This commit is contained in:
Mans Ziesel 2023-06-28 22:14:05 +02:00
parent c4b37568b5
commit a4756c8466
3 changed files with 124 additions and 25 deletions

View File

@ -12,12 +12,14 @@
# TODO_: Add any other flake you might need # TODO_: Add any other flake you might need
hardware.url = "github:nixos/nixos-hardware"; hardware.url = "github:nixos/nixos-hardware";
# inputs.agenix.url = "github:ryantm/agenix";
# Shameless plug: looking for a way to nixify your themes and make # Shameless plug: looking for a way to nixify your themes and make
# everything match nicely? Try nix-colors! # everything match nicely? Try nix-colors!
# nix-colors.url = "github:misterio77/nix-colors"; # nix-colors.url = "github:misterio77/nix-colors";
}; };
outputs = { nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, ... }@inputs: {
# NixOS configuration entrypoint # NixOS configuration entrypoint
# Available through 'nixos-rebuild --flake .#your-hostname' # Available through 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = { nixosConfigurations = {
@ -25,19 +27,25 @@
pc-mans = nixpkgs.lib.nixosSystem { pc-mans = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; }; # Pass flake inputs to our config specialArgs = { inherit inputs; }; # Pass flake inputs to our config
# > Our main nixos configuration file < # > Our main nixos configuration file <
modules = [ ./nixos/machines/pc-mans/configuration.nix ]; modules = [
./nixos/machines/pc-mans/configuration.nix
];
}; };
lpt-mans = nixpkgs.lib.nixosSystem { lpt-mans = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; }; # Pass flake inputs to our config specialArgs = { inherit inputs; }; # Pass flake inputs to our config
# > Our main nixos configuration file < # > Our main nixos configuration file <
modules = [ ./nixos/machines/lpt-mans/configuration.nix ]; modules = [
./nixos/machines/lpt-mans/configuration.nix
];
}; };
srv01-home = nixpkgs.lib.nixosSystem { srv01-home = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; }; # Pass flake inputs to our config specialArgs = { inherit inputs; }; # Pass flake inputs to our config
# > Our main nixos configuration file < # > Our main nixos configuration file <
modules = [ ./nixos/machines/srv01-home/configuration.nix ]; modules = [
./nixos/machines/srv01-home/configuration.nix
];
}; };
}; };
}; };

View File

@ -2,22 +2,48 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`). # and in the NixOS manual (accessible by running `nixos-help`).
{ config, pkgs, ... }: { inputs, lib, config, pkgs, ... }: {
{
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
inputs.hardware.nixosModules.common-cpu-amd
../../modules/docker.nix ../../modules/docker.nix
../../roles/server.nix ../../roles/server.nix
]; ];
services.gitea-actions-runner.instances.test = { services.haproxy = {
enable = true;
config = ''
global
daemon
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:88
default_backend garage-web
backend garage-s3
server server1 127.0.0.1:3900 maxconn 32
backend garage-web
server server1 127.0.0.1:3902 maxconn 32
'';
};
virtualisation.libvirtd.enable = true;
services.gitea-actions-runner.instances.nixos = {
enable = true; enable = true;
name = "NixOs"; name = "NixOs";
url = "https://git.mzsl.nl"; url = "https://git.mzsl.nl";
token = "kkhRRI5MsCDrqK30XLaLvSIYx5mjPUlJ0KBUl2OH"; token = "vKx7ZkXHrQES3cAgNTr0KhT0LQZK3gKj7KY2Jdk3";
labels = [ labels = [
"ubuntu-latest:docker://node:16-bullseye" "ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye" "ubuntu-22.04:docker://node:16-bullseye"
@ -26,6 +52,43 @@
]; ];
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
# services.garage = {
# enable = true;
# package = pkgs.garage_0_8;
# settings = {
# metadata_dir = "/var/lib/garage/meta";
# data_dir = "/var/lib/garage/data";
# db_engine = "lmdb";
# compression_level = 2;
# replication_mode = "none";
# rpc_bind_addr = "[::]:3901";
# rpc_public_addr = "0.0.0.0:3901";
# rpc_secret = "aa6d8a7fc7a53d3c89b28838920eb75934ee8cb814b322c2c9f96af687a6f053";
#
# s3_api = {
# s3_region = "garage";
# api_bind_addr = "127.0.0.1:3900";
# root_domain = ".s3.mzsl.nl";
# };
#
# s3_web = {
# bind_addr = "127.0.0.1:3902";
# root_domain = ".site.mzsl.nl";
# index = "index.html";
# };
# };
# };
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
# boot.loader.systemd-boot.enable = true; # boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
@ -55,20 +118,6 @@
nameservers = ["1.1.1.1" "8.8.8.8"]; nameservers = ["1.1.1.1" "8.8.8.8"];
}; };
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.adminmz = { users.users.adminmz = {
isNormalUser = true; isNormalUser = true;
@ -98,11 +147,52 @@
# }; # };
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 80 443 22 ]; networking.firewall.allowedTCPPorts = [ 22 80 88 443 9002 2022 ];
networking.firewall.allowedUDPPorts = [ 80 443 22 ]; networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820];
# Or disable the firewall altogether. # Or disable the firewall altogether.
# networking.firewall.enable = false; networking.firewall.enable = true;
networking.nat.enable = true;
networking.nat.externalInterface = "enp2s0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/etc/wireguard/private";
peers = [
# List of allowed peers.
{ # PC werk
publicKey = "0PWQA3zf48RFFJXMxPE/i6FWzbH9FzKliRugtDVmPlY=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave # on your system were taken. It's perfectly fine and recommended to leave

View File

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../modules/ssh.nix ../modules/ssh.nix
../modules
]; ];
options = { options = {