Finish configuration for odin on NUC, update containers for Incus

This commit is contained in:
Erwin Boskma 2024-01-02 22:01:55 +01:00
parent d06576a0ac
commit d99ac2d3f7
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
17 changed files with 734 additions and 201 deletions

View file

@ -0,0 +1,90 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
woodpecker.enable = true;
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "ci";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = false;
firewall = {
trustedInterfaces = [ "tailscale0" ];
interfaces."podman+" = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
};
virtualisation.podman = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
defaultNetwork.settings.dns_enabled = true;
};
systemd.network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.202/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
woodpecker-server = { };
woodpecker-agent = { };
};
system.stateVersion = "24.05";
}

42
machines/ci/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
drone: ENC[AES256_GCM,data:PZPChq/iQDw7gOfdmSOB4ZvtWgnT55lMc1/kSKVoh5kTkIX+FdNE7uJlhKJQHryYWdrbyoRu09RhhPLr27oWeiCvN4Z0QmM9ofrM4CfuUPotp3niZIjfXrLIiX2s1JlxT2eElEwkX2h1UCIC+tNqFCL+ThLkP4iMmeXRXwFBIOahYscskwbmutbyraj/yQq3KcwUyFLd618pDT+0VWiBETQudauWdmJXFDW/rKW7STTVhe/7ixCIw3O5BYThOin9YhZSZxje225+bBB8vPM6NfdvNCHEtzAwxTjtm3n0beqsAAxd6hzQXk3L7a2X6Y+mmK1XMjmLhsGgI5B6Zssmv3/3oTSczn+YdtfT9bz0KxaZtJdQrYEfVowKEQMTcWO5H55F5Mv+qShweIAcWqKInFb6+EDjyPzABlN/S9/XJakQsPxcCwBKKusYr3P3IFjNnzdZD18ayhc6frs4TJmSGcQIkW/cCWNjwpct/yVbkIrIXZEWb7DoZ0M=,iv:F++KLxnqAtBhcSdj5rZhGpVvCKfI8y5HhvlejCfwi/k=,tag:YdiiZUN7wGn9yA1evMu5jg==,type:str]
drone-runner: ENC[AES256_GCM,data:Uh7OQSDtV0M5j00oHHm4uz4zwi+1W1k2qd5uXoROj5tcgNs76YBcfkU7d+1qXj/Hma7++HOcga0LvF1+Dl/GJQyj47kVFi/+h6I9yiuoO5sW3nxh5pW5W1Ws1qchKqVhoyZLf0K4AnYE2puleKcYXfogJ1hjnB3vn5F/eOKA/QB+7KfaVPRUGZsUYQw3rHLdTbTFHXPv//z8xxYqY5JcG+vvWsHXiI/sKSTZBWoPJEZnKK2mo8+dbZn3nSj29luG,iv:40JTvOJ7isGcHGg9KI5ED8Ju5knmIWP1m/i/dwlpG/M=,tag:GHbkLIeuiGVlNsR2EW/PGw==,type:str]
woodpecker-server: ENC[AES256_GCM,data:cW108wxYT2b65pCRcwZBoRi6eQsB4NrcUNLirfQkkqPPOymT4QFyE5Zmx6K1P33dUSAj5nA0Eh0HOsS8RhFQIOPZA9za4Ffs51Ex0HkQozduqusDGaENWR+zBOTgRhgIrwQlDSHh8UgLTzOgN8hpEqR8fFVsiWCcCAuOFjDNyczywtbbu2jNHzG6FMz2fdXy7p1dRmyTq1sFjoMEkJM5Ix8oRB8zWV+O3l6XE7Uw1vD3QbOsJiqcbWFoNw==,iv:VIlHVVvuBSZiO/tMgd/4HpT2uecn1WqJE60SkHaX+80=,tag:+xfTfq2FgSrPUVXeH4tJkQ==,type:str]
woodpecker-agent: ENC[AES256_GCM,data:YO9MCMIPVOEU+6euiCHuAN+tFFs8JkRRmb9+AIhMEuQE2ObajfJZ3NN5LsccIT9z1axA/gfjLrxM,iv:UDimHs2cKyCvy0XGdDzgX2ry114qz3V1KaXlXL3yYgI=,tag:OGITUerrT0nWU85fxcpEig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWNGd2FLTWcwTThodlBD
K1VRUmFmQlhoN3YwcDlpQmFzR0JZaW9jQngwCjJOYndqVDVjMWFtQnpmZGpRMGg3
Q0JXQys3TVpSZm1BcWFkcjhQcDJzOG8KLS0tIENjUWtaWW5GeE4yK09yUEx2SWpG
SFc5S1kvT2pBbHorZks3b1MzRU9ERFEKdS9c7j0iyHHbAc8XXpahsOTDu53BKsmr
+ff060PPzBIzQ+7aI52E8CSUAJw0GVYZD5KZForwwBhR3vaZGQYysg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV3lvZmdCU20vT05SWTVB
cUdZTW4yVndyME4waU5qdmYwbUZuUlQyN2hvClRqSkZ0andyN3RmSFhVdzVMUWdS
VUtPR2tDRzVuZ0kzRVIyZnNMZTIwSVkKLS0tIHprQVR4c2RZQ3I0SlMzSDBnS25a
Z0JrZVhPMEZBQ1FVMjA2QnBITzJjbjQKCghnCUxyR8QkZM2R0EOgjq7J8E7MLlV6
vnEEu6iehd01vHvBKB1x3z6o/wzL8m3TA35knICZCk6jAD0w+OeW9A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneWpaNDRaYk1WS3BuQmtp
L0gxcmFTSEZ3VXBtcTZQLzl0Qm85RmJvMDFnCktJbXJVM0ZDdVJZTHF1VEF6OXAy
RGdMU3RYNytla0k0QjNydTkrbjYrV0kKLS0tIHY3UjFvZ0VxRm1JOTg3NDgySU4x
dFpad2ZiNXR0cEQ4TTMxa0luK3lGRFUKsqF3x5NvdtqXtE05TjMMhFB3cHREYRCA
2LgUDn4FYbxprXTG0dOX+87aAQmoepMkVEXo2kBopoYrGHa1DsOznw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-12T09:28:02Z"
mac: ENC[AES256_GCM,data:mE0O44Sa+RMqRoCqXftn3GuPFLHiyGn3tVlYgBGc973nP7mz5ZwClNgja1gk+MNolnztsrwgso5ZiNpriyI7pGKd/dG6DJQrGixqhRvgyNyIESGEuN9n6bfhYNNSzV1yRb9V6Z7iELkut03gvVU9by0MosJ7SJPMyDyZZ4tMFeA=,iv:rzrvGwJQAdbMcHQ7U/JFB08V7o2keLI1kUrUs9RaClA=,tag:UpE7ZeG7S32CNKsgT+rMMQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

