From 64986d2883e4f34d9701860433939cbdf425a922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Fri, 4 Apr 2025 14:09:58 +0200
Subject: [PATCH] Remove microvm and correct build for nginx
---
flake.lock | 88 +++-----------------------------
flake.nix | 121 +++++++------------------------------------
secrets/secrets.nix | 3 +-
3 files changed, 28 insertions(+), 184 deletions(-)
diff --git a/flake.lock b/flake.lock
index a1819e7..edab3b2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -127,23 +127,6 @@
"inputs": {
"systems": "systems_3"
},
- "locked": {
- "lastModified": 1694529238,
- "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
- "type": "github"
- },
- "original": {
- "id": "flake-utils",
- "type": "indirect"
- }
- },
- "flake-utils_3": {
- "inputs": {
- "systems": "systems_4"
- },
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@@ -153,9 +136,8 @@
"type": "github"
},
"original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
+ "id": "flake-utils",
+ "type": "indirect"
}
},
"home-manager": {
@@ -187,11 +169,11 @@
]
},
"locked": {
- "lastModified": 1739757849,
- "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
+ "lastModified": 1743387206,
+ "narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
+ "rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",
"type": "github"
},
"original": {
@@ -201,28 +183,6 @@
"type": "github"
}
},
- "microvm": {
- "inputs": {
- "flake-utils": "flake-utils_3",
- "nixpkgs": [
- "nixpkgs"
- ],
- "spectrum": "spectrum"
- },
- "locked": {
- "lastModified": 1741275356,
- "narHash": "sha256-VMeqnLv2O6Lg3/pka1tUzzbOjSmEb6RQOp9OuJRcx0A=",
- "owner": "astro",
- "repo": "microvm.nix",
- "rev": "5e1b3dba5b52405dab79412392b9c799d49bd8c0",
- "type": "github"
- },
- "original": {
- "owner": "astro",
- "repo": "microvm.nix",
- "type": "github"
- }
- },
"nixpkgs": {
"locked": {
"lastModified": 1741379970,
@@ -241,11 +201,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1741600792,
- "narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=",
+ "lastModified": 1743576891,
+ "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "ebe2788eafd539477f83775ef93c3c7e244421d3",
+ "rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
"type": "github"
},
"original": {
@@ -260,7 +220,6 @@
"agenix": "agenix",
"crowdsec": "crowdsec",
"home-manager": "home-manager_2",
- "microvm": "microvm",
"nixpkgs": "nixpkgs_2"
}
},
@@ -285,22 +244,6 @@
"type": "github"
}
},
- "spectrum": {
- "flake": false,
- "locked": {
- "lastModified": 1733308308,
- "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
- "ref": "refs/heads/main",
- "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
- "revCount": 792,
- "type": "git",
- "url": "https://spectrum-os.org/git/spectrum"
- },
- "original": {
- "type": "git",
- "url": "https://spectrum-os.org/git/spectrum"
- }
- },
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -345,21 +288,6 @@
"repo": "default",
"type": "github"
}
- },
- "systems_4": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 7daaf1f..cb6059f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,10 +7,6 @@
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
- microvm = {
- url = "github:astro/microvm.nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
inputs.nixpkgs.follows = "nixpkgs";
@@ -22,7 +18,6 @@
self,
nixpkgs,
home-manager,
- microvm,
agenix,
crowdsec,
...
@@ -34,73 +29,36 @@ pkgs = import nixpkgs {inherit system;}; in { nixosConfigurations = { - nixmox-curiosity = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - ./hosts/nixmox-curiosity/configuration.nix - { - networking.hostName = "nixmox-curiosity"; - } - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix; - } - microvm.nixosModules.host - { - microvm = { - autostart = []; - vms = {}; - }; - } - ]; - - specialArgs = { - inherit inputs; - inherit username; - inherit proxy_host; - inherit pgsql_host; - inherit system; - }; - }; nginx = nixpkgs.lib.nixosSystem { inherit system; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer - ({ pkgs, lib, ... }: { - nixpkgs.overlays = [crowdsec.overlays.default]; + { services.crowdsec-firewall-bouncer = { enable = true; - settings = { - api_key = "secret_api_key"; - api_url = "http://localhost:8080"; - }; + package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; }; - }) + } "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" "${inputs.self}/modules" { - networking.hostName = "nginx"; services = { vm_nginx = { enable = true; }; - crowdsec-firewall-bouncer = { - enable = true; - }; crowdsec = { enable = true; + package = pkgs.crowdsec; autoUpdateService = false; settings = { general = { api = { server = { enable = false; + #listen_uri = "127.0.0.1:8080"; }; }; prometheus.listen_addr = "0.0.0.0"; 
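Review bot: The new `services.crowdsec-firewall-bouncer` block keeps only `enable` and `package`; the `api_url`/`api_key` settings (and with them the literal `secret_api_key`) are gone, and `api.server.enable = false` switches the local LAPI off as well, so nothing in this hunk tells the bouncer where to authenticate or with which credential — unless `${inputs.self}/services` or `${inputs.self}/modules` supplies that (not visible here), the bouncer will start with no usable key. Dropping the literal key from the Nix expression is the right move (the Nix store is world-readable), but the replacement should be an agenix-managed secret consumed at runtime, e.g. the bouncer's API key read from `config.age.secrets.<name>.path` rather than any string in flake.nix, together with the `api_url` of the host that actually runs the LAPI. `package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;` hardcodes the architecture although `system` is already in scope: `package = inputs.crowdsec.packages.${system}.crowdsec-firewall-bouncer;`. Since `nixpkgs.overlays = [crowdsec.overlays.default]` is removed, `package = pkgs.crowdsec;` now resolves to nixpkgs' crowdsec while the bouncer comes from the crowdsec flake, so agent and bouncer versions can drift — presumably intentional for the build fix, but worth a one-line comment. The surrounding `outputs` function starts before this hunk and the `nginx` nixosSystem definition continues past it.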
@@ -126,30 +84,11 @@ type = "syslog"; }; } - { - source = "file"; - - labels = { - type = "syslog"; - }; - } ]; }; }; }; - systemd.services.crowdsec.serviceConfig = { - ExecStartPre = let - script = pkgs.writeScriptBin "register-bouncer" '' - #!${pkgs.runtimeShell} - set -eu - set -o pipefail - - if ! cscli bouncers list | grep -q "my-bouncer"; then - cscli bouncers add "my-bouncer" --key "secret_api_key" - fi - ''; - in ["${script}/bin/register-bouncer"]; - }; + networking.hostName = "nginx"; } ]; }; @@ -215,21 +154,22 @@ } ]; }; -# template = nixpkgs.lib.nixosSystem { -# inherit system; -# modules = [ -# agenix.nixosModules.default -# "${inputs.self}/systems/minimalVMConfig.nix" -# { -# networking.hostName = "nixos"; -# } -# ]; -# }; + template = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix" + "${inputs.self}/systems/minimalVMConfig.nix" + { + networking.hostName = "nixos"; + } + ]; + }; jellyfin = nixpkgs.lib.nixosSystem { inherit system; modules = [ agenix.nixosModules.default - microvm.nixosModules.microvm + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix" "${inputs.self}/systems/minimalVMConfig.nix" "${inputs.self}/services" { @@ -271,31 +211,6 @@ } ]; }; - grafana = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - "${inputs.self}/services" - { - services.vm_grafana = { - enable = true; - vm_ip = "192.168.1.27"; - proxy_ip = proxy_host; - pgsql_ip = pgsql_host; - }; - services.micro_vm = { - enable = true; - hostname = "grafana"; - vm_ip = "192.168.1.20"; - vm_cpu = 1; - vm_mem = 512; - macAddr = "02:00:00:00:00:20"; - }; - } - ]; - }; }; }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 305f201..759f84b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
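Review bot: With the `ExecStartPre` that ran `cscli bouncers add "my-bouncer" --key "secret_api_key"` removed, no line in the visible diff registers the firewall bouncer anywhere, and the previous hunk disables the LAPI on this host, so the bouncer has nothing to register against unless that is handled on the LAPI host outside this patch — please confirm. If registration is re-added it should run on the host that serves the LAPI and read the key from an age secret at runtime, `--key "$(cat ${config.age.secrets.<name>.path})"`, never from a string literal that lands in the Nix store. Note that `secrets/secrets.nix` in this same patch defines an `nginx` host key (`root@nixos-nginx`) but does not add it to `systems`, so as written no `.age` file is encrypted to the host this hunk names `nginx`. The enclosing `nginx` nixosSystem definition starts before this hunk.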
@@ -6,10 +6,11 @@ let onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice"; postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo"; + nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx"; systems = [grafana onlyoffice postgresql forgejo]; in { - "secrets/initialPassword.age".publicKeys = users ++ systems; + "initialPassword.age".publicKeys = users ++ systems; "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana];