Add eldiron machine handled by nixops
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 27 Dec 2018 10:26:33 +0000 (11:26 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 27 Dec 2018 10:27:32 +0000 (11:27 +0100)
virtual/eldiron.nix [new file with mode: 0644]

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
new file mode 100644 (file)
index 0000000..04b11b8
--- /dev/null
@@ -0,0 +1,104 @@
+{
+  network = {
+    description = "Immae's network";
+    enableRollback = true;
+  };
+
+  eldiron = { config, pkgs, ... }: {
+    networking = {
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [ 22 80 443 5432 ];
+      };
+    };
+
+    deployment = {
+      targetEnv = "hetzner";
+      hetzner = {
+        #robotUser = "defined in HETZNER_ROBOT_USER";
+        #robotPass = "defined in HETZNER_ROBOT_PASS";
+        mainIPv4 = "176.9.151.89";
+        partitions = ''
+          clearpart --all --initlabel --drives=sda,sdb
+
+          part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
+          part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
+
+          part raid.1 --grow --ondisk=sda
+          part raid.2 --grow --ondisk=sdb
+
+          raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
+        '';
+      };
+    };
+
+    # FIXME: how to run it? currently set as timer
+    security.acme.certs = {
+      "eldiron" = {
+        webroot = "/var/lib/acme/acme-challenge";
+        email = "ismael@bouya.org";
+        domain = "eldiron.immae.eu";
+        extraDomains = {
+          "db-1.immae.eu" = null;
+        };
+      };
+    };
+
+    services.nginx = rec {
+      enable = true;
+      virtualHosts = {
+        "_" = {
+          serverName = "_";
+          useACMEHost = "eldiron";
+        };
+        "eldiron.immae.eu" = {
+          forceSSL = true;
+          useACMEHost = "eldiron";
+          locations."/" = {
+            # FIXME: directory needs to exist
+            root = "/var/www";
+          };
+        };
+      };
+    };
+
+    # FIXME: initial sync
+    services.postgresql = rec {
+      enable = true;
+      package = pkgs.postgresql100.overrideAttrs(old: rec {
+        passthru = old.passthru // { psqlSchema = "11.0"; };
+        name = "postgresql-11.1";
+        src = pkgs.fetchurl {
+          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+        };
+      });
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 128MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        # ssl = on
+        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
+        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+        '';
+      authentication = ''
+        local  all     postgres                                ident
+        local  all     all                                     md5
+        host   all     all             178.33.252.96/32        md5
+        host   all     all             188.165.209.148/32      md5
+        #host  all     all             all                     pam
+      '';
+    };
+  };
+}
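Review bot: `allowedTCPPorts` opens 5432 to every source address, while the `authentication` block admits only two /32 hosts, so the firewall and pg_hba disagree and any address can reach the PostgreSQL authentication handshake. With the `ssl` lines still commented out in `extraConfig`, sessions from those two hosts also cross the network unencrypted; once the ACME cert paths are enabled, the `host` rows should become `hostssl` (`hostssl all all 178.33.252.96/32 md5`), and since the package built here is 11.1, `password_encryption = scram-sha-256` can replace md5 for new passwords. Scoping 5432 in the firewall to the same two addresses keeps the two policies consistent; the `extraCommands` form below does that with the existing `nixos-fw` chains.
```nix
networking = {
  firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ];
    # PostgreSQL: accept only the two hosts that pg_hba admits
    extraCommands = ''
      iptables -A nixos-fw -p tcp --dport 5432 -s 178.33.252.96 -j nixos-fw-accept
      iptables -A nixos-fw -p tcp --dport 5432 -s 188.165.209.148 -j nixos-fw-accept
    '';
  };
};
# … unchanged: deployment, acme, nginx, postgresql …
```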