{ privateFiles }:
{ config, pkgs, lib, ... }:
{
- boot.supportedFilesystems = [ "zfs" ];
- boot.kernelParams = ["zfs.zfs_arc_max=6442450944"];
- boot.kernelPackages = pkgs.linuxPackages_latest;
+ deployment = {
+ targetUser = "root";
+ targetHost = config.hostEnv.ips.main.ip4;
+ substituteOnDestination = true;
+ };
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ blacklistedKernelModules = [ "nvidiafb" ];
+ loader.timeout = 1;
+ loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+ kernel.sysctl = {
+ # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ "net.ipv4.tcp_sack" = 0;
+ };
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = ["zfs.zfs_arc_max=6442450944"];
+ kernelPackages = pkgs.linuxPackages_latest;
+ initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+ initrd.secrets = {
+ "/boot/pass.key" = "/boot/pass.key";
+ };
+ };
+ services.udev.extraRules = ''
+ ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
+ '';
+ nix.maxJobs = 8;
+ powerManagement.cpuFreqGovernor = "powersave";
myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
fileSystems = {
- "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+ "/" = { fsType = "zfs"; device = "zpool/root"; };
"/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
"/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
"/nix" = { fsType = "zfs"; device = "zpool/root/nix"; };
"/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
"/var" = { fsType = "zfs"; device = "zpool/root/var"; };
};
- boot.initrd.secrets = {
- "/boot/pass.key" = "/boot/pass.key";
- };
+ swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
+ hardware.enableRedistributableFirmware = true;
services.zfs = {
autoScrub = {
- enable = true;
+ enable = false;
};
};
networking = {
hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
firewall.enable = true;
- # 176.9.151.89 declared in nixops -> infra / tools
- interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+ # FIXME: on next reboot, remove the /27 and the localCommands
+ interfaces."eth0".ipv4.addresses =
+ pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: { address = ips.ip4; prefixLength = 32; })
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
+ ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
config.hostEnv.ips);
+ defaultGateway = "176.9.151.65";
+ localCommands = ''
+ # FIXME: Those commands were added by nixops and may not be
+ # actually needed
+ ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
+ ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
+ ip -6 route add default via 'fe80::1' dev eth0 || true
+ '';
+ nameservers = [
+ "213.133.98.98"
+ "213.133.99.99"
+ "213.133.100.100"
+ "2a01:4f8:0:a0a1::add:1010"
+ "2a01:4f8:0:a102::add:9999"
+ "2a01:4f8:0:a111::add:9898"
+ ];
};
imports = builtins.attrValues (import ../..);
- boot.kernel.sysctl = {
- # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- "net.ipv4.tcp_sack" = 0;
- };
myServices.buildbot.enable = true;
myServices.databases.enable = true;
myServices.gitolite.enable = true;
myServices.ejabberd.enable = true;
myServices.vpn.enable = true;
services.pure-ftpd.enable = true;
- services.duplyBackup.enable = true;
+ services.duplyBackup.enable = false;
services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies";
+ services.netdata.enable = true;
+ services.netdata.config.global."memory mode" = "none";
+ services.netdata.config.health."enabled" = "no";
+ services.netdata.config.web.mode = "none";
+ environment.etc."netdata/stream.conf".text = ''
+ [stream]
+ enabled = yes
+ destination = ${config.myEnv.monitoring.netdata_aggregator}
+ api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
+ '';
secrets.keys = [
{
dest = "zrepl_backup/identity";
"${profile.host_key_type} ${profile.host_key}";
};
- deployment = {
- targetEnv = "hetzner";
- hetzner = {
- robotUser = config.myEnv.hetzner.user;
- robotPass = config.myEnv.hetzner.pass;
- mainIPv4 = config.hostEnv.ips.main.ip4;
- partitions = ''
- clearpart --all --initlabel --drives=sda,sdb
-
- part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
- part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
-
- part raid.1 --grow --ondisk=sda
- part raid.2 --grow --ondisk=sdb
-
- raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
- '';
- };
- };
-
services.cron = {
enable = true;
mailto = "cron@immae.eu";
projects / perso / Immae / Config / Nix.git / blobdiff