pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

reset later

Browse source
This commit is contained in:
Hendrik Sokolowski 2023-03-07 16:48:46 +01:00
parent 4a6a9f11e4
commit 645e223aab
26 changed files with 313 additions and 394 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
flake.lock
View file

@ -10,11 +10,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1677247280, "lastModified": 1677453742,
"narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=", "narHash": "sha256-/DNOThcCGz21Met/aMhm7NGqughtpxQzrlAqTuq+YZQ=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1", "rev": "4828951d9d05accd244bf8c24706f046b485aceb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -221,11 +221,11 @@
"utils": "utils_2" "utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1676257154, "lastModified": 1677757546,
"narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=", "narHash": "sha256-tA1ukoluctzLVyWRaKtD4KlTwgXbUsGB5vcyni1OJ9I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527", "rev": "86bb69b0b1e10d99a30c4352f230f03106dd0f8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -237,11 +237,11 @@
}, },
"latest": { "latest": {
"locked": { "locked": {
"lastModified": 1677063315, "lastModified": 1677587185,
"narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", "narHash": "sha256-zYT66MAYwctAQqI5VBw3LbBXiSKdB8vuMAqCGG8onbE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "988cc958c57ce4350ec248d2d53087777f9e1949", "rev": "68196a61c26748d3e53a6803de3d2f8c69f27831",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -258,11 +258,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1676707513, "lastModified": 1677620425,
"narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=", "narHash": "sha256-ThhVPUEfXtnS6kziQMY2GwcUZard1E16+5TA/UKJBf4=",
"owner": "musnix", "owner": "musnix",
"repo": "musnix", "repo": "musnix",
"rev": "2289b7c353e56ee18270fb6b43965036942b2d0f", "rev": "eedb1d32ad356877b0888fb8e3ffb32e71f874de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -288,11 +288,11 @@
}, },
"nixos": { "nixos": {
"locked": { "locked": {
"lastModified": 1677075010, "lastModified": 1677624842,
"narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=", "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c95bf18beba4290af25c60cbaaceea1110d0f727", "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -323,11 +323,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1677232326, "lastModified": 1677591639,
"narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=", "narHash": "sha256-DMlAyge+u3K+JOFLA5YfdjqagdAYJf29YGBWpy5izg4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2", "rev": "77de4cd09db4dbee9551ed2853cfcf113d7dc5ce",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
hosts/chonk/chonk.nix
View file

@ -11,6 +11,4 @@ in {
imports = [ imports = [
./configuration.nix ./configuration.nix
]; ];
networking.networkmanager.enable = lib.mkForce false;
} }

6
hosts/chonk/configuration.nix
View file

@ -20,6 +20,9 @@
./invoiceplane.nix ./invoiceplane.nix
#./tang.nix #./tang.nix
#./whiteboard.nix #./whiteboard.nix
./libvirt-container.nix
./monitoring.nix
]; ];
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false;
@ -32,10 +35,9 @@
networking.nat.internalIPs = ["10.10.42.0/24"]; networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1"; networking.nat.externalInterface = "eno1";
networking.firewall.enable = lib.mkForce true;
networking.firewall.allowedTCPPorts = [80 443 2222]; networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899]; networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05"; # Did you read the comment?
} }

4
hosts/chonk/hardware-configuration.nix
View file

@ -88,7 +88,9 @@
nameservers = ["95.129.51.51" "80.244.244.244"]; nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces."bond0" = { bridges."br0".interfaces = ["bond0"];
interfaces."br0" = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "80.244.242.2"; address = "80.244.242.2";

4
hosts/chonk/invoiceplane.nix
View file

@ -51,10 +51,6 @@ in {
enable = true; enable = true;
stateDir = containerStateDir; stateDir = containerStateDir;
extraConfig = ''
ENABLE_DEBUG=true
'';
database = { database = {
user = "invoiceplane"; user = "invoiceplane";
name = "invoiceplane"; name = "invoiceplane";

63
hosts/chonk/libvirt-container.nix Normal file
View file

@ -0,0 +1,63 @@
{
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [4222];
containers."libvirt-container" = {
autoStart = true;
bindMounts."/dev/kvm" = {
hostPath = "/dev/kvm";
isReadOnly = false;
};
allowedDevices = [
{
node = "/dev/kvm";
modifier = "rw";
}
{
node = "/dev/net/tun";
modifier = "rw";
}
{
node = "/dev/vnet*";
modifier = "rw";
}
];
forwardPorts = [
{
hostPort = 4222;
}
];
enableTun = true;
#extraFlags = [ "-U" ];
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
virtualisation.libvirtd.enable = true;
security.polkit.enable = true;
services.openssh = {
enable = true;
ports = [4222];
};
users.users.root = {
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
};
system.stateVersion = "22.11";
};
};
}

27
hosts/chonk/monitoring.nix Normal file
View file

@ -0,0 +1,27 @@
{
config,
lib,
self,
...
}: {
pub-solar.monitoring-server.enable = true;
# wireguard exporter
networking.firewall.allowedTCPPorts = [9585];
services.prometheus = {
exporters.wireguard = {
enable = true;
withRemoteIp = true;
};
scrapeConfigs = [
{
job_name = "chonk-wireguard";
static_configs = [
{
targets = ["10.0.1.6:9586"];
}
];
}
];
};
}

9
hosts/chonk/wireguard.nix
View file

@ -24,8 +24,6 @@
privateKeyFile = "/run/agenix/home_controller_wireguard"; privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [ peers = [
# For a client configuration, one peer entry for the server will suffice.
{ {
# giggles # giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
@ -50,7 +48,14 @@
# Send keepalives every 25 seconds. Important to keep NAT tables alive. # Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25; persistentKeepalive = 25;
} }
{
# norman
publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
allowedIPs = ["10.0.1.121/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{ {
# hsha # hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc="; publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";

16
hosts/companion/companion.nix
View file

@ -1,18 +1,18 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in in {
{
imports = [ imports = [
./configuration.nix ./configuration.nix
]; ];
config = { config = {
nixpkgs.crossSystem.system = "aarch64-linux"; nixpkgs.crossSystem.system = "aarch64-linux";
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
}; };
} }

51
hosts/companion/home-controller.nix
View file

@ -1,55 +1,16 @@
{ self, config, pkgs, ... }:
{ {
self,
config,
pkgs,
...
}: {
config = { config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.13"; ownIp = "10.0.1.13";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }

43
hosts/cox/home-controller.nix
View file

@ -5,54 +5,13 @@
... ...
}: { }: {
config = { config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.12"; ownIp = "10.0.1.12";
k3s = { wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = ["10.0.1.11/32"];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }

40
hosts/giggles/home-controller.nix
View file

@ -9,47 +9,9 @@
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.11"; ownIp = "10.0.1.11";
k3s = { wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = ["10.0.1.12/32"];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }

21
hosts/norman/.config/sway/config.d/screens.conf
View file

@ -1,18 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43' set $left 'Dell Inc. DELL S3222DGM G1FFT63'
set $middle 'Eizo Nanao Corporation EV2316W 39117013' set $right 'Dell Inc. DELL S2721DS D0SVQ43'
set $right 'Chimei Innolux Corporation 0x14D4' set $bottom 'Chimei Innolux Corporation 0x14D4'
output $left { output $left {
scale 1 scale 1
pos 0 0 pos 0 690
}
output $middle {
scale 1
pos 2560 770
} }
output $right { output $right {
scale 1 scale 1
pos 1000 1440 pos 2560 0
transform 90
}
output $bottom {
scale 1
pos 0 2130
} }

3
hosts/norman/builder.nix
View file

@ -11,7 +11,7 @@
nix.buildMachines = [ nix.buildMachines = [
{ {
hostName = "builder"; hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux"]; systems = ["x86_64-linux" "aarch64-linux" "i686-linux"];
maxJobs = 20; maxJobs = 20;
speedFactor = 2; speedFactor = 2;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
@ -21,7 +21,6 @@
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.settings = { nix.settings = {
substituters = ["ssh-ng://builder"];
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="]; trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };

2
hosts/norman/hardware-configuration.nix
View file

@ -15,7 +15,7 @@
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = []; boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
boot.loader.grub.trustedBoot = { boot.loader.grub.trustedBoot = {
enable = true; enable = true;
systemHasTPM = "YES_TPM_is_activated"; systemHasTPM = "YES_TPM_is_activated";

7
hosts/norman/wireguard.nix
View file

@ -59,7 +59,7 @@
wg1 = { wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface. # Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ ips = [
"10.7.0.21" "10.0.1.121"
]; ];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers) listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
@ -77,13 +77,12 @@
# Public key of the server (not a file path). # Public key of the server (not a file path).
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
# Forward all the traffic via VPN.
allowedIPs = [ allowedIPs = [
"10.7.0.0/24" "10.0.1.0/24"
]; ];
# Set this to the server IP and port. # Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 endpoint = "vpn.gssws.de:51899";
# Send keepalives every 25 seconds. Important to keep NAT tables alive. # Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25; persistentKeepalive = 25;

9
modules/graphical/default.nix
View file

@ -110,16 +110,7 @@ in {
gnome.nautilus gnome.nautilus
gnome.yelp gnome.yelp
hicolor-icon-theme hicolor-icon-theme
wine
toggle-kbd-layout toggle-kbd-layout
wcwd
vlc
gimp
]; ];
xdg.configFile."alacritty/alacritty.yml" = { xdg.configFile."alacritty/alacritty.yml" = {

118
modules/home-controller/default.nix
View file

@ -1,27 +1,21 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller; cfg = config.pub-solar.home-controller;
in in {
{
imports = [ imports = [
#./k3s.nix
./wireguard.nix ./wireguard.nix
./monitoring-client.nix
]; ];
options.pub-solar.home-controller = { options.pub-solar.home-controller = {
enable = mkEnableOption "Control your home"; enable = mkEnableOption "Control your home";
role = mkOption {
description = ''
Whether the node should run as a server or agent.
Note that the server, by default, also runs as an agent.
'';
default = "server";
type = types.enum [ "server" "agent" ];
};
ownIp = mkOption { ownIp = mkOption {
description = '' description = ''
Internal ip in wireguard used for cluster control-plane communication. Internal ip in wireguard used for cluster control-plane communication.
@ -29,103 +23,11 @@ in
type = types.str; type = types.str;
}; };
k3s = { wireguardPrivateKeyFile = mkOption {
enableLocalStorage = mkOption {
description = ''
Enable local storage provisioner.
'';
default = false;
type = types.bool;
};
defaultLocalStoragePath = mkOption {
description = ''
Default path to use for local storage provisioner.
'';
default = "/var/lib/rancher/k3s/storage";
type = types.path;
};
flannelBackend = mkOption {
description = ''
Flannel backend to use.
'';
default = "wireguard-native";
type = types.str;
};
serverAddr = mkOption {
description = ''
Set server address of master
'';
default = "";
type = types.str;
example = "https://api.kube:6443";
};
tokenFile = mkOption {
description = ''
Location of token file used to join cluster.
'';
default = "";
type = types.str;
};
enableZfs = mkOption {
description = ''
Enable when k3s should use a ZFS compatible runtime.
'';
default = false;
type = types.bool;
};
zfsPool = mkOption {
description = ''
The ZFS pool to use and create a containerd volume in.
'';
default = "zroot";
type = types.str;
};
};
wireguard = {
privateKeyFile = mkOption {
description = '' description = ''
Location of private key file Location of private key file
''; '';
type = types.path; type = types.path;
}; };
listenPort = mkOption {
description = ''
Port for wireguard.
'';
default = 51899;
type = types.int;
};
peers = mkOption {
description = ''
Wireguard peers.
'';
type = types.listOf types.attrs;
};
};
};
config = mkIf cfg.enable {
boot.kernelModules = [ "rbd" ];
networking.extraHosts =
''
192.168.42.231 ringo.local
192.168.42.232 giggles.local
192.168.42.234 cox.local
192.168.42.236 companion.local
10.0.1.11 api.kube giggles.kube
10.0.1.12 cox.kube
10.0.1.13 companion.kube
10.0.1.21 ringo.kube
'';
}; };
} }

77
modules/home-controller/k3s.nix
View file

@ -1,77 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in
{
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
kubernetes-helm
];
environment.sessionVariables = lib.mkIf (cfg.role == "server") rec {
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
};
networking.firewall.enable = lib.mkForce false;
services.k3s = {
enable = true;
role = cfg.role;
serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr;
tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile;
extraFlags = concatStringsSep " " (
[
"--node-ip ${cfg.ownIp}"
"--container-runtime-endpoint unix:///run/containerd/containerd.sock"
"${optionalString (cfg.role == "server") "--disable servicelb"}"
"${optionalString (cfg.role == "server") "--disable traefik"}"
"${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}"
"${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}"
"${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}"
"${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}"
"${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}"
]
);
};
systemd.services.containerd = mkIf cfg.k3s.enableZfs {
serviceConfig = {
ExecStartPre = [
"-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd"
];
};
};
systemd.services.k3s = {
after = [ "containerd.service" ];
requisite = [ "containerd.service" ];
};
virtualisation.containerd = {
enable = true;
settings =
let
fullCNIPlugins = pkgs.buildEnv {
name = "full-cni";
paths = with pkgs; [
cni-plugins
cni-plugin-flannel
];
};
in
{
plugins."io.containerd.grpc.v1.cri".cni = {
bin_dir = "${fullCNIPlugins}/bin";
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
};
};
};
};
}

13
modules/home-controller/monitoring-client.nix Normal file
View file

@ -0,0 +1,13 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.pub-solar.home-controller;
in {
pub-solar.monitoring-client = lib.mkIf cfg.enable {
enable = true;
listenAddress = cfg.ownIp;
};
}

29
modules/home-controller/wireguard.nix
View file

@ -1,22 +1,33 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller; cfg = config.pub-solar.home-controller;
in in {
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure"; systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s"; systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ]; networking.firewall.allowedUDPPorts = [51899];
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wghome = { wghome = {
ips = [cfg.ownIp]; ips = [cfg.ownIp];
listenPort = cfg.wireguard.listenPort; listenPort = 51899;
privateKeyFile = cfg.wireguard.privateKeyFile; privateKeyFile = cfg.wireguardPrivateKeyFile;
peers = cfg.wireguard.peers; peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.0/24"];
endpoint = "vpn.gssws.de:51899";
persistentKeepalive = 25;
}
];
}; };
}; };
}; };

29
modules/monitoring-client/default.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-client;
in {
options.pub-solar.monitoring-client = {
enable = mkEnableOption "Install a monitoring client node";
listenAddress = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
openFirewall = true;
listenAddress = cfg.listenAddress;
};
};
};
}

69
modules/monitoring-server/default.nix Normal file
View file

@ -0,0 +1,69 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-server;
in {
options.pub-solar.monitoring-server = {
enable = mkEnableOption "Install a monitoring server node";
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [2342 9001];
pub-solar.monitoring-client = {
enable = true;
listenAddress = "10.0.1.6";
};
services.grafana = {
enable = true;
port = 2342;
addr = "10.0.1.6";
};
services.prometheus = {
enable = true;
listenAddress = "10.0.1.6";
port = 9001;
scrapeConfigs = [
{
job_name = "chonk";
static_configs = [
{
targets = ["10.0.1.6:9002"];
}
];
}
{
job_name = "giggles";
static_configs = [
{
targets = ["10.0.1.11:9002"];
}
];
}
{
job_name = "cox";
static_configs = [
{
targets = ["10.0.1.12:9002"];
}
];
}
{
job_name = "companion";
static_configs = [
{
targets = ["10.0.1.13:9002"];
}
];
}
];
};
};
}

16
modules/server/default.nix
View file

@ -1,10 +1,13 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.server; cfg = config.pub-solar.server;
in in {
{
options.pub-solar.server = { options.pub-solar.server = {
enable = mkEnableOption "Enable server options like sshd"; enable = mkEnableOption "Enable server options like sshd";
}; };
@ -18,5 +21,8 @@ in
passwordAuthentication = true; passwordAuthentication = true;
openFirewall = true; openFirewall = true;
}; };
networking.networkmanager.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
}; };
} }

2
modules/sway/default.nix
View file

@ -82,8 +82,8 @@ in {
sway-launcher sway-launcher
record-screen record-screen
import-gtk-settings import-gtk-settings
s
wcwd wcwd
wdisplays
]; ];
programs.waybar.enable = true; programs.waybar.enable = true;

1
users/hensoko/ssh.nix
View file

@ -38,6 +38,7 @@ in {
}; };
"companion" = { "companion" = {
user = "iot"; user = "iot";
hostname = "10.0.1.13";
}; };
"chonk" = { "chonk" = {
hostname = "80.244.242.2"; hostname = "80.244.242.2";