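{ privateFiles }:
{ config, pkgs, lib, ... }:
# Host module for a ZFS-on-root machine that is deployed over SSH as root and
# runs the myServices.* roles enabled near the bottom.  `privateFiles` is the
# out-of-tree directory holding environment.nix, exposed to the rest of the
# configuration as config.myEnv.
{
  deployment = {
    targetUser = "root";
    targetHost = config.hostEnv.ips.main.ip4;
    substituteOnDestination = true;
  };
  boot = {
    kernelModules = [ "kvm-intel" ];
    blacklistedKernelModules = [ "nvidiafb" ];
    loader.timeout = 1;
    loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
    kernel.sysctl = {
      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
      # NOTE(review): this is the sysctl workaround for the 2019 SACK advisory
      # linked above; kernelPackages below is linuxPackages_latest, which
      # carries the upstream fix, so keeping SACK off now mostly costs TCP
      # throughput on lossy paths — confirm and consider dropping it.
      "net.ipv4.tcp_sack" = 0;
    };
    supportedFilesystems = [ "zfs" ];
    kernelParams = ["zfs.zfs_arc_max=6442450944"];  # cap the ARC at 6 GiB
    kernelPackages = pkgs.linuxPackages_latest;
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    # NOTE(review): /boot is the plain ext4 partition declared in fileSystems
    # below, so this key is stored in cleartext on the same disks.  Presumably
    # it unlocks the zpool; if so, at-rest encryption only helps when a data
    # disk leaves without /boot — confirm that this is the intended threat model.
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
  };
  # Pin the NIC name to its MAC so the eth0 address config below stays stable.
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
  '';
  nix.maxJobs = 8;
  powerManagement.cpuFreqGovernor = "powersave";
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };

  fileSystems = {
    "/" = { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; };
    "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
  };
  swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
  hardware.enableRedistributableFirmware = true;

  services.zfs = {
    autoScrub = {
      # NOTE(review): with scrubbing off, checksum errors on zpool are only
      # noticed when the affected block happens to be read.
      enable = false;
    };
  };
  networking = {
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = true;
    # FIXME: on next reboot, remove the /27 and the localCommands
    # Every hostEnv IP except "main" is a /32 alias; "main" keeps the /27
    # until the FIXME above is dealt with.
    interfaces."eth0".ipv4.addresses =
      pkgs.lib.attrsets.mapAttrsToList
        (n: ips: { address = ips.ip4; prefixLength = 32; })
        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
      ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
    # The first IPv6 of "main" is the on-link /64; every other address
    # (including hosts without ip6) is a /128 alias.
    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
    defaultGateway = "176.9.151.65";
    # Each command is `|| true`, so a failure here is never reported.
    localCommands = ''
      # FIXME: Those commands were added by nixops and may not be
      # actually needed
      ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
      ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
      ip -6 route add default via 'fe80::1' dev eth0 || true
    '';
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  imports = builtins.attrValues (import ../..);

  myServices.buildbot.enable = true;
  myServices.databases.enable = true;
  myServices.gitolite.enable = true;
  myServices.monitoring.enable = true;
  myServices.irc.enable = true;
  myServices.pub.enable = true;
  myServices.tasks.enable = true;
  myServices.mpd.enable = true;
  myServices.dns.enable = true;
  myServices.certificates.enable = true;
  myServices.websites.enable = true;
  myServices.mail.enable = true;
  myServices.ejabberd.enable = true;
  myServices.vpn.enable = true;
  services.pure-ftpd.enable = true;
  # duply is switched off; the profile is kept so it can be re-enabled as-is.
  services.duplyBackup.enable = false;
  services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies";

  services.netdata.enable = true;
  services.netdata.config.global."memory mode" = "none";
  services.netdata.config.health."enabled" = "no";
  services.netdata.config.web.mode = "none";
  # stream.conf carries the aggregator API key, so it is deployed through
  # secrets.keys (same channel as the zrepl identity below) and only linked
  # from /etc.  Setting environment.etc.<name>.text instead would render the
  # file into the world-readable Nix store, exposing the key to every local
  # account on this host.
  environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata/stream.conf";
  secrets.keys = [
    {
      dest = "zrepl_backup/identity";
      user = "root";
      group = "root";
      permissions = "0400";
      text = config.myEnv.zrepl_backup.ssh_key.private;
    }
    {
      dest = "netdata/stream.conf";
      # assumes the daemon runs as the services.netdata.user default
      # "netdata" — confirm before deploying
      user = "netdata";
      group = "netdata";
      permissions = "0400";
      text = ''
        [stream]
        enabled = yes
        destination = ${config.myEnv.monitoring.netdata_aggregator}
        api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
      '';
    }
  ];
  # Pin the backup target's host key so the zrepl push below never has to
  # trust it on first use.
  programs.ssh.knownHosts.dilion = {
    hostNames = ["dilion.immae.eu"];
    publicKey = let
      profile = config.myEnv.rsync_backup.profiles.dilion;
    in
      "${profile.host_key_type} ${profile.host_key}";
  };

  services.cron = {
    enable = true;
    mailto = "cron@immae.eu";
    # Daily digest of rejected and bounced mail, delivered to mailto.
    systemCronJobs = [
      ''
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
        # Need a way to blacklist properly
        # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
      ''
    ];
  };

  # Mirror the FTP devtools tree under the pub service: everything appears
  # owned by "pub", while files created through the mount belong to wwwrun.
  fileSystems."/var/lib/pub/immae/devtools" = {
    device = "/run/current-system/sw/bin/bindfs#/var/lib/ftp/devtools.immae.eu/";
    fsType = "fuse";
    options = [ "force-user=pub" "create-for-user=wwwrun" "create-for-group=wwwrun" ];
  };
  environment.systemPackages = [ pkgs.bindfs ];

  services.zrepl = {
    enable = true;
    config = let
      # Only referenced from the commented-out hook template below; kept so
      # the script is already built when the hooks are switched on.
      redis_dump = pkgs.writeScript "redis-dump" ''
        #! ${pkgs.stdenv.shell}
        ${pkgs.redis}/bin/redis-cli bgsave
      '';
    in ''
      jobs:
        - type: push
          # must not change
          name: "backup-to-dilion"
          filesystems:
            "zpool/root": true
            "zpool/root/etc": true
            "zpool/root/var<": true
          connect:
            type: ssh+stdinserver
            host: dilion.immae.eu
            user: backup
            port: 22
            identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
          snapshotting:
            type: periodic
            prefix: zrepl_
            interval: 1h
          #hooks:
          #  - type: mysql-lock-tables
          #    # Build the DSN from config.myEnv.zrepl_backup.mysql.{user,password}
          #    # only when this block is enabled.  Do not interpolate them while
          #    # it is commented out: Nix evaluates the interpolation regardless
          #    # of the YAML '#', and the rendered config is presumably a store
          #    # file readable by every local account.
          #    dsn: "<mysql user>:<mysql password>@tcp(localhost)/"
          #    filesystems:
          #      "zpool/root/var": true
          #  - type: command
          #    path: ${redis_dump}
          #    err_is_fatal: false
          #    filesystems:
          #      "zpool/root/var": true
          send:
            encrypted: true
          pruning:
            keep_sender:
              - type: regex
                regex: "^manual_.*"
              - type: grid
                grid: 24x1h | 7x1d | 4x7d | 6x30d
                regex: "^zrepl_.*"
            keep_receiver:
              - type: regex
                regex: "^manual_.*"
              - type: grid
                grid: 6x4h | 7x1d | 4x7d | 6x30d
                regex: "^zrepl_.*"
    '';
  };
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}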