ryzensun: add custom networking, docker-ci-runner
module enabled, secrets updated
This commit is contained in:
parent
a476b72916
commit
c0f610b68c
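--- /dev/null
+++ b/hosts/ryzensun/networking.nix
@@ -0,0 +1,84 @@
+{
+hosts = {
+"10.0.0.42" = ["nomad.service.consul" "nomad.service.cgn-1.consul"];
+"10.0.0.66" = ["consul.service.cgn-1.consul"];
+"10.0.1.9" = ["consul.service.lev-1.consul"];
+"10.0.0.70" = ["vault.service.consul" "vault.service.cgn-1.consul"];
+"10.0.0.200" = ["headnode.cgn-1"];
+"10.0.0.201" = ["cn01.cgn-1"];
+"10.0.0.202" = ["cn02.cgn-1"];
+"10.0.0.205" = ["cn05.cgn-1"];
+"10.0.0.206" = ["cn06.cgn-1"];
+"10.0.0.207" = ["cn07.cgn-1"];
+"10.0.0.208" = ["cn08.cgn-1"];
+"10.0.1.200" = ["headnode.lev-1"];
+"10.0.1.201" = ["cn01.lev-1"];
+"10.0.1.202" = ["cn02.lev-1"];
+"10.0.1.203" = ["cn03.lev-1"];
+"10.0.1.204" = ["cn04.lev-1"];
+"10.0.1.205" = ["cn05.lev-1"];
+"10.0.1.206" = ["cn00.lev-1"];
+"10.0.1.207" = ["cn06.lev-1"];
+"10.0.1.208" = ["cn07.lev-1"];
+};
+
+wireguard.enable = true;
+wg-quick.interfaces = {
+wg0 = {
+address = ["10.8.8.7/32"];
+privateKeyFile = "/etc/wireguard/wg0.privatekey";
+
+peers = [
+{
+publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
+allowedIPs = ["10.8.8.16/32" "10.0.0.0/24" "10.88.88.0/24"];
+endpoint = "85.88.23.16:51820";
+persistentKeepalive = 25;
+}
+];
+};
+wg1 = {
+address = ["10.11.11.6/32"];
+privateKeyFile = "/etc/wireguard/wg1.privatekey";
+mtu = 1300;
+
+peers = [
+{
+publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
+presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
+allowedIPs = ["10.11.11.0/24" "192.168.1.0/24" "10.0.1.0/24"];
+endpoint = "80.71.153.1:51820";
+#persistentKeepalive = 16;
+}
+];
+};
+#wg1 = {
+# address = [ "10.13.0.1/32" ];
+# privateKeyFile = "/etc/wireguard/wg1.privatekey";
+# mtu = 1412;
+
+# peers = [
+# {
+# publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
+# allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
+# endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
+# persistentKeepalive = 25;
+# }
+# ];
+#};
+#wg2 = {
+# address = [ "10.6.6.4/32" ];
+# privateKeyFile = "/etc/wireguard/wg2.privatekey";
+
+# peers = [
+# {
+# publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
+# presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
+# allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
+# endpoint = "85.88.23.127:51820";
+# persistentKeepalive = 16;
+# }
+# ];
+#};
+};
+}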
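Review bot: The WireGuard private keys and the wg1 preshared key are read from bare paths under `/etc/wireguard/` (`privateKeyFile`, `presharedKeyFile`) that nothing in this commit provisions, while the same commit manages the runner secrets through `age.secrets`; those key files must already exist out of band as root-only files, and a reader of this file cannot tell that. Consider routing them through `age.secrets` like `docker-ci-runner-secrets` so ownership and mode are declared in the repo, or at least add `# wg0/wg1 key files are provisioned manually; must be root:root 0600` above `wg-quick.interfaces`. The commented-out second `wg1` block carries a different peer key and endpoint under the same interface name and would collide with the live `wg1` if anyone re-enabled it; since the file is new in this commit, drop it and the `wg2` block rather than shipping dead config, or give it a distinct name.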
@ -19,13 +19,28 @@ in {
|
||||||
mode = "700";
|
mode = "700";
|
||||||
owner = "teutat3s";
|
owner = "teutat3s";
|
||||||
};
|
};
|
||||||
|
age.secrets.docker-ci-runner-secrets = {
|
||||||
|
file = "${self}/secrets/docker-ci-runner-secrets.age";
|
||||||
|
mode = "700";
|
||||||
|
owner = "999";
|
||||||
|
};
|
||||||
|
|
||||||
pub-solar.nextcloud.enable = mkForce false;
|
pub-solar.nextcloud.enable = mkForce false;
|
||||||
pub-solar.docker.enable = true;
|
pub-solar.docker.enable = true;
|
||||||
pub-solar.virtualisation.enable = true;
|
pub-solar.virtualisation.enable = true;
|
||||||
|
pub-solar.docker-ci-runner = {
|
||||||
|
enable = true;
|
||||||
|
runnerEnvironment = {
|
||||||
|
DRONE_RUNNER_CAPACITY = "1";
|
||||||
|
DRONE_RUNNER_LABELS = "hosttype:baremetal";
|
||||||
|
};
|
||||||
|
runnerVarsFile = config.age.secrets.docker-ci-runner-secrets.path;
|
||||||
|
};
|
||||||
|
|
||||||
pub-solar.audio.mopidy.enable = mkForce false;
|
pub-solar.audio.mopidy.enable = mkForce false;
|
||||||
|
|
||||||
|
networking = import ./networking.nix;
|
||||||
|
|
||||||
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
||||||
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
|
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
|
||||||
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
|
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
|
||||||
|
|
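Review bot: `age.secrets.docker-ci-runner-secrets` is chowned to the bare uid `"999"` with `mode = "700"`; nothing in the hunk ties that uid to a declared user, so whichever account happens to hold uid 999 on the host (presumably the user inside the runner container — confirm) can read the decrypted runner vars, and the execute bit serves no purpose on an environment file. Prefer `mode = "400";` (or `"600"`, matching a read-only env file) and a comment above the block such as `# owner 999 = uid of the user inside the docker-ci-runner image; keep in sync with the image` so the coupling is explicit and a future dynamically allocated system user cannot silently inherit the file. `runnerVarsFile` correctly takes the decrypted path from `config.age.secrets...path`, so the only change needed is the mode and the documented owner. The enclosing module body starts and ends outside the hunk.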
BIN
secrets/docker-ci-runner-secrets.age
Normal file
BIN
secrets/docker-ci-runner-secrets.age
Normal file
Binary file not shown.
Binary file not shown.
@ -12,5 +12,6 @@ let
|
||||||
in {
|
in {
|
||||||
"example-secret.age".publicKeys = allKeys;
|
"example-secret.age".publicKeys = allKeys;
|
||||||
"environment-secrets.age".publicKeys = allKeys;
|
"environment-secrets.age".publicKeys = allKeys;
|
||||||
|
"docker-ci-runner-secrets.age".publicKeys = allKeys;
|
||||||
"test-secret.age".publicKeys = [users.teutat3s-5-nfc];
|
"test-secret.age".publicKeys = [users.teutat3s-5-nfc];
|
||||||
}
|
}
|
||||||
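Review bot: `"docker-ci-runner-secrets.age".publicKeys = allKeys;` encrypts the CI runner's credentials to every key in `allKeys` (presumably all user and host keys — the `let` binding is above the hunk), although only the ryzensun host consumes them; any other host's age key can then decrypt a secret it never needs. The file already shows a narrower pattern two lines below (`"test-secret.age".publicKeys = [users.teutat3s-5-nfc];`), so scoping this entry to the admin key plus the ryzensun host key, using whatever name the `let` block binds for that host, keeps a compromise of another host's key from exposing the runner secret. If `allKeys` is intentional, a one-line comment stating why the runner secret must be readable by all hosts would spare the next reader the question.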