-rw-r--r-- | tardis-new/.gitignore | 4 | ||||
-rw-r--r-- | tardis-new/asdf.tf | 24 | ||||
-rw-r--r-- | tardis-new/docker-compose.yml | 85 | ||||
-rw-r--r-- | tardis-new/flake.lock | 82 | ||||
-rw-r--r-- | tardis-new/flake.nix | 47 | ||||
-rw-r--r-- | tardis-new/lib/consts.nix | 7 | ||||
-rw-r--r-- | tardis-new/lib/default.nix | 3 | ||||
-rw-r--r-- | tardis-new/modules/common.nix | 56 | ||||
-rw-r--r-- | tardis-new/notes.org | 8 |
9 files changed, 316 insertions, 0 deletions
diff --git a/tardis-new/.gitignore b/tardis-new/.gitignore
new file mode 100644
index 0000000..68a2bf2
--- /dev/null
+++ b/tardis-new/.gitignore
@@ -0,0 +1,4 @@
+.env
+.terraform
+*.tfstate*
+.terraform.lock.hcl
\ No newline at end of file
diff --git a/tardis-new/asdf.tf b/tardis-new/asdf.tf
new file mode 100644
index 0000000..40bad49
--- /dev/null
+++ b/tardis-new/asdf.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2023.8.0"
+ }
+ }
+}
+
+provider "authentik" {
+ url = "http://localhost:9000"
+ token = "pzWOnE9J6OOyVLqFYzeiQRV0CV4zhN7dqcmzuA8Da3x9Xywch4tHp2DrfLSs"
+}
+
+resource "authentik_provider_oauth2" "name" {
+ name = "grafana"
+ client_id = "grafana"
+ authorization_flow = "60ee931d-8266-4b40-8b3b-3f1f4ed77e17"
+}
+
+output "grafana_client_secret" {
+ value = authentik_provider_oauth2.name.client_secret
+ sensitive = true
+}
diff --git a/tardis-new/docker-compose.yml b/tardis-new/docker-compose.yml
new file mode 100644
index 0000000..1032bcc
--- /dev/null
+++ b/tardis-new/docker-compose.yml
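Review bot: The `.terraform.lock.hcl` entry excludes the Terraform dependency lock file, which is the only place the provider's selected version and package checksums are recorded; with it ignored, every `terraform init` on another machine re-resolves `goauthentik/authentik` without a committed checksum baseline to verify against. HashiCorp recommends committing this file, so the line should be dropped from `.gitignore`. The `*.tfstate*` and `.env` entries are right to keep: state holds the provider's `client_secret` in cleartext regardless of the `sensitive = true` on the output.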
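Review bot: The `token = "pzWO…"` line in the `provider "authentik"` block commits a live Authentik API token to the repository; `.gitignore` protects `.env` but not this file, so the value is now in history and should be treated as exposed and rotated in Authentik. The provider reads `AUTHENTIK_URL` and `AUTHENTIK_TOKEN` from the environment, so the `url` and `token` attributes can be removed entirely, or supplied through a `variable` marked `sensitive = true` and fed from the gitignored `.env`. The hard-coded `authorization_flow` UUID is also fragile across Authentik instances; notes.org already points at the `authentik_flow` data source, which would let this be looked up by slug instead of pinned to one deployment.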
@@ -0,0 +1,85 @@
+---
+version: "3.4"
+
+services:
+ postgresql:
+ image: docker.io/library/postgres:12-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+ POSTGRES_USER: ${PG_USER:-authentik}
+ POSTGRES_DB: ${PG_DB:-authentik}
+ env_file:
+ - .env
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - redis:/data
+ server:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ depends_on:
+ - postgresql
+ - redis
+ worker:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ # `user: root` and the docker socket volume are optional.
+ # See more for the docker socket integration here:
+ # https://goauthentik.io/docs/outposts/integrations/docker
+ # Removing `user: root` also prevents the worker from fixing the permissions
+ # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+ # (1000:1000 by default)
+ volumes:
+ - ./media:/media
+ - ./certs:/certs
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ depends_on:
+ - postgresql
+ - redis
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
diff --git a/tardis-new/flake.lock b/tardis-new/flake.lock
new file mode 100644
index 0000000..05846d9
--- /dev/null
+++ b/tardis-new/flake.lock
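Review bot: `AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}` in both the `server` and `worker` services has no `:?` guard, unlike `POSTGRES_PASSWORD: ${PG_PASS:?database password required}` in `postgresql`, so an unset `PG_PASS` silently starts the application containers with an empty password and only fails at connection time. Use the same `${PG_PASS:?database password required}` form in all three places so the failure is immediate and explicit. The comment block beginning "`user: root` and the docker socket volume are optional" describes settings that are not present in this `worker` service (there is no `user:` key and no socket mount), so it should be removed or rewritten to say the docker socket integration was deliberately left out. Separately, `redis:alpine` is the only unpinned image tag here; pinning it like the postgres and authentik images keeps the deployment reproducible.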
@@ -0,0 +1,82 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "microvm": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixos"
+ ]
+ },
+ "locked": {
+ "lastModified": 1698882985,
+ "narHash": "sha256-0of8RrrfQGco9kiLW4vXpI8n4aGFRp+sPdCWKkkN8XY=",
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "rev": "402333c6e461e0af422e305eb680b4ea9d973b06",
+ "type": "github"
+ },
+ "original": {
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "type": "github"
+ }
+ },
+ "nixos": {
+ "locked": {
+ "lastModified": 1698846319,
+ "narHash": "sha256-4jyW/dqFBVpWFnhl0nvP6EN4lP7/ZqPxYRjl6var0Oc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "34bdaaf1f0b7fb6d9091472edc968ff10a8c2857",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "microvm": "microvm",
+ "nixos": "nixos"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/tardis-new/flake.nix b/tardis-new/flake.nix
new file mode 100644
index 0000000..a72caf1
--- /dev/null
+++ b/tardis-new/flake.nix
@@ -0,0 +1,47 @@
+{
+ description = "NixOS in MicroVMs";
+
+ inputs = {
+ nixos.url = "github:nixos/nixpkgs/nixos-23.05";
+
+ microvm.url = "github:astro/microvm.nix";
+ microvm.inputs.nixpkgs.follows = "nixos";
+ };
+
+ outputs = inputs @ {
+ self,
+ nixos,
+ microvm,
+ }: let
+ system = (import ./lib/consts.nix).system;
+ overlays = [
+ # Access helpful variables from nixpkgs
+ (_: prev: prev // {inherit inputs overlays;})
+
+ # Add our custom library functions
+ (final: prev: prev // {lib = prev.lib // import ./lib final;})
+ ];
+ pkgs = import nixos {inherit system overlays;};
+ in {
+ packages.${system} = {
+ my-microvm = self.nixosConfigurations.my-microvm.config.microvm.declaredRunner;
+ };
+
+ nixosConfigurations = {
+ my-microvm = nixos.lib.nixosSystem {
+ inherit (pkgs) system;
+ inherit pkgs;
+ specialArgs = {inherit (pkgs) lib;};
+ modules = [
+ {nixpkgs.overlays = pkgs.overlays;}
+ microvm.nixosModules.microvm
+ ./modules/common.nix
+ {
+ networking.hostName = "test";
+ users.users.root.password = "1234";
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/tardis-new/lib/consts.nix b/tardis-new/lib/consts.nix
new file mode 100644
index 0000000..8e24673
--- /dev/null
+++ b/tardis-new/lib/consts.nix
@@ -0,0 +1,7 @@
+{
+ system = "x86_64-linux";
+
+ mainDomain = "tardisproject.uk";
+
+ rootPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVMp9Z6X0SERg4lWn+j3cMXFKssl8aBSM5Fzm+jXzaX aria@casper";
+}
diff --git a/tardis-new/lib/default.nix b/tardis-new/lib/default.nix
new file mode 100644
index 0000000..338b2c6
--- /dev/null
+++ b/tardis-new/lib/default.nix
@@ -0,0 +1,3 @@
+final: {
+ consts = import ./consts.nix;
+}
diff --git a/tardis-new/modules/common.nix b/tardis-new/modules/common.nix
new file mode 100644
index 0000000..0d6a1ba
--- /dev/null
+++ b/tardis-new/modules/common.nix
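Review bot: `users.users.root.password = "1234";` in the `my-microvm` module list sets a plaintext root password that NixOS writes world-readable into the Nix store, and the value is committed to the repository with this flake. `common.nix` sets `PermitRootLogin = "prohibit-password"` and an authorized key, so the password is only usable from the console, but that does not justify a literal in the config. For the pinned nixos-23.05 input, use `users.users.root.hashedPassword = "<hash>";` or `users.users.root.passwordFile` pointing at a file provisioned outside the store (the sops/scalpel approach notes.org already mentions), or `initialPassword` if this configuration is strictly for throwaway test VMs.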
@@ -0,0 +1,56 @@
+{
+ lib,
+ config,
+ ...
+}: {
+ networking.domain = lib.consts.mainDomain;
+
+ system.stateVersion = "23.05";
+
+ # Share NixOS store for efficiency
+ microvm = {
+ storeOnDisk = false;
+ shares = [
+ {
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+ };
+
+ microvm = {
+ # Hypervisor setup
+ hypervisor = "qemu";
+ socket = "control.socket";
+
+ # Trusted bridge setup
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-${config.networking.hostName}";
+ mac = "02:00:00:00:00:01";
+ }
+ ];
+ };
+
+ # If this isn't set, then every system changes whenever a commit is made
+ # Which is super annoying
+ nix.registry = lib.mkForce {};
+
+ # SSH Access
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings.PermitRootLogin = "prohibit-password";
+ };
+ users.users.root.openssh.authorizedKeys.keys = [lib.consts.rootPubKey];
+
+ # Swap file
+ # swapDevices = [
+ # {
+ # device = "/swapfile";
+ # size = builtins.floor (config.microvm.mem * 0.5);
+ # }
+ # ];
+}
diff --git a/tardis-new/notes.org b/tardis-new/notes.org
new file mode 100644
index 0000000..9ef0aea
--- /dev/null
+++ b/tardis-new/notes.org
@@ -0,0 +1,8 @@
+probably better than ldap+keycloak: https://goauthentik.io/docs/
+sops + scalpel lets us do templating, vault is probably unnecessary https://github.com/polygon/scalpel
+
+authentik terraform provider: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/provider_oauth2
+can output client secrets and stuff for this, but requires specifying UUIDs of default authentik objects
+which we can get from data sources: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/data-sources/flow
+
+netdata seems lighter and less maintenance than grafana+prom+loki: https://github.com/netdata/netdata |
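Review bot: `mac = "02:00:00:00:00:01";` in the `interfaces` list is a fixed value while `id = "vm-${config.networking.hostName}"` is per host, so the second VM that imports `common.nix` onto the same "trusted bridge" will collide on the MAC and the bridge will see the two guests as one station. Derive it per host in the same way as `id`, or leave `mac` unset here and require each host configuration to supply it; a comment such as `# MAC must be unique per VM on the bridge; set in the host config` would make the intent clear. The SSH block is a sound baseline (`openFirewall = true` with `PermitRootLogin = "prohibit-password"` and a single key from `lib.consts.rootPubKey`), though `settings.PasswordAuthentication = false;` would make the key-only policy explicit for non-root accounts as well.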