sam
/
nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sam:51320794e6c725564c7387f0219388ec37f4c42a
Branches Tags
sam:master
sam:bitcoin
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules
..
compare: sam:2533603b65d4a3e898154586fd6f0ad7aac90901
Branches Tags
sam:master
sam:bitcoin
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules

No commits in common. "51320794e6c725564c7387f0219388ec37f4c42a" and "2533603b65d4a3e898154586fd6f0ad7aac90901" have entirely different histories.
51320794e6 ... 2533603b65

8 changed files with 194 additions and 256 deletions
Show Stats Expand all files Collapse all files

8
flake.lock
View File

@ -428,11 +428,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1728169228, "lastModified": 1728041293,
"narHash": "sha256-WT6kWWqMQE4KBdziZ/uuJ9sPcVg+6QJoOdBPdKAD0gI=", "narHash": "sha256-ttKGrtU+naTxmlHf4M142MTM4rYc5WWhRzdY1wEO5gE=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "e9709bbb9adc91fb6b4dab5b16e15546cc596695", "rev": "dc659e262931d48bc8499fbfee60d27e40cda9cd",
"revCount": 165, "revCount": 163,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },

26
hosts/common/optional/docker/default.nix
View File

@ -1,26 +1,10 @@
{ {pkgs, ...}: {
pkgs,
inputs,
...
}: {
imports = [inputs.arion.nixosModules.arion];
environment.systemPackages = [
pkgs.arion
pkgs.docker-client
];
virtualisation = { virtualisation = {
podman = { docker = {
enable = true; enable = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
}; };
}; };
environment.systemPackages = with pkgs; [
environment.persistence."/persist" = { docker-compose
hideMounts = true; ];
directories = [
"/var/lib/containers"
];
};
} }

145
hosts/common/optional/docker/postgres.nix Normal file
View File

@ -0,0 +1,145 @@
{
pkgs,
lib,
inputs,
config,
...
}: let
admin_dbPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/admin_db/password".path;
initScript = pkgs.writeText "init.sh" ''
#!/bin/bash
function create_user_and_database() {
local database=$1
local user=$2
local extensions=$3
echo "### admin user: $POSTGRES_USER ###"
echo " Creating database '$database'"
echo " Creating user '$user'"
psql -v --username "$POSTGRES_USER" -d "$POSTGRES_DB" <<-EOSQL
CREATE USER $user;
CREATE DATABASE $database;
GRANT ALL PRIVILEGES ON DATABASE $database TO $user;
EOSQL
# Loop through extensions and create them
for ext in $(echo "$extensions" | tr ',' ' '); do
echo " - Installing extention $ext"
psql -v --username "$POSTGRES_USER" -d "$database" -c "CREATE EXTENSION $ext;"
done
}
if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
# Parse the JSON string
database_names=$(echo "$POSTGRES_MULTIPLE_DATABASES" | jq -r '.[0] | keys[]')
echo "Multiple database creation requested: $(echo "$database_names" | tr "\n" " ")"
# Loop through each database and create it
for db_name in $database_names; do
user=$(echo "$POSTGRES_MULTIPLE_DATABASES" | jq -r ".[0] | .''${db_name} | .user")
extensions=$(echo "$POSTGRES_MULTIPLE_DATABASES" | jq -r ".[0] | .''${db_name} | .extensions | join(\",\")")
create_user_and_database "$db_name" "$user" "$extensions"
done
fi
'';
pg_hbaConfig = pkgs.writeText "pg_hba.conf" ''
none
'';
pgsqlConfig = pkgs.writeText "postgresql.conf" ''
listen_addresses = '*'
port = 5432
max_connections = 100
shared_buffers = 24GB
work_mem = 1GB
maintenance_work_mem = 10GB
autovacuum_work_mem = 2GB
dynamic_shared_memory_type = posix
wal_level = minimal
checkpoint_timeout = 60min
checkpoint_completion_target = 0.9
max_wal_size = 10GB
min_wal_size = 80MB
max_wal_senders = 0
random_page_cost = 1.0
effective_cache_size = 25GB
jit = off
log_line_prefix = '%m [%p] %q%u@%d '
log_timezone = 'Etc/UTC'
cluster_name = 'postgres-docker'
datestyle = 'iso, dmy'
timezone = 'Etc/UTC'
default_text_search_config = 'pg_catalog.english'
'';
in {
sops.secrets = {
"software/postgres/admin_db/password" = {};
};
virtualisation.arion = {
backend = "docker";
projects = {
"db".settings.services."db".service = {
restart = "unless-stopped";
build.context = "/nix/store";
build.dockerfile = builtins.baseNameOf "${pkgs.writeText "pgDockerfile" ''
FROM postgres:16
# install packages
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
postgresql-16-postgis \
jq \
&& rm -rf /var/lib/apt/lists/*
''}";
command = ["postgres" "-c" "config_file=/etc/postgresql/postgresql.conf"];
environment = {
POSTGRES_PASSWORD_FILE = admin_dbPasswordFile;
POSTGRES_USER = "admin";
POSTGRES_DB = "admin_db";
PGDATA = "/var/lib/postgresql/data/pgdata";
POSTGRES_MULTIPLE_DATABASES = ''
[
{
"osm": {
"user": "gis",
"extensions": [
"hstore",
"postgis"
]
},
"bitcoin": {
"user": "satoshi",
"extensions": []
},
"btc_models": {
"user": "dbt",
"extensions": []
},
"dev_btc_models": {
"user": "dbt",
"extensions": []
}
}
]
'';
};
ports = ["5432:5432"];
volumes = [
# Mount pgdata to external zfs volume
"/mnt/postgres:/var/lib/postgresql/data"
# Mount config files
# "${pg_hbaConfig}:/var/lib/postgres/data/pgdata/pg_hba.conf"
"${pgsqlConfig}:/etc/postgresql/postgresql.conf"
# Need to mount secret file
"${admin_dbPasswordFile}:${admin_dbPasswordFile}"
# PG init script to parse json specified in POSTGRES_MULTIPLE_DATABASES
# creates databases, users and installs extensions for each database.
"${initScript}:/docker-entrypoint-initdb.d/init.sh"
];
};
};
};
}

