From 576896970a54b0955a7055e161e04d461e851236 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 18 Dec 2021 04:15:53 +0000
Subject: [PATCH] bvm-heptapod: add more heptapod

---
 ops/nixos/bvm-heptapod/default.nix | 80 +++++++++++++++++++++++++++++-
 1 file changed, 79 insertions(+), 1 deletion(-)

diff --git a/ops/nixos/bvm-heptapod/default.nix b/ops/nixos/bvm-heptapod/default.nix
index 56adbd6570..eeadf3bafa 100644
--- a/ops/nixos/bvm-heptapod/default.nix
+++ b/ops/nixos/bvm-heptapod/default.nix
@@ -23,15 +23,93 @@ in {
 ipv4.addresses = [{ address = "92.118.28.10"; prefixLength = 24; }];
 ipv6.addresses = [{ address = "2a09:a441::10"; prefixLength = 32; }];
 };
+ interfaces.lo = {
+ ipv4.addresses = [
+ { address = "127.0.0.1"; prefixLength = 8; }
+ { address = "92.118.28.11"; prefixLength = 32; }
+ ];
+ ipv6.addresses = [
+ { address = "::1"; prefixLength = 128; }
+ { address = "2a09:a441::11"; prefixLength = 128; }
+ ];
+ };
 defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
 defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
 firewall = {
- allowedTCPPorts = [ 80 443 ];
+ interfaces.docker0.allowedTCPPorts = [ 25 ];
+ allowedTCPPorts = [ 22 80 443 20022 ];
 allowedUDPPorts = [ 443 ];
 };
 };
 my.ip.tailscale = "100.94.23.105";
+ services.openssh.ports = [ 20022 ];
+ my.deploy.args = "-p 20022";
+ my.rundeck.hostname = "${config.networking.fqdn}:20022";
+
+ users.users.postfix.extraGroups = [ "opendkim" ];
+
+ services.postfix = {
+ enable = true;
+ domain = "hg.lukegb.com";
+ hostname = "hg.lukegb.com";
+ extraConfig = ''
+ milter_protocol = 2
+ milter_default_action = accept
+ smtpd_milters = ${config.services.opendkim.socket}
+ non_smtpd_milters = ${config.services.opendkim.socket}
+ '';
+ networks = [ "172.17.0.0/16" ];
+ };
+ services.opendkim = {
+ enable = true;
+ domains = "csl:hg.lukegb.com";
+ selector = "marukuru";
+ };
+
+ virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2a09:a441:10::/64";
+ virtualisation.oci-containers.containers = {
+ heptapod-runner = {
+ image = "octobus/heptapod-runner:0.2.0";
+ volumes = [
+ "/srv/gitlab-runner/config:/etc/gitlab-runner"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ };
+ heptapod = let img = depot.nix.docker.heptapod; in {
+ image = "${img.meta.name}:${img.meta.tag}";
+ imageFile = img;
+ ports = [
+ # host:container
+ "22:22"
+ "80:80"
+ "443:443"
+ ];
+ volumes = [
+ "/srv/gitlab/config:/etc/gitlab"
+ "/srv/gitlab/logs:/var/log/gitlab"
+ "/srv/gitlab/data:/var/opt/gitlab"
+ ];
+ environment = {
+ GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] ''
+ external_url "https://hg.lukegb.com"
+ letsencrypt['enable'] = true
+ letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
+ nginx['redirect_http_to_https'] = true
+ nginx['listen_addresses'] = ["0.0.0.0", "[::]"]
+
+ gitlab_rails['smtp_enable'] = true
+ gitlab_rails['smtp_address'] = '92.118.28.10'
+ gitlab_rails['smtp_port'] = 25
+ gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
+ gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'
+
+ prometheus['enable'] = false
+ '';
+ };
+ };
+ };
+ system.stateVersion = "21.11";
 }
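Review bot: `networks = [ "172.17.0.0/16" ]` in services.postfix, paired with `interfaces.docker0.allowedTCPPorts = [ 25 ]`, trusts the entire default Docker bridge as a relay source rather than only the heptapod container, and because opendkim signs for `hg.lukegb.com` any mail relayed from that range leaves DKIM-signed. The `heptapod-runner` container mounts `/var/run/docker.sock`, so job containers it starts presumably land on that same bridge (its runner config under `/srv/gitlab-runner/config` is not visible here) and would inherit the relay trust; that socket mount is also host-root-equivalent and deserves a comment next to the volume entry saying so. Consider narrowing the trusted range to the heptapod container, e.g. `networks = [ "<HEPTAPOD-CONTAINER-IP>/32" ];` with a fixed container address or a dedicated user-defined network whose subnet is the only one listed, plus a comment above the docker0 rule such as `# port 25 on docker0 exists only so the heptapod container can reach postfix; keep services.postfix.networks in step`. The `in {` attribute set this hunk modifies opens before the hunk.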