From 645e223aab2c873e4c1936f65a547f260aa40301 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Tue, 7 Mar 2023 16:48:46 +0100 Subject: [PATCH] reset later --- flake.lock | 36 ++--- hosts/chonk/chonk.nix | 2 - hosts/chonk/configuration.nix | 6 +- hosts/chonk/hardware-configuration.nix | 4 +- hosts/chonk/invoiceplane.nix | 4 - hosts/chonk/libvirt-container.nix | 63 +++++++++ hosts/chonk/monitoring.nix | 27 ++++ hosts/chonk/wireguard.nix | 9 +- hosts/companion/companion.nix | 16 +-- hosts/companion/home-controller.nix | 51 +------ hosts/cox/home-controller.nix | 43 +----- hosts/giggles/home-controller.nix | 40 +----- .../norman/.config/sway/config.d/screens.conf | 21 +-- hosts/norman/builder.nix | 3 +- hosts/norman/hardware-configuration.nix | 2 +- hosts/norman/wireguard.nix | 7 +- modules/graphical/default.nix | 9 -- modules/home-controller/default.nix | 126 ++---------------- modules/home-controller/k3s.nix | 77 ----------- modules/home-controller/monitoring-client.nix | 13 ++ modules/home-controller/wireguard.nix | 31 +++-- modules/monitoring-client/default.nix | 29 ++++ modules/monitoring-server/default.nix | 69 ++++++++++ modules/server/default.nix | 16 ++- modules/sway/default.nix | 2 +- users/hensoko/ssh.nix | 1 + 26 files changed, 313 insertions(+), 394 deletions(-) create mode 100644 hosts/chonk/libvirt-container.nix create mode 100644 hosts/chonk/monitoring.nix delete mode 100644 modules/home-controller/k3s.nix create mode 100644 modules/home-controller/monitoring-client.nix create mode 100644 modules/monitoring-client/default.nix create mode 100644 modules/monitoring-server/default.nix diff --git a/flake.lock b/flake.lock index df2b2ba6..3490d6d7 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ ] }, "locked": { - "lastModified": 1677247280, - "narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=", + "lastModified": 1677453742, + "narHash": "sha256-/DNOThcCGz21Met/aMhm7NGqughtpxQzrlAqTuq+YZQ=", "owner": "ryantm", "repo": "agenix", - "rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1", + "rev": "4828951d9d05accd244bf8c24706f046b485aceb", "type": "github" }, "original": { @@ -221,11 +221,11 @@ "utils": "utils_2" }, "locked": { - "lastModified": 1676257154, - "narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=", + "lastModified": 1677757546, + "narHash": "sha256-tA1ukoluctzLVyWRaKtD4KlTwgXbUsGB5vcyni1OJ9I=", "owner": "nix-community", "repo": "home-manager", - "rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527", + "rev": "86bb69b0b1e10d99a30c4352f230f03106dd0f8a", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "latest": { "locked": { - "lastModified": 1677063315, - "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", + "lastModified": 1677587185, + "narHash": "sha256-zYT66MAYwctAQqI5VBw3LbBXiSKdB8vuMAqCGG8onbE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "988cc958c57ce4350ec248d2d53087777f9e1949", + "rev": "68196a61c26748d3e53a6803de3d2f8c69f27831", "type": "github" }, "original": { @@ -258,11 +258,11 @@ ] }, "locked": { - "lastModified": 1676707513, - "narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=", + "lastModified": 1677620425, + "narHash": "sha256-ThhVPUEfXtnS6kziQMY2GwcUZard1E16+5TA/UKJBf4=", "owner": "musnix", "repo": "musnix", - "rev": "2289b7c353e56ee18270fb6b43965036942b2d0f", + "rev": "eedb1d32ad356877b0888fb8e3ffb32e71f874de", "type": "github" }, "original": { @@ -288,11 +288,11 @@ }, "nixos": { "locked": { - "lastModified": 1677075010, - "narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=", + "lastModified": 1677624842, + "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c95bf18beba4290af25c60cbaaceea1110d0f727", + "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", "type": "github" }, "original": { @@ -323,11 +323,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1677232326, - "narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=", + "lastModified": 1677591639, + "narHash": "sha256-DMlAyge+u3K+JOFLA5YfdjqagdAYJf29YGBWpy5izg4=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2", + "rev": "77de4cd09db4dbee9551ed2853cfcf113d7dc5ce", "type": "github" }, "original": { diff --git a/hosts/chonk/chonk.nix b/hosts/chonk/chonk.nix index 0ee8ffba..bca7d463 