From ef27b49ffc70d051d82911ecc6e0307e90459c55 Mon Sep 17 00:00:00 2001
From: Fabrice Bellamy <12b@distrilab.fr>
Date: Wed, 25 Dec 2024 08:58:18 +0100
Subject: [PATCH] add server "framboise" (Raspberry Pi 4B
---
 config/framboise/configuration.nix | 119 ++++++++++++++++++++
 config/framboise/hardware-configuration.nix | 32 ++++++
 config/framboise/network-configuration.nix | 59 ++++++++++
 generate-runner-token.sh | 5 +
 krops.nix | 29 ++++-
 runner-framboise.token | 2 +
 runner.token | 1 +
 token-injector.sh | 2 +
 8 files changed, 246 insertions(+), 3 deletions(-)
 create mode 100644 config/framboise/configuration.nix
 create mode 100644 config/framboise/hardware-configuration.nix
 create mode 100644 config/framboise/network-configuration.nix
 create mode 100755 generate-runner-token.sh
 create mode 100644 runner-framboise.token
 create mode 100644 runner.token
 create mode 100755 token-injector.sh
diff --git a/config/framboise/configuration.nix b/config/framboise/configuration.nix
new file mode 100644
index 0000000..77d24d3
--- /dev/null
+++ b/config/framboise/configuration.nix
@@ -0,0 +1,119 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./network-configuration.nix
+ /var/src/modules/nixin-base.nix
+ /var/src/modules/users.nix
+ /var/src/modules/wireguard-client.nix
+ /var/src/modules/reverse-proxy-traefik.nix
+ /var/src/modules/nginx.nix
+ /var/src/modules/nixin-web.nix
+ /var/src/modules/forgejo.nix
+ /var/src/modules/forgejo-runner.nix
+ /var/src/modules/nextcloud.nix
+ /var/src/modules/etherpad.nix
+ /var/src/modules/excalidraw.nix
+ ];
+
+ # Bootloader.
+ # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+ boot.loader.grub.enable = false;
+ # Enables the generation of /boot/extlinux/extlinux.conf
+ boot.loader.generic-extlinux-compatible.enable = true;
+
+ nixin.wg.client = {
+ ipv4 = "192.168.12.2/32";
+ ipv6 = "2a01:4f9:1a:9a05::2/128";
+ };
+
+ nixin.traefik = {
+ dashboard-domain = "traefik.lab12.fr";
+ };
+
+ nixin.web = {
+ domain = "nixin.lab12.fr";
+ http-port = 8081;
+ };
+
+ nixin.forgejo = {
+ http-port = 8082;
+ domain = "forge.lab12.fr";
+ smtp-addr = "lab12.org";
+ smtp-user = "mr.robot@lab12.org";
+ smtp-from = "no-reply@lab12.org";
+ smtp-pwd-file = toString ;
+ #smtp-pwd = let
+ # pwd = builtins.readFile ;
+ #in lib.strings.trim pwd;
+ admin-email = "sysadmin@lab12.fr";
+ admin-user = "operator";
+ admin-pwd = let
+ pwd = builtins.readFile ;
+ in lib.strings.trim pwd;
+ };
+
+ nixin.forgejo-runner = {
+ token-file = "/etc/forgejo/runner.token";
+ #token = let
+ # pwd = builtins.readFile ;
+ #in lib.strings.trim pwd;
+ url = "https://forge.lab12.fr";
+ };
+
+ nixin.nextcloud = {
+ domain = "nuage.lab12.fr";
+ admin-user = "operator";
+ admin-pwd = let
+ pwd = builtins.readFile ;
+ in lib.strings.trim pwd;
+ host-address = "10.10.10.1";
+ container-address = "10.10.10.2";
+ address-prefix = "/24";
+ };
+
+ nixin.etherpad = {
+ domain = "pad.lab12.fr";
+ };
+
+ nixin.excalidraw = {
+ domain = "draw.lab12.fr";
+ };
+
+
+ # Enable ip forwarding to route packets for the local network connected to enp3s0
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 80 144 443 ];
+ #networking.firewall.allowedUDPPorts = [ 53 ];
+ # allow UDP port range for mosh
+ networking.firewall.allowedUDPPortRanges = [
+ { from = 60000; to = 61000; }
+ ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Configure console keymap
+ # console.keyMap = "fr";
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = with pkgs; [
+ mtr
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/config/framboise/hardware-configuration.nix b/config/framboise/hardware-configuration.nix
new file mode 100644
index 0000000..e3913be
--- /dev/null
+++ b/config/framboise/hardware-configuration.nix
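Review bot: `admin-pwd` under both `nixin.forgejo` and `nixin.nextcloud` is materialised with `builtins.readFile` at evaluation time, so the trimmed password becomes a plain string inside the evaluated configuration and, unless the nixin modules take care to keep it out of derivations, will presumably land in the world-readable Nix store; the `smtp-pwd-file = toString …` form used a few lines earlier (its `readFile` variant now commented out) is the safer pattern and should be applied to the admin passwords too, if the modules offer a file-based option. As rendered here the arguments of `toString` and `builtins.readFile` are empty (`builtins.readFile ;`), which is not valid Nix — presumably a `<…>` search-path expression lost in extraction, but worth confirming that the committed file still evaluates. The comment `# Enable ip forwarding to route packets for the local network connected to enp3s0` names an interface this host's network-configuration.nix does not declare (it defines `end0` and `br0`), so it appears carried over from another machine; reword it to name the actual interface, e.g. `# Enable ip forwarding for the container network on br0 (NAT via end0)`.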
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/config/framboise/network-configuration.nix b/config/framboise/network-configuration.nix
new file mode 100644
index 0000000..250c489
--- /dev/null
+++ b/config/framboise/network-configuration.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ #virtualisation.writableStore = true;
+ #virtualisation.additionalPaths = [ pkgs.stdenv ];
+
+ networking = {
+ hostName = "framboise";
+ useDHCP = false;
+ defaultGateway = "192.168.36.1";
+
+ nat = {
+ enable = true;
+ #internalInterfaces = ["vb-+"];
+ internalIPs = ["10.10.10.0/24"];
+ externalInterface = "enp1s0";
+ # Lazy IPv6 connectivity for the containers
+ #enableIPv6 = true;
+ };
+
+ # bridge for containers
+ bridges = {
+ "br0" = {
+ #interfaces = [ "enp4s0" ];
+ interfaces = [ ];
+ };
+ };
+
+ interfaces = {
+ # primary network interface, connected to WAN through a router
+ end0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = "192.168.36.14";
+ prefixLength = 24;
+ } ];
+ };
+ # interface for containers virtual network
+ br0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = "10.10.10.1";
+ prefixLength = 24;
+ } ];
+ #ipv6.addresses = [
+ # {
+ # address = hostIp6;
+ # prefixLength = 7;
+ # }
+ #];
+ };
+ };
+
+ };
+
+}
diff --git a/generate-runner-token.sh b/generate-runner-token.sh
new file mode 100755
index 0000000..4b6f2e6
--- /dev/null
+++ b/generate-runner-token.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+nix-build ./krops.nix -A gen-token-$1 && ./result > runner-$1.token
+EDITOR=./token-injector.sh pass edit nixin-password-store/krops/$1/forgejo-runner-token
+echo token generated and stored in pass nixin-password-store/krops/$1/forgejo-runner-toke :
+echo $(pass nixin-password-store/krops/$1/forgejo-runner-token)
diff --git a/krops.nix b/krops.nix
index 514e467..72a19ff 100644
--- a/krops.nix
+++ b/krops.nix
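Review bot: `nat.externalInterface = "enp1s0"` names an interface this file never declares — the `interfaces` block below defines only `end0` (the 192.168.36.14/24 uplink) and the container bridge `br0` — so the masquerade rule for `internalIPs = ["10.10.10.0/24"]` is bound to a device that presumably does not exist on the Raspberry Pi and containers on `br0` will have no working egress; it should read `externalInterface = "end0";`. The `enp1s0`/`enp4s0` names and the commented `hostIp6` block look carried over from an x86 host's file, so the rest of the file deserves the same check. The `nixos-generate-config` "Do not modify this file!" header is misleading on a hand-maintained file with static addressing, NAT and a bridge, and invites someone to regenerate over it; replacing it with a one-line description of the topology (uplink on `end0`, containers behind `br0`) would be more accurate.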
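Review bot: The script writes the fetched token to `runner-$1.token`, but the editor it hands to `pass edit`, `token-injector.sh`, copies `./runner.token` into the pass entry, so the value stored under `krops/$1/forgejo-runner-token` is whatever stale `runner.token` happens to sit in the working directory rather than the token just generated for `$1` — the two committed files `runner.token` and `runner-framboise.token` carrying different `TOKEN=` values fit that picture. Pass the path through the environment instead, e.g. `RUNNER_TOKEN_FILE="runner-$1.token" EDITOR=./token-injector.sh pass edit "nixin-password-store/krops/$1/forgejo-runner-token"` here and `cat "${RUNNER_TOKEN_FILE:?}" > "$1"` in token-injector.sh (the last hunk of this patch). The `runner.token` and `runner-framboise.token` hunks commit live runner registration tokens to the repository; those files should be git-ignored and the exposed tokens regenerated, and `runner-framboise.token` also shows a `Removing .version-suffix` line ahead of `TOKEN=`, so `./result > runner-$1.token` captures more than the token line (origin unclear from here) and should be filtered to the `TOKEN=` line before use. Minor: `$1` and the command substitution are unquoted throughout, the final `echo` prints the secret to the terminal, and `forgejo-runner-toke` in the message is a typo.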
@@ -29,6 +29,14 @@ let
 port = "144";
 sudo = true;
 };
+ };
+
+ framboise = pkgs.krops.writeDeploy "deploy-server-framboise" {
+ source = source "framboise";
+ target = lib.mkTarget "douzeb@192.168.36.14" // {
+ port = "144";
+ sudo = true;
+ };
 # only build the configuration and do not activate it for now (could also use writeTest instead of writeDeploy for doing that)
 # operation = "build";
 };
@@ -49,7 +57,7 @@ let
 '';
 };
 
- gen-runner-token = pkgs.krops.writeCommand "generate-forgejo-runner-token" {
+ gen-token-arachnide = pkgs.krops.writeCommand "generate-token-arachnide" {
 source = source "arachnide";
 target = lib.mkTarget "douzeb@192.168.36.9" // {
 port = "144";
@@ -62,11 +70,26 @@ let
 '';
 };
 
+ gen-token-framboise = pkgs.krops.writeCommand "generate-token-framboise" {
+ source = source "arachnide";
+ target = lib.mkTarget "douzeb@192.168.36.14" // {
+ port = "144";
+ sudo = true;
+ };
+ command = targetPath: ''
+ mkdir -p /etc/forgejo
+ echo "TOKEN=$(forgejo forgejo-cli actions generate-runner-token)" > /etc/forgejo/runner.token
+ cat /etc/forgejo/runner.token
+ '';
+ };
+
 in {
 arachnide = arachnide;
+ framboise = framboise;
 dromadaire = dromadaire;
 all = pkgs.writeScript "deploy-all-servers"
- (lib.concatStringsSep "\n" [ arachnide dromadaire ]);
+ (lib.concatStringsSep "\n" [ arachnide framboise dromadaire ]);
 register-runner = register-runner;
- gen-runner-token = gen-runner-token;
+ gen-token-arachnide = gen-token-arachnide;
+ gen-token-framboise = gen-token-framboise;
 }
diff --git a/runner-framboise.token b/runner-framboise.token
new file mode 100644
index 0000000..be839dc
--- /dev/null
+++ b/runner-framboise.token
@@ -0,0 +1,2 @@
+Removing .version-suffix
+TOKEN=nGfoo1UfFnquR6YH1zR18ILvVooNGuixV1bRccAu
diff --git a/runner.token b/runner.token
new file mode 100644
index 0000000..ef987c0
--- /dev/null
+++ b/runner.token
@@ -0,0 +1 @@
+TOKEN=LObGnzmcb7GgdW7svlLxgIjtTNzTQCXSWoPjxD9N
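Review bot: `gen-token-framboise` sets `source = source "arachnide";` while its target is the framboise host (`douzeb@192.168.36.14`), which looks like a copy-paste slip from `gen-token-arachnide` in the preceding hunk; it should be `source = source "framboise";`, matching the `framboise` deploy in the first krops.nix hunk. The `command` creates `/etc/forgejo/runner.token` with whatever umask the remote sudo shell has, so the registration token may be readable by other local users on the host; adding `umask 077` before the `echo` (or `chmod 600 /etc/forgejo/runner.token` after it) closes that. The trailing `cat` echoes the token into the deploy output, which generate-runner-token.sh relies on to capture it, so that is a design choice rather than a slip, but it does mean the secret passes through the nix-build result on the operator's machine. The enclosing `let` opens above the first hunk; `in { … }` closes inside this one.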
diff --git a/token-injector.sh b/token-injector.sh
new file mode 100755
index 0000000..d085a88
--- /dev/null
+++ b/token-injector.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+cat ./runner.token > $1