add SOPS, etc.

iofq 2024-04-07 17:54:27 -05:00
parent e1f0194350
commit 10c6af76f2
No known key found for this signature in database
GPG key ID: ECF3B2DA38BF7183
25 changed files with 435 additions and 413 deletions


@ -10,23 +10,14 @@
./eth.nix
];
environment.systemPackages = with pkgs; [
vim
git
bridge-utils
comma
];
virtualisation = {
docker = {
enable = true;
};
};
networking = {
hostName = "htz";
domain = "";
firewall = {
enable = true;
allowedTCPPorts = [22 80 443];
allowedUDPPorts = [];
allowedTCPPorts = [22];
logRefusedConnections = true;
trustedInterfaces = ["microvm"];
};
@ -43,9 +34,8 @@
device = "/eth1";
options = ["bind"];
};
services = let
domain = "ts.10110110.xyz";
in {
services = {
tailscale.enable = true;
openssh = {
enable = true;
settings = {
@ -53,30 +43,6 @@
PermitRootLogin = "prohibit-password";
};
};
tailscale.enable = true;
headscale = {
enable = true;
address = "0.0.0.0";
port = 8080;
serverUrl = "https://${domain}";
dns = {baseDomain = domain;};
settings = {logtail.enabled = false;};
};
nginx = {
enable = true;
virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8080";
proxyWebsockets = true;
};
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "mail@10110110.xyz";
};
users.users = {
root = {
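Review bot: The commit title "add SOPS, etc." gives no hint that these hunks decommission headscale, nginx, ACME and the docker runtime on htz and narrow `allowedTCPPorts` to `[22]`; a description line such as `Drop headscale/nginx/ACME and docker from htz; firewall now allows only 22` would make the change reviewable later. Note also that `trustedInterfaces = ["microvm"]` accepts all traffic from that interface unconditionally, so the openssh service with `PermitRootLogin = "prohibit-password"` presumably stays reachable from the microvms regardless of the port list; if that is intended it is worth a one-line comment next to the firewall block. The `networking` and `services` attribute sets continue outside the hunks.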


@ -9,8 +9,37 @@
allowedUDPPorts = [9000 30303];
logRefusedConnections = true;
trustedInterfaces = ["microvm"];
interfaces."tailscale0".allowedTCPPorts = [5052 8545];
};
};
# virtualisation.oci-containers.containers = {
# besu = {
# image = "hyperledger/besu:24.3-graalvm";
# ports = [
# "0.0.0.0:30303:30303"
# "0.0.0.0:30303:30303/udp"
# "100.79.221.28:8551:8551"
# ];
# volumes = [
# "/eth1/besu:/var/lib/besu"
# "/etc/nixos/eth_jwt:/var/lib/jwtsecret/jwt.hex"
# ];
# environment = {
# JAVA_OPTS = "\"-Xmx16192m\"";
# };
# cmd = [
# "--Xsnapsync-synchronizer-flat-db-healing-enabled=true"
# "--data-path=/var/lib/besu"
# "--data-storage-format=bonsai"
# "--engine-jwt-secret=/var/lib/jwtsecret/jwt.hex"
# "--engine-rpc-enabled"
# "--engine-rpc-port=8551"
# "--fast-sync-min-peers=3"
# "--nat-method=docker"
# "--network=mainnet"
# "--sync-mode=X_SNAP"
# ];
# };
services.ethereum.geth.mainnet = {
enable = true;
package = inputs.ethereum-nix.packages.${system}.geth;
@ -18,7 +47,8 @@
args = {
http = {
enable = true;
addr = "10.0.0.1";
addr = "0.0.0.0";
vhosts = ["htz.tailc353f.ts.net"];
};
authrpc.jwtsecret = "/etc/nixos/eth_jwt";
};
@ -34,7 +64,7 @@
enr-auto-update = true;
rest = {
enable = true;
address = "10.0.0.1";
address = "0.0.0.0";
};
light-client-data.max-periods = "3";
};
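Review bot: Switching geth's `http.addr` and the beacon `rest.address` from `"10.0.0.1"` to `"0.0.0.0"` widens both listeners to every interface, while the new `interfaces."tailscale0".allowedTCPPorts = [5052 8545];` only opens them on the tailnet; the host firewall's `trustedInterfaces = ["microvm"]` (visible in the htz section of this commit) exempts the microvm interface, so the JSON-RPC and REST endpoints become reachable from the VMs as well. If only tailnet access is intended, binding to the tailscale0 address explicitly, or adding a comment stating why the wildcard bind is needed, keeps the exposure tied to the firewall rule instead of relying on it alone. The commented-out besu block carries a hard-coded address `100.79.221.28` and the JWT secret path; dead configuration is better removed than kept as a comment, since git history preserves it, and `authrpc.jwtsecret = "/etc/nixos/eth_jwt";` still points at a plain file despite the "add SOPS" title. The `services.ethereum` attribute sets continue outside the hunks.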


@ -1,8 +1,6 @@
{
inputs,
lib,
pkgs,
system,
addressList,
...
}: let
@ -93,10 +91,6 @@
};
in {
microvm.vms = {
vm-pool = genVMConfig {
name = "vm-pool";
config = import ./pool.nix {inherit pkgs system inputs;};
};
vm-k3s = genVMConfig {
name = "vm-k3s";
config = import ./k3s.nix {inherit pkgs;};


@ -7,6 +7,7 @@
role = "server";
extraFlags = toString [
"--disable traefik"
"--tls-san vm-k3s.tailc353f.ts.net"
];
};
networking.firewall = {
@ -21,7 +22,7 @@
image = "/var/lib/microvms/vm-k3s/vm-k3s-root.img";
label = "vm-pool-root";
mountPoint = "/";
size = 10000;
size = 100000;
}
];
};
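Review bot: The vm-k3s volume at `image = "/var/lib/microvms/vm-k3s/vm-k3s-root.img";` still carries `label = "vm-pool-root";` even though this commit removes vm-pool from the microvm set; unless the filesystem already on disk carries that label and must keep it, it should read `label = "vm-k3s-root";`. The `size = 100000;` change is an order-of-magnitude increase with no unit in the attribute name and, depending on how the microvm module treats an existing image, may not resize the root image already present — a short comment stating the unit and whether the image must be recreated would help. The hard-coded tailnet name in `"--tls-san vm-k3s.tailc353f.ts.net"` duplicates the `tailc353f.ts.net` suffix used in eth.nix; factoring it into one binding avoids the two drifting apart. The k3s service and volume definitions continue outside the hunks.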