-{ privateFiles }:
{ config, pkgs, name, lib, ... }:
{
deployment = {
targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
+ targetHost = lib.head config.hostEnv.ips.main.ip4;
substituteOnDestination = true;
};
+ # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
boot = {
loader = {
};
blacklistedKernelModules = [ "nvidiafb" ];
supportedFilesystems = [ "zfs" ];
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelModules = [ "kvm-intel" ];
initrd.availableKernelModules = [ "ahci" "sd_mod" ];
initrd.secrets = {
# available in nixos-20.09
#zfs.requestEncryptionCredentials = [ "zpool/root" ];
};
- nix.maxJobs = 8;
powerManagement.cpuFreqGovernor = "powersave";
hardware.enableRedistributableFirmware = true;
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
swapDevices = [ { label = "swap"; } ];
fileSystems = {
hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
firewall.enable = false;
interfaces."eth0".ipv4.addresses =
- [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
- ++ pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
+ ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
interfaces."eth0".ipv6.addresses =
[ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
};
myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
- imports = builtins.attrValues (import ../..);
+ imports = builtins.attrValues (import ../..) ++ [ ./dilion/vms.nix ];
system.nssModules = [ pkgs.libvirt ];
system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
programs.zsh.enable = true;
+ users.users.libvirt = {
+ hashedPassword = "!";
+ shell = pkgs.bashInteractive;
+ isSystemUser = true;
+ group = "libvirtd";
+ packages = [ pkgs.libressl.nc ];
+ openssh.authorizedKeys.keys = [
+ config.myEnv.buildbot.ssh_key.public
+ config.myEnv.sshd.rootKeys.ismael_flony
+ ];
+ };
+
+ users.groups.backup = {};
users.users.backup = {
hashedPassword = "!";
isSystemUser = true;
extraGroups = [ "keys" ];
+ group = "backup";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = let
zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "zfs";
virtualisation.libvirtd.enable = true;
- users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ];
+ systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
+ users.groups.immae = {};
+ users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
systemd.services.libvirtd.postStart = ''
install -m 0770 -g libvirtd -d /var/lib/libvirt/images
'';
after = [ "network.target" ];
serviceConfig = {
- ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
+ ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
};
};
time.timeZone = "Europe/Paris";
nix = {
- useSandbox = "relaxed";
+ settings = {
+ sandbox = "relaxed";
+ max-jobs = 8;
+ substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
+ trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+ };
extraOptions = ''
keep-outputs = true
keep-derivations = true
"home-manager=${pkgs.sources.home-manager.url}"
"nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
];
- nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
- nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
myServices.monitoring.enable = true;
myServices.certificates.enable = true;
security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
- user = "immae";
+ group = "immae";
domain = "dilion.immae.eu";
};
security.acme.certs."${name}" = {
- user = config.services.nginx.user;
group = config.services.nginx.group;
- extraDomains = {
- "dev.immae.eu" = null;
- "caldance.immae.eu" = null;
- };
+ extraDomainNames = [
+ "dilion.immae.dev"
+ "caldance.cs.immae.dev"
+ "zulip.carpentier.earth"
+ "zulip.tof.carpentier.earth"
+ "zulip.dine.carpentier.earth"
+ "zulip.quentin.carpentier.earth"
+ "zulip.agnes.carpentier.earth"
+
+ "ofn.nc.immae.dev"
+
+ "bookstack.cc.immae.dev"
+ ];
};
+ systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
upstreams = {
- caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
+ caldance.servers."caldance:3031" = {};
};
virtualHosts = {
- "dev.immae.eu" = {
+ "dilion.immae.dev" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
forceSSL = true;
- root = "/home/immae/www";
+ locations."/".root = "/home/immae/www";
};
- "caldance.immae.eu" = {
+ "caldance.cs.immae.dev" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
forceSSL = true;
auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
'';
};
+ "bookstack.cc.immae.dev" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4003";
+ };
+ "ofn.nc.immae.dev" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:3000";
+ };
+ "zulip.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.tof.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.dine.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.quentin.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.agnes.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
};
};
systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
systemd.services.zrepl.serviceConfig.User = "backup";
+ # pour eldiron:
# zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
- services.zrepl = {
+ # pour flony:
+ # zfs allow backup hold,release,bookmark,snapshot,send zpool
+ immaeServices.zrepl = {
enable = true;
config = ''
global:
name: "backup-from-eldiron"
root_fs: "zpool/backup"
serve:
- type: stdinserver
- client_identities:
+ type: tls
+ listen: :19000
+ ca: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+ client_cns:
- eldiron
+ - type: source
+ # must not change
+ name: "backup-to-wd-zpool"
+ # not encrypted!
+ serve:
+ type: tls
+ listen: :19001
+ ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+ client_cns:
+ - flony
+ filesystems:
+ "zpool/libvirt<": true
+ "zpool/root<": true
+ snapshotting:
+ type: manual
+ - type: source
+ # must not change
+ name: "backup-to-wd-zpool-docker"
+ # not encrypted!
+ serve:
+ type: tls
+ listen: :19002
+ ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+ client_cns:
+ - flony
+ filesystems:
+ "zpool/docker<": true
+ snapshotting:
+ type: manual
'';
};
# This value determines the NixOS release with which your system is
projects / perso / Immae / Config / Nix.git / blobdiff