From c0f610b68c824c70a7f4c7ebae8569dbed9711d4 Mon Sep 17 00:00:00 2001
From: teutat3s <10206665+teutat3s@users.noreply.github.com>
Date: Sat, 25 Feb 2023 13:52:07 +0100
Subject: [PATCH] ryzensun: add custom networking, docker-ci-runner module enabled, secrets updated
---
 hosts/ryzensun/networking.nix | 84 +++++++++++++++++++++++++++
 hosts/ryzensun/ryzensun.nix | 15 +++++
 secrets/docker-ci-runner-secrets.age | Bin 0 -> 783 bytes
 secrets/environment-secrets.age | Bin 781 -> 875 bytes
 secrets/secrets.nix | 1 +
 5 files changed, 100 insertions(+)
 create mode 100644 hosts/ryzensun/networking.nix
 create mode 100644 secrets/docker-ci-runner-secrets.age
diff --git a/hosts/ryzensun/networking.nix b/hosts/ryzensun/networking.nix
new file mode 100644
index 00000000..3e7ea31b
--- /dev/null
+++ b/hosts/ryzensun/networking.nix
@@ -0,0 +1,84 @@
+{
+ hosts = {
+ "10.0.0.42" = ["nomad.service.consul" "nomad.service.cgn-1.consul"];
+ "10.0.0.66" = ["consul.service.cgn-1.consul"];
+ "10.0.1.9" = ["consul.service.lev-1.consul"];
+ "10.0.0.70" = ["vault.service.consul" "vault.service.cgn-1.consul"];
+ "10.0.0.200" = ["headnode.cgn-1"];
+ "10.0.0.201" = ["cn01.cgn-1"];
+ "10.0.0.202" = ["cn02.cgn-1"];
+ "10.0.0.205" = ["cn05.cgn-1"];
+ "10.0.0.206" = ["cn06.cgn-1"];
+ "10.0.0.207" = ["cn07.cgn-1"];
+ "10.0.0.208" = ["cn08.cgn-1"];
+ "10.0.1.200" = ["headnode.lev-1"];
+ "10.0.1.201" = ["cn01.lev-1"];
+ "10.0.1.202" = ["cn02.lev-1"];
+ "10.0.1.203" = ["cn03.lev-1"];
+ "10.0.1.204" = ["cn04.lev-1"];
+ "10.0.1.205" = ["cn05.lev-1"];
+ "10.0.1.206" = ["cn00.lev-1"];
+ "10.0.1.207" = ["cn06.lev-1"];
+ "10.0.1.208" = ["cn07.lev-1"];
+ };
+
+ wireguard.enable = true;
+ wg-quick.interfaces = {
+ wg0 = {
+ address = ["10.8.8.7/32"];
+ privateKeyFile = "/etc/wireguard/wg0.privatekey";
+
+ peers = [
+ {
+ publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
+ allowedIPs = ["10.8.8.16/32" "10.0.0.0/24" "10.88.88.0/24"];
+ endpoint = "85.88.23.16:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ wg1 = {
+ address = ["10.11.11.6/32"];
+ privateKeyFile = "/etc/wireguard/wg1.privatekey";
+ mtu = 1300;
+
+ peers = [
+ {
+ publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
+ presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
+ allowedIPs = ["10.11.11.0/24" "192.168.1.0/24" "10.0.1.0/24"];
+ endpoint = "80.71.153.1:51820";
+ #persistentKeepalive = 16;
+ }
+ ];
+ };
+ #wg1 = {
+ # address = [ "10.13.0.1/32" ];
+ # privateKeyFile = "/etc/wireguard/wg1.privatekey";
+ # mtu = 1412;
+
+ # peers = [
+ # {
+ # publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
+ # allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
+ # endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
+ # persistentKeepalive = 25;
+ # }
+ # ];
+ #};
+ #wg2 = {
+ # address = [ "10.6.6.4/32" ];
+ # privateKeyFile = "/etc/wireguard/wg2.privatekey";
+
+ # peers = [
+ # {
+ # publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
+ # presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
+ # allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
+ # endpoint = "85.88.23.127:51820";
+ # persistentKeepalive = 16;
+ # }
+ # ];
+ #};
+ };
+}
diff --git a/hosts/ryzensun/ryzensun.nix b/hosts/ryzensun/ryzensun.nix
index 41cadbb1..610f9e77 100644
--- a/hosts/ryzensun/ryzensun.nix
+++ b/hosts/ryzensun/ryzensun.nix
@@ -19,13 +19,28 @@ in {
 mode = "700";
 owner = "teutat3s";
 };
+ age.secrets.docker-ci-runner-secrets = {
+ file = "${self}/secrets/docker-ci-runner-secrets.age";
+ mode = "700";
+ owner = "999";
+ };
 pub-solar.nextcloud.enable = mkForce false;
 pub-solar.docker.enable = true;
 pub-solar.virtualisation.enable = true;
+ pub-solar.docker-ci-runner = {
+ enable = true;
+ runnerEnvironment = {
+ DRONE_RUNNER_CAPACITY = "1";
+ DRONE_RUNNER_LABELS = "hosttype:baremetal";
+ };
+ runnerVarsFile = config.age.secrets.docker-ci-runner-secrets.path;
+ };
 pub-solar.audio.mopidy.enable = mkForce false;
+
+ networking = import ./networking.nix;
 home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
 "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
 "sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
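Review bot: The WireGuard private keys for wg0 and wg1 and the wg1 preshared key are read from fixed paths under `/etc/wireguard/` that nothing in this commit provisions, while the same commit manages the CI runner credentials through agenix; the ownership and mode of those key files are therefore left to whoever copies them onto the host. Because this file is a plain attribute set it cannot reference `config.age.secrets.<name>.path`, so either turn it into a module taking `{config, ...}` or add a header comment such as `# key files under /etc/wireguard are provisioned out of band, root-owned, mode 0600`. The commented-out `#wg1` and `#wg2` blocks keep what look like retired peers' endpoints and public keys in the tree, and the first one reuses the name of the live `wg1` interface; I would drop them and rely on git history. The wg0 peer also has no `presharedKeyFile` while the wg1 peer does, which deserves a one-line comment if it is deliberate.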
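Review bot: The new `age.secrets.docker-ci-runner-secrets` entry is decrypted with `mode = "700"` and `owner = "999"`: the execute bit serves no purpose on a variables file, and a bare numeric uid hands the file to whichever account happens to hold 999 on this host. NixOS allocates dynamic system uids from the top of the system range, so (worth confirming on ryzensun) an unrelated service user could end up owning the runner's credentials. I would use `mode = "400";` and either name a declared user as owner or add a comment such as `# uid 999 = user the runner container reads this file as`. The enclosing attribute set starts above the hunk, and the context lines show the same `700` mode on the neighbouring secret.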
diff --git a/secrets/docker-ci-runner-secrets.age b/secrets/docker-ci-runner-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..c9ee8a87dcc62912950503393ef29249a28434bb GIT binary patch literal 783 zcmZ9{-;2|B008g_3TO3U4^tTv48j;^jZNC7xrnGq+q6yFWNni+jfy61ezi4C@@>CK z>TMh{WiU3jv4=SZJBA3dr^yLE40I=|_=s^Sk3)Q}}Nm)G? zL>+e22t2H2w$(fq^8}dcK+I%^PKHti1G-gPDv)Ud8>oRLhDBUT^FEQwVfpv983~U& zCK3;%0^=Bz((*CQQF5iUOo!dNAn~JynGq~}oXeF<4Xf1}#-c1E42qyRaUcwgA{z%B z9Ox!d4C(^OYZ05W#Et^Jfl+&3W11imX+-B7MR5~0CKX*+7*J&xa!>~eMRps69Fl`T zEYyS{n+&lSYnwwRfrDzjuA6;!h>Hx(N3`sSpv*VoA=QJKG2bS*n)JWs+7NYa!3)%OrP6cW$|#DA>WXLp*k#sV~#uU}nS=aw!n|8r;F*jlHvaQ^4nk8U1hc5M7(WpO+ETi&|3W-fivpZ)9mh5e|$ zfc&|lKi_1$K6^}kbY$h18)tssbN}z_%U|ERH*2pP-Y~cO+}hoBbnU;(x64;SwCl>^ z>7CndK0be8=H)l@-+ug(zW?Et>;BaGV)XDk>BWtwUG3i=4?Ou`Zu9D^PoDm8X!XIf MvnS8|bZzR$8~*$r=>Px# literal 0 HcmV?d00001 
diff --git a/secrets/environment-secrets.age b/secrets/environment-secrets.age index 95a88e1e46838fa5c006c3e5154cea3fdbd3ad6c..13999bb33f8abd34003c70e381758c87b02f2675 100644 GIT binary patch delta 806 zcmWmA>xJ~aGzn~)T=Qy^T;7)+ z%FQ_(90;ePi0BmNvF*ktgMAXW4+HV_VS;`bC!Q0091dR-*_gPAzdzyk^3?UIwF4`C zr*H<1Dw}m$ts$)OLn>`V)$XjF5-MNQ9IvOhZO2Y<#|GTi5I2nZinvq}lQc@OY52Y)q;NP@X9ziBmR*6%<8?Qe8s8z%HR7;lcxtLbWuC2_ZllEG$Jn z9S5U92RI^v^-6R3ORY@ z&qw77m%#MdwAcms|Wi%44fi%CwrU*)LnrzcxE0ke3w|TY> zVi;Z>!wg{dDvolVCsshU|{-4xfYtMqDQ?_GM zPt1~42HfSISEcJ_G)`0}<`+b6rIQPJkU2aUbQH0x)<#)}v+Hp^?zTYLOH74W$fKAQ z5#N|^0psa8BCC%(1Fw<*KJK^yZ)GCCBgStR49~IlO{Z+4QCEqk=q@zrdA`3 zNyDH5_-Gsh<#M@Xw~aZWSn1K^+(ZILQ9Qy%OBHD1rgJJOB8q=$P z&+I*S{@@XK``Vl5UH~4sfBN0kUE4qZvHs-Ui(h>Bxm%%*zI|uYIeg~9^B1;0OAj5M zIrPC3(AqCQzTqGBH%|N@(9fOydi(S@Up=%x=^Z~?daBmh^VrOd<$d4j@8DA(KQ3&n z|9;HhI`&iW>hn({$C0;op4!}h^VUoE?wGzp|9a$lZ~LPcZ*AP=Z=Zhe#O2AE?-P0f z`Q&66t>4)-`sc#!Wt4)nE7$Hp58k}Io1pey{p*svZ}*qZ)}F%pc6H5t{e7-}<791< QzWQnNKKy~5zx{jQKO1N+&j0`b delta 712 zcmWmAOKZ~r003YgbB8!~aEKeIbSQIBYtyDl+k?}z=_^YgX`6J7(wR1G`bg6xZPRuz zx`W`bJ|>RgK~Q9y=&*tl1(~R*2XPJuLkEJ7;mHR~WCw8*^(TDa*VePGV+ZRj;uVFo zWWrgkDWhhfyfQ!}TrLA7X>%|fDPb~^U_4gJjyiyn6V2Hq-t0<~m@@)OT$zxtOlkyn%ih7DGYg)(SGUPBfk9xs|;kjeE|om#l!EW3nY zoR%wi#VvWsWWJE_r36n}7K=cQ3RuJ_myxr0fbfND1~n^NiYa{tq{C51FglPZsg#uu zR06pRKRRgzPZ_0>o`$L_Yz(uUiBm~V=(i!(yrUcpk`fBm=(1TBNWf$1tNt#S%-Fvn}<61Lra6r=9eFG|9a%u)78Z+yF z)_A$nI61L#>a7Yro4h@