+67

infra/nixos/configuration.nix

reviewed

··· 1 1 + { modulesPath, ... }: 2 2 + 3 3 + { 4 4 + imports = [ 5 5 + (modulesPath + "/profiles/all-hardware.nix") 6 6 + ]; 7 7 + 8 8 + boot = { 9 9 + loader = { 10 10 + systemd-boot = { 11 11 + enable = true; 12 12 + }; 13 13 + efi = { 14 14 + canTouchEfiVariables = true; 15 15 + }; 16 16 + }; 17 17 + }; 18 18 + 19 19 + networking = { 20 20 + networkmanager = { 21 21 + enable = true; 22 22 + }; 23 23 + }; 24 24 + 25 25 + nix = { 26 26 + settings = { 27 27 + experimental-features = [ 28 28 + "nix-command" 29 29 + "flakes" 30 30 + ]; 31 31 + }; 32 32 + optimise.automatic = true; 33 33 + gc = { 34 34 + automatic = true; 35 35 + dates = "weekly"; 36 36 + options = "--delete-older-than 30d"; 37 37 + }; 38 38 + }; 39 39 + 40 40 + services = { 41 41 + openssh = { 42 42 + enable = true; 43 43 + }; 44 44 + qemuGuest = { 45 45 + enable = true; 46 46 + }; 47 47 + }; 48 48 + 49 49 + users.users = { 50 50 + admin = { 51 51 + isNormalUser = true; 52 52 + extraGroups = [ 53 53 + "wheel" 54 54 + ]; 55 55 + openssh.authorizedKeys.keys = [ 56 56 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ue4np7cF34f6dwqH1262fPjkowHQ8irfjVC156PCG" 57 57 + ]; 58 58 + }; 59 59 + root = { 60 60 + openssh.authorizedKeys.keys = [ 61 61 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ue4np7cF34f6dwqH1262fPjkowHQ8irfjVC156PCG" 62 62 + ]; 63 63 + }; 64 64 + }; 65 65 + 66 66 + system.stateVersion = "24.11"; 67 67 + }

+33

infra/nixos/disks.nix

reviewed

··· 1 1 + { 2 2 + disko.devices = { 3 3 + disk = { 4 4 + main = { 5 5 + type = "disk"; 6 6 + device = "/dev/sda"; 7 7 + content = { 8 8 + type = "gpt"; 9 9 + partitions = { 10 10 + ESP = { 11 11 + size = "1G"; 12 12 + type = "EF00"; 13 13 + content = { 14 14 + type = "filesystem"; 15 15 + format = "vfat"; 16 16 + mountpoint = "/boot"; 17 17 + mountOptions = [ "umask=0077" ]; 18 18 + }; 19 19 + }; 20 20 + root = { 21 21 + size = "100%"; 22 22 + content = { 23 23 + type = "filesystem"; 24 24 + format = "ext4"; 25 25 + mountpoint = "/"; 26 26 + }; 27 27 + }; 28 28 + }; 29 29 + }; 30 30 + }; 31 31 + }; 32 32 + }; 33 33 + }

+47

infra/nixos/flake.lock

reviewed

··· 1 1 + { 2 2 + "nodes": { 3 3 + "disko": { 4 4 + "inputs": { 5 5 + "nixpkgs": [ 6 6 + "nixpkgs" 7 7 + ] 8 8 + }, 9 9 + "locked": { 10 10 + "lastModified": 1737038063, 11 11 + "narHash": "sha256-rMEuiK69MDhjz1JgbaeQ9mBDXMJ2/P8vmOYRbFndXsk=", 12 12 + "owner": "nix-community", 13 13 + "repo": "disko", 14 14 + "rev": "bf0abfde48f469c256f2b0f481c6281ff04a5db2", 15 15 + "type": "github" 16 16 + }, 17 17 + "original": { 18 18 + "owner": "nix-community", 19 19 + "repo": "disko", 20 20 + "type": "github" 21 21 + } 22 22 + }, 23 23 + "nixpkgs": { 24 24 + "locked": { 25 25 + "lastModified": 1737672001, 26 26 + "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", 27 27 + "owner": "NixOS", 28 28 + "repo": "nixpkgs", 29 29 + "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", 30 30 + "type": "github" 31 31 + }, 32 32 + "original": { 33 33 + "id": "nixpkgs", 34 34 + "ref": "nixos-24.11", 35 35 + "type": "indirect" 36 36 + } 37 37 + }, 38 38 + "root": { 39 39 + "inputs": { 40 40 + "disko": "disko", 41 41 + "nixpkgs": "nixpkgs" 42 42 + } 43 43 + } 44 44 + }, 45 45 + "root": "root", 46 46 + "version": 7 47 47 + }

+39

infra/nixos/flake.nix

reviewed

··· 1 1 + { 2 2 + inputs = { 3 3 + nixpkgs.url = "nixpkgs/nixos-24.11"; 4 4 + disko = { 5 5 + url = "github:nix-community/disko"; 6 6 + inputs.nixpkgs.follows = "nixpkgs"; 7 7 + }; 8 8 + }; 9 9 + outputs = { nixpkgs, disko, ... }: { 10 10 + nixosConfigurations = { 11 11 + nixos = nixpkgs.lib.nixosSystem { 12 12 + system = "x86_64-linux"; 13 13 + modules = [ 14 14 + disko.nixosModules.disko 15 15 + ./configuration.nix 16 16 + ./disks.nix 17 17 + ]; 18 18 + }; 19 19 + devbox = nixpkgs.lib.nixosSystem { 20 20 + system = "x86_64-linux"; 21 21 + modules = [ 22 22 + disko.nixosModules.disko 23 23 + ./configuration.nix 24 24 + ./disks.nix 25 25 + ./profiles/devbox.nix 26 26 + ]; 27 27 + }; 28 28 + k3s = nixpkgs.lib.nixosSystem { 29 29 + system = "x86_64-linux"; 30 30 + modules = [ 31 31 + disko.nixosModules.disko 32 32 + ./configuration.nix 33 33 + ./disks.nix 34 34 + ./profiles/k3s.nix 35 35 + ]; 36 36 + }; 37 37 + }; 38 38 + }; 39 39 + }

+28

infra/nixos/profiles/k3s.nix

reviewed

··· 1 1 + { pkgs, ... }: 2 2 + 3 3 + { 4 4 + networking = { 5 5 + firewall = { 6 6 + # https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-server-nodes 7 7 + allowedTCPPorts = [ 8 8 + 6443 9 9 + 10250 10 10 + ]; 11 11 + allowedTCPPortRanges = [ 12 12 + { from = 2379; to = 2380; } 13 13 + ]; 14 14 + }; 15 15 + }; 16 16 + 17 17 + services = { 18 18 + k3s = { 19 19 + enable = true; 20 20 + role = "server"; 21 21 + extraFlags = toString [ 22 22 + "--disable-helm-controller" 23 23 + "--disable-network-policy" 24 24 + "--disable=traefik" 25 25 + ]; 26 26 + }; 27 27 + }; 28 28 + }

