diff --git a/hosts/ryzensun/networking.nix b/hosts/ryzensun/networking.nix
new file mode 100644
index 00000000..3e7ea31b
--- /dev/null
+++ b/hosts/ryzensun/networking.nix
@@ -0,0 +1,84 @@
+{
+ hosts = {
+ "10.0.0.42" = ["nomad.service.consul" "nomad.service.cgn-1.consul"];
+ "10.0.0.66" = ["consul.service.cgn-1.consul"];
+ "10.0.1.9" = ["consul.service.lev-1.consul"];
+ "10.0.0.70" = ["vault.service.consul" "vault.service.cgn-1.consul"];
+ "10.0.0.200" = ["headnode.cgn-1"];
+ "10.0.0.201" = ["cn01.cgn-1"];
+ "10.0.0.202" = ["cn02.cgn-1"];
+ "10.0.0.205" = ["cn05.cgn-1"];
+ "10.0.0.206" = ["cn06.cgn-1"];
+ "10.0.0.207" = ["cn07.cgn-1"];
+ "10.0.0.208" = ["cn08.cgn-1"];
+ "10.0.1.200" = ["headnode.lev-1"];
+ "10.0.1.201" = ["cn01.lev-1"];
+ "10.0.1.202" = ["cn02.lev-1"];
+ "10.0.1.203" = ["cn03.lev-1"];
+ "10.0.1.204" = ["cn04.lev-1"];
+ "10.0.1.205" = ["cn05.lev-1"];
+ "10.0.1.206" = ["cn00.lev-1"];
+ "10.0.1.207" = ["cn06.lev-1"];
+ "10.0.1.208" = ["cn07.lev-1"];
+ };
+
+ wireguard.enable = true;
+ wg-quick.interfaces = {
+ wg0 = {
+ address = ["10.8.8.7/32"];
+ privateKeyFile = "/etc/wireguard/wg0.privatekey";
+
+ peers = [
+ {
+ publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
+ allowedIPs = ["10.8.8.16/32" "10.0.0.0/24" "10.88.88.0/24"];
+ endpoint = "85.88.23.16:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ wg1 = {
+ address = ["10.11.11.6/32"];
+ privateKeyFile = "/etc/wireguard/wg1.privatekey";
+ mtu = 1300;
+
+ peers = [
+ {
+ publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
+ presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
+ allowedIPs = ["10.11.11.0/24" "192.168.1.0/24" "10.0.1.0/24"];
+ endpoint = "80.71.153.1:51820";
+ #persistentKeepalive = 16;
+ }
+ ];
+ };
+ #wg1 = {
+ # address = [ "10.13.0.1/32" ];
+ # privateKeyFile = "/etc/wireguard/wg1.privatekey";
+ # mtu = 1412;
+
+ # peers = [
+ # {
+ # publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
+ # allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
+ # endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
+ # persistentKeepalive = 25;
+ # }
+ # ];
+ #};
+ #wg2 = {
+ # address = [ "10.6.6.4/32" ];
+ # privateKeyFile 
= "/etc/wireguard/wg2.privatekey";
+
+ # peers = [
+ # {
+ # publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
+ # presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
+ # allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
+ # endpoint = "85.88.23.127:51820";
+ # persistentKeepalive = 16;
+ # }
+ # ];
+ #};
+ };
+}
diff --git a/hosts/ryzensun/ryzensun.nix b/hosts/ryzensun/ryzensun.nix
index 41cadbb1..610f9e77 100644
--- a/hosts/ryzensun/ryzensun.nix
+++ b/hosts/ryzensun/ryzensun.nix
@@ -19,13 +19,28 @@ in {
 mode = "700";
 owner = "teutat3s";
 };
 pub-solar.nextcloud.enable = mkForce false;
 pub-solar.docker.enable = true;
 pub-solar.virtualisation.enable = true;
+ pub-solar.docker-ci-runner = {
+ enable = true;
+ runnerEnvironment = {
+ DRONE_RUNNER_CAPACITY = "1";
+ DRONE_RUNNER_LABELS = "hosttype:baremetal";
+ };
+ runnerVarsFile = config.age.secrets.docker-ci-runner-secrets.path;
+ };
 pub-solar.audio.mopidy.enable = mkForce false;
+ networking = import ./networking.nix;
+
 home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
 "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
 "sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
diff --git a/secrets/docker-ci-runner-secrets.age b/secrets/docker-ci-runner-secrets.age
new file mode 100644
index 00000000..c9ee8a87
Binary files /dev/null and b/secrets/docker-ci-runner-secrets.age differ
diff --git a/secrets/environment-secrets.age b/secrets/environment-secrets.age
index 95a88e1e..13999bb3 100644
Binary files a/secrets/environment-secrets.age and b/secrets/environment-secrets.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e8d826db..2332bb39 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
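Review bot: The commented-out second `#wg1 = { ... }` block near the end of `wg-quick.interfaces` reuses the name of the live `wg1` interface above it, so it can never be re-enabled by uncommenting without a duplicate-attribute error; together with the `#wg2` block it is dead configuration that git history already preserves, and deleting both keeps the file readable. In `hosts`, `"10.0.1.206" = ["cn00.lev-1"]` breaks the otherwise sequential cn01–cn07 ↔ .201–.208 numbering of the lev-1 nodes — possibly intentional, but if so a one-line comment such as `# cn00 deliberately sits at .206 — TODO state why` would stop the next reader from "fixing" it. wg1 also differs from wg0 in having its keepalive commented out (`#persistentKeepalive = 16;`); if that peer sits behind NAT the tunnel will go idle between bursts, so either delete the line or note why keepalive is off for this link. Only key paths (`privateKeyFile`, `presharedKeyFile`) and peer public keys appear in this file, which is the right split — no private material is committed here.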
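Review bot: `mode = "700"` on the new `age.secrets.docker-ci-runner-secrets` entry in hosts/ryzensun/ryzensun.nix sets the execute bit on a regular secret file; `mode = "600";` (or `"400"`) gives the owner exactly what reading a vars file needs and is the least-privilege choice, and the same applies to the pre-existing `mode = "700"` in the context lines above it. `owner = "999"` is a bare numeric uid with nothing recording which account it is — presumably the uid the CI runner container runs as, which should be confirmed and documented inline, e.g. `# uid 999: the user the docker-ci-runner container runs as — TODO confirm`. Since `runnerVarsFile` hands the decrypted path to the runner, it is also worth verifying that the runner actually opens the file as that uid rather than as root, otherwise the owner setting buys nothing. The attribute set this hunk edits is opened above the hunk (`in {`) and closed below it.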
@@ -12,5 +12,6 @@ let
 in {
 "example-secret.age".publicKeys = allKeys;
 "environment-secrets.age".publicKeys = allKeys;
+ "docker-ci-runner-secrets.age".publicKeys = allKeys;
 "test-secret.age".publicKeys = [users.teutat3s-5-nfc];
 }
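Review bot: `"docker-ci-runner-secrets.age".publicKeys = allKeys;` encrypts the CI runner's credentials to every key in `allKeys`, although only the ryzensun host, which wires it up in hosts/ryzensun/ryzensun.nix in this same commit, needs to decrypt it. Narrowing the recipient list to that host's key plus the admin user keys — the per-recipient list form that `"test-secret.age"` on the next line already uses — limits the blast radius if any other host's age key is ever compromised. The file name matches the new binary `secrets/docker-ci-runner-secrets.age` added in this commit, so the entry is otherwise consistent; the point is scope only.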