Finish configuration for odin on NUC, update containers for Incus

This commit is contained in:
Erwin Boskma 2024-01-02 22:01:55 +01:00
parent d06576a0ac
commit d99ac2d3f7
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
17 changed files with 734 additions and 201 deletions

View file

@ -0,0 +1,90 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
woodpecker.enable = true;
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "ci";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = false;
firewall = {
trustedInterfaces = [ "tailscale0" ];
interfaces."podman+" = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
};
virtualisation.podman = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
defaultNetwork.settings.dns_enabled = true;
};
systemd.network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.202/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
woodpecker-server = { };
woodpecker-agent = { };
};
system.stateVersion = "24.05";
}

42
machines/ci/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
drone: ENC[AES256_GCM,data:PZPChq/iQDw7gOfdmSOB4ZvtWgnT55lMc1/kSKVoh5kTkIX+FdNE7uJlhKJQHryYWdrbyoRu09RhhPLr27oWeiCvN4Z0QmM9ofrM4CfuUPotp3niZIjfXrLIiX2s1JlxT2eElEwkX2h1UCIC+tNqFCL+ThLkP4iMmeXRXwFBIOahYscskwbmutbyraj/yQq3KcwUyFLd618pDT+0VWiBETQudauWdmJXFDW/rKW7STTVhe/7ixCIw3O5BYThOin9YhZSZxje225+bBB8vPM6NfdvNCHEtzAwxTjtm3n0beqsAAxd6hzQXk3L7a2X6Y+mmK1XMjmLhsGgI5B6Zssmv3/3oTSczn+YdtfT9bz0KxaZtJdQrYEfVowKEQMTcWO5H55F5Mv+qShweIAcWqKInFb6+EDjyPzABlN/S9/XJakQsPxcCwBKKusYr3P3IFjNnzdZD18ayhc6frs4TJmSGcQIkW/cCWNjwpct/yVbkIrIXZEWb7DoZ0M=,iv:F++KLxnqAtBhcSdj5rZhGpVvCKfI8y5HhvlejCfwi/k=,tag:YdiiZUN7wGn9yA1evMu5jg==,type:str]
drone-runner: ENC[AES256_GCM,data:Uh7OQSDtV0M5j00oHHm4uz4zwi+1W1k2qd5uXoROj5tcgNs76YBcfkU7d+1qXj/Hma7++HOcga0LvF1+Dl/GJQyj47kVFi/+h6I9yiuoO5sW3nxh5pW5W1Ws1qchKqVhoyZLf0K4AnYE2puleKcYXfogJ1hjnB3vn5F/eOKA/QB+7KfaVPRUGZsUYQw3rHLdTbTFHXPv//z8xxYqY5JcG+vvWsHXiI/sKSTZBWoPJEZnKK2mo8+dbZn3nSj29luG,iv:40JTvOJ7isGcHGg9KI5ED8Ju5knmIWP1m/i/dwlpG/M=,tag:GHbkLIeuiGVlNsR2EW/PGw==,type:str]
