init new infra

2026-01-14 16:55:00 +01:00 · 2024-07-26 18:19:07 +02:00 · 2024-07-26 18:19:07 +02:00 · 0825d85c93
commit 0825d85c93
parent 83458998aa
6 changed files with 206 additions and 0 deletions
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -0,0 +1,93 @@
+{
+  meta = {
+    # Override to pin the Nixpkgs version (recommended). This option
+    # accepts one of the following:
+    # - A path to a Nixpkgs checkout
+    # - The Nixpkgs lambda (e.g., import <nixpkgs>)
+    # - An initialized Nixpkgs attribute set
+    # TODO: Pin
+    nixpkgs = import <nixpkgs>;
+
+    # If your Colmena host has nix configured to allow for remote builds
+    # (for nix-daemon, your user being included in trusted-users)
+    # you can set a machines file that will be passed to the underlying
+    # nix-store command during derivation realization as a builders option.
+    # For example, if you support multiple orginizations each with their own
+    # build machine(s) you can ensure that builds only take place on your
+    # local machine and/or the machines specified in this file.
+    # machinesFile = ./machines.client-a;
+  };
+
+  defaults = { pkgs, ... }: {
+    # This module will be imported by all hosts
+    environment.systemPackages = with pkgs; [
+      vim
+      wget
+      curl
+      traceroute
+      dnsutils
+    ];
+    time.timeZone = "Europe/Zurich";
+    users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0n1ikUG9rYqobh7WpAyXrqZqxQoQ2zNJrFPj12gTpP nilsh@PC-Nils'' ];
+
+    boot.tmp.cleanOnBoot = true;
+    zramSwap.enable = true;
+
+    services.openssh.enable = true;
+    # By default, Colmena will replace unknown remote profile
+    # (unknown means the profile isn't in the nix store on the
+    # host running Colmena) during apply (with the default goal,
+    # boot, and switch).
+    # If you share a hive with others, or use multiple machines,
+    # and are not careful to always commit/push/pull changes
+    # you can accidentaly overwrite a remote profile so in those
+    # scenarios you might want to change this default to false.
+    # deployment.replaceUnknownProfiles = true;
+  };
+
+  dns1 = { name, nodes, modulesPath, ... }: {
+    imports = [ ./modules/dns (modulesPath + "/profiles/qemu-guest.nix") ];
+
+    # The name and nodes parameters are supported in Colmena,
+    # allowing you to reference configurations in other nodes.
+    networking.hostName = name;
+
+    deployment.targetHost = "dns1.nilstrieb.dev";
+    deployment.tags = [ "dns" "us" ];
+
+    system.stateVersion = "23.11";
+
+    boot.loader.grub.device = "/dev/sda";
+    boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+    boot.initrd.kernelModules = [ "nvme" ];
+    fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+  };
+
+  /*host-b = {
+    # Like NixOps and Morph, Colmena will attempt to connect to
+    # the remote host using the attribute name by default. You
+    # can override it like:
+    deployment.targetHost = "dns2.infra.noratrieb.dev";
+
+    # It's also possible to override the target SSH port.
+    # For further customization, use the SSH_CONFIG_FILE
+    # environment variable to specify a ssh_config file.
+    deployment.targetPort = 1234;
+
+    # Override the default for this target host
+    deployment.replaceUnknownProfiles = false;
+
+    # You can filter hosts by tags with --on @tag-a,@tag-b.
