Setup Commit

modules/k3s/default.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib;
+let
+  cfg = config.nyxs-nix.services.k3s;
+in
+{
+  options.nyxs-nix.services.k3s = with types; {
+    enable = mkEnableOption "Enable the vrrp quotes service";
+
+    initServer = mkOption {
+      type = bool;
+      default = false;
+      description = "Whether or not the node is the main one or sub node";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+      2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+      2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+    ];
+    networking.firewall.allowedUDPPorts = [
+      8472 # k3s, flannel: required if using multi-node for inter-node networking
+    ];
+    
+    sops.secrets.k3s_token = {
+      format = "json";
+      key = "token";
+      sopsFile = "${inputs.secrets}/k3s.json";
+    };
+    
+    services.k3s = {
+      enable = true;
+      token = config.sops.secrets.k3s_token.path;
+      clusterInit = mkIf cfg.initServer true;
+      serverAddr = mkIf (!cfg.initServer) "https://10.5.0.103:6443";
+      # manifests = import ./manifests.nix { inherit lib cfg }
+    };
+  };
+}

modules/k3s/deployments/default.nix

@@ -0,0 +1,8 @@
+{ cfg, lib, ... }:
+let
+  manifests = [
+
+  ];
+  imported = map ( n: import ${n} { inherit cfg, lib } ) manifests;
+in
+  lib.foldl' lib.recursiveUpdate {} imported

modules/k3s/manifests.nix

@@ -0,0 +1,9 @@
+{ cfg, lib, ... }:
+let
+  manifests = [
+    ./deployments
+    ./services
+  ];
+  imported = map ( n: import ${n} { inherit cfg lib } ) manifests;
+in
+  lib.foldl' lib.recursiveUpdate {} imported

modules/k3s/services/default.nix

@@ -0,0 +1,8 @@
+{ cfg, lib, ... }:
+let
+  manifests = [
+    
+  ];
+  imported = map ( n: import ${n} { inherit cfg, lib } ) manifests;
+in
+  lib.foldl' lib.recursiveUpdate {} imported

modules/nginx.nix

@@ -0,0 +1,55 @@
+{inputs, pkgs, config, ...}:
+
+{
+  sops.secrets."CF_DNS_API_TOKEN" = {
+    format = "json";
+    sopsFile = "${inputs.secrets}/nginx.json";
+  };
+
+  sops.secrets."CF_ZONE_API_TOKEN" = {
+    format = "json";
+    sopsFile = "${inputs.secrets}/nginx.json";
+  };
+
+  sops.templates."ACME.env".content = ''
+    CF_DNS_API_TOKEN="${config.sops.placeholder."CF_DNS_API_TOKEN"}"
+    CF_ZONE_API_TOKEN="${config.sops.placeholder."CF_ZONE_API_TOKEN"}"
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      dnsProvider = "cloudflare";
+      environmentFile = config.sops.templates."ACME.env".path;
+      email = "nyxerinys5@gmail.com";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "vault.nyxerinys.dev" = {
+        addSSL = true;
+        enableACME = true;
+        acmeRoot = null;
+
+        locations."/" = {
+          proxyPass = "http://10.5.0.2:83";
+          proxyWebsockets = true;
+        };
+      };
+      "git.nyxerinys.dev" = {
+        addSSL = true;
+        enableACME = true;
+        acmeRoot = null;
+
+        locations."/" = {
+          proxyPass = "http://10.5.0.2:3000";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

modules/sops.nix

@@ -0,0 +1,10 @@
+{inputs, pkgs, ...}:
+
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops = {
+    defaultSopsFile = "${inputs.secrets}/main.json";
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+}

modules/vrrp.nix

@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.nyxs-nix.services.vrrp;
+in
+{
+  options.nyxs-nix.services.vrrp = with types; {
+    enable = mkEnableOption "Enable the vrrp quotes service";
+
+    ip = mkOption {
+      type = str;
+      default = "10.5.0.5/24";
+      description = "Virtual IP address";
+    };
+
+    priority = mkOption {
+      type = int;
+      default = 0;
+      description = "Priority of the system in the vrrp pool";
+    };
+
+    interface = mkOption {
+      type = str;
+      default = "eth0";
+      description = "interface for vrrp communication";
+    };
+
+    id = mkOption {
+      type = int;
+      default = 1;
+      description = "virtual router config id";
+    };
+
+    peers = mkOption {
+      type = nullOr (listOf str);
+      default = null;
+      description = "List of ips for the other vrrp instancess";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # networking.firewall.extraCommands = ''
+    #   iptables -I INPUT 1 -i vrrp.6 -p tcp --dport 22 -j ACCEPT
+    #   iptables -I INPUT 2 -i vrrp.6 -p tcp -j DROP
+    # '';
+
+    # networking.vlans."eth0.6" = {
+    #   id = 6;
+    #   interface = "eth0";
+    # };
+
+    # networking.interfaces."eth0.6" = {
+    #   ipv4.routes = [
+    #      {
+    #       address = "10.5.1.0";
+    #       prefixLength = 24;
+    #       via = "10.5.1.1";
+    #     }
+    #     {
+    #       address = "0.0.0.0";
+    #       prefixLength = 0;
+    #       via = "10.5.1.1";
+    #     }
+    #   ];
+    # };
+
+    services.keepalived = {
+      enable = true;
+
+      openFirewall = true;
+
+      extraGlobalDefs = ''
+        use_symlink_paths true
+      '';
+      
+      vrrpInstances.VIP_1 = {
+        state = "BACKUP";
+        interface = cfg.interface;
+        virtualRouterId = cfg.id;
+        priority = cfg.priority;
+        virtualIps = [
+          {
+            addr = cfg.ip;
+            scope = "global";
+          }
+        ];
+        unicastPeers = mkIf (cfg.peers != null) cfg.peers;
+        # useVmac = true;
+        # vmacXmitBase = true;
+        trackScripts = ["track_nginx"];
+      };
+      vrrpScripts = {
+        track_nginx = {
+          script = "${pkgs.systemd}/bin/systemctl is-active nginx";
+          interval = 1;
+          timeout = 2;
+          rise = 2;
+          fall = 2;
+          weight = 0;
+          user = "root";
+        };
+      };
+    };
+  };
+}