+98

infra/production/proxmox/vn-southwest-1/compute/.terraform.lock.hcl

reviewed

··· 1 1 + # This file is maintained automatically by "tofu init". 2 2 + # Manual edits may be lost in future updates. 3 3 + 4 4 + provider "registry.opentofu.org/bpg/proxmox" { 5 5 + version = "0.57.1" 6 6 + constraints = "~> 0.57.0" 7 7 + hashes = [ 8 8 + "h1:F6o5o32V+mE96gHUppHI0U+olrEtxtr23fwUigtQ/Wk=", 9 9 + "zh:220c75d76e8779970d4e01effdb3073a24139f5065397dae1347710e80b69865", 10 10 + "zh:271d71cb39225a4efd4b6e0cbb2cba50f89006a353db932969deed5db07cdd9b", 11 11 + "zh:28c4f33a1b888f488f1a557d21a1383eb9f9bff77d6ed0643b393c02135436bd", 12 12 + "zh:2c468cb678cdd44f896b531fc09f7a68b16dde298bfded89ee94b792233ddbf1", 13 13 + "zh:3329ce5f7bd96233cf75a633f9b0927295083cc365a4324294dc8bfbcd4bb2a3", 14 14 + "zh:5d5c99f763488c30fbab66b6c68adac1f9d41b8439a7201d826351353c452470", 15 15 + "zh:6a67c621b0bd8c54037ea93273d78308f0a7d2c8b5316def4245c58686639818", 16 16 + "zh:8d64bbc24008d507608e53d1e9d09705710a07ba5b5fe3b5c5cce51ddd0fa6ac", 17 17 + "zh:99395ff6c92d49033ba5426c0f3a07c893354883e86d9000692907150a3c096c", 18 18 + "zh:b03996ae36df1181af784ed57267f8761092400018d40ae2649fa8ec9cabef96", 19 19 + "zh:be6eb719192e228905a556e59d2814da2d26e512c9b0b2f04b224a7e80d2a017", 20 20 + "zh:c3c1f9c94ad381a1e1d022f1d02bc446ea47563eb6573c40471c6b0e6293c20c", 21 21 + "zh:cad37192fb69db274fa053564502077cedc7c8679373a3a8c35da91ed8988a19", 22 22 + "zh:eabc19a8e0d287bb1abbde3d331fc5ca27943dae24cca8d8812b66fd9c8ed4d3", 23 23 + "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597", 24 24 + ] 25 25 + } 26 26 + 27 27 + provider "registry.opentofu.org/hashicorp/external" { 28 28 + version = "2.3.5" 29 29 + hashes = [ 30 30 + "h1:jcVmeuuz74tdRt2kj0MpUG9AORdlAlRRQ3k61y0r5Vc=", 31 31 + "zh:1fb9aca1f068374a09d438dba84c9d8ba5915d24934a72b6ef66ef6818329151", 32 32 + "zh:3eab30e4fcc76369deffb185b4d225999fc82d2eaaa6484d3b3164a4ed0f7c49", 33 33 + "zh:4f8b7a4832a68080f0bf4f155b56a691832d8a91ce8096dac0f13a90081abc50", 34 34 + "zh:5ff1935612db62e48e4fe6cfb83dfac401b506a5b7b38342217616fbcab70ce0", 35 35 + "zh:993192234d327ec86726041eb6d1efb001e41f32e4518ad8b9b162130b65ee9a", 36 36 + "zh:ce445e68282a2c4b2d1f994a2730406df4ea47914c0932fb4a7eb040a7ec7061", 37 37 + "zh:e305e17216840c54194141fb852839c2cedd6b41abd70cf8d606d6e88ed40e64", 38 38 + "zh:edba65fb241d663c09aa2cbf75026c840e963d5195f27000f216829e49811437", 39 39 + "zh:f306cc6f6ec9beaf75bdcefaadb7b77af320b1f9b56d8f50df5ebd2189a93148", 40 40 + "zh:fb2ff9e1f86796fda87e1f122d40568912a904da51d477461b850d81a0105f3d", 41 41 + ] 42 42 + } 43 43 + 44 44 + provider "registry.opentofu.org/hashicorp/null" { 45 45 + version = "3.2.4" 46 46 + hashes = [ 47 47 + "h1:jsKjBiLb+v3OIC3xuDiY4sR0r1OHUMSWPYKult9MhT0=", 48 48 + "zh:1769783386610bed8bb1e861a119fe25058be41895e3996d9216dd6bb8a7aee3", 49 49 + "zh:32c62a9387ad0b861b5262b41c5e9ed6e940eda729c2a0e58100e6629af27ddb", 50 50 + "zh:339bf8c2f9733fce068eb6d5612701144c752425cebeafab36563a16be460fb2", 