# NixOS host module for the machine "server02.lan": a single k3s server node
# (Cilium CNI, Flux GitOps, MinIO addon) that also hosts Gitea, a KVM host,
# a ser2net bridge for a Zigbee adapter and a weekly MinIO backup job.
{ config, lib, pkgs, nixpkgs-unstable, inputs, ... }:
# Host-specific constants interpolated throughout the module.
let
user = "nix";
cpu = "intel"; # selects hardware.cpu.<cpu> microcode updates and the kvm platform
domain = "server02.lan";
ip = "10.0.1.11";
dns = "10.0.1.1";
subnet = 24;
gateway = "10.0.1.1";
interface = "eno3"; # physical NIC enslaved to the bridge declared below
cpufreqmax = 2100000; # fed to powerManagement.cpufreq.max; presumably kHz (2.1 GHz) — confirm
bridge = "br1";
disk = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S4EWNF0MA23122T"; # system disk handed to templates.system.setup
in
{
# Role and modules from this flake, plus home-manager.
imports = with inputs.self.nixosModules; [
inputs.self.nixosRoles.k3s
inputs.home-manager.nixosModules.home-manager
];
hardware.cpu."${cpu}".updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Adds a private CA to the system trust store: whoever holds this CA's private
# key can issue certificates this host will trust, so that key is a root-level
# credential.
security.pki.certificateFiles = [
./secrets/ca-cert.crt
];
networking.firewall = {
enable = true;
# NOTE: `loose` required for cilium when using without kube-proxy replacement to get working liveness probe for pods. With this setting the cluster is mostly usable with exception of
# Cilium DNS Filtering: msg="Timeout waiting for response to forwarded proxied DNS lookup" dnsName=vpn-gateway-pod-gateway.vpn-gateway.svc.cluster.local. error="read udp 10.42.0.183:43844->10.42.0.176:53: i/o timeout" ipAddr="10.42.0.183:43844" subsys=fqdn/dnsproxy
# => Therefore we have to use `checkReversePath=false` to get our vpn-gateway CiliumNetworkPolicy with DNS Filter working (when installing without cilium kube-proxy replacement).
# Disabling the reverse-path check also turns off the kernel's anti-spoofing
# filter for this host, so source-address filtering has to happen upstream.
checkReversePath = false;
# These ports are opened on every interface (no per-interface scoping), i.e. to
# the whole LAN segment. Gitea (3000) is served over plain http:// (see ROOT_URL
# below) and the ser2net.yaml below configures no access control for 20108; the
# other services are not configured in this file.
allowedTCPPorts = [
3000 # nixos gitea
8080 # unifi control
18089 # monerod rpc
20108 # zigbee adapter via serial2net
22000 # syncthing local discovery
];
allowedUDPPorts = [
3478 # unifi stun
10001 # unifi discovery
21027 # syncthing discovery broadcast
];
};
services.k3s.package = nixpkgs-unstable.k3s;
# age-encrypted secrets (agenix-style), decrypted on the host at activation.
age.secrets = {
flux-git-auth.file = ./secrets/flux-git-auth.yaml.age; # linked into the k3s manifests dir by the tmpfiles rules below
flux-sops-age.file = ./secrets/flux-sops-age.yaml.age;
minio-credentials = {
file = ./secrets/minio-credentials.age;
# NOTE(review): 770 grants group write and exec on a credentials file; 0440
# (or 0400) is normally enough for something the service only reads — confirm
# how the minio addon consumes credentialsFile before tightening.
mode = "770";
owner = "minio";
group = "minio";
};
