Diffstat (limited to 'tardis-new')
-rw-r--r--tardis-new/.gitignore4
-rw-r--r--tardis-new/asdf.tf24
-rw-r--r--tardis-new/docker-compose.yml85
-rw-r--r--tardis-new/flake.lock82
-rw-r--r--tardis-new/flake.nix47
-rw-r--r--tardis-new/lib/consts.nix7
-rw-r--r--tardis-new/lib/default.nix3
-rw-r--r--tardis-new/modules/common.nix56
-rw-r--r--tardis-new/notes.org8
9 files changed, 0 insertions, 316 deletions
diff --git a/tardis-new/.gitignore b/tardis-new/.gitignore
deleted file mode 100644
index 68a2bf2..0000000
--- a/tardis-new/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-.env
-.terraform
-*.tfstate*
-.terraform.lock.hcl \ No newline at end of file
diff --git a/tardis-new/asdf.tf b/tardis-new/asdf.tf
deleted file mode 100644
index 40bad49..0000000
--- a/tardis-new/asdf.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
- required_providers {
- authentik = {
- source = "goauthentik/authentik"
- version = "2023.8.0"
- }
- }
-}
-
-provider "authentik" {
- url = "http://localhost:9000"
- token = "pzWOnE9J6OOyVLqFYzeiQRV0CV4zhN7dqcmzuA8Da3x9Xywch4tHp2DrfLSs"
-}
-
-resource "authentik_provider_oauth2" "name" {
- name = "grafana"
- client_id = "grafana"
- authorization_flow = "60ee931d-8266-4b40-8b3b-3f1f4ed77e17"
-}
-
-output "grafana_client_secret" {
- value = authentik_provider_oauth2.name.client_secret
- sensitive = true
-}
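Review bot: The Authentik API token that the deleted provider block carried in plaintext (`token = "pzWOnE9J…"`) stays recoverable from git history after this commit, so removing the file does not revoke it; it should be rotated in Authentik, and the Grafana OAuth2 `client_secret` that was managed with it regenerated, and I cannot tell from the diff whether that has happened. The same block also pointed the provider at `url = "http://localhost:9000"`, so the token travelled over plain HTTP; if this setup is revived, pass the token via a sensitive `variable` / `TF_VAR_` or the sops-based secrets the notes mention, and use an HTTPS endpoint. A secret scanner in CI (or a pre-commit hook) would have caught this before it was pushed.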
diff --git a/tardis-new/docker-compose.yml b/tardis-new/docker-compose.yml
deleted file mode 100644
index 1032bcc..0000000
--- a/tardis-new/docker-compose.yml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-version: "3.4"
-
-services:
- postgresql:
- image: docker.io/library/postgres:12-alpine
- restart: unless-stopped
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
- start_period: 20s
- interval: 30s
- retries: 5
- timeout: 5s
- volumes:
- - database:/var/lib/postgresql/data
- environment:
- POSTGRES_PASSWORD: ${PG_PASS:?database password required}
- POSTGRES_USER: ${PG_USER:-authentik}
- POSTGRES_DB: ${PG_DB:-authentik}
- env_file:
- - .env
- redis:
- image: docker.io/library/redis:alpine
- command: --save 60 1 --loglevel warning
- restart: unless-stopped
- healthcheck:
- test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
- start_period: 20s
- interval: 30s
- retries: 5
- timeout: 3s
- volumes:
- - redis:/data
- server:
- image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
- restart: unless-stopped
- command: server
- environment:
- AUTHENTIK_REDIS__HOST: redis
- AUTHENTIK_POSTGRESQL__HOST: postgresql
- AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
- AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
- volumes:
- - ./media:/media
- - ./custom-templates:/templates
- env_file:
- - .env
- ports:
- - "${COMPOSE_PORT_HTTP:-9000}:9000"
- - "${COMPOSE_PORT_HTTPS:-9443}:9443"
- depends_on:
- - postgresql
- - redis
- worker:
- image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
- restart: unless-stopped
- command: worker
- environment:
- AUTHENTIK_REDIS__HOST: redis
- AUTHENTIK_POSTGRESQL__HOST: postgresql
- AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
- AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
- # `user: root` and the docker socket volume are optional.
- # See more for the docker socket integration here:
- # https://goauthentik.io/docs/outposts/integrations/docker
- # Removing `user: root` also prevents the worker from fixing the permissions
- # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
- # (1000:1000 by default)
- volumes:
- - ./media:/media
- - ./certs:/certs
- - ./custom-templates:/templates
- env_file:
- - .env
- depends_on:
- - postgresql
- - redis
-
-volumes:
- database:
- driver: local
- redis:
- driver: local
diff --git a/tardis-new/flake.lock b/tardis-new/flake.lock
deleted file mode 100644
index 05846d9..0000000
--- a/tardis-new/flake.lock
+++ /dev/null
@@ -1,82 +0,0 @@
-{
- "nodes": {
- "flake-utils": {
- "inputs": {
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1694529238,
- "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
- "microvm": {
- "inputs": {
- "flake-utils": "flake-utils",
- "nixpkgs": [
- "nixos"
- ]
- },
- "locked": {
- "lastModified": 1698882985,
- "narHash": "sha256-0of8RrrfQGco9kiLW4vXpI8n4aGFRp+sPdCWKkkN8XY=",
- "owner": "astro",
- "repo": "microvm.nix",
- "rev": "402333c6e461e0af422e305eb680b4ea9d973b06",
- "type": "github"
- },
- "original": {
- "owner": "astro",
- "repo": "microvm.nix",
- "type": "github"
- }
- },
- "nixos": {
- "locked": {
- "lastModified": 1698846319,
- "narHash": "sha256-4jyW/dqFBVpWFnhl0nvP6EN4lP7/ZqPxYRjl6var0Oc=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "34bdaaf1f0b7fb6d9091472edc968ff10a8c2857",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-23.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "root": {
- "inputs": {
- "microvm": "microvm",
- "nixos": "nixos"
- }
- },
- "systems": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- }
- },
- "root": "root",
- "version": 7
-}
diff --git a/tardis-new/flake.nix b/tardis-new/flake.nix
deleted file mode 100644
index a72caf1..0000000
--- a/tardis-new/flake.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- description = "NixOS in MicroVMs";
-
- inputs = {
- nixos.url = "github:nixos/nixpkgs/nixos-23.05";
-
- microvm.url = "github:astro/microvm.nix";
- microvm.inputs.nixpkgs.follows = "nixos";
- };
-
- outputs = inputs @ {
- self,
- nixos,
- microvm,
- }: let
- system = (import ./lib/consts.nix).system;
- overlays = [
- # Access helpful variables from nixpkgs
- (_: prev: prev // {inherit inputs overlays;})
-
- # Add our custom library functions
- (final: prev: prev // {lib = prev.lib // import ./lib final;})
- ];
- pkgs = import nixos {inherit system overlays;};
- in {
- packages.${system} = {
- my-microvm = self.nixosConfigurations.my-microvm.config.microvm.declaredRunner;
- };
-
- nixosConfigurations = {
- my-microvm = nixos.lib.nixosSystem {
- inherit (pkgs) system;
- inherit pkgs;
- specialArgs = {inherit (pkgs) lib;};
- modules = [
- {nixpkgs.overlays = pkgs.overlays;}
- microvm.nixosModules.microvm
- ./modules/common.nix
- {
- networking.hostName = "test";
- users.users.root.password = "1234";
- }
- ];
- };
- };
- };
-}
diff --git a/tardis-new/lib/consts.nix b/tardis-new/lib/consts.nix
deleted file mode 100644
index 8e24673..0000000
--- a/tardis-new/lib/consts.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- system = "x86_64-linux";
-
- mainDomain = "tardisproject.uk";
-
- rootPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVMp9Z6X0SERg4lWn+j3cMXFKssl8aBSM5Fzm+jXzaX aria@casper";
-}
diff --git a/tardis-new/lib/default.nix b/tardis-new/lib/default.nix
deleted file mode 100644
index 338b2c6..0000000
--- a/tardis-new/lib/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-final: {
- consts = import ./consts.nix;
-}
diff --git a/tardis-new/modules/common.nix b/tardis-new/modules/common.nix
deleted file mode 100644
index 0d6a1ba..0000000
--- a/tardis-new/modules/common.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- lib,
- config,
- ...
-}: {
- networking.domain = lib.consts.mainDomain;
-
- system.stateVersion = "23.05";
-
- # Share NixOS store for efficiency
- microvm = {
- storeOnDisk = false;
- shares = [
- {
- tag = "ro-store";
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- }
- ];
- };
-
- microvm = {
- # Hypervisor setup
- hypervisor = "qemu";
- socket = "control.socket";
-
- # Trusted bridge setup
- interfaces = [
- {
- type = "tap";
- id = "vm-${config.networking.hostName}";
- mac = "02:00:00:00:00:01";
- }
- ];
- };
-
- # If this isn't set, then every system changes whenever a commit is made
- # Which is super annoying
- nix.registry = lib.mkForce {};
-
- # SSH Access
- services.openssh = {
- enable = true;
- openFirewall = true;
- settings.PermitRootLogin = "prohibit-password";
- };
- users.users.root.openssh.authorizedKeys.keys = [lib.consts.rootPubKey];
-
- # Swap file
- # swapDevices = [
- # {
- # device = "/swapfile";
- # size = builtins.floor (config.microvm.mem * 0.5);
- # }
- # ];
-}
diff --git a/tardis-new/notes.org b/tardis-new/notes.org
deleted file mode 100644
index 9ef0aea..0000000
--- a/tardis-new/notes.org
+++ /dev/null
@@ -1,8 +0,0 @@
-probably better than ldap+keycloak: https://goauthentik.io/docs/
-sops + scalpel lets us do templating, vault is probably unnecessary https://github.com/polygon/scalpel
-
-authentik terraform provider: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/provider_oauth2
-can output client secrets and stuff for this, but requires specifying UUIDs of default authentik objects
-which we can get from data sources: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/data-sources/flow
-
-netdata seems lighter and less maintenance than grafana+prom+loki: https://github.com/netdata/netdata