refactor: standardize hetzner machines

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-09-18 23:20:10 +02:00
parent 6289ac038f
commit beee7044fa
Signed by: lander
GPG key ID: 0142722B4B0C536F
3 changed files with 207 additions and 78 deletions

flake.nix

@ -78,74 +78,77 @@
nixosModules = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager;
nixosConfigurations = {
# Workstations
wodan = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = [
{
nixpkgs.overlays = [
tidalcycles.overlays.default
(_: prev: {
tailscale = prev.tailscale.overrideAttrs (old: {
checkFlags = builtins.map (
flag:
if prev.lib.hasPrefix "-skip=" flag then
flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$"
else
flag
) old.checkFlags;
});
})
];
}
{ nixpkgs.overlays = [ tidalcycles.overlays.default ]; }
./hosts/wodan
];
};
widar = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/widar
];
};
heimdall = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/heimdall
];
};
nixosConfigurations =
let
hetzner = import ./lib/hetzner.nix { inherit inputs nixpkgs; };
in
{
# Workstations
wodan = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = [
{
nixpkgs.overlays = [
tidalcycles.overlays.default
(_: prev: {
tailscale = prev.tailscale.overrideAttrs (old: {
checkFlags = builtins.map (
flag:
if prev.lib.hasPrefix "-skip=" flag then
flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$"
else
flag
) old.checkFlags;
});
})
];
}
{ nixpkgs.overlays = [ tidalcycles.overlays.default ]; }
./hosts/wodan
];
};
widar = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/widar
];
};
heimdall = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/heimdall
];
};
# servers
db-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/db-01
];
# servers
db-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/db-01
];
};
hosting-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/hosting-01
];
};
hosting-02 = hetzner.mkHetznerMachine "hosting-02" {
ipv6Address = "2a01:4f8:c013:7fc0::/64";
extraModules = [
./hosts/hosting-02
];
};
mail-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/mail-01
];
};
};
hosting-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/hosting-01
];
};
hosting-02 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/hosting-02
];
};
mail-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/mail-01
];
};
};
};
}
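Review bot: `hosting-02` is built through `hetzner.mkHetznerMachine` without the `specialArgs = { inherit inputs outputs; }` that the replaced definition passed and that `db-01`, `hosting-01` and `mail-01` still pass, and the `let` binding imports `./lib/hetzner.nix` with only `inputs nixpkgs`, so `outputs` is not even reachable there. If any module under `./hosts/hosting-02` takes `inputs` or `outputs` as a module argument, evaluation of this host will now fail on an undefined argument; this cannot be confirmed from the hunk alone. Either forward them explicitly, e.g. `specialArgs = { inherit inputs outputs; };` inside the `nixosSystem` call in `mkHetznerMachine` (passing `outputs` into the import), or accept a `specialArgs` attribute in its argument set. It would also help to note in a comment that the remaining `aarch64-linux` servers are intentionally not yet migrated, since the commit title says "standardize".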


@ -5,13 +5,8 @@
{
_module.args.disks = [ "/dev/sda" ];
}
../common/servers
];
time.timeZone = "Europe/Berlin";
networking.hostName = "hosting-02";
networking.firewall = {
enable = true;
allowedTCPPorts = [
@ -31,12 +26,6 @@
addRouteTablesToIPRoute2 = true;
};
systemd.network.networks."30-wan" = {
address = [
"2a01:4f8:c013:7fc0::/64"
];
};
systemd.services."netns@" = {
description = "Network namespace %i";
serviceConfig = {

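--- /dev/null
+++ b/lib/hetzner.nix
@@ -0,0 +1,137 @@
+{
+inputs,
+nixpkgs,
+...
+}:
+{
+mkHetznerMachine =
+hostname:
+{
+system ? "aarch64-linux",
+timeZone ? "Europe/Berlin",
+ipv6Address,
+tailscale ? true,
+extraModules,
+}:
+nixpkgs.lib.nixosSystem {
+inherit system;
+modules = [
+inputs.disko.nixosModules.disko
+inputs.sops-nix.nixosModules.sops
+(
+{
+config,
+lib,
+pkgs,
+...
+}:
+{
+boot = {
+loader.grub = {
+devices = [ "/dev/sda" ];
+efiSupport = true;
+efiInstallAsRemovable = true;
+};
+initrd.kernelModules = [ "virtio_gpu" ];
+kernelParams = [ "console=tty" ];
+};
+time.timeZone = timeZone;
+networking = {
+useNetworkd = true;
+hostName = hostname;
+};
+systemd.network = {
+enable = true;
+networks = {
+"30-wan" = {
+matchConfig.Name = "enp1s0";
+networkConfig.DHCP = "ipv4";
+address = [ ipv6Address ];
+routes = [
+{ Gateway = "fe80::1"; }
+];
+};
+};
+};
+services.openssh = {
+enable = true;
+settings.PasswordAuthentication = false;
+extraConfig = ''
+PrintLastLog no
+'';
+};
+sops.secrets.tailscale-authkey = lib.mkIf tailscale {
+owner = "root";
+group = "root";
+sopsFile = ../hosts/common/servers/secrets.yaml;
+};
+services.tailscale = lib.mkIf tailscale {
+enable = tailscale;
+openFirewall = false;
+extraUpFlags = [
+"--login-server=https://headscale.escapeangle.com"
+];
+authKeyFile = config.sops.secrets.tailscale-authkey.path;
+};
+programs.zsh.enable = true;
+environment.pathsToLink = [ "/share/zsh" ];
+environment.shells = [ pkgs.zsh ];
+environment.enableAllTerminfo = true;
+users.users.lander = {
+isNormalUser = true;
+shell = pkgs.zsh;
+extraGroups = [
+"wheel"
+];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
+];
+};
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
+];
+nix = {
+settings = {
+trusted-users = [ "lander" ];
+accept-flake-config = true;
+auto-optimise-store = true;
+};
+registry = {
+nixpkgs = {
+flake = nixpkgs;
+};
+};
+nixPath = [
+"nixpkgs=${nixpkgs.outPath}"
+"nixos-config=/etc/nixos/configuration.nix"
+"/nix/var/nix/profiles/per-user/root/channels"
+];
+package = pkgs.nixVersions.stable;
+extraOptions = ''experimental-features = nix-command flakes'';
+gc = {
+automatic = true;
+options = "--delete-older-than 7d";
+};
+};
+}
+)
+] ++ extraModules;
+};
+}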
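Review bot: `services.openssh.settings` disables `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its NixOS default of true, so PAM keyboard-interactive logins stay reachable on every machine built by `mkHetznerMachine`; add `settings.KbdInteractiveAuthentication = false;` beside it and, since root is given an authorized key, make the root policy explicit with `settings.PermitRootLogin = "prohibit-password";`. `nix.settings.accept-flake-config = true` lets any flake evaluated on these hosts apply its `nixConfig` (extra substituters, trusted public keys) without confirmation, which now applies fleet-wide and deserves either a why-comment or removal. Inside `services.tailscale = lib.mkIf tailscale { ... }` the line `enable = tailscale;` can only ever be true when that attrset is reached, so `enable = true;` states the intent more plainly. The same `ssh-ed25519 ... cardno:22_498_026` literal appears for both `lander` and `root`; binding it once in a `let` avoids the two copies drifting apart.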