Migrate to morph as a replacement to nixops

The deployment tasks are now independent of any state
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-09-04 02:40:24 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-09-04 02:59:46 +0200
commit: 34abd6afa44c620a56416bd423a2438a09bd1ce4 (patch)
tree: b7eef613348fcb9d8fabd19c0437430c30678152 /modules/private/system/eldiron.nix
parent: f5cbc6f767ee234e9cdd53baa113d5ab26edb6d8 (diff)
download: Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.gz
Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.zst
Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.zip
1 files changed, 51 insertions, 34 deletions
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 83e52b8..bb8bbfc 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -1,22 +1,45 @@
 { privateFiles }:
 { config, pkgs, lib, ... }:
 {
-  boot.supportedFilesystems = [ "zfs" ];
+  deployment = {
-  boot.kernelParams = ["zfs.zfs_arc_max=6442450944"];
+    targetUser = "root";
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+    targetHost = config.hostEnv.ips.main.ip4;
+    substituteOnDestination = true;
+  };
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    blacklistedKernelModules = [ "nvidiafb" ];
+    loader.timeout = 1;
+    loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+    kernel.sysctl = {
+      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+      "net.ipv4.tcp_sack" = 0;
+    };
+    supportedFilesystems = [ "zfs" ];
+    kernelParams = ["zfs.zfs_arc_max=6442450944"];
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+    initrd.secrets = {
+      "/boot/pass.key" = "/boot/pass.key";
+    };
+  };
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
+  '';
+  nix.maxJobs = 8;
+  powerManagement.cpuFreqGovernor = "powersave";
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
  fileSystems = {
-    "/"     = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+    "/"     = { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc"  = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix"  = { fsType = "zfs"; device = "zpool/root/nix"; };
    "/tmp"  = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var"  = { fsType = "zfs"; device = "zpool/root/var"; };
  };
-  boot.initrd.secrets = {
+  swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
-    "/boot/pass.key" = "/boot/pass.key";
+  hardware.enableRedistributableFirmware = true;
-  };
  services.zfs = {
    autoScrub = {
@@ -27,20 +50,34 @@
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = true;
    # 176.9.151.89 declared in nixops -> infra / tools
-    interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+    interfaces."eth0".ipv4.addresses =
-      (n: ips: { address = ips.ip4; prefixLength = 32; })
+      pkgs.lib.attrsets.mapAttrsToList
-      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+        (n: ips: { address = ips.ip4; prefixLength = 32; })
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
+      ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
+    defaultGateway = "176.9.151.65";
+    localCommands = ''
+      # FIXME: Those commands were added by nixops and may not be
+      # actually needed
+      ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
+      ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
+      ip -6 route add default via 'fe80::1' dev eth0 || true
+    '';
+    nameservers = [
+      "213.133.98.98"
+      "213.133.99.99"
+      "213.133.100.100"
+      "2a01:4f8:0:a0a1::add:1010"
+      "2a01:4f8:0:a102::add:9999"
+      "2a01:4f8:0:a111::add:9898"
+    ];
  };
  imports = builtins.attrValues (import ../..);
-  boot.kernel.sysctl = {
-    # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
-    "net.ipv4.tcp_sack" = 0;
-  };
  myServices.buildbot.enable = true;
  myServices.databases.enable = true;
  myServices.gitolite.enable = true;
@@ -76,26 +113,6 @@
      "${profile.host_key_type} ${profile.host_key}";
  };
-  deployment = {
-    targetEnv = "hetzner";
-    hetzner = {
-      robotUser = config.myEnv.hetzner.user;
-      robotPass = config.myEnv.hetzner.pass;
-      mainIPv4 = config.hostEnv.ips.main.ip4;
-      partitions = ''
-        clearpart --all --initlabel --drives=sda,sdb
-        part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
-        part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
-        part raid.1 --grow --ondisk=sda
-        part raid.2 --grow --ondisk=sdb
-        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
-      '';
-    };
-  };
  services.cron = {
    enable = true;
    mailto = "cron@immae.eu";
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-09-04 02:40:24 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-09-04 02:59:46 +0200
commit	34abd6afa44c620a56416bd423a2438a09bd1ce4 (patch)
tree	b7eef613348fcb9d8fabd19c0437430c30678152 /modules/private/system/eldiron.nix
parent	f5cbc6f767ee234e9cdd53baa113d5ab26edb6d8 (diff)
download	Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.gz Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.zst Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.zip