View file

@ -1,12 +1,13 @@
inputs: { inputs: {
drone = { ci = {
config = import ./drone/configuration.nix inputs; config = import ./drone/configuration.nix inputs;
deploy = { deploy = {
# host = "10.0.0.202"; # host = "10.0.0.202";
host = "drone.barn-beaver.ts.net"; host = "ci.barn-beaver.ts.net";
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
frigate = { frigate = {
@ -17,6 +18,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
gitea = { gitea = {
@ -27,6 +29,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
heimdall = { heimdall = {
@ -53,6 +56,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
odin = { odin = {
@ -66,6 +70,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
regin = { regin = {
@ -90,6 +95,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
valkyrie = { valkyrie = {
@ -100,6 +106,7 @@ inputs: {
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";
substituteOnTarget = true; substituteOnTarget = true;
tags = [ "container" ];
}; };
}; };
} }

View file

@ -1,7 +1,10 @@
{ self, ... }: { self, nixos-hardware, ... }:
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
nixos-hardware.nixosModules.common-cpu-intel
../../users/root ../../users/root
../../users/erwin ../../users/erwin
]; ];
@ -18,26 +21,57 @@
enable = true; enable = true;
remote-builders = true; remote-builders = true;
}; };
podman.enable = true;
tailscale.enable = true;
}; };
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = { }; networking = {
hostName = "frigate";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
# nftables.enable = true;
proxmoxLXC = { firewall.trustedInterfaces = [ "tailscale0" ];
privileged = true;
}; };
security.sudo.execWheelOnly = true; systemd.network = {
enable = true;
services.tailscale.enable = true; networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.205/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { sops.secrets = {
frigate = { }; frigate = { };
}; };
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }

View file

@ -8,29 +8,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGVxdk1xWi9PbTl4dGVv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTnlKWS9MMlpLaUZFWE5R
QlFIL0ppRzRReVRnYkMwZDQrQVZ5SEkzblNNCjlwK0xFSGFoallaVUhVZWxjNFBQ WUxRZnFmeG1jV2ljajZacUpGaUc0Vks2OFVjCjZlclFMMWhIYzZwa21sTmV0cUZO
ZVJPdUoyRm9FUGZDaFpyRGs2VEZiUmMKLS0tIDloRGZVT290NHYvRXVSb29aMXRw eWhmbHR4OW5Oanl5Y0J4LzZBU1dxekkKLS0tIHBDbHFNMEJlQ1BjQmMyRm5SWEo1
dDIzVFNaVjJGTVNVQlJLODhYUlVKVkkKjMHAlBNaKSk3q/rWSRKSz9wuyXp3KshD Vlp5YUpkanh0a253WEZ4YXJzcXJlU00KN6I5LyH+8QYbVJk3K/0ir0qRf8Q6iwpa
J7sCrTde+8hhudKpS7fw0DzuZ+tq4/JOj+imAS3eXmeNRI6V6eLxLQ== XubDryZhBA/tfy1zaJ7GmpFJVDjjjOiGYcKIGHQ/R35O3awGJcrCmQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWGV6TVprTlFQQjFsODRk YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0FDM1paRUdJZUd2RTBn
SVBiMFo3WTFmNVg1b21HTTNYMzFNbHBuMXpnCk1uWStoU0RtbG96eXU1ZWlXSk9F QmxxL1VmVWx6Nkp1TmdaaFN5ZmJ5c2dzbVVvCnBGUEI3MUhZSll5Z05KUWhtb2lz
QmRhRDhyOWpJWDV6bnRRK01IUllITFUKLS0tIEVCU3RFdmNCazZJL1lSZDJDanRO Szc3SGhoSy9BdTRLSlUwVWNZeC9MclEKLS0tIFF0dXRicm5lQW9ZeDI0SHB4blpu
NmRXdzhlN0Yyb056c1RDY1hhMWZ3MFkKZ9JJmYXKeZRbUiDncC/cfUu/q+O5dBYN TEhuRjhkZXJhUVpvQlA1MFBBQmU0VW8K8D5iIMCLQWHXdzGC67w4Jo+PQin1SXwr
3AxTIOScw7rDyUDEXOxcTMA75V3ttSe9dkny4CNC3881hObYyot6gg== QjjsA6fjfhgV1+PnuRDhOro+WS3Rbp0WfCskq4+uzuDW16+5bpy62A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17p30jwu847x5g9y6wzmt2c4a2e0m9m77ajk5qsgsahdxc8wssu8skdzmq2 - recipient: age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSkJJcHVkSnJxUmo0ajhU YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQVB0ZWRtaHBqWXo2bEN6
TmRGWEIzSFFDZnI2b2lPaWJDNlQzbTAxTW1zCjZXOVFzZ01uWTJFTTdvQkltR3VD T2dKWThTRzRLOU0zcTZHMUNYOEJCd0hrR0dzClFVVzBFZWlSRzZ3QjQ5YTdpdG1h
cVNFUlFDZDljVDZyaDlhSFJOc3RCT1UKLS0tIDAzVzhueVg5bTJRbS8xN3lDaUR4 aVR3cUpPbEVjUU5pVnc5YmlUb1FZaTAKLS0tIEhLQ1V1WWRvYzJaekdFbVR4elF3
NXJsSzFsaVZBeFhlakpZSW9ObGNBWGMKgX2qtoyTmBXH9XjMYT/YWllfUBcbLpv/ YkFoWUpBNGhMRUloYzYvMlhPalBnSTgKXUV6iEE5ZU0tlaAAMDg4hrJSCoUkLA/B
tLLIbgDGfEKKlLIO+jn3pyhv3+Vf78uOyxNh7llDetrR2rZmJLZbaw== 6WOwLvfq1/JTgyD58LVsJOqMJ8cqvG/4uHIcaHq17F9CFZykBprJqQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-26T14:26:15Z" lastmodified: "2023-03-26T14:26:15Z"
mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str] mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }: { self, ... }:
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
../../users/root ../../users/root
../../users/erwin ../../users/erwin
@ -18,6 +18,7 @@
enable = true; enable = true;
remote-builders = true; remote-builders = true;
}; };
tailscale.enable = true;
}; };
boot.isContainer = true; boot.isContainer = true;
@ -26,13 +27,50 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = { networking = {
privileged = true; hostName = "ci";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = false;
firewall = {
trustedInterfaces = [ "tailscale0" ];
interfaces."podman+" = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
}; };
security.sudo.execWheelOnly = true; systemd.network = {
enable = true;
services.tailscale.enable = true; networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.203/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { sops.secrets = {

