path: root/modules/private/system/eldiron.nix
{ privateFiles }:
{ config, pkgs, lib, ... }:
let
  # Private, out-of-repository environment (credentials, IPs, backup profiles).
  # Nothing in this file inlines those values; they are only referenced.
  env = config.myEnv;
  hostIps = config.hostEnv.ips;
  backupProfile = env.rsync_backup.profiles.dilion;
in
{
  # Host "eldiron": a Hetzner-deployed NixOS machine (see `deployment` below)
  # running the bulk of the self-hosted services enabled under `myServices`.
  imports = builtins.attrValues (import ../..);

  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };

  boot = {
    supportedFilesystems = [ "zfs" ];
    # Cap the ZFS ARC at 6 GiB (6 * 1024^3 bytes) so the cache cannot crowd out services.
    kernelParams = [ "zfs.zfs_arc_max=6442450944" ];
    kernelPackages = pkgs.linuxPackages_latest;

    # NOTE(review): `boot.initrd.secrets` embeds this file into the initrd, and
    # /boot is an unencrypted ext4 partition (see `fileSystems` below), so the
    # key sits on disk in cleartext and anyone who can read the disk gets it.
    # Its exact role (presumably unlocking zpool/root) is not visible here —
    # confirm, and consider a remote-unlock scheme if the threat model includes
    # physical/hoster access to the drives.
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };

    kernel.sysctl = {
      # Workaround from the 2019 "SACK Panic" advisory:
      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
      # The kernel fix shipped in mid-2019 and this host tracks
      # linuxPackages_latest, so leaving SACK off mostly costs TCP throughput on
      # lossy paths now; keep it only if that trade-off is still wanted.
      "net.ipv4.tcp_sack" = 0;
    };
  };

  # Root lives on ZFS; `mkForce` overrides whatever the NixOps Hetzner target
  # derives from the `partitions` layout below.
  fileSystems = {
    "/"     = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc"  = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix"  = { fsType = "zfs"; device = "zpool/root/nix"; };
    "/tmp"  = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var"  = { fsType = "zfs"; device = "zpool/root/var"; };

    # Expose the FTP devtools tree to the `pub` service through a bindfs view:
    # every file appears owned by `pub`, while anything created through the
    # mount is written as wwwrun:wwwrun on the underlying FTP directory.
    # The bindfs binary must be in systemPackages for the device path to exist.
    "/var/lib/pub/immae/devtools" = {
      device = "/run/current-system/sw/bin/bindfs#/var/lib/ftp/devtools.immae.eu/";
      fsType = "fuse";
      options = [ "force-user=pub" "create-for-user=wwwrun" "create-for-group=wwwrun" ];
    };
  };

  networking = {
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    # Default-deny inbound; the per-service modules are expected to open only
    # the ports they need (not visible in this file).
    firewall.enable = true;
    # 176.9.151.89 declared in nixops -> infra / tools
    interfaces."eth0" = {
      # Every secondary IPv4 is a /32 on eth0; "main" is handled by NixOps.
      ipv4.addresses =
        lib.mapAttrsToList (_: entry: { address = entry.ip4; prefixLength = 32; })
          (lib.filterAttrs (name: _: name != "main") hostIps);
      # The first IPv6 of the "main" entry is the on-link /64; all others are /128.
      ipv6.addresses =
        lib.concatLists (lib.mapAttrsToList
          (name: entry:
            map
              (addr: {
                address = addr;
                prefixLength =
                  if name == "main" && addr == lib.head entry.ip6 then 64 else 128;
              })
              (entry.ip6 or []))
          hostIps);
    };
  };

  # Services provided by the local `myServices` modules; each is simply enabled.
  myServices = lib.genAttrs [
    "buildbot"
    "databases"
    "gitolite"
    "monitoring"
    "irc"
    "pub"
    "tasks"
    "mpd"
    "dns"
    "certificates"
    "websites"
    "mail"
    "ejabberd"
    "vpn"
  ] (_: { enable = true; });

  services = {
    zfs = {
      autoSnapshot.enable = true;
      autoScrub.enable = true;
    };

    # NOTE(review): FTP is a cleartext protocol unless the pure-ftpd module
    # enforces TLS; that configuration is not in this file — confirm it.
    pure-ftpd.enable = true;

    duplyBackup = {
      enable = true;
      profiles.oldies.rootDir = "/var/lib/oldies";
    };

    cron = {
      enable = true;
      mailto = "cron@immae.eu";
      # Job 1 pushes /var/lib to the dilion backup host four times a day as
      # root, using the identity deployed by `secrets.keys` and the pinned host
      # key from `programs.ssh.knownHosts`.  `--rsync-path="sudo rsync"` means
      # the `backup` account on dilion can run rsync as root — that sudo rule
      # (on the remote, not visible here) should be restricted to exactly this
      # command.  The remaining jobs only mail postfix rejection/bounce reports.
      systemCronJobs = [
        ''
          # The star after /var/lib/* avoids deleting all folders in case of problem
          0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null
          0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
          # Need a way to blacklist properly
          # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
          0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
        ''
      ];
    };
  };

  # Backup SSH identity, root-only (0400).  NOTE(review): the on-disk location
  # of `dest` (the cron job above reads /var/secrets/rsync_backup/identity) and
  # whether `text` stays out of the world-readable Nix store are both decided
  # by the `secrets` module, which is not part of this file.
  secrets.keys = [
    {
      dest = "rsync_backup/identity";
      user = "root";
      group = "root";
      permissions = "0400";
      text = env.rsync_backup.ssh_key.private;
    }
  ];

  # Pin the backup target's host key so the root rsync never relies on
  # trust-on-first-use and cannot be redirected to an impersonating host.
  programs.ssh.knownHosts.dilion = {
    hostNames = [ "dilion.immae.eu" ];
    publicKey = "${backupProfile.host_key_type} ${backupProfile.host_key}";
  };

  deployment = {
    targetEnv = "hetzner";
    hetzner = {
      # Hetzner Robot credentials come from the private environment and are
      # evaluated by NixOps on the deploying machine.  NOTE(review): check where
      # NixOps persists them (its state file) and protect that file accordingly.
      robotUser = env.hetzner.user;
      robotPass = env.hetzner.pass;
      mainIPv4 = hostIps.main.ip4;
      # Kickstart-style layout for the NixOps Hetzner installer: swap on each
      # disk plus an mdadm RAID1 ext4 root.  The live system instead boots from
      # ZFS (`fileSystems."/"` is mkForce'd above), so this presumably only
      # describes the initial install.
      partitions = ''
        clearpart --all --initlabel --drives=sda,sdb

        part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
        part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

        part raid.1 --grow --ondisk=sda
        part raid.2 --grow --ondisk=sdb

        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
      '';
    };
  };

  # bindfs backs the FUSE mount above; pv and smartmontools are admin tools.
  environment.systemPackages = with pkgs; [ bindfs pv smartmontools ];

  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}