CoreDNS, dedicated git.gmem.ca route for NAS

Add nix-cache/reverse proxy Oracle Cloud configuration
git and nix-cache dns records
2023-08-05 12:05:53 +01:00 · 2023-08-05 12:05:09 +01:00 · 2023-08-05 12:02:57 +01:00 · 2023-08-05 12:02:45 +01:00 · 2023-08-05 12:02:26 +01:00 · 2023-08-05 12:02:00 +01:00
11 changed files with 278 additions and 67 deletions
--- a/homelab/couchdb.yaml
+++ b/homelab/couchdb.yaml
@ -1,6 +1,10 @@
 couchdbConfig:
  couchdb:
    uuid: 25274915ac5d403292fef27909e679cc
+  chttpd:
+    enable_cors: true
+  cors:
+    origins: "https://artbybecki.com, https://admin.artbybecki.com"
 clusterSize: 1
 persistentVolume:
  enabled: true
--- a/homelab/nfs-provisioner-values.yml
+++ b/homelab/nfs-provisioner-values.yml
@ -1,7 +1,7 @@
 nfs:
-  server: 192.168.50.229
-  path: /mnt/Primary/k3scluster
+  server: vancouver
+  path: /Primary/k3scluster
 storageClass:
  defaultClass: true
  archiveOnDelete: false
-  onDelete: delete
+  onDelete: delete
--- a/homelab/vaultwarden-s3.env.age
+++ b/homelab/vaultwarden-s3.env.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
+tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
+-> D-grease &[o{ }PTMp/+M y!I
+4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
+Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
+--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
+Y	ù_•<>AœWæ"#W@^¦<>‰y4Ò!‘êHz
+°ú)×0Oži5‹9ûV¨7rÖ¦ÙQß(¦ì	™Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #‹è¹ŒƒÁJ±XŒ¶¼xN<>CÚÖ)Èi«ï\t»åq
--- a/homelab/vaultwarden.yml
+++ b/homelab/vaultwarden.yml
@ -30,17 +30,9 @@ spec:
          - name: litestream
            mountPath: /etc/litestream.yml
            subPath: vaultwarden.yml
-          env:
-          - name: LITESTREAM_USERNAME
-            valueFrom:
-              secretKeyRef:
-                name: litestream
-                key: username
-          - name: LITESTREAM_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: litestream
-                key: password
+          envFrom:
+            - secretRef:
+                name: vaultwarden-litestream-s3

      containers:
      - name: vaultwarden
@ -70,17 +62,9 @@ spec:
        - name: litestream
          mountPath: /etc/litestream.yml
          subPath: vaultwarden.yml
-        env:
-        - name: LITESTREAM_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: litestream
-              key: username
-        - name: LITESTREAM_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: litestream
-              key: password
+        envFrom:
+          - secretRef:
+              name: vaultwarden-litestream-s3
        ports:
        - name: metrics
          containerPort: 9090
@ -96,6 +80,7 @@ spec:
  - metadata:
      name: data
    spec:
+      storageClassName: nfs-client
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
--- a/krops/krops.nix
+++ b/krops/krops.nix
@ -8,7 +8,7 @@ let
  oracle-gitea-runner-source =  lib.evalSource [
    {
      nixpkgs.git = {
-        ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
+        ref = "66aedfd010204949cb225cf749be08cb13ce1813";
        url = https://github.com/NixOS/nixpkgs;

        shallow = true;
@ -18,14 +18,27 @@ let
    }
  ];

+  oracle-nix-cache-source =  lib.evalSource [
+    {
+      nixpkgs.git = {
+        ref = "66aedfd010204949cb225cf749be08cb13ce1813";
+        url = https://github.com/NixOS/nixpkgs;
+
+        shallow = true;
+      };
+      nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
+      "hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
+    }
+  ];
+
  nas-source =  lib.evalSource [
    {
      nixpkgs.git = {
-        ref = "origin/nixos-23.05";
+        ref = "origin/nixos-unstable";
        url = https://github.com/NixOS/nixpkgs;
      };
      home-manager.git = {
-        ref = "origin/release-23.05";
+        ref = "origin/master";
        url = https://github.com/nix-community/home-manager;
      };
      nixos-config.file = toString ./nas/configuration.nix;
@ -45,6 +58,17 @@ let
    }
  ];

