asdf
This commit is contained in:
parent
c4b37568b5
commit
a4756c8466
16
flake.nix
16
flake.nix
@ -12,12 +12,14 @@
|
|||||||
# TODO_: Add any other flake you might need
|
# TODO_: Add any other flake you might need
|
||||||
hardware.url = "github:nixos/nixos-hardware";
|
hardware.url = "github:nixos/nixos-hardware";
|
||||||
|
|
||||||
|
# inputs.agenix.url = "github:ryantm/agenix";
|
||||||
|
|
||||||
# Shameless plug: looking for a way to nixify your themes and make
|
# Shameless plug: looking for a way to nixify your themes and make
|
||||||
# everything match nicely? Try nix-colors!
|
# everything match nicely? Try nix-colors!
|
||||||
# nix-colors.url = "github:misterio77/nix-colors";
|
# nix-colors.url = "github:misterio77/nix-colors";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { nixpkgs, ... }@inputs: {
|
outputs = { self, nixpkgs, ... }@inputs: {
|
||||||
# NixOS configuration entrypoint
|
# NixOS configuration entrypoint
|
||||||
# Available through 'nixos-rebuild --flake .#your-hostname'
|
# Available through 'nixos-rebuild --flake .#your-hostname'
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
@ -25,19 +27,25 @@
|
|||||||
pc-mans = nixpkgs.lib.nixosSystem {
|
pc-mans = nixpkgs.lib.nixosSystem {
|
||||||
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
||||||
# > Our main nixos configuration file <
|
# > Our main nixos configuration file <
|
||||||
modules = [ ./nixos/machines/pc-mans/configuration.nix ];
|
modules = [
|
||||||
|
./nixos/machines/pc-mans/configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
lpt-mans = nixpkgs.lib.nixosSystem {
|
lpt-mans = nixpkgs.lib.nixosSystem {
|
||||||
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
||||||
# > Our main nixos configuration file <
|
# > Our main nixos configuration file <
|
||||||
modules = [ ./nixos/machines/lpt-mans/configuration.nix ];
|
modules = [
|
||||||
|
./nixos/machines/lpt-mans/configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
srv01-home = nixpkgs.lib.nixosSystem {
|
srv01-home = nixpkgs.lib.nixosSystem {
|
||||||
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
specialArgs = { inherit inputs; }; # Pass flake inputs to our config
|
||||||
# > Our main nixos configuration file <
|
# > Our main nixos configuration file <
|
||||||
modules = [ ./nixos/machines/srv01-home/configuration.nix ];
|
modules = [
|
||||||
|
./nixos/machines/srv01-home/configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
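Review bot: `self` is added to the outputs argument set at `outputs = { self, nixpkgs, ... }@inputs: {` but nothing in either hunk of this section references it; the value is already reachable as `inputs.self` through the `@inputs` binding that `specialArgs = { inherit inputs; }` passes to every machine, so the explicit name looks unnecessary here. If it is kept for a use outside the view, a one-line comment on that line saying what needs it would keep the argument list self-explanatory. The `outputs` attribute set continues past the second hunk.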
@ -2,22 +2,48 @@
|
|||||||
# your system. Help is available in the configuration.nix(5) man page
|
# your system. Help is available in the configuration.nix(5) man page
|
||||||
# and in the NixOS manual (accessible by running `nixos-help`).
|
# and in the NixOS manual (accessible by running `nixos-help`).
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ inputs, lib, config, pkgs, ... }: {
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
imports =
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
inputs.hardware.nixosModules.common-cpu-amd
|
||||||
|
|
||||||
../../modules/docker.nix
|
../../modules/docker.nix
|
||||||
|
|
||||||
../../roles/server.nix
|
../../roles/server.nix
|
||||||
];
|
];
|
||||||
services.gitea-actions-runner.instances.test = {
|
services.haproxy = {
|
||||||
|
enable = true;
|
||||||
|
config = ''
|
||||||
|
global
|
||||||
|
daemon
|
||||||
|
maxconn 256
|
||||||
|
|
||||||
|
defaults
|
||||||
|
mode http
|
||||||
|
timeout connect 5000ms
|
||||||
|
timeout client 50000ms
|
||||||
|
timeout server 50000ms
|
||||||
|
|
||||||
|
frontend http-in
|
||||||
|
bind *:88
|
||||||
|
default_backend garage-web
|
||||||
|
|
||||||
|
backend garage-s3
|
||||||
|
server server1 127.0.0.1:3900 maxconn 32
|
||||||
|
backend garage-web
|
||||||
|
server server1 127.0.0.1:3902 maxconn 32
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.libvirtd.enable = true;
|
||||||
|
|
||||||
|
services.gitea-actions-runner.instances.nixos = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "NixOs";
|
name = "NixOs";
|
||||||
url = "https://git.mzsl.nl";
|
url = "https://git.mzsl.nl";
|
||||||
token = "kkhRRI5MsCDrqK30XLaLvSIYx5mjPUlJ0KBUl2OH";
|
token = "vKx7ZkXHrQES3cAgNTr0KhT0LQZK3gKj7KY2Jdk3";
|
||||||
labels = [
|
labels = [
|
||||||
"ubuntu-latest:docker://node:16-bullseye"
|
"ubuntu-latest:docker://node:16-bullseye"
|
||||||
"ubuntu-22.04:docker://node:16-bullseye"
|
"ubuntu-22.04:docker://node:16-bullseye"
|
||||||
@ -26,6 +52,43 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.prometheus = {
|
||||||
|
exporters = {
|
||||||
|
node = {
|
||||||
|
enable = true;
|
||||||
|
enabledCollectors = [ "systemd" ];
|
||||||
|
port = 9002;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# services.garage = {
|
||||||
|
# enable = true;
|
||||||
|
# package = pkgs.garage_0_8;
|
||||||
|
# settings = {
|
||||||
|
# metadata_dir = "/var/lib/garage/meta";
|
||||||
|
# data_dir = "/var/lib/garage/data";
|
||||||
|
# db_engine = "lmdb";
|
||||||
|
# compression_level = 2;
|
||||||
|
# replication_mode = "none";
|
||||||
|
# rpc_bind_addr = "[::]:3901";
|
||||||
|
# rpc_public_addr = "0.0.0.0:3901";
|
||||||
|
# rpc_secret = "aa6d8a7fc7a53d3c89b28838920eb75934ee8cb814b322c2c9f96af687a6f053";
|
||||||
|
#
|
||||||
|
# s3_api = {
|
||||||
|
# s3_region = "garage";
|
||||||
|
# api_bind_addr = "127.0.0.1:3900";
|
||||||
|
# root_domain = ".s3.mzsl.nl";
|
||||||
|
# };
|
||||||
|
#
|
||||||
|
# s3_web = {
|
||||||
|
# bind_addr = "127.0.0.1:3902";
|
||||||
|
# root_domain = ".site.mzsl.nl";
|
||||||
|
# index = "index.html";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
# boot.loader.systemd-boot.enable = true;
|
# boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
@ -55,20 +118,6 @@
|
|||||||
nameservers = ["1.1.1.1" "8.8.8.8"];
|
nameservers = ["1.1.1.1" "8.8.8.8"];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Configure keymap in X11
|
|
||||||
# services.xserver.layout = "us";
|
|
||||||
# services.xserver.xkbOptions = "";
|
|
||||||
|
|
||||||
# Enable CUPS to print documents.
|
|
||||||
# services.printing.enable = true;
|
|
||||||
|
|
||||||
# Enable sound.
|
|
||||||
# sound.enable = true;
|
|
||||||
# hardware.pulseaudio.enable = true;
|
|
||||||
|
|
||||||
# Enable touchpad support (enabled default in most desktopManager).
|
|
||||||
# services.xserver.libinput.enable = true;
|
|
||||||
|
|
||||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||||
users.users.adminmz = {
|
users.users.adminmz = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
@ -98,11 +147,52 @@
|
|||||||
# };
|
# };
|
||||||
|
|
||||||
# Open ports in the firewall.
|
# Open ports in the firewall.
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 22 ];
|
networking.firewall.allowedTCPPorts = [ 22 80 88 443 9002 2022 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 80 443 22 ];
|
networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820];
|
||||||
# Or disable the firewall altogether.
|
# Or disable the firewall altogether.
|
||||||
# networking.firewall.enable = false;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
|
networking.nat.enable = true;
|
||||||
|
networking.nat.externalInterface = "enp2s0";
|
||||||
|
networking.nat.internalInterfaces = [ "wg0" ];
|
||||||
|
|
||||||
|
networking.wireguard.interfaces = {
|
||||||
|
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
||||||
|
wg0 = {
|
||||||
|
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
||||||
|
ips = [ "10.100.0.1/24" ];
|
||||||
|
|
||||||
|
# The port that WireGuard listens to. Must be accessible by the client.
|
||||||
|
listenPort = 51820;
|
||||||
|
|
||||||
|
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
||||||
|
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
||||||
|
postSetup = ''
|
||||||
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
|
||||||
|
'';
|
||||||
|
|
||||||
|
# This undoes the above command
|
||||||
|
postShutdown = ''
|
||||||
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Path to the private key file.
|
||||||
|
#
|
||||||
|
# Note: The private key can also be included inline via the privateKey option,
|
||||||
|
# but this makes the private key world-readable; thus, using privateKeyFile is
|
||||||
|
# recommended.
|
||||||
|
privateKeyFile = "/etc/wireguard/private";
|
||||||
|
|
||||||
|
peers = [
|
||||||
|
# List of allowed peers.
|
||||||
|
{ # PC werk
|
||||||
|
publicKey = "0PWQA3zf48RFFJXMxPE/i6FWzbH9FzKliRugtDVmPlY=";
|
||||||
|
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
||||||
|
allowedIPs = [ "10.100.0.2/32" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
# on your system were taken. It's perfectly fine and recommended to leave
|
||||||
|
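Review bot: The Gitea Actions runner registration token is committed in clear text at `token = "vKx7ZkXHrQES3cAgNTr0KhT0LQZK3gKj7KY2Jdk3";`, and the value it replaces stays in the repository history, so both should be treated as exposed and revoked on the Gitea side. The runner module offers `tokenFile`, which points at a file holding the token outside the repository (the flake already mentions agenix in a comment as one way to manage such a file), so the line should become `tokenFile = "<path-to-token-file-outside-repo>";` with no inline `token`; the commented garage block below carries an `rpc_secret` value in the same way and should lose it too. Separately, in the last hunk `networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820];` mirrors the TCP list although only the WireGuard `listenPort = 51820` is a UDP service in this file, and opening 9002 on both protocols exposes the node exporter on every interface; presumably only 51820 belongs in the UDP list, and the exporter can be restricted with `listenAddress` to the tunnel address `10.100.0.1` if it is only scraped over WireGuard. The module attribute set opened at `{ inputs, lib, config, pkgs, ... }: {` closes outside the hunks shown.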
@ -3,6 +3,7 @@
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../modules/ssh.nix
|
../modules/ssh.nix
|
||||||
|
../modules
|
||||||
];
|
];
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|