From 289b69d342bc9864d83ce0481cfd660cf302d65f Mon Sep 17 00:00:00 2001 
From: NyxErinys Date: Sun, 17 May 2026 16:06:46 -0500 Subject: [PATCH] Setup Commit --- flake.lock | 108 +++++++++++++++++++++ flake.nix | 48 +++++++++ hosts/base.nix | 91 +++++++++++++++++ hosts/servers/blades/1-alpha/default.nix | 33 +++++++ hosts/servers/blades/2-beta/default.nix | 33 +++++++ hosts/servers/blades/3-gamma/default.nix | 29 ++++++ hosts/servers/blades/4-delta/default.nix | 28 ++++++ hosts/servers/blades/5-epsilon/default.nix | 28 ++++++ hosts/servers/blades/6-digamma/default.nix | 0 hosts/servers/blades/7-zeta/default.nix | 0 hosts/servers/blades/8-eta/default.nix | 0 hosts/servers/blades/default.nix | 8 ++ hosts/servers/blades/hardware.nix | 16 +++ hosts/servers/blades/systems.nix | 43 ++++++++ hosts/servers/iris/default.nix | 27 ++++++ hosts/servers/poseidon/default.nix | 0 modules/k3s/default.nix | 41 ++++++++ modules/k3s/deployments/default.nix | 8 ++ modules/k3s/manifests.nix | 9 ++ modules/k3s/services/default.nix | 8 ++ modules/nginx.nix | 55 +++++++++++ modules/sops.nix | 10 ++ modules/vrrp.nix | 105 ++++++++++++++++++++ 23 files changed, 728 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/base.nix create mode 100644 hosts/servers/blades/1-alpha/default.nix create mode 100644 hosts/servers/blades/2-beta/default.nix create mode 100644 hosts/servers/blades/3-gamma/default.nix create mode 100644 hosts/servers/blades/4-delta/default.nix create mode 100644 hosts/servers/blades/5-epsilon/default.nix create mode 100644 hosts/servers/blades/6-digamma/default.nix create mode 100644 hosts/servers/blades/7-zeta/default.nix create mode 100644 hosts/servers/blades/8-eta/default.nix create mode 100644 hosts/servers/blades/default.nix create mode 100644 hosts/servers/blades/hardware.nix create mode 100644 hosts/servers/blades/systems.nix create mode 100644 hosts/servers/iris/default.nix create mode 100644 hosts/servers/poseidon/default.nix create mode 100644 modules/k3s/default.nix create mode 100644 
modules/k3s/deployments/default.nix create mode 100644 modules/k3s/manifests.nix create mode 100644 modules/k3s/services/default.nix create mode 100644 modules/nginx.nix create mode 100644 modules/sops.nix create mode 100644 modules/vrrp.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..72f0b7c --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,108 @@ +{ + "nodes": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1778737229, + "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1779047312, + "narHash": "sha256-Q4CSXZehRX3CKnXXaHc2nCMjK9lgZR2Leu5DTwe1Vnw=", + "owner": "nix-community", + "repo": "NUR", + "rev": "8070eab81003118a0d3cde9c316aca3b2c21533e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "nur": "nur", + "secrets": "secrets", + "sops-nix": "sops-nix" + } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1778724910, + "narHash": "sha256-V7G1u4RFoRgIy0ERbnPVGj1EcNQcLzP7pZ2t+H+t9zk=", + "ref": "refs/heads/master", + "rev": "7f2f5e303a3651e28b1ef021794f49ae3446639b", + "revCount": 1, + "type": "git", + "url": "ssh://git@git.nyxerinys.dev:222/nyxerinys/nix-secrets" + }, + "original": { + "type": "git", + "url": "ssh://git@git.nyxerinys.dev:222/nyxerinys/nix-secrets" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1777944972, + "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", + "owner": "Mic92", + "repo": 
"sops-nix", + "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..70da510 --- /dev/null +++ b/flake.nix @@ -0,0 +1,48 @@ +{ + description = "Nyx's Nix/Nixos configs"; + + inputs = { + nixpkgs = { url = "github:nixos/nixpkgs/nixos-25.11"; }; + nur = { + url = "github:nix-community/NUR"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + secrets ={ + url = "git+ssh://git@git.nyxerinys.dev:222/nyxerinys/nix-secrets"; + flake = false; + }; + }; + + outputs = { self, nixpkgs, ... } @ inputs: + let + blades = import ./hosts/servers/blades/systems.nix { inherit inputs; }; + in + { + nixosConfigurations = { + Apollo = nixpkgs.lib.nixosSystem { + modules = [ + ./hosts/base.nix + ]; + specialArgs = { inherit inputs; }; + }; + iris = nixpkgs.lib.nixosSystem { + modules = [ + ./hosts/base.nix + ./hosts/servers/iris + ]; + }; + nixos = nixpkgs.lib.nixosSystem { + modules = [ + ./hosts/base.nix + /etc/nixos/hardware-configuration.nix + ]; + specialArgs = { inherit inputs; }; + }; + } // + blades; + }; +} \ No newline at end of file diff --git a/hosts/base.nix b/hosts/base.nix new file mode 100644 index 0000000..248af69 --- /dev/null +++ b/hosts/base.nix 
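Review bot: The `iris` entry in `nixosConfigurations` is the only one without `specialArgs = { inherit inputs; };`, yet hosts/servers/iris/default.nix imports ../../modules/sops.nix, whose argument set begins `{inputs, pkgs, ...}:`, so evaluating `nixosConfigurations.iris` fails on the missing `inputs` argument before any secret is touched; adding `specialArgs = { inherit inputs; };` to the `iris` block, as the other systems have, fixes it. The `nixos` configuration lists `/etc/nixos/hardware-configuration.nix`, an absolute path outside the flake, which pure evaluation rejects unless `--impure` is passed; either copy the file into the repository or add a comment stating that this target is impure by design. Naming is also inconsistent: `Apollo` is capitalised while `iris`, `nixos` and the blade names are lower-case, which matters because the attribute name is what `nixos-rebuild --flake .#name` matches.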
@@ -0,0 +1,91 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + boot = { + loader = lib.mkDefault { + efi.canTouchEfiVariables = false; + grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + devices = ["nodev"]; + }; + }; + kernelParams = [ "ipv6.disable=1" ]; + }; + + # system.autoUpgrade = mkDefault { + # enable = true; + # flake = "https://git.nyxerinys.dev/nyxerinys/nix-config"; + # flags = [ + # "--update-input" "nixpkgs" + # "--update-input" "secrets" + # "--commit-lock-file" + # ]; + # dates = "04:00"; # Runs every day at 4 AM + # randomizedDelaySec = "1h"; # Prevents all your machines from hitting the repo at once + # }; + + networking.hostName = lib.mkDefault "nixos"; + + # Enable networking + networking.networkmanager = { enable = true; }; + networking.enableIPv6 = false; + # Set your time zone. + time.timeZone = "America/Chicago"; + + # Select internationalisation properties. 
+ i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + users.users.nyxerinys = { + isNormalUser = true; + description = "Nyx"; + extraGroups = [ "networkmanager" "wheel"]; + packages = with pkgs; []; + openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; + }; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + git + pciutils + sysstat + xivlauncher + ]; + + services.openssh.enable = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "25.11"; # Did you read the comment? + +} diff --git a/hosts/servers/blades/1-alpha/default.nix b/hosts/servers/blades/1-alpha/default.nix new file mode 100644 index 0000000..0b38b45 --- /dev/null +++ b/hosts/servers/blades/1-alpha/default.nix 
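Review bot: `services.openssh.enable = true;` leaves the NixOS default of password authentication in place, although the only account defined here (`users.users.nyxerinys`) already authenticates with an authorized key; since this module is the base for every host, `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` belong here so each server inherits key-only login. `xivlauncher` in `environment.systemPackages` puts a game launcher into the closure of headless blades that import this file (with `nixpkgs.config.allowUnfree = true;` enabled for it); moving it to a desktop-only module keeps the server image smaller. The commented-out `system.autoUpgrade` block should either be finished or removed rather than carried in the base module.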
@@ -0,0 +1,33 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../../../../modules/vrrp.nix + ../../../../modules/nginx.nix + ]; + + networking.hostName = "alpha"; + + nyxs-nix.services.vrrp = { + enable = true; + priority = 200; + peers = [ + "10.5.0.102" + ]; + }; + + systemd.network.links."10-eth0" = { + matchConfig.PermanentMACAddress = "00:25:90:e6:e1:0e"; + linkConfig.Name = "eth0"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/29a440ba-305c-4041-b45d-502b5cf3a514"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A579-28EC"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; +} \ No newline at end of file diff --git a/hosts/servers/blades/2-beta/default.nix b/hosts/servers/blades/2-beta/default.nix new file mode 100644 index 0000000..2b057a8 --- /dev/null +++ b/hosts/servers/blades/2-beta/default.nix @@ -0,0 +1,33 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../../../../modules/vrrp.nix + ../../../../modules/nginx.nix + ]; + + networking.hostName = "beta"; + + nyxs-nix.services.vrrp = { + enable = true; + priority = 150; + peers = [ + "10.5.0.101" + ]; + }; + + systemd.network.links."10-eth0" = { + matchConfig.PermanentMACAddress = "00:25:90:e6:e1:10"; + linkConfig.Name = "eth0"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/7422bf7a-0760-41f2-aad3-28eff66c4b4d"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0DED-C0F5"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; +} \ No newline at end of file diff --git a/hosts/servers/blades/3-gamma/default.nix b/hosts/servers/blades/3-gamma/default.nix new file mode 100644 index 0000000..d1bdd0d --- /dev/null +++ b/hosts/servers/blades/3-gamma/default.nix 
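Review bot: 1-alpha/default.nix and 2-beta/default.nix differ only in `networking.hostName`, `priority`, `peers`, the `PermanentMACAddress` and the two `by-uuid` devices; the remaining lines, including the `fmask=0077`/`dmask=0077` boot mount options, are duplicated verbatim, and the same template appears again in 3-gamma, 4-delta and 5-epsilon. A helper under hosts/servers/blades taking those values (hostname, MAC, root and boot UUIDs, and the role-specific block) would reduce each host file to the data that actually varies and stop the shared parts from drifting between blades. Note also that each blade hard-codes its VRRP `peers` as the other blade's address (`10.5.0.102` here, `10.5.0.101` in beta); if a third nginx blade is added, both lists must be edited by hand, so a comment recording that coupling would help.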
@@ -0,0 +1,29 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../../../../modules/k3s + ]; + + networking.hostName = "gamma"; + + nyxs-nix.services.k3s = { + enable = true; + initServer = true; + }; + + systemd.network.links."10-eth0" = { + matchConfig.PermanentMACAddress = "00:25:90:e6:e1:09"; + linkConfig.Name = "eth0"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/8d8325bb-b5ba-469b-8054-b295bbbc70c2"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0954-3305"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; +} \ No newline at end of file diff --git a/hosts/servers/blades/4-delta/default.nix b/hosts/servers/blades/4-delta/default.nix new file mode 100644 index 0000000..2f94f5e --- /dev/null +++ b/hosts/servers/blades/4-delta/default.nix @@ -0,0 +1,28 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../../../../modules/k3s + ]; + + networking.hostName = "delta"; + + nyxs-nix.services.k3s = { + enable = true; + }; + + systemd.network.links."10-eth0" = { + matchConfig.PermanentMACAddress = "00:25:90:e6:e1:63"; + linkConfig.Name = "eth0"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/103ed8d1-3681-4d67-938c-e7349447fcbb"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4EB3-06A1"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; +} \ No newline at end of file diff --git a/hosts/servers/blades/5-epsilon/default.nix b/hosts/servers/blades/5-epsilon/default.nix new file mode 100644 index 0000000..fc7d976 --- /dev/null +++ b/hosts/servers/blades/5-epsilon/default.nix 
@@ -0,0 +1,28 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../../../../modules/k3s + ]; + + networking.hostName = "epsilon"; + + nyxs-nix.services.k3s = { + enable = true; + }; + + systemd.network.links."10-eth0" = { + matchConfig.PermanentMACAddress = "00:25:90:e6:e1:21"; + linkConfig.Name = "eth0"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/a0c8475c-cda8-4ceb-bbad-50d9537924be"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8D63-DF1F"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; +} \ No newline at end of file diff --git a/hosts/servers/blades/6-digamma/default.nix b/hosts/servers/blades/6-digamma/default.nix new file mode 100644 index 0000000..e69de29 diff --git a/hosts/servers/blades/7-zeta/default.nix b/hosts/servers/blades/7-zeta/default.nix new file mode 100644 index 0000000..e69de29 diff --git a/hosts/servers/blades/8-eta/default.nix b/hosts/servers/blades/8-eta/default.nix new file mode 100644 index 0000000..e69de29 diff --git a/hosts/servers/blades/default.nix b/hosts/servers/blades/default.nix new file mode 100644 index 0000000..a209aee --- /dev/null +++ b/hosts/servers/blades/default.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = [ + ./hardware.nix + ../../../modules/sops.nix + ]; + +} \ No newline at end of file diff --git a/hosts/servers/blades/hardware.nix b/hosts/servers/blades/hardware.nix new file mode 100644 index 0000000..a9dcf29 --- /dev/null +++ b/hosts/servers/blades/hardware.nix 
@@ -0,0 +1,16 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + swapDevices = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} \ No newline at end of file diff --git a/hosts/servers/blades/systems.nix b/hosts/servers/blades/systems.nix new file mode 100644 index 0000000..6340026 --- /dev/null +++ b/hosts/servers/blades/systems.nix @@ -0,0 +1,43 @@ +{ inputs }: +{ + alpha = inputs.nixpkgs.lib.nixosSystem { + modules = [ + ../../base.nix + ../blades + ./1-alpha + ]; + specialArgs = { inherit inputs; }; + }; + beta = inputs.nixpkgs.lib.nixosSystem { + modules = [ + ../../base.nix + ../blades + ./2-beta + ]; + specialArgs = { inherit inputs; }; + }; + gamma = inputs.nixpkgs.lib.nixosSystem { + modules = [ + ../../base.nix + ../blades + ./3-gamma + ]; + specialArgs = { inherit inputs; }; + }; + delta = inputs.nixpkgs.lib.nixosSystem { + modules = [ + ../../base.nix + ../blades + ./4-delta + ]; + specialArgs = { inherit inputs; }; + }; + epsilon = inputs.nixpkgs.lib.nixosSystem { + modules = [ + ../../base.nix + ../blades + ./5-epsilon + ]; + specialArgs = { inherit inputs; }; + }; +} \ No newline at end of file diff --git a/hosts/servers/iris/default.nix b/hosts/servers/iris/default.nix new file mode 100644 index 0000000..1acdc31 --- /dev/null +++ b/hosts/servers/iris/default.nix 
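Review bot: systems.nix repeats the same `inputs.nixpkgs.lib.nixosSystem { modules = [ ../../base.nix ../blades ./N-name ]; specialArgs = { inherit inputs; }; }` block five times, differing only in the host directory; a one-argument helper keeps the per-blade list to a single line each and guarantees every blade gets the same module set and `specialArgs`. The empty 6-digamma, 7-zeta and 8-eta default.nix files added in this commit are not referenced here, which is correct, since an empty Nix file does not parse and would break evaluation if imported; a comment noting they are placeholders would prevent someone from adding them to this list prematurely.
```nix
{ inputs }:
let
  # One nixosSystem per blade: base config, the shared blade module, then the host directory.
  mkBlade = hostDir: inputs.nixpkgs.lib.nixosSystem {
    modules = [ ../../base.nix ../blades hostDir ];
    specialArgs = { inherit inputs; };
  };
in
{
  alpha = mkBlade ./1-alpha;
  beta = mkBlade ./2-beta;
  gamma = mkBlade ./3-gamma;
  delta = mkBlade ./4-delta;
  epsilon = mkBlade ./5-epsilon;
}
```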
@@ -0,0 +1,27 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ../../modules/sops.nix + ]; + + networking.hostName = "iris"; + + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + + boot.initrd.availableKernelModules = [ "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} \ No newline at end of file diff --git a/hosts/servers/poseidon/default.nix b/hosts/servers/poseidon/default.nix new file mode 100644 index 0000000..e69de29 diff --git a/modules/k3s/default.nix b/modules/k3s/default.nix new file mode 100644 index 0000000..768daf7 --- /dev/null +++ b/modules/k3s/default.nix 
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, inputs, ... }: +with lib; +let + cfg = config.nyxs-nix.services.k3s; +in +{ + options.nyxs-nix.services.k3s = with types; { + enable = mkEnableOption "Enable the vrrp quotes service"; + + initServer = mkOption { + type = bool; + default = false; + description = "Whether or not the node is the main one or sub node"; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ + 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) + 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration + 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration + ]; + networking.firewall.allowedUDPPorts = [ + 8472 # k3s, flannel: required if using multi-node for inter-node networking + ]; + + sops.secrets.k3s_token = { + format = "json"; + key = "token"; + sopsFile = "${inputs.secrets}/k3s.json"; + }; + + services.k3s = { + enable = true; + token = config.sops.secrets.k3s_token.path; + clusterInit = mkIf cfg.initServer true; + serverAddr = mkIf (!cfg.initServer) "https://10.5.0.103:6443"; + # manifests = import ./manifests.nix { inherit lib cfg } + }; + }; +} \ No newline at end of file diff --git a/modules/k3s/deployments/default.nix b/modules/k3s/deployments/default.nix new file mode 100644 index 0000000..4922150 --- /dev/null +++ b/modules/k3s/deployments/default.nix @@ -0,0 +1,8 @@ +{ cfg, lib, ... }: +let + manifests = [ + + ]; + imported = map ( n: import ${n} { inherit cfg, lib } ) manifests; +in + lib.foldl' lib.recursiveUpdate {} imported \ No newline at end of file diff --git a/modules/k3s/manifests.nix b/modules/k3s/manifests.nix new file mode 100644 index 0000000..cc1b89e --- /dev/null +++ b/modules/k3s/manifests.nix 
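Review bot: `token = config.sops.secrets.k3s_token.path;` hands the secret's *path* to `services.k3s.token`, which expects the token value itself, so every node would join the cluster with the literal path string as its shared token, a predictable value that also ends up in the generated unit in the Nix store; the option that takes a file reference is `tokenFile = config.sops.secrets.k3s_token.path;`. `networking.firewall.allowedTCPPorts` opens etcd's 2379/2380 and `allowedUDPPorts` opens flannel's 8472 to any source, whereas their only legitimate peers are the other k3s nodes; restricting those rules to the node addresses (for example via `networking.firewall.extraCommands`) rather than opening them globally limits exposure of the embedded etcd. `serverAddr = mkIf (!cfg.initServer) "https://10.5.0.103:6443";` hard-codes one node's address inside a reusable module, which an option such as `serverAddr = mkOption { type = str; description = "URL of the initial k3s server"; };` would keep out of the module. Finally, `mkEnableOption "Enable the vrrp quotes service"` is copied from the vrrp module and, because mkEnableOption already prefixes "Whether to enable", renders as "Whether to enable Enable the vrrp quotes service."; `mkEnableOption "the k3s cluster node"` reads correctly.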
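Review bot: `imported = map ( n: import ${n} { inherit cfg, lib } ) manifests;` is not valid Nix on two counts: `${…}` interpolation is only permitted inside strings, paths and attribute names, and `inherit` takes whitespace-separated names terminated by `;`, so this file, and modules/k3s/services/default.nix, which has the identical line, fail to parse the moment the commented-out `manifests = import ./manifests.nix …` in modules/k3s/default.nix is re-enabled. modules/k3s/manifests.nix gets `inherit cfg lib` right but keeps the `${n}` error. The corrected line for all three is `imported = map (n: import n { inherit cfg lib; }) manifests;`. With `manifests = [ ];` the fold yields `{}`, so the empty placeholder is harmless once the syntax is fixed.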
@@ -0,0 +1,9 @@ +{ cfg, lib, ... }: +let + manifests = [ + ./deployments + ./services + ]; + imported = map ( n: import ${n} { inherit cfg lib } ) manifests; +in + lib.foldl' lib.recursiveUpdate {} imported \ No newline at end of file diff --git a/modules/k3s/services/default.nix b/modules/k3s/services/default.nix new file mode 100644 index 0000000..f916720 --- /dev/null +++ b/modules/k3s/services/default.nix @@ -0,0 +1,8 @@ +{ cfg, lib, ... }: +let + manifests = [ + + ]; + imported = map ( n: import ${n} { inherit cfg, lib } ) manifests; +in + lib.foldl' lib.recursiveUpdate {} imported \ No newline at end of file diff --git a/modules/nginx.nix b/modules/nginx.nix new file mode 100644 index 0000000..c4de3ca --- /dev/null +++ b/modules/nginx.nix @@ -0,0 +1,55 @@ +{inputs, pkgs, config, ...}: + +{ + sops.secrets."CF_DNS_API_TOKEN" = { + format = "json"; + sopsFile = "${inputs.secrets}/nginx.json"; + }; + + sops.secrets."CF_ZONE_API_TOKEN" = { + format = "json"; + sopsFile = "${inputs.secrets}/nginx.json"; + }; + + sops.templates."ACME.env".content = '' + CF_DNS_API_TOKEN="${config.sops.placeholder."CF_DNS_API_TOKEN"}" + CF_ZONE_API_TOKEN="${config.sops.placeholder."CF_ZONE_API_TOKEN"}" + ''; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + security.acme = { + acceptTerms = true; + defaults = { + dnsProvider = "cloudflare"; + environmentFile = config.sops.templates."ACME.env".path; + email = "nyxerinys5@gmail.com"; + }; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "vault.nyxerinys.dev" = { + addSSL = true; + enableACME = true; + acmeRoot = null; + + locations."/" = { + proxyPass = "http://10.5.0.2:83"; + proxyWebsockets = true; + }; + }; + "git.nyxerinys.dev" = { + addSSL = true; + enableACME = true; + acmeRoot = null; + + locations."/" = { + proxyPass = "http://10.5.0.2:3000"; + proxyWebsockets = true; + }; + }; + }; + }; +} \ No newline at end of file 
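Review bot: Both virtual hosts set `addSSL = true;`, which keeps serving plain HTTP on port 80 alongside HTTPS, so a client that reaches `vault.nyxerinys.dev` or `git.nyxerinys.dev` without an explicit scheme has its traffic proxied to 10.5.0.2 in clear text; `forceSSL = true;` redirects port 80 to HTTPS and is the usual choice for an ACME-backed host, and `services.nginx.recommendedTlsSettings = true;` together with `recommendedProxySettings = true;` supply the TLS parameters and the `X-Forwarded-*` headers that a proxied backend relies on. Since this module is imported by both alpha and beta, each blade obtains its own certificates for the two names through DNS-01; that works, but it doubles issuance against the CA's per-name limits, which deserves a comment next to `security.acme.defaults`. `inputs` and `pkgs` are declared in the argument set but `pkgs` is unused and can be dropped.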
diff --git a/modules/sops.nix b/modules/sops.nix new file mode 100644 index 0000000..eeee381 --- /dev/null +++ b/modules/sops.nix @@ -0,0 +1,10 @@ +{inputs, pkgs, ...}: + +{ + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops = { + defaultSopsFile = "${inputs.secrets}/main.json"; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; +} \ No newline at end of file diff --git a/modules/vrrp.nix b/modules/vrrp.nix new file mode 100644 index 0000000..d54cc56 --- /dev/null +++ b/modules/vrrp.nix 
@@ -0,0 +1,105 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.nyxs-nix.services.vrrp; +in +{ + options.nyxs-nix.services.vrrp = with types; { + enable = mkEnableOption "Enable the vrrp quotes service"; + + ip = mkOption { + type = str; + default = "10.5.0.5/24"; + description = "Virtual IP address"; + }; + + priority = mkOption { + type = int; + default = 0; + description = "Priority of the system in the vrrp pool"; + }; + + interface = mkOption { + type = str; + default = "eth0"; + description = "interface for vrrp communication"; + }; + + id = mkOption { + type = int; + default = 1; + description = "virtual router config id"; + }; + + peers = mkOption { + type = nullOr (listOf str); + default = null; + description = "List of ips for the other vrrp instancess"; + }; + }; + + config = mkIf cfg.enable { + # networking.firewall.extraCommands = '' + # iptables -I INPUT 1 -i vrrp.6 -p tcp --dport 22 -j ACCEPT + # iptables -I INPUT 2 -i vrrp.6 -p tcp -j DROP + # ''; + + # networking.vlans."eth0.6" = { + # id = 6; + # interface = "eth0"; + # }; + + # networking.interfaces."eth0.6" = { + # ipv4.routes = [ + # { + # address = "10.5.1.0"; + # prefixLength = 24; + # via = "10.5.1.1"; + # } + # { + # address = "0.0.0.0"; + # prefixLength = 0; + # via = "10.5.1.1"; + # } + # ]; + # }; + + services.keepalived = { + enable = true; + + openFirewall = true; + + extraGlobalDefs = '' + use_symlink_paths true + ''; + + vrrpInstances.VIP_1 = { + state = "BACKUP"; + interface = cfg.interface; + virtualRouterId = cfg.id; + priority = cfg.priority; + virtualIps = [ + { + addr = cfg.ip; + scope = "global"; + } + ]; + unicastPeers = mkIf (cfg.peers != null) cfg.peers; + # useVmac = true; + # vmacXmitBase = true; + trackScripts = ["track_nginx"]; + }; + vrrpScripts = { + track_nginx = { + script = "${pkgs.systemd}/bin/systemctl is-active nginx"; + interval = 1; + timeout = 2; + rise = 2; + fall = 2; + weight = 0; + user = "root"; + }; + }; + }; + }; +}
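Review bot: The `priority` option defaults to `0`, but keepalived only accepts VRRP priorities in the range 1–254 (255 being reserved for the address owner), so a host that enables the module without overriding it gets an invalid instance; either omit the default so the option must be set, or use the keepalived convention `default = 100;`. `mkEnableOption "Enable the vrrp quotes service"` renders as "Whether to enable Enable the vrrp quotes service." because mkEnableOption supplies the prefix; `mkEnableOption "the keepalived VRRP failover instance"` is accurate. `services.keepalived.openFirewall = true;` accepts VRRP (IP protocol 112) from any source even though the instance already speaks unicast to `cfg.peers` and no VRRP authentication is configured, so any host on the segment that can send a higher-priority advertisement could claim the VIP; limiting the accept rule to the peer addresses when `cfg.peers` is set narrows that. Lastly, `trackScripts = ["track_nginx"];` and the `track_nginx` script hard-wire an nginx health check into an otherwise generic VRRP module (an option naming the tracked unit would decouple them), and the roughly thirty lines of commented-out iptables/vlan configuration should be removed rather than committed.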