+    # In this example, you can deploy to hosts with the "web" tag using:
+    #    colmena apply --on @web
+    # You can use globs in tag matching as well:
+    #    colmena apply --on '@infra-*'
+    deployment.tags = [ "dns" "eu" ];
+
+    boot.loader.grub.device = "/dev/sda";
+    fileSystems."/" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+  };*/
+}
--- a/newinfra/nix/modules/dns/default.nix
+++ b/newinfra/nix/modules/dns/default.nix
@ -0,0 +1,28 @@
+{ pkgs, ... }: {
+  # get the package for the debugging tools
+  environment.systemPackages = with pkgs; [ knot-dns ];
+
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 53; to = 53; }
+  ];
+
+  services.knot = {
+    enable = true;
+    settingsFile = pkgs.writeTextFile {
+      name = "knot.conf";
+      text = ''
+        server:
+            listen: 0.0.0.0@53
+            listen: ::@53
+
+        zone:
+          - domain: noratrieb.dev
+            storage: /var/lib/knot/zones/
+            file: ${import ./noratrieb.dev.nix { inherit pkgs; }}
+        log:
+          - target: syslog
+            any: info
+      '';
+    };
+  };
+}
--- a/newinfra/nix/modules/dns/nilstrieb.dev.md
+++ b/newinfra/nix/modules/dns/nilstrieb.dev.md
@ -0,0 +1,29 @@
+@ A N/A 185.199.108.153
+@ A N/A 185.199.109.153
+@ A N/A 185.199.110.153
+@ A N/A 185.199.111.153
+@ AAAA N/A 2606:50c0:8002:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8003:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8000:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8001:0:0:0:0:153
+@ MX 10 mail.protonmail.ch
+@ MX 20 mailsec.protonmail.ch
+@ TXT N/A protonmail-verification=86964dcc4994261eab23dbc53dad613b10bab6de
+@ TXT N/A v=spf1 include:_spf.protonmail.ch ~all
+bisect-rustc A N/A 184.174.32.252
+blog CNAME N/A nilstrieb.github.io
+_atproto.bsky TXT N/A did=did:plc:pqyzoyxk7gfcbxk65mjyncyl
+cors-school A N/A 184.174.32.252
+api.cors-school A N/A 184.174.32.252
+docker A N/A 184.174.32.252
+hugo-chat A N/A 184.174.32.252
+api.hugo-chat A N/A 184.174.32.252
+k8s-control A N/A 161.97.165.1
+localhost A N/A 127.0.0.1
+olat A N/A 184.174.32.252
+pronouns TXT N/A TODO
+uptime A N/A 184.174.32.252
+vps1 A N/A 161.97.165.1
+vps2 A N/A 184.174.32.252
+www A N/A 184.174.32.252
+dns1 A N/A 154.38.163.74
--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@ -0,0 +1,43 @@
+# https://github.com/nix-community/dns.nix
+{ pkgs, ... }:
+let
+  # TODO: do this in a central place
+  dns = import (pkgs.fetchFromGitHub {
+    owner = "nix-community";
+    repo = "dns.nix";
+    rev = "v1.1.2";
+    hash = "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=";
+  });
+
+  data = with dns.lib.combinators;
+    {
+      SOA = {
+        nameServer = "154.38.163.74"; #"ns1.noratrieb.dev";
+        adminEmail = "void@noratrieb.dev";
+        serial = 2024072601;
+      };
+
+      NS = [
+        "154.38.163.74" #"ns1.noratrieb.dev"
+        #"ns2.noratrieb.dev"
+      ];
+
+      A = [ (a "161.97.165.1") ];
+      AAAA = [ ];
+
+      subdomains = {
+        www.CNAME = [ (cname "noratrieb.dev") ];
+        pronouns.TXT = [
+          "she/her"
+        ];
+
+        #ns1 = (host "154.38.163.74");
+
+        #"dns1.infra" = (a "154.38.163.74");
+      };
+    };
+in
+pkgs.writeTextFile {
+  name = "noratrieb.dev.zone";
+  text = dns.lib.toString "noratrieb.dev" data;
+}
--- a/newinfra/provision/README.md
+++ b/newinfra/provision/README.md
@ -0,0 +1,12 @@
+# provisioning
+
+NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image.
+
+> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here).
+> Run `hostname something_without_dots` before running the script.
+> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.
+
+```
+curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
+bash nixos-infect
+```
--- a/shell.nix
+++ b/shell.nix
@ -4,6 +4,7 @@
    ansible-lint
    awscli
    certbot
+    colmena
    dig
    openssl
    caddy