# Private age key for sops, placed at sops' default key location in the user's
# home. The parent directories are created by the tmpfiles rules further down.
"sops-age-keys.txt" = {
file = ./secrets/sops-age-keys.txt.age;
path = "/home/${user}/.config/sops/age/keys.txt";
owner = "${user}";
group = "users";
mode = "600";
};
};
# sops-nix: the password hash is needed before user accounts are created.
sops = {
defaultSopsFile = ./secrets/secrets.sops.yaml;
secrets.user-password.neededForUsers = true;
};
# IPv4 forwarding on the host; presumably for the KVM bridge and pod traffic — confirm.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# Static addressing: the physical NIC is enslaved to a bridge that carries the
# host address, so guests can share the uplink.
networking = {
defaultGateway = "${gateway}";
nameservers = [ "${dns}" ];
bridges = {
"${bridge}" = {
interfaces = [ "${interface}" ];
};
};
interfaces."${bridge}".ipv4.addresses = [
{ address = "${ip}"; prefixLength = subnet; }
];
};
# Options defined by this repository's own modules (inputs.self.nixosModules);
# their semantics are not visible in this file.
templates = {
apps = {
modernUnix.enable = true;
monitoring.enable = true;
};
system = {
setup = {
enable = true;
encrypt = true; # encryption of `disk` is handled by the module; the LUKS data disks are declared separately below
disk = disk;
};
};
services = {
k3s = {
enable = true;
prepare = {
cilium = true;
};
# Built-in k3s components are switched off where Cilium, Flux or the helmfile
# release replaces them; kube-proxy stays on (see the checkReversePath note).
services = {
kube-proxy = true;
flux = true;
servicelb = false;
traefik = false;
local-storage = false;
metrics-server = false;
coredns = false; # replaced by the coredns release in k3s/helmfile.yaml below
flannel = false; # replaced by cilium
};
bootstrap = {
helm = {
enable = true;
# bootstrap counts as completed once the cilium CRDs are present
completedIf = "get CustomResourceDefinition -A | grep -q 'cilium.io'";
helmfile = "/etc/k3s/helmfile.yaml";
};
};
addons = {
minio = {
enable = true;
credentialsFile = config.age.secrets.minio-credentials.path;
buckets = ["volsync" "postgres"];
dataDir = ["/mnt/backup/minio"]; # on the btrfs data volume mounted below; source of the weekly backup job
};
};
};
kvm = {
enable = true;
cockpit.enable = false; # broken
platform = "${cpu}";
user = "${user}";
};
};
};
# Two encrypted data disks unlocked in the initrd with a shared key file and an
# interactive passphrase fallback. How /disk.key reaches the initrd is not
# visible here (presumably the templates.system.setup module) — confirm.
boot.initrd.luks.devices."crypt_01" = {
device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_1TB_S626NZFR300623P-part1";
preLVM = true;
keyFile = "/disk.key";
allowDiscards = true;
fallbackToPassword = true;
};
boot.initrd.luks.devices."crypt_02" = {
device = "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_212507A00254-part1";
preLVM = true;
keyFile = "/disk.key";
allowDiscards = true;
fallbackToPassword = true;
};
# Backing store for gitea, minio and the backup archives.
fileSystems."/mnt/backup" = {
device = "/dev/disk/by-label/data01";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd" "subvol=@data"];
neededForBoot = true; # gitea and minio store data here so ensure to first mount the drive
};
# Gitea hosts the GitOps repository that flux pulls (see k3s/flux.yaml below).
services.gitea = {
enable = true;
lfs.enable = true;
stateDir = "/mnt/backup/gitea";
useWizard = false; # broken
group = "data"; # shares the `data` group with ${user}; see the tmpfiles note below
settings = {
server = {
HTTP_PORT = 3000;
# Plain HTTP on the LAN: logins and tokens travel unencrypted unless a
# TLS-terminating proxy sits in front (none is configured in this file).
ROOT_URL = "http://${domain}:3000/";
DOMAIN = "${domain}";
SSH_DOMAIN = "${domain}";
};
service = {
DISABLE_REGISTRATION = true; # no self-service sign-up
};
actions = {
ENABLED = true; # Gitea Actions on; runners are not configured in this file
};
};
};
powerManagement = {
cpuFreqGovernor = "ondemand";
cpufreq.max = cpufreqmax;
};
environment = {
systemPackages = with pkgs; [
gnutar
ser2net
par2cmdline
rsync
gzip
];
};
users = {
groups = {
# Shared group for the backup volume, the k3s directories and gitea.
data = {
name = "data";
members = ["${user}"];
gid = 1000;
};
};
users = {
${user} = {
isNormalUser = true;
description = "nix user";
createHome = true;
# use `mkpasswd -m sha-512 | tr -d '\n'` to get the password hash for your sops file
hashedPasswordFile = config.sops.secrets.user-password.path;
home = "/home/${user}";
# wheel gives sudo; `sshusers` is not a stock group, presumably the role module
# uses it to gate ssh logins — confirm.
extraGroups = [
"audit"
"dialout"
"users"
"sshusers"
"storage"
"wheel"
];
openssh.authorizedKeys.keyFiles = [
./secrets/ssh.server02.lan.pub
];
};
# root reuses the same password hash as ${user}; rotate both together.
root = {
hashedPasswordFile = config.sops.secrets.user-password.path;
};
};
};
home-manager = {
extraSpecialArgs = { inherit inputs; };
users = {
${user} = import ./home.nix;
};
};