View file

@ -10,29 +10,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NHY0SzdYUFk3dUNnYU04 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadmRzQ0pBUlZlNndBK2tH
U2JIK1FnRXVVYy8xNE56eGE2Y1pWRHk0U0ZnCnIvN1RnL2RuNzlOSXNxYisyK21Z NHVmMWxRRlVJRTEyd2tZVkduZmk2cExMQnlvCkZLeEhoYTF1WUJEaG9QK0xrRkpB
YkNuMytqdjltakswT2RoenNyNXFNbFUKLS0tIHh2MkFTMURTUGVWeDlES0UyTngx dG1FdFNJT1BjOXI1VkpNc2lPKzVHZ2cKLS0tIGxVSDRLMVRQQldPSCtoYnhSSkZB
MUsxVWxBQ0FuaHpESjNZRitDcG1YTkUKfrvBUhZNjaQLOVbBVvytb2L9rtvWhUd0 aGdJZ3lsSGR3REhvYzEwbmgvNitWSWMKOHG8i+a7RUjWV02a5xczNseDGqEF9q5D
kP4/BcdkKIQQ0WgQ1+qNfHZJUrBTJEUQW74MJai/hZZkXXwT5CB4sQ== N3GA1kZ/imGqTpeh4mlvZ4dnbtN0lsrmUDt3pZD4Zi4zvOhTyJmQdg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeXlySFFpZW1IZnJpN01F YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFg5N092eVd4V1FRTG93
U0F5Nk1vM0pHd3dPTWRFVWJpb0xGM2VSeHhvCmswZXRRT1VWWXZHUTkrMlNGNHh1 Z0daWWJGNkloWXJ5bVBWakNUb0RVeVVwVlhnClRqY2VRK3BjK2dWS21HOHV5S3F2
a0lSRUlSMXl2RjlOa2FBVVJTU2hUaXcKLS0tIExoeHhWVDdzM0krNXczT1cwZ0F5 TUswZXZNRzh4aHlCQkxpYlJ5b3kwQ2cKLS0tIDVlSGx0MjhBQVNRODRxVFlQS29R
NjVyQmgvaDVuSXNrY0ZCWEY3aldjM0kKKL/vHXncbbk5YSfoOWCsAL4UCWRKiNI3 VHZyS3QzZjB3ZW9VVWpoNFpEcWFUL00KX715Po4Kjk7T2axTStyrWsjOmW3knTMO
1wLHWHhJ4Qt6L7sbQD5n4lCvxTgNx94Tow6T0vI3qd3l6ERmAtwmuw== a7Ic/5yRBbCMBipnqH8rNMqNOfUBapnfnZ516kxg9c5NFv/uJlSC1g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae - recipient: age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2E5OVBvV1pVa3dwQ0k1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM3BIb2F2eU0wQURqRzZR
M3RIWHJXakgzWFNWMStuOGxXdk11VGtNM2djCm5UQmo0bEd3Y3B5Q3pGSCt2a0g3 NHNyVngvM2kwTE05YlU3Z3VBVHlPeFRDREE4CndkZ1N0RjBRRHJBUW04UGdtVlV6
bkE0UG8yOTJ0QnBDdmJxS0tKcWY5S28KLS0tIEUxTi9mUWpuTGM1ZjdWUVZuTTBq MWc4SGp6OUo0UXhXQis0Q2RiWi9oemMKLS0tIHcvbDljUStRL2g4Slk3T1dKamRQ
eXVkZ2NzYXd0K3RKMEFnYU9yT1JmU0kKVJ97jMdqiz19NGQi3EBXvYEr4D37h79G bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap
G02mxBm9EDKb4jgaj/5TcKqCOj8qLnBpu1DJSu1vICt9S/hN2baJsQ== mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-26T18:26:01Z" lastmodified: "2022-10-26T18:26:01Z"
mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str] mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }: { self, ... }:
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
./backup.nix ./backup.nix
../../users/root ../../users/root
@ -20,19 +20,51 @@
enable = true; enable = true;
remote-builders = true; remote-builders = true;
}; };
tailscale.enable = true;
}; };
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = { networking = {
privileged = true; hostName = "minio";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
}; };
security.sudo.execWheelOnly = true; systemd.network = {
enable = true;
services.tailscale.enable = true; networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.204/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { sops.secrets = {
@ -41,5 +73,5 @@
minio_backup_pass = { }; minio_backup_pass = { };
}; };
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }

