C3D2
/
nix-config
Watch 14
Star 4
Fork 2
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
configurations of hq services
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
383 Commits
5 Branches
Tree: 7ce33808f2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7ce33808f2'
${ noResults }
nix-config/hosts/server7/default.nix

default.nix 5.5KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213 
  1. { config, pkgs, lib, ... }:

  2. 

  3. let yggaddr = import ../../lib/server7-yggaddr.nix;

  4. in {

  5.   imports = [

  6.     ../../lib

  7.     ../../lib/default-gateway.nix

  8.     ./borgbackup.nix

  9.     ./containers

  10.     ./hardware-configuration.nix

  11.     ./hydra.nix

  12.     ./nix-serve.nix

  13.   ];

  14. 

  15.   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  16. 

  17.   security.acme = {

  18.     email = "mail@c3d2.de";

  19.     acceptTerms = true;

  20.   };

  21. 

  22.   c3d2 = {

  23.     users = {

  24.       emery = true;

  25.       windsleep = true;

  26.     };

  27.     isInHq = true;

  28.     mapHqHosts = true;

  29.     hq = {

  30.       interface = "br0";

  31.       statistics.enable = true;

  32.     };

  33.   };

  34. 

  35.   fileSystems."/srv/ceph" = {

  36.     #device = "172.22.99.13:6789:/";

  37.     device = "172.20.72.53:6789:/";

  38.     fsType = "ceph";

  39.     options = [

  40.       "name=storage2"

  41.       "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="

  42.       "noatime,_netdev"

  43.       "noauto"

  44.       "x-systemd.automount"

  45.       "x-systemd.device-timeout=175"

  46.       "users"

  47.     ];

  48.   };

  49. 

  50.   fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };

  51. 

  52.   # Route IPv6

  53.   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  54.   # Obtain global IPv6 despite being a router myself

  55.   boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;

  56. 

  57.   services.yggdrasil = {

  58.     enable = true;

  59.     configFile = "/var/lib/yggdrasil/keys";

  60.     config = {

  61.       Peers = [

  62. 

  63.         # Deutschland

  64.         "tcp://45.11.19.26:5001"

  65.         "tcp://82.165.69.111:61216"

  66.         "tcp://[2001:8d8:1800:8224::1]:61216"

  67. 

  68.         # Czechia

  69.         "tcp://195.123.245.146:7743"

  70.         "tcp://37.205.14.171:46370"

  71.         "tcp://[2a03:3b40:fe:ab::1]:46370"

  72.         "tcp://[2a05:9403::8b]:7743"

  73. 

  74.         # Poland

  75.         "tcp://176.223.130.120:22632"

  76.         "tcp://51.75.44.73:50001"

  77.         "tcp://54.37.137.221:37145"

  78.         "tcp://[2001:41d0:601:1100::cf2]:37145"

  79.         "tcp://n2o.ddns.net:22632"

  80.         "tls://54.37.137.221:14987"

  81.         "tls://[2001:41d0:601:1100::cf2]:14987"

  82. 

  83.       ];

  84.       NodeInfo = {

  85.         location = "Dresden";

  86.         name = "server7.y.c3d2.de";

  87.         admin =

  88.           "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";

  89.       };

  90.     };

  91.   };

  92. 

  93.   security.sudo.wheelNeedsPassword = false;

  94.   services.openssh = {

  95.     enable = true;

  96.     passwordAuthentication = false;

  97.     # DO NOT CHANGE, KINDERGARTEN IS OVER

  98.   };

  99. 

  100.   programs.mosh.enable = true;

  101. 

  102.   nix = {

  103.     package = pkgs.nixFlakes;

  104.     gc.automatic = true;

  105.     optimise.automatic = true;

  106.     extraOptions = ''

  107.       experimental-features = nix-command flakes ca-references

  108.       post-build-hook = ${

  109.         pkgs.writeScript "post-build-sign-paths" ''

  110.           #!${pkgs.runtimeShell}

  111.           nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS

  112.         ''

  113.       }

  114.     '';

  115.   };

  116.   nixpkgs.overlays = [

  117.     (self: super: {

  118.       nix = super.nix // { meta.platforms = lib.platforms.linux; };

  119.     })

  120.   ];

  121. 

  122.   virtualisation.docker.enable = true;

  123. 

  124.   docker-containers.ceph-osd-7 = {

  125.     cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ];

  126.     environment = { OSD_DEVICE = "/dev/sdb"; };

  127.     image = "ceph/ceph:v14.2.9";

  128.     log-driver = "journald";

  129.     extraDockerOptions =

  130.       [ "--rm" "--net=host" "--ipc=host" "--privileged=true" ];

  131.     volumes =

  132.       [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ];

  133.   };

  134.   systemd.services.docker-ceph-osd-7.serviceConfig = {

  135.     ExecStartPre = [

  136.       "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all"

  137.     ];

  138.   };

  139. 

  140.   networking = {

  141.     firewall.enable = false;

  142.     firewall.trustedInterfaces = [ "br0" ];

  143.     hostName = "server7";

  144.     hostId = "454fe12c";

  145.     useDHCP = false;

  146.     bridges.br0.interfaces = [ "enp2s0f0" ];

  147.     interfaces = {

  148.       br0 = {

  149.         useDHCP = true;

  150.         tempAddress = "disabled";

  151.         ipv4.addresses = [{

  152.           address = "172.22.99.245";

  153.           prefixLength = 24;

  154.         }];

  155.         ipv6.addresses = [{

  156.           address = yggaddr.prefix64 + "::1";

  157.           prefixLength = 64;

  158.         }];

  159.       };

  160.       enp2s0f1.useDHCP = false;

  161.     };

  162.   };

  163. 

  164.   boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;

  165.   boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;

  166.   boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  167. 

  168.   environment.systemPackages = with pkgs; [

  169.     tmux

  170.     htop

  171.     vim

  172.     gitMinimal

  173.     nixfmt

  174.     zfsStable

  175.   ];

  176. 

  177.   services.collectd.extraConfig = ''

  178.     LoadPlugin memory

  179.     LoadPlugin processes

  180.     LoadPlugin disk

  181.     LoadPlugin df

  182.     LoadPlugin cpu

  183.     LoadPlugin entropy

  184.     LoadPlugin load

  185.     LoadPlugin swap

  186.     LoadPlugin cgroups

  187.     LoadPlugin vmem

  188.     LoadPlugin interface

  189.   '';

  190. 

  191.   boot.tmpOnTmpfs = true;

  192. 

  193.   # Use the systemd-boot EFI boot loader.

  194.   boot.loader = {

  195.     systemd-boot.enable = true;

  196.     efi.canTouchEfiVariables = true;

  197.   };

  198. 

  199.   time.timeZone = "Europe/Berlin";

  200. 

  201.   system.stateVersion = "19.09"; # Did you read the comment?

  202. 

  203.   users.extraUsers.hydra.openssh.authorizedKeys.keys = [

  204.     # allow the old hydra to build here

  205.     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"

  206.   ];

  207. 

  208.   services.dhcpd4 = {

  209.     enable = false;

  210.     interfaces = [ "br0" ];

  211.     extraConfig = "not authoritative;";

  212.   };

  213. }