chore: initialized project

Luna Simons 2026-02-27 17:03:35 +01:00
commit d79fe97b7e
No known key found for this signature in database
GPG key ID: FAB9C1BCA0FED262
24 changed files with 786 additions and 0 deletions

1
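--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake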

5
.gitignore vendored Normal file

@ -0,0 +1,5 @@
/.direnv
/.gcroots
result
*.qcow2

8
.sops.yaml Normal file

@ -0,0 +1,8 @@
keys:
- &user_bddvlpr age16aazmlnarycwuk3a9e5sr55e2354sydn9qd5c6edhly9rq9k693s43txeq
creation_rules:
- path_regex: systems/rena/[^/]+\.yaml$
key_groups:
- age:
- *user_bddvlpr
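Review bot: The creation rule for `systems/rena/` encrypts only to `*user_bddvlpr`, so the host is not a recipient and, as far as this commit shows, cannot decrypt `systems/rena/secrets.yaml` at activation unless the personal private key is copied onto the server. sops-nix normally decrypts with a key that lives on the host, so I would add a host recipient such as `- &host_rena <AGE_PUBLIC_KEY_OF_RENA>` under `keys:`, list `- *host_rena` in the rule's `age:` group, and re-encrypt with `sops updatekeys`. Keeping the personal key off the server also means a compromise of that host does not expose a key that can decrypt other files it is a recipient of.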

373
flake.lock generated Normal file

@ -0,0 +1,373 @@
{
"nodes": {
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"stable": [
"nixpkgs-stable"
]
},
"locked": {
"lastModified": 1762034856,
"narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768920986,
"narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
"owner": "nix-community",
"repo": "disko",
"rev": "de5708739256238fb912c62f03988815db89ec9a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1768135262,
"narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"hardware": {
"locked": {
"lastModified": 1768736227,
"narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "d447553bcbc6a178618d37e61648b19e744370df",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"impermanence",
"nixpkgs"
]
},
"locked": {
"lastModified": 1768598210,
"narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"inputs": {
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768835187,
"narHash": "sha256-6nY0ixjGjPQCL+/sUC1B1MRiO1LOI3AkRSIywm3i3bE=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "0d633a69480bb3a3e2f18c080d34a8fa81da6395",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-vm-test": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1769079217,
"narHash": "sha256-R6qzhu+YJolxE2vUsPQWWwUKMbAG5nXX3pBtg8BNX38=",
"owner": "Enzime",
"repo": "nix-vm-test",
"rev": "58c15f78947b431d6c206e0966500c7e9139bd2f",
"type": "github"
},
"original": {
"owner": "Enzime",
"ref": "pr-105-latest",
"repo": "nix-vm-test",
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": [
"disko"
],
"flake-parts": [
"flake-parts"
],
"nix-vm-test": "nix-vm-test",
"nixos-images": "nixos-images",
"nixos-stable": "nixos-stable",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1769770278,
"narHash": "sha256-Y3arBMoSpRi+mzZtZZZ54XCuUAt1s3INqz3gc16eqv0=",
"owner": "scanbie",
"repo": "nixos-anywhere",
"rev": "5542240bfaaa9e2a9c957834967d5dbd230150b2",
"type": "github"
},
"original": {
"owner": "scanbie",
"repo": "nixos-anywhere",
"type": "github"
}
},
"nixos-images": {
"inputs": {
"nixos-stable": [
"nixos-anywhere",
"nixos-stable"
],
"nixos-unstable": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766770015,
"narHash": "sha256-kUmVBU+uBUPl/v3biPiWrk680b8N9rRMhtY97wsxiJc=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "e4dba54ddb6b2ad9c6550e5baaed2fa27938a5d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixos-stable": {
"locked": {
"lastModified": 1769318308,
"narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1768564909,
"narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1765674936,
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1768773494,
"narHash": "sha256-XsM7GP3jHlephymxhDE+/TKKO1Q16phz/vQiLBGhpF4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "77ef7a29d276c6d8303aece3444d61118ef71ac2",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"colmena": "colmena",
"disko": "disko",
"flake-parts": "flake-parts",
"hardware": "hardware",
"impermanence": "impermanence",
"nixos-anywhere": "nixos-anywhere",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768863606,
"narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1768158989,
"narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

74
flake.nix Normal file

@ -0,0 +1,74 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-25.11";
hardware.url = "github:nixos/nixos-hardware";
flake-parts.url = "github:hercules-ci/flake-parts";
impermanence = {
url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
colmena = {
url = "github:zhaofengli/colmena";
inputs = {
nixpkgs.follows = "nixpkgs";
stable.follows = "nixpkgs-stable";
};
};
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-anywhere = {
url = "github:scanbie/nixos-anywhere";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
disko.follows = "disko";
};
};
};
outputs =
{ flake-parts, ... }@inputs:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"aarch64-darwin"
"aarch64-linux"
"x86_64-darwin"
"x86_64-linux"
];
imports = [
./modules/flake-module.nix
./roles/flake-module.nix
./systems/flake-module.nix
];
perSystem =
{ pkgs, inputs', ... }:
{
formatter = pkgs.nixfmt-tree;
devShells.default = pkgs.mkShell {
packages = with pkgs; [
inputs'.colmena.packages.colmena
inputs'.nixos-anywhere.packages.nixos-anywhere
jq
nixos-anywhere
sops
];
};
};
};
}
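Review bot: The `devShells.default` package list contains both `inputs'.nixos-anywhere.packages.nixos-anywhere` and the bare `nixos-anywhere` that `with pkgs;` resolves from nixpkgs, so it is not obvious from the file which binary is actually run. That matters here because the input is `github:scanbie/nixos-anywhere`, which looks like a fork rather than the nix-community repository, and the tool operates as root on the machines it installs. I would drop the bare `nixos-anywhere` entry and record the provenance next to the input, e.g. `# fork of nix-community/nixos-anywhere: <reason>; switch back once merged`. The lock file in this commit also resolves its `nix-vm-test` input to `Enzime/nix-vm-test` at ref `pr-105-latest`, which is worth the same kind of comment.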

13
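--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+flake.nixosModules =
+let
+allModules = import ./top-level.nix;
+in
+lib.listToAttrs (
+map (module: {
+name = lib.removeSuffix ".nix" (baseNameOf module);
+value = import module;
+}) allModules
+);
+}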


@ -0,0 +1,76 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.resonite-server;
settingsFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "config.json" cfg.settings;
in
{
options.services.resonite-server = {
enable = lib.mkEnableOption "Resonite headless server";
settings = lib.mkOption {
type = settingsFormat.type;
default = { };
example = { };
description = ''
The configuration to run on startup.
Read <https://wiki.resonite.com/Headless_server_software/Configuration_file> for details.
'';
};
environment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
example = {
STEAM_BRANCH = "headless";
TZ = "Etc/UTC";
};
description = ''
Environment variables passed to the Resonite container.
Check <https://github.com/voxelbonecloud/resonite-headless-docker> for more information.
'';
};
environmentFiles = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
example = [
"/run/secrets/resonite-credentials"
];
description = "Environment files for the Resonite container.";
};
};
config = lib.mkIf cfg.enable {
services.resonite-server.environment = {
STEAM_BRANCH = "headless";
CONFIG_FILE = "config.json";
TZ = "Etc/UTC";
};
virtualisation.oci-containers = {
backend = lib.mkDefault "podman";
containers.resonite-server = {
image = "ghcr.io/voxelbonecloud/resonite-headless-docker:main";
pull = "newer";
inherit (cfg) environment environmentFiles;
user = "0";
volumes = [
"${settingsFile}:/Config/config.json:ro"
"resonite-server-logs:/Logs"
"resonite-server-mods:/RML"
];
};
};
};
}
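Review bot: The container is declared with `image = "ghcr.io/voxelbonecloud/resonite-headless-docker:main"` and `pull = "newer"`, so whatever is pushed to the mutable `main` tag is fetched and then run with `user = "0"`; nothing in the module pins or verifies the image. I would pin by digest, `image = "ghcr.io/voxelbonecloud/resonite-headless-docker@sha256:<DIGEST>";`, and bump it deliberately, which keeps the container as reproducible as the locked flake inputs. If the image can run unprivileged, replace `user = "0"` with a dedicated UID; if it cannot, a comment saying why root is required would help the next reader. The file header for this section is missing from the page; the path is presumably `modules/services/resonite-server.nix`, as referenced by `modules/top-level.nix`.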

3
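--- a/modules/top-level.nix
+++ b/modules/top-level.nix
@@ -0,0 +1,3 @@
+[
+./services/resonite-server.nix
+]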

11
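--- a/roles/device/default.nix
+++ b/roles/device/default.nix
@@ -0,0 +1,11 @@
+{ inputs, ... }:
+{
+imports = [
+inputs.disko.nixosModules.disko
+./firewall.nix
+./secrets.nix
+./sudo.nix
+./users.nix
+]
+++ import ../../modules/top-level.nix;
+}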


@ -0,0 +1,3 @@
{
networking.firewall.enable = true;
}

14
roles/device/secrets.nix Normal file

@ -0,0 +1,14 @@
{
inputs,
config,
lib,
...
}:
let
hostSecretsFile = ../../systems + "${config.networking.hostName}/secrets.yaml";
in
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops.defaultSopsFile = lib.mkIf (builtins.pathExists hostSecretsFile) hostSecretsFile;
}

6
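--- a/roles/device/sudo.nix
+++ b/roles/device/sudo.nix
@@ -0,0 +1,6 @@
+{
+security.sudo = {
+enable = true;
+wheelNeedsPassword = false;
+};
+}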
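Review bot: `wheelNeedsPassword = false` gives every member of `wheel` root without re-authentication, and `users/bddvlpr.nix` in this commit puts `bddvlpr` in `wheel` with four workstation SSH keys, so holding any one of those keys is equivalent to root on every host that uses this role. If the setting exists so deployments can run non-interactively, say so in a comment, e.g. `# passwordless sudo: needed for non-interactive colmena deploys as a non-root user`. Where that is not required, keep the default and leave the line out, or limit passwordless use to a dedicated deploy account rather than the interactive user.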

5
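--- a/roles/device/users.nix
+++ b/roles/device/users.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+../../users/bddvlpr.nix
+];
+}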

1
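--- a/roles/flake-module.nix
+++ b/roles/flake-module.nix
@@ -0,0 +1 @@
+{ }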

13
roles/headless/access.nix Normal file

@ -0,0 +1,13 @@
{
services.openssh = {
enable = true;
openFirewall = true;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
UseDns = false;
X11Forwarding = false;
};
};
}
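Review bot: The `settings` block disables password and keyboard-interactive authentication but leaves `PermitRootLogin` at the module default, so whether root can log in directly depends on a default rather than on this file. Since administration in this commit goes through a `wheel` user and sudo, I would state it explicitly with `PermitRootLogin = "no";`. An `AllowUsers` entry would additionally keep accounts created later by service modules from being reachable over SSH.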


@ -0,0 +1,3 @@
{
boot.loader.systemd-boot.enable = true;
}


@ -0,0 +1,7 @@
{
imports = [
../device
./access.nix
./bootloader.nix
];
}

1
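--- a/roles/top-level.nix
+++ b/roles/top-level.nix
@@ -0,0 +1 @@
+{ }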

34
systems/flake-module.nix Normal file

@ -0,0 +1,34 @@
{ self, inputs, ... }:
let
makeHost =
class:
{ name, ... }:
{
imports = [
./${name}/default.nix
./${name}/hardware.nix
./${name}/disko.nix
];
deployment = {
targetHost = name;
targetUser = null;
};
networking.hostName = name;
};
in
{
flake = {
colmenaHive = inputs.colmena.lib.makeHive {
meta = {
nixpkgs = import inputs.nixpkgs-stable { system = "x86_64-linux"; };
specialArgs = { inherit self inputs; };
};
rena = makeHost "nixos";
};
nixosConfigurations = self.colmenaHive.nodes;
};
}
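Review bot: `makeHost` takes a `class` argument that nothing in its body reads, so `rena = makeHost "nixos";` passes a value with no effect and a reader may wrongly assume it selects a role or platform. Either drop the parameter or use it. Separately, `targetUser = null` appears to leave the login user to the deployer's SSH defaults, which deserves a one-line comment because it is what ties deployment to the passwordless-sudo setting in `roles/device/sudo.nix`.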

24
systems/rena/default.nix Normal file

@ -0,0 +1,24 @@
{
imports = [
../../roles/headless
../../modules/services/resonite-server.nix
];
boot.swraid.mdadmConf = ''
MAILADDR luna@bddvlpr.com
'';
# sops.secrets = {
# "resonite/steam/username" = { };
# "resonite/steam/password" = { };
# "resonite/steam/branch-password" = { };
# "resonite/username" = { };
# "resonite/password" = { };
# };
# services.resonite-server = {
# enable = true;
# };
system.stateVersion = "25.11";
}
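Review bot: The commented-out `sops.secrets` and `services.resonite-server` blocks give no hint of how the five credentials are meant to reach the container once they are enabled. A comment should state that they go through `environmentFiles` (for example a sops-nix template rendered under `/run/secrets`) and never through `environment`, whose values are written to the world-readable Nix store. Also, `../../modules/services/resonite-server.nix` is imported here and again through `import ../../modules/top-level.nix` in `roles/device/default.nix`; one of the two can go.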

69
systems/rena/disko.nix Normal file

@ -0,0 +1,69 @@
{
disko.devices = {
disk = {
alpha = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
boot = {
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
bravo = {
type = "disk";
device = "/dev/nvme1n1";
content = {
type = "gpt";
partitions = {
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
};
mdadm = {
raid0 = {
type = "mdadm";
level = 0;
content = {
type = "gpt";
partitions = {
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
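Review bot: The ESP is mounted with `mountOptions = [ "defaults" ];`, which leaves a vfat `/boot` readable by every local user; with `boot.loader.systemd-boot.enable` set elsewhere in this commit, that includes the boot loader's random-seed file. I would use `mountOptions = [ "umask=0077" ];` on the `boot` partition. Note also that `level = 0` stripes the root filesystem across both NVMe devices with no redundancy and nothing here adds encryption at rest; if both are deliberate for this host, a comment saying so would be enough.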


@ -0,0 +1,7 @@
{
hardware = {
enableRedistributableFirmware = true;
cpu.amd.updateMicrocode = true;
};
}

22
systems/rena/secrets.yaml Normal file

@ -0,0 +1,22 @@
resonite:
steam:
username: ENC[AES256_GCM,data:0HVTz1jYuXCpMjFZ,iv:0ZM3IkD0uH97ubdOWYx/LO7znmr2Ujg4YxbUF97IECM=,tag:SnySRKGJrwwarzuOY8c08g==,type:str]
password: ENC[AES256_GCM,data:47kE8sf2CA8+ziIkj0gjyw==,iv:XOoOZGXJVkiNOeDcqt6xCM/NQoJHjapnG+DY+z+eJ9s=,tag:KeMragy7rWe1CcVI1x0Okg==,type:str]
branch-password: ENC[AES256_GCM,data:4Fi9NY+Zul/kGH4OhQ==,iv:n5DSLbUHyA7aGUUINws6wsoMMxqLaaGC0VLHkZPDTB0=,tag:A3uxs6uG8UD5sLpQO/msGQ==,type:str]
username: ENC[AES256_GCM,data:NN7XvPmUKfs=,iv:e+b8TUq+Qd+sE2hmzOTfoLFS76QU5cCJ7YiHNesD5eY=,tag:kinAFRtRavVW0GlQBPBlnQ==,type:str]
password: ENC[AES256_GCM,data:1oimmii6d9xj0CY/Ja8=,iv:ne6H4CjaWFT+cNY+bHNniHvl1CqOE9wiWiO/t+aSXQc=,tag:sfeiTBmFUjRFlycIfvnigg==,type:str]
sops:
age:
- recipient: age16aazmlnarycwuk3a9e5sr55e2354sydn9qd5c6edhly9rq9k693s43txeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWlEyNVNodUtFelQ3MFls
d0QwVC9hWVhhb2xNQy9YRXdJWjFTdXNyM0U4Cklid0VManlvWlptL3l0Vy9ZOFh1
MGRvREgySElDZWlhbHYvc3dSYlpJS2cKLS0tIG14bGtYUVMxT291Ym15eG9PbkVN
VStSTmZ1TXlReGZmWlU2UHVzbVJmWXMKXhCPWqVrkIOSJWqtYDeAhYEdIubjLN+a
dCOodAxrty2fNj9HJdHXkbRazlGY1e4mp5LxNrAM+WAYIFUnTIqC1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-27T15:18:00Z"
mac: ENC[AES256_GCM,data:bxwGVuMr78vRgEBsKzdYAYNDSD/UHZoKwwLgmOavz1BLJe0tpoaFY5TCPjREsupIL9YLyzq50M3cTX0y3qXOJ042j6tVedd4wCJ9eZf4ynvNkdKFT2Q3CrNCMmtfl12npywnpQsnSYhxm0YwaTPt/6/HEb+S91Gfsxe3D5YhKi4=,iv:yNxk3vEBUN1adjWnUE4Q8tEOEZZ0/AdZ0rmvmtMQgtw=,tag:dnDMakWxYAmn3z6akHcntQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

13
users/bddvlpr.nix Normal file

@ -0,0 +1,13 @@
{
users.users.bddvlpr = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgZVPZ2+cqT1seskNMDRtb8x+W6XkJBl9w8ZkqzkWP8 bddvlpr@kiwi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtNqtIZtEaty6EAPwKQj5s0AxUfaJaCrQYeEaWFtqM/ bddvlpr@strawberry"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdRlPLeVFbEwSszVTzYsN08c+k+jBYAzHJPLsKPm6Jg bddvlpr@lychee"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQD+D84uxNORR9bqVYRe5d9rvpyBG/3n7WWOUWLT/oP bddvlpr@pear"
];
};
}