
# NixOS host configuration for server7: a C3D2 HQ machine that acts as an
# IPv6 router on br0, a Yggdrasil node, a CephFS client and Ceph OSD host
# (via Docker), a Hydra build target and a Nix binary-cache signer.
# Everything written here (string literals included) is copied into the
# world-readable Nix store and into generated files such as /etc/fstab, so
# nothing in this file can be considered private.
{ config, pkgs, lib, ... }:
let
  # Per-host address data; only `prefix64` is used below (br0's IPv6 address).
  yggaddr = import ../../lib/server7-yggaddr.nix;
in {
  imports = [
    ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  # Run aarch64 binaries through binfmt emulation — presumably so Hydra jobs
  # for that system can be built on this x86 host; verify against hydra.nix.
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  security.acme = {
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  # Options of the site-local `c3d2` module (imported from ../../lib); their
  # exact semantics are defined there, not in this file.
  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  # CephFS mount of the shared storage cluster.  It is mounted on demand by a
  # systemd automount (noauto + x-systemd.automount) and may be mounted by
  # unprivileged users ("users").
  fileSystems."/srv/ceph" = {
    #device = "172.22.99.13:6789:/";
    device = "172.20.72.53:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      # SECURITY: this is the live CephX key of client "storage2", committed to
      # the repository and copied into the world-readable Nix store and
      # /etc/fstab.  mount.ceph also accepts `secretfile=<path>`, which reads
      # the key from a root-only file outside the store (the same pattern the
      # yggdrasil keys below already use); once that is in place the key
      # committed here should be treated as exposed and rotated on the cluster.
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      "users"
    ];
  };
  # OSD 7's state directory lives on tmpfs, so it does not survive a reboot;
  # presumably the `ceph-volume lvm activate` pre-start of the OSD container
  # below recreates what the OSD needs there — confirm against the cluster docs.
  fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };

  # Route IPv6
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  # Obtain global IPv6 despite being a router myself
  # (accept_ra=2 keeps accepting router advertisements although forwarding
  # is enabled, which would normally disable them).
  boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;

  # Yggdrasil overlay node.  Its private key is read at runtime from
  # /var/lib/yggdrasil/keys, outside the Nix store — the right place for
  # secrets on this host.
  services.yggdrasil = {
    enable = true;
    configFile = "/var/lib/yggdrasil/keys";
    config = {
      # Public peers, grouped by country.
      Peers = [
        # Germany
        "tcp://45.11.19.26:5001"
        "tcp://82.165.69.111:61216"
        "tcp://[2001:8d8:1800:8224::1]:61216"
        # Czechia
        "tcp://195.123.245.146:7743"
        "tcp://37.205.14.171:46370"
        "tcp://[2a03:3b40:fe:ab::1]:46370"
        "tcp://[2a05:9403::8b]:7743"
        # Poland
        "tcp://176.223.130.120:22632"
        "tcp://51.75.44.73:50001"
        "tcp://54.37.137.221:37145"
        "tcp://[2001:41d0:601:1100::cf2]:37145"
        "tcp://n2o.ddns.net:22632"
        "tls://54.37.137.221:14987"
        "tls://[2001:41d0:601:1100::cf2]:14987"
      ];
      # Node metadata published to other Yggdrasil nodes; nothing here is
      # secret, and nothing secret should be added.
      NodeInfo = {
        location = "Dresden";
        name = "server7.y.c3d2.de";
        admin =
          "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
      };
    };
  };