woodpecker-server: ENC[AES256_GCM,data:cW108wxYT2b65pCRcwZBoRi6eQsB4NrcUNLirfQkkqPPOymT4QFyE5Zmx6K1P33dUSAj5nA0Eh0HOsS8RhFQIOPZA9za4Ffs51Ex0HkQozduqusDGaENWR+zBOTgRhgIrwQlDSHh8UgLTzOgN8hpEqR8fFVsiWCcCAuOFjDNyczywtbbu2jNHzG6FMz2fdXy7p1dRmyTq1sFjoMEkJM5Ix8oRB8zWV+O3l6XE7Uw1vD3QbOsJiqcbWFoNw==,iv:VIlHVVvuBSZiO/tMgd/4HpT2uecn1WqJE60SkHaX+80=,tag:+xfTfq2FgSrPUVXeH4tJkQ==,type:str]
woodpecker-agent: ENC[AES256_GCM,data:YO9MCMIPVOEU+6euiCHuAN+tFFs8JkRRmb9+AIhMEuQE2ObajfJZ3NN5LsccIT9z1axA/gfjLrxM,iv:UDimHs2cKyCvy0XGdDzgX2ry114qz3V1KaXlXL3yYgI=,tag:OGITUerrT0nWU85fxcpEig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWNGd2FLTWcwTThodlBD
K1VRUmFmQlhoN3YwcDlpQmFzR0JZaW9jQngwCjJOYndqVDVjMWFtQnpmZGpRMGg3
Q0JXQys3TVpSZm1BcWFkcjhQcDJzOG8KLS0tIENjUWtaWW5GeE4yK09yUEx2SWpG
SFc5S1kvT2pBbHorZks3b1MzRU9ERFEKdS9c7j0iyHHbAc8XXpahsOTDu53BKsmr
+ff060PPzBIzQ+7aI52E8CSUAJw0GVYZD5KZForwwBhR3vaZGQYysg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV3lvZmdCU20vT05SWTVB
cUdZTW4yVndyME4waU5qdmYwbUZuUlQyN2hvClRqSkZ0andyN3RmSFhVdzVMUWdS
VUtPR2tDRzVuZ0kzRVIyZnNMZTIwSVkKLS0tIHprQVR4c2RZQ3I0SlMzSDBnS25a
Z0JrZVhPMEZBQ1FVMjA2QnBITzJjbjQKCghnCUxyR8QkZM2R0EOgjq7J8E7MLlV6
vnEEu6iehd01vHvBKB1x3z6o/wzL8m3TA35knICZCk6jAD0w+OeW9A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneWpaNDRaYk1WS3BuQmtp
L0gxcmFTSEZ3VXBtcTZQLzl0Qm85RmJvMDFnCktJbXJVM0ZDdVJZTHF1VEF6OXAy
RGdMU3RYNytla0k0QjNydTkrbjYrV0kKLS0tIHY3UjFvZ0VxRm1JOTg3NDgySU4x
dFpad2ZiNXR0cEQ4TTMxa0luK3lGRFUKsqF3x5NvdtqXtE05TjMMhFB3cHREYRCA
2LgUDn4FYbxprXTG0dOX+87aAQmoepMkVEXo2kBopoYrGHa1DsOznw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-12T09:28:02Z"
mac: ENC[AES256_GCM,data:mE0O44Sa+RMqRoCqXftn3GuPFLHiyGn3tVlYgBGc973nP7mz5ZwClNgja1gk+MNolnztsrwgso5ZiNpriyI7pGKd/dG6DJQrGixqhRvgyNyIESGEuN9n6bfhYNNSzV1yRb9V6Z7iELkut03gvVU9by0MosJ7SJPMyDyZZ4tMFeA=,iv:rzrvGwJQAdbMcHQ7U/JFB08V7o2keLI1kUrUs9RaClA=,tag:UpE7ZeG7S32CNKsgT+rMMQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