View file

@ -10,29 +10,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ1B1TFBnd0NZWVFWT25P YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHY3T3BldXRVZTBxTkQr
bHk2RDRHL0tzSW5abzh1MS9KNUFDaERUWlNVCkc3UkJrZFl4cW9zY3JmYjgrOHJC YXNZbzRXSS9xVlhvMXRXWTFwUUwya3V6SlZzCmNTL1FTbTFxSkVCVEUrVjVacUlR
a0ZHWm9TL0dTVWIrTW8rTFRlZ08zQUkKLS0tIFQ2S2VrMTJFMkwzN1QyclcyMllM YVNsZXBaRlVTMHM4ZU1FMlhqWE8wb3MKLS0tIGJZVHlWc00ya3lPUG5BYWtJdkxY
SXJhdUh6NzdmbUR6cklyaFdxdDFqMDQKJa1jgD3oZS5CxZViKeurzfVORoGPX4ky aGVJY1JPZzRDc253Q3hHRk1hWE5sT1EKFVk0QJSjdZQrYFfeaDWZpBK/nIQY95Ah
b3oIjohx17LHinrO1zVhwZXfcHF7xlsMKVqAvZldZE9ckRPSbH7f8g== Y9fBEaQkzsKZBdOTQZu3SEU7W4KjXrkU/SAP9EbF8sph/1UaAzsYrw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0b0FqNktKbUtTcDBlUExn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUzBOZnZ0d01KZFdsTCsy
SEJyak5nOW1ITzgyR0ZCZ0ZXVkErS1FmMHlBCnNxbC9BU01Ua2NKSEZQL2hqYkVP dGZLRXg4U0sxcVgvTEE0Ri9rWEVrU2Q0Z2tvCmMvWENWU3l6elY4SDF4b1dBdkMw
RmRMeENPMGhKbzlLdVE0aU02MGg5c1UKLS0tIHA3citHSWVqODhKT3RpbHNhcEo2 aEtxMXdSbmRjcWgzUGV5MktRWncyQ0UKLS0tIHp3STNadDJFR1djNk5ZZW5iTThr
akozVFpEOW9COEgwL0lPdm4xRUlobWcKQpov1ITcXNSTiP3nZ7vL+WYBep2NKFjV SmtnRlUwUVpxN00rUmd4VGQ4ZnA0U0EKrzkG5duj91jy2j6cB612urKhK8cMkeVJ
LGk4wKfAry+SlRfsq3A/4Kv/WDceaFY9UiXoGu7lWwuJkzJXaJUBPg== lBrmKXt0/SddCgpn0ldZx99E1KIL/O1V6JhfxAPvTGkIIIXGXut1hQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49 - recipient: age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmdQZUlZZ2JZcHMvVWV5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M3J4czVkVXI1QUVwMlly
TGVzUnU3cHNySlowa21VYVZvS1REcVV0ZkVFCmV3NURRNWZzaXRaQ3EzeU52UVhS MDBSQUpTZFdITEZXa3kxeU9sQUtkNkJTZm1RCnMzeHRyNDJqTi9QRXFqQ241eUV1
MkJIbHFVSXRqQXdLSDFQR2hkcUN5T28KLS0tIExUNWgySDVaaVNHRFJIbWtFWFBN QlhMZUszQmZLQXAwaGJORThoNnFMK28KLS0tIHRkdW03MDBwRGxMV280R2hoaTFN
S2VBY05lVXZIZ1dTaDNvSGNQaVVmS1kKirfOAiMzO6dz5VYHb0RpUtNojg7Zd6I4 d0NWMXF3R2lwL2RQRFVFY3RteGFPVEkKACtGvv9tx9H34QW7vbLswFBsaQHTWwXc
1QZR3oJykIUybeNScW7Qhb2AtRObUefXMx3kA814d62yDJkwbApkDw== L2n3760iwAnVad4Aw7cQHUwzEUopWwhvg10BTrhi67CB9AG73yPNmA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-11T14:19:07Z" lastmodified: "2023-09-11T14:19:07Z"
mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str] mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str]

