monorepo lab stuff, init zen

This commit is contained in:
iofq 2025-12-27 22:26:02 -06:00
parent cfc15bba89
commit 645e09f9dd
54 changed files with 67498 additions and 406 deletions


@ -3,7 +3,7 @@ keys:
- &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
- &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
- &oracle1 age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - &oracle1 age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
- &oracle2 age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc - &zen age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
@ -11,4 +11,4 @@ creation_rules:
- *t14 - *t14
- *consensus - *consensus
- *oracle1 - *oracle1
- *oracle2 - *zen
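Review bot: Swapping the `oracle2` recipient for `zen` in `keys` and in the key group changes the policy only for files encrypted from now on; every existing file matching `secrets/[^/]+\.yaml$` still carries a data key wrapped for oracle2 and none for zen until it is rewritten. Run `sops updatekeys` over those files in the same change (or document that step), otherwise the retired host can keep decrypting them and the new one cannot decrypt them at all. The hunk does not show whether the encrypted files were touched in this commit.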

6
clusters/lab/.sops.yaml Normal file

@ -0,0 +1,6 @@
---
keys:
- &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
creation_rules:
- unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
age: *t14
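Review bot: The lab rule names `t14` as the only age recipient, so every secret under `clusters/lab` is decryptable by exactly one workstation key and is unrecoverable if that key is lost. The root `.sops.yaml` in this same commit uses a `key_groups` list of several hosts; consider the same shape here with at least the `zen` recipient added (an `&zen` entry under `keys`, then a `key_groups` entry listing `*t14` and `*zen`). The `unencrypted_regex` keeps `metadata` in clear, which is the usual choice for Kubernetes manifests, but it means Secret names, namespaces and labels are readable in git — worth a one-line comment so nobody later puts sensitive data in an annotation.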


@ -0,0 +1,92 @@
---
apiVersion: v1
kind: Service
metadata:
name: adguard-svc
namespace: adguard
spec:
selector:
app: adguard
ports:
- protocol: TCP
port: 8082
targetPort: 3000
name: http-init
- protocol: TCP
port: 8081
targetPort: 80
name: http
- protocol: TCP
port: 53
targetPort: 53
name: dns-tcp
- protocol: UDP
port: 53
targetPort: 53
name: dns-udp
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: adguard
namespace: adguard
spec:
selector:
matchLabels:
app: adguard
replicas: 0
template:
metadata:
labels:
app: adguard
spec:
containers:
- name: adguard
image: adguard/adguardhome:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: http
- containerPort: 53
name: dns
- containerPort: 3000
name: init
volumeMounts:
- name: adguard-data
mountPath: /opt/adguardhome/work
- name: adguard-conf
mountPath: /opt/adguardhome/conf
volumes:
- name: adguard-data
persistentVolumeClaim:
claimName: adguard-pvc-data
- name: adguard-conf
persistentVolumeClaim:
claimName: adguard-pvc-conf
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: adguard-pvc-conf
namespace: adguard
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: adguard-pvc-data
namespace: adguard
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
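Review bot: `image: adguard/adguardhome:latest` together with `imagePullPolicy: IfNotPresent` means a node keeps whichever `latest` it pulled first and never updates it, while a fresh node gets a different build; pin a version tag (ideally `tag@sha256:<digest>`, digest from the registry) so rollouts are reproducible and auditable. The `adguard-svc` LoadBalancer also publishes `8082` → `3000`, which appears to be the first-run setup listener, to the whole LAN next to the admin UI on `8081`; once setup is done that mapping should be removed, or `loadBalancerSourceRanges` set, so the pre-login wizard is not reachable from every client that can reach the DNS VIP. `replicas: 0` and the commented-out entry in the adguard kustomization suggest this is not applied yet, so both fixes can land before the first rollout.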


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: adguard
resources:
# - adguard-deployment.yaml
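Review bot: `resources:` with only a commented entry beneath it parses as a null value, not an empty list; write `resources: []` so the file states its intent and does not rely on kustomize tolerating null (the eth and soft-serve kustomizations further down this page have the same shape). Separately, this kustomization sets `namespace: adguard` and the adguard manifests target that namespace, but unlike eth, minecraft, smokeping, soft-serve and unifi no `Namespace` object for `adguard` appears anywhere in the commit, so the first real apply will fail on a missing namespace unless it is created elsewhere.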


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- sealed-secrets-release.yaml



@ -0,0 +1,11 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: sealed-secrets-controller
namespace: kube-system
spec:
repo: https://bitnami-labs.github.io/sealed-secrets
chart: sealed-secrets
valuesContent: |-
fullnameOverride: sealed-secrets-controller
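Review bot: The `HelmChart` pins no `version`, so each helm-controller reconcile may pick up a newer `sealed-secrets` chart from the repo index, and an unreviewed upgrade lands on the component that holds the private key every SealedSecret in the cluster depends on. Add `version: "<chart version>"` under `spec` and bump it deliberately. A comment next to `fullnameOverride` noting that the name must stay `sealed-secrets-controller` because `kubeseal` looks for that controller name by default would also save the next reader a debugging session.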


@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: eth
resources:
# - namespace.yaml
# - nethermind-release.yaml
# - nimbus-release.yaml
# - besu-release.yaml
# - mev-boost.yaml


@ -0,0 +1,45 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mev-boost
namespace: eth
spec:
selector:
matchLabels:
app.kubernetes.io/app: mev-boost
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/app: mev-boost
spec:
containers:
- name: mev-boost
image: "flashbots/mev-boost:1.8"
imagePullPolicy: Always
ports:
- containerPort: 18550
args:
- "--addr"
- "0.0.0.0:18550"
- "--min-bid"
- "0.05"
- "--relay-check"
- "--relays"
- "https://0xa15b52576bcbf1072f4a011c0f99f9fb6c66f3e1ff321f11f461d15e31b1cb359caa092c71bbded0bae5b5ea401aab7e@aestus.live,https://0xa7ab7a996c8584251c8f925da3170bdfd6ebc75d50f5ddc4050a6fdc77f2a3b5fce2cc750d0865e05d7228af97d69561@agnostic-relay.net"
- "--debug"
---
apiVersion: v1
kind: Service
metadata:
name: mev-boost
namespace: eth
spec:
type: ClusterIP
selector:
app.kubernetes.io/app: mev-boost
ports:
- protocol: TCP
port: 18550
targetPort: 18550
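Review bot: `--debug` sits in the production `args` list; debug logging on the builder sidecar is noisy and puts relay request details into pod logs, so drop it (or document why it stays) before this serves real blocks. The image is `flashbots/mev-boost:1.8` with `imagePullPolicy: Always`, which re-resolves a mutable tag on every pod start; pin by digest (`flashbots/mev-boost:1.8@sha256:<digest>`) so the binary that selects bids on your behalf cannot change underneath the Deployment. The relay list is public key material, so committing it is fine.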


@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: eth


@ -0,0 +1,54 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nethermind-mainnet-pvc
namespace: eth
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1200Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: nethermind-mainnet
namespace: kube-system
spec:
targetNamespace: eth
repo: https://ethpandaops.github.io/ethereum-helm-charts/
chart: nethermind
valuesContent: |-
replicas: 1
image:
pullPolicy: "Always"
tag: 1.31.10
extraArgs:
- "--Network.MaxActivePeers 20"
- "--Pruning.CacheMb 4096"
- "--Pruning.FullPruningTrigger VolumeFreeSpace"
- "--Pruning.FullPruningCompletionBehavior AlwaysShutdown"
- "--Init.MemoryHint 4096000000"
p2pNodePort:
enabled: true
port: 30303
persistence:
enabled: true
existingClaim: nethermind-mainnet-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nethermind-http-rpc
namespace: eth
spec:
type: LoadBalancer
selector:
app.kubernetes.io/instance: nethermind-mainnet
ports:
- protocol: TCP
port: 8545
targetPort: 8545
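Review bot: `nethermind-http-rpc` is a `LoadBalancer` Service on `8545` selecting the execution client, which publishes its JSON-RPC endpoint to every host on the LAN with nothing authenticating in front of it; unless another machine genuinely needs it, make it `type: ClusterIP` or add `loadBalancerSourceRanges` listing the one or two clients that do. Which RPC namespaces that port serves is decided by chart values not shown here, so confirm the enabled module list before widening access. `tag: 1.31.10` happens to parse as a string, but quote it the way the nimbus values do so a future `1.31` or `1.4` does not silently become a float.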


@ -0,0 +1,57 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nimbus-mainnet-pvc
namespace: eth
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 500Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: nimbus-mainnet
namespace: kube-system
spec:
targetNamespace: eth
repo: https://ethpandaops.github.io/ethereum-helm-charts/
chart: nimbus
valuesContent: |-
replicas: 1
image:
pullPolicy: "Always"
tag: "multiarch-v25.5.0"
extraArgs:
- "--web3-url=http://nethermind-mainnet.eth.svc.cluster.local:8551"
- "--payload-builder=true"
- "--payload-builder-url=http://mev-boost.eth.svc.cluster.local:18550"
- "--max-peers=100"
p2pNodePort:
enabled: true
port: 30001
persistence:
enabled: true
existingClaim: nimbus-mainnet-pvc
checkpointSync:
enabled: true
network: mainnet
url: https://mainnet-checkpoint-sync.attestant.io
---
apiVersion: v1
kind: Service
metadata:
name: nimbus-http-rpc
namespace: eth
spec:
type: LoadBalancer
selector:
app.kubernetes.io/instance: nimbus-mainnet
ports:
- protocol: TCP
port: 5052
targetPort: 5052
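Review bot: The beacon node reaches the execution client over plain `http://nethermind-mainnet.eth.svc.cluster.local:8551`, and neither release's values set the JWT secret the engine API requires; if each chart falls back to a generated or built-in default, the pairing either fails or runs on a secret that is not specific to this cluster — confirm how both charts source it and feed them from one Kubernetes Secret. As with `nethermind-http-rpc`, `nimbus-http-rpc` exposes the beacon REST API (`5052`) as a LoadBalancer to the whole LAN; prefer `ClusterIP` unless something outside the cluster consumes it.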


@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generatorOptions:
labels:
type: generated
resources:
- crds/
- minecraft/
- soft-serve/
- eth/
- unifi/
- adguard/
- smokeping/


@ -0,0 +1,98 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kiki-mc-world
namespace: minecraft
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: kiki-minecraft
namespace: kube-system
spec:
targetNamespace: minecraft
repo: https://itzg.github.io/minecraft-server-charts/
chart: minecraft
valuesContent: |-
image:
repository: itzg/minecraft-server
tag: latest
pullPolicy: Always
replicaCount: 1
resources:
requests:
memory: 2000Mi
cpu: 1000m
strategyType: Recreate
nodeSelector: {}
tolerations: []
affinity: {}
securityContext:
runAsUser: 1000
fsGroup: 1000
livenessProbe:
command:
- mc-health
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 20
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
command:
- mc-health
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 20
successThreshold: 1
timeoutSeconds: 1
startupProbe:
command:
- mc-health
enabled: false
failureThreshold: 30
periodSeconds: 10
extraVolumes: []
minecraftServer:
eula: "TRUE"
wersion: "latest"
type: "VANILLA"
difficulty: normal
whitelist: cjriddz,k359
ops: cjriddz,k359
maxWorldSize: 15000
viewDistance: 16
motd: "good morning :)"
pvp: false
levelType: DEFAULT
worldSaveName: world
forceReDownload: false
memory: 2000M
serviceAnnotations: {}
serviceType: LoadBalancer
servicePort: 25566
clusterIP:
loadBalancerIP:
externalIPs:
query:
enabled: false
port: 25566
rcon:
enabled: true
withGeneratedPassword: true
envFrom: []
persistence:
annotations: {}
storageClass: "longhorn"
dataDir:
enabled: true
existingClaim: kiki-mc-world
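Review bot: `wersion: "latest"` under `minecraftServer` is a typo for `version`, so the chart never sees a version value and uses its own default; the second minecraft release later on this page has the same `wersion: "latest"` key. `whitelist` and `ops` are the identical list in both releases, which grants every whitelisted player operator rights; keep `ops` to the accounts that actually administer the server. `persistence.storageClass: "longhorn"` disagrees with the `local-path` class of `kiki-mc-world` — with `existingClaim` set it is presumably ignored, but it misleads the next reader — and `clusterIP:`, `loadBalancerIP:`, `externalIPs:` as bare keys are nulls rather than empty strings.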


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: minecraft
resources:
- minecraft-helm.yaml
- kiki-minecraft-helm.yaml
# - minecraft-restic-backup.yaml
# - minecraft-restic-secrets.yaml.enc


@ -0,0 +1,163 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: minecraft
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mc-world
namespace: minecraft
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: minecraft
namespace: kube-system
spec:
targetNamespace: minecraft
repo: https://itzg.github.io/minecraft-server-charts/
chart: minecraft
valuesContent: |-
image:
repository: itzg/minecraft-server
tag: java21
pullPolicy: Always
replicaCount: 1
resources:
requests:
memory: 3000Mi
cpu: 1000m
strategyType: Recreate
nodeSelector: {}
tolerations: []
affinity: {}
securityContext:
runAsUser: 1000
fsGroup: 1000
livenessProbe:
command:
- mc-health
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 20
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
command:
- mc-health
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 20
successThreshold: 1
timeoutSeconds: 1
startupProbe:
command:
- mc-health
enabled: false
failureThreshold: 30
periodSeconds: 10
extraVolumes: []
minecraftServer:
eula: "TRUE"
wersion: "latest"
type: "FABRIC"
difficulty: normal
whitelist: cjriddz,k359,yessorre,ZaltyPretzel,Yessorre,aemdryr
ops: cjriddz,k359,yessorre,ZaltyPretzel,Yessorre,aemdryr
maxWorldSize: 15000
viewDistance: 16
motd: "good morning :)"
pvp: false
levelType: DEFAULT
worldSaveName: world-gims-7
forceReDownload: false
memory: 3000M
serviceAnnotations: {}
serviceType: LoadBalancer
servicePort: 25565
clusterIP:
loadBalancerIP:
externalIPs:
query:
enabled: false
port: 25565
rcon:
enabled: true
withGeneratedPassword: true
extraEnv:
# https://fabricmc.net/use/server/
VERSION_FROM_MODRINTH_PROJECTS: true
RCON_CMDS_STARTUP: |-
gamerule playersSleepingPercentage 19
gamerule doInsomnia false
gamerule mobGriefing false
# deprecated mods
# incendium:alpha
# nullscape
# true-ending
# upgraded-mobs
# spellbound-weapons
# neoenchant
# lukis-grand-capitals
# lukis-crazy-chambers
# lukis-ancient-cities
# towns-and-towers
# dungeons-and-taverns-jungle-temple-overhaul
# dungeons-and-taverns-ocean-monument-overhaul
# dungeons-and-taverns-woodland-mansion-replacement
# dungeons-and-taverns-nether-fortress-overhaul
# dungeons-and-taverns-stronghold-overhaul
# structory
# structory-towers
# yggdrasil-structure
# hostile-mobs-improve-over-time
# beyondenchant
# expanded-axe-enchanting
# expanded-weapon-enchanting
# expanded-bow-enchanting
# expanded-armor-enchanting
# expanded-trident-enchanting
# infinite-trading
# healing-campfire
# fabric-language-kotlin
# cloth-config
# owo-lib
# cristel-lib
# ct-overhaul-village
# tectonic
# terralith
# portfolio
# tree-harvester
# chunky
# ferrite-core
# scalablelux
# appleskin
# inventory-sorting
# datapack:health-indicator
MODRINTH_PROJECTS: |-
fabric-api
collective
cloth-config
lithium
c2me-fabric:alpha
your-items-are-safe
datapack:geophilic
dungeons-and-taverns
more-mobs
envFrom: []
persistence:
annotations: {}
storageClass: "longhorn"
dataDir:
enabled: true
existingClaim: mc-world
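Review bot: `MODRINTH_PROJECTS` lists mods by slug only (`fabric-api`, `lithium`, `c2me-fabric:alpha`, …), so every pod start downloads whatever the newest matching release is, including alpha-channel builds, and with `VERSION_FROM_MODRINTH_PROJECTS` the server version follows along; a plain restart can therefore pull unreviewed code into a server that accepts connections through a LoadBalancer. Pin each entry to a specific release (the `slug:version` form the `c2me-fabric:alpha` entry already uses for its channel) and bump deliberately. `VERSION_FROM_MODRINTH_PROJECTS: true` is a YAML boolean inside an env map; write `"true"` so it survives as a string regardless of how the chart templates `extraEnv`.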


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: smokeping
resources:
- smokeping-helm.yaml


@ -0,0 +1,40 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: smokeping
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: smokeping
namespace: kube-system
spec:
targetNamespace: smokeping
repo: https://nicholaswilde.github.io/helm-charts/
chart: smokeping
valuesContent: |-
image:
repository: ghcr.io/linuxserver/smokeping
pullPolicy: IfNotPresent
env:
TZ: "America/Chigaco"
ingress:
enabled: false
persistence:
config:
enabled: true
emptyDir: false
mountPath: /config
storageClass: local-path
accessMode: ReadWriteOnce
size: 1Gi
skipuninstall: false
data:
enabled: true
emptyDir: false
mountPath: /data
storageClass: local-path
accessMode: ReadWriteOnce
size: 1Gi
skipuninstall: false
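Review bot: `TZ: "America/Chigaco"` is a misspelled zone name; the removed shared NixOS config on this page spells it `America/Chicago`, and an unknown `TZ` typically falls back to UTC without complaint, so every graph will be offset — change to `TZ: "America/Chicago"`. The image has no tag, so it floats on `latest`; pin it like the other releases to keep the rollout reproducible.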


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: soft-serve
resources:
# - ss-deployment.yaml


@ -0,0 +1,64 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: soft-serve
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: soft-serve-pvc
namespace: soft-serve
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
name: soft-serve-svc
namespace: soft-serve
spec:
selector:
app: soft-serve
ports:
- protocol: TCP
port: 22
targetPort: 23231
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: soft-serve
namespace: soft-serve
spec:
selector:
matchLabels:
app: soft-serve
replicas: 1
template:
metadata:
labels:
app: soft-serve
spec:
containers:
- name: soft-serve
image: charmcli/soft-serve:v0.10.0
imagePullPolicy: Always
ports:
- containerPort: 23231
volumeMounts:
- name: soft-serve-data
mountPath: /soft-serve
env:
- name: SOFT_SERVE_INITIAL_ADMIN_KEYS
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14"
volumes:
- name: soft-serve-data
persistentVolumeClaim:
claimName: soft-serve-pvc
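Review bot: `soft-serve-svc` publishes the SSH git listener (`port: 22` → `23231`) as a LoadBalancer to the whole LAN, while the Deployment has no `securityContext` or `resources` stanza, so the one container that accepts connections from every LAN client runs with the defaults; add a `securityContext` (at minimum `allowPrivilegeEscalation: false` and a dropped capability set) plus `loadBalancerSourceRanges`, or document why it is open. `SOFT_SERVE_INITIAL_ADMIN_KEYS` is a public key, so committing it is fine, but it presumably only seeds the admin on first start — a comment saying that later admin changes live in the `/soft-serve` volume would save the next reader a surprise. The soft-serve kustomization on this page has the Deployment commented out, so this likely is not applied yet.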


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: adguard
resources:
- unifi-deployment.yaml
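Review bot: `namespace: adguard` in the unifi kustomization looks like a copy of the adguard one; the referenced `unifi-deployment.yaml` puts everything in `unifi`, and kustomize's namespace transformer will rewrite those resources into `adguard`, so the PVC, Service and Deployment land in the wrong namespace (and, depending on the kustomize version, the `Namespace` object itself may be renamed). Change it to `namespace: unifi`.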


@ -0,0 +1,75 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: unifi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-pvc
namespace: unifi
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
name: unifi-svc
namespace: unifi
spec:
selector:
app: unifi
ports:
- protocol: TCP
port: 8443
targetPort: 8443
name: http
- protocol: UDP
port: 10001
targetPort: 10001
name: ap-disc
- protocol: TCP
port: 8080
targetPort: 8080
name: adopt
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: unifi
namespace: unifi
spec:
selector:
matchLabels:
app: unifi
replicas: 1
template:
metadata:
labels:
app: unifi
spec:
containers:
- name: unifi
image: lscr.io/linuxserver/unifi-controller:latest
imagePullPolicy: Always
ports:
- containerPort: 8080
name: adopt
- containerPort: 10001
name: ap-disc
- containerPort: 8443
name: http
volumeMounts:
- name: unifi-data
mountPath: /config
volumes:
- name: unifi-data
persistentVolumeClaim:
claimName: unifi-pvc
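Review bot: `lscr.io/linuxserver/unifi-controller:latest` is the deprecated linuxserver image line (superseded by `unifi-network-application`, which needs an external MongoDB), so `latest` here tracks an unmaintained image that will not receive UniFi security updates; plan the migration and pin a tag in the meantime. The Service and container name the `8443` port `http`, but that is the HTTPS admin UI — call it `https` so port-name based tooling does not misclassify it. As with the other hand-written Deployments on this page, there is no `securityContext` or `resources` stanza.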

59
flake.lock generated

@ -181,15 +181,15 @@
"flake-compat_6": { "flake-compat_6": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1761588595, "lastModified": 1767039857,
"narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "edolstra", "owner": "NixOS",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "edolstra", "owner": "NixOS",
"repo": "flake-compat", "repo": "flake-compat",
"type": "github" "type": "github"
} }
@ -323,7 +323,7 @@
"gen-luarc", "gen-luarc",
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1723803910, "lastModified": 1723803910,
@ -528,11 +528,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1766664413, "lastModified": 1767412754,
"narHash": "sha256-zP/5t+ZDVSjflXalMu8aN5vCb2HuoNMRGeP3FzLKJOM=", "narHash": "sha256-Rl54gtnxxjYzfZFCanu5CzgG3EQQc4AgAoatFL94jqg=",
"owner": "microvm-nix", "owner": "microvm-nix",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "a4c90d904703096b51abcb5d09417d98604c5f30", "rev": "f4ae3dc4ee4c9b585b03c36bd73ef68d2a8eb3a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -627,11 +627,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1766568855, "lastModified": 1767185284,
"narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -699,6 +699,22 @@
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": {
"lastModified": 1767325753,
"narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "64049ca74d63e971b627b5f3178d95642e61cedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1720386169, "lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
@ -730,11 +746,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1766651565, "lastModified": 1767379071,
"narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -860,11 +876,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765911976, "lastModified": 1767281941,
"narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=", "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "b68b780b69702a090c8bb1b973bab13756cc7a27", "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -882,6 +898,7 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable",
"nvim": "nvim", "nvim": "nvim",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
@ -1014,11 +1031,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766000401, "lastModified": 1767468822,
"narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=", "narHash": "sha256-MpffQxHxmjVKMiQd0Tg2IM/bSjjdQAM+NDcX6yxj7rE=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd", "rev": "d56486eb9493ad9c4777c65932618e9c2d0468fc",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -3,6 +3,7 @@
inputs = { inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
pre-commit-hooks = { pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix"; url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -45,6 +46,7 @@
{ {
self, self,
nixpkgs, nixpkgs,
nixpkgs-stable,
systems, systems,
... ...
}@inputs: }@inputs:
@ -61,6 +63,10 @@
(import ./pkgs/overlay.nix) (import ./pkgs/overlay.nix)
]; ];
}; };
pkgs-stable = import nixpkgs-stable {
inherit system;
config.allowUnfree = true;
};
eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system}); eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system});
treefmtEval = eachSystem (pkgs: inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix); treefmtEval = eachSystem (pkgs: inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix);
in in
@ -69,6 +75,7 @@
inherit inherit
inputs inputs
pkgs pkgs
pkgs-stable
attrs attrs
system system
; ;
@ -83,54 +90,27 @@
}; };
}; };
}; };
deploy.nodes = { deploy.nodes = import ./fleet.nix { inherit inputs self system; };
consensus = {
hostname = "consensus";
sshUser = "root";
remoteBuild = true;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
};
};
oracle1 = {
hostname = "oracle1";
sshUser = "root";
sshOpts = [
"-p"
"2022"
];
remoteBuild = false;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1;
};
};
oracle2 = {
hostname = "oracle2";
sshUser = "root";
sshOpts = [
"-p"
"2022"
];
remoteBuild = false;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle2;
};
};
};
formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper); formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper);
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
inherit (self.checks.pre-commit-check) shellHook; inherit (self.checks.pre-commit-check) shellHook;
buildInputs = [ buildInputs = with pkgs; [
pkgs.home-manager age
pkgs.git deploy-rs
pkgs.ssh-to-age git
pkgs.sops home-manager
pkgs.age k9s
pkgs.deploy-rs kubectl
kubeseal
sops
ssh-to-age
treefmtEval.${system}.config.build.wrapper treefmtEval.${system}.config.build.wrapper
velero
(pkgs.writeShellScriptBin "deploy-k8s" ''
cd $(git rev-parse --show-toplevel)
kubectl config use-context lab
kubectl apply -k ./clusters/lab
'')
]; ];
}; };
}; };
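Review bot: The `deploy-k8s` wrapper (`cd $(git rev-parse --show-toplevel)`, `kubectl config use-context lab`, `kubectl apply -k ./clusters/lab`) has no error handling: if the `cd` or the context switch fails, the apply still runs from the current directory against whatever context is active, and the unquoted `$(…)` word-splits on paths with spaces. Start it with `set -euo pipefail`, quote the substitution as `cd "$(git rev-parse --show-toplevel)"`, and use `kubectl --context lab apply -k ./clusters/lab` so the script does not mutate the user's kubeconfig as a side effect.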

33
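--- /dev/null
+++ b/fleet.nix
@@ -0,0 +1,33 @@
+{inputs, system, self}: {
+consensus = {
+hostname = "consensus";
+sshUser = "root";
+remoteBuild = false;
+profiles.system = {
+user = "root";
+path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
+};
+};
+zen = {
+hostname = "192.168.1.148";
+sshUser = "root";
+remoteBuild = false;
+profiles.system = {
+user = "root";
+path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.zen;
+};
+};
+oracle1 = {
+hostname = "oracle1";
+sshUser = "root";
+sshOpts = [
+"-p"
+"2022"
+];
+remoteBuild = false;
+profiles.system = {
+user = "root";
+path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1;
+};
+};
+}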
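Review bot: `zen.hostname = "192.168.1.148"` is a bare IP while every other node is addressed by an ssh-config alias, so the port/identity settings the rest of the fleet inherits from `~/.ssh/config` presumably do not apply to zen and its host-key entry is tied to an address that can change; give zen an alias in the same ssh config this commit edits (the one that drops `oracle2`) and reference it by name. `consensus.remoteBuild` also flips from `true` in the removed `flake.nix` block to `false` here; if that is intentional a short comment would help, since building that host's closure locally is a noticeable change.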


@ -56,12 +56,6 @@
user = "root"; user = "root";
identityFile = "/home/e/.ssh/id_ed25519"; identityFile = "/home/e/.ssh/id_ed25519";
}; };
"oracle2" = {
port = 2022;
hostname = "oracle2";
user = "root";
identityFile = "/home/e/.ssh/id_ed25519";
};
"10110110.xyz" = { "10110110.xyz" = {
port = 22; port = 22;
hostname = "10110110.xyz"; hostname = "10110110.xyz";


@ -1,66 +1,7 @@
{ {
inputs, lib,
pkgs,
host,
... ...
}: }:
{ {
# Create plugdev group nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.hostName = host.hostName;
time.timeZone = "America/Chicago";
users = {
groups.plugdev = { };
groups.${host.username} = { };
users.${host.username} = {
isNormalUser = true;
group = "${host.username}";
extraGroups = [
"wheel"
"plugdev"
"video"
"adbusers"
"network"
];
};
};
programs = {
nix-index = {
enableBashIntegration = false;
enableZshIntegration = false;
};
nix-index-database.comma.enable = true;
};
# Enable flakes and unfree packages
nix = {
package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
registry.nixpkgs.flake = inputs.nixpkgs;
settings = {
auto-optimise-store = true;
substituters = [
"https://nix-community.cachix.org"
"https://install.determinate.systems"
"https://nvim-treesitter-main.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
"nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
];
trusted-users = [ host.username ];
experimental-features = [
"nix-command"
"flakes"
];
# lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
};
channel.enable = false;
nixPath = [ "nixpkgs=flake:nixpkgs" ];
gc = {
automatic = true;
dates = "00:00";
options = "--delete-older-than 14d";
};
};
security.sudo-rs.enable = true;
} }
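Review bot: This file now sets only `nixpkgs.hostPlatform`; the removed content carried host-wide security settings — `security.sudo-rs.enable`, the `wheel`/`plugdev` user setup, `nix.settings.trusted-users`, and the automatic GC — which presumably moved into the `./modules` directory the host list now auto-imports, but none of that replacement is visible on this page. Worth confirming each host still evaluates with `security.sudo-rs.enable = true` and the same `trusted-users`, since silently losing either is exactly the regression a successful flake build will not flag.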


@ -16,13 +16,13 @@
passwordFile = config.sops.secrets."b2-immich/password".path; passwordFile = config.sops.secrets."b2-immich/password".path;
paths = [ paths = [
"/srv/immich" "/rice/immich"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "06:00"; OnCalendar = "06:00";
}; };
pruneOpts = [ pruneOpts = [
"--keep-daily 14" "--keep-daily 31"
"--keep-monthly 6" "--keep-monthly 6"
"--keep-yearly 1" "--keep-yearly 1"
]; ];


@ -1,6 +1,6 @@
{ {
lib,
pkgs, pkgs,
pkgs-unstable,
config, config,
... ...
}: }:
@ -16,105 +16,57 @@
}; };
}; };
}; };
documentation = {
enable = lib.mkDefault false;
info.enable = lib.mkDefault false;
man.enable = lib.mkDefault false;
nixos.enable = lib.mkDefault false;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
vim vim
docker-compose docker-compose
tmux tmux
]; ];
system-net.openssh.ports = [2022];
services = { services = {
# zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
# zfs.autoSnapshot.enable = true; zfs.autoSnapshot.enable = true;
fstrim.enable = true; fstrim.enable = true;
tailscale.enable = true; nfs.server = {
enable = true;
exports = ''
/rice 192.168.1.0/24(rw,fsid=0,no_subtree_check) 100.87.58.70(rw,fsid=0,no_subtree_check)
'';
};
k3s = { k3s = {
enable = true; enable = true;
role = "server"; role = "server";
extraFlags = toString [ extraFlags = toString [
"--disable=traefik" "--disable=traefik"
]; "--flannel-iface=tailscale0"
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
};
openssh = {
enable = true;
ports = [ 2022 ];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
]; ];
}; };
immich = { immich = {
enable = false; enable = true;
package = pkgs-unstable.immich;
port = 2283; port = 2283;
host = "localhost"; host = "localhost";
openFirewall = true; openFirewall = true;
machine-learning.enable = true; machine-learning.enable = true;
mediaLocation = "/srv/immich"; mediaLocation = "/rice/immich";
accelerationDevices = null;
}; };
nginx = { nginx = {
enable = true; enable = true;
# virtualHosts."img.10110110.xyz" = { virtualHosts."img.10110110.xyz" = {
# forceSSL = true;
# useACMEHost = "10110110.xyz";
# locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}";
# proxyWebsockets = true;
# recommendedProxySettings = true;
# extraConfig = ''
# client_max_body_size 50000M;
# proxy_read_timeout 600s;
# proxy_send_timeout 600s;
# send_timeout 600s;
# '';
# };
# };
virtualHosts."fs.10110110.xyz" = {
forceSSL = true; forceSSL = true;
useACMEHost = "10110110.xyz"; useACMEHost = "10110110.xyz";
root = "/var/www/nginx"; locations."/" = {
extraConfig = "autoindex on;"; proxyPass = "http://localhost:${toString config.services.immich.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 50000M;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
};
}; };
}; };
}; };
@ -122,64 +74,44 @@
kernel.sysctl = { kernel.sysctl = {
"vm.swappiness" = 6; "vm.swappiness" = 6;
}; };
tmp.cleanOnBoot = true;
# supportedFilesystems = ["zfs"];
# zfs.forceImportRoot = false;
# zfs.extraPools = ["rice"];
}; };
networking = { networking = {
hostId = "91238132"; hostId = "91238132";
hostName = "consensus";
firewall = { firewall = {
enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
22 22
80 80
443 443
2022 2022
8080 2049 #nfs
8443 8080 #unifi
8443 #unifi
10001 10001
6443 10250
25565 6443 #k8s
25566 25565 #mc
9001 25566 #mc
30303 9001 #eth
30303 #eth
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
9001 9001
30303 30303
]; ];
logRefusedConnections = true;
}; };
}; };
zramSwap.enable = false; system-sys = {
swapDevices = [ zram = false;
{ swapSize = 16;
device = "/swapfile"; };
size = 16 * 1024; virtualisation.docker = {
} enable = true;
]; extraOptions = "--dns 1.1.1.1";
virtualisation.docker.enable = true; };
users.users = { users.users = {
root = { immich.extraGroups = [ "video" "render" ];
openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
];
};
e = {
isNormalUser = true;
extraGroups = [ "wheel" ];
home = "/home/e";
openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
];
};
}; };
security.sudo-rs.wheelNeedsPassword = false;
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "acme@10110110.xyz"; defaults.email = "acme@10110110.xyz";
@ -192,6 +124,11 @@
}; };
}; };
}; };
nix.settings.trusted-users = [ "e" ]; hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
];
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
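Review bot: The firewall hunk adds `10250` (kubelet) and `2049` (NFS) to `allowedTCPPorts`, i.e. on every interface, while the same commit pins flannel to `tailscale0` with `--flannel-iface=tailscale0`; cluster ports such as `6443`/`10250` belong under `networking.firewall.interfaces.tailscale0.allowedTCPPorts` so they are not reachable from the LAN. The NFS export grants `rw` to all of `192.168.1.0/24`; restrict it to the hosts that actually mount `/rice`. The sshd hardening block, fail2ban and the root/`e` `authorizedKeys` are removed in favour of `system-net.openssh.ports = [2022]`, so those settings now live in `nixos/modules/net.nix`, which is cut off at the bottom of this page — confirm `PasswordAuthentication = false`, `PermitRootLogin = "prohibit-password"` and the fail2ban jail survived the move. `tailscale.enable = true` is also dropped here although flannel on `tailscale0` depends on it; presumably the module enables it.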


@ -12,6 +12,9 @@
"xen_blkfront" "xen_blkfront"
"vmw_pvscsi" "vmw_pvscsi"
]; ];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
boot.zfs.extraPools = [ "rice" ];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/mapper/vg-root"; device = "/dev/mapper/vg-root";


@ -1,6 +1,7 @@
{ {
inputs, inputs,
pkgs, pkgs,
pkgs-stable,
attrs, attrs,
system, system,
... ...
@ -11,7 +12,10 @@ let
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
# inputs.determinate.nixosModules.default # https://github.com/serokell/deploy-rs/issues/340 # inputs.determinate.nixosModules.default # https://github.com/serokell/deploy-rs/issues/340
]; ] ++ builtins.attrValues
(builtins.mapAttrs
(name: _: ./modules/${name})
(builtins.readDir ./modules));
in in
{ {
t14 = inputs.nixpkgs.lib.nixosSystem { t14 = inputs.nixpkgs.lib.nixosSystem {
@ -28,9 +32,10 @@ in
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
]; ];
}; };
consensus = inputs.nixpkgs.lib.nixosSystem { consensus = inputs.nixpkgs-stable.lib.nixosSystem {
inherit pkgs; pkgs = pkgs-stable;
specialArgs = { specialArgs = {
pkgs-unstable = pkgs;
inherit inputs system attrs; inherit inputs system attrs;
host = { host = {
hostName = "consensus"; hostName = "consensus";
@ -38,12 +43,24 @@ in
}; };
}; };
modules = defaultModules ++ [ modules = defaultModules ++ [
inputs.microvm.nixosModules.host
./consensus/configuration.nix ./consensus/configuration.nix
]; ];
}; };
oracle1 = inputs.nixpkgs.lib.nixosSystem { zen = inputs.nixpkgs-stable.lib.nixosSystem {
inherit pkgs; pkgs = pkgs-stable;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "zen";
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./zen/configuration.nix
];
};
oracle1 = inputs.nixpkgs-stable.lib.nixosSystem {
pkgs = pkgs-stable;
specialArgs = { specialArgs = {
inherit inputs system attrs; inherit inputs system attrs;
host = { host = {
@ -51,20 +68,6 @@ in
inherit (attrs) username; inherit (attrs) username;
}; };
}; };
modules = defaultModules ++ [
./oracle/configuration.nix
./oracle/forgejo.nix
];
};
oracle2 = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "oracle2";
inherit (attrs) username;
};
};
modules = defaultModules ++ [ modules = defaultModules ++ [
./oracle/configuration.nix ./oracle/configuration.nix
]; ];
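Review bot: The `builtins.readDir ./modules` import in the `let` hunk maps every directory entry to a module path, so a stray non-Nix file or subdirectory under `nixos/modules` (an editor backup, a README) becomes a module import and breaks evaluation of every host. Filter to regular `.nix` files before mapping: `(inputs.nixpkgs.lib.filterAttrs (n: t: t == "regular" && inputs.nixpkgs.lib.hasSuffix ".nix" n) (builtins.readDir ./modules))`. `lib` is not among this file's arguments, hence the `inputs.nixpkgs.lib` path; the `defaultModules` binding starts outside the hunk.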

105
nixos/modules/net.nix Normal file

@ -0,0 +1,105 @@
{ host, pkgs, config, lib, ...}:
let cfg = config.system-net; in {
options.system-net = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
dns = lib.mkOption {
type = lib.types.bool;
default = true;
};
openssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
ports = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [22];
};
};
tailscale = lib.mkOption {
type = lib.types.bool;
default = true;
};
nfs = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
services = {
tailscale.enable = cfg.tailscale;
resolved = lib.mkIf cfg.dns {
enable = true;
fallbackDns = [
"1.1.1.1"
"9.9.9.9"
];
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
};
openssh = {
enable = cfg.openssh.enable;
ports = cfg.openssh.ports;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
systemd = {
mounts = [{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "consensus:/rice";
where = "/mnt/rice";
}];
automounts = [{
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/rice";
}];
};
};
}
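Review bot: The `systemd.mounts`/`automounts` block at the bottom of the module is not gated on the `nfs` option declared above it, so every host importing this module — consensus included, which is the `consensus:/rice` export itself — gets the `/mnt/rice` automount, and t14's `system-net.nfs = true` in its configuration hunk further down is a no-op. Wrap it as `systemd = lib.mkIf cfg.nfs {`. Separately, `ClientAliveCountMax = 0` next to `ClientAliveInterval = 300` probably does not give the idle disconnect it suggests, since recent sshd_config(5) documents 0 as disabling connection termination; a value such as `ClientAliveCountMax = 3` is worth confirming against the OpenSSH version these hosts run. A one-line header comment (`# system-net: tailscale, resolved, fail2ban, hardened sshd and the optional NFS automount`) would help readers of per-host configs find where the sshd policy lives.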

46
nixos/modules/nix.nix Normal file

@ -0,0 +1,46 @@
{ host, pkgs, config, lib, ...}:
let cfg = config.system-nix; in {
options.system-nix = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
};
config = lib.mkIf cfg.enable {
programs = {
nix-index = {
enableBashIntegration = false;
enableZshIntegration = false;
};
nix-index-database.comma.enable = true;
};
nix = {
package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
settings = {
auto-optimise-store = true;
substituters = [
"https://install.determinate.systems"
"https://nvim-treesitter-main.cachix.org"
];
trusted-public-keys = [
"cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
"nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
];
trusted-users = [ host.username ];
experimental-features = [
"nix-command"
"flakes"
];
# lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
};
channel.enable = false;
nixPath = [ "nixpkgs=flake:nixpkgs" ];
gc = {
automatic = true;
dates = "00:00";
options = "--delete-older-than 14d";
};
};
};
}
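Review bot: `nix.settings.substituters` and `trusted-public-keys` are written as full lists, which in the generated nix.conf replace Nix's built-in defaults rather than extend them; unless `cache.nixos.org` and its signing key are added elsewhere, these hosts lose the upstream binary cache and build from source anything the two listed caches do not carry. Prefer `extra-substituters` / `extra-trusted-public-keys`, or list `"https://cache.nixos.org/"` and its key explicitly, and confirm with `nix config show` on a deployed host.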

17
nixos/modules/pkgs.nix Normal file

@ -0,0 +1,17 @@
{ pkgs, config, lib, ...}:
let cfg = config.system-pkgs; in {
options.system-pkgs = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
git
vim
tmux
];
};
}

78
nixos/modules/system.nix Normal file

@ -0,0 +1,78 @@
{ host, config, lib, ...}:
let cfg = config.system-sys; in {
options.system-sys = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
swapSize = lib.mkOption {
type = lib.types.int;
default = 4;
};
zram = lib.mkOption {
type = lib.types.bool;
default = true;
};
documentation = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
time.timeZone = "America/Chicago";
boot.tmp.cleanOnBoot = true;
zramSwap.enable = cfg.zram;
security.sudo-rs = {
enable = true;
wheelNeedsPassword = false;
};
swapDevices = [
{
device = "/swapfile";
size = cfg.swapSize * 1024;
}
];
documentation = lib.mkIf cfg.documentation {
enable = lib.mkDefault false;
info.enable = lib.mkDefault false;
man.enable = lib.mkDefault false;
nixos.enable = lib.mkDefault false;
};
networking = {
domain = "";
hostName = host.hostName;
firewall = {
enable = true;
allowedTCPPorts = [
22
];
logRefusedConnections = true;
};
};
users = {
groups.plugdev = { };
groups.${host.username} = { };
users.${host.username} = {
isNormalUser = true;
group = "${host.username}";
home = "/home/e";
extraGroups = [
"wheel"
"plugdev"
"video"
"adbusers"
"network"
];
openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
];
};
};
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
];
};
}
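Review bot: The `documentation = lib.mkIf cfg.documentation { … false … }` block is inverted: the option defaults to `false`, in which case nothing is applied and NixOS keeps its documentation defaults, while setting it to `true` is what disables the man and info pages. Either gate on the negation, `documentation = lib.mkIf (!cfg.documentation) {`, or express it directly as `documentation.enable = cfg.documentation;`. The user definition also hard-codes `home = "/home/e";` beside the parameterised `users.${host.username}`; `home = "/home/${host.username}";` keeps the two in step. The option declarations would read better with a `description` each, e.g. `description = "Swapfile size in GiB; multiplied by 1024 below for swapDevices.";` on `swapSize`.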


@ -2,79 +2,23 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./forgejo.nix
]; ];
boot.tmp.cleanOnBoot = true;
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
}; };
zramSwap.enable = true; system-net.openssh.ports = [22 2022];
swapDevices = [
{
device = "/swapfile";
size = 2 * 1024;
}
];
services = {
fail2ban.enable = true;
fail2ban.maxretry = 5;
fail2ban.bantime = "1h";
fail2ban.ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
fail2ban.bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
tailscale.enable = true;
openssh = {
enable = true;
ports = [
22
2022
];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
networking = { networking = {
domain = ""; hostId = "00238132";
hostId = "81238132";
hostName = host.hostName;
firewall = { firewall = {
enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
22 22
2022 2022
80 80
443 443
]; ];
logRefusedConnections = true;
}; };
}; };
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
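Review bot: `networking.hostId` changes from `"81238132"` to `"00238132"` in the same commit that starts importing the `rice` zpool (`boot.zfs.extraPools` in the hardware-configuration hunk near the top, presumably this host's), and the old value is reassigned to zen. If the pool was last imported under the previous hostid, ZFS will treat it as foreign on the next boot and refuse the import unless forced; check with `zpool import` on the host before deploying, or keep this hostid and give zen a fresh one. With the firewall now enabled by `system-sys`, which already adds 22, the remaining `allowedTCPPorts = [ 22 2022 80 443 ]` is harmless since the lists merge, but `[ 2022 80 443 ]` alone states what this host adds.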


@ -76,7 +76,7 @@ in
"/var/lib/forgejo" "/var/lib/forgejo"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* */6:00:00"; OnCalendar = "06:00";
}; };
pruneOpts = [ pruneOpts = [
"--keep-daily 31" "--keep-daily 31"


@ -21,5 +21,4 @@
device = "/dev/sda1"; device = "/dev/sda1";
fsType = "ext4"; fsType = "ext4";
}; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }


@ -44,11 +44,8 @@ in
dns = "systemd-resolved"; dns = "systemd-resolved";
}; };
firewall = { firewall = {
enable = true;
allowedTCPPorts = [ 11111 ]; allowedTCPPorts = [ 11111 ];
allowedUDPPorts = [ ];
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
logRefusedConnections = true;
}; };
}; };
@ -86,7 +83,8 @@ in
]; ];
}; };
}; };
system-net.nfs = true;
system-sys.zram = false;
hardware = { hardware = {
graphics = { graphics = {
enable = true; enable = true;
@ -100,13 +98,6 @@ in
enableAllFirmware = true; enableAllFirmware = true;
}; };
services = { services = {
resolved = {
enable = true;
fallbackDns = [
"1.1.1.1"
];
};
tailscale.enable = true;
pipewire = { pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
@ -157,7 +148,6 @@ in
trezord.enable = true; trezord.enable = true;
udisks2.enable = true; # kindle udisks2.enable = true; # kindle
ollama.enable = true;
}; };
fonts = { fonts = {
# Set a sane system-wide default font # Set a sane system-wide default font
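Review bot: Importing the new modules widens this laptop's exposure: `system-sys` adds 22 to the global `allowedTCPPorts` and `system-net` enables sshd by default, whereas the removed lines show the firewall previously admitting only 11111 plus `tailscale0` as a trusted interface. Unless sshd on t14 was already enabled elsewhere in this file and is meant to be reachable on every interface, set `system-net.openssh.enable = false;` here, or keep sshd but reach it only over the tailnet via `networking.firewall.interfaces.tailscale0.allowedTCPPorts` — which also needs `system.nix` to stop hard-coding 22 in the global list. The enclosing attribute set starts and ends outside the hunks shown.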


@ -15,6 +15,7 @@
initrd.kernelModules = ["amdgpu"]; initrd.kernelModules = ["amdgpu"];
kernelModules = ["kvm-amd"]; kernelModules = ["kvm-amd"];
extraModulePackages = []; extraModulePackages = [];
supportedFilesystems = [ "nfs" "btrfs" ];
tmp = { tmp = {
useTmpfs = true; useTmpfs = true;
}; };


@ -0,0 +1,54 @@
{ host, config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
sops.secrets = {
"password" = {
sopsFile = ../../secrets/k8s.yaml;
};
forgejo-runner = {
sopsFile = ../../secrets/forgejo-runner.yaml;
};
};
system-sys.zram = false;
networking = {
hostId = "81238132";
firewall = {
allowedTCPPorts = [
22
10250
25565 #mc
25566 #mc
];
};
};
virtualisation.podman.enable = true;
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = host.hostName;
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets.forgejo-runner.path;
labels = [
"ubuntu-latest:docker://node:24-bullseye"
"nix-upstream-latest:docker://nixos/nix:latest"
];
};
};
services.k3s = {
enable = true;
role = "agent";
extraFlags = toString [
"--flannel-iface=tailscale0"
];
tokenFile = config.sops.secrets."password".path;
serverAddr = "https://consensus:6443";
};
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
hardware.enableRedistributableFirmware = true;
hardware.firmware = [ pkgs.linux-firmware ];
system.stateVersion = "23.11";
}
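Review bot: `allowedTCPPorts` opens 10250 (the kubelet API) on all interfaces, while k3s is told to use `tailscale0` for flannel; the kubelet only needs to be reachable from the server over the tailnet, so `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 10250 ];` keeps it off the public interface (add `trustedInterfaces = [ "tailscale0" ]` if flannel's overlay traffic is expected there as well). The runner labels reference floating tags (`node:24-bullseye`, `nixos/nix:latest`), so CI jobs pick up whatever those tags resolve to on each pull; pinning by digest (`image@sha256:<digest>`) is the supply-chain-safe form. A comment on the `"password"` secret saying what it is (`# k3s cluster token, shared with the server on consensus`) would make the sops mapping self-explanatory.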


@ -0,0 +1,14 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/EECE-9ACB"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -4,38 +4,38 @@ sops:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bEpKNEhOMVRYazNDSmhB YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ3YzNU13MGFvUGliY25x
T0VadEhCdExkT2tXaklDcXFMcnNYTkx6ejJVCmJiRFUyVGRkU2tTalBCUFpYTWVk TmxIRUwzRjlPTlh5Tyt3R2Zkc3lCMFhBT2p3ClhlR3VXM3ExQS9CeDNSY1Vvb1NC
WkZNSFVSSi9lMkQyOFU1bVM5WkFCSkUKLS0tIGo0c0QrRStRWEp3SE9vNFdMY0lP ejE3elFhSk40ejBOaHdTK2Y5cVBSdHcKLS0tIHQ3TTRnSmdLWjFEWks4bnZFNkt0
dDNaTGprZVRlcmpwSzZmVzl3clZ3MzgK8y4ck9cgiPT6jDl23g0Da6mr7+KD7J+K ZHU2MkJVZUErTnJubHcxcDhxVDJwS1EKtx8pjBpjz8r8era40aUspZ8Nyg2uKBfJ
DflytAEkBZxWN8JLIeFSml6HS65xWeMuwjnQHVXQVQBlVAN9pl4fmg== 2m0FXMUyI/4KzGXAnFxPPqdeVun+NkJ61Wv4jT9Xn6PXf35ngqJ0xw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNzZUdnVwUDBKRmo3Nm9s YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYzdFY3J3R3lOcUUvRXJi
Q0l1NXZOQXhvT1JIZStLK0YyWWhQbVNuazJVCnRDa21lcHJpczk4OWtsbkN3Z2tW K0doenVhVHk4Q2syZWNidmNXNk1BaTd5Q1I4Cm9oWWYvQ0s3T3pQMEJGYllyWUl2
aXJGbnJGK1VvenJwa0ExWEFrZ3pFYjQKLS0tIGxBcUxlcnV4UEQyeE5sTWNDRU1l MEg2eHZZWHdTMkVwdjRMbXdPN3RPWncKLS0tIFFIL2NoQXRkbnZONjJOZGIwNVBl
bTVmbmxhZXk5RmlUV0h0dWFVZyszSnMKQ/DVB38i8a5d6LFJaftxChthRdjBY5GQ aXZrNGVxRHdRR3VLbTFOS2I4czFGcWcKUzvwpiCHzQIgtX/cikMwvHoGu/8QxPbN
TsFDbl6okwxUqBCx07A0ftYSeCHoC2Nj/AW0b8HU0DwXPPHqXwA08w== HIyjqxwxpBOWPvLV4xdayQAnIbVwK4TrQ2lcXVPJUs8/ZfTF7MREHQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZjY1RXI1Y3MyeWVlMGlC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBV1pNTE5oNmZTZlg1anpn
Nm1XNUlkODFYTkRqbnlMUytxZjZNSURYcXg0CjYxaDdLWDVZR0gwdEgrMVBSK1Br Q1NRUjRaVVBGaDRLYlByVEo4ZktKcnQrL240CkhXRlc1bENhWUdqVHJ5bkdyNXox
V2lXZ2t2Nnp2ZG52YWxYQXVoKzBTU1UKLS0tIG9RcUdqQ2E4cnlFbVRQajVJalM5 eGJ4dUNwb2M0U2o5SnQxcmxCaTJKQkUKLS0tIHRqaDdwcHVlZ21JVVh2SzQ5SHkv
bWhxdERTaHpFSVE5MEdoRndMM3VGK2MKYbs06A2NmyFKssKqeudt/mFG4l/yDV9k d0RtZjRKN1ZhU2VCWE4rMDBvYTBwUnMKlygdEBamBOQnhDOH7nzhbSYFDyFS+3q5
Kod6mEZYxdjUP91waOmLCC997DSIkih9sHaaYhm/ahy4ryD4fstkLA== eSqIZfCWW0V1yEHbe/t4SwSLYiVZLY21DS63JZ22jrnl0v7521ntqA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek8vNVNZUkNraGNGbFJy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaGZUM3hKSE1BM1JscmlS
RmliVHFiVnRhUDArVFN0MGplTkYzbGxSQmg4ClZaMzZobFM3eGNvaytIeEJ3cjI2 ZGZST2g3MkZzbmRISnN3TkltK2lleHpmWHlzCmdFbnZKSXZWOFZoWFhhV0RON0tm
VlhKNXBIK0pWTml2TThqQ1VUSi9hMHcKLS0tIEExN0dwWS9UNTBzWmZTWHFnWnBH MENsZnprTkJka3pJZXM1cFpwNCtUclEKLS0tIFR4TUFSQkxkN296aXJyT25nK3RG
Skx4ZWgrN0lFLzNyL0RTNWRaRnZUL0kKGysePFPyRFVSEfoSaqsdRkH/SbkWy7RJ b3pxaExSTjYxbFFwYU1PNUJBbEIrSTgKzxlxMiHPdQpvciHa2fNr3/QIRrReq3mm
IyYjt0JFtSo9QplzHFkOsdbeAV5E8MrMP/lFhhvPZcjwmO6/Pxl5Lg== xDjklnlIAdYTrq2mr6rS3sZMer3aOx7A8glOTcVL2VjgyQ1/s30+uA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-02T00:02:47Z" lastmodified: "2025-06-02T00:02:47Z"
mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str] mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str]
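Review bot: This file and the two secrets files further down (`lastmodified` 2025-09-27T18:30:16Z and 2025-09-27T20:37:26Z) are re-wrapped to the new `zen` recipient, but the `mac:` value in each is byte-identical before and after, which indicates the per-file data key was not rotated — only re-encrypted to a new recipient set, i.e. `sops updatekeys` behaviour. The removed recipient `age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc` can therefore still unwrap the data key from the previous revision in git history and decrypt the current content of these files. If that key is retired rather than merely unused, run `sops rotate -i <file>` on each file to issue a new data key, and rotate the underlying plaintext secrets where feasible.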


@ -4,38 +4,38 @@ sops:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUEh4TDhiL2ZQRlpBRUd5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGWnNRSHpLWkdMVGpDNVdF
ZDduRGpqd2xNdml1eHIyanM3bVpyazFYZld3CjFHS29NcXhUTTJRQS9haUxYUzZn QitwMkoyUDFVRk5STCthU0VvaENOMmhxUW13CmVCaTExQXRsTXI4UEJVM0tNSGJC
akIzZW0yMFNyUEV5MDJ1c1NJRGwzekkKLS0tIDJ0ZmdXVVQ5TDUzUmRvYTIrY3JC NHg1cU1FTzlrRithbFNlejU5N0p6QmMKLS0tIE81R1lxVmw0YUtQT0tLWWlFR0VR
Q1l5NHZZRGgxTjkyRml3Zjk3c0J6b0UKWxpejYzaLl5ndmITKoWeFdwjytSQwTm+ QjlJTVZTbENqa2xNMlJzR0wwN3NwMkUKbhEnJPJu46i+Zx/cjlCMgahBwCsFWTG3
6FKP8jFUjybRjhAVvJDQ7Cxab+oHJ7p7+fCAT5mo7i3okVB7bdHhrw== aIlCS9tPZNHHw/BZ0qoOeXAzRsAbqQaelxTRkStnksslgzZPdfpaiA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZnYyNVZqNzVYcitMampP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSDdTalFXelU5V2JWQUhr
a0VtYTkwRlNkaktrNThZeGljZUt1RXgrYkQ0Ck5WNHNHT3NOd2daSW8rMERsN1JN UHhKSUxBek1HR0dEbkdyODFOWVJILzlpVVFrCmtXM20wMjkwangrS3cveWp2aE5Q
WEYrWDZFOEpDYzFXQldqWWRyWjYyeTAKLS0tIDZObFRaRFpoMkZmNlFUcVJrRHRZ Z1FpeE43cWwyNk1DbGoxVjJzNXJHWHMKLS0tIHZMM21BRy91ZE1kU0RVTys5WStW
dHV3bFRZTExqNWpiblJoQ1h2MXJQNzgKXHwe7ZyvKuAf9wMxFHR1U1oilw3ecD1P NGlFYlJTMXRmZ0NENXBHRVkvV2tjNEEK9PaKtAHAnlkiAtXm0AcqTSUm4ynB6WFi
O/XS/+WhYAVHMkaUVUkanczvP6ff5DRBrbdJ+akBYu3pZNkrgCCiiw== XAX4I/Yv6ykAMA6FyfFXQjqPA1pqh9HjrlVimor91Puwz0omCJcgjw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQjZNLytxTWlIdG0ycmlM YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRktOaW5XSU1jbitCMjFJ
aURiMUdBN3dEbmc4UitmT2xIcWl2RitnS21BClpmM0RDQ2xHQ2R2eHordUhTdWp0 NDJTcXc5enNLQWFqWVpXbkM2dGxpb1lpN3lVClVJZWEvYTBHbm1vd3dwVTV4Y3Fn
cW9zNHY4Z1JaQitCQ2lUQm05cWlkT3MKLS0tIGJ5VVU2ZzN2L0ZRTEFTS2hnaDkz T2JRYmlFNE5hMDB4cmJwNUs0RlFKQVEKLS0tIHM3cEpwUFZIbmEvZnkxbW5BQ1E4
NnVJZEpvQ3VpVXZQMEhFMTBiL0IrNEEK4lbNKd8AiN5pY9dEUirZ2TiCkexI4v0a dDVpbFVoVGprWHF4K0lJSnVOY01TcUUKWzrAsKsGMVWqds0BuYjXxo7In1RSlmQP
W8XtUcGg+tQsrw1G5q7jS0EgV/oy1I9+0gJkHNhfRJH2P0UQ7079YQ== C2BpEutA3uQ8GrNEM5N0r1Nauy3x+e0n+j0/LS7hzSaj0HQLTKUR6w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VUtrNU1KdENHNVdOT0tu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NUJyamdFdHh1YS9BZjN1
TmY1S0tNb0ZHM0JyT2tPUTllTnFIT25YWmhRCk1ORHJvUkRqclQveDhwazIvM2pM bWlvWVpjRGFnUXhoSGNHSDRLRFN0NWJvY1ZjCmFOL0RHY1JXbk1hQVF4dEp2anNu
V3JUNjVZa28yK1FyY1VLazFDd0x6N0EKLS0tIEd5eDRRak1yclNaS0lOWnNoTkR4 ajRaWFJ0RVVRZ0NGT1NFeVBVQzd2d1kKLS0tIC93d3NvdWZtMXRVWHNHcE8xT1Ew
YU5PeW52MEZGd3lzUG5aZEZhaURHdE0KUlf6EEc22UHcPDyVCQoVND5PFs20aCc3 bzliRFhSUUpVZ3RJZTNnVlQxdmlaMUEKmPkrlHyc/bXfHKE0qbFEXX2/w4rgiRSB
XUbtQQD9w3/aRpsuaYfJBHINjB+Ns7XIIOfWkdJe5fJiOU0u29SO8Q== bbk+uwK1IhoZnqvPhwWxiHTlvSgYCJmxzYzP+f+qO/rl+hkAaePg0Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-27T18:30:16Z" lastmodified: "2025-09-27T18:30:16Z"
mac: ENC[AES256_GCM,data:nOs0CUT0DD5dphyPTN8ev8WTdflFmNScg3UIPvXtlhGE3nJdPRW/MjraUEd5gQZ4qrwkgo99fsD1Uv6HiWBQbg59TqDNQOwhXU3SYto/zVX9Y1LGwvGurMymiQNbhHjzn+VN1tXdwyTbvhUnRSwz2a6uu1sl9m3VNfRbMewuQnM=,iv:FtMd7i5V9eRcuK9HhjiKETx/SWs5+MijVExUB/mxHjE=,tag:H+USoPhnzWzTNl7um39Pfw==,type:str] mac: ENC[AES256_GCM,data:nOs0CUT0DD5dphyPTN8ev8WTdflFmNScg3UIPvXtlhGE3nJdPRW/MjraUEd5gQZ4qrwkgo99fsD1Uv6HiWBQbg59TqDNQOwhXU3SYto/zVX9Y1LGwvGurMymiQNbhHjzn+VN1tXdwyTbvhUnRSwz2a6uu1sl9m3VNfRbMewuQnM=,iv:FtMd7i5V9eRcuK9HhjiKETx/SWs5+MijVExUB/mxHjE=,tag:H+USoPhnzWzTNl7um39Pfw==,type:str]

43
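--- a/secrets/k8s.yaml
+++ b/secrets/k8s.yaml
@@ -0,0 +1,43 @@
+password: ENC[AES256_GCM,data:ZGMA25kEy+ulzCSz4Cf2awwNJt0YgithxU4E73hCBucmATVwRvP9RLTb3/wryVJCdRqytMbNCUn10ucB/AixpCF5ocRlsY2FGJWXt7BSHUPnptQo02ycR99fgDPDKWHMdZhIp8lmFYER3cSD,iv:N7kyENzosqbG6ziJncJ0B3MsqpMMBDF+PQEgYz/7ymw=,tag:drDfEiXLotKtxRb6Ek2Mzg==,type:str]
+sops:
+age:
+- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidk5Qak9TZGxxbEhOa2c5
+Vk5walNpc2lsL0RieHBUQ1NzUzFJdXI1NVVrCk1JRkN6ZjJKTWh2T0lWUWxyZjB2
+K0RGM003aThuWnZxcmhENGFjYUhGWXcKLS0tIC9QQU9BRE1LZU1TbElHQ2dFRXB1
+M0xGL1ZwcDEvV3lYQU5XN3hoN0w1elUKnmnIHsA1wNdXhF32O6RymrTiabnI78Ho
+Gg3LFTTj8DxZP/OZwOR+djW7xjwzw8NHWbxc1gT3YiYTWiP7DRepnw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNVZaWWs1WjdxanYvRmt5
+OUE4SHd2REE3RGZNTEt6UmFVSVYrZThkSUdnCktrZWk4QTV5dkdBTFlGQ2tsdTJJ
+eEpTQ0FEbkVRZ0pEdysvWnVLVUJxVm8KLS0tIDRxZEgvNFk1WENGTGdUZEdmU0tr
+NGxUK2thclU0cHd4cS8rYW1kQm9WT1kKX7oKMJWC3G4o2ZFlyxzl/dCEi+uUTFI1
+XStgutdWvyMQ2nmJbQlhnN12qTt6VDj36QXVH3175U47KaJNOGvdZA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtclF0TityOStDWFZsMzA3
+Qit2d3g4VC9kRWpqd016ZXM1OW11WVhKQUh3CkhZTFhmaklWYlBwSXhuOUo0SUdl
+NTVsVVNtTXNmRStBVXI1VzlYTFgwSlUKLS0tIHhPeWFsUmtkZFVvZDRxVkE5UXN3
+STR3MUphNlBHcFNrS01NOUQ2b2lXV2MK1AxEIpS5+clX5EoMbQoyufLg/+Rh+NHz
+/Oe/xM4IqrKAlFn2vHXw0DxDxj16ReucUBRsp8haixZiGr1pMVgHvw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzJacDVvTnB6VFNmL0dW
+NzRmSHRpeVVVZnBJZXJOZXUrb2hWQjhDZ3pVCk1QbnpPZTFxdEFaSW0zMmtwWTBm
+VXZsN3E5Nk9GYnF6WUUyMElVclRpZ00KLS0tIEZJWkNVbllvS0ZTVWY5ZnpUSlpU
+NzUxTHZhL2Y4YXpvR29JUW9aOFRKemMK+fPgPXc1eGfVsJU7gyo7OwLVcpm3PE7K
+x2GFKtrw84aNE4CMxKvx3dRUoIphj2vw45cLOriJRpnig9xnMQIbCg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2026-01-11T20:07:38Z"
+mac: ENC[AES256_GCM,data:JNF6aQfUQy1a+L2BbMAjSCfnntUaUlWcyfP9kgXpwrxcVK/qEbXxHPb+NDOliWvOPp4cMDjVphBgyQtjNTzTRfkMeMqtpKEIOkYUpo9dN69uHrws6rGq+tDCn50UZOgKirA3ojvrqEZvUKS8QgsRN7l0XK4RJjgTATBJQfNjGRY=,iv:vEAJJJEF/rPSDAfcxp1FbhnP78I3Uuk+GarWpHSGCUs=,tag:BIz3mYMVjmugWtKEg9WXiw==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0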


@ -22,38 +22,38 @@ sops:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcC90dkcvbnJoQzFDWTcr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1V3hSa0VVY1hLLzNEZkJw
SXFTdnRTOGhxZ3RNMHVpZFFLWHdIWUxMYzNZCjRlRTdYaS9YMjdFdzIzeHVLR3hs OEp0THhMM3VMOWMxOGMxZjV6UVdJMTMrZzFZCnlrL0sveTBqL08zSUJDeVZLUVNO
QzNPM2k2UVV3bWI5WjVDT2pDaVZPaFEKLS0tIFFtdDI2Zmxnbk4xV2NGb2NDWUF6 WUgzZGhYdytRZ1FVa2N3Vmd4aEFnS00KLS0tIFJHMStGQ29pMWFGUno5aEg0REU5
VmROS3plOURRTzYzaEo2S1RraFRKeW8Kg3jYWWQuEX1Y6SfkT6lRdX6tmgkFiIW7 N1J1c3JLT2h1R25ZWVVoY3g3bzF4M00KW4YOac1MZEVvtlovVcEvVOGqnghq5JDF
JX9D10jqN4DbDOYKu+MRvdz9/cagIyodg1/5LIPGBNGOKpNLiEH7AQ== V0uBNdqtYEyIBVCQI0gXebtNmtxkfg06PI4JdGiUkoUKW+ztIk4TsQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqd3RQQUtmVXgvb1JLMnZt YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuV1FBTGpKc1d5cjhRdUUy
Y0dITDF6anBKcWxoOWZuQStSTk1zWkdwdEN3CmFaVWphcVpjTUhNcUdjVGpnV0hq MG8yQ3BqTTlsemhzWFBQTFR3UXV4SEFOaUhnCmE5ajdYaTRsN1BrY2JMYnBGUTZJ
Z25hVmNDQUQ1YnJSd3puS214TzlkbkUKLS0tIGVXRG9mczBKcHFzb0FwYU5FZkpY VnFvS0gvU05mT1hzb1A4NU5xOXFMbGMKLS0tIGdOZDE5SVJXNkFhYmVUbVZ0UkNK
ZVhQWDZwR2xFU0xTVGVLZ3NFanY1emcKu09zXLUscPvcVQSgiN4H4dWpjMyb3t7e R2Y3NUdlay9LZmtHVCtSQm83bHBJWlEKCzXphy/+kQXUDIkhYDZ8oaQlenP3yfFe
aa54tbZ6o1+6lLg1DniL9lBxit6R+qk3SjMuU1MQJvD7ah39RSuyng== RmPZ2/asS8Ol0xkJui54i9Qqvu+18VISJVHGqcaYw+YrQnCGRPP92w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdUpxSWtHbmxzdlRYZHFT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRzBPdGp2d0k0RzFWNE94
NUY5RDhXUGN5YmlPS0UyTWcrUDlUZ3Rjbnp3CnlkQUgyNVBVclh0KzNCZkVYZURx dWRlVDRlTDMyclNMMnQ4UE5sSTNsRzdMbm1vCjZFZnEzbStzU1lyQ2xGOU5DK3No
RXFkR2JFckVPbkg5Umo3VEF1cFFOZFkKLS0tIEM2OE1hZVpUd0EzeEFrVGc4Zmww RU5jTGJra0NuQWhxakVQMDZMRSsxcG8KLS0tIE9xOThadmRISWRLb2tmeGZqWkRW
UzZZcFB4UngvTHF2YWtsSWQ1dGJaKzQK+cuuvX8un2bID+fLG5SFzQhfJ6QX5/pG RFRxbzdKa0MwRDlqOC9ITjBkSDV1Z00KI0Iq7DnOBGNmvx3RZvwdG4KYcKKgUQbB
sVSUc+VG+04aak70p8AgOO7zN75rzSf5R83mmpEwB9a+rfDrKvbjiQ== myqlctokOU3cKkGLVdVn+dYUsYqU814oIAuwiqQmD7OydIqfhbSQVQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdUU2NDRKV0w1Wkp0cDh6 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMEZML0xZRHFQdXJXVm1x
NkV5bGRXOXpId1N4R09HdGhaK1lyM05WMkNRCnZSa0ovK01JaUZ3cG1qMkFzbW5z elFhWnorOTB4RXFES0VCZG1KZVBMeCtMd3lzCmJFZnpZT3BUeEVVaUJEeXc5djN0
WHc2NDYvNFN0SnBnSVlId0pjM2xBZnMKLS0tIHRoVkQ3NzBab1BzUVltWEVWeVZi N3d0ZzJ0UHNFM0hpTS85T014VUwyY2MKLS0tIGVremFqNGh2YkNCWkNYQnNiRy93
MmJRaXZheS9JamgybTc2THc1OVQ5N3MKr73ke9RIRsZvvVGl4nyxbbe/8f5KQ6Av WS9RVW1VcXRXVjlaeE9ZNHhzaFdabWcKUbNHbMPw4O+sDjWk8ziRPoTRzzBF07ul
Uac6joEg0R6DbcQ9xRkbHyFySnLTHsF5HfVnUj2gPbdA1YsO0w2nlg== TRVXuiIAzfAXcf4Z9P5fyY0saPJhBijaurzdTD0JUP5LZh8jreWJRg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-27T20:37:26Z" lastmodified: "2025-09-27T20:37:26Z"
mac: ENC[AES256_GCM,data:30D/RyuIjhaJkRa4kBb3JK3FOGbbGL0aKAOlPgyNhpPyp7OWY1eYo2uoQSVa6lnjRgCV+YbmquXF6iNzUgWbzUWs6UuOfN+hIb/PKydBgITgVLp1bOfUQs8l2X2feYJ/QatBwr6VMgbBdrshppctSdypc9cTNv5r6sod0QwfpHA=,iv:uhwGM/bru/Z3UqnmOUHImhQkNm97zad+aH+VNXKy9m0=,tag:Zpdgcp2lPBNP4FjlTeXtKw==,type:str] mac: ENC[AES256_GCM,data:30D/RyuIjhaJkRa4kBb3JK3FOGbbGL0aKAOlPgyNhpPyp7OWY1eYo2uoQSVa6lnjRgCV+YbmquXF6iNzUgWbzUWs6UuOfN+hIb/PKydBgITgVLp1bOfUQs8l2X2feYJ/QatBwr6VMgbBdrshppctSdypc9cTNv5r6sod0QwfpHA=,iv:uhwGM/bru/Z3UqnmOUHImhQkNm97zad+aH+VNXKy9m0=,tag:Zpdgcp2lPBNP4FjlTeXtKw==,type:str]

6
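--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@@ -0,0 +1,6 @@
+terraform.tfvars
+*.tfstate
+*.pem
+*.backup
+*.lock*
+*.terraform/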
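Review bot: `*.lock*` also matches `.terraform.lock.hcl`, the provider dependency lock file, which is meant to be committed so that every `terraform init` resolves the same provider versions and checksums; with it ignored and `main.tf` using the open-ended `>= 4.90.0` constraint, each run may fetch a different `oracle/oci` build. Narrow the pattern to what is actually meant (e.g. `.terraform.tfstate.lock.info`) and keep `.terraform.lock.hcl` tracked. `*.terraform/` does match `.terraform/` but also any directory whose name ends in `.terraform`; the plain `.terraform/` is the conventional entry.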

19
terraform/compartment.tf Normal file

@ -0,0 +1,19 @@
resource "oci_identity_compartment" "tf-compartment" {
compartment_id = var.tenancy_ocid
description = "Compartment for Terraform resources."
name = var.compartment_name
}
# Source from https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/identity_availability_domains
# <tenancy-ocid> is the compartment OCID for the root compartment.
# Use <tenancy-ocid> for the compartment OCID.
data "oci_identity_availability_domains" "ads" {
compartment_id = var.tenancy_ocid
}
data "oci_core_boot_volumes" "homelab_boot_volumes" {
availability_domain = data.oci_identity_availability_domains.ads.availability_domains[1].name
compartment_id = oci_identity_compartment.tf-compartment.id
}

59
terraform/compute.tf Normal file

@ -0,0 +1,59 @@
resource "oci_core_instance" "vm_instance_ampere" {
count = 1
availability_domain = data.oci_identity_availability_domains.ads.availability_domains[1].name
compartment_id = oci_identity_compartment.tf-compartment.id
shape = "VM.Standard.A1.Flex"
display_name = join("", [var.vm_name_template, "-arm", count.index])
is_pv_encryption_in_transit_enabled = true
preserve_boot_volume = false
shape_config {
memory_in_gbs = 16
ocpus = 4
}
metadata = {
ssh_authorized_keys = var.ssh_public_key
}
source_details {
source_id = var.vm_image_arm
source_type = "image"
boot_volume_size_in_gbs = 100
}
create_vnic_details {
assign_public_ip = true
subnet_id = oci_core_subnet.homelab_subnet.id
assign_private_dns_record = true
hostname_label = join("", [var.vm_name_template, "-arm", count.index])
nsg_ids = [oci_core_network_security_group.homelab_nsg.id]
}
}
resource "oci_core_instance" "vm_instance_x86_64" {
count = 1
availability_domain = data.oci_identity_availability_domains.ads.availability_domains[2].name
compartment_id = oci_identity_compartment.tf-compartment.id
shape = "VM.Standard.E2.1.Micro"
display_name = join("", [var.vm_name_template, "-x64", count.index])
is_pv_encryption_in_transit_enabled = true
metadata = {
ssh_authorized_keys = var.ssh_public_key
}
source_details {
source_id = var.vm_image_amd64
source_type = "image"
boot_volume_size_in_gbs = 50
}
create_vnic_details {
assign_public_ip = true
subnet_id = oci_core_subnet.homelab_subnet.id
assign_private_dns_record = true
hostname_label = join("", [var.vm_name_template, "-x84", count.index])
nsg_ids = [oci_core_network_security_group.homelab_nsg.id]
}
}
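Review bot: The x86 instance's `hostname_label` uses the suffix `"-x84"` while its `display_name` a few lines earlier uses `"-x64"`, so the VM's DNS label will not match its display name or any `"-x64"` name other tooling expects. Change it to `hostname_label = join("", [var.vm_name_template, "-x64", count.index])`. Both instances receive public IPs and the `var.ssh_public_key` via metadata; a comment noting that reachability is then governed by the security list in `networking.tf` would help whoever edits this file next.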

25
terraform/main.tf Normal file

@ -0,0 +1,25 @@
terraform {
required_version = ">= 1.3.0"
cloud {
organization = "lab-xyz"
workspaces {
name = "xyz-homelab"
}
}
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.90.0"
}
}
}
provider "oci" {
tenancy_ocid = var.tenancy_ocid
user_ocid = var.user_ocid
private_key = var.private_key
fingerprint = var.fingerprint
region = var.region
}

81
terraform/networking.tf Normal file

@ -0,0 +1,81 @@
resource "oci_core_vcn" "homelab_vcn" {
cidr_block = "10.0.0.0/16"
compartment_id = oci_identity_compartment.tf-compartment.id
display_name = var.compartment_name
dns_label = "vcn"
}
resource "oci_core_network_security_group" "homelab_nsg" {
compartment_id = oci_identity_compartment.tf-compartment.id
display_name = "${var.compartment_name}-nsg"
vcn_id = oci_core_vcn.homelab_vcn.id
}
resource "oci_core_internet_gateway" "homelab_ig" {
compartment_id = oci_identity_compartment.tf-compartment.id
display_name = "${var.compartment_name}-ig"
vcn_id = oci_core_vcn.homelab_vcn.id
}
resource "oci_core_route_table" "homelab_rt" {
compartment_id = oci_identity_compartment.tf-compartment.id
vcn_id = oci_core_vcn.homelab_vcn.id
display_name = "${var.compartment_name}-rt"
route_rules {
destination = "0.0.0.0/0"
destination_type = "CIDR_BLOCK"
network_entity_id = oci_core_internet_gateway.homelab_ig.id
}
}
resource "oci_core_subnet" "homelab_subnet" {
#Required
cidr_block = "10.0.0.0/24"
compartment_id = oci_identity_compartment.tf-compartment.id
vcn_id = oci_core_vcn.homelab_vcn.id
dns_label = "homelab"
# Provider code tries to maintain compatibility with old versions.
security_list_ids = [oci_core_security_list.public-security-list.id]
display_name = "${var.compartment_name}-subnet"
route_table_id = oci_core_route_table.homelab_rt.id
}
resource "oci_core_security_list" "public-security-list" {
compartment_id = oci_identity_compartment.tf-compartment.id
vcn_id = oci_core_vcn.homelab_vcn.id
display_name = "public-security-list"
egress_security_rules {
stateless = false
destination = "0.0.0.0/0"
destination_type = "CIDR_BLOCK"
protocol = "all"
}
ingress_security_rules {
stateless = false
source = "0.0.0.0/0"
source_type = "CIDR_BLOCK"
protocol = "all"
description = "allow all"
}
}
resource "oci_core_network_security_group_security_rule" "homelab-network-security-group-list-ingress" {
network_security_group_id = oci_core_network_security_group.homelab_nsg.id
direction = "INGRESS"
source = oci_core_network_security_group.homelab_nsg.id
source_type = "NETWORK_SECURITY_GROUP"
protocol = "all"
stateless = true
}
resource "oci_core_network_security_group_security_rule" "homelab-network-security-group-list-egress" {
network_security_group_id = oci_core_network_security_group.homelab_nsg.id
direction = "EGRESS"
destination = oci_core_network_security_group.homelab_nsg.id
destination_type = "NETWORK_SECURITY_GROUP"
protocol = "all"
stateless = true
}
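Review bot: The `ingress_security_rules` block of `public-security-list` (just past the midpoint of the hunk) admits `protocol = "all"` from `source = "0.0.0.0/0"`, and that list is attached to `homelab_subnet`, whose instances are created with `assign_public_ip = true` in the compute file earlier in this commit; OCI applies the union of security-list and NSG rules, so the self-referencing `homelab_nsg` rules at the bottom of the hunk do not narrow anything and every listening port on the VMs is reachable from the internet. The `description = "allow all"` says this is deliberate for now, but the subnet list should carry only what must be public and leave intra-cluster traffic to the NSG — at minimum restrict SSH to the operator's address range and add further rules per service as they are needed. A rewrite of the ingress rule along these lines, with `ADMIN_CIDR` as a placeholder for that range:
```hcl
resource "oci_core_security_list" "public-security-list" {
  // … unchanged: compartment_id, vcn_id, display_name, egress_security_rules …
  ingress_security_rules {
    stateless   = false
    source      = "ADMIN_CIDR" # placeholder: operator's address range, e.g. a /32
    source_type = "CIDR_BLOCK"
    protocol    = "6" # TCP
    description = "ssh from admin range only"
    tcp_options {
      min = 22
      max = 22
    }
  }
}
```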

3
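--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -0,0 +1,3 @@
+output "x64_public_ip0" {
+  value = oci_core_instance.vm_instance_x86_64[0].public_ip
+}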
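Review bot: `x64_public_ip0` indexes `oci_core_instance.vm_instance_x86_64[0]` unconditionally; that resource is count-based (its `display_name` uses `count.index` in the compute file earlier in this commit), so if the count ever resolves to 0 the output fails at plan time instead of reporting nothing. `value = try(oci_core_instance.vm_instance_x86_64[0].public_ip, null)` — or a splat over the whole list, `oci_core_instance.vm_instance_x86_64[*].public_ip` — keeps the output valid for every count. I cannot see the count expression itself, so this only matters if it is not a fixed positive constant.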


@ -0,0 +1,20 @@
# https://cloud.oracle.com/org-mgmt/tenancy
tenancy_ocid = ""
# https://cloud.oracle.com/identity/domains/my-profile
user_ocid = ""
# https://cloud.oracle.com/identity/domains/my-profile/api-keys
# contents of the private key, rather than a path pointing to the .pem file
private_key = ""
fingerprint = ""
region = "us-ashburn-1"
# VM Images: https://docs.oracle.com/en-us/iaas/images/
vm_image_arm = "ocid1.image.oc1.iad.aaaaaaaam4d2tsohvgq7cqilhtcnlvp2zmzatb57xuprljhkvqgon73uzeqq"
# SSH keys for remote exec
ssh_public_key = "ssh-ed25519 xxx..."
ssh_private_key = "..."
# OPTIONAL
vm_name_template = "xyz-homelab"
compartment_name = "xyz_homelab"
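Review bot: This example tfvars sets `vm_image_arm` but not `vm_image_amd64`, yet the amd64 instance earlier in this commit reads `source_id = var.vm_image_amd64`, and `variable "vm_image_amd64"` in terraform/variables.tf has no default, so a copy of this file produces a prompt or a plan error; `k3s_master_ip` and `k3s_token` are in the same position. The `# OPTIONAL` marker is also misleading, since neither `vm_name_template` nor `compartment_name` declares a default. Both `private_key` and `ssh_private_key` are expected inline here, so any copy of this file with real values must stay out of version control; a comment at the top saying so, e.g. `# Template only — copy to terraform.tfvars (git-ignored) before filling in credentials`, would make that explicit.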

65
terraform/variables.tf Normal file

@ -0,0 +1,65 @@
variable "compartment_name" {
description = "Name of OCI compartment"
type = string
}
variable "tenancy_ocid" {
description = "Tenancy OCID."
type = string
}
variable "user_ocid" {
description = "User OCID."
type = string
}
variable "vm_image_arm" {
description = "The OCID of the arm VM image to deploy."
type = string
}
variable "vm_image_amd64" {
description = "The OCID of the amd64 VM image to deploy."
type = string
}
variable "vm_name_template" {
description = ""
type = string
}
variable "region" {
description = "The name of the OCI resource region."
type = string
default = "us-ashburn-1"
}
variable "fingerprint" {
description = "Fingerprint of the public API key from OCI."
type = string
}
variable "private_key" {
description = "Contents of the .pem private key, downloaded from Oracle Cloud"
type = string
}
variable "ssh_public_key" {
description = "SSH pubkey string"
type = string
}
variable "ssh_private_key" {
description = "SSH privkey string"
type = string
}
variable "k3s_master_ip" {
description = "IP addr of k3s master, to pass to ansible"
type = string
}
variable "k3s_token" {
description = "k3s token, to pass to ansible"
type = string
}