in
stdenvNoCC.mkDerivation rec {
pname = "coder";
version = "2.3.3";
stdenvNoCC.mkDerivation rec { src = fetchurl {
pname = "coder"; sha256 =
version = "2.3.3"; {
x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ=";
x86_64-darwin = lib.fakeHash;
aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs=";
aarch64-darwin = "";
}
.${system};
src = fetchurl { url = let
sha256 = { systemName =
x86_64-linux = "sha256-3gO71Eii3KBjn/oQ1Q3OCJ7S6H12iDYjOfqf43ph1nQ="; {
x86_64-darwin = lib.fakeHash; x86_64-linux = "linux_amd64";
aarch64-linux = "sha256-v7S22I62EKPcHO9yZGciKKftRlzIowfAeVgnccOdlSs="; aarch64-linux = "linux_arm64";
aarch64-darwin = ""; x86_64-darwin = "darwin_amd64";
}.${system}; aarch64-darwin = "darwin_arm64";
}
.${system};
url = ext =
let {
systemName = { x86_64-linux = "tar.gz";
x86_64-linux = "linux_amd64"; aarch64-linux = "tar.gz";
aarch64-linux = "linux_arm64"; x86_64-darwin = "zip";
x86_64-darwin = "darwin_amd64"; aarch64-darwin = "zip";
aarch64-darwin = "darwin_arm64"; }
}.${system}; .${system};
in "https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
};
ext = { nativeBuildInputs = [
x86_64-linux = "tar.gz"; installShellFiles
aarch64-linux = "tar.gz"; makeWrapper
x86_64-darwin = "zip"; unzip
aarch64-darwin = "zip"; ];
}.${system};
in
"https://github.com/coder/coder/releases/download/v${version}/coder_${version}_${systemName}.${ext}";
};
nativeBuildInputs = [ unpackPhase = ''
installShellFiles printf 'Decompressing %s\n' "$src"
makeWrapper case $src in
unzip *.tar.gz) tar -xz -f "$src" ;;
]; *.zip) unzip "$src" ;;
esac
'';
unpackPhase = '' installPhase = ''
printf 'Decompressing %s\n' "$src" mkdir -p $out/bin
case $src in cp coder $out/bin
*.tar.gz) tar -xz -f "$src" ;; '';
*.zip) unzip "$src" ;;
esac
'';
installPhase = '' postInstall = ''
mkdir -p $out/bin installShellCompletion --cmd coder \
cp coder $out/bin --bash <($out/bin/coder completion bash) \
''; --fish <($out/bin/coder completion fish) \
--zsh <($out/bin/coder completion zsh)
postInstall = '' wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [terraform]}
installShellCompletion --cmd coder \ '';
--bash <($out/bin/coder completion bash) \
--fish <($out/bin/coder completion fish) \
--zsh <($out/bin/coder completion zsh)
wrapProgram $out/bin/coder --prefix PATH : ${lib.makeBinPath [ terraform ]} # integration tests require network access
''; doCheck = false;
# integration tests require network access meta = {
doCheck = false; description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes";
homepage = "https://coder.com";
meta = { license = lib.licenses.agpl3;
description = "Provision software development environments via Terraform on Linux, macOS, Windows, X86, ARM, and of course, Kubernetes"; maintainers = [lib.maintainers.ghuntley lib.maintainers.urandom];
homepage = "https://coder.com"; broken = false;
license = lib.licenses.agpl3; };
maintainers = [ lib.maintainers.ghuntley lib.maintainers.urandom ]; }
broken = false;
};
}


@ -1,13 +1,15 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = ["nix-command" "flakes"];
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -38,37 +40,38 @@
programs.zsh.enable = true; programs.zsh.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
environment.shells = with pkgs; [ zsh fish ]; environment.shells = with pkgs; [zsh fish];
networking = { networking = {
hostName = "forgejo-action-runner"; hostName = "forgejo-action-runner";
domain = "gmem.ca"; domain = "gmem.ca";
nameservers = [ "1.1.1.1" "1.0.0.1" ]; nameservers = ["1.1.1.1" "1.0.0.1"];
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
enable = true; enable = true;
allowedTCPPorts = [ 22 80 443 4328 ]; allowedTCPPorts = [22 80 443 4328];
allowedUDPPorts = [ ]; allowedUDPPorts = [];
}; };
nftables.enable = true; nftables.enable = true;
}; };
users.users = { users.users = {
root.openssh.authorizedKeys.keys = let root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
virtualisation = { virtualisation = {
docker = { docker = {
enable = true; enable = true;
}; };
}; };
services.openssh.enable = true; services.openssh.enable = true;
services.tailscale.enable = true; services.tailscale.enable = true;
system.stateVersion = "23.11"; system.stateVersion = "23.11";


@ -1,15 +1,19 @@
{ modulesPath, ... }: {modulesPath, ...}: {
{ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.efi.efiSysMountPoint = "/boot/efi"; boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.grub = { boot.loader.grub = {
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; }; fileSystems."/boot/efi" = {
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; device = "/dev/disk/by-uuid/CC2E-AEC0";
boot.initrd.kernelModules = [ "nvme" ]; fsType = "vfat";
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; }; };
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
boot.initrd.kernelModules = ["nvme"];
fileSystems."/" = {
device = "/dev/mapper/ocivolume-root";
fsType = "xfs";
};
} }