View file

@ -1,4 +1,5 @@
{ nixos-hardware, disko, ... }: { nixos-hardware, disko, ... }:
{ pkgs, config, ... }:
{ {
imports = [ imports = [
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
@ -7,6 +8,8 @@
disko.nixosModules.disko disko.nixosModules.disko
./storage.nix ./storage.nix
./network.nix
./virtualisation.nix
../../users/erwin ../../users/erwin
../../users/root ../../users/root
]; ];
@ -14,6 +17,7 @@
eboskma = { eboskma = {
users.erwin = { users.erwin = {
enable = true; enable = true;
server = true;
}; };
base = { base = {
@ -25,11 +29,18 @@
remote-builders = true; remote-builders = true;
}; };
libvirtd.enable = true; # libvirtd.enable = true;
systemd.enable = true; systemd.enable = true;
tailscale.enable = true;
};
security = {
sudo-rs = {
enable = true;
};
sudo.enable = false;
}; };
networking.hostName = "odin";
boot = { boot = {
loader = { loader = {
@ -41,30 +52,37 @@
}; };
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ]; availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ];
kernelModules = [ "kvm-intel" "kvm-amd" ]; kernelModules = [ "kvm-intel" ];
}; };
kernelModules = [ "kvm-intel" "kvm-amd" ]; kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [ "kvm-intel" "dm-thin-pool" "dm-snapshot" ];
# From PVE: ro quiet intel_iommu=on i915.enable_gvt=1 cpufreq.default_governor=ondemand
# kernelParams = [ "intel_iommu=on" "i915.enable_gvt=1" "cpufreq.default_governor=ondemand" ];
extraModulePackages = with config.boot.kernelPackages; [ gasket ];
}; };
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
powerManagement.cpuFreqGovernor = "ondemand"; powerManagement.cpuFreqGovernor = "ondemand";
services.cockpit = { services = {
enable = true; openssh.enable = true;
settings = { cockpit = {
WebService = { enable = true;
Origins = [ "https://cockpit.datarift.nl" ]; settings = {
ProtocolHeader = "X-Forwarded-Proto"; WebService = {
ForwardedForHeader = "X-Forwarded-For"; Origins = "https://cockpit.datarift.nl";
ProtocolHeader = "X-Forwarded-Proto";
ForwardedForHeader = "X-Forwarded-For";
};
}; };
}; };
lvm = {
enable = true;
};
}; };
services.lvm = { system.stateVersion = "24.05";
enable = true;
};
system.stateVersion = "23.05";
} }

67
machines/odin/network.nix Normal file
View file

@ -0,0 +1,67 @@
{
networking = {
hostName = "odin";
useDHCP = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
};
systemd = {
coredump.enable = false;
network = {
enable = true;
wait-online = {
anyInterface = true;
};
netdevs = {
"25-vmbr0" = {
netdevConfig = {
Kind = "bridge";
Name = "vmbr0";
MACAddress = "48:21:0b:56:b1:42";
};
};
};
networks = {
"40-enp86s0" = {
matchConfig = {
Name = "enp86s0";
};
networkConfig = {
# DHCP = "yes";
Bridge = "vmbr0";
};
};
"40-vmbr0" = {
matchConfig = {
Name = "vmbr0";
};
networkConfig = {
Address = "10.0.0.252/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.1";
DHCP = "no";
};
};
};
links = {
"40-enp86s0" = {
matchConfig = {
OriginalName = "enp86s0";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
};
}

View file

@ -1,64 +1,66 @@
{ disko, ... }:
{ {
disko.devices = { disko.devices = {
disk = { disk = {
sda = { nvme0n1 = {
device = "/dev/vda"; device = "/dev/nvme0n1";
type = "disk"; type = "disk";
content = { content = {
type = "table"; type = "gpt";
format = "gpt"; partitions = {
partitions = [ esp = {
{ name = "ESP";
name = "boot"; size = "512M";
start = "1MiB"; type = "EF00";
end = "512MiB";
bootable = true;
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/boot"; mountpoint = "/boot";
}; };
} };
{ root = {
name = "root_pv_sda"; name = "root_pv_nvme0n1";
start = "512MiB"; size = "260G";
end = "100%";
content = { content = {
type = "lvm_pv"; type = "lvm_pv";
vg = "pool"; vg = "root-pool";
}; };
} };
]; data = {
name = "data_pv_nvme0n1";
size = "100%";
content = {
type = "lvm_pv";
vg = "data";
};
};
};
}; };
}; };
sdb = { sdb = {
device = "/dev/vdb"; device = "/dev/sda";
type = "disk"; type = "disk";
content = { content = {
type = "table"; type = "gpt";
format = "gpt"; partitions = {
partitions = [ root = {
{ name = "data_pv_sdb";
name = "root_pv_sdb"; size = "100%";
start = "0%";
end = "100%";
content = { content = {
type = "lvm_pv"; type = "lvm_pv";
vg = "pool"; vg = "data";
}; };
} };
]; };
}; };
}; };
}; };
lvm_vg = { lvm_vg = {
pool = { root-pool = {
type = "lvm_vg"; type = "lvm_vg";
lvs = { lvs = {
root = { nixos = {
size = "32GiB"; size = "250G";
content = { content = {
type = "filesystem"; type = "filesystem";
format = "ext4"; format = "ext4";
@ -68,34 +70,25 @@
}; };
swap = { swap = {
size = "8GiB"; size = "8G";
content = { content = {
type = "swap"; type = "swap";
randomEncryption = false; randomEncryption = true;
}; };
}; };
};
zz_data = { };
data = {
type = "lvm_vg";
lvs = {
data = {
size = "100%FREE"; size = "100%FREE";
content = { extraArgs = [
type = "filesystem"; "--type=thin-pool"
format = "ext4"; ];
mountpoint = "/data";
mountOptions = [ "defaults" ];
};
}; };
}; };
}; };
}; };
}; };
# fileSystems."/" = {
# device = "/dev/disk/by-label/nixos";
# fsType = "ext4";
# };
# fileSystems."/data" = {
# device = "/dev/disk/by-label/data";
# fsType = "btrfs";
# };
} }

