opentofu incus

2026-03-21 13:41:50 -05:00 · 2026-03-21 13:41:50 -05:00 · 3d8242b314
commit 3d8242b314
parent e4f5ca2fc9
22 changed files with 340 additions and 211 deletions
--- a/home-manager/shared/programs/dev.nix
+++ b/home-manager/shared/programs/dev.nix
@ -6,13 +6,14 @@
    gnumake
    jq
    tree
-    jjui
+    unzip
    #devops
    k9s
    kubectl
    nerdctl
    gh
    opentofu
    #golang
    go
--- a/home-manager/shared/wayland/hyprland/default.nix
+++ b/home-manager/shared/wayland/hyprland/default.nix
@ -14,6 +14,19 @@
        gaps_out = 0;
        layout = "master";
      };
      group = {
        groupbar = {
          priority = 99;
          enabled = true;
          "col.active" = "rgb(4d7d90)";
          "col.inactive" = "rgb(101d20)";
          gaps_in = 0;
          gaps_out = 0;
          gradients = true;
          text_color = "rgb(101d20)";
          text_color_inactive = "rgb(ffffff)";
        };
      };
      misc = {
        disable_hyprland_logo = true;
        on_focus_under_fullscreen = 1;
--- a/home-manager/t14/home.nix
+++ b/home-manager/t14/home.nix
@ -33,6 +33,7 @@
      appimage-run
      wireguard-tools
      android-tools
      incus
    ];
    sessionVariables = {
      MOZ_ENABLE_WAYLAND = 1;
--- a/nixos/base/configuration.nix
+++ b/nixos/base/configuration.nix
@ -0,0 +1,8 @@
 { pkgs, ... }:
 with pkgs;
 {
  security.sudo.enable = lib.mkForce false;
  networking = {
    useHostResolvConf = lib.mkForce false;
  };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -73,4 +73,17 @@ in
      ./oracle/configuration.nix
    ];
  };
  base = inputs.nixpkgs-stable.lib.nixosSystem {
    pkgs = pkgs.nixos-stable;
    specialArgs = {
      inherit inputs system attrs;
      host = {
        hostName = "nixos";
        inherit (attrs) username;
      };
    };
    modules = defaultModules ++ [
      ./base/configuration.nix
    ];
  };
 }
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@ -94,25 +94,25 @@ in
      };
    };
    systemd = {
-      mounts = [
+      # mounts = [
-        {
+      #   {
-          type = "nfs";
+      #     type = "nfs";
-          mountConfig = {
+      #     mountConfig = {
-            Options = "noatime";
+      #       Options = "noatime";
-          };
+      #     };
-          what = "zen:/tank/home";
+      #     what = "zen:/tank/home";
-          where = "/mnt/home";
+      #     where = "/mnt/home";
-        }
+      #   }
-      ];
+      # ];
-      automounts = [
+      # automounts = [
-        {
+      #   {
-          wantedBy = [ "multi-user.target" ];
+      #     wantedBy = [ "multi-user.target" ];
-          automountConfig = {
+      #     automountConfig = {
-            TimeoutIdleSec = "600";
+      #       TimeoutIdleSec = "600";
-          };
+      #     };
-          where = "/mnt/home";
+      #     where = "/mnt/home";
-        }
+      #   }
-      ];
+      # ];
    };
  };
 }
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
@ -9,152 +9,12 @@
  imports = [
    ./hardware-configuration.nix
  ];
-  boot = {
+  machine.sys.zram = false;
-    kernel.sysctl = {
+  machine.sys.swap = false;
      "vm.swappiness" = 6;
    };
  };
  sops = {
    secrets = {
      "password".sopsFile = ../../secrets/k8s.yaml;
      forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
      "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
