12 commits

20 changed files with 222 additions and 77 deletions


@ -52,11 +52,10 @@
"homelab".a.data = ["192.168.50.45"];
"_acme-challenge.router".txt.data = ["CJKnxKczldLEAy6zPkST0xeJ5Cy-xdT_ElzqMxhNh5E"];
"osc-triggers" = {
a.data = ["46.23.81.157"];
aaaa.data = ["2a03:6000:1813:1337::157"];
"osc-triggers".cname = {
ttl = 0;
data = "osc-triggers.pages.dev";
};
"mitu.camera".a.data = ["192.168.50.121"];
"ns1" = {
@ -166,6 +165,7 @@
"metube"
"search"
"red"
"secrets"
] (name: {cname.data = "cluster.gmem.ca";})
// lib.attrsets.genAttrs [
# Externally hosted applications with Tunnels


@ -46,6 +46,7 @@
"e6"
"red"
"minecraft-invites"
"secrets"
] (name: {
name = name + ".gmem.ca";
content = "homelab.gmem.ca";


@ -101,11 +101,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1717664893,
"narHash": "sha256-k79hmHv7Q1/FZSqBzNqmLAU6WGICKPFN6QcCX0QM8Og=",
"lastModified": 1718644238,
"narHash": "sha256-Kjqe0v2n0+ZU74edGZJADysx+n4Ny5QVuqk4xVEblHE=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "28779a7abf781d387806f2567b578af6fd165705",
"rev": "1f57a6596440c15e6135dfbde5f93c2851f01ac9",
"type": "github"
},
"original": {
@ -310,11 +310,11 @@
]
},
"locked": {
"lastModified": 1717525419,
"narHash": "sha256-5z2422pzWnPXHgq2ms8lcCfttM0dz+hg+x1pCcNkAws=",
"lastModified": 1718526747,
"narHash": "sha256-sKrD/utGvmtQALvuDj4j0CT3AJXP1idOAq2p+27TpeE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a7117efb3725e6197dd95424136f79147aa35e5b",
"rev": "0a7ffb28e5df5844d0e8039c9833d7075cdee792",
"type": "github"
},
"original": {
@ -331,11 +331,11 @@
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1717524369,
"narHash": "sha256-OR0IaHPh6dHrpwTJJdq9IMvJyY6/OQWmS4FEk38Qlm4=",
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "b5dc95c847893857f02579118f7dfb37b580746e",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
@ -350,11 +350,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1717330178,
"narHash": "sha256-rRZjmC3xcPpHTJHnEy3T99O86Ecjao5YhakzaoNiRcs=",
"lastModified": 1718539824,
"narHash": "sha256-pVGgM3MOOpMMqprkrMkuWwhC1dsw6Xt7aRGaBkMQqG0=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "64d43e2bbc6eab8d1cbdfba96d90a71e15a847d7",
"rev": "17a1c1bfca963a2776969866aaa07744d7ac9135",
"type": "github"
},
"original": {
@ -413,11 +413,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1715804156,
"narHash": "sha256-GtIHP86Cz1kD9xZO/cKbNQACHKdoT9WFbLJAq6W2EDY=",
"lastModified": 1717698186,
"narHash": "sha256-e3/cvm7bAn0RsTBcPfHwuYOi2lwoO4jpTn4nmMSvHfU=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "bb95091f6c6f38f6cfc215a1797a2dd466312c8b",
"rev": "b6169e08e76e10b673d1b54f944cddb1e7cbea97",
"type": "github"
},
"original": {
@ -512,11 +512,11 @@
]
},
"locked": {
"lastModified": 1716210724,
"narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
"lastModified": 1718025593,
"narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
"rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
"type": "github"
},
"original": {
@ -527,11 +527,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1717574423,
"narHash": "sha256-cz3P5MZffAHwL2IQaNzsqUBsJS+u0J/AAwArHMAcCa0=",
"lastModified": 1718548414,
"narHash": "sha256-1obyIuQPR/Kq1j5/i/5EuAfQrDwjYnjCDG8iLtXmBhQ=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "d6c6cf6f5fead4057d8fb2d5f30aa8ac1727f177",
"rev": "cde8f7e11f036160b0fd6a9e07dc4c8e4061cf06",
"type": "github"
},
"original": {
@ -559,11 +559,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1717289404,
"narHash": "sha256-4q6ZO3BqHgdd3Aacb/xiQXB4g9TQKpQg/praTpD9vbI=",
"lastModified": 1718499101,
"narHash": "sha256-2oGRKxl3qEyRH2DJRiVtLeJICcybXMkqjWQYODINL9M=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "e090cb30ae82f4b4461aafdb808847c6c97b08c2",
"rev": "6fba0c5a27b984914794ffdab8d7bb5c29ab11b6",
"type": "github"
},
"original": {
@ -574,11 +574,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1717530100,
"narHash": "sha256-b4Dn+PnrZoVZ/BoR9JN2fTxXxplJrAsdSUIePf4Cacs=",
"lastModified": 1718447546,
"narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a2e1d0414259a144ebdc048408a807e69e0565af",
"rev": "842253bf992c3a7157b67600c2857193f126563a",
"type": "github"
},
"original": {
@ -598,11 +598,11 @@
]
},
"locked": {
"lastModified": 1717669106,
"narHash": "sha256-C7jLK3KgTbGBQcpRsu1qivSoSfkp7PaWI+tLfo9qHHY=",
"lastModified": 1718648571,
"narHash": "sha256-B8gba/06zL6xahoOeoTRg4pc9EvDX6sZNhvuiSmhKbE=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "27f970b56d7de3b7214b6017cec7f149656448a1",
"rev": "8b98b818f71327a617f730cd8a7a8e1be41ce66e",
"type": "github"
},
"original": {
@ -629,11 +629,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1717196966,
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
"lastModified": 1718318537,
"narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
"rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
"type": "github"
},
"original": {
@ -677,11 +677,11 @@
},
"nixpkgs_6": {
"locked": {
"lastModified": 1717459389,
"narHash": "sha256-I8/plBsua4/NZ5bKgj+z7/ThiWuud1YFwLsn1QQ5PgE=",
"lastModified": 1718428119,
"narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3b01abcc24846ae49957b30f4345bab4b3f1d14b",
"rev": "e6cea36f83499eb4e9cd184c8a8e823296b50ad5",
"type": "github"
},
"original": {


@ -54,7 +54,8 @@
system = "x86_64-linux";
pkgs = import nixpkgs {
inherit system;
overlays = [emacs-overlay.overlays.default];
config.allowUnfree = true;
overlays = [emacs-overlay.overlay nixpkgs-wayland.overlay];
};
tf = terranix.lib.terranixConfiguration {
system = "x86_64-linux";
@ -267,7 +268,7 @@
};
nixosConfigurations = {
london = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
inherit system pkgs;
modules = [
lix-module.nixosModules.default
(import ./nix/london/configuration.nix)
@ -275,35 +276,10 @@
(import ./modules/vfio.nix)
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.gsimmer = import ./nix/london/gsimmer.nix;
}
(
{
pkgs,
config,
...
}: {
config = {
nix.settings = {
# add binary caches
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
substituters = [
"https://cache.nixos.org"
"https://nixpkgs-wayland.cachix.org"
"https://nix-community.cachix.org"
];
};
# use it as an overlay
nixpkgs.overlays = [nixpkgs-wayland.overlay];
};
}
)
];
};
oracle-gitea-runner = nixpkgs.lib.nixosSystem {
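Review bot: Passing a pre-built `pkgs` to `nixpkgs.lib.nixosSystem` (`inherit system pkgs;` in the `london` configuration) makes NixOS use that package set as given, so, as far as I know, `nixpkgs.config` and `nixpkgs.overlays` set inside any of its modules no longer take effect. The commit already moves `allowUnfree` and the wayland overlay into the `import nixpkgs { … }` call, but a comment there would keep a later change from setting them in a module with no result, for example `# london uses this pkgs directly; nixpkgs.config/overlays in its modules are ignored`. `config.allowUnfree = true` now also applies to every other consumer of this `pkgs`, which looks intended but is wider than the single host it was set for before. The `london` block starts and ends outside the hunks shown.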


@ -3,7 +3,7 @@ authentik:
enabled: false
global:
image:
tag: 2024.2.3
tag: 2024.4.2
env:
- name: AUTHENTIK_WEB__THREADS
value: "2"
@ -43,3 +43,7 @@ server:
- authentik.gmem.ca
redis:
enabled: true
image:
registry: "registry.redict.io"
repository: "redict"
tag: "7.3-compat"
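Review bot: The override under `redis.image` selects `registry.redict.io/redict` by the tag `7.3-compat` alone, and a tag can be re-pointed at the registry without any change showing up in this repository. `homelab/duplikate.nix` in the same compare pins the same registry, repository and tag with a `digest`; if this chart's Redis subchart accepts that key, add `digest: "sha256:<digest of the verified image>"` here as well. The same applies to the `image = { … tag = "7.3-compat"; }` blocks added in the two other Redis `values` hunks and to the `lib.mkForce "registry.redict.io/redict:7.3-compat"` override on `immich-redis-master`, which could carry `@sha256:<digest>` after the tag.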


@ -18,5 +18,13 @@
};
};
}
{
name = "infisicalsecrets";
attrName = "infisicalsecret";
group = "secrets.infisical.com";
kind = "InfisicalSecret";
version = "v1alpha1";
}
];
}

73
homelab/duplikate.nix Normal file

@ -0,0 +1,73 @@
let
appName = "duplikate";
appImage = "git.gmem.ca/arch/duplikate:latest";
functions = import ./functions.nix {};
in
{
lib,
config,
kubenix,
...
}: {
kubernetes.resources.deployments.duplikate = {
metadata.namespace = "duplikate";
spec = {
selector.matchLabels.app = appName;
template = {
metadata.labels.app = appName;
spec = {
containers = {
duplikate = {
image = appImage;
env.REDIS_URL.value = "redis://duplikate-redis-master";
envFrom = [
{secretRef.name = "duplikate";}
];
resources = {
requests = {
cpu = "10m";
memory = "32Mi";
};
limits = {
cpu = "1";
memory = "128Mi";
};
};
};
};
};
};
};
};
kubernetes.resources."secrets.infisical.com"."v1alpha1".InfisicalSecret.duplikate = functions.secret "duplikate";
kubernetes.helm.releases.duplikate-redis = {
namespace = "duplikate";
chart = kubenix.lib.helm.fetch {
repo = "https://charts.bitnami.com/bitnami";
chart = "redis";
version = "18.6.1";
sha256 = "CyvGHc1v1BtbzDx6hbbPah2uWpUhlNIUQowephT6hmM=";
};
values = {
auth.enabled = false;
architecture = "standalone";
image = {
registry = "registry.redict.io";
repository = "redict";
tag = "7.3-compat";
digest = "sha256:91fcd3124ddb77a098ec0da93c07f99b02b178ab356fe51aa0839aaa62891208";
};
};
};
kubernetes.resources.statefulSets.duplikate-redis-master = {
metadata.namespace = "duplikate";
spec = {
template.spec.volumes.start-scripts.configMap.name = lib.mkForce "duplikate-redis-scripts-a4596108c1";
template.spec.volumes.health.configMap.name = lib.mkForce "duplikate-redis-health-05691b979f";
template.spec.volumes.config.configMap.name = lib.mkForce "duplikate-redis-configuration-4712c8e029";
};
};
}
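Review bot: `appImage = "git.gmem.ca/arch/duplikate:latest"` runs whatever was last pushed under that tag, while the container receives the whole `duplikate` secret through `envFrom`; pinning the application image by digest, as the Redis image further down already is, keeps deployments reproducible and makes image changes visible in review: `appImage = "git.gmem.ca/arch/duplikate@sha256:<digest>";`. The Redis release sets `auth.enabled = false` and the app connects with a credential-less `redis://duplikate-redis-master`, so any pod that can reach that service can read and write its data; no NetworkPolicy for the `duplikate` namespace is visible in this file. The three `lib.mkForce` configMap names embed generated hash suffixes and would benefit from a comment saying where they come from and when they have to be regenerated (presumably after a chart or values change).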

28
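--- /dev/null
+++ b/homelab/functions.nix
@@ -0,0 +1,28 @@
+{ ... }: {
+secret = name: {
+metadata.namespace = "${name}";
+spec = {
+hostAPI = "http://infisical:8080";
+resyncInterval = 10;
+authentication = {
+kubernetesAuth = {
+identityId = "68d1f432-7b0a-4e4a-b439-acbbbc160f1e";
+serviceAccountRef = {
+name = "infisical-auth";
+namespace = "infisical";
+};
+secretsScope = {
+projectSlug = "kubernetes-homelab-dp67";
+envSlug = "prod";
+secretsPath = "/${name}";
+};
+};
+};
+managedSecretReference = {
+secretName = "${name}";
+secretNamespace = "${name}";
+creationPolicy = "Owner";
+};
+};
+};
+}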
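Review bot: `hostAPI = "http://infisical:8080"` has secret values fetched over unencrypted HTTP, and the unqualified name `infisical` resolves only through the DNS search path of whichever namespace the caller runs in. If TLS is not available on the in-cluster service, say so in a comment, and prefer a fully qualified name such as `http://infisical.<namespace>.svc.cluster.local:8080` so resolution does not depend on the search path. The function also has no header comment: it should state that `name` is used as the namespace, the managed secret name and the `secretsPath`, that every caller shares the one `identityId` (which therefore presumably needs read access to each `/<name>` path in `prod`), and what unit `resyncInterval = 10` is in.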


@ -19,6 +19,7 @@
immich.persistence.library.existingClaim = "immich";
redis = {
enabled = true;
};
env = {
PGSSLMODE = "no-verify";
@ -58,4 +59,9 @@
resources.requests.storage = "50Gi";
};
};
kubernetes.resources.statefulSets.immich-redis-master = {
metadata.namespace = "immich";
spec.template.spec.containers.redis.image = lib.mkForce "registry.redict.io/redict:7.3-compat";
};
}

12
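--- /dev/null
+++ b/homelab/infvalues.yml
@@ -0,0 +1,12 @@
+infisical:
+fullnameOverride: infisical
+image:
+tag: v0.70.1-postgres
+ingress:
+enabled: true
+hostName: secrets.gmem.ca
+tls:
+- hosts:
+- secrets.gmem.ca
+postgresql:
+enabled: false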
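Review bot: The `ingress` block publishes the Infisical UI and API at `secrets.gmem.ca`, and the DNS hunks in this compare add `secrets` both to the `cluster.gmem.ca` CNAME list and to a record list whose `content` is `homelab.gmem.ca`, so the secrets manager may become reachable from outside the cluster network. If only in-cluster workloads and the administrator need it, consider restricting the ingress to known source ranges or leaving out the external record, and record that decision in a comment here. The `tls` entry lists a host but no `secretName` (indentation is lost on this page, so this is inferred); confirm which certificate the ingress controller serves for that host. `postgresql.enabled: false` implies an external database whose connection settings are not in this file.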


@ -2,7 +2,12 @@ let
appName = "soju";
sojuImage = "git.gmem.ca/arch/soju:latest";
gamjaImage = "git.gmem.ca/arch/gamja:latest";
in {
in {
lib,
config,
kubenix,
...
}: {
kubernetes.resources.services.soju = {
metadata.namespace = "irc";
spec = {
@ -43,7 +48,7 @@ in {
metadata.labels.app = appName;
spec = {
volumes = {
config.configMap.name = "soju";
config.configMap.name = config.kubernetes.resources.configMaps.soju.metadata.name;
ssl.secret.secretName = "irc-gmem-ca";
};
containers = {

View file

@ -30,5 +30,6 @@
(import ./searxng.nix)
(import ./redlib.nix)
(import ./minecraft-invites.nix)
(import ./duplikate.nix)
];
}


@ -1,6 +1,7 @@
let
appName = "miniflux";
appImage = "docker.io/miniflux/miniflux";
functions = import ./functions.nix {};
in
{
lib,
@ -20,7 +21,7 @@ in
image = appImage;
envFrom = [
{secretRef.name = "miniflux";}
{configMapRef.name = "miniflux";}
{configMapRef.name = config.kubernetes.resources.configMaps.miniflux.metadata.name;}
];
resources = {
requests = {
@ -100,6 +101,15 @@ in
METRICS_COLLECTOR = "1";
METRICS_ALLOWED_NETWORKS = "0.0.0.0/0";
BASE_URL = "https://rss.gmem.ca/";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
OAUTH2_PROVIDER = "oidc";
OAUTH2_REDIRECT_URL = "https://rss.gmem.ca/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://authentik.gmem.ca/application/o/miniflux/";
OAUTH2_USER_CREATION = "1";
YOUTUBE_EMBED_URL_OVERRIDE = "https://piped.gmem.ca/embed/";
};
};
kubernetes.resources."secrets.infisical.com"."v1alpha1".InfisicalSecret.miniflux = functions.secret "miniflux";
}
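Review bot: `OAUTH2_USER_CREATION = "1"` gives a Miniflux account to anyone who completes the OIDC login at `authentik.gmem.ca` on their first sign-in, so access control now rests entirely on how the `miniflux` application is bound in authentik; a comment next to the setting should say which group or policy restricts it. `CREATE_ADMIN = "1"` needs an admin username and password, and the OIDC provider needs a client ID and secret. None of those are in this ConfigMap, so they presumably come from the `miniflux` secret that `functions.secret "miniflux"` now manages. A one-line comment listing the keys that secret must contain would make the dependency explicit.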


@ -21,7 +21,7 @@ in
image = appImage;
envFrom = [
{secretRef.name = "nitter-bot";}
{configMapRef.name = "nitter-bot";}
{configMapRef.name = config.kubernetes.resources.configMaps.nitter-bot.metadata.name;}
];
resources = {
requests = {


@ -84,6 +84,11 @@ in
values = {
auth.enabled = false;
architecture = "standalone";
image = {
registry = "registry.redict.io";
repository = "redict";
tag = "7.3-compat";
};
};
};
kubernetes.resources.ingresses.nitter = {


@ -27,7 +27,7 @@ in
metadata.labels.app = appName;
spec = {
volumes = {
config.configMap.name = "searxng";
config.configMap.name = config.kubernetes.resources.configMaps.searxng.metadata.name;
};
containers = {
searxng = {
@ -104,6 +104,11 @@ in
values = {
auth.enabled = false;
architecture = "standalone";
image = {
registry = "registry.redict.io";
repository = "redict";
tag = "7.3-compat";
};
};
};


@ -39,6 +39,16 @@
settings = {
experimental-features = ["nix-command" "flakes"];
auto-optimise-store = true;
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
substituters = [
"https://cache.nixos.org"
"https://nixpkgs-wayland.cachix.org"
"https://nix-community.cachix.org"
];
};
gc = {
automatic = true;
@ -46,7 +56,6 @@
options = "--delete-older-than 15d";
};
};
nixpkgs.config.allowUnfree = true;
systemd.services.NetworkManager-wait-online.enable = false;
networking = {
hostId = "3c26267f";


@ -30,7 +30,7 @@
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["size=4G" "mode=777"]; # mode=755 so only root can write to those files
options = ["size=4G" "mode=777"];
};
swapDevices = [
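Review bot: `mode=777` on the `/tmp` tmpfs leaves out the sticky bit, so any local user can delete or rename files that other users and services create there; the conventional mode is `1777`: `options = ["size=4G" "mode=1777"];`. Dropping the old comment is right, since it described `mode=755`, which is not what the option sets. `nosuid` and `nodev` are common additions for a world-writable tmpfs, provided nothing on this host depends on them being off.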


@ -48,7 +48,7 @@
enable = true;
openFirewall = true;
eula = true;
#package = pkgs.papermc;
package = pkgs.papermc;
};
bluemap = {
enable = true;


@ -293,6 +293,7 @@
plex = {
enable = true;
openFirewall = true;
accelerationDevices = [ "/dev/dri/renderD128" ];
};
nginx = {
enable = true;
@ -478,6 +479,7 @@
bat
gnupg
pinentry
nvtopPackages.nvidia
];
time.timeZone = "Europe/London";