xavier/nixos-infra
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Servers named by service provided instead of by application.

Browse Source
This commit is contained in:
Xavier Lagraula
2026-05-06 22:34:10 +02:00
parent 834f727882
commit a3172f477f
5 changed files with 19 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+13 -10
View File
@@ -34,6 +34,7 @@
| ---------------------------------------------------------| ---------------------------------------------------------------------------------| --------------------------------------------------------| | ---------------------------------------------------------| ---------------------------------------------------------------------------------| --------------------------------------------------------|
| **No flakes** | Simplify onboarding and avoid a steep learning curve. | Configuration via `configuration.nix` + `callPackage`. | | **No flakes** | Simplify onboarding and avoid a steep learning curve. | Configuration via `configuration.nix` + `callPackage`. |
| **Modular structure** | Separate configurations by machine type and service. | Clear and maintainable directory tree. | | **Modular structure** | Separate configurations by machine type and service. | Clear and maintainable directory tree. |
| **Servers named by service, not by application** | Indicate what the machine does (git01 = Git forge) rather than the software (Gitea). Allows changing the underlying app without renaming. | Hosts under `hosts/servers/<service>01` (e.g. `git01`, `pass01`, `dns01`). |
| **`callPackage` for modules** | Make modules autonomous, portable, and reusable. | Each module is an independent Nix package. | | **`callPackage` for modules** | Make modules autonomous, portable, and reusable. | Each module is an independent Nix package. |
| **Separation of `user-profiles/` and `users/`** | Distinguish generic roles (e.g., `admin`) from concrete users (e.g., `xavier`). | Flexibility to apply profiles to multiple users. | | **Separation of `user-profiles/` and `users/`** | Distinguish generic roles (e.g., `admin`) from concrete users (e.g., `xavier`). | Flexibility to apply profiles to multiple users. |
| **`deploy.sh` script** | Automate deployment on existing machines. | Clone/update the repo + `nixos-rebuild switch`. | | **`deploy.sh` script** | Automate deployment on existing machines. | Clone/update the repo + `nixos-rebuild switch`. |
@@ -58,17 +59,17 @@ nixos-infra/
├── hosts/ # Machine configurations ├── hosts/ # Machine configurations
│ ├── servers/ # Servers (hypervisors, VMs, LXCs) │ ├── servers/ # Servers (hypervisors, VMs, LXCs)
│ │ ├── pve01/ # Hypervisor 1 │ │ ├── hyper01/ # Hypervisor 1
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ ├── pve02/ # Hypervisor 2 │ │ ├── hyper02/ # Hypervisor 2
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ ├── dns01/ # LXC container for DNS (master) │ │ ├── dns01/ # LXC container for DNS (master)
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ ├── dns02/ # LXC container for DNS (slave) │ │ ├── dns02/ # LXC container for DNS (slave)
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ ├── gitea01/ # LXC container for Gitea │ │ ├── git01/ # LXC container for Git forge (e.g. Gitea)
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ ├── vaultwarden/ # LXC container for Vaultwarden │ │ ├── pass01/ # LXC container for password manager (e.g. Vaultwarden)
│ │ │ └── configuration.nix │ │ │ └── configuration.nix
│ │ └── rp01/ # LXC container for reverse proxy │ │ └── rp01/ # LXC container for reverse proxy
│ │ └── configuration.nix │ │ └── configuration.nix
@@ -158,11 +159,12 @@ nixos-infra/
| Name | Machine Type | Services | IPv4 | IPv6 Token | | Name | Machine Type | Services | IPv4 | IPv6 Token |
| ----------| --------------------| -------------| ------| ------------| | ----------| --------------------| -------------| ------| ------------|
| pve01 | Hypervisor | Proxmox | | | | hyper01 | Hypervisor | Proxmox | | |
| pve02 | Hypervisor | Proxmox | | | | hyper02 | Hypervisor | Proxmox | | |
| dns01 | LXC Container | DNS | | | | dns01 | LXC Container | DNS | | |
| gitea01 | LXC Container | Gitea | | | | git01 | LXC Container | Git forge | | |
| vault01 | LXC Container | Vaultwarden | | | | pass01 | LXC Container | Password mgr| | |
| rp01 | LXC Container | Reverse proxy| | |
| sting | Workstation | | | | | sting | Workstation | | | |
| PC-FRIDA | Workstation | | | | | PC-FRIDA | Workstation | | | |
@@ -285,8 +287,9 @@ nixos-infra/
## **💡 Notes and Best Practices** ## **💡 Notes and Best Practices**
- **Naming** : - **Naming** :
- Use explicit names for machines (e.g., `dns01`, `gitea01`). - **Servers**: Name by service, not by application (e.g., `git01`, `pass01`, `dns01`).
