erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

read: init container

Browse source
This commit is contained in:
Erwin Boskma 2024-07-15 23:41:19 +02:00
parent acdb3bc5e8
commit 35a39995fc
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
5 changed files with 183 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -13,6 +13,7 @@ keys:
- &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp - &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
- &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
- &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5 - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
- &read age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj
- &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v
- &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f - &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f
creation_rules: creation_rules:
@ -88,6 +89,12 @@ creation_rules:
- *erwin - *erwin
- *erwin_horus - *erwin_horus
- *proxy - *proxy
- path_regex: machines/read/[^/]+\.ya?ml$
key_groups:
- age:
- *erwin
- *erwin_horus
- *read
- path_regex: machines/saga/[^/]+\.ya?ml$ - path_regex: machines/saga/[^/]+\.ya?ml$
key_groups: key_groups:
- age: - age:

7
machines/default.nix
View file

@ -105,6 +105,13 @@ inputs: {
tags = [ "metal" ]; tags = [ "metal" ];
}; };
}; };
read = {
config = import ./read/configuration.nix inputs;
deploy = {
host = "10.0.0.101";
tags = [ "container" ];
};
};
proxy = { proxy = {
config = import ./proxy/configuration.nix inputs; config = import ./proxy/configuration.nix inputs;
deploy = { deploy = {

106
machines/read/configuration.nix Normal file
View file

@ -0,0 +1,106 @@
{ self, caddy-with-plugins, ... }:
{
modulesPath,
pkgs,
config,
...
}:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./miniflux
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
caddy-proxy = {
enable = true;
package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare;
proxyHosts = [
{
externalHostname = "read.datarift.nl";
proxyAddress = "${config.services.miniflux.config.LISTEN_ADDR}";
}
];
};
tailscale.enable = true;
};
boot = {
isContainer = true;
kernel.sysctl = {
"net.core.rmem_max" = 2500000;
"net.core.wmem_max" = 2500000;
};
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "read";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
systemd = {
services.logrotate-checkconf.enable = false;
network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.207/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
caddy-env = { };
miniflux-admin-user = { };
miniflux-admin-password = { };
miniflux-oidc-client-id = { };
miniflux-oidc-client-secret = { };
};
system.stateVersion = "24.11";
}

20
machines/read/miniflux/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs, config, ... }:
{
services.miniflux = {
enable = true;
config = {
BASE_URL = "https://read.datarift.nl";
LISTEN_ADDR = "/run/miniflux/miniflux.sock";
POLLING_SCHEDULER = "entry_frequency";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID_FILE = config.sops.secrets.miniflux-oidc-client-id.path;
OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets.miniflux-oidc-client-secret.path;
OAUTH2_REDIRCT_URL = "https://read.datarift.nl/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.datarift.nl/realms/datarift/";
ADMIN_USERNAME_FILE = config.sops.secrets.miniflux-admin-user.path;
ADMIN_PASSWORD_FILE = config.sops.secrets.miniflux-admin-password.path;
WEBAUTHN = 1;
};
adminCredentialsFile = pkgs.writeText "miniflux-dummy-admin-credentials" "";
};
}

43
machines/read/secrets.yaml Normal file
View file

@ -0,0 +1,43 @@
caddy-env: ENC[AES256_GCM,data:gw+QSN+c2Lp2F4wNzhTXklq9sUrDT389KLAh2YRpZbqxWpodx4LPJ1uIUsMC1TdeYmq+lkI+,iv:iXjLwOfQo9wEa9bBlE5HYUKDNriJgcm7hxPsBys62hk=,tag:DbutFgWz5ZqHE1/aP4+7Ag==,type:str]
miniflux-admin-user: ENC[AES256_GCM,data:G0JD/iI=,iv:CPVSFIr5TzOGmyAt1zkz37Zld1lfPrnDxdOoJ8oGivQ=,tag:2RmlqB5zNyTBVSPv3zankA==,type:str]
miniflux-admin-password: ENC[AES256_GCM,data:kIxW0Ybz5ZNCBaKiwg==,iv:HMbW6vfid8r9ZDpzlWGYJwALF1wz7NuVvEKtGW27twk=,tag:TXsYzDmIXSsACxe62F15sQ==,type:str]
miniflux-oidc-client-id: ENC[AES256_GCM,data:yCIEu1PBGAA=,iv:YpOU0lfzXNMlwb5jI8LO1WV58j3QwidbxbT5OJu2Vtw=,tag:MrnFlwxcg6wV9bG93XKyVg==,type:str]
miniflux-oidc-client-secret: ENC[AES256_GCM,data:0wVAofr4H7juq3QrqO0fH6lWpdxKbSbUjqo7GtVcnns=,iv:rnePz45XaTkshZ/0YsnmW6VVfJI3FIw4n+SN+2lVrcs=,tag:Mk7IVkrmDsF2sjszhbgf4A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRHo4TVNEeWhySXlVOWZs
amRZOWRCUzlvenNkeXY0MzFtNUl6dzJiR1hnCkJzZno4NE5lQzAzb3U5TGN5NnlG
dlh4VmxQWVRrZUFGUEs5OVFzV3FYbFUKLS0tIFJnMTVFVFlja2FNM1VPa0d5MDVZ
OG80aHp3OWRwWTZqWFBlSUhuZWFLRHcKjLMykruXBQxp5ncKqGJ6R1xcFx0xRJjW
+svOHaCOb+j7J8AFr/wLn1Cz9lhinqAfKL+rncCn+sq2tTsH1L0nrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMnVwSnhTNk9jM2pYWmVP
Q0t2RnJJNnZPRXpCQXlHQzB1YUl5aXpSc0RvClB5Q0xTemJpb3o3MUFjMlNuYlFO
LzZwRHZnVlU3OVB0bFZIektFMitiZXMKLS0tIHNKSzBVOVh5TXoySWxlOXFaQ25N
ZFlhanZ3WTZuR3Zoa3FiMGNHMXlkZFUKSR5yoXow2D07xpBIrgo2mDwjiWbWp1L9
svyLVXtkxwSun0PqvZ4vg9dl7qLX3IwdaqtWvdetFF9ps7QEsnHzOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSjJKRHV1azVyUGF6NVpL
NHlyWDBnbjRhdjRRR2ZxZy8rcDM1Q0Z4Um5RCjRjOExKWHJPSjExeSsxOEJLQlpI
Q0JkYlZGbVZuSy9yZTdRbFd2OGJwU00KLS0tIE1vbERsbDNOVWR3UHAxQVl2ZEts
alprbldiMEtZQ29DaUJzaEZlWmxXTmMKPYHIg4fMR5fbCoCAyHHuL/WGfn4D6mXJ
yulfOqthMxvvWr+9sOBeAWIWSCcc0DBmDjvUTaDqVA7pnhZE+hQ2mw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-15T21:34:14Z"
mac: ENC[AES256_GCM,data:NZ/kdtM1XFePRz6mbNhU1TZHsBSnQRU6k39dxYaXsDIS/oHM0Cy68qsCaniV309YmYSDmTFPJ9S9QAE3mVa7BbZvuYOcWkdMCRNC5gYKwvM2iP/gpu3XCm64emwDKm+bLL/kDFc69iCyyajPP/KhqvMoEgXrPCAnCWxzhER9LiI=,iv:UdFEQLegd7s0KUUt1BmRakFtEVE91L3M/pa59mjeKPc=,tag:iu8jzwYza7oa9a0lH1puaw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0