| author | Max Audron <audron@cocaine.farm> | 2025-07-31 15:33:56 +0200 |
|---|---|---|
| committer | Max Audron <audron@cocaine.farm> | 2025-07-31 15:33:56 +0200 |
| commit | c487d1c96d791c0ce8e5e5ab98de826fafb892c1 (patch) | |
| tree | 043a530b0ff44a64f89b0cbed0ec259df4650d1b | |
| parent | add more monitoring exporters and scrapers (diff) | |
update to nixos 25.05
| -rw-r--r-- | flake.lock | 49 | ||||
| -rw-r--r-- | flake.nix | 9 | ||||
| -rw-r--r-- | modules/authentik/default.nix | 110 | ||||
| -rw-r--r-- | modules/common/networking.nix | 1 | ||||
| -rw-r--r-- | modules/default.nix | 1 | ||||
| -rw-r--r-- | modules/wireguard/default.nix | 2 | ||||
| -rw-r--r-- | modules/zfs/default.nix | 6 | ||||
| m--------- | secrets | 0 |
8 files changed, 65 insertions, 113 deletions
@@ -201,11 +201,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -417,14 +417,17 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "lastModified": 1751159883, + "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs-lib_3": { @@ -447,11 +450,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1751033378, - "narHash": "sha256-jmbZetc3mrznufOMUJ/kpgljTtjNETCAWxRovveiSmo=", + "lastModified": 1753953669, + "narHash": "sha256-eT6CpwC12xJLCDYyE1zZ/rI+WaWHz1ki7J/ShtEolAw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "42f4406dd0ed467f31459cd8a06954a295169de0", + "rev": "56beea2a19170efb23d8d9e474ea0d45d2e07bac", "type": "github" }, "original": { 
@@ -463,11 +466,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1738546358, - "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=", + "lastModified": 1753694789, + "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914", + "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", "type": "github" }, "original": { @@ -511,16 +514,16 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1738574474, - "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=", + "lastModified": 1753749649, + "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c", + "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } @@ -835,11 +838,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1723468369, - "narHash": "sha256-BtC+Xp1OVLgJc59NNwYJ+lnRT0x+RyVKWtRuIFx2ZlU=", + "lastModified": 1748949914, + "narHash": "sha256-ZMhFWEHYSw9nRprh3GunZ3mD3y/mVmLuPkpO4quRJqY=", "ref": "refs/heads/main", - "rev": "21f3a5c51dd80a434f43c2e1c960a9f2c88e6a88", - "revCount": 28, + "rev": "15d23f245d068c92500decd8d93f6436f72b7e4d", + "revCount": 31, "type": "git", "url": "ssh://git@gitlab.com/cocainefarm/k8s/secrets" }, @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; flake-parts.url = "github:hercules-ci/flake-parts"; @@ -102,14 +102,16 @@ laplace catinator pastor - litellm + # litellm monitoring + monitoring-node ]; phaenn = mkSystem [ (import ./machines/phaenn) zfs acme tlmp + monitoring-node ]; fra01 = mkSystem [ (import ./machines/fra01) 
@@ -118,6 +120,7 @@
 powerdns
 acme
 garage
+ monitoring-node
 ];
 nyc01 = mkSystem [
 (import ./machines/nyc01)
@@ -126,6 +129,7 @@
 powerdns
 acme
 garage
+ monitoring-node
 ];
 sin01 = mkSystem [
 (import ./machines/sin01)
@@ -134,6 +138,7 @@
 powerdns
 acme
 garage
+ monitoring-node
 ];
 };
 };
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
index bc9d4e0..dc87336 100644
--- a/modules/authentik/default.nix
+++ b/modules/authentik/default.nix
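Review bot: `# litellm` in the laplace module list is a commented-out entry rather than a removal, so a commit titled "update to nixos 25.05" silently stops deploying that module with no record of why; either delete the line or state the reason next to it, e.g. `# litellm  # disabled: <reason TODO>`. The same hunk adds `monitoring-node` to laplace and phaenn and the following hunks add it to fra01, nyc01 and sin01, so every host in this file now imports the node exporter; a one-line comment at the first occurrence saying that it is meant to be on all hosts would make that intent explicit. The laplace list starts before the hunk.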
@@ -5,91 +5,37 @@ with self.lib.nginx; let version = "2025.6.4"; in { - virtualisation.oci-containers.backend = "podman"; - virtualisation.oci-containers.containers = { - authentik-redis = { - image = "docker.io/library/redis:alpine"; - cmd = [ "--save" "60" "1" "--loglevel" "warning" ]; - autoStart = true; - volumes = [ - "/var/lib/authentik/redis:/data" - ]; - ports = [ - "10.10.0.1:6379:6379" - ]; - }; - authentik-server = { - image = "ghcr.io/goauthentik/server:${version}"; - environmentFiles = [ "/etc/secrets/authentik/container.env" ]; - cmd = [ "server" ]; - autoStart = true; - ports = [ - # "10.10.0.1:9000:9000" - "10.10.0.1:9443:9443" - ]; - }; - authentik-worker = { - image = "ghcr.io/goauthentik/server:${version}"; - environmentFiles = [ "/etc/secrets/authentik/container.env" ]; - cmd = [ "worker" ]; - autoStart = true; - volumes = [ - "/var/lib/authentik/media:/media" - "/var/lib/authentik/certs:/certs" - "/var/lib/authentik/templates:/templates" - ]; - }; - authentik-ldap = { - image = "ghcr.io/goauthentik/ldap:${version}"; - environmentFiles = [ "/etc/secrets/authentik/ldap.env" ]; - autoStart = true; - extraOptions = [ "-m=1000m" ]; - ports = [ - "389:3389" - "636:6636" - ]; - }; - authentik-proxy = { - image = "ghcr.io/goauthentik/proxy:${version}"; - environmentFiles = [ "/etc/secrets/authentik/proxy.env" ]; - autoStart = true; - ports = [ - "10.10.0.1:9444:9443" - ]; + services.authentik = { + enable = true; + createDatabase = false; + + # The environmentFile needs to be on the target host! 
+ # Best use something like sops-nix or agenix to manage it + environmentFile = "/etc/secrets/authentik/container.env"; + settings = { + # email = { + # host = "smtp.example.com"; + # port = 587; + # username = "authentik@example.com"; + # use_tls = true; + # use_ssl = false; + # from = "authentik@example.com"; + # }; + disable_startup_analytics = true; + avatars = "initials"; }; }; - # services.authentik = { - # enable = true; - # createDatabase = false; - # - # # The environmentFile needs to be on the target host! - # # Best use something like sops-nix or agenix to manage it - # environmentFile = "/etc/secrets/authentik/container.env"; - # settings = { - # # email = { - # # host = "smtp.example.com"; - # # port = 587; - # # username = "authentik@example.com"; - # # use_tls = true; - # # use_ssl = false; - # # from = "authentik@example.com"; - # # }; - # disable_startup_analytics = true; - # avatars = "initials"; - # }; - # }; - # - # - # services.authentik-ldap = { - # enable = true; - # environmentFile = "/etc/secrets/authentik/ldap.env"; - # }; - # - # services.authentik-proxy = { - # enable = true; - # environmentFile = "/etc/secrets/authentik/proxy.env"; - # }; + + services.authentik-ldap = { + enable = true; + environmentFile = "/etc/secrets/authentik/ldap.env"; + }; + + services.authentik-proxy = { + enable = true; + environmentFile = "/etc/secrets/authentik/proxy.env"; + }; # networking.firewall.allowedTCPPorts = [ 389 636 ]; diff --git a/modules/common/networking.nix b/modules/common/networking.nix index 009610a..9829672 100644 --- a/modules/common/networking.nix +++ b/modules/common/networking.nix @@ -7,6 +7,7 @@ tempAddresses = "disabled"; interfaces.eth0.useDHCP = true; nameservers = [ "1.1.1.1" "8.8.8.8" ]; + search = [ "wg.vapor.systems" ]; dhcpcd.extraConfig = '' nohook resolv.conf diff --git a/modules/default.nix b/modules/default.nix index 3855e4b..59faed7 100644 --- a/modules/default.nix +++ b/modules/default.nix 
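Review bot: The `let version = "2025.6.4"; in` binding at the top of the hunk is now dead: its only uses were the container image tags this hunk removes, so the running authentik version is no longer pinned in this file and the binding should be dropped or replaced by whatever the native module uses for pinning. The removed container definitions also encoded things the new `services.authentik`, `services.authentik-ldap` and `services.authentik-proxy` blocks do not: the bind addresses (`10.10.0.1:9443`, `389:3389`/`636:6636` on all interfaces, `10.10.0.1:9444`) and the `/var/lib/authentik/{media,certs,templates}` volumes, so it is worth confirming which interfaces the module's listeners now bind and where the existing media and certificate data has to be moved, presumably into the module's state directory. Since the containers previously published 389/636 themselves, the still-commented `# networking.firewall.allowedTCPPorts = [ 389 636 ];` line is now the only place LDAP exposure is decided and should be either enabled deliberately or removed with a comment such as `# LDAP is reachable only over wg0; not opened in the firewall`. `createDatabase = false;` means the database connection must come from `container.env`, which the comment above it should mention alongside the sops-nix/agenix hint.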
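Review bot: The new `search = [ "wg.vapor.systems" ];` sits directly under `nameservers = [ "1.1.1.1" "8.8.8.8" ];`, so every unqualified name a host resolves is first expanded to `<name>.wg.vapor.systems` and sent to those public resolvers. If that zone is only served inside the WireGuard network, as the name suggests, such lookups fail rather than resolve and the internal hostnames are disclosed to the public resolvers on the way; if the zone is public, the suffix works but peer discovery then depends on external DNS. Either point the nameservers at a resolver that serves the zone or record the intent on the line, e.g. `search = [ "wg.vapor.systems" ]; # zone is public; resolved via the nameservers above`. The enclosing `networking` attribute set starts before the hunk.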
@@ -33,4 +33,5 @@ pastor = import ./pastor; monitoring = import ./monitoring; + monitoring-node = import ./monitoring/node-exporter.nix; } diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix index 6738b29..733bd80 100644 --- a/modules/wireguard/default.nix +++ b/modules/wireguard/default.nix @@ -41,6 +41,8 @@ with lib; { }; }; + networking.firewall.allowedUDPPorts = mkIf config.wireguard.enable [ 51820 ]; + networking.wireguard.interfaces = mkIf config.wireguard.enable { wg0 = with { ifname = "wg0"; }; { ips = [ diff --git a/modules/zfs/default.nix b/modules/zfs/default.nix index fb2f063..75018ea 100644 --- a/modules/zfs/default.nix +++ b/modules/zfs/default.nix @@ -64,12 +64,6 @@ options = [ "zfsutil" ]; }; - "/var/lib/docker" = { - device = "rpool/root/var/lib/docker"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - "/var/lib/containers" = { device = "rpool/root/var/lib/containers"; fsType = "zfs"; diff --git a/secrets b/secrets -Subproject 15d23f245d068c92500decd8d93f6436f72b7e4 +Subproject 421236f500d491540f6ef112f47baaaed9f6b7c |
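Review bot: `networking.firewall.allowedUDPPorts = mkIf config.wireguard.enable [ 51820 ];` hard-codes the port, while the `wg0` interface definition that follows it (its `listenPort`, if set at all, is outside the hunk) is where the port is actually chosen, so the two can drift and a changed listen port would simply be firewalled. Bind the number once, e.g. `wgPort = 51820;` in a `let`, and use it for both the firewall list and the interface's `listenPort`, or derive the list from `config.networking.wireguard.interfaces.wg0.listenPort` if that option is always set on these hosts. Failing that, a comment on the new line, `# must match wg0.listenPort below`, at least documents the coupling. The wg0 attribute set opens in this hunk and continues past it.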
