author | Aria <me@aria.rip> | 2023-12-12 02:03:58 +0000 |
---|---|---|
committer | Aria <me@aria.rip> | 2023-12-12 02:03:58 +0000 |
commit | 35564ad41cfbda2b2a698061a2134956736744c9 (patch) | |
tree | 82093ecbeb1f1b9aac9ffa5594f339a22783f2f5 | |
parent | c19dc0924481c7edf4938f5aa105f481a787a30e (diff) |
-rw-r--r-- | nix-personal/flake.lock | 48 | ||||
-rw-r--r-- | nix-personal/flake.nix | 40 | ||||
-rw-r--r-- | nix-personal/hosts/puppy.nix | 71 | ||||
-rw-r--r-- | nix-personal/k8s/ingress.yaml | 33 | ||||
-rw-r--r-- | nix-personal/k8s/svc.yaml | 24 | ||||
-rw-r--r-- | nix-personal/profiles/common.nix | 10 | ||||
-rw-r--r-- | nix-personal/profiles/landing/default.nix | 7 | ||||
-rw-r--r-- | nix-personal/profiles/landing/html/index.html | 5 | ||||
-rw-r--r-- | nix-personal/profiles/nginx.nix | 4 | ||||
-rw-r--r-- | tardis-new/.gitignore | 4 | ||||
-rw-r--r-- | tardis-new/asdf.tf | 24 | ||||
-rw-r--r-- | tardis-new/docker-compose.yml | 85 | ||||
-rw-r--r-- | tardis-new/flake.lock | 82 | ||||
-rw-r--r-- | tardis-new/flake.nix | 47 | ||||
-rw-r--r-- | tardis-new/lib/consts.nix | 7 | ||||
-rw-r--r-- | tardis-new/lib/default.nix | 3 | ||||
-rw-r--r-- | tardis-new/modules/common.nix | 56 | ||||
-rw-r--r-- | tardis-new/notes.org | 8 |
18 files changed, 0 insertions, 558 deletions
diff --git a/nix-personal/flake.lock b/nix-personal/flake.lock deleted file mode 100644 index b15b3fb..0000000 --- a/nix-personal/flake.lock +++ /dev/null @@ -1,48 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701775991, - "narHash": "sha256-/51DaSTzoW+wQfj5P9EnTbSxixDFjjhfnGdMKcSp+is=", - "owner": "nix-community", - "repo": "disko", - "rev": "f84c3684900d11cf19f530070d32d55f0ed51374", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1701539137, - "narHash": "sha256-nVO/5QYpf1GwjvtpXhyxx5M3U/WN0MwBro4Lsk+9mL0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "933d7dc155096e7575d207be6fb7792bc9f34f6d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix-personal/flake.nix b/nix-personal/flake.nix deleted file mode 100644 index 7fe8056..0000000 --- a/nix-personal/flake.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; - inputs.disko.url = "github:nix-community/disko"; - inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - - outputs = { - nixpkgs, - disko, - ... - }: let - imports = [ - disko.nixosModules.disko - ./hosts/puppy.nix - ]; - in { - devShells.x86_64-linux.default = let - pkgs = import nixpkgs {system = "x86_64-linux";}; - in - pkgs.mkShell { - buildInputs = [pkgs.colmena]; - }; - - nixosConfigurations.puppy = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = imports; - }; - - colmena = { - meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; - }; - - puppy = {...}: { - inherit imports; - }; - }; - }; -} 
diff --git a/nix-personal/hosts/puppy.nix b/nix-personal/hosts/puppy.nix
deleted file mode 100644
index 948b243..0000000
--- a/nix-personal/hosts/puppy.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- modulesPath,
- lib,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- (modulesPath + "/profiles/qemu-guest.nix")
- ../profiles/common.nix
- ../profiles/landing
- ];
-
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "500M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- swap = {
- name = "swap";
- size = "2G";
- content = {
- type = "swap";
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- };
- };
- };
- };
-
- boot.loader.grub = {
- # no need to set devices, disko will add all devices that have a EF02 partition to the list already
- # devices = [ ];
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