48
hosts/common/optional/nixos-containers/nix-bitcoin.nix → hosts/common/optional/nix-bitcoin.nix
View File

@ -9,9 +9,7 @@
bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path; bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path; bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path; bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
container_name = "bitcoin-node"; pubKeys = lib.filesystem.listFilesRecursive ../users/keys;
container_ip = "10.0.10.5";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in { in {
sops.secrets = { sops.secrets = {
"software/bitcoind/bitcoin-rpcpassword-privileged" = {}; "software/bitcoind/bitcoin-rpcpassword-privileged" = {};
@ -20,18 +18,14 @@ in {
"software/bitcoind/bitcoin-HMAC-public" = {}; "software/bitcoind/bitcoin-HMAC-public" = {};
}; };
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
# networking.firewall.enable = true;
# networking.firewall.allowedTCPPorts = [80 443 22];
# networking.firewall.trustedInterfaces = ["ve-btcnode"];
containers.${container_name} = { containers.bitcoin-node = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = "br0"; hostBridge = "br0";
@ -71,6 +65,14 @@ in {
}; };
}; };
# forwardPorts = [
# {
# containerPort = 50001;
# hostPort = 50001;
# protocol = "tcp";
# }
# ];
config = { config = {
pkgs, pkgs,
lib, lib,
@ -86,7 +88,7 @@ in {
]; ];
networking = { networking = {
defaultGateway = "10.0.10.1"; defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ]; interfaces.eth0.ipv4.addresses = [ { "address" = "10.0.10.4"; "prefixLength" = 24; } ];
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -103,8 +105,18 @@ in {
services.resolved.enable = true; services.resolved.enable = true;
# node services here services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
nix-bitcoin.generateSecrets = true; nix-bitcoin.generateSecrets = true;
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
# node services here
services = { services = {
tor = { tor = {
enable = true; enable = true;
@ -153,16 +165,6 @@ in {
electrs.enable = true; electrs.enable = true;
mempool-frontend.enable = true; mempool-frontend.enable = true;
}; };
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
}; };
}; };

75
hosts/common/optional/nixos-containers/jellyfin.nix
View File

@ -1,75 +0,0 @@
{
lib,
pkgs,
...
}: let
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "jellyfin";
container_ip = "10.0.10.6";
in {
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.postgres = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
5432
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
services.jellyfin = {
enable = true;
openFirewall = true;
};
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
pkgs.lsof
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
};
};
}

113
hosts/common/optional/nixos-containers/postgres.nix
View File

@ -1,113 +0,0 @@
{
inputs,
lib,
config,
pkgs,
...
}: let
postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "postgres";
container_ip = "10.0.10.5";
in {
sops.secrets = {
"software/postgres/postgres/password" = {
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.postgres = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/postgresql" = {
hostPath = "/media/main-ssd/postgresql";
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
5432
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
environment.systemPackages = with pkgs; [
lsof
];
services.postgresql = {
enable = true;
enableJIT = true;
package = pkgs.postgresql_16;
extraPlugins = with pkgs.postgresql_16.pkgs; [ postgis ];
settings = {
max_worker_processes = "12";
max_parallel_workers = "8";
max_parallel_workers_per_gather = "4";
max_connections = "100";
autovacuum_work_mem = "2GB";
shared_buffers = "32GB";
work_mem = "0.32GB";
maintenance_work_mem = "64MB";
};
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
systemd.services.postgresql.postStart = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
};
};
}

1
hosts/common/users/sam/default.nix
View File

@ -24,7 +24,6 @@ in {
"scanner" "scanner"
"lp" "lp"
"docker" "docker"
"podman"
]; ];
}; };

34
hosts/semita/default.nix
View File

@ -47,8 +47,8 @@ in {
../common/optional/nfs-mounts/homeshare.nix ../common/optional/nfs-mounts/homeshare.nix
../common/optional/printing.nix ../common/optional/printing.nix
../common/optional/docker ../common/optional/docker
../common/optional/nixos-containers/nix-bitcoin.nix ../common/optional/docker/postgres.nix
../common/optional/nixos-containers/postgres.nix ../common/optional/nix-bitcoin.nix
]; ];
fileSystems."/media/main-ssd" = { fileSystems."/media/main-ssd" = {
@ -85,23 +85,6 @@ in {
pkgs.sof-firmware pkgs.sof-firmware
]; ];
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
vpl-gpu-rt
intel-media-sdk
];
};
networking = { networking = {
hostName = "semita"; hostName = "semita";
nameservers = ["10.0.10.60" "10.0.10.1" "8.8.8.8"]; nameservers = ["10.0.10.60" "10.0.10.1" "8.8.8.8"];
@ -120,6 +103,19 @@ in {
} }
]; ];
}; };
# interfaces.br0 = {
# useDHCP = false;
# ipv4.addresses = [
# {
# address = "10.0.10.3";
# prefixLength = 24;
# }
# ];
# };
# defaultGateway = {
# address = "10.0.10.1";
# interface = "eth0";
# };
}; };
services.libinput.enable = true; services.libinput.enable = true;