commit 7e9358efa507789ac51ecdf3811e016468ada7a2
parent 6cb5dda6af94bc9d8bb77143bbe9fbb4fab814aa
Author: Vincent Demeester <vincent@sbr.pm>
Date: Fri, 5 Jun 2020 11:02:31 +0200
systems: migrate kerkouane 👼
- Fix wireguard.server profiles
- add govanityurl to services/default.nix
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
5 files changed, 144 insertions(+), 5 deletions(-)
diff --git a/hosts.nix b/hosts.nix
@@ -1,6 +1,7 @@
{
hokkaido = { arch = "x86_64-linux"; type = "unstable"; };
wakasu = { arch = "x86_64-linux"; type = "unstable"; };
+ kerkouane = { arch = "x86_64-linux"; };
okinawa = { arch = "x86_64-linux"; };
sakhalin = { arch = "x86_64-linux"; };
# mypi = { arch = "aarch64-linux" };
diff --git a/modules/profiles/wireguard.server.nixos.nix b/modules/profiles/wireguard.server.nixos.nix
@@ -3,6 +3,12 @@
with lib;
let
cfg = config.profiles.wireguard.server;
+
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+ listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ peers = lists.optionals secretCondition (import secretPath).wg.peers;
in
{
options = {
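Review bot: When `../secrets/machines.nix` is absent, `listenPort` falls back to `0` while `allowedIPs` and `peers` fall back to empty lists, so the profile evaluates to a `wg0` with no addresses, no peers and a kernel-chosen port instead of failing loudly; if the secrets are a hard requirement for `profiles.wireguard.server`, an `assert secretCondition;` (or an `assertions` entry with a message) would make that explicit and the fallbacks could go. The secrets file is also imported three times; since `import` is lazy and every use is guarded by `secretCondition`, a single `secrets = import secretPath;` binding read as `secrets.wireguard.kerkouane.allowedIPs`, `secrets.wg.listenPort` and `secrets.wg.peers` keeps the three lookups consistent. The `let` block continues into the next hunk's `config` body, which starts outside this hunk.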
@@ -23,12 +29,12 @@ in
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.wireguard.interfaces = with import ../../assets/machines.nix; {
+ networking.wireguard.interfaces = {
"wg0" = {
- ips = wireguard.kerkouane.allowedIPs;
- listenPort = wg.listenPort;
+ ips = allowedIPs;
+ listenPort = listenPort;
privateKeyFile = "/etc/nixos/wireguard.private.key";
- peers = wg.peers;
+ peers = peers;
};
};
};
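Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ]` stays hard-coded while `listenPort` is now read from the secrets file (with a `0` fallback), so a secrets-defined port other than 51820 is left blocked and the fallback opens nothing useful; tying the two together, `networking.firewall.allowedUDPPorts = [ listenPort ];` with the let-bound fallback changed from `0` to `51820`, keeps the opened UDP port equal to the one wg0 listens on. The name `allowedIPs` is assigned to `ips`, the interface's own addresses, not a peer allow-list; a comment such as `# interface addresses, not a peer allow-list` next to `ips = allowedIPs;` would prevent the obvious misreading. The enclosing `config` attribute set begins outside this hunk.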
diff --git a/modules/services/default.nix b/modules/services/default.nix
@@ -1,6 +1,7 @@
{
imports = [
- ./wireguard.client.nixos.nix
+ ./govanityurl.nixos.nix
./nix-binary-cache.nixos.nix
+ ./wireguard.client.nixos.nix
];
}
diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix
@@ -0,0 +1,130 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "kerkouane";
+
+ networkingConfigPath = ../networking.nix;
+ hasNetworkingConfig = (builtins.pathExists networkingConfigPath);
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+
+ sources = import ../nix/sources.nix;
+in
+{
+ imports = [
+ (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix")
+ #(pkgs + "/nixos/modules/profiles/qemu-guest.nix")
+ #<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ]
+ # digitalocean specifics
+ ++ optionals hasNetworkingConfig [ networkingConfigPath ];
+
+ boot.loader.grub.device = "/dev/vda";
+ fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+ swapDevices = [{ device = "/swapfile"; size = 1024; }];
+
+ core.nix = {
+ # FIXME move this away
+ localCaches = [ ];
+ buildCores = 1;
+ };
+
+ profiles = {
+ git.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+
+ # FIXME remove the need for it
+ users.enable = false;
+
+ wireguard.server.enable = true;
+ };
+
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "vincent@sbr.pm";
+ };
+ #acme.certs = {
+ # "sbr.pm".email = "vincent@sbr.pm";
+ #};
+ };
+ security.pam.enableSSHAgentAuth = true;
+ services = {
+ govanityurl = {
+ enable = true;
+ user = "nginx";
+ host = "go.sbr.pm";
+ config = ''
+ paths:
+ /ape:
+ repo: https://git.sr.ht/~vdemeester/ape
+ /nr:
+ repo: https://gitlab.com/vdemeester/nr
+ /ram:
+ repo: https://git.sr.ht/~vdemeester/ram
+ /sec:
+ repo: https://gitlab.com/vdemeester/sec
+ '';
+ };
+ nginx = {
+ enable = true;
+ virtualHosts."dl.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/dl.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."paste.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/paste.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."go.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
+ };
+ virtualHosts."sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."sbr.systems" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/sbr.systems";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."vincent.demeester.fr" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/vincent.demeester.fr";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ };
+ openssh.ports = [ sshPort ];
+ openssh.permitRootLogin = "without-password";
+ syncthing.guiAddress = "127.0.0.1:8384";
+ };
+}
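Review bot: `openssh.permitRootLogin = "without-password"` at the end of the `services` block keeps root reachable over SSH by key even though a separate admin user is imported from `../users`; unless root login is needed for deployment, `openssh.permitRootLogin = "no";` is the safer setting, and if it is needed, `"prohibit-password"` is the current spelling of the same key-only policy. `security.pam.enableSSHAgentAuth = true` then lets sudo accept any key presented by a forwarded agent, so a comment recording which client hosts are expected to forward an agent here would help later review. The `govanityurl` service runs as `user = "nginx"`, sharing an identity with the web server that proxies to it; a dedicated service user would keep a compromise of one from reading the other's files, and the nginx `root` directories under `/home/vincent/desktop/sites` presumably rely on that home directory being traversable by the nginx user, which is worth a note.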
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -10,6 +10,7 @@ let
(name: value: value.key)
(attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
);
+
hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
in