Compare commits
5 Commits
f2bc058e20
...
06615390aa
Author | SHA1 | Date |
---|---|---|
josiah | 06615390aa | 9 months ago |
josiah | 21a30eabd1 | 9 months ago |
josiah | e253cf9898 | 9 months ago |
josiah | 9d7ba14fdb | 9 months ago |
josiah | 65fc8af6d8 | 9 months ago |
@ -1,59 +0,0 @@
|
||||
---
|
||||
- name: cloud wg config
|
||||
hosts: vpn
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- debug: msg="Deploying wg to cloud server"
|
||||
roles:
|
||||
- { name: wg_vpn, tags: ['wg_vpn'] }
|
||||
|
||||
- name: deploy the awful stack
|
||||
gather_facts: no
|
||||
hosts: dockerhosts
|
||||
tasks:
|
||||
- debug: msg="Deploying awful stack to cloud server"
|
||||
roles:
|
||||
- { name: awfulAll, tags: ['awfulAll'] }
|
||||
|
||||
|
||||
- name: Configure home-net base packages
|
||||
hosts: hatchery.home.jowj.net
|
||||
gather_facts: no
|
||||
roles:
|
||||
- { name: home-net, tags: ['base'] }
|
||||
|
||||
|
||||
- name: Deploy mediaserver
|
||||
hosts: mediaserver
|
||||
gather_facts: no
|
||||
roles:
|
||||
- { name: mediaserver, tags: ['mediaserver'] }
|
||||
|
||||
|
||||
- name: Deploy gitea
|
||||
hosts: dockerhosts
|
||||
gather_facts: no
|
||||
roles:
|
||||
- { name: gitea, tags: ['gitea'] }
|
||||
|
||||
- name: Deploy nextcloud
|
||||
hosts: dockerhosts
|
||||
gather_facts: no
|
||||
roles:
|
||||
- { name: nextcloud, tags: ['nextcloud'] }
|
||||
|
||||
- name: deploy the dev stack
|
||||
gather_facts: no
|
||||
hosts: dockerhosts
|
||||
tasks:
|
||||
- debug: msg="Deploying awful stack to cloud server"
|
||||
roles:
|
||||
- { name: test, tags: ['test'] }
|
||||
|
||||
- name: deploy syslog server
|
||||
gather_facts: no
|
||||
hosts: syslog
|
||||
tasks:
|
||||
- debug: msg="Deploy syslog server to larva."
|
||||
roles:
|
||||
- { name: syslog, tags: ['syslog'] }
|
@ -0,0 +1,60 @@
|
||||
---
|
||||
# Configure the baseline I want on every debian box
|
||||
|
||||
|
||||
# Configure apt
|
||||
- name: Install aptitude using apt
|
||||
apt: name=aptitude state=latest update_cache=yes force_apt_get=yes
|
||||
|
||||
# Add custom packages to apt.
|
||||
- name: Add tailscale GPG apt Key
|
||||
apt_key:
|
||||
url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
|
||||
state: present
|
||||
|
||||
- name: Add tailscsale Repository
|
||||
apt_repository:
|
||||
repo: deb https://pkgs.tailscale.com/stable/debian bullseye main
|
||||
state: present
|
||||
|
||||
# Add our packages
|
||||
- name: Install required system packages
|
||||
apt: name={{ sys_packages }} state=latest
|
||||
|
||||
# Configure sudo
|
||||
- name: Make sure we have a 'sudo' group
|
||||
group:
|
||||
name: sudo
|
||||
state: present
|
||||
|
||||
- name: Allow sudo group to have passwordless sudo
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%sudo'
|
||||
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
|
||||
# loop here??
|
||||
- name: Create a new regular user with sudo privileges
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
groups: sudo
|
||||
append: true
|
||||
create_home: true
|
||||
shell: /bin/bash
|
||||
loop: "{{ create_users }}"
|
||||
|
||||
# loop here
|
||||
- name: Set authorized key for remote user
|
||||
authorized_key:
|
||||
user: "{{ item }}"
|
||||
state: present
|
||||
key: "{{ copy_local_key }}"
|
||||
loop: "{{ create_users }}"
|
||||
|
||||
- name: Restart sshd
|
||||
service:
|
||||
name: sshd.service
|
||||
state: restarted
|
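Review bot: The `apt_key` task near the top of the hunk places the Tailscale key in apt's global trust store, so that key can sign any repository the host uses, and the `apt_repository` line that follows does not narrow it with `signed-by`; `apt-key` itself is deprecated on Debian, so this path will stop working at some point. Fetching the key into a dedicated keyring and referencing it from the repo line limits trust to that one source, as sketched below. The `bullseye` release is hard-coded although the header comment says the file targets every Debian box; if the play still runs with `gather_facts: no`, `ansible_distribution_release` is not available, so either state that assumption in a comment or move the release into a variable. The `%sudo ALL=(ALL) NOPASSWD: ALL` line later in the hunk makes every created user's SSH key equivalent to root; if that is intentional for this network, a one-line comment saying so (and that the `validate` call is what protects `/etc/sudoers` from a bad edit) would help the next reader. Unrelated to security: the task name reads `tailscsale`, and the `# loop here??` comment above the user task is stale now that the loop is present.
```yaml
- name: Add tailscale signing key to a dedicated keyring
  get_url:
    url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
    dest: /usr/share/keyrings/tailscale-archive-keyring.gpg  # keyring filename is illustrative
    mode: '0644'

- name: Add tailscale Repository
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/debian bullseye main
    state: present
# … unchanged: package install, sudo group, sudoers, users, authorized keys, sshd restart …
```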
@ -0,0 +1,3 @@
|
||||
create_users: ['josiah', 'alice']
|
||||
copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/home-net.pub') }}"
|
||||
sys_packages: [ 'sudo', 'tailscale' ]
|
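Review bot: `copy_local_key` on the second line resolves to a single public key that the role installs for every entry in `create_users`, so `josiah` and `alice` end up sharing one credential and cannot be told apart in auth logs or revoked independently. Keying the lookup per user, e.g. `copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/' + item + '.pub') }}"`, keeps one key per account; Ansible templates the variable lazily, so `item` should resolve when the `authorized_key` task loops, though that is worth confirming on a dry run. The lookup also depends on `HOME` on the control machine and fails at template time if the file is missing, which deserves a short comment next to the variable.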
@ -0,0 +1,13 @@
|
||||
* nix configurations
|
||||
This folder tracks any nix configuration required. In the past I've experimented with using things like ~deploy-rs~ and ~morph~ for managing nix hosts, but unfortunately nix state of the art is just trash from a UX perspective. I don't recommend any of these things. Instead, I'm moving to naked configuration of a single ~configuration.nix~ file for the immediate future.
|
||||
|
||||
** How this works
|
||||
|
||||
There is a single folder per host currently in use. Each folder contains about 2 files, ~configuration.nix~ and ~hardware-configuration.nix~. Any changes made to a hosts configuration should go in the appropriate configuration file, saved, and committed. To use the latest version of a file, invoke ~rebuild switch~ with additional arguments, like:
|
||||
|
||||
~nixos-rebuild -I nixos-config=path/to/your/configuration.nix~
|
||||
|
||||
In our case, to rebuild the local ~hoyden~ configuration, we would run something like:
|
||||
|
||||
~nixos-rebuild -I nixos-config=~/Documents/projects/adc/nix-configs/hosts/hoyden/configuration.nix switch~
|
||||
|
@ -1,40 +0,0 @@
|
||||
# common/default.nix
|
||||
|
||||
# inputs to this NixOS module. We don't use any here
|
||||
# so we can ignore them all.
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
# User account definitions
|
||||
./users
|
||||
];
|
||||
|
||||
# clean /tmp on boot.
|
||||
boot.cleanTmpDir = true;
|
||||
# Allow any admin to build packages, not just root.
|
||||
## if you don't set this then your sshUser MUST BE ROOT, or you'll get untrusted sig errors.
|
||||
nix.settings.trusted-users = [ "@wheel" ];
|
||||
|
||||
# Automatically optimize the Nix store to save space
|
||||
# by hard-linking identical files together. These savings
|
||||
# add up.
|
||||
#nix.settings.autoOptimiseStore = true;
|
||||
|
||||
# Limit the systemd journal to 100 MB of disk or the
|
||||
# last 7 days of logs, whichever happens first.
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=100M
|
||||
MaxFileSec=7day
|
||||
'';
|
||||
|
||||
# Use systemd-resolved for DNS lookups, but disable
|
||||
# its dnssec support because it is kinda broken in
|
||||
# surprising ways.
|
||||
|
||||
# Who is surprised that dnssec is broken? no one.
|
||||
# services.resolved = {
|
||||
# enable = true;
|
||||
# dnssec = "false";
|
||||
# };
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
# common/users/default.nix
|
||||
|
||||
# Inputs to this NixOS module, in this case we are
|
||||
# using `pkgs` so I can configure my favorite shell fish
|
||||
# and `config` so we can make my SSH key also work with
|
||||
# the root user.
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
# The block that specifies my user account.
|
||||
users.users.josiah = {
|
||||
isNormalUser = true;
|
||||
shell = pkgs.bash;
|
||||
|
||||
# My SSH keys.
|
||||
openssh.authorizedKeys.keys = [
|
||||
# Replace this with your SSH key!
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAZhFDzl1lbhWJ7MiTV3+Z1EY8M5b4cH/+ju4uo1d91 admin"
|
||||
];
|
||||
};
|
||||
}
|
@ -1,95 +0,0 @@
|
||||
{
|
||||
"nodes": {
|
||||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1674127017,
|
||||
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668681692,
|
||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1671417167,
|
||||
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1672580127,
|
||||
"narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0874168639713f547c05947c76124f78441ea46c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-22.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
@ -1,117 +0,0 @@
|
||||
{
|
||||
description = "Test deployment for my server cluster";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url =
|
||||
"github:nixos/nixpkgs/nixos-22.05"; # change this to your desired NixOS version
|
||||
# For accessing `deploy-rs`'s utility Nix functions
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, deploy-rs }: {
|
||||
nixosConfigurations.seraph = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
../hosts/seraph/configuration.nix
|
||||
../common/default.nix
|
||||
];
|
||||
};
|
||||
nixosConfigurations.demiurge = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
../hosts/demiurge/configuration.nix
|
||||
../common/default.nix
|
||||
];
|
||||
};
|
||||
nixosConfigurations.exgod = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
../hosts/exgod/configuration.nix
|
||||
../common/default.nix
|
||||
];
|
||||
};
|
||||
|
||||
nixosConfigurations.hoyden = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
../hosts/hoyden/configuration.nix
|
||||
../common/default.nix
|
||||
];
|
||||
};
|
||||
|
||||
deploy.nodes.hoyden = {
|
||||
hostname = "hoyden";
|
||||
user = "root";
|
||||
sshUser = "josiah";
|
||||
# magicRollback = false;
|
||||
remoteBuild = false;
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.hoyden;
|
||||
|
||||
# This forces ssh to connect over IPv4.
|
||||
sshOpts = [ "-4" ];
|
||||
|
||||
profiles.system = {
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.hoyden;
|
||||
};
|
||||
};
|
||||
|
||||
deploy.nodes.seraph = {
|
||||
hostname = "seraph";
|
||||
user = "root";
|
||||
sshUser = "alice";
|
||||
# magicRollback = false;
|
||||
remoteBuild = false;
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.seraph;
|
||||
|
||||
# This forces ssh to connect over IPv4.
|
||||
sshOpts = [ "-4" ];
|
||||
|
||||
profiles.system = {
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.seraph;
|
||||
};
|
||||
};
|
||||
deploy.nodes.demiurge = {
|
||||
hostname = "demiurge";
|
||||
user = "root";
|
||||
sshUser = "alice";
|
||||
# magicRollback = false;
|
||||
remoteBuild = false;
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.demiurge;
|
||||
|
||||
# This forces ssh to connect over IPv4.
|
||||
sshOpts = [ "-4" ];
|
||||
|
||||
profiles.system = {
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.demiurge;
|
||||
};
|
||||
};
|
||||
deploy.nodes.exgod = {
|
||||
hostname = "exgod";
|
||||
user = "root";
|
||||
sshUser = "alice";
|
||||
# magicRollback = false;
|
||||
remoteBuild = false;
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.exgod;
|
||||
|
||||
# This forces ssh to connect over IPv4.
|
||||
sshOpts = [ "-4" ];
|
||||
|
||||
profiles.system = {
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.exgod;
|
||||
};
|
||||
};
|
||||
|
||||
# This is highly advised, and will prevent many possible mistakes
|
||||
checks =
|
||||
builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy)
|
||||
deploy-rs.lib;
|
||||
};
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
{
|
||||
description = "Hoyden's Flake";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url =
|
||||
"github:nixos/nixpkgs/nixos-22.05"; # change this to your desired NixOS version
|
||||
# For accessing `deploy-rs`'s utility Nix functions
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
unstableTarball = fetchTarball
|
||||
"https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, unstableTarball }@attrs: {
|
||||
nixosConfigurations.hoyden = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = attrs;
|
||||
modules = [ ./configuration.nix ];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
/nix/store/lwyi13rbiw9afcjps9fyiarjfkjkqq12-morph
|
@ -1 +0,0 @@
|
||||
hoyden:mzRpcmjuqPqre3Si990zXvAeD9xwqRJMezGsxdXV2vTayggi7ycd8bhQlPQGg3u2YhjbaztvTo1bogdeAlI/bg==
|
@ -1 +0,0 @@
|
||||
hoyden:2soIIu8nHfG4UJT0BoN7tmIY22s7b06NW6IHXgJSP24=
|
@ -1,40 +0,0 @@
|
||||
# ops/home/network.nix
|
||||
|
||||
{
|
||||
# Configuration for the network in general.
|
||||
network = { description = "home.jowj.net cluster definition"; };
|
||||
|
||||
# This specifies the configuration for
|
||||
# `seraph` as a NixOS module.
|
||||
|
||||
# "seraph" = { config, pkgs, lib, ... }: {
|
||||
# deployment.targetUser = "alice";
|
||||
# deployment.targetHost = "seraph";
|
||||
|
||||
# # Import seraph configuration.nix
|
||||
# imports = [
|
||||
# ../../hosts/seraph/configuration.nix
|
||||
# ../../common ];
|
||||
# };
|
||||
|
||||
"exgod" = { config, pkgs, lib, ... }: {
|
||||
deployment.targetUser = "alice";
|
||||
deployment.targetHost = "exgod";
|
||||
|
||||
# Import exgod configuration.nix
|
||||
imports = [
|
||||
../../hosts/exgod/configuration.nix
|
||||
../../common ];
|
||||
};
|
||||
|
||||
"hoyden" = { config, pkgs, lib, ... }: {
|
||||
deployment.targetUser = "alice";
|
||||
deployment.targetHost = "hoyden";
|
||||
|
||||
# Import seraph configuration.nix
|
||||
imports = [
|
||||
../../hosts/hoyden/configuration.nix
|
||||
../../common ];
|
||||
};
|
||||
|
||||
}
|
@ -1,22 +0,0 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
|
||||
# Specify the packages we are using in this
|
||||
# script as well as the fact that we are running it
|
||||
# in bash.
|
||||
#! nix-shell -p morph -i bash
|
||||
|
||||
# Explode on any error.
|
||||
set -e
|
||||
|
||||
# Build the system configurations for every
|
||||
# machine in this network and register them as
|
||||
# garbage collector roots so `nix-collect-garbage`
|
||||
# doesn't sweep them away.
|
||||
morph build --keep-result ~/Documents/projects/adc/nixos-configs/ops/home/network.nix
|
||||
|
||||
# Push the config to the hosts.
|
||||
morph push ~/Documents/projects/adc/nixos-configs/ops/home/network.nix
|
||||
|
||||
# Activate the NixOS configuration on the
|
||||
# network.
|
||||
morph deploy ~/Documents/projects/adc/nixos-configs/ops/home/network.nix test
|
@ -1,40 +0,0 @@
|
||||
let
|
||||
pkgs = import (import ../nixpkgs.nix) {};
|
||||
in
|
||||
{
|
||||
network = {
|
||||
inherit pkgs;
|
||||
description = "simple hosts";
|
||||
ordering = {
|
||||
tags = [ "db" "web" ];
|
||||
};
|
||||
};
|
||||
|
||||
"web01" = { config, pkgs, ... }: {
|
||||
deployment.tags = [ "web" ];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
||||
fileSystems = {
|
||||
"/" = { label = "nixos"; fsType = "ext4"; };
|
||||
"/boot" = { label = "boot"; fsType = "vfat"; };
|
||||
};
|
||||
};
|
||||
|
||||
"db01" = { config, pkgs, ... }: {
|
||||
deployment.tags = [ "db" ];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
services.postgresql.enable = true;
|
||||
|
||||
fileSystems = {
|
||||
"/" = { label = "nixos"; fsType = "ext4"; };
|
||||
"/boot" = { label = "boot"; fsType = "vfat"; };
|
||||
};
|
||||
};
|
||||
}
|