From 208052528cc1b89faaf7c941fe4e9a257d926543 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 2 Nov 2024 11:33:22 +0000
Subject: [PATCH 1/2] decommission bvm-minecraft / bvm-netbox
---
ops/nixos/bvm-minecraft/default.nix | 45 -----
ops/nixos/bvm-netbox/default.nix | 277 ----------------------------
ops/nixos/default.nix | 2 -
3 files changed, 324 deletions(-)
delete mode 100644 ops/nixos/bvm-minecraft/default.nix
delete mode 100644 ops/nixos/bvm-netbox/default.nix
diff --git a/ops/nixos/bvm-minecraft/default.nix b/ops/nixos/bvm-minecraft/default.nix
deleted file mode 100644
index 71e023f114..0000000000
--- a/ops/nixos/bvm-minecraft/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
-#
-# SPDX-License-Identifier: Apache-2.0
-
-{ config, depot, pkgs, lib, ... }:
-let
- inherit (depot.ops) secrets;
-in {
- imports = [
- ../lib/bvm.nix
- ];
-
- # Networking!
- networking = {
- hostName = "bvm-minecraft";
- hostId = "c88be606";
-
- interfaces.enp1s0 = {
- ipv4.addresses = [{ address = "92.118.28.7"; prefixLength = 24; }];
- ipv6.addresses = [{ address = "2a09:a441::7"; prefixLength = 32; }];
- };
- defaultGateway = { address = "92.118.28.1"; interface = "enp1s0"; };
- defaultGateway6 = { address = "2a09:a441::1"; interface = "enp1s0"; };
-
- firewall.allowedTCPPorts = [
- 80 443 # HTTP/S
- 25565 # Minecraft
- ];
- };
-
- programs.java = {
- enable = true;
- package = pkgs.jdk8;
- };
-
- users.groups.minecraft = {
- members = [ "minecraft" "lukegb" ];
- };
- users.users.minecraft = {
- isNormalUser = true;
- group = "minecraft";
- };
-
- system.stateVersion = "21.05";
-}
diff --git a/ops/nixos/bvm-netbox/default.nix b/ops/nixos/bvm-netbox/default.nix
deleted file mode 100644
index 2fe62f503f..0000000000
--- a/ops/nixos/bvm-netbox/default.nix
+++ /dev/null
@@ -1,277 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
-#
-# SPDX-License-Identifier: Apache-2.0
-
-{ config, lib, depot, pkgs, ... }:
-let
- inherit (depot.ops) secrets;
-
- netboxConfiguration = ''
- SECRET_KEY = '${secrets.netbox.secretKey}'
-
- ADMINS = []
- ALLOWED_URL_SCHEMES = (
- 'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
- )
-
- BANNER_TOP = ""
- BANNER_BOTTOM = ""
- BANNER_LOGIN = ""
- BASE_PATH = ""
-
- CHANGELOG_RETENTION = 0
-
- CORS_ORIGIN_ALLOW_ALL = False
- CORS_ORIGIN_WHITELIST = []
- CORS_ORIGIN_REGEX_WHITELIST = []
-
- CUSTOM_VALIDATORS = {}
-
- DEBUG = False
-
- EMAIL = {}
-
- ENFORCE_GLOBAL_UNIQUE = True
-
- EXEMPT_VIEW_PERMISSIONS = []
-
- GRAPHQL_ENABLED = False
-
- INTERNAL_IPS = ('127.0.0.1', '::1')
-
- LOGIN_REQUIRED = True
- LOGIN_TIMEOUT = None
-
- MAINTENANCE_MODE = False
-
- MAPS_URL = 'https://maps.google.com/?q='
-
- MAX_PAGE_SIZE = 1000
-
- MEDIA_ROOT = '/srv/netbox/media'
-
- STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
- STORAGE_CONFIG = {
- 'AWS_ACCESS_KEY_ID': "${secrets.netbox.s3.accessKey}",
- 'AWS_SECRET_ACCESS_KEY': "${secrets.netbox.s3.secretAccessKey}",
- 'AWS_STORAGE_BUCKET_NAME': 'netbox',
- 'AWS_S3_ENDPOINT_URL': 'https://objdump.zxcvbnm.ninja',
- 'AWS_S3_REGION_NAME': 'london',
- }
-
- METRICS_ENABLED = False
-
- NAPALM_USERNAME = ""
- NAPALM_PASSWORD = ""
- NAPALM_TIMEOUT = 30
- NAPALM_ARGS = {}
-
- PAGINATE_COUNT = 50
-
- PLUGINS = []
-
- PREFER_IPV4 = False
-
- RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
- RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
-
- REMOTE_AUTH_ENABLED = False
- REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
- REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
- REMOTE_AUTH_AUTO_CREATE_USER = True
- REMOTE_AUTH_DEFAULT_GROUPS = []
- REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
-
- RELEASE_CHECK_URL = None
-
- REPORTS_ROOT = '/srv/netbox/reports'
-
- RQ_DEFAULT_TIMEOUT = 300
-
- SCRIPTS_ROOT = '/srv/netbox/scripts'
-
- SESSION_COOKIE_NAME = 'netboxsess'
-
- TIME_ZONE = 'UTC'
-
- DATE_FORMAT = 'Y-m-d'
- SHORT_DATE_FORMAT = 'Y-m-d'
- TIME_FORMAT = 'g:i a'
- SHORT_TIME_FORMAT = 'H:i:s'
- DATETIME_FORMAT = 'Y-m-d g:i a'
- SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
- '';
-in {
- imports = [
- ../lib/bvm.nix
- ];
-
- # Networking!
- networking = {
- hostName = "bvm-netbox";
- hostId = "e70e18a5";
-
- interfaces.enp1s0 = {
- ipv4.addresses = [{ address = "10.100.0.206"; prefixLength = 23; }];
- };
- interfaces.enp2s0 = {
- ipv4.addresses = [{ address = "92.118.28.8"; prefixLength = 24; }];
- ipv6.addresses = [{ address = "2a09:a441::8"; prefixLength = 32; }];
- };
- defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
- defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
- };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- my.ip.tailscale = "100.81.27.52";
- my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
-
- services.postgresqlBackup.enable = true;
-
- my.vault.secrets.netbox-secret-key = {
- restartUnits = ["netbox.service"];
- group = "root";
- template = ''
- {{ with secret "kv/apps/netbox" }}
- {{ .Data.data.secretKey }}
- {{ end }}
- '';
- };
- my.vault.secrets.netbox-s3-access-key = {
- restartUnits = ["netbox.service"];
- group = "root";
- template = ''
- {{ with secret "kv/apps/netbox" }}
- {{ .Data.data.s3AccessKey }}
- {{ end }}
- '';
- };
- my.vault.secrets.netbox-s3-secret-access-key = {
- restartUnits = ["netbox.service"];
- group = "root";
- template = ''
- {{ with secret "kv/apps/netbox" }}
- {{ .Data.data.s3SecretAccessKey }}
- {{ end }}
- '';
- };
-
- services.netbox = {
- enable = true;
- dataDir = "/srv/netbox";
- extraConfig = lib.mkAfter (netboxConfiguration + ''
- with open("${config.my.vault.secrets.netbox-s3-access-key.path}", "r") as f:
- STORAGE_CONFIG['AWS_ACCESS_KEY_ID'] = f.readline()
- with open("${config.my.vault.secrets.netbox-s3-secret-access-key.path}", "r") as f:
- STORAGE_CONFIG['AWS_SECRET_ACCESS_KEY'] = f.readline()
- '');
- listenAddress = "127.0.0.1";
- port = 8001;
- package = pkgs.netbox_3_7;
- secretKeyFile = config.my.vault.secrets.netbox-secret-key.path;
- settings = {
- ALLOWED_HOSTS = ["netbox.int.lukegb.com"];
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- virtualHosts."netbox.int.lukegb.com" = {
- locations."/static/" = {
- alias = "/srv/netbox/static";
- };
- locations."/" = {
- proxyPass = "http://127.0.0.1:8001";
- };
- };
- virtualHosts."livetaild.lukegb.dev" = {
- forceSSL = true;
- sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
- sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
- locations."/" = {
- extraConfig = ''
- return 403;
- '';
- };
- locations."/.auth/return" = {
- extraConfig = ''
- if ($arg_state ~ ^a-) {
- return 303 https://a.livetaild.lukegb.dev$request_uri;
- }
- if ($arg_state ~ ^b-) {
- return 303 https://b.livetaild.lukegb.dev$request_uri;
- }
- if ($arg_state ~ ^localhost-) {
- return 303 http://localhost:13371$request_uri;
- }
- return 403;
- '';
- };
- };
- virtualHosts."a.livetaild.lukegb.dev" = {
- forceSSL = true;
- sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
- sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
- locations."/" = {
- proxyPass = "http://10.222.0.2:13371";
- };
- };
- virtualHosts."b.livetaild.lukegb.dev" = {
- forceSSL = true;
- sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
- sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
- locations."/" = {
- proxyPass = "http://10.222.0.3:13371";
- };
- };
- };
- my.vault.acmeCertificates."livetaild.lukegb.dev" = {
- hostnames = [
- "livetaild.lukegb.dev"
- "*.livetaild.lukegb.dev"
- ];
- reloadOrRestartUnits = [ "nginx.service" ];
- };
- users.groups.acme = {};
- users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
-
- users.groups.ninovpn = {};
- users.users.ninovpn = {
- group = "ninovpn";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "command=\"/bin/false\",restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISTSUEIzxpqa9kZwfryFlYA5FJaHJiDJHnw13Vg4NHg root@nino-010-worker"
- "command=\"/bin/false\",restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGK5a+5jekPlsI+44PCy9CZWQFqFzNVEuCo4LVZxo3O root@nino-011-worker"
- ];
- };
-
- systemd.network.netdevs."20-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- };
- wireguardConfig = {
- Address = "10.222.0.1/24";
- PrivateKeyFile = "/home/ninovpn/wg-priv";
- };
- wireguardPeers = [{
- PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
- AllowedIPs = ["10.222.0.2/32"];
- } {
- PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
- AllowedIPs = ["10.222.0.3/32"];
- }];
- };
- systemd.network.networks."20-wg0" = {
- matchConfig.Name = "wg0";
- linkConfig.RequiredForOnline = "no";
- addresses = [{
- Address = "10.222.0.1/24";
- }];
- };
-
- system.stateVersion = "23.11";
-}
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index 2eacf9b9bd..2fc3f6b04b 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@@ -34,8 +34,6 @@ let
 "bvm-prosody"
 "bvm-ipfs"
 "bvm-matrix"
- "bvm-minecraft"
- "bvm-netbox"
 "bvm-radius"
 "bvm-heptapod"
 "bvm-logger"
From 588ad5d50a1a658194c054a30d2e6a2c2d9fae8d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 2 Nov 2024 12:33:44 +0000
Subject: [PATCH 2/2] bvm-forgejo: init
---
ops/nixos/bvm-forgejo/default.nix | 71 +++++++++++++++++++
ops/nixos/default.nix | 1 +
ops/nixos/installcd/default.nix | 2 +-
.../coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa | 4 +-
.../coredns/zones/db.28.118.92.in-addr.arpa | 4 +-
ops/nixos/lib/coredns/zones/db.as205479.net | 9 +-
6 files changed, 82 insertions(+), 9 deletions(-)
create mode 100644 ops/nixos/bvm-forgejo/default.nix
diff --git a/ops/nixos/bvm-forgejo/default.nix b/ops/nixos/bvm-forgejo/default.nix
new file mode 100644
index 0000000000..cb42b5575b
--- /dev/null
+++ b/ops/nixos/bvm-forgejo/default.nix
@@ -0,0 +1,71 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ config, depot, lib, pkgs, ... }:
+let
+ inherit (depot.ops) secrets;
+ systemConfig = config;
+in {
+ imports = [
+ ../lib/bvm.nix
+ ];
+
+ # Networking!
+ networking = {
+ hostName = "bvm-forgejo";
+ hostId = "9cdd4290";
+ tempAddresses = "disabled";
+
+ interfaces.enp1s0 = {
+ ipv4.addresses = [{ address = "10.100.0.208"; prefixLength = 23; }];
+ };
+ interfaces.enp2s0 = {
+ ipv4.addresses = [{ address = "92.118.28.7"; prefixLength = 24; }];
+ ipv6.addresses = [{ address = "2a09:a441::7"; prefixLength = 32; }];
+ };
+ interfaces.lo = {
+ ipv4.addresses = [
+ { address = "127.0.0.1"; prefixLength = 8; }
+ ];
+ ipv6.addresses = [
+ { address = "::1"; prefixLength = 128; }
+ ];
+ };
+ defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
+ defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
+
+ firewall = {
+ allowedTCPPorts = [ 22 80 443 20022 ];
+ allowedUDPPorts = [ 443 ];
+ };
+ };
+ #my.ip.tailscale = "100.94.23.105";
+ #my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:625e:1769";
+
+ services.openssh.ports = [ 20022 ];
+ my.deploy.args = "-p 20022";
+ my.rundeck.hostname = "${config.networking.fqdn}:20022";
+
+ users.users.postfix.extraGroups = [ "opendkim" ];
+
+ services.postfix = {
+ enable = true;
+ domain = "hg.lukegb.com";
+ hostname = "hg.lukegb.com";
+ extraConfig = ''
+ milter_protocol = 2
+ milter_default_action = accept
+ smtpd_milters = ${config.services.opendkim.socket}
+ non_smtpd_milters = ${config.services.opendkim.socket}
+ '';
+ networks = [ "172.17.0.0/16" ];
+ };
+ services.opendkim = {
+ enable = true;
+ domains = "csl:hg.lukegb.com";
+ selector = "bvm-forgejo";
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index 2fc3f6b04b..10598bc6da 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
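Review bot: `ipv4.addresses = [{ address = "10.100.0.208"; prefixLength = 23; }]` on enp1s0 appears to collide with the existing `bvm-heptapod.blade 3600 IN A 10.100.0.208` record shown in the db.as205479.net hunk later in this series, while the A record the series adds for this host is `bvm-forgejo.blade 3600 IN A 10.100.0.212`; one of the two sides is wrong, and if it is this file the fix is `ipv4.addresses = [{ address = "10.100.0.212"; prefixLength = 23; }];`. `firewall.allowedTCPPorts = [ 22 80 443 20022 ]` and `allowedUDPPorts = [ 443 ]` open ports that nothing in this file listens on — sshd is moved to 20022 and no Forgejo or web server is configured here — so a comment naming the intended listener, e.g. `allowedTCPPorts = [ 22 80 443 20022 ]; # 22/80/443: <intended service>, 20022: sshd`, would keep the entries from reading as leftovers. The `let` bindings `secrets` and `systemConfig` are not referenced anywhere in the file and can be dropped until something uses them. `services.postfix.networks = [ "172.17.0.0/16" ]` lets every host in that /16 relay through this MTA without authentication; if that range is a container bridge (not visible here), a short comment on why the whole range is trusted, or a narrower entry, would make the relay policy reviewable.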
@@ -38,6 +38,7 @@ let
 "bvm-heptapod"
 "bvm-logger"
 "bvm-paperless"
+ "bvm-forgejo"
 "oracle-lon01"
 "kerrigan"
 "cofractal-ams01"
diff --git a/ops/nixos/installcd/default.nix b/ops/nixos/installcd/default.nix
index 825653c9a4..d9a5bfa53d 100644
--- a/ops/nixos/installcd/default.nix
+++ b/ops/nixos/installcd/default.nix
@@ -13,7 +13,7 @@ in {
 isoImage.isoName = lib.mkForce "nixos-${depot.version}-${pkgs.stdenv.hostPlatform.system}.iso";
 isoImage.storeContents = [
- depot.ops.nixos.systems.rexxar
+ depot.ops.nixos.systems.bvm-forgejo
 ];
 system.disableInstallerTools = false;
diff --git a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
index 9b6998d7ce..bdb8bf9618 100644
--- a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
+++ b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 15 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 16 600 450 3600 300
 $INCLUDE tmpl.ns
@@ -12,7 +12,7 @@ $INCLUDE tmpl.ns
 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-ipfs.public.as205479.net.
 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-nixosmgmt.public.as205479.net.
 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-matrix.public.as205479.net.
-7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-minecraft.public.as205479.net.
+7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-forgejo.public.as205479.net.
 8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-netbox.public.as205479.net.
 9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-radius.public.as205479.net.
 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-heptapod.public.as205479.net.
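Review bot: The context lines of the `@@ -12,7 +12,7 @@` hunk in db.1.4.4.a.9.0.a.2.ip6.arpa still map the `8.0.0…` label to `bvm-netbox.public.as205479.net.`, although PATCH 1/2 of this series removes the bvm-netbox host; the same stale entries survive as `8 600 IN PTR bvm-netbox.as205479.net.` in db.28.118.92.in-addr.arpa and as the `bvm-netbox.public` CNAME, `bvm-netbox 3600 IN A 92.118.28.8` and `bvm-netbox 3600 IN AAAA 2a09:a441::8` records in db.as205479.net. Unless those names are meant to stay parked, the forward and reverse records of a decommissioned host should go out with the same serial bumps, so that the netbox names stop resolving to addresses that may later be handed to another VM.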
diff --git a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
index f6b53acee7..a60c2c2459 100644
--- a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
+++ b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 18 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 19 600 450 3600 300
 $INCLUDE tmpl.ns
@@ -14,7 +14,7 @@ $INCLUDE tmpl.ns
 4 600 IN PTR bvm-ipfs.as205479.net.
 5 600 IN PTR bvm-nixosmgmt.as205479.net.
 6 600 IN PTR bvm-matrix.as205479.net.
-7 600 IN PTR bvm-minecraft.as205479.net.
+7 600 IN PTR bvm-forgejo.as205479.net.
 8 600 IN PTR bvm-netbox.as205479.net.
 9 600 IN PTR bvm-radius.as205479.net.
 10 600 IN PTR bvm-heptapod.as205479.net.
diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net
index 93d66ce8c5..d2c5ebd0eb 100644
--- a/ops/nixos/lib/coredns/zones/db.as205479.net
+++ b/ops/nixos/lib/coredns/zones/db.as205479.net
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 58 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 59 600 450 3600 300
 ; NB: this are also glue records in Google Domains.
 $INCLUDE tmpl.ns
@@ -160,6 +160,7 @@ bvm-heptapod.blade 3600 IN A 10.100.0.208
 bvm-logger.blade 3600 IN A 10.100.0.209
 ; bvm-oliver-snipeit.blade 3600 IN A 10.100.0.210
 bvm-paperless.blade 3600 IN A 10.100.0.211
+bvm-forgejo.blade 3600 IN A 10.100.0.212
 ; services
@@ -186,9 +187,9 @@ bvm-nixosmgmt 3600 IN AAAA 2a09:a441::5
 bvm-matrix.public 3600 IN CNAME bvm-matrix.as205479.net.
 bvm-matrix 3600 IN A 92.118.28.6
 bvm-matrix 3600 IN AAAA 2a09:a441::6
-bvm-minecraft.public 3600 IN CNAME bvm-minecraft.as205479.net.
-bvm-minecraft 3600 IN A 92.118.28.7
-bvm-minecraft 3600 IN AAAA 2a09:a441::7
+bvm-forgejo.public 3600 IN CNAME bvm-forgejo.as205479.net.
+bvm-forgejo 3600 IN A 92.118.28.7
+bvm-forgejo 3600 IN AAAA 2a09:a441::7
 bvm-netbox.public 3600 IN CNAME bvm-netbox.as205479.net.
 bvm-netbox 3600 IN A 92.118.28.8
 bvm-netbox 3600 IN AAAA 2a09:a441::8