@ -1,11 +1,13 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
boot = { boot = {
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
}; };
@ -25,7 +27,7 @@
extraOptions = '' extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)} min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)}
''; '';
}; };
networking = { networking = {
@ -34,16 +36,22 @@
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
allowedTCPPorts = [ 80 443 1935 ]; allowedTCPPorts = [80 443 1935];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ from = 4000; to = 4007; } {
{ from = 8000; to = 8010; } from = 4000;
to = 4007;
}
{
from = 8000;
to = 8010;
}
]; ];
allowedUDPPorts = [ 41641 1935 ]; allowedUDPPorts = [41641 1935];
enable = true; enable = true;
}; };
nftables.enable = true; nftables.enable = true;
nameservers = [ "1.1.1.1" "1.0.0.1" ]; nameservers = ["1.1.1.1" "1.0.0.1"];
}; };
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
@ -53,8 +61,9 @@
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc"; sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
@ -77,7 +86,7 @@
openFirewall = false; openFirewall = false;
}; };
nginx = { nginx = {
additionalModules = [ pkgs.nginxModules.rtmp ]; additionalModules = [pkgs.nginxModules.rtmp];
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
@ -92,16 +101,15 @@
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8080"; proxyPass = "http://127.0.0.1:8080";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = extraConfig = ''
''
client_max_body_size 100M; client_max_body_size 100M;
proxy_pass_header Authorization; proxy_pass_header Authorization;
''; '';
}; };
}; };
}; };
appendConfig = '' appendConfig = ''
rtmp { rtmp {
server { server {
@ -135,5 +143,4 @@
}; };
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
} }


@ -1,15 +1,19 @@
{ modulesPath, ... }: {modulesPath, ...}: {
{ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.efi.efiSysMountPoint = "/boot/efi"; boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.grub = { boot.loader.grub = {
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; }; fileSystems."/boot/efi" = {
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; device = "/dev/disk/by-uuid/CC2E-AEC0";
boot.initrd.kernelModules = [ "nvme" ]; fsType = "vfat";
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; }; };
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
boot.initrd.kernelModules = ["nvme"];
fileSystems."/" = {
device = "/dev/mapper/ocivolume-root";
fsType = "xfs";
};
} }


@ -1,10 +1,12 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
age.secrets.k3s-token = { age.secrets.k3s-token = {
file = ../../secrets/k3s-token.age; file = ../../secrets/k3s-token.age;
@ -12,19 +14,18 @@
}; };
boot = { boot = {
supportedFilesystems = [ "nfs" ]; supportedFilesystems = ["nfs"];
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ]; kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
}; };
swapDevices = [ swapDevices = [
{ {
device = "/var/lib/swapfile"; device = "/var/lib/swapfile";
size = 8*1024; size = 8 * 1024;
} }
]; ];
@ -42,7 +43,7 @@
extraOptions = '' extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)} min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)}
''; '';
}; };
networking = { networking = {
@ -51,8 +52,8 @@
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
allowedUDPPorts = [ 41641 ]; allowedUDPPorts = [41641];
allowedTCPPorts = [ 22 80 443 6443 10250 ]; allowedTCPPorts = [22 80 443 6443 10250];
enable = false; enable = false;
}; };
nftables.enable = false; nftables.enable = false;
@ -62,7 +63,7 @@
users.users.gsimmer = { users.users.gsimmer = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
packages = with pkgs; [ packages = with pkgs; [
tree tree
]; ];
@ -71,8 +72,9 @@
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -99,5 +101,4 @@
}; };
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
} }


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee"; device = "/dev/disk/by-uuid/b6eaa1d7-49dc-44a7-9494-6363939a36ee";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/92BB-B090"; device = "/dev/disk/by-uuid/92BB-B090";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c"; } {device = "/dev/disk/by-uuid/45b1b1cc-7a27-4abc-9903-16d293c8570c";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,15 +1,17 @@
{ config, pkgs, ... }:
{ {
imports = config,
[ # Include the results of the hardware scan. pkgs,
./hardware.nix ...
]; }: {
imports = [
# Include the results of the hardware scan.
./hardware.nix
];
boot = { boot = {
supportedFilesystems = [ "nfs" ]; supportedFilesystems = ["nfs"];
kernelPackages = pkgs.linuxPackages_rpi4; kernelPackages = pkgs.linuxPackages_rpi4;
kernelParams = [ "cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1" ]; kernelParams = ["cgroup_enable=memory" "cgroup_enable=cpuset" "cgroup_memory=1"];
loader = { loader = {
grub.enable = false; grub.enable = false;
generic-extlinux-compatible.enable = true; generic-extlinux-compatible.enable = true;
@ -19,7 +21,7 @@
swapDevices = [ swapDevices = [
{ {
device = "/var/lib/swapfile"; device = "/var/lib/swapfile";
size = 8*1024; size = 8 * 1024;
} }
]; ];
@ -37,7 +39,7 @@
extraOptions = '' extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)} min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)}
''; '';
}; };
networking = { networking = {
@ -46,8 +48,8 @@
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
allowedTCPPorts = [ 22 80 443 6443 10250 ]; allowedTCPPorts = [22 80 443 6443 10250];
allowedUDPPorts = [ 41641 80 443 ]; allowedUDPPorts = [41641 80 443];
enable = false; enable = false;
}; };
nftables.enable = false; nftables.enable = false;
@ -57,7 +59,7 @@
users.users.gsimmer = { users.users.gsimmer = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
packages = with pkgs; [ packages = with pkgs; [
tree tree
]; ];
@ -66,8 +68,9 @@
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in
authorizedKeys); pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -103,5 +106,4 @@
}; };
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
} }


@ -1,24 +1,28 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; boot.initrd.availableKernelModules = ["xhci_pci" "uas"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,11 +1,15 @@
{ lib, pkgs, ... }: { {
lib,
pkgs,
...
}: {
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
]; ];
sdImage.compressImage = false; sdImage.compressImage = false;
systemd.services.openssh.wantedBy = lib.mkOverride 40 [ "multi-user.target" ]; systemd.services.openssh.wantedBy = lib.mkOverride 40 ["multi-user.target"];
services.openssh.enable = true; services.openssh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
wget wget


@ -1,28 +1,27 @@
let let
vancouver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC30kDkktiWJGaJEIrqgneQx1SmIYUEVPm7w1F9p//CB"; vancouver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC30kDkktiWJGaJEIrqgneQx1SmIYUEVPm7w1F9p//CB";
monitoring = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDtzsbxKgZ/NBYlYO2EJQZhBy3nVBVERWebbsP9mLcy"; monitoring = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDtzsbxKgZ/NBYlYO2EJQZhBy3nVBVERWebbsP9mLcy";
machines = [ vancouver monitoring ]; machines = [vancouver monitoring];
proxmox-k3s-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1KEjdFl0UmuKfESJTMZdKR2H9a405z0SSlt75NKKht"; proxmox-k3s-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1KEjdFl0UmuKfESJTMZdKR2H9a405z0SSlt75NKKht";
seattle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9pTEqeVljLq0ctFgDn25Q76mCqpddkSNN9kd3IQXd1"; seattle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9pTEqeVljLq0ctFgDn25Q76mCqpddkSNN9kd3IQXd1";
glasgow = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgZSpfnx/4kfE4P1tFpq047IZkF2Q0UYahputnWxtEJ"; glasgow = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgZSpfnx/4kfE4P1tFpq047IZkF2Q0UYahputnWxtEJ";
k3s = [ proxmox-k3s-node seattle glasgow ]; k3s = [proxmox-k3s-node seattle glasgow];
gsimmer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"; gsimmer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com";
users = [ gsimmer ]; users = [gsimmer];
in in {
{ "secrets/vancouver-action-runner.age".publicKeys = [vancouver gsimmer];
"secrets/vancouver-action-runner.age".publicKeys = [ vancouver gsimmer ]; "secrets/vancouver-restic-b2.age".publicKeys = [vancouver gsimmer];
"secrets/vancouver-restic-b2.age".publicKeys = [ vancouver gsimmer ]; "secrets/vancouver-restic-password.age".publicKeys = [vancouver gsimmer];
"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ]; "secrets/monitoring-healthchecks-secret.age".publicKeys = [monitoring gsimmer];
"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-healthchecks-ro.age".publicKeys = [monitoring gsimmer];
"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-prometheus-webconfig.age".publicKeys = [monitoring gsimmer];
"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-prometheus-password.age".publicKeys = [monitoring gsimmer];
"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
"secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users; "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
"secrets/fastmail-smtp.age".publicKeys = machines ++ users; "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
"secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ]; "secrets/healthchecks-telegram.age".publicKeys = [monitoring gsimmer];
"secrets/cloudflare-dns.age".publicKeys = machines ++ users; "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
"secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ]; "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer];
"secrets/k3s-token.age".publicKeys = k3s ++ users; "secrets/k3s-token.age".publicKeys = k3s ++ users;
} }


@ -1,4 +1,4 @@
{ ... }: { {...}: {
terraform = { terraform = {
required_providers = { required_providers = {
cloudflare.source = "cloudflare/cloudflare"; cloudflare.source = "cloudflare/cloudflare";
@ -6,13 +6,13 @@
}; };
backend."s3" = { backend."s3" = {
bucket = "gsimmer-terraform-state"; bucket = "gsimmer-terraform-state";
key = "state/personal.tfstate"; key = "state/personal.tfstate";
region = "eu-west-2"; region = "eu-west-2";
dynamodb_table = "gsimmer-terraform-lock"; dynamodb_table = "gsimmer-terraform-lock";
}; };
}; };
provider = { provider = {
"cloudflare" = {}; "cloudflare" = {};
"aws" = [ "aws" = [