-rw-r--r--flake.lock26
-rw-r--r--flake.nix19
-rw-r--r--machines/ettves/default.nix31
-rw-r--r--machines/fra01/default.nix37
-rw-r--r--machines/nyc01/default.nix37
-rw-r--r--machines/phaenn/default.nix27
-rw-r--r--machines/sin01/default.nix37
-rw-r--r--modules/default.nix1
-rw-r--r--modules/kubernetes/cri-o.nix2
-rw-r--r--modules/zfs/default.nix13
10 files changed, 188 insertions, 42 deletions
diff --git a/flake.lock b/flake.lock
index 258fea8..bca03cd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
- "lastModified": 1690933134,
- "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
+ "lastModified": 1693611461,
+ "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
+ "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
"type": "github"
},
"original": {
@@ -74,11 +74,11 @@
"nixpkgs-lib": {
"locked": {
"dir": "lib",
- "lastModified": 1690881714,
- "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
+ "lastModified": 1693471703,
+ "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "9e1960bc196baf6881340d53dccb203a951745a2",
+ "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"type": "github"
},
"original": {
@@ -109,11 +109,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1691592289,
- "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
+ "lastModified": 1695825837,
+ "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
+ "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
},
"original": {
@@ -134,11 +134,11 @@
"secrets": {
"flake": false,
"locked": {
- "lastModified": 1691591003,
- "narHash": "sha256-nerinKxLVgEvu+kw4d6Q2H4gSG8R9Ab0DLMcFSb4IrI=",
+ "lastModified": 1695811743,
+ "narHash": "sha256-QPgzfxmuma9hqtn5NEQudJKZS8CADxJWEby2t6pwP7I=",
"ref": "refs/heads/main",
- "rev": "c046615c7c2254a7b32d2e8969f068d163ab63ec",
- "revCount": 11,
+ "rev": "8890cd313ce5dd17b4e723d90ce399cee5a3da8c",
+ "revCount": 12,
"type": "git",
"url": "ssh://git@gitlab.com/cocainefarm/k8s/secrets"
},
diff --git a/flake.nix b/flake.nix
index 609f5ca..c6a7133 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,20 +27,13 @@
{
nixosModules = import ./modules;
nixosConfigurations = with self.nixosModules; {
- test1 = mkSystem [ (import ./machines/test) common users vultr wireguard crypto kubernetes ];
- test2 = mkSystem [ (import ./machines/test2) common users vultr wireguard crypto kubernetes ];
# vultr-image = mkSystem [ common users image vultr ];
- # nixbuilder = mkSystem [ (import ./machines/nixbuilder) common users gitlab {
- # users.users = {
- # nixbuilder = {
- # isNormalUser = true;
- # extraGroups = [ "wheel" "docker" ];
- # openssh.authorizedKeys.keys = [
- # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfuzswSmySvmTIiZpCKCEUpOXvETr8sTs49wX7US7yX nixbuilder"
- # ];
- # };
- # };
- # } ];
+
+ ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs ];
+ phaenn = mkSystem [ (import ./machines/phaenn) common users wireguard crypto kubernetes zfs ];
+ fra01 = mkSystem [ (import ./machines/fra01) common users wireguard crypto kubernetes vultr bgp ];
+ nyc01 = mkSystem [ (import ./machines/nyc01) common users wireguard crypto kubernetes vultr bgp ];
+ sin01 = mkSystem [ (import ./machines/sin01) common users wireguard crypto kubernetes vultr bgp ];
};
};
systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
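Review bot: The five new `mkSystem` lines repeat the same `common users wireguard crypto kubernetes` module list, so adding or removing a shared module now means touching every host. A local binding would make the per-host difference (`zfs` vs. `vultr bgp`) the only thing that varies, e.g. `base = [ common users wireguard crypto kubernetes ];` and then `ettves = mkSystem ([ (import ./machines/ettves) ] ++ base ++ [ zfs ]);`. The stale `# vultr-image` comment survives the cleanup of the other commented-out entries and could go with them.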
diff --git a/machines/ettves/default.nix b/machines/ettves/default.nix
index c614afb..5a4a8c0 100644
--- a/machines/ettves/default.nix
+++ b/machines/ettves/default.nix
@@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
-{
+let endpoint = "195.201.245.25";
+in {
imports = [ ./fs.nix ];
boot.initrd.availableKernelModules = [ "ahci" "nvme" ];
@@ -21,11 +22,12 @@
networking = {
domain = "vapor.systems";
+ hostName = "ettves";
hostId = "14e28906";
dhcpcd.enable = false;
interfaces.eth0.ipv4.addresses = [
{
- address = "195.201.245.25";
+ address = endpoint;
prefixLength = 26;
}
{
@@ -105,4 +107,29 @@
interface = "eth0";
};
};
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClYZUxD3Xb4bngOT03Bk/PQSwwYiSKuZm7lLoBEesLd root@ettves";
+
+ kubernetes = {
+ role = "server";
+ advertiseAddress = endpoint;
+ };
+
+ wireguard = {
+ enable = true;
+ roaming = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.1"; };
+ v6 = { address = "1"; };
+ publicKey = "5OTaf4MnSzTcCR10CGSrLFngGa3gdzajbqUKkRF+WlY=";
+ allowedIPs = [ "10.10.0.0/24" "10.102.0.0/24" "fd15:3d8c:d429:102::/72" ];
+ };
+
+ _module.args.nixinate = {
+ host = endpoint;
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
}
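Review bot: ettves is the only host deployed with `hermetic = false` in its `_module.args.nixinate` block; phaenn, which also uses `buildOn = "remote"`, sets `hermetic = true`, and the three vultr agents do too. If this is deliberate (presumably it makes the deploy use the nix already on the target rather than the one from this flake) a comment should say why, e.g. `hermetic = false; # uses the target's own nix — TODO confirm this is intended for ettves`; otherwise change it to `hermetic = true;` for consistency. The `v6 = { address = "1"; }` form also deserves a one-line comment stating that it is a suffix the wireguard module expands, since on its own it reads like an invalid address. The enclosing attribute set starts outside this hunk.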
diff --git a/machines/fra01/default.nix b/machines/fra01/default.nix
new file mode 100644
index 0000000..059e082
--- /dev/null
+++ b/machines/fra01/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+let endpoint = "95.179.243.82";
+in
+{
+ networking = {
+ domain = "ns.vapor.systems";
+ hostName = "fra01";
+ };
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9rBu7L0ktMFpYOqvKyjDoO8a5Y0CfqnCJCGEdE6cOV";
+
+ kubernetes = {
+ role = "agent";
+ externalIP = {
+ v4 = endpoint;
+ v6 = "2001:19f0:6c01:28e5:5400:3ff:fed7:7a2a";
+ };
+ };
+
+ wireguard = {
+ enable = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.3"; };
+ v6 = { address = "3"; };
+ publicKey = "jw3hiRczS0kQoOYlgofFp23/YZq8mzDaPRto+qVz7iE=";
+ allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ];
+ };
+
+ _module.args.nixinate = {
+ host = endpoint;
+ buildOn = "local";
+ substituteOnTarget = true;
+ hermetic = true;
+ };
+}
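Review bot: The `allowedIPs` subnets do not follow the node numbering — fra01 is wireguard .3 but carries 10.102.5.0/24, nyc01 (.4) carries 10.102.3.0/24, sin01 (.5) carries 10.102.4.0/24, and 10.102.2.0/24 is assigned nowhere in this commit — yet nothing in the file says where these values come from. If they are the per-node pod subnets (a guess from the naming), a wrong entry here silently routes a node's pod traffic to the wrong peer, so each deserves a comment such as `# TODO confirm: pod subnet allocated to fra01 by the cluster` naming the source of truth. The same applies to machines/nyc01/default.nix and machines/sin01/default.nix, which are otherwise line-for-line copies of this file apart from endpoint, keys and subnets.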
diff --git a/machines/nyc01/default.nix b/machines/nyc01/default.nix
new file mode 100644
index 0000000..b745897
--- /dev/null
+++ b/machines/nyc01/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+let endpoint = "207.246.124.62";
+in
+{
+ networking = {
+ domain = "ns.vapor.systems";
+ hostName = "nyc01";
+ };
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC00bSIp5oydOY/SFxPULYFtij5nsZCugdiR3q7PxNqC";
+
+ kubernetes = {
+ role = "agent";
+ externalIP = {
+ v4 = endpoint;
+ v6 = "2001:19f0:5:13df:5400:3ff:fed5:f26c";
+ };
+ };
+
+ wireguard = {
+ enable = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.4"; };
+ v6 = { address = "4"; };
+ publicKey = "aVIWBqnUhYEwXMuHiUmsU4nKmFhsIj9Nb6rx4TGFvRY=";
+ allowedIPs = [ "10.102.3.0/24" "fd15:3d8c:d429:102:300::/72" ];
+ };
+
+ _module.args.nixinate = {
+ host = endpoint;
+ buildOn = "local";
+ substituteOnTarget = true;
+ hermetic = true;
+ };
+}
diff --git a/machines/phaenn/default.nix b/machines/phaenn/default.nix
index 4f25a5c..5e95592 100644
--- a/machines/phaenn/default.nix
+++ b/machines/phaenn/default.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+let endpoint = "142.132.159.202";
+in
{
imports = [
./fs.nix
@@ -19,9 +21,10 @@
networking = {
domain = "vapor.systems";
+ hostName = "phaenn";
hostId = "f9274217";
interfaces.eth0.ipv4.addresses = [{
- address = "142.132.159.202";
+ address = endpoint;
prefixLength = 26;
}];
interfaces.eth0.ipv6.addresses = [{
@@ -34,4 +37,26 @@
interface = "eth0";
};
};
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdujV+knnOzP+oW6C42yWRJVhkSR+lcdx+FUsCP3Q1v root@phaenn";
+
+ kubernetes.role = "agent";
+
+ wireguard = {
+ enable = true;
+ roaming = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.2"; };
+ v6 = { address = "2"; };
+ publicKey = "GmUvA3L8M2+N59my6MeoGwDD8puLOO5/Rbe29WtduBI=";
+ allowedIPs = [ "10.102.1.0/24" "fd15:3d8c:d429:102:100::/72" ];
+ };
+
+ _module.args.nixinate = {
+ host = endpoint;
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = true;
+ };
}
diff --git a/machines/sin01/default.nix b/machines/sin01/default.nix
new file mode 100644
index 0000000..267981f
--- /dev/null
+++ b/machines/sin01/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+let endpoint = "139.180.191.169";
+in
+{
+ networking = {
+ domain = "ns.vapor.systems";
+ hostName = "sin01";
+ };
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJG9bqNAbHaWgiRgvNMntyW9IeLedXCF11KGB0iQsrJH";
+
+ kubernetes = {
+ role = "agent";
+ externalIP = {
+ v4 = endpoint;
+ v6 = "2001:19f0:4400:7d6a:5400:3ff:fed5:f26d";
+ };
+ };
+
+ wireguard = {
+ enable = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.5"; };
+ v6 = { address = "5"; };
+ publicKey = "0/g1/0fLOvMDKC87hu9fBDA38S8lzO7qJ+akLGTT/lc=";
+ allowedIPs = [ "10.102.4.0/24" "fd15:3d8c:d429:102:400::/72" ];
+ };
+
+ _module.args.nixinate = {
+ host = endpoint;
+ buildOn = "local";
+ substituteOnTarget = true;
+ hermetic = true;
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index b2df22e..54af828 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,4 +1,5 @@
{
+ bgp = import ./bgp;
common = import ./common;
crypto = import ./crypto;
gitlab = import ./gitlab;
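Review bot: `bgp = import ./bgp;` refers to modules/bgp, which is not among the 10 files in this commit's diffstat. Unless that directory already exists in the tree, `import ./modules` fails at evaluation time for every configuration in flake.nix, not only the three vultr hosts that list `bgp`. If the module arrives in a follow-up commit, this line should move there so each commit evaluates on its own.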
diff --git a/modules/kubernetes/cri-o.nix b/modules/kubernetes/cri-o.nix
index cc32b26..5062c23 100644
--- a/modules/kubernetes/cri-o.nix
+++ b/modules/kubernetes/cri-o.nix
@@ -3,6 +3,8 @@
{
virtualisation.cri-o = {
enable = true;
+ storageDriver = "overlay";
+ extraPackages = with pkgs; [ fuse3 fuse-overlayfs ];
settings = {
crio = {
network.plugin_dir = "/opt/cni/bin";
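Review bot: `storageDriver = "overlay"` now applies to every node, including the ZFS-backed ettves and phaenn whose zfs-driver settings are removed from modules/zfs/default.nix in the same commit (that hunk runs past the end of this view). Native overlayfs over ZFS directories only works with OpenZFS 2.2 or later; `fuse-overlayfs` in `extraPackages` is presumably the fallback, but placing it on the service PATH does not by itself make containers/storage use it — that normally requires the overlay `mount_program` option in storage.conf — so verify on a ZFS host that image pulls succeed. A comment such as `# fuse-overlayfs: fallback for ZFS-backed hosts where native overlay is unsupported — TODO confirm cri-o selects it` would record the intent. Images already stored under the old zfs driver (dataset rpool/data/containers) will not be visible to the overlay driver, so the migration or cleanup step should be noted as well.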
diff --git a/modules/zfs/default.nix b/modules/zfs/default.nix
index 4e863fc..7ec3ee9 100644
--- a/modules/zfs/default.nix
+++ b/modules/zfs/default.nix
@@ -16,19 +16,6 @@
autoScrub.pools = [ "rpool" ];
};
- virtualisation.containers.storage.settings.storage = {
- driver = "zfs";
- graphroot = "/var/lib/containers/storage";
- runroot = "/run/containers/storage";
- options.zfs.fsname = "rpool/data/containers";
- options.zfs.mountopt = "nodev";
- };
-
- virtualisation.cri-o = {
- storageDriver = "zfs";
- extraPackages = [ pkgs.zfs ];
- };
-
fileSystems = {
"/" = {
device = "rpool/root";