Diffstat (limited to 'modules/private/system/eldiron.nix')
-rw-r--r-- | modules/private/system/eldiron.nix | 228 |
1 files changed, 0 insertions, 228 deletions
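--- a/modules/private/system/eldiron.nix
+++ /dev/null
@@ -1,228 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-deployment = {
-targetUser = "root";
-targetHost = config.hostEnv.ips.main.ip4;
-substituteOnDestination = true;
-};
-# ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
-secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
-boot = {
-kernelModules = [ "kvm-intel" ];
-blacklistedKernelModules = [ "nvidiafb" ];
-loader.timeout = 1;
-loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
-kernel.sysctl = {
-# https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
-"net.ipv4.tcp_sack" = 0;
-};
-supportedFilesystems = [ "zfs" ];
-kernelParams = ["zfs.zfs_arc_max=6442450944"];
-kernelPackages = pkgs.linuxPackages_latest;
-initrd.availableKernelModules = [ "ahci" "sd_mod" ];
-initrd.secrets = {
-"/boot/pass.key" = "/boot/pass.key";
-};
-};
-services.udev.extraRules = ''
-ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
-'';
-nix.maxJobs = 8;
-powerManagement.cpuFreqGovernor = "powersave";
-myEnv = import ../../../nixops/secrets/environment.nix;
-
-fileSystems = {
-# pools:
-# zpool: ashift=12
-# zfast: ashift=12
-# zfs:
-# zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
-# zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
-# zpool/root/var: atime=on
-# zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
-# zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
-# zfast/root/etc: ø
-# zfast/root/nix: ø
-# zfast/root/tmp: async=disabled
-# zfast/root/var: atime=on
-# zfast/root/var/lib: ø
-# zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
-# zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
-# zfast/root/var/lib/postgresql/11.0: ø
-# zfast/root/var/lib/postgresql/11.0/pg_wal: ø
-"/" = { fsType = "zfs"; device = "zpool/root"; };
-"/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
-"/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
-"/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
-"/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
-"/var" = { fsType = "zfs"; device = "zpool/root/var"; };
-"/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
-"/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
-"/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
-"/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
-};
-swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
-hardware.enableRedistributableFirmware = true;
-
-services.zfs = {
-autoScrub = {
-enable = false;
-};
-};
-networking = {
-hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
-firewall.enable = true;
-# FIXME: on next reboot, remove the /27 and the localCommands
-interfaces."eth0".ipv4.addresses =
-pkgs.lib.attrsets.mapAttrsToList
-(n: ips: { address = ips.ip4; prefixLength = 32; })
-(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
-++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
-interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
-(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
-config.hostEnv.ips);
-defaultGateway = "176.9.151.65";
-localCommands = ''
-# FIXME: Those commands were added by nixops and may not be
-# actually needed
-ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
-ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
-ip -6 route add default via 'fe80::1' dev eth0 || true
-'';
-nameservers = [
-"213.133.98.98"
-"213.133.99.99"
-"213.133.100.100"
-"2a01:4f8:0:a0a1::add:1010"
-"2a01:4f8:0:a102::add:9999"
-"2a01:4f8:0:a111::add:9898"
-];
-};
-
-imports = builtins.attrValues (import ../..);
-
-myServices.buildbot.enable = true;
-myServices.databases.enable = true;
-myServices.gitolite.enable = true;
-myServices.monitoring.enable = true;
-myServices.irc.enable = true;
-myServices.pub.enable = true;
-myServices.tasks.enable = true;
-myServices.mpd.enable = true;
-myServices.dns.enable = true;
-myServices.certificates.enable = true;
-myServices.websites.enable = true;
-myServices.gemini.enable = true;
-myServices.mail.enable = true;
-myServices.ejabberd.enable = true;
-myServices.vpn.enable = true;
-myServices.ftp.enable = true;
-
-services.netdata.enable = true;
-services.netdata.config.global."memory mode" = "none";
-services.netdata.config.health."enabled" = "no";
-services.netdata.config.web.mode = "none";
-users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
-environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
-secrets.keys = {
-"netdata-stream.conf" = {
-user = config.services.netdata.user;
-group = config.services.netdata.group;
-permissions = "0400";
-text = ''
-[stream]
-enabled = yes
-destination = ${config.myEnv.monitoring.netdata_aggregator}
-api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
-'';
-};
-"zrepl_backup/identity" = {
-user = "root";
-group = "root";
-permissions = "0400";
-text = config.myEnv.zrepl_backup.ssh_key.private;
-};
-};
-programs.ssh.knownHosts.dilion = {
-hostNames = ["dilion.immae.eu"];
-publicKey = let
-profile = config.myEnv.rsync_backup.profiles.dilion;
-in
-"${profile.host_key_type} ${profile.host_key}";
-};
-
-services.cron = {
-enable = true;
-mailto = "cron@immae.eu";
-systemCronJobs = [
-''
-0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
-# Need a way to blacklist properly
-# 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
-0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
-''
-];
-};
-
-environment.systemPackages = [ pkgs.bindfs ];
-
-services.zrepl = {
-enable = true;
-config = let
-redis_dump = pkgs.writeScript "redis-dump" ''
-#! ${pkgs.stdenv.shell}
-${pkgs.redis}/bin/redis-cli bgsave
-'';
-in ''
-jobs:
-- type: push
-# must not change
-name: "backup-to-dilion"
-filesystems:
-"zpool/root": true
-"zpool/root/etc": true
-"zpool/root/var<": true
-connect:
-type: ssh+stdinserver
-host: dilion.immae.eu
-user: backup
-port: 22
-identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
-snapshotting:
-type: periodic
-prefix: zrepl_
-interval: 1h
-#hooks:
-# - type: mysql-lock-tables
-# dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
-# filesystems:
-# "zpool/root/var": true
-# - type: command
-# path: ${redis_dump}
-# err_is_fatal: false
-# filesystems:
-# "zpool/root/var": true
-send:
-encrypted: true
-pruning:
-keep_sender:
-- type: regex
-regex: "^manual_.*"
-- type: grid
-grid: 24x1h | 7x1d | 4x7d | 6x30d
-regex: "^zrepl_.*"
-keep_receiver:
-- type: regex
-regex: "^manual_.*"
-- type: grid
-grid: 6x4h | 7x1d | 4x7d | 6x30d
-regex: "^zrepl_.*"
-'';
-};
-# This value determines the NixOS release with which your system is
-# to be compatible, in order to avoid breaking some software such as
-# database servers. You should change this only after NixOS release
-# notes say you should.
-# https://nixos.org/nixos/manual/release-notes.html
-system.stateVersion = "20.03"; # Did you read the comment?
-}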