-
- networking.hostName = "puppy";
- deployment = {
- targetHost = "puppy.girlth.ing";
- buildOnTarget = true;
- };
-}
diff --git a/nix-personal/k8s/ingress.yaml b/nix-personal/k8s/ingress.yaml
deleted file mode 100644
index 3849905..0000000
--- a/nix-personal/k8s/ingress.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
- traefik.ingress.kubernetes.io/router.tls.domains.0.main: 'girlth.ing'
- traefik.ingress.kubernetes.io/router.tls.domains.0.sans: '*.girlth.ing'
- name: girlthing-all
- namespace: tcmal
-spec:
- ingressClassName: traefik
- rules:
- - host: '*.girlth.ing'
- http:
- paths:
- - backend:
- service:
- name: puppy
- port:
- name: http
- path: /
- pathType: ImplementationSpecific
- - host: 'girlth.ing'
- http:
- paths:
- - backend:
- service:
- name: puppy
- port:
- name: http
- path: /
- pathType: ImplementationSpecific
diff --git a/nix-personal/k8s/svc.yaml b/nix-personal/k8s/svc.yaml
deleted file mode 100644
index e6dfdfb..0000000
--- a/nix-personal/k8s/svc.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: puppy
- namespace: tcmal
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 80
----
-apiVersion: v1
-kind: Endpoints
-metadata:
- name: puppy
- namespace: tcmal
-subsets:
-- addresses:
- - ip: 192.168.1.248
- ports:
- - name: http
- port: 80
- protocol: TCP
diff --git a/nix-personal/profiles/common.nix b/nix-personal/profiles/common.nix
deleted file mode 100644
index b4e1337..0000000
--- a/nix-personal/profiles/common.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- system.stateVersion = "23.11";
-
- networking.domain = "girlth.ing";
-
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPpKjZfzPN1KxVskFRnmTTCwzyCtjwcXVZc4i1rNfl9oAAAABHNzaDo= me@aria.rip"
- ];
-}
diff --git a/nix-personal/profiles/landing/default.nix b/nix-personal/profiles/landing/default.nix
deleted file mode 100644
index 83fc770..0000000
--- a/nix-personal/profiles/landing/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{...}: {
- imports = [../nginx.nix];
- services.nginx.virtualHosts."girlth.ing" = {
- default = true;
- root = ./.;
- };
-}
diff --git a/nix-personal/profiles/landing/html/index.html b/nix-personal/profiles/landing/html/index.html
deleted file mode 100644
index 5d5f6be..0000000
--- a/nix-personal/profiles/landing/html/index.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<html>
- <body>
- <h1>It works!</h1>
- </body>
-</html>
diff --git a/nix-personal/profiles/nginx.nix b/nix-personal/profiles/nginx.nix
deleted file mode 100644
index 60124e2..0000000
--- a/nix-personal/profiles/nginx.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{...}: {
- networking.firewall.allowedTCPPorts = [80];
- services.nginx.enable = true;
-}
diff --git a/tardis-new/.gitignore b/tardis-new/.gitignore
deleted file mode 100644
index 68a2bf2..0000000
--- a/tardis-new/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-.env
-.terraform
-*.tfstate*
-.terraform.lock.hcl
\ No newline at end of file
diff --git a/tardis-new/asdf.tf b/tardis-new/asdf.tf
deleted file mode 100644
index 40bad49..0000000
--- a/tardis-new/asdf.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
- required_providers {
- authentik = {
- source = "goauthentik/authentik"
- version = "2023.8.0"
- }
- }
-}
-
-provider "authentik" {
- url = "http://localhost:9000"
- token = "pzWOnE9J6OOyVLqFYzeiQRV0CV4zhN7dqcmzuA8Da3x9Xywch4tHp2DrfLSs"
-}
-
-resource "authentik_provider_oauth2" "name" {
- name = "grafana"
- client_id = "grafana"
- authorization_flow = "60ee931d-8266-4b40-8b3b-3f1f4ed77e17"
-}
-
-output "grafana_client_secret" {