  # SECURITY: members of `wheel` become root through sudo without re-entering
  # a password, so possession of any wheel user's SSH private key is
  # equivalent to root on this host.
  security.sudo.wheelNeedsPassword = false;
  services.openssh = {
    enable = true;
    # Key-based authentication only; no passwords over SSH.
    passwordAuthentication = false;
    # DO NOT CHANGE, KINDERGARTEN IS OVER
  };
  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    # Every store path built on this host is signed by the post-build hook
    # with the nix-serve key, presumably so the binary cache from
    # ./nix-serve.nix can vouch for it.  That means anything that can trigger
    # a build here (Hydra jobs included) yields signed paths; the key file
    # must stay readable by root only, and the hook is silently skipped for
    # paths that are substituted rather than built.
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${
        pkgs.writeScript "post-build-sign-paths" ''
          #!${pkgs.runtimeShell}
          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
        ''
      }
    '';
  };

  nixpkgs.overlays = [
    (self: super: {
      # `//` is a shallow merge: this replaces nix's whole `meta` attribute
      # with `{ platforms = ...; }`, not only `meta.platforms`.
      nix = super.nix // { meta.platforms = lib.platforms.linux; };
    })
  ];

  virtualisation.docker.enable = true;
  # Ceph OSD 7 runs as a Docker container.  SECURITY: it is fully privileged
  # (--privileged, host network and IPC namespaces, all of /dev bind-mounted),
  # i.e. a process inside it is effectively root on the host.  Raw block
  # device access for ceph-osd needs most of this, but it makes the image a
  # trusted component; it is pinned by tag, not by digest, so what gets
  # pulled under "v14.2.9" can change.
  docker-containers.ceph-osd-7 = {
    cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ];
    environment = { OSD_DEVICE = "/dev/sdb"; };
    image = "ceph/ceph:v14.2.9";
    log-driver = "journald";
    extraDockerOptions =
      [ "--rm" "--net=host" "--ipc=host" "--privileged=true" ];
    volumes =
      [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ];
  };
  systemd.services.docker-ceph-osd-7.serviceConfig = {
    # Activates the OSD's LVM volumes before the container starts.  The
    # leading "-" makes systemd ignore a non-zero exit, and `-it` asks for a
    # TTY that a unit does not have, so a failure here (including docker
    # refusing the TTY request) is silent and only shows up when the OSD
    # itself fails to start.
    ExecStartPre = [
      "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all"
    ];
  };

  networking = {
    # SECURITY: the host firewall is disabled, so `trustedInterfaces` has no
    # effect and every listening service (sshd, mosh, whatever the imported
    # modules start, and the OSD container on the host network) is reachable
    # from every interface — presumably including the Yggdrasil overlay — and
    # IPv6 forwarded through this host (see the sysctl above) is unfiltered.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    # enp2s0f0 is enslaved to br0; addresses are configured on the bridge.
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        # DHCP in addition to the static addresses below.
        useDHCP = true;
        # No privacy (temporary) IPv6 addresses — presumably so the router is
        # always reachable at its stable address.
        tempAddress = "disabled";
        ipv4.addresses = [{
          address = "172.22.99.245";
          prefixLength = 24;
        }];
        ipv6.addresses = [{
          # ::1 of this host's /64 from ../../lib/server7-yggaddr.nix.
          address = yggaddr.prefix64 + "::1";
          prefixLength = 64;
        }];
      };
      enp2s0f1.useDHCP = false;
    };
  };
  # Frames switched across br0 bypass arptables/iptables/ip6tables entirely;
  # together with the disabled firewall above, nothing on this host filters
  # bridged traffic.
  boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  # Operator tooling installed system-wide.
  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  # collectd plugin set; the daemon itself is enabled elsewhere (likely via
  # c3d2.hq.statistics.enable above — confirm in ../../lib).
  services.collectd.extraConfig = ''
    LoadPlugin memory
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  # /tmp on RAM, emptied at every boot.
  boot.tmpOnTmpfs = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "19.09"; # Did you read the comment?

  # SECURITY: this key gets an unrestricted login as user `hydra`.  Public
  # keys are fine to commit; what is worth limiting is what the key may do —
  # a remote builder only needs `nix-store --serve`, so a `command="…"`
  # together with `restrict` on the key line would confine it to that.
  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # allow the old hydra to build here
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];

  # DHCPv4 server on br0, kept configured but disabled; if ever enabled it
  # would answer non-authoritatively.
  services.dhcpd4 = {
    enable = false;
    interfaces = [ "br0" ];
    extraConfig = "not authoritative;";
  };
}