View file

@ -1,12 +1,13 @@
inputs: {
drone = {
ci = {
config = import ./drone/configuration.nix inputs;
deploy = {
# host = "10.0.0.202";
host = "drone.barn-beaver.ts.net";
host = "ci.barn-beaver.ts.net";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
frigate = {
@ -17,6 +18,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
gitea = {
@ -27,6 +29,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
heimdall = {
@ -53,6 +56,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
odin = {
@ -66,6 +70,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
regin = {
@ -90,6 +95,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
valkyrie = {
@ -100,6 +106,7 @@ inputs: {
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
}

View file

@ -1,7 +1,10 @@
{ self, ... }:
{ self, nixos-hardware, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
nixos-hardware.nixosModules.common-cpu-intel
../../users/root
../../users/erwin
];
@ -18,26 +21,57 @@
enable = true;
remote-builders = true;
};
podman.enable = true;
tailscale.enable = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = { };
networking = {
hostName = "frigate";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
# nftables.enable = true;
proxmoxLXC = {
privileged = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
security.sudo.execWheelOnly = true;
systemd.network = {
enable = true;
services.tailscale.enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.205/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
frigate = { };
};
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

View file

@ -8,29 +8,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGVxdk1xWi9PbTl4dGVv
QlFIL0ppRzRReVRnYkMwZDQrQVZ5SEkzblNNCjlwK0xFSGFoallaVUhVZWxjNFBQ
ZVJPdUoyRm9FUGZDaFpyRGs2VEZiUmMKLS0tIDloRGZVT290NHYvRXVSb29aMXRw
dDIzVFNaVjJGTVNVQlJLODhYUlVKVkkKjMHAlBNaKSk3q/rWSRKSz9wuyXp3KshD
J7sCrTde+8hhudKpS7fw0DzuZ+tq4/JOj+imAS3eXmeNRI6V6eLxLQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTnlKWS9MMlpLaUZFWE5R
WUxRZnFmeG1jV2ljajZacUpGaUc0Vks2OFVjCjZlclFMMWhIYzZwa21sTmV0cUZO
eWhmbHR4OW5Oanl5Y0J4LzZBU1dxekkKLS0tIHBDbHFNMEJlQ1BjQmMyRm5SWEo1
Vlp5YUpkanh0a253WEZ4YXJzcXJlU00KN6I5LyH+8QYbVJk3K/0ir0qRf8Q6iwpa
XubDryZhBA/tfy1zaJ7GmpFJVDjjjOiGYcKIGHQ/R35O3awGJcrCmQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWGV6TVprTlFQQjFsODRk
SVBiMFo3WTFmNVg1b21HTTNYMzFNbHBuMXpnCk1uWStoU0RtbG96eXU1ZWlXSk9F
QmRhRDhyOWpJWDV6bnRRK01IUllITFUKLS0tIEVCU3RFdmNCazZJL1lSZDJDanRO
NmRXdzhlN0Yyb056c1RDY1hhMWZ3MFkKZ9JJmYXKeZRbUiDncC/cfUu/q+O5dBYN
3AxTIOScw7rDyUDEXOxcTMA75V3ttSe9dkny4CNC3881hObYyot6gg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0FDM1paRUdJZUd2RTBn
QmxxL1VmVWx6Nkp1TmdaaFN5ZmJ5c2dzbVVvCnBGUEI3MUhZSll5Z05KUWhtb2lz
Szc3SGhoSy9BdTRLSlUwVWNZeC9MclEKLS0tIFF0dXRicm5lQW9ZeDI0SHB4blpu
TEhuRjhkZXJhUVpvQlA1MFBBQmU0VW8K8D5iIMCLQWHXdzGC67w4Jo+PQin1SXwr
QjjsA6fjfhgV1+PnuRDhOro+WS3Rbp0WfCskq4+uzuDW16+5bpy62A==
-----END AGE ENCRYPTED FILE-----
- recipient: age17p30jwu847x5g9y6wzmt2c4a2e0m9m77ajk5qsgsahdxc8wssu8skdzmq2
- recipient: age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSkJJcHVkSnJxUmo0ajhU
TmRGWEIzSFFDZnI2b2lPaWJDNlQzbTAxTW1zCjZXOVFzZ01uWTJFTTdvQkltR3VD
cVNFUlFDZDljVDZyaDlhSFJOc3RCT1UKLS0tIDAzVzhueVg5bTJRbS8xN3lDaUR4
NXJsSzFsaVZBeFhlakpZSW9ObGNBWGMKgX2qtoyTmBXH9XjMYT/YWllfUBcbLpv/
tLLIbgDGfEKKlLIO+jn3pyhv3+Vf78uOyxNh7llDetrR2rZmJLZbaw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQVB0ZWRtaHBqWXo2bEN6
T2dKWThTRzRLOU0zcTZHMUNYOEJCd0hrR0dzClFVVzBFZWlSRzZ3QjQ5YTdpdG1h
aVR3cUpPbEVjUU5pVnc5YmlUb1FZaTAKLS0tIEhLQ1V1WWRvYzJaekdFbVR4elF3
YkFoWUpBNGhMRUloYzYvMlhPalBnSTgKXUV6iEE5ZU0tlaAAMDg4hrJSCoUkLA/B
6WOwLvfq1/JTgyD58LVsJOqMJ8cqvG/4uHIcaHq17F9CFZykBprJqQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-26T14:26:15Z"
mac: ENC[AES256_GCM,data:0PeNZGGPRcT385nwym2zgjl+rB7b3u/lCj1jF0MB2UPV73ig42A2ZNm2PFAvH0pzPpDiwW+4fZM/4WJbos7XwFC3+jKW5zOxLFmMvNDd7Y3eM0jYbHqxKhWr3I+SNgPyUPAjiZmN1muNpxLi2vie/jz6jABz9ETOksd8PrOjRu4=,iv:pJy6M6HwQfxL7ifkOwy7q2kYgx8a1c38PUMXeFJgv8o=,tag:gDYEuNwFqtc8YXVhWk0JHw==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
@ -18,6 +18,7 @@
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
boot.isContainer = true;
@ -26,13 +27,50 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = {
privileged = true;
networking = {
hostName = "ci";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = false;
firewall = {
trustedInterfaces = [ "tailscale0" ];
interfaces."podman+" = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
};
security.sudo.execWheelOnly = true;
systemd.network = {
enable = true;
services.tailscale.enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.203/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {

View file

@ -10,29 +10,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NHY0SzdYUFk3dUNnYU04
U2JIK1FnRXVVYy8xNE56eGE2Y1pWRHk0U0ZnCnIvN1RnL2RuNzlOSXNxYisyK21Z
YkNuMytqdjltakswT2RoenNyNXFNbFUKLS0tIHh2MkFTMURTUGVWeDlES0UyTngx
MUsxVWxBQ0FuaHpESjNZRitDcG1YTkUKfrvBUhZNjaQLOVbBVvytb2L9rtvWhUd0
kP4/BcdkKIQQ0WgQ1+qNfHZJUrBTJEUQW74MJai/hZZkXXwT5CB4sQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadmRzQ0pBUlZlNndBK2tH
NHVmMWxRRlVJRTEyd2tZVkduZmk2cExMQnlvCkZLeEhoYTF1WUJEaG9QK0xrRkpB
dG1FdFNJT1BjOXI1VkpNc2lPKzVHZ2cKLS0tIGxVSDRLMVRQQldPSCtoYnhSSkZB
aGdJZ3lsSGR3REhvYzEwbmgvNitWSWMKOHG8i+a7RUjWV02a5xczNseDGqEF9q5D
N3GA1kZ/imGqTpeh4mlvZ4dnbtN0lsrmUDt3pZD4Zi4zvOhTyJmQdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeXlySFFpZW1IZnJpN01F
U0F5Nk1vM0pHd3dPTWRFVWJpb0xGM2VSeHhvCmswZXRRT1VWWXZHUTkrMlNGNHh1
a0lSRUlSMXl2RjlOa2FBVVJTU2hUaXcKLS0tIExoeHhWVDdzM0krNXczT1cwZ0F5
NjVyQmgvaDVuSXNrY0ZCWEY3aldjM0kKKL/vHXncbbk5YSfoOWCsAL4UCWRKiNI3
1wLHWHhJ4Qt6L7sbQD5n4lCvxTgNx94Tow6T0vI3qd3l6ERmAtwmuw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFg5N092eVd4V1FRTG93
Z0daWWJGNkloWXJ5bVBWakNUb0RVeVVwVlhnClRqY2VRK3BjK2dWS21HOHV5S3F2
TUswZXZNRzh4aHlCQkxpYlJ5b3kwQ2cKLS0tIDVlSGx0MjhBQVNRODRxVFlQS29R
VHZyS3QzZjB3ZW9VVWpoNFpEcWFUL00KX715Po4Kjk7T2axTStyrWsjOmW3knTMO
a7Ic/5yRBbCMBipnqH8rNMqNOfUBapnfnZ516kxg9c5NFv/uJlSC1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae
- recipient: age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2E5OVBvV1pVa3dwQ0k1
M3RIWHJXakgzWFNWMStuOGxXdk11VGtNM2djCm5UQmo0bEd3Y3B5Q3pGSCt2a0g3
bkE0UG8yOTJ0QnBDdmJxS0tKcWY5S28KLS0tIEUxTi9mUWpuTGM1ZjdWUVZuTTBq
eXVkZ2NzYXd0K3RKMEFnYU9yT1JmU0kKVJ97jMdqiz19NGQi3EBXvYEr4D37h79G
G02mxBm9EDKb4jgaj/5TcKqCOj8qLnBpu1DJSu1vICt9S/hN2baJsQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM3BIb2F2eU0wQURqRzZR
NHNyVngvM2kwTE05YlU3Z3VBVHlPeFRDREE4CndkZ1N0RjBRRHJBUW04UGdtVlV6
MWc4SGp6OUo0UXhXQis0Q2RiWi9oemMKLS0tIHcvbDljUStRL2g4Slk3T1dKamRQ
bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap
mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-26T18:26:01Z"
mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
./backup.nix
../../users/root
@ -20,19 +20,51 @@
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = {
privileged = true;
networking = {
hostName = "minio";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
security.sudo.execWheelOnly = true;
systemd.network = {
enable = true;
services.tailscale.enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.204/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
@ -41,5 +73,5 @@
minio_backup_pass = { };
};
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