      "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
      "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
      "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
    };
  };
  services.restic.backups = {
    b2-immich = {
      initialize = true;
      environmentFile = config.sops.secrets."b2-immich/env".path;
      repositoryFile = config.sops.secrets."b2-immich/repo".path;
      passwordFile = config.sops.secrets."b2-immich/password".path;
      paths = [
        "/tank/immich"
      ];
      timerConfig = {
        OnCalendar = "06:00";
      };
      pruneOpts = [
        "--keep-daily 31"
        "--keep-monthly 6"
        "--keep-yearly 1"
      ];
    };
  };
  networking = {
    hostId = "44238132";
    firewall = {
      allowedTCPPorts = [
        22
        80
        443
        2049 # nfs
      ];
      interfaces."podman+" = {
        allowedTCPPorts = [ 33393 ];
      };
    };
  };
  services = {
    zfs.autoScrub.enable = true;
    zfs.autoSnapshot.enable = true;
    fstrim.enable = true;
    nfs.server.enable = true;
    immich = {
      enable = true;
      package = pkgs-unstable.immich;
      port = 2283;
      host = "localhost";
      openFirewall = true;
      machine-learning.enable = true;
      mediaLocation = "/tank/immich";
      accelerationDevices = null;
    };
    nginx = {
      enable = true;
      virtualHosts."img.10110110.xyz" = {
        forceSSL = true;
        useACMEHost = "10110110.xyz";
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout   600s;
            proxy_send_timeout   600s;
            send_timeout         600s;
          '';
        };
      };
    };
  };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = host.hostName;
      settings = {
        runner.capacity = 3;
        container = {
          force_pull = true;
          valid_volumes = [
            "/nix/store"
            "/nix/var/nix/daemon-socket"
          ];
        };
      };
      url = "https://git.10110110.xyz";
      tokenFile = config.sops.secrets.forgejo-runner.path;
      labels = [
        "ubuntu-latest:docker://node:24-bullseye"
        "nix-upstream-latest:docker://nixos/nix:latest"
        "nix-latest:docker://git.10110110.xyz/ci/nix"
      ];
    };
  };
  # services.k3s = {
  #   enable = true;
  #   role = "agent";
  #   extraFlags = toString [
  #     "--flannel-iface=tailscale0"
  #   ];
  #   tokenFile = config.sops.secrets."password".path;
  #   serverAddr = "https://consensus:6443";
  # };
  # systemd.services.k3s = {
  #   preStart = ''
  #     until ${pkgs.tailscale}/bin/tailscale status; do
  #       sleep 1
  #     done
  #   '';
  # };
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@10110110.xyz";
    certs = {
      "10110110.xyz" = {
        domain = "*.10110110.xyz";
        group = config.services.nginx.group;
        dnsProvider = "cloudflare";
        environmentFile = config.sops.secrets."cf-dns-key".path;
      };
    };
  };
  virtualisation.podman.enable = true;
  hardware = {
    graphics.enable = true;
    nvidia = {
      modesetting.enable = true;
      nvidiaSettings = true;
      open = false;
      package = config.boot.kernelPackages.nvidiaPackages.stable;
    };
    enableRedistributableFirmware = true;
    firmware = [ pkgs.linux-firmware ];
  };
 }
--- a/nixos/zen/hardware-configuration.nix
+++ b/nixos/zen/hardware-configuration.nix