- value = authentik_provider_oauth2.name.client_secret
- sensitive = true
-}
diff --git a/tardis-new/docker-compose.yml b/tardis-new/docker-compose.yml
deleted file mode 100644
index 1032bcc..0000000
--- a/tardis-new/docker-compose.yml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-version: "3.4"
-
-services:
- postgresql:
- image: docker.io/library/postgres:12-alpine
- restart: unless-stopped
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
- start_period: 20s
- interval: 30s
- retries: 5
- timeout: 5s
- volumes:
- - database:/var/lib/postgresql/data
- environment:
- POSTGRES_PASSWORD: ${PG_PASS:?database password required}
- POSTGRES_USER: ${PG_USER:-authentik}
- POSTGRES_DB: ${PG_DB:-authentik}
- env_file:
- - .env
- redis:
- image: docker.io/library/redis:alpine
- command: --save 60 1 --loglevel warning
- restart: unless-stopped
- healthcheck:
- test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
- start_period: 20s
- interval: 30s
- retries: 5
- timeout: 3s
- volumes:
- - redis:/data
- server:
- image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
- restart: unless-stopped
- command: server
- environment:
- AUTHENTIK_REDIS__HOST: redis
- AUTHENTIK_POSTGRESQL__HOST: postgresql
- AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
- AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
- volumes:
- - ./media:/media
- - ./custom-templates:/templates
- env_file:
- - .env
- ports:
- - "${COMPOSE_PORT_HTTP:-9000}:9000"
- - "${COMPOSE_PORT_HTTPS:-9443}:9443"
- depends_on:
- - postgresql
- - redis
- worker:
- image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
- restart: unless-stopped
- command: worker
- environment:
- AUTHENTIK_REDIS__HOST: redis
- AUTHENTIK_POSTGRESQL__HOST: postgresql
- AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
- AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
- # `user: root` and the docker socket volume are optional.
- # See more for the docker socket integration here:
- # https://goauthentik.io/docs/outposts/integrations/docker
- # Removing `user: root` also prevents the worker from fixing the permissions
- # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
- # (1000:1000 by default)
- volumes:
- - ./media:/media
- - ./certs:/certs
- - ./custom-templates:/templates
- env_file:
- - .env
- depends_on:
- - postgresql
- - redis
-
-volumes:
- database:
- driver: local
- redis:
- driver: local
diff --git a/tardis-new/flake.lock b/tardis-new/flake.lock
deleted file mode 100644
index 05846d9..0000000
--- a/tardis-new/flake.lock
+++ /dev/null
@@ -1,82 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "microvm": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixos" - ] - }, - "locked": { - "lastModified": 1698882985, - "narHash": "sha256-0of8RrrfQGco9kiLW4vXpI8n4aGFRp+sPdCWKkkN8XY=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "402333c6e461e0af422e305eb680b4ea9d973b06", - "type": "github" - }, - "original": { - "owner": "astro", - "repo": "microvm.nix", - "type": "github" - } - }, - "nixos": { - "locked": { - "lastModified": 1698846319, - "narHash": "sha256-4jyW/dqFBVpWFnhl0nvP6EN4lP7/ZqPxYRjl6var0Oc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "34bdaaf1f0b7fb6d9091472edc968ff10a8c2857", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "microvm": "microvm", - "nixos": "nixos" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/tardis-new/flake.nix b/tardis-new/flake.nix deleted file mode 100644 index a72caf1..0000000 --- a/tardis-new/flake.nix +++ /dev/null 
@@ -1,47 +0,0 @@
-{
- description = "NixOS in MicroVMs";
-
- inputs = {
