author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-09-04 02:40:24 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-09-04 02:59:46 +0200 |
commit | 34abd6afa44c620a56416bd423a2438a09bd1ce4 (patch) | |
tree | b7eef613348fcb9d8fabd19c0437430c30678152 /modules/private/system/eldiron.nix | |
parent | f5cbc6f767ee234e9cdd53baa113d5ab26edb6d8 (diff) | |
Migrate to morph as a replacement to nixops
The deployment tasks are now independent of any state
Diffstat (limited to 'modules/private/system/eldiron.nix')
-rw-r--r-- | modules/private/system/eldiron.nix | 85 |
1 files changed, 51 insertions, 34 deletions
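--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -1,22 +1,45 @@
 { privateFiles }:
 { config, pkgs, lib, ... }:
 {
-boot.supportedFilesystems = [ "zfs" ];
-boot.kernelParams = ["zfs.zfs_arc_max=6442450944"];
-boot.kernelPackages = pkgs.linuxPackages_latest;
+deployment = {
+targetUser = "root";
+targetHost = config.hostEnv.ips.main.ip4;
+substituteOnDestination = true;
+};
+boot = {
+kernelModules = [ "kvm-intel" ];
+blacklistedKernelModules = [ "nvidiafb" ];
+loader.timeout = 1;
+loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+kernel.sysctl = {
+# https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+"net.ipv4.tcp_sack" = 0;
+};
+supportedFilesystems = [ "zfs" ];
+kernelParams = ["zfs.zfs_arc_max=6442450944"];
+kernelPackages = pkgs.linuxPackages_latest;
+initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+initrd.secrets = {
+"/boot/pass.key" = "/boot/pass.key";
+};
+};
+services.udev.extraRules = ''
+ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
+'';
+nix.maxJobs = 8;
+powerManagement.cpuFreqGovernor = "powersave";
 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
 
 fileSystems = {
-"/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+"/" = { fsType = "zfs"; device = "zpool/root"; };
 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
 "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; };
 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
 "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
 };
-boot.initrd.secrets = {
-"/boot/pass.key" = "/boot/pass.key";
-};
+swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
+hardware.enableRedistributableFirmware = true;
 
 services.zfs = {
 autoScrub = {
@@ -27,20 +50,34 @@
 hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
 firewall.enable = true;
 # 176.9.151.89 declared in nixops -> infra / tools
-interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
-(n: ips: { address = ips.ip4; prefixLength = 32; })
-(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+interfaces."eth0".ipv4.addresses =
+pkgs.lib.attrsets.mapAttrsToList
+(n: ips: { address = ips.ip4; prefixLength = 32; })
+(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
+++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
 interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
 config.hostEnv.ips);
+defaultGateway = "176.9.151.65";
+localCommands = ''
+# FIXME: Those commands were added by nixops and may not be
+# actually needed
+ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
+ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
+ip -6 route add default via 'fe80::1' dev eth0 || true
+'';
+nameservers = [
+"213.133.98.98"
+"213.133.99.99"
+"213.133.100.100"
+"2a01:4f8:0:a0a1::add:1010"
+"2a01:4f8:0:a102::add:9999"
+"2a01:4f8:0:a111::add:9898"
+];
 };
 
 imports = builtins.attrValues (import ../..);
 
-boot.kernel.sysctl = {
-# https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
-"net.ipv4.tcp_sack" = 0;
-};
 myServices.buildbot.enable = true;
 myServices.databases.enable = true;
 myServices.gitolite.enable = true;
@@ -76,26 +113,6 @@
 "${profile.host_key_type} ${profile.host_key}";
 };
 
-deployment = {
-targetEnv = "hetzner";
-hetzner = {
-robotUser = config.myEnv.hetzner.user;
-robotPass = config.myEnv.hetzner.pass;
-mainIPv4 = config.hostEnv.ips.main.ip4;
-partitions = ''
-clearpart --all --initlabel --drives=sda,sdb
-
-part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
-part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
-
-part raid.1 --grow --ondisk=sda
-part raid.2 --grow --ondisk=sdb
-
-raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
-'';
-};
-};
-
 services.cron = {
 enable = true;
 mailto = "cron@immae.eu";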
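Review bot: The `localCommands` block added in the second hunk (`@@ -27,20 +50,34 @@`) runs three imperative `ip` commands each suffixed with `|| true`, so a failure to install the default routes or the extra IPv6 address is silently ignored at activation, and the FIXME right above them says they may not be needed at all. The routes are already expressed declaratively beside the block: `defaultGateway = "176.9.151.65";` together with the main address carrying `prefixLength = 27` covers the `ip -4 route change`, and the IPv6 default route could become `defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };`, leaving only the `2a01:4f8:160:3445::/64` address as an open question. If the block is kept, drop the `|| true` suffixes so a broken route fails the activation visibly instead of leaving the host unreachable with no error, and resolve or date the FIXME. The comment `# 176.9.151.89 declared in nixops -> infra / tools` on new line 52 is also stale now that the file no longer uses nixops. The enclosing attrset (presumably `networking`) starts before the hunk.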