xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move things around

Browse source
This commit is contained in:
XenGi 2026-02-01 13:44:15 +01:00
parent 75ddfec129
commit 8b75271fef
Signed by: xengi
SSH key fingerprint: SHA256:jxWM2RTHvxxcncXycwwWkP7HCWb4VREN05UGJTbIPZg
5 changed files with 85 additions and 201 deletions
Download patch file Download diff file Expand all files Collapse all files

18
flake.nix
View file

@ -88,18 +88,7 @@
}; };
}; };
} }
./hosts/matrix.nix ./hosts/matrix
./services/openssh.nix
./services/nginx.nix
./services/postgres.nix
./services/synapse.nix
./services/draupnir.nix
./services/prometheus.nix
./services/grafana.nix
]; ];
}; };
nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem { nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
@ -109,10 +98,7 @@
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
./hosts/hedgedoc
./hosts/hedgedoc.nix
./services/openssh.nix
]; ];
}; };
}; };

31
hosts/hedgedoc.nix → hosts/common.nix
View file

@ -2,12 +2,13 @@
config, config,
modulesPath, modulesPath,
pkgs, pkgs,
lib,
... ...
}: }:
{ {
imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
systemd.suppressedSystemUnits = [ systemd.suppressedSystemUnits = [
"dev-mqueue.mount" "dev-mqueue.mount"
@ -68,7 +69,6 @@
}; };
networking = { networking = {
hostName = "hedgedoc";
domain = "berlin.ccc.de"; domain = "berlin.ccc.de";
nameservers = [ nameservers = [
"2606:4700:4700::1111#one.one.one.one" "2606:4700:4700::1111#one.one.one.one"
@ -81,17 +81,7 @@
dhcpcd.enable = false; dhcpcd.enable = false;
nftables.enable = true; nftables.enable = true;
tempAddresses = "disabled"; tempAddresses = "disabled";
firewall = { firewall.enable = true;
enable = true;
allowedTCPPorts = [
22 # SSH
80 # HTTP/1
443 # HTTP/2
];
allowedUDPPorts = [
443 # HTTP/3
];
};
}; };
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -100,17 +90,6 @@
services = { services = {
fstrim.enable = false; # Let Proxmox host handle fstrim fstrim.enable = false; # Let Proxmox host handle fstrim
openssh.banner = ''
__ __ __
/\ \ /\ \ /\ \
\ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
\ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
\ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
\ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
\/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
/\____/
\_/__/
'';
# Cache DNS lookups to improve performance # Cache DNS lookups to improve performance
resolved = { resolved = {
enable = true; enable = true;
@ -153,6 +132,4 @@
}; };
}; };
}; };
system.stateVersion = "25.11";
} }

38
hosts/hedgedoc/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ ... }:
{
imports = [
../common.nix
../../services/openssh.nix
../../services/hedgedoc.nix
];
networking = {
hostName = "hedgedoc";
firewall = {
allowedTCPPorts = [
80 # HTTP/1
443 # HTTP/2
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
services = {
openssh.banner = ''
__ __ __
/\ \ /\ \ /\ \
\ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
\ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
\ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
\ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
\/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
/\____/
\_/__/
'';
};
system.stateVersion = "25.11";
}

158
hosts/matrix.nix
View file

@ -1,158 +0,0 @@
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
nix = {
optimise = {
automatic = true;
dates = [ "11:00" ];
};
settings = {
auto-optimise-store = true;
sandbox = false;
# Allow remote updates
trusted-users = [
"root"
"@wheel"
];
experimental-features = [
"nix-command"
"flakes"
];
};
gc = {
automatic = true;
options = "--delete-older-than 14d";
};
};
nixpkgs.hostPlatform = "x86_64-linux";
environment.systemPackages = with pkgs; [
vim
git
];
proxmoxLXC = {
manageNetwork = false;
manageHostName = false;
privileged = false;
};
users.users.root = {
packages = with pkgs; [
kitty # for terminfo
fastfetch # for shits and giggles
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwYcSxbP6Hon//kZFIZJSHdqvsJ6AyCwH4JP9/t4q46 xengi@yuka_2020-12-16"
];
};
networking = {
hostName = "matrix";
domain = "berlin.ccc.de";
nameservers = [
"2606:4700:4700::1111#one.one.one.one"
"2620:fe::fe#dns.quad9.net"
"1.1.1.1#one.one.one.one"
"9.9.9.9#dns.quad9.net"
];
useDHCP = false;
useNetworkd = true;
dhcpcd.enable = false;
nftables.enable = true;
tempAddresses = "disabled";
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
80 # HTTP/1
443 # HTTP/2
8448 # Matrix federation
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_GB.UTF-8";
console.font = "Lat2-Terminus16";
services = {
fstrim.enable = false; # Let Proxmox host handle fstrim
openssh.banner = ''
__ __
/\ \__ __ /\ \
___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
/' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> </ /\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
'';
# Cache DNS lookups to improve performance
resolved = {
enable = true;
dnssec = "allow-downgrade";
dnsovertls = "true";
extraConfig = ''
Cache=true
CacheFromLocalhost=true
'';
};
};
programs = {
mtr.enable = true;
vim = {
enable = true;
defaultEditor = true;
};
htop = {
enable = true;
};
tmux = {
enable = true;
terminal = "screen-256color";
shortcut = "a";
newSession = true;
clock24 = true;
};
ssh.startAgent = true;
};
security = {
acme = {
acceptTerms = true;
defaults = {
validMinDays = 14;
renewInterval = "daily";
email = "acme@xengi.de";
group = "nginx";
};
};
};
system.stateVersion = "25.05";
}

41
hosts/matrix/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ ... }:
{
imports = [
../common.nix
../../services/nginx.nix
../../services/postgres.nix
../../services/synapse.nix
../../services/draupnir.nix
../../services/prometheus.nix
../../services/grafana.nix
];
networking = {
hostName = "matrix";
firewall = {
allowedTCPPorts = [
80 # HTTP/1
443 # HTTP/2
8448 # Matrix federation
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
services = {
openssh.banner = ''
__ __
/\ \__ __ /\ \
___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
/' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> </ /\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
'';
};
system.stateVersion = "25.05";
}