@ -1,69 +1,27 @@
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
-    extraModulePackages = [ ];
+    initrd.availableKernelModules = [
-    initrd = {
+      "xhci_pci"
-      availableKernelModules = [
+      "ahci"
-        "xhci_pci"
+    ];
-        "ahci"
+    initrd.kernelModules = [ ];
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [
        "dm-snapshot"
        "nvme"
      ];
    };
    kernelModules = [ "kvm-amd" ];
-    loader = {
+    extraModulePackages = [ ];
      efi = {
        canTouchEfiVariables = true;
      };
      systemd-boot = {
        enable = true;
      };
    };
    supportedFilesystems = [
      "zfs"
      "nfs"
    ];
    zfs = {
-      # extraPools = [ "rice" ];
+      extraPools = [ "tank" ];
      forceImportRoot = false;
    };
  };
  fileSystems = {
    "/" = {
      device = "/dev/mapper/nixos-root";
      fsType = "btrfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/7A75-7368";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
    "/nix/store" = {
      device = "/dev/mapper/nixos-store";
      fsType = "btrfs";
    };
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  system.stateVersion = "25.11";
 }
--- a/nixos/zen/old-configuration.nix
+++ b/nixos/zen/old-configuration.nix
@ -0,0 +1,168 @@
 {
  host,
  config,
  pkgs,
  pkgs-unstable,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  # boot = {
  #   kernel.sysctl = {
  #     "vm.swappiness" = 6;
  #   };
  # };
  # sops = {
  #   secrets = {
  #     "password".sopsFile = ../../secrets/k8s.yaml;
  #     # "tailscale-auth".sopsFile = ../../secrets/tailscale.yaml;
  #     forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
  #     "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
  #     "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
  #     "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
  #     "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
  #   };
  # };
  # services.restic.backups = {
  #   b2-immich = {
  #     initialize = true;
  #     environmentFile = config.sops.secrets."b2-immich/env".path;
  #     repositoryFile = config.sops.secrets."b2-immich/repo".path;
  #     passwordFile = config.sops.secrets."b2-immich/password".path;
  #
  #     paths = [
  #       "/tank/immich"
  #     ];
  #     timerConfig = {
  #       OnCalendar = "06:00";
  #     };
  #     pruneOpts = [
  #       "--keep-daily 31"
  #       "--keep-monthly 6"
  #       "--keep-yearly 1"
  #     ];
  #   };
  # };
  # networking = {
  #   nftables.enable = true;
  #   hostId = "44238132";
  #   firewall = {
  #     allowedTCPPorts = [
  #       22
  #       80
  #       443
  #       2049 # nfs
  #     ];
  #     trustedInterfaces = [
  #       "tailscale0"
  #       "incusbr0"
  #     ];
  #   };
  # };
  services = {
    zfs.autoScrub.enable = true;
    zfs.autoSnapshot.enable = true;
    fstrim.enable = true;
    nfs.server.enable = true;
    # immich = {
    #   enable = true;
    #   package = pkgs-unstable.immich;
    #   port = 2283;
    #   host = "localhost";
    #   openFirewall = true;
    #   machine-learning.enable = true;
    #   mediaLocation = "/tank/immich";
    #   accelerationDevices = null;
    # };
    # nginx = {
    #   enable = true;
    #   virtualHosts."img.10110110.xyz" = {
    #     forceSSL = true;
    #     useACMEHost = "10110110.xyz";
    #     locations."/" = {
    #       proxyPass = "http://localhost:${toString config.services.immich.port}";
    #       proxyWebsockets = true;
    #       recommendedProxySettings = true;
    #       extraConfig = ''
    #         client_max_body_size 50000M;
    #         proxy_read_timeout   600s;
    #         proxy_send_timeout   600s;
    #         send_timeout         600s;
    #       '';
    #     };
    #   };
    # };
  };
  # services.gitea-actions-runner = {
  #   package = pkgs.forgejo-runner;
  #   instances.default = {
  #     enable = true;
  #     name = host.hostName;
  #     settings = {
  #       runner.capacity = 3;
  #       container = {
  #         force_pull = true;
  #         valid_volumes = [
  #           "/nix/store"
  #           "/nix/var/nix/daemon-socket"
  #         ];
  #       };
  #     };
  #     url = "https://git.10110110.xyz";
  #     tokenFile = config.sops.secrets.forgejo-runner.path;
  #     labels = [
  #       "ubuntu-latest:docker://node:24-bullseye"
  #       "nix-upstream-latest:docker://nixos/nix:latest"
  #       "nix-latest:docker://git.10110110.xyz/ci/nix"
  #     ];
  #   };
  # };
  # services.k3s = {
  #   enable = true;
  #   role = "server";
  #   extraFlags = toString [
  #     "--disable=traefik"
  #     "--vpn-auth=file=${config.sops.secrets."tailscale-auth".path}"
  #     "--node-external-ip=100.64.246.41"
  #   ];
  #   tokenFile = config.sops.secrets."password".path;
  #   serverAddr = "https://zen:6443";
  # };
  # systemd.services.k3s = {
  #   preStart = ''
  #     until ${pkgs.tailscale}/bin/tailscale status; do
  #       sleep 1
  #     done
  #   '';
  # };
  # security.acme = {
  #   acceptTerms = true;
  #   defaults.email = "acme@10110110.xyz";
  #   certs = {
  #     "10110110.xyz" = {
  #       domain = "*.10110110.xyz";
  #       group = config.services.nginx.group;
  #       dnsProvider = "cloudflare";
  #       environmentFile = config.sops.secrets."cf-dns-key".path;
  #     };
  #   };
  # };
  # virtualisation = {
  #   podman.enable = false;
  #   incus.enable = true;
  # };
  # hardware = {
  #   graphics.enable = true;
  #   nvidia = {
  #     modesetting.enable = true;
  #     nvidiaSettings = true;
  #     open = false;
  #     package = config.boot.kernelPackages.nvidiaPackages.stable;
  #   };
  #   enableRedistributableFirmware = true;
  #   firmware = [ pkgs.linux-firmware ];
  # };
 }
--- a/secrets/tailscale.yaml
+++ b/secrets/tailscale.yaml
@ -0,0 +1,43 @@
 tailscale-auth: ENC[AES256_GCM,data:6dagpkltnpNpS74SDfv8gyyz7HPhZLLAapzf0e3bo//6n5CDeoGABg/cDVrros5GJUaV3BDvVPWrivZyGRR6PE3YnshnzUEsrjc2znxdPgQJqFL2,iv:CQabdCJf9sWFVOqGaOF2Bg8SKyI1x2NFjWmpSynXHtM=,tag:6CabVRg/dypUl/cHIBphTQ==,type:str]
 sops:
    age:
        - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaanhuSnNwNnphTmtDRkFy
            MEtmdEhrKzNlc01yZE5Eb08weWZLdHc0dUNzClcydUl0a1BabEJYK01mcmQwZDhw
            c3I2SW1zMzZGUDdGQ3BjNUM1NitqY3MKLS0tIGQ3NFlRQW1MSld3eUVPUXoxVFdX
            QnR0bittRkpYWnl5U0U3N0pzSVJnUHcKhNgibP853I6RbeXoXSSsRE61Eskw6muN
            aUJHR84sV6TlLS1Z3K6H1mO/VrfeECVaqogt4d/al6KwKWtAZRRGzQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXl0bmMxbEUrMWt1UDZJ
            QkJBR1BUd29QZ0JYaC8xbFY5UVp5aVRFelRnCk9XakhJWitkSEZxYmpWM1o1WElZ
            MUJod2ZYSjVwNE5GMFFNZmdEMVY1S3MKLS0tIGsxaDh2Nm5LN3dUOEEvOVpIS1M1
            aThvcm5YbXUzampaVlhDWGdGL29FcEEKOw51czIS/5pgLNtMehhKvfKBf5/KemtP