# TODO why do we need to fix the folder permission of mapped age secrets?
# NOTE(review): ~/.config/sops/age and ~/.kube are created 0775 with group
# `data`. keys.txt itself is 0600, but write access to its parent directory lets
# any `data` member rename or replace the key file — and gitea runs with group
# `data` (services.gitea.group above), so a gitea compromise would reach these
# directories. 0700 owned by ${user} would suffice for both paths.
systemd.tmpfiles.rules = [
"d /mnt/backup 0775 root data -" # must be owned by root to solve gitea folder transition issues!
"d /opt/k3s 0775 ${user} data -"
"d /opt/k3s/data 0775 ${user} data -"
"d /home/${user}/.config 0775 ${user} data -"
"d /home/${user}/.config/sops 0775 ${user} data -"
"d /home/${user}/.config/sops/age 0775 ${user} data -"
"d /home/${user}/.kube 0775 ${user} data -"
"d /var/lib/rancher/k3s/server/manifests 0775 root data -"
"L /home/${user}/.kube/config - - - - /etc/rancher/k3s/k3s.yaml"
"L /var/lib/rancher/k3s/server/manifests/flux.yaml - - - - /etc/k3s/flux.yaml"
"L /var/lib/rancher/k3s/server/manifests/flux-git-auth.yaml - - - - ${config.age.secrets.flux-git-auth.path}"
"L /var/lib/rancher/k3s/server/manifests/flux-sops-age.yaml - - - - ${config.age.secrets.flux-sops-age.path}"
"L /var/lib/rancher/k3s/server/manifests/00-coredns-custom.yaml - - - - /etc/k3s/coredns-custom.yaml" # use 00- prefix to deploy this first
];
# required for deploy-rs
# A trusted Nix user can bypass the sandbox and inject unsigned store paths,
# which is root-equivalent; no new exposure here since ${user} is in wheel.
nix.settings.trusted-users = [ "root" "${user}" ];
# NOTE: we use the ssh key not the git key
# git url schemas:
# - 'git@server02.lan:r/gitops-homelab.git'
# - 'ssh://git@server02.lan/home/git/r/gitops-homelab.git'
# - 'ssh://git@server02.lan/~/r/gitops-homelab.git' => ~ is not supported in flux git repo url!
# flux git secret:
# 1. flux create secret git flux-git-auth --url="ssh://git@${domain}/~/r/gitops-homelab.git" --private-key-file={{ .PRIVATE_SSH_KEYFILE }} --export > flux-git-secret.yaml
# 2. manually change the known_hosts to `ssh-keyscan -p 22 ${domain}` ssh-ed25519 output
# 3. encrypt yaml with age
# Flux bootstrap manifests, symlinked into the k3s manifests dir above. The ssh
# key itself lives in the flux-git-auth secret, not in this file.
environment.etc."k3s/flux.yaml" = {
mode = "0750";
# The manifest clones as `gitea@` while the examples above use `git@` —
# presumably the NixOS gitea service user; confirm the known_hosts entry in the
# secret matches.
text = ''
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 2m
ref:
branch: main
secretRef:
name: flux-git-auth
url: ssh://gitea@${domain}/r/nixos-k3s.git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 2m
path: ./kubernetes/flux
prune: true
wait: false
sourceRef:
kind: GitRepository
name: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
'';
};
