move hosts into a submodule

This commit is contained in:
CherryKitten 2024-09-17 12:27:25 +02:00
parent 1557612209
commit b1c275ad64
Signed by: sammy
GPG key ID: 98D8F75FB0658276
12 changed files with 4 additions and 508 deletions

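--- a/.gitmodules
+++ b/.gitmodules
@@ -5,3 +5,6 @@
 [submodule "secrets"]
 path = secrets
 url = git@git.cherrykitten.dev:sammy/secret-store
+[submodule "hosts"]
+path = hosts
+url = git@git.cherrykitten.dev:sammy/nix-hosts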
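Review bot: The new `hosts` entry is fetched over SSH and pinned by commit only, so a consumer without a key for git.cherrykitten.dev — and, if this repository is used as a flake, any evaluation that does not fetch with `submodules=1` — ends up with an empty `hosts/` directory rather than a clear error; that requirement is worth stating next to the entry, e.g. `# hosts/ and secrets/ need SSH access to git.cherrykitten.dev; flake consumers must fetch with submodules=1`. The moved host files use relative imports such as `../../profiles/desktop` and `../../profiles/hcloud`, which presumably only resolve while the submodule sits at this exact path and depth, so `path = hosts` should not be changed without updating those imports. The removed files carried disk UUIDs, public and internal addresses, MAC-based udev rules and the osquery fleet enrollment endpoints; confirm that the nix-hosts repository is not more widely readable than this one.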

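--- /dev/null
+++ b/hosts
@@ -0,0 +1 @@
+Subproject commit f75c0b5d2238ad0d2c792328f8bae07a6157170e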


@ -1,16 +0,0 @@
{ ... }: {
imports = [
./hardware-configuration.nix
../../profiles/desktop
];
boot.loader.systemd-boot.enable = true;
networking.networkmanager.enable = true;
services.printing.enable = true;
hardware.pulseaudio.enable = true;
system.stateVersion = "23.11"; # Did you read the comment?
}


@ -1,34 +0,0 @@
{ config, lib, modulesPath, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/7a713df7-7027-4ae6-b1a3-839dda62dcbc";
fsType = "btrfs";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/fbd8d597-8cdb-4c6b-9fa0-b05f4cbfce86";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B4A7-702B";
fsType = "vfat";
};
swapDevices = [{ device = "/dev/disk/by-uuid/8cca600e-735e-4486-92e3-01ff6c0b7599"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,85 +0,0 @@
{ pkgs, ... }: {
imports = [
../../profiles/desktop
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.wireless.iwd.enable = true;
# Enable CUPS to print documents.
services.printing.enable = true;
users.users.sammy.packages = with pkgs; [
picard
];
home-manager.users.sammy.programs.ssh.includes = [
"./famedly-config"
];
home-manager.users.sammy.programs.git.includes = [
{
path = "~/famedly/.gitconfig";
condition = "gitdir:~/famedly/";
}
];
fileSystems."/mnt/Media" = {
device = "192.168.0.3:/mnt/user/Media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" "noatime" ]; # disconnects after 10 minutes (i.e. 600 seconds)
};
system.stateVersion = "23.11"; # Did you read the comment?
# Famedly compliance foo - stolen from evelyn :3
systemd.user.services.usbguard-notifier.enable = true;
services.clamav = {
daemon = {
enable = true;
};
updater = {
enable = true;
frequency = 24;
interval = "hourly";
};
};
deployment.keys."osquery-secret.txt" = {
keyCommand = [ "pass" "work/osquery-secret" ];
destDir = "/etc/osquery/";
uploadAt = "pre-activation";
};
services.osquery = {
enable = true;
flags = {
tls_hostname = "fleet.famedly.de";
host_identifier = "instance";
enroll_secret_path = "/etc/osquery/osquery-secret.txt";
enroll_tls_endpoint = "/api/osquery/enroll";
config_plugin = "tls";
config_tls_endpoint = "/api/v1/osquery/config";
config_refresh = "10";
disable_distributed = "false";
distributed_plugin = "tls";
distributed_interval = "10";
distributed_tls_max_attempts = "3";
distributed_tls_read_endpoint = "/api/v1/osquery/distributed/read";
distributed_tls_write_endpoint = "/api/v1/osquery/distributed/write";
logger_plugin = "tls";
logger_tls_endpoint = "/api/v1/osquery/log";
logger_tls_period = "10";
disable_carver = "false";
carver_start_endpoint = "/api/v1/osquery/carve/begin";
carver_continue_endpoint = "/api/v1/osquery/carve/block";
carver_block_size = "2000000";
tls_server_certs = "/etc/ssl/certs/ca-certificates.crt";
};
};
}


@ -1,76 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
fsType = "btrfs";
options = [ "subvol=root" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/73e8faf4-a250-4edb-9583-a16dcfff621b";
boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/4bd4ac67-74a8-4a67-b5eb-e8ebf814d5d7";
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/persist" =
{
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/var/log" =
{
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
fsType = "btrfs";
options = [ "subvol=log" ];
neededForBoot = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6891-5A39";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/65f4c4dd-57e7-4709-a017-2277874d3917"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
# networking.interfaces.wwp0s20f0u2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,61 +0,0 @@
{ lib, config, ... }: {
imports = [
./gotosocial.nix
../../profiles/hcloud
./website.nix
];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
fileSystems."/mnt/gts" = { device = "/dev/sdb1"; fsType = "ext4"; };
services.restic.backups.default.paths = ["/mnt/gts"];
cherrykitten.backups.enable = true;
cherrykitten.network = {
public_IPv4 = "128.140.109.125";
public_IPv6 = "2a01:4f8:c2c:bd32::1";
internal_IPv4 = "10.69.0.5";
internal_IPv6 = "fe80::8400:ff:fe8e:470d";
};
cherrykitten.prometheus.client.enable = true;
networking = {
nameservers = [
"8.8.8.8"
];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{ address = config.cherrykitten.network.public_IPv4; prefixLength = 32; }
];
ipv6.addresses = [
{ address = config.cherrykitten.network.public_IPv6; prefixLength = 64; }
];
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
};
eth1 = {
ipv4.addresses = [
{ address = config.cherrykitten.network.internal_IPv4; prefixLength = 32; }
];
ipv6.addresses = [
{ address = config.cherrykitten.network.internal_IPv6; prefixLength = 64; }
];
ipv4.routes = [
{ address = "10.69.0.1"; prefixLength = 32; }
{ address = "10.69.0.0"; prefixLength = 24; via = "10.69.0.1"; }
];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="96:00:03:24:67:7a", NAME="eth0"
ATTR{address}=="86:00:00:8e:47:0d", NAME="eth1"
'';
system.stateVersion = "23.11";
}


@ -1,57 +0,0 @@
{ ... }:
let
bind-address = "127.0.0.1";
host = "cherrykitten.gay";
port = 8553;
in
{
services.gotosocial = {
enable = true;
setupPostgresqlDB = true;
settings = {
inherit bind-address host port;
application-name = "CherryKitten";
landing-page-user = "sammy";
instance-expose-suspended = true;
instance-expose-suspended-web = true;
accounts-registration-open = false;
media-image-max-size = 41943040;
media-video-max-size = 83886080;
media-description-max-chars = 3000;
media-remote-cache-days = 14;
media-emoji-local-max-size = 204800;
media-emoji-remote-max-size = 204800;
statuses-max-chars = 69420;
statuses-cw-max-chars = 200;
statuses-poll-max-options = 10;
statuses-poll-option-max-chars = 150;
statuses-media-max-files = 16;
storage-backend = "local";
storage-local-base-path = "/mnt/gts";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
clientMaxBodySize = "80M";
virtualHosts = {
"${host}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://${bind-address}:${toString port}";
};
};
};
};
};
}


@ -1,17 +0,0 @@
{ inputs, ... }: {
services.nginx = {
enable = true;
virtualHosts = {
"cherrykitten.dev" = {
extraConfig = "error_page 404 /404.html;";
addSSL = true;
enableACME = true;
locations = {
"/" = {
root = "${inputs.cherrykitten-website.packages.x86_64-linux.website}/var/www/cherrykitten.dev";
};
};
};
};
};
}


@ -1,65 +0,0 @@
{ lib, config, ... }: {
imports = [ ../../profiles/hcloud ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
cherrykitten.backups.enable = true;
cherrykitten.prometheus = {
server.enable = true;
client.enable = true;
};
cherrykitten.grafana = {
enable = true;
hostname = "graph.cherrykitten.dev";
};
cherrykitten.network = {
public_IPv4 = "116.203.116.228";
public_IPv6 = "2a01:4f8:1c1b:5db9::1";
internal_IPv4 = "10.69.0.2";
internal_IPv6 = "fe80::8400:ff:fe8e:e0a0";
};
networking = {
nameservers = [
"2a01:4ff:ff00::add:2"
"2a01:4ff:ff00::add:1"
"185.12.64.2"
];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{ address = config.cherrykitten.network.public_IPv4; prefixLength = 32; }
];
ipv6.addresses = [
{ address = config.cherrykitten.network.public_IPv6; prefixLength = 64; }
];
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
};
ens10 = {
ipv4.addresses = [
{ address = config.cherrykitten.network.internal_IPv4; prefixLength = 32; }
];
ipv6.addresses = [
{ address = config.cherrykitten.network.internal_IPv6; prefixLength = 64; }
];
ipv4.routes = [
{ address = "10.69.0.1"; prefixLength = 32; }
{ address = "10.69.0.0"; prefixLength = 24; via = "10.69.0.1"; }
];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="96:00:03:60:ec:55", NAME="eth0"
ATTR{address}=="86:00:00:8e:e0:a0", NAME="ens10"
'';
system.stateVersion = "23.11";
}


@ -1,52 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ pkgs, pkgs-unstable, lib, inputs, ... }: {
imports = [
../../profiles/desktop
./hardware-configuration.nix
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
];
services.hardware.bolt.enable = true;
cherrykitten.impermanence.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.wireless.iwd.enable = true;
fileSystems."/mnt/Media" = {
device = "192.168.0.3:/mnt/user/Media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" "noatime" ]; # disconnects after 10 minutes (i.e. 600 seconds)
};
# Enable CUPS to print documents.
services.printing.enable = true;
services.fwupd.enable = true;
services.xserver.xkb.layout = lib.mkForce "us";
users.users.sammy.packages = with pkgs; [
picard
discord
inkscape
pkgs-unstable.osu-lazer-bin
];
programs.steam = {
enable = true;
};
hardware.steam-hardware.enable = true;
services.usbmuxd.enable = true;
environment.systemPackages = with pkgs; [
libimobiledevice
ifuse # optional, to mount using 'ifuse'
];
system.stateVersion = "24.05"; # Did you read the comment?
}


@ -1,45 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=50%" "mode=755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7BD4-96D5";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/b1377283-89a6-434b-8315-60314dcd56ab";
fsType = "btrfs";
neededForBoot = true;
};
boot.initrd.luks.devices."nix".device = "/dev/disk/by-uuid/51f9bf11-5b38-4753-b927-2ff3e01dd5e0";
boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/2c2f9f9d-0eca-4375-b284-108564c48af8";
swapDevices =
[{ device = "/dev/mapper/swap"; }];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}