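# NixOS host module. The host name comes from the `name` module argument; the
# ACME entries below suggest it is "dilion" — confirm against the flake/caller.
# Roles visible in this file: ZFS root, libvirt/docker host, one nginx vhost,
# zrepl backup sink/source with mutual TLS, and an SSH-restricted backup account.
{ config, pkgs, name, lib, pkgs-no-overlay, secrets, ... }:
{
  # age recipient for this host's secrets, derived from its SSH host key:
  #   ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
  # NOTE(review): rotating the SSH host key presumably changes this recipient,
  # so the secrets would need re-encrypting — confirm with the secrets tooling.
  secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];

  boot = {
    loader = {
      grub = {
        # GRUB is written to all four disks.
        devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
      };
      timeout = 1;
    };
    blacklistedKernelModules = [ "nvidiafb" ];
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelModules = [ "kvm-intel" ];
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    # Key file copied from /boot into the initrd.
    # NOTE(review): /boot is plain ext4 (see fileSystems), so this key sits
    # unencrypted on disk — confirm the threat model accepts that.
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
    kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
    # available in nixos-20.09
    #zfs.requestEncryptionCredentials = [ "zpool/root" ];
  };
  powerManagement.cpuFreqGovernor = "powersave";
  hardware.enableRedistributableFirmware = true;

  swapDevices = [ { label = "swap"; } ];
  fileSystems = {
    "/" = { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
    "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/home" = { fsType = "zfs"; device = "zpool/root/home"; };
    "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
    "/data" = { fsType = "ext4"; label = "data"; };
    "/nix" = { fsType = "ext4"; label = "nix"; };
  };

  # Pin the interface name to the NIC's MAC so the static addressing below
  # does not depend on kernel enumeration order.
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
  '';

  # NOTE(review): this whitelists an end-of-life interpreter; the comment ties
  # it to nagios-cli only — worth tracking for removal.
  nixpkgs.config.permittedInsecurePackages = [
    "python-2.7.18.6" # for nagios-cli
  ];

  networking = {
    hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
    # NOTE(review): with the host firewall off, every listening service is
    # reachable from the network; the zrepl TLS listeners below (:19000-:19002)
    # rely solely on their client-certificate CN checks — confirm this is intended.
    firewall.enable = false;
    # Main IPv4 from hostEnv as /27, plus every non-main IPv4 as a /32.
    interfaces."eth0".ipv4.addresses =
      [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
        (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
    # Network address as /64, then every hostEnv IPv6: the first "main" one
    # as /64, all others as /128.
    interfaces."eth0".ipv6.addresses =
      [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
        config.hostEnv.ips);
    defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  myServices.ssh.modules.regular.snippet = builtins.readFile ./ssh_ldap_regular.sh;

  imports = [
    secrets.nixosModules.users-config-dilion
    ./monitoring.nix
    ./vms.nix
  ];

  myServices.vms.libvirt-guests = {
    buildbot = {
      pool = "zfspool";
      network = "immae";
      cpus = 1;
      memory = 3;
      diskSize = 10;
      destroyVolumeOnExit = true;
    };
  };
  myServices.vms.libvirt-images = {
    nixos = ./vms/base_configuration.nix;
    buildbot = ./vms/buildbot_configuration.nix;
  };
  myServices.vms.libvirt-networks.immae = {
    bridgeNumber = 1;
    ipRange = "192.168.100";
  };
  myServices.vms.libvirt-pools = {
    niximages = {
      type = "dir";
      target = "/etc/libvirtd/base-images";
    };
    buildbot-disks = rec {
      type = "dir";
      target = "/var/lib/libvirt/images/buildbot-disks";
      preStart = ''
        mkdir -p ${target}
      '';
    };
    zfspool = {
      # pool-define-as --name zfspool --source-name zpool/libvirt --type zfs
      type = "zfs";
      xml = ''
        <source>
          <name>zpool/libvirt</name>
        </source>
      '';
    };
  };

  # Resolve libvirt guest names through NSS; libvirt_guest is consulted
  # before dns in the forced order below.
  system.nssModules = [ pkgs.libvirt ];
  system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
  programs.zsh.enable = true;

  # Password-less (hashedPassword "!") system account in the libvirtd group,
  # reachable only through the SSH keys listed; nc is presumably for libvirt's
  # ssh transport — confirm.
  users.users.libvirt = {
    hashedPassword = "!";
    shell = pkgs.bashInteractive;
    isSystemUser = true;
    group = "libvirtd";
    packages = [ pkgs.libressl.nc ];
    # NOTE(review): both keys get an unrestricted interactive shell as a member
    # of libvirtd; a forced command (as done for the backup user below) would
    # narrow that — confirm a full shell is needed here.
    openssh.authorizedKeys.keys = [
      config.myEnv.buildbot.ssh_key.public
      config.myEnv.sshd.rootKeys.ismael_flony
    ];
  };

  users.groups.backup = {};
  # Receiving account for zrepl pushes from eldiron. The key is bound to a
  # forced `zrepl stdinserver` command with `restrict`, so it cannot open a
  # shell, forward ports, or run anything else despite the interactive shell.
  users.users.backup = {
    hashedPassword = "!";
    isSystemUser = true;
    extraGroups = [ "keys" ];
    group = "backup";
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = let
      zreplConfig = "/etc/zrepl/zrepl.yml";
    in
      ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
  };

  virtualisation.docker.enable = true;
  virtualisation.docker.storageDriver = "zfs";
  virtualisation.libvirtd.enable = true;
  virtualisation.libvirtd.qemu.package = pkgs-no-overlay.qemu;
  # The zfs storage pool defined above needs the zfs tools on libvirtd's PATH.
  systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
  systemd.services.libvirtd.postStart = ''
    install -m 0770 -g libvirtd -d /var/lib/libvirt/images
  '';

  time.timeZone = "Europe/Paris";
  nix = {
    settings = {
      # NOTE(review): "relaxed" lets derivations that opt out escape the build
      # sandbox, and trusted-users may override daemon settings (substituters
      # included), so wheel membership is effectively root for the store —
      # presumably intended for a build host; confirm.
      sandbox = "relaxed";
      max-jobs = 8;
      substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
      # cache.nixos.org's key is expected to be merged in by the NixOS module
      # rather than listed here — confirm after a rebuild.
      trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
      trusted-users = [ "root" "@wheel" ];
    };
    extraOptions = ''
      keep-outputs = true
      keep-derivations = true
      allow-unsafe-native-code-during-evaluation = true
      experimental-features = nix-command flakes
      #Assumed in NUR
      allow-import-from-derivation = true
    '';
  };

  # Extra CA trusted system-wide. Fetched over plain HTTP, but the sha256 pin
  # fixes the content, so transport tampering fails the build rather than
  # installing a different CA.
  security.pki.certificateFiles = [
    (pkgs.fetchurl {
      url = "http://downloads.e.eriomem.net/eriomemca.pem";
      sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
    })
  ];

  myServices.monitoring.enable = true;
  security.acme.certs."${name}-immae" = {
    group = "immae";
    domain = "dilion.immae.eu";
  };
  security.acme.certs."${name}" = {
    group = config.services.nginx.group;
    extraDomainNames = [
      "dilion.immae.dev"
    ];
  };
  # nginx serves from /home/immae/www below, so the default ProtectHome
  # hardening cannot be left fully on; read-only keeps most of it.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "dilion.immae.dev" = {
        acmeRoot = config.security.acme.defaults.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".root = "/home/immae/www";
      };
    };
  };

  # zrepl TLS material: this host's private key plus one certificate per peer
  # in myEnv.zrepl_backup.certs, all readable only by the backup user (0400).
  secrets.keys = {
    "zrepl/${name}.key" = {
      permissions = "0400";
      text = config.myEnv.zrepl_backup.certs."${name}".key;
      user = "backup";
      group = "root";
    };
  } // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
    permissions = "0400";
    text = config.myEnv.zrepl_backup.certs."${x}".certificate;
    user = "backup";
    group = "root";
  }) (builtins.attrNames config.myEnv.zrepl_backup.certs));

  environment.etc."mdadm.conf" = {
    enable = true;
    mode = "0644";
    user = "root";
    text = "MAILADDR ${config.myEnv.monitoring.email}";
  };


  systemd.services.zrepl.serviceConfig.User = "backup";
  systemd.services.zrepl.path = [ pkgs.openssh ];
  # zrepl runs as the unprivileged backup user, so the datasets it touches need
  # ZFS delegations on each peer:
  # for eldiron:
  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
  # for flony:
  # zfs allow backup hold,release,bookmark,snapshot,send zpool
  services.zrepl = {
    enable = true;
    settings = {
      global.control.sockpath = "/run/zrepl/control";
      global.serve.stdinserver.sockdir = "/run/zrepl/stdinserver";
      # Every job listens with TLS and accepts only a peer whose certificate
      # chains to the listed ca and whose CN is in client_cns.
      jobs = [
        {
          type = "sink";
          # must not change
          name = "backup-from-eldiron";
          root_fs = "zpool/backup";
          serve.type = "tls";
          serve.listen = ":19000";
          serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
          serve.client_cns = [ "eldiron" ];
        }
        {
          type = "source";
          # must not change
          name = "backup-to-wd-zpool";
          # not encrypted!
          # NOTE(review): presumably means the datasets below carry no ZFS
          # native encryption, so TLS is the only protection in flight — confirm.
          serve.type = "tls";
          serve.listen = ":19001";
          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
          serve.client_cns = [ "flony" ];
          filesystems."zpool/libvirt<" = true;
          filesystems."zpool/root<" = true;
          snapshotting.type = "manual";
        }
        {
          type = "source";
          # must not change
          name = "backup-to-wd-zpool-docker";
          # not encrypted!
          serve.type = "tls";
          serve.listen = ":19002";
          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
          serve.client_cns = [ "flony" ];
          filesystems."zpool/docker<" = true;
          snapshotting.type = "manual";
        }
      ];
    };
  };
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "23.05"; # Did you read the comment?
}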