- nixos.url = "github:nixos/nixpkgs/nixos-23.05";
-
- microvm.url = "github:astro/microvm.nix";
- microvm.inputs.nixpkgs.follows = "nixos";
- };
-
- outputs = inputs @ {
- self,
- nixos,
- microvm,
- }: let
- system = (import ./lib/consts.nix).system;
- overlays = [
- # Access helpful variables from nixpkgs
- (_: prev: prev // {inherit inputs overlays;})
-
- # Add our custom library functions
- (final: prev: prev // {lib = prev.lib // import ./lib final;})
- ];
- pkgs = import nixos {inherit system overlays;};
- in {
- packages.${system} = {
- my-microvm = self.nixosConfigurations.my-microvm.config.microvm.declaredRunner;
- };
-
- nixosConfigurations = {
- my-microvm = nixos.lib.nixosSystem {
- inherit (pkgs) system;
- inherit pkgs;
- specialArgs = {inherit (pkgs) lib;};
- modules = [
- {nixpkgs.overlays = pkgs.overlays;}
- microvm.nixosModules.microvm
- ./modules/common.nix
- {
- networking.hostName = "test";
- users.users.root.password = "1234";
- }
- ];
- };
- };
- };
-}
diff --git a/tardis-new/lib/consts.nix b/tardis-new/lib/consts.nix
deleted file mode 100644
index 8e24673..0000000
--- a/tardis-new/lib/consts.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- system = "x86_64-linux";
-
- mainDomain = "tardisproject.uk";
-
- rootPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVMp9Z6X0SERg4lWn+j3cMXFKssl8aBSM5Fzm+jXzaX aria@casper";
-}
diff --git a/tardis-new/lib/default.nix b/tardis-new/lib/default.nix
deleted file mode 100644
index 338b2c6..0000000
--- a/tardis-new/lib/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-final: {
- consts = import ./consts.nix;
-}
diff --git a/tardis-new/modules/common.nix b/tardis-new/modules/common.nix
deleted file mode 100644
index 0d6a1ba..0000000
--- a/tardis-new/modules/common.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- lib,
- config,
- ...
-}: {
- networking.domain = lib.consts.mainDomain;
-
- system.stateVersion = "23.05";
-
- # Share NixOS store for efficiency
- microvm = {
- storeOnDisk = false;
- shares = [
- {
- tag = "ro-store";
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- }
- ];
- };
-
- microvm = {
- # Hypervisor setup
- hypervisor = "qemu";
- socket = "control.socket";
-
- # Trusted bridge setup
- interfaces = [
- {
- type = "tap";
- id = "vm-${config.networking.hostName}";
- mac = "02:00:00:00:00:01";
- }
- ];
- };
-
- # If this isn't set, then every system changes whenever a commit is made
- # Which is super annoying
- nix.registry = lib.mkForce {};
-
- # SSH Access
- services.openssh = {
- enable = true;
- openFirewall = true;
- settings.PermitRootLogin = "prohibit-password";
- };
- users.users.root.openssh.authorizedKeys.keys = [lib.consts.rootPubKey];
-
- # Swap file
- # swapDevices = [
- # {
- # device = "/swapfile";
- # size = builtins.floor (config.microvm.mem * 0.5);
- # }
- # ];
-}
diff --git a/tardis-new/notes.org b/tardis-new/notes.org
deleted file mode 100644
index 9ef0aea..0000000
--- a/tardis-new/notes.org
+++ /dev/null
@@ -1,8 +0,0 @@
-probably better than ldap+keycloak: https://goauthentik.io/docs/
-sops + scalpel lets us do templating, vault is probably unnecessary https://github.com/polygon/scalpel
-
-authentik terraform provider: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/provider_oauth2
-can output client secrets and stuff for this, but requires specifying UUIDs of default authentik objects
-which we can get from data sources: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/data-sources/flow
-
-netdata seems lighter and less maintenance than grafana+prom+loki: https://github.com/netdata/netdata |