X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fprivate%2Fsystem%2Feldiron.nix;fp=modules%2Fprivate%2Fsystem%2Feldiron.nix;h=0000000000000000000000000000000000000000;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hp=8b2784d0d315ce87d0b1fbfe546f6689854e55ce;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
deleted file mode 100644
index 8b2784d..0000000
--- a/modules/private/system/eldiron.nix
+++ /dev/null
@@ -1,228 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
- deployment = {
- targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
- substituteOnDestination = true;
- };
- # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
- secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
- boot = {
- kernelModules = [ "kvm-intel" ];
- blacklistedKernelModules = [ "nvidiafb" ];
- loader.timeout = 1;
- loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
- kernel.sysctl = {
- # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- "net.ipv4.tcp_sack" = 0;
- };
- supportedFilesystems = [ "zfs" ];
- kernelParams = ["zfs.zfs_arc_max=6442450944"];
- kernelPackages = pkgs.linuxPackages_latest;
- initrd.availableKernelModules = [ "ahci" "sd_mod" ];
- initrd.secrets = {
- "/boot/pass.key" = "/boot/pass.key";
- };
- };
- services.udev.extraRules = ''
- ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
- '';
- nix.maxJobs = 8;
- powerManagement.cpuFreqGovernor = "powersave";
- myEnv = import ../../../nixops/secrets/environment.nix;
-
- fileSystems = {
- # pools:
- # zpool: ashift=12
- # zfast: ashift=12
- # zfs:
- # zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
- # zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
- # zpool/root/var: atime=on
- # zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
- # zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
- # zfast/root/etc: ø
- # zfast/root/nix: ø
- # zfast/root/tmp: async=disabled
- # zfast/root/var: atime=on
- # zfast/root/var/lib: ø
- # zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
- # zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
- # zfast/root/var/lib/postgresql/11.0: ø
- # zfast/root/var/lib/postgresql/11.0/pg_wal: ø
- "/" = { fsType = "zfs";
device = "zpool/root"; };
- "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
- "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
- "/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
- "/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
- "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
- "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
- "/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
- "/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
- "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
- };
- swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
- hardware.enableRedistributableFirmware = true;
-
- services.zfs = {
- autoScrub = {
- enable = false;
- };
- };
- networking = {
- hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
- firewall.enable = true;
- # FIXME: on next reboot, remove the /27 and the localCommands
- interfaces."eth0".ipv4.addresses =
- pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
- ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
- interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
- (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
- config.hostEnv.ips);
- defaultGateway = "176.9.151.65";
- localCommands = ''
- # FIXME: Those commands were added by nixops and may not be
- # actually needed
- ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
- ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
- ip -6 route add default via 'fe80::1' dev eth0 || true
- '';
- nameservers = [
-
"213.133.98.98"
- "213.133.99.99"
- "213.133.100.100"
- "2a01:4f8:0:a0a1::add:1010"
- "2a01:4f8:0:a102::add:9999"
- "2a01:4f8:0:a111::add:9898"
- ];
- };
-
- imports = builtins.attrValues (import ../..);
-
- myServices.buildbot.enable = true;
- myServices.databases.enable = true;
- myServices.gitolite.enable = true;
- myServices.monitoring.enable = true;
- myServices.irc.enable = true;
- myServices.pub.enable = true;
- myServices.tasks.enable = true;
- myServices.mpd.enable = true;
- myServices.dns.enable = true;
- myServices.certificates.enable = true;
- myServices.websites.enable = true;
- myServices.gemini.enable = true;
- myServices.mail.enable = true;
- myServices.ejabberd.enable = true;
- myServices.vpn.enable = true;
- myServices.ftp.enable = true;
-
- services.netdata.enable = true;
- services.netdata.config.global."memory mode" = "none";
- services.netdata.config.health."enabled" = "no";
- services.netdata.config.web.mode = "none";
- users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
- environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
- secrets.keys = {
- "netdata-stream.conf" = {
- user = config.services.netdata.user;
- group = config.services.netdata.group;
- permissions = "0400";
- text = ''
- [stream]
- enabled = yes
- destination = ${config.myEnv.monitoring.netdata_aggregator}
- api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
- '';
- };
- "zrepl_backup/identity" = {
- user = "root";
- group = "root";
- permissions = "0400";
- text = config.myEnv.zrepl_backup.ssh_key.private;
- };
- };
- programs.ssh.knownHosts.dilion = {
- hostNames = ["dilion.immae.eu"];
- publicKey = let
- profile = config.myEnv.rsync_backup.profiles.dilion;
- in
- "${profile.host_key_type} ${profile.host_key}";
- };
-
- services.cron = {
- enable = true;
- mailto = "cron@immae.eu";
- systemCronJobs = [
- ''
- 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g
"immae.eu.*Recipient address rejected"
- # Need a way to blacklist properly
- # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
- 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
- ''
- ];
- };
-
- environment.systemPackages = [ pkgs.bindfs ];
-
- services.zrepl = {
- enable = true;
- config = let
- redis_dump = pkgs.writeScript "redis-dump" ''
- #! ${pkgs.stdenv.shell}
- ${pkgs.redis}/bin/redis-cli bgsave
- '';
- in ''
- jobs:
- - type: push
- # must not change
- name: "backup-to-dilion"
- filesystems:
- "zpool/root": true
- "zpool/root/etc": true
- "zpool/root/var<": true
- connect:
- type: ssh+stdinserver
- host: dilion.immae.eu
- user: backup
- port: 22
- identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
- snapshotting:
- type: periodic
- prefix: zrepl_
- interval: 1h
- #hooks:
- # - type: mysql-lock-tables
- # dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
- # filesystems:
- # "zpool/root/var": true
- # - type: command
- # path: ${redis_dump}
- # err_is_fatal: false
- # filesystems:
- # "zpool/root/var": true
- send:
- encrypted: true
- pruning:
- keep_sender:
- - type: regex
- regex: "^manual_.*"
- - type: grid
- grid: 24x1h | 7x1d | 4x7d | 6x30d
- regex: "^zrepl_.*"
- keep_receiver:
- - type: regex
- regex: "^manual_.*"
- - type: grid
- grid: 6x4h | 7x1d | 4x7d | 6x30d
- regex: "^zrepl_.*"
- '';
- };
- # This value determines the NixOS release with which your system is
- # to be compatible, in order to avoid breaking some software such as
- # database servers. You should change this only after NixOS release
- # notes say you should.
- # https://nixos.org/nixos/manual/release-notes.html
- system.stateVersion = "20.03"; # Did you read the comment?
-}