Diffstat (limited to 'systems/dilion')
-rw-r--r--systems/dilion/base.nix309
-rw-r--r--systems/dilion/flake.lock695
-rw-r--r--systems/dilion/flake.nix43
-rw-r--r--systems/dilion/monitoring.nix43
-rw-r--r--systems/dilion/ssh_ldap_regular.sh19
-rw-r--r--systems/dilion/vms.nix200
-rw-r--r--systems/dilion/vms/base_configuration.nix27
-rw-r--r--systems/dilion/vms/base_image.nix98
-rw-r--r--systems/dilion/vms/buildbot_configuration.nix73
9 files changed, 1507 insertions, 0 deletions
diff --git a/systems/dilion/base.nix b/systems/dilion/base.nix
new file mode 100644
index 0000000..ac4bdaf
--- /dev/null
+++ b/systems/dilion/base.nix
@@ -0,0 +1,309 @@
1{ config, pkgs, name, lib, pkgs-no-overlay, secrets, ... }:
2{
3 # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
4 secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
5 boot = {
6 loader = {
7 grub = {
8 devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
9 };
10 timeout = 1;
11 };
12 blacklistedKernelModules = [ "nvidiafb" ];
13 supportedFilesystems = [ "zfs" ];
14 kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
15 kernelModules = [ "kvm-intel" ];
16 initrd.availableKernelModules = [ "ahci" "sd_mod" ];
17 initrd.secrets = {
18 "/boot/pass.key" = "/boot/pass.key";
19 };
20 kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
21 # available in nixos-20.09
22 #zfs.requestEncryptionCredentials = [ "zpool/root" ];
23 };
24 powerManagement.cpuFreqGovernor = "powersave";
25 hardware.enableRedistributableFirmware = true;
26
27 swapDevices = [ { label = "swap"; } ];
28 fileSystems = {
29 "/" = { fsType = "zfs"; device = "zpool/root"; };
30 "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
31 "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
32 "/home" = { fsType = "zfs"; device = "zpool/root/home"; };
33 "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
34 "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
35 "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
36 "/data" = { fsType = "ext4"; label = "data"; };
37 "/nix" = { fsType = "ext4"; label = "nix"; };
38 };
39
40 services.udev.extraRules = ''
41 ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
42 '';
43
44 nixpkgs.config.permittedInsecurePackages = [
45 "python-2.7.18.6" # for nagios-cli
46 ];
47
48 networking = {
49 hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
50 firewall.enable = false;
51 interfaces."eth0".ipv4.addresses =
52 [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
53 ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
54 (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
55 (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
56 interfaces."eth0".ipv6.addresses =
57 [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
58 ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
59 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
60 config.hostEnv.ips);
61 defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
62 defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
63 nameservers = [
64 "213.133.98.98"
65 "213.133.99.99"
66 "213.133.100.100"
67 "2a01:4f8:0:a0a1::add:1010"
68 "2a01:4f8:0:a102::add:9999"
69 "2a01:4f8:0:a111::add:9898"
70 ];
71 };
72
73 myServices.ssh.modules.regular.snippet = builtins.readFile ./ssh_ldap_regular.sh;
74
75 imports = [
76 secrets.nixosModules.users-config-dilion
77 ./monitoring.nix
78 ./vms.nix
79 ];
80
81 myServices.vms.libvirt-guests = {
82 buildbot = {
83 pool = "zfspool";
84 network = "immae";
85 cpus = 1;
86 memory = 3;
87 diskSize = 10;
88 destroyVolumeOnExit = true;
89 };
90 };
91 myServices.vms.libvirt-images = {
92 nixos = ./vms/base_configuration.nix;
93 buildbot = ./vms/buildbot_configuration.nix;
94 };
95 myServices.vms.libvirt-networks.immae = {
96 bridgeNumber = 1;
97 ipRange = "192.168.100";
98 };
99 myServices.vms.libvirt-pools = {
100 niximages = {
101 type = "dir";
102 target = "/etc/libvirtd/base-images";
103 };
104 buildbot-disks = rec {
105 type = "dir";
106 target = "/var/lib/libvirt/images/buildbot-disks";
107 preStart = ''
108 mkdir -p ${target}
109 '';
110 };
111 zfspool = {
112 # pool-define-as --name zfspool --source-name zpool/libvirt --type zfs
113 type = "zfs";
114 xml = ''
115 <source>
116 <name>zpool/libvirt</name>
117 </source>
118 '';
119 };
120 };
121
122 system.nssModules = [ pkgs.libvirt ];
123 system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
124 programs.zsh.enable = true;
125
126 users.users.libvirt = {
127 hashedPassword = "!";
128 shell = pkgs.bashInteractive;
129 isSystemUser = true;
130 group = "libvirtd";
131 packages = [ pkgs.libressl.nc ];
132 openssh.authorizedKeys.keys = [
133 config.myEnv.buildbot.ssh_key.public
134 config.myEnv.sshd.rootKeys.ismael_flony
135 ];
136 };
137
138 users.groups.backup = {};
139 users.users.backup = {
140 hashedPassword = "!";
141 isSystemUser = true;
142 extraGroups = [ "keys" ];
143 group = "backup";
144 shell = pkgs.bashInteractive;
145 openssh.authorizedKeys.keys = let
146 zreplConfig = "/etc/zrepl/zrepl.yml";
147 in
148 ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
149 };
150 security.sudo.extraRules = pkgs.lib.mkAfter [
151 {
152 commands = [
153 { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
154 ];
155 users = [ "immae" ];
156 runAs = "root";
157 }
158 ];
159
160 virtualisation.docker.enable = true;
161 virtualisation.docker.storageDriver = "zfs";
162 virtualisation.libvirtd.enable = true;
163 virtualisation.libvirtd.qemu.package = pkgs-no-overlay.qemu;
164 systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
165 users.groups.immae = {};
166 users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
167 systemd.services.libvirtd.postStart = ''
168 install -m 0770 -g libvirtd -d /var/lib/libvirt/images
169 '';
170
171 time.timeZone = "Europe/Paris";
172 nix = {
173 settings = {
174 sandbox = "relaxed";
175 max-jobs = 8;
176 substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
177 trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
178 trusted-users = [ "root" "@wheel"] ;
179 };
180 extraOptions = ''
181 keep-outputs = true
182 keep-derivations = true
183 allow-unsafe-native-code-during-evaluation = true
184 experimental-features = nix-command flakes
185 #Assumed in NUR
186 allow-import-from-derivation = true
187 '';
188 };
189
190 security.pki.certificateFiles = [
191 (pkgs.fetchurl {
192 url = "http://downloads.e.eriomem.net/eriomemca.pem";
193 sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
194 })
195 ];
196
197 myServices.monitoring.enable = true;
198 security.acme.certs."${name}-immae" = {
199 group = "immae";
200 domain = "dilion.immae.eu";
201 };
202 security.acme.certs."${name}" = {
203 group = config.services.nginx.group;
204 extraDomainNames = [
205 "dilion.immae.dev"
206 ];
207 };
208 systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
209 services.nginx = {
210 enable = true;
211 recommendedOptimisation = true;
212 recommendedGzipSettings = true;
213 recommendedProxySettings = true;
214 virtualHosts = {
215 "dilion.immae.dev" = {
216 acmeRoot = config.security.acme.defaults.webroot;
217 useACMEHost = name;
218 forceSSL = true;
219 locations."/".root = "/home/immae/www";
220 };
221 };
222 };
223
224 secrets.keys = {
225 "zrepl/${name}.key" = {
226 permissions = "0400";
227 text = config.myEnv.zrepl_backup.certs."${name}".key;
228 user = "backup";
229 group = "root";
230 };
231 } // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
232 permissions = "0400";
233 text = config.myEnv.zrepl_backup.certs."${x}".certificate;
234 user = "backup";
235 group = "root";
236 }) (builtins.attrNames config.myEnv.zrepl_backup.certs));
237
238 environment.etc."mdadm.conf" = {
239 enable = true;
240 mode = "0644";
241 user = "root";
242 text = "MAILADDR ${config.myEnv.monitoring.email}";
243 };
244
245
246 systemd.services.zrepl.serviceConfig.User = "backup";
247 systemd.services.zrepl.path = [ pkgs.openssh ];
248 # pour eldiron:
249 # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
250 # pour flony:
251 # zfs allow backup hold,release,bookmark,snapshot,send zpool
252 services.zrepl = {
253 enable = true;
254 settings = {
255 global.control.sockpath = "/run/zrepl/control";
256 global.serve.stdinserver.sockdir = "/run/zrepl/stdinserver";
257 jobs = [
258 {
259 type = "sink";
260 # must not change
261 name = "backup-from-eldiron";
262 root_fs = "zpool/backup";
263 serve.type = "tls";
264 serve.listen = ":19000";
265 serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
266 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
267 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
268 serve.client_cns = [ "eldiron" ];
269 }
270 {
271 type = "source";
272 # must not change
273 name = "backup-to-wd-zpool";
274 # not encrypted!
275 serve.type = "tls";
276 serve.listen = ":19001";
277 serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
278 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
279 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
280 serve.client_cns = [ "flony" ];
281 filesystems."zpool/libvirt<" = true;
282 filesystems."zpool/root<" = true;
283 snapshotting.type = "manual";
284 }
285 {
286 type = "source";
287 # must not change
288 name = "backup-to-wd-zpool-docker";
289 # not encrypted!
290 serve.type = "tls";
291 serve.listen = ":19002";
292 serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
293 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
294 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
295 serve.client_cns = [ "flony" ];
296 filesystems."zpool/docker<" = true;
297 snapshotting.type = "manual";
298 }
299 ];
300 };
301 };
302 # This value determines the NixOS release with which your system is
303 # to be compatible, in order to avoid breaking some software such as
304 # database servers. You should change this only after NixOS release
305 # notes say you should.
306 # https://nixos.org/nixos/manual/release-notes.html
307 system.stateVersion = "23.05"; # Did you read the comment?
308}
309
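Review bot: `firewall.enable = false;` in the `networking` block leaves every listener reachable on the host's public addresses, including the three zrepl TLS servers bound to `:19000`–`:19002` and whatever docker and libvirtd open; `client_cns` authenticates the peers, but the TLS handshake itself is exposed to the whole internet. Re-enabling it with `firewall.enable = true;` and an `allowedTCPPorts`/`extraCommands` set limited to 22, 80, 443 and the zrepl ports (ideally restricted to the eldiron and flony addresses) would keep the same functionality. The `users.users.libvirt` account hands the buildbot key an unrestricted `bashInteractive` shell with `libvirtd` group rights, whereas the `backup` user's key is pinned with `command="...",restrict`; unless buildbot really needs a shell, the same forced-command and `restrict` treatment would bound what a compromised build key can do. The NOPASSWD sudo rule on `/home/immae/.nix-profile/root_scripts/*` points at a directory the `immae` account controls, so it is effectively passwordless root for that account; a comment saying so (or a root-owned script directory) would make that intent explicit.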
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock
new file mode 100644
index 0000000..6da2d47
--- /dev/null
+++ b/systems/dilion/flake.lock
@@ -0,0 +1,695 @@
1{
2 "nodes": {
3 "backports": {
4 "inputs": {
5 "flake-utils": "flake-utils_2",
6 "nixpkgs": "nixpkgs_6"
7 },
8 "locked": {
9 "lastModified": 1,
10 "narHash": "sha256-VewHWeZvwLvWVm2bMQk5UQ0G/HyO8X87BssvmbLWbrY=",
11 "path": "../../backports",
12 "type": "path"
13 },
14 "original": {
15 "path": "../../backports",
16 "type": "path"
17 }
18 },
19 "colmena": {
20 "inputs": {
21 "flake-compat": "flake-compat",
22 "flake-utils": "flake-utils",
23 "nixpkgs": "nixpkgs",
24 "stable": "stable"
25 },
26 "locked": {
27 "lastModified": 1687954574,
28 "narHash": "sha256-YasVTaNXq2xqZdejyIhuyqvNypmx+K/Y1ZZ4+raeeII=",
29 "owner": "immae",
30 "repo": "colmena",
31 "rev": "e427171150a35e23204c4c15a2483358d22a0eff",
32 "type": "github"
33 },
34 "original": {
35 "owner": "immae",
36 "ref": "add-lib-get-flake",
37 "repo": "colmena",
38 "type": "github"
39 }
40 },
41 "disko": {
42 "inputs": {
43 "nixpkgs": "nixpkgs_2"
44 },
45 "locked": {
46 "lastModified": 1687968164,
47 "narHash": "sha256-L9jr2zCB6NIaBE3towusjGBigsnE2pMID8wBGkYbTS4=",
48 "owner": "nix-community",
49 "repo": "disko",
50 "rev": "8002e7cb899bc2a02a2ebfb7f999fcd7c18b92a1",
51 "type": "github"
52 },
53 "original": {
54 "owner": "nix-community",
55 "repo": "disko",
56 "type": "github"
57 }
58 },
59 "environment": {
60 "locked": {
61 "lastModified": 1,
62 "narHash": "sha256-rMKbM7fHqWQbI7y59BsPG8KwoDj2jyrvN2niPWB24uE=",
63 "path": "../../flakes/private/environment",
64 "type": "path"
65 },
66 "original": {
67 "path": "../../flakes/private/environment",
68 "type": "path"
69 }
70 },
71 "environment_2": {
72 "locked": {
73 "lastModified": 1,
74 "narHash": "sha256-rMKbM7fHqWQbI7y59BsPG8KwoDj2jyrvN2niPWB24uE=",
75 "path": "../environment",
76 "type": "path"
77 },
78 "original": {
79 "path": "../environment",
80 "type": "path"
81 }
82 },
83 "environment_3": {
84 "locked": {
85 "lastModified": 1,
86 "narHash": "sha256-rMKbM7fHqWQbI7y59BsPG8KwoDj2jyrvN2niPWB24uE=",
87 "path": "../environment",
88 "type": "path"
89 },
90 "original": {
91 "path": "../environment",
92 "type": "path"
93 }
94 },
95 "environment_4": {
96 "locked": {
97 "lastModified": 1,
98 "narHash": "sha256-rMKbM7fHqWQbI7y59BsPG8KwoDj2jyrvN2niPWB24uE=",
99 "path": "../environment",
100 "type": "path"
101 },
102 "original": {
103 "path": "../environment",
104 "type": "path"
105 }
106 },
107 "files-watcher": {
108 "locked": {
109 "lastModified": 1,
110 "narHash": "sha256-ZsdumUVoSPkV/DB6gO6dNDttjzalye0ToVBF9bl5W0k=",
111 "path": "../../flakes/files-watcher",
112 "type": "path"
113 },
114 "original": {
115 "path": "../../flakes/files-watcher",
116 "type": "path"
117 }
118 },
119 "flake-compat": {
120 "flake": false,
121 "locked": {
122 "lastModified": 1650374568,
123 "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
124 "owner": "edolstra",
125 "repo": "flake-compat",
126 "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
127 "type": "github"
128 },
129 "original": {
130 "owner": "edolstra",
131 "repo": "flake-compat",
132 "type": "github"
133 }
134 },
135 "flake-parts": {
136 "inputs": {
137 "nixpkgs-lib": "nixpkgs-lib_2"
138 },
139 "locked": {
140 "lastModified": 1687762428,
141 "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
142 "owner": "hercules-ci",
143 "repo": "flake-parts",
144 "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
145 "type": "github"
146 },
147 "original": {
148 "owner": "hercules-ci",
149 "repo": "flake-parts",
150 "type": "github"
151 }
152 },
153 "flake-parts_2": {
154 "inputs": {
155 "nixpkgs-lib": "nixpkgs-lib_3"
156 },
157 "locked": {
158 "lastModified": 1675295133,
159 "narHash": "sha256-dU8fuLL98WFXG0VnRgM00bqKX6CEPBLybhiIDIgO45o=",
160 "owner": "hercules-ci",
161 "repo": "flake-parts",
162 "rev": "bf53492df08f3178ce85e0c9df8ed8d03c030c9f",
163 "type": "github"
164 },
165 "original": {
166 "owner": "hercules-ci",
167 "repo": "flake-parts",
168 "type": "github"
169 }
170 },
171 "flake-utils": {
172 "locked": {
173 "lastModified": 1659877975,
174 "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
175 "owner": "numtide",
176 "repo": "flake-utils",
177 "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
178 "type": "github"
179 },
180 "original": {
181 "owner": "numtide",
182 "repo": "flake-utils",
183 "type": "github"
184 }
185 },
186 "flake-utils_2": {
187 "locked": {
188 "lastModified": 1667395993,
189 "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
190 "owner": "numtide",
191 "repo": "flake-utils",
192 "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
193 "type": "github"
194 },
195 "original": {
196 "owner": "numtide",
197 "repo": "flake-utils",
198 "type": "github"
199 }
200 },
201 "loginctl-linger": {
202 "locked": {
203 "lastModified": 1,
204 "narHash": "sha256-TLlUOhiQzYo6SwH0E3oPCDfhgW249qPZTlVar1VmpKw=",
205 "path": "../../flakes/loginctl-linger",
206 "type": "path"
207 },
208 "original": {
209 "path": "../../flakes/loginctl-linger",
210 "type": "path"
211 }
212 },
213 "monitoring": {
214 "inputs": {
215 "environment": "environment_2",
216 "naemon": "naemon",
217 "nixpkgs-lib": "nixpkgs-lib",
218 "secrets": "secrets"
219 },
220 "locked": {
221 "lastModified": 1,
222 "narHash": "sha256-K720bqCEHPK0F7GBaxo/ioJ3LVAyhjl/ZZobWwO4ebU=",
223 "path": "../../flakes/private/monitoring",
224 "type": "path"
225 },
226 "original": {
227 "path": "../../flakes/private/monitoring",
228 "type": "path"
229 }
230 },
231 "my-lib": {
232 "inputs": {
233 "colmena": "colmena",
234 "disko": "disko",
235 "flake-parts": "flake-parts",
236 "nixos-anywhere": "nixos-anywhere",
237 "nixpkgs": "nixpkgs_4"
238 },
239 "locked": {
240 "lastModified": 1,
241 "narHash": "sha256-wwpT+I5/zrln85BDzlZoEDC19GwYrcZSXbrJjyvC4jk=",
242 "path": "../../flakes/lib",
243 "type": "path"
244 },
245 "original": {
246 "path": "../../flakes/lib",
247 "type": "path"
248 }
249 },
250 "mypackages": {
251 "inputs": {
252 "flake-parts": "flake-parts_2",
253 "nixpkgs": "nixpkgs_7",
254 "webapps-ttrss": "webapps-ttrss"
255 },
256 "locked": {
257 "lastModified": 1,
258 "narHash": "sha256-C0plEL+g6kv5fo/VmTjMJK45RfFcGufqPKJVnviMyGY=",
259 "path": "../../mypackages",
260 "type": "path"
261 },
262 "original": {
263 "path": "../../mypackages",
264 "type": "path"
265 }
266 },
267 "myuids": {
268 "locked": {
269 "lastModified": 1,
270 "narHash": "sha256-HkW9YCLQCNBX3Em7J7MjraVEZO3I3PizkVV2QrUdULQ=",
271 "path": "../../flakes/myuids",
272 "type": "path"
273 },
274 "original": {
275 "path": "../../flakes/myuids",
276 "type": "path"
277 }
278 },
279 "myuids_2": {
280 "locked": {
281 "lastModified": 1,
282 "narHash": "sha256-HkW9YCLQCNBX3Em7J7MjraVEZO3I3PizkVV2QrUdULQ=",
283 "path": "../../myuids",
284 "type": "path"
285 },
286 "original": {
287 "path": "../../myuids",
288 "type": "path"
289 }
290 },
291 "naemon": {
292 "locked": {
293 "lastModified": 1,
294 "narHash": "sha256-6le57WLKj1HXdhe4cgYO6N0Z9nJZC+plQY8HhOwzEIk=",
295 "path": "../../naemon",
296 "type": "path"
297 },
298 "original": {
299 "path": "../../naemon",
300 "type": "path"
301 }
302 },
303 "nixos-2305": {
304 "locked": {
305 "lastModified": 1687938137,
306 "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=",
307 "owner": "NixOS",
308 "repo": "nixpkgs",
309 "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5",
310 "type": "github"
311 },
312 "original": {
313 "owner": "NixOS",
314 "ref": "release-23.05",
315 "repo": "nixpkgs",
316 "type": "github"
317 }
318 },
319 "nixos-anywhere": {
320 "inputs": {
321 "disko": [
322 "my-lib",
323 "disko"
324 ],
325 "flake-parts": [
326 "my-lib",
327 "flake-parts"
328 ],
329 "nixos-2305": "nixos-2305",
330 "nixos-images": "nixos-images",
331 "nixpkgs": "nixpkgs_3",
332 "treefmt-nix": "treefmt-nix"
333 },
334 "locked": {
335 "lastModified": 1689945193,
336 "narHash": "sha256-+GPRt7ouE84A7GPNKnFYGU0cQL7skKxz0BAY0sUjUmw=",
337 "owner": "numtide",
338 "repo": "nixos-anywhere",
339 "rev": "27161266077a177ac116e2cb72cc70af5f145189",
340 "type": "github"
341 },
342 "original": {
343 "owner": "numtide",
344 "repo": "nixos-anywhere",
345 "type": "github"
346 }
347 },
348 "nixos-images": {
349 "inputs": {
350 "nixos-2305": [
351 "my-lib",
352 "nixos-anywhere",
353 "nixos-2305"
354 ],
355 "nixos-unstable": [
356 "my-lib",
357 "nixos-anywhere",
358 "nixpkgs"
359 ]
360 },
361 "locked": {
362 "lastModified": 1686819168,
363 "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=",
364 "owner": "nix-community",
365 "repo": "nixos-images",
366 "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37",
367 "type": "github"
368 },
369 "original": {
370 "owner": "nix-community",
371 "repo": "nixos-images",
372 "type": "github"
373 }
374 },
375 "nixpkgs": {
376 "locked": {
377 "lastModified": 1683408522,
378 "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
379 "owner": "NixOS",
380 "repo": "nixpkgs",
381 "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
382 "type": "github"
383 },
384 "original": {
385 "owner": "NixOS",
386 "ref": "nixos-unstable",
387 "repo": "nixpkgs",
388 "type": "github"
389 }
390 },
391 "nixpkgs-lib": {
392 "locked": {
393 "dir": "lib",
394 "lastModified": 1691269286,
395 "narHash": "sha256-7cPTz1bPhwq8smt9rHDcFtJsd1tFDcBukzj5jOXqjfk=",
396 "owner": "NixOS",
397 "repo": "nixpkgs",
398 "rev": "85d4248a4f5aa6bc55dd2cea8131bb68b2d43804",
399 "type": "github"
400 },
401 "original": {
402 "dir": "lib",
403 "owner": "NixOS",
404 "repo": "nixpkgs",
405 "type": "github"
406 }
407 },
408 "nixpkgs-lib_2": {
409 "locked": {
410 "dir": "lib",
411 "lastModified": 1685564631,
412 "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
413 "owner": "NixOS",
414 "repo": "nixpkgs",
415 "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
416 "type": "github"
417 },
418 "original": {
419 "dir": "lib",
420 "owner": "NixOS",
421 "ref": "nixos-unstable",
422 "repo": "nixpkgs",
423 "type": "github"
424 }
425 },
426 "nixpkgs-lib_3": {
427 "locked": {
428 "dir": "lib",
429 "lastModified": 1675183161,
430 "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
431 "owner": "NixOS",
432 "repo": "nixpkgs",
433 "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
434 "type": "github"
435 },
436 "original": {
437 "dir": "lib",
438 "owner": "NixOS",
439 "ref": "nixos-unstable",
440 "repo": "nixpkgs",
441 "type": "github"
442 }
443 },
444 "nixpkgs_2": {
445 "locked": {
446 "lastModified": 1687701825,
447 "narHash": "sha256-aMC9hqsf+4tJL7aJWSdEUurW2TsjxtDcJBwM9Y4FIYM=",
448 "owner": "NixOS",
449 "repo": "nixpkgs",
450 "rev": "07059ee2fa34f1598758839b9af87eae7f7ae6ea",
451 "type": "github"
452 },
453 "original": {
454 "owner": "NixOS",
455 "ref": "nixpkgs-unstable",
456 "repo": "nixpkgs",
457 "type": "github"
458 }
459 },
460 "nixpkgs_3": {
461 "locked": {
462 "lastModified": 1687893427,
463 "narHash": "sha256-jJHj0Lxpvov1IPYQK441oLAKxxemHm16U9jf60bXAFU=",
464 "owner": "nixos",
465 "repo": "nixpkgs",
466 "rev": "4b14ab2a916508442e685089672681dff46805be",
467 "type": "github"
468 },
469 "original": {
470 "owner": "nixos",
471 "ref": "nixos-unstable-small",
472 "repo": "nixpkgs",
473 "type": "github"
474 }
475 },
476 "nixpkgs_4": {
477 "locked": {
478 "lastModified": 1648725829,
479 "narHash": "sha256-tXEzI38lLrzW2qCAIs0UAatE2xcsTsoKWaaXqAcF1NI=",
480 "owner": "NixOS",
481 "repo": "nixpkgs",
482 "rev": "72152ff5ad470ed1a5b97c0ba2737938c136c994",
483 "type": "github"
484 },
485 "original": {
486 "owner": "NixOS",
487 "repo": "nixpkgs",
488 "type": "github"
489 }
490 },
491 "nixpkgs_5": {
492 "locked": {
493 "lastModified": 1693158576,
494 "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
495 "owner": "nixos",
496 "repo": "nixpkgs",
497 "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
498 "type": "github"
499 },
500 "original": {
501 "owner": "nixos",
502 "ref": "nixos-unstable",
503 "repo": "nixpkgs",
504 "type": "github"
505 }
506 },
507 "nixpkgs_6": {
508 "locked": {
509 "lastModified": 1687502512,
510 "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
511 "owner": "NixOS",
512 "repo": "nixpkgs",
513 "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
514 "type": "github"
515 },
516 "original": {
517 "owner": "NixOS",
518 "ref": "nixos-unstable",
519 "repo": "nixpkgs",
520 "type": "github"
521 }
522 },
523 "nixpkgs_7": {
524 "locked": {
525 "lastModified": 1646497237,
526 "narHash": "sha256-Ccpot1h/rV8MgcngDp5OrdmLTMaUTbStZTR5/sI7zW0=",
527 "owner": "nixos",
528 "repo": "nixpkgs",
529 "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026",
530 "type": "github"
531 },
532 "original": {
533 "owner": "nixos",
534 "repo": "nixpkgs",
535 "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026",
536 "type": "github"
537 }
538 },
539 "root": {
540 "inputs": {
541 "environment": "environment",
542 "files-watcher": "files-watcher",
543 "loginctl-linger": "loginctl-linger",
544 "monitoring": "monitoring",
545 "my-lib": "my-lib",
546 "myuids": "myuids",
547 "nixpkgs": "nixpkgs_5",
548 "secrets": "secrets_2",
549 "ssh": "ssh",
550 "system": "system"
551 }
552 },
553 "secrets": {
554 "locked": {
555 "lastModified": 1,
556 "narHash": "sha256-5AakznhrJFmwCD7lr4JEh55MtdAJL6WA/YuBks6ISSE=",
557 "path": "../../secrets",
558 "type": "path"
559 },
560 "original": {
561 "path": "../../secrets",
562 "type": "path"
563 }
564 },
565 "secrets-public": {
566 "locked": {
567 "lastModified": 1,
568 "narHash": "sha256-5AakznhrJFmwCD7lr4JEh55MtdAJL6WA/YuBks6ISSE=",
569 "path": "../../secrets",
570 "type": "path"
571 },
572 "original": {
573 "path": "../../secrets",
574 "type": "path"
575 }
576 },
577 "secrets_2": {
578 "locked": {
579 "lastModified": 1,
580 "narHash": "sha256-5AakznhrJFmwCD7lr4JEh55MtdAJL6WA/YuBks6ISSE=",
581 "path": "../../flakes/secrets",
582 "type": "path"
583 },
584 "original": {
585 "path": "../../flakes/secrets",
586 "type": "path"
587 }
588 },
589 "secrets_3": {
590 "locked": {
591 "lastModified": 1,
592 "narHash": "sha256-5AakznhrJFmwCD7lr4JEh55MtdAJL6WA/YuBks6ISSE=",
593 "path": "../../secrets",
594 "type": "path"
595 },
596 "original": {
597 "path": "../../secrets",
598 "type": "path"
599 }
600 },
601 "ssh": {
602 "inputs": {
603 "environment": "environment_3",
604 "secrets": "secrets_3"
605 },
606 "locked": {
607 "lastModified": 1,
608 "narHash": "sha256-ckUFmIHxrUuBMxOHhzgT+4sX/ek/Op0PjdyL3NyU/Mc=",
609 "path": "../../flakes/private/ssh",
610 "type": "path"
611 },
612 "original": {
613 "path": "../../flakes/private/ssh",
614 "type": "path"
615 }
616 },
617 "stable": {
618 "locked": {
619 "lastModified": 1669735802,
620 "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
621 "owner": "NixOS",
622 "repo": "nixpkgs",
623 "rev": "731cc710aeebecbf45a258e977e8b68350549522",
624 "type": "github"
625 },
626 "original": {
627 "owner": "NixOS",
628 "ref": "nixos-22.11",
629 "repo": "nixpkgs",
630 "type": "github"
631 }
632 },
633 "system": {
634 "inputs": {
635 "backports": "backports",
636 "environment": "environment_4",
637 "mypackages": "mypackages",
638 "myuids": "myuids_2",
639 "secrets-public": "secrets-public"
640 },
641 "locked": {
642 "lastModified": 1,
643 "narHash": "sha256-vOs7fcQVsOSl/gsyzFXfsWE7u0/O9mIKpHnwDwHxJTQ=",
644 "path": "../../flakes/private/system",
645 "type": "path"
646 },
647 "original": {
648 "path": "../../flakes/private/system",
649 "type": "path"
650 }
651 },
652 "treefmt-nix": {
653 "inputs": {
654 "nixpkgs": [
655 "my-lib",
656 "nixos-anywhere",
657 "nixpkgs"
658 ]
659 },
660 "locked": {
661 "lastModified": 1687940979,
662 "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=",
663 "owner": "numtide",
664 "repo": "treefmt-nix",
665 "rev": "0a4f06c27610a99080b69433873885df82003aae",
666 "type": "github"
667 },
668 "original": {
669 "owner": "numtide",
670 "repo": "treefmt-nix",
671 "type": "github"
672 }
673 },
674 "webapps-ttrss": {
675 "flake": false,
676 "locked": {
677 "lastModified": 1546759381,
678 "narHash": "sha256-urjf4EoLWS7G0s0hRtaErrs2B8DUatNK/eoneuB0anY=",
679 "ref": "master",
680 "rev": "986ca251f995f7754a0470d3e0c44538a545081f",
681 "revCount": 9256,
682 "type": "git",
683 "url": "https://git.tt-rss.org/fox/tt-rss.git"
684 },
685 "original": {
686 "ref": "master",
687 "rev": "986ca251f995f7754a0470d3e0c44538a545081f",
688 "type": "git",
689 "url": "https://git.tt-rss.org/fox/tt-rss.git"
690 }
691 }
692 },
693 "root": "root",
694 "version": 7
695}
diff --git a/systems/dilion/flake.nix b/systems/dilion/flake.nix
new file mode 100644
index 0000000..9747086
--- /dev/null
+++ b/systems/dilion/flake.nix
@@ -0,0 +1,43 @@
1{
2 inputs = {
3 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
4
5 my-lib.url = "path:../../flakes/lib";
6
7 monitoring.url = "path:../../flakes/private/monitoring";
8 ssh.url = "path:../../flakes/private/ssh";
9 environment.url = "path:../../flakes/private/environment";
10 system.url = "path:../../flakes/private/system";
11
12 myuids.url = "path:../../flakes/myuids";
13 secrets.url = "path:../../flakes/secrets";
14 files-watcher.url = "path:../../flakes/files-watcher";
15 loginctl-linger.url = "path:../../flakes/loginctl-linger";
16 };
17 outputs = inputs@{ self, my-lib, nixpkgs, ...}:
18 my-lib.lib.mkColmenaFlake {
19 name = "dilion";
20 inherit self nixpkgs;
21 system = "x86_64-linux";
22 targetHost = "176.9.10.233";
23 targetUser = "root";
24 nixosModules = {
25 base = ./base.nix;
26 system = inputs.system.nixosModule;
27 monitoring = inputs.monitoring.nixosModule;
28 environment = inputs.environment.nixosModule;
29 ssh = inputs.ssh.nixosModule;
30
31 myuids = inputs.myuids.nixosModule;
32 secrets = inputs.secrets.nixosModule;
33 files-watcher = inputs.files-watcher.nixosModule;
34 loginctl-linger = inputs.loginctl-linger.nixosModule;
35 };
36 moduleArgs = {
37 nixpkgs = inputs.nixpkgs;
38 monitoring = inputs.monitoring;
39 environment = inputs.environment;
40 pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
41 };
42 };
43}
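Review bot: None of the inputs declare `follows`, so the accompanying lock resolves eight separate nixpkgs revisions (the `nixpkgs`, `nixpkgs_2` … `nixpkgs_7` and `stable` nodes), two of them from early 2022; every package built from one of those trees misses a year and a half of security updates even though the root `nixpkgs` is current. Adding e.g. `my-lib.inputs.nixpkgs.follows = "nixpkgs";` and the same for `system`, `monitoring` and `ssh` would collapse them onto the pinned root tree; `mypackages` pins an explicit `rev`, which looks deliberate, so that one may need to stay. `targetUser = "root";` deploys over direct root SSH; if that is intended, a comment noting that the host is expected to enforce key-only root login would document the assumption.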
diff --git a/systems/dilion/monitoring.nix b/systems/dilion/monitoring.nix
new file mode 100644
index 0000000..af7f224
--- /dev/null
+++ b/systems/dilion/monitoring.nix
@@ -0,0 +1,43 @@
1{ lib, pkgs, config, name, monitoring, ... }:
2let
3 hostFQDN = config.hostEnv.fqdn;
4 zfs_snapshot = name: {
5 service_description = "ZFS snapshot ${name} happened not too long ago";
6 use = "local-service";
7 check_command = ["check_zfs_snapshot" name];
8 __passive_servicegroups = "webstatus-resources";
9 };
10in
11{
12 config.myServices.monitoring.activatedPlugins = [ "memory" "command" "bandwidth" "mdadm" "zfs" "notify-secondary"];
13 config.myServices.monitoring.objects = lib.mkMerge [
14 (monitoring.lib.objectsCommon {
15 inherit hostFQDN;
16 hostName = name;
17 master = false;
18 processWarn = "250"; processAlert = "400";
19 loadWarn = "1.0"; loadAlert = "1.2";
20 interface = builtins.head (builtins.attrNames config.networking.interfaces);
21 })
22
23 {
24 service = [
25 {
26 service_description = "No mdadm array is degraded";
27 use = "local-service";
28 check_command = ["check_mdadm"];
29 __passive_servicegroups = "webstatus-resources";
30 }
31 {
32 service_description = "No ZFS pool is degraded";
33 use = "local-service";
34 check_command = ["check_zfs"];
35 __passive_servicegroups = "webstatus-resources";
36 }
37 (zfs_snapshot "zpool/backup/eldiron/zpool/root")
38 (zfs_snapshot "zpool/backup/eldiron/zpool/root/etc")
39 (zfs_snapshot "zpool/backup/eldiron/zpool/root/var")
40 ];
41 }
42 ];
43}
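Review bot: `interface = builtins.head (builtins.attrNames config.networking.interfaces)` picks the alphabetically first declared interface, which is `eth0` today only because base.nix declares nothing else; any later interface that sorts before it (a `br0` bridge, for instance) would silently redirect the bandwidth check. Since a udev rule already pins the NIC name, `interface = "eth0";` states the intent directly. A short comment on `zfs_snapshot` saying it covers only datasets received from eldiron under `zpool/backup` would also help, because the host's own zrepl source jobs use `snapshotting.type = "manual"` and are presumably not covered by these checks — worth confirming.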
diff --git a/systems/dilion/ssh_ldap_regular.sh b/systems/dilion/ssh_ldap_regular.sh
new file mode 100644
index 0000000..4c2f47e
--- /dev/null
+++ b/systems/dilion/ssh_ldap_regular.sh
@@ -0,0 +1,19 @@
1### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
2LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
3
4ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
5 while read line ;
6 do
7 if [ ! -z "$line" ]; then
8 if [[ $line == dn* ]]; then
9 user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
10 elif [[ $line == $KEY* ]]; then
11 key=$(clean_key_line ssh "$line")
12 if [ ! -z "$key" ]; then
13 if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
14 echo $key
15 fi
16 fi
17 fi
18 fi
19 done
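Review bot: `$user` is spliced unescaped into the LDAP filter on the `ldap_search` line; if it is the login name sshd passes to an AuthorizedKeysCommand (it is not set in this snippet, which says it is embedded in a larger script), an unauthenticated client controls it and `(`, `)`, `*` or `\` in the name change the filter's meaning. Escape the RFC 4515 metacharacters before building the filter, and while there use `IFS= read -r` so backslashes in key lines survive and `echo "$key"` so the key is not word-split or glob-expanded. Reassigning `user` inside the loop from the `dn` line shadows the outer name and, being in a pipeline subshell, has no effect outside it; that looks like leftover code and deserves either removal or a comment. The helpers `ldap_search`, `clean_key_line` and `$KEY` come from the enclosing script outside this hunk.

```shell
# … unchanged: header comment and LDAP_MEMBER …
# Escape RFC 4515 filter metacharacters in the client-supplied login name
# before interpolating it into the search filter (backslash first).
safe_user=$(printf '%s' "$user" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')

ldap_search '(&(memberOf='"$LDAP_MEMBER"')('"$KEY"'=*)(uid='"$safe_user"'))' "$KEY" | \
  while IFS= read -r line ;
  do
    # … unchanged: dn / key-line handling …
          echo "$key"
```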
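--- /dev/null
+++ b/systems/dilion/vms.nix
@@ -0,0 +1,200 @@
+# inspired from https://nixos.wiki/wiki/Virtualization_in_NixOS
+{ config, pkgs, lib, pkgs-no-overlay, ... }@args:
+let
+ toImage = f: "${import ./vms/base_image.nix f (args // { myEnv = config.myEnv; })}/nixos.qcow2";
+in
+{
+ options = {
+ myServices.vms.libvirt-guests = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ network = lib.mkOption { type = lib.types.str; description = "network to attach the guest to"; };
+ pool = lib.mkOption { type = lib.types.str; description = "pool to attach the guest to"; };
+ cpus = lib.mkOption { type = lib.types.int; default = 1; description = "number of cpus to assign"; };
+ memory = lib.mkOption { type = lib.types.int; description = "memory in GiB to assign"; };
+ diskSize = lib.mkOption { type = lib.types.int; description = "disk size in GiB"; };
+ destroyVolumeOnExit = lib.mkOption { type = lib.types.bool; description = "Whether to destroy the volume on exit"; default = false; };
+ extraDevicesXML = lib.mkOption { type = lib.types.lines; description = "Extra device configuration"; default = ""; };
+ preStart = lib.mkOption { type = lib.types.lines; default = ""; description = "Script to run as prestart"; };
+ };
+ });
+ default = {};
+ description = "Libvirt guests to start";
+ };
+ myServices.vms.libvirt-networks = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ bridgeNumber = lib.mkOption { type = lib.types.int; description = "bridge interface to create virbr<nbr>"; };
+ ipRange = lib.mkOption { type = lib.types.str; example = "192.168.100"; description = "ip4 prefix to use"; };
+ };
+ });
+ description = "Libvirt networks to configure";
+ default = {};
+ };
+ myServices.vms.libvirt-pools = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ type = lib.mkOption { type = lib.types.enum [ "dir" "zfs" ]; description = "Pool type"; };
+ target = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; description = "where to find images"; };
+ preStart = lib.mkOption { type = lib.types.lines; default = ""; description = "Script to run as prestart"; };
+ xml = lib.mkOption { type = lib.types.lines; default = ""; description = "Additional configuration"; };
+ };
+ });
+ };
+ myServices.vms.libvirt-images = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = {};
+ description = "Attrs of images to create in /etc/libvirtd/base-images";
+ };
+ };
+ config = lib.mkMerge [
+ # Define images
+ {
+ environment.etc = lib.mapAttrs'
+ (n: v: lib.nameValuePair "libvirtd/base-images/${n}.qcow2" { source = toImage v; })
+ config.myServices.vms.libvirt-images;
+ }
+
+ # Define networks
+ {
+ systemd.services = lib.mapAttrs' (name: network: lib.nameValuePair "libvirtd-network-${name}" {
+ after = [ "libvirtd.service" ];
+ requires = [ "libvirtd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ };
+ path = [ config.boot.zfs.package ];
+ script = let
+ xml = pkgs.writeText "libvirt-network-${name}.xml" ''
+ <network>
+ <name>${name}</name>
+ <uuid>UUID</uuid>
+ <forward mode='nat' />
+ <bridge name='virbr${builtins.toString network.bridgeNumber}' />
+ <domain name='${name}' localOnly='yes'/>
+ <ip address='${network.ipRange}.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='${network.ipRange}.2' end='${network.ipRange}.254'/>
+ </dhcp>
+ </ip>
+ </network>
+ '';
+ in ''
+ uuid="$(${pkgs.libvirt}/bin/virsh net-uuid '${name}' || true)"
+ ${pkgs.libvirt}/bin/virsh net-define <(sed "s/UUID/$uuid/" '${xml}')
+ ${pkgs.libvirt}/bin/virsh net-start '${name}'
+ '';
+ preStop = ''
+ ${pkgs.libvirt}/bin/virsh net-destroy '${name}'
+ '';
+ }) config.myServices.vms.libvirt-networks;
+ }
+
+ # Define pools
+ {
+ systemd.services = lib.mapAttrs' (name: pool: lib.nameValuePair "libvirtd-pool-${name}" {
+ after = [ "libvirtd.service" ];
+ requires = [ "libvirtd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ };
+ path = [ config.boot.zfs.package ];
+ script = let
+ xml = pkgs.writeText "libvirt-pool-${name}.xml" ''
+ <pool type="${pool.type}">
+ <name>${name}</name>
+ <uuid>UUID</uuid>
+ ${pool.xml}
+ ${if pool.target != null then ''
+ <target>
+ <path>${pool.target}</path>
+ </target>
+ '' else ""}
+ </pool>
+ '';
+ in pool.preStart + ''
+ uuid="$(${pkgs.libvirt}/bin/virsh pool-uuid '${name}' || true)"
+ ${pkgs.libvirt}/bin/virsh pool-define <(sed "s/UUID/$uuid/" '${xml}')
+ ${pkgs.libvirt}/bin/virsh pool-start '${name}' || true
+ '';
+ }) config.myServices.vms.libvirt-pools;
+ }
+
+ # Define guests
+ {
+ systemd.services = lib.mapAttrs' (name: guest: lib.nameValuePair "libvirtd-guest-${name}" {
+ after = [ "libvirtd.service" "libvirtd-pool-${guest.pool}.service" "libvirtd-network-${guest.network}.service" ];
+ requires = [ "libvirtd.service" "libvirtd-pool-${guest.pool}.service" "libvirtd-network-${guest.network}.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ };
+ path = [ config.boot.zfs.package ];
+ script =
+ let
+ xml = pkgs.writeText "libvirt-guest-${name}.xml"
+ ''
+ <domain type="kvm">
+ <name>${name}</name>
+ <uuid>UUID</uuid>
+ <memory unit="GiB">${builtins.toString guest.memory}</memory>
+ <vcpu>${builtins.toString guest.cpus}</vcpu>
+ <os>
+ <type arch="x86_64">hvm</type>
+ </os>
+ <devices>
+ <emulator>/run/current-system/sw/bin/qemu-system-x86_64</emulator>
+ <disk type="volume">
+ <source pool="${guest.pool}" volume="guest-${name}" />
+ <target dev="vda" bus="virtio"/>
+ </disk>
+ ${guest.extraDevicesXML}
+ <input type="keyboard" bus="usb"/>
+ <graphics type="vnc" port="-1" autoport="yes"/>
+ <interface type="network">
+ <source network="${guest.network}" />
+ </interface>
+ </devices>
+ <features>
+ <acpi/>
+ </features>
+ </domain>
+ '';
+ in
+ guest.preStart + ''
+ if ! ${pkgs.libvirt}/bin/virsh vol-key 'guest-${name}' --pool ${guest.pool} &> /dev/null; then
+ ${pkgs.libvirt}/bin/virsh vol-create-as --pool ${guest.pool} --name 'guest-${name}' --capacity '${builtins.toString guest.diskSize}GiB'
+ volume_path=$(${pkgs.libvirt}/bin/virsh vol-path --pool ${guest.pool} --vol 'guest-${name}')
+ ${pkgs-no-overlay.qemu}/bin/qemu-img convert /etc/libvirtd/base-images/nixos.qcow2 $volume_path
+ fi
+ uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)"
+ ${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${xml}')
+ ${pkgs.libvirt}/bin/virsh start '${name}'
+ '';
+ preStop = ''
+ ${pkgs.libvirt}/bin/virsh shutdown '${name}'
+ let "timeout = $(date +%s) + 10"
+ while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do
+ if [ "$(date +%s)" -ge "$timeout" ]; then
+ # Meh, we warned it...
+ ${pkgs.libvirt}/bin/virsh destroy '${name}'
+ else
+ # The machine is still running, let's give it some time to shut down
+ sleep 0.5
+ fi
+ done
+ '' + lib.optionalString guest.destroyVolumeOnExit ''
+ if ${pkgs.libvirt}/bin/virsh vol-key 'guest-${name}' --pool ${guest.pool} &> /dev/null; then
+ ${pkgs.libvirt}/bin/virsh vol-wipe --pool ${guest.pool} --vol 'guest-${name}' || true
+ ${pkgs.libvirt}/bin/virsh vol-delete --pool ${guest.pool} --vol 'guest-${name}'
+ fi
+ '';
+ }) config.myServices.vms.libvirt-guests;
+ }
+ ];
+}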
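Review bot: The guest XML opens a VNC console with `autoport="yes"` but no `listen` attribute and no authentication, so where that console is reachable is decided by the host's qemu.conf default rather than by this module; pinning it, `<graphics type="vnc" port="-1" autoport="yes" listen="127.0.0.1"/>`, makes the exposure explicit and survives a later change to the host configuration. The `qemu-img convert` in the guest script also hard-codes `/etc/libvirtd/base-images/nixos.qcow2` while `libvirt-images` is keyed by name, so only an image called `nixos` ever seeds a new volume; an `image` option on the guest submodule would tie the two together, and `$volume_path` should be quoted. The 10-second grace period in `preStop` before `virsh destroy` is short for a guest that runs services and would be better as an option with a comment on the default.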
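--- /dev/null
+++ b/systems/dilion/vms/base_configuration.nix
@@ -0,0 +1,27 @@
+{ lib, config, environment, ... }@args:
+{
+ options.myEnv = (environment.nixosModule (args // { name = "dummy"; })).options.myEnv;
+ config = {
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid breaking some software such as
+ # database servers. You should change this only after NixOS release
+ # notes say you should.
+ # https://nixos.org/nixos/manual/release-notes.html
+ system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment?
+
+ fileSystems."/".device = "/dev/disk/by-label/nixos";
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "virtio_balloon" "virtio_blk" "virtio_pci" "virtio_ring" ];
+ boot.loader = {
+ grub = {
+ device = "/dev/vda";
+ };
+ timeout = 0;
+ };
+ services.openssh.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ users = {
+ mutableUsers = false;
+ users.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.immae_dilion ];
+ };
+ };
+}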
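Review bot: The guest's sshd is configured only by enabling it and adding root's key, so password and keyboard-interactive authentication keep their defaults; for a machine whose only intended login is that key, pinning `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` makes that explicit and is unaffected by any user a later module adds with a password. `networking.firewall.allowedTCPPorts = [ 22 ];` duplicates what `services.openssh.openFirewall` (default true) already does and can be dropped. The `mutableUsers = false;` line deserves a one-line comment that, together with the absence of any password, the root key from `myEnv.sshd.rootKeys.immae_dilion` is therefore the only way into the guest.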
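--- /dev/null
+++ b/systems/dilion/vms/base_image.nix
@@ -0,0 +1,98 @@
+configuration_file: { pkgs, myEnv, nixpkgs, environment, pkgs-no-overlay, ... }:
+let
+ config = (import (nixpkgs + "/nixos/lib/eval-config.nix") {
+ inherit (pkgs) system;
+ modules = [ {
+ _module.args.environment = environment;
+ myEnv = myEnv;
+ imports = [
+ (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+ configuration_file
+ ];
+
+ # We want our template image to be as small as possible, but the deployed image should be able to be
+ # of any size. Hence we resize on the first boot.
+ systemd.services.resize-main-fs = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "oneshot";
+ script =
+ ''
+ # Resize main partition to fill whole disk
+ echo ", +" | ${pkgs.utillinux}/bin/sfdisk /dev/vda --no-reread -N 1
+ ${pkgs.parted}/bin/partprobe
+ # Resize filesystem
+ ${pkgs.e2fsprogs}/bin/resize2fs /dev/vda1
+ '';
+ };
+ } ];
+ }).config;
+in pkgs-no-overlay.vmTools.runInLinuxVM (
+ pkgs.runCommand "nixos-base-image"
+ {
+ memSize = 768;
+ preVM =
+ ''
+ mkdir $out
+ diskImage=image.qcow2
+ ${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img create -f qcow2 $diskImage 2G
+ mv closure xchg/
+ '';
+ postVM =
+ ''
+ echo compressing VM image...
+ ${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img convert -c $diskImage -O qcow2 $out/nixos.qcow2
+ '';
+ buildInputs = [ pkgs.utillinux pkgs.perl pkgs.parted pkgs.e2fsprogs ];
+ exportReferencesGraph =
+ [ "closure" config.system.build.toplevel ];
+ }
+ ''
+ # Create the partition
+ parted /dev/vda mklabel msdos
+ parted /dev/vda -- mkpart primary ext4 1M -1s
+
+ # Format the partition
+ mkfs.ext4 -L nixos /dev/vda1
+ mkdir /mnt
+ mount /dev/vda1 /mnt
+
+ for dir in dev proc sys; do
+ mkdir /mnt/$dir
+ mount --bind /$dir /mnt/$dir
+ done
+
+ storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+ echo filling Nix store...
+ mkdir -p /mnt/nix/store
+ set -f
+ cp -prd $storePaths /mnt/nix/store
+ # The permissions will be set up incorrectly if the host machine is not running NixOS
+ chown -R 0:30000 /mnt/nix/store
+
+ mkdir -p /mnt/etc/nix
+ echo 'build-users-group = ' > /mnt/etc/nix/nix.conf
+
+ # Register the paths in the Nix database.
+ export USER=root
+ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
+ chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db
+
+ # Create the system profile to allow nixos-rebuild to work.
+ chroot /mnt ${config.nix.package.out}/bin/nix-env \
+ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+
+ # `nixos-rebuild' requires an /etc/NIXOS.
+ mkdir -p /mnt/etc/nixos
+ touch /mnt/etc/NIXOS
+
+ # `switch-to-configuration' requires a /bin/sh
+ mkdir -p /mnt/bin
+ ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
+
+ # Generate the GRUB menu.
+ chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+
+ umount /mnt/{proc,dev,sys}
+ umount /mnt
+ ''
+)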
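Review bot: `resize-main-fs` has no condition, so the `sfdisk ... -N 1` partition rewrite and `resize2fs` run on every boot of every guest, although the comment above it says the intent is a one-time resize after the template has been copied onto a larger volume; guarding the script with a stamp file, `[ -e /var/lib/resize-main-fs.done ] && exit 0` at the top and `touch /var/lib/resize-main-fs.done` at the end, limits the partition-table rewrite to the one boot that needs it. The build also writes `build-users-group = ` into /mnt/etc/nix/nix.conf so that the chroot'd `nix-store --load-db` and `nix-env --set` work without build users; whether that regular file survives into the booted guest depends on how NixOS's /etc activation treats a pre-existing file, which should be confirmed, since an empty build-users-group means builds in the guest would not be isolated behind dedicated build users. A comment stating that the file is only meant for image construction would help the next reader.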
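--- /dev/null
+++ b/systems/dilion/vms/buildbot_configuration.nix
@@ -0,0 +1,73 @@
+{ pkgs, config, lib, ... }:
+{
+ imports = [
+ ./base_configuration.nix
+ ];
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid breaking some software such as
+ # database servers. You should change this only after NixOS release
+ # notes say you should.
+ # https://nixos.org/nixos/manual/release-notes.html
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ systemd.services.buildbot-worker.serviceConfig.ExecStartPre = let
+ cfg = config.services.buildbot-worker;
+ script = pkgs.writeScript "decode-dmi" ''
+ #!${pkgs.stdenv.shell}
+
+ mkdir -vp "${cfg.buildbotDir}"
+ varfile=${cfg.buildbotDir}/variables
+ rm $varfile || true
+ echo "[DEFAULT]" > $varfile
+ strings=$(${pkgs.dmidecode}/bin/dmidecode --oem-string count)
+ for i in $(seq 1 $strings); do
+ ${pkgs.dmidecode}/bin/dmidecode --oem-string $i >> $varfile
+ done
+ chown -R ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
+ '';
+ in
+ lib.mkForce ["+${script}"];
+ systemd.services.buildbot-worker.serviceConfig.ExecStart = let
+ cfg = config.services.buildbot-worker;
+ tacFile = pkgs.writeText "buildbot-worker.tac" ''
+ import os
+ from io import open
+
+ from buildbot_worker.bot import Worker
+ from twisted.application import service
+
+ basedir = '${cfg.buildbotDir}'
+
+ # note: this line is matched against to check that this is a worker
+ # directory; do not edit it.
+ application = service.Application('buildbot-worker')
+
+ import configparser
+ config = config = configparser.ConfigParser()
+ config.read("${cfg.buildbotDir}/variables")
+ master_url_split = config["DEFAULT"]["buildbot_master_url"].split(':')
+ buildmaster_host = master_url_split[0]
+ port = int(master_url_split[1])
+ workername = config["DEFAULT"]["buildbot_worker_name"]
+
+ with open('${cfg.workerPassFile}', 'r', encoding='utf-8') as passwd_file:
+ passwd = passwd_file.read().strip('\r\n')
+ keepalive = ${toString cfg.keepalive}
+ umask = None
+ maxdelay = 300
+ numcpus = None
+ allow_shutdown = None
+
+ s = Worker(buildmaster_host, port, workername, passwd, basedir,
+ keepalive, umask=umask, maxdelay=maxdelay,
+ numcpus=numcpus, allow_shutdown=allow_shutdown)
+ s.setServiceParent(application)
+ '';
+ in
+ lib.mkForce "${cfg.package.pythonModule.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${tacFile}";
+ services.buildbot-worker = {
+ enable = true;
+ workerPass = config.myEnv.buildbot.workerPassword;
+ packages = [ pkgs.git pkgs.gzip pkgs.openssh ];
+ };
+}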
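Review bot: The `ExecStartPre` script runs as root (the `+` prefix) and ends with `chown -R ${cfg.user}:${cfg.group} ${cfg.buildbotDir}` over the whole worker directory on every start, although the only file it creates is `variables`; restricting it to `chown ${cfg.user}:${cfg.group} "$varfile"` keeps root's ownership changes to what this script wrote and stops it from re-owning whatever the worker itself placed under that directory. The same script uses `rm $varfile || true` with unquoted paths, where `rm -f "$varfile"` is the idiom. In the generated .tac file `config = config = configparser.ConfigParser()` is a doubled assignment, and the fact that the master host, port and worker name come from host-provided DMI OEM strings deserves a comment above the `dmidecode` loop, since nothing in the guest validates them beyond the `int()` on the port.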