Refactor and modularize

This commit is contained in:
James Eversole 2023-06-26 16:19:14 -05:00
parent 00bc694fcb
commit c8366db03f
13 changed files with 207 additions and 318 deletions


@ -1,94 +0,0 @@
{
containers = {
bind = {
image = "sameersbn/bind:latest";
ports =
[ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
};
jellyfin = {
image = "linuxserver/jellyfin";
ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
volumes = [
"/home/sezycei/srv/containerdata/jellyfin/config:/config"
"/home/torrent/data/completed:/data/unsorted"
"/home/torrent/data/TV:/data/tvshows"
"/home/torrent/data/Movies:/data/movies"
"/home/torrent/data/transcode:/data/transcode"
"/home/torrent/data/Music:/data/music"
];
environment = {
PGID = "1000";
PUID = "1000";
TZ = "America/Chicago";
UMASK_SET = "022";
};
};
legit = {
image = "docker.matri.cx/legit";
ports = [ "0.0.0.0:5121:8080" ];
volumes = [
"/home/sezycei/srv/containerdata/legit/static:/static"
"/home/sezycei/srv/containerdata/legit/templates:/templates"
"/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
"/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
];
environment = { };
};
murmur = {
image = "goofball222/murmur";
ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
nginx = {
image = "nginx:alpine";
ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
volumes = [
"/home/sezycei/srv/web/www:/var/www/"
"/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
"/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
"/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
"/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
"/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
"/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
];
environment = { };
};
purr = {
image = "docker.matri.cx/purr";
ports = [ "0.0.0.0:5195:3000" ];
volumes = [
"/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
"/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
];
environment = { };
};
registry = {
image = "registry:2";
ports = [ "0.0.0.0:3001:5000" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
transmission = {
image = "haugene/transmission-openvpn";
ports = [ "0.0.0.0:9091:9091" ];
volumes = [
"/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
"/etc/localtime:/etc/localtime:ro"
"/home/torrent/data:/data"
];
environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
};
};
}

flake.lock generated

@ -22,91 +22,6 @@
"type": "github" "type": "github"
} }
}, },
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1686620679,
"narHash": "sha256-Ck/r3f+W9mOn3cHn5ii/fogBiJtosFnDaOQveaJ0zVU=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "4fedffe6a1020edfcfa7bef18d21321d4983b3a7",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "attic",
"type": "github"
}
},
"crane": {
"inputs": {
"flake-compat": [
"attic",
"flake-compat"
],
"flake-utils": [
"attic",
"flake-utils"
],
"nixpkgs": [
"attic",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1677892403,
"narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=",
"owner": "ipetkov",
"repo": "crane",
"rev": "105e27adb70a9890986b6d543a67761cbc1964a2",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -143,55 +58,11 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1685004253,
"narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"attic": "attic",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"attic",
"crane",
"flake-utils"
],
"nixpkgs": [
"attic",
"crane",
"nixpkgs"
]
},
"locked": {
"lastModified": 1675391458,
"narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@ -1,31 +1,20 @@
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-23.05";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.darwin.follows = ""; inputs.darwin.follows = "";
}; };
nixpkgs.url = "nixpkgs/nixos-23.05";
}; };
outputs = { self, nixpkgs, agenix, ... }@attrs: outputs = { self, nixpkgs, agenix, ... }@attrs:
let let
containerDef = import ./containers.nix;
serviceContainers = containerDef.containers;
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
shell = import ./shell.nix { inherit agenix pkgs; };
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
devShell.x86_64-linux = pkgs.mkShell { devShell.x86_64-linux = shell.dev;
buildInputs = [
agenix.packages.x86_64-linux.default
(pkgs.nixos { }).nixos-rebuild
pkgs.terraform
];
shellHook = ''
alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
'';
};
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
@ -38,88 +27,24 @@
imports = [ imports = [
agenix.nixosModules.default agenix.nixosModules.default
./hardware-configuration.nix
./system/containers.nix
./system/hardware-configuration.nix
./system/nix-configuration.nix
./system/security.nix
./system/services.nix
./system/system.nix
./system/virtualisation.nix
./user/users.nix
]; ];
nix = {
buildMachines = [ ];
distributedBuilds = false;
settings = {
auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
experimental-features = [ "nix-command" "flakes" ];
};
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
time.timeZone = "America/Chicago";
networking = {
hostName = "eve-psr-nix0";
firewall = {
allowedTCPPorts = [ 22 80 443 3034 ];
allowedUDPPorts = [ 22 80 443 ];
};
};
environment.systemPackages = with pkgs; [ git pciutils vim wget ];
services = {
openssh = {
enable = true;
};
hydra = {
enable = true;
hydraURL = "https://hydra.matri.cx";
listenHost = "192.168.0.130";
port = 3034;
extraConfig = ''
using_frontend_proxy = 1
base_uri = "https://hydra.matri.cx"
'';
useSubstitutes = true;
notificationSender = "hydra@matri.cx";
buildMachinesFiles = [ ];
};
};
virtualisation = {
oci-containers = {
backend = "podman";
containers = serviceContainers;
};
};
security.sudo.wheelNeedsPassword = false;
users = {
users = {
sezycei = {
isNormalUser = true;
passwordFile = self.nixosConfigurations.eve-psr-nix0.config.age.secrets.sezycei.path;
extraGroups = [ "wheel" ];
packages = with pkgs; [
byobu
tmux
stack
];
};
torrent = {
isNormalUser = true;
};
};
};
age = { age = {
secrets = { secrets = {
keys.file = ./secrets/keys.age; keys.file = ./secrets/keys.age;
sezycei.file = ./secrets/sezycei.age; sezycei.file = ./secrets/sezycei.age;
}; };
identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };
system.stateVersion = "22.11"; system.stateVersion = "22.11";


@ -4,15 +4,9 @@ let
all = [ james eve-psr-nix0 ]; all = [ james eve-psr-nix0 ];
in in
{ {
"secrets/attic_token.age" = {
publicKeys = all;
};
"secrets/keys.age" = { "secrets/keys.age" = {
publicKeys = all; publicKeys = all;
}; };
"secrets/minio_root.age" = {
publicKeys = all;
};
"secrets/sezycei.age" = { "secrets/sezycei.age" = {
publicKeys = all; publicKeys = all;
}; };

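--- a/shell.nix
+++ b/shell.nix
@@ -0,0 +1,12 @@
+{ agenix, pkgs, ... }: {
+dev = pkgs.mkShell {
+buildInputs = [
+agenix.packages.x86_64-linux.default
+(pkgs.nixos { }).nixos-rebuild
+pkgs.terraform
+];
+shellHook = ''
+alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
+'';
+};
+}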

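--- a/system/containers.nix
+++ b/system/containers.nix
@@ -0,0 +1,96 @@
+{
+virtualisation.oci-containers = {
+containers = {
+bind = {
+image = "sameersbn/bind:latest";
+ports =
+[ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
+volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
+environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
+};
+jellyfin = {
+image = "linuxserver/jellyfin";
+ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
+volumes = [
+"/home/sezycei/srv/containerdata/jellyfin/config:/config"
+"/home/torrent/data/completed:/data/unsorted"
+"/home/torrent/data/TV:/data/tvshows"
+"/home/torrent/data/Movies:/data/movies"
+"/home/torrent/data/transcode:/data/transcode"
+"/home/torrent/data/Music:/data/music"
+];
+environment = {
+PGID = "1000";
+PUID = "1000";
+TZ = "America/Chicago";
+UMASK_SET = "022";
+};
+};
+legit = {
+image = "docker.matri.cx/legit";
+ports = [ "0.0.0.0:5121:8080" ];
+volumes = [
+"/home/sezycei/srv/containerdata/legit/static:/static"
+"/home/sezycei/srv/containerdata/legit/templates:/templates"
+"/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
+"/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
+];
+environment = { };
+};
+murmur = {
+image = "goofball222/murmur";
+ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
+volumes = [
+"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+];
+environment = { };
+};
+nginx = {
+image = "nginx:alpine";
+ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
+volumes = [
+"/home/sezycei/srv/web/www:/var/www/"
+"/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
+"/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
+"/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
+"/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
+"/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
+"/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
+];
+environment = { };
+};
+purr = {
+image = "docker.matri.cx/purr";
+ports = [ "0.0.0.0:5195:3000" ];
+volumes = [
+"/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
+"/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
+];
+environment = { };
+};
+registry = {
+image = "registry:2";
+ports = [ "0.0.0.0:3001:5000" ];
+volumes = [
+"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+];
+environment = { };
+};
+transmission = {
+image = "haugene/transmission-openvpn";
+ports = [ "0.0.0.0:9091:9091" ];
+volumes = [
+"/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
+"/etc/localtime:/etc/localtime:ro"
+"/home/torrent/data:/data"
+];
+environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
+extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
+};
+};
+};
+}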
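Review bot: The `murmur` container's three volume lines are a verbatim copy of the `registry` block (`/home/sezycei/srv/containerdata/registry/registry/{data,certs,auth}`), so the Mumble server is handed read/write access to the registry's image store, the TLS material under `/certs` and the `/auth` htpasswd, none of which it needs; give it its own directory, e.g. `"/home/sezycei/srv/containerdata/murmur/data:/data"` (the in-container path depends on what the goofball222/murmur image expects), or drop the list until it has state to persist. Separately, `transmission` runs with `--privileged`, which already grants every capability and makes `--cap-add=NET_ADMIN` redundant; if the OpenVPN tunnel is the only reason, `--cap-add=NET_ADMIN` plus `--device=/dev/net/tun` is usually sufficient and keeps host devices and sysfs out of the container — worth testing before switching. Every published port is bound to `0.0.0.0`, including port 10000 of the BIND image (`5053:10000`, which in that image is an admin web UI as far as I know), the transmission RPC on `9091` and the registry on `3001`; published container ports are normally handled by podman's own NAT rules rather than the host INPUT chain, so the `allowedTCPPorts` list in system/system.nix likely does not gate them, and anything meant to sit behind nginx should bind to `127.0.0.1:` instead. Finally, all images are pulled by mutable tag (`:latest`, `:alpine`, `:2`, or none), so a digest pin (`image@sha256:...`) would make the deployment reproducible and harder to tamper with upstream.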


@ -0,0 +1,11 @@
{ ... }:
{
nix = {
buildMachines = [ ];
distributedBuilds = false;
settings = {
auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
experimental-features = [ "nix-command" "flakes" ];
};
};
}

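--- a/system/security.nix
+++ b/system/security.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+security.sudo.wheelNeedsPassword = false;
+}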
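Review bot: `security.sudo.wheelNeedsPassword = false` makes membership in `wheel` — which user/users.nix grants to `sezycei` — equivalent to unauthenticated root, so any process or SSH session running as that user reaches root with a bare `sudo` and no second factor of any kind. Unless the host is only ever administered through the `root@matri.cx` deploy path, the default (`true`) is the safer setting; if passwordless sudo is genuinely wanted, this line should carry the reason, e.g. `# intentional: single-admin host; revisit if more users are added to wheel`. The file is named security.nix but currently weakens the default rather than hardening anything, which a reader will not expect without that comment.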

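--- a/system/services.nix
+++ b/system/services.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+services = {
+openssh = {
+enable = true;
+};
+hydra = {
+enable = true;
+hydraURL = "https://hydra.matri.cx";
+listenHost = "192.168.0.130";
+port = 3034;
+extraConfig = ''
+using_frontend_proxy = 1
+base_uri = "https://hydra.matri.cx"
+'';
+useSubstitutes = true;
+notificationSender = "hydra@matri.cx";
+buildMachinesFiles = [ ];
+};
+};
+}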
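Review bot: `openssh.enable = true` is taken with stock settings, and on NixOS 23.05 that, as far as I recall, leaves password and keyboard-interactive authentication switched on; since `sezycei` has a password (user/users.nix) and passwordless sudo (system/security.nix), a guessed password on port 22 is a root shell. The deploy alias already relies on key-based `root@matri.cx` access, so `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` inside the `openssh` block would close that path without breaking deploys. On the Hydra side, `using_frontend_proxy = 1` makes Hydra trust the forwarded headers it receives, so port 3034 — which system/system.nix opens in the host firewall — should only be reachable from the nginx proxy; `listenHost = "192.168.0.130"` narrows it to that interface but not to nginx, and a comment such as `# trusts X-Forwarded-* headers; only nginx should be able to reach this port` would record the assumption.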

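--- a/system/system.nix
+++ b/system/system.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+boot = {
+loader.systemd-boot.enable = true;
+loader.efi.canTouchEfiVariables = true;
+};
+environment.systemPackages = with pkgs; [ git pciutils vim wget ];
+networking = {
+hostName = "eve-psr-nix0";
+firewall = {
+allowedTCPPorts = [ 22 80 443 3034 ];
+allowedUDPPorts = [ 22 80 443 ];
+};
+};
+time.timeZone = "America/Chicago";
+}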
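Review bot: `allowedUDPPorts = [ 22 80 443 ]` opens UDP on ports where nothing in this configuration listens — SSH is TCP-only, the nginx container publishes 80 and 443 over TCP, and nothing here enables HTTP/3 — so the list should probably be `[ ]` (or `[ 443 ]` only once QUIC is actually served). Conversely, system/containers.nix publishes 53/tcp+udp, 64738/tcp+udp and several other TCP ports on `0.0.0.0` that do not appear in either list; either podman's NAT rules bypass this firewall, in which case these lists give a false picture of what is reachable, or those services are unreachable from outside, and it is worth checking which with a scan from another host. Whichever it is, the answer belongs next to these lines, e.g. `# container ports are published by podman and are NOT gated by this list; see system/containers.nix`.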


@ -0,0 +1,8 @@
{ ... }:
{
virtualisation = {
oci-containers = {
backend = "podman";
};
};
}

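--- a/user/users.nix
+++ b/user/users.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+{
+users.users = {
+sezycei = {
+isNormalUser = true;
+passwordFile = config.age.secrets.sezycei.path;
+extraGroups = [ "wheel" ];
+packages = with pkgs; [
+byobu
+tmux
+stack
+];
+};
+torrent = {
+isNormalUser = true;
+};
+};
+}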
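Review bot: `passwordFile` on NixOS expects a pre-hashed password in the `chpasswd -e` format, not a plaintext one, and nothing here tells the next editor that the `sezycei` age secret must contain a hash; a comment on that line, `# secret must hold a crypt(3) hash (e.g. mkpasswd -m sha-512), never the plaintext password`, avoids either locking the account or storing plaintext in the secret. The `torrent` user is created with no password and no keys, so it appears unable to log in and exists only to own the media tree that system/containers.nix mounts — if that is the intent, `# no login; owns /home/torrent/data used by the transmission and jellyfin containers` would state it. The `config.age.secrets.sezycei.path` reference also depends on `age.secrets.sezycei` being declared in flake.nix, which a reader of this file alone cannot see; a short note, `# declared in flake.nix under age.secrets`, would help.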