aboutsummaryrefslogtreecommitdiff
path: root/modules/private
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-09-04 02:40:24 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-09-04 02:59:46 +0200
commit34abd6afa44c620a56416bd423a2438a09bd1ce4 (patch)
treeb7eef613348fcb9d8fabd19c0437430c30678152 /modules/private
parentf5cbc6f767ee234e9cdd53baa113d5ab26edb6d8 (diff)
downloadNix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.gz
Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.tar.zst
Nix-34abd6afa44c620a56416bd423a2438a09bd1ce4.zip
Migrate to morph as a replacement to nixops
The deployment tasks are now independent of any state
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/system.nix10
-rw-r--r--modules/private/system/backup-2.nix20
-rw-r--r--modules/private/system/dilion.nix91
-rw-r--r--modules/private/system/eldiron.nix85
-rw-r--r--modules/private/system/monitoring-1.nix19
5 files changed, 133 insertions, 92 deletions
diff --git a/modules/private/system.nix b/modules/private/system.nix
index b667ee8..6b4ef6e 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,6 +1,12 @@
1{ pkgs, lib, config, name, ... }: 1{ pkgs, lib, config, name, nodes, ... }:
2{ 2{
3 config = { 3 config = {
4 networking.extraHosts = builtins.concatStringsSep "\n"
5 (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
6
7 users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
8 services.openssh.enable = true;
9
4 services.duplyBackup.profiles.system = { 10 services.duplyBackup.profiles.system = {
5 rootDir = "/var/lib"; 11 rootDir = "/var/lib";
6 excludeFile = lib.mkAfter '' 12 excludeFile = lib.mkAfter ''
@@ -73,6 +79,8 @@
73 environment.systemPackages = [ 79 environment.systemPackages = [
74 pkgs.git 80 pkgs.git
75 pkgs.vim 81 pkgs.vim
82 pkgs.rsync
83 pkgs.strace
76 ] ++ 84 ] ++
77 (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager); 85 (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
78 86
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index a49c374..d1064c7 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,26 +1,22 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, resources, name, ... }: 2{ config, pkgs, resources, name, ... }:
3{ 3{
4 deployment = {
5 targetUser = "root";
6 targetHost = config.hostEnv.ips.main.ip4;
7 substituteOnDestination = true;
8 };
4 boot.kernelPackages = pkgs.linuxPackages_latest; 9 boot.kernelPackages = pkgs.linuxPackages_latest;
5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 10 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
6 11
7 imports = builtins.attrValues (import ../..); 12 imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);
8
9 deployment = {
10 targetEnv = "hetznerCloud";
11 hetznerCloud = {
12 authToken = config.myEnv.hetznerCloud.authToken;
13 datacenter = "hel1-dc2";
14 location ="hel1";
15 serverType = "cx11";
16 };
17 };
18 13
19 fileSystems = { 14 fileSystems = {
20 "/backup2" = { 15 "/backup2" = {
21 fsType = "ext4"; 16 fsType = "ext4";
22 device = "UUID=b9425333-f567-435d-94d8-b26c22d93426"; 17 device = "UUID=b9425333-f567-435d-94d8-b26c22d93426";
23 }; 18 };
19 "/" = { device = "/dev/sda1"; fsType = "ext4"; };
24 }; 20 };
25 21
26 networking = { 22 networking = {
@@ -34,6 +30,8 @@
34 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; 30 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
35 }; 31 };
36 32
33 boot.loader.grub.device = "nodev";
34
37 myServices.certificates.enable = true; 35 myServices.certificates.enable = true;
38 security.acme.certs."${name}" = { 36 security.acme.certs."${name}" = {
39 user = config.services.nginx.user; 37 user = config.services.nginx.user;
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 5c24656..5abaac0 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -1,59 +1,81 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, name, lib, ... }: 2{ config, pkgs, name, lib, ... }:
3{ 3{
4 boot.supportedFilesystems = [ "zfs" ]; 4 deployment = {
5 boot.kernelPackages = pkgs.linuxPackages_latest; 5 targetUser = "root";
6 targetHost = config.hostEnv.ips.main.ip4;
7 substituteOnDestination = true;
8 };
9 nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
10 boot = {
11 loader = {
12 grub = {
13 version = 2;
14 devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
15 };
16 timeout = 1;
17 };
18 blacklistedKernelModules = [ "nvidiafb" ];
19 supportedFilesystems = [ "zfs" ];
20 kernelPackages = pkgs.linuxPackages_latest;
21 kernelModules = [ "kvm-intel" ];
22 initrd.availableKernelModules = [ "ahci" "sd_mod" ];
23 initrd.secrets = {
24 "/boot/pass.key" = "/boot/pass.key";
25 };
26 kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
27 };
28 nix.maxJobs = 8;
29 powerManagement.cpuFreqGovernor = "powersave";
30 hardware.enableRedistributableFirmware = true;
31
6 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 32 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
7 33
34 swapDevices = [ { label = "swap"; } ];
8 fileSystems = { 35 fileSystems = {
9 "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; }; 36 "/" = { fsType = "zfs"; device = "zpool/root"; };
10 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; }; 37 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
