ciapa
/
infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Decommission nyx
ci / test (push) Successful in 1m16s Details
ci / deploy (push) Successful in 6m23s Details

This commit is contained in:
Ciapa 2024-02-10 19:27:37 +01:00
parent e7838b8992
commit 6215a962e4
12 changed files with 0 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
flake.nix
View File

@ -40,16 +40,6 @@
];
};
"nyx.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
./default.nix
./hosts/nyx.lewd.wtf/configuration.nix
];
};
"phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
@ -128,19 +118,6 @@
};
};
"nyx.lewd.wtf" = {
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
hostname = "nyx.lewd.wtf";
fastConnection = true;
profiles.system = {
sshUser = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."nyx.lewd.wtf";
user = "root";
};
};
"phoenix.lewd.wtf" = {
sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" ];
hostname = "phoenix.lewd.wtf";

24
hosts/nyx.lewd.wtf/configuration.nix
View File

@ -1,24 +0,0 @@
{ self, config, pkgs, lib, ... }:
let
utils = import ../../util/include.nix { lib = lib; };
imports =
(utils.includeDir ./services) ++
[
./hardware-configuration.nix
./networking.nix
./users.nix
./secrets.nix
];
in
{
inherit imports;
networking.hostName = "nyx";
networking.domain = "lewd.wtf";
boot.loader.grub.enable = false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "22.11";
}

35
hosts/nyx.lewd.wtf/hardware-configuration.nix
View File

@ -1,35 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/adde8f5f-358d-4ed2-835a-8fecbe4a86a4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8D9D-CCA2";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/6cee1359-6e2c-45fc-927d-f2a558f0ec5d";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/474244b3-df18-4af7-badf-d7b2531ae17c"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

11
hosts/nyx.lewd.wtf/networking.nix
View File

@ -1,11 +0,0 @@
{ ... }:
{
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "192.168.0.1" ];
networking.interfaces.enp2s0.ipv4.addresses = [
{
address = "192.168.0.10";
prefixLength = 22;
}
];
}

14
hosts/nyx.lewd.wtf/secrets.nix
View File

@ -1,14 +0,0 @@
{ config, ... }:
{
sops.defaultSopsFile = ./secrets/services.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Vaultwarden
sops.secrets."services/vaultwarden/.env" = {
mode = "0400";
owner = config.users.users.vaultwarden.name;
group = config.users.users.vaultwarden.group;
sopsFile = ./secrets/vaultwarden.env;
format = "dotenv";
};
}

30
hosts/nyx.lewd.wtf/secrets/services.yaml
View File

@ -1,30 +0,0 @@
example_key: ENC[AES256_GCM,data:MB+njL6mhVGUYKlBww==,iv:wXY3sv0gW37H/Mv5s4caJIZe0NPzrSOu5+/zZV21OsU=,tag:G9EH5DpFHMq2Qx/grNrYNQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QXk5U3JRZ1FtNzM0cEZJ
b3RXdEpra2VJSWxvT3BwOWZuc1JkWkhBQWlVCmFQUHlybEZYNXYrNVpLT2xPc2pP
UEtxdlJHdWhzK05CRzN1dFlqM01ValkKLS0tIDZVQWo0SXFyV1Nad2RGcGFtcDBt
UHQyVjkvOGZXVXJDYWhQeFN0WFJhOHcKsmRy6Sn3IHPuXdv5j8l373HLBSgBy7M/
Z/uIth3S50OGf6okvvHJxWuZ3xVXwZqUwfYpE5WtJuSXi4rBaJHISw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxamE0eTB3TXVGNDN1azZ3
MmRHalA4TjErZE1Db2tNM1lhd2VHK0l0YlVNClFic2t2VXhKR0pBMGFIVHRFczEy
cE9KZjlDSzZuYlJWTlVEL1ZXOUxRajAKLS0tIHhaekZvdE40YlVlS3A2Y0kxWHVR
SkMwdFUrcmN4aUJ0cms5WlhBWnZKTncKt0JurciGm7hQI8VSalQaHvGzh9xF2Xrl
afe94Ma/mmojj8cEqJQlarMMDtAAGsWjz7zwwam629uE9Yjsr/YRbw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-15T08:13:59Z"
mac: ENC[AES256_GCM,data:ockH8FVoLTeGuCOKknJ3aSQIQEIFFtmJQ+RwmDgorWSYHCUDsriSGy8fVEoAE/6pzGMahjdC1rK2YtaeAFljsNTh1Ct5CpVBmwKZVOCZSM9eWz4d7JFjJolIc+kNSj/9k+NUZBZafUMa1ckIK/8CMM0AysZ/mBeYTsaP8WOfB5g=,iv:aFICxoznCi5Tg+YZrsBAiEWPw7Hw+Abv1wJpdB50PQY=,tag:2sWz7OvFI7pIRsoeHJKpxQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