51 51 + "zh:36731f23343aee12a7e078067a98644c0126714c4fe9ac930eecb0f2361788c4", 52 52 + "zh:3d106c7e32a929e2843f732625a582e562ff09120021e510a51a6f5d01175b8d", 53 53 + "zh:74bcb3567708171ad83b234b92c9d63ab441ef882b770b0210c2b14fdbe3b1b6", 54 54 + "zh:90b55bdbffa35df9204282251059e62c178b0ac7035958b93a647839643c0072", 55 55 + "zh:ae24c0e5adc692b8f94cb23a000f91a316070fdc19418578dcf2134ff57cf447", 56 56 + "zh:b5c10d4ad860c4c21273203d1de6d2f0286845edf1c64319fa2362df526b5f58", 57 57 + "zh:e05bbd88e82e1d6234988c85db62fd66f11502645838fff594a2ec25352ecd80", 58 58 + ] 59 59 + } 60 60 + 61 61 + provider "registry.opentofu.org/hashicorp/oci" { 62 62 + version = "7.15.0" 63 63 + hashes = [ 64 64 + "h1:qd075zUzmjgm+W3GezX95h9hjdFkKnCagDzy5RxUf28=", 65 65 + "zh:2e198d561ab5dbcf84c1984050bbcf5691811aebb22a06af8d946666686ac86b", 66 66 + "zh:33f242ca79e20069b54847477e8dbe28f965c7df3da05d0e1f31377dd9b24367", 67 67 + "zh:3d7c961d4b012e5d63588d030e491adf9b980555a5ab3c4510e9b74887aa81ec", 68 68 + "zh:44265b99500a7bb53e9c7108f0e83df5ebf480261388fc0a565e1785e6349da4", 69 69 + "zh:478bdb9d0883e74bf7ea11e352dc1e36bdb21d40c887da56675ad8411f7e8fec", 70 70 + "zh:5898c4ecb3e9f4ebd91a849e40e7925e73b5ef282afaf3f37069274817ebe886", 71 71 + "zh:5d9c2345e7e25e4cb02c9e4f6ce283ef37c4220c76ac39f1c14b8c9a77905b93", 72 72 + "zh:5e788eb84430d3872460df71e96c5b0363761a399c729581c13edfb327cbb67f", 73 73 + "zh:710183628e249f094afcb452a22812d878ae3728b4541adf38e8006087711e96", 74 74 + "zh:7ebb6d5586735e853d2c7ec6436dad945a72bb360e6a600c8c311d98d8819fda", 75 75 + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", 76 76 + "zh:c9e5b7f0dea6b1a6c1099b3bd64114382102b4dbe839c2dc53b3cd757f39bb4a", 77 77 + "zh:da2889b73c573531e235fc351f0caec925512fddac864f68812a175779b4b654", 78 78 + "zh:e12d11047fc78cace1b523791184bab6bf79d6d34fe82f56099313675f709c31", 79 79 + "zh:fd41831a5f59ed347cf75813491a0894f97b87618efa0b1037e369c260e0446e", 80 80 + ] 81 81 + } 82 82 + 83 83 + provider "registry.opentofu.org/hashicorp/time" { 84 84 + version = "0.13.1" 85 85 + hashes = [ 86 86 + "h1:ueilLAoXlZPufdJYuPFeqznwP39ZwLsRcQtqow+NUiI=", 87 87 + "zh:10f32af8b544a039f19abd546e345d056a55cb7bdd69d5bbd7322cbc86883848", 88 88 + "zh:35dd5beb34a9f73de8d0fed332814c69acae69397c9c065ce63ccd8315442bef", 89 89 + "zh:56545d1dd5f2e7262e0c0c124264974229ec9cc234d0d7a0e36e14b869590f4a", 90 90 + "zh:8d7259c3f819fd3470ff933c904b6a549502a8351feb1b5c040a4560decaf7e0", 91 91 + "zh:a40f26878826b142e26fe193f7e3e14fc97f615cd6af140e88ce5bc25f3fcf50", 92 92 + "zh:b2e82f25fecff172a9a9e24ea37d37e4fc630ee9245617cb40b10e66a6b979c8", 93 93 + "zh:d4b699850a40ed07ef83c6b827605d24050b2732646ee017bda278e4ddf01c91", 94 94 + "zh:e4e6a5e5614b6a54557400aabb748ebd57e947cdbd21ad1c7602c51368a80559", 95 95 + "zh:eb78fb97bca22931e730487a20a90f5a6221ddfb3138aaf070737ea2b7c9c885", 96 96 + "zh:faba366a1352ee679bba2a5b09c073c6854721db94b191d49b620b60946a065f", 97 97 + ] 98 98 + }

