authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-02-10 18:15:23 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-02-10 18:15:23 +0100
commit8a304ef46e1ad221253f883a8a296a12018e3d30 (patch)
treea3b871bdcc72a8847d73141b6e845de0475dccaa
parentcf2a9330da390784168ac758b8d4da41855809d9 (diff)
Add dilion server
-rw-r--r--modules/private/environment.nix16
-rw-r--r--modules/private/system.nix88
-rw-r--r--modules/private/system/dilion.nix68
-rw-r--r--nixops/Makefile5
-rw-r--r--nixops/default.nix1
5 files changed, 145 insertions, 33 deletions
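diff --git a/modules/private/environment.nix b/modules/private/environment.nix
index c4c32c8..3b51f37 100644
--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -114,6 +114,14 @@ let
 description = "Host FQDN";
 type = str;
 };
+users = mkOption {
+type = unspecified;
+default = pkgs: [];
+description = ''
+Sublist of users from realUsers. Function that takes pkgs as
+argument and gives an array as a result
+'';
+};
 emails = mkOption {
 default = [];
 description = "List of e-mails that the server can be a sender of";
@@ -287,6 +295,14 @@ in
 };
 };
 };
+realUsers = mkOption {
+description = ''
+Attrset of function taking pkgs as argument.
+Real users settings, should provide a subattr of users.users.<name>
+with at least: name, (hashed)Password, shell
+'';
+type = attrsOf unspecified;
+};
 users = mkOption {
 description = "System and regular users uid/gid";
 type = attrsOf (submodule {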
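Review bot: The new `realUsers` option is typed `attrsOf unspecified` and the new `users` option is `unspecified` with a function default, so the module system validates nothing about what the private file supplies even though the description promises at least `name`, `(hashed)Password` and `shell`; a misspelled `hashedPassword` or a missing shell only shows up at activation on the target host. The description should also say which password attribute is expected: in NixOS `users.users.<name>.password` is cleartext and, as that option's own documentation warns, ends up in the world-readable Nix store, so I would change the line to `with at least: name, hashedPassword (never cleartext password, which lands in the Nix store), shell`. The enclosing `let` block and option set start and end outside both hunks.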
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 66208c4..64fc2d9 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -23,41 +23,63 @@
23 MaxRetentionSec="1year" 23 MaxRetentionSec="1year"
24 ''; 24 '';
25 25
26 users.mutableUsers = false; 26 users.users =
27 users.users.root.packages = let 27 builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
28 nagios-cli = pkgs.writeScriptBin "nagios-cli" '' 28 isNormalUser = true;
29 #!${pkgs.stdenv.shell} 29 home = "/home/${x.name}";
30 sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} 30 createHome = true;
31 ''; 31 linger = true;
32 in 32 } // x)) (config.hostEnv.users pkgs))
33 [ 33 // {
34 pkgs.telnet 34 root.packages = let
35 pkgs.htop 35 nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
36 pkgs.iftop 36 #!${pkgs.stdenv.shell}
37 pkgs.bind.dnsutils 37 sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
38 pkgs.httpie 38 '';
39 pkgs.iotop 39 in
40 pkgs.whois 40 [
41 pkgs.ngrep 41 pkgs.telnet
42 pkgs.tcpdump 42 pkgs.htop
43 pkgs.tshark 43 pkgs.iftop
44 pkgs.tcpflow 44 pkgs.bind.dnsutils
45 pkgs.mitmproxy 45 pkgs.httpie
46 pkgs.nmap 46 pkgs.iotop
47 pkgs.p0f 47 pkgs.whois
48 pkgs.socat 48 pkgs.ngrep
49 pkgs.lsof 49 pkgs.tcpdump
50 pkgs.psmisc 50 pkgs.tshark
51 pkgs.wget 51 pkgs.tcpflow
52 pkgs.mitmproxy
53 pkgs.nmap
54 pkgs.p0f
55 pkgs.socat
56 pkgs.lsof
57 pkgs.psmisc
58 pkgs.wget
52 59
53 pkgs.cnagios 60 pkgs.cnagios
54 nagios-cli 61 nagios-cli
55 ]; 62 ];
63 };
56 64
57 environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; 65 users.mutableUsers = false;
58 environment.systemPackages = [
59 pkgs.vim
60 ];
61 66
67 environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
68 environment.systemPackages =
69 let
70 home-manager = builtins.fetchGit {
71 url = "https://github.com/rycee/home-manager.git";
72 rev = "ef64bc598f28818d56c86629dad98b468af9c071";
73 ref = "release-19.03";
74 };
75 in
76 [
77 pkgs.git
78 pkgs.vim
79 ] ++
80 (lib.optional
81 (builtins.length (config.hostEnv.users pkgs) > 0)
82 ((pkgs.callPackage home-manager {}).home-manager)
83 );
62 }; 84 };
63} 85}
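Review bot: `linger = true;` is applied unconditionally to every account returned by `config.hostEnv.users pkgs`, which, as the NixOS `users.users.<name>.linger` option is documented, starts that user's systemd user units at boot and keeps them running with no login session; that is a sensible default for home-manager-managed units, but nothing in the user list opts into it and the hunk gives no reason, so a comment such as `# linger so home-manager user units run without an active session` belongs next to it. Because the defaults are merged with `// x`, any entry in the private `users` list can also override `isNormalUser`, `home` or add `extraGroups`, so that list is the effective privilege boundary for these hosts and the surrounding comment should say so, e.g. `# entries from hostEnv.users override these defaults (uid, extraGroups, ...); treat that list as trusted`. The `fetchGit` of home-manager is pinned to a full `rev`, which is the right call. The enclosing module attrset starts before the hunk.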
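diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
new file mode 100644
index 0000000..258506b
--- /dev/null
+++ b/modules/private/system/dilion.nix
@@ -0,0 +1,68 @@
+{ privateFiles }:
+{ config, pkgs, ... }:
+{
+boot.kernelPackages = pkgs.linuxPackages_latest;
+myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+
+networking = {
+firewall.enable = false;
+interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+(n: ips: { address = ips.ip4; prefixLength = 32; })
+(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+config.hostEnv.ips);
+};
+
+myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
+imports = builtins.attrValues (import ../..);
+
+deployment = {
+targetEnv = "hetzner";
+hetzner = {
+robotUser = config.myEnv.hetzner.user;
+robotPass = config.myEnv.hetzner.pass;
+mainIPv4 = config.hostEnv.ips.main.ip4;
+partitions = ''
+clearpart --all --initlabel --drives=sda,sdb,sdc,sdd
+
+part swap --recommended --label=swap --fstype=swap --ondisk=sda
+
+part raid.1 --grow --ondisk=sdc
+part raid.2 --grow --ondisk=sdd
+
+raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
+
+part /nix --grow --label=nix --ondisk=sda
+part /data --grow --label=data --ondisk=sdb
+'';
+};
+};
+
+programs.zsh.enable = true;
+
+time.timeZone = "Europe/Paris";
+nix = {
+useSandbox = "relaxed";
+extraOptions = ''
+keep-outputs = true
+keep-derivations = true
+#Assumed in NUR
+allow-import-from-derivation = true
+'';
+};
+
+# This is equivalent to setting environment.sessionVariables.NIX_PATH
+nix.nixPath = [
+"home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
+"nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+];
+
+# This value determines the NixOS release with which your system is
+# to be compatible, in order to avoid breaking some software such as
+# database servers. You should change this only after NixOS release
+# notes say you should.
+# https://nixos.org/nixos/manual/release-notes.html
+system.stateVersion = "19.03"; # Did you read the comment?
+}
+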
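Review bot: `firewall.enable = false;` leaves every listening socket on this Hetzner host reachable from the public IPv4 and IPv6 addresses configured just below it, and nothing in the file explains why the NixOS firewall is switched off rather than opened per service. Unless an upstream filter is relied on, prefer `firewall.enable = true;` and let each service module open its own ports (sshd is wired in through `myServices.ssh.modules`); if the choice is deliberate, a comment such as `# Firewall intentionally disabled: <reason>` should sit next to it. Relatedly, `nix.nixPath` points at an unpinned `release-19.03` tarball and a channel URL fetched without any hash, so ad-hoc `nix-build`/`nix-shell` on the box track whatever those URLs serve at the time, unlike the rev-pinned `fetchGit` used elsewhere in this commit. Finally, `useSandbox = "relaxed"` together with `allow-import-from-derivation = true` lets derivations marked `__noChroot` build outside the sandbox (per the Nix manual), which the terse `#Assumed in NUR` comment should spell out, e.g. `# relaxed sandbox + IFD: required by NUR, lets __noChroot builds escape the sandbox`.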
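diff --git a/nixops/Makefile b/nixops/Makefile
index 02d34f8..1852e75 100644
--- a/nixops/Makefile
+++ b/nixops/Makefile
@@ -33,6 +33,9 @@ SSH_ARGS ?=
 ssh-eldiron:
 $(NIXOPS_PRIV) ssh eldiron -- $(SSH_ARGS)
 
+ssh-dilion:
+$(NIXOPS_PRIV) ssh dilion -- $(SSH_ARGS)
+
 ssh-backup-2:
 $(NIXOPS_PRIV) ssh backup-2 -- $(SSH_ARGS)
 
@@ -77,6 +80,7 @@ list-generations:
 delete-generations:
 nix-env -p $(profile) --delete-generations $(GEN)
 $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
+$(NIXOPS_PRIV) ssh dilion -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
 $(NIXOPS_PRIV) ssh backup-2 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
 $(NIXOPS_PRIV) ssh monitoring-1 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
 .PHONY: delete-generations
@@ -84,6 +88,7 @@ delete-generations:
 cleanup: delete-generations
 nix-store --gc
 $(NIXOPS_PRIV) ssh eldiron -- nix-store --gc
+$(NIXOPS_PRIV) ssh dilion -- nix-store --gc
 $(NIXOPS_PRIV) ssh backup-2 -- nix-store --gc
 $(NIXOPS_PRIV) ssh monitoring-1 -- nix-store --gc
 .PHONY: cleanup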
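diff --git a/nixops/default.nix b/nixops/default.nix
index 5f4f4d2..56b86e8 100644
--- a/nixops/default.nix
+++ b/nixops/default.nix
@@ -7,6 +7,7 @@
 
 # Used by hetzner cloud to provision machines
 resources.sshKeyPairs.ssh-key = {};
+dilion = import ../modules/private/system/dilion.nix { inherit privateFiles; };
 eldiron = import ../modules/private/system/eldiron.nix { inherit privateFiles; };
 backup-2 = import ../modules/private/system/backup-2.nix { inherit privateFiles; };
 monitoring-1 = import ../modules/private/system/monitoring-1.nix { inherit privateFiles; };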