View file

@ -0,0 +1,134 @@
{ pkgs, ... }:
{
users.users.erwin.extraGroups = [ "incus-admin" ];
virtualisation = {
incus = {
enable = true;
preseed = {
networks = [
{
config = {
"ipv4.address" = "10.0.100.1/24";
"ipv4.nat" = "true";
};
name = "incusbr0";
type = "bridge";
}
];
profiles = [
{
name = "default";
devices = {
root = {
path = "/";
pool = "default";
size = "32GiB";
type = "disk";
};
};
}
{
name = "nixos";
config = {
"security.nesting" = true;
};
}
{
name = "privileged";
config = {
"security.privileged" = true;
};
}
{
name = "autostart";
config = {
"boot.autostart" = true;
};
}
{
name = "net-bridged";
devices = {
eth0 = {
type = "nic";
nictype = "bridged";
parent = "vmbr0";
};
};
}
{
name = "homeassistant";
devices = {
root = {
path = "/";
pool = "default";
size = "128GiB";
type = "disk";
};
eth0 = {
type = "nic";
nictype = "bridged";
parent = "vmbr0";
};
zigbee = {
type = "usb";
productid = "55d4";
vendorid = "1a86";
};
p1 = {
type = "usb";
productid = "0403";
vendorid = "6001";
};
};
config = {
"limits.cpu" = 4;
"limits.memory" = "8GiB";
};
}
];
storage_pools = [
{
config = {
"lvm.thinpool_name" = "data";
"lvm.vg_name" = "data";
};
driver = "lvm";
name = "default";
}
];
config = {
"oidc.client.id" = "incus";
"oidc.issuer" = "https://id.datarift.nl/realms/datarift/.well-known/openid-configuration";
"core.https_address" = "[::]:8443";
};
};
};
};
systemd.services = {
incus = {
path = [
pkgs.nftables
pkgs.lvm2
pkgs.e2fsprogs
];
environment = {
INCUS_UI = pkgs.incus-ui;
};
};
incus-preseed = {
path = [ pkgs.lvm2 ];
};
};
networking.firewall.allowedTCPPorts = [
8443
];
}

View file

@ -1,7 +1,7 @@
{ self, caddy-with-plugins, ... }: { self, caddy-with-plugins, ... }:
{ modulesPath, pkgs, ... }: { { modulesPath, pkgs, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
../../users/root ../../users/root
../../users/erwin ../../users/erwin
]; ];
@ -21,48 +21,67 @@
package = caddy-with-plugins.lib.caddyWithPackages { package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule; inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ]; plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "7TWLOeEHn/cmpCXWuwLQrWpezrW6qcCERscutzYjpN0="; vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
}; };
}; };
tailscale.enable = true;
}; };
boot.isContainer = true; boot = {
isContainer = true;
kernel.sysctl = {
"net.core.rmem_max" = 2500000;
"net.core.wmem_max" = 2500000;
};
};
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
# networking = { networking = {
# hostName = "proxy"; hostName = "proxy";
# useDHCP = false; useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
# interfaces = { firewall.trustedInterfaces = [ "tailscale0" ];
# eth0 = {
# ipv4.addresses = [
# {
# address = "10.0.0.251";
# prefixLength = 24;
# }
# ];
# };
# };
# defaultGateway = "10.0.0.1";
# nameservers = [ "10.0.0.254" ];
# };
proxmoxLXC = {
privileged = true;
}; };
services.tailscale.enable = true; systemd.network = {
enable = true;
security.sudo.execWheelOnly = true; networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.251/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { sops.secrets = {
caddy-env = { }; caddy-env = { };
}; };
system.stateVersion = "21.11"; system.stateVersion = "24.05";
} }

