{ privateFiles }:
{ config, pkgs, lib, ... }:
let
  # Shorthands for values referenced more than once below. pkgs.lib is kept
  # for the address computations (as the original did); the module's own
  # `lib` argument is used for mkForce.
  plib = pkgs.lib;
  hostIps = config.hostEnv.ips;
  backupEnv = config.myEnv.zrepl_backup;
  dilionProfile = config.myEnv.rsync_backup.profiles.dilion;

  # Every entry of hostEnv.ips except "main" contributes its IPv4 address
  # as a /32 host address.
  ipv4Addresses = plib.attrsets.mapAttrsToList
    (_: entry: { address = entry.ip4; prefixLength = 32; })
    (plib.attrsets.filterAttrs (name: _: name != "main") hostIps);

  # Every entry contributes its IPv6 addresses (an entry without an `ip6`
  # list contributes nothing). Only the first address of "main" is
  # on-link (/64); every other address is a /128.
  ipv6Addresses = plib.flatten (plib.attrsets.mapAttrsToList
    (name: entry:
      let
        firstOfEntry = plib.head entry.ip6;
        prefixFor = addr:
          if name == "main" && addr == firstOfEntry then 64 else 128;
      in
        map (addr: { address = addr; prefixLength = prefixFor addr; }) (entry.ip6 or []))
    hostIps);

  # Pre-snapshot hook: ask redis to write its dump to disk.
  redisBgsave = pkgs.writeScript "redis-dump" ''
    #! ${pkgs.stdenv.shell}
    ${pkgs.redis}/bin/redis-cli bgsave
  '';
in
{
  imports = builtins.attrValues (import ../..);

  # Private environment (credentials, host keys, ...) merged with the path
  # it was loaded from.
  myEnv = import "${privateFiles}/environment.nix" // { privateFiles = privateFiles; };

  boot = {
    supportedFilesystems = [ "zfs" ];
    # Cap the ZFS ARC at 6 GiB.
    kernelParams = [ "zfs.zfs_arc_max=6442450944" ];
    kernelPackages = pkgs.linuxPackages_latest;
    # NOTE(review): /boot is a plain ext4 filesystem (see fileSystems
    # below), so this initrd secret sits unencrypted on it — confirm that
    # matches the intended threat model.
    initrd.secrets."/boot/pass.key" = "/boot/pass.key";
    kernel.sysctl = {
      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
      "net.ipv4.tcp_sack" = 0;
    };
  };

  fileSystems = {
    "/"     = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc"  = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix"  = { fsType = "zfs"; device = "zpool/root/nix"; };
    "/tmp"  = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var"  = { fsType = "zfs"; device = "zpool/root/var"; };
    # Expose the devtools FTP tree under the pub hierarchy through bindfs,
    # remapping ownership as configured in `options`.
    "/var/lib/pub/immae/devtools" = {
      device = "/run/current-system/sw/bin/bindfs#/var/lib/ftp/devtools.immae.eu/";
      fsType = "fuse";
      options = [ "force-user=pub" "create-for-user=wwwrun" "create-for-group=wwwrun" ];
    };
  };
  environment.systemPackages = [ pkgs.bindfs ];

  networking = {
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = true;
    # 176.9.151.89 declared in nixops -> infra / tools
    interfaces."eth0" = {
      ipv4.addresses = ipv4Addresses;
      ipv6.addresses = ipv6Addresses;
    };
  };

  myServices = {
    buildbot.enable = true;
    databases.enable = true;
    gitolite.enable = true;
    monitoring.enable = true;
    irc.enable = true;
    pub.enable = true;
    tasks.enable = true;
    mpd.enable = true;
    dns.enable = true;
    certificates.enable = true;
    websites.enable = true;
    mail.enable = true;
    ejabberd.enable = true;
    vpn.enable = true;
  };

  # SSH identity used by the zrepl push job; deployed root-only (0400) and
  # referenced through config.secrets.fullPaths rather than inlined.
  secrets.keys = [
    {
      dest = "zrepl_backup/identity";
      user = "root";
      group = "root";
      permissions = "0400";
      text = backupEnv.ssh_key.private;
    }
  ];
  # Pin the backup target's host key so the push job cannot be redirected
  # to another host.
  programs.ssh.knownHosts.dilion = {
    hostNames = [ "dilion.immae.eu" ];
    publicKey = "${dilionProfile.host_key_type} ${dilionProfile.host_key}";
  };

  deployment = {
    targetEnv = "hetzner";
    hetzner = {
      robotUser = config.myEnv.hetzner.user;
      robotPass = config.myEnv.hetzner.pass;
      mainIPv4 = hostIps.main.ip4;
      partitions = ''
        clearpart --all --initlabel --drives=sda,sdb

        part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
        part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

        part raid.1 --grow --ondisk=sda
        part raid.2 --grow --ondisk=sdb

        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
      '';
    };
  };

  services = {
    zfs.autoScrub.enable = true;
    pure-ftpd.enable = true;
    duplyBackup = {
      enable = true;
      profiles.oldies.rootDir = "/var/lib/oldies";
    };

    # Daily mail digests of rejected recipients and bounced deliveries,
    # extracted from the postfix journal.
    cron = {
      enable = true;
      mailto = "cron@immae.eu";
      systemCronJobs = [
        ''
          0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
          # Need a way to blacklist properly
          # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
          0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
        ''
      ];
    };

    # ZFS replication of the root, /etc and /var datasets to dilion over
    # SSH, with raw (encrypted) sends and a grid retention on both sides.
    # NOTE(review): the MySQL credentials are interpolated into this
    # string below; if the zrepl module materialises `config` in the Nix
    # store the resulting file is world-readable — confirm how it is
    # written out.
    zrepl = {
      enable = true;
      config = ''
        jobs:
          - type: push
            # must not change
            name: "backup-to-dilion"
            filesystems:
              "zpool/root": true
              "zpool/root/etc": true
              "zpool/root/var<": true
            connect:
              type: ssh+stdinserver
              host: dilion.immae.eu
              user: backup
              port: 22
              identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
            snapshotting:
              type: periodic
              prefix: zrepl_
              interval: 15m
              hooks:
                - type: mysql-lock-tables
                  dsn: "${backupEnv.mysql.user}:${backupEnv.mysql.password}@tcp(localhost)/"
                  filesystems:
                    "zpool/root/var": true
                - type: command
                  path: ${redisBgsave}
                  err_is_fatal: false
                  filesystems:
                    "zpool/root/var": true
            send:
              encrypted: true
            pruning:
              keep_sender:
                - type: not_replicated
                - type: regex
                  regex: "^manual_.*"
                - type: grid
                  grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
                  regex: "^zrepl_.*"
              keep_receiver:
                - type: regex
                  regex: "^manual_.*"
                - type: grid
                  grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
                  regex: "^zrepl_.*"
      '';
    };
  };

  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}