]>
Commit | Line | Data |
---|---|---|
258dd18b | 1 | { config, pkgs, resources, name, ... }: |
8415083e | 2 | { |
34abd6af IB |
3 | deployment = { |
4 | targetUser = "root"; | |
5 | targetHost = config.hostEnv.ips.main.ip4; | |
6 | substituteOnDestination = true; | |
7 | }; | |
282c67a1 IB |
8 | # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age |
9 | secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; | |
bd5c5d4e IB |
10 | secrets.keys = [ |
11 | { | |
12 | dest = "rsync_backup/identity"; | |
13 | user = "backup"; | |
14 | group = "backup"; | |
15 | permissions = "0400"; | |
16 | text = config.myEnv.rsync_backup.ssh_key.private; | |
17 | } | |
18 | { | |
19 | dest = "rsync_backup/identity.pub"; | |
20 | user = "backup"; | |
21 | group = "backup"; | |
22 | permissions = "0444"; | |
23 | text = config.myEnv.rsync_backup.ssh_key.public; | |
24 | } | |
25 | ]; | |
8415083e | 26 | boot.kernelPackages = pkgs.linuxPackages_latest; |
282c67a1 | 27 | myEnv = import ../../../nixops/secrets/environment.nix; |
ab8f306d | 28 | |
34abd6af | 29 | imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..); |
8415083e | 30 | |
ae485806 IB |
31 | fileSystems = { |
32 | "/backup2" = { | |
33 | fsType = "ext4"; | |
34 | device = "UUID=b9425333-f567-435d-94d8-b26c22d93426"; | |
35 | }; | |
34abd6af | 36 | "/" = { device = "/dev/sda1"; fsType = "ext4"; }; |
ae485806 IB |
37 | }; |
38 | ||
39 | networking = { | |
40 | firewall.enable = true; | |
41 | interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList | |
42 | (n: ips: { address = ips.ip4; prefixLength = 32; }) | |
619e4f46 | 43 | (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); |
ae485806 IB |
44 | interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList |
45 | (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) | |
619e4f46 | 46 | config.hostEnv.ips); |
dc0e644a | 47 | defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; |
285380fe IB |
48 | }; |
49 | ||
34abd6af IB |
50 | boot.loader.grub.device = "nodev"; |
51 | ||
619e4f46 | 52 | myServices.certificates.enable = true; |
258dd18b IB |
53 | security.acme.certs."${name}" = { |
54 | user = config.services.nginx.user; | |
55 | group = config.services.nginx.group; | |
56 | }; | |
619e4f46 IB |
57 | services.nginx = { |
58 | enable = true; | |
59 | recommendedOptimisation = true; | |
60 | recommendedGzipSettings = true; | |
61 | recommendedProxySettings = true; | |
62 | }; | |
63 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | |
64 | ||
4227853a IB |
65 | services.cron = { |
66 | mailto = "cron@immae.eu"; | |
67 | enable = true; | |
68 | }; | |
69 | ||
285380fe IB |
70 | services.rsyncBackup = { |
71 | mountpoint = "/backup2"; | |
ab8f306d | 72 | profiles = config.myEnv.rsync_backup.profiles; |
bd5c5d4e IB |
73 | ssh_key_public = config.secrets.fullPaths."rsync_backup/identity.pub"; |
74 | ssh_key_private = config.secrets.fullPaths."rsync_backup/identity"; | |
ae485806 IB |
75 | }; |
76 | ||
deca5e9b | 77 | myServices.mailRelay.enable = true; |
619e4f46 | 78 | myServices.mailBackup.enable = true; |
9f202523 | 79 | myServices.monitoring.enable = true; |
ec9b6564 IB |
80 | myServices.databasesReplication = { |
81 | postgresql = { | |
82 | enable = true; | |
83 | base = "/backup2"; | |
9f16e659 | 84 | mainPackage = pkgs.postgresql; |
ec9b6564 IB |
85 | hosts = { |
86 | eldiron = { | |
87 | slot = "backup_2"; | |
619e4f46 | 88 | connection = "postgresql://backup-2:${config.hostEnv.ldap.password}@eldiron.immae.eu"; |
9f16e659 | 89 | package = pkgs.postgresql; |
ec9b6564 IB |
90 | }; |
91 | }; | |
92 | }; | |
9f6a7862 IB |
93 | mariadb = { |
94 | enable = true; | |
95 | base = "/backup2"; | |
96 | hosts = { | |
97 | eldiron = { | |
98 | serverId = 2; | |
99 | # mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4 | |
ab8f306d | 100 | host = config.myEnv.servers.eldiron.ips.main.ip4; |
9f6a7862 IB |
101 | port = "3306"; |
102 | user = "backup-2"; | |
619e4f46 | 103 | password = config.hostEnv.ldap.password; |
9f6a7862 | 104 | dumpUser = "root"; |
ab8f306d | 105 | dumpPassword = config.myEnv.databases.mysql.systemUsers.root; |
9f6a7862 IB |
106 | }; |
107 | }; | |
108 | }; | |
dded6699 IB |
109 | redis = { |
110 | enable = true; | |
111 | base = "/backup2"; | |
112 | hosts = { | |
113 | eldiron = { | |
114 | host = "127.0.0.1"; | |
115 | port = "16379"; | |
116 | }; | |
117 | }; | |
118 | }; | |
16b80abd IB |
119 | openldap = { |
120 | enable = true; | |
121 | base = "/backup2"; | |
122 | hosts = { | |
123 | eldiron = { | |
ab8f306d IB |
124 | url = "ldaps://${config.myEnv.ldap.host}:636"; |
125 | dn = config.myEnv.ldap.replication_dn; | |
126 | password = config.myEnv.ldap.replication_pw; | |
127 | base = config.myEnv.ldap.base; | |
16b80abd IB |
128 | }; |
129 | }; | |
130 | }; | |
ec9b6564 IB |
131 | }; |
132 | ||
8415083e IB |
133 | # This value determines the NixOS release with which your system is |
134 | # to be compatible, in order to avoid breaking some software such as | |
135 | # database servers. You should change this only after NixOS release | |
136 | # notes say you should. | |
137 | # https://nixos.org/nixos/manual/release-notes.html | |
d43e0c61 | 138 | system.stateVersion = "20.03"; # Did you read the comment? |
8415083e | 139 | } |