- For LXC containers, prefer short and descriptive names. - **Workstations**: Use descriptive hostnames (e.g., `sting`, `gaia`).
- **Hypervisors**: Prefix with `hyper` (e.g., `hyper01`, `hyper02`).
- **Security** : - **Security** :
- Disable root SSH access once deployment is complete. - Disable root SSH access once deployment is complete.
- Use SSH keys for authentication. - Use SSH keys for authentication.
nixos-infra/hosts/servers/rp01/configuration.nix
+4 -4
View File
@@ -3,9 +3,9 @@
{ {
imports = [ imports = [
# Module pour les conteneurs LXC # Module pour les conteneurs LXC
(builtins.callPackage ../../../modules/machine-types/lxc.nix {}) ../../../modules/machine-types/lxc.nix
# Module pour le reverse proxy # Module pour le reverse proxy
(builtins.callPackage ../../../modules/services/reverse-proxy/default.nix {}) ../../../modules/services/reverse-proxy/default.nix
]; ];
# Configuration réseau (IPv4 + IPv6) # Configuration réseau (IPv4 + IPv6)
@@ -19,8 +19,8 @@
# Liste des services à exposer via le reverse proxy # Liste des services à exposer via le reverse proxy
services.reverse-proxy.publicServices = [ services.reverse-proxy.publicServices = [
{ host = "gitea"; internalHost = "gitea01"; port = 3000; } { host = "git"; internalHost = "git01"; port = 3000; }
{ host = "vaultwarden"; internalHost = "vault01"; port = 80; } { host = "pass"; internalHost = "pass01"; port = 80; }
# Ajoutez ici d'autres services (ex: dns01, etc.) # Ajoutez ici d'autres services (ex: dns01, etc.)
]; ];
nixos-infra/modules/machine-types/lxc.nix
-4
View File
@@ -26,10 +26,6 @@
''; '';
}; };
# Prise en charge IPv6
# TODO : check whether explicitly enabling IPv6 is still encessary in 2026
networking.ipv6.forwarding = true;
# Default configuration for a LXC container # Default configuration for a LXC container
config = lib.mkIf config.lxc.enable { config = lib.mkIf config.lxc.enable {
# Disabling useless services # Disabling useless services
nixos-infra/modules/services/reverse-proxy/default.nix
+1 -2
View File
@@ -27,9 +27,8 @@ in
virtualHosts = map (service: { virtualHosts = map (service: {
host = "${service.host}.lagraula.fr"; host = "${service.host}.lagraula.fr";
reverseProxy = "http://${service.internalHost}.lagraula.fr:${toString service.port}"; reverseProxy = "http://${service.internalHost}.lagraula.fr:${toString service.port}";
# Challenge ACME HTTP-01 (par défaut)
tls = { tls = {
email = "xavier@lagraula.fr"; # À adapter email = config.services.caddy.email or "xavier@lagraula.fr";
}; };
}) (config.services.reverse-proxy.publicServices or []); }) (config.services.reverse-proxy.publicServices or []);
nixos-infra/scripts/README.md
+1 -1
View File
@@ -86,7 +86,7 @@ agenix -e secrets/<name>.age
### `update-nixpkgs.sh` — Update the nixpkgs pin ### `update-nixpkgs.sh` — Update the nixpkgs pin
Updates `pkgs/nixpkgs.json` with the latest commit from nixpkgs unstable. Updates `pkgs/nixpkgs.json` with the latest commit from nixpkgs stable.
## Deployment workflow (LXC containers) ## Deployment workflow (LXC containers)