

11 Commits

Alexander Heldt
423ea62216 tadpole: Assert that nginx is running when using ppp.pm-site 2025-01-03 10:52:23 +01:00
Alexander Heldt
d0a9202615 tadpole: Assert that nginx is running when using gitea 2025-01-03 10:52:23 +01:00
Alexander Heldt
4663a710dc tadpole: Add WHIB backend 2025-01-03 10:52:23 +01:00
Alexander Heldt
c95209cf7c tadpole: Add secrets for whib service 2025-01-03 10:52:23 +01:00
Alexander Heldt
206e956dfb test-vm: Add WHIB backend 2025-01-03 10:52:23 +01:00
Alexander Heldt
51d32e66c4 Update README with documentation about the test-vm 2024-12-20 13:05:45 +01:00
Alexander Heldt
12921700ab test-vm: Echo help message for shutdown alias 2024-12-20 13:05:23 +01:00
Alexander Heldt
94aef10d67 test-vm: Resize terminal to host terminal size 2024-12-20 12:12:16 +01:00
Alexander Heldt
fd31675cac test-vm: Add alias of shutting down the VM 2024-12-20 12:12:16 +01:00
Alexander Heldt
6b79aa8fca test-vm: Auto login a user and assume its sudo 2024-12-20 12:12:16 +01:00
Alexander Heldt
18c95d2f9c test-vm: Increase disk size 2024-12-20 12:12:16 +01:00
19 changed files with 302 additions and 14 deletions


@@ -25,3 +25,13 @@ EDITOR=vim agenix -d "some-secret.age" -i ~/.ssh/alex.pinwheel
Or use some other SSH key that is has been used to key the secret. Or use some other SSH key that is has been used to key the secret.
# Test VM
Build the test VM with the command:
```
cm --build-test-vm
```
and test it with:
```
cm --run-test-vm
```

24
flake.lock generated

@@ -241,7 +241,8 @@
"nix-gc-env": "nix-gc-env", "nix-gc-env": "nix-gc-env",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pppdotpm-site": "pppdotpm-site" "pppdotpm-site": "pppdotpm-site",
"whib-backend": "whib-backend"
} }
}, },
"systems": { "systems": {
@@ -258,6 +259,27 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"whib-backend": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1735841882,
"narHash": "sha256-Fn7mOUV189e/AIzij1n6kvNOROOWA3qRY/8D4bcJRXk=",
"ref": "master",
"rev": "8952e41601f633eee9ec0ab6f8dd0d2783581b8d",
"revCount": 364,
"type": "git",
"url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
}
} }
}, },
"root": "root", "root": "root",


@@ -37,6 +37,11 @@
url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main"; url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
whib-backend = {
url = "git+ssh://gitea@git.ppp.pm:1122/alex/whib.git?ref=master";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@@ -77,12 +82,19 @@
]; ];
}; };
test-vm = inputs.nixpkgs.lib.nixosSystem { test-vm =
let
system = "x86_64-linux"; system = "x86_64-linux";
in
inputs.nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ ./hosts/test-vm/configuration.nix ]; modules = [
./hosts/test-vm/configuration.nix
inputs.whib-backend.nixosModules.${system}.default
];
}; };
}; };
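Review bot: The test-vm pulls in `inputs.whib-backend.nixosModules.${system}.default` from the flake's `modules` list, whereas the existing convention in this repository (see the ppp.pm-site module, `imports = [ inputs.pppdotpm-site.nixosModules.default ];`) imports the upstream module from the host module that configures it. Both new whib-backend.nix files in this compare set `services.whib-backend.*` but neither imports the module, so on tadpole the options are only defined if the host's `modules` list (outside this view) adds the import as well. Adding `imports = [ inputs.whib-backend.nixosModules.${pkgs.system}.default ];` to each whib-backend.nix would make the modules self-contained and let this `modules` list go back to just `./hosts/test-vm/configuration.nix`. The `outputs` function continues outside the hunk.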


@@ -14,6 +14,8 @@
home.homeDirectory = "/home/alex"; home.homeDirectory = "/home/alex";
home.packages = [ home.packages = [
inputs.whib-backend.packages.${pkgs.system}.whib-import
pkgs.beekeeper-studio
pkgs.bitwarden-desktop pkgs.bitwarden-desktop
pkgs.gimp pkgs.gimp
pkgs.zip pkgs.zip


@@ -17,6 +17,11 @@
webroot = "/var/lib/acme/acme-challenge/"; webroot = "/var/lib/acme/acme-challenge/";
group = "nginx"; group = "nginx";
}; };
"api.whib.ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
group = "nginx";
};
}; };
}; };
} }
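Review bot: Only `api.whib.ppp.pm` is added to the ACME certificates here, but the new tadpole whib-backend module in this same compare also sets `grafana.useACMEHost = "grafana.whib.ppp.pm"`. Unless that certificate is declared elsewhere, the grafana virtual host will point at an ACME host that does not exist and fail at evaluation or activation. Either add a matching `"grafana.whib.ppp.pm" = { webroot = "/var/lib/acme/acme-challenge/"; group = "nginx"; };` entry next to the api one, or drop the grafana `useACMEHost`.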


@@ -22,6 +22,7 @@ in
}; };
pppdotpm-site.enable = true; pppdotpm-site.enable = true;
whib-backend.enable = true;
}; };
}; };
} }


@@ -7,8 +7,6 @@
let let
conf = config.mod.gitea; conf = config.mod.gitea;
gitDomain = "git.${conf.baseDomain}"; gitDomain = "git.${conf.baseDomain}";
nginxEnable = config.mod.nginx.enable;
in in
{ {
options = { options = {
@@ -37,8 +35,12 @@ in
}; };
}; };
config = lib.mkIf (conf.enable && nginxEnable) { config = lib.mkIf conf.enable {
assertions = [ assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
{ {
assertion = conf.baseDomain != ""; assertion = conf.baseDomain != "";
message = "Option 'mod.gitea.baseDomain' cannot be empty"; message = "Option 'mod.gitea.baseDomain' cannot be empty";
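Review bot: The new assertion message `"Option 'config.services.nginx' must be enabled"` names a path that is not the option being tested; the assertion checks `config.services.nginx.enable`, and the neighbouring message uses the `mod.gitea.baseDomain` form without a `config.` prefix, so it should read `message = "Option 'services.nginx.enable' must be enabled";`. The identical text appears in the ppp.pm-site module and in the new tadpole whib-backend module and should be changed in the same way. Worth noting in the commit that the guard also moves from the local `mod.nginx.enable` wrapper to the upstream `services.nginx.enable`, which is the more robust thing to assert. The module's attribute set continues outside the hunk.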


@@ -6,8 +6,6 @@
}: }:
let let
enabled = config.mod.pppdotpm-site.enable; enabled = config.mod.pppdotpm-site.enable;
nginxEnabled = config.mod.nginx.enable;
in in
{ {
imports = [ inputs.pppdotpm-site.nixosModules.default ]; imports = [ inputs.pppdotpm-site.nixosModules.default ];
@@ -18,7 +16,14 @@ in
}; };
}; };
config = lib.mkIf (enabled && nginxEnabled) { config = lib.mkIf enabled {
assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
];
services.pppdotpm-site = { services.pppdotpm-site = {
enable = true; enable = true;
domain = "ppp.pm"; domain = "ppp.pm";


@@ -0,0 +1,72 @@
{
pkgs,
lib,
config,
...
}:
let
enabled = config.mod.whib-backend.enable;
in
{
options = {
mod.whib-backend = {
enable = lib.mkEnableOption "enable WHIB backend";
};
};
config = lib.mkIf enabled {
assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
];
services.whib-backend = {
enable = true;
domain = "api.whib.ppp.pm";
useACMEHost = "api.whib.ppp.pm";
backend = {
signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
};
postgres = {
database = "whib";
host = "postgres";
port = "5432";
user = "whib";
password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
backup = {
interval = "*-*-* 00:00:00 UTC";
gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
};
};
grafana = {
domain = "grafana.whib.ppp.pm";
useACMEHost = "grafana.whib.ppp.pm";
password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
};
};
age.secrets = {
"whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
"whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
"whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
"whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
"whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
"whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
"whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
};
};
}
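Review bot: `signingKey`, `postgres.password`, the three backblaze values and `grafana.password` are given as `"$(${pkgs.coreutils}/bin/cat <secret path>)"` strings, which only resolve to the secret if the upstream module expands the option inside a shell; if it renders the value into a config file or a systemd `EnvironmentFile`, the literal `$(...)` text becomes the credential. Even where it is expanded, the plaintext passes through a shell command line and can surface in process listings or the journal. The module evidently accepts file paths for some options (`gpgPassphraseFile` is handed `config.age.secrets.whib-gpg-key.path` directly), so prefer `*File`-style options wherever it offers them and keep the substitution only for options that have none. Also, agenix secrets default to `root:root` mode `0400`; if whib-backend runs under its own user, each `age.secrets.*` entry needs an `owner` (or `group`) or the reads at runtime will fail.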


@@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./ppp.pm-site.nix ./ppp.pm-site.nix
./whib-backend.nix
]; ];
config = { config = {
@@ -10,7 +11,8 @@
networking.hostName = "test-vm"; networking.hostName = "test-vm";
mod = { mod = {
pppdotpm-site.enable = true; pppdotpm-site.enable = false;
whib-backend.enable = true;
}; };
users.users.a = { users.users.a = {
@@ -18,16 +20,30 @@
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
password = "a"; password = "a";
}; };
services.getty.autologinUser = "a";
security.sudo.wheelNeedsPassword = false;
virtualisation.vmVariant = { virtualisation.vmVariant = {
# following configuration is added only when building VM with build-vm # following configuration is added only when building VM with build-vm
virtualisation = { virtualisation = {
diskSize = 4096;
memorySize = 2048; memorySize = 2048;
cores = 3; cores = 3;
graphics = false; graphics = false;
}; };
}; };
# Resize terminal to host terminal size
environment.loginShellInit = ''
${pkgs.xterm}/bin/resize
echo alias 'sd' can be used to shutdown the VM
'';
environment.interactiveShellInit = ''
alias sd='sudo shutdown now'
'';
environment.systemPackages = [ ]; environment.systemPackages = [ ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";


@@ -0,0 +1,89 @@
{
lib,
config,
...
}:
let
enabled = config.mod.whib-backend.enable;
in
{
options = {
mod.whib-backend = {
enable = lib.mkEnableOption "enable WHIB backend";
};
};
config = lib.mkIf enabled {
services.whib-backend = {
enable = true;
domain = "whib-backend.local";
backend = {
signingKey = "super-secret-key";
};
postgres = {
password = "postgrespassword";
backup = {
interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
# Set these for test runs
gpgPassphraseFile = "";
backblazeBucket = "";
backblazeKeyID = "";
backblazeKey = "";
};
};
grafana = {
password = "granfanapassword";
};
};
virtualisation.vmVariant = {
virtualisation = {
sharedDirectories = {
my-shared = {
source = "/home/alex/whib-backup";
target = "/mnt/shared";
};
};
forwardPorts = [
{
# Service API
from = "host";
host.port = 8080;
guest.port = 8080;
}
{
# Service Metrics
from = "host";
host.port = 8181;
guest.port = 8181;
}
{
# Postgres
from = "host";
host.port = 5432;
guest.port = 5432;
}
{
# Grafana
from = "host";
host.port = 3000;
guest.port = 3000;
}
{
# Prometheus
from = "host";
host.port = 9090;
guest.port = 9090;
}
];
};
};
};
}
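Review bot: The `forwardPorts` entries set `host.port` but leave `host.address` at its default, and with an empty address QEMU's hostfwd listens on all host interfaces, so the VM's Postgres (`postgrespassword`), Grafana (`granfanapassword`), Prometheus and the API signed with `super-secret-key` become reachable from the host's network rather than only from the developer's machine. Adding `host.address = "127.0.0.1";` to each entry keeps these fixed test credentials on the loopback interface. The shared directory `source = "/home/alex/whib-backup"` is also a hard-coded host path that breaks for anyone else running the VM; consider documenting it in the README test-VM section added in this compare, or making it configurable.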


@@ -47,4 +47,12 @@ in {
"tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ]; "tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ];
"tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ]; "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
"tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ]; "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
"tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
"tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
"tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
"tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ];
} }


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo
vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A
-> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08
dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4
--- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY
<EFBFBD><EFBFBD>~<7E><>}"[<5B>~nIm<49><6D><EFBFBD>2<EFBFBD><32>t<EFBFBD><74><EFBFBD>T<EFBFBD><54>xw<78>T<EFBFBD><54><EFBFBD>5,5^<5E><>w<EFBFBD><77>6l<36><6C>T<EFBFBD><54>(<28>


@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs
7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI
-> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA
T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU
--- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c
clN<>2<EFBFBD>ʍ<EFBFBD><CA8D>y~<7E>,lsX<73><58><EFBFBD><EFBFBD>s.<2E><>4<EFBFBD>*!<21><><EFBFBD>j<EFBFBD>c
]u<>Ʒ<EFBFBD>z<EFBFBD>g<EFBFBD><67><06><>;F


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU
KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM
-> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw
IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0
--- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU
СQ<EFBFBD><EFBFBD>Vd<EFBFBD><EFBFBD><08><>>\<5C><11><15>


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI
obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio
-> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8
uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc
--- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY
y<>ӆ<EFBFBD><D386>'<27>_K<07><>f<EFBFBD>3<EFBFBD>;<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>_<EFBFBD>tu[<5B>\<10><><EFBFBD><1F>)uK<75><4B>,ƫ<>zq񐏭<71>|<7C>1!X<>YY<59>g<EFBFBD>7<><37>Eڛ<>^<5E><>



@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
-> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
--- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
<EFBFBD>ϛ<EFBFBD><uI<75>X"<22> <0C>^C<12>j};<3B><><EFBFBD><EFBFBD>Kd<4B><64><06><>ٗX<D997><58>b<EFBFBD> <0C><><EFBFBD>W<>,{7u+x<>L]<5D>ž


@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
-> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
--- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
<1F><><EFBFBD>j^t<><74><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>B%<25><>a<><61><EFBFBD><EFBFBD>$<24><>8m}-LbM<62>n<EFBFBD><6E><18><1C>R<02><>cZ<63><5A><EFBFBD>=<3D> <0C>$ x<18><>}<7D><>)PH<50>{X<>3<EFBFBD><EFBFBD><E18FBB><EFBFBD>V<EFBFBD><15><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><12><><EFBFBD>Օ<EFBFBD>6Rs<52><73><EFBFBD><12><>r<EFBFBD><72>b<EFBFBD>nl<6E>]<5D><>/Ȏe@/<2F>*<2A><><EFBFBD>:<3A>ڸ<EFBFBD><DAB8>V~<7E><>V<EFBFBD>a]`<60><19>
<EFBFBD><EFBFBD><EFBFBD>=ٿv<D9BF>z\<5C>