erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Compare commits

base: erwin:4b4ace72b24afb72533b0c4c311543210ebb67a6
Branches Tags
erwin:main
..
compare: erwin:cf8e6ee452d5924bc91cc11a8cbdb73cd8475878
Branches Tags
erwin:main

No commits in common. "4b4ace72b24afb72533b0c4c311543210ebb67a6" and "cf8e6ee452d5924bc91cc11a8cbdb73cd8475878" have entirely different histories.
4b4ace72b2 ... cf8e6ee452

7 changed files with 29 additions and 203 deletions
Show stats Expand all files Collapse all files

7
.sops.yaml
View file

@ -5,7 +5,6 @@ keys:
- &ci age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l - &ci age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
- &frigate age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf - &frigate age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
- &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd - &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
- &gitea-runner age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
- &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
- &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
- &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5 - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
@ -42,12 +41,6 @@ creation_rules:
- *erwin - *erwin
- *erwin_horus - *erwin_horus
- *gitea - *gitea
- path_regex: machines/gitea-runner/[^/]+\.yaml$
key_groups:
- age:
- *erwin
- *erwin_horus
- *gitea-runner
- path_regex: machines/heimdall/[^/]+\.yaml$ - path_regex: machines/heimdall/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:

14
home-manager/modules/nushell/config.nu
View file

@ -1,13 +1,5 @@
let carapace_completer = {|spans| let carapace_completer = {|spans|
let expanded_alias = (scope aliases | where name == $spans.0 | get -i 0 | get -i expansion) carapace $spans.0 nushell ... | from json
let spans = (if $expanded_alias != null {
spans | skip 1 | prepend ($expanded_alias | split row " " | take 1)
} else {
$spans
})
carapace $spans.0 nushell ...$spans | from json
} }
# The default config record. This is where much of your global configuration is setup. # The default config record. This is where much of your global configuration is setup.
@ -50,7 +42,7 @@ $env.config = {
if ($candidates | is-empty) { if ($candidates | is-empty) {
return null return null
} }
let packages = ($candidates | each {|pkg| $"\tnix shell nixpkgs#($pkg.package)" } | str join "\n") let packages = ($candidates | each {|pkg| $"\tnix shell nixpkgs#($pkg.package)" } | str join "\n")
let multiple = if ($candidates | length) > 1 { " one of the following" } else { "" } let multiple = if ($candidates | length) > 1 { " one of the following" } else { "" }
( (
$"The program (ansi $env.config.color_config.shape_external)($cmdname)(ansi reset) " + $"The program (ansi $env.config.color_config.shape_external)($cmdname)(ansi reset) " +

27
machines/default.nix
View file

@ -1,14 +1,14 @@
inputs: { inputs: {
ci = { ci = {
config = import ./ci/configuration.nix inputs; config = import ./ci/configuration.nix inputs;
# deploy = { deploy = {
# # host = "10.0.0.202"; # host = "10.0.0.202";
# host = "ci.barn-beaver.ts.net"; host = "ci.barn-beaver.ts.net";
# sshUser = "erwin"; sshUser = "erwin";
# buildOn = "local"; buildOn = "local";
# substituteOnTarget = true; substituteOnTarget = true;
# tags = [ "container" ]; tags = [ "container" ];
# }; };
}; };
frigate = { frigate = {
config = import ./frigate/configuration.nix inputs; config = import ./frigate/configuration.nix inputs;
@ -32,17 +32,6 @@ inputs: {
tags = [ "container" ]; tags = [ "container" ];
}; };
}; };
gitea-runner = {
config = import ./gitea-runner/configuration.nix inputs;
deploy = {
# host = "10.0.0.210";
host = "gitea-runner.barn-beaver.ts.net";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
};
};
heimdall = { heimdall = {
config = import ./heimdall/configuration.nix inputs; config = import ./heimdall/configuration.nix inputs;
deploy = { deploy = {

78
machines/gitea-runner/configuration.nix
View file

@ -1,78 +0,0 @@
{ self, ... }:
{ modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./gitea-runner
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
podman.enable = true;
tailscale.enable = true;
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "gitea-runner";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = false;
firewall = {
trustedInterfaces = [ "tailscale0" ];
};
};
systemd.network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.210/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
runner-nix-token = { };
};
system.stateVersion = "24.05";
}

31
machines/gitea-runner/gitea-runner/default.nix
View file

@ -1,31 +0,0 @@
{ pkgs, config, ... }: {
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances = {
nix = {
name = "nix";
enable = true;
url = "https://git.datarift.nl";
tokenFile = config.sops.secrets.runner-nix-token.path;
labels = [
"nix:docker://ghcr.io/eboskma/forgejo-nix-runner:latest"
];
settings = {
runner = {
capacity = 1;
};
container = {
privileged = true;
valid_volumes = [
"/nix"
"/run/podman/podman.sock"
"/etc/containers/policy.json"
];
docker_host = "-";
};
};
};
};
};
}

