aboutsummaryrefslogtreecommitdiff
path: root/systems/zoldene
diff options
context:
space:
mode:
Diffstat (limited to 'systems/zoldene')
-rw-r--r--systems/zoldene/base.nix10
-rw-r--r--systems/zoldene/certificates.nix23
-rw-r--r--systems/zoldene/flake.nix3
-rw-r--r--systems/zoldene/virtualisation.nix46
4 files changed, 81 insertions, 1 deletions
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 8ca5d52..2c0a461 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -1,4 +1,4 @@
1{ name, config, lib, pkgs, secrets, ... }: 1{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
2let 2let
3 # udev rules to be able to boot from qemu in a rescue 3 # udev rules to be able to boot from qemu in a rescue
4 udev-qemu-rules = 4 udev-qemu-rules =
@@ -9,6 +9,12 @@ let
9 '') (builtins.attrNames disks)); 9 '') (builtins.attrNames disks));
10in 10in
11{ 11{
12 imports = [
13 secrets.nixosModules.users-config-zoldene
14 ./virtualisation.nix
15 ./certificates.nix
16 ];
17
12 services.openssh = { 18 services.openssh = {
13 settings.KbdInteractiveAuthentication = false; 19 settings.KbdInteractiveAuthentication = false;
14 hostKeys = [ 20 hostKeys = [
@@ -119,4 +125,6 @@ in
119 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key"; 125 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
120 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age 126 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
121 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ]; 127 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
128
129
122} 130}
diff --git a/systems/zoldene/certificates.nix b/systems/zoldene/certificates.nix
new file mode 100644
index 0000000..d6ffd12
--- /dev/null
+++ b/systems/zoldene/certificates.nix
@@ -0,0 +1,23 @@
1{ ... }:
2{
3 disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
4 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
5
6 environment.persistence."/persist/zfast".directories = [
7 {
8 directory = "/var/lib/acme";
9 user = "root";
10 group = "root";
11 mode = "0755";
12 }
13 ];
14
15 users.users.nginx.extraGroups = [ "acme" ];
16 services.nginx = {
17 enable = true;
18 recommendedOptimisation = true;
19 recommendedGzipSettings = true;
20 recommendedProxySettings = true;
21 };
22
23}
diff --git a/systems/zoldene/flake.nix b/systems/zoldene/flake.nix
index 42466e8..7b7b4b7 100644
--- a/systems/zoldene/flake.nix
+++ b/systems/zoldene/flake.nix
@@ -14,6 +14,9 @@
14 system = "x86_64-linux"; 14 system = "x86_64-linux";
15 targetHost = "88.198.39.152"; 15 targetHost = "88.198.39.152";
16 targetUser = "root"; 16 targetUser = "root";
17 moduleArgs = {
18 pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
19 };
17 nixosModules = with inputs; { 20 nixosModules = with inputs; {
18 impermanence = impermanence.nixosModule; 21 impermanence = impermanence.nixosModule;
19 base = ./base.nix; 22 base = ./base.nix;
diff --git a/systems/zoldene/virtualisation.nix b/systems/zoldene/virtualisation.nix
new file mode 100644
index 0000000..d2212fe
--- /dev/null
+++ b/systems/zoldene/virtualisation.nix
@@ -0,0 +1,46 @@
1{ pkgs-no-overlay, ... }:
2{
3 boot.kernelModules = [ "nf_nat_ftp" ];
4
5 ### Enable Docker
6 virtualisation.docker.enable = true;
7 disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
8 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
9
10 ### Enable LXC
11 disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
12 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
13 virtualisation.lxc = {
14 enable = true;
15 lxcfs.enable = true;
16 };
17
18 ### Enable libvirtd
19 virtualisation.libvirtd = {
20 enable = true;
21 qemu.package = pkgs-no-overlay.qemu;
22 };
23
24 ### Persistence for LXC / Docker
25 environment.persistence."/persist/zfast".directories = [
26 {
27 directory = "/var/lib/lxc";
28 user = "root";
29 group = "root";
30 mode = "0755";
31 }
32 {
33 directory = "/var/lib/docker";
34 user = "root";
35 group = "root";
36 mode = "0750";
37 }
38 ];
39
40 # ip forwarding is needed for NAT'ing to work in containers/VMs.
41 boot.kernel.sysctl = {
42 "net.ipv4.conf.all.forwarding" = true;
43 "net.ipv4.conf.default.forwarding" = true;
44 };
45}
46