11 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; 38 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
12 "/home" = { fsType = "zfs"; device = "zpool/root/home"; }; 39 "/home" = { fsType = "zfs"; device = "zpool/root/home"; };
13 "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; }; 40 "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
14 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; }; 41 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
15 "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; 42 "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
43 "/data" = { fsType = "ext4"; label = "data"; };
44 "/nix" = { fsType = "ext4"; label = "nix"; };
16 }; 45 };
17 boot.initrd.secrets = { 46
18 "/boot/pass.key" = "/boot/pass.key"; 47 services.udev.extraRules = ''
19 }; 48 ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
49 '';
20 50
21 networking = { 51 networking = {
22 hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4 52 hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
23 firewall.enable = false; 53 firewall.enable = false;
24 interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList 54 interfaces."eth0".ipv4.addresses =
25 (n: ips: { address = ips.ip4; prefixLength = 32; }) 55 [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
26 (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); 56 ++ pkgs.lib.attrsets.mapAttrsToList
27 interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList 57 (n: ips: { address = ips.ip4; prefixLength = 32; })
28 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) 58 (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
29 config.hostEnv.ips); 59 interfaces."eth0".ipv6.addresses =
60 [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
61 ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
62 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
63 config.hostEnv.ips);
64 defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
65 defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
66 nameservers = [
67 "213.133.98.98"
68 "213.133.99.99"
69 "213.133.100.100"
70 "2a01:4f8:0:a0a1::add:1010"
71 "2a01:4f8:0:a102::add:9999"
72 "2a01:4f8:0:a111::add:9898"
73 ];
30 }; 74 };
31 75
32 myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ]; 76 myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
33 imports = builtins.attrValues (import ../..); 77 imports = builtins.attrValues (import ../..);
34 78
35 deployment = {
36 targetEnv = "hetzner";
37 hetzner = {
38 robotUser = config.myEnv.hetzner.user;
39 robotPass = config.myEnv.hetzner.pass;
40 mainIPv4 = config.hostEnv.ips.main.ip4;
41 partitions = ''
42 clearpart --all --initlabel --drives=sda,sdb,sdc,sdd
43
44 part swap --recommended --label=swap --fstype=swap --ondisk=sda
45
46 part raid.1 --grow --ondisk=sdc
47 part raid.2 --grow --ondisk=sdd
48
49 raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
50
51 part /nix --grow --label=nix --ondisk=sda
52 part /data --grow --label=data --ondisk=sdb
53 '';
54 };
55 };
56
57 system.nssModules = [ pkgs.libvirt ]; 79 system.nssModules = [ pkgs.libvirt ];
58 system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ]; 80 system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
59 programs.zsh.enable = true; 81 programs.zsh.enable = true;
@@ -78,7 +100,6 @@
78 } 100 }
79 ]; 101 ];
80 102
81 boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
82 system.activationScripts.libvirtd_exports = '' 103 system.activationScripts.libvirtd_exports = ''
83 install -m 0755 -o root -g root -d /var/lib/caldance 104 install -m 0755 -o root -g root -d /var/lib/caldance
84 ''; 105 '';
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 83e52b8..bb8bbfc 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -1,22 +1,45 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, lib, ... }: 2{ config, pkgs, lib, ... }:
3{ 3{
4 boot.supportedFilesystems = [ "zfs" ]; 4 deployment = {
5 boot.kernelParams = ["zfs.zfs_arc_max=6442450944"]; 5 targetUser = "root";
6 boot.kernelPackages = pkgs.linuxPackages_latest; 6 targetHost = config.hostEnv.ips.main.ip4;
7 substituteOnDestination = true;
8 };
9 boot = {
10 kernelModules = [ "kvm-intel" ];
11 blacklistedKernelModules = [ "nvidiafb" ];
12 loader.timeout = 1;
13 loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
14 kernel.sysctl = {
15 # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
16 "net.ipv4.tcp_sack" = 0;
17 };
18 supportedFilesystems = [ "zfs" ];
19 kernelParams = ["zfs.zfs_arc_max=6442450944"];
20 kernelPackages = pkgs.linuxPackages_latest;
21 initrd.availableKernelModules = [ "ahci" "sd_mod" ];
22 initrd.secrets = {
23 "/boot/pass.key" = "/boot/pass.key";
24 };
25 };
26 services.udev.extraRules = ''
27 ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
28 '';
29 nix.maxJobs = 8;
30 powerManagement.cpuFreqGovernor = "powersave";
7 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 31 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
8 32
9 fileSystems = { 33 fileSystems = {
10 "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; }; 34 "/" = { fsType = "zfs"; device = "zpool/root"; };
11 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; }; 35 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
