From 9ae97dffb75abbf508162902c0a200824823a88e Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 17 Nov 2022 15:07:56 +0000 Subject: [PATCH 001/247] add trusted nextcould ip --- hosts/leoncloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index b0b6e3dc..98736a18 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -102,7 +102,7 @@ services.nextcloud = { dbname = "nextcloud"; adminpassFile = "/etc/nixos/next-cloud/pass"; adminuser = "root"; - extraTrustedDomains = [ "45.158.40.162" "172.20.79.254" "10.10.11.4" "10.10.11.1" ]; + extraTrustedDomains = ["45.158.40.165" "172.20.79.254" "10.10.11.4" "10.10.11.1" ]; }; }; From b6eb71333dc667d91e395a6c494c6f298f93b51c Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 17 Nov 2022 16:17:00 +0000 Subject: [PATCH 002/247] remove routing kernel --- hosts/leoncloud/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 98736a18..50d753fc 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -56,8 +56,6 @@ # enable IP routing - boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; - boot.kernel.sysctl."net.ipv4.conf.default.forwarding" = 1; networking.firewall = { allowedTCPPorts = [ 80 443 22 53 14000 14500 15000 ]; From 330aea7caeae57b7ca0002e38816216dc31a9782 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 17 Nov 2022 17:47:47 +0100 Subject: [PATCH 003/247] modules/cluster/deployment: fix path to glusterfs --- modules/cluster/deployment.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 2845d234..88de08f1 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix 
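Review bot: The new `extraTrustedDomains` line replaces 45.158.40.162 with 45.158.40.165 rather than adding an entry, although the subject says "add"; if the old address still routes to this instance, Nextcloud will now answer it with the "untrusted domain" page, and patch 012 later in this series proxies to 45.158.40.162, which suggests that address is still live. If both are meant to be accepted, keep both: `extraTrustedDomains = [ "45.158.40.162" "45.158.40.165" "172.20.79.254" "10.10.11.4" "10.10.11.1" ];`. trusted_domains is the Host-header allowlist Nextcloud uses when generating links, so it should contain only addresses this VM is actually reachable on, and a comment such as `# Host values Nextcloud accepts; each must terminate on this VM (public v4 + internal peers, presumably)` would let the next person prune it safely. The enclosing `services.nextcloud` set starts before the hunk.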
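Review bot: The `# enable IP routing` comment survives the removal of the two forwarding sysctls, so it now sits directly above `networking.firewall` and describes something the configuration no longer does. Either delete it or make it state the new intent, e.g. `# IP forwarding deliberately left off: this VM only serves Nextcloud and is not a router`. Leaving forwarding off is the safer default for a single-service host, which is exactly why the comment should not imply the opposite. The enclosing attribute set continues outside the hunk.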
@@ -50,11 +50,11 @@ in tag = builtins.replaceStrings [ "/" ] [ "-" ] ( withoutLeadingSlash mountPoint ); - source = "/storage/glusterfs/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; + source = "/glusterfs/fast/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; inherit mountPoint; }) config.deployment.persistedShares; # volumes = [ { - # image = "/storage/glusterfs/microvms/${user}/${repo}/${vmName}/overlay.img"; + # image = "/glusterfs/fast/microvms/${user}/${repo}/${vmName}/overlay.img"; # mountPoint = "/"; # size = 8 * 1024; # } ]; From d22d137f0431b751e17158907c5265c808a9cd85 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 17 Nov 2022 17:53:26 +0100 Subject: [PATCH 004/247] gnunet: skyflakify --- flake.nix | 2 +- hosts/gnunet/default.nix | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index 41097be5..070db61d 100644 --- a/flake.nix +++ b/flake.nix @@ -948,7 +948,7 @@ gnunet = nixosSystem' { modules = [ - self.nixosModules.microvm + self.nixosModules.cluster-options ./hosts/gnunet ]; nixpkgs = nixos-unstable; diff --git a/hosts/gnunet/default.nix b/hosts/gnunet/default.nix index a1b50b92..f3c224b6 100644 --- a/hosts/gnunet/default.nix +++ b/hosts/gnunet/default.nix @@ -2,11 +2,11 @@ system.stateVersion = "22.05"; c3d2.hq.statistics.enable = true; - c3d2.deployment = { - server = "server10"; - mounts = [ "etc" "var" ]; + deployment = { + # needs to keep just its ssh key for sops-nix + persistedShares = [ "/etc" "/var" ]; + mem = 1024; }; - microvm.mem = 1024; networking = { hostName = "gnunet"; From 4a0e9d5cfaaa73ca036590788f92fffb67981c7a Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 18 Nov 2022 20:23:20 +0100 Subject: [PATCH 005/247] radiobert: set strict CPUAffinity for services --- hosts/radiobert/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix index 7112a66f..973e2daf 100644 
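Review bot: The `source` path is interpolated from `${user}/${repo}/${vmName}` and the mount point with no visible normalization, and this hunk only moves its root to /glusterfs/fast; the `tag` is sanitized with `replaceStrings`, but the path is not, so if any of those components can be chosen by a deploying user a value containing `..` or `/` would place the share outside the microvms tree. If their definitions (outside this hunk) do not already restrict them, an assertion such as `assert lib.all (s: !(lib.hasInfix "/" s || lib.hasInfix ".." s)) [ user repo vmName ];` (if `lib` is in scope here) would close that. Note also that data persisted under the old /storage/glusterfs root is not moved by this change, so a VM whose persisted /etc lived there will come up with an empty share unless the directories are migrated first. The enclosing expression starts and ends outside the hunk.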
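Review bot: The comment `# needs to keep just its ssh key for sops-nix` sits above a list that persists all of /etc and /var, so the comment and the option disagree about scope. If keeping the whole of /etc is intentional because the host key under /etc/ssh is the sops-nix decryption identity, say that: `# /etc persisted so the SSH host key (sops-nix identity) survives redeploys; /var for service state`. Persisting /etc onto the shared gluster volume also means that private key is readable by anyone with access to the volume's microvms tree, which is worth stating beside the option if it is accepted. Dropping `server = "server10"` leaves placement to the cluster, so the persisted shares must presumably be reachable from every node the VM may land on.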
--- a/hosts/radiobert/default.nix +++ b/hosts/radiobert/default.nix @@ -131,5 +131,14 @@ ''; }; + systemd.extraConfig = '' + # Keep cores 2-3 exclusive for SDR processing + CPUAffinity=0-1 + ''; + systemd.services = { + soapysdr-server.serviceConfig.CPUAffinity = "2-2"; + readsdb.serviceConfig.CPUAffinity = "3-3"; + }; + system.stateVersion = "21.05"; # Did you read the comment? } From 6a5395b0404556cfbb4d4d981f388e6e18a32c7c Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 18 Nov 2022 21:09:28 +0100 Subject: [PATCH 006/247] radiobert: try to make it bootable again actually try this on a day with nice weather --- hosts/radiobert/default.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix index 973e2daf..69085379 100644 --- a/hosts/radiobert/default.nix +++ b/hosts/radiobert/default.nix @@ -26,14 +26,13 @@ boot = { loader = { + # generates entry for u-boot + generic-extlinux-compatible.enable = true; grub.enable = false; raspberryPi = { - enable = true; + # don't use rpi bootloader shit + enable = false; version = 4; - # TODO: this machine actually has u-boot setup but that's no - # longer working with nixos-22.05. DO NOT REBOOT! :-) - # https://github.com/NixOS/nixpkgs/pull/112677 - # uboot.enable = true; firmwareConfig = '' gpu_mem=192 dtparam=audio=on From b32e553abba426daf89b20b63b43b671a4327407 Mon Sep 17 00:00:00 2001 
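Review bot: The comment in `systemd.extraConfig` says cores 2-3 are kept exclusive for SDR, but a manager-level `CPUAffinity=0-1` only restricts units that inherit the default; kernel threads, processes started outside systemd and units with their own affinity still run on 2-3, so "reserved by default" is more accurate than "exclusive". The per-unit values `"2-2"` and `"3-3"` are single cores written as ranges; `"2"` and `"3"` read more plainly. Suggested wording: `# Default all units to cores 0-1; soapysdr-server and readsdb are pinned to 2 and 3 below (not isolated from kernel or non-systemd work)`.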
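Review bot: `firmwareConfig` remains under `boot.loader.raspberryPi` after that loader is set to `enable = false`, so the gpu_mem and dtparam settings are presumably no longer written to config.txt by NixOS; if the u-boot/extlinux path still needs them, whatever now manages the firmware partition has to carry them. If that is accepted, record it: `# NOTE: firmwareConfig below is not applied while raspberryPi.enable = false; config.txt is maintained by hand`. The `# don't use rpi bootloader shit` comment should state the reason instead, e.g. `# rpi loader replaced by u-boot + extlinux entries (see nixpkgs PR 112677)`, which the removed TODO already referenced. The enclosing `boot.loader` set closes outside the hunk.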
From: Astrobot Date: Sat, 19 Nov 2022 10:00:36 +0100 Subject: [PATCH 007/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'affection-src': 'git+https://gitea.nek0.eu/nek0/affection?ref=master&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) → 'git+https://gitea.nek0.eu/nek0/affection?ref=refs%2fheads%2fmaster&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) • Updated input 'caveman': 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=a12dc753b3f3d145883e1de7a0c12407bbe97288' (2022-11-15) → 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=91dcf74609695490cc83961518bacc269710296f' (2022-11-18) • Updated input 'fenix': 'github:nix-community/fenix/3e59a48c3171664ea0797f28273f9929a2335617' (2022-11-15) → 'github:nix-community/fenix/16ba830351ba5e7c018919e8c70ef31350755f42' (2022-11-19) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/45ec315e01dc8dd1146dfeb65f0ef6e5c2efed78' (2022-11-11) → 'github:rust-lang/rust-analyzer/791cb87cdf47ddfd2a2b1a726dab3aa66ec2bff3' (2022-11-18) • Updated input 'heliwatch': 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=master&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) → 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=refs%2fheads%2fmaster&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) • Updated input 'nixos': 'github:nixos/nixpkgs/16f4e04658c2ab10114545af2f39db17d51bd1bd' (2022-11-14) → 'github:nixos/nixpkgs/f42a45c015f28ac3beeb0df360e50cdbf495d44b' (2022-11-18) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/013fcdd106823416918004bb684c3c186d3c460f' (2022-11-14) → 'github:nixos/nixpkgs/52b2ac8ae18bbad4374ff0dd5aeee0fdf1aea739' (2022-11-18) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/818db40dd8a0a22b029823ba477c5c3301bd7534' (2022-11-14) → 
'github:astro/nix-openwrt-imagebuilder/bd49940936c490c99c7a7f7b23b74edbd5f2f0d8' (2022-11-18) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/2342f70f7257046effc031333c4cfdea66c91d82' (2022-11-15) → 'github:oxalica/rust-overlay/a705fe51ef5cdf932ff1cb342f0fe9e5d66f1b71' (2022-11-19) • Updated input 'scrapers': 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=master&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) → 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=refs%2fheads%2fmaster&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) • Updated input 'secrets': 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=master&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) → 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=refs%2fheads%2fmaster&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) • Updated input 'ticker': 'git+https://gitea.c3d2.de/astro/ticker.git?ref=master&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) → 'git+https://gitea.c3d2.de/astro/ticker.git?ref=refs%2fheads%2fmaster&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) • Updated input 'tracer': 'git+https://gitea.c3d2.de/astro/tracer?ref=master&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' (2022-09-15) → 'git+https://gitea.c3d2.de/astro/tracer?ref=refs%2fheads%2fmaster&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' (2022-09-15) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=9cb7dbc38595e7c213d193f2adf3cbeffcded74b' (2022-11-15) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=fe9e0fea91dc31396cbdb349b010ebd9d04cd607' (2022-11-16) --- flake.lock | 66 +++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index 92197e83..bde21317 100644 --- a/flake.lock +++ b/flake.lock 
@@ -12,7 +12,7 @@ "locked": { "lastModified": 1663176622, "narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=", - "ref": "master", + "ref": "refs/heads/master", "rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818", "revCount": 293, "type": "git", @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1668535353, - "narHash": "sha256-cVe++C4wg2CG80qjjSVG4H1udcRi7sbdU/xMGC5WSxc=", + "lastModified": 1668798814, + "narHash": "sha256-JBXKQ/l0PmuJe3bBkLdICMX3CXG5GatyacuxnTY43RU=", "ref": "main", - "rev": "a12dc753b3f3d145883e1de7a0c12407bbe97288", - "revCount": 111, + "rev": "91dcf74609695490cc83961518bacc269710296f", + "revCount": 128, "type": "git", "url": "https://gitea.c3d2.de/astro/caveman.git" }, @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1668493618, - "narHash": "sha256-Pw8dzHPI3My/nWthhWlD6nVLVPDAi9+NODvayVhKGKk=", + "lastModified": 1668839162, + "narHash": "sha256-kGpqBpxEbzy/AEEKia2Hd5swMou2Pl9ATAviSTQy/NM=", "owner": "nix-community", "repo": "fenix", - "rev": "3e59a48c3171664ea0797f28273f9929a2335617", + "rev": "16ba830351ba5e7c018919e8c70ef31350755f42", "type": "github" }, "original": { @@ -175,7 +175,7 @@ "locked": { "lastModified": 1657923513, "narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=", - "ref": "master", + "ref": "refs/heads/master", "rev": "f7cf04a7ad47e388121f0771651fec0df91407f3", "revCount": 61, "type": "git", @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1668459637, - "narHash": "sha256-HqnWCKujmtu8v0CjzOT0sr7m2AR7+vpbZJOp1R0rodY=", + "lastModified": 1668766498, + "narHash": "sha256-UjZlIrbHGlL3H3HZNPTxPSwJfr49jIfbPWCYxk0EQm4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "16f4e04658c2ab10114545af2f39db17d51bd1bd", + "rev": "f42a45c015f28ac3beeb0df360e50cdbf495d44b", "type": "github" }, "original": { 
@@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1668417584, - "narHash": "sha256-yeuEyxKPwsm5fIHN49L/syn9g5coxnPp3GsVquhrv5A=", + "lastModified": 1668765800, + "narHash": "sha256-rC40+/W6Hio7b/RsY8SvQPKNx4WqNcTgfYv8cUMAvJk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "013fcdd106823416918004bb684c3c186d3c460f", + "rev": "52b2ac8ae18bbad4374ff0dd5aeee0fdf1aea739", "type": "github" }, "original": { @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1668458369, - "narHash": "sha256-Mv4F2AgOIpGyvfoHQtw/sDg3hU7O0K1P9ercnfrwnEQ=", + "lastModified": 1668803963, + "narHash": "sha256-GmxUN70JXUkAabbJ+qG3A/eHwYf6576twU6nVct291M=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "818db40dd8a0a22b029823ba477c5c3301bd7534", + "rev": "bd49940936c490c99c7a7f7b23b74edbd5f2f0d8", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1668182250, - "narHash": "sha256-PYGaOCiFvnJdVz+ZCaKF8geGdffXjJUNcMwaBHv0FT4=", + "lastModified": 1668800018, + "narHash": "sha256-v2fKKwMFOhc0iTAbrzybwOwmgaO76eYuBOiFkPcd0rU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "45ec315e01dc8dd1146dfeb65f0ef6e5c2efed78", + "rev": "791cb87cdf47ddfd2a2b1a726dab3aa66ec2bff3", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1668479979, - "narHash": "sha256-UI+JUCBaMpn+5Y1hSePmndbYX5zu0+bavlfzrhPrGEk=", + "lastModified": 1668825399, + "narHash": "sha256-F2ro05D6tGMwSaOYeIediJq6X0ATD7JgWEG2TgOs9Wo=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "2342f70f7257046effc031333c4cfdea66c91d82", + "rev": "a705fe51ef5cdf932ff1cb342f0fe9e5d66f1b71", "type": "github" }, "original": { @@ -604,7 +604,7 @@ "locked": { "lastModified": 1665446321, "narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=", - "ref": "master", + "ref": "refs/heads/master", "rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca", "revCount": 61, "type": "git", 
@@ -624,7 +624,7 @@ "locked": { "lastModified": 1659890996, "narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=", - "ref": "master", + "ref": "refs/heads/master", "rev": "5ca106f648bef15d9954d956bda336eea28e8d75", "revCount": 149, "type": "git", @@ -743,7 +743,7 @@ "locked": { "lastModified": 1666559258, "narHash": "sha256-m4f5QQbE+usnEnM6CJ+nCgXcsi9mm0cCwFm2BhJ0pvQ=", - "ref": "master", + "ref": "refs/heads/master", "rev": "22ecb2b375bebffdfb1af3435a4c4486e6dd923b", "revCount": 108, "type": "git", @@ -785,7 +785,7 @@ "locked": { "lastModified": 1663279525, "narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=", - "ref": "master", + "ref": "refs/heads/master", "rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3", "revCount": 342, "type": "git", @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1668554331, - "narHash": "sha256-QExvepHzH2QtHjeu1ZG2gIWh3bOxwsNsO2SBVmGIlRo=", - "ref": "master", - "rev": "9cb7dbc38595e7c213d193f2adf3cbeffcded74b", - "revCount": 1669, + "lastModified": 1668626855, + "narHash": "sha256-plm+TYOcTpiTBax50vGN+qJmbm0cztMj+UNaBkKVpws=", + "ref": "refs/heads/master", + "rev": "fe9e0fea91dc31396cbdb349b010ebd9d04cd607", + "revCount": 1670, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From 0401cdd6db3ebb86fc60f56749270f7c640b090b Mon Sep 17 00:00:00 2001 From: leon Date: Sun, 20 Nov 2022 14:02:40 +0000 Subject: [PATCH 008/247] update --- hosts/leon/default.nix | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index bfe010d2..b46adbaa 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -36,7 +36,7 @@ volumes = [ { image = "nix-store-overlay.img"; mountPoint = config.microvm.writableStoreOverlay; - size = 3048; + size = 5048; } ]; }; nix.settings.auto-optimise-store = lib.mkForce false; 
@@ -84,7 +84,10 @@ allowedTCPPorts = [ 5000 22 53 80 8080 ]; allowedUDPPorts = [ 5000 22 53 80 8080 18900 19900 ]; }; - + + #networking.firewall.extraCommands = '' + # iptables + # ''; #_______________________________Begin-VPN1-Server____________________________________ networking.wireguard.interfaces = { @@ -219,20 +222,25 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- -# services.nginx = { -# listen 80; -# enable = true; -# virtualHosts."bicospacetech.c3d2.de" = { -# default = true; -# forceSSL = true; -# enableACME = true; -# locations."/login" = { -# proxyPass = "http://10.10.11.1:80"; -# proxyWebsockets = true; -# }; -# }; + services.nginx = { + listen 80; + enable = true; + virtualHosts."bicospacetech.c3d2.de" = { + default = true; + forceSSL = true; + enableACME = true; + locations."/login" = { + proxyPass = "http://10.10.11.1:80"; + proxyWebsockets = true; + }; + }; #-----------------------------ngin-X-------------------------------- + + +#--------------------------Up-Stream-------------------------------- + + system.stateVersion = "22.05"; } From 07f2829a696c0cbca06503df0e33beb126bf7c55 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 20 Nov 2022 21:02:58 +0100 Subject: [PATCH 009/247] sshlog: skyflakify --- flake.nix | 2 +- hosts/sshlog/default.nix | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index 070db61d..6844cfc2 100644 --- a/flake.nix +++ b/flake.nix @@ -963,7 +963,7 @@ sshlog = nixosSystem' { modules = [ - self.nixosModules.microvm + self.nixosModules.cluster-options sshlogd.nixosModule ./hosts/sshlog ]; diff --git a/hosts/sshlog/default.nix b/hosts/sshlog/default.nix index 92c74c64..c9376554 100644 --- a/hosts/sshlog/default.nix +++ b/hosts/sshlog/default.nix 
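Review bot: The uncommented nginx block is not valid Nix: `listen 80;` is raw nginx syntax inside an attribute set, and the `services.nginx = {` set is never closed before the `#--------------------------Up-Stream---` marker, so this configuration cannot evaluate. Drop the `listen 80;` line (NixOS already listens on 80 and 443) and add the missing `};` after the vhost. `forceSSL = true` with `enableACME = true` also requires `security.acme.acceptTerms = true` and `security.acme.defaults.email` somewhere in the configuration, which is not visible in this hunk, so confirm they exist. The firewall context lines still list 22, 80 and 8080 in `allowedUDPPorts`, which no service here uses over UDP and which widens the exposed surface for nothing.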
@@ -1,13 +1,12 @@ { config, lib, pkgs, ... }: { + deployment = { + persistedShares = [ "/etc" "/home" "/var" ]; + mem = 512; + }; c3d2 = { isInHq = false; hq.statistics.enable = true; - deployment = { - server = "server9"; - mounts = [ "etc" "home" "var" ]; - mountBase = "/tank/storage/${config.networking.hostName}"; - }; }; networking = { From 5236be655bb2c2daf8b3512159726c4e41209727 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 20 Nov 2022 21:39:00 +0100 Subject: [PATCH 010/247] modules/cluster/deployment: set deployment.networks to the intelligent value --- modules/cluster/deployment.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 88de08f1..1bb2eccc 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -35,6 +35,8 @@ let in { + deployment.networks = nets; + microvm = { hypervisor = "cloud-hypervisor"; vcpu = config.deployment.vcpu; From d60a2c7a4533c6da2f559fdd15ecdd30703adf6e Mon Sep 17 00:00:00 2001 
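Review bot: Replacing the explicit `mountBase = "/tank/storage/${config.networking.hostName}"` with `deployment.persistedShares` changes where the persisted /etc, /home and /var are looked up, so the existing data under /tank/storage/sshlog is not moved by this commit and the VM will start with empty shares unless it is migrated by hand. That matters because /etc carries the SSH host key: on a host whose purpose is logging SSH traffic (sshlogd, per flake.nix) a fresh key changes the fingerprint clients see, and if sops-nix is used here it also loses its decryption identity. A comment beside the list would save the next person the same investigation: `# /etc (host key), /home, /var persisted on glusterfs; data migrated from /tank/storage/sshlog`. The `c3d2` set continues as context after the hunk.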
From: Astro Date: Sun, 20 Nov 2022 22:41:02 +0100 Subject: [PATCH 011/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'affection-src': 'git+https://gitea.nek0.eu/nek0/affection?ref=refs%2fheads%2fmaster&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) → 'git+https://gitea.nek0.eu/nek0/affection?ref=master&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) • Updated input 'caveman': 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=91dcf74609695490cc83961518bacc269710296f' (2022-11-18) → 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=b4ee13f46de3287a868ddba9ba9b970140ab99c9' (2022-11-20) • Updated input 'fenix': 'github:nix-community/fenix/16ba830351ba5e7c018919e8c70ef31350755f42' (2022-11-19) → 'github:nix-community/fenix/c14b8c6f9fc5b6209de2a85e1882e65c72d788a6' (2022-11-20) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/791cb87cdf47ddfd2a2b1a726dab3aa66ec2bff3' (2022-11-18) → 'github:rust-lang/rust-analyzer/38fa47fd79b38d3ca7665943a93c577d3a9166a8' (2022-11-19) • Updated input 'heliwatch': 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=refs%2fheads%2fmaster&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) → 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=master&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) • Updated input 'nixos': 'github:nixos/nixpkgs/f42a45c015f28ac3beeb0df360e50cdbf495d44b' (2022-11-18) → 'github:nixos/nixpkgs/b68a6a27adb452879ab66c0eaac0c133e32823b2' (2022-11-20) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/e0452b33ab0ef16ffe075e980644ed92a6a200bb' (2022-11-13) → 'github:nixos/nixos-hardware/1108c1b8614017c8b52005054fd27a00e4feb51b' (2022-11-20) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/52b2ac8ae18bbad4374ff0dd5aeee0fdf1aea739' (2022-11-18) → 'github:nixos/nixpkgs/690ffff026b4e635b46f69002c0f4e81c65dfc2e' 
(2022-11-20) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/bd49940936c490c99c7a7f7b23b74edbd5f2f0d8' (2022-11-18) → 'github:astro/nix-openwrt-imagebuilder/18bc5eb199484ee61baac3f6a8ae7f775cf7f835' (2022-11-20) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/a705fe51ef5cdf932ff1cb342f0fe9e5d66f1b71' (2022-11-19) → 'github:oxalica/rust-overlay/5200195aa2a0cef1becc2ba6ff61cba65e1f90fe' (2022-11-20) • Updated input 'scrapers': 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=refs%2fheads%2fmaster&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) → 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=master&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) • Updated input 'secrets': 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=refs%2fheads%2fmaster&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) → 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=master&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) • Updated input 'skyflake': 'github:astro/skyflake/4ccb72c616212ef2149458dade8d1199dc69477a' (2022-11-15) → 'github:astro/skyflake/75a7ee724d594921995fa1202136f89cc2461227' (2022-11-20) • Updated input 'sops-nix': 'github:Mic92/sops-nix/39f0fe57f1ef78764c1abc1de145f091fee1bbbb' (2022-11-13) → 'github:Mic92/sops-nix/f72e050c3ef148b1131a0d2df55385c045e4166b' (2022-11-20) • Updated input 'ticker': 'git+https://gitea.c3d2.de/astro/ticker.git?ref=refs%2fheads%2fmaster&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) → 'git+https://gitea.c3d2.de/astro/ticker.git?ref=master&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) • Updated input 'tracer': 'git+https://gitea.c3d2.de/astro/tracer?ref=refs%2fheads%2fmaster&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' (2022-09-15) → 'git+https://gitea.c3d2.de/astro/tracer?ref=master&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' (2022-09-15) • Updated input 'zentralwerk': 
'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=fe9e0fea91dc31396cbdb349b010ebd9d04cd607' (2022-11-16) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=fe9e0fea91dc31396cbdb349b010ebd9d04cd607' (2022-11-16) --- flake.lock | 76 +++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index bde21317..a3433565 100644 --- a/flake.lock +++ b/flake.lock @@ -12,7 +12,7 @@ "locked": { "lastModified": 1663176622, "narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=", - "ref": "refs/heads/master", + "ref": "master", "rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818", "revCount": 293, "type": "git", @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1668798814, - "narHash": "sha256-JBXKQ/l0PmuJe3bBkLdICMX3CXG5GatyacuxnTY43RU=", + "lastModified": 1668912024, + "narHash": "sha256-2YI6X5gxwvrjmtOk8qrpU1564b58rL0AvKUSDevq7iU=", "ref": "main", - "rev": "91dcf74609695490cc83961518bacc269710296f", - "revCount": 128, + "rev": "b4ee13f46de3287a868ddba9ba9b970140ab99c9", + "revCount": 131, "type": "git", "url": "https://gitea.c3d2.de/astro/caveman.git" }, @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1668839162, - "narHash": "sha256-kGpqBpxEbzy/AEEKia2Hd5swMou2Pl9ATAviSTQy/NM=", + "lastModified": 1668925554, + "narHash": "sha256-QTKjWgQbr6y4xtiehgs3A75Slf130LNGlsPPCuxWpAk=", "owner": "nix-community", "repo": "fenix", - "rev": "16ba830351ba5e7c018919e8c70ef31350755f42", + "rev": "c14b8c6f9fc5b6209de2a85e1882e65c72d788a6", "type": "github" }, "original": { @@ -175,7 +175,7 @@ "locked": { "lastModified": 1657923513, "narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=", - "ref": "refs/heads/master", + "ref": "master", "rev": "f7cf04a7ad47e388121f0771651fec0df91407f3", "revCount": 61, "type": "git", 
@@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1668766498, - "narHash": "sha256-UjZlIrbHGlL3H3HZNPTxPSwJfr49jIfbPWCYxk0EQm4=", + "lastModified": 1668908668, + "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f42a45c015f28ac3beeb0df360e50cdbf495d44b", + "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2", "type": "github" }, "original": { @@ -381,11 +381,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1668334946, - "narHash": "sha256-omMbUj4r5DVBWh7KxkoO/Z/1V1shVR6Ls4jXNB4mr3U=", + "lastModified": 1668973873, + "narHash": "sha256-DnTrRduUIRgsCBruvUXsaBw2G46JNq6/DtrM5R7VrRc=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "e0452b33ab0ef16ffe075e980644ed92a6a200bb", + "rev": "1108c1b8614017c8b52005054fd27a00e4feb51b", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1668765800, - "narHash": "sha256-rC40+/W6Hio7b/RsY8SvQPKNx4WqNcTgfYv8cUMAvJk=", + "lastModified": 1668905981, + "narHash": "sha256-RBQa/+9Uk1eFTqIOXBSBezlEbA3v5OkgP+qptQs1OxY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "52b2ac8ae18bbad4374ff0dd5aeee0fdf1aea739", + "rev": "690ffff026b4e635b46f69002c0f4e81c65dfc2e", "type": "github" }, "original": { @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1668803963, - "narHash": "sha256-GmxUN70JXUkAabbJ+qG3A/eHwYf6576twU6nVct291M=", + "lastModified": 1668977168, + "narHash": "sha256-o5cLuUI+Ybiewd8OqjNWO7fNFsZuKoW4b9F995lRa4Q=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "bd49940936c490c99c7a7f7b23b74edbd5f2f0d8", + "rev": "18bc5eb199484ee61baac3f6a8ae7f775cf7f835", "type": "github" }, "original": { 
@@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1668800018, - "narHash": "sha256-v2fKKwMFOhc0iTAbrzybwOwmgaO76eYuBOiFkPcd0rU=", + "lastModified": 1668863377, + "narHash": "sha256-dPvXzzQKqU1vrosYjniwRHA8NGhSD1EljMLwcWJxzFU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "791cb87cdf47ddfd2a2b1a726dab3aa66ec2bff3", + "rev": "38fa47fd79b38d3ca7665943a93c577d3a9166a8", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1668825399, - "narHash": "sha256-F2ro05D6tGMwSaOYeIediJq6X0ATD7JgWEG2TgOs9Wo=", + "lastModified": 1668912095, + "narHash": "sha256-3oGeJgeA4+8Wj2XZnbZKJYHoZziyJl36ZGU49I2VC8U=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a705fe51ef5cdf932ff1cb342f0fe9e5d66f1b71", + "rev": "5200195aa2a0cef1becc2ba6ff61cba65e1f90fe", "type": "github" }, "original": { @@ -604,7 +604,7 @@ "locked": { "lastModified": 1665446321, "narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=", - "ref": "refs/heads/master", + "ref": "master", "rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca", "revCount": 61, "type": "git", @@ -624,7 +624,7 @@ "locked": { "lastModified": 1659890996, "narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=", - "ref": "refs/heads/master", + "ref": "master", "rev": "5ca106f648bef15d9954d956bda336eea28e8d75", "revCount": 149, "type": "git", @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1668537992, - "narHash": "sha256-dktkznGkVUtOXyA19J4YoSiyhBkCinqH8LDnU2o/rmw=", + "lastModified": 1668977258, + "narHash": "sha256-FYyemo0SEpJ2NSP044q6ZXNEZSJNIwiSzr6/nHJgofE=", "owner": "astro", "repo": "skyflake", - "rev": "4ccb72c616212ef2149458dade8d1199dc69477a", + "rev": "75a7ee724d594921995fa1202136f89cc2461227", "type": "github" }, "original": { 
@@ -668,11 +668,11 @@ ] }, "locked": { - "lastModified": 1668311578, - "narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=", + "lastModified": 1668915833, + "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb", + "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b", "type": "github" }, "original": { @@ -743,7 +743,7 @@ "locked": { "lastModified": 1666559258, "narHash": "sha256-m4f5QQbE+usnEnM6CJ+nCgXcsi9mm0cCwFm2BhJ0pvQ=", - "ref": "refs/heads/master", + "ref": "master", "rev": "22ecb2b375bebffdfb1af3435a4c4486e6dd923b", "revCount": 108, "type": "git", @@ -785,7 +785,7 @@ "locked": { "lastModified": 1663279525, "narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=", - "ref": "refs/heads/master", + "ref": "master", "rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3", "revCount": 342, "type": "git", @@ -832,7 +832,7 @@ "locked": { "lastModified": 1668626855, "narHash": "sha256-plm+TYOcTpiTBax50vGN+qJmbm0cztMj+UNaBkKVpws=", - "ref": "refs/heads/master", + "ref": "master", "rev": "fe9e0fea91dc31396cbdb349b010ebd9d04cd607", "revCount": 1670, "type": "git", From 0bff25fc05b652f839a42a8752b615c4f068bf1a Mon Sep 17 00:00:00 2001 From: leon Date: Sun, 20 Nov 2022 23:14:51 +0000 Subject: [PATCH 012/247] open port add nginx route --- hosts/leon/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index b46adbaa..a6475c94 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -81,13 +81,9 @@ }; networking.firewall = { - allowedTCPPorts = [ 5000 22 53 80 8080 ]; + allowedTCPPorts = [ 5000 22 53 80 8080 12000 ]; allowedUDPPorts = [ 5000 22 53 80 8080 18900 19900 ]; }; - - #networking.firewall.extraCommands = '' - # iptables - # ''; #_______________________________Begin-VPN1-Server____________________________________ networking.wireguard.interfaces = { 
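Review bot: TCP 12000 is opened in `allowedTCPPorts` while the only consumer visible in this series is the nginx `proxyPass` to 45.158.40.162:12000 in the next hunk; if that address is this host's own, the firewall hole lets clients reach the backend directly over plain HTTP and bypass the `forceSSL`/ACME front end. Prefer binding the backend to 127.0.0.1 or a wireguard address, proxying to that, and leaving 12000 out of the list. If 12000 must be public, a comment explaining why it is exposed alongside the proxied path would stop the next reader from closing it. The `allowedUDPPorts` line still carries 22, 80 and 8080, which have no UDP listener here.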
@@ -230,7 +226,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/login" = { - proxyPass = "http://10.10.11.1:80"; + proxyPass = "http://45.158.40.162:12000"; proxyWebsockets = true; }; }; From b339f45d36320dee0e58c2a1bbc8f8690c297673 Mon Sep 17 00:00:00 2001 From: leon Date: Sun, 20 Nov 2022 23:25:23 +0000 Subject: [PATCH 013/247] change things --- hosts/leon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index a6475c94..9639cf97 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,13 +219,13 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - listen 80; + listen 8080; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; forceSSL = true; enableACME = true; - locations."/login" = { + locations."/" = { proxyPass = "http://45.158.40.162:12000"; proxyWebsockets = true; }; From 992d7d0ddfbd6bca5d572a2062b3f2a54f81195c Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 00:52:28 +0100 Subject: [PATCH 014/247] leon: fix syntax --- hosts/leon/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 9639cf97..84708331 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,8 +219,8 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - listen 8080; - enable = true; + defaultListenAddresses = [ "[0.0.0.0]:8080" ]; + enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; forceSSL = true; @@ -230,7 +230,7 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; - +}; #-----------------------------ngin-X-------------------------------- From e359623c8c868956f737c8fa407501a948ac0802 Mon Sep 17 00:00:00 2001 
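Review bot: `proxyPass = "http://45.158.40.162:12000"` sends the proxied traffic over plaintext HTTP to what looks like a public IPv4 address, whereas the previous target 10.10.11.1 was internal; if the backend is on another machine, the hop between this host and it is now unencrypted across the public network even though clients are forced onto TLS. Point the proxy at an internal or wireguard address of the backend, or at 127.0.0.1 if it is local, and note the constraint: `# backend reached over the internal/wireguard address only; never via the public IP`. The `locations."/login"` set and the enclosing vhost continue outside the hunk.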
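Review bot: Moving the location to `"/"` together with `default = true` makes this vhost proxy every request for any Host name arriving on the port to the backend, not just bicospacetech.c3d2.de; unless that is intended, drop `default = true` or add a catch-all vhost that returns 444. `listen 8080;` is still bare nginx syntax inside the Nix attribute set and will not evaluate; the port belongs in `defaultHTTPListenPort` or a per-vhost `listen` list. Once the whole site is proxied the backend presumably needs the original Host and X-Forwarded-* headers, which `recommendedProxySettings = true` supplies.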
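Review bot: `defaultListenAddresses = [ "[0.0.0.0]:8080" ]` is not a valid value as I read the nginx module: the option takes bare addresses (default `[ "0.0.0.0" "[::0]" ]`) and NixOS appends the port itself, so an address:port string produces a malformed `listen` directive, and brackets are IPv6 syntax. Overriding the list also drops the IPv6 listener. If the goal is a non-standard HTTP port, use `defaultHTTPListenPort = 8080;` and leave `defaultListenAddresses` alone; `forceSSL` still needs the 443 listener, which `defaultSSLListenPort` controls.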
From: Astro Date: Mon, 21 Nov 2022 00:52:46 +0100 Subject: [PATCH 015/247] modules/cluster/default: set static uid for c3d2 --- modules/cluster/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index fc91444d..8fff0498 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -45,7 +45,10 @@ in { }; microvmUid = 997; - users.c3d2.sshKeys = config.users.users.root.openssh.authorizedKeys.keys; + users.c3d2 = { + uid = 1001; + sshKeys = config.users.users.root.openssh.authorizedKeys.keys; + }; deploy.customizationModule = ./deployment.nix; storage.glusterfs = { From 4255e083c077de881ead73072301ce3e338ec02a Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 00:55:34 +0100 Subject: [PATCH 016/247] leon: fix syntax --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 84708331..3c844662 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,7 +219,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - defaultListenAddresses = [ "[0.0.0.0]:8080" ]; + defaultListenAddresses = [ "0.0.0.0:8080" ]; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From eef6ee53b4b8d242a3ecd51ff3df85766d5d35b0 Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 00:30:01 +0000 Subject: [PATCH 017/247] change port nginx --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 3c844662..fa1b8a2b 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
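Review bot: `users.c3d2.uid = 1001` pins a uid without saying why, and 1001 lies in the range NixOS allocates to normal users, so it can collide with an existing account on a node; the sibling `microvmUid = 997;` shows the file otherwise reserves system-range ids. Presumably the fixed uid exists so files on the shared glusterfs volume carry consistent ownership across cluster nodes — if so, state it: `# fixed uid: ownership on the shared glusterfs volume must agree on every node`. Keeping `sshKeys` equal to root's `authorizedKeys.keys` means any key that can log in as root can also log in as c3d2, which is fine if intended but deserves a word in the same comment.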
@@ -219,7 +219,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - defaultListenAddresses = [ "0.0.0.0:8080" ]; + defaultListenAddresses = [ "0.0.0.0:80" ]; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From 17fbf1328d82e045b564c7a7639b2fbc6eff4f06 Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 00:46:13 +0000 Subject: [PATCH 018/247] update --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index fa1b8a2b..1469b3e3 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,7 +219,6 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - defaultListenAddresses = [ "0.0.0.0:80" ]; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From 6d200ea7b4e91af4862decd41d94091832812089 Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 01:13:33 +0000 Subject: [PATCH 019/247] nginx default listen --- hosts/leon/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 1469b3e3..db94e91e 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,6 +219,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { + defaultListenAddresses = [ "[0.0.0.0]:80" ]; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From e685ad686d2f1504ec60dcb4f4903844031049d4 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 02:34:43 +0100 Subject: [PATCH 020/247] leon: allow https port --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 1469b3e3..91725e45 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
@@ -81,7 +81,7 @@ }; networking.firewall = { - allowedTCPPorts = [ 5000 22 53 80 8080 12000 ]; + allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ]; allowedUDPPorts = [ 5000 22 53 80 8080 18900 19900 ]; }; #_______________________________Begin-VPN1-Server____________________________________ From 3cdd41f8169a705e2450baee59dc33ff33b6a99b Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 00:55:34 +0100 Subject: [PATCH 021/247] leon: fix syntax --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 555503c3..ecef2f04 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -219,7 +219,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - defaultListenAddresses = [ "[0.0.0.0]:80" ]; + defaultListenAddresses = [ "0.0.0.0:80" ]; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From 33fecdb43ea37d01cd730111895adee99daa33e8 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 03:09:23 +0100 Subject: [PATCH 022/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/75a7ee724d594921995fa1202136f89cc2461227' (2022-11-20) → 'github:astro/skyflake/1dce619e370e0179ffb7d584642c98480ea10093' (2022-11-21) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=fe9e0fea91dc31396cbdb349b010ebd9d04cd607' (2022-11-16) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=f2a3c14c17b56228fe73cd3032b834bec5be52f5' (2022-11-21) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index a3433565..0e4770aa 100644 --- a/flake.lock +++ b/flake.lock 
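Review bot: `defaultListenAddresses = [ "0.0.0.0:80" ]` still carries a port in what the option treats as an address list; as far as I recall the nginx module appends the port itself, producing `listen 0.0.0.0:80:80`, so this "syntax fix" is unlikely to evaluate to a working config. With `forceSSL` and `enableACME` the module's defaults already listen on 80 and 443, so dropping the line is the simplest fix; if explicit listeners are wanted, put them in the vhost: `listen = [ { addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 443; ssl = true; } ];`. The `services.nginx` block continues past the hunk.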
@@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1668977258, - "narHash": "sha256-FYyemo0SEpJ2NSP044q6ZXNEZSJNIwiSzr6/nHJgofE=", + "lastModified": 1668996511, + "narHash": "sha256-SxuWgrqj4QET37g6vHfTsBU0mGMnkw0WjO3GDIYgqQo=", "owner": "astro", "repo": "skyflake", - "rev": "75a7ee724d594921995fa1202136f89cc2461227", + "rev": "1dce619e370e0179ffb7d584642c98480ea10093", "type": "github" }, "original": { @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1668626855, - "narHash": "sha256-plm+TYOcTpiTBax50vGN+qJmbm0cztMj+UNaBkKVpws=", + "lastModified": 1668995518, + "narHash": "sha256-dej6H89NKRgO0bE9zy0/KDKvIUG0cpgaTeQUOIU1orU=", "ref": "master", - "rev": "fe9e0fea91dc31396cbdb349b010ebd9d04cd607", - "revCount": 1670, + "rev": "f2a3c14c17b56228fe73cd3032b834bec5be52f5", + "revCount": 1671, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From 905c4c0fe4405456cf50f015dad69c9be538ff23 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 03:22:40 +0100 Subject: [PATCH 023/247] leon: skiflakify --- flake.nix | 2 +- hosts/leon/default.nix | 15 ++------------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/flake.nix b/flake.nix index 6844cfc2..8f9bd832 100644 --- a/flake.nix +++ b/flake.nix @@ -892,7 +892,7 @@ leon = nixosSystem' { modules = [ - self.nixosModules.microvm + self.nixosModules.cluster-options ./hosts/leon ]; }; diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index ecef2f04..0678ba1c 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
@@ -30,23 +30,12 @@ { config, lib, pkgs, ... }: { - microvm = { + deployment = { + persistedShares = [ "/etc" "/home" "/var" ]; mem = 2048; - writableStoreOverlay = "/nix/.rw-store"; - volumes = [ { - image = "nix-store-overlay.img"; - mountPoint = config.microvm.writableStoreOverlay; - size = 5048; - } ]; }; nix.settings.auto-optimise-store = lib.mkForce false; - c3d2.deployment = { - server = "server10"; - mounts = [ "etc" "home" "var"]; - autoNetSetup = true; - }; - networking = { hostName = "leon"; firewall.enable = true; From a732189ee2e03df244b3459ae69d605d70c32e3d Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 03:37:25 +0100 Subject: [PATCH 024/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/1dce619e370e0179ffb7d584642c98480ea10093' (2022-11-21) → 'github:astro/skyflake/bc347dbb0cfe2d437fcb684e49cca2dc87be5a7b' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 0e4770aa..b8500f3d 100644 --- a/flake.lock +++ b/flake.lock @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1668996511, - "narHash": "sha256-SxuWgrqj4QET37g6vHfTsBU0mGMnkw0WjO3GDIYgqQo=", + "lastModified": 1668998225, + "narHash": "sha256-JFZTmNt+/nnvmbZDw+obrQiumkjGlN80h2BbxMwbf+k=", "owner": "astro", "repo": "skyflake", - "rev": "1dce619e370e0179ffb7d584642c98480ea10093", + "rev": "bc347dbb0cfe2d437fcb684e49cca2dc87be5a7b", "type": "github" }, "original": { From 51f8af0c52e12ab2e3eab66e9ba9fd33b62f223d Mon Sep 17 00:00:00 2001 
From: Astro Date: Mon, 21 Nov 2022 03:39:41 +0100 Subject: [PATCH 025/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'microvm': 'github:astro/microvm.nix/5181933ca7bbaad37ceb82a848630ea3b30d522b' (2022-11-15) → 'github:astro/microvm.nix/682b1e76e7fefdf350f3dc9e84002a8488e2b86d' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index b8500f3d..a03c364f 100644 --- a/flake.lock +++ b/flake.lock @@ -237,11 +237,11 @@ ] }, "locked": { - "lastModified": 1668518796, - "narHash": "sha256-DyteijJn0JZphJdQaHpPWxvkKrBPvCW3B53tCasDX8c=", + "lastModified": 1668998330, + "narHash": "sha256-kJu7lwmNBQqIcM/vhlFDkByC0VF4vwLjVeg+E9aWlyc=", "owner": "astro", "repo": "microvm.nix", - "rev": "5181933ca7bbaad37ceb82a848630ea3b30d522b", + "rev": "682b1e76e7fefdf350f3dc9e84002a8488e2b86d", "type": "github" }, "original": { From 2f451e841fbcdf8ec16f56f207f1ee8f2113769d Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 03:44:02 +0100 Subject: [PATCH 026/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/bc347dbb0cfe2d437fcb684e49cca2dc87be5a7b' (2022-11-21) → 'github:astro/skyflake/9328ee067b4bfa764e062e5d87ceeb9ab7cf3d19' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index a03c364f..a3133af5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1668998225, - "narHash": "sha256-JFZTmNt+/nnvmbZDw+obrQiumkjGlN80h2BbxMwbf+k=", + "lastModified": 1668998627, + "narHash": "sha256-NaAsxWUUaRavK1dUiQpg59bxNQEqgF4iAYyDwJWXKPM=", "owner": "astro", "repo": "skyflake", - "rev": "bc347dbb0cfe2d437fcb684e49cca2dc87be5a7b", + "rev": "9328ee067b4bfa764e062e5d87ceeb9ab7cf3d19", "type": "github" }, "original": { From ecbb8818bb7ae5be890ca799363b4f5f50f284b6 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 03:44:40 +0100 Subject: [PATCH 027/247] leon, leoncloud: reuse sshKeys --- hosts/leon/default.nix | 5 ++--- hosts/leoncloud/default.nix | 6 ++---- users.nix | 3 ++- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 0678ba1c..84bc5582 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -64,9 +64,8 @@ isNormalUser = true; extraGroups = [ "wheel" "docker" ]; createHome = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air" - ]; + openssh.authorizedKeys.keys = with import ../../users.nix; + leon.sshKeys; }; networking.firewall = { diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 50d753fc..c4375c8a 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -48,10 +48,8 @@ isNormalUser = true; extraGroups = [ "wheel" "docker" ]; createHome = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air" - ]; + openssh.authorizedKeys.keys = with import ../../users.nix; + leon.sshKeys; }; diff --git a/users.nix b/users.nix index 0c87007f..0fc46e4c 100644 --- a/users.nix +++ b/users.nix 
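Review bot: With `openssh.authorizedKeys.keys` now taken from `leon.sshKeys` in `users.nix`, any key added to that shared list silently gains login on both leon and leoncloud, and the surrounding context shows the account is in `wheel` and `docker` — `docker` group membership is root-equivalent on the host, so edits to `users.nix` now grant effective root on two machines. A comment at the assignment would make that visible, e.g. `# NOTE: every key in users.nix leon.sshKeys gets wheel+docker (root-equivalent) here`, and `"docker"` should be dropped from `extraGroups` unless the user actually drives the daemon. The `users.users` definition starts before the hunk.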
@@ -61,6 +61,7 @@ ]; leon.sshKeys = [ - "ssh-rsa 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 leon@MacBook-Air" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air" ]; } From 4b6fce111a3f26d14809dbba950e315ab66e0d55 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 04:00:54 +0100 Subject: [PATCH 028/247] modules/cluster: prepare for leon --- modules/cluster/default.nix | 6 ++++++ modules/cluster/deployment.nix | 19 +++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 8fff0498..8e4e0f18 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -49,6 +49,12 @@ in { uid = 1001; sshKeys = config.users.users.root.openssh.authorizedKeys.keys; }; + users.leon = { + uid = 1002; + sshKeys = with import ../../users.nix; + leon.sshKeys ++ + astro.sshKeys; + }; deploy.customizationModule = ./deployment.nix; storage.glusterfs = { diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 1bb2eccc..abe7ee90 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -33,6 +33,8 @@ let then s else withoutLeadingSlash s'; + writableStoreOverlayImage = "/var/tmp/${user}-${repo}-${vmName}-overlay.img"; + in { deployment.networks = nets; @@ -42,6 +44,11 @@ in vcpu = config.deployment.vcpu; mem = config.deployment.mem; + preStart = '' + # Discard old writable store overlay + rm -f "${writableStoreOverlayImage}" + ''; + shares = [ { proto = "virtiofs"; tag = "ro-store"; 
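Review bot: `writableStoreOverlayImage` lives in `/var/tmp` under a predictable name and `preStart` only runs `rm -f` on it, so on a host with other local accounts someone can pre-create or race to create a file or symlink at that path between the `rm -f` and the image being (re)created, and the VM's writable Nix store overlay would then be backed by attacker-controlled content; `/var/tmp` is also shared and world-writable, so the image may be readable by others unless the creator restricts its mode. A private owner-only directory such as `/var/lib/microvms/${user}/` (mode 0700) avoids both problems; if `/var/tmp` must stay, at minimum add `# assumes no untrusted local users on the deploy host — overlay path is predictable and world-reachable` above the definition. The `microvm` attribute set this hunk extends begins and ends outside the hunk.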
@@ -55,12 +62,12 @@ in source = "/glusterfs/fast/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; inherit mountPoint; }) config.deployment.persistedShares; - # volumes = [ { - # image = "/glusterfs/fast/microvms/${user}/${repo}/${vmName}/overlay.img"; - # mountPoint = "/"; - # size = 8 * 1024; - # } ]; - # writableStoreOverlay = "/nix/.rw-store"; + volumes = [ { + image = writableStoreOverlayImage; + mountPoint = config.microvm.writableStoreOverlay; + size = 8 * 1024; + } ]; + writableStoreOverlay = "/nix/.rw-store"; interfaces = map (net: { type = "tap"; From 0bd2e02db7f6c305b5822ab5e844b427f0432360 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 19:35:04 +0100 Subject: [PATCH 029/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=f2a3c14c17b56228fe73cd3032b834bec5be52f5' (2022-11-21) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=9af9b5fef3208dcea17fc1e53936772238d34ae4' (2022-11-21) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index a3133af5..3842425b 100644 --- a/flake.lock +++ b/flake.lock @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1668995518, - "narHash": "sha256-dej6H89NKRgO0bE9zy0/KDKvIUG0cpgaTeQUOIU1orU=", + "lastModified": 1669055317, + "narHash": "sha256-GCm7A+RXQYXOTOErEHbi/OORXtygrgSzp6NiwtziRRI=", "ref": "master", - "rev": "f2a3c14c17b56228fe73cd3032b834bec5be52f5", - "revCount": 1671, + "rev": "9af9b5fef3208dcea17fc1e53936772238d34ae4", + "revCount": 1672, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From 203cf88662943b3ba0a9a084d685f0a8a803aa18 Mon Sep 17 00:00:00 2001 
From: Astro Date: Mon, 21 Nov 2022 19:39:38 +0100 Subject: [PATCH 030/247] owncast: init --- flake.nix | 7 +++++ hosts/owncast/default.nix | 37 +++++++++++++++++++++++++++ hosts/public-access-proxy/default.nix | 3 +++ 3 files changed, 47 insertions(+) create mode 100644 hosts/owncast/default.nix diff --git a/flake.nix b/flake.nix index 8f9bd832..ff5afe8d 100644 --- a/flake.nix +++ b/flake.nix @@ -984,6 +984,13 @@ ]; }; + owncast = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/owncast + ]; + nixpkgs = nixos-unstable; + }; }; nixosModule = self.nixosModules.c3d2; diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix new file mode 100644 index 00000000..8df79fe0 --- /dev/null +++ b/hosts/owncast/default.nix @@ -0,0 +1,37 @@ +{ config, ... }: + +{ + deployment = { + persistedShares = [ "/etc" "/home" "/var" ]; + mem = 512; + }; + c3d2.hq.statistics.enable = true; + + networking = { + hostName = "owncast"; + firewall.allowedTCPPorts = [ 80 443 ]; + }; + + services.owncast = { + enable = true; + openFirewall = true; + }; + + services.nginx = { + enable = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + virtualHosts."owncast.c3d2.de" = { + default = true; + forceSSL = true; + enableACME = true; + + locations."/".proxyPass = + let + inherit (config.services.owncast) port; + in + "http://localhost:${toString port}"; + }; + }; +} diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix index 6db4ab56..5d347584 100644 --- a/hosts/public-access-proxy/default.nix +++ b/hosts/public-access-proxy/default.nix @@ -133,6 +133,9 @@ } { hostNames = [ "zengel.datenspuren.de" ]; proxyTo.host = config.c3d2.hosts.zengel.ip4; + } { + hostNames = [ "owncast.c3d2.de" ]; + proxyTo.host = config.c3d2.hosts.owncast.ip4; } ]; }; From 4cf2b62ebe1e027ed2f9f1d80c43c0c08513aef1 Mon Sep 17 00:00:00 2001 
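Review bot: `services.owncast.openFirewall = true` opens owncast's own ports on the VM in addition to the `[ 80 443 ]` already listed, so the RTMP ingest port (and, depending on the module's `listen` default, possibly owncast's plain-HTTP port) is reachable directly rather than only through the TLS-terminating nginx vhost. An explicit list keeps the exposure visible in this file: `firewall.allowedTCPPorts = [ 80 443 config.services.owncast.rtmp-port ];` together with `openFirewall = false;`. If RTMP ingest is meant to be public, say so in a comment (`# RTMP ingest must be reachable from the streamer`) so the next reader does not close it.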
From: Astro Date: Mon, 21 Nov 2022 19:41:25 +0100 Subject: [PATCH 031/247] modules/c3d2: remove nix.settings.auto-optimise-store doesn't work with writableStoreOverlay --- modules/c3d2.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 230f234d..f15493d9 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -383,7 +383,6 @@ in nix = { settings = { - auto-optimise-store = true; trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [ (builtins.readFile ../hosts/hydra/cache-pub.key) ]; From 261d4a1d78e4d4848b5443843592e0cbd1bf3822 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 19:51:09 +0100 Subject: [PATCH 032/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/9328ee067b4bfa764e062e5d87ceeb9ab7cf3d19' (2022-11-21) → 'github:astro/skyflake/d2bf430604889e419a6303147f57e9485d759710' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 3842425b..41ce885e 100644 --- a/flake.lock +++ b/flake.lock @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1668998627, - "narHash": "sha256-NaAsxWUUaRavK1dUiQpg59bxNQEqgF4iAYyDwJWXKPM=", + "lastModified": 1669056654, + "narHash": "sha256-JrJfME6mVtPhdnpUagg33lLmhUqA+OTb2Avm7Jk/OVs=", "owner": "astro", "repo": "skyflake", - "rev": "9328ee067b4bfa764e062e5d87ceeb9ab7cf3d19", + "rev": "d2bf430604889e419a6303147f57e9485d759710", "type": "github" }, "original": { From 642ef73b16c807c8bfac32831788f0510b9c71d1 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 20:12:43 +0100 Subject: [PATCH 033/247] dacbert: install ffmpeg --- hosts/dacbert/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index e87a8049..19864896 100644 --- a/hosts/dacbert/default.nix 
+++ b/hosts/dacbert/default.nix @@ -119,6 +119,7 @@ libva-utils mpv vlc + ffmpeg yt-dlp ncpamixer pulseaudio # required for pactl From 6120944b501f663b3de3c098dac8761664e37768 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 21:00:21 +0100 Subject: [PATCH 034/247] owncast: use ipv4 localhost --- hosts/owncast/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 8df79fe0..37a6170b 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -31,7 +31,7 @@ let inherit (config.services.owncast) port; in - "http://localhost:${toString port}"; + "http://127.0.0.1:${toString port}"; }; }; } From 3bdd61084bd023cfe699cc98bcc58bf8d3f995ab Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 21:24:56 +0100 Subject: [PATCH 035/247] owncast: enable proxyWebsockets --- hosts/owncast/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 37a6170b..e8b1b12c 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -27,11 +27,13 @@ forceSSL = true; enableACME = true; - locations."/".proxyPass = + locations."/" = let inherit (config.services.owncast) port; - in - "http://127.0.0.1:${toString port}"; + in { + proxyPass = "http://127.0.0.1:${toString port}"; + proxyWebsockets = true; + }; }; }; } From dbb7e552e5e03e3531ff87aa44ac494802a56c81 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 21:25:58 +0100 Subject: [PATCH 036/247] modules/cluster: enable skyflake.debug --- modules/cluster/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 8e4e0f18..3c0a2605 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -31,6 +31,7 @@ in { # Cluster configuration skyflake = { + debug = true; nodes = builtins.listToAttrs ( map (name: { inherit name; 
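Review bot: `debug = true;` is added to the shared cluster module with no explanation, so every cluster node picks it up permanently; if skyflake's debug flag enables verbose logging or debug tooling, that is extra log noise and attack surface on production hosts long after the migration it presumably supports. Either gate it or leave a marker: `debug = true; # TODO(skyflake migration): remove once deployments are stable`. The `skyflake` attribute set continues outside the hunk.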
From cfbb7cd933994ad1d3693af0273b15a73352bd0c Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 21:49:06 +0100 Subject: [PATCH 037/247] owncast: bump mem from 512M to 2G --- hosts/owncast/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index e8b1b12c..bec9cb48 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -3,7 +3,7 @@ { deployment = { persistedShares = [ "/etc" "/home" "/var" ]; - mem = 512; + mem = 2048; }; c3d2.hq.statistics.enable = true; From 736f79cc2e3fdb584961268c9bf3d661f27a7b4b Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 21 Nov 2022 21:56:21 +0100 Subject: [PATCH 038/247] owncast: bump vcpu from 2 to 8 --- hosts/owncast/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index bec9cb48..12582185 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -3,6 +3,7 @@ { deployment = { persistedShares = [ "/etc" "/home" "/var" ]; + vcpu = 8; mem = 2048; }; c3d2.hq.statistics.enable = true; From a117ac243e0eb4e996652a902084264d7bfef743 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 22 Nov 2022 00:40:23 +0100 Subject: [PATCH 039/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/d2bf430604889e419a6303147f57e9485d759710' (2022-11-21) → 'github:astro/skyflake/58081055d3e31541df3da2153d97d1fbb504102d' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 41ce885e..77b9251e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1669056654, - "narHash": "sha256-JrJfME6mVtPhdnpUagg33lLmhUqA+OTb2Avm7Jk/OVs=", + "lastModified": 1669073994, + "narHash": "sha256-5uL7SG0v7CXjkxHbhlt6U1ILqYMyc6vuBTw4YCVMz4g=", "owner": "astro", "repo": "skyflake", - "rev": "d2bf430604889e419a6303147f57e9485d759710", + "rev": "58081055d3e31541df3da2153d97d1fbb504102d", "type": "github" }, "original": { From fd962a513386cf21c3d4b1801e77b10e4a6a318b Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 22 Nov 2022 00:44:18 +0100 Subject: [PATCH 040/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'skyflake': 'github:astro/skyflake/58081055d3e31541df3da2153d97d1fbb504102d' (2022-11-21) → 'github:astro/skyflake/365bfb5aa5b42a48b18c4fc0d9cab30bcd62c74a' (2022-11-21) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 77b9251e..cae29f9e 100644 --- a/flake.lock +++ b/flake.lock @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1669073994, - "narHash": "sha256-5uL7SG0v7CXjkxHbhlt6U1ILqYMyc6vuBTw4YCVMz4g=", + "lastModified": 1669074247, + "narHash": "sha256-UTEbPzdzfAsDubgJfEq8h3H1Cx7wNB1v466L3qxLi3U=", "owner": "astro", "repo": "skyflake", - "rev": "58081055d3e31541df3da2153d97d1fbb504102d", + "rev": "365bfb5aa5b42a48b18c4fc0d9cab30bcd62c74a", "type": "github" }, "original": { From 6a7d9316013443a3aa5ebcf14d5896f13db7de90 Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 23:46:58 +0000 Subject: [PATCH 041/247] update nginx --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 84bc5582..ceeb9f81 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
@@ -207,7 +207,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - defaultListenAddresses = [ "0.0.0.0:80" ]; + Listen = 80 enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From 0b64798dd1158f9ea4c9da35eede216cb1d5d01a Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 23:48:03 +0000 Subject: [PATCH 042/247] first try --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index ceeb9f81..0431c7d5 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -223,7 +223,6 @@ networking.wireguard.interfaces = { -#--------------------------Up-Stream-------------------------------- system.stateVersion = "22.05"; From 614b3bc3b2d78d9d78a2f414957b28c5e8ba430c Mon Sep 17 00:00:00 2001 From: leon Date: Mon, 21 Nov 2022 23:57:57 +0000 Subject: [PATCH 043/247] fix syntax --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 0431c7d5..3cb326fb 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,7 +207,7 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- services.nginx = { - Listen = 80 + Listen = 80; enable = true; virtualHosts."bicospacetech.c3d2.de" = { default = true; From 200b82bd5a920302818fa6d09e155a30ea973fad Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 00:01:49 +0000 Subject: [PATCH 044/247] fix --- hosts/leon/default.nix | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 3cb326fb..85e4479b 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
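Review bot: `Listen = 80;` is not an option of the NixOS nginx module (option names are case-sensitive and there is no `listen` at `services.nginx` level), so evaluation should still fail with "option does not exist" despite the added semicolon. The per-vhost form `listen = [ { addr = "0.0.0.0"; port = 80; } ];` is what the module supports, but since `forceSSL`/`enableACME` already get 80 and 443 from the defaults the line can simply be removed. The `services.nginx` block continues past the hunk.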
@@ -206,19 +206,18 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- - services.nginx = { - Listen = 80; - enable = true; - virtualHosts."bicospacetech.c3d2.de" = { - default = true; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://45.158.40.162:12000"; - proxyWebsockets = true; - }; - }; -}; +# services.nginx = { +# enable = true; +# virtualHosts."bicospacetech.c3d2.de" = { +# default = true; +# forceSSL = true; +# enableACME = true; +# locations."/" = { +# proxyPass = "http://45.158.40.162:12000"; +# proxyWebsockets = true; +# }; +# }; +#}; #-----------------------------ngin-X-------------------------------- From e0d42faa3cab5ad79ec85549d8001f77462939d4 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 00:34:54 +0000 Subject: [PATCH 045/247] update --- hosts/leon/default.nix | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 85e4479b..737ff88f 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -159,17 +159,7 @@ allowedIPs = [ "10.10.11.30" ]; } #---------------------black----------------------------. - { - #black-phone - publicKey= "3GEocBTOztOKWtWQFOmI5hynPiPcMMe54kVaHECAG1A="; - allowedIPs = [ "10.10.11.90" ]; - } - { - #black-desktop - publicKey= "24TAa1HMXTPaFNfbXLkuxVy305NjSAegMSYjKLH5Kjc="; - allowedIPs = [ "10.10.11.91" ]; - } - + ]; }; }; From 0475cc58b0205d6ac5e94180902690584ad2b253 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 12:05:34 +0000 Subject: [PATCH 046/247] add nginx --- hosts/leon/default.nix | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 737ff88f..6f6a3979 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
@@ -196,18 +196,19 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- -# services.nginx = { -# enable = true; -# virtualHosts."bicospacetech.c3d2.de" = { -# default = true; -# forceSSL = true; -# enableACME = true; -# locations."/" = { -# proxyPass = "http://45.158.40.162:12000"; -# proxyWebsockets = true; -# }; -# }; -#}; + services.nginx = { + enable = true; += + virtualHosts."bicospacetech.c3d2.de" = { + default = true; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://45.158.40.162:12000"; + proxyWebsockets = true; + }; + }; +}; #-----------------------------ngin-X-------------------------------- From dab7d198aaa9bc5520080756d68be3094c263199 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 12:08:32 +0000 Subject: [PATCH 047/247] update --- hosts/leon/default.nix | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 6f6a3979..009684b0 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -196,19 +196,18 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- - services.nginx = { - enable = true; -= - virtualHosts."bicospacetech.c3d2.de" = { - default = true; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://45.158.40.162:12000"; - proxyWebsockets = true; - }; - }; -}; +# services.nginx = { +# enable = true; +# virtualHosts."bicospacetech.c3d2.de" = { +# default = true; +# forceSSL = true; +# enableACME = true; +# locations."/" = { +# proxyPass = "http://45.158.40.162:12000"; +# proxyWebsockets = true; +# }; +# }; +#}; #-----------------------------ngin-X-------------------------------- From 436f2e59f01dfcbd6944d4e8956365ddaf77f24f Mon Sep 17 00:00:00 2001 
From: leon Date: Tue, 22 Nov 2022 12:09:51 +0000 Subject: [PATCH 048/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 009684b0..792c2fe2 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -70,7 +70,7 @@ networking.firewall = { allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ]; - allowedUDPPorts = [ 5000 22 53 80 8080 18900 19900 ]; + allowedUDPPorts = [ 53 80 8080 18900 19900 ]; }; #_______________________________Begin-VPN1-Server____________________________________ From f6f280c008e9884af60d722e8300dcd3171648c2 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 12:15:45 +0000 Subject: [PATCH 049/247] update --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 792c2fe2..e790fd20 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -26,7 +26,6 @@ # `...-' `...-' #-------------------------------------------------------------------------------- - { config, lib, pkgs, ... }: { From 2cd2f86bc5c6cdbb77ed1e1ff1eda24cde6fad09 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 18:30:32 +0000 Subject: [PATCH 050/247] update nginx --- hosts/leon/default.nix | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index e790fd20..bc6929b9 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
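Review bot: `allowedUDPPorts = [ 53 80 8080 18900 19900 ]` keeps UDP 53 open to everything (TCP 53 stays open on the line above), which is only safe if the resolver on this host is authoritative-only or ACL'd — if the host is reachable from the internet, an open recursive resolver is an amplification source. UDP 80 and 8080 match no listed service (nginx is TCP-only), so they are dead entries. Suggest `allowedUDPPorts = [ 53 18900 19900 ]; # 53: DNS — recursion must be disabled or ACL'd` if a DNS server really runs here, otherwise drop 53 from both lists.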
@@ -195,18 +195,19 @@ networking.wireguard.interfaces = { #-----------------------------ngin-X-------------------------------- -# services.nginx = { -# enable = true; -# virtualHosts."bicospacetech.c3d2.de" = { -# default = true; -# forceSSL = true; -# enableACME = true; -# locations."/" = { -# proxyPass = "http://45.158.40.162:12000"; -# proxyWebsockets = true; -# }; -# }; -#}; + services.nginx = { + enable = true; + listen = [{port = 80; addr="0.0.0.0"; ssl=true;}]; + virtualHosts."bicospacetech.c3d2.de" = { + default = true; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://45.158.40.162:12000"; + proxyWebsockets = true; + }; + }; +}; #-----------------------------ngin-X-------------------------------- From b0d3cdc14f431e312c347e65f08b34543564f964 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 18:32:58 +0000 Subject: [PATCH 051/247] update nginx --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index bc6929b9..a1ac555b 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -197,8 +197,8 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; - listen = [{port = 80; addr="0.0.0.0"; ssl=true;}]; virtualHosts."bicospacetech.c3d2.de" = { + listen = [{port = 80; addr="0.0.0.0"; ssl=true;}]; default = true; forceSSL = true; enableACME = true; From dcc2dfd349ecb760101e22a40bc460849b6533b8 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 18:48:14 +0000 Subject: [PATCH 052/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index a1ac555b..b5ae2ecf 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
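Review bot: Moving `listen = [{port = 80; addr="0.0.0.0"; ssl=true;}]` into the vhost makes it the only listener, so nginx speaks TLS on port 80 and nothing on 443: plain-HTTP clients get a handshake error and the redirect `forceSSL` emits to `https://bicospacetech.c3d2.de/` has no listener to land on. Either drop `listen` (the defaults already give 80 plain plus 443 TLS for `forceSSL`) or list both: `{ addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 443; ssl = true; }`. The vhost block continues outside the hunk.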
@@ -198,7 +198,7 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [{port = 80; addr="0.0.0.0"; ssl=true;}]; + listen = [{port = 80; addr="0.0.0.0"; }]; default = true; forceSSL = true; enableACME = true; From d5dc241f3e599736519681a7dacff51b2c082ce0 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 19:57:44 +0000 Subject: [PATCH 053/247] update --- hosts/leon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index b5ae2ecf..94956a8f 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,9 +198,9 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [{port = 80; addr="0.0.0.0"; }]; + listen = [{port = 80; }]; default = true; - forceSSL = true; + forceSSL = false; enableACME = true; locations."/" = { proxyPass = "http://45.158.40.162:12000"; From 830c9a8f97c2fbbd570671cb1b6536a100d131c2 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 19:58:47 +0000 Subject: [PATCH 054/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 94956a8f..75c65953 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,7 +198,7 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [{port = 80; }]; + listen = [port = 80 ]; default = true; forceSSL = false; enableACME = true; From 1c46b257711b795495b584c6c63d29c017fd69a8 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 19:59:33 +0000 Subject: [PATCH 055/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 75c65953..f66926dc 100644 --- a/hosts/leon/default.nix 
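Review bot: `forceSSL = false` together with `enableACME = true` obtains a certificate but no longer redirects, so the `bicospacetech.c3d2.de` proxy (and whatever logs in through it) is reachable over plain HTTP until PATCH 060 flips it back. If the goal was only to get ACME issuance working, the blocker was the `listen` value rather than `forceSSL`; `listen = [{ port = 80; }]` here also removes the 443 listener, so the freshly issued certificate would never be served at all. The `listen = [port = 80 ]` form in the following hunk (PATCH 054) is not valid Nix either — list elements need `{ … }` around attribute bindings — and the enclosing `services.nginx` block starts before this hunk.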
+++ b/hosts/leon/default.nix @@ -198,7 +198,7 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [port = 80 ]; + listen = [port = 80; ]; default = true; forceSSL = false; enableACME = true; From 9032b47bba6a55d4c1c31a42f371fa58642b0201 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 20:00:19 +0000 Subject: [PATCH 056/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index f66926dc..838b619b 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,7 +198,7 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [port = 80; ]; + listen = [{port = 80; addr="localhost";} ]; default = true; forceSSL = false; enableACME = true; From b2d52e18ea0bdd19198821daccca5f6e45f1a518 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 20:30:48 +0000 Subject: [PATCH 057/247] add nameserver --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 838b619b..177c98b4 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -66,7 +66,7 @@ openssh.authorizedKeys.keys = with import ../../users.nix; leon.sshKeys; }; - + networking.nameservers = ["172.20.73.8","9.9.9.9"] networking.firewall = { allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ]; allowedUDPPorts = [ 53 80 8080 18900 19900 ]; From c3d1cb2fa67d424e621ae2bc0ef490f66e5e2f14 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 20:31:51 +0000 Subject: [PATCH 058/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 177c98b4..30744384 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
@@ -66,7 +66,7 @@ openssh.authorizedKeys.keys = with import ../../users.nix; leon.sshKeys; }; - networking.nameservers = ["172.20.73.8","9.9.9.9"] + networking.nameservers = ["172.20.73.8" "9.9.9.9"] networking.firewall = { allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ]; allowedUDPPorts = [ 53 80 8080 18900 19900 ]; From ac039e0367ef2344a516a7ec551e822ef950840b Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 20:32:38 +0000 Subject: [PATCH 059/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 30744384..06ef1c68 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -66,7 +66,7 @@ openssh.authorizedKeys.keys = with import ../../users.nix; leon.sshKeys; }; - networking.nameservers = ["172.20.73.8" "9.9.9.9"] + networking.nameservers = ["172.20.73.8" "9.9.9.9"]; networking.firewall = { allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ]; allowedUDPPorts = [ 53 80 8080 18900 19900 ]; From 7a749c9a4507d2c502419f11cfdfe1b41715cf8f Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 20:43:42 +0000 Subject: [PATCH 060/247] update --- hosts/leon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 06ef1c68..097bd250 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,9 +198,9 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - listen = [{port = 80; addr="localhost";} ]; + # listen = [{port = 80; addr="localhost";} ]; default = true; - forceSSL = false; + forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://45.158.40.162:12000"; From 9ea5e27a42cd8b05e1d81ac2ef4dd884b95d900a Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 21:14:14 +0000 Subject: [PATCH 061/247] update nginx --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) 
diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 097bd250..d2ad5895 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,7 +198,6 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - # listen = [{port = 80; addr="localhost";} ]; default = true; forceSSL = true; enableACME = true; From ecd85a41e8a580ad4232ebc3f6b5ff32c68a4fe1 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 21:34:16 +0000 Subject: [PATCH 062/247] update --- hosts/leon/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index d2ad5895..e4266fd7 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -206,6 +206,17 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; + virtualHosts."cloud.bicospacetech.c3d2.de" = { + default = true; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://45.158.40.162:8080"; + proxyWebsockets = true; + }; + } + + }; #-----------------------------ngin-X-------------------------------- From 345960c777d6b73bad0c17363d7068f1a1974e7c Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 21:34:51 +0000 Subject: [PATCH 063/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index e4266fd7..e1888844 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -214,7 +214,7 @@ networking.wireguard.interfaces = { proxyPass = "http://45.158.40.162:8080"; proxyWebsockets = true; }; - } + }; }; From 056276a5796f18e3562f21372c93f34e4ee8a1f1 Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 21:52:00 +0000 Subject: [PATCH 064/247] update --- hosts/leon/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index e1888844..81913963 100644 
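Review bot: Both `virtualHosts."bicospacetech.c3d2.de"` and the new `"cloud.bicospacetech.c3d2.de"` set `default = true`, and nginx refuses a second `default_server` on the same listen socket, so the configuration still fails to load once the missing `;` after the closing `}` (fixed in PATCH 063) is added. Only one vhost can be the catch-all, and that vhost is the one that answers requests carrying an unknown or missing Host header, so it is better placed on a dedicated vhost that returns an error than on a proxied application. The `services.nginx` block starts before this hunk.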
--- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,7 +198,7 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - default = true; + # default = true; forceSSL = true; enableACME = true; locations."/" = { @@ -207,7 +207,6 @@ networking.wireguard.interfaces = { }; }; virtualHosts."cloud.bicospacetech.c3d2.de" = { - default = true; forceSSL = true; enableACME = true; locations."/" = { @@ -215,8 +214,6 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; - - }; #-----------------------------ngin-X-------------------------------- From 50d29f7af3aa8d77c3bc20d2832e9ae9e3e6d2ea Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 23:27:40 +0000 Subject: [PATCH 065/247] update --- hosts/leon/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 81913963..52921d6f 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -198,7 +198,6 @@ networking.wireguard.interfaces = { services.nginx = { enable = true; virtualHosts."bicospacetech.c3d2.de" = { - # default = true; forceSSL = true; enableACME = true; locations."/" = { @@ -210,10 +209,9 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://45.158.40.162:8080"; + proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; - }; }; #-----------------------------ngin-X-------------------------------- From bcd82e69fefeb619d50c0e5aecab05d7ce92f19e Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 23:28:41 +0000 Subject: [PATCH 066/247] update --- hosts/leon/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 52921d6f..0c2a4319 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix 
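Review bot: Removing `default = true` from both hosts leaves no explicit default server, so nginx falls back to the first `server` block on the socket — which with the module's alphabetical attribute ordering appears to be `bicospacetech.c3d2.de` — meaning any request with an unmatched Host header or SNI name (scanners hitting the bare IP, for instance) is proxied to `45.158.40.162:12000`. A small catch-all vhost such as `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` makes that behaviour explicit and keeps unmatched traffic away from the applications. The same gap applies to the hunks in PATCH 065 and PATCH 070 that add further proxied hosts.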
@@ -212,6 +212,11 @@ networking.wireguard.interfaces = { proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; + }; + + + + }; #-----------------------------ngin-X-------------------------------- @@ -220,4 +225,5 @@ networking.wireguard.interfaces = { system.stateVersion = "22.05"; -} + +}; From f2b57ee0ec3eb6b6811a716bb9f60080d30ed65f Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 23:29:03 +0000 Subject: [PATCH 067/247] update --- hosts/leon/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 0c2a4319..040aab68 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -223,7 +223,5 @@ networking.wireguard.interfaces = { - system.stateVersion = "22.05"; -}; From 37dd2e059114125b5e09485bacdb168686b0082f Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 23:30:10 +0000 Subject: [PATCH 068/247] update --- hosts/leon/default.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 040aab68..9f4c7a38 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -213,15 +213,9 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; - - - - }; #-----------------------------ngin-X-------------------------------- - - - system.stateVersion = "22.05"; +}; From 45d40e1e1be428b74561c3795ef6330ef56252ad Mon Sep 17 00:00:00 2001 From: leon Date: Tue, 22 Nov 2022 23:31:39 +0000 Subject: [PATCH 069/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 9f4c7a38..01379a8b 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -218,4 +218,4 @@ networking.wireguard.interfaces = { system.stateVersion = "22.05"; -}; +} From 08c76646254ef7d3cf38ebdd9742010b29616a50 Mon Sep 17 00:00:00 2001 
From: leon Date: Tue, 22 Nov 2022 23:51:09 +0000 Subject: [PATCH 070/247] update --- hosts/leon/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 01379a8b..83f7e3ed 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -213,6 +213,16 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; + virtualHosts."portainer.netlab.ly" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://10.10.11.60:9000"; + proxyWebsockets = true; + }; + }; + + }; #-----------------------------ngin-X-------------------------------- From 474c9f90da37574e8cc7b89cc49e61b90b66adb7 Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 23 Nov 2022 12:52:45 +0000 Subject: [PATCH 071/247] update ' --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 83f7e3ed..5b3677e5 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -25,7 +25,6 @@ # ' / `-----'' / | # `...-' `...-' #-------------------------------------------------------------------------------- - { config, lib, pkgs, ... }: { From f377c855c5dd773edd21923bbc408fb82d50c9a9 Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 23 Nov 2022 18:33:24 +0000 Subject: [PATCH 072/247] add domain to proxy --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 5b3677e5..c74b94a7 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -212,7 +212,7 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; - virtualHosts."portainer.netlab.ly" = { + virtualHosts."portainer.netlab.c3d2.de" = { forceSSL = true; enableACME = true; locations."/" = { From 2ecc87364749c2fdba574406ac7b5dd912dc3757 Mon Sep 17 00:00:00 2001 
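Review bot: The new `portainer.netlab.ly` vhost publishes a container-management UI to the whole internet with only Portainer's own login in front of it; since that UI administers the container runtime on `10.10.11.60`, it is the most sensitive upstream in this file and deserves a source restriction at the proxy, e.g. `locations."/".extraConfig = "allow <ADMIN-NET-PREFIX>; deny all;";` for the WireGuard/LAN range that actually needs it (placeholder — substitute the real admin network), or at least HTTP basic auth via `basicAuthFile`. ACME issuance also only succeeds if `portainer.netlab.ly` resolves to this host's public address; PATCH 072 renames it to `portainer.netlab.c3d2.de`, which suggests it did not. The enclosing `services.nginx` block starts before this hunk.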
From: Astro Date: Wed, 23 Nov 2022 21:30:30 +0100 Subject: [PATCH 073/247] =?UTF-8?q?flake.nix=20nixpkgs:=20=F0=9F=A5=81nixo?= =?UTF-8?q?s-22.05=20->=20nixos-22.11=F0=9F=A5=B3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index ff5afe8d..861fcf1f 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "C3D2 NixOS configurations"; inputs = { - nixos.url = "github:nixos/nixpkgs/nixos-22.05"; + nixos.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon"; nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:nixos/nixos-hardware"; From 7befe68673733dab7b2e192f5c5c35c0c465c2fd Mon Sep 17 00:00:00 2001 
From: Astro Date: Wed, 23 Nov 2022 21:32:19 +0100 Subject: [PATCH 074/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'fenix': 'github:nix-community/fenix/c14b8c6f9fc5b6209de2a85e1882e65c72d788a6' (2022-11-20) → 'github:nix-community/fenix/72b820427fbd59a55368cda4de159134764e3ff6' (2022-11-23) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/38fa47fd79b38d3ca7665943a93c577d3a9166a8' (2022-11-19) → 'github:rust-lang/rust-analyzer/26562973b3482a635416b2b663a13016d4d90e20' (2022-11-20) • Updated input 'harmonia': 'github:helsinki-systems/harmonia/9b61645fce85a7abfe6e812f68df085d688f9711' (2022-11-14) → 'github:helsinki-systems/harmonia/20114c21d1c902a8f5ad7be7744df241a784a06d' (2022-11-21) • Updated input 'nixos': 'github:nixos/nixpkgs/b68a6a27adb452879ab66c0eaac0c133e32823b2' (2022-11-20) → 'github:nixos/nixpkgs/c9538a9b7074925ac117835c775fb81d0e7f98fa' (2022-11-22) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/1108c1b8614017c8b52005054fd27a00e4feb51b' (2022-11-20) → 'github:nixos/nixos-hardware/0099253ad0b5283f06ffe31cf010af3f9ad7837d' (2022-11-22) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/690ffff026b4e635b46f69002c0f4e81c65dfc2e' (2022-11-20) → 'github:nixos/nixpkgs/2788904d26dda6cfa1921c5abb7a2466ffe3cb8c' (2022-11-22) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/18bc5eb199484ee61baac3f6a8ae7f775cf7f835' (2022-11-20) → 'github:astro/nix-openwrt-imagebuilder/56c7ad52bb513497b458a71f34378103497847d2' (2022-11-22) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/5200195aa2a0cef1becc2ba6ff61cba65e1f90fe' (2022-11-20) → 'github:oxalica/rust-overlay/c90c223c4aef334356029b89c72bb65e26f7efe6' (2022-11-23) --- flake.lock | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) 
diff --git a/flake.lock b/flake.lock index cae29f9e..b2cff1a1 100644 --- a/flake.lock +++ b/flake.lock @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1668925554, - "narHash": "sha256-QTKjWgQbr6y4xtiehgs3A75Slf130LNGlsPPCuxWpAk=", + "lastModified": 1669184726, + "narHash": "sha256-YF3xLbY3eJ3d4x3fkh8pASeJ4Y7P2vTg8spdRKLDnM8=", "owner": "nix-community", "repo": "fenix", - "rev": "c14b8c6f9fc5b6209de2a85e1882e65c72d788a6", + "rev": "72b820427fbd59a55368cda4de159134764e3ff6", "type": "github" }, "original": { @@ -144,11 +144,11 @@ "harmonia": { "flake": false, "locked": { - "lastModified": 1668458039, - "narHash": "sha256-w4OCjMRPrPIY0dlUkiA1XPSmRstnNSRVmglw7hfSs3s=", + "lastModified": 1669064695, + "narHash": "sha256-f+9XR/ExbjgjTfIp2TmBf3hiVzLFBdpO/tjGLDUr6lY=", "owner": "helsinki-systems", "repo": "harmonia", - "rev": "9b61645fce85a7abfe6e812f68df085d688f9711", + "rev": "20114c21d1c902a8f5ad7be7744df241a784a06d", "type": "github" }, "original": { @@ -349,16 +349,16 @@ }, "nixos": { "locked": { - "lastModified": 1668908668, - "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=", + "lastModified": 1669101869, + "narHash": "sha256-gEEtP8LdTEDX/ixNL5ZmevmQcaWDiQioM2IjB+PdOgI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2", + "rev": "c9538a9b7074925ac117835c775fb81d0e7f98fa", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.05", + "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" } @@ -381,11 +381,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1668973873, - "narHash": "sha256-DnTrRduUIRgsCBruvUXsaBw2G46JNq6/DtrM5R7VrRc=", + "lastModified": 1669146234, + "narHash": "sha256-HEby7EG1yaq1oT2Ze6Cvok9CFju1XHkSvVHmkptLW9U=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "1108c1b8614017c8b52005054fd27a00e4feb51b", + "rev": "0099253ad0b5283f06ffe31cf010af3f9ad7837d", "type": "github" }, "original": { 
@@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1668905981, - "narHash": "sha256-RBQa/+9Uk1eFTqIOXBSBezlEbA3v5OkgP+qptQs1OxY=", + "lastModified": 1669140675, + "narHash": "sha256-npzfyfLECsJWgzK/M4gWhykP2DNAJTYjgY2BWkz/oEQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "690ffff026b4e635b46f69002c0f4e81c65dfc2e", + "rev": "2788904d26dda6cfa1921c5abb7a2466ffe3cb8c", "type": "github" }, "original": { @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1668977168, - "narHash": "sha256-o5cLuUI+Ybiewd8OqjNWO7fNFsZuKoW4b9F995lRa4Q=", + "lastModified": 1669149569, + "narHash": "sha256-2ZE6flQ95vzM2AOfng6cjPnpCf/R3tHNB039wYAOv+8=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "18bc5eb199484ee61baac3f6a8ae7f775cf7f835", + "rev": "56c7ad52bb513497b458a71f34378103497847d2", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1668863377, - "narHash": "sha256-dPvXzzQKqU1vrosYjniwRHA8NGhSD1EljMLwcWJxzFU=", + "lastModified": 1668974383, + "narHash": "sha256-ULEwMFhcr+0z4r//BSZVFV5Nh1+opwwYBk/ZzEptjqw=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "38fa47fd79b38d3ca7665943a93c577d3a9166a8", + "rev": "26562973b3482a635416b2b663a13016d4d90e20", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1668912095, - "narHash": "sha256-3oGeJgeA4+8Wj2XZnbZKJYHoZziyJl36ZGU49I2VC8U=", + "lastModified": 1669170936, + "narHash": "sha256-TKPH4Pzkjw5gAPo9hejs3O4mWJW6V/RSiOj8UuSFRTs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5200195aa2a0cef1becc2ba6ff61cba65e1f90fe", + "rev": "c90c223c4aef334356029b89c72bb65e26f7efe6", "type": "github" }, "original": { From 3ef0df9608b8041ed96a5bee16cae2fa6b1205df Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 24 Nov 2022 00:03:12 +0100 Subject: [PATCH 075/247] sdrweb: allot 16 cores --- hosts/sdrweb/default.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix index 798a600f..b3ebbc05 100644 --- a/hosts/sdrweb/default.nix +++ b/hosts/sdrweb/default.nix @@ -4,6 +4,7 @@ # needs to keep just its ssh key for sops-nix persistedShares = [ "/home" "/etc" "/var" ]; mem = 4096; + vcpu = 16; }; c3d2 = { isInHq = false; From 9fca77eb572836e024aa67c9cc8f5171a1e3a330 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 24 Nov 2022 00:03:30 +0100 Subject: [PATCH 076/247] modules/cluster/deployment-options: let deployment.vcpu default to 4 --- modules/cluster/deployment-options.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index cea6881c..9878ce32 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -4,7 +4,7 @@ options.deployment = with lib; { vcpu = mkOption { type = types.int; - default = 2; + default = 4; }; mem = mkOption { type = types.int; From f1203f33df5766bf851b1582bd1ea74699e5f6ec Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 01:43:35 +0000 Subject: [PATCH 077/247] add html --- hosts/leon/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index c74b94a7..14359264 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,7 +207,8 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - locations."/" = { + locations."/home" = { + index dude.html; proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; From 4a1ac9dc9d867ef33c427a3b76975ebeced4ef5a Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 01:44:34 +0000 Subject: [PATCH 078/247] fix --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 14359264..98c94276 100644 
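Review bot: `index dude.html;` is raw nginx directive syntax inside a Nix attribute set, so the file no longer evaluates; the module exposes this as `index = "dude.html";` (PATCH 078 drops the stray form but leaves `dude.html` unquoted, which Nix reads as an attribute path rather than a string). Beyond the syntax, `index` only applies when nginx serves files itself — with `proxyPass` set in the same location the request is handed to the upstream and the directive has no effect, so the location needs either `root`/`index` or `proxyPass`, not both. The enclosing `virtualHosts."cloud.bicospacetech.c3d2.de"` block starts before this hunk.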
--- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -208,7 +208,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/home" = { - index dude.html; + index = dude.html; proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; From afcd7f32a72fb7055e6a88e0c5ca095671333b12 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 01:45:39 +0000 Subject: [PATCH 079/247] fix --- hosts/leon/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 98c94276..272222b3 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,8 +207,7 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - locations."/home" = { - index = dude.html; + locations."/home/dude.html" = { proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; From 3d5e202ac0669f51bb31dbe47854dbf53e69150a Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 01:52:57 +0000 Subject: [PATCH 080/247] update --- hosts/leon/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 272222b3..23886ea3 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,8 +207,10 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - locations."/home/dude.html" = { - proxyPass = "http://10.10.11.2:2500"; + locations."/html/" = { + root = "/home/html"; + index dude.html; + #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; }; From 65eba5ebf7877f9cc61b980b38d8953de7cd67e1 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 01:53:55 +0000 Subject: [PATCH 081/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 23886ea3..40457c2f 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -208,7 +208,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/html/" = { - root = "/home/html"; + root = "/home/html/"; index dude.html; #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; From 80c8ed5a45dfb9d43286d809deb7f1e2527661e0 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 02:00:27 +0000 Subject: [PATCH 082/247] update --- hosts/leon/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 40457c2f..738b3e4e 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,9 +207,9 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - locations."/html/" = { - root = "/home/html/"; - index dude.html; + root = /home/html; + index index.html; + locations."/" = { #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; From e4262a4dab2b53ffd4b32a2a99b9b772d8d954e2 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 02:00:58 +0000 Subject: [PATCH 083/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 738b3e4e..107a29a2 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -208,7 +208,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; root = /home/html; - index index.html; + index = index.html; locations."/" = { #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; From aa607866d12255ed2cfc750a940d3e0c3bced49a Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 02:01:39 +0000 Subject: [PATCH 084/247] update --- hosts/leon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
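Review bot: `root = /home/html;` is a Nix path literal, not a string, so when the module interpolates it into `nginx.conf` Nix copies the whole `/home/html` directory into the Nix store at build time: the served content becomes a world-readable, immutable snapshot under `/nix/store`, and any non-public file in that directory is exposed to every local user of the build and target hosts. Quoting it — `root = "/home/html";` — as PATCH 084 eventually does keeps nginx reading the live directory instead; `index index.html;` on the next line has the same Nix-syntax problem as PATCH 077. With `proxyPass` commented out, `proxyWebsockets = true` is left without an upstream and is dead configuration until PATCH 086 restores the proxy.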
diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 107a29a2..86f54cf1 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,8 +207,8 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - root = /home/html; - index = index.html; + root = "/home/html"; + index = "index.html"; locations."/" = { #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; From 82c6de7b9d9c6de17ecc43fd55d136906cfe0ab8 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 02:04:18 +0000 Subject: [PATCH 085/247] update --- hosts/leon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 86f54cf1..93e94d8c 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,9 +207,9 @@ networking.wireguard.interfaces = { virtualHosts."cloud.bicospacetech.c3d2.de" = { forceSSL = true; enableACME = true; - root = "/home/html"; - index = "index.html"; locations."/" = { + root = "/home/html"; + index = "index.html"; #proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; From 69da87ecdb293ccf3c45850d8fe8acb60dc9c819 Mon Sep 17 00:00:00 2001 From: leon Date: Thu, 24 Nov 2022 02:07:13 +0000 Subject: [PATCH 086/247] update --- hosts/leon/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 93e94d8c..81b7633c 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -208,9 +208,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/" = { - root = "/home/html"; - index = "index.html"; - #proxyPass = "http://10.10.11.2:2500"; + proxyPass = "http://10.10.11.2:2500"; proxyWebsockets = true; }; }; From 8c9afdf9b810858f975e65cd39da974e1b34ecbe Mon Sep 17 00:00:00 2001 
From: Astro Date: Thu, 24 Nov 2022 18:48:34 +0100 Subject: [PATCH 087/247] server8: init --- flake.nix | 10 ++++ hosts/server8/default.nix | 41 ++++++++++++++++ hosts/server8/hardware-configuration.nix | 61 ++++++++++++++++++++++++ 3 files changed, 112 insertions(+) create mode 100644 hosts/server8/default.nix create mode 100644 hosts/server8/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 861fcf1f..c7188f67 100644 --- a/flake.nix +++ b/flake.nix @@ -854,6 +854,16 @@ ]; }; + server8 = nixosSystem' { + modules = [ + ./hosts/server8 + self.nixosModules.cluster-network + self.nixosModules.cluster + skyflake.nixosModules.default + { _module.args = { inherit self; }; } + ]; + }; + server9 = nixosSystem' { modules = [ ./hosts/server9 diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix new file mode 100644 index 00000000..da572ea3 --- /dev/null +++ b/hosts/server8/default.nix @@ -0,0 +1,41 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ]; + + + boot = { + loader.grub = { + enable = true; + version = 2; + # Define on which hard drive you want to install Grub. + device = "/dev/disk/by-id/scsi-3600300570140a6102b0acad9825149f2"; # or "nodev" for efi only + }; + + # kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + kernelParams = [ + "preempt=none" + # No server/router runs any untrusted user code + "mitigations=off" + ]; + tmpOnTmpfs = true; + tmpOnTmpfsSize = "80%"; + }; + + networking = { + hostName = "server8"; + hostId = "08080808"; + }; + system.stateVersion = "22.11"; + services.openssh.enable = true; + + services.zfs.autoScrub.enable = true; + services.smartd.enable = true; + + c3d2 = { + # deployment.microvmBaseZfsDataset = "tank/storage"; + hq.statistics.enable = true; + }; +} diff --git a/hosts/server8/hardware-configuration.nix b/hosts/server8/hardware-configuration.nix new file mode 100644 index 00000000..597568d2 --- /dev/null +++ b/hosts/server8/hardware-configuration.nix 
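Review bot: `mitigations=off` is justified in the comment by "No server/router runs any untrusted user code", but PATCH 088 immediately adds server8 to `microvmServers`, and the guests it will host (other users' VMs in this repository) are exactly the boundary those mitigations protect — the KVM-relevant ones exist because, without them, a guest can observe host or neighbouring-guest memory through CPU side channels. Either drop the parameter on the microvm hosts or replace the comment with an explicit risk acceptance such as `# mitigations=off accepted for this host: all guests are operated by the same team — revisit before hosting third-party VMs`. Smaller items: `loader.grub.version = 2` is, as far as I recall, ignored and slated for removal in recent NixOS releases, and `tmpOnTmpfsSize = "80%"` lets `/tmp` consume most of the RAM the microvms are meant to share, which looks like it should be lower on a hypervisor; the generated `hardware-configuration.nix` that follows needs no review.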
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "megaraid_sas" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "server8_root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "server8_root/nixos/var"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "server8_root/nixos/nix"; + fsType = "zfs"; + }; + + fileSystems."/nix/store" = + { device = "server8_root/nixos/nix/store"; + fsType = "zfs"; + }; + + fileSystems."/nix/var" = + { device = "server8_root/nixos/nix/var"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/984ea997-9591-4efb-8212-8381ad829d0b"; + fsType = "ext2"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0f1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0f2.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0f3.useDHCP = lib.mkDefault true; + # networking.interfaces.enp8s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp8s0f1.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} From 79dcef419e97ea61627c4685392da56665a963b0 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 24 Nov 2022 19:37:42 +0100 Subject: [PATCH 088/247] modules/cluster/default: add server8 --- modules/cluster/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 3c0a2605..7c4df37d 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -4,8 +4,8 @@ let # hydra does *not* use this module because it only runs a nomad # server but no client and no microvms - servers = [ "server9" "server10" "hydra" ]; - microvmServers = [ "server9" "server10" ]; + servers = [ "server8" "server9" "server10" "hydra" ]; + microvmServers = [ "server8" "server9" "server10" ]; serverNet = server: builtins.foldl' (result: net: From 7a19ac58e3022cbafa877cdadf6414f9468ec165 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 24 Nov 2022 21:03:54 +0100 Subject: [PATCH 089/247] modules/cluster/default: add glusterfs big --- modules/cluster/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 7c4df37d..029c762b 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix 
@@ -6,6 +6,7 @@ let # server but no client and no microvms servers = [ "server8" "server9" "server10" "hydra" ]; microvmServers = [ "server8" "server9" "server10" ]; + storageServers = [ "server8" "server9" ]; serverNet = server: builtins.foldl' (result: net: @@ -63,6 +64,10 @@ in { servers = microvmServers; mountPoint = "/glusterfs/fast"; source = "/var/glusterfs-fast"; + } { + servers = storageServers; + mountPoint = "/glusterfs/big"; + source = "/var/glusterfs-big"; } ]; }; }; From deb314f8e438bb66fa228b254e83a3ca9c695528 Mon Sep 17 00:00:00 2001 From: leon Date: Fri, 25 Nov 2022 18:05:46 +0000 Subject: [PATCH 090/247] update --- hosts/leon/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 81b7633c..9e272728 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -26,7 +26,6 @@ # `...-' `...-' #-------------------------------------------------------------------------------- { config, lib, pkgs, ... }: - { deployment = { persistedShares = [ "/etc" "/home" "/var" ]; From 3c0c101dd7aec073d7a81e7158fa59142b85a25d Mon Sep 17 00:00:00 2001 From: leon Date: Fri, 25 Nov 2022 18:33:58 +0000 Subject: [PATCH 091/247] update --- hosts/leon/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 9e272728..ca0e295a 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -25,6 +25,7 @@ # ' / `-----'' / | # `...-' `...-' #-------------------------------------------------------------------------------- + { config, lib, pkgs, ... }: { deployment = { From 27d2252d1116a82f4e391aeec015f675e17d9215 Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 25 Nov 2022 22:49:38 +0100 Subject: [PATCH 092/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'affection-src': 'git+https://gitea.nek0.eu/nek0/affection?ref=master&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) → 'git+https://gitea.nek0.eu/nek0/affection?ref=refs%2fheads%2fmaster&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) • Updated input 'caveman': 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=b4ee13f46de3287a868ddba9ba9b970140ab99c9' (2022-11-20) → 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=691af99c36ad47bdf143df027766de2b2f349175' (2022-11-25) • Updated input 'fenix': 'github:nix-community/fenix/72b820427fbd59a55368cda4de159134764e3ff6' (2022-11-23) → 'github:nix-community/fenix/0d4b86633d6c5438a7b97d485f02e7e18101a541' (2022-11-25) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/26562973b3482a635416b2b663a13016d4d90e20' (2022-11-20) → 'github:rust-lang/rust-analyzer/1e6a49a801708a8bcbe429ce03f614a7951bdb11' (2022-11-24) • Updated input 'heliwatch': 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=master&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) → 'git+https://gitea.c3d2.de/astro/heliwatch.git?ref=refs%2fheads%2fmaster&rev=f7cf04a7ad47e388121f0771651fec0df91407f3' (2022-07-15) • Updated input 'microvm': 'github:astro/microvm.nix/682b1e76e7fefdf350f3dc9e84002a8488e2b86d' (2022-11-21) → 'github:astro/microvm.nix/c21a70fe1ac05ccdfceff6506625e9d44cd91da5' (2022-11-24) • Updated input 'nixos': 'github:nixos/nixpkgs/c9538a9b7074925ac117835c775fb81d0e7f98fa' (2022-11-22) → 'github:nixos/nixpkgs/8690906c4d80db5d85f52313a8487bf2e7b8d4c5' (2022-11-25) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/2788904d26dda6cfa1921c5abb7a2466ffe3cb8c' (2022-11-22) → 'github:nixos/nixpkgs/27ccd29078f974ddbdd7edc8e38c8c8ae003c877' (2022-11-24) • 
Updated input 'openwrt': 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=079ce0413a1e3c19dd00be1b90de737c2bc09223' (2022-11-13) → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=829cc60a281b9da1ede262d32f1359b4d997555f' (2022-11-24) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/56c7ad52bb513497b458a71f34378103497847d2' (2022-11-22) → 'github:astro/nix-openwrt-imagebuilder/a34bbf93ead52375a103ba5ad4a147062cea8a89' (2022-11-25) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/c90c223c4aef334356029b89c72bb65e26f7efe6' (2022-11-23) → 'github:oxalica/rust-overlay/87fee4b5b0ed4bc7f6db2e878a8c93db8d631e01' (2022-11-25) • Updated input 'scrapers': 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=master&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) → 'git+https://gitea.c3d2.de/astro/scrapers.git?ref=refs%2fheads%2fmaster&rev=3700761dd06f271ef26261ed2a90dce8c22b6dca' (2022-10-10) • Updated input 'secrets': 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=master&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) → 'git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git?ref=refs%2fheads%2fmaster&rev=5ca106f648bef15d9954d956bda336eea28e8d75' (2022-08-07) • Updated input 'skyflake': 'github:astro/skyflake/365bfb5aa5b42a48b18c4fc0d9cab30bcd62c74a' (2022-11-21) → 'github:astro/skyflake/162a95bbe72c91f2a43ea40773761464e2c659cc' (2022-11-25) • Updated input 'ticker': 'git+https://gitea.c3d2.de/astro/ticker.git?ref=master&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) → 'git+https://gitea.c3d2.de/astro/ticker.git?ref=refs%2fheads%2fmaster&rev=22ecb2b375bebffdfb1af3435a4c4486e6dd923b' (2022-10-23) • Updated input 'tracer': 'git+https://gitea.c3d2.de/astro/tracer?ref=master&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' (2022-09-15) → 'git+https://gitea.c3d2.de/astro/tracer?ref=refs%2fheads%2fmaster&rev=6d8d2cb1268d26add05baa3f21c325cfe051add3' 
(2022-09-15) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=master&rev=9af9b5fef3208dcea17fc1e53936772238d34ae4' (2022-11-21) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=5113cf888d44e8e333e3f4ae0e39e898b0151e1e' (2022-11-24) --- flake.lock | 86 +++++++++++++++++++++++++++--------------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/flake.lock b/flake.lock index b2cff1a1..8cfd49fa 100644 --- a/flake.lock +++ b/flake.lock @@ -12,7 +12,7 @@ "locked": { "lastModified": 1663176622, "narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=", - "ref": "master", + "ref": "refs/heads/master", "rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818", "revCount": 293, "type": "git", @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1668912024, - "narHash": "sha256-2YI6X5gxwvrjmtOk8qrpU1564b58rL0AvKUSDevq7iU=", + "lastModified": 1669340633, + "narHash": "sha256-/VMi0ea0D+/sHsROVe4c+7q3n3DvpDRONcd+hko8j1g=", "ref": "main", - "rev": "b4ee13f46de3287a868ddba9ba9b970140ab99c9", - "revCount": 131, + "rev": "691af99c36ad47bdf143df027766de2b2f349175", + "revCount": 138, "type": "git", "url": "https://gitea.c3d2.de/astro/caveman.git" }, @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1669184726, - "narHash": "sha256-YF3xLbY3eJ3d4x3fkh8pASeJ4Y7P2vTg8spdRKLDnM8=", + "lastModified": 1669357571, + "narHash": "sha256-jKMZjewUOD6s71xP8zaTZ/oB3dtHM2D/cLgHoNQ9s80=", "owner": "nix-community", "repo": "fenix", - "rev": "72b820427fbd59a55368cda4de159134764e3ff6", + "rev": "0d4b86633d6c5438a7b97d485f02e7e18101a541", "type": "github" }, "original": { @@ -175,7 +175,7 @@ "locked": { "lastModified": 1657923513, "narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=", - "ref": "master", + "ref": "refs/heads/master", "rev": "f7cf04a7ad47e388121f0771651fec0df91407f3", "revCount": 61, "type": "git", 
@@ -237,11 +237,11 @@ ] }, "locked": { - "lastModified": 1668998330, - "narHash": "sha256-kJu7lwmNBQqIcM/vhlFDkByC0VF4vwLjVeg+E9aWlyc=", + "lastModified": 1669306943, + "narHash": "sha256-F6xVWFJkcCXp5IcnpRlECT10H2ps8RO1yM4W0OXiXPs=", "owner": "astro", "repo": "microvm.nix", - "rev": "682b1e76e7fefdf350f3dc9e84002a8488e2b86d", + "rev": "c21a70fe1ac05ccdfceff6506625e9d44cd91da5", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1669101869, - "narHash": "sha256-gEEtP8LdTEDX/ixNL5ZmevmQcaWDiQioM2IjB+PdOgI=", + "lastModified": 1669379897, + "narHash": "sha256-XM3xBfQD5tOtV4KAhQHyh53cJdqkLwotZa5JJIUjbQc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c9538a9b7074925ac117835c775fb81d0e7f98fa", + "rev": "8690906c4d80db5d85f52313a8487bf2e7b8d4c5", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1669140675, - "narHash": "sha256-npzfyfLECsJWgzK/M4gWhykP2DNAJTYjgY2BWkz/oEQ=", + "lastModified": 1669320964, + "narHash": "sha256-EBFw+ge12Pcr3qCk8If3/eMBAoQLR7ytndXZoRevUtM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2788904d26dda6cfa1921c5abb7a2466ffe3cb8c", + "rev": "27ccd29078f974ddbdd7edc8e38c8c8ae003c877", "type": "github" }, "original": { @@ -490,11 +490,11 @@ "openwrt": { "flake": false, "locked": { - "lastModified": 1668297972, - "narHash": "sha256-i39KfzBoNiiScd1M8kV/5WrGzEgG6+PxsFxoW+DT9UQ=", + "lastModified": 1669304702, + "narHash": "sha256-hQ61usu3bgxJMVm9BlWx89pSvLN3zR4DYkQxEAfNA0w=", "ref": "openwrt-21.02", - "rev": "079ce0413a1e3c19dd00be1b90de737c2bc09223", - "revCount": 51164, + "rev": "829cc60a281b9da1ede262d32f1359b4d997555f", + "revCount": 51165, "type": "git", "url": "https://git.openwrt.org/openwrt/openwrt.git" }, 
@@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1669149569, - "narHash": "sha256-2ZE6flQ95vzM2AOfng6cjPnpCf/R3tHNB039wYAOv+8=", + "lastModified": 1669410757, + "narHash": "sha256-eznda7OuReuwd40FKqe1spm6biiw1um+ypF2Y7XVOkA=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "56c7ad52bb513497b458a71f34378103497847d2", + "rev": "a34bbf93ead52375a103ba5ad4a147062cea8a89", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1668974383, - "narHash": "sha256-ULEwMFhcr+0z4r//BSZVFV5Nh1+opwwYBk/ZzEptjqw=", + "lastModified": 1669325252, + "narHash": "sha256-c4cqmy1lrPRC/Uwf+Sim4xxptVk7fH/STHeqe9BKOVU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "26562973b3482a635416b2b663a13016d4d90e20", + "rev": "1e6a49a801708a8bcbe429ce03f614a7951bdb11", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1669170936, - "narHash": "sha256-TKPH4Pzkjw5gAPo9hejs3O4mWJW6V/RSiOj8UuSFRTs=", + "lastModified": 1669343666, + "narHash": "sha256-PvNbZvkgVmwDG3uDsG0rFbRBcXiPSxdbpHC7mgwcc6s=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c90c223c4aef334356029b89c72bb65e26f7efe6", + "rev": "87fee4b5b0ed4bc7f6db2e878a8c93db8d631e01", "type": "github" }, "original": { @@ -604,7 +604,7 @@ "locked": { "lastModified": 1665446321, "narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=", - "ref": "master", + "ref": "refs/heads/master", "rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca", "revCount": 61, "type": "git", @@ -624,7 +624,7 @@ "locked": { "lastModified": 1659890996, "narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=", - "ref": "master", + "ref": "refs/heads/master", "rev": "5ca106f648bef15d9954d956bda336eea28e8d75", "revCount": 149, "type": "git", 
@@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1669074247, - "narHash": "sha256-UTEbPzdzfAsDubgJfEq8h3H1Cx7wNB1v466L3qxLi3U=", + "lastModified": 1669412899, + "narHash": "sha256-UlYIzmjAHZ6LdjD/SFXJLHCBPCJ+y8oC94Rhl9pZtR0=", "owner": "astro", "repo": "skyflake", - "rev": "365bfb5aa5b42a48b18c4fc0d9cab30bcd62c74a", + "rev": "162a95bbe72c91f2a43ea40773761464e2c659cc", "type": "github" }, "original": { @@ -743,7 +743,7 @@ "locked": { "lastModified": 1666559258, "narHash": "sha256-m4f5QQbE+usnEnM6CJ+nCgXcsi9mm0cCwFm2BhJ0pvQ=", - "ref": "master", + "ref": "refs/heads/master", "rev": "22ecb2b375bebffdfb1af3435a4c4486e6dd923b", "revCount": 108, "type": "git", @@ -785,7 +785,7 @@ "locked": { "lastModified": 1663279525, "narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=", - "ref": "master", + "ref": "refs/heads/master", "rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3", "revCount": 342, "type": "git", @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1669055317, - "narHash": "sha256-GCm7A+RXQYXOTOErEHbi/OORXtygrgSzp6NiwtziRRI=", - "ref": "master", - "rev": "9af9b5fef3208dcea17fc1e53936772238d34ae4", - "revCount": 1672, + "lastModified": 1669314475, + "narHash": "sha256-Qge+r4Tjg4XaXXxh29x4+gReGHhBZJpKddzh6qdhgk0=", + "ref": "refs/heads/master", + "rev": "5113cf888d44e8e333e3f4ae0e39e898b0151e1e", + "revCount": 1673, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From ebf4e41b73be5f4b31d1a735252692775928150f Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 25 Nov 2022 23:04:27 +0100 Subject: [PATCH 093/247] modules/cluster: start supporting multiple storages --- modules/cluster/default.nix | 4 ++++ modules/cluster/deployment-options.nix | 4 ++++ modules/cluster/deployment.nix | 9 ++++++++- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 029c762b..e7266aa9 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix 
@@ -44,6 +44,10 @@ in { servers = servers; # run tasks only on these: client.enable = builtins.elem hostName microvmServers; + client.meta = + lib.optionalAttrs (builtins.elem hostName storageServers) { + "c3d2.storage" = "big"; + }; }; microvmUid = 997; diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 9878ce32..13248180 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -18,5 +18,9 @@ type = with types; listOf str; default = [ "/etc" "/home" "/var" ]; }; + storage = mkOption { + type = types.enum [ "fast" "big" ]; + default = "fast"; + }; }; } diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index abe7ee90..46468380 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -59,7 +59,7 @@ in tag = builtins.replaceStrings [ "/" ] [ "-" ] ( withoutLeadingSlash mountPoint ); - source = "/glusterfs/fast/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; + source = "/glusterfs/${config.deployment.storage}/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; inherit mountPoint; }) config.deployment.persistedShares; volumes = [ { @@ -76,6 +76,13 @@ in }) config.deployment.networks; }; + skyflake = { + nomadJob.constraints = lib.optionals (config.deployment.storage == "big") [ { + attribute = "\${meta.c3d2.storage}"; + value = "big"; + } ]; + }; + networking = { useDHCP = false; dhcpcd.enable = false; From 572af7e31d945230448889b641b5586e28bee2a2 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 25 Nov 2022 23:05:32 +0100 Subject: [PATCH 094/247] leoncloud: skyflakify --- flake.nix | 2 +- hosts/leoncloud/default.nix | 18 ++++-------------- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/flake.nix b/flake.nix index c7188f67..ee47600c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -909,7 +909,7 @@ leoncloud = nixosSystem' { modules = [ - self.nixosModules.microvm + self.nixosModules.cluster-options ./hosts/leoncloud ]; }; diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index c4375c8a..57165182 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -1,24 +1,14 @@ { zentralwerk, config, lib, pkgs, ... }: { - microvm = { - mem = 4024; - writableStoreOverlay = "/nix/.rw-store"; - volumes = [ { - image = "nix-store-overlay.img"; - mountPoint = config.microvm.writableStoreOverlay; - size = 32 * 1024; - } ]; + deployment = { + persistedShares = [ "/etc" "/home" "/var" ]; + storage = "big"; + mem = 2048; }; nix.settings.auto-optimise-store = lib.mkForce false; - c3d2.deployment = { - server = "server9"; - mounts = [ "etc" "home" "var" ]; - autoNetSetup = true; - }; - networking = { hostName = "leoncloud"; firewall.enable = true; From 699a043d2491bb105d80b794808ac9826af235d4 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 26 Nov 2022 00:16:05 +0100 Subject: [PATCH 095/247] flake.nix: remove nixpkgs-unstable from nixosConfigurations for the nixos-22.11 upgrade --- flake.nix | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/flake.nix b/flake.nix index ee47600c..54658942 100644 --- a/flake.nix +++ b/flake.nix @@ -548,7 +548,7 @@ self.nixosModules.microvm ./hosts/auth ]; - nixpkgs = inputs.nixos-unstable; + # nixpkgs = inputs.nixos-unstable; }; broker = nixosSystem' { @@ -590,7 +590,7 @@ self.nixosModules.microvm ./hosts/gitea ]; - nixpkgs = inputs.nixos-unstable; + # nixpkgs = inputs.nixos-unstable; }; glotzbert = nixosSystem' { @@ -608,7 +608,7 @@ self.nixosModules.microvm ./hosts/hedgedoc ]; - nixpkgs = inputs.nixos-unstable; + # nixpkgs = inputs.nixos-unstable; }; pulsebert = nixosSystem' { @@ -624,7 +624,7 @@ }; } ]; - nixpkgs = inputs.nixos-unstable; + # nixpkgs = inputs.nixos-unstable; }; radiobert = nixosSystem' { 
@@ -743,7 +743,7 @@ self.nixosModules.microvm ./hosts/grafana ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; hydra = nixosSystem' { @@ -759,7 +759,7 @@ }; } ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; mucbot = nixosSystem' { @@ -827,7 +827,7 @@ heliwatch.nixosModules.heliwatch ./hosts/sdrweb ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; bind = nixosSystem' { @@ -874,7 +874,6 @@ skyflake.nixosModules.default { _module.args = { inherit self; }; } ]; - nixpkgs = nixos-unstable; }; server10 = nixosSystem' { @@ -887,7 +886,6 @@ skyflake.nixosModules.default { _module.args = { inherit self; }; } ]; - nixpkgs = nixos-unstable; }; oparl = nixosSystem' { @@ -937,7 +935,7 @@ }; } ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; system = "x86_64-linux"; }; @@ -953,7 +951,7 @@ self.nixosModules.microvm ./hosts/mediawiki ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; gnunet = nixosSystem' { @@ -961,7 +959,7 @@ self.nixosModules.cluster-options ./hosts/gnunet ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; zengel = nixosSystem' { @@ -999,7 +997,7 @@ self.nixosModules.cluster-options ./hosts/owncast ]; - nixpkgs = nixos-unstable; + # nixpkgs = nixos-unstable; }; }; From 930c3a67e0d1739fe240f9e7d00c741372444a36 Mon Sep 17 00:00:00 2001 From: leon Date: Fri, 25 Nov 2022 23:27:45 +0000 Subject: [PATCH 096/247] update --- hosts/leoncloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 57165182..97d3876c 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -65,7 +65,7 @@ privateKeyFile = "/etc/nixos/wireguard-keys/private-key"; peers = [ { - publicKey = "w3qegSSuqFTFrGk4XJaWBSwGDOiqbnnAIR9MzwjYVA8="; + publicKey = "iEVq4lvvKFfqjcoYYyNkA0MS8rcSGaDfPwQGN3C7+D0="; allowedIPs = [ "10.10.11.0/24" ]; endpoint = "45.158.40.162:18900"; persistentKeepalive = 25; 
From b9e42515c76c41a94830adc4923eb489f082643e Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 00:30:36 +0100
Subject: [PATCH 097/247] flake.nix: s/fenix.overlay/fenix.overlays.default/
---
 flake.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index 54658942..bf89a486 100644
--- a/flake.nix
+++ b/flake.nix
@@ -224,7 +224,7 @@ legacyPackages = lib.attrsets.mapAttrs (system: pkgs: pkgs.appendOverlays [
- fenix.overlay
+ fenix.overlays.default
 naersk.overlay self.overlay ]) nixos.legacyPackages;
@@ -1029,7 +1029,7 @@ nncp = ./modules/nncp.nix; plume = { imports = [ ./modules/plume.nix ];
- nixpkgs.overlays = [ fenix.overlay naersk.overlay ];
+ nixpkgs.overlays = [ fenix.overlays.default naersk.overlay ];
 }; rpi-netboot = ./modules/rpi-netboot.nix; };
From de9ce610e981297c00ecf71db7c88d886bfdb535 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 00:34:41 +0100
Subject: [PATCH 098/247] modules/cluster/deployment: add option deployment.needForSpeed
---
 hosts/server10/default.nix | 3 ++-
 hosts/server8/default.nix | 1 +
 hosts/server9/default.nix | 1 +
 modules/cluster/deployment-options.nix | 10 ++++++++++
 modules/cluster/deployment.nix | 15 +++++++++++----
 5 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix
index 8e985d9f..1b829a29 100644
--- a/hosts/server10/default.nix
+++ b/hosts/server10/default.nix
@@ -11,7 +11,7 @@ hq.statistics.enable = true; };
- boot= {
+ boot = {
 loader.grub = { enable = true; version = 2;
@@ -49,6 +49,7 @@ "data-hoarder" "staging-data-hoarder" ];
+ skyflake.nomad.client.meta."c3d2.cpuSpeed" = "4";
 system.stateVersion = "21.11"; # Did you read the comment? }
diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix
index da572ea3..e84a6b59 100644
--- a/hosts/server8/default.nix
+++ b/hosts/server8/default.nix
@@ -38,4 +38,5 @@ # deployment.microvmBaseZfsDataset = "tank/storage"; hq.statistics.enable = true; }; + skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3"; } diff --git a/hosts/server9/default.nix b/hosts/server9/default.nix index 0c88f765..ea5a2b4c 100644 --- a/hosts/server9/default.nix +++ b/hosts/server9/default.nix @@ -35,6 +35,7 @@ deployment.microvmBaseZfsDataset = "tank/storage"; hq.statistics.enable = true; }; + skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3"; # XXX: enable for zw-ev and poelzi-ha until we find a better solution virtualisation.libvirtd = { diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 13248180..be567046 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -21,6 +21,16 @@ storage = mkOption { type = types.enum [ "fast" "big" ]; default = "fast"; + description = '' + Which glusterfs volume to use for persistedShares + ''; + }; + needForSpeed = mkOption { + type = types.bool; + default = false; + description = '' + Prefer deployment on Nomad clients with a higher c3d2.cpuSpeed + ''; }; }; } diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 46468380..b6096ea3 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -77,10 +77,17 @@ in }; skyflake = { - nomadJob.constraints = lib.optionals (config.deployment.storage == "big") [ { - attribute = "\${meta.c3d2.storage}"; - value = "big"; - } ]; + nomadJob = { + constraints = lib.optionals (config.deployment.storage == "big") [ { + attribute = "\${meta.c3d2.storage}"; + value = "big"; + } ]; + affinities = lib.optionals config.deployment.needForSpeed (builtins.genList (i: { + attribute = "\${meta.c3d2.cpuSpeed}"; + value = toString (i + 1); + weight = 10 + i; + }) 10); + }; }; networking = { From d95e924778d7be828aaee7fb86beaeb98853c2a1 Mon Sep 17 00:00:00 2001 
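Review bot: The ten `affinities` generated at the end of the deployment.nix hunk encode an undocumented scale — `value = toString (i + 1)` for i in 0..9 with `weight = 10 + i` — while the only ratings set in this same commit are `"3"` (server8, server9) and `"4"` (server10). A comment above `affinities`, e.g. `# c3d2.cpuSpeed is a string "1".."10"; weight grows with the rating so Nomad prefers faster clients`, would tell the next admin how to rate a new server, and the literal `10` could be bound to a named value so the scale and the genList length cannot drift apart. The `needForSpeed` option description in deployment-options.nix could point at the same scale.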
From: Astro
Date: Sat, 26 Nov 2022 00:35:07 +0100
Subject: [PATCH 099/247] modules/cluster/default: remove debug output
---
 modules/cluster/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix
index e7266aa9..e948e110 100644
--- a/modules/cluster/default.nix
+++ b/modules/cluster/default.nix
@@ -36,7 +36,7 @@ in { nodes = builtins.listToAttrs ( map (name: { inherit name;
- value.address = builtins.trace name hostRegistry.hosts.${name}.ip4;
+ value.address = hostRegistry.hosts.${name}.ip4;
 }) servers ); nomad = {
From 65a91dc324f2acef687e532da38ce57d84cd1359 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 00:37:22 +0100
Subject: [PATCH 100/247] stream: skyflakify
---
 flake.nix | 2 +-
 hosts/stream/default.nix | 50 ++++++++--------------------------------
 2 files changed, 10 insertions(+), 42 deletions(-)
diff --git a/flake.nix b/flake.nix
index bf89a486..230b9591 100644
--- a/flake.nix
+++ b/flake.nix
@@ -797,7 +797,7 @@ stream = nixosSystem' { modules = [
- self.nixosModules.microvm
+ self.nixosModules.cluster-options
 ./hosts/stream ]; };
diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix
index ca9ea5a1..3e039421 100644
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@@ -1,36 +1,16 @@ -{ zentralwerk, config, pkgs, ... }: +{ zentralwerk, config, lib, pkgs, ... }: let authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; - mac = { - pub = "DE:91:C7:51:D1:C5"; - serv = "C6:40:E0:21:9B:A4"; - }; in { networking.hostName = "stream"; c3d2.hq.statistics.enable = true; - c3d2.deployment = { - server = "server9"; - autoNetSetup = false; - mounts = []; + deployment = { + persistedShares = [ "/etc" "/home" "/var" ]; + storage = "big"; + mem = 2048; + networks = lib.mkForce [ "pub" "serv" ]; }; - microvm.mem = 2048; - microvm.interfaces = [ { - type = "tap"; - id = "pub-stream"; - mac = mac.pub; - } { - type = "tap"; - id = "serv-stream"; - mac = mac.serv; - } ]; - microvm.shares = map (name: { - source = "/tank/storage/stream/${name}"; - mountPoint = "/${name}"; - tag = name; - proto = "virtiofs"; - socket = "${name}.socket"; - }) [ "etc" "home" "var" ]; systemd.network = { enable = true; @@ -39,19 +19,14 @@ in # rest of the network so that I am reachable by # public-access-proxy. - links."00-serv" = { - matchConfig.MACAddress = mac.serv; - linkConfig.Name = "serv"; - }; - - networks."00-serv" = { - matchConfig.MACAddress = mac.serv; + networks."30-serv" = { networkConfig.IPv6AcceptRA = false; # try harder disabling global ipv6 networkConfig.LinkLocalAddressing = "no"; addresses = [ { addressConfig.Address = "${config.c3d2.hosts.stream.ip4}/${toString zentralwerk.lib.config.site.net.serv.subnet4Len}"; } ]; + gateway = lib.mkForce []; routes = [ { routeConfig = { Destination = "172.20.0.0/14"; @@ -61,14 +36,7 @@ in }; # On the pub network I am a normal client. - - links."00-pub" = { - matchConfig.MACAddress = mac.pub; - linkConfig.Name = "pub"; - }; - - networks."01-pub" = { - matchConfig.MACAddress = mac.pub; + networks."30-pub" = { networkConfig.DHCP = "ipv4"; networkConfig.IPv6AcceptRA = true; }; From 7bc3b49cc356378bbaabdbfb0ffc589b210fc82c Mon Sep 17 00:00:00 2001 
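Review bot: The `let` block rewritten in the first hosts/stream hunk keeps `authFile = pkgs.writeText "htpasswd" ...`, which places the htpasswd user and credential hash in the Nix store, world-readable on every machine that holds this closure and on any binary cache it is pushed to. Since this commit now declares `persistedShares = [ "/etc" "/home" "/var" ]`, the file could instead live under one of those persisted paths and be referenced by path (`authFile = "/etc/stream/htpasswd";` is a constructed example), with the hash itself kept out of the repository. The consumer of `authFile` is outside these hunks, so the change there is not visible here.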
From: Astro Date: Sat, 26 Nov 2022 01:41:28 +0100 Subject: [PATCH 101/247] modules/cluster/deployment: let microvms specify their nets by providing just a default --- modules/cluster/deployment-options.nix | 11 +++++++++-- modules/cluster/deployment.nix | 16 +++------------- 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index be567046..4a4afcfb 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ zentralwerk, lib, ... }: # our custom options { options.deployment = with lib; { @@ -12,7 +12,14 @@ }; networks = mkOption { type = with types; listOf str; - default = [ "serv" ]; + default = builtins.attrNames ( + lib.filterAttrs (net: { hosts4, hosts6, ... }: + hosts4 ? ${hostName} || + lib.filterAttrs (ctx: hosts6: + hosts6 ? ${hostName} + ) hosts6 != {} + ) zentralwerk.lib.config.site.net + ); }; persistedShares = mkOption { type = with types; listOf str; diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index b6096ea3..c0d2a1cd 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -8,17 +8,9 @@ let flpk = "flpk-gw"; }; - nets = builtins.attrNames ( - lib.filterAttrs (net: { hosts4, hosts6, ... }: - hosts4 ? ${hostName} || - lib.filterAttrs (ctx: hosts6: - hosts6 ? ${hostName} - ) hosts6 != {} - ) zentralwerk.lib.config.site.net - ); - inherit (config.networking) hostName; inherit (config.system.build.skyflake-deployment) user repo vmName; + inherit (config.deployment) networks; generateMacAddress = net: let @@ -37,8 +29,6 @@ let in { - deployment.networks = nets; - microvm = { hypervisor = "cloud-hypervisor"; vcpu = config.deployment.vcpu; @@ -104,7 +94,7 @@ in # rename interface to net name linkConfig.Name = net; }; - }) {} nets; + }) {} networks; networks = builtins.foldl' (networks: net: networks // { "30-${net}" = 
@@ -135,6 +125,6 @@ builtins.filter (hosts6: hosts6 ? ${hostName}) ( ) ); }; - }) {} nets; + }) {} networks; }; } From e91e69b14a8bd94d37bc1e219700b3b6435edebc Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 26 Nov 2022 02:41:51 +0100 Subject: [PATCH 102/247] modules/cluster/deployment-options: add hacks to allow build on hydra --- modules/cluster/deployment-options.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 4a4afcfb..0b0e0907 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -40,4 +40,13 @@ ''; }; }; + + config = { + # HACK: Avoid conflicts when building a NixOS configuration on Hydra + boot.loader.grub.enable = false; + fileSystems."/" = { + device = "rootfs"; + fsType = "tmpfs"; + }; + }; } From a33b2abe29b61c6919ab9886eb540eeb05d32927 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 01:47:34 +0000 Subject: [PATCH 103/247] update --- hosts/leoncloud/default.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 97d3876c..08555920 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -109,7 +109,25 @@ services.nextcloud = { after = ["postgresql.service"]; }; + services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ]; + + #<-----------------nextcloud---------------------- +#-----------------------------ngin-X-------------------------------- + + services.nginx = { + enable = true; + +# virtualHosts."bicospacetech.c3d2.de" = { +# forceSSL = true; +# enableACME = true; +# locations."/" = { +# proxyPass = "http://45.158.40.162:12000"; +# proxyWebsockets = true; +# }; + +#}; +#-----------------------------ngin-X-------------------------------- system.stateVersion = "22.05"; From c67ba25488382351270ad59401022f19e1a5cc4a Mon Sep 17 00:00:00 2001 
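Review bot: The `boot.loader.grub.enable = false;` and `fileSystems."/"` definitions added under `config` in the deployment-options.nix hunk carry normal priority, so any host or imported module that also defines `/` or the bootloader will hit a definition conflict instead of overriding the hack. Wrapping them as `boot.loader.grub.enable = lib.mkDefault false;` and `device = lib.mkDefault "rootfs"; fsType = lib.mkDefault "tmpfs";` keeps the Hydra build working while letting real definitions win. The `# HACK` comment would also benefit from naming the evaluation error it avoids, so it can be removed once that cause is gone.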
From: leon
Date: Sat, 26 Nov 2022 01:48:17 +0000
Subject: [PATCH 104/247] update
---
 hosts/leoncloud/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix
index 08555920..4f990c92 100644
--- a/hosts/leoncloud/default.nix
+++ b/hosts/leoncloud/default.nix
@@ -115,8 +115,8 @@ services.nextcloud = { #<-----------------nextcloud---------------------- #-----------------------------ngin-X--------------------------------
- services.nginx = {
- enable = true;
+# services.nginx = {
+# enable = true;
 # virtualHosts."bicospacetech.c3d2.de" = { # forceSSL = true;
From 2b2982961c4c0e71542a00ce4b9a4e72c524cc09 Mon Sep 17 00:00:00 2001
From: leon
Date: Sat, 26 Nov 2022 01:51:49 +0000
Subject: [PATCH 105/247] update
---
 hosts/leoncloud/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix
index 4f990c92..55f691b6 100644
--- a/hosts/leoncloud/default.nix
+++ b/hosts/leoncloud/default.nix
@@ -9,6 +9,7 @@ nix.settings.auto-optimise-store = lib.mkForce false;
+
 networking = { hostName = "leoncloud"; firewall.enable = true;
From 035617c1122aa86e9f14f06dd50792c6a1b576aa Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 02:52:14 +0100
Subject: [PATCH 106/247] sdrweb: enable needForSpeed to prefer server10's cpu
---
 hosts/sdrweb/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix
index b3ebbc05..a5bc6a17 100644
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@@ -5,6 +5,7 @@ persistedShares = [ "/home" "/etc" "/var" ]; mem = 4096; vcpu = 16;
+ needForSpeed = true;
 }; c3d2 = { isInHq = false;
From 9ad4bd06499ee67a1776f75bb84d0a504db3fe72 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 02:53:32 +0100
Subject: [PATCH 107/247] modules/cluster/deployment-options: fix networks
---
 modules/cluster/deployment-options.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix
index 0b0e0907..a205f848 100644
--- a/modules/cluster/deployment-options.nix
+++ b/modules/cluster/deployment-options.nix
@@ -14,9 +14,9 @@ type = with types; listOf str; default = builtins.attrNames ( lib.filterAttrs (net: { hosts4, hosts6, ... }:
- hosts4 ? ${hostName} ||
+ hosts4 ? ${config.networking.hostName} ||
 lib.filterAttrs (ctx: hosts6:
- hosts6 ? ${hostName}
+ hosts6 ? ${config.networking.hostName}
 ) hosts6 != {} ) zentralwerk.lib.config.site.net );
From 588bebc3cf167a4b93ce8a42fbeae84f4489ac64 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 26 Nov 2022 02:55:12 +0100
Subject: [PATCH 108/247] modules/cluster/deployment-options: fix
---
 modules/cluster/deployment-options.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix
index a205f848..31aa761c 100644
--- a/modules/cluster/deployment-options.nix
+++ b/modules/cluster/deployment-options.nix
@@ -1,4 +1,4 @@
-{ zentralwerk, lib, ... }:
+{ zentralwerk, config, lib, ... }:
 # our custom options { options.deployment = with lib; {
From 8c1b350f1af9322232b7e322d790422603b30e56 Mon Sep 17 00:00:00 2001
From: leon
Date: Sat, 26 Nov 2022 14:53:02 +0000
Subject: [PATCH 109/247] update
---
 hosts/leoncloud/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix
index 55f691b6..01fe25fb 100644
--- a/hosts/leoncloud/default.nix
+++ b/hosts/leoncloud/default.nix
@@ -9,7 +9,6 @@ nix.settings.auto-optimise-store = lib.mkForce false;
-
 networking = { hostName = "leoncloud"; firewall.enable = true;
@@ -110,7 +109,7 @@ services.nextcloud = { after = ["postgresql.service"]; }; - services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ]; +# services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ]; #<-----------------nextcloud---------------------- From 966bb7389f6c1bc753bcb8fcd1188b6151d7cd30 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 14:56:10 +0000 Subject: [PATCH 110/247] update --- hosts/leoncloud/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 01fe25fb..df73b59c 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -38,8 +38,11 @@ isNormalUser = true; extraGroups = [ "wheel" "docker" ]; createHome = true; - openssh.authorizedKeys.keys = with import ../../users.nix; - leon.sshKeys; + openssh.authorizedKeys.keys = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air" + + #with import ../../users.nix; + # leon.sshKeys; }; From dadf8c72c718e3b5c635b8686d8e9692f6bd266a Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 14:58:23 +0000 Subject: [PATCH 111/247] update --- hosts/leoncloud/default.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index df73b59c..954b7540 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix 
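Review bot: Commenting out the loopback-only `listen` leaves the `localhost` vhost (presumably the one the nextcloud module generates for its hostName) on nginx's default bind, i.e. port 80 on every address, so the plain-HTTP Nextcloud becomes reachable on interfaces other than the one the reverse proxy uses. If the intent is to let the proxy reach it on the internal address over port 80, keep a bind restriction rather than dropping it, e.g. `services.nginx.virtualHosts."localhost".listen = [ { addr = "10.10.11.4"; port = 80; } ];`. Whether that vhost is still generated after commit 104 commented out the top-level `services.nginx` block depends on the nextcloud module, which enables nginx on its own unless told otherwise; the enclosing attribute set starts and ends outside the hunk.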
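Review bot: `openssh.authorizedKeys.keys` is a list of strings, so assigning a bare string will fail evaluation, and the `+` left dangling before the commented-out lines leaves the expression unterminated. Commits 111 and 112 keep the string form (111 even assigns `openssh.authorizedKeys` itself instead of `.keys`), and 113 goes back to `leon.sshKeys` from users.nix. If an inline key is really wanted it has to be a list, `openssh.authorizedKeys.keys = [ "ssh-ed25519 … leon@leons-Air" ];`, but keeping the key in users.nix is still preferable, since rotating or revoking it then happens in one place for every host. The enclosing user definition starts outside the hunk.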
@@ -38,12 +38,10 @@ isNormalUser = true; extraGroups = [ "wheel" "docker" ]; createHome = true; - openssh.authorizedKeys.keys = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air" - - #with import ../../users.nix; - # leon.sshKeys; - }; + # openssh.authorizedKeys.keys = with import ../../users.nix; + # leon.sshKeys; + openssh.authorizedKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"; +}; # enable IP routing From 6bc6834498a284d67aef8b2ea5bb7d84ede35360 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 14:58:50 +0000 Subject: [PATCH 112/247] update --- hosts/leoncloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 954b7540..29a3b8c1 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -40,7 +40,7 @@ createHome = true; # openssh.authorizedKeys.keys = with import ../../users.nix; # leon.sshKeys; - openssh.authorizedKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"; + openssh.authorizedKeys.keys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"; }; From e141ce6ee02f5567fd364fcc1dea92286d373dda Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 14:59:39 +0000 Subject: [PATCH 113/247] update --- hosts/leoncloud/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 29a3b8c1..0664ac3a 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -28,6 +28,7 @@ vim python3Full python310Packages.pip + python310Packages.flask nmap htop wireguard-tools 
@@ -38,9 +39,8 @@ isNormalUser = true; extraGroups = [ "wheel" "docker" ]; createHome = true; - # openssh.authorizedKeys.keys = with import ../../users.nix; - # leon.sshKeys; - openssh.authorