Gabriel Simmer 2023-09-05 17:09:09 +01:00
parent 1813986ad4
commit a7f6e9f4c7
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
4 changed files with 0 additions and 192 deletions


@ -1,9 +0,0 @@
age-encryption.org/v1
-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
-> D-grease &[o{ }PTMp/+M y!I
4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
Y ù_<>AœWæ"#W@^¦<>‰y4Ò!êHz
°ú)×0Oži5V¨7rÖ¦Ù Qß(¦ì ™ Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #蹌ƒÁJ±XŒ­¶¼xN<>CÚÖ)Èi«ï\t»åq


@ -1,52 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
{ config, pkgs, ... }:
{
imports =
[
./hardware.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
time.timeZone = "Europe/London";
environment.systemPackages = with pkgs; [
vim
wget
k3s
git
];
services = {
openssh.enable = true;
k3s = {
enable = true;
role = "server";
extraFlags = toString [
"--secrets-encryption"
"--tls-san=192.168.50.229"
];
};
};
networking = {
hostName = "k3s";
domain = "gmem.ca";
firewall = {
enable = false;
allowedTCPPorts = [ 6443 80 443 ];
};
nftables.enable = true;
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
system.copySystemConfiguration = true;
system.stateVersion = "23.05"; # Did you read the comment?
}


@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/f306aefe-e24d-4f19-9131-124aeb3b0880";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7562-558C";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/b94a7a44-73d2-4c69-aadd-80f030a38bc0"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,93 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.n8n;
format = pkgs.formats.json {};
configFile = format.generate "n8n.json" cfg.settings;
in
{
options.services.n8n = {
enable = mkEnableOption (lib.mdDoc "n8n server");
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open ports in the firewall for the n8n web interface.";
};
settings = mkOption {
type = format.type;
default = {};
description = lib.mdDoc ''
Configuration for n8n, see <https://docs.n8n.io/hosting/environment-variables/configuration-methods/>
for supported values.
'';
};
webhookUrl = mkOption {
type = types.str;
default = "";
description = lib.mdDoc ''
WEBHOOK_URL for n8n, in case we're running behind a reverse proxy.
This cannot be set through configuration and must reside in an environment variable.
'';
};
};
config = mkIf cfg.enable {
services.n8n.settings = {
# We use this to open the firewall, so we need to know about the default at eval time
port = lib.mkDefault 5678;
};
systemd.services.n8n = {
description = "N8N service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
# This folder must be writeable as the application is storing
# its data in it, so the StateDirectory is a good choice
N8N_USER_FOLDER = "/var/lib/n8n";
HOME = "/var/lib/n8n";
N8N_CONFIG_FILES = "${configFile}";
WEBHOOK_URL = "${cfg.webhookUrl}";
VUE_APP_URL_BASE_API="https://vancouver.scorpion-ghost.ts.net/n8n/";
N8N_PATH="/n8n/";
# Don't phone home
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.n8n}/bin/n8n";
Restart = "on-failure";
StateDirectory = "n8n";
# Basic Hardening
NoNewPrivileges = "yes";
PrivateTmp = "yes";
PrivateDevices = "yes";
DevicePolicy = "closed";
DynamicUser = "true";
ProtectSystem = "strict";
ProtectHome = "read-only";
ProtectControlGroups = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
RestrictSUIDSGID = "yes";
MemoryDenyWriteExecute = "no"; # v8 JIT requires memory segments to be Writable-Executable.
LockPersonality = "yes";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.settings.port ];
};
};
}