Compare commits
8 commits
ef4db52dce
...
e1e7b401fc
Author | SHA1 | Date | |
---|---|---|---|
Gabriel Simmer | e1e7b401fc | ||
Gabriel Simmer | 89e425c201 | ||
Gabriel Simmer | 68aa75200a | ||
Gabriel Simmer | fefb270ae3 | ||
Gabriel Simmer | 4751a1b22f | ||
Gabriel Simmer | 8a6f9f6758 | ||
Gabriel Simmer | c644898941 | ||
Gabriel Simmer | a6c3afd416 |
|
@ -1,6 +1,10 @@
|
|||
couchdbConfig:
|
||||
couchdb:
|
||||
uuid: 25274915ac5d403292fef27909e679cc
|
||||
chttpd:
|
||||
enable_cors: true
|
||||
cors:
|
||||
origins: "https://artbybecki.com, https://admin.artbybecki.com"
|
||||
clusterSize: 1
|
||||
persistentVolume:
|
||||
enabled: true
|
||||
|
|
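Review bot: The new `cors` block enables CORS for the two site origins but leaves CouchDB's `credentials` setting at its default, so browsers will not attach cookies or Authorization headers to cross-origin requests from `admin.artbybecki.com`; if the admin UI authenticates that way it also needs `credentials: true` under `cors`, and if it does not, a comment such as `# CORS is intentionally credential-less; the admin UI authenticates via <method placeholder>` records the intent. `origins` is a single comma-separated string, which CouchDB accepts, but it is worth noting next to it that each entry must carry the scheme and match the browser's Origin header exactly.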
|
@ -1,6 +1,6 @@
|
|||
nfs:
|
||||
server: 192.168.50.229
|
||||
path: /mnt/Primary/k3scluster
|
||||
server: vancouver
|
||||
path: /Primary/k3scluster
|
||||
storageClass:
|
||||
defaultClass: true
|
||||
archiveOnDelete: false
|
||||
|
|
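Review bot: `server: vancouver` is an unqualified host name, and NFS volumes are mounted by each node's mount helper, so the name is resolved through the node's own resolver and search domains rather than by cluster DNS; any node that resolves it differently, or not at all, will fail to mount the provisioner's PVs. A fully qualified name or the address itself, e.g. `server: vancouver.<search-domain-placeholder>`, keeps the mount independent of per-node resolver configuration. The path change to `/Primary/k3scluster` presumably follows the export layout on the NixOS host; a one-line comment naming the export would make that explicit.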
9
homelab/vaultwarden-s3.env.age
Normal file
9
homelab/vaultwarden-s3.env.age
Normal file
|
@ -0,0 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
|
||||
tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
|
||||
-> D-grease &[o{ }PTMp/+M y!I
|
||||
4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
|
||||
Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
|
||||
--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
|
||||
Y ù_•<>AœWæ"#W@^¦<>‰y4Ò!‘êHz
|
||||
°ú)×0Oži5‹9ûV¨7rÖ¦ÙQß(¦ì ™Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #‹è¹ŒƒÁJ±XŒ¶¼xN<>CÚÖ)Èi«ï\t»åq
|
|
@ -30,17 +30,9 @@ spec:
|
|||
- name: litestream
|
||||
mountPath: /etc/litestream.yml
|
||||
subPath: vaultwarden.yml
|
||||
env:
|
||||
- name: LITESTREAM_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: litestream
|
||||
key: username
|
||||
- name: LITESTREAM_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: litestream
|
||||
key: password
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: vaultwarden-litestream-s3
|
||||
|
||||
containers:
|
||||
- name: vaultwarden
|
||||
|
@ -70,17 +62,9 @@ spec:
|
|||
- name: litestream
|
||||
mountPath: /etc/litestream.yml
|
||||
subPath: vaultwarden.yml
|
||||
env:
|
||||
- name: LITESTREAM_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: litestream
|
||||
key: username
|
||||
- name: LITESTREAM_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: litestream
|
||||
key: password
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: vaultwarden-litestream-s3
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9090
|
||||
|
@ -96,6 +80,7 @@ spec:
|
|||
- metadata:
|
||||
name: data
|
||||
spec:
|
||||
storageClassName: nfs-client
|
||||
accessModes: [ "ReadWriteOnce" ]
|
||||
resources:
|
||||
requests:
|
||||
|
|
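Review bot: The two `envFrom` blocks (hunks @-30 and @-70) import every key of Secret `vaultwarden-litestream-s3` into the litestream containers' environment, so the Secret's key names must be exactly the variable names litestream expects, and any key added to the Secret later silently becomes an environment variable as well. Nothing on this page creates that Secret; the new `homelab/vaultwarden-s3.env.age` file is the likely source, but the decrypt-and-apply step that turns it into the Secret is not visible here, so please confirm the name matches, and note that since the reference is not marked `optional` the pod stays in a config error until the Secret exists. The one line added in hunk @-96 (presumably `storageClassName: nfs-client`) ties this volume to the NFS provisioner whose server and path change elsewhere in this compare; a comment saying so would help a later reader. The container spec continues outside these hunks.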
|
@ -8,7 +8,7 @@ let
|
|||
oracle-gitea-runner-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "0a4f20e1867ebb798ba5ed51b9db52a09ba6623d";
|
||||
ref = "66aedfd010204949cb225cf749be08cb13ce1813";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
|
||||
shallow = true;
|
||||
|
@ -18,14 +18,27 @@ let
|
|||
}
|
||||
];
|
||||
|
||||
oracle-nix-cache-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "66aedfd010204949cb225cf749be08cb13ce1813";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
|
||||
shallow = true;
|
||||
};
|
||||
nixos-config.file = toString ./oracle-nix-cache/configuration.nix;
|
||||
"hardware.nix".file = toString ./oracle-nix-cache/hardware.nix;
|
||||
}
|
||||
];
|
||||
|
||||
nas-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-23.05";
|
||||
ref = "origin/nixos-unstable";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
};
|
||||
home-manager.git = {
|
||||
ref = "origin/release-23.05";
|
||||
ref = "origin/master";
|
||||
url = https://github.com/nix-community/home-manager;
|
||||
};
|
||||
nixos-config.file = toString ./nas/configuration.nix;
|
||||
|
@ -45,6 +58,17 @@ let
|
|||
}
|
||||
];
|
||||
|
||||
seattle-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-unstable";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
};
|
||||
nixos-config.file = toString ./seattle/configuration.nix;
|
||||
"hardware.nix".file = toString ./glasgow/hardware.nix;
|
||||
}
|
||||
];
|
||||
|
||||
glasgow-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
|
@ -61,6 +85,10 @@ in {
|
|||
source = oracle-gitea-runner-source;
|
||||
target = "root@130.162.169.74";
|
||||
};
|
||||
oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
|
||||
source = oracle-nix-cache-source;
|
||||
target = "root@141.147.94.210";
|
||||
};
|
||||
nas = pkgs.krops.writeDeploy "nas" {
|
||||
source = nas-source;
|
||||
target = "root@192.168.50.229";
|
||||
|
@ -69,6 +97,10 @@ in {
|
|||
source = nas-k3s-source;
|
||||
target = "root@192.168.50.229:22001";
|
||||
};
|
||||
seattle = pkgs.krops.writeDeploy "seattle" {
|
||||
source = seattle-source;
|
||||
target = "root@192.168.50.146";
|
||||
};
|
||||
glasgow = pkgs.krops.writeDeploy "glasgow" {
|
||||
source = glasgow-source;
|
||||
target = "root@192.168.50.144";
|
||||
|
|
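Review bot: `seattle-source` (hunk @-45) points `"hardware.nix".file` at `./glasgow/hardware.nix` while its `nixos-config.file` is `./seattle/configuration.nix`; unless seattle really shares glasgow's disk layout this looks like a copy-paste slip and should read `"hardware.nix".file = toString ./seattle/hardware.nix;`. In hunk @-18 the `nas-source` inputs move to the floating refs `origin/nixos-unstable` and `origin/master`, whereas both oracle sources are pinned to commit `66aedfd010204949cb225cf749be08cb13ce1813`; a floating ref means each deploy pulls whatever those branches hold at that moment, so the deployed system can neither be reproduced nor reviewed from this file, and pinning nas to a commit (or at least a release branch) as the oracle sources do keeps the supply-chain footing consistent. The `let` bindings continue outside these hunks.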
|
@ -27,6 +27,30 @@
|
|||
};
|
||||
|
||||
services = {
|
||||
coredns = {
|
||||
enable = true;
|
||||
config =
|
||||
''
|
||||
.:53 {
|
||||
cache
|
||||
bind tailscale0
|
||||
}
|
||||
git.gmem.ca {
|
||||
cache
|
||||
bind tailscale0
|
||||
template IN A {
|
||||
answer "{{ .Name }} 0 IN A 100.116.48.47"
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
alsa.support32Bit = true;
|
||||
pulse.enable = true;
|
||||
jack.enable = true;
|
||||
};
|
||||
zfs.autoScrub.enable = true;
|
||||
tailscale.enable = true;
|
||||
openssh.enable = true;
|
||||
|
@ -104,28 +128,24 @@
|
|||
recommendedBrotliSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
recommendedTlsSettings = true;
|
||||
# We can only proxy one port with Tailscale Funnel so we abuse locations instead.
|
||||
virtualHosts."vancouver.gmem.ca" = {
|
||||
default = true;
|
||||
enableACME = false;
|
||||
forceSSL = false;
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
root = "/var/www/";
|
||||
extraConfig = ''
|
||||
error_page 404 /404.html;
|
||||
'';
|
||||
};
|
||||
locations."/git/" = {
|
||||
proxyWebsockets = false; # needed if you need to use WebSocket
|
||||
locations."/git" = {
|
||||
extraConfig =
|
||||
''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
return 301 $scheme://git.gmem.ca;
|
||||
'';
|
||||
proxyPass = "http://127.0.0.1:8973/";
|
||||
};
|
||||
locations."/n8n/" = {
|
||||
proxyPass = "http://127.0.0.1:5678/";
|
||||
|
@ -136,6 +156,21 @@
|
|||
'';
|
||||
};
|
||||
};
|
||||
virtualHosts."git.gmem.ca" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
extraConfig =
|
||||
''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
proxyPass = "http://127.0.0.1:8973/";
|
||||
};
|
||||
};
|
||||
};
|
||||
gitea = {
|
||||
enable = true;
|
||||
|
@ -143,7 +178,7 @@
|
|||
package = pkgs.forgejo;
|
||||
settings = {
|
||||
server = {
|
||||
ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
|
||||
ROOT_URL = "https://git.gmem.ca/";
|
||||
HTTP_PORT = 8973;
|
||||
};
|
||||
service = {
|
||||
|
@ -159,6 +194,7 @@
|
|||
};
|
||||
};
|
||||
gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances = {
|
||||
vancouver = {
|
||||
name = "vancouver";
|
||||
|
@ -167,8 +203,7 @@
|
|||
"debian-latest:docker://node:18-bullseye"
|
||||
"nix:docker://nixos/nix"
|
||||
];
|
||||
url = "https://vancouver.scorpion-ghost.ts.net/git";
|
||||
token = "";
|
||||
url = "https://git.gmem.ca/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -182,7 +217,9 @@
|
|||
firewall = {
|
||||
trustedInterfaces = ["tailscale0"];
|
||||
checkReversePath = "loose";
|
||||
enable = false;
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 53 80 443 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
nftables.enable = true;
|
||||
};
|
||||
|
@ -197,6 +234,8 @@
|
|||
screen
|
||||
nix-output-monitor
|
||||
cifs-utils
|
||||
cloudflared
|
||||
bat
|
||||
# atuin
|
||||
];
|
||||
|
||||
|
@ -233,9 +272,13 @@
|
|||
isNormalUser = true;
|
||||
home = "/Primary/becki";
|
||||
};
|
||||
root.openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
|
||||
];
|
||||
root.openssh.authorizedKeys.keys = let
|
||||
authorizedKeys = pkgs.fetchurl {
|
||||
url = "https://gmem.ca/ssh";
|
||||
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
|
||||
};
|
||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
||||
authorizedKeys);
|
||||
};
|
||||
|
||||
home-manager.users.gsimmer = { pkgs, ... }: {
|
||||
|
@ -251,22 +294,25 @@
|
|||
virtualisation = {
|
||||
docker = {
|
||||
enable = true;
|
||||
rootless = {
|
||||
enable = true;
|
||||
setSocketVariable = true;
|
||||
};
|
||||
};
|
||||
libvirtd.enable = true;
|
||||
};
|
||||
|
||||
sound.enable = true;
|
||||
security.rtkit.enable = true;
|
||||
services.pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
alsa.support32Bit = true;
|
||||
pulse.enable = true;
|
||||
jack.enable = true;
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "acme@gmem.ca";
|
||||
security.acme.certs."git.gmem.ca" = {
|
||||
domain = "git.gmem.ca";
|
||||
dnsProvider = "route53";
|
||||
credentialsFile = "/var/lib/secrets/credentials";
|
||||
};
|
||||
security.acme.certs."vancouver.gmem.ca" = {
|
||||
domain = "vancouver.gmem.ca";
|
||||
dnsProvider = "route53";
|
||||
credentialsFile = "/var/lib/secrets/credentials";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
|
||||
|
|
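Review bot: In hunk @-182 the firewall now opens 53/tcp and 53/udp on every interface, but the CoreDNS instance added in hunk @-27 binds only `tailscale0`, which is already in `trustedInterfaces`; the 53 entries therefore add nothing for tailnet peers and only widen the LAN-facing ruleset, so `allowedTCPPorts = [ 22 80 443 ];` with the `allowedUDPPorts` line dropped is the least-privilege form (or keep them with a comment naming the non-tailnet client that needs DNS). In hunk @-104 `locations."/git"` issues `return 301 $scheme://git.gmem.ca;`, which makes the `proxy_set_header` lines and `proxyPass` below it dead configuration and discards the request path, so a deep link under `/git/...` lands on the Forgejo front page; if that is intended, trimming the block to the single `return` keeps it honest. The `authorizedKeys` change in hunk @-233 splits the fetched file on `"\n"`, so a trailing newline in `https://gmem.ca/ssh` yields an empty final entry; `in builtins.filter (k: k != "") (pkgs.lib.splitString "\n" (builtins.readFile authorizedKeys));` avoids an empty line in `authorized_keys`, and the same pattern appears in the new `krops/oracle-nix-cache/configuration.nix`. The enclosing attribute set starts and ends outside these hunks.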
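--- /dev/null
+++ b/krops/oracle-nix-cache/configuration.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware.nix
+    ];
+
+  boot = {
+    tmp.cleanOnBoot = true;
+  };
+  zramSwap.enable = true;
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    # Free up to 1GiB whenever there is less than 100MiB left.
+    extraOptions = ''
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+    '';
+  };
+
+  networking = {
+    hostName = "nix-cache";
+    domain = "gmem.ca";
+    firewall = {
+      trustedInterfaces = ["tailscale0"];
+      checkReversePath = "loose";
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPortRanges = [
+        { from = 4000; to = 4007; }
+        { from = 8000; to = 8010; }
+      ];
+      enable = true;
+    };
+    nftables.enable = true;
+    nameservers = [ "1.1.1.1" "1.0.0.1" ];
+  };
+
+  time.timeZone = "Europe/London";
+
+  users.users.root.openssh.authorizedKeys.keys = let
+    authorizedKeys = pkgs.fetchurl {
+      url = "https://gmem.ca/ssh";
+      sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+    };
+  in pkgs.lib.splitString "\n" (builtins.readFile
+    authorizedKeys);
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    git
+    screen
+    nix-output-monitor
+    tailscale
+    nfs-utils
+  ];
+
+  services = {
+    rpcbind.enable = true;
+    openssh.enable = true;
+    tailscale.enable = true;
+    nix-serve = {
+      enable = true;
+      secretKeyFile = "/var/cache-priv-key.pem";
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedZstdSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "nix-cache.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+        "git.gmem.ca" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://100.116.48.47";
+          };
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "acme@gmem.ca";
+  };
+
+  system.copySystemConfiguration = true;
+
+  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
+
+}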
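Review bot: `networking.firewall.allowedUDPPortRanges` opens 4000-4007 and 8000-8010 to the internet with no indication of what listens there, and nothing else in this file binds those ports, so either a comment such as `# <service placeholder> needs these inbound UDP ranges` or removing them if they are leftovers would keep this host's public surface explainable. `services.nix-serve.secretKeyFile = "/var/cache-priv-key.pem"` is state this configuration neither creates nor permission-manages, so on a fresh `oracle-nix-cache` deploy the service presumably fails until the key is placed by hand; a comment stating where the key comes from, that it must stay root-only, and where the matching public key is recorded for cache consumers would help. The `git.gmem.ca` vhost forwards to `http://100.116.48.47` in the clear over the tailnet, which is reasonable, but a comment naming that address as vancouver's tailnet IP (the same one vancouver's CoreDNS answers with) would make the split-horizon setup legible. The authorized-keys `splitString "\n"` expression also keeps an empty trailing entry if the fetched file ends with a newline; `builtins.filter (k: k != "")` around it avoids that.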
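--- /dev/null
+++ b/krops/oracle-nix-cache/hardware.nix
@@ -0,0 +1,15 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/CC2E-AEC0"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+
+}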
|
@ -24,4 +24,6 @@
|
|||
nix-output-monitor
|
||||
tailscale
|
||||
];
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
|
||||
|
|
|
@ -30,16 +30,6 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
|
|||
]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "gabrielsimmercom-google-ownership" {
|
||||
zone_id = aws_route53_zone.gabrielsimmercom.zone_id
|
||||
name = "gabrielsimmer.com"
|
||||
type = "TXT"
|
||||
ttl = 300
|
||||
records = [
|
||||
"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4",
|
||||
]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "gabrielsimmercom-next" {
|
||||
zone_id = aws_route53_zone.gabrielsimmercom.zone_id
|
||||
name = "next"
|
||||
|
@ -82,7 +72,7 @@ resource "aws_route53_record" "gabrielsimmercom-github-verification" {
|
|||
type = "TXT"
|
||||
ttl = 300
|
||||
records = [
|
||||
"fcf7482bbeced61719161ebd56e110"
|
||||
"fcf7482bbeced61719161ebd56e110",
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -93,7 +83,8 @@ resource "aws_route53_record" "gabrielsimmercom-txt-verifications" {
|
|||
ttl = 300
|
||||
records = [
|
||||
"keybase-site-verification=f2MAsoM3HCGQAsYNcWzCy4Ul2kvh79j6etJbL7aQwv8",
|
||||
"v=spf1 include:spf.messagingengine.com ?all"
|
||||
"v=spf1 include:spf.messagingengine.com ?all",
|
||||
"google-site-verification=EW1TJ2_9BRa81mIRX9doz-5aR4ydYh4hzG1yuqfu_C4"
|
||||
]
|
||||
}
|
||||
|
||||
|
|
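Review bot: The merged TXT record in hunk @-93 keeps `v=spf1 include:spf.messagingengine.com ?all`, whose `?all` qualifier is neutral, so receivers are told nothing about mail claiming this domain from other hosts; once `include:spf.messagingengine.com` is known to cover every legitimate sender, `"v=spf1 include:spf.messagingengine.com -all",` (or `~all` while verifying) is the usual hardening. Folding the Google verification string into this record is the right move, since Route53 allows a single TXT record set per name; a short comment on the resource saying that is why all verifications live here would stop someone re-adding a separate record later. The resource block starts outside the hunk.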
|
@ -2,6 +2,22 @@ resource "aws_route53_zone" "gmemca" {
|
|||
name = "gmem.ca"
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "git" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "git"
|
||||
type = "A"
|
||||
ttl = 300
|
||||
records = ["141.147.94.210"]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "nix-cache" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "nix-cache"
|
||||
type = "A"
|
||||
ttl = 300
|
||||
records = ["141.147.94.210"]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "fursona" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "fursona"
|
||||
|
|
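Review bot: The new `git` and `nix-cache` A records both resolve to `141.147.94.210`, the `oracle-nix-cache` deploy target elsewhere in this compare, which presumably terminates TLS for git.gmem.ca and proxies to vancouver over the tailnet; a comment on the `git` resource recording that, and that vancouver's own CoreDNS answers the same name with a tailnet address for peers, would make the split-horizon arrangement discoverable from the DNS side. Repeating the literal address twice invites drift when the host is rebuilt; a single `locals` value referenced by both records keeps them in step.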