View file

@ -10,29 +10,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQ1B1TFBnd0NZWVFWT25P
bHk2RDRHL0tzSW5abzh1MS9KNUFDaERUWlNVCkc3UkJrZFl4cW9zY3JmYjgrOHJC
a0ZHWm9TL0dTVWIrTW8rTFRlZ08zQUkKLS0tIFQ2S2VrMTJFMkwzN1QyclcyMllM
SXJhdUh6NzdmbUR6cklyaFdxdDFqMDQKJa1jgD3oZS5CxZViKeurzfVORoGPX4ky
b3oIjohx17LHinrO1zVhwZXfcHF7xlsMKVqAvZldZE9ckRPSbH7f8g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHY3T3BldXRVZTBxTkQr
YXNZbzRXSS9xVlhvMXRXWTFwUUwya3V6SlZzCmNTL1FTbTFxSkVCVEUrVjVacUlR
YVNsZXBaRlVTMHM4ZU1FMlhqWE8wb3MKLS0tIGJZVHlWc00ya3lPUG5BYWtJdkxY
aGVJY1JPZzRDc253Q3hHRk1hWE5sT1EKFVk0QJSjdZQrYFfeaDWZpBK/nIQY95Ah
Y9fBEaQkzsKZBdOTQZu3SEU7W4KjXrkU/SAP9EbF8sph/1UaAzsYrw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0b0FqNktKbUtTcDBlUExn
SEJyak5nOW1ITzgyR0ZCZ0ZXVkErS1FmMHlBCnNxbC9BU01Ua2NKSEZQL2hqYkVP
RmRMeENPMGhKbzlLdVE0aU02MGg5c1UKLS0tIHA3citHSWVqODhKT3RpbHNhcEo2
akozVFpEOW9COEgwL0lPdm4xRUlobWcKQpov1ITcXNSTiP3nZ7vL+WYBep2NKFjV
LGk4wKfAry+SlRfsq3A/4Kv/WDceaFY9UiXoGu7lWwuJkzJXaJUBPg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUzBOZnZ0d01KZFdsTCsy
dGZLRXg4U0sxcVgvTEE0Ri9rWEVrU2Q0Z2tvCmMvWENWU3l6elY4SDF4b1dBdkMw
aEtxMXdSbmRjcWgzUGV5MktRWncyQ0UKLS0tIHp3STNadDJFR1djNk5ZZW5iTThr
SmtnRlUwUVpxN00rUmd4VGQ4ZnA0U0EKrzkG5duj91jy2j6cB612urKhK8cMkeVJ
lBrmKXt0/SddCgpn0ldZx99E1KIL/O1V6JhfxAPvTGkIIIXGXut1hQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
- recipient: age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmdQZUlZZ2JZcHMvVWV5
TGVzUnU3cHNySlowa21VYVZvS1REcVV0ZkVFCmV3NURRNWZzaXRaQ3EzeU52UVhS
MkJIbHFVSXRqQXdLSDFQR2hkcUN5T28KLS0tIExUNWgySDVaaVNHRFJIbWtFWFBN
S2VBY05lVXZIZ1dTaDNvSGNQaVVmS1kKirfOAiMzO6dz5VYHb0RpUtNojg7Zd6I4
1QZR3oJykIUybeNScW7Qhb2AtRObUefXMx3kA814d62yDJkwbApkDw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M3J4czVkVXI1QUVwMlly
MDBSQUpTZFdITEZXa3kxeU9sQUtkNkJTZm1RCnMzeHRyNDJqTi9QRXFqQ241eUV1
QlhMZUszQmZLQXAwaGJORThoNnFMK28KLS0tIHRkdW03MDBwRGxMV280R2hoaTFN
d0NWMXF3R2lwL2RQRFVFY3RteGFPVEkKACtGvv9tx9H34QW7vbLswFBsaQHTWwXc
L2n3760iwAnVad4Aw7cQHUwzEUopWwhvg10BTrhi67CB9AG73yPNmA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-11T14:19:07Z"
mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str]

