configurations of hq services


# NixOS host configuration for server7 (c3d2 HQ): bridge br0 on the HQ network,
# IPv6 router plus Yggdrasil node, one Ceph OSD running in Docker, a Ceph client
# mount, and a build/cache host for hydra and nix-serve (see the imports below).
{ config, pkgs, lib, ... }:
let
  # Provides yggaddr.prefix64, used below for the static IPv6 address on br0.
  yggaddr = import ../../lib/server7-yggaddr.nix;
in {
  imports = [
    ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  # Let this host run (and therefore build for) aarch64-linux via binfmt emulation.
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  security.acme = {
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  # Site-specific options defined in ../../lib (c3d2.*). What isInHq,
  # mapHqHosts and hq.* do exactly is implemented there, not visible here.
  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  # Ceph client mount of the HQ cluster, automounted on first access.
  fileSystems."/srv/ceph" = {
    #device = "172.22.99.13:6789:/";
    device = "172.20.72.53:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      # NOTE(review): the cephx key is inlined here, so it is in the git history
      # and in the world-readable generated /etc/fstab and Nix store on this
      # host. mount.ceph also accepts `secretfile=<path>`; a root-only file
      # outside the store would avoid that — TODO confirm a deployment path for
      # such a file before switching.
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      # "users" lets any local user mount/unmount this filesystem — presumably
      # for the c3d2 users above; verify it is still wanted.
      "users"
    ];
  };
  # The OSD data directory is volatile; `ceph-volume lvm activate --all` in the
  # ExecStartPre below is what repopulates it on every start.
  fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };

  # Route IPv6
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  # Obtain global IPv6 despite being a router myself
  # (accept_ra=2 honours router advertisements even with forwarding enabled)
  boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;

  # Yggdrasil mesh node; the node keys live outside the Nix store.
  services.yggdrasil = {
    enable = true;
    configFile = "/var/lib/yggdrasil/keys";
    config = {
      Peers = [
        # Germany
        "tcp://45.11.19.26:5001"
        "tcp://82.165.69.111:61216"
        "tcp://[2001:8d8:1800:8224::1]:61216"
        # Czechia
        "tcp://195.123.245.146:7743"
        "tcp://37.205.14.171:46370"
        "tcp://[2a03:3b40:fe:ab::1]:46370"
        "tcp://[2a05:9403::8b]:7743"
        # Poland
        "tcp://176.223.130.120:22632"
        "tcp://51.75.44.73:50001"
        "tcp://54.37.137.221:37145"
        "tcp://[2001:41d0:601:1100::cf2]:37145"
        "tcp://n2o.ddns.net:22632"
        "tls://54.37.137.221:14987"
        "tls://[2001:41d0:601:1100::cf2]:14987"
      ];
      # Public node metadata announced to peers.
      NodeInfo = {
        location = "Dresden";
        name = "server7.y.c3d2.de";
        admin =
          "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
      };
    };
  };

  # NOTE(review): wheel members become root without a password; with password
  # SSH logins disabled below, root access on this host hinges entirely on the
  # SSH keys authorised for the wheel users (presumably set up via c3d2.users).
  security.sudo.wheelNeedsPassword = false;
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    # DO NOT CHANGE, KINDERGARTEN IS OVER
  };
  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    # Every locally built path is signed with the nix-serve key (kept outside
    # the store at /var/lib/nix-serve.key) so the cache served from this host
    # carries trusted signatures.
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${
        pkgs.writeScript "post-build-sign-paths" ''
          #!${pkgs.runtimeShell}
          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
        ''
      }
    '';
  };

  # Widen nix's meta.platforms to all of Linux — presumably so it evaluates for
  # the emulated aarch64-linux system as well; confirm.
  nixpkgs.overlays = [
    (self: super: {
      nix = super.nix // { meta.platforms = lib.platforms.linux; };
    })
  ];

  virtualisation.docker.enable = true;
  # Ceph OSD 7 as a Docker container. It runs privileged with host network,
  # host IPC and all of /dev mounted, i.e. effectively as host root — presumably
  # needed for raw access to OSD_DEVICE. Anything that escapes this container
  # owns the host, so treat the image tag as security-relevant.
  docker-containers.ceph-osd-7 = {
    cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ];
    environment = { OSD_DEVICE = "/dev/sdb"; };
    image = "ceph/ceph:v14.2.9";
    log-driver = "journald";
    extraDockerOptions =
      [ "--rm" "--net=host" "--ipc=host" "--privileged=true" ];
    volumes =
      [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ];
  };
  # Before the OSD starts, activate its LVM volume so the tmpfs OSD directory
  # above gets populated. The leading "-" makes systemd ignore a failure of
  # this command. NOTE(review): `-it` asks Docker for a TTY, which a service
  # unit does not have — confirm the activation actually succeeds rather than
  # being silently skipped thanks to the "-".
  systemd.services.docker-ceph-osd-7.serviceConfig = {
    ExecStartPre = [
      "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all"
    ];
  };

  networking = {
    # NOTE(review): the firewall is off entirely, so trustedInterfaces below
    # has no effect and every listening service (ssh, plus whatever the imported
    # hydra/nix-serve/ceph modules open) is reachable on all interfaces —
    # presumably deliberate for a router on the HQ network; confirm.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    # HQ connectivity goes through bridge br0 over enp2s0f0.
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        useDHCP = true;
        # No IPv6 privacy (temporary) addresses on a server with a fixed address.
        tempAddress = "disabled";
        ipv4.addresses = [{
          address = "172.22.99.245";
          prefixLength = 24;
        }];
        # Static address ::1 inside this host's Yggdrasil-derived /64.
        ipv6.addresses = [{
          address = yggaddr.prefix64 + "::1";
          prefixLength = 64;
        }];
      };
      enp2s0f1.useDHCP = false;
    };
  };

  # Bridged frames bypass the host's arptables/iptables/ip6tables.
  boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  # collectd plugins; presumably the source for the statistics enabled under
  # c3d2.hq above.
  services.collectd.extraConfig = ''
    LoadPlugin memory
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  boot.tmpOnTmpfs = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "19.09"; # Did you read the comment?

  # Lets root on the previous hydra host log in as the local hydra user and use
  # this machine as a builder.
  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # allow the old hydra to build here
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];

  # DHCPv4 server on br0 — currently disabled; interfaces/extraConfig only
  # matter once enable is flipped.
  services.dhcpd4 = {
    enable = false;
    interfaces = [ "br0" ];
    extraConfig = "not authoritative;";
  };
}