

No commits in common. "e1e7b401fcbec6ae9d7610b614fd9bb814f5b63c" and "ef4db52dce8c58fc19755ebd0cef93d78a0023af" have entirely different histories.

11 changed files with 67 additions and 278 deletions


@ -1,10 +1,6 @@
couchdbConfig: couchdbConfig:
couchdb: couchdb:
uuid: 25274915ac5d403292fef27909e679cc uuid: 25274915ac5d403292fef27909e679cc
chttpd:
enable_cors: true
cors:
origins: "https://artbybecki.com, https://admin.artbybecki.com"
clusterSize: 1 clusterSize: 1
persistentVolume: persistentVolume:
enabled: true enabled: true
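Review bot: Dropping the `chttpd` block (`enable_cors` and the `cors.origins` allowlist, L15–L18 on the old side) leaves CORS at CouchDB's default, which is disabled, so any browser client on `admin.artbybecki.com` that relied on the explicit origin list will start failing preflight checks. That is the safer state if nothing cross-origin talks to the database any more, but the values file should say so, e.g. `# CORS intentionally off: no browser clients hit CouchDB directly`. If CORS has to come back, keep an explicit `origins` list rather than a wildcard.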


@ -1,6 +1,6 @@
nfs: nfs:
server: vancouver server: 192.168.50.229
path: /Primary/k3scluster path: /mnt/Primary/k3scluster
storageClass: storageClass:
defaultClass: true defaultClass: true
archiveOnDelete: false archiveOnDelete: false
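Review bot: `server` now carries a bare LAN IP with nothing explaining where it comes from; the same address is the `nas` deploy target in deploy.nix elsewhere in this compare, so a comment such as `# NAS (deploy.nix "nas" target); the export must match /mnt/Primary/k3scluster on the server` keeps the two in step when either changes. With `defaultClass: true` and `archiveOnDelete: false` unchanged, every claim that omits a storage class now lands on this export, and if this is the nfs-subdir provisioner chart the directory is deleted rather than archived when the claim goes away — worth stating next to the new path.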


@ -1,9 +0,0 @@
age-encryption.org/v1
-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
-> D-grease &[o{ }PTMp/+M y!I
4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
Y ù_<>AœWæ"#W@^¦<>‰y4Ò!êHz
°ú)×0Oži5V¨7rÖ¦Ù Qß(¦ì ™ Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #蹌ƒÁJ±XŒ­¶¼xN<>CÚÖ)Èi«ï\t»åq


@ -30,9 +30,17 @@ spec:
- name: litestream - name: litestream
mountPath: /etc/litestream.yml mountPath: /etc/litestream.yml
subPath: vaultwarden.yml subPath: vaultwarden.yml
envFrom: env:
- secretRef: - name: LITESTREAM_USERNAME
name: vaultwarden-litestream-s3 valueFrom:
secretKeyRef:
name: litestream
key: username
- name: LITESTREAM_PASSWORD
valueFrom:
secretKeyRef:
name: litestream
key: password
containers: containers:
- name: vaultwarden - name: vaultwarden
@ -62,9 +70,17 @@ spec:
- name: litestream - name: litestream
mountPath: /etc/litestream.yml mountPath: /etc/litestream.yml
subPath: vaultwarden.yml subPath: vaultwarden.yml
envFrom: env:
- secretRef: - name: LITESTREAM_USERNAME
name: vaultwarden-litestream-s3 valueFrom:
secretKeyRef:
name: litestream
key: username
- name: LITESTREAM_PASSWORD
valueFrom:
secretKeyRef:
name: litestream
key: password
ports: ports:
- name: metrics - name: metrics
containerPort: 9090 containerPort: 9090
@ -80,7 +96,6 @@ spec:
- metadata: - metadata:
name: data name: data
spec: spec:
storageClassName: nfs-client
accessModes: [ "ReadWriteOnce" ] accessModes: [ "ReadWriteOnce" ]
resources: resources:
requests: requests:
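Review bot: The new `env` block at L52–L62 is repeated verbatim at L69–L79, so the credential wiring for the two containers can drift independently; keeping both variables in one place (a YAML anchor within this manifest, if whatever renders it preserves anchors, or a single Secret consumed by both containers) removes that risk. The third hunk also drops `storageClassName: nfs-client` from the `data` volumeClaimTemplate; `volumeClaimTemplates` on an existing StatefulSet are immutable, so this will be rejected on apply until the StatefulSet is recreated, and after recreation the claim binds to whatever default class the cluster has at that moment. If relying on the default class is the intent, note it next to the template, e.g. `# no storageClassName: binds to the cluster default (NFS)`.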


@ -8,7 +8,7 @@ let
oracle-gitea-runner-source = lib.evalSource [ oracle-gitea-runner-source = lib.evalSource [
{ {
nixpkgs.git = { nixpkgs.git = {
ref = "66aedfd010204949cb225cf749be08cb13ce1813"; ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
shallow = true; shallow = true;
@ -18,27 +18,14 @@ let
} }
]; ];
oracle-nix-cache-source = lib.evalSource [
{
nixpkgs.git = {
ref = "66aedfd010204949cb225cf749be08cb13ce1813";
url = https://github.com/NixOS/nixpkgs;
shallow = true;
};
nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
"hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
}
];
nas-source = lib.evalSource [ nas-source = lib.evalSource [
{ {
nixpkgs.git = { nixpkgs.git = {
ref = "origin/nixos-unstable"; ref = "origin/nixos-23.05";
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
}; };
home-manager.git = { home-manager.git = {
ref = "origin/master"; ref = "origin/release-23.05";
url = https://github.com/nix-community/home-manager; url = https://github.com/nix-community/home-manager;
}; };
nixos-config.file = toString ./nas/configuration.nix; nixos-config.file = toString ./nas/configuration.nix;
@ -58,17 +45,6 @@ let
} }
]; ];
seattle-source = lib.evalSource [
{
nixpkgs.git = {
ref = "origin/nixos-unstable";
url = https://github.com/NixOS/nixpkgs;
};
nixos-config.file = toString ./seattle/configuration.nix;
"hardware.nix".file = toString ./glasgow/hardware.nix;
}
];
glasgow-source = lib.evalSource [ glasgow-source = lib.evalSource [
{ {
nixpkgs.git = { nixpkgs.git = {
@ -85,10 +61,6 @@ in {
source = oracle-gitea-runner-source; source = oracle-gitea-runner-source;
target = "root@130.162.169.74"; target = "root@130.162.169.74";
}; };
oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
source = oracle-nix-cache-source;
target = "root@141.147.94.210";
};
nas = pkgs.krops.writeDeploy "nas" { nas = pkgs.krops.writeDeploy "nas" {
source = nas-source; source = nas-source;
target = "root@192.168.50.229"; target = "root@192.168.50.229";
@ -97,10 +69,6 @@ in {
source = nas-k3s-source; source = nas-k3s-source;
target = "root@192.168.50.229:22001"; target = "root@192.168.50.229:22001";
}; };
seattle = pkgs.krops.writeDeploy "seattle" {
source = seattle-source;
target = "root@192.168.50.146";
};
glasgow = pkgs.krops.writeDeploy "glasgow" { glasgow = pkgs.krops.writeDeploy "glasgow" {
source = glasgow-source; source = glasgow-source;
target = "root@192.168.50.144"; target = "root@192.168.50.144";
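Review bot: `nas-source` now tracks `origin/nixos-23.05` and `origin/release-23.05` by branch name, while `oracle-gitea-runner-source` in the first hunk is pinned to a single nixpkgs commit, so a nas deploy pulls whatever those branches contain at deploy time and cannot be reproduced from this file alone. Either pin both sources to a commit, as the runner already is, or record the policy where the refs are set, e.g. `# nas deliberately follows the release branch so security updates land without touching this repo`. Mixing the two strategies without a comment makes it hard to tell which host is supposed to float.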


@ -27,30 +27,6 @@
}; };
services = { services = {
coredns = {
enable = true;
config =
''
.:53 {
cache
bind tailscale0
}
git.gmem.ca {
cache
bind tailscale0
template IN A {
answer "{{ .Name }} 0 IN A 100.116.48.47"
}
}
'';
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
tailscale.enable = true; tailscale.enable = true;
openssh.enable = true; openssh.enable = true;
@ -128,24 +104,28 @@
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
recommendedZstdSettings = true; recommendedZstdSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedTlsSettings = true;
# We can only proxy one port with Tailscale Funnel so we abuse locations instead. # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
virtualHosts."vancouver.gmem.ca" = { virtualHosts."vancouver.gmem.ca" = {
default = true; default = true;
enableACME = true; enableACME = false;
addSSL = true; forceSSL = false;
acmeRoot = null;
locations."/" = { locations."/" = {
root = "/var/www/"; root = "/var/www/";
extraConfig = '' extraConfig = ''
error_page 404 /404.html; error_page 404 /404.html;
''; '';
}; };
locations."/git" = { locations."/git/" = {
proxyWebsockets = false; # needed if you need to use WebSocket
extraConfig = extraConfig =
'' ''
return 301 $scheme://git.gmem.ca; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
''; '';
proxyPass = "http://127.0.0.1:8973/";
}; };
locations."/n8n/" = { locations."/n8n/" = {
proxyPass = "http://127.0.0.1:5678/"; proxyPass = "http://127.0.0.1:5678/";
@ -156,21 +136,6 @@
''; '';
}; };
}; };
virtualHosts."git.gmem.ca" = {
enableACME = true;
addSSL = true;
acmeRoot = null;
locations."/" = {
extraConfig =
''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
proxyPass = "http://127.0.0.1:8973/";
};
};
}; };
gitea = { gitea = {
enable = true; enable = true;
@ -178,7 +143,7 @@
package = pkgs.forgejo; package = pkgs.forgejo;
settings = { settings = {
server = { server = {
ROOT_URL = "https://git.gmem.ca/"; ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
HTTP_PORT = 8973; HTTP_PORT = 8973;
}; };
service = { service = {
@ -194,7 +159,6 @@
}; };
}; };
gitea-actions-runner = { gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances = { instances = {
vancouver = { vancouver = {
name = "vancouver"; name = "vancouver";
@ -203,7 +167,8 @@
"debian-latest:docker://node:18-bullseye" "debian-latest:docker://node:18-bullseye"
"nix:docker://nixos/nix" "nix:docker://nixos/nix"
]; ];
url = "https://git.gmem.ca/"; url = "https://vancouver.scorpion-ghost.ts.net/git";
token = "";
}; };
}; };
}; };
@ -217,9 +182,7 @@
firewall = { firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = ["tailscale0"];
checkReversePath = "loose"; checkReversePath = "loose";
enable = true; enable = false;
allowedTCPPorts = [ 22 53 80 443 ];
allowedUDPPorts = [ 53 ];
}; };
nftables.enable = true; nftables.enable = true;
}; };
@ -234,8 +197,6 @@
screen screen
nix-output-monitor nix-output-monitor
cifs-utils cifs-utils
cloudflared
bat
# atuin # atuin
]; ];
@ -272,13 +233,9 @@
isNormalUser = true; isNormalUser = true;
home = "/Primary/becki"; home = "/Primary/becki";
}; };
root.openssh.authorizedKeys.keys = let root.openssh.authorizedKeys.keys = [
authorizedKeys = pkgs.fetchurl { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
url = "https://gmem.ca/ssh"; ];
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
};
in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
}; };
home-manager.users.gsimmer = { pkgs, ... }: { home-manager.users.gsimmer = { pkgs, ... }: {
@ -294,25 +251,22 @@
virtualisation = { virtualisation = {
docker = { docker = {
enable = true; enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
}; };
libvirtd.enable = true; libvirtd.enable = true;
}; };
sound.enable = true; sound.enable = true;
security.rtkit.enable = true; security.rtkit.enable = true;
services.pipewire = {
security.acme.acceptTerms = true; enable = true;
security.acme.defaults.email = "acme@gmem.ca"; alsa.enable = true;
security.acme.certs."git.gmem.ca" = { alsa.support32Bit = true;
domain = "git.gmem.ca"; pulse.enable = true;
dnsProvider = "route53"; jack.enable = true;
credentialsFile = "/var/lib/secrets/credentials";
}; };
security.acme.certs."vancouver.gmem.ca" = {
domain = "vancouver.gmem.ca";
dnsProvider = "route53";
credentialsFile = "/var/lib/secrets/credentials";
};
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }
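Review bot: `enable = false;` in the `firewall` block (L278) switches the host firewall off entirely, so every listening service — Forgejo on 8973, n8n on 5678, nginx on 80, SSH — becomes reachable from any LAN interface rather than only `tailscale0`, and `nftables.enable = true;` on its own generates no rules. Keep `enable = true;` with the existing `trustedInterfaces = ["tailscale0"];` and list only what must be reachable outside Tailscale, e.g. `allowedTCPPorts = [ 22 ];` (plus 80 only if the Funnel proxy is not the sole path to nginx). Separately, `token = "";` on the runner instance (L270) will land the registration token in the world-readable Nix store as soon as someone fills it in; the module's `tokenFile` option reads it from a file outside the store. If Funnel terminates TLS and hands nginx plain HTTP, `proxy_set_header X-Forwarded-Proto $scheme;` forwards `http` while `ROOT_URL` is https, so Forgejo may emit http redirects — presumably a literal `https` is wanted there; confirm against the Funnel setup.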


@ -1,111 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware.nix
];
boot = {
tmp.cleanOnBoot = true;
};
zramSwap.enable = true;
nix = {
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
networking = {
hostName = "nix-cache";
domain = "gmem.ca";
firewall = {
trustedInterfaces = ["tailscale0"];
checkReversePath = "loose";
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
enable = true;
};
nftables.enable = true;
nameservers = [ "1.1.1.1" "1.0.0.1" ];
};
time.timeZone = "Europe/London";
users.users.root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh";
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
};
in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
environment.systemPackages = with pkgs; [
vim
wget
htop
git
screen
nix-output-monitor
tailscale
nfs-utils
];
services = {
rpcbind.enable = true;
openssh.enable = true;
tailscale.enable = true;
nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"nix-cache.gmem.ca" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
"git.gmem.ca" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.116.48.47";
};
};
};
};
};
security.acme = {
acceptTerms = true;
email = "acme@gmem.ca";
};
system.copySystemConfiguration = true;
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
}


@ -1,15 +0,0 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
}


@ -24,6 +24,4 @@
nix-output-monitor nix-output-monitor
tailscale tailscale
]; ];
system.stateVersion = "23.05";
} }
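Review bot: Removing `system.stateVersion = "23.05";` (L461) leaves this host without a pinned state version, so NixOS falls back to the current release's value and warns on every evaluation, and options whose defaults are keyed on stateVersion (database package versions, some service data layouts) can silently change on the next channel bump. Unless this host is being rebuilt from scratch, keep the line; it records the release the system was first installed with, not the one it currently runs. The enclosing attribute set starts outside the hunk and the file's path is not shown in this view.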


@ -30,6 +30,16 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
] ]
} }
resource "aws_route53_record" "gabrielsimmercom-google-ownership" {
zone_id = aws_route53_zone.gabrielsimmercom.zone_id
name = "gabrielsimmer.com"
type = "TXT"
ttl = 300
records = [
"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4",
]
}
resource "aws_route53_record" "gabrielsimmercom-next" { resource "aws_route53_record" "gabrielsimmercom-next" {
zone_id = aws_route53_zone.gabrielsimmercom.zone_id zone_id = aws_route53_zone.gabrielsimmercom.zone_id
name = "next" name = "next"
@ -72,7 +82,7 @@ resource "aws_route53_record" "gabrielsimmercom-github-verification" {
type = "TXT" type = "TXT"
ttl = 300 ttl = 300
records = [ records = [
"fcf7482bbeced61719161ebd56e110", "fcf7482bbeced61719161ebd56e110"
] ]
} }
@ -83,8 +93,7 @@ resource "aws_route53_record" "gabrielsimmercom-txt-verifications" {
ttl = 300 ttl = 300
records = [ records = [
"keybase-site-verification=f2MAsoM3HCGQAsYNcWzCy4Ul2kvh79j6etJbL7aQwv8", "keybase-site-verification=f2MAsoM3HCGQAsYNcWzCy4Ul2kvh79j6etJbL7aQwv8",
"v=spf1 include:spf.messagingengine.com ?all", "v=spf1 include:spf.messagingengine.com ?all"
"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4"
] ]
} }
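Review bot: The new `gabrielsimmercom-google-ownership` resource (L469–L477) is a TXT record at the apex (`name = "gabrielsimmer.com"`), and the third hunk removes the same verification string from `gabrielsimmercom-txt-verifications`; if that record set is also the apex TXT (its `name` is outside the hunk), Route 53 will reject the change, since a zone cannot hold two record sets with the same name and type — all apex TXT values have to share one `records` list. If `gabrielsimmercom-txt-verifications` is a different name the split is fine, but the reason for a separate resource deserves a line, e.g. `# apex TXT for Google Search Console ownership; SPF/keybase stay in txt-verifications`. The absolute `"gabrielsimmer.com"` here next to relative names like `"next"` above also reads inconsistently; Route 53 accepts both, but one style keeps the file greppable.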


@ -2,22 +2,6 @@ resource "aws_route53_zone" "gmemca" {
name = "gmem.ca" name = "gmem.ca"
} }
resource "aws_route53_record" "git" {
zone_id = aws_route53_zone.gmemca.zone_id
name = "git"
type = "A"
ttl = 300
records = ["141.147.94.210"]
}
resource "aws_route53_record" "nix-cache" {
zone_id = aws_route53_zone.gmemca.zone_id
name = "nix-cache"
type = "A"
ttl = 300
records = ["141.147.94.210"]
}
resource "aws_route53_record" "fursona" { resource "aws_route53_record" "fursona" {
zone_id = aws_route53_zone.gmemca.zone_id zone_id = aws_route53_zone.gmemca.zone_id
name = "fursona" name = "fursona"