12 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; 36 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
13 "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; }; 37 "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; };
14 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; }; 38 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
15 "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; 39 "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
16 }; 40 };
17 boot.initrd.secrets = { 41 swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
18 "/boot/pass.key" = "/boot/pass.key"; 42 hardware.enableRedistributableFirmware = true;
19 };
20 43
21 services.zfs = { 44 services.zfs = {
22 autoScrub = { 45 autoScrub = {
@@ -27,20 +50,34 @@
27 hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4 50 hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
28 firewall.enable = true; 51 firewall.enable = true;
29 # 176.9.151.89 declared in nixops -> infra / tools 52 # 176.9.151.89 declared in nixops -> infra / tools
30 interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList 53 interfaces."eth0".ipv4.addresses =
31 (n: ips: { address = ips.ip4; prefixLength = 32; }) 54 pkgs.lib.attrsets.mapAttrsToList
32 (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); 55 (n: ips: { address = ips.ip4; prefixLength = 32; })
56 (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
57 ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
33 interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList 58 interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
34 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) 59 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
35 config.hostEnv.ips); 60 config.hostEnv.ips);
61 defaultGateway = "176.9.151.65";
62 localCommands = ''
63 # FIXME: Those commands were added by nixops and may not be
64 # actually needed
65 ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
66 ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
67 ip -6 route add default via 'fe80::1' dev eth0 || true
68 '';
69 nameservers = [
70 "213.133.98.98"
71 "213.133.99.99"
72 "213.133.100.100"
73 "2a01:4f8:0:a0a1::add:1010"
74 "2a01:4f8:0:a102::add:9999"
75 "2a01:4f8:0:a111::add:9898"
76 ];
36 }; 77 };
37 78
38 imports = builtins.attrValues (import ../..); 79 imports = builtins.attrValues (import ../..);
39 80
40 boot.kernel.sysctl = {
41 # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
42 "net.ipv4.tcp_sack" = 0;
43 };
44 myServices.buildbot.enable = true; 81 myServices.buildbot.enable = true;
45 myServices.databases.enable = true; 82 myServices.databases.enable = true;
46 myServices.gitolite.enable = true; 83 myServices.gitolite.enable = true;
@@ -76,26 +113,6 @@
76 "${profile.host_key_type} ${profile.host_key}"; 113 "${profile.host_key_type} ${profile.host_key}";
77 }; 114 };
78 115
79 deployment = {
80 targetEnv = "hetzner";
81 hetzner = {
82 robotUser = config.myEnv.hetzner.user;
83 robotPass = config.myEnv.hetzner.pass;
84 mainIPv4 = config.hostEnv.ips.main.ip4;
85 partitions = ''
86 clearpart --all --initlabel --drives=sda,sdb
87
88 part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
89 part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
90
91 part raid.1 --grow --ondisk=sda
92 part raid.2 --grow --ondisk=sdb
93
94 raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
95 '';
96 };
97 };
98
99 services.cron = { 116 services.cron = {
100 enable = true; 117 enable = true;
101 mailto = "cron@immae.eu"; 118 mailto = "cron@immae.eu";
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix
index c87c784..2241b2b 100644
--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -1,20 +1,15 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, resources, ... }: 2{ config, pkgs, resources, ... }:
3{ 3{
4 deployment = {
5 targetUser = "root";
6 targetHost = config.hostEnv.ips.main.ip4;
7 substituteOnDestination = true;
8 };
4 boot.kernelPackages = pkgs.linuxPackages_latest; 9 boot.kernelPackages = pkgs.linuxPackages_latest;
5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 10 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
6 11
7 imports = builtins.attrValues (import ../..); 12 imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);
8
9 deployment = {
10 targetEnv = "hetznerCloud";
11 hetznerCloud = {
12 authToken = config.myEnv.hetznerCloud.authToken;
13 datacenter = "hel1-dc2";
14 location ="hel1";
15 serverType = "cx11";
16 };
17 };
18 13
19 myServices.monitoring.enable = true; 14 myServices.monitoring.enable = true;
20 myServices.monitoring.master = true; 15 myServices.monitoring.master = true;
@@ -29,6 +24,8 @@
29 config.hostEnv.ips); 24 config.hostEnv.ips);
30 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; 25 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
31 }; 26 };
27 boot.loader.grub.device = "nodev";
28 fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
32 myServices.mailRelay.enable = true; 29 myServices.mailRelay.enable = true;
33 30
34 security.pki.certificateFiles = [ 31 security.pki.certificateFiles = [
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-01 04:28:39 +0000