feat(voice01): init (#12)

Also update dns01 config. This PR adds the configuration for a Mumble server @voice.lab.dgnum.eu Reviewed-on: DGNum/lab-infra#12 Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org> Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2025-01-13 12:34:03 +01:00 · 2025-01-13 12:34:03 +01:00 · 6d09d3a0b3
commit 6d09d3a0b3
parent 930c1bd90a
12 changed files with 130 additions and 9 deletions
--- a/machines/dns01/_configuration.nix
+++ b/machines/dns01/_configuration.nix
@ -14,13 +14,6 @@ lib.extra.mkConfig {
    # TODO : retrieve this address from meta/network.nix
    deployment.targetHost = "45.13.104.26";
    deployment.tags = [ "cst1" ];
-    networking.firewall = {
-      enable = true;
-      logRefusedConnections = lib.mkForce true;
-      logRefusedPackets = lib.mkForce true;
-      allowedTCPPorts = [ 53 ];
-      allowedUDPPorts = [ 53 ];
-    };
  };

  root = ./.;
--- a/machines/dns01/lab.dgnum.eu.nix
+++ b/machines/dns01/lab.dgnum.eu.nix
@ -35,6 +35,8 @@ with dns.lib.combinators;

    kfet = host "129.199.146.230" "2a0e:e701:1120:1000::f:1";

+    voice = host "129.199.146.105" null;
+
    # Nameservers
    ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";

--- a/machines/dns01/nsd.nix
+++ b/machines/dns01/nsd.nix
@ -21,4 +21,9 @@ in
      };
    };
  };
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
 }
--- a/machines/photo01/immich.nix
+++ b/machines/photo01/immich.nix
@ -11,6 +11,9 @@
    enableACME = true;
    forceSSL = true;
    serverAliases = [ ];
-    locations."/".proxyPass = "http://localhost:3001/";
+    locations."/" = {
+      proxyPass = "http://localhost:3001/";
+      proxyWebsockets = true;
+    };
  };
 }
--- a/machines/voice01/_configuration.nix
+++ b/machines/voice01/_configuration.nix
@ -0,0 +1,25 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "murmur"
+    "nginx"
+  ];
+
+  extraConfig = {
+    deployment.tags = [ "cst1" ];
+    networking = {
+      firewall.allowedTCPPorts = [
+        80
+        443
+      ];
+    };
+  };
+
+  root = ./.;
+}
--- a/machines/voice01/_hardware-configuration.nix
+++ b/machines/voice01/_hardware-configuration.nix
@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    initrd.availableKernelModules = [
+      "ata_piix"
+      "uhci_hcd"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-partlabel/disk-sda-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-partlabel/disk-sda-ESP";
+    fsType = "vfat";
+  };
+
+  networking.useDHCP = lib.mkDefault false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/machines/voice01/murmur.nix
+++ b/machines/voice01/murmur.nix
@ -0,0 +1,21 @@
+let
+  port = 64738;
+in
+{
+  services.murmur = {
+    inherit port;
+    enable = true;
+    openFirewall = true;
+    users = 16;
+    welcometext = "Bienvenue sur le serveur Mumble expérimental de la DGNum.";
+    registerHostname = "voice.lab.dgnum.eu";
+    password = "coupe-boulon";
+    logFile = "/var/log/murmur/murmurd.log";
+  };
+  services.nginx.virtualHosts."voice.lab.dgnum.eu" = {
+    enableACME = true;
+    forceSSL = true;
+    serverAliases = [ ];
+    locations."/".proxyPass = "http://localhost:${toString port}/";
+  };
+}
--- a/machines/voice01/nginx.nix
+++ b/machines/voice01/nginx.nix
@ -0,0 +1,10 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    clientMaxBodySize = "500m";
+  };
+}
--- a/machines/voice01/secrets/secrets.nix
+++ b/machines/voice01/secrets/secrets.nix
@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "voice01" ] [
+  # List of secrets for router02
+]
--- a/meta/network.nix
+++ b/meta/network.nix
@ -162,5 +162,22 @@ in

    hostId = "999dc679";
  };
+  voice01 = {
+    interfaces = {
+      ens18 = {
+        ipv4 = [
+          {
+            address = "129.199.146.105";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "9d05edd1";
+  };
 }
 // mkRoutexp (import ./routexp.nix)
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@ -104,6 +104,14 @@ in

    deployment.targetHost = "129.199.146.39";

+    stateVersion = "24.11";
+    nixpkgs = "unstable";
+  };
+  voice01 = {
+    site = "pav01";
+
+    hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
+
    stateVersion = "24.11";
    nixpkgs = "unstable";
  };