39
machines/gitea-runner/secrets.yaml
View file

@ -1,39 +0,0 @@
runner-nix-token: ENC[AES256_GCM,data:jZjs3RGr7Ga0Vf+O40o0PggDMD7T1y/zOEiOgD9quDo7u7Xce5sJxxl+Wzu0nw==,iv:to+r5Q0xO3TKtgWYF47Jur5Os93mfkCOXyXWkLfhG3c=,tag:kVbSOLCbxCgEhYZoXDM65g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRVhralpxUDBGZ1FXdllT
Z0dZYnErZDZmdlpuUTIzUVY3dndvWmNURlhJCnd4WEkwUE5RY2lBL0RwbzZ4VHFj
T2g2a01kbmF6RjE2bUNobVJ1ejdVREEKLS0tIFBGd2VHTkxIYVRNb3ZTMGtpZVM4
NjEwUUI4RWtleU10d1hmaFp4cXNZdHMKM/HEhoyImQ+VI+is4ylOixEZLqaVkVJd
O3MYXhRYT+ZpxqfIjVgV/eKSiLQp4S6rrYaFu/2Fxrqs3SahUkKStQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OElSUDBCbzRNOGU2VDhG
dEo4WEFvZWM3dDc0ZlhRdGVNZnBjRWFHbUJJClhWZ2pBWHNBb0VobVhHbTU0Tko4
bVMwNEphNDR1QVRtT3RLNHJsZFRkL0UKLS0tIEdjcVYzMW1IWlJBM0Fnc2ZSMXFu
UWZ3VDg1WFlCbnZZU3hMUVpUeFVaMVUKgGsTLinuI1dfAhZmLrbWLYf0tp0NYeu3
q1o53uBuMSyHZbS7RSxXuq6BdudHaNNZaQJJps2tdMpfvuC3YQnvdw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGhSLzFyaFR1cUZHb3Ez
K01oMEpEazNhOENTSzB4bUxhZE9XN29NUzJZCkxNdzQvUVB6Nlk4bHVPMUpNODdI
T3dmMlZQOWM3Wk9NazBwcWJmamI1M00KLS0tIG9qclJXaVA2SEthODkxRGIrTm4w
ZnlXMVd2OThCVmRnb1NWK1VWdTJndk0K41fiD0QsAorIZ6wuIty4+U22ET0+pGla
sAUGsOtBZ/vGSkCwc3lBHtdPKBWwY6J4B/ytS/H6Dnauw4RvOzjgbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-24T11:13:17Z"
mac: ENC[AES256_GCM,data:R6r0IhmAXGlqQeo0A5beEbgolOX5rrXx32MlPjpPjybarB+0S6Jfu0tEWuMLy60sQ9j1xvkV7zF9HVfS+O+HLBVqTHolQ0HmFn6KmtK1bajXKSzOloRkKkooDvSvZJBlomRKPBsSNeXr0zqh2KbJzMRPIblnEXhq//hYWF8Q64A=,iv:iF1lDC/xPU145rbcslRDD3399h33TQe/XSmQah19XhY=,tag:n35gtrKF6eDyldAGl3rcZw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

36
modules/podman/default.nix
View file

@ -13,11 +13,6 @@ in
enable = mkEnableOption "podman"; enable = mkEnableOption "podman";
enableNvidia = mkEnableOption "podman NVidia support"; enableNvidia = mkEnableOption "podman NVidia support";
# enableTcpSocket = mkEnableOption "podman TCP socket"; # enableTcpSocket = mkEnableOption "podman TCP socket";
insecureRegistries = mkOption {
description = "List of insecure registries that don't have a (valid) certificate";
type = types.listOf types.str;
default = [ ];
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -38,21 +33,25 @@ in
}; };
virtualisation.containers = { virtualisation.containers = {
enable = true;
registries = { registries = {
insecure = cfg.insecureRegistries; insecure = [ "containers.internal.horus.nu" ];
search = [
"docker.io"
"quay.io"
"containers.internal.horus.nu"
];
};
containersConf.settings = {
engine = {
helper_binaries_dir = [
"${pkgs.podman}/libexec/podman"
];
};
containers = {
log_driver = "k8s-file";
events_logger = "journald";
};
}; };
# containersConf.settings = {
# engine = {
# helper_binaries_dir = [
# "${pkgs.podman}/libexec/podman"
# ];
# };
# containers = {
# log_driver = "k8s-file";
# events_logger = "journald";
# };
# };
}; };
users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ]; users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
@ -60,6 +59,7 @@ in
# Make DNS work in containers # Make DNS work in containers
networking.firewall.interfaces.${podmanInterfaces} = { networking.firewall.interfaces.${podmanInterfaces} = {
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
}; };
# services.ghostunnel = mkIf cfg.enableTcpSocket { # services.ghostunnel = mkIf cfg.enableTcpSocket {