+  seattle-source =  lib.evalSource [
+    {
+      nixpkgs.git = {
+        ref = "origin/nixos-unstable";
+        url = https://github.com/NixOS/nixpkgs;
+      };
+      nixos-config.file = toString ./seattle/configuration.nix;
+      "hardware.nix".file = toString ./glasgow/hardware.nix;
+    }
+  ];
+
  glasgow-source =  lib.evalSource [
    {
      nixpkgs.git = {
@ -61,6 +85,10 @@ in {
    source = oracle-gitea-runner-source;
    target = "root@130.162.169.74";
  };
+  oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
+    source = oracle-nix-cache-source;
+    target = "root@141.147.94.210";
+  };
  nas = pkgs.krops.writeDeploy "nas" {
    source = nas-source;
    target = "root@192.168.50.229";
@ -69,6 +97,10 @@ in {
    source = nas-k3s-source;
    target = "root@192.168.50.229:22001";
  };
+  seattle = pkgs.krops.writeDeploy "seattle" {
+    source = seattle-source;
+    target = "root@192.168.50.146";
+  };
  glasgow = pkgs.krops.writeDeploy "glasgow" {
    source = glasgow-source;
    target = "root@192.168.50.144";
--- a/krops/nas/configuration.nix
+++ b/krops/nas/configuration.nix
@ -27,6 +27,30 @@
  };

  services = {
+    coredns = {
+      enable = true;
+      config =
+        ''
+        .:53 {
+          cache
+          bind tailscale0
+        }
+        git.gmem.ca {
+         cache
+         bind tailscale0
+         template IN A  {
+          answer "{{ .Name }} 0 IN A 100.116.48.47"
+         }
+        }
+    '';
+    };
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh.enable = true;
@ -104,28 +128,24 @@
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
-
+      recommendedTlsSettings = true;
      # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
      virtualHosts."vancouver.gmem.ca" =  {
        default = true;
-        enableACME = false;
-        forceSSL = false;
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
        locations."/" = {
          root = "/var/www/";
          extraConfig = ''
            error_page 404 /404.html;
          '';
        };
-        locations."/git/" = {
-          proxyWebsockets = false; # needed if you need to use WebSocket
+        locations."/git" = {
          extraConfig =
            ''
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+            return 301 $scheme://git.gmem.ca;
            '';
-          proxyPass = "http://127.0.0.1:8973/";
        };
        locations."/n8n/" = {
          proxyPass = "http://127.0.0.1:5678/";
@ -136,6 +156,21 @@
            '';
        };
      };
+      virtualHosts."git.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            '';
+          proxyPass = "http://127.0.0.1:8973/";
+        };
+      };
    };
    gitea = {
      enable = true;
@ -143,7 +178,7 @@
      package = pkgs.forgejo;
      settings = {
        server = {
-          ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
+          ROOT_URL = "https://git.gmem.ca/";
          HTTP_PORT = 8973;
        };
        service = {
@ -159,6 +194,7 @@
      };
    };
    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
      instances = {
        vancouver = {
          name = "vancouver";
@ -167,8 +203,7 @@
            "debian-latest:docker://node:18-bullseye"
            "nix:docker://nixos/nix"
          ];
-          url = "https://vancouver.scorpion-ghost.ts.net/git";
-          token = "";
+          url = "https://git.gmem.ca/";
        };
      };
    };
@ -182,7 +217,9 @@
    firewall = {
      trustedInterfaces = ["tailscale0"];
      checkReversePath = "loose";
-      enable = false;
+      enable = true;
+      allowedTCPPorts = [ 22 53 80 443 ];
+      allowedUDPPorts = [ 53 ];
    };
    nftables.enable = true;
  };
@ -197,6 +234,8 @@
    screen
    nix-output-monitor
    cifs-utils
+    cloudflared
+    bat
    # atuin
  ];

@ -233,9 +272,13 @@
      isNormalUser = true;
      home = "/Primary/becki";
    };
-    root.openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr" 
-    ];
+    root.openssh.authorizedKeys.keys = let
+        authorizedKeys = pkgs.fetchurl {
+          url = "https://gmem.ca/ssh";
+          sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+        };
+      in pkgs.lib.splitString "\n" (builtins.readFile
+        authorizedKeys);
  };

  home-manager.users.gsimmer = { pkgs, ... }: {
@ -251,22 +294,25 @@
  virtualisation = {
    docker = {
      enable = true;
-      rootless = {
-        enable = true;
-        setSocketVariable = true;
-      };
    };
    libvirtd.enable = true;
  };