11
hosts/nyx.lewd.wtf/secrets/vaultwarden.env
View File

@ -1,11 +0,0 @@
ADMIN_TOKEN=ENC[AES256_GCM,data:R1mhyfHnTvnWaeKL7UFUuaA8bmpoQciLXRgLZKTDH0Zvo/M76s/NSenBEtpfpUJMbHGp1hmXqkK6jR5WVemYhg==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:yPXiqasJbj2NCc5vIc2zVw==,type:str]
SMTP_PASSWORD=ENC[AES256_GCM,data:dhTGLgXtdn6olKATr/qTRA==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:cmcSLz0/YS1/45ZrLSp08Q==,type:str]
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:mIfNhnuU3+KaOJ/MXSabOus5nAGdNmoHimWhba8s,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:zIUbM5mBqJeQJ2npKPJ+fw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_mac=ENC[AES256_GCM,data:3EjD4AKgXCOTIwCZrRkq+NYDrRSH7+8LsC4Eop6SNVyXUCP5zyhJwInFpSnrSeYPp81HSxZz0LZEotJH0P6e1/JVfxKz9bOuoGr2856fEh3qmzQW2Mu6UJSFa2rGjtqTuWC+fMvIUpNX5dF2d3nxEGkRbylQedQLWACKgYVmfEo=,iv:EBBRSR84VLpezX7WdFwHyvqu5fZn7bZ/t/2H37Mx44Q=,tag:Rbkcq2V8G0rDwQYiwm0JtQ==,type:str]
sops_age__list_1__map_recipient=age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdTRPUGxqcGowU0FjRE84\nNjhKdEJabFZEVXo3aTArQnNNRjhaMFZiKzNrCmpLbFoxTVlTUkYxOHVJdlFqa0JF\nQStIT29uSlY3SWtzZHFqbjZwTHZ1aEUKLS0tIHJlLzlCV0RJekVvOWRLV3JmZ2pv\nZ0VrUVg5NXVTWU5LRDk2M3dYWXM3bkEKA4KusPniM0pO6oJhHq1khrfcwdSvG+/A\n7rn6Ib23WSHUAquxCxOz9IXL2GDrajEFnv82lyYUgijgb7PEWC2pPQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_version=3.7.3
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UXYrVkxHSmx1V1E1aVlW\nTVMwamo2ZnJrbERDTkJoSS8yanVXZ2pEbEJnCjExM2U5T1U3SkVrNFhIaXg5VE9K\ncnNyUDdQM2IyQ2FpenV0VEhIR1NBaTQKLS0tIEsvOTNDa1BvUlk3UE01VGZydmVG\nZDZOelphR0Nsa3c4aXZ5NDJVWlVvQmsKPxUi8Vgxe+EsHSF/33OfoEdFIUscDTzR\nzjf8rkG5BU616tudvXUGLfdncCiG+hfz7ZvmEYlTEAdGzSYSW8tuhg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
sops_lastmodified=2023-04-21T17:46:25Z

7
hosts/nyx.lewd.wtf/services/nginx.nix
View File

@ -1,7 +0,0 @@
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
};
}

23
hosts/nyx.lewd.wtf/services/uptimekuma.nix
View File

@ -1,23 +0,0 @@
{
services.uptime-kuma = {
enable = true;
settings = {
UPTIME_KUMA_PORT = "8099";
};
};
services.nginx.virtualHosts."status.lewd.wtf" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8099";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
};
}

60
hosts/nyx.lewd.wtf/services/vaultwarden.nix
View File

@ -1,60 +0,0 @@
{ config, ... }:
{
users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
services.vaultwarden = {
enable = true;
environmentFile = "/run/secrets/services/vaultwarden/.env";
config = {
DOMAIN = "https://vault.lewd.wtf";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = false;
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 3012;
ROCKET_PORT = 8222;
SMTP_HOST = "mail.your-server.de";
SMTP_FROM = "vaultwarden@lewd.wtf";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "vaultwarden@lewd.wtf";
YUBICO_CLIENT_ID = 88022;
};
};
services.nginx.clientMaxBodySize = "128M";
services.nginx.virtualHosts."vault.lewd.wtf" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:3012";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
};
}

13
hosts/nyx.lewd.wtf/services/vikunja.nix
View File

@ -1,13 +0,0 @@
{ pkgs, ...}:
{
services.vikunja = {
enable = true;
setupNginx = true;
frontendScheme = "https";
frontendHostname = "todo.lewd.wtf";
};
services.nginx.virtualHosts."todo.lewd.wtf" = {
enableACME = true;
forceSSL = true;
};
}

14
hosts/nyx.lewd.wtf/users.nix
View File

@ -1,14 +0,0 @@
{
users.groups.markus = {};
users.users.markus = {
group = "markus";
isNormalUser = true;
home = "/home/markus";
homeMode = "755";
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2eur+tK9VTYqXTgYlJY1/oV1EzUhm4QZGEl4e3/kWr deck@steamdeck"
];
};
}