Bump version + minor cleanups

Signed-off-by: jeltz@federez.net
jeltz 2025-04-02 15:46:38 +02:00
parent 09d82c6b88
commit 01b5a0fe25
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 44 additions and 34 deletions


@ -1,6 +1,8 @@
let let
src = import ./npins; src = import ./npins;
pkgs = import src.nixpkgs { }; pkgs = import src.nixpkgs {
config.permittedInsecurePackages = [ "olm-3.2.16" ];
};
disko = (import src.disko { inherit (pkgs) lib; }); disko = (import src.disko { inherit (pkgs) lib; });
diskConfig = import ./disks/ext4.nix { diskConfig = import ./disks/ext4.nix {
inherit (pkgs) lib; inherit (pkgs) lib;
@ -8,7 +10,11 @@ let
in in
{ {
meta = { meta = {
nixpkgs = src.nixpkgs; nixpkgs = pkgs;
nodeNixpkgs = {
# FIXME discourse est cassé en unstable
pendragon = src."nixpkgs-24.11";
};
}; };
# FIXME # FIXME
@ -21,6 +27,9 @@ in
"${src.agenix}/modules/age.nix" "${src.agenix}/modules/age.nix"
]; ];
deployment.targetHost = "${name}.federez.net";
networking.hostName = name;
security.acme.defaults.email = "monitoring@federez.net"; security.acme.defaults.email = "monitoring@federez.net";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -45,10 +54,8 @@ in
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
}; };
vogon = { name, nodes, ... }: { vogon = { ... }: {
deployment.tags = [ "hypervisor" ]; deployment.tags = [ "hypervisor" ];
deployment.targetHost = "vogon.federez.net";
networking.hostName = name;
networking.hostId = "1751e2a7"; networking.hostId = "1751e2a7";
imports = [ imports = [
@ -57,12 +64,8 @@ in
]; ];
}; };
estragon = { name, nodes, pkgs, ... }: { estragon = { pkgs, ... }: {
deployment.tags = [ "matrix" ]; deployment.tags = [ "matrix" ];
deployment.targetHost = "estragon.federez.net";
networking.hostName = name;
environment.systemPackages = [ pkgs.tcpdump pkgs.openssl ];
glucagon.networking = { glucagon.networking = {
nibble = 227; nibble = 227;
@ -88,10 +91,8 @@ in
system.build.diskoScript = disko.diskoScript diskConfig pkgs; system.build.diskoScript = disko.diskoScript diskConfig pkgs;
}; };
wagon = { name, nodes, ... }: { wagon = { pkgs, ... }: {
deployment.tags = [ "vaultwarden" "pass" "passwords" ]; deployment.tags = [ "vaultwarden" "pass" "passwords" ];
deployment.targetHost = "wagon.federez.net";
networking.hostName = name;
glucagon.networking = { glucagon.networking = {
nibble = 228; nibble = 228;
@ -114,10 +115,8 @@ in
system.build.diskoScript = disko.diskoScript diskConfig pkgs; system.build.diskoScript = disko.diskoScript diskConfig pkgs;
}; };
lagon = { name, nodes, ... }: { lagon = { pkgs, ... }: {
deployment.tags = [ "keycloak" "wayf" ]; deployment.tags = [ "keycloak" "wayf" ];
deployment.targetHost = "lagon.federez.net";
networking.hostName = name;
glucagon.networking = { glucagon.networking = {
nibble = 229; nibble = 229;
@ -140,10 +139,8 @@ in
system.build.diskoScript = disko.diskoScript diskConfig pkgs; system.build.diskoScript = disko.diskoScript diskConfig pkgs;
}; };
aragon = { name, nodes, ... }: { aragon = { pkgs, ... }: {
deployment.tags = [ "gitlab" ]; deployment.tags = [ "gitlab" ];
deployment.targetHost = "aragon.federez.net";
networking.hostName = name;
glucagon.networking = { glucagon.networking = {
nibble = 231; nibble = 231;
@ -166,11 +163,8 @@ in
system.build.diskoScript = disko.diskoScript diskConfig pkgs; system.build.diskoScript = disko.diskoScript diskConfig pkgs;
}; };
# FIXME can't update: discourse pkg is broken pendragon = { pkgs, ... }: {
pendragon = { name, nodes, ... }: {
deployment.tags = [ "discourse" ]; deployment.tags = [ "discourse" ];
deployment.targetHost = "pendragon.federez.net";
networking.hostName = name;
glucagon.networking = { glucagon.networking = {
nibble = 233; nibble = 233;
@ -193,18 +187,21 @@ in
system.build.diskoScript = disko.diskoScript diskConfig pkgs; system.build.diskoScript = disko.diskoScript diskConfig pkgs;
}; };
perdrigon = { name, nodes, ... }: { perdrigon = { pkgs, ... }: {
deployment.tags = [ "indico" ]; deployment.tags = [ "indico" ];
deployment.targetHost = "perdrigon.federez.net";
federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
networking.hostName = name;
glucagon.networking = { glucagon.networking = {
nibble = 234; nibble = 234;
wan-mac = "BC:24:11:04:9B:51"; wan-mac = "BC:24:11:04:9B:51";
}; };
infra-net.leaf = {
mac = "BC:24:11:09:B8:76";
id = 17;
};
imports = [ imports = [
(disko.config diskConfig)
./profiles/vm.nix ./profiles/vm.nix
./profiles/indico.nix ./profiles/indico.nix
]; ];
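Review bot: The `config.permittedInsecurePackages = [ "olm-3.2.16" ];` exemption in the first hunk is set on the `pkgs` instance that the second hunk now passes as `meta.nixpkgs`, so it appears to apply to every node in the hive rather than only to the host that needs olm. Nothing in the section records why the exemption exists or when it can be dropped; a comment such as `# olm is flagged insecure upstream; required by <consumer>, remove once it no longer depends on it` would make it auditable. If the deployment tool honours per-node `nixpkgs.config`, scoping the exemption to the Matrix host would keep the other machines failing closed on insecure packages. Separately, if the `federez.monitoring.apiKey` line in the perdrigon hunk is on the removed side, as the hunk counts suggest, the value remains in repository history and should be rotated rather than treated as withdrawn.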


@ -39,6 +39,12 @@
"url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz", "url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz",
"hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl" "hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl"
}, },
"nixpkgs-24.11": {
"type": "Channel",
"name": "nixos-24.11",
"url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716438.7ffe0edc685f/nixexprs.tar.xz",
"hash": "1i99256170lllhdy8z1agvb4hgim20zs7i2qvikw5x9ldzh4q7zv"
},
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixos-unstable-small", "name": "nixos-unstable-small",


@ -2,7 +2,7 @@
let let
cfg = config.services.matrix-appservice-irc; cfg = config.services.matrix-appservice-irc;
bindPort = cfg.settings.ircService.mediaProxy.bindPort; bindPort = cfg.settings.ircService.mediaProxy.bindPort;
upstreamUrl = "http://127.0.0.1:${toString bindPort}"; upstreamUrl = "127.0.0.1:${toString bindPort}";
in { in {
services.nginx = { services.nginx = {
enable = true; enable = true;
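Review bot: The binding is still named `upstreamUrl` although its new value `"127.0.0.1:${toString bindPort}"` is a host:port pair with no scheme; a name such as `upstreamAddr` would stop a later reader from passing it where a full URL is expected. The uses of the binding are outside the hunk, so each consumer should be checked to confirm it adds the scheme itself.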


@ -50,7 +50,7 @@ in {
# in client applications. # in client applications.
settings.public_baseurl = baseUrl; settings.public_baseurl = baseUrl;
settings.app_service_config_files = [ settings.app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml" #"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/irc-registration.yml" "/var/lib/matrix-synapse/irc-registration.yml"
]; ];
settings.listeners = [ settings.listeners = [
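Review bot: The telegram registration is disabled by commenting the path out, with nothing saying whether this is temporary or a permanent removal. Either delete the entry or annotate it, e.g. `# telegram bridge disabled: <reason>; re-enable together with the bridge service`. If the bridge service itself is still deployed elsewhere in the configuration, it would now be running against a homeserver that no longer accepts its registration, which is worth confirming.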


@ -64,6 +64,9 @@
"sr_mod" "sr_mod"
]; ];
# FIXME
networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ];
systemd.network.links = { systemd.network.links = {
"10-phy1" = { "10-phy1" = {
matchConfig.MACAddress = "18:66:da:75:da:04"; matchConfig.MACAddress = "18:66:da:75:da:04";
@ -114,19 +117,22 @@
}; };
wireguardPeers = [ wireguardPeers = [
{ {
PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA="; PublicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY=";
Endpoint = "89.234.162.224:51039"; Endpoint = "89.234.162.224:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ]; AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ];
PersistentKeepalive = 10;
} }
{ {
PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA="; PublicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg=";
Endpoint = "137.194.12.129:51039"; Endpoint = "137.194.12.129:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ]; AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ];
PersistentKeepalive = 10;
} }
{ {
PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc="; PublicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc=";
Endpoint = "193.48.225.201:51039"; Endpoint = "193.48.225.201:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ]; AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ];
PersistentKeepalive = 10;
} }
]; ];
}; };
@ -156,6 +162,7 @@
}; };
"10-br-infra" = { "10-br-infra" = {
matchConfig.Name = "br-infra"; matchConfig.Name = "br-infra";
linkConfig.MACAddress = "9E:D8:78:A1:CE:22";
address = [ address = [
"fd0a:66d3:1c19:42::1/64" "fd0a:66d3:1c19:42::1/64"
"10.42.0.1/16" "10.42.0.1/16"
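Review bot: `networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ];` makes the NixOS firewall accept all traffic arriving on those three interfaces, so every WireGuard peer and every guest on the bridge can reach every listening port on this host. The bare `# FIXME` above it does not say what is provisional; state the intent, e.g. `# FIXME: temporary blanket trust on infra links; replace with per-interface allowed ports`. Opening only the needed services through `networking.firewall.interfaces.<name>.allowedTCPPorts` / `allowedUDPPorts` would keep the default-deny behaviour for everything else. The three replaced peer `PublicKey` values cannot be checked from the page and should be confirmed against the peers out of band.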


@ -22,10 +22,10 @@ let
keycloak-admins = active-admins; keycloak-admins = active-admins;
ldap-bind-admins = active-admins; ldap-bind-admins = active-admins;
discourse-admins = active-admins; discourse-admins = active-admins;
wg-admins = active-admins;
indico-admins = active-admins; indico-admins = active-admins;
grafana-admins = active-admins; grafana-admins = active-admins;
wg-admins = active-admins; servers = [ estragon wagon lagon klingon aragon pendragon vogon perdrigon martagon ];
servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
in in
{ {
"matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins; "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
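Review bot: Adding `vogon` to `servers` widens the recipient set of every secret whose `publicKeys` includes `servers`; those entries are outside the hunk, so which secrets the hypervisor can now decrypt is not visible here. Existing `.age` files only gain the new recipient after `agenix --rekey`, and the page lists a single binary file as changed, so it is worth confirming that every affected secret was re-encrypted. A one-line comment on `servers` naming what the list gates would help the next person who adds a host to it.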

Binary file not shown.