  sound.enable = true;
  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    jack.enable = true;
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "acme@gmem.ca";
+  security.acme.certs."git.gmem.ca" = {
+    domain = "git.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
  };
+  security.acme.certs."vancouver.gmem.ca" = {
+    domain = "vancouver.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
+
  system.stateVersion = "23.05";
 }
--- a/krops/oracle-nix-cache/configuration.nix
+++ b/krops/oracle-nix-cache/configuration.nix
@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware.nix
+    ];
+
+  boot = {
+    tmp.cleanOnBoot = true;
+  };
+  zramSwap.enable = true;
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    # Free up to 1GiB whenever there is less than 100MiB left.
+    extraOptions = ''
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+      '';
+  };
+
+  networking = {
+    hostName = "nix-cache";
+    domain = "gmem.ca";
+    firewall = {
+      trustedInterfaces = ["tailscale0"];
+      checkReversePath = "loose";
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPortRanges = [
+        { from = 4000; to = 4007; }
+        { from = 8000; to = 8010; }
+      ];
+      enable = true;
+    };
+    nftables.enable = true;
+    nameservers = [ "1.1.1.1" "1.0.0.1" ];
+  };
+
+  time.timeZone = "Europe/London";
+
+  users.users.root.openssh.authorizedKeys.keys = let
+    authorizedKeys = pkgs.fetchurl {
+      url = "https://gmem.ca/ssh";
+      sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+    };
+  in pkgs.lib.splitString "\n" (builtins.readFile
+    authorizedKeys);
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    git
+    screen
+    nix-output-monitor
+    tailscale
+    nfs-utils
+  ];
+
+  services = {
+    rpcbind.enable = true;
+    openssh.enable = true;
+    tailscale.enable = true;
+    nix-serve = {
+      enable = true;
+      secretKeyFile = "/var/cache-priv-key.pem";
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedZstdSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "nix-cache.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+        "git.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://100.116.48.47";
+          };
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "acme@gmem.ca";
+  };
+
+  system.copySystemConfiguration = true;
+
+  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
+
+}
--- a/krops/oracle-nix-cache/hardware.nix
+++ b/krops/oracle-nix-cache/hardware.nix
@ -0,0 +1,15 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+  
+}
--- a/pi-imgs/pi-initial.nix
+++ b/pi-imgs/pi-initial.nix
@ -24,4 +24,6 @@
    nix-output-monitor
    tailscale
  ];
+
+  system.stateVersion = "23.05";
 }
--- a/terraform/gabrielsimmer.com.tf
+++ b/terraform/gabrielsimmer.com.tf
@ -30,16 +30,6 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
  ]
 }

-resource "aws_route53_record" "gabrielsimmercom-google-ownership" {
-  zone_id = aws_route53_zone.gabrielsimmercom.zone_id
-  name    = "gabrielsimmer.com"
-  type    = "TXT"
-  ttl     = 300
-  records = [
-	"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4",
-  ]
-}
-
 resource "aws_route53_record" "gabrielsimmercom-next" {
  zone_id = aws_route53_zone.gabrielsimmercom.zone_id
  name    = "next"
@ -82,7 +72,7 @@ resource "aws_route53_record" "gabrielsimmercom-github-verification" {
  type    = "TXT"
  ttl     = 300
  records = [
-    "fcf7482bbeced61719161ebd56e110"
+	"fcf7482bbeced61719161ebd56e110",
  ]
 }

@ -93,7 +83,8 @@ resource "aws_route53_record" "gabrielsimmercom-txt-verifications" {
  ttl     = 300
  records = [
    "keybase-site-verification=f2MAsoM3HCGQAsYNcWzCy4Ul2kvh79j6etJbL7aQwv8",
-    "v=spf1 include:spf.messagingengine.com ?all"
+	"v=spf1 include:spf.messagingengine.com ?all",
+	"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4"
  ]
 }

--- a/terraform/gmem.ca.tf
+++ b/terraform/gmem.ca.tf
@ -2,6 +2,22 @@ resource "aws_route53_zone" "gmemca" {
  name = "gmem.ca"
 }

+resource "aws_route53_record" "git" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "git"
+  type    = "A"
+  ttl     = 300
+  records = ["141.147.94.210"]
+}
+
+resource "aws_route53_record" "nix-cache" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "nix-cache"
+  type    = "A"
+  ttl     = 300
+  records = ["141.147.94.210"]
+}
+
 resource "aws_route53_record" "fursona" {
  zone_id = aws_route53_zone.gmemca.zone_id
  name    = "fursona"
Author	SHA1	Message	Date
Gabriel Simmer	e1e7b401fc	CoreDNS, dedicated git.gmem.ca route for NAS Some checks failed Lint / lint (push) Failing after 0s Details Build Pi NixOS Image / sync (push) Has been cancelled Details	2023-08-05 12:05:53 +01:00
Gabriel Simmer	89e425c201	Add nix-cache/reverse proxy Oracle Cloud configuration	2023-08-05 12:05:09 +01:00
Gabriel Simmer	68aa75200a	git and nix-cache dns records	2023-08-05 12:02:57 +01:00
Gabriel Simmer	fefb270ae3	Add google site verification to gabrielsimmer.com	2023-08-05 12:02:45 +01:00
Gabriel Simmer	4751a1b22f	stateVersion for custom pi image	2023-08-05 12:02:26 +01:00
Gabriel Simmer	8a6f9f6758	Swap to S3 for Vaultwarden Litestream	2023-08-05 12:02:00 +01:00
Gabriel Simmer	c644898941	Update values for nfs provisioner use tailscale dns name, update path	2023-08-05 12:01:32 +01:00
Gabriel Simmer	a6c3afd416	Ensure CORS is enabled for couch instance	2023-08-05 12:01:18 +01:00