ci: add self-hosted runner tankstelle #198

Merged
teutat3s merged 8 commits from feat/add-tankstelle into main 2024-05-31 14:49:21 +00:00
8 changed files with 188 additions and 0 deletions
Showing only changes of commit 946585d1ca - Show all commits


@ -122,6 +122,10 @@
hostname = "10.7.6.2";
sshUser = username;
};
tankstelle = {
hostname = "80.244.242.5";
sshUser = username;
};
};
};
};
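Review bot: The new deploy target is addressed by its public IP, `hostname = "80.244.242.5";`, while the neighbouring entry (`hostname = "10.7.6.2";`) appears to use an overlay address. In this same commit networking.nix opens SSH publicly with a TODO to move it behind WireGuard, and wireguard.nix (not yet imported) pins sshd's listenAddresses to `10.7.6.3`; once that file is enabled, deploys to this target will stop working unless this line becomes `hostname = "10.7.6.3";`. The enclosing attribute set starts outside the hunk.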


@ -58,6 +58,16 @@
self.nixosModules.loki
];
};
tankstelle = self.nixos-flake.lib.mkLinuxSystem {
imports = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./tankstelle
self.nixosModules.overlays
self.nixosModules.core
];
};
};
};
}


@ -0,0 +1,13 @@
{ flake, ... }:
{
age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-droppie.age";
mode = "400";
owner = "root";
};
age.secrets."restic-repo-storagebox" = {
file = "${flake.self}/secrets/restic-repo-storagebox.age";
mode = "400";
owner = "root";
};
}


@ -0,0 +1,17 @@
{
flake,
config,
pkgs,
...
}:
{
imports =
[
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "23.11";
}
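Review bot: `./hardware-configuration.nix` is imported here and again from the host's default.nix in this commit; the module system deduplicates modules with the same file key, so this is harmless, but one of the two imports should go so that the module list has a single owner. The `flake`, `config` and `pkgs` arguments are unused in this file; `{ ... }:` would do until one of them is needed.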


@ -0,0 +1,12 @@
{ flake, ... }:
{
imports = [
./hardware-configuration.nix
./configuration.nix
./networking.nix
#./wireguard.nix
#./backups.nix
];
}
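Review bot: The disabled `#./wireguard.nix` and `#./backups.nix` imports carry no note on why they are off or what has to happen before they can be turned on, and with wireguard.nix out of the list sshd keeps listening on every address while networking.nix opens port 22 in the firewall. A comment such as `# wireguard.nix: enable once a tankstelle-specific WireGuard key exists in secrets/; sshd then listens on the wg address only` next to the commented line would keep that dependency visible. `flake` is unused in this file.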


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/AF98-AA5C";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,39 @@
{
config,
pkgs,
flake,
...
}:
{
networking = {
hostName = "tankstelle";
domain = "pub.solar";
enableIPv6 = true;
defaultGateway = {
address = "80.244.242.1";
interface = "enp1s0";
};
defaultGateway6 = {
address = "2001:4d88:1ffa:26::1";
interface = "enp1s0";
};
nameservers = [ "95.129.51.51" "80.244.244.244" ];
interfaces."enp1s0" = {
ipv4.addresses = [
{
address = "80.244.242.5";
prefixLength = 29;
}
];
ipv6.addresses = [
{
address = "2001:4d88:1ffa:26::5";
prefixLength = 64;
}
];
};
};
# TODO: ssh via wireguard only
services.openssh.openFirewall = true;
}
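Review bot: `services.openssh.openFirewall = true;` (which, if I recall the module correctly, is also its default) leaves sshd reachable on the public 80.244.242.5 / 2001:4d88:1ffa:26::5 addresses for as long as the TODO stands, because the wireguard.nix that would pin sshd's listenAddresses to the overlay IPs is not imported in this commit. Nothing in this file disables password authentication or root login; unless `self.nixosModules.core` already sets `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` (not visible here), that should be confirmed before the host is exposed. Once WireGuard is in place, replace this line with `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];` and set `services.openssh.openFirewall = false;` so port 22 is only open on the tunnel interface.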


@ -0,0 +1,54 @@
{
config,
pkgs,
flake,
...
}:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
{
# nachtigall.pub.solar
endpoint = "138.201.80.102:51820";
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
{
addr = "10.7.6.3";
port = 22;
}
{
addr = "[fd00:fae:fae:fae:fae:3::]";
port = 22;
}
];
}
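Review bot: `age.secrets.wg-private-key.file` points at `secrets/metronom-wg-private-key.age`, a secret named for a different host, from inside tankstelle's configuration. If that is intentional, two hosts share one WireGuard private key: every peer that trusts metronom's public key will also accept tankstelle, the two hosts' handshakes will fight over the same peer slot, and the `allowedIPs` separation between them cannot be enforced; if it is a copy-paste leftover, the host will fail at activation trying to decrypt a secret it is presumably not a recipient of. Either way this should read `age.secrets.wg-private-key.file = "${flake.self}/secrets/tankstelle-wg-private-key.age";` backed by a freshly generated key, and the `10.7.6.3/32` / `fd00:fae:fae:fae:fae:3::/96` addresses should be checked against whatever metronom uses, which is not visible in this commit.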