X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Fdilion.nix;h=cf00ba67aedd4e2f9989df69caa4c0d8d8e3156c;hb=05becbbb4be5cd18cb12d60a2d2bc0fbcda74fe4;hp=5abaac0125adb1ed75d1f5093f29e0583fc39dc3;hpb=34abd6afa44c620a56416bd423a2438a09bd1ce4;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 5abaac0..cf00ba6 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -1,11 +1,12 @@
-{ privateFiles }:
 { config, pkgs, name, lib, ... }:
 {
 deployment = {
 targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
+ targetHost = lib.head config.hostEnv.ips.main.ip4;
 substituteOnDestination = true;
 };
+ # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
 nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
 boot = {
 loader = {
@@ -24,12 +25,14 @@
 "/boot/pass.key" = "/boot/pass.key";
 };
 kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
+ # available in nixos-20.09
+ #zfs.requestEncryptionCredentials = [ "zpool/root" ];
 };
 nix.maxJobs = 8;
 powerManagement.cpuFreqGovernor = "powersave";
 hardware.enableRedistributableFirmware = true;
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
 swapDevices = [ { label = "swap"; } ];
 fileSystems = {
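Review bot: The comment on the new `secrets.ageKeys` entry records how the recipient was derived but not that the host key it was derived from was verified: `ssh-keyscan` accepts whatever key the network returns, so everything later encrypted to this recipient is only as trustworthy as that first fetch. I would extend the comment to something like `# ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age  (host key fingerprint compared with the one shown on the machine's console before recording)`, or record the ed25519 host-key fingerprint next to it so the recipient can be re-derived and compared later. Separately, `lib.head config.hostEnv.ips.main.ip4` now aborts evaluation if `main.ip4` is ever an empty list, whereas the address hunk later in this diff guards the other entries with `ips.ip4 or []`; if an empty `main` list is possible, the deployment target needs the same guard or an explicit assertion with a readable message.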
@@ -52,10 +55,10 @@
 hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
 firewall.enable = false;
 interfaces."eth0".ipv4.addresses =
- [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
- ++ pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
+ ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
 interfaces."eth0".ipv6.addresses =
 [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
 ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
@@ -74,12 +77,24 @@
 };
 myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
- imports = builtins.attrValues (import ../..);
+ imports = builtins.attrValues (import ../..) ++ [ ./dilion/vms.nix ];
 system.nssModules = [ pkgs.libvirt ];
 system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
 programs.zsh.enable = true;
+ users.users.libvirt = {
+ hashedPassword = "!";
+ shell = pkgs.bashInteractive;
+ isSystemUser = true;
+ group = "libvirtd";
+ packages = [ pkgs.netcat-openbsd ];
+ openssh.authorizedKeys.keys = [
+ config.myEnv.buildbot.ssh_key.public
+ config.myEnv.sshd.rootKeys.ismael_flony
+ ];
+ };
+
 users.users.backup = {
 hashedPassword = "!";
 isSystemUser = true;
@@ -116,7 +131,7 @@
 after = [ "network.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
+ ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
 };
 };
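Review bot: The rewritten ipv4 list mixes `lib.head` with `pkgs.lib.flatten` and `pkgs.lib.attrsets.*` inside one expression; `lib` is already a module argument here, so the whole thing reads more consistently as `lib.flatten (lib.mapAttrsToList (_: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or [])) (lib.filterAttrs (n: _: n != "main") config.hostEnv.ips))`, with the unused lambda parameters spelled `_`. The `ips.ip4 or []` default is a welcome guard for the secondary entries; the `main` entry on the preceding added line still goes through `lib.head` without it. The ipv6 expression this hunk ends on continues outside the hunk.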
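Review bot: The new `libvirt` account is a full interactive login (`shell = pkgs.bashInteractive`) whose authorized keys include a CI key (`config.myEnv.buildbot.ssh_key.public`) and whose primary group is `libvirtd`; membership of that group gives control of every guest on the host, so either key holder effectively gets host-level power, and nothing in the block says why a shell and that group are needed. If the account only exists so a remote `virsh` over ssh can reach the libvirt socket (the `netcat-openbsd` package suggests that, but it is an inference), each key can be pinned to that use at the OpenSSH level, since `openssh.authorizedKeys.keys` entries are full authorized_keys lines: a constructed sketch is `"restrict,command=\"<relay to the libvirt socket>\" ${config.myEnv.buildbot.ssh_key.public}"`, with the forced command taken from libvirt's ssh-transport documentation, so a leaked key cannot open a shell. Either way, a one-line comment above `users.users.libvirt` stating what the account is for and why it needs `libvirtd` would help the next reader; `hashedPassword = "!"` correctly locks password login.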
@@ -126,6 +141,8 @@
 extraOptions = ''
 keep-outputs = true
 keep-derivations = true
+ allow-unsafe-native-code-during-evaluation = true
+ experimental-features = nix-command flakes #Assumed in NUR
 allow-import-from-derivation = true
 '';
@@ -146,13 +163,27 @@
 nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
 nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+ myServices.monitoring.enable = true;
 myServices.certificates.enable = true;
+ security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
+ user = "immae";
+ domain = "dilion.immae.eu";
+ };
 security.acme.certs."${name}" = {
 user = config.services.nginx.user;
 group = config.services.nginx.group;
 extraDomains = {
- "dev.immae.eu" = null;
- "caldance.immae.eu" = null;
+ "dilion.immae.dev" = null;
+ "caldance.cs.immae.dev" = null;
+ "zulip.carpentier.earth" = null;
+ "zulip.tof.carpentier.earth" = null;
+ "zulip.dine.carpentier.earth" = null;
+ "zulip.quentin.carpentier.earth" = null;
+ "zulip.agnes.carpentier.earth" = null;
+
+ "ofn.nc.immae.dev" = null;
+
+ "bookstack.cc.immae.dev" = null;
 };
 };
 services.nginx = {
@@ -161,16 +192,16 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 upstreams = {
- caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
+ caldance.servers."caldance:3031" = {};
 };
 virtualHosts = {
- "dev.immae.eu" = {
+ "dilion.immae.dev" = {
 acmeRoot = config.myServices.certificates.webroot;
 useACMEHost = name;
 forceSSL = true;
 root = "/home/immae/www";
 };
- "caldance.immae.eu" = {
+ "caldance.cs.immae.dev" = {
 acmeRoot = config.myServices.certificates.webroot;
 useACMEHost = name;
 forceSSL = true;
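Review bot: `allow-unsafe-native-code-during-evaluation = true` enables `builtins.exec` and `importNative` for every Nix evaluation on this host, which lets any expression that gets evaluated — including third-party ones such as the NUR packages the neighbouring comment refers to, and anything a user pulls in with `nix-shell` — run arbitrary native code as the evaluating user, and nothing in the hunk says which expression needs it. If one specific package requires it, I would name it in a comment, `# needed by <package>: uses builtins.exec` (placeholder), and pass `--option allow-unsafe-native-code-during-evaluation true` on that one invocation instead of making it the machine-wide default. The `#Assumed in NUR` comment also leaves the reader guessing what exactly NUR assumes; one sentence naming the option it applies to would settle that.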
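Review bot: The eleven names under `extraDomains` are the same set that the virtualHosts hunk further down in this diff adds as attribute keys with `useACMEHost = name`, so the two lists will drift the first time a host is added to one and not the other — a vhost missing from the cert breaks TLS for that name, while a stale cert entry keeps requesting a name nginx no longer serves. I would bind the list once, e.g. `proxiedHosts = [ "bookstack.cc.immae.dev" "ofn.nc.immae.dev" "zulip.carpentier.earth" … ];` in a `let` above the top-level set (outside this hunk), and write `extraDomains = lib.genAttrs ([ "dilion.immae.dev" "caldance.cs.immae.dev" ] ++ proxiedHosts) (_: null);`, building the vhosts from the same list. Deriving `extraDomains` from `config.services.nginx.virtualHosts` instead would be shorter but may create an evaluation loop between the nginx and acme modules, so a plain shared list is the safer form.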
@@ -184,6 +215,48 @@
 auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
 '';
 };
+ "bookstack.cc.immae.dev" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4003";
+ };
+ "ofn.nc.immae.dev" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:3000";
+ };
+ "zulip.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.tof.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.dine.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.quentin.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
+ "zulip.agnes.carpentier.earth" = {
+ acmeRoot = config.myServices.certificates.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4002";
+ };
 };
 };
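Review bot: Each of the seven new virtualHosts repeats the same `acmeRoot`/`useACMEHost`/`forceSSL` triple and the five zulip hosts all proxy to `http://localhost:4002`, so the only per-host information is a backend port; a small helper makes a future change to the ACME settings a one-line edit and stops the zulip entries from diverging by accident. `virtualHosts = {` is opened in the previous hunk, so the least invasive form keeps the two existing non-proxied vhosts as they are and merges the generated entries in at the closing brace of `virtualHosts`, which this hunk does contain; the sketch below replaces that `};` with `} // (…);`, and `lib` is already a module argument.

```nix
    # … unchanged: caldance.cs.immae.dev entry …
  } // (let
    # Every proxied vhost shares the ACME/TLS settings; only the backend port differs.
    proxied = port: {
      acmeRoot = config.myServices.certificates.webroot;
      useACMEHost = name;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:${toString port}";
    };
  in {
    "bookstack.cc.immae.dev" = proxied 4003;
    "ofn.nc.immae.dev" = proxied 3000;
  } // lib.genAttrs [
    "zulip.carpentier.earth"
    "zulip.tof.carpentier.earth"
    "zulip.dine.carpentier.earth"
    "zulip.quentin.carpentier.earth"
    "zulip.agnes.carpentier.earth"
  ] (_: proxied 4002));
```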