tlaternet/tlaternet-server
1
0
Fork 0
Code Issues10 Pull requests Releases Activity

hetzner: Add new server config

Browse source
This commit is contained in:
Tristan Daniël Maat 2024-03-02 02:27:24 +01:00
parent 54e0826860
commit ddda6f534b
Signed by: tlater
GPG key ID: 49670FD774E43268
11 changed files with 373 additions and 337 deletions

2
configuration/default.nix
View file

@ -7,6 +7,7 @@
...
}: {
imports = [
flake-inputs.disko.nixosModules.disko
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
@ -55,7 +56,6 @@
boot.kernelParams = ["highres=off" "nohz=off"];
networking = {
hostName = "tlaternet";
usePredictableInterfaceNames = false;
useDHCP = false;

47
configuration/hardware-specific/hetzner/default.nix Normal file
View file

@ -0,0 +1,47 @@
{
imports = [
./hardware-configuration.nix
./disko.nix
];
# Intel's special encrypted memory<->CPU feature. Hetzner's BIOS
# disables it by default.
#
# TODO(tlater): See if would be useful for anything?
boot.kernelParams = ["nosgx"];
networking.hostName = "hetzner-1";
services.nginx.domain = "tlater.net";
systemd.network.networks."eth0" = {
matchConfig.MACAddress = "90:1b:0e:c1:8c:62";
addresses = [
# IPv4
{
addressConfig = {
Address = "116.202.158.55/32";
Peer = "116.202.158.1/32"; # Gateway
};
}
# IPv6
{
addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
}
];
networkConfig = {
Gateway = [
"116.202.158.1"
"fe80::1"
];
DNS = [
"185.12.64.1"
"185.12.64.2"
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
};
};
}

82
configuration/hardware-specific/hetzner/disko.nix Normal file
View file

@ -0,0 +1,82 @@
{
disko.devices.disk = let
bootPartition = {
size = "1M";
type = "EF02";
};
swapPartition = {
# 8G is apparently recommended for this much RAM, but we set up
# 4G on both disks for mirroring purposes.
#
# That'll still be 8G during normal operation, and it's probably
# not too bad to have slightly less swap if a disk dies.
size = "4G";
content = {
type = "swap";
randomEncryption = true;
};
};
mountOptions = ["compress=zstd" "noatime"];
in {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
boot = bootPartition;
swap = swapPartition;
disk1 = {
size = "100%";
# Empty partition to combine in RAID0 with the other disk
};
};
};
};
sdb = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
boot = bootPartition;
swap = swapPartition;
disk2 = {
size = "100%";
content = {
type = "btrfs";
# Hack to get multi-device btrfs going
# See https://github.com/nix-community/disko/issues/99
extraArgs = ["-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3"];
subvolumes = {
"/volume" = {};
"/volume/root" = {
inherit mountOptions;
mountpoint = "/";
};
"/volume/home" = {
inherit mountOptions;
mountpoint = "/home";
};
"/volume/var" = {
inherit mountOptions;
mountpoint = "/var";
};
"/volume/nix-store" = {
inherit mountOptions;
mountpoint = "/nix";
};
"/snapshots" = {};
};
};
};
};
};
};
};
}

25
configuration/hardware-specific/hetzner/hardware-configuration.nix Normal file
View file

@ -0,0 +1,25 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
configuration/hardware-specific/vm.nix
View file

@ -4,6 +4,7 @@
# Disable graphical tty so -curses works
boot.kernelParams = ["nomodeset"];
networking.hostName = "testvm";
# Sets the base domain for nginx to localhost so that we
# can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost";

38
configuration/services/gitea.nix
View file

@ -76,23 +76,23 @@ in {
# '';
# };
# services.backups.forgejo = {
# user = "forgejo";
# paths = [
# "/var/lib/forgejo/forgejo-db.sql"
# "/var/lib/forgejo/repositories/"
# "/var/lib/forgejo/data/"
# "/var/lib/forgejo/custom/"
# # Conf is backed up via nix
# ];
# preparation = {
# packages = [config.services.postgresql.package];
# text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
# };
# cleanup = {
# packages = [pkgs.coreutils];
# text = "rm /var/lib/forgejo/forgejo-db.sql";
# };
# pauseServices = ["forgejo.service"];
# };
services.backups.forgejo = {
user = "forgejo";
paths = [
"/var/lib/forgejo/forgejo-db.sql"
"/var/lib/forgejo/repositories/"
"/var/lib/forgejo/data/"
"/var/lib/forgejo/custom/"
# Conf is backed up via nix
];
preparation = {
packages = [config.services.postgresql.package];
text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
};
cleanup = {
packages = [pkgs.coreutils];
text = "rm /var/lib/forgejo/forgejo-db.sql";
};
pauseServices = ["forgejo.service"];
};
}