From d99ac2d3f7e7b06d868b6fbc51bbc3b1ed1a2ae9 Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Tue, 2 Jan 2024 22:01:55 +0100 Subject: [PATCH] Finish configuration for odin on NUC, update containers for Incus --- machines/ci/configuration.nix | 90 +++++++++++++++++++ machines/ci/secrets.yaml | 42 +++++++++ machines/default.nix | 11 ++- machines/frigate/configuration.nix | 50 +++++++++-- machines/frigate/secrets.yaml | 32 +++---- machines/gitea/configuration.nix | 48 ++++++++-- machines/gitea/secrets.yaml | 32 +++---- machines/minio/configuration.nix | 44 +++++++-- machines/minio/secrets.yaml | 32 +++---- machines/odin/configuration.nix | 52 +++++++---- machines/odin/network.nix | 67 ++++++++++++++ machines/odin/storage.nix | 99 ++++++++++---------- machines/odin/virtualisation.nix | 134 ++++++++++++++++++++++++++++ machines/proxy/configuration.nix | 71 +++++++++------ machines/proxy/secrets.yaml | 32 +++---- machines/unifi/configuration.nix | 57 +++++++++--- machines/valkyrie/configuration.nix | 42 +++++++-- 17 files changed, 734 insertions(+), 201 deletions(-) create mode 100644 machines/ci/configuration.nix create mode 100644 machines/ci/secrets.yaml create mode 100644 machines/odin/network.nix create mode 100644 machines/odin/virtualisation.nix diff --git a/machines/ci/configuration.nix b/machines/ci/configuration.nix new file mode 100644 index 0000000..ece6017 --- /dev/null +++ b/machines/ci/configuration.nix 
@@ -0,0 +1,90 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+ ../../users/root
+ ../../users/erwin
+ ];
+
+ eboskma = {
+ users.erwin = {
+ enable = true;
+ server = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ tailscale.enable = true;
+ woodpecker.enable = true;
+ };
+
+ boot.isContainer = true;
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ hostName = "ci";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = false;
+
+ firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ interfaces."podman+" = {
+ allowedUDPPorts = [ 53 ];
+ allowedTCPPorts = [ 53 ];
+ };
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ };
+
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.202/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ woodpecker-server = { };
+ woodpecker-agent = { };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/machines/ci/secrets.yaml b/machines/ci/secrets.yaml
new file mode 100644
index 0000000..9392836
--- /dev/null
+++ b/machines/ci/secrets.yaml
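Review bot: `wheelNeedsPassword = false` makes every wheel member root without a prompt on the host that runs third-party CI pipeline steps, and nothing in the file says why; since `machines/default.nix` deploys as `sshUser = "erwin"`, this is presumably for non-interactive deploys, so record that and keep the Woodpecker agent's service account out of `wheel`, e.g. `wheelNeedsPassword = false; # non-interactive deploy as erwin; never add service users to wheel`. `nftables.enable = false;` is likewise set without a reason right next to a podman DNS firewall rule — if it is there because podman/netavark programs iptables directly, say so in a comment so the next reader does not flip it to match minio/proxy. The `eboskma.woodpecker` module that consumes the two sops secrets is outside this diff, so their owner/mode defaults could not be checked here.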
@@ -0,0 +1,42 @@ +drone: ENC[AES256_GCM,data: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,iv:F++KLxnqAtBhcSdj5rZhGpVvCKfI8y5HhvlejCfwi/k=,tag:YdiiZUN7wGn9yA1evMu5jg==,type:str] +drone-runner: ENC[AES256_GCM,data:Uh7OQSDtV0M5j00oHHm4uz4zwi+1W1k2qd5uXoROj5tcgNs76YBcfkU7d+1qXj/Hma7++HOcga0LvF1+Dl/GJQyj47kVFi/+h6I9yiuoO5sW3nxh5pW5W1Ws1qchKqVhoyZLf0K4AnYE2puleKcYXfogJ1hjnB3vn5F/eOKA/QB+7KfaVPRUGZsUYQw3rHLdTbTFHXPv//z8xxYqY5JcG+vvWsHXiI/sKSTZBWoPJEZnKK2mo8+dbZn3nSj29luG,iv:40JTvOJ7isGcHGg9KI5ED8Ju5knmIWP1m/i/dwlpG/M=,tag:GHbkLIeuiGVlNsR2EW/PGw==,type:str] +woodpecker-server: ENC[AES256_GCM,data:cW108wxYT2b65pCRcwZBoRi6eQsB4NrcUNLirfQkkqPPOymT4QFyE5Zmx6K1P33dUSAj5nA0Eh0HOsS8RhFQIOPZA9za4Ffs51Ex0HkQozduqusDGaENWR+zBOTgRhgIrwQlDSHh8UgLTzOgN8hpEqR8fFVsiWCcCAuOFjDNyczywtbbu2jNHzG6FMz2fdXy7p1dRmyTq1sFjoMEkJM5Ix8oRB8zWV+O3l6XE7Uw1vD3QbOsJiqcbWFoNw==,iv:VIlHVVvuBSZiO/tMgd/4HpT2uecn1WqJE60SkHaX+80=,tag:+xfTfq2FgSrPUVXeH4tJkQ==,type:str] +woodpecker-agent: ENC[AES256_GCM,data:YO9MCMIPVOEU+6euiCHuAN+tFFs8JkRRmb9+AIhMEuQE2ObajfJZ3NN5LsccIT9z1axA/gfjLrxM,iv:UDimHs2cKyCvy0XGdDzgX2ry114qz3V1KaXlXL3yYgI=,tag:OGITUerrT0nWU85fxcpEig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWNGd2FLTWcwTThodlBD + K1VRUmFmQlhoN3YwcDlpQmFzR0JZaW9jQngwCjJOYndqVDVjMWFtQnpmZGpRMGg3 + Q0JXQys3TVpSZm1BcWFkcjhQcDJzOG8KLS0tIENjUWtaWW5GeE4yK09yUEx2SWpG + SFc5S1kvT2pBbHorZks3b1MzRU9ERFEKdS9c7j0iyHHbAc8XXpahsOTDu53BKsmr + +ff060PPzBIzQ+7aI52E8CSUAJw0GVYZD5KZForwwBhR3vaZGQYysg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV3lvZmdCU20vT05SWTVB + cUdZTW4yVndyME4waU5qdmYwbUZuUlQyN2hvClRqSkZ0andyN3RmSFhVdzVMUWdS + 
VUtPR2tDRzVuZ0kzRVIyZnNMZTIwSVkKLS0tIHprQVR4c2RZQ3I0SlMzSDBnS25a + Z0JrZVhPMEZBQ1FVMjA2QnBITzJjbjQKCghnCUxyR8QkZM2R0EOgjq7J8E7MLlV6 + vnEEu6iehd01vHvBKB1x3z6o/wzL8m3TA35knICZCk6jAD0w+OeW9A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneWpaNDRaYk1WS3BuQmtp + L0gxcmFTSEZ3VXBtcTZQLzl0Qm85RmJvMDFnCktJbXJVM0ZDdVJZTHF1VEF6OXAy + RGdMU3RYNytla0k0QjNydTkrbjYrV0kKLS0tIHY3UjFvZ0VxRm1JOTg3NDgySU4x + dFpad2ZiNXR0cEQ4TTMxa0luK3lGRFUKsqF3x5NvdtqXtE05TjMMhFB3cHREYRCA + 2LgUDn4FYbxprXTG0dOX+87aAQmoepMkVEXo2kBopoYrGHa1DsOznw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-12T09:28:02Z" + mac: ENC[AES256_GCM,data:mE0O44Sa+RMqRoCqXftn3GuPFLHiyGn3tVlYgBGc973nP7mz5ZwClNgja1gk+MNolnztsrwgso5ZiNpriyI7pGKd/dG6DJQrGixqhRvgyNyIESGEuN9n6bfhYNNSzV1yRb9V6Z7iELkut03gvVU9by0MosJ7SJPMyDyZZ4tMFeA=,iv:rzrvGwJQAdbMcHQ7U/JFB08V7o2keLI1kUrUs9RaClA=,tag:UpE7ZeG7S32CNKsgT+rMMQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/default.nix b/machines/default.nix index 4e41aea..f41d677 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -1,12 +1,13 @@ inputs: { - drone = { + ci = { config = import ./drone/configuration.nix inputs; deploy = { # host = "10.0.0.202"; - host = "drone.barn-beaver.ts.net"; + host = "ci.barn-beaver.ts.net"; sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; frigate = { @@ -17,6 +18,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; gitea = { @@ -27,6 +29,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; heimdall = { @@ -53,6 +56,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; odin = { 
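Review bot: `drone` and `drone-runner` are still carried in the new `machines/ci/secrets.yaml` although only `woodpecker-server` and `woodpecker-agent` are declared in `sops.secrets`; dead secrets in a committed file keep the old tokens recoverable by every age recipient for as long as the repo history exists. Remove the two keys with `sops --set`/an edit and rotate the underlying Drone tokens if they are still valid anywhere. The `lastmodified: "2023-06-12T09:28:02Z"` stamp predates this commit, which suggests the file was moved rather than re-encrypted — fine, provided the third recipient is the new container's host key (confirm).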
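Review bot: The renamed `ci` entry still imports `./drone/configuration.nix`, while this commit adds `machines/ci/configuration.nix`; as written the deploy target `ci.barn-beaver.ts.net` is built from the old drone configuration (or fails to evaluate if `machines/drone` is gone) and the new file is never deployed. Change it to `config = import ./ci/configuration.nix inputs;`. The commented `# host = "10.0.0.202";` matches the static address in the new file, so it can stay as the documented fallback.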
@@ -66,6 +70,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; regin = { @@ -90,6 +95,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; valkyrie = { @@ -100,6 +106,7 @@ inputs: { sshUser = "erwin"; buildOn = "local"; substituteOnTarget = true; + tags = [ "container" ]; }; }; } diff --git a/machines/frigate/configuration.nix b/machines/frigate/configuration.nix index a2cf91f..e5120e8 100644 --- a/machines/frigate/configuration.nix +++ b/machines/frigate/configuration.nix @@ -1,7 +1,10 @@ -{ self, ... }: +{ self, nixos-hardware, ... }: { modulesPath, ... }: { imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") + (modulesPath + "/virtualisation/lxc-container.nix") + + nixos-hardware.nixosModules.common-cpu-intel + ../../users/root ../../users/erwin ]; 
@@ -18,26 +21,57 @@ enable = true; remote-builders = true; }; + podman.enable = true; + tailscale.enable = true; }; time.timeZone = "Europe/Amsterdam"; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; - networking = { }; + networking = { + hostName = "frigate"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + # nftables.enable = true; - proxmoxLXC = { - privileged = true; + firewall.trustedInterfaces = [ "tailscale0" ]; }; - security.sudo.execWheelOnly = true; + systemd.network = { + enable = true; - services.tailscale.enable = true; + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.205/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { frigate = { }; }; - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } diff --git a/machines/frigate/secrets.yaml b/machines/frigate/secrets.yaml index ae6aae0..2abfff5 100644 --- a/machines/frigate/secrets.yaml +++ b/machines/frigate/secrets.yaml 
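Review bot: `podman.enable = true` is added under `eboskma`, but unlike `machines/ci` there is no `firewall.interfaces."podman+"` rule admitting port 53 and `# nftables.enable = true;` is left commented without a reason; if the `eboskma.podman` module turns on `defaultNetwork.settings.dns_enabled` the way ci does, the NixOS firewall will drop resolver queries from containers on the default network. Either add `interfaces."podman+" = { allowedUDPPorts = [ 53 ]; allowedTCPPorts = [ 53 ]; };` under `firewall` or comment why it is not needed here. The `eboskma` block this hunk starts in opens outside the hunk.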
@@ -8,29 +8,29 @@ sops: - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGVxdk1xWi9PbTl4dGVv - QlFIL0ppRzRReVRnYkMwZDQrQVZ5SEkzblNNCjlwK0xFSGFoallaVUhVZWxjNFBQ - ZVJPdUoyRm9FUGZDaFpyRGs2VEZiUmMKLS0tIDloRGZVT290NHYvRXVSb29aMXRw - dDIzVFNaVjJGTVNVQlJLODhYUlVKVkkKjMHAlBNaKSk3q/rWSRKSz9wuyXp3KshD - J7sCrTde+8hhudKpS7fw0DzuZ+tq4/JOj+imAS3eXmeNRI6V6eLxLQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTnlKWS9MMlpLaUZFWE5R + WUxRZnFmeG1jV2ljajZacUpGaUc0Vks2OFVjCjZlclFMMWhIYzZwa21sTmV0cUZO + eWhmbHR4OW5Oanl5Y0J4LzZBU1dxekkKLS0tIHBDbHFNMEJlQ1BjQmMyRm5SWEo1 + Vlp5YUpkanh0a253WEZ4YXJzcXJlU00KN6I5LyH+8QYbVJk3K/0ir0qRf8Q6iwpa + XubDryZhBA/tfy1zaJ7GmpFJVDjjjOiGYcKIGHQ/R35O3awGJcrCmQ== -----END AGE ENCRYPTED FILE----- - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWGV6TVprTlFQQjFsODRk - SVBiMFo3WTFmNVg1b21HTTNYMzFNbHBuMXpnCk1uWStoU0RtbG96eXU1ZWlXSk9F - QmRhRDhyOWpJWDV6bnRRK01IUllITFUKLS0tIEVCU3RFdmNCazZJL1lSZDJDanRO - NmRXdzhlN0Yyb056c1RDY1hhMWZ3MFkKZ9JJmYXKeZRbUiDncC/cfUu/q+O5dBYN - 3AxTIOScw7rDyUDEXOxcTMA75V3ttSe9dkny4CNC3881hObYyot6gg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0FDM1paRUdJZUd2RTBn + QmxxL1VmVWx6Nkp1TmdaaFN5ZmJ5c2dzbVVvCnBGUEI3MUhZSll5Z05KUWhtb2lz + Szc3SGhoSy9BdTRLSlUwVWNZeC9MclEKLS0tIFF0dXRicm5lQW9ZeDI0SHB4blpu + TEhuRjhkZXJhUVpvQlA1MFBBQmU0VW8K8D5iIMCLQWHXdzGC67w4Jo+PQin1SXwr + QjjsA6fjfhgV1+PnuRDhOro+WS3Rbp0WfCskq4+uzuDW16+5bpy62A== -----END AGE ENCRYPTED FILE----- - - recipient: age17p30jwu847x5g9y6wzmt2c4a2e0m9m77ajk5qsgsahdxc8wssu8skdzmq2 + - recipient: age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSkJJcHVkSnJxUmo0ajhU - TmRGWEIzSFFDZnI2b2lPaWJDNlQzbTAxTW1zCjZXOVFzZ01uWTJFTTdvQkltR3VD - 
cVNFUlFDZDljVDZyaDlhSFJOc3RCT1UKLS0tIDAzVzhueVg5bTJRbS8xN3lDaUR4 - NXJsSzFsaVZBeFhlakpZSW9ObGNBWGMKgX2qtoyTmBXH9XjMYT/YWllfUBcbLpv/ - tLLIbgDGfEKKlLIO+jn3pyhv3+Vf78uOyxNh7llDetrR2rZmJLZbaw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQVB0ZWRtaHBqWXo2bEN6 + T2dKWThTRzRLOU0zcTZHMUNYOEJCd0hrR0dzClFVVzBFZWlSRzZ3QjQ5YTdpdG1h + aVR3cUpPbEVjUU5pVnc5YmlUb1FZaTAKLS0tIEhLQ1V1WWRvYzJaekdFbVR4elF3 + YkFoWUpBNGhMRUloYzYvMlhPalBnSTgKXUV6iEE5ZU0tlaAAMDg4hrJSCoUkLA/B + 6WOwLvfq1/JTgyD58LVsJOqMJ8cqvG/4uHIcaHq17F9CFZykBprJqQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-03-26T14:26:15Z" mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str] diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix index ffae08d..0250311 100644 --- a/machines/gitea/configuration.nix +++ b/machines/gitea/configuration.nix @@ -1,7 +1,7 @@ { self, ... }: { modulesPath, ... }: { imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") + (modulesPath + "/virtualisation/lxc-container.nix") ../../users/root ../../users/erwin @@ -18,6 +18,7 @@ enable = true; remote-builders = true; }; + tailscale.enable = true; }; boot.isContainer = true; 
@@ -26,13 +27,50 @@ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; - proxmoxLXC = { - privileged = true; + networking = { + hostName = "ci"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + nftables.enable = false; + + firewall = { + trustedInterfaces = [ "tailscale0" ]; + interfaces."podman+" = { + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 53 ]; + }; + }; }; - security.sudo.execWheelOnly = true; + systemd.network = { + enable = true; - services.tailscale.enable = true; + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.203/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { diff --git a/machines/gitea/secrets.yaml b/machines/gitea/secrets.yaml index 8b180f0..13c478d 100644 --- a/machines/gitea/secrets.yaml +++ b/machines/gitea/secrets.yaml 
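Review bot: `hostName = "ci"` in `machines/gitea/configuration.nix` is a copy-paste from the ci container; two Incus guests sharing a hostname will collide in logs, Tailscale node names and anything keyed on `config.networking.hostName`. It should read `hostName = "gitea";`. The `interfaces."podman+"` DNS rule and `nftables.enable = false;` came along in the same paste — drop them unless Gitea here actually runs podman (e.g. for a runner), and if it does, say so in a comment. The `eboskma` block this hunk starts in opens outside the hunk.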
@@ -10,29 +10,29 @@ sops: - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NHY0SzdYUFk3dUNnYU04 - U2JIK1FnRXVVYy8xNE56eGE2Y1pWRHk0U0ZnCnIvN1RnL2RuNzlOSXNxYisyK21Z - YkNuMytqdjltakswT2RoenNyNXFNbFUKLS0tIHh2MkFTMURTUGVWeDlES0UyTngx - MUsxVWxBQ0FuaHpESjNZRitDcG1YTkUKfrvBUhZNjaQLOVbBVvytb2L9rtvWhUd0 - kP4/BcdkKIQQ0WgQ1+qNfHZJUrBTJEUQW74MJai/hZZkXXwT5CB4sQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadmRzQ0pBUlZlNndBK2tH + NHVmMWxRRlVJRTEyd2tZVkduZmk2cExMQnlvCkZLeEhoYTF1WUJEaG9QK0xrRkpB + dG1FdFNJT1BjOXI1VkpNc2lPKzVHZ2cKLS0tIGxVSDRLMVRQQldPSCtoYnhSSkZB + aGdJZ3lsSGR3REhvYzEwbmgvNitWSWMKOHG8i+a7RUjWV02a5xczNseDGqEF9q5D + N3GA1kZ/imGqTpeh4mlvZ4dnbtN0lsrmUDt3pZD4Zi4zvOhTyJmQdg== -----END AGE ENCRYPTED FILE----- - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeXlySFFpZW1IZnJpN01F - U0F5Nk1vM0pHd3dPTWRFVWJpb0xGM2VSeHhvCmswZXRRT1VWWXZHUTkrMlNGNHh1 - a0lSRUlSMXl2RjlOa2FBVVJTU2hUaXcKLS0tIExoeHhWVDdzM0krNXczT1cwZ0F5 - NjVyQmgvaDVuSXNrY0ZCWEY3aldjM0kKKL/vHXncbbk5YSfoOWCsAL4UCWRKiNI3 - 1wLHWHhJ4Qt6L7sbQD5n4lCvxTgNx94Tow6T0vI3qd3l6ERmAtwmuw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFg5N092eVd4V1FRTG93 + Z0daWWJGNkloWXJ5bVBWakNUb0RVeVVwVlhnClRqY2VRK3BjK2dWS21HOHV5S3F2 + TUswZXZNRzh4aHlCQkxpYlJ5b3kwQ2cKLS0tIDVlSGx0MjhBQVNRODRxVFlQS29R + VHZyS3QzZjB3ZW9VVWpoNFpEcWFUL00KX715Po4Kjk7T2axTStyrWsjOmW3knTMO + a7Ic/5yRBbCMBipnqH8rNMqNOfUBapnfnZ516kxg9c5NFv/uJlSC1g== -----END AGE ENCRYPTED FILE----- - - recipient: age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae + - recipient: age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2E5OVBvV1pVa3dwQ0k1 - M3RIWHJXakgzWFNWMStuOGxXdk11VGtNM2djCm5UQmo0bEd3Y3B5Q3pGSCt2a0g3 - 
bkE0UG8yOTJ0QnBDdmJxS0tKcWY5S28KLS0tIEUxTi9mUWpuTGM1ZjdWUVZuTTBq - eXVkZ2NzYXd0K3RKMEFnYU9yT1JmU0kKVJ97jMdqiz19NGQi3EBXvYEr4D37h79G - G02mxBm9EDKb4jgaj/5TcKqCOj8qLnBpu1DJSu1vICt9S/hN2baJsQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM3BIb2F2eU0wQURqRzZR + NHNyVngvM2kwTE05YlU3Z3VBVHlPeFRDREE4CndkZ1N0RjBRRHJBUW04UGdtVlV6 + MWc4SGp6OUo0UXhXQis0Q2RiWi9oemMKLS0tIHcvbDljUStRL2g4Slk3T1dKamRQ + bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap + mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-10-26T18:26:01Z" mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str] diff --git a/machines/minio/configuration.nix b/machines/minio/configuration.nix index ea09c65..1a1fac9 100644 --- a/machines/minio/configuration.nix +++ b/machines/minio/configuration.nix @@ -1,7 +1,7 @@ { self, ... }: { modulesPath, ... }: { imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") + (modulesPath + "/virtualisation/lxc-container.nix") ./backup.nix ../../users/root 
@@ -20,19 +20,51 @@ enable = true; remote-builders = true; }; + tailscale.enable = true; }; time.timeZone = "Europe/Amsterdam"; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; - proxmoxLXC = { - privileged = true; + networking = { + hostName = "minio"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + nftables.enable = true; + + firewall.trustedInterfaces = [ "tailscale0" ]; }; - security.sudo.execWheelOnly = true; + systemd.network = { + enable = true; - services.tailscale.enable = true; + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.204/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { @@ -41,5 +73,5 @@ minio_backup_pass = { }; }; - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } diff --git a/machines/minio/secrets.yaml b/machines/minio/secrets.yaml index d40912f..adbd021 100644 --- a/machines/minio/secrets.yaml +++ b/machines/minio/secrets.yaml 
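Review bot: `system.stateVersion` goes from "23.05" to "24.05" on a machine whose data is clearly meant to persist (`./backup.nix`, the minio credentials); NixOS documents this value as the release the system was first installed on, and bumping it on an existing install changes stateful defaults silently. Keep "23.05" unless the minio container was recreated from scratch on Incus with a fresh data volume, and say which in a comment, e.g. `system.stateVersion = "24.05"; # fresh install on Incus, Jan 2024`. The same bump appears in frigate, proxy and odin in this commit and deserves the same check.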
@@ -10,29 +10,29 @@ sops: - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ1B1TFBnd0NZWVFWT25P - bHk2RDRHL0tzSW5abzh1MS9KNUFDaERUWlNVCkc3UkJrZFl4cW9zY3JmYjgrOHJC - a0ZHWm9TL0dTVWIrTW8rTFRlZ08zQUkKLS0tIFQ2S2VrMTJFMkwzN1QyclcyMllM - SXJhdUh6NzdmbUR6cklyaFdxdDFqMDQKJa1jgD3oZS5CxZViKeurzfVORoGPX4ky - b3oIjohx17LHinrO1zVhwZXfcHF7xlsMKVqAvZldZE9ckRPSbH7f8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHY3T3BldXRVZTBxTkQr + YXNZbzRXSS9xVlhvMXRXWTFwUUwya3V6SlZzCmNTL1FTbTFxSkVCVEUrVjVacUlR + YVNsZXBaRlVTMHM4ZU1FMlhqWE8wb3MKLS0tIGJZVHlWc00ya3lPUG5BYWtJdkxY + aGVJY1JPZzRDc253Q3hHRk1hWE5sT1EKFVk0QJSjdZQrYFfeaDWZpBK/nIQY95Ah + Y9fBEaQkzsKZBdOTQZu3SEU7W4KjXrkU/SAP9EbF8sph/1UaAzsYrw== -----END AGE ENCRYPTED FILE----- - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0b0FqNktKbUtTcDBlUExn - SEJyak5nOW1ITzgyR0ZCZ0ZXVkErS1FmMHlBCnNxbC9BU01Ua2NKSEZQL2hqYkVP - RmRMeENPMGhKbzlLdVE0aU02MGg5c1UKLS0tIHA3citHSWVqODhKT3RpbHNhcEo2 - akozVFpEOW9COEgwL0lPdm4xRUlobWcKQpov1ITcXNSTiP3nZ7vL+WYBep2NKFjV - LGk4wKfAry+SlRfsq3A/4Kv/WDceaFY9UiXoGu7lWwuJkzJXaJUBPg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUzBOZnZ0d01KZFdsTCsy + dGZLRXg4U0sxcVgvTEE0Ri9rWEVrU2Q0Z2tvCmMvWENWU3l6elY4SDF4b1dBdkMw + aEtxMXdSbmRjcWgzUGV5MktRWncyQ0UKLS0tIHp3STNadDJFR1djNk5ZZW5iTThr + SmtnRlUwUVpxN00rUmd4VGQ4ZnA0U0EKrzkG5duj91jy2j6cB612urKhK8cMkeVJ + lBrmKXt0/SddCgpn0ldZx99E1KIL/O1V6JhfxAPvTGkIIIXGXut1hQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49 + - recipient: age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmdQZUlZZ2JZcHMvVWV5 - TGVzUnU3cHNySlowa21VYVZvS1REcVV0ZkVFCmV3NURRNWZzaXRaQ3EzeU52UVhS - 
MkJIbHFVSXRqQXdLSDFQR2hkcUN5T28KLS0tIExUNWgySDVaaVNHRFJIbWtFWFBN - S2VBY05lVXZIZ1dTaDNvSGNQaVVmS1kKirfOAiMzO6dz5VYHb0RpUtNojg7Zd6I4 - 1QZR3oJykIUybeNScW7Qhb2AtRObUefXMx3kA814d62yDJkwbApkDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M3J4czVkVXI1QUVwMlly + MDBSQUpTZFdITEZXa3kxeU9sQUtkNkJTZm1RCnMzeHRyNDJqTi9QRXFqQ241eUV1 + QlhMZUszQmZLQXAwaGJORThoNnFMK28KLS0tIHRkdW03MDBwRGxMV280R2hoaTFN + d0NWMXF3R2lwL2RQRFVFY3RteGFPVEkKACtGvv9tx9H34QW7vbLswFBsaQHTWwXc + L2n3760iwAnVad4Aw7cQHUwzEUopWwhvg10BTrhi67CB9AG73yPNmA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-09-11T14:19:07Z" mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str] diff --git a/machines/odin/configuration.nix b/machines/odin/configuration.nix index 6ea1c58..90ffc45 100644 --- a/machines/odin/configuration.nix +++ b/machines/odin/configuration.nix @@ -1,4 +1,5 @@ { nixos-hardware, disko, ... }: +{ pkgs, config, ... }: { imports = [ nixos-hardware.nixosModules.common-cpu-intel @@ -7,6 +8,8 @@ disko.nixosModules.disko ./storage.nix + ./network.nix + ./virtualisation.nix ../../users/erwin ../../users/root ]; @@ -14,6 +17,7 @@ eboskma = { users.erwin = { enable = true; + server = true; }; base = { @@ -25,11 +29,18 @@ remote-builders = true; }; - libvirtd.enable = true; + # libvirtd.enable = true; systemd.enable = true; + tailscale.enable = true; + }; + + security = { + sudo-rs = { + enable = true; + }; + sudo.enable = false; }; - networking.hostName = "odin"; boot = { loader = { 
@@ -41,30 +52,37 @@ }; initrd = { - availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ]; - kernelModules = [ "kvm-intel" "kvm-amd" ]; + availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ]; + kernelModules = [ "kvm-intel" ]; }; - kernelModules = [ "kvm-intel" "kvm-amd" ]; + kernelPackages = pkgs.linuxPackages_latest; + kernelModules = [ "kvm-intel" "dm-thin-pool" "dm-snapshot" ]; + # From PVE: ro quiet intel_iommu=on i915.enable_gvt=1 cpufreq.default_governor=ondemand + # kernelParams = [ "intel_iommu=on" "i915.enable_gvt=1" "cpufreq.default_governor=ondemand" ]; + + extraModulePackages = with config.boot.kernelPackages; [ gasket ]; }; hardware.enableAllFirmware = true; powerManagement.cpuFreqGovernor = "ondemand"; - services.cockpit = { - enable = true; - settings = { - WebService = { - Origins = [ "https://cockpit.datarift.nl" ]; - ProtocolHeader = "X-Forwarded-Proto"; - ForwardedForHeader = "X-Forwarded-For"; + services = { + openssh.enable = true; + cockpit = { + enable = true; + settings = { + WebService = { + Origins = "https://cockpit.datarift.nl"; + ProtocolHeader = "X-Forwarded-Proto"; + ForwardedForHeader = "X-Forwarded-For"; + }; }; }; + lvm = { + enable = true; + }; }; - services.lvm = { - enable = true; - }; - - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } diff --git a/machines/odin/network.nix b/machines/odin/network.nix new file mode 100644 index 0000000..39d454d --- /dev/null +++ b/machines/odin/network.nix 
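Review bot: `services.openssh.enable = true` on the Incus host is added with no `settings`, so the NixOS defaults apply (password authentication on); unless `../../users/root` or the `eboskma.base` module pins these, add `settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` — this box holds every guest's volumes and the `incus-admin` group. Separately, `extraModulePackages = [ gasket ]` combined with `kernelPackages = pkgs.linuxPackages_latest` ties an out-of-tree Coral driver to whatever kernel is newest at each rebuild, and the commented Proxmox `kernelParams` (`intel_iommu=on`, `i915.enable_gvt=1`) should state whether they are intentionally dropped. The `boot = {` block this hunk starts in opens outside the hunk.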
@@ -0,0 +1,67 @@
+{
+ networking = {
+ hostName = "odin";
+ useDHCP = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd = {
+ coredump.enable = false;
+ network = {
+ enable = true;
+
+ wait-online = {
+ anyInterface = true;
+ };
+
+ netdevs = {
+ "25-vmbr0" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "vmbr0";
+ MACAddress = "48:21:0b:56:b1:42";
+ };
+ };
+ };
+
+ networks = {
+ "40-enp86s0" = {
+ matchConfig = {
+ Name = "enp86s0";
+ };
+
+ networkConfig = {
+ # DHCP = "yes";
+ Bridge = "vmbr0";
+ };
+ };
+ "40-vmbr0" = {
+ matchConfig = {
+ Name = "vmbr0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.252/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.1";
+ DHCP = "no";
+ };
+ };
+ };
+
+ links = {
+ "40-enp86s0" = {
+ matchConfig = {
+ OriginalName = "enp86s0";
+ };
+ linkConfig = {
+ WakeOnLan = "magic";
+ };
+ };
+ };
+ };
+
+ };
+}
diff --git a/machines/odin/storage.nix b/machines/odin/storage.nix
index e49fcc2..123d740 100644
--- a/machines/odin/storage.nix
+++ b/machines/odin/storage.nix
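Review bot: `MACAddress = "48:21:0b:56:b1:42"` on the `vmbr0` netdev and `DNS = "10.0.0.1"` on the host are both unexplained, and both differ from every guest in this commit (guests use `DNS = "10.0.0.206"`), so a reader is likely to "fix" either one. Add `# pin the bridge to the physical NIC's MAC so the host's DHCP/ARP identity does not change when enp86s0 is enslaved — confirm this is enp86s0's address` and `# resolve via the router, not 10.0.0.206: that resolver presumably lives in a guest on this host and is not up when the host boots — confirm`. `systemd.coredump.enable = false` is unrelated to networking and belongs in `configuration.nix`. `WakeOnLan = "magic"` lets any LAN host wake the box with no SecureOn password; acceptable on a home LAN, but worth a comment.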
@@ -1,64 +1,66 @@ -{ disko, ... }: { disko.devices = { disk = { - sda = { - device = "/dev/vda"; + nvme0n1 = { + device = "/dev/nvme0n1"; type = "disk"; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "1MiB"; - end = "512MiB"; - bootable = true; + type = "gpt"; + partitions = { + esp = { + name = "ESP"; + size = "512M"; + type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; }; - } - { - name = "root_pv_sda"; - start = "512MiB"; - end = "100%"; + }; + root = { + name = "root_pv_nvme0n1"; + size = "260G"; content = { type = "lvm_pv"; - vg = "pool"; + vg = "root-pool"; }; - } - ]; + }; + data = { + name = "data_pv_nvme0n1"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "data"; + }; + }; + }; }; }; sdb = { - device = "/dev/vdb"; + device = "/dev/sda"; type = "disk"; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "root_pv_sdb"; - start = "0%"; - end = "100%"; + type = "gpt"; + partitions = { + root = { + name = "data_pv_sdb"; + size = "100%"; content = { type = "lvm_pv"; - vg = "pool"; + vg = "data"; }; - } - ]; + }; + }; }; }; }; lvm_vg = { - pool = { + root-pool = { type = "lvm_vg"; lvs = { - root = { - size = "32GiB"; + nixos = { + size = "250G"; content = { type = "filesystem"; format = "ext4"; @@ -68,34 +70,25 @@ }; swap = { - size = "8GiB"; + size = "8G"; content = { type = "swap"; - randomEncryption = false; + randomEncryption = true; }; }; - - zz_data = { + }; + }; + data = { + type = "lvm_vg"; + lvs = { + data = { size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/data"; - mountOptions = [ "defaults" ]; - }; + extraArgs = [ + "--type=thin-pool" + ]; }; }; }; }; }; - # fileSystems."/" = { - # device = "/dev/disk/by-label/nixos"; - # fsType = "ext4"; - # }; - - # fileSystems."/data" = { - # device = "/dev/disk/by-label/data"; - # fsType = "btrfs"; - # }; - } 
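Review bot: `device = "/dev/nvme0n1"` and `device = "/dev/sda"` are enumeration-order names; disko partitions and formats whatever is behind the name it is handed, so a USB stick or a second NVMe that enumerates first turns a `disko --mode disko` run into data loss on the wrong disk. Use the stable paths, e.g. `device = "/dev/disk/by-id/nvme-<model>_<serial>";` and `device = "/dev/disk/by-id/ata-<model>_<serial>";`. `randomEncryption = true` on swap is a good change; the root LV and the `data` thin pool that `virtualisation.nix` hands to Incus for guest volumes stay unencrypted, which is a deliberate choice that deserves a one-line comment.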
diff --git a/machines/odin/virtualisation.nix b/machines/odin/virtualisation.nix
new file mode 100644
index 0000000..229856f
--- /dev/null
+++ b/machines/odin/virtualisation.nix
@@ -0,0 +1,134 @@
+{ pkgs, ... }:
+{
+ users.users.erwin.extraGroups = [ "incus-admin" ];
+ virtualisation = {
+ incus = {
+ enable = true;
+ preseed = {
+ networks = [
+ {
+ config = {
+ "ipv4.address" = "10.0.100.1/24";
+ "ipv4.nat" = "true";
+ };
+ name = "incusbr0";
+ type = "bridge";
+ }
+ ];
+
+ profiles = [
+ {
+ name = "default";
+ devices = {
+ root = {
+ path = "/";
+ pool = "default";
+ size = "32GiB";
+ type = "disk";
+ };
+ };
+ }
+ {
+ name = "nixos";
+ config = {
+ "security.nesting" = true;
+ };
+ }
+ {
+ name = "privileged";
+ config = {
+ "security.privileged" = true;
+ };
+ }
+ {
+ name = "autostart";
+ config = {
+ "boot.autostart" = true;
+ };
+ }
+ {
+ name = "net-bridged";
+ devices = {
+ eth0 = {
+ type = "nic";
+ nictype = "bridged";
+ parent = "vmbr0";
+ };
+ };
+ }
+ {
+ name = "homeassistant";
+ devices = {
+ root = {
+ path = "/";
+ pool = "default";
+ size = "128GiB";
+ type = "disk";
+ };
+
+ eth0 = {
+ type = "nic";
+ nictype = "bridged";
+ parent = "vmbr0";
+ };
+
+ zigbee = {
+ type = "usb";
+ productid = "55d4";
+ vendorid = "1a86";
+ };
+
+ p1 = {
+ type = "usb";
+ productid = "0403";
+ vendorid = "6001";
+ };
+ };
+ config = {
+ "limits.cpu" = 4;
+ "limits.memory" = "8GiB";
+ };
+ }
+ ];
+
+ storage_pools = [
+ {
+ config = {
+ "lvm.thinpool_name" = "data";
+ "lvm.vg_name" = "data";
+ };
+ driver = "lvm";
+ name = "default";
+ }
+ ];
+
+ config = {
+ "oidc.client.id" = "incus";
+ "oidc.issuer" = "https://id.datarift.nl/realms/datarift/.well-known/openid-configuration";
+ "core.https_address" = "[::]:8443";
+ };
+ };
+ };
+ };
+
+ systemd.services = {
+ incus = {
+ path = [
+ pkgs.nftables
+ pkgs.lvm2
+ pkgs.e2fsprogs
+ ];
+ environment = {
+ INCUS_UI = pkgs.incus-ui;
+ };
+ };
+ incus-preseed = {
+ path = [ pkgs.lvm2 ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 8443
+
+ ];
+}
diff --git a/machines/proxy/configuration.nix b/machines/proxy/configuration.nix
index 14d9856..1ea2c6f 100644
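Review bot: `"core.https_address" = "[::]:8443"` together with `networking.firewall.allowedTCPPorts = [ 8443 ]` exposes the Incus API (and, with `INCUS_UI` set, the web UI) on every interface, including the `vmbr0` bridge the guests share, while `tailscale.enable = true` in `configuration.nix` already provides a private path; restrict it with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 8443 ];` or bind `core.https_address` to the Tailscale address. The `privileged` profile (`"security.privileged" = true`) and `incus-admin` membership for `erwin` are both root-equivalent on the host and deserve a comment at each line so nobody attaches that profile to a network-facing guest casually. `oidc.issuer` is given as the full `.well-known/openid-configuration` URL; if Incus performs discovery itself by appending that path to the issuer, this should be the bare `https://id.datarift.nl/realms/datarift` — verify against the Incus logs on first login.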
--- a/machines/proxy/configuration.nix +++ b/machines/proxy/configuration.nix @@ -1,7 +1,7 @@ { self, caddy-with-plugins, ... }: { modulesPath, pkgs, ... }: { imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") + (modulesPath + "/virtualisation/lxc-container.nix") ../../users/root ../../users/erwin ]; 
@@ -21,48 +21,67 @@ package = caddy-with-plugins.lib.caddyWithPackages { inherit (pkgs) caddy buildGoModule; plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ]; - vendorSha256 = "7TWLOeEHn/cmpCXWuwLQrWpezrW6qcCERscutzYjpN0="; + vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM="; }; }; + tailscale.enable = true; }; - boot.isContainer = true; + boot = { + isContainer = true; + kernel.sysctl = { + "net.core.rmem_max" = 2500000; + "net.core.wmem_max" = 2500000; + }; + }; time.timeZone = "Europe/Amsterdam"; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; - # networking = { - # hostName = "proxy"; - # useDHCP = false; + networking = { + hostName = "proxy"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + nftables.enable = true; - # interfaces = { - # eth0 = { - # ipv4.addresses = [ - # { - # address = "10.0.0.251"; - # prefixLength = 24; - # } - # ]; - # }; - # }; - - # defaultGateway = "10.0.0.1"; - # nameservers = [ "10.0.0.254" ]; - # }; - - proxmoxLXC = { - privileged = true; + firewall.trustedInterfaces = [ "tailscale0" ]; }; - services.tailscale.enable = true; + systemd.network = { + enable = true; - security.sudo.execWheelOnly = true; + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.251/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { caddy-env = { }; }; - system.stateVersion = "21.11"; + system.stateVersion = "24.05"; } diff --git a/machines/proxy/secrets.yaml b/machines/proxy/secrets.yaml index 56b82e6..afeb885 100644 --- a/machines/proxy/secrets.yaml +++ b/machines/proxy/secrets.yaml 
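Review bot: `boot.kernel.sysctl` `net.core.rmem_max`/`net.core.wmem_max` are not network-namespaced, so unless this guest runs privileged `systemd-sysctl` cannot write them inside the container and the setting is logged as failed and ignored — the socket buffers Caddy's QUIC stack wants are governed by the host. Move the two keys to `machines/odin`, where they take effect for every guest, and leave a comment here pointing at that, e.g. `# net.core.* buffers for HTTP/3 are set on the odin host; not writable from an unprivileged container`. The caddy-dns/cloudflare plugin is still pinned by bare commit `74f004e…` with only `vendorSha256` bumped; a short comment giving the upstream version/date would help the next update. The `eboskma` block this hunk starts in opens outside the hunk.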
@@ -8,29 +8,29 @@ sops: - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2 - Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF - YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv - VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB - rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNmVyOGtudS9ZdlpxVmpD + Qmd5dWlQRkJ0b3lrK1JrV0RXWjRzdHgyblZzCjlacnJra1NHT25oQ3V4NEc3K09k + MnBObjBXQTFxaHJNTmpsTVo4TDlCdjQKLS0tIGFZREpPWVI5a2ZDQjAxbkRHRTJ4 + a1dYRzNXQWRrYkRESkRIVGljYlZDOGcKBdQ+F+5KmTpOkBR0UlTRdon+F+qWgQRA + oisOMoX/WFss3/CNJxr4LwqXFoinWQT7qiXXPsBiZ+VpsaBfPJ3sMw== -----END AGE ENCRYPTED FILE----- - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw - ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho - anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO - K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du - g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeElXK2hjLzhQc2hpYUtT + VjAyM3lIcjdJNGQ0Ujh0S2U5eXlxYXFTU2swCjlMa2xTQTFqZUVQd3lMalRrSDds + aXJyM3B1ZFg3cWxKSHdpbWVxT3JKS3cKLS0tIHp0Q0dDM1d0aGNrQlA4bnlITE41 + OWZIT3BZbCtLaFl5eU1CMlE3S3RNVUkKUShpf1ahWy5AF7UhucPcz1FzGF85Z26E + FbPEHzSfjLZoRtEaxXDOJVASd7xuGkb+L8g86rWR462atAI6lTuEfg== -----END AGE ENCRYPTED FILE----- - - recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m + - recipient: age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz - djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx - 
RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz - RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto - yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWtjd2h3N2lIbDNBZGpZ + VnViQ2FXY0hQaXV6RXZaYnRHODJFOVZOcEJZCmdXSjMrVTFBZzhlQS9XSWNmYzRs + NXVCT2N6NDlSbGhpNnZ0S0FhTFpEMjAKLS0tIGg1TDFrZ3RmVjBPR1hleWhwNWVC + UTFJZmxIK2YxY0FieFpoNVV4Z2ttK1UKeqJuuzuMyVayliFUscLSCtUZDjjZKaIg + Kp6952AQPC4h+7j61C0iqtqG8dxIABdJfu7gvdgEfpKltDae3vQR8w== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-08-09T22:09:02Z" mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]
diff --git a/machines/unifi/configuration.nix b/machines/unifi/configuration.nix
index 08cc410..dfd53cc 100644
--- a/machines/unifi/configuration.nix
+++ b/machines/unifi/configuration.nix
@@ -1,7 +1,7 @@
 { self, ... }:
 { modulesPath, pkgs, lib, ... }: {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ (modulesPath + "/virtualisation/lxc-container.nix")
 ../../users/root
 ../../users/erwin
 ];
@@ -15,11 +15,12 @@
 enable = true;
 remote-builders = true;
 };
+ tailscale.enable = true;
 };
 services.unifi = {
 enable = true;
- unifiPackage = pkgs.unifi;
+ unifiPackage = pkgs.unifi8;
 # unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: {
 # version = "7.5.176";
 # src = builtins.fetchurl {
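Review bot: The recipient swap (`age1dg4…` → `age1yz7…`) only rewrites the three per-recipient `enc` blocks; the encrypted data values, `lastmodified` and the `mac` line are unchanged, so the file's data key was not rotated. If the removed recipient key was retired because it might be exposed rather than merely replaced, its holder can still decrypt an earlier revision of this file from git history, and because the data key is the same that also covers the current content, so the secret itself (the `caddy-env` value, presumably a Cloudflare API token for the caddy-dns plugin) needs rotating — `sops --rotate` plus a fresh token — not just a re-key. If the other secrets.yaml files in this commit were re-keyed the same way, the same applies to them.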
@@ -30,25 +31,53 @@
 openFirewall = true;
 };
- networking.firewall = {
- allowPing = true;
- trustedInterfaces = [ "tailscale0" ];
- allowedTCPPorts = [ 8443 ];
- };
-
- boot.isContainer = true;
-
 time.timeZone = "Europe/Amsterdam";
 system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
- proxmoxLXC = {
- privileged = true;
+ networking = {
+ hostName = "unifi";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = true;
+
+ firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowPing = true;
+ allowedTCPPorts = [ 8443 ];
+ };
 };
- services.tailscale.enable = true;
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.207/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
- security.sudo.execWheelOnly = true;
 sops.defaultSopsFile = ./secrets.yaml;
 sops.secrets = { };
diff --git a/machines/valkyrie/configuration.nix b/machines/valkyrie/configuration.nix
index 5fc68ec..3586550 100644
--- a/machines/valkyrie/configuration.nix
+++ b/machines/valkyrie/configuration.nix
@@ -1,7 +1,7 @@
 { self, ... }:
 { modulesPath, ... }: {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ (modulesPath + "/virtualisation/lxc-container.nix")
 ../../users/root
 ../../users/erwin
@@ -23,6 +23,7 @@
 remote-builders = true;
 };
 unbound.enable = true;
+ tailscale.enable = true;
 };
 services.resolved.extraConfig = ''
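Review bot: `boot.isContainer = true;` is removed here and not re-added on the new side, whereas the proxy hunk above keeps it inside its new `boot = { … }` block; if the imported `lxc-container.nix` module sets it the line was redundant in both files, but the two hosts should agree either way, so confirm and either restore it or leave `# boot.isContainer is set by lxc-container.nix` where it was. `allowedTCPPorts = [ 8443 ]` in the new `firewall` block also appears to duplicate what `services.unifi.openFirewall = true` (context at the top of the hunk) opens for the controller UI, so it deserves a comment explaining why it is kept explicitly, or can go.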
@@ -33,15 +34,44 @@
 system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
- proxmoxLXC = {
- privileged = true;
+ networking = {
+ hostName = "valkyrie";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = true;
+
+ firewall.trustedInterfaces = [ "tailscale0" ];
 };
- networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ systemd.network = {
+ enable = true;
- security.sudo.execWheelOnly = true;
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
- services.tailscale.enable = true;
+ networkConfig = {
+ Address = "10.0.0.206/24";
+ Gateway = "10.0.0.1";
+ DNS = "127.0.0.1";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
 system.stateVersion = "23.11";
 }
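Review bot: `DNS = "127.0.0.1"` makes this host's own resolver the only nameserver valkyrie uses, and the other hosts in this commit point their single `DNS` entry at this host's new address `10.0.0.206`, yet nothing in the hunk records that valkyrie is the sole resolver for the network; a comment such as `# resolve via the local unbound; every other machine uses 10.0.0.206 for DNS` would make the dependency visible. It also presumes the local resolver (unbound is enabled above this hunk, next to the resolved `extraConfig`) actually listens on 127.0.0.1 — worth confirming, because a misconfiguration there takes out name resolution for every host at once. The enclosing attribute set opens above the hunk.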