Compare commits
31 commits
main
...
feat/ovh-c
Author | SHA1 | Date | |
---|---|---|---|
|
36f1a44253 | ||
|
abc5c42aa7 | ||
|
c30a74895d | ||
|
34c106dadc | ||
|
f48456452b | ||
|
1e7b7e168e | ||
|
5e61bcb30f | ||
|
ffc1621a8e | ||
|
1f235f4e91 | ||
|
95ce17fdef | ||
|
8da4050d77 | ||
|
1f9f05fa9a | ||
|
028e4725b9 | ||
|
fecfce7ad9 | ||
|
9338a7d2ef | ||
|
dcef2ee26d | ||
|
000b708e81 | ||
|
4283a215a1 | ||
|
84225a9a71 | ||
|
a9e075ed8c | ||
|
86a896c688 | ||
|
64dcc1d156 | ||
|
5bff8ead3b | ||
|
9600f18ada | ||
|
b8345d5e06 | ||
|
7f5dcd9190 | ||
|
3e3d45f18b | ||
|
fde946b371 | ||
|
fa927492aa | ||
|
12c5ebb13d | ||
|
bc9f3f9951 |
15 changed files with 645 additions and 5 deletions
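--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+creation_rules:
+- path_regex: secrets/OVHConfig.yaml
+key_groups:
+- pgp:
+age:
+- *admin_gaspard
+- *server_ovh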
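Review bot: The creation rule's `path_regex: secrets/OVHConfig.yaml` does not match the secrets file this branch actually adds and loads, `secrets/OVHCloud.yaml` (it is what hosts/OVHCloud/sops.nix sets as `sops.defaultSopsFile`). Decryption still works today because the two age recipients are stored inside the encrypted file itself, but `sops updatekeys` and any re-creation of that file will refuse to run without a matching rule, so key rotation for the server is effectively unmanaged. Change it to `- path_regex: secrets/OVHCloud\.yaml$` and drop the empty `- pgp:` entry unless a PGP recipient is about to be added.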
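--- a/docs/gasdev.md
+++ b/docs/gasdev.md
@@ -0,0 +1,33 @@
+# Gasdev infrastructure
+
+## Initial installation
+
+Cloud providers not always provide a NixOS install option, so I use [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) for remote NixOS installation using SSH
+
+### Kexec installation
+
+As specified in [nixos-images](https://github.com/nix-community/nixos-images#kexec-tarballs):
+
+```sh
+# Run as root
+curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root
+/root/kexec/run
+```
+
+The machine will restart in a new NixOS installation. The existing SSH keys are copied to the new installation's _root_ user.
+
+### NixOS-everywhere
+
+```sh
+nix run github:nix-community/nixos-anywhere -- --flake .#<configuration name> root@<ip address>
+```
+
+## Deploy configuration
+
+In order to deploy new configuration changes after the initial NixOS installation, I use [deploy-rs](https://github.com/serokell/deploy-rs). It requires a properly set-up **ssh-agent** and SSH keys being installed on the **root** user.
+
+Then you can deploy the new configuration:
+
+```sh
+deploy .#<configuration name>
+```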
135
flake.lock
135
flake.lock
|
@ -37,6 +37,48 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"caddy": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727343602,
|
||||||
|
"narHash": "sha256-V1HAB1p11dcUyurJAB60tcgn4Su2gPoPJ6dZqmCDfiE=",
|
||||||
|
"owner": "GaspardCulis",
|
||||||
|
"repo": "nixos-caddy-ovh",
|
||||||
|
"rev": "df515b6bfd497de2d150867c4c13aab1e3d011ce",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "GaspardCulis",
|
||||||
|
"repo": "nixos-caddy-ovh",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"deploy-rs": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"utils": "utils"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1718194053,
|
||||||
|
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
|
||||||
|
"owner": "serokell",
|
||||||
|
"repo": "deploy-rs",
|
||||||
|
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "serokell",
|
||||||
|
"repo": "deploy-rs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"disko": {
|
"disko": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -77,6 +119,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-compat": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"home-manager": {
|
"home-manager": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -155,7 +213,7 @@
|
||||||
"hyprutils": "hyprutils",
|
"hyprutils": "hyprutils",
|
||||||
"hyprwayland-scanner": "hyprwayland-scanner",
|
"hyprwayland-scanner": "hyprwayland-scanner",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"systems": "systems",
|
"systems": "systems_2",
|
||||||
"xdph": "xdph"
|
"xdph": "xdph"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -306,6 +364,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-stable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725762081,
|
||||||
|
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-24.05",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726243404,
|
"lastModified": 1726243404,
|
||||||
|
@ -324,6 +398,8 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"caddy": "caddy",
|
||||||
|
"deploy-rs": "deploy-rs",
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"end-rs": "end-rs",
|
"end-rs": "end-rs",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
|
@ -332,10 +408,47 @@
|
||||||
"hy3",
|
"hy3",
|
||||||
"hyprland"
|
"hyprland"
|
||||||
],
|
],
|
||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2",
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1726524647,
|
||||||
|
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1689347949,
|
"lastModified": 1689347949,
|
||||||
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
|
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
|
||||||
|
@ -350,6 +463,24 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701680307,
|
||||||
|
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"xdph": {
|
"xdph": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"hyprland-protocols": "hyprland-protocols",
|
"hyprland-protocols": "hyprland-protocols",
|
||||||
|
|
48
flake.nix
48
flake.nix
|
@ -8,11 +8,26 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
caddy = {
|
||||||
|
url = "github:GaspardCulis/nixos-caddy-ovh";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
disko = {
|
disko = {
|
||||||
url = "github:nix-community/disko";
|
url = "github:nix-community/disko";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
deploy-rs = {
|
||||||
|
url = "github:serokell/deploy-rs";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
# Hyprland
|
# Hyprland
|
||||||
hyprland = {
|
hyprland = {
|
||||||
url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
|
url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
|
||||||
|
@ -32,6 +47,8 @@
|
||||||
self,
|
self,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
disko,
|
disko,
|
||||||
|
deploy-rs,
|
||||||
|
sops-nix,
|
||||||
home-manager,
|
home-manager,
|
||||||
...
|
...
|
||||||
} @ inputs: let
|
} @ inputs: let
|
||||||
|
@ -47,6 +64,16 @@
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
OVHCloud = nixpkgs.lib.nixosSystem {
|
||||||
|
extraArgs = {inherit inputs;};
|
||||||
|
modules = [
|
||||||
|
./hosts/OVHCloud
|
||||||
|
disko.nixosModules.disko
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
home-manager.nixosModules.home-manager
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
homeConfigurations = {
|
homeConfigurations = {
|
||||||
|
@ -69,13 +96,28 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
deploy.nodes.OVHCloud = {
|
||||||
|
hostname = "gasdev.fr";
|
||||||
|
profiles.system = {
|
||||||
|
user = "root";
|
||||||
|
sshUser = "root";
|
||||||
|
sshOpts = ["-p" "22"];
|
||||||
|
sudo = "";
|
||||||
|
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||||
|
|
||||||
devShells.${system}.default = pkgs.mkShell {
|
devShells.${system}.default = pkgs.mkShell {
|
||||||
nativeBuildInputs = with pkgs; [
|
packages = with pkgs; [
|
||||||
|
alejandra
|
||||||
git
|
git
|
||||||
helix
|
helix
|
||||||
pkgs.home-manager
|
|
||||||
alejandra
|
|
||||||
nil
|
nil
|
||||||
|
pkgs.sops
|
||||||
|
pkgs.home-manager
|
||||||
|
pkgs.deploy-rs
|
||||||
];
|
];
|
||||||
|
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
|
|
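Review bot: In `deploy.nodes.OVHCloud.profiles.system`, `sshOpts = ["-p" "22"]` and `sudo = ""` restate what already applies when `user` and `sshUser` are both `"root"` (deploy-rs only wraps commands in the `sudo` prefix when the two differ, as far as I know), so the block could be trimmed to `user = "root"; sshUser = "root";`. A one-line comment saying why deployment goes straight to root rather than through a wheel user would help, since hosts/OVHCloud/default.nix deliberately authorises the same key for root login. Wiring `deployChecks` under `checks` is good; `nix flake check` will now validate the node definitions.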
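--- a/hosts/OVHCloud/default.nix
+++ b/hosts/OVHCloud/default.nix
@@ -0,0 +1,84 @@
+{
+inputs,
+config,
+pkgs,
+lib,
+...
+}: {
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+imports = [
+./hardware-configuration.nix
+./sops.nix
+../../services
+];
+
+# Nix
+nix.settings.experimental-features = ["nix-command" "flakes"];
+
+# Set your time zone.
+time.timeZone = "Europe/Paris";
+
+# Enable the OpenSSH daemon.
+services.openssh = {
+enable = true;
+ports = [22];
+settings = {
+PasswordAuthentication = false;
+};
+};
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
+];
+
+# Podman
+virtualisation = {
+containers.enable = true;
+oci-containers.backend = "podman";
+podman = {
+enable = true;
+# Required for containers under podman-compose to be able to talk to each other.
+defaultNetwork.settings.dns_enabled = true;
+};
+};
+
+environment.systemPackages = with pkgs; [
+helix
+git
+];
+
+# User config
+users.groups.gaspard = {
+name = "gaspard";
+};
+users.users.gaspard = {
+isNormalUser = true;
+extraGroups = [
+"wheel"
+];
+group = "gaspard";
+openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+};
+
+home-manager = {
+extraSpecialArgs = {inherit inputs;};
+users = {
+# FIX: No user config file
+"gaspard" = {
+home.username = "gaspard";
+home.homeDirectory = "/home/gaspard";
+home.stateVersion = "24.05";
+
+programs.home-manager.enable = true;
+programs.direnv.enable = true;
+
+imports = [
+../../shell
+../../editor
+];
+};
+};
+};
+
+system.stateVersion = "24.11";
+}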
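Review bot: The `services.openssh.settings` block turns off `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its NixOS default of true, which on a PAM-backed sshd still allows a password prompt over keyboard-interactive; add `KbdInteractiveAuthentication = false;` beside it so key-only access is actually enforced. `users.users.gaspard` joins `wheel` with no password declared, so with the default `security.sudo.wheelNeedsPassword` the account cannot elevate, while the identical authorized key already gives root login; a comment should say whether the wheel membership is a placeholder or intended for a later password. The `# FIX: No user config file` marker reads as unfinished work that should be resolved or turned into a tracked TODO before this branch merges.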
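--- a/hosts/OVHCloud/disko-config.nix
+++ b/hosts/OVHCloud/disko-config.nix
@@ -0,0 +1,54 @@
+{lib, ...}: {
+disko.devices = {
+disk.disk1 = {
+device = lib.mkDefault "/dev/sda";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+name = "boot";
+size = "1M";
+type = "EF02";
+};
+esp = {
+name = "ESP";
+size = "500M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+name = "root";
+size = "100%";
+content = {
+type = "lvm_pv";
+vg = "pool";
+};
+};
+};
+};
+};
+lvm_vg = {
+pool = {
+type = "lvm_vg";
+lvs = {
+root = {
+size = "100%FREE";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+mountOptions = [
+"defaults"
+];
+};
+};
+};
+};
+};
+};
+}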
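--- a/hosts/OVHCloud/hardware-configuration.nix
+++ b/hosts/OVHCloud/hardware-configuration.nix
@@ -0,0 +1,48 @@
+{
+modulesPath,
+config,
+inputs,
+pkgs,
+...
+}: {
+imports = [
+(modulesPath + "/profiles/qemu-guest.nix")
+./disko-config.nix
+];
+
+boot.loader.grub = {
+efiSupport = true;
+efiInstallAsRemovable = true;
+};
+
+# Firewall
+networking.nftables.enable = true;
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [22 80 443];
+};
+
+# Proxy
+environment.systemPackages = with pkgs; [
+nss.tools
+];
+
+services.caddy = {
+enable = true;
+package = inputs.caddy.packages.${pkgs.system}.caddy;
+
+globalConfig = ''
+acme_dns ovh {
+endpoint {$OVH_ENDPOINT}
+application_key {$OVH_APPLICATION_KEY}
+application_secret {$OVH_APPLICATION_SECRET}
+consumer_key {$OVH_CONSUMER_KEY}
+}
+'';
+};
+systemd.services.caddy = {
+serviceConfig = {
+EnvironmentFile = config.sops.templates."caddy.env".path;
+};
+};
+}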
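Review bot: The whole Caddy setup (`services.caddy`, the `systemd.services.caddy` `EnvironmentFile`, the `nss.tools` package and the firewall rules) lives in hardware-configuration.nix, a file that by convention holds only generated hardware and boot settings and is the one `nixos-generate-config` overwrites; moving it to `services/caddy/default.nix` next to the other service modules keeps it from being lost and makes the dependency on the `caddy.env` template from sops.nix easy to find. The credential handling itself is sound: the OVH keys reach Caddy only through the `{$OVH_*}` placeholders and the sops-rendered environment file, so nothing secret ends up in the Nix store. What `nss.tools` is for under `# Proxy` is not visible from here; a one-line comment would save the next reader a guess.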
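--- a/hosts/OVHCloud/sops.nix
+++ b/hosts/OVHCloud/sops.nix
@@ -0,0 +1,23 @@
+{config, ...}: {
+# This will add secrets.yml to the nix store
+# You can avoid this by adding a string to the full path instead, i.e.
+# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
+# This will automatically import SSH keys as age keys
+sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+
+sops.secrets."caddy/ovh_endpoint".owner = "caddy";
+sops.secrets."caddy/ovh_application_key".owner = "caddy";
+sops.secrets."caddy/ovh_application_secret".owner = "caddy";
+sops.secrets."caddy/ovh_consumer_key".owner = "caddy";
+
+sops.templates."caddy.env" = {
+content = ''
+OVH_ENDPOINT=${config.sops.placeholder."caddy/ovh_endpoint"}
+OVH_APPLICATION_KEY=${config.sops.placeholder."caddy/ovh_application_key"}
+OVH_APPLICATION_SECRET=${config.sops.placeholder."caddy/ovh_application_secret"}
+OVH_CONSUMER_KEY=${config.sops.placeholder."caddy/ovh_consumer_key"}
+'';
+owner = "caddy";
+};
+}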
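Review bot: The four `sops.secrets."caddy/*".owner = "caddy"` lines expose each OVH credential as a separate caddy-readable file under /run/secrets even though Caddy only ever reads the rendered `caddy.env` template. As far as I can tell sops-nix placeholders only need the secret to be declared, not owned by the consumer, so dropping the `.owner = "caddy"` on the individual secrets (leaving the root-only default) and keeping `owner = "caddy"` on the template alone gives the service exactly one readable artefact. The leading comment still talks about `secrets.yml`; it should name `secrets/OVHCloud.yaml`, and it is worth stating there that the file committed to the store is the sops ciphertext, not plaintext.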
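--- a/secrets/OVHCloud.yaml
+++ b/secrets/OVHCloud.yaml
@@ -0,0 +1,41 @@
+caddy:
+ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str]
+ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str]
+ovh_application_secret: ENC[AES256_GCM,data:X+grjuPsaIRYUEZZyoL1Tqx55tNYpvovYsXEwB15+K0=,iv:b88NCbfxahkryBp6eey74hc2IBwLTbTBe001uVJHaKw=,tag:HDw8w4g5ZS4m8ePCvvwJqw==,type:str]
+ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
+garage:
+RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str]
+shadowsocks:
+password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
+wireguard:
+private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str]
+public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqckxiTmx3Rm12ZFJ2ZXBn
+VVdOeCtWeE5xZGExOE4wTFliOGlqWWpWSFNBCmFSWS9MQmt1TWg4VFJzZmNpdStv
+dThvSFlPSjk0dHZGTlEraldHSklDUkkKLS0tIFVjbFliTFZjUlkrejR2RnAwVTRU
+U0NEaEpLREVNMUlxUFNIbTVKaUpoc1EKRC6skQPEMA4odk3yD66bqPa/2rvLGztx
+FTwwdJuE1CXaErwtt7wOfMsb3c9HhpT2R+c76woP20+VsMJdrwdeHg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSLy8yZlBuUU5QRXptZmZQ
+UzlLUmxSblpFVCtFdE4vWmUreThhT090aEFrCkV6b2FaVy83QnBTZTVrcWE2RGNE
+VldUZVkveUl5bnFLZzRBR0JCWGhseEUKLS0tIDNZeGczT1BxV21VcnFmSkN0V09P
+MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
+y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-10-02T07:32:18Z"
+mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0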
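--- a/services/default.nix
+++ b/services/default.nix
@@ -0,0 +1,7 @@
+{
+imports = [
+./shadowsocks
+./uptime-kuma
+./wireguard
+];
+}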
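--- a/services/garage/default.nix
+++ b/services/garage/default.nix
@@ -0,0 +1,36 @@
+# TODO: Run as different user
+{...}: {
+sops.secrets."garage/RPC_SECRET".owner = "root";
+
+services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = ''
+reverse_proxy http://127.0.0.1:3900
+'';
+
+services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = ''
+reverse_proxy http://127.0.0.1:3902
+'';
+
+virtualisation.oci-containers.containers = {
+garage = {
+image = "docker.io/dxflrs/garage:v1.0.0";
+autoStart = true;
+ports = [
+"127.0.0.1:3900:3900"
+"127.0.0.1:3901:3901"
+"127.0.0.1:3902:3902"
+];
+volumes = [
+"/etc/garage.toml:/etc/garage.toml"
+"/var/lib/garage/meta:/var/lib/garage/meta"
+"/var/lib/garage/data:/var/lib/garage/data"
+"/run/secrets/garage/RPC_SECRET:/run/secrets/garage/RPC_SECRET"
+];
+};
+};
+
+environment.etc."garage.toml".text = builtins.readFile ./garage.toml;
+systemd.tmpfiles.rules = [
+"d /var/lib/garage/meta 0700 root root -"
+"d /var/lib/garage/data 0700 root root -"
+];
+}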
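Review bot: The secret path differs in case between the two garage files: this module declares `sops.secrets."garage/RPC_SECRET"` and bind-mounts `/run/secrets/garage/RPC_SECRET`, while services/garage/garage.toml sets `rpc_secret_file = "/run/secrets/garage/rpc_secret"`, so inside the container Garage will look for a lowercase file that is never mounted and fail at startup; align one side, e.g. `rpc_secret_file = "/run/secrets/garage/RPC_SECRET"` in garage.toml. services/default.nix does not import `./garage`, so this module is currently dead configuration — if that is deliberate while `# TODO: Run as different user` is open, a comment saying so would save confusion. Taking the mount source from `config.sops.secrets."garage/RPC_SECRET".path` (which means adding `config` to the module arguments) instead of the literal `/run/secrets/...` string would also keep it correct if the sops-nix symlink location is ever changed.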
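--- a/services/garage/garage.toml
+++ b/services/garage/garage.toml
@@ -0,0 +1,22 @@
+metadata_dir = "/var/lib/garage/meta"
+data_dir = "/var/lib/garage/data"
+db_engine = "lmdb"
+metadata_auto_snapshot_interval = "6h"
+
+replication_factor = 1
+
+compression_level = 2
+
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "gasdev.fr:3901"
+rpc_secret_file = "/run/secrets/garage/rpc_secret"
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".s3.gasdev.fr"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".s3web.gasdev.fr"
+index = "index.html"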
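--- a/services/shadowsocks/default.nix
+++ b/services/shadowsocks/default.nix
@@ -0,0 +1,43 @@
+{
+config,
+pkgs,
+...
+}: let
+port = "8388";
+in {
+sops.secrets."shadowsocks/password".owner = "root";
+sops.templates."shadowsocks/config.json" = {
+content = ''
+{
+"server": "0.0.0.0",
+"server_port": ${port},
+"password": "${config.sops.placeholder."shadowsocks/password"}",
+"method": "aes-256-gcm",
+"timeout": 300,
+"plugin": "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin",
+"plugin_opts":"server;loglevel=none",
+
+"local_port": ${port},
+"local_address": "127.0.0.1"
+}
+'';
+owner = "root";
+};
+
+services.caddy.virtualHosts."shadowsocks.gasdev.fr".extraConfig = ''
+reverse_proxy http://127.0.0.1:${port}
+'';
+
+systemd.services = {
+shadowsocks = {
+description = "Shadowsocks tunnel";
+after = ["network-online.target"];
+wants = ["network-online.target"];
+enable = true;
+serviceConfig = {
+Restart = "always";
+ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver -c ${config.sops.templates."shadowsocks/config.json".path}";
+};
+};
+};
+}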
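Review bot: `"server": "0.0.0.0"` makes `ssserver` listen on every host interface — this unit runs directly on the host, not in a container — while the only intended ingress is Caddy proxying to `127.0.0.1:${port}`; the firewall in hosts/OVHCloud/hardware-configuration.nix currently keeps 8388 closed, but binding to `"127.0.0.1"` removes the dependency on that and keeps the plain websocket port off the WireGuard subnet or any interface that is later marked trusted. The `"local_port"` and `"local_address"` keys are client-side options that the server ignores and can be dropped from the template. The unit declares no `User=` or `DynamicUser=`, so the tunnel runs as root; a dedicated user with a matching `owner` on the `shadowsocks/config.json` template would apply the least-privilege change the garage module already carries as a TODO.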
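--- a/services/uptime-kuma/default.nix
+++ b/services/uptime-kuma/default.nix
@@ -0,0 +1,14 @@
+{...}: {
+services.caddy.virtualHosts."uptime.gasdev.fr".extraConfig = ''
+reverse_proxy http://127.0.0.1:3001
+'';
+
+virtualisation.oci-containers.containers = {
+uptime-kuma = {
+image = "docker.io/louislam/uptime-kuma:1";
+autoStart = true;
+ports = ["127.0.0.1:3001:3001"];
+volumes = ["uptime-kuma:/app/data"];
+};
+};
+}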
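Review bot: `image = "docker.io/louislam/uptime-kuma:1"` is a floating major tag, so each pull can resolve to a different image and a routine redeploy may silently change what runs behind `uptime.gasdev.fr`; pinning to an exact version plus digest, `image = "docker.io/louislam/uptime-kuma:<version>@sha256:<digest>";` with the values taken from the registry at review time, makes the deployment reproducible and auditable. The same applies to `docker.io/dxflrs/garage:v1.0.0` in services/garage/default.nix, which carries a version tag but no digest. Publishing the port on `127.0.0.1:3001` and fronting it with Caddy is the right shape for this service.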
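--- a/services/wireguard/default.nix
+++ b/services/wireguard/default.nix
@@ -0,0 +1,52 @@
+{pkgs, ...}: {
+sops.secrets."wireguard/private_key".owner = "root";
+
+networking.nat.enable = true;
+networking.nat.externalInterface = "ens3";
+networking.nat.internalInterfaces = ["wg0"];
+networking.firewall = {
+allowedUDPPorts = [993];
+};
+
+networking.wireguard.interfaces = {
+# "wg0" is the network interface name. You can name the interface arbitrarily.
+wg0 = {
+# Determines the IP address and subnet of the server's end of the tunnel interface.
+ips = ["10.8.0.1/24"];
+
+# The port that WireGuard listens to. Must be accessible by the client.
+listenPort = 993;
+
+# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
+'';
+
+# This undoes the above command
+postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
+'';
+
+# Path to the private key file.
+#
+# Note: The private key can also be included inline via the privateKey option,
+# but this makes the private key world-readable; thus, using privateKeyFile is
+# recommended.
+privateKeyFile = "/run/secrets/wireguard/private_key";
+
+peers = [
+{
+# Pixel
+publicKey = "xMO5xTvBXtikri0WS9wpzGvSWITjkQV5oUOYwFjqB0g=";
+allowedIPs = ["10.8.0.69/32"];
+}
+{
+# Zephyrus
+publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo=";
+allowedIPs = ["10.8.0.42/32"];
+}
+];
+};
+};
+}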
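Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE rules duplicate what `networking.nat` (`externalInterface = "ens3"`, `internalInterfaces = ["wg0"]`) already installs for the same subnet, and because hosts/OVHCloud/hardware-configuration.nix enables `networking.nftables`, NixOS will as far as I know use its nftables NAT implementation while these hooks call the legacy `pkgs.iptables` binary, leaving two rule engines to drift on one box; dropping both hooks and relying on `networking.nat` alone is simpler and removes the divergence. `privateKeyFile = "/run/secrets/wireguard/private_key"` would be better written as `config.sops.secrets."wireguard/private_key".path` (adding `config` to the module arguments) so it follows wherever sops-nix places the secret. The peer public keys in the repo are fine to commit; by contrast the `wireguard/public_key` entry encrypted in secrets/OVHCloud.yaml is not referenced anywhere in this branch and need not be a secret.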