-rw-r--r--tardis-new/.gitignore4
-rw-r--r--tardis-new/asdf.tf24
-rw-r--r--tardis-new/docker-compose.yml85
-rw-r--r--tardis-new/flake.lock82
-rw-r--r--tardis-new/flake.nix47
-rw-r--r--tardis-new/lib/consts.nix7
-rw-r--r--tardis-new/lib/default.nix3
-rw-r--r--tardis-new/modules/common.nix56
-rw-r--r--tardis-new/notes.org8
9 files changed, 316 insertions, 0 deletions
diff --git a/tardis-new/.gitignore b/tardis-new/.gitignore
new file mode 100644
index 0000000..68a2bf2
--- /dev/null
+++ b/tardis-new/.gitignore
@@ -0,0 +1,4 @@
+.env
+.terraform
+*.tfstate*
+.terraform.lock.hcl \ No newline at end of file
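Review bot: Ignoring `.terraform.lock.hcl` on the last line discards the provider dependency lock that records the checksums of the `goauthentik/authentik` provider pulled in by `asdf.tf`, so every `terraform init` re-resolves and re-trusts provider binaries with no hash to compare against. That file is meant to be committed next to the configuration; drop the `.terraform.lock.hcl` line and keep `.terraform`, `.env` and `*.tfstate*` ignored (state is the right thing to keep out, since the `grafana_client_secret` output lands there). The file also lacks a trailing newline.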
diff --git a/tardis-new/asdf.tf b/tardis-new/asdf.tf
new file mode 100644
index 0000000..40bad49
--- /dev/null
+++ b/tardis-new/asdf.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2023.8.0"
+ }
+ }
+}
+
+provider "authentik" {
+ url = "http://localhost:9000"
+ token = "pzWOnE9J6OOyVLqFYzeiQRV0CV4zhN7dqcmzuA8Da3x9Xywch4tHp2DrfLSs"
+}
+
+resource "authentik_provider_oauth2" "name" {
+ name = "grafana"
+ client_id = "grafana"
+ authorization_flow = "60ee931d-8266-4b40-8b3b-3f1f4ed77e17"
+}
+
+output "grafana_client_secret" {
+ value = authentik_provider_oauth2.name.client_secret
+ sensitive = true
+}
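Review bot: The `token` argument in the `provider "authentik"` block is a literal API token checked into the repository; the `.env` entry added to `.gitignore` in this commit does not cover it, and it remains recoverable from history once pushed. Change the line to `token = var.authentik_token`, declare `variable "authentik_token"` with `type = string` and `sensitive = true`, and supply it through `TF_VAR_authentik_token` (or omit the argument entirely and rely on the provider reading `AUTHENTIK_TOKEN` from the environment, if the installed provider version supports that as its docs describe); the value present here should be treated as exposed and rotated on the authentik side. The hard-coded `authorization_flow` UUID could likewise be looked up with an `authentik_flow` data source, as the accompanying notes.org already suggests, instead of being pinned to one instance.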
diff --git a/tardis-new/docker-compose.yml b/tardis-new/docker-compose.yml
new file mode 100644
index 0000000..1032bcc
--- /dev/null
+++ b/tardis-new/docker-compose.yml
@@ -0,0 +1,85 @@
+---
+version: "3.4"
+
+services:
+ postgresql:
+ image: docker.io/library/postgres:12-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+ POSTGRES_USER: ${PG_USER:-authentik}
+ POSTGRES_DB: ${PG_DB:-authentik}
+ env_file:
+ - .env
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - redis:/data
+ server:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ depends_on:
+ - postgresql
+ - redis
+ worker:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ # `user: root` and the docker socket volume are optional.
+ # See more for the docker socket integration here:
+ # https://goauthentik.io/docs/outposts/integrations/docker
+ # Removing `user: root` also prevents the worker from fixing the permissions
+ # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+ # (1000:1000 by default)
+ volumes:
+ - ./media:/media
+ - ./certs:/certs
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ depends_on:
+ - postgresql
+ - redis
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
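Review bot: The `ports` entries on the `server` service publish 9000 and 9443 on every host interface by default, while the only consumer visible in this commit (`asdf.tf`) talks to `http://localhost:9000`; if the instance is meant to be reached locally or through a reverse proxy, bind explicitly with `- "127.0.0.1:${COMPOSE_PORT_HTTP:-9000}:9000"` and `- "127.0.0.1:${COMPOSE_PORT_HTTPS:-9443}:9443"`. `AUTHENTIK_SECRET_KEY` is not set inline, so it presumably comes from `.env`, which is acceptable only because that file is untracked. The `version: "3.4"` key at the top is ignored by Compose v2 and can be removed, and the comment block above the worker's `volumes` refers to a `user: root` line and a docker socket mount that this file does not contain, so it reads as stale upstream text.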
diff --git a/tardis-new/flake.lock b/tardis-new/flake.lock
new file mode 100644
index 0000000..05846d9
--- /dev/null
+++ b/tardis-new/flake.lock
@@ -0,0 +1,82 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "microvm": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixos"
+ ]
+ },
+ "locked": {
+ "lastModified": 1698882985,
+ "narHash": "sha256-0of8RrrfQGco9kiLW4vXpI8n4aGFRp+sPdCWKkkN8XY=",
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "rev": "402333c6e461e0af422e305eb680b4ea9d973b06",
+ "type": "github"
+ },
+ "original": {
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "type": "github"
+ }
+ },
+ "nixos": {
+ "locked": {
+ "lastModified": 1698846319,
+ "narHash": "sha256-4jyW/dqFBVpWFnhl0nvP6EN4lP7/ZqPxYRjl6var0Oc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "34bdaaf1f0b7fb6d9091472edc968ff10a8c2857",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "microvm": "microvm",
+ "nixos": "nixos"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/tardis-new/flake.nix b/tardis-new/flake.nix
new file mode 100644
index 0000000..a72caf1
--- /dev/null
+++ b/tardis-new/flake.nix
@@ -0,0 +1,47 @@
+{
+ description = "NixOS in MicroVMs";
+
+ inputs = {
+ nixos.url = "github:nixos/nixpkgs/nixos-23.05";
+
+ microvm.url = "github:astro/microvm.nix";
+ microvm.inputs.nixpkgs.follows = "nixos";
+ };
+
+ outputs = inputs @ {
+ self,
+ nixos,
+ microvm,
+ }: let
+ system = (import ./lib/consts.nix).system;
+ overlays = [
+ # Access helpful variables from nixpkgs
+ (_: prev: prev // {inherit inputs overlays;})
+
+ # Add our custom library functions
+ (final: prev: prev // {lib = prev.lib // import ./lib final;})
+ ];
+ pkgs = import nixos {inherit system overlays;};
+ in {
+ packages.${system} = {
+ my-microvm = self.nixosConfigurations.my-microvm.config.microvm.declaredRunner;
+ };
+
+ nixosConfigurations = {
+ my-microvm = nixos.lib.nixosSystem {
+ inherit (pkgs) system;
+ inherit pkgs;
+ specialArgs = {inherit (pkgs) lib;};
+ modules = [
+ {nixpkgs.overlays = pkgs.overlays;}
+ microvm.nixosModules.microvm
+ ./modules/common.nix
+ {
+ networking.hostName = "test";
+ users.users.root.password = "1234";
+ }
+ ];
+ };
+ };
+ };
+}
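Review bot: `users.users.root.password = "1234"` in the inline module sets a plaintext root password that ends up in the repository and in the world-readable Nix store of the built system. Since `common.nix` sets `PermitRootLogin = "prohibit-password"`, this affects console and serial login rather than SSH, but a microvm's serial console is usually reachable by whoever runs it; prefer `users.users.root.hashedPasswordFile = "<PATH_TO_SECRET_OUTSIDE_STORE>";` (sops is mentioned in notes.org as the intended secrets tool) or `initialHashedPassword` with a throwaway value if this configuration is only a local test. The two overlays are fine, though the `inherit inputs overlays` overlay means the overlay list references itself, which works only because Nix is lazy and is worth a one-line comment.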
diff --git a/tardis-new/lib/consts.nix b/tardis-new/lib/consts.nix
new file mode 100644
index 0000000..8e24673
--- /dev/null
+++ b/tardis-new/lib/consts.nix
@@ -0,0 +1,7 @@
+{
+ system = "x86_64-linux";
+
+ mainDomain = "tardisproject.uk";
+
+ rootPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVMp9Z6X0SERg4lWn+j3cMXFKssl8aBSM5Fzm+jXzaX aria@casper";
+}
diff --git a/tardis-new/lib/default.nix b/tardis-new/lib/default.nix
new file mode 100644
index 0000000..338b2c6
--- /dev/null
+++ b/tardis-new/lib/default.nix
@@ -0,0 +1,3 @@
+final: {
+ consts = import ./consts.nix;
+}
diff --git a/tardis-new/modules/common.nix b/tardis-new/modules/common.nix
new file mode 100644
index 0000000..0d6a1ba
--- /dev/null
+++ b/tardis-new/modules/common.nix
@@ -0,0 +1,56 @@
+{
+ lib,
+ config,
+ ...
+}: {
+ networking.domain = lib.consts.mainDomain;
+
+ system.stateVersion = "23.05";
+
+ # Share NixOS store for efficiency
+ microvm = {
+ storeOnDisk = false;
+ shares = [
+ {
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+ };
+
+ microvm = {
+ # Hypervisor setup
+ hypervisor = "qemu";
+ socket = "control.socket";
+
+ # Trusted bridge setup
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-${config.networking.hostName}";
+ mac = "02:00:00:00:00:01";
+ }
+ ];
+ };
+
+ # If this isn't set, then every system changes whenever a commit is made
+ # Which is super annoying
+ nix.registry = lib.mkForce {};
+
+ # SSH Access
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings.PermitRootLogin = "prohibit-password";
+ };
+ users.users.root.openssh.authorizedKeys.keys = [lib.consts.rootPubKey];
+
+ # Swap file
+ # swapDevices = [
+ # {
+ # device = "/swapfile";
+ # size = builtins.floor (config.microvm.mem * 0.5);
+ # }
+ # ];
+}
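Review bot: The tap interface under `microvm.interfaces` hard-codes `mac = "02:00:00:00:00:01"` while its `id` is derived from `config.networking.hostName`, so every VM that imports this shared module gets an identical MAC and will conflict on a common bridge; derive the address from the hostname or expose it as a module option with a per-host value. The file also defines `microvm = { ... }` twice at the same level (shares, then hypervisor and interfaces) — Nix merges duplicate literal attribute sets, so this evaluates, but a reader will expect an "attribute already defined" error, and folding the two into one `microvm` block removes the surprise. The `nix.registry = lib.mkForce {}` line would benefit from its comment also saying it disables flake registry lookups for users on the VM, which is the user-visible effect.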
diff --git a/tardis-new/notes.org b/tardis-new/notes.org
new file mode 100644
index 0000000..9ef0aea
--- /dev/null
+++ b/tardis-new/notes.org
@@ -0,0 +1,8 @@
+probably better than ldap+keycloak: https://goauthentik.io/docs/
+sops + scalpel lets us do templating, vault is probably unnecessary https://github.com/polygon/scalpel
+
+authentik terraform provider: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/provider_oauth2
+can output client secrets and stuff for this, but requires specifying UUIDs of default authentik objects
+which we can get from data sources: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/data-sources/flow
+
+netdata seems lighter and less maintenance than grafana+prom+loki: https://github.com/netdata/netdata