            qiGAQHkzgM3wD7B5nyI7shS0FgyyoedEgu8h+plSjV3s/Va6HyIIAQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ODdQOFl1Zm5sTHB0by9E
            K0k3SFdEVnZtQVAwZnJEd2E3Z20xYU9HYmdJCllPZVZjSktPVHpBRXM3ZmpMVjZp
            T1RhaElJL2VxUmoxN2tpYjEyVm5POGsKLS0tIGhkTkEzV3FtWTVTYU5rdmYwdGtV
            VmNXdGU0OGZjR2tMQmxPR0VpSnBTSGMK6NGw/2x6Y6YaFxXoiIMYjcSm9YbTKUjS
            5GjUG21P3MJ3nAFZYCq6vWve1pRLteKvSdSpwLnoUo8lFjIvTvhAqA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1cqgjdpyf5n9nyusvcyl83l0gmn8sx3tju45kmp5yrfgmtfy5gvusessj83
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUytSdG1ZZFA3OTVCUmQ2
            RWpQTnZXWXNMWWZuT2xMSmJobzAxbUladndvClV5SnpOQUNaTm42VW9reWd3ckVG
            MUFad2VhS1liZXk1c3ZuaDFLbk4zc1kKLS0tIEMvd0tvYWowQW5SZkZWRVRuQVdl
            d2J1ZWtpSDVMRVhKcTVKWnVZOGZqdk0K74ftYUft0Rc8nrmDIgHWarY8FFZXvkqu
            +SPB7iZcKY/G/M0d3PvieKq5FSl5KkFNTFntk2ZulPNyj3iX9FaG6w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-03-21T18:25:50Z"
    mac: ENC[AES256_GCM,data:SpkdH4sBGUXlohQHpjGcRJq8Y1fMf7FSlbZ0xBbQoMT3QDEyWFSyewUoZZ/MNoTFZKPPZ5B+AXYYD/YQN/0EuavfqWZtp1MTM/OrFQ9Ofn9Lx0iAmPssvaWWHGjzzZcb39HeI7NfF7XrfdRBDACKI4xX7zVcV4k+hdcHOA1FG9s=,iv:cy6uY5MtqeYgu3WEXPErxvLkbcNlWaWKzpFLSgM68gY=,tag:M9LA4m3y164074VyJgeBMQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
--- a/terraform/incus/.gitignore
+++ b/terraform/incus/.gitignore
@ -0,0 +1,2 @@
 *.tar.xz
 result
--- a/terraform/incus/images.tf
+++ b/terraform/incus/images.tf
@ -0,0 +1,10 @@
 resource "incus_image" "nixos-lxc-base" {
  source_file = {
    data_path = "lxc.tar.xz"
    metadata_path = "lxc-metadata.tar.xz"
  }
  alias {
    name = "nixos-lxc-base"
    description = "Nixos Base"
  }
 }
--- a/terraform/incus/instances.tf
+++ b/terraform/incus/instances.tf
@ -0,0 +1,17 @@
 resource "incus_instance" "zen" {
  name = "zen"
  image = incus_image.nixos-lxc-base.fingerprint
  config = {
    "boot.autostart" = true
    "limits.cpu" = 2
  }
  device {
    name = "zfs"
    type = "unix-block"
    properties = {
      source = "/dev/disk/by-id/wwn-0x50014ee2671b7f30"
    }
  }
 }
--- a/terraform/incus/main.tf
+++ b/terraform/incus/main.tf
@ -0,0 +1,26 @@
 terraform {
  required_providers {
    incus = {
      source = "lxc/incus"
    }
  }
 }
 provider "incus" {
  generate_client_certificates = true
  accept_remote_certificate    = true
  default_remote               = "incus"
  remote {
    name    = "incus"
    address = "https://incus:8443"
  }
 }
 resource "incus_network" "enp4s0" {
  name = "enp4s0"
  type = "physical"
  config = {
    parent = "enp4s0"
  }
 }
--- a/terraform/incus/make-images.fish
+++ b/terraform/incus/make-images.fish
@ -0,0 +1,9 @@
 #!/usr/bin/env fish
 function make-image -a variant
    nixos-rebuild build-image --flake .#base --image-variant $variant
    and cp ./result/tarball/*.tar.xz $variant.tar.xz
 end
 make-image lxc
 make-image lxc-metadata
--- a/terraform/ocf/compartment.tf
+++ b/terraform/ocf/compartment.tf
--- a/terraform/ocf/compute.tf
+++ b/terraform/ocf/compute.tf
--- a/terraform/ocf/main.tf
+++ b/terraform/ocf/main.tf
--- a/terraform/ocf/networking.tf
+++ b/terraform/ocf/networking.tf
--- a/terraform/ocf/outputs.tf
+++ b/terraform/ocf/outputs.tf
--- a/terraform/ocf/terraform.tfvars.example
+++ b/terraform/ocf/terraform.tfvars.example
--- a/terraform/ocf/variables.tf
+++ b/terraform/ocf/variables.tf