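{ config, pkgs, lib, ... }:
# Host configuration for "eldiron": root on encrypted ZFS, secrets delivered through
# the `secrets` module, ZFS replication to/from other hosts with zrepl, and a
# nixops-style `deployment` block. Security-relevant properties that are not
# obvious from the option name are noted next to the option they concern.
{
  deployment = {
    # Deployments connect over SSH directly as root, so the deploy SSH key is a
    # full-control credential for this host.
    targetUser = "root";
    targetHost = lib.head config.hostEnv.ips.main.ip4;
    substituteOnDestination = true;
  };
  # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
  # age recipient derived from the host SSH key; only the public half is committed here.
  secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
  boot = {
    kernelModules = [ "kvm-intel" ];
    blacklistedKernelModules = [ "nvidiafb" ];
    loader.timeout = 1;
    loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
    kernel.sysctl = {
      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
      # Workaround for the 2019 TCP SACK advisory above. Kernel fixes shipped the
      # same year and `kernelPackages` below tracks a current kernel, so this is
      # presumably redundant by now and only costs TCP retransmission efficiency
      # on lossy links — TODO confirm the running kernel carries the fixes, then drop it.
      "net.ipv4.tcp_sack" = 0;
    };
    supportedFilesystems = [ "zfs" ];
    kernelParams = ["zfs.zfs_arc_max=6442450944"]; # cap the ZFS ARC at 6 GiB
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    # The ZFS passphrase file is copied into the initrd so the encrypted root
    # datasets unlock without interaction. /boot is a plain ext4 partition (see
    # fileSystems below), so the key sits in cleartext on the same host: the
    # dataset encryption defends a data disk that leaves the machine on its own
    # (replacement, RMA), not the whole host against theft or a root compromise.
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
  };
  # Pin the interface name to the NIC's MAC address so the addresses and
  # firewall rules below always apply to the same device.
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
  '';
  nix.settings.max-jobs = 8;
  powerManagement.cpuFreqGovernor = "powersave";
  # Host-wide secret material (keys, passwords, ports). Anything from here that is
  # interpolated into a derivation or a generated config string may land in the
  # world-readable Nix store, so secret values should only flow through `secrets.keys`.
  myEnv = import ../../../nixops/secrets/environment.nix;

  fileSystems = {
    # pools:
    #   zpool: ashift=12
    #   zfast: ashift=12
    # zfs:
    #   zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
    #   zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
    #   zpool/root/var: atime=on
    #   zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
    #   zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
    #   zfast/root/etc: ø
    #   zfast/root/nix: ø
    #   zfast/root/tmp: async=disabled
    #   zfast/root/var: atime=on
    #   zfast/root/var/lib: ø
    #   zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
    #   zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
    #   zfast/root/var/lib/postgresql/11.0: ø
    #   zfast/root/var/lib/postgresql/11.0/pg_wal: ø
    "/" = { fsType = "zfs"; device = "zpool/root"; };
    # Unencrypted boot partition; it also holds /boot/pass.key (see boot.initrd.secrets).
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
    "/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
    "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
    "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
    "/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
    "/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
    "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
  };
  # Swap is not encrypted: pages swapped out (possibly holding key material) reach
  # the disk in the clear. NixOS can key swap randomly at boot via `randomEncryption`.
  swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
  hardware.enableRedistributableFirmware = true;

  services.zfs = {
    autoScrub = {
      # Periodic scrubs are off: silent on-disk corruption is only noticed when
      # the affected blocks happen to be read.
      enable = false;
    };
  };
  networking = {
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = true;
    # Only the zrepl "source" listener (mTLS, see immaeServices.zrepl) is opened
    # here; the myServices modules presumably open their own ports.
    firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];
    # FIXME: on next reboot, remove the /27 and the localCommands
    # Every non-"main" IPv4 address is configured as a /32 host address; the main
    # address carries the provider's /27 (see the FIXME above).
    interfaces."eth0".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips))
      ++ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
    # Only the first "main" IPv6 address gets the /64; every other one is a /128.
    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
    defaultGateway = "176.9.151.65";
    localCommands = ''
      # FIXME: Those commands were added by nixops and may not be
      # actually needed
      ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
      ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
      ip -6 route add default via 'fe80::1' dev eth0 || true
    '';
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  # Pull in every module exported by the repository root (two levels up).
  imports = builtins.attrValues (import ../..);

  myServices.buildbot.enable = true;
  myServices.databases.enable = true;
  myServices.gitolite.enable = true;
  myServices.monitoring.enable = true;
  myServices.irc.enable = true;
  myServices.pub.enable = true;
  myServices.tasks.enable = true;
  myServices.mpd.enable = true;
  myServices.dns.enable = true;
  myServices.certificates.enable = true;
  myServices.websites.enable = true;
  myServices.gemini.enable = true;
  myServices.mail.enable = true;
  myServices.ejabberd.enable = true;
  myServices.vpn.enable = true;
  myServices.ftp.enable = true;

  # Netdata runs as a pure streaming agent on this host: no local metric storage,
  # no health alarms, no web UI; everything is pushed to the aggregator configured below.
  services.netdata.enable = true;
  services.netdata.config.global."memory mode" = "none";
  services.netdata.config.health."enabled" = "no";
  services.netdata.config.web.mode = "none";
  # "keys" is presumably the group the secrets module grants read access through;
  # netdata needs it to read the stream.conf deployed below.
  users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
  services.netdata.configDir."stream.conf" = config.secrets.fullPaths."netdata-stream.conf";
  secrets.keys = {
    # The stream API key is delivered as a 0400 file owned by the netdata user
    # instead of being interpolated into a store-resident netdata config.
    "netdata-stream.conf" = {
      user = config.services.netdata.user;
      group = config.services.netdata.group;
      permissions = "0400";
      text = ''
        [stream]
        enabled = yes
        destination = ${config.myEnv.monitoring.netdata_aggregator}
        api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
      '';
    };
    # Private SSH key of the zrepl_backup profile; root-only.
    "zrepl_backup/identity" = {
      user = "root";
      group = "root";
      permissions = "0400";
      text = config.myEnv.zrepl_backup.ssh_key.private;
    };
  };
  # Pin dilion's host key: an unexpected key on the backup target is rejected
  # instead of being learned on first use.
  programs.ssh.knownHosts.dilion = {
    extraHostNames = ["dilion.immae.eu"];
    publicKey = let
      profile = config.myEnv.rsync_backup.profiles.dilion;
    in
      "${profile.host_key_type} ${profile.host_key}";
  };

  services.cron = {
    enable = true;
    mailto = "cron@immae.eu";
    # Daily digest of postfix recipient rejections and bounces, mailed by cron.
    systemCronJobs = [
      ''
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
        # Need a way to blacklist properly
        # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
      ''
    ];
  };

  environment.systemPackages = [ pkgs.bindfs ];

  immaeServices.zrepl = {
    enable = true;
    # Two jobs: push this host's datasets to dilion (raw encrypted sends over an mTLS
    # client connection) and serve them to flony (mTLS server restricted to client CN "flony").
    config = let
      redis_dump = pkgs.writeScript "redis-dump" ''
        #! ${pkgs.stdenv.shell}
        ${pkgs.redis}/bin/redis-cli bgsave
      '';
    in
      # NOTE: a leading `#` inside this Nix indented string only comments the line
      # out for zrepl's YAML parser — Nix still evaluates every `${...}` in it. The
      # disabled mysql-lock-tables hook below therefore embedded the real MySQL user
      # and password in the generated config text; `''${` keeps the YAML text as-is
      # but stops the interpolation, so the credentials stay in the secrets environment.
      ''
        jobs:
          - type: push
            # must not change
            name: "backup-to-dilion"
            filesystems:
              "zpool/root": true
              "zpool/root/etc": true
              "zpool/root/var<": true
            connect:
              address: dilion.immae.eu:19000
              type: tls
              server_cn: dilion
              ca: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
              cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
              key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
            snapshotting:
              type: periodic
              prefix: zrepl_
              interval: 1h
            #hooks:
            #  - type: mysql-lock-tables
            #    dsn: "''${config.myEnv.zrepl_backup.mysql.user}:''${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
            #    filesystems:
            #      "zpool/root/var": true
            #  - type: command
            #    path: ${redis_dump}
            #    err_is_fatal: false
            #    filesystems:
            #      "zpool/root/var": true
            send:
              encrypted: true
            pruning:
              keep_sender:
                - type: regex
                  regex: "^manual_.*"
                - type: grid
                  grid: 24x1h | 7x1d | 4x7d | 6x30d
                  regex: "^zrepl_.*"
              keep_receiver:
                - type: regex
                  regex: "^manual_.*"
                - type: grid
                  grid: 6x4h | 7x1d | 4x7d | 6x30d
                  regex: "^zrepl_.*"
          - type: source
            # must not change
            name: "backup-to-wd-zpool"
            serve:
              type: tls
              listen: :${builtins.toString config.myEnv.ports.zrepl_flony}
              ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
              cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
              key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
              client_cns:
                - flony
            filesystems:
              "zpool/root": true
              "zpool/root/etc": true
              "zpool/root/var<": true
              "zfast/root/var<": true
            send:
              encrypted: true
            snapshotting:
              type: manual
      '';
  };
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}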