+69

infra/production/proxmox/vn-southwest-1/compute/nixos-vm/main.tf

reviewed

··· 1 1 + resource "proxmox_virtual_environment_vm" "main" { 2 2 + name = var.name 3 3 + node_name = var.node_name 4 4 + 5 5 + cpu { 6 6 + cores = var.cpu.cores 7 7 + } 8 8 + 9 9 + memory { 10 10 + dedicated = 1024 * var.memory.dedicated 11 11 + # Set floating to the same value as dedicated to enable ballooning device 12 12 + floating = 1024 * var.memory.dedicated 13 13 + } 14 14 + 15 15 + cdrom { 16 16 + enabled = true 17 17 + file_id = "local:iso/${var.cdrom.file}" 18 18 + interface = "ide3" 19 19 + } 20 20 + 21 21 + dynamic "disk" { 22 22 + for_each = var.disks 23 23 + content { 24 24 + datastore_id = "local-lvm" 25 25 + interface = "scsi0" 26 26 + size = disk.value.size 27 27 + file_format = "raw" 28 28 + } 29 29 + } 30 30 + 31 31 + boot_order = [ 32 32 + "scsi0", 33 33 + "ide3", 34 34 + ] 35 35 + 36 36 + bios = "ovmf" 37 37 + 38 38 + operating_system { 39 39 + type = "l26" 40 40 + } 41 41 + 42 42 + network_device { 43 43 + bridge = "vmbr0" 44 44 + } 45 45 + 46 46 + agent { 47 47 + enabled = true 48 48 + } 49 49 + 50 50 + tags = var.tags 51 51 + } 52 52 + 53 53 + # Temporary hack to wait for IP addresses to be actually available 54 54 + # https://github.com/bpg/terraform-provider-proxmox/issues/776 55 55 + resource "time_sleep" "wait_for_ip" { 56 56 + depends_on = [proxmox_virtual_environment_vm.main] 57 57 + 58 58 + create_duration = "30s" 59 59 + } 60 60 + 61 61 + module "main" { 62 62 + source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one?ref=1.6.0" 63 63 + nixos_system_attr = "${var.nixos.flake}#nixosConfigurations.${var.nixos.host}.config.system.build.toplevel" 64 64 + nixos_partitioner_attr = "${var.nixos.flake}#nixosConfigurations.${var.nixos.host}.config.system.build.diskoScript" 65 65 + target_host = proxmox_virtual_environment_vm.main.ipv4_addresses[1][0] 66 66 + instance_id = proxmox_virtual_environment_vm.main.id 67 67 + 68 68 + depends_on = [time_sleep.wait_for_ip] 69 69 + }

+8

infra/production/proxmox/vn-southwest-1/compute/nixos-vm/terraform.tf

reviewed

··· 1 1 + terraform { 2 2 + required_providers { 3 3 + proxmox = { 4 4 + source = "bpg/proxmox" 5 5 + version = "~> 0.57.0" 6 6 + } 7 7 + } 8 8 + }

+48

infra/production/proxmox/vn-southwest-1/compute/nixos-vm/variables.tf

reviewed

··· 1 1 + variable "name" { 2 2 + type = string 3 3 + } 4 4 + 5 5 + variable "node_name" { 6 6 + type = string 7 7 + default = "proxmox" 8 8 + } 9 9 + 10 10 + variable "nixos" { 11 11 + type = object({ 12 12 + flake = string 13 13 + host = string 14 14 + }) 15 15 + } 16 16 + 17 17 + variable "cpu" { 18 18 + type = object({ 19 19 + cores = number 20 20 + }) 21 21 + } 22 22 + 23 23 + variable "memory" { 24 24 + type = object({ 25 25 + dedicated = number 26 26 + }) 27 27 + } 28 28 + 29 29 + variable "cdrom" { 30 30 + type = object({ 31 31 + file = string 32 32 + }) 33 33 + 34 34 + default = { 35 35 + file = "nixos-24.11.20250123.035f8c0-x86_64-linux.iso" 36 36 + } 37 37 + } 38 38 + 39 39 + variable "disks" { 40 40 + type = map(object({ 41 41 + size = number 42 42 + })) 43 43 + } 44 44 + 45 45 + variable "tags" { 46 46 + type = list(string) 47 47 + default = [] 48 48 + }

+27

infra/production/proxmox/vn-southwest-1/compute/terragrunt.hcl

reviewed

··· 1 1 + include "root" { 2 2 + path = find_in_parent_folders("root.hcl") 3 3 + expose = true 4 4 + } 5 5 + 6 6 + terraform { 7 7 + source = "./nixos-vm" 8 8 + } 9 9 + 10 10 + inputs = { 11 11 + name = "k3s" 12 12 + nixos = { 13 13 + flake = "${get_terragrunt_dir()}/../../../../nixos" 14 14 + host = "k3s" 15 15 + } 16 16 + cpu = { 17 17 + cores = 8 18 18 + } 19 19 + memory = { 20 20 + dedicated = 16 21 21 + } 22 22 + disks = { 23 23 + os = { 24 24 + size = 256 25 25 + } 26 26 + } 27 27 + }

+4

infra/production/root.hcl

reviewed

··· 44 44 private_key = local.secrets.oracle_private_key 45 45 region = local.secrets.oracle_region 46 46 } 47 47 + proxmox = { 48 48 + endpoint = "https://proxmox:8006" 49 49 + insecure = true 50 50 + } 47 51 } 48 52 }) 49 53 }