aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--deploy/flake.lock12
-rw-r--r--flake.lock4
-rw-r--r--flakes/flake.lock2
-rw-r--r--systems/zoldene/base.nix10
-rw-r--r--systems/zoldene/certificates.nix23
-rw-r--r--systems/zoldene/flake.nix3
-rw-r--r--systems/zoldene/virtualisation.nix46
7 files changed, 90 insertions, 10 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 74f3cb3..711f7ea 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783 }, 2783 },
2784 "locked": { 2784 "locked": {
2785 "lastModified": 1, 2785 "lastModified": 1,
2786 "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=", 2786 "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
2787 "path": "../flakes", 2787 "path": "../flakes",
2788 "type": "path" 2788 "type": "path"
2789 }, 2789 },
@@ -3974,7 +3974,7 @@
3974 }, 3974 },
3975 "locked": { 3975 "locked": {
3976 "lastModified": 1, 3976 "lastModified": 1,
3977 "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", 3977 "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
3978 "path": "../systems/zoldene", 3978 "path": "../systems/zoldene",
3979 "type": "path" 3979 "type": "path"
3980 }, 3980 },
@@ -8888,11 +8888,11 @@
8888 "nixpkgs": "nixpkgs_106" 8888 "nixpkgs": "nixpkgs_106"
8889 }, 8889 },
8890 "locked": { 8890 "locked": {
8891 "lastModified": 1700953172, 8891 "lastModified": 1708773401,
8892 "narHash": "sha256-KcFb43yLFsVOMevka1G2ddTE5JFsS72h+6XfjO7ivAs=", 8892 "narHash": "sha256-5UeCrBFAypxoiJ3TkmtXw40g1durDVV6AiPmzaumeQk=",
8893 "ref": "master", 8893 "ref": "master",
8894 "rev": "4518b25634f2274d2a65bf5bfc4c78c4ab450787", 8894 "rev": "890a76ab7f560b8a8d547d2066fe5e10083b0689",
8895 "revCount": 715, 8895 "revCount": 721,
8896 "type": "git", 8896 "type": "git",
8897 "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" 8897 "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
8898 }, 8898 },
diff --git a/flake.lock b/flake.lock
index 19de0cb..2b6bd18 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664 }, 2664 },
2665 "locked": { 2665 "locked": {
2666 "lastModified": 1, 2666 "lastModified": 1,
2667 "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=", 2667 "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
2668 "path": "./flakes", 2668 "path": "./flakes",
2669 "type": "path" 2669 "type": "path"
2670 }, 2670 },
@@ -3990,7 +3990,7 @@
3990 }, 3990 },
3991 "locked": { 3991 "locked": {
3992 "lastModified": 1, 3992 "lastModified": 1,
3993 "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", 3993 "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
3994 "path": "../systems/zoldene", 3994 "path": "../systems/zoldene",
3995 "type": "path" 3995 "type": "path"
3996 }, 3996 },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 051086e..f4e88e4 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3895,7 +3895,7 @@
3895 }, 3895 },
3896 "locked": { 3896 "locked": {
3897 "lastModified": 1, 3897 "lastModified": 1,
3898 "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", 3898 "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
3899 "path": "../systems/zoldene", 3899 "path": "../systems/zoldene",
3900 "type": "path" 3900 "type": "path"
3901 }, 3901 },
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 8ca5d52..2c0a461 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -1,4 +1,4 @@
1{ name, config, lib, pkgs, secrets, ... }: 1{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
2let 2let
3 # udev rules to be able to boot from qemu in a rescue 3 # udev rules to be able to boot from qemu in a rescue
4 udev-qemu-rules = 4 udev-qemu-rules =
@@ -9,6 +9,12 @@ let
9 '') (builtins.attrNames disks)); 9 '') (builtins.attrNames disks));
10in 10in
11{ 11{
12 imports = [
13 secrets.nixosModules.users-config-zoldene
14 ./virtualisation.nix
15 ./certificates.nix
16 ];
17
12 services.openssh = { 18 services.openssh = {
13 settings.KbdInteractiveAuthentication = false; 19 settings.KbdInteractiveAuthentication = false;
14 hostKeys = [ 20 hostKeys = [
@@ -119,4 +125,6 @@ in
119 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key"; 125 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
120 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age 126 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
121 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ]; 127 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
128
129
122} 130}
diff --git a/systems/zoldene/certificates.nix b/systems/zoldene/certificates.nix
new file mode 100644
index 0000000..d6ffd12
--- /dev/null
+++ b/systems/zoldene/certificates.nix
@@ -0,0 +1,23 @@
1{ ... }:
2{
3 disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
4 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
5
6 environment.persistence."/persist/zfast".directories = [
7 {
8 directory = "/var/lib/acme";
9 user = "root";
10 group = "root";
11 mode = "0755";
12 }
13 ];
14
15 users.users.nginx.extraGroups = [ "acme" ];
16 services.nginx = {
17 enable = true;
18 recommendedOptimisation = true;
19 recommendedGzipSettings = true;
20 recommendedProxySettings = true;
21 };
22
23}
diff --git a/systems/zoldene/flake.nix b/systems/zoldene/flake.nix
index 42466e8..7b7b4b7 100644
--- a/systems/zoldene/flake.nix
+++ b/systems/zoldene/flake.nix
@@ -14,6 +14,9 @@
14 system = "x86_64-linux"; 14 system = "x86_64-linux";
15 targetHost = "88.198.39.152"; 15 targetHost = "88.198.39.152";
16 targetUser = "root"; 16 targetUser = "root";
17 moduleArgs = {
18 pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
19 };
17 nixosModules = with inputs; { 20 nixosModules = with inputs; {
18 impermanence = impermanence.nixosModule; 21 impermanence = impermanence.nixosModule;
19 base = ./base.nix; 22 base = ./base.nix;
diff --git a/systems/zoldene/virtualisation.nix b/systems/zoldene/virtualisation.nix
new file mode 100644
index 0000000..d2212fe
--- /dev/null
+++ b/systems/zoldene/virtualisation.nix
@@ -0,0 +1,46 @@
1{ pkgs-no-overlay, ... }:
2{
3 boot.kernelModules = [ "nf_nat_ftp" ];
4
5 ### Enable Docker
6 virtualisation.docker.enable = true;
7 disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
8 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
9
10 ### Enable LXC
11 disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
12 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
13 virtualisation.lxc = {
14 enable = true;
15 lxcfs.enable = true;
16 };
17
18 ### Enable libvirtd
19 virtualisation.libvirtd = {
20 enable = true;
21 qemu.package = pkgs-no-overlay.qemu;
22 };
23
24 ### Persistence for LXC / Docker
25 environment.persistence."/persist/zfast".directories = [
26 {
27 directory = "/var/lib/lxc";
28 user = "root";
29 group = "root";
30 mode = "0755";
31 }
32 {
33 directory = "/var/lib/docker";
34 user = "root";
35 group = "root";
36 mode = "0750";
37 }
38 ];
39
40 # ip forwarding is needed for NAT'ing to work in containers/VMs.
41 boot.kernel.sysctl = {
42 "net.ipv4.conf.all.forwarding" = true;
43 "net.ipv4.conf.default.forwarding" = true;
44 };
45}
46