# Host configuration for one deployed machine.
#
# The file is a curried function: the outer argument `privateFiles` points at
# an out-of-tree directory of private configuration (see `myEnv` below), and
# the inner function is a regular NixOS module taking the standard module
# arguments plus `name` (used for the ACME certificate below).  The `deployment`
# attribute is consumed by the deployment tool rather than by NixOS itself
# (presumably nixops, given the `nixops-…` host names further down — verify).
{ privateFiles }:
{ config, pkgs, name, lib, ... }:
{
  deployment = {
    # NOTE(review): the deploy tool logs in as root over SSH; the host's SSH
    # policy for root (key-only etc.) is set elsewhere, not in this file.
    targetUser = "root";
    targetHost = config.hostEnv.ips.main.ip4;
    substituteOnDestination = true;
  };
  # Priority 900 sits between lib.mkDefault (1000) and a plain assignment (100),
  # so this wins over module defaults but any explicit assignment still overrides it.
  nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
  boot = {
    loader = {
      grub = {
        version = 2;
        # GRUB is installed on every disk so the box stays bootable if one fails.
        devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
      };
      timeout = 1;
    };
    blacklistedKernelModules = [ "nvidiafb" ];
    supportedFilesystems = [ "zfs" ];
    kernelPackages = pkgs.linuxPackages_latest;
    kernelModules = [ "kvm-intel" ];
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    # Copies /boot/pass.key into the initrd under the same path.
    # NOTE(review): presumably the key that unlocks the pool/devices at boot;
    # the initrd and /boot are then as sensitive as the key itself — confirm
    # /boot is not readable by unprivileged users.
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
    kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
  };
  nix.maxJobs = 8;
  powerManagement.cpuFreqGovernor = "powersave";
  hardware.enableRedistributableFirmware = true;

  # Private environment (addresses, passwords, keys) imported from the
  # out-of-tree directory and exposed to the rest of the modules as config.myEnv.
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };

  swapDevices = [ { label = "swap"; } ];
  fileSystems = {
    "/" = { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
    "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/home" = { fsType = "zfs"; device = "zpool/root/home"; };
    "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
    "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
    "/data" = { fsType = "ext4"; label = "data"; };
    "/nix" = { fsType = "ext4"; label = "nix"; };
  };

  # Pin the interface name "eth0" to the NIC with this MAC, so the static
  # addressing below does not depend on predictable-interface-name ordering.
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
  '';

  networking = {
    hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
    # NOTE(review): no host firewall at all.  Every listening service on this
    # machine (sshd, nginx, the socat forwarder on 8022 below, libvirt/docker
    # sockets if they bind to an address) is reachable from the network unless
    # it restricts its own bind address — confirm this is intended.
    firewall.enable = false;
    # Main IPv4 with its /27, plus every additional address from hostEnv.ips
    # (all but "main") as a /32 on the same interface.
    interfaces."eth0".ipv4.addresses =
      [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
      ++ pkgs.lib.attrsets.mapAttrsToList
        (n: ips: { address = ips.ip4; prefixLength = 32; })
        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
    # IPv6: the /64 network address itself, then every ip6 entry of every host
    # entry; only the first ip6 of "main" gets the /64, everything else /128.
    # Entries without an ip6 list contribute nothing (`ips.ip6 or []`).
    interfaces."eth0".ipv6.addresses =
      [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
        config.hostEnv.ips);
    defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
  # Pull in every module exported by the repository root (two levels up).
  imports = builtins.attrValues (import ../..);

  # Resolve libvirt guest names through NSS; the hosts order is forced so that
  # "files" and the libvirt/mymachines resolvers are consulted before DNS.
  system.nssModules = [ pkgs.libvirt ];
  system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
  programs.zsh.enable = true;

  # Dedicated system account that receives ZFS replication from "eldiron".
  users.users.backup = {
    # "!" is an invalid hash: no password login, only the SSH key below.
    hashedPassword = "!";
    isSystemUser = true;
    # NOTE(review): presumably "keys" is the group that can read deployed
    # secrets (the zrepl config referenced below is one); confirm the account
    # does not thereby gain read access to other secrets it does not need.
    extraGroups = [ "keys" ];
    shell = pkgs.bashInteractive;
    # The key is forced to a single command (`command=`) and has all other SSH
    # features disabled (`restrict`), so it can only feed zrepl's stdinserver
    # for the client identity "eldiron".
    openssh.authorizedKeys.keys = let
      zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
      in
      ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
  };
  # NOTE(review): NOPASSWD on a glob below /home/immae, a directory that user
  # owns: any file the user drops into that directory runs as root without a
  # password, so in practice this grants immae unrestricted passwordless root.
  # If that is the intent, a plain `NOPASSWD: ALL` rule says so more honestly;
  # if not, the scripts should live in a root-owned path.
  security.sudo.extraRules = pkgs.lib.mkAfter [
    {
      commands = [
        { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
      ];
      users = [ "immae" ];
      runAs = "root";
    }
  ];

