D hosts/dns/default.nix => hosts/dns/default.nix +0 -17
@@ 1,17 0,0 @@
-{config, ...}: {
- sops.secrets.rootPwd.neededForUsers = true;
- sops.secrets.liljamoPwd.neededForUsers = true;
-
- roles.base = {
- root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
- primaryUser = {
- username = "liljamo";
- hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
- };
- };
-
- roles.tailscale = {
- enable = true;
- enableSSH = true;
- };
-}
A lxc/.gitignore => lxc/.gitignore +1 -0
A lxc/flake.lock => lxc/flake.lock +161 -0
@@ 0,0 1,161 @@
+{
+ "nodes": {
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1727826117,
+ "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1729386149,
+ "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1729472750,
+ "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1731245184,
+ "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1731497087,
+ "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1731489818,
+ "narHash": "sha256-VpMvK9x/CWykzWEENEpukNNIE3oW6M5NGNv3tdKB9OY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "1252394ddb5900089300b8e602302c0fa85da4d2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1730327045,
+ "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "080166c15633801df010977d9d7474b4a6c549d7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1731245184,
+ "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-parts": "flake-parts",
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1729999681,
+ "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
A lxc/flake.nix => lxc/flake.nix +18 -0
@@ 0,0 1,18 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ nixos-generators.url = "github:nix-community/nixos-generators";
+ sops-nix.url = "github:Mic92/sops-nix";
+ };
+
+ outputs = inputs @ {self, ...}:
+ inputs.flake-parts.lib.mkFlake {inherit inputs;} {
+ imports = [
+ ./systems.nix
+ ];
+
+ systems = [];
+ };
+}
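Review bot: `self` is bound in `outputs = inputs @ {self, ...}:` but never used; the body only forwards `inputs` to `mkFlake`, so `outputs = inputs: inputs.flake-parts.lib.mkFlake {inherit inputs;} {` is equivalent without the unused binding. A short comment on `systems = [];` such as `# no perSystem outputs; every host is declared in systems.nix` would tell a reader who expects `perSystem` entries why the list is empty.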
A lxc/hosts/default.nix => lxc/hosts/default.nix +7 -0
@@ 0,0 1,7 @@
+profiles: {
+ dns = {
+ system = "x86_64-linux";
+ profile = profiles.generic;
+ modules = [];
+ };
+}
R systems/hosts/dns/default.nix => lxc/hosts/dns/default.nix +10 -2
@@ 1,4 1,8 @@
-{artautil, ...}: let
+{
+ config,
+ util,
+ ...
+}: let
proxyAlias = "proxy.home.arpa";
proxyIP = "10.1.2.10";
@@ 12,6 16,10 @@
rlUrl = ".rustylily.home.arpa";
uwUrl = ".uwulpine.home.arpa";
in {
+ sops.secrets.rootPwd.neededForUsers = true;
+
+ roles.base.root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+
networking.firewall.allowedTCPPorts = [
portDoT
portWebDoH
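Review bot: The module now receives `util` in its argument set, but `proxyIP = "10.1.2.10";` in the context just above this hunk still hardcodes an address that lxc/util.nix already assigns to `proxy`; `proxyIP = util.getIPv4 "proxy";` keeps one source of truth for the map that `util.getDNSEntries` is derived from. The two added lines `sops.secrets.rootPwd.neededForUsers = true;` and `roles.base.root.hashedPasswordFile = config.sops.secrets.rootPwd.path;` will have to be repeated by every host, because lxc/roles/base.nix makes `hashedPasswordFile` mandatory and reads it unconditionally; moving them into lxc/profiles/generic/generic.nix would avoid per-host duplication. The enclosing `in { … }` attribute set continues past the end of this hunk.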
@@ 45,7 53,7 @@ in {
"registry${uwUrl}" = proxyIP;
"registryui${uwUrl}" = proxyIP;
}
- // artautil.getDNSEntries "lxc";
+ // util.getDNSEntries;
};
blocking = {
blackLists = {
A lxc/profiles/common/nix.nix => lxc/profiles/common/nix.nix +14 -0
@@ 0,0 1,14 @@
+{
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ trusted-users = ["@wheel"];
+ };
+ };
+}
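Review bot: `trusted-users = ["@wheel"];` gives every member of wheel the Nix daemon's trusted-user rights (overriding substituters, sandbox and other daemon settings), which is effectively root-equivalent, while nothing in this profile creates a non-root user: lxc/roles/base.nix manages only `root`, and lxc/profiles/generic/generic.nix already sets `nix.settings.trusted-users = ["root"];`. Since list options merge, the effective value is both entries, so the `@wheel` entry is dead today and becomes a silent privilege grant as soon as a wheel user is added. Drop the line, or make the intent explicit here with `trusted-users = ["root"]; # root-equivalent; extend deliberately, not via @wheel` and remove the duplicate in generic.nix.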
A lxc/profiles/default.nix => lxc/profiles/default.nix +3 -0
@@ 0,0 1,3 @@
+lib: inputs: {
+ generic = import ./generic lib inputs;
+}
A lxc/profiles/generic/default.nix => lxc/profiles/generic/default.nix +22 -0
@@ 0,0 1,22 @@
+lib: inputs: {
+ modules = [
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ {
+ proxmoxLXC.manageNetwork = true;
+ proxmoxLXC.manageHostName = true;
+ }
+
+ inputs.sops-nix.nixosModules.sops
+
+ ../../roles
+
+ ../common/nix.nix
+
+ ./generic.nix
+ ./roles.nix
+ ];
+ specialArgs = {
+ inherit inputs;
+ util = import ../../util.nix {inherit lib;};
+ };
+}
A lxc/profiles/generic/generic.nix => lxc/profiles/generic/generic.nix +53 -0
@@ 0,0 1,53 @@
+{
+ util,
+ config,
+ lib,
+ ...
+}: {
+ sops.defaultSopsFile = ../../../secrets/${config.networking.hostName}/secrets.yaml;
+
+ time.timeZone = "Europe/Helsinki";
+
+ networking.defaultGateway = {
+ address = "10.1.2.1";
+ interface = "eth0";
+ };
+ networking.nameservers = ["10.1.2.3"];
+ networking.interfaces."eth0".ipv4.addresses = [
+ {
+ address = util.getIPv4 config.networking.hostName;
+ prefixLength = 24;
+ }
+ ];
+
+ nix.settings.trusted-users = ["root"];
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAlif3ABIk0YSx++A+sEeRYPNMMZWLcDuoTKhmcCL6K jonni@liljamo.com"
+ ];
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ };
+
+ systemd.suppressedSystemUnits = [
+ "systemd-udev-trigger.service"
+ "systemd-udevd.service"
+ "sys-fs-fuse-connections.mount"
+ "sys-kernel-debug.mount"
+ "dev-mqueue.mount"
+ ];
+ services = {
+ journald.extraConfig = "SystemMaxUse=4G";
+ cron.systemCronJobs = [
+ "0 22 * * * root journalctl --vacuum-time=7d"
+ ];
+ };
+}
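Review bot: `networking.nameservers = ["10.1.2.3"];` repeats the address that lxc/util.nix assigns to `dns`, even though `util` is an argument of this module and is already used for the interface address a few lines below; `networking.nameservers = [(util.getIPv4 "dns")];` keeps the resolver in step with the address map. The `systemd.suppressedSystemUnits` list carries no explanation; a comment like `# udev and these kernel mounts cannot be managed from inside an LXC guest, so suppress the units that would otherwise fail` would help (reason presumed — confirm against the proxmox-lxc module). `sops.defaultSopsFile` is built from `networking.hostName`, so a host without a matching secrets directory fails at evaluation; a one-line comment stating that every host needs `secrets/<hostName>/secrets.yaml` makes that contract visible.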
A lxc/profiles/generic/roles.nix => lxc/profiles/generic/roles.nix +26 -0
@@ 0,0 1,26 @@
+{
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+
+ roles.prometheus.exporters = {
+ enable = true;
+ openFirewall = true;
+ node = {
+ enable = true;
+ extraFlags = [
+ "--collector.disable-defaults"
+ "--collector.filesystem"
+ "--collector.stat"
+ "--collector.time"
+ ];
+ };
+ systemd.enable = true;
+ };
+
+ roles.cadvisor = {
+ enable = true;
+ openFirewall = true;
+ };
+}
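Review bot: `openFirewall = true;` on both `roles.prometheus.exporters` and `roles.cadvisor` opens 9100, 9558 and 9080 to every host on the subnet, and cadvisor (lxc/roles/cadvisor.nix) binds `0.0.0.0`, so process and container metrics are readable by any LAN peer rather than only the scraper that lxc/util.nix names `metrics` (10.1.2.5). If that host is the only intended client, restrict the rules to its source address (e.g. via `networking.firewall.extraCommands`) or bind the exporters to the Tailscale interface rather than opening the ports globally. Either way, a comment on this block naming which host is expected to scrape these endpoints would document the intended trust boundary.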
A lxc/roles/base.nix => lxc/roles/base.nix +23 -0
@@ 0,0 1,23 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.roles.base;
+in {
+ options.roles.base = {
+ root = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ hashedPasswordFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ };
+ };
+ };
+ };
+
+ config = {
+ users.users.root.hashedPasswordFile = cfg.root.hashedPasswordFile;
+ };
+}
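Review bot: `hashedPasswordFile` is a mandatory option with no `description`, and the `config` block reads it unconditionally, so any host importing the roles without setting `roles.base.root.hashedPasswordFile` fails at evaluation with a generic "option used but not defined" message. Add `description = "Path to a file holding root's hashed password; the sops secret behind it must set neededForUsers = true so it exists when users are created.";` — that `neededForUsers` requirement is what lxc/hosts/dns/default.nix satisfies and is otherwise undocumented. Consider `default = {};` on the `root` submodule so the error points at the missing `hashedPasswordFile` rather than the whole `root` set.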
A lxc/roles/cadvisor.nix => lxc/roles/cadvisor.nix +32 -0
@@ 0,0 1,32 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.roles.cadvisor;
+in {
+ options.roles.cadvisor = {
+ enable = lib.mkEnableOption "cadvisor";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9080;
+ };
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Wheter to open firewall port for cadvisor";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
+ cfg.port
+ ];
+
+ services.cadvisor = {
+ enable = true;
+ listenAddress = "0.0.0.0";
+ port = cfg.port;
+ };
+ };
+}
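Review bot: The `openFirewall` description reads `"Wheter to open firewall port for cadvisor"`; it should be `"Whether to open the firewall port for cadvisor"` (the same typo is in lxc/roles/prometheus.nix). `listenAddress = "0.0.0.0";` is hardcoded while `port` is configurable; a `listenAddress` option defaulting to `"0.0.0.0"` would let a host bind cadvisor to its Tailscale or management address without changing behaviour for existing callers. A `description` on `port` would complete the option docs.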
A lxc/roles/default.nix => lxc/roles/default.nix +9 -0
@@ 0,0 1,9 @@
+{
+ imports = [
+ ./base.nix
+
+ ./cadvisor.nix
+ ./prometheus.nix
+ ./tailscale.nix
+ ];
+}
A lxc/roles/prometheus.nix => lxc/roles/prometheus.nix +70 -0
@@ 0,0 1,70 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.roles.prometheus;
+in {
+ options.roles.prometheus = {
+ exporters = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ enable = lib.mkEnableOption "prometheus exporters";
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Wheter to open firewall ports for enabled exporters";
+ };
+ node = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ enable = lib.mkEnableOption "node exporter";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9100;
+ };
+ extraFlags = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ };
+ };
+ };
+ };
+ systemd = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ enable = lib.mkEnableOption "systemd exporter";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9558;
+ };
+ };
+ };
+ };
+ };
+ };
+ default = {};
+ };
+ };
+
+ # FIXME: this or top level prometheus server enable
+ config = lib.mkIf cfg.exporters.enable {
+ # FIXME: only open for exporters that are enabled
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall [
+ cfg.exporters.node.port
+ cfg.exporters.systemd.port
+ ];
+
+ services.prometheus.exporters = lib.mkIf cfg.exporters.enable {
+ node = lib.mkIf cfg.exporters.node.enable {
+ enable = true;
+ port = cfg.exporters.node.port;
+ extraFlags = cfg.exporters.node.extraFlags;
+ };
+ systemd = lib.mkIf cfg.exporters.systemd.enable {
+ enable = true;
+ port = cfg.exporters.systemd.port;
+ };
+ };
+ };
+}
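Review bot: The `# FIXME: only open for exporters that are enabled` can be closed in this hunk with `networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall (lib.optional cfg.exporters.node.enable cfg.exporters.node.port ++ lib.optional cfg.exporters.systemd.enable cfg.exporters.systemd.port);`, which stops opening 9100 or 9558 for an exporter that is not running. The inner `lib.mkIf cfg.exporters.enable` on `services.prometheus.exporters` is redundant, since the whole `config` block is already under that condition. The `Wheter` in the `openFirewall` description should be `Whether`.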
A lxc/roles/tailscale.nix => lxc/roles/tailscale.nix +34 -0
@@ 0,0 1,34 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.roles.tailscale;
+in {
+ options.roles.tailscale = {
+ enable = lib.mkEnableOption "Tailscale";
+ authKeyFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ };
+ interfaceName = lib.mkOption {
+ type = lib.types.str;
+ default = "tailscale0";
+ };
+ enableSSH = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ authKeyFile = lib.mkIf (cfg.authKeyFile != null) cfg.authKeyFile;
+ extraUpFlags = lib.mkIf (cfg.enableSSH) ["--ssh"]; # TODO: Make modular for multiple possible flags.
+ interfaceName = cfg.interfaceName;
+ openFirewall = false;
+ useRoutingFeatures = "none";
+ };
+ };
+}
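Review bot: `enableSSH` turns on Tailscale SSH (`--ssh`) without a description, and that server is run by tailscaled under the tailnet's SSH policy, so the sshd hardening in lxc/profiles/generic/generic.nix (`PermitRootLogin`, `PasswordAuthentication`) does not gate it; add `description = "Enable Tailscale SSH; access is controlled by the tailnet's SSH policy, not by sshd settings.";` so the second access path is visible where it is enabled. `authKeyFile = lib.mkIf (cfg.authKeyFile != null) cfg.authKeyFile;` can become `authKeyFile = cfg.authKeyFile;` if the upstream option defaults to null as it appears to, since the role's own default is already null. The TODO on `extraUpFlags` is resolved by `extraUpFlags = lib.optional cfg.enableSSH "--ssh";`, which composes naturally once more flags are added.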
A lxc/systems.nix => lxc/systems.nix +45 -0
@@ 0,0 1,45 @@
+{
+ lib,
+ inputs,
+ ...
+}: {
+ flake = let
+ mkHost = name: cfg:
+ inputs.nixpkgs.lib.nixosSystem {
+ system = cfg.system;
+ specialArgs = cfg.profile.specialArgs;
+ modules =
+ cfg.profile.modules
+ ++ cfg.modules
+ ++ [
+ ./hosts/${name}
+ {
+ networking.hostName = name;
+ }
+ ];
+ };
+
+ /*
+ mkLXCTemplatePackage = name: cfg:
+ inputs.nixos-generators.nixosGenerate {
+ system = cfg.system;
+ specialArgs = cfg.profile.specialArgs;
+ modules =
+ cfg.profile.modules
+ ++ cfg.modules
+ ++ [
+ {
+ networking.hostName = name;
+ }
+ ];
+ format = "proxmox-lxc";
+ };
+ */
+
+ profiles = import ./profiles lib inputs;
+ hosts = import ./hosts profiles;
+ in {
+ nixosConfigurations = lib.mapAttrs mkHost hosts;
+ #packages.x86_64-linux = inputs.nixpkgs.lib.mapAttrs mkLXCTemplatePackage templatePackages;
+ };
+}
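Review bot: The commented-out `mkLXCTemplatePackage` and the `#packages.x86_64-linux = … templatePackages` line are dead code referencing `templatePackages`, which is defined nowhere in the new tree, so they cannot be revived by uncommenting; either remove them or keep a single documented follow-up. `mkHost` and the commented generator duplicate the same `cfg.profile.modules ++ cfg.modules ++ [ … ]` assembly, so a shared `mkModules = name: cfg: …` helper would keep the two aligned if the generator returns. A one-line comment above `mkHost` noting that `specialArgs` comes from the profile (lxc/profiles/generic/default.nix) would help a reader locate where `util` is injected.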
R tamma.yaml => lxc/tamma.yaml +0 -0
A lxc/util.nix => lxc/util.nix +27 -0
@@ 0,0 1,27 @@
+{lib, ...}: let
+ hostnameIPv4 = {
+ "dns" = "10.1.2.3";
+ "metrics" = "10.1.2.5";
+ "oci" = "10.1.2.9";
+ "proxy" = "10.1.2.10";
+ "auth" = "10.1.2.12";
+ "cloud" = "10.1.2.15";
+ "social" = "10.1.2.17";
+ };
+
+ # getIPv4 "hostname"
+ getIPv4 = hostname: hostnameIPv4.${hostname};
+
+ # getHostnames
+ getHostnames = builtins.attrNames hostnameIPv4;
+
+ # getDNSEntries
+ getDNSEntries =
+ lib.attrsets.mapAttrs'
+ (name: value: lib.attrsets.nameValuePair (name + ".home.arpa") value)
+ hostnameIPv4;
+in {
+ getIPv4 = getIPv4;
+ getHostnames = getHostnames;
+ getDNSEntries = getDNSEntries;
+}
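Review bot: `getIPv4 = hostname: hostnameIPv4.${hostname};` fails on an unknown host with a bare "attribute missing" error that names neither the host nor the map to fix; `getIPv4 = hostname: hostnameIPv4.${hostname} or (throw "util.getIPv4: no IPv4 address registered for host '${hostname}'");` gives an actionable message. The comments `# getHostnames` and `# getDNSEntries` only repeat the names; say what each yields, e.g. `# getDNSEntries: attrset mapping "<host>.home.arpa" -> IPv4, derived from hostnameIPv4`. The export block can be written `inherit getIPv4 getHostnames getDNSEntries;`.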
M secrets/dns/secrets.yaml => secrets/dns/secrets.yaml +3 -4
@@ 1,5 1,4 @@
-rootPwd: ENC[AES256_GCM,data:cuZt7paSCrVK7rp88SXhrFmko7YLIWgNG3KNmcelCBJBvoCAlLwSdfXMKljMGWTBB5qs+GQTSYlbPlqjRfWEX/imABrivg8YMGNn4o8O0hkWvyc9IYCGFVaTJkrB5gNpkMLEHda05Wvf/w==,iv:n+tuhDnyYIe9xl9YYPkhMnh5W/g3Ceg7E5Nuy5pu97s=,tag:aq37MjrsizGuwIHgDGt2dw==,type:str]
-liljamoPwd: ENC[AES256_GCM,data:MMissiTedcpmM7cWGm3PL3/7mrRMLcHatf4BHTcrR1BjGkpEuSIwFxQGgbhulj2Taa4djdL7013tS6Jbb+Hz/o/yL1SrKDD5w0y1hwXcjfDYTsys9uly5UoCtQDLG0gFn4FLxv00ATufdw==,iv:psHrWXFAsUKcgDnDjAOdAOo6bF8h8yr/MLyJeC1+cRI=,tag:BC4EaIT3Rqw/2W1LXxxIvA==,type:str]
+rootPwd: ENC[AES256_GCM,data:s/VdQNQSmepsk8+Fp2ryDo6AwHxX51cRnSndfcZjMxV5vosGcCa82zXVps4Lloxq4lzg5ZOGPqpCVmqpmzNhfoPOXy73JaVQB/ITU20pO8l9e65PUTvZRBhEEpNnWlf9AOa7A1aqMnxi+w==,iv:T/nVYNOvYqymCQk18oWkS5YjNxBkZsN+DqjiPqEPg5M=,tag:9PCrU/m1pKqNwgSgBgGdIA==,type:str]
sops:
kms: []
gcp_kms: []
@@ 15,8 14,8 @@ sops:
ZVRRZ1hkRllRd1BGTmU0STVQNWVGT1UKE4PBQjAlb0NCI8vrAv9GpsmJFBkR6qRw
4RYHGreTyTgE1NLyf4d+AMIrTmfIXixx4SeiInO4tmMct6ds1gwMAw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-18T09:49:50Z"
- mac: ENC[AES256_GCM,data:No+EUPIds/phGQHY+Lw/8Ict+iLn+0509oXcx2sW2OjGnGU3mJ4uFPrtpoEJ/JWyHUwKhVkuNmqNT4zYe+qVnGUYxnTDFnjcC+nlcIxIkI9vxQhDYruS0FitxuG6BK+6YLmOszmMIEHf2MZUfK5MFvPqAn2gQbzPXzNj+fzW2xo=,iv:seFsJRgJbrHATjTuJ1y55WrrOait56oXSjvB41i29kY=,tag:Zi0N+niUxzqhKytwAZ5RpA==,type:str]
+ lastmodified: "2024-11-13T13:29:04Z"
+ mac: ENC[AES256_GCM,data:+jWbH78CfAnrT6VbYbnQpK0UYZq3pnhXOx+UDULIOms3ESJnJWDiQQ13G+EUEcJ5tJuZajB9iXYHWBcRMuJlfDiqXeHI4LPxC1rUftNsTiz9bDcAOu1ctRWTvSJ08kszbR3BsxkpYNRX74Wc233N0qIkP9hpSWrk3CLtJ3mzYb4=,iv:SoiZ9y6vCDYvR/+KMgInmy9qdTJwipk7LLQlL3zgKbs=,tag:MjR7CmhzfzzL1j3sLNiy5g==,type:str]
pgp:
- created_at: "2024-08-18T09:36:11Z"
enc: |-
M systems/hosts/default.nix => systems/hosts/default.nix +0 -5
@@ 27,11 27,6 @@
profile = lxc;
modules = [];
};
- dns = {
- system = "x86_64-linux";
- profile = lxc;
- modules = [];
- };
metrics = {
system = "x86_64-linux";
profile = lxc;