# Helmfile consumed by the k3s bootstrap step above. Chart versions are pinned
# (renovate markers inside the YAML track them) and the values files are copied
# from the repository tree into the store.
environment.etc."k3s/helmfile.yaml" = {
mode = "0750";
text = ''
repositories:
- name: coredns
url: https://coredns.github.io/helm
- name: cilium
url: https://helm.cilium.io
releases:
- name: cilium
namespace: kube-system
# renovate: repository=https://helm.cilium.io
chart: cilium/cilium
version: 1.15.4
values: ["${../../../kubernetes/core/networking/cilium/operator/helm-values.yaml}"]
wait: true
- name: coredns
namespace: kube-system
# renovate: repository=https://coredns.github.io/helm
chart: coredns/coredns
version: 1.29.0
values: ["${../../../kubernetes/core/networking/coredns/app/helm-values.yaml}"]
wait: true
'';
};
# NOTE this config map is optionally used by k3s coredns see https://github.com/k3s-io/k3s/blob/master/manifests/coredns.yaml
# Resolves ${domain} to ${ip} for in-cluster lookups; everything else is
# forwarded to the host resolver.
environment.etc."k3s/coredns-custom.yaml" = {
mode = "0750";
text = ''
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-custom
namespace: kube-system
data:
domain.server: |
${domain}:53 {
errors
health
ready
hosts {
${ip} ${domain}
fallthrough
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
'';
};
# Config for ConBee II
# Exposes the serial device raw over TCP 20108 (opened in the firewall above).
# No access control is configured, so anyone reaching that port on the LAN can
# drive the adapter. 0755 also sets an unneeded exec bit on a yaml file.
environment.etc."ser2net.yaml" = {
mode = "0755";
text = ''
connection: &con01
accepter: tcp,20108
connector: serialdev,/dev/ttyACM0,115200n81,nobreak,local
options:
kickolduser: true
'';
};
systemd.services.ser2net = {
wantedBy = [ "multi-user.target" ];
description = "Serial to network proxy";
after = [ "network.target" "dev-ttyACM0.device" ];
serviceConfig = {
Type = "simple";
# NOTE(review): a network-facing daemon running as root. A dedicated user with
# `SupplementaryGroups = [ "dialout" ]` (plus `DeviceAllow` for /dev/ttyACM0 and
# `NoNewPrivileges = true`) would confine a ser2net compromise to the serial
# device.
User = "root"; # todo user with only dialout group?
ExecStart = ''${pkgs.ser2net}/bin/ser2net -n -c /etc/ser2net.yaml'';
ExecReload = ''kill -HUP $MAINPID'';
Restart = "on-failure";
};
};
# Weekly backup of the minio data dir: an rsync mirror (with --delete, so the
# mirror tracks deletions) plus a gzip'd archive kept for 15 days. Runs as root
# (no User set) and writes to the same btrfs volume minio lives on.
systemd.services.minio-backup = {
serviceConfig.Type = "oneshot";
path = [
pkgs.findutils
pkgs.gnutar
pkgs.gzip
];
# NOTE(review): the `find .../archiv/*.tar.gz*` glob is expanded by the shell;
# on a run where nothing matches yet, find receives the literal pattern and
# exits non-zero, which fails the unit under the `-e` shell NixOS wraps scripts
# in. `find /mnt/backup/${domain}/archiv -name '*.tar.gz*' -mtime +15 -delete`
# avoids both the glob and the per-file rm.
script = ''
echo "Start minio backup now"
mkdir -p /mnt/backup/${domain}/rsync/data/minio
mkdir -p /mnt/backup/${domain}/rsync/log
mkdir -p /mnt/backup/${domain}/archiv
${pkgs.rsync}/bin/rsync \
-av \
--delete \
--ignore-missing-args \
--log-file="/mnt/backup/${domain}/rsync/log/$(date +"%Y-%m-%d_%H-%M-%S").log" \
--exclude "volsync/monerod" \
/mnt/backup/minio/ /mnt/backup/${domain}/rsync/data/minio/
export BACKUP_ARCHIVE_NAME="backup_$(date +%Y-%m-%d).tar.gz"
tar -I 'gzip --fast' -cf "/mnt/backup/${domain}/archiv/$BACKUP_ARCHIVE_NAME" /mnt/backup/${domain}/rsync/data/minio
find /mnt/backup/${domain}/archiv/*.tar.gz* -mtime +15 -exec rm {} \;
echo "minio backup completed"
'';
};
# Fires Mondays at 06:00; partOf ties the timer's stop/restart to the service.
systemd.timers.minio-backup = {
wantedBy = [ "timers.target" ];
partOf = [ "minio-backup.service" ];
timerConfig.OnCalendar = [ "Mon 06:00:00" ];
};
}