View file

@ -8,29 +8,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNmVyOGtudS9ZdlpxVmpD
Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF Qmd5dWlQRkJ0b3lrK1JrV0RXWjRzdHgyblZzCjlacnJra1NHT25oQ3V4NEc3K09k
YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv MnBObjBXQTFxaHJNTmpsTVo4TDlCdjQKLS0tIGFZREpPWVI5a2ZDQjAxbkRHRTJ4
VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB a1dYRzNXQWRrYkRESkRIVGljYlZDOGcKBdQ+F+5KmTpOkBR0UlTRdon+F+qWgQRA
rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA== oisOMoX/WFss3/CNJxr4LwqXFoinWQT7qiXXPsBiZ+VpsaBfPJ3sMw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeElXK2hjLzhQc2hpYUtT
ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho VjAyM3lIcjdJNGQ0Ujh0S2U5eXlxYXFTU2swCjlMa2xTQTFqZUVQd3lMalRrSDds
anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO aXJyM3B1ZFg3cWxKSHdpbWVxT3JKS3cKLS0tIHp0Q0dDM1d0aGNrQlA4bnlITE41
K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du OWZIT3BZbCtLaFl5eU1CMlE3S3RNVUkKUShpf1ahWy5AF7UhucPcz1FzGF85Z26E
g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg== FbPEHzSfjLZoRtEaxXDOJVASd7xuGkb+L8g86rWR462atAI6lTuEfg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m - recipient: age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWtjd2h3N2lIbDNBZGpZ
djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx VnViQ2FXY0hQaXV6RXZaYnRHODJFOVZOcEJZCmdXSjMrVTFBZzhlQS9XSWNmYzRs
RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz NXVCT2N6NDlSbGhpNnZ0S0FhTFpEMjAKLS0tIGg1TDFrZ3RmVjBPR1hleWhwNWVC
RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto UTFJZmxIK2YxY0FieFpoNVV4Z2ttK1UKeqJuuzuMyVayliFUscLSCtUZDjjZKaIg
yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg== Kp6952AQPC4h+7j61C0iqtqG8dxIABdJfu7gvdgEfpKltDae3vQR8w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-09T22:09:02Z" lastmodified: "2023-08-09T22:09:02Z"
mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str] mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }: { self, ... }:
{ modulesPath, pkgs, lib, ... }: { { modulesPath, pkgs, lib, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
../../users/root ../../users/root
../../users/erwin ../../users/erwin
]; ];
@ -15,11 +15,12 @@
enable = true; enable = true;
remote-builders = true; remote-builders = true;
}; };
tailscale.enable = true;
}; };
services.unifi = { services.unifi = {
enable = true; enable = true;
unifiPackage = pkgs.unifi; unifiPackage = pkgs.unifi8;
# unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: { # unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: {
# version = "7.5.176"; # version = "7.5.176";
# src = builtins.fetchurl { # src = builtins.fetchurl {
@ -30,25 +31,53 @@
openFirewall = true; openFirewall = true;
}; };
networking.firewall = {
allowPing = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [ 8443 ];
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = { networking = {
privileged = true; hostName = "unifi";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall = {
trustedInterfaces = [ "tailscale0" ];
allowPing = true;
allowedTCPPorts = [ 8443 ];
};
}; };
services.tailscale.enable = true; systemd.network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.207/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
security.sudo.execWheelOnly = true;
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { }; sops.secrets = { };

View file

@ -1,7 +1,7 @@
{ self, ... }: { self, ... }:
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/lxc-container.nix")
../../users/root ../../users/root
../../users/erwin ../../users/erwin
@ -23,6 +23,7 @@
remote-builders = true; remote-builders = true;
}; };
unbound.enable = true; unbound.enable = true;
tailscale.enable = true;
}; };
services.resolved.extraConfig = '' services.resolved.extraConfig = ''
@ -33,15 +34,44 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = { networking = {
privileged = true; hostName = "valkyrie";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
}; };
networking.firewall.trustedInterfaces = [ "tailscale0" ]; systemd.network = {
enable = true;
security.sudo.execWheelOnly = true; networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
services.tailscale.enable = true; networkConfig = {
Address = "10.0.0.206/24";
Gateway = "10.0.0.1";
DNS = "127.0.0.1";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }