reset later

Hendrik Sokolowski 2023-03-07 16:48:46 +01:00
parent 4a6a9f11e4
commit 645e223aab
26 changed files with 313 additions and 394 deletions


@ -10,11 +10,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1677247280, "lastModified": 1677453742,
"narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=", "narHash": "sha256-/DNOThcCGz21Met/aMhm7NGqughtpxQzrlAqTuq+YZQ=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1", "rev": "4828951d9d05accd244bf8c24706f046b485aceb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -221,11 +221,11 @@
"utils": "utils_2" "utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1676257154, "lastModified": 1677757546,
"narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=", "narHash": "sha256-tA1ukoluctzLVyWRaKtD4KlTwgXbUsGB5vcyni1OJ9I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527", "rev": "86bb69b0b1e10d99a30c4352f230f03106dd0f8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -237,11 +237,11 @@
}, },
"latest": { "latest": {
"locked": { "locked": {
"lastModified": 1677063315, "lastModified": 1677587185,
"narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", "narHash": "sha256-zYT66MAYwctAQqI5VBw3LbBXiSKdB8vuMAqCGG8onbE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "988cc958c57ce4350ec248d2d53087777f9e1949", "rev": "68196a61c26748d3e53a6803de3d2f8c69f27831",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -258,11 +258,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1676707513, "lastModified": 1677620425,
"narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=", "narHash": "sha256-ThhVPUEfXtnS6kziQMY2GwcUZard1E16+5TA/UKJBf4=",
"owner": "musnix", "owner": "musnix",
"repo": "musnix", "repo": "musnix",
"rev": "2289b7c353e56ee18270fb6b43965036942b2d0f", "rev": "eedb1d32ad356877b0888fb8e3ffb32e71f874de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -288,11 +288,11 @@
}, },
"nixos": { "nixos": {
"locked": { "locked": {
"lastModified": 1677075010, "lastModified": 1677624842,
"narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=", "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c95bf18beba4290af25c60cbaaceea1110d0f727", "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -323,11 +323,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1677232326, "lastModified": 1677591639,
"narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=", "narHash": "sha256-DMlAyge+u3K+JOFLA5YfdjqagdAYJf29YGBWpy5izg4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2", "rev": "77de4cd09db4dbee9551ed2853cfcf113d7dc5ce",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -11,6 +11,4 @@ in {
imports = [ imports = [
./configuration.nix ./configuration.nix
]; ];
networking.networkmanager.enable = lib.mkForce false;
} }


@ -20,6 +20,9 @@
./invoiceplane.nix ./invoiceplane.nix
#./tang.nix #./tang.nix
#./whiteboard.nix #./whiteboard.nix
./libvirt-container.nix
./monitoring.nix
]; ];
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false;
@ -32,10 +35,9 @@
networking.nat.internalIPs = ["10.10.42.0/24"]; networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1"; networking.nat.externalInterface = "eno1";
networking.firewall.enable = lib.mkForce true;
networking.firewall.allowedTCPPorts = [80 443 2222]; networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899]; networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05"; # Did you read the comment?
} }


@ -88,7 +88,9 @@
nameservers = ["95.129.51.51" "80.244.244.244"]; nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces."bond0" = { bridges."br0".interfaces = ["bond0"];
interfaces."br0" = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "80.244.242.2"; address = "80.244.242.2";
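Review bot: The public address `80.244.242.2` moves from `bond0` onto the new bridge `br0`, but nothing in this hunk adjusts the NAT side; if this is the same host whose other file in this commit keeps `networking.nat.externalInterface = "eno1";`, confirm that `eno1` is still the interface carrying the WAN address rather than a bond member, otherwise masquerading for `10.10.42.0/24` will silently go out the wrong interface. Anything later enslaved to `br0` (guest VMs, presumably the reason for the bridge) sits on the public L2 segment with no filtering from the host, so that placement should be deliberate and noted with a comment such as `# br0 carries the WAN address; members of this bridge are directly reachable from the Internet`. The enclosing interfaces block starts and ends outside the hunk.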


@ -51,10 +51,6 @@ in {
enable = true; enable = true;
stateDir = containerStateDir; stateDir = containerStateDir;
extraConfig = ''
ENABLE_DEBUG=true
'';
database = { database = {
user = "invoiceplane"; user = "invoiceplane";
name = "invoiceplane"; name = "invoiceplane";


@ -0,0 +1,63 @@
{
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [4222];
containers."libvirt-container" = {
autoStart = true;
bindMounts."/dev/kvm" = {
hostPath = "/dev/kvm";
isReadOnly = false;
};
allowedDevices = [
{
node = "/dev/kvm";
modifier = "rw";
}
{
node = "/dev/net/tun";
modifier = "rw";
}
{
node = "/dev/vnet*";
modifier = "rw";
}
];
forwardPorts = [
{
hostPort = 4222;
}
];
enableTun = true;
#extraFlags = [ "-U" ];
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
virtualisation.libvirtd.enable = true;
security.polkit.enable = true;
services.openssh = {
enable = true;
ports = [4222];
};
users.users.root = {
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
};
system.stateVersion = "22.11";
};
};
}
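Review bot: Root SSH into the container is reachable from every host interface: `networking.firewall.allowedTCPPorts = [4222];` at the top opens the port host-wide, and since the container sets no `privateNetwork` it shares the host's network namespace, so the sshd bound to 4222 is listening on the host's addresses directly and the `forwardPorts` entry presumably has nothing to forward (systemd-nspawn port forwarding needs a private network — worth confirming). I would scope the opening to the VPN interface, e.g. `networking.firewall.interfaces."<WG_IFACE>".allowedTCPPorts = [4222];`, and make the key-only policy explicit inside the container with `permitRootLogin = "prohibit-password";` (or `settings.PermitRootLogin` on a newer nixpkgs) instead of relying on the default. The `allowedDevices` entry `node = "/dev/vnet*";` is a glob where the other entries are concrete nodes; confirm that the device allow list accepts patterns, otherwise the tap devices will be denied at runtime.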


@ -0,0 +1,27 @@
{
config,
lib,
self,
...
}: {
pub-solar.monitoring-server.enable = true;
# wireguard exporter
networking.firewall.allowedTCPPorts = [9585];
services.prometheus = {
exporters.wireguard = {
enable = true;
withRemoteIp = true;
};
scrapeConfigs = [
{
job_name = "chonk-wireguard";
static_configs = [
{
targets = ["10.0.1.6:9586"];
}
];
}
];
};
}
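Review bot: The firewall port and the scrape target disagree: `networking.firewall.allowedTCPPorts = [9585];` opens 9585, while `targets = ["10.0.1.6:9586"];` scrapes 9586 and the exporter's own `port` is not set in this file, so one of the two numbers is wrong. Rather than opening the port on all interfaces, pin the exporter to the VPN address and let the module open only what it listens on: `listenAddress = "10.0.1.6"; openFirewall = true;` inside `exporters.wireguard`, and drop the manual `allowedTCPPorts` line. `withRemoteIp = true` also publishes every peer's endpoint address in the metrics, which is fine on the VPN-only listener but is another reason not to expose this port host-wide.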


@ -24,8 +24,6 @@
privateKeyFile = "/run/agenix/home_controller_wireguard"; privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [ peers = [
# For a client configuration, one peer entry for the server will suffice.
{ {
# giggles # giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
@ -50,7 +48,14 @@
# Send keepalives every 25 seconds. Important to keep NAT tables alive. # Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25; persistentKeepalive = 25;
} }
{
# norman
publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
allowedIPs = ["10.0.1.121/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{ {
# hsha # hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc="; publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";


@ -1,18 +1,18 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in in {
{
imports = [ imports = [
./configuration.nix ./configuration.nix
]; ];
config = { config = {
nixpkgs.crossSystem.system = "aarch64-linux"; nixpkgs.crossSystem.system = "aarch64-linux";
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
}; };
} }


@ -1,55 +1,16 @@
{ self, config, pkgs, ... }:
{ {
self,
config,
pkgs,
...
}: {
config = { config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.13"; ownIp = "10.0.1.13";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }
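Review bot: `wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";` re-types by hand the path that agenix already derives from the `age.secrets.home_controller_wireguard` declaration one line above; if the secret is ever renamed or agenix's mount point changes, the string goes stale without an evaluation error. Since `config` is already in this file's argument set, `wireguardPrivateKeyFile = config.age.secrets.home_controller_wireguard.path;` keeps the two in lockstep. The same duplication appears in the cox (`ownIp = "10.0.1.12"`) and giggles (`ownIp = "10.0.1.11"`) host sections of this commit.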


@ -5,54 +5,13 @@
... ...
}: { }: {
config = { config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.12"; ownIp = "10.0.1.12";
k3s = { wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = ["10.0.1.11/32"];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }


@ -9,47 +9,9 @@
pub-solar.home-controller = { pub-solar.home-controller = {
enable = true; enable = true;
role = "server";
ownIp = "10.0.1.11"; ownIp = "10.0.1.11";
k3s = { wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = ["10.0.1.12/32"];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
}; };
}; };
} }


@ -1,18 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43' set $left 'Dell Inc. DELL S3222DGM G1FFT63'
set $middle 'Eizo Nanao Corporation EV2316W 39117013' set $right 'Dell Inc. DELL S2721DS D0SVQ43'
set $right 'Chimei Innolux Corporation 0x14D4' set $bottom 'Chimei Innolux Corporation 0x14D4'
output $left { output $left {
scale 1 scale 1
pos 0 0 pos 0 690
}
output $middle {
scale 1
pos 2560 770
} }
output $right { output $right {
scale 1 scale 1
pos 1000 1440 pos 2560 0
transform 90
}
output $bottom {
scale 1
pos 0 2130
} }


@ -11,7 +11,7 @@
nix.buildMachines = [ nix.buildMachines = [
{ {
hostName = "builder"; hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux"]; systems = ["x86_64-linux" "aarch64-linux" "i686-linux"];
maxJobs = 20; maxJobs = 20;
speedFactor = 2; speedFactor = 2;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
@ -21,7 +21,6 @@
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.settings = { nix.settings = {
substituters = ["ssh-ng://builder"];
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="]; trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };


@ -15,7 +15,7 @@
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = []; boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
boot.loader.grub.trustedBoot = { boot.loader.grub.trustedBoot = {
enable = true; enable = true;
systemHasTPM = "YES_TPM_is_activated"; systemHasTPM = "YES_TPM_is_activated";


@ -59,7 +59,7 @@
wg1 = { wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface. # Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ ips = [
"10.7.0.21" "10.0.1.121"
]; ];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers) listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
@ -77,13 +77,12 @@
# Public key of the server (not a file path). # Public key of the server (not a file path).
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
# Forward all the traffic via VPN.
allowedIPs = [ allowedIPs = [
"10.7.0.0/24" "10.0.1.0/24"
]; ];
# Set this to the server IP and port. # Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 endpoint = "vpn.gssws.de:51899";
# Send keepalives every 25 seconds. Important to keep NAT tables alive. # Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25; persistentKeepalive = 25;
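Review bot: Switching the peer to a DNS name, `endpoint = "vpn.gssws.de:51899";`, means the address is resolved once when the interface comes up; if the name later points elsewhere the tunnel keeps sending to the stale address until the interface is restarted, which on a laptop with `persistentKeepalive` can look like a silently dead VPN. The NixOS WireGuard module can re-resolve for you, e.g. `dynamicEndpointRefreshSeconds = 60;` next to the endpoint. The removed comment "Forward all the traffic via VPN." no longer applied once `allowedIPs` became `10.0.1.0/24`, so dropping it is correct; a short replacement such as `# Only the home-controller subnet is routed through the tunnel.` would make the intent explicit. The enclosing `wg1` peer block starts outside this hunk.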


@ -110,16 +110,7 @@ in {
gnome.nautilus gnome.nautilus
gnome.yelp gnome.yelp
hicolor-icon-theme hicolor-icon-theme
wine
toggle-kbd-layout toggle-kbd-layout
wcwd
vlc
gimp
]; ];
xdg.configFile."alacritty/alacritty.yml" = { xdg.configFile."alacritty/alacritty.yml" = {


@ -1,27 +1,21 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller; cfg = config.pub-solar.home-controller;
in in {
{
imports = [ imports = [
#./k3s.nix
./wireguard.nix ./wireguard.nix
./monitoring-client.nix
]; ];
options.pub-solar.home-controller = { options.pub-solar.home-controller = {
enable = mkEnableOption "Control your home"; enable = mkEnableOption "Control your home";
role = mkOption {
description = ''
Whether the node should run as a server or agent.
Note that the server, by default, also runs as an agent.
'';
default = "server";
type = types.enum [ "server" "agent" ];
};
ownIp = mkOption { ownIp = mkOption {
description = '' description = ''
Internal ip in wireguard used for cluster control-plane communication. Internal ip in wireguard used for cluster control-plane communication.
@ -29,103 +23,11 @@ in
type = types.str; type = types.str;
}; };
k3s = { wireguardPrivateKeyFile = mkOption {
enableLocalStorage = mkOption { description = ''
description = '' Location of private key file
Enable local storage provisioner.
'';
default = false;
type = types.bool;
};
defaultLocalStoragePath = mkOption {
description = ''
Default path to use for local storage provisioner.
'';
default = "/var/lib/rancher/k3s/storage";
type = types.path;
};
flannelBackend = mkOption {
description = ''
Flannel backend to use.
'';
default = "wireguard-native";
type = types.str;
};
serverAddr = mkOption {
description = ''
Set server address of master
'';
default = "";
type = types.str;
example = "https://api.kube:6443";
};
tokenFile = mkOption {
description = ''
Location of token file used to join cluster.
'';
default = "";
type = types.str;
};
enableZfs = mkOption {
description = ''
Enable when k3s should use a ZFS compatible runtime.
'';
default = false;
type = types.bool;
};
zfsPool = mkOption {
description = ''
The ZFS pool to use and create a containerd volume in.
'';
default = "zroot";
type = types.str;
};
};
wireguard = {
privateKeyFile = mkOption {
description = ''
Location of private key file
'';
type = types.path;
};
listenPort = mkOption {
description = ''
Port for wireguard.
'';
default = 51899;
type = types.int;
};
peers = mkOption {
description = ''
Wireguard peers.
'';
type = types.listOf types.attrs;
};
};
};
config = mkIf cfg.enable {
boot.kernelModules = [ "rbd" ];
networking.extraHosts =
''
192.168.42.231 ringo.local
192.168.42.232 giggles.local
192.168.42.234 cox.local
192.168.42.236 companion.local
10.0.1.11 api.kube giggles.kube
10.0.1.12 cox.kube
10.0.1.13 companion.kube
10.0.1.21 ringo.kube
''; '';
type = types.path;
};
}; };
} }
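Review bot: The `ownIp` description still reads "Internal ip in wireguard used for cluster control-plane communication." although this commit removes the k3s cluster entirely, so the text now documents something the module no longer does; rewording it to `Address of this host inside the home-controller WireGuard network (also used as the monitoring listen address).` matches what the surviving wireguard.nix and monitoring-client.nix read from it. The new `wireguardPrivateKeyFile` description "Location of private key file" would also benefit from stating that the file is read on the target host at activation time and must therefore already exist there (for agenix, a path under `/run/agenix`). `psCfg` is no longer referenced in this module after the removals, so the binding can go.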


@ -1,77 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in
{
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
kubernetes-helm
];
environment.sessionVariables = lib.mkIf (cfg.role == "server") rec {
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
};
networking.firewall.enable = lib.mkForce false;
services.k3s = {
enable = true;
role = cfg.role;
serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr;
tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile;
extraFlags = concatStringsSep " " (
[
"--node-ip ${cfg.ownIp}"
"--container-runtime-endpoint unix:///run/containerd/containerd.sock"
"${optionalString (cfg.role == "server") "--disable servicelb"}"
"${optionalString (cfg.role == "server") "--disable traefik"}"
"${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}"
"${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}"
"${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}"
"${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}"
"${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}"
]
);
};
systemd.services.containerd = mkIf cfg.k3s.enableZfs {
serviceConfig = {
ExecStartPre = [
"-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd"
];
};
};
systemd.services.k3s = {
after = [ "containerd.service" ];
requisite = [ "containerd.service" ];
};
virtualisation.containerd = {
enable = true;
settings =
let
fullCNIPlugins = pkgs.buildEnv {
name = "full-cni";
paths = with pkgs; [
cni-plugins
cni-plugin-flannel
];
};
in
{
plugins."io.containerd.grpc.v1.cri".cni = {
bin_dir = "${fullCNIPlugins}/bin";
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
};
};
};
};
}


@ -0,0 +1,13 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.pub-solar.home-controller;
in {
pub-solar.monitoring-client = lib.mkIf cfg.enable {
enable = true;
listenAddress = cfg.ownIp;
};
}


@ -1,22 +1,33 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller; cfg = config.pub-solar.home-controller;
in in {
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure"; systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s"; systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ]; networking.firewall.allowedUDPPorts = [51899];
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wghome = { wghome = {
ips = [ cfg.ownIp ]; ips = [cfg.ownIp];
listenPort = cfg.wireguard.listenPort; listenPort = 51899;
privateKeyFile = cfg.wireguard.privateKeyFile; privateKeyFile = cfg.wireguardPrivateKeyFile;
peers = cfg.wireguard.peers; peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.0/24"];
endpoint = "vpn.gssws.de:51899";
persistentKeepalive = 25;
}
];
}; };
}; };
}; };
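Review bot: The port is now a literal in two places that must agree, `networking.firewall.allowedUDPPorts = [51899];` and `listenPort = 51899;`; once the `listenPort` option is gone it is easy to change one and not the other, and the firewall would then either expose an unused port or block the tunnel. Bind it once in the existing `let`, e.g. `wgPort = 51899;`, and use `[wgPort]` and `listenPort = wgPort;` below. `psCfg` is unused in this file. The `config = mkIf cfg.enable {` block ends outside the hunk.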


@ -0,0 +1,29 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-client;
in {
options.pub-solar.monitoring-client = {
enable = mkEnableOption "Install a monitoring client node";
listenAddress = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
openFirewall = true;
listenAddress = cfg.listenAddress;
};
};
};
}
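Review bot: The `listenAddress` option has no `description`, and as a bare `types.str` with no default a host that enables the client without setting it fails at evaluation with an opaque "option used but not defined" error; a description such as `Address the node exporter binds to; should be the host's WireGuard address so metrics are not reachable from other interfaces.` would make the intent clear to the next person. `openFirewall = true;` opens 9002 on every interface, which is only harmless because the exporter is bound to `cfg.listenAddress`; if you want the rule to match the binding, `firewallFilter = "-i <WG_IFACE> -p tcp -m tcp --dport 9002";` keeps the two aligned. `psCfg` is unused here.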


@ -0,0 +1,69 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-server;
in {
options.pub-solar.monitoring-server = {
enable = mkEnableOption "Install a monitoring server node";
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [2342 9001];
pub-solar.monitoring-client = {
enable = true;
listenAddress = "10.0.1.6";
};
services.grafana = {
enable = true;
port = 2342;
addr = "10.0.1.6";
};
services.prometheus = {
enable = true;
listenAddress = "10.0.1.6";
port = 9001;
scrapeConfigs = [
{
job_name = "chonk";
static_configs = [
{
targets = ["10.0.1.6:9002"];
}
];
}
{
job_name = "giggles";
static_configs = [
{
targets = ["10.0.1.11:9002"];
}
];
}
{
job_name = "cox";
static_configs = [
{
targets = ["10.0.1.12:9002"];
}
];
}
{
job_name = "companion";
static_configs = [
{
targets = ["10.0.1.13:9002"];
}
];
}
];
};
};
}
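Review bot: `10.0.1.6` is hard-coded four times (the client `listenAddress`, `services.grafana.addr`, `services.prometheus.listenAddress`, and the `chonk` scrape target), so this module can only ever run on one host and a renumbering has to be done by search-and-replace; the monitoring-client module in the same commit already takes a `listenAddress` option, and giving the server the same option and using it in all four places would keep the two modules symmetric. With the nixpkgs this commit pins, `services.grafana.addr` and `port` are, I believe, renamed options that now map onto `settings.server.http_addr` / `http_port` and will at least warn; the hunk does not show the module version, so confirm and migrate if so. The scrape list also mirrors the host list by hand; a comment `# one job per home-controller host; keep in sync with the hosts that enable pub-solar.monitoring-client` would at least make the coupling visible.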


@ -1,10 +1,13 @@
{ lib, config, pkgs, ... }: {
with lib; lib,
let config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
cfg = config.pub-solar.server; cfg = config.pub-solar.server;
in in {
{
options.pub-solar.server = { options.pub-solar.server = {
enable = mkEnableOption "Enable server options like sshd"; enable = mkEnableOption "Enable server options like sshd";
}; };
@ -18,5 +21,8 @@ in
passwordAuthentication = true; passwordAuthentication = true;
openFirewall = true; openFirewall = true;
}; };
networking.networkmanager.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
}; };
} }


@ -82,8 +82,8 @@ in {
sway-launcher sway-launcher
record-screen record-screen
import-gtk-settings import-gtk-settings
s
wcwd wcwd
wdisplays
]; ];
programs.waybar.enable = true; programs.waybar.enable = true;


@ -38,6 +38,7 @@ in {
}; };
"companion" = { "companion" = {
user = "iot"; user = "iot";
hostname = "10.0.1.13";
}; };
"chonk" = { "chonk" = {
hostname = "80.244.242.2"; hostname = "80.244.242.2";