X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Feldiron.nix;h=091c9f46e8d63ccbd564e78b1399cea81153adfd;hb=c7b16397101fd534c41ede5ae7c55e7e120c06f7;hp=102a517007594be2177a9ee94f45522e300c17c4;hpb=8b1503213b9dc55f2e938959d5996910d4533f19;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 102a517..091c9f4 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -1,11 +1,11 @@
-{ privateFiles }:
 { config, pkgs, lib, ... }: {
 deployment = {
 targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
- substituteOnDestination = true;
+ targetHost = lib.head config.hostEnv.ips.main.ip4;
 };
+ # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
 boot = {
 kernelModules = [ "kvm-intel" ];
 blacklistedKernelModules = [ "nvidiafb" ];
@@ -17,7 +17,7 @@
 };
 supportedFilesystems = [ "zfs" ];
 kernelParams = ["zfs.zfs_arc_max=6442450944"];
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 initrd.availableKernelModules = [ "ahci" "sd_mod" ];
 initrd.secrets = {
 "/boot/pass.key" = "/boot/pass.key";
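Review bot: The comment above the new `secrets.ageKeys` line records that the age recipient was produced from `ssh-keyscan eldiron`, which fetches the host key over the network and only proves what answered at that moment; anything encrypted to this recipient is readable by whoever holds the matching host private key, so the key should come from an already-trusted source (the pinned known_hosts entry, or the host's public key file read over an authenticated session) and the comment should say so. Suggested wording: `# age recipient derived from eldiron's ssh host key (checked against the pinned known_hosts entry): ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age`. Separately, `targetHost = lib.head config.hostEnv.ips.main.ip4` now treats `ip4` as a list, and `lib.head` on an empty list aborts evaluation with a generic error; an `assert config.hostEnv.ips.main.ip4 != [];` with a message naming the host would make a misconfigured environment file fail clearly. The `deployment` block is complete in the hunk, but the `boot` set continues past it.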
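Review bot: `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages` ties the kernel to whatever the installed ZFS module supports, which means the host may now lag `linuxPackages_latest` on kernel security fixes until ZFS catches up; that is a reasonable trade for a ZFS root, but it deserves a one-line comment so the lag is not mistaken for an oversight, e.g. `# kernel follows ZFS compatibility, not linuxPackages_latest; expect it to trail upstream security releases`. As I recall this attribute was later deprecated in nixpkgs in favour of the default kernel with a matching `boot.zfs.package`; confirm against the channel this host tracks before relying on it long term. The enclosing `boot` set starts before this hunk and ends after it.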
@@ -26,17 +26,39 @@
 services.udev.extraRules = ''
 ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
 '';
- nix.maxJobs = 8;
+ nix.settings.max-jobs = 8;
 powerManagement.cpuFreqGovernor = "powersave";
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
 fileSystems = {
+ # pools:
+ # zpool: ashift=12
+ # zfast: ashift=12
+ # zfs:
+ # zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
+ # zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
+ # zpool/root/var: atime=on
+ # zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
+ # zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
+ # zfast/root/etc: ø
+ # zfast/root/nix: ø
+ # zfast/root/tmp: async=disabled
+ # zfast/root/var: atime=on
+ # zfast/root/var/lib: ø
+ # zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
+ # zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
+ # zfast/root/var/lib/postgresql/11.0: ø
+ # zfast/root/var/lib/postgresql/11.0/pg_wal: ø
 "/" = { fsType = "zfs"; device = "zpool/root"; };
 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
- "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; };
- "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
+ "/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
+ "/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
 "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
+ "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
+ "/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
+ "/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
+ "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
 };
 swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
 hardware.enableRedistributableFirmware = true;
@@ -49,12 +71,12 @@
 networking = {
 hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
 firewall.enable = true;
+ firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];
 # FIXME: on next reboot, remove the /27 and the localCommands
- interfaces."eth0".ipv4.addresses =
- pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
- ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
+ interfaces."eth0".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips))
+ ++ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
 interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) config.hostEnv.ips);
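Review bot: The new dataset-layout comment lists `zfast/root/tmp: async=disabled`, but `async` is not a ZFS property name; the property that trades durability for speed on a scratch dataset is `sync`, so the line presumably should read `# zfast/root/tmp: sync=disabled` and should be checked against `zfs get sync zfast/root/tmp` before anyone reproduces this layout from the comment. The same comment records `encryption=on` with `keylocation=file:///boot/pass.key` for both pools while `/boot` is the plain ext4 partition mounted a few lines below (and copied into the initrd by the `initrd.secrets` entry in the earlier hunk), so the at-rest encryption protects against disk disposal and makes raw encrypted sends possible, not against anyone who can read `/boot`; one sentence saying so next to the `encryption=on` lines would keep that expectation honest. The `fileSystems` set is complete within the hunk.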
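Review bot: `firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ]` opens the new zrepl listener to every source address; the serve block added later in this commit pins a CA and `client_cns`, so unauthenticated peers are dropped at the TLS handshake, but the handshake itself is reachable from anywhere and the line gives no hint of what it is for. Add a comment naming the consumer, e.g. `# zrepl "backup-to-wd-zpool" source job; mTLS, only client CN "flony" is accepted`, and if flony's address is fixed consider an `networking.firewall.extraCommands` rule limited to that source instead of a global allow. The retained `# FIXME: on next reboot, remove the /27 and the localCommands` line now sits beside an addresses expression that still carries the `/27`, so either the FIXME is stale or the cleanup is still pending; worth stating which. The `networking` set continues past the end of this hunk.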
@@ -89,34 +111,39 @@
 myServices.dns.enable = true;
 myServices.certificates.enable = true;
 myServices.websites.enable = true;
+ myServices.gemini.enable = true;
 myServices.mail.enable = true;
 myServices.ejabberd.enable = true;
 myServices.vpn.enable = true;
- services.pure-ftpd.enable = true;
- services.duplyBackup.enable = false;
- services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies";
+ myServices.ftp.enable = true;
 services.netdata.enable = true;
 services.netdata.config.global."memory mode" = "none";
 services.netdata.config.health."enabled" = "no";
 services.netdata.config.web.mode = "none";
- environment.etc."netdata/stream.conf".text = ''
- [stream]
- enabled = yes
- destination = ${config.myEnv.monitoring.netdata_aggregator}
- api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
- '';
- secrets.keys = [
- {
- dest = "zrepl_backup/identity";
+ users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
+ services.netdata.configDir."stream.conf" = config.secrets.fullPaths."netdata-stream.conf";
+ secrets.keys = {
+ "netdata-stream.conf" = {
+ user = config.services.netdata.user;
+ group = config.services.netdata.group;
+ permissions = "0400";
+ text = ''
+ [stream]
+ enabled = yes
+ destination = ${config.myEnv.monitoring.netdata_aggregator}
+ api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
+ '';
+ };
+ "zrepl_backup/identity" = {
 user = "root";
 group = "root";
 permissions = "0400";
 text = config.myEnv.zrepl_backup.ssh_key.private;
- }
- ];
+ };
+ };
 programs.ssh.knownHosts.dilion = {
- hostNames = ["dilion.immae.eu"];
+ extraHostNames = ["dilion.immae.eu"];
 publicKey = let
 profile = config.myEnv.rsync_backup.profiles.dilion;
 in
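Review bot: `users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]` gives the netdata user membership of the whole `keys` group, while the `netdata-stream.conf` secret it needs is already owned by that user with `permissions = "0400"`; the group is presumably only needed to traverse the secrets directory, but it also grants read access to any other secret that is group-readable by `keys`, so the reason should be stated and the other entries checked, e.g. `# "keys" group: needed only to reach the secrets directory; every secret there must stay owner-only`. The ssh private key `zrepl_backup/identity` is kept in `secrets.keys` even though the later hunk of this commit removes the `ssh+stdinserver` connect that used `config.secrets.fullPaths."zrepl_backup/identity"`; if nothing else references it, dropping the entry stops deploying an unused private key to the host (other references may exist outside this file). The `programs.ssh.knownHosts.dilion` set continues past the end of the hunk.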
@@ -136,14 +163,9 @@
 ];
 };
- fileSystems."/var/lib/pub/immae/devtools" = {
- device = "/run/current-system/sw/bin/bindfs#/var/lib/ftp/devtools.immae.eu/";
- fsType = "fuse";
- options = [ "force-user=pub" "create-for-user=wwwrun" "create-for-group=wwwrun" ];
- };
 environment.systemPackages = [ pkgs.bindfs ];
- services.zrepl = {
+ immaeServices.zrepl = {
 enable = true;
 config = let
 redis_dump = pkgs.writeScript "redis-dump" ''
@@ -160,11 +182,12 @@
 "zpool/root/etc": true
 "zpool/root/var<": true
 connect:
- type: ssh+stdinserver
- host: dilion.immae.eu
- user: backup
- port: 22
- identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
+ address: dilion.immae.eu:19000
+ type: tls
+ server_cn: dilion
+ ca: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+ key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
 snapshotting:
 type: periodic
 prefix: zrepl_
@@ -194,6 +217,26 @@
 - type: grid
 grid: 6x4h | 7x1d | 4x7d | 6x30d
 regex: "^zrepl_.*"
+ - type: source
+ # must not change
+ name: "backup-to-wd-zpool"
+ serve:
+ type: tls
+ listen: :${builtins.toString config.myEnv.ports.zrepl_flony}
+ ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+ key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
+ client_cns:
+ - flony
+ filesystems:
+ "zpool/root": true
+ "zpool/root/etc": true
+ "zpool/root/var<": true
+ "zfast/root/var<": true
+ send:
+ encrypted: true
+ snapshotting:
+ type: manual
 '';
 };
 # This value determines the NixOS release with which your system is
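Review bot: The new `connect` block uses `ca: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}` together with `server_cn: dilion`, which pins the peer's own certificate as the trust anchor rather than a shared CA; that is sound, but it means a renewed certificate on either side breaks replication until the copy held in secrets is updated, and nothing in the config says so. A short comment above `connect:` such as `# peer certificate pinned as CA: rotating dilion.crt or eldiron.crt requires updating the secret on both hosts` would make the failure mode obvious when a backup stops. The file and access mode of `zrepl/eldiron.key` are defined elsewhere and not visible here, so I cannot confirm it is owner-only. The `filesystems` list of this push job begins before the hunk.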
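Review bot: The new `source` job lists `"zfast/root/var<": true`, but the push job to dilion in the preceding hunk shows only `zpool/root...` entries in its visible `filesystems`, and this commit moves the MySQL and PostgreSQL datasets onto `zfast/root/var/lib`; unless the part of that list outside the hunk covers `zfast`, the database data is now only replicated to flony, which should be confirmed. `send: encrypted: true` with the `encryption=on` datasets means flony receives raw encrypted streams and cannot read the data, which is worth stating in a comment beside `send:`. The `# must not change` comment above `name:` should say why, e.g. `# zrepl derives replication-cursor bookmark and hold names from the job name; renaming it orphans the cursor and forces a full resend` (my recollection of zrepl's behaviour, verify against the version deployed). With `snapshotting: type: manual` this job depends on snapshots created by the periodic push job, whose `grid` pruning runs independently, so check that pruning cannot delete a snapshot before flony has pulled it.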