Flake parts with x64 and ARM support for devshell on both Linux and Mac

2023-07-01 18:30:30 -05:00
parent baf8223799
commit cfe907101d
20 changed files with 137 additions and 96 deletions


@ -0,0 +1,134 @@
{ config, lib, pkgs, ... }:
{
virtualisation.oci-containers = {
containers = {
gitlab = {
image = "gitlab/gitlab-ce:latest";
ports = [ "26616:80" "26617:22" ];
volumes = [
"/home/sezycei/srv/containerdata/gitlab/config:/etc/gitlab"
"/home/sezycei/srv/containerdata/gitlab/log:/var/log/gitlab"
"/home/sezycei/srv/containerdata/gitlab/data:/var/opt/gitlab"
];
environment = {
GITLAB_OMNIBUS_CONFIG = ''
external_url 'https://git.eversole.co'
nginx['listen_port'] = 80
nginx['listen_https'] = false
gitlab_rails['gitlab_shell_ssh_port'] = 26617
'';
};
};
# gitlab-runner = a service definition in this file.
jellyfin = {
image = "linuxserver/jellyfin";
ports = [ "127.0.0.1:8096:8096" "127.0.0.1:8920:8920" ];
volumes = [
"/home/sezycei/srv/containerdata/jellyfin/config:/config"
"/home/torrent/data/completed:/data/unsorted"
"/home/torrent/data/TV:/data/tvshows"
"/home/torrent/data/Movies:/data/movies"
"/home/torrent/data/transcode:/data/transcode"
"/home/torrent/data/Music:/data/music"
];
environment = {
PGID = "1000";
PUID = "1000";
TZ = "America/Chicago";
UMASK_SET = "022";
};
};
murmur = {
image = "goofball222/murmur";
ports = [ "127.0.0.1:64738:64738" "127.0.0.1:64738:64738/udp" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
purr = {
image = "docker.matri.cx/purr";
ports = [ "127.0.0.1:5195:3000" ];
volumes = [
"/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
"/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
];
environment = { };
};
registry = {
image = "registry:2";
ports = [ "127.0.0.1:3001:5000" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
transmission = {
image = "haugene/transmission-openvpn";
ports = [ "127.0.0.1:9091:9091" ];
volumes = [
"/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
"/etc/localtime:/etc/localtime:ro"
"/home/torrent/data:/data"
];
environmentFiles =
[ config.age.secrets.transmission-env.path ];
extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
};
};
};
services.gitlab-runner = {
enable = true;
services = {
nix = with lib; {
registrationConfigFile = toString /run/agenix/gitlab-runner;
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-23.05 nixpkgs
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
# Config
mkdir -p "$HOME/.config/nix"
echo "experimental-features = nix-command flakes" >> "$HOME/.config/nix/nix.conf"
echo "max-jobs = 8" >> "$HOME/.config/nix/nix.conf"
echo "build-cores = 8" >> "$HOME/.config/nix/nix.conf"
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
};
};
};
}
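Review bot: `extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];` on the transmission container grants every capability plus the host's devices, so the NET_ADMIN grant is redundant and a compromise of the torrent daemon (which also holds the `/home/torrent/data` tree and the VPN credentials from `transmission-env`) becomes a host compromise; the openvpn image appears to need only the TUN device, so `extraOptions = [ "--cap-add=NET_ADMIN" "--device=/dev/net/tun" ];` is presumably sufficient — confirm against the image's documentation. The murmur container's volumes are the registry's `data`, `certs` and `auth` directories, which looks like a copy-paste from the `registry` entry below: it hands the registry's htpasswd file and private certificates to an unrelated service and leaves murmur with no persistent state of its own. Bear in mind that the gitlab-runner mounts the host `/nix/var/nix/daemon-socket` into alpine job containers with `USER = "root"` and `NIX_REMOTE = "daemon"`; if uid 0 inside those containers maps to host root, every CI job is a trusted user of the host nix-daemon (able to set substituters or disable sandboxing), so run jobs as an unprivileged uid or review `nix.settings.trusted-users`. Finally, gitlab is the only container published on all interfaces (`"26616:80" "26617:22"` rather than `127.0.0.1:`-prefixed like the others) and `gitlab/gitlab-ce:latest` is unpinned, so its upgrades are not reproducible.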

nix/application/nginx.nix Normal file

@ -0,0 +1,74 @@
{ pkgs, config, ... }: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts =
let
base = locations: {
enableACME = true;
forceSSL = true;
inherit locations;
};
static = { dir }: base {
"/".root = dir;
};
proxied = { target, extra ? "" }: base {
"/" = {
proxyPass = target;
extraConfig = extra;
};
};
proxiedAuth = { target, extra ? "", auth }: base {
"/" = {
proxyPass = target;
basicAuthFile = auth;
extraConfig = extra;
};
};
proxiedLAN = { target }: base {
"/" = {
proxyPass = target;
extraConfig = ''
allow 192.168.0.0/24;
deny all;
'';
};
};
in
{
"cache.matri.cx" = proxiedLAN {
target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
"caitlynncox.com" = static { dir = "/var/www/caitlynncox.com"; };
"dallasmed65.com" = static { dir = "/var/www/dallasmed65.com"; };
"docker.matri.cx" = proxiedAuth {
auth = config.age.secrets.htpasswd-dock.path;
target = "http://127.0.0.1:3001";
};
"eversole.co" = static { dir = "/var/www/jame.su"; };
"git.eversole.co" = proxied { target = "http://127.0.0.1:26616"; };
"graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
"hydra.matri.cx" = proxied {
target = "http://127.0.0.1:3034";
extra = ''
proxy_set_header X-Request-Base "https://hydra.matri.cx";
'';
};
"jame.su" = static { dir = "/var/www/jame.su"; };
"matri.cx" = static { dir = "/var/www/matri.cx"; };
"media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
"sezycei.com" = static { dir = "/var/www/sezycei.com"; };
"snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
"transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
"purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
};
};
}
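Review bot: `recommendedTlsSettings = true;` is missing from the `services.nginx` block, so every vhost created with `forceSSL = true` runs on nginx's compiled-in protocol and cipher defaults (older nginx builds still offer TLS 1.0/1.1) without OCSP stapling or session-ticket hardening; add it next to `recommendedProxySettings = true;`. Combining `recommendedGzipSettings` with TLS also compresses dynamic proxied responses, which is the BREACH precondition, so it deserves a comment if the gitlab or jellyfin upstreams return secrets in response bodies. The `allow 192.168.0.0/24; deny all;` in `proxiedLAN` is evaluated against `$remote_addr`, which is only correct while nothing proxies in front of this nginx; a note such as `# LAN-only: assumes $remote_addr is the real client (no upstream proxy)` would make that assumption explicit.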


@ -0,0 +1,40 @@
{ config, pkgs, ... }: {
services.grafana = {
enable = true;
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
settings = {
analytics.reporting_enabled = false;
server = {
domain = "graf.matri.cx";
http_addr = "127.0.0.1";
http_port = 7000;
protocol = "http";
root_Url = "http://192.168.0.130:7000";
};
smtp = {
enabled = true;
from_address = "graf@matri.cx";
host = "box.eversole.co:465";
user = "graf@matri.cx";
password = "$__file{${config.age.secrets.graf-email.path}}";
};
};
};
}
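Review bot: `root_Url = "http://192.168.0.130:7000";` uses a misspelled key (Grafana reads `root_url`), so it is ignored and the effective root URL falls back to `http://graf.matri.cx:7000/`, while `nix/monitoring/nginx.nix` serves Grafana at `https://graf.matri.cx` with `forceSSL`; login redirects, absolute links and alert URLs will therefore point at the wrong origin. Set `server.root_url = "https://graf.matri.cx/";` and, because the session cookie only ever travels over TLS, add `security.cookie_secure = true;`. The `$__file{...}` reference for `smtp.password` correctly keeps the secret out of the Nix store; the file's permissions, declared in `nix/system/age.nix`, are then the only thing protecting it.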

nix/monitoring/loki.nix Normal file

@ -0,0 +1,76 @@
{ config, pkgs, ... }: {
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 6999;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
schema_config = {
configs = [{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
}
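Review bot: `server.http_listen_port = 6999;` sets no listen address, so Loki binds its HTTP API — and its default gRPC port 9095, which this config never touches — on every interface, and with `auth_enabled = false` anyone who reaches those ports can push or query logs; add `server.http_listen_address = "127.0.0.1";` and `server.grpc_listen_address = "127.0.0.1";`, since promtail and Grafana both connect over loopback. The host firewall in `nix/system/system.nix` presumably blocks these ports from outside, but a loopback bind removes the dependence on that staying true. Separately, `retention_deletes_enabled = false` with `retention_period = "0s"` keeps journal logs indefinitely; a comment stating that unbounded retention is intended would help, as journal data can carry credentials and personal data.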

nix/monitoring/nginx.nix Normal file

@ -0,0 +1,76 @@
{ config, ... }:
let
hostIP = "192.168.0.130";
in
{
services.nginx = {
upstreams = {
"grafana" = {
servers = {
"127.0.0.1:${toString config.services.grafana.settings.server.http_port}" = { };
};
};
"prometheus" = {
servers = {
"127.0.0.1:${toString config.services.prometheus.port}" = { };
};
};
"loki" = {
servers = {
"127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = { };
};
};
"promtail" = {
servers = {
"127.0.0.1:${toString config.services.promtail.configuration.server.http_listen_port}" = { };
};
};
};
virtualHosts."graf.matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/graf.matri.cx";
locations."/" = {
proxyPass = "http://grafana";
proxyWebsockets = true;
};
};
virtualHosts.grafana = {
locations."/" = {
proxyPass = "http://grafana";
proxyWebsockets = true;
};
listen = [{
addr = hostIP;
port = 8010;
}];
};
virtualHosts.prometheus = {
locations."/".proxyPass = "http://prometheus";
listen = [{
addr = hostIP;
port = 8020;
}];
};
virtualHosts.loki = {
locations."/".proxyPass = "http://loki";
listen = [{
addr = hostIP;
port = 8030;
}];
};
virtualHosts.promtail = {
locations."/".proxyPass = "http://promtail";
listen = [{
addr = hostIP;
port = 8031;
}];
};
};
}
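Review bot: the `grafana`, `prometheus`, `loki` and `promtail` vhosts listen on `hostIP` over plain HTTP with no `allow`/`deny` list and no authentication, so Prometheus's query API, Loki's push/query API (configured with `auth_enabled = false`) and promtail's API are exposed to anyone who can reach 192.168.0.130 on ports 8010–8031. The firewall in `nix/system/system.nix` only opens 22/80/443, so these listeners may be unreachable today; if that is intentional they are dead config and should be dropped, otherwise give each location the same `extraConfig = ''allow 192.168.0.0/24; deny all;''` used by `proxiedLAN` in `nix/application/nginx.nix`. `hostIP = "192.168.0.130"` also duplicates the address hard-coded in `nix/shell.nix` and `grafana.nix`; one shared binding would keep them from drifting.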


@ -0,0 +1,21 @@
{ config, pkgs, ... }: {
services.prometheus = {
enable = true;
port = 7001;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 7002;
};
};
scrapeConfigs = [
{
job_name = "eve-psr-nix0";
static_configs = [{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
];
};
}
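Review bot: `services.prometheus` and `exporters.node` set only `port`, and both NixOS options default `listenAddress` to `0.0.0.0`, so the Prometheus HTTP API (unauthenticated, arbitrary queries) and the node exporter — whose `systemd` collector reveals unit names — bind every interface. Grafana and the scrape config here both target `127.0.0.1`, so set `listenAddress = "127.0.0.1";` on both the server and the exporter. The firewall presumably blocks these ports anyway, but a loopback bind does not rely on that being preserved.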


@ -0,0 +1,31 @@
{ config, pkgs, ... }: {
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 6998;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "pihole";
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}];
};
};
}
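Review bot: `positions.filename = "/tmp/positions.yaml";` keeps the journal cursor where the NixOS promtail unit appears to run with a private `/tmp`, so the cursor is lost on every restart and up to `max_age = "12h"` of journal is re-ingested as duplicates; `/var/lib/promtail/positions.yaml` is the conventional state path — confirm the module's `StateDirectory`. The static label `host = "pihole"` contradicts `networking.hostName = "eve-psr-nix0"` in `nix/system/system.nix` and will misattribute every log line in Loki queries and alert rules; use `host = config.networking.hostName;` instead. As with Loki, `server.http_listen_port = 6998` has no address and binds all interfaces; add `http_listen_address = "127.0.0.1";`.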

nix/shell.nix Normal file

@ -0,0 +1,22 @@
{ agenix, inputs', pkgs, ... }: rec {
dev = pkgs.mkShell {
buildInputs = [
inputs'.agenix.packages.default
(pkgs.nixos { }).nixos-rebuild
pkgs.terraform
packages.deploy
packages.format
];
shellHook = ''
'';
};
packages = {
deploy = pkgs.writeShellScriptBin "deploy" ''
nixos-rebuild switch --target-host root@192.168.0.130 --build-host root@192.168.0.130 --flake .#eve-psr-nix0 ;
'';
format = pkgs.writeShellScriptBin "format" ''
find . -type f -name "*.nix" -exec sh -c 'echo "Formatting: $1"; nix fmt $1' _ {} \;
'';
};
}
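Review bot: `nix fmt $1` in the `format` script leaves `$1` unquoted, so a path containing whitespace or a glob character is word-split before it reaches `nix fmt`; the `echo` on the same line already quotes it, so the fix is `nix fmt "$1"`. The `deploy` script hard-codes `root@192.168.0.130` twice and the same address appears in `nix/monitoring/nginx.nix` and `grafana.nix`; a comment such as `# eve-psr-nix0, see nix/system/system.nix` would at least tie them together. Because `--build-host` equals `--target-host`, the target evaluates and builds its own system, so anyone who can run `deploy` needs root SSH to the machine — worth stating in that comment too.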

nix/system/age.nix Normal file

@ -0,0 +1,19 @@
{ ... }: {
age = {
secrets = {
cache-key.file = ../../secrets/cache-key.age;
gitlab-runner.file = ../../secrets/gitlab-runner.age;
graf-email = {
file = ../../secrets/graf-email.age;
mode = "770";
owner = "grafana";
group = "grafana";
};
htpasswd-dock.file = ../../secrets/htpasswd-dock.age;
keys.file = ../../secrets/keys.age;
sezycei.file = ../../secrets/sezycei.age;
transmission-env.file = ../../secrets/transmission-env.age;
};
identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}
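Review bot: `mode = "770";` on `graf-email` makes the decrypted SMTP password group-writable and executable; Grafana only reads it via `$__file{}`, so `mode = "0400";` with the existing `owner = "grafana"` is the least privilege that still works. The remaining secrets keep agenix's default of root-owned `0400`, which is appropriate for `cache-key` (the binary-cache signing key) and the runner registration token. A comment on `identityPaths` noting that the SSH host key is the decryption identity — so rotating that key means re-encrypting every `.age` file — would spare the next operator a surprise.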

nix/system/dns.nix Normal file

@ -0,0 +1,50 @@
{ config, ... }: {
services = {
coredns.enable = true;
# https://coredns.io/manual/configuration/
# https://github.com/coredns/coredns.io/blob/master/content/manual/configuration.md
coredns.config = ''
matri.cx {
template IN A {
answer "{{ .Name }} 0 IN A 192.168.0.130"
}
}
mail.matri.cx {
template IN A {
answer "{{ .Name }} 0 IN A 149.28.112.101"
}
}
*.matri.cx {
template IN A {
answer "{{ .Name }} 0 IN A 192.168.0.130"
}
}
eversole.co {
template IN A {
answer "{{ .Name }} 0 IN A 192.168.0.130"
}
}
box.eversole.co {
template IN A {
answer "{{ .Name }} 0 IN A 149.28.112.101"
}
}
*.eversole.co {
template IN A {
answer "{{ .Name }} 0 IN A 192.168.0.130"
}
}
. {
forward . 9.9.9.9 149.112.112.112 84.200.69.80 84.200.70.40
cache
}
'';
};
}
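Review bot: `forward . 9.9.9.9 149.112.112.112 84.200.69.80 84.200.70.40` sends every non-local query upstream in cleartext; Quad9 supports DNS over TLS, which CoreDNS can use directly with `forward . tls://9.9.9.9 tls://149.112.112.112 { tls_servername dns.quad9.net }` — check whether the DNS.WATCH servers offer DoT before converting them, since `tls_servername` is per `forward` block. Note also that `nix/system/system.nix` opens UDP/53 but not TCP/53, so truncated responses cannot be retried over TCP by LAN clients; open TCP 53 or document the omission. The `template IN A` blocks answer only A queries, and whether AAAA/MX/TXT lookups for these zones fall through to the forwarders or fail depends on CoreDNS's template matching rules, so a comment recording the intended behaviour is warranted.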

nix/system/hardware.nix Normal file

@ -0,0 +1,42 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4";
};
"/nix" = {
device = "/dev/disk/by-label/SDA-EXT";
fsType = "ext4";
neededForBoot = true;
options = [ "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}

nix/system/nix-conf.nix Normal file

@ -0,0 +1,23 @@
{ config, ... }: {
services = {
nix-serve = {
enable = true;
secretKeyFile = config.age.secrets.cache-key.path;
};
};
nix = {
buildMachines = [
{
hostName = "localhost";
system = "x86_64-linux";
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
maxJobs = 8;
}
];
distributedBuilds = false;
settings = {
auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
experimental-features = [ "nix-command" "flakes" ];
};
};
}
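Review bot: `services.nix-serve` is enabled without `bindAddress`, and the NixOS default is `0.0.0.0`, so the binary cache is served directly on every interface in addition to the LAN-restricted `cache.matri.cx` vhost in `nix/application/nginx.nix`, bypassing its `allow 192.168.0.0/24` rule for anyone who can reach port 5000. Set `bindAddress = "127.0.0.1";` — the nginx proxy already interpolates this option into its upstream URL, so it keeps working. `buildMachines` is declared while `distributedBuilds = false`, which makes the entry inert; a comment saying why it is kept (or removing it) avoids the impression that remote builds are configured.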

nix/system/security.nix Normal file

@ -0,0 +1,12 @@
{ ... }: {
services.openssh = {
enable = true;
};
security = {
sudo.wheelNeedsPassword = false;
acme = {
acceptTerms = true;
defaults.email = "james@eversole.co";
};
};
}
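Review bot: `sudo.wheelNeedsPassword = false;` together with `services.openssh.enable = true;` at NixOS defaults (password authentication permitted) means the `sezycei` account in `nix/user/users.nix`, which is in `wheel` and has an SSH-reachable password, is one guessed password away from root. The deploy script in `nix/shell.nix` already uses key-based root SSH, so set `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` (the `settings.*` form exists from NixOS 23.05, which the runner channel here targets — confirm for this host) and pin `settings.PermitRootLogin = "prohibit-password";` rather than relying on the default. If passwordless sudo is a deliberate convenience for deployments, a comment stating that trade-off belongs next to it.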

nix/system/system.nix Normal file

@ -0,0 +1,30 @@
{ pkgs, ... }: {
boot = {
kernel.sysctl."net.ipv4.ip_forward" = true;
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
environment.systemPackages = with pkgs; [ git pciutils vim wget ];
networking = {
hostName = "eve-psr-nix0";
firewall = {
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ 22 80 443 53 ];
};
};
programs.ssh.knownHosts = {
selbeiskami = {
hostNames = [ "192.168.0.57" ];
publicKey = "192.168.0.57 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiTyWzAu7V2Jkk4rqEjBLu+lAhhkLTO8W/PGb8HkeqQ";
};
matricx = {
hostNames = [ "192.168.0.130" "matri.cx" ];
publicKey = "matri.cx ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp";
};
};
time.timeZone = "America/Chicago";
}
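Review bot: the `programs.ssh.knownHosts.*.publicKey` values begin with a hostname (`"192.168.0.57 ssh-ed25519 …"`, `"matri.cx ssh-ed25519 …"`), but that option expects only the key type and key — NixOS prepends the `hostNames` itself — so the generated known_hosts line reads `192.168.0.57 192.168.0.57 ssh-ed25519 …` and ssh will likely skip it as malformed, silently leaving host-key pinning ineffective; drop the leading hostname so each value is `"ssh-ed25519 AAAA…"`. The firewall also opens UDP 22, 80 and 443, which no configured service uses, while TCP 53 for the CoreDNS resolver in `nix/system/dns.nix` is missing; `allowedUDPPorts = [ 53 ];` plus adding 53 to `allowedTCPPorts` matches what is actually served. `net.ipv4.ip_forward = true` is presumably required for the podman container networking; a one-line comment saying so would stop it being removed as a stray sysctl.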


@ -0,0 +1 @@
{ ... }: { virtualisation = { oci-containers = { backend = "podman"; }; }; }

nix/user/users.nix Normal file

@ -0,0 +1,11 @@
{ config, pkgs, ... }: {
users.users = {
sezycei = {
isNormalUser = true;
passwordFile = config.age.secrets.sezycei.path;
extraGroups = [ "wheel" ];
packages = with pkgs; [ byobu tmux stack ];
};
torrent = { isNormalUser = true; };
};
}