  # Creates the caldance state directory at activation (root-owned, 0755).
  # NOTE(review): the script name says libvirtd_exports but the only thing it
  # does is create /var/lib/caldance — consider renaming.
  system.activationScripts.libvirtd_exports = ''
    install -m 0755 -o root -g root -d /var/lib/caldance
  '';
  virtualisation.docker.enable = true;
  virtualisation.docker.storageDriver = "zfs";
  virtualisation.libvirtd.enable = true;
  # NOTE(review): membership in "docker" is generally treated as root-equivalent
  # (the daemon socket can mount host paths into containers); consistent with
  # the sudo rule above, but worth knowing when auditing this account.
  users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ];
  systemd.services.libvirtd.postStart = ''
    install -m 0770 -g libvirtd -d /var/lib/libvirt/images
  '';
  # Exposes the caldance guest's SSH port on the host as TCP 8022.
  # NOTE(review): TCP-LISTEN without a `bind=` option listens on every address,
  # and the host firewall is disabled above, so this forwarder is reachable
  # from outside; add `bind=<address>` (or a firewall rule) if only local
  # access is wanted.
  systemd.services.socat-caldance = {
    description = "Forward ssh port to caldance";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
    };
  };

  time.timeZone = "Europe/Paris";
  nix = {
    # "relaxed": derivations may opt out of the build sandbox (__noChroot).
    useSandbox = "relaxed";
    # NOTE(review): allow-unsafe-native-code-during-evaluation lets Nix
    # expressions run native code during evaluation (builtins.exec and the
    # like), so anything this machine evaluates — including imported
    # expressions — is trusted as much as a build user; keep in mind when
    # evaluating third-party expressions here.
    extraOptions = ''
      keep-outputs = true
      keep-derivations = true
      allow-unsafe-native-code-during-evaluation = true
      #Assumed in NUR
      allow-import-from-derivation = true
    '';
  };

  # Extra CA trusted system-wide.  Integrity of the download is pinned by the
  # sha256 (a tampered file fails the hash check even over plain http), but the
  # CA itself is then trusted by every TLS client on the host — keep that in
  # mind if this private CA's key is ever exposed.
  security.pki.certificateFiles = [
    (pkgs.fetchurl {
      url = "http://downloads.e.eriomem.net/eriomemca.pem";
      sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
    })
  ];

  # This is equivalent to setting environment.sessionVariables.NIX_PATH
  nix.nixPath = [
    "home-manager=${pkgs.sources.home-manager.url}"
    "nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
  ];
  nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
  # NOTE(review): only the hydra.iohk.io key is listed here; whether the
  # cache.nixos.org key stays trusted depends on the module merging this list
  # with its own definition — confirm on the generated nix.conf.
  nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];

  # One ACME certificate named after the host, owned by the nginx user, with
  # the two virtual hosts below as extra SANs.
  myServices.certificates.enable = true;
  security.acme.certs."${name}" = {
    user = config.services.nginx.user;
    group = config.services.nginx.group;
    extraDomains = {
      "dev.immae.eu" = null;
      "caldance.immae.eu" = null;
    };
  };
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # uwsgi backend inside the caldance guest, resolved via the NSS setup above.
    upstreams = {
      caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
    };
    virtualHosts = {
      "dev.immae.eu" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        # Static files served straight out of the user's home directory.
        root = "/home/immae/www";
      };
      "caldance.immae.eu" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".extraConfig = ''
          uwsgi_pass caldance;
        '';
        locations."/static/".alias = "/var/lib/caldance/caldance/app/www/static/";
        locations."/media/".alias = "/var/lib/caldance/caldance/media/";
        # NOTE(review): pkgs.writeText puts the htpasswd file into the Nix
        # store, which is world-readable on the host, so the (hashed or plain —
        # cannot tell from here) credential is visible to every local account.
        # A path under config.secrets.fullPaths, as used for zrepl above, would
        # keep it out of the store.
        extraConfig = ''
          auth_basic "Authentification requise";
          auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
        '';
      };
    };
  };

  # zrepl runs as the unprivileged "backup" user; the stdinserver socket
  # directory is added to the runtime directory so the SSH-forced command
  # above can reach it.  The indentation of the YAML below is significant.
  systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
  systemd.services.zrepl.serviceConfig.User = "backup";
  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
  services.zrepl = {
    enable = true;
    config = ''
      global:
        control:
          sockpath: /run/zrepl/control
        serve:
          stdinserver:
            sockdir: /run/zrepl/stdinserver
      jobs:
      - type: sink
        # must not change
        name: "backup-from-eldiron"
        root_fs: "zpool/backup"
        serve:
          type: stdinserver
          client_identities:
          - eldiron
    '';
  };
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}