View file

@ -1,4 +1,5 @@
{ nixos-hardware, disko, ... }:
{ pkgs, config, ... }:
{
imports = [
nixos-hardware.nixosModules.common-cpu-intel
@ -7,6 +8,8 @@
disko.nixosModules.disko
./storage.nix
./network.nix
./virtualisation.nix
../../users/erwin
../../users/root
];
@ -14,6 +17,7 @@
eboskma = {
users.erwin = {
enable = true;
server = true;
};
base = {
@ -25,11 +29,18 @@
remote-builders = true;
};
libvirtd.enable = true;
# libvirtd.enable = true;
systemd.enable = true;
tailscale.enable = true;
};
security = {
sudo-rs = {
enable = true;
};
sudo.enable = false;
};
networking.hostName = "odin";
boot = {
loader = {
@ -41,30 +52,37 @@
};
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ];
kernelModules = [ "kvm-intel" "kvm-amd" ];
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" "virtio_blk" "virtio_pci" ];
kernelModules = [ "kvm-intel" ];
};
kernelModules = [ "kvm-intel" "kvm-amd" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [ "kvm-intel" "dm-thin-pool" "dm-snapshot" ];
# From PVE: ro quiet intel_iommu=on i915.enable_gvt=1 cpufreq.default_governor=ondemand
# kernelParams = [ "intel_iommu=on" "i915.enable_gvt=1" "cpufreq.default_governor=ondemand" ];
extraModulePackages = with config.boot.kernelPackages; [ gasket ];
};
hardware.enableAllFirmware = true;
powerManagement.cpuFreqGovernor = "ondemand";
services.cockpit = {
enable = true;
settings = {
WebService = {
Origins = [ "https://cockpit.datarift.nl" ];
ProtocolHeader = "X-Forwarded-Proto";
ForwardedForHeader = "X-Forwarded-For";
services = {
openssh.enable = true;
cockpit = {
enable = true;
settings = {
WebService = {
Origins = "https://cockpit.datarift.nl";
ProtocolHeader = "X-Forwarded-Proto";
ForwardedForHeader = "X-Forwarded-For";
};
};
};
lvm = {
enable = true;
};
};
services.lvm = {
enable = true;
};
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

67
machines/odin/network.nix Normal file
View file

@ -0,0 +1,67 @@
{
networking = {
hostName = "odin";
useDHCP = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
};
systemd = {
coredump.enable = false;
network = {
enable = true;
wait-online = {
anyInterface = true;
};
netdevs = {
"25-vmbr0" = {
netdevConfig = {
Kind = "bridge";
Name = "vmbr0";
MACAddress = "48:21:0b:56:b1:42";
};
};
};
networks = {
"40-enp86s0" = {
matchConfig = {
Name = "enp86s0";
};
networkConfig = {
# DHCP = "yes";
Bridge = "vmbr0";
};
};
"40-vmbr0" = {
matchConfig = {
Name = "vmbr0";
};
networkConfig = {
Address = "10.0.0.252/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.1";
DHCP = "no";
};
};
};
links = {
"40-enp86s0" = {
matchConfig = {
OriginalName = "enp86s0";
};
linkConfig = {
WakeOnLan = "magic";
};
};
};
};
};
}