100644 --- a/hosts/chonk/chonk.nix +++ b/hosts/chonk/chonk.nix @@ -11,6 +11,4 @@ in { imports = [ ./configuration.nix ]; - - networking.networkmanager.enable = lib.mkForce false; } diff --git a/hosts/chonk/configuration.nix b/hosts/chonk/configuration.nix index 708a0c5d..905ee36e 100644 --- a/hosts/chonk/configuration.nix +++ b/hosts/chonk/configuration.nix @@ -20,6 +20,9 @@ ./invoiceplane.nix #./tang.nix #./whiteboard.nix + + ./libvirt-container.nix + ./monitoring.nix ]; boot.loader.systemd-boot.enable = lib.mkForce false; @@ -32,10 +35,9 @@ networking.nat.internalIPs = ["10.10.42.0/24"]; networking.nat.externalInterface = "eno1"; + networking.firewall.enable = lib.mkForce true; networking.firewall.allowedTCPPorts = [80 443 2222]; networking.firewall.allowedUDPPorts = [51899]; - networking.firewall.enable = lib.mkForce true; - system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/hosts/chonk/hardware-configuration.nix b/hosts/chonk/hardware-configuration.nix index fd8bfe57..082976f2 100644 --- a/hosts/chonk/hardware-configuration.nix +++ b/hosts/chonk/hardware-configuration.nix @@ -88,7 +88,9 @@ nameservers = ["95.129.51.51" "80.244.244.244"]; - interfaces."bond0" = { + bridges."br0".interfaces = ["bond0"]; + + interfaces."br0" = { ipv4.addresses = [ { address = "80.244.242.2"; diff --git a/hosts/chonk/invoiceplane.nix b/hosts/chonk/invoiceplane.nix index ff705a40..4ef757aa 100644 --- a/hosts/chonk/invoiceplane.nix +++ b/hosts/chonk/invoiceplane.nix @@ -51,10 +51,6 @@ in { enable = true; stateDir = containerStateDir; - extraConfig = '' - ENABLE_DEBUG=true - ''; - database = { user = "invoiceplane"; name = "invoiceplane"; diff --git a/hosts/chonk/libvirt-container.nix b/hosts/chonk/libvirt-container.nix new file mode 100644 index 00000000..b69e54a9 --- /dev/null +++ b/hosts/chonk/libvirt-container.nix @@ -0,0 +1,63 @@ +{ + config, + pkgs, + ... +}: { + networking.firewall.allowedTCPPorts = [4222]; + + containers."libvirt-container" = { + autoStart = true; + + bindMounts."/dev/kvm" = { + hostPath = "/dev/kvm"; + isReadOnly = false; + }; + + allowedDevices = [ + { + node = "/dev/kvm"; + modifier = "rw"; + } + { + node = "/dev/net/tun"; + modifier = "rw"; + } + { + node = "/dev/vnet*"; + modifier = "rw"; + } + ]; + + forwardPorts = [ + { + hostPort = 4222; + } + ]; + + enableTun = true; + + #extraFlags = [ "-U" ]; + + config = { + config, + pkgs, + ... + }: { + networking.firewall.enable = false; + + virtualisation.libvirtd.enable = true; + security.polkit.enable = true; + + services.openssh = { + enable = true; + ports = [4222]; + }; + + users.users.root = { + openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"]; + }; + + system.stateVersion = "22.11"; + }; + }; +} diff --git a/hosts/chonk/monitoring.nix b/hosts/chonk/monitoring.nix new file mode 100644 index 00000000..1cdfb4ae --- /dev/null +++ b/hosts/chonk/monitoring.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + self, + ... +}: { + pub-solar.monitoring-server.enable = true; + + # wireguard exporter + networking.firewall.allowedTCPPorts = [9585]; + services.prometheus = { + exporters.wireguard = { + enable = true; + withRemoteIp = true; + }; + scrapeConfigs = [ + { + job_name = "chonk-wireguard"; + static_configs = [ + { + targets = ["10.0.1.6:9586"]; + } + ]; + } + ]; + }; +} diff --git a/hosts/chonk/wireguard.nix b/hosts/chonk/wireguard.nix index fbe00363..82609e5d 100644 --- a/hosts/chonk/wireguard.nix +++ b/hosts/chonk/wireguard.nix @@ -24,8 +24,6 @@ privateKeyFile = "/run/agenix/home_controller_wireguard"; peers = [ - # For a client configuration, one peer entry for the server will suffice. - { # giggles publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; @@ -50,7 +48,14 @@ # Send keepalives every 25 seconds. Important to keep NAT tables alive. persistentKeepalive = 25; } + { + # norman + publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM="; + allowedIPs = ["10.0.1.121/32"]; + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } { # hsha publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc="; diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix index 6ff0d422..bb0b2561 100644 --- a/hosts/companion/companion.nix +++ b/hosts/companion/companion.nix @@ -1,18 +1,18 @@ -{ config, pkgs, lib, ... }: -with lib; -let +{ + config, + pkgs, + lib, + ... +}: +with lib; let psCfg = config.pub-solar; xdg = config.home-manager.users."${psCfg.user.name}".xdg; -in -{ +in { imports = [ ./configuration.nix ]; config = { nixpkgs.crossSystem.system = "aarch64-linux"; - - boot.plymouth.enable = lib.mkForce false; - pub-solar.nextcloud.enable = lib.mkForce false; }; } diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix index 534c2dfd..f49c3e9f 100644 --- a/hosts/companion/home-controller.nix +++ b/hosts/companion/home-controller.nix @@ -1,55 +1,16 @@ -{ self, config, pkgs, ... }: - { + self, + config, + pkgs, + ... +}: { config = { - #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; pub-solar.home-controller = { enable = true; - role = "server"; ownIp = "10.0.1.13"; - - k3s = { - serverAddr = "https://api.kube:6443"; - tokenFile = "/run/agenix/home_controller_k3s_token"; - enableLocalStorage = true; - enableZfs = true; - }; - - wireguard = { - privateKeyFile = "/run/agenix/home_controller_wireguard"; - peers = [ - { - # cube - publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; - allowedIPs = [ "10.0.1.5/32" ]; - endpoint = "data.gssws.de:51899"; - persistentKeepalive = 25; - } - { - # giggles - publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; - allowedIPs = [ "10.0.1.11/32" ]; - endpoint = "giggles.local:51899"; - persistentKeepalive = 25; - } - { - # cox - publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; - allowedIPs = [ "10.0.1.12/32" ]; - endpoint = "cox.local:51899"; - persistentKeepalive = 25; - } - { - # ringo - publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; - allowedIPs = [ "10.0.1.21/32" ]; - endpoint = "ringo.local:51899"; - persistentKeepalive = 25; - } - ]; - }; + wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard"; }; }; } diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix index d8deced2..c6b22bd7 100644 --- a/hosts/cox/home-controller.nix +++ b/hosts/cox/home-controller.nix @@ -5,54 +5,13 @@ ... }: { config = { - #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; pub-solar.home-controller = { enable = true; - role = "server"; ownIp = "10.0.1.12"; - k3s = { - serverAddr = "https://api.kube:6443"; - tokenFile = "/run/agenix/home_controller_k3s_token"; - enableLocalStorage = true; - enableZfs = true; - }; - - wireguard = { - privateKeyFile = "/run/agenix/home_controller_wireguard"; - peers = [ - { - # chonk - publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; - allowedIPs = ["10.0.1.6/32"]; - endpoint = "data.gssws.de:51899"; - persistentKeepalive = 25; - } - { - # giggles - publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; - allowedIPs = ["10.0.1.11/32"]; - endpoint = "giggles.local:51899"; - persistentKeepalive = 25; - } - { - # companion - publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; - allowedIPs = ["10.0.1.13/32"]; - endpoint = "companion.local:51899"; - persistentKeepalive = 25; - } - { - # ringo - publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; - allowedIPs = ["10.0.1.21/32"]; - endpoint = "ringo.local:51899"; - persistentKeepalive = 25; - } - ]; - }; + wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard"; }; }; } diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix index be3447f5..ee7dd2c7 100644 --- a/hosts/giggles/home-controller.nix +++ b/hosts/giggles/home-controller.nix @@ -9,47 +9,9 @@ pub-solar.home-controller = { enable = true; - role = "server"; ownIp = "10.0.1.11"; - k3s = { - enableLocalStorage = true; - enableZfs = true; - }; - - wireguard = { - privateKeyFile = "/run/agenix/home_controller_wireguard"; - peers = [ - { - # chonk - publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; - allowedIPs = ["10.0.1.6/32"]; - endpoint = "data.gssws.de:51899"; - persistentKeepalive = 25; - } - { - # cox - publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; - allowedIPs = ["10.0.1.12/32"]; - endpoint = "cox.local:51899"; - persistentKeepalive = 25; - } - { - # companion - publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; - allowedIPs = ["10.0.1.13/32"]; - endpoint = "companion.local:51899"; - persistentKeepalive = 25; - } - { - # ringo - publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; - allowedIPs = ["10.0.1.21/32"]; - endpoint = "ringo.local:51899"; - persistentKeepalive = 25; - } - ]; - }; + wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard"; }; }; } diff --git a/hosts/norman/.config/sway/config.d/screens.conf b/hosts/norman/.config/sway/config.d/screens.conf index 13b97991..e72c3df9 100644 --- a/hosts/norman/.config/sway/config.d/screens.conf +++ b/hosts/norman/.config/sway/config.d/screens.conf @@ -1,18 +1,19 @@ -set $left 'Dell Inc. DELL S2721DS D0SVQ43' -set $middle 'Eizo Nanao Corporation EV2316W 39117013' -set $right 'Chimei Innolux Corporation 0x14D4' +set $left 'Dell Inc. DELL S3222DGM G1FFT63' +set $right 'Dell Inc. DELL S2721DS D0SVQ43' +set $bottom 'Chimei Innolux Corporation 0x14D4' output $left { scale 1 - pos 0 0 -} - -output $middle { - scale 1 - pos 2560 770 + pos 0 690 } output $right { scale 1 - pos 1000 1440 + pos 2560 0 + transform 90 +} + +output $bottom { + scale 1 + pos 0 2130 } diff --git a/hosts/norman/builder.nix b/hosts/norman/builder.nix index 2a71694a..3aa92d11 100644 --- a/hosts/norman/builder.nix +++ b/hosts/norman/builder.nix @@ -11,7 +11,7 @@ nix.buildMachines = [ { hostName = "builder"; - systems = ["x86_64-linux" "aarch64-linux"]; + systems = ["x86_64-linux" "aarch64-linux" "i686-linux"]; maxJobs = 20; speedFactor = 2; supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; @@ -21,7 +21,6 @@ nix.distributedBuilds = true; nix.settings = { - substituters = ["ssh-ng://builder"]; trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="]; builders-use-substitutes = true; }; diff --git a/hosts/norman/hardware-configuration.nix b/hosts/norman/hardware-configuration.nix index 2b6778e7..84219ca6 100644 --- a/hosts/norman/hardware-configuration.nix +++ b/hosts/norman/hardware-configuration.nix @@ -15,7 +15,7 @@ boot.kernelModules = ["kvm-intel"]; boot.extraModulePackages = []; - boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelPackages = pkgs.linuxPackages_xanmod_latest; boot.loader.grub.trustedBoot = { enable = true; systemHasTPM = "YES_TPM_is_activated"; diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix index 55538a98..df4f96aa 100644 --- a/hosts/norman/wireguard.nix +++ b/hosts/norman/wireguard.nix @@ -59,7 +59,7 @@ wg1 = { # Determines the IP address and subnet of the client's end of the tunnel interface. ips = [ - "10.7.0.21" + "10.0.1.121" ]; listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers) @@ -77,13 +77,12 @@ # Public key of the server (not a file path). publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; - # Forward all the traffic via VPN. allowedIPs = [ - "10.7.0.0/24" + "10.0.1.0/24" ]; # Set this to the server IP and port. - endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + endpoint = "vpn.gssws.de:51899"; # Send keepalives every 25 seconds. Important to keep NAT tables alive. persistentKeepalive = 25; diff --git a/modules/graphical/default.nix b/modules/graphical/default.nix index 5966e73e..9644f849 100644 --- a/modules/graphical/default.nix +++ b/modules/graphical/default.nix @@ -110,16 +110,7 @@ in { gnome.nautilus gnome.yelp hicolor-icon-theme - - wine - toggle-kbd-layout - - wcwd - - vlc - - gimp ]; xdg.configFile."alacritty/alacritty.yml" = { diff --git a/modules/home-controller/default.nix b/modules/home-controller/default.nix index a0562286..7562c5f2 100644 --- a/modules/home-controller/default.nix +++ b/modules/home-controller/default.nix @@ -1,27 +1,21 @@ -{ lib, config, pkgs, ... }: -with lib; -let +{ + lib, + config, + pkgs, + ... +}: +with lib; let psCfg = config.pub-solar; cfg = config.pub-solar.home-controller; -in -{ +in { imports = [ - #./k3s.nix ./wireguard.nix + ./monitoring-client.nix ]; options.pub-solar.home-controller = { enable = mkEnableOption "Control your home"; - role = mkOption { - description = '' - Whether the node should run as a server or agent. - Note that the server, by default, also runs as an agent. - ''; - default = "server"; - type = types.enum [ "server" "agent" ]; - }; - ownIp = mkOption { description = '' Internal ip in wireguard used for cluster control-plane communication. @@ -29,103 +23,11 @@ in type = types.str; }; - k3s = { - enableLocalStorage = mkOption { - description = '' - Enable local storage provisioner. - ''; - default = false; - type = types.bool; - }; - - defaultLocalStoragePath = mkOption { - description = '' - Default path to use for local storage provisioner. - ''; - default = "/var/lib/rancher/k3s/storage"; - type = types.path; - }; - - flannelBackend = mkOption { - description = '' - Flannel backend to use. - ''; - default = "wireguard-native"; - type = types.str; - }; - - serverAddr = mkOption { - description = '' - Set server address of master - ''; - default = ""; - type = types.str; - example = "https://api.kube:6443"; - }; - - tokenFile = mkOption { - description = '' - Location of token file used to join cluster. - ''; - default = ""; - type = types.str; - }; - - enableZfs = mkOption { - description = '' - Enable when k3s should use a ZFS compatible runtime. - ''; - default = false; - type = types.bool; - }; - - zfsPool = mkOption { - description = '' - The ZFS pool to use and create a containerd volume in. - ''; - default = "zroot"; - type = types.str; - }; - }; - - wireguard = { - privateKeyFile = mkOption { - description = '' - Location of private key file - ''; - type = types.path; - }; - - listenPort = mkOption { - description = '' - Port for wireguard. - ''; - default = 51899; - type = types.int; - }; - - peers = mkOption { - description = '' - Wireguard peers. - ''; - type = types.listOf types.attrs; - }; - }; - }; - - config = mkIf cfg.enable { - boot.kernelModules = [ "rbd" ]; - - networking.extraHosts = - '' - 192.168.42.231 ringo.local - 192.168.42.232 giggles.local - 192.168.42.234 cox.local - 192.168.42.236 companion.local - 10.0.1.11 api.kube giggles.kube - 10.0.1.12 cox.kube - 10.0.1.13 companion.kube - 10.0.1.21 ringo.kube + wireguardPrivateKeyFile = mkOption { + description = '' + Location of private key file ''; + type = types.path; + }; }; } diff --git a/modules/home-controller/k3s.nix b/modules/home-controller/k3s.nix deleted file mode 100644 index 2366e7b5..00000000 --- a/modules/home-controller/k3s.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ lib, config, pkgs, ... }: -with lib; -let - psCfg = config.pub-solar; - cfg = config.pub-solar.home-controller; -in -{ - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - kubernetes-helm - ]; - - environment.sessionVariables = lib.mkIf (cfg.role == "server") rec { - KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; - }; - - networking.firewall.enable = lib.mkForce false; - - services.k3s = { - enable = true; - role = cfg.role; - serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr; - tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile; - extraFlags = concatStringsSep " " ( - [ - "--node-ip ${cfg.ownIp}" - "--container-runtime-endpoint unix:///run/containerd/containerd.sock" - - "${optionalString (cfg.role == "server") "--disable servicelb"}" - "${optionalString (cfg.role == "server") "--disable traefik"}" - - "${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}" - - "${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}" - - "${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}" - "${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}" - - "${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}" - ] - ); - }; - - systemd.services.containerd = mkIf cfg.k3s.enableZfs { - serviceConfig = { - ExecStartPre = [ - "-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd" - ]; - }; - }; - - systemd.services.k3s = { - after = [ "containerd.service" ]; - requisite = [ "containerd.service" ]; - }; - - virtualisation.containerd = { - enable = true; - settings = - let - fullCNIPlugins = pkgs.buildEnv { - name = "full-cni"; - paths = with pkgs; [ - cni-plugins - cni-plugin-flannel - ]; - }; - in - { - plugins."io.containerd.grpc.v1.cri".cni = { - bin_dir = "${fullCNIPlugins}/bin"; - conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/"; - }; - }; - }; - }; -} diff --git a/modules/home-controller/monitoring-client.nix b/modules/home-controller/monitoring-client.nix new file mode 100644 index 00000000..3173aad0 --- /dev/null +++ b/modules/home-controller/monitoring-client.nix @@ -0,0 +1,13 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.pub-solar.home-controller; +in { + pub-solar.monitoring-client = lib.mkIf cfg.enable { + enable = true; + listenAddress = cfg.ownIp; + }; +} diff --git a/modules/home-controller/wireguard.nix b/modules/home-controller/wireguard.nix index 3fa7c92a..f1848fad 100644 --- a/modules/home-controller/wireguard.nix +++ b/modules/home-controller/wireguard.nix @@ -1,22 +1,33 @@ -{ lib, config, pkgs, ... }: -with lib; -let +{ + lib, + config, + pkgs, + ... +}: +with lib; let psCfg = config.pub-solar; cfg = config.pub-solar.home-controller; -in -{ +in { config = mkIf cfg.enable { systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure"; systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s"; - networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ]; + networking.firewall.allowedUDPPorts = [51899]; networking.wireguard.interfaces = { wghome = { - ips = [ cfg.ownIp ]; - listenPort = cfg.wireguard.listenPort; - privateKeyFile = cfg.wireguard.privateKeyFile; - peers = cfg.wireguard.peers; + ips = [cfg.ownIp]; + listenPort = 51899; + privateKeyFile = cfg.wireguardPrivateKeyFile; + peers = [ + { + # chonk + publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; + allowedIPs = ["10.0.1.0/24"]; + endpoint = "vpn.gssws.de:51899"; + persistentKeepalive = 25; + } + ]; }; }; }; diff --git a/modules/monitoring-client/default.nix b/modules/monitoring-client/default.nix new file mode 100644 index 00000000..46b89576 --- /dev/null +++ b/modules/monitoring-client/default.nix @@ -0,0 +1,29 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; let + psCfg = config.pub-solar; + cfg = config.pub-solar.monitoring-client; +in { + options.pub-solar.monitoring-client = { + enable = mkEnableOption "Install a monitoring client node"; + listenAddress = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + openFirewall = true; + listenAddress = cfg.listenAddress; + }; + }; + }; +} diff --git a/modules/monitoring-server/default.nix b/modules/monitoring-server/default.nix new file mode 100644 index 00000000..22070d6e --- /dev/null +++ b/modules/monitoring-server/default.nix @@ -0,0 +1,69 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; let + psCfg = config.pub-solar; + cfg = config.pub-solar.monitoring-server; +in { + options.pub-solar.monitoring-server = { + enable = mkEnableOption "Install a monitoring server node"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [2342 9001]; + + pub-solar.monitoring-client = { + enable = true; + listenAddress = "10.0.1.6"; + }; + + services.grafana = { + enable = true; + port = 2342; + addr = "10.0.1.6"; + }; + + services.prometheus = { + enable = true; + listenAddress = "10.0.1.6"; + port = 9001; + scrapeConfigs = [ + { + job_name = "chonk"; + static_configs = [ + { + targets = ["10.0.1.6:9002"]; + } + ]; + } + { + job_name = "giggles"; + static_configs = [ + { + targets = ["10.0.1.11:9002"]; + } + ]; + } + { + job_name = "cox"; + static_configs = [ + { + targets = ["10.0.1.12:9002"]; + } + ]; + } + { + job_name = "companion"; + static_configs = [ + { + targets = ["10.0.1.13:9002"]; + } + ]; + } + ]; + }; + }; +} diff --git a/modules/server/default.nix b/modules/server/default.nix index 6ab9a0a9..7931e16a 100644 --- a/modules/server/default.nix +++ b/modules/server/default.nix @@ -1,10 +1,13 @@ -{ lib, config, pkgs, ... }: -with lib; -let +{ + lib, + config, + pkgs, + ... +}: +with lib; let psCfg = config.pub-solar; cfg = config.pub-solar.server; -in -{ +in { options.pub-solar.server = { enable = mkEnableOption "Enable server options like sshd"; }; @@ -18,5 +21,8 @@ in passwordAuthentication = true; openFirewall = true; }; + + networking.networkmanager.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; }; } diff --git a/modules/sway/default.nix b/modules/sway/default.nix index 019119bd..4f36a375 100644 --- a/modules/sway/default.nix +++ b/modules/sway/default.nix @@ -82,8 +82,8 @@ in { sway-launcher record-screen import-gtk-settings - s wcwd + wdisplays ]; programs.waybar.enable = true; diff --git a/users/hensoko/ssh.nix b/users/hensoko/ssh.nix index 82b07010..c53d17bd 100644 --- a/users/hensoko/ssh.nix +++ b/users/hensoko/ssh.nix @@ -38,6 +38,7 @@ in { }; "companion" = { user = "iot"; + hostname = "10.0.1.13"; }; "chonk" = { hostname = "80.244.242.2";