Finish configuration for odin on NUC, update containers for Incus
parent
d06576a0ac
commit
d99ac2d3f7
17 changed files with 734 additions and 201 deletions
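--- a/machines/ci/configuration.nix
+++ b/machines/ci/configuration.nix
@@ -0,0 +1,90 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+imports = [
+(modulesPath + "/virtualisation/lxc-container.nix")
+../../users/root
+../../users/erwin
+];
+
+eboskma = {
+users.erwin = {
+enable = true;
+server = true;
+};
+nix-common = {
+enable = true;
+remote-builders = true;
+};
+tailscale.enable = true;
+woodpecker.enable = true;
+};
+
+boot.isContainer = true;
+
+time.timeZone = "Europe/Amsterdam";
+
+system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+networking = {
+hostName = "ci";
+useDHCP = false;
+useHostResolvConf = false;
+networkmanager.enable = false;
+useNetworkd = true;
+nftables.enable = false;
+
+firewall = {
+trustedInterfaces = [ "tailscale0" ];
+interfaces."podman+" = {
+allowedUDPPorts = [ 53 ];
+allowedTCPPorts = [ 53 ];
+};
+};
+};
+
+virtualisation.podman = {
+enable = true;
+autoPrune = {
+enable = true;
+dates = "weekly";
+};
+
+defaultNetwork.settings.dns_enabled = true;
+};
+
+systemd.network = {
+enable = true;
+
+networks = {
+"40-eth0" = {
+matchConfig = {
+Name = "eth0";
+};
+
+networkConfig = {
+Address = "10.0.0.202/24";
+Gateway = "10.0.0.1";
+DNS = "10.0.0.206";
+DHCP = "no";
+};
+};
+};
+};
+
+security = {
+sudo-rs = {
+enable = true;
+execWheelOnly = true;
+wheelNeedsPassword = false;
+};
+sudo.enable = false;
+};
+
+sops.defaultSopsFile = ./secrets.yaml;
+sops.secrets = {
+woodpecker-server = { };
+woodpecker-agent = { };
+};
+
+system.stateVersion = "24.05";
+}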
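Review bot: `wheelNeedsPassword = false` under `security.sudo-rs` gives every wheel member passwordless root on a container whose job, per `woodpecker.enable = true` and the podman setup below it, is to execute CI pipelines, so a compromise of the `erwin` account (or of anything that reaches it from a pipeline) is root without a further credential. The hosts file deploys with `sshUser = "erwin"` and `buildOn = "local"`, so presumably non-interactive sudo is needed for activation; that rationale should be written down next to the line, e.g. `wheelNeedsPassword = false; # non-interactive activation by the deploy user; reachable only via tailscale0`, or the line dropped if it is not needed. The same block appears in the frigate, minio and the other `hostName = "ci"` configuration hunks. Separately, `nftables.enable = false;` here differs from `true` on minio and the commented-out line on frigate; if the podman firewall integration is the reason, a one-line comment saying so would stop the next reader from "fixing" it.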
42
machines/ci/secrets.yaml
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
drone: ENC[AES256_GCM,data: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,iv:F++KLxnqAtBhcSdj5rZhGpVvCKfI8y5HhvlejCfwi/k=,tag:YdiiZUN7wGn9yA1evMu5jg==,type:str]
|
||||||
|
drone-runner: ENC[AES256_GCM,data:Uh7OQSDtV0M5j00oHHm4uz4zwi+1W1k2qd5uXoROj5tcgNs76YBcfkU7d+1qXj/Hma7++HOcga0LvF1+Dl/GJQyj47kVFi/+h6I9yiuoO5sW3nxh5pW5W1Ws1qchKqVhoyZLf0K4AnYE2puleKcYXfogJ1hjnB3vn5F/eOKA/QB+7KfaVPRUGZsUYQw3rHLdTbTFHXPv//z8xxYqY5JcG+vvWsHXiI/sKSTZBWoPJEZnKK2mo8+dbZn3nSj29luG,iv:40JTvOJ7isGcHGg9KI5ED8Ju5knmIWP1m/i/dwlpG/M=,tag:GHbkLIeuiGVlNsR2EW/PGw==,type:str]
|
||||||
|
woodpecker-server: ENC[AES256_GCM,data:cW108wxYT2b65pCRcwZBoRi6eQsB4NrcUNLirfQkkqPPOymT4QFyE5Zmx6K1P33dUSAj5nA0Eh0HOsS8RhFQIOPZA9za4Ffs51Ex0HkQozduqusDGaENWR+zBOTgRhgIrwQlDSHh8UgLTzOgN8hpEqR8fFVsiWCcCAuOFjDNyczywtbbu2jNHzG6FMz2fdXy7p1dRmyTq1sFjoMEkJM5Ix8oRB8zWV+O3l6XE7Uw1vD3QbOsJiqcbWFoNw==,iv:VIlHVVvuBSZiO/tMgd/4HpT2uecn1WqJE60SkHaX+80=,tag:+xfTfq2FgSrPUVXeH4tJkQ==,type:str]
|
||||||
|
woodpecker-agent: ENC[AES256_GCM,data:YO9MCMIPVOEU+6euiCHuAN+tFFs8JkRRmb9+AIhMEuQE2ObajfJZ3NN5LsccIT9z1axA/gfjLrxM,iv:UDimHs2cKyCvy0XGdDzgX2ry114qz3V1KaXlXL3yYgI=,tag:OGITUerrT0nWU85fxcpEig==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWNGd2FLTWcwTThodlBD
|
||||||
|
K1VRUmFmQlhoN3YwcDlpQmFzR0JZaW9jQngwCjJOYndqVDVjMWFtQnpmZGpRMGg3
|
||||||
|
Q0JXQys3TVpSZm1BcWFkcjhQcDJzOG8KLS0tIENjUWtaWW5GeE4yK09yUEx2SWpG
|
||||||
|
SFc5S1kvT2pBbHorZks3b1MzRU9ERFEKdS9c7j0iyHHbAc8XXpahsOTDu53BKsmr
|
||||||
|
+ff060PPzBIzQ+7aI52E8CSUAJw0GVYZD5KZForwwBhR3vaZGQYysg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV3lvZmdCU20vT05SWTVB
|
||||||
|
cUdZTW4yVndyME4waU5qdmYwbUZuUlQyN2hvClRqSkZ0andyN3RmSFhVdzVMUWdS
|
||||||
|
VUtPR2tDRzVuZ0kzRVIyZnNMZTIwSVkKLS0tIHprQVR4c2RZQ3I0SlMzSDBnS25a
|
||||||
|
Z0JrZVhPMEZBQ1FVMjA2QnBITzJjbjQKCghnCUxyR8QkZM2R0EOgjq7J8E7MLlV6
|
||||||
|
vnEEu6iehd01vHvBKB1x3z6o/wzL8m3TA35knICZCk6jAD0w+OeW9A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneWpaNDRaYk1WS3BuQmtp
|
||||||
|
L0gxcmFTSEZ3VXBtcTZQLzl0Qm85RmJvMDFnCktJbXJVM0ZDdVJZTHF1VEF6OXAy
|
||||||
|
RGdMU3RYNytla0k0QjNydTkrbjYrV0kKLS0tIHY3UjFvZ0VxRm1JOTg3NDgySU4x
|
||||||
|
dFpad2ZiNXR0cEQ4TTMxa0luK3lGRFUKsqF3x5NvdtqXtE05TjMMhFB3cHREYRCA
|
||||||
|
2LgUDn4FYbxprXTG0dOX+87aAQmoepMkVEXo2kBopoYrGHa1DsOznw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-06-12T09:28:02Z"
|
||||||
|
mac: ENC[AES256_GCM,data:mE0O44Sa+RMqRoCqXftn3GuPFLHiyGn3tVlYgBGc973nP7mz5ZwClNgja1gk+MNolnztsrwgso5ZiNpriyI7pGKd/dG6DJQrGixqhRvgyNyIESGEuN9n6bfhYNNSzV1yRb9V6Z7iELkut03gvVU9by0MosJ7SJPMyDyZZ4tMFeA=,iv:rzrvGwJQAdbMcHQ7U/JFB08V7o2keLI1kUrUs9RaClA=,tag:UpE7ZeG7S32CNKsgT+rMMQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
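Review bot: The `drone` and `drone-runner` entries in this new secrets.yaml are not declared by `sops.secrets` in the accompanying machines/ci/configuration.nix, which lists only `woodpecker-server` and `woodpecker-agent`; they look like carry-overs from the previous CI setup. Unreferenced ciphertext is still decryptable by every age recipient in the file, so removing the two keys and re-encrypting keeps the file to what the host actually consumes.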
|
@ -1,12 +1,13 @@
|
||||||
inputs: {
|
inputs: {
|
||||||
drone = {
|
ci = {
|
||||||
config = import ./drone/configuration.nix inputs;
|
config = import ./drone/configuration.nix inputs;
|
||||||
deploy = {
|
deploy = {
|
||||||
# host = "10.0.0.202";
|
# host = "10.0.0.202";
|
||||||
host = "drone.barn-beaver.ts.net";
|
host = "ci.barn-beaver.ts.net";
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
frigate = {
|
frigate = {
|
||||||
|
@ -17,6 +18,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
gitea = {
|
gitea = {
|
||||||
|
@ -27,6 +29,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
heimdall = {
|
heimdall = {
|
||||||
|
@ -53,6 +56,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
odin = {
|
odin = {
|
||||||
|
@ -66,6 +70,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
regin = {
|
regin = {
|
||||||
|
@ -90,6 +95,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
valkyrie = {
|
valkyrie = {
|
||||||
|
@ -100,6 +106,7 @@ inputs: {
|
||||||
sshUser = "erwin";
|
sshUser = "erwin";
|
||||||
buildOn = "local";
|
buildOn = "local";
|
||||||
substituteOnTarget = true;
|
substituteOnTarget = true;
|
||||||
|
tags = [ "container" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
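Review bot: The renamed `ci` entry in the first hunk still reads `config = import ./drone/configuration.nix inputs;`, although this commit adds `machines/ci/configuration.nix` with `hostName = "ci"`; if that new file is the intended configuration the import should become `config = import ./ci/configuration.nix inputs;`, otherwise the new file is never deployed. `deploy.host` was updated to `ci.barn-beaver.ts.net` in the same hunk, so the import path is the only piece left pointing at the old name. The `tags = [ "container" ];` additions in the remaining hunks are consistent across all entries.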
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
{ self, ... }:
|
{ self, nixos-hardware, ... }:
|
||||||
{ modulesPath, ... }: {
|
{ modulesPath, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
|
|
||||||
|
nixos-hardware.nixosModules.common-cpu-intel
|
||||||
|
|
||||||
../../users/root
|
../../users/root
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
];
|
];
|
||||||
|
@ -18,26 +21,57 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
|
podman.enable = true;
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = "Europe/Amsterdam";
|
time.timeZone = "Europe/Amsterdam";
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
networking = { };
|
networking = {
|
||||||
|
hostName = "frigate";
|
||||||
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
# nftables.enable = true;
|
||||||
|
|
||||||
proxmoxLXC = {
|
firewall.trustedInterfaces = [ "tailscale0" ];
|
||||||
privileged = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.205/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "10.0.0.206";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
frigate = { };
|
frigate = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
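Review bot: `system.stateVersion` is raised from "23.05" to "24.05" in this file's last hunk, and likewise in the minio and odin configuration hunks; stateVersion records the release under which the system's state was first created, and raising it switches every stateful default keyed on it (service data layouts, database versions). If these containers were recreated from scratch under Incus a fresh value is fine but deserves a comment, e.g. `system.stateVersion = "24.05"; # fresh install under Incus, not an upgrade`; if their data volumes were carried over from the Proxmox containers the old value should stay. Also, `nixos-hardware.nixosModules.common-cpu-intel` is now imported into what the first hunk makes an `lxc-container.nix` system; the kernel- and microcode-level settings that module applies presumably take effect only on the host, so confirm the import does anything here before keeping it.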
|
||||||
|
|
|
@ -8,29 +8,29 @@ sops:
|
||||||
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGVxdk1xWi9PbTl4dGVv
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTnlKWS9MMlpLaUZFWE5R
|
||||||
QlFIL0ppRzRReVRnYkMwZDQrQVZ5SEkzblNNCjlwK0xFSGFoallaVUhVZWxjNFBQ
|
WUxRZnFmeG1jV2ljajZacUpGaUc0Vks2OFVjCjZlclFMMWhIYzZwa21sTmV0cUZO
|
||||||
ZVJPdUoyRm9FUGZDaFpyRGs2VEZiUmMKLS0tIDloRGZVT290NHYvRXVSb29aMXRw
|
eWhmbHR4OW5Oanl5Y0J4LzZBU1dxekkKLS0tIHBDbHFNMEJlQ1BjQmMyRm5SWEo1
|
||||||
dDIzVFNaVjJGTVNVQlJLODhYUlVKVkkKjMHAlBNaKSk3q/rWSRKSz9wuyXp3KshD
|
Vlp5YUpkanh0a253WEZ4YXJzcXJlU00KN6I5LyH+8QYbVJk3K/0ir0qRf8Q6iwpa
|
||||||
J7sCrTde+8hhudKpS7fw0DzuZ+tq4/JOj+imAS3eXmeNRI6V6eLxLQ==
|
XubDryZhBA/tfy1zaJ7GmpFJVDjjjOiGYcKIGHQ/R35O3awGJcrCmQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWGV6TVprTlFQQjFsODRk
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0FDM1paRUdJZUd2RTBn
|
||||||
SVBiMFo3WTFmNVg1b21HTTNYMzFNbHBuMXpnCk1uWStoU0RtbG96eXU1ZWlXSk9F
|
QmxxL1VmVWx6Nkp1TmdaaFN5ZmJ5c2dzbVVvCnBGUEI3MUhZSll5Z05KUWhtb2lz
|
||||||
QmRhRDhyOWpJWDV6bnRRK01IUllITFUKLS0tIEVCU3RFdmNCazZJL1lSZDJDanRO
|
Szc3SGhoSy9BdTRLSlUwVWNZeC9MclEKLS0tIFF0dXRicm5lQW9ZeDI0SHB4blpu
|
||||||
NmRXdzhlN0Yyb056c1RDY1hhMWZ3MFkKZ9JJmYXKeZRbUiDncC/cfUu/q+O5dBYN
|
TEhuRjhkZXJhUVpvQlA1MFBBQmU0VW8K8D5iIMCLQWHXdzGC67w4Jo+PQin1SXwr
|
||||||
3AxTIOScw7rDyUDEXOxcTMA75V3ttSe9dkny4CNC3881hObYyot6gg==
|
QjjsA6fjfhgV1+PnuRDhOro+WS3Rbp0WfCskq4+uzuDW16+5bpy62A==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age17p30jwu847x5g9y6wzmt2c4a2e0m9m77ajk5qsgsahdxc8wssu8skdzmq2
|
- recipient: age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSkJJcHVkSnJxUmo0ajhU
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQVB0ZWRtaHBqWXo2bEN6
|
||||||
TmRGWEIzSFFDZnI2b2lPaWJDNlQzbTAxTW1zCjZXOVFzZ01uWTJFTTdvQkltR3VD
|
T2dKWThTRzRLOU0zcTZHMUNYOEJCd0hrR0dzClFVVzBFZWlSRzZ3QjQ5YTdpdG1h
|
||||||
cVNFUlFDZDljVDZyaDlhSFJOc3RCT1UKLS0tIDAzVzhueVg5bTJRbS8xN3lDaUR4
|
aVR3cUpPbEVjUU5pVnc5YmlUb1FZaTAKLS0tIEhLQ1V1WWRvYzJaekdFbVR4elF3
|
||||||
NXJsSzFsaVZBeFhlakpZSW9ObGNBWGMKgX2qtoyTmBXH9XjMYT/YWllfUBcbLpv/
|
YkFoWUpBNGhMRUloYzYvMlhPalBnSTgKXUV6iEE5ZU0tlaAAMDg4hrJSCoUkLA/B
|
||||||
tLLIbgDGfEKKlLIO+jn3pyhv3+Vf78uOyxNh7llDetrR2rZmJLZbaw==
|
6WOwLvfq1/JTgyD58LVsJOqMJ8cqvG/4uHIcaHq17F9CFZykBprJqQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-03-26T14:26:15Z"
|
lastmodified: "2023-03-26T14:26:15Z"
|
||||||
mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str]
|
mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str]
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ self, ... }:
|
{ self, ... }:
|
||||||
{ modulesPath, ... }: {
|
{ modulesPath, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
|
|
||||||
../../users/root
|
../../users/root
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
|
@ -18,6 +18,7 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.isContainer = true;
|
boot.isContainer = true;
|
||||||
|
@ -26,13 +27,50 @@
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
proxmoxLXC = {
|
networking = {
|
||||||
privileged = true;
|
hostName = "ci";
|
||||||
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = false;
|
||||||
|
|
||||||
|
firewall = {
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
interfaces."podman+" = {
|
||||||
|
allowedUDPPorts = [ 53 ];
|
||||||
|
allowedTCPPorts = [ 53 ];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.203/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "10.0.0.206";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
|
|
|
@ -10,29 +10,29 @@ sops:
|
||||||
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NHY0SzdYUFk3dUNnYU04
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadmRzQ0pBUlZlNndBK2tH
|
||||||
U2JIK1FnRXVVYy8xNE56eGE2Y1pWRHk0U0ZnCnIvN1RnL2RuNzlOSXNxYisyK21Z
|
NHVmMWxRRlVJRTEyd2tZVkduZmk2cExMQnlvCkZLeEhoYTF1WUJEaG9QK0xrRkpB
|
||||||
YkNuMytqdjltakswT2RoenNyNXFNbFUKLS0tIHh2MkFTMURTUGVWeDlES0UyTngx
|
dG1FdFNJT1BjOXI1VkpNc2lPKzVHZ2cKLS0tIGxVSDRLMVRQQldPSCtoYnhSSkZB
|
||||||
MUsxVWxBQ0FuaHpESjNZRitDcG1YTkUKfrvBUhZNjaQLOVbBVvytb2L9rtvWhUd0
|
aGdJZ3lsSGR3REhvYzEwbmgvNitWSWMKOHG8i+a7RUjWV02a5xczNseDGqEF9q5D
|
||||||
kP4/BcdkKIQQ0WgQ1+qNfHZJUrBTJEUQW74MJai/hZZkXXwT5CB4sQ==
|
N3GA1kZ/imGqTpeh4mlvZ4dnbtN0lsrmUDt3pZD4Zi4zvOhTyJmQdg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeXlySFFpZW1IZnJpN01F
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFg5N092eVd4V1FRTG93
|
||||||
U0F5Nk1vM0pHd3dPTWRFVWJpb0xGM2VSeHhvCmswZXRRT1VWWXZHUTkrMlNGNHh1
|
Z0daWWJGNkloWXJ5bVBWakNUb0RVeVVwVlhnClRqY2VRK3BjK2dWS21HOHV5S3F2
|
||||||
a0lSRUlSMXl2RjlOa2FBVVJTU2hUaXcKLS0tIExoeHhWVDdzM0krNXczT1cwZ0F5
|
TUswZXZNRzh4aHlCQkxpYlJ5b3kwQ2cKLS0tIDVlSGx0MjhBQVNRODRxVFlQS29R
|
||||||
NjVyQmgvaDVuSXNrY0ZCWEY3aldjM0kKKL/vHXncbbk5YSfoOWCsAL4UCWRKiNI3
|
VHZyS3QzZjB3ZW9VVWpoNFpEcWFUL00KX715Po4Kjk7T2axTStyrWsjOmW3knTMO
|
||||||
1wLHWHhJ4Qt6L7sbQD5n4lCvxTgNx94Tow6T0vI3qd3l6ERmAtwmuw==
|
a7Ic/5yRBbCMBipnqH8rNMqNOfUBapnfnZ516kxg9c5NFv/uJlSC1g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae
|
- recipient: age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2E5OVBvV1pVa3dwQ0k1
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM3BIb2F2eU0wQURqRzZR
|
||||||
M3RIWHJXakgzWFNWMStuOGxXdk11VGtNM2djCm5UQmo0bEd3Y3B5Q3pGSCt2a0g3
|
NHNyVngvM2kwTE05YlU3Z3VBVHlPeFRDREE4CndkZ1N0RjBRRHJBUW04UGdtVlV6
|
||||||
bkE0UG8yOTJ0QnBDdmJxS0tKcWY5S28KLS0tIEUxTi9mUWpuTGM1ZjdWUVZuTTBq
|
MWc4SGp6OUo0UXhXQis0Q2RiWi9oemMKLS0tIHcvbDljUStRL2g4Slk3T1dKamRQ
|
||||||
eXVkZ2NzYXd0K3RKMEFnYU9yT1JmU0kKVJ97jMdqiz19NGQi3EBXvYEr4D37h79G
|
bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap
|
||||||
G02mxBm9EDKb4jgaj/5TcKqCOj8qLnBpu1DJSu1vICt9S/hN2baJsQ==
|
mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-10-26T18:26:01Z"
|
lastmodified: "2022-10-26T18:26:01Z"
|
||||||
mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]
|
mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ self, ... }:
|
{ self, ... }:
|
||||||
{ modulesPath, ... }: {
|
{ modulesPath, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
|
|
||||||
./backup.nix
|
./backup.nix
|
||||||
../../users/root
|
../../users/root
|
||||||
|
@ -20,19 +20,51 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = "Europe/Amsterdam";
|
time.timeZone = "Europe/Amsterdam";
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
proxmoxLXC = {
|
networking = {
|
||||||
privileged = true;
|
hostName = "minio";
|
||||||
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
|
firewall.trustedInterfaces = [ "tailscale0" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.204/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "10.0.0.206";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
|
@ -41,5 +73,5 @@
|
||||||
minio_backup_pass = { };
|
minio_backup_pass = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,29 +10,29 @@ sops:
|
||||||
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ1B1TFBnd0NZWVFWT25P
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHY3T3BldXRVZTBxTkQr
|
||||||
bHk2RDRHL0tzSW5abzh1MS9KNUFDaERUWlNVCkc3UkJrZFl4cW9zY3JmYjgrOHJC
|
YXNZbzRXSS9xVlhvMXRXWTFwUUwya3V6SlZzCmNTL1FTbTFxSkVCVEUrVjVacUlR
|
||||||
a0ZHWm9TL0dTVWIrTW8rTFRlZ08zQUkKLS0tIFQ2S2VrMTJFMkwzN1QyclcyMllM
|
YVNsZXBaRlVTMHM4ZU1FMlhqWE8wb3MKLS0tIGJZVHlWc00ya3lPUG5BYWtJdkxY
|
||||||
SXJhdUh6NzdmbUR6cklyaFdxdDFqMDQKJa1jgD3oZS5CxZViKeurzfVORoGPX4ky
|
aGVJY1JPZzRDc253Q3hHRk1hWE5sT1EKFVk0QJSjdZQrYFfeaDWZpBK/nIQY95Ah
|
||||||
b3oIjohx17LHinrO1zVhwZXfcHF7xlsMKVqAvZldZE9ckRPSbH7f8g==
|
Y9fBEaQkzsKZBdOTQZu3SEU7W4KjXrkU/SAP9EbF8sph/1UaAzsYrw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0b0FqNktKbUtTcDBlUExn
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUzBOZnZ0d01KZFdsTCsy
|
||||||
SEJyak5nOW1ITzgyR0ZCZ0ZXVkErS1FmMHlBCnNxbC9BU01Ua2NKSEZQL2hqYkVP
|
dGZLRXg4U0sxcVgvTEE0Ri9rWEVrU2Q0Z2tvCmMvWENWU3l6elY4SDF4b1dBdkMw
|
||||||
RmRMeENPMGhKbzlLdVE0aU02MGg5c1UKLS0tIHA3citHSWVqODhKT3RpbHNhcEo2
|
aEtxMXdSbmRjcWgzUGV5MktRWncyQ0UKLS0tIHp3STNadDJFR1djNk5ZZW5iTThr
|
||||||
akozVFpEOW9COEgwL0lPdm4xRUlobWcKQpov1ITcXNSTiP3nZ7vL+WYBep2NKFjV
|
SmtnRlUwUVpxN00rUmd4VGQ4ZnA0U0EKrzkG5duj91jy2j6cB612urKhK8cMkeVJ
|
||||||
LGk4wKfAry+SlRfsq3A/4Kv/WDceaFY9UiXoGu7lWwuJkzJXaJUBPg==
|
lBrmKXt0/SddCgpn0ldZx99E1KIL/O1V6JhfxAPvTGkIIIXGXut1hQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
|
- recipient: age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmdQZUlZZ2JZcHMvVWV5
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M3J4czVkVXI1QUVwMlly
|
||||||
TGVzUnU3cHNySlowa21VYVZvS1REcVV0ZkVFCmV3NURRNWZzaXRaQ3EzeU52UVhS
|
MDBSQUpTZFdITEZXa3kxeU9sQUtkNkJTZm1RCnMzeHRyNDJqTi9QRXFqQ241eUV1
|
||||||
MkJIbHFVSXRqQXdLSDFQR2hkcUN5T28KLS0tIExUNWgySDVaaVNHRFJIbWtFWFBN
|
QlhMZUszQmZLQXAwaGJORThoNnFMK28KLS0tIHRkdW03MDBwRGxMV280R2hoaTFN
|
||||||
S2VBY05lVXZIZ1dTaDNvSGNQaVVmS1kKirfOAiMzO6dz5VYHb0RpUtNojg7Zd6I4
|
d0NWMXF3R2lwL2RQRFVFY3RteGFPVEkKACtGvv9tx9H34QW7vbLswFBsaQHTWwXc
|
||||||
1QZR3oJykIUybeNScW7Qhb2AtRObUefXMx3kA814d62yDJkwbApkDw==
|
L2n3760iwAnVad4Aw7cQHUwzEUopWwhvg10BTrhi67CB9AG73yPNmA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-09-11T14:19:07Z"
|
lastmodified: "2023-09-11T14:19:07Z"
|
||||||
mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str]
|
mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str]
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
{ nixos-hardware, disko, ... }:
|
{ nixos-hardware, disko, ... }:
|
||||||
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
nixos-hardware.nixosModules.common-cpu-intel
|
nixos-hardware.nixosModules.common-cpu-intel
|
||||||
|
@ -7,6 +8,8 @@
|
||||||
disko.nixosModules.disko
|
disko.nixosModules.disko
|
||||||
|
|
||||||
./storage.nix
|
./storage.nix
|
||||||
|
./network.nix
|
||||||
|
./virtualisation.nix
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
../../users/root
|
../../users/root
|
||||||
];
|
];
|
||||||
|
@ -14,6 +17,7 @@
|
||||||
eboskma = {
|
eboskma = {
|
||||||
users.erwin = {
|
users.erwin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
server = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
base = {
|
base = {
|
||||||
|
@ -25,11 +29,18 @@
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
libvirtd.enable = true;
|
# libvirtd.enable = true;
|
||||||
systemd.enable = true;
|
systemd.enable = true;
|
||||||
|
tailscale.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.hostName = "odin";
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
|
@ -41,30 +52,37 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
initrd = {
|
initrd = {
|
||||||
availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ];
|
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ];
|
||||||
kernelModules = [ "kvm-intel" "kvm-amd" ];
|
kernelModules = [ "kvm-intel" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
kernelModules = [ "kvm-intel" "kvm-amd" ];
|
kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
kernelModules = [ "kvm-intel" "dm-thin-pool" "dm-snapshot" ];
|
||||||
|
# From PVE: ro quiet intel_iommu=on i915.enable_gvt=1 cpufreq.default_governor=ondemand
|
||||||
|
# kernelParams = [ "intel_iommu=on" "i915.enable_gvt=1" "cpufreq.default_governor=ondemand" ];
|
||||||
|
|
||||||
|
extraModulePackages = with config.boot.kernelPackages; [ gasket ];
|
||||||
};
|
};
|
||||||
|
|
||||||
hardware.enableAllFirmware = true;
|
hardware.enableAllFirmware = true;
|
||||||
powerManagement.cpuFreqGovernor = "ondemand";
|
powerManagement.cpuFreqGovernor = "ondemand";
|
||||||
|
|
||||||
services.cockpit = {
|
services = {
|
||||||
|
openssh.enable = true;
|
||||||
|
cockpit = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
WebService = {
|
WebService = {
|
||||||
Origins = [ "https://cockpit.datarift.nl" ];
|
Origins = "https://cockpit.datarift.nl";
|
||||||
ProtocolHeader = "X-Forwarded-Proto";
|
ProtocolHeader = "X-Forwarded-Proto";
|
||||||
ForwardedForHeader = "X-Forwarded-For";
|
ForwardedForHeader = "X-Forwarded-For";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
lvm = {
|
||||||
services.lvm = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
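Review bot: The new `security.sudo-rs` block on odin sets only `enable = true`, whereas every container configuration in this commit also sets `execWheelOnly = true`; the host that runs the containers is the more important place to restrict who may execute sudo at all, so unless a non-wheel account must call it here, add `execWheelOnly = true;` inside the block. Also, `kernelPackages = pkgs.linuxPackages_latest;` is paired with the out-of-tree `gasket` module via `extraModulePackages`; out-of-tree modules are the usual casualty of a rolling-latest kernel, so a comment recording why latest is required (or pinning the default kernel) would save the next upgrade from a surprise. The `openssh.enable = true;` addition has no `settings` block in view, so the sshd hardening presumably lives in a shared module; confirm rather than assume.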
|
||||||
|
|
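--- a/machines/odin/network.nix
+++ b/machines/odin/network.nix
@@ -0,0 +1,67 @@
+{
+networking = {
+hostName = "odin";
+useDHCP = false;
+networkmanager.enable = false;
+useNetworkd = true;
+nftables.enable = true;
+};
+
+systemd = {
+coredump.enable = false;
+network = {
+enable = true;
+
+wait-online = {
+anyInterface = true;
+};
+
+netdevs = {
+"25-vmbr0" = {
+netdevConfig = {
+Kind = "bridge";
+Name = "vmbr0";
+MACAddress = "48:21:0b:56:b1:42";
+};
+};
+};
+
+networks = {
+"40-enp86s0" = {
+matchConfig = {
+Name = "enp86s0";
+};
+
+networkConfig = {
+# DHCP = "yes";
+Bridge = "vmbr0";
+};
+};
+"40-vmbr0" = {
+matchConfig = {
+Name = "vmbr0";
+};
+
+networkConfig = {
+Address = "10.0.0.252/24";
+Gateway = "10.0.0.1";
+DNS = "10.0.0.1";
+DHCP = "no";
+};
+};
+};
+
+links = {
+"40-enp86s0" = {
+matchConfig = {
+OriginalName = "enp86s0";
+};
+linkConfig = {
+WakeOnLan = "magic";
+};
+};
+};
+};
+
+};
+}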
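Review bot: `systemd.coredump.enable = false;` sits inside this new machines/odin/network.nix although it is not network configuration; move it to configuration.nix (or a dedicated hardening module) so a reader looking for core-dump policy finds it where they expect. The bridge `vmbr0` gets `DNS = "10.0.0.1"` while every container in this commit uses `DNS = "10.0.0.206"`; if the resolver at .206 is itself a container on odin that is a sensible choice (the host must resolve before its containers are up), and a short comment on the line recording that reason would prevent someone from "aligning" it later. `WakeOnLan = "magic"` on `enp86s0` means anything on the LAN segment can power the host on; fine if intended, but worth the same one-line comment.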
|
@ -1,64 +1,66 @@
|
||||||
{ disko, ... }:
|
|
||||||
{
|
{
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
disk = {
|
disk = {
|
||||||
sda = {
|
nvme0n1 = {
|
||||||
device = "/dev/vda";
|
device = "/dev/nvme0n1";
|
||||||
type = "disk";
|
type = "disk";
|
||||||
content = {
|
content = {
|
||||||
type = "table";
|
type = "gpt";
|
||||||
format = "gpt";
|
partitions = {
|
||||||
partitions = [
|
esp = {
|
||||||
{
|
name = "ESP";
|
||||||
name = "boot";
|
size = "512M";
|
||||||
start = "1MiB";
|
type = "EF00";
|
||||||
end = "512MiB";
|
|
||||||
bootable = true;
|
|
||||||
content = {
|
content = {
|
||||||
type = "filesystem";
|
type = "filesystem";
|
||||||
format = "vfat";
|
format = "vfat";
|
||||||
mountpoint = "/boot";
|
mountpoint = "/boot";
|
||||||
};
|
};
|
||||||
}
|
};
|
||||||
{
|
root = {
|
||||||
name = "root_pv_sda";
|
name = "root_pv_nvme0n1";
|
||||||
start = "512MiB";
|
size = "260G";
|
||||||
end = "100%";
|
|
||||||
content = {
|
content = {
|
||||||
type = "lvm_pv";
|
type = "lvm_pv";
|
||||||
vg = "pool";
|
vg = "root-pool";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
data = {
|
||||||
|
name = "data_pv_nvme0n1";
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "lvm_pv";
|
||||||
|
vg = "data";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
sdb = {
|
sdb = {
|
||||||
device = "/dev/vdb";
|
device = "/dev/sda";
|
||||||
type = "disk";
|
type = "disk";
|
||||||
content = {
|
content = {
|
||||||
type = "table";
|
type = "gpt";
|
||||||
format = "gpt";
|
partitions = {
|
||||||
partitions = [
|
root = {
|
||||||
{
|
name = "data_pv_sdb";
|
||||||
name = "root_pv_sdb";
|
size = "100%";
|
||||||
start = "0%";
|
|
||||||
end = "100%";
|
|
||||||
content = {
|
content = {
|
||||||
type = "lvm_pv";
|
type = "lvm_pv";
|
||||||
vg = "pool";
|
vg = "data";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
lvm_vg = {
|
lvm_vg = {
|
||||||
pool = {
|
root-pool = {
|
||||||
type = "lvm_vg";
|
type = "lvm_vg";
|
||||||
lvs = {
|
lvs = {
|
||||||
root = {
|
nixos = {
|
||||||
size = "32GiB";
|
size = "250G";
|
||||||
content = {
|
content = {
|
||||||
type = "filesystem";
|
type = "filesystem";
|
||||||
format = "ext4";
|
format = "ext4";
|
||||||
|
@ -68,34 +70,25 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
swap = {
|
swap = {
|
||||||
size = "8GiB";
|
size = "8G";
|
||||||
content = {
|
content = {
|
||||||
type = "swap";
|
type = "swap";
|
||||||
randomEncryption = false;
|
randomEncryption = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
zz_data = {
|
};
|
||||||
|
data = {
|
||||||
|
type = "lvm_vg";
|
||||||
|
lvs = {
|
||||||
|
data = {
|
||||||
size = "100%FREE";
|
size = "100%FREE";
|
||||||
content = {
|
extraArgs = [
|
||||||
type = "filesystem";
|
"--type=thin-pool"
|
||||||
format = "ext4";
|
];
|
||||||
mountpoint = "/data";
|
|
||||||
mountOptions = [ "defaults" ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
# fileSystems."/" = {
|
|
||||||
# device = "/dev/disk/by-label/nixos";
|
|
||||||
# fsType = "ext4";
|
|
||||||
# };
|
|
||||||
|
|
||||||
# fileSystems."/data" = {
|
|
||||||
# device = "/dev/disk/by-label/data";
|
|
||||||
# fsType = "btrfs";
|
|
||||||
# };
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
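Review bot: Neither the `nixos` root LV nor the `data` thin pool gets an encryption layer; only swap received `randomEncryption = true`. This host presumably holds the age key that decrypts the sops secrets of the containers it runs (the `secrets.yaml` in this commit is re-keyed to a new recipient), so whoever pulls the NVMe out of the NUC gets that key and every secret in clear — if that is an accepted risk for this box, record it in a comment on `root`; otherwise put a `luks` content block (TPM- or passphrase-unlocked) between the `root_pv_nvme0n1` partition and its `lvm_pv`. Separately, the `data` VG is assembled from `data_pv_nvme0n1` on the NVMe plus the whole of `/dev/sda`, so the `100%FREE` thin pool spans two disks and losing either takes all Incus storage with it; a comment stating that this is intentional, and what `/dev/sda` physically is, would help, and since disko addresses it by bare path rather than `/dev/disk/by-id/...` it should be confirmed that `sda` cannot refer to a different device after a hardware change.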
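--- a/machines/odin/virtualisation.nix
+++ b/machines/odin/virtualisation.nix
@@ -0,0 +1,134 @@
+{ pkgs, ... }:
+{
+  users.users.erwin.extraGroups = [ "incus-admin" ];
+  virtualisation = {
+    incus = {
+      enable = true;
+      preseed = {
+        networks = [
+          {
+            config = {
+              "ipv4.address" = "10.0.100.1/24";
+              "ipv4.nat" = "true";
+            };
+            name = "incusbr0";
+            type = "bridge";
+          }
+        ];
+
+        profiles = [
+          {
+            name = "default";
+            devices = {
+              root = {
+                path = "/";
+                pool = "default";
+                size = "32GiB";
+                type = "disk";
+              };
+            };
+          }
+          {
+            name = "nixos";
+            config = {
+              "security.nesting" = true;
+            };
+          }
+          {
+            name = "privileged";
+            config = {
+              "security.privileged" = true;
+            };
+          }
+          {
+            name = "autostart";
+            config = {
+              "boot.autostart" = true;
+            };
+          }
+          {
+            name = "net-bridged";
+            devices = {
+              eth0 = {
+                type = "nic";
+                nictype = "bridged";
+                parent = "vmbr0";
+              };
+            };
+          }
+          {
+            name = "homeassistant";
+            devices = {
+              root = {
+                path = "/";
+                pool = "default";
+                size = "128GiB";
+                type = "disk";
+              };
+
+              eth0 = {
+                type = "nic";
+                nictype = "bridged";
+                parent = "vmbr0";
+              };
+
+              zigbee = {
+                type = "usb";
+                productid = "55d4";
+                vendorid = "1a86";
+              };
+
+              p1 = {
+                type = "usb";
+                productid = "0403";
+                vendorid = "6001";
+              };
+            };
+            config = {
+              "limits.cpu" = 4;
+              "limits.memory" = "8GiB";
+            };
+          }
+        ];
+
+        storage_pools = [
+          {
+            config = {
+              "lvm.thinpool_name" = "data";
+              "lvm.vg_name" = "data";
+            };
+            driver = "lvm";
+            name = "default";
+          }
+        ];
+
+        config = {
+          "oidc.client.id" = "incus";
+          "oidc.issuer" = "https://id.datarift.nl/realms/datarift/.well-known/openid-configuration";
+          "core.https_address" = "[::]:8443";
+        };
+      };
+    };
+  };
+
+  systemd.services = {
+    incus = {
+      path = [
+        pkgs.nftables
+        pkgs.lvm2
+        pkgs.e2fsprogs
+      ];
+      environment = {
+        INCUS_UI = pkgs.incus-ui;
+      };
+    };
+    incus-preseed = {
+      path = [ pkgs.lvm2 ];
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    8443
+
+  ];
+}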
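Review bot: `"core.https_address" = "[::]:8443"` together with the global `networking.firewall.allowedTCPPorts = [ 8443 ]` exposes the Incus REST API — which is host-root-equivalent — on every interface, including `incusbr0` and the `vmbr0` bridge that the `net-bridged` and `homeassistant` guests sit on, so a compromised guest can reach the API and its OIDC login directly. Bind it to one address and open the port only where it is used: if odin runs Tailscale like the other hosts in this commit, bind to the Tailscale address and replace the global opening with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 8443 ];`, otherwise at least `"core.https_address" = "10.0.0.252:8443";` keeps it off the NAT bridge. What an identity from the `datarift` realm may do once logged in is decided by Incus' authorization settings, which are not in this file; presumably not every realm user should be an Incus admin, so confirm the group/permission mapping before this goes live. The `privileged` profile (`"security.privileged" = true`) gives a container a root that is real host root for most purposes; a comment naming which instances need it and why would keep it from being attached out of habit.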
@ -1,7 +1,7 @@
|
||||||
{ self, caddy-with-plugins, ... }:
|
{ self, caddy-with-plugins, ... }:
|
||||||
{ modulesPath, pkgs, ... }: {
|
{ modulesPath, pkgs, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
../../users/root
|
../../users/root
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
];
|
];
|
||||||
|
@ -21,48 +21,67 @@
|
||||||
package = caddy-with-plugins.lib.caddyWithPackages {
|
package = caddy-with-plugins.lib.caddyWithPackages {
|
||||||
inherit (pkgs) caddy buildGoModule;
|
inherit (pkgs) caddy buildGoModule;
|
||||||
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
|
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
|
||||||
vendorSha256 = "7TWLOeEHn/cmpCXWuwLQrWpezrW6qcCERscutzYjpN0=";
|
vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.isContainer = true;
|
boot = {
|
||||||
|
isContainer = true;
|
||||||
|
kernel.sysctl = {
|
||||||
|
"net.core.rmem_max" = 2500000;
|
||||||
|
"net.core.wmem_max" = 2500000;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
time.timeZone = "Europe/Amsterdam";
|
time.timeZone = "Europe/Amsterdam";
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
# networking = {
|
networking = {
|
||||||
# hostName = "proxy";
|
hostName = "proxy";
|
||||||
# useDHCP = false;
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
# interfaces = {
|
firewall.trustedInterfaces = [ "tailscale0" ];
|
||||||
# eth0 = {
|
|
||||||
# ipv4.addresses = [
|
|
||||||
# {
|
|
||||||
# address = "10.0.0.251";
|
|
||||||
# prefixLength = 24;
|
|
||||||
# }
|
|
||||||
# ];
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
# defaultGateway = "10.0.0.1";
|
|
||||||
# nameservers = [ "10.0.0.254" ];
|
|
||||||
# };
|
|
||||||
|
|
||||||
proxmoxLXC = {
|
|
||||||
privileged = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.251/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "10.0.0.206";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
caddy-env = { };
|
caddy-env = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "21.11";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
|
||||||
|
|
|
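Review bot: `wheelNeedsPassword = false` in the new `security.sudo-rs` block makes any compromise of the `erwin` account, or of anything running as it, root without a further credential on the host that terminates TLS for everything behind Caddy and holds the `caddy-env` secret (presumably the Cloudflare DNS token for the `caddy-dns/cloudflare` plugin). `execWheelOnly = true` does not mitigate that; if the motive is unattended deploys, a narrow `extraRules` entry for the deploy command, or at least a comment on the line recording why password-less sudo is acceptable in this container, would be better than a blanket grant. The dropped `proxmoxLXC.privileged = true` used to state that this guest ran privileged; under `lxc-container.nix` that decision now lives in the Incus `privileged` profile on odin, so a note here such as `# unprivileged under Incus unless the "privileged" profile is attached on odin` would keep the two sides from drifting apart.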
@ -8,29 +8,29 @@ sops:
|
||||||
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNmVyOGtudS9ZdlpxVmpD
|
||||||
Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF
|
Qmd5dWlQRkJ0b3lrK1JrV0RXWjRzdHgyblZzCjlacnJra1NHT25oQ3V4NEc3K09k
|
||||||
YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv
|
MnBObjBXQTFxaHJNTmpsTVo4TDlCdjQKLS0tIGFZREpPWVI5a2ZDQjAxbkRHRTJ4
|
||||||
VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB
|
a1dYRzNXQWRrYkRESkRIVGljYlZDOGcKBdQ+F+5KmTpOkBR0UlTRdon+F+qWgQRA
|
||||||
rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA==
|
oisOMoX/WFss3/CNJxr4LwqXFoinWQT7qiXXPsBiZ+VpsaBfPJ3sMw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeElXK2hjLzhQc2hpYUtT
|
||||||
ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho
|
VjAyM3lIcjdJNGQ0Ujh0S2U5eXlxYXFTU2swCjlMa2xTQTFqZUVQd3lMalRrSDds
|
||||||
anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO
|
aXJyM3B1ZFg3cWxKSHdpbWVxT3JKS3cKLS0tIHp0Q0dDM1d0aGNrQlA4bnlITE41
|
||||||
K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du
|
OWZIT3BZbCtLaFl5eU1CMlE3S3RNVUkKUShpf1ahWy5AF7UhucPcz1FzGF85Z26E
|
||||||
g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg==
|
FbPEHzSfjLZoRtEaxXDOJVASd7xuGkb+L8g86rWR462atAI6lTuEfg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m
|
- recipient: age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWtjd2h3N2lIbDNBZGpZ
|
||||||
djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx
|
VnViQ2FXY0hQaXV6RXZaYnRHODJFOVZOcEJZCmdXSjMrVTFBZzhlQS9XSWNmYzRs
|
||||||
RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz
|
NXVCT2N6NDlSbGhpNnZ0S0FhTFpEMjAKLS0tIGg1TDFrZ3RmVjBPR1hleWhwNWVC
|
||||||
RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto
|
UTFJZmxIK2YxY0FieFpoNVV4Z2ttK1UKeqJuuzuMyVayliFUscLSCtUZDjjZKaIg
|
||||||
yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg==
|
Kp6952AQPC4h+7j61C0iqtqG8dxIABdJfu7gvdgEfpKltDae3vQR8w==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-08-09T22:09:02Z"
|
lastmodified: "2023-08-09T22:09:02Z"
|
||||||
mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]
|
mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]
|
||||||
|
|
|
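Review bot: The third recipient is swapped (`age1dg4euu…` → `age1yz7k9s…`) while `lastmodified` and `mac` are unchanged, which is what `sops updatekeys` produces: the file's data key was re-wrapped for the new host key, not rotated. The old recipient — presumably the Proxmox-era key of this container — can therefore still unwrap the data key from any checkout of git history, so unless that key was destroyed rather than merely retired, run `sops rotate -i` on this file (and on the other re-keyed hosts) so a fresh data key is generated and the `mac` changes. A line in the commit message naming which host key was replaced and whether the old one was wiped would make this auditable later.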
@ -1,7 +1,7 @@
|
||||||
{ self, ... }:
|
{ self, ... }:
|
||||||
{ modulesPath, pkgs, lib, ... }: {
|
{ modulesPath, pkgs, lib, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
../../users/root
|
../../users/root
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
];
|
];
|
||||||
|
@ -15,11 +15,12 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.unifi = {
|
services.unifi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
unifiPackage = pkgs.unifi;
|
unifiPackage = pkgs.unifi8;
|
||||||
# unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: {
|
# unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: {
|
||||||
# version = "7.5.176";
|
# version = "7.5.176";
|
||||||
# src = builtins.fetchurl {
|
# src = builtins.fetchurl {
|
||||||
|
@ -30,25 +31,53 @@
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowPing = true;
|
|
||||||
trustedInterfaces = [ "tailscale0" ];
|
|
||||||
allowedTCPPorts = [ 8443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.isContainer = true;
|
|
||||||
|
|
||||||
time.timeZone = "Europe/Amsterdam";
|
time.timeZone = "Europe/Amsterdam";
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
proxmoxLXC = {
|
networking = {
|
||||||
privileged = true;
|
hostName = "unifi";
|
||||||
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
|
firewall = {
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
allowPing = true;
|
||||||
|
allowedTCPPorts = [ 8443 ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.207/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "10.0.0.206";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = { };
|
sops.secrets = { };
|
||||||
|
|
|
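Review bot: The `security` block added here (`sudo-rs` with `execWheelOnly = true` and `wheelNeedsPassword = false`, `sudo.enable = false`) is byte-for-byte the one added to `proxy` and `valkyrie` in this commit, and the `networking` / `systemd.network."40-eth0"` scaffold differs from theirs only in `Address` and `DNS`. Duplicating a privilege policy per host is how one of them ends up different later; it belongs in the shared module these hosts already take their `nix-common`/`tailscale` toggles from, with the per-host file keeping only the address. If it stays here, a comment such as `# password-less sudo for wheel: deploy-only container, SSH key auth assumed` on the `wheelNeedsPassword` line would at least record the assumption that makes it acceptable.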
@ -1,7 +1,7 @@
|
||||||
{ self, ... }:
|
{ self, ... }:
|
||||||
{ modulesPath, ... }: {
|
{ modulesPath, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||||
|
|
||||||
../../users/root
|
../../users/root
|
||||||
../../users/erwin
|
../../users/erwin
|
||||||
|
@ -23,6 +23,7 @@
|
||||||
remote-builders = true;
|
remote-builders = true;
|
||||||
};
|
};
|
||||||
unbound.enable = true;
|
unbound.enable = true;
|
||||||
|
tailscale.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.resolved.extraConfig = ''
|
services.resolved.extraConfig = ''
|
||||||
|
@ -33,15 +34,44 @@
|
||||||
|
|
||||||
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
|
||||||
proxmoxLXC = {
|
networking = {
|
||||||
privileged = true;
|
hostName = "valkyrie";
|
||||||
|
useDHCP = false;
|
||||||
|
useHostResolvConf = false;
|
||||||
|
networkmanager.enable = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
|
firewall.trustedInterfaces = [ "tailscale0" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ "tailscale0" ];
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
networks = {
|
||||||
|
"40-eth0" = {
|
||||||
|
matchConfig = {
|
||||||
|
Name = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
networkConfig = {
|
||||||
|
Address = "10.0.0.206/24";
|
||||||
|
Gateway = "10.0.0.1";
|
||||||
|
DNS = "127.0.0.1";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security = {
|
||||||
|
sudo-rs = {
|
||||||
|
enable = true;
|
||||||
|
execWheelOnly = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
sudo.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
}
|
}
|
||||||
|
|
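Review bot: `DNS = "127.0.0.1"` on `"40-eth0"` makes this host resolve through itself, and since `proxy` and `unifi` in this commit point their `DNS` at `10.0.0.206` this container is now the resolver for the LAN, with no comment saying so. With `useNetworkd` and the `services.resolved.extraConfig` above, networkd hands `127.0.0.1` to resolved as the only upstream, so unbound must actually listen on `127.0.0.1:53` (not just on `10.0.0.206`) and nothing on this host can resolve names until unbound is up — presumably fine, but worth a line like `# unbound on this host is the upstream for resolved and for the rest of the LAN; no external fallback on purpose`. If unbound's startup itself needs a name (DoT upstreams, remote control hosts), that ordering should be checked explicitly rather than assumed.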