View file

@ -1,64 +1,66 @@
{ disko, ... }:
{
disko.devices = {
disk = {
sda = {
device = "/dev/vda";
nvme0n1 = {
device = "/dev/nvme0n1";
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "1MiB";
end = "512MiB";
bootable = true;
type = "gpt";
partitions = {
esp = {
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "root_pv_sda";
start = "512MiB";
end = "100%";
};
root = {
name = "root_pv_nvme0n1";
size = "260G";
content = {
type = "lvm_pv";
vg = "pool";
vg = "root-pool";
};
}
];
};
data = {
name = "data_pv_nvme0n1";
size = "100%";
content = {
type = "lvm_pv";
vg = "data";
};
};
};
};
};
sdb = {
device = "/dev/vdb";
device = "/dev/sda";
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "root_pv_sdb";
start = "0%";
end = "100%";
type = "gpt";
partitions = {
root = {
name = "data_pv_sdb";
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
vg = "data";
};
}
];
};
};
};
};
};
lvm_vg = {
pool = {
root-pool = {
type = "lvm_vg";
lvs = {
root = {
size = "32GiB";
nixos = {
size = "250G";
content = {
type = "filesystem";
format = "ext4";
@ -68,34 +70,25 @@
};
swap = {
size = "8GiB";
size = "8G";
content = {
type = "swap";
randomEncryption = false;
randomEncryption = true;
};
};
zz_data = {
};
};
data = {
type = "lvm_vg";
lvs = {
data = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/data";
mountOptions = [ "defaults" ];
};
extraArgs = [
"--type=thin-pool"
];
};
};
};
};
};
# fileSystems."/" = {
# device = "/dev/disk/by-label/nixos";
# fsType = "ext4";
# };
# fileSystems."/data" = {
# device = "/dev/disk/by-label/data";
# fsType = "btrfs";
# };
}

View file

@ -0,0 +1,134 @@
{ pkgs, ... }:
{
users.users.erwin.extraGroups = [ "incus-admin" ];
virtualisation = {
incus = {
enable = true;
preseed = {
networks = [
{
config = {
"ipv4.address" = "10.0.100.1/24";
"ipv4.nat" = "true";
};
name = "incusbr0";
type = "bridge";
}
];
profiles = [
{
name = "default";
devices = {
root = {
path = "/";
pool = "default";
size = "32GiB";
type = "disk";
};
};
}
{
name = "nixos";
config = {
"security.nesting" = true;
};
}
{
name = "privileged";
config = {
"security.privileged" = true;
};
}
{
name = "autostart";
config = {
"boot.autostart" = true;
};
}
{
name = "net-bridged";
devices = {
eth0 = {
type = "nic";
nictype = "bridged";
parent = "vmbr0";
};
};
}
{
name = "homeassistant";
devices = {
root = {
path = "/";
pool = "default";
size = "128GiB";
type = "disk";
};
eth0 = {
type = "nic";
nictype = "bridged";
parent = "vmbr0";
};
zigbee = {
type = "usb";
productid = "55d4";
vendorid = "1a86";
};
p1 = {
type = "usb";
productid = "0403";
vendorid = "6001";
};
};
config = {
"limits.cpu" = 4;
"limits.memory" = "8GiB";
};
}
];
storage_pools = [
{
config = {
"lvm.thinpool_name" = "data";
"lvm.vg_name" = "data";
};
driver = "lvm";
name = "default";
}
];
config = {
"oidc.client.id" = "incus";
"oidc.issuer" = "https://id.datarift.nl/realms/datarift/.well-known/openid-configuration";
"core.https_address" = "[::]:8443";
};
};
};
};
systemd.services = {
incus = {
path = [
pkgs.nftables
pkgs.lvm2
pkgs.e2fsprogs
];
environment = {
INCUS_UI = pkgs.incus-ui;
};
};
incus-preseed = {
path = [ pkgs.lvm2 ];
};
};
networking.firewall.allowedTCPPorts = [
8443
];
}

View file

@ -1,7 +1,7 @@
{ self, caddy-with-plugins, ... }:
{ modulesPath, pkgs, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
];
@ -21,48 +21,67 @@
package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "7TWLOeEHn/cmpCXWuwLQrWpezrW6qcCERscutzYjpN0=";
vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
};
};
tailscale.enable = true;
};
boot.isContainer = true;
boot = {
isContainer = true;
kernel.sysctl = {
"net.core.rmem_max" = 2500000;
"net.core.wmem_max" = 2500000;
};
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
# networking = {
# hostName = "proxy";
# useDHCP = false;
networking = {
hostName = "proxy";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
# interfaces = {
# eth0 = {
# ipv4.addresses = [
# {
# address = "10.0.0.251";
# prefixLength = 24;
# }
# ];
# };
# };
# defaultGateway = "10.0.0.1";
# nameservers = [ "10.0.0.254" ];
# };
proxmoxLXC = {
privileged = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
services.tailscale.enable = true;
systemd.network = {
enable = true;
security.sudo.execWheelOnly = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.251/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
caddy-env = { };
};
system.stateVersion = "21.11";
system.stateVersion = "24.05";
}

View file

@ -8,29 +8,29 @@ sops:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2
Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF
YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv
VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB
rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNmVyOGtudS9ZdlpxVmpD
Qmd5dWlQRkJ0b3lrK1JrV0RXWjRzdHgyblZzCjlacnJra1NHT25oQ3V4NEc3K09k
MnBObjBXQTFxaHJNTmpsTVo4TDlCdjQKLS0tIGFZREpPWVI5a2ZDQjAxbkRHRTJ4
a1dYRzNXQWRrYkRESkRIVGljYlZDOGcKBdQ+F+5KmTpOkBR0UlTRdon+F+qWgQRA
oisOMoX/WFss3/CNJxr4LwqXFoinWQT7qiXXPsBiZ+VpsaBfPJ3sMw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw
ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho
anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO
K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du
g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeElXK2hjLzhQc2hpYUtT
VjAyM3lIcjdJNGQ0Ujh0S2U5eXlxYXFTU2swCjlMa2xTQTFqZUVQd3lMalRrSDds
aXJyM3B1ZFg3cWxKSHdpbWVxT3JKS3cKLS0tIHp0Q0dDM1d0aGNrQlA4bnlITE41
OWZIT3BZbCtLaFl5eU1CMlE3S3RNVUkKUShpf1ahWy5AF7UhucPcz1FzGF85Z26E
FbPEHzSfjLZoRtEaxXDOJVASd7xuGkb+L8g86rWR462atAI6lTuEfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m
- recipient: age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz
djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx
RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz
RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto
yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWtjd2h3N2lIbDNBZGpZ
VnViQ2FXY0hQaXV6RXZaYnRHODJFOVZOcEJZCmdXSjMrVTFBZzhlQS9XSWNmYzRs
NXVCT2N6NDlSbGhpNnZ0S0FhTFpEMjAKLS0tIGg1TDFrZ3RmVjBPR1hleWhwNWVC
UTFJZmxIK2YxY0FieFpoNVV4Z2ttK1UKeqJuuzuMyVayliFUscLSCtUZDjjZKaIg
Kp6952AQPC4h+7j61C0iqtqG8dxIABdJfu7gvdgEfpKltDae3vQR8w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-09T22:09:02Z"
mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]

View file

@ -1,7 +1,7 @@
{ self, ... }:
{ modulesPath, pkgs, lib, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
];
@ -15,11 +15,12 @@
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi;
unifiPackage = pkgs.unifi8;
# unifiPackage = pkgs.unifi.overrideAttrs (_oldAttrs: {
# version = "7.5.176";
# src = builtins.fetchurl {
@ -30,25 +31,53 @@
openFirewall = true;
};
networking.firewall = {
allowPing = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [ 8443 ];
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = {
privileged = true;
networking = {
hostName = "unifi";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall = {
trustedInterfaces = [ "tailscale0" ];
allowPing = true;
allowedTCPPorts = [ 8443 ];
};
};
services.tailscale.enable = true;
systemd.network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.207/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
security.sudo.execWheelOnly = true;
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { };

View file

@ -1,7 +1,7 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
@ -23,6 +23,7 @@
remote-builders = true;
};
unbound.enable = true;
tailscale.enable = true;
};
services.resolved.extraConfig = ''
@ -33,15 +34,44 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
proxmoxLXC = {
privileged = true;
networking = {
hostName = "valkyrie";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
networking.firewall.trustedInterfaces = [ "tailscale0" ];
systemd.network = {
enable = true;
security.sudo.execWheelOnly = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
services.tailscale.enable = true;
networkConfig = {
Address = "10.0.0.206/24";
Gateway = "10.0.0.1";
DNS = "127.0.0.1";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
system.stateVersion = "23.11";
}