nixos on watcher
This commit is contained in:
parent
2e98ba6e2f
commit
1d62b2065f
7 changed files with 305 additions and 19 deletions
54
hive.nix
54
hive.nix
|
@ -10,6 +10,7 @@ in
|
|||
};
|
||||
defaults =
|
||||
{
|
||||
nodes,
|
||||
name,
|
||||
pkgs,
|
||||
lib,
|
||||
|
@ -34,14 +35,13 @@ in
|
|||
"nixpkgs=${builtins.storePath pkgs.path}"
|
||||
"nixos=${builtins.storePath pkgs.path}"
|
||||
];
|
||||
channel.enable = false;
|
||||
package = pkgs.lix;
|
||||
};
|
||||
system.build.anywhere = pkgs.writeShellApplication {
|
||||
name = "anywhere-deploy_${name}.sh";
|
||||
runtimeInputs = [ pkgs.nixos-anywhere ];
|
||||
text = ''
|
||||
nixos-anywhere --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost}
|
||||
nixos-anywhere --kexec ${nodes.kat-kexec.config.system.build.kexecTarball}/${nodes.kat-kexec.config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -121,6 +121,16 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
kat-watcher =
|
||||
{ name, nodes, ... }:
|
||||
{
|
||||
deployment.targetHost = "watcher.kat";
|
||||
imports = [
|
||||
./machines/kat-watcher
|
||||
(users.root { ssh = true; })
|
||||
];
|
||||
};
|
||||
|
||||
kat-iso =
|
||||
{
|
||||
name,
|
||||
|
@ -155,4 +165,44 @@ in
|
|||
services.qemuGuest.enable = true;
|
||||
boot.kernelParams = [ "console=ttyS0" ];
|
||||
};
|
||||
|
||||
kat-kexec =
|
||||
{
|
||||
name,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
deployment = {
|
||||
allowLocalDeployment = false;
|
||||
targetHost = null;
|
||||
};
|
||||
|
||||
imports = [
|
||||
("${sources.nixos-images}/nix/kexec-installer/module.nix")
|
||||
(users.root { ssh = true; })
|
||||
];
|
||||
|
||||
networking = {
|
||||
networkmanager.enable = false;
|
||||
wireless.enable = false;
|
||||
};
|
||||
console.keyMap = "fr";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
perl
|
||||
git
|
||||
];
|
||||
programs.zsh.enable = true;
|
||||
services.openssh.enable = true;
|
||||
services.qemuGuest.enable = true;
|
||||
boot.kernelParams = [ "console=ttyS0" ];
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
|
||||
boot.supportedFilesystems = {
|
||||
bcachefs = true;
|
||||
zfs = lib.mkForce false;
|
||||
};
|
||||
};
|
||||
}
|
||||
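Review bot: The new `kat-kexec` node sets `services.openssh.enable = true;` and imports `(users.root { ssh = true; })`, so the installer image accepts root SSH on whatever network it comes up on; a comment above that import naming what `users.root` installs (presumably only authorized keys — the helper is defined outside this diff, so confirm) and stating that the image is bootstrap-only would make explicit what `targetHost = null;` and `allowLocalDeployment = false;` only imply. In the `defaults` hunk, the `--kexec` path is assembled from `nodes.kat-kexec.config.system.build.kexecTarball` plus `${pkgs.stdenv.hostPlatform.system}` of the node being deployed; if a node's platform ever differs from the one `kat-kexec` is built for, that file will not exist, so a comment or assertion tying the two together is worth adding (the `defaults` function starts before the hunk). `services.qemuGuest.enable`, `boot.kernelParams = [ "console=ttyS0" ]` and `console.keyMap = "fr"` now repeat what `kat-iso` sets just above; a shared installer-image module would keep the two in step.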
|
|
|
@ -114,6 +114,10 @@
|
|||
recommendedProxySettings = true;
|
||||
proxyPass = "http://192.168.122.2/";
|
||||
};
|
||||
"traque.katvayor.net".locations."/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyPass = "http://192.168.122.4/";
|
||||
};
|
||||
};
|
||||
streamConfig = ''
|
||||
upstream kat-virt {
|
||||
|
@ -123,18 +127,32 @@
|
|||
listen 22000;
|
||||
proxy_pass kat-virt;
|
||||
}
|
||||
upstream kat-traque {
|
||||
server 192.168.122.4:22;
|
||||
}
|
||||
server {
|
||||
listen 22001;
|
||||
proxy_pass kat-virt;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
22
|
||||
53
|
||||
80
|
||||
443
|
||||
22000
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [ 67 ];
|
||||
allowedTCPPortRanges = [
|
||||
{
|
||||
from = 22000;
|
||||
to = 22100;
|
||||
}
|
||||
];
|
||||
allowedUDPPorts = [ 67 ];
|
||||
};
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
|
|
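Review bot: The added `server { listen 22001; proxy_pass kat-virt; }` block sends port 22001 to the same `kat-virt` upstream as 22000, so the `upstream kat-traque { server 192.168.122.4:22; }` declared just above it is never referenced; `proxy_pass kat-traque;` looks like the intended line. The new `streamConfig` in machines/kat-watcher/default.nix has the same mismatch (`upstream kat-traque` declared, port 22001 still proxied to `kat-virt`). In the firewall hunk, `allowedTCPPortRanges` now opens 22000–22100 while only 22000 and 22001 are listened on and `22000` stays in `allowedTCPPorts`; either narrow the range or add a comment such as `# 22000-22100: reserved for per-VM SSH stream forwards` so the exposed span reads as deliberate. This section's file header is not rendered on the page, so the file it patches cannot be named here.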
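--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
@@ -0,0 +1,138 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+{
+imports = [
+./hardware-configuration.nix
+./disks.nix
+];
+
+boot = {
+loader.grub = {
+enable = true;
+efiSupport = true;
+efiInstallAsRemovable = true;
+};
+supportedFilesystems = [ "bcachefs" ];
+kernelPackages = pkgs.linuxPackages_latest;
+};
+
+time.timeZone = "Europe/Paris";
+
+networking = {
+useNetworkd = true;
+useDHCP = false;
+};
+systemd.network = {
+enable = true;
+networks."10-ens3" = {
+name = "ens3";
+address = [
+"51.83.69.54/32"
+"2001:41d0:305:2100::5c52/56"
+];
+routes = [
+{ Destination = "51.83.68.1/32"; }
+{
+Destination = "213.186.33.99/32";
+Gateway = "51.83.68.1";
+}
+{ Gateway = "51.83.68.1"; }
+{ Gateway = "2001:41d0:305:2100::1"; }
+];
+dns = [ "213.186.33.99" ];
+};
+};
+
+i18n.defaultLocale = "en_US.UTF-8";
+console = {
+font = "Lat2-Terminus16";
+keyMap = "fr";
+};
+
+security.acme = {
+acceptTerms = true;
+defaults.email = "root@katvayor.net";
+};
+services.nginx = {
+enable = true;
+virtualHosts = {
+"degette.katvayor.net" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+recommendedProxySettings = true;
+proxyPass = "http://100.102.49.84/";
+};
+};
+"traque.katvayor.net" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+recommendedProxySettings = true;
+proxyPass = "http://100.102.49.84/";
+};
+};
+};
+streamConfig = ''
+upstream kat-virt {
+server 100.102.49.84:22000;
+}
+server {
+listen 22000;
+proxy_pass kat-virt;
+}
+upstream kat-traque {
+server 100.102.49.84:22001;
+}
+server {
+listen 22001;
+proxy_pass kat-virt;
+}
+'';
+};
+
+services.dbus.packages = with pkgs; [ dconf ];
+
+programs.zsh.enable = true;
+
+environment.systemPackages = with pkgs; [
+wget
+nix-search-cli
+git
+btop
+ranger
+screen
+];
+
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+
+services.openssh.enable = true;
+
+services.netbird.enable = true;
+networking = {
+nftables.enable = true;
+firewall = {
+allowedTCPPorts = [
+22
+80
+443
+];
+allowedTCPPortRanges = [
+{
+from = 22000;
+to = 22100;
+}
+];
+};
+};
+
+system.stateVersion = "23.11";
+}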
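Review bot: `services.openssh.enable = true;` on a host with public addresses (`51.83.69.54/32`, `2001:41d0:305:2100::5c52/56`) whose root account gets SSH access through the `users.root { ssh = true; }` import in hive.nix leaves password and keyboard-interactive authentication at the NixOS defaults unless that helper turns them off elsewhere; pinning `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` here makes the key-only intent visible in the machine config itself. The firewall block opens TCP 22000–22100 while `streamConfig` only listens on 22000 and 22001; a comment on `allowedTCPPortRanges` saying what the rest of the range is reserved for, or narrowing it, keeps the exposed surface reviewable. Both `virtualHosts` and both stream upstreams point at `100.102.49.84`, which the `services.netbird.enable = true;` line suggests is the overlay address of the backend; a comment stating that, and that the backend separates `degette` from `traque` by the `Host` header `recommendedProxySettings` forwards, would save the next reader from re-deriving it.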
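--- a/machines/kat-watcher/disks.nix
+++ b/machines/kat-watcher/disks.nix
@@ -0,0 +1,37 @@
+{
+disko.devices = {
+disk = {
+sda = {
+device = "/dev/sda";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+type = "EF02";
+size = "1M";
+priority = 1;
+};
+ESP = {
+type = "EF00";
+size = "100M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "bcachefs";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+};
+}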
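Review bot: `device = "/dev/sda";` picks the disk by enumeration order, and this layout is what `nixos-anywhere` runs through `system.build.diskoScriptNoDeps` (hive.nix) to wipe and repartition the target at install time; a stable path under `/dev/disk/by-id/` (the actual id is not on the page, so `/dev/disk/by-id/<WATCHER_DISK_ID>` stands in for it), or at least a comment stating that the VM has exactly one disk, would make the destructive target explicit. A one-line comment on the `boot`/`ESP` pair explaining that EF02 plus EF00 gives a hybrid BIOS/UEFI layout — matching `efiInstallAsRemovable = true;` in default.nix — would also help the next reader, and `priority = 1;` on `boot` is worth a word since the other partitions leave it unset.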
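--- a/machines/kat-watcher/hardware-configuration.nix
+++ b/machines/kat-watcher/hardware-configuration.nix
@@ -0,0 +1,31 @@
+{
+config,
+lib,
+pkgs,
+modulesPath,
+...
+}:
+
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"virtio_pci"
+"virtio_scsi"
+"sd_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}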
|
@ -10,7 +10,7 @@
|
|||
};
|
||||
|
||||
"watcher.kat" = {
|
||||
user = "ubuntu";
|
||||
user = "root";
|
||||
hostname = "watcher.katvayor.net";
|
||||
};
|
||||
"r86s.kat" = {
|
||||
|
|
|
@ -8,9 +8,9 @@
|
|||
"repo": "agenix"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
|
||||
"url": "https://github.com/ryantm/agenix/archive/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9.tar.gz",
|
||||
"hash": "1lpkwinlax40b7xgzspbkm9rsi4a1x48hxhixnni4irxxwnav0ah"
|
||||
"revision": "3a56735779db467538fb2e577eda28a9daacaca6",
|
||||
"url": "https://github.com/ryantm/agenix/archive/3a56735779db467538fb2e577eda28a9daacaca6.tar.gz",
|
||||
"hash": "1h66zapc6im07k3kcgvhy3lhzahb70vd6m2ijhz4i0v6mn5l3fk9"
|
||||
},
|
||||
"disko": {
|
||||
"type": "GitRelease",
|
||||
|
@ -35,15 +35,27 @@
|
|||
"repo": "home-manager"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/0eb314b4f0ba337e88123e0b1e57ef58346aafd9.tar.gz",
|
||||
"hash": "1fwcxx8ilkih855g2dk9n9wvhizkxy1r16x414n3rchqg8knybhw"
|
||||
"revision": "0a7ffb28e5df5844d0e8039c9833d7075cdee792",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
|
||||
"hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
|
||||
},
|
||||
"nixos-images": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-images"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "42b13bbd6fce3bcf6272a6ed664a23b9417b82c2",
|
||||
"url": "https://github.com/nix-community/nixos-images/archive/42b13bbd6fce3bcf6272a6ed664a23b9417b82c2.tar.gz",
|
||||
"hash": "1ap3z694mjbfrwa2ddqlq1sqbwqy6xrq0r68blwr53cn7nx0rn4f"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixpkgs-unstable",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre633168.6132b0f6e344/nixexprs.tar.xz",
|
||||
"hash": "0jli5364mw57krjc9csswc3xh1bvbjcv85hf81l9gx7fcp5qkswa"
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre639552.e6cea36f8349/nixexprs.tar.xz",
|
||||
"hash": "0pii8c6wlh7wc6wxwhc85nyn3pk00qi3kn3jah2agf87cbmm9qdk"
|
||||
}
|
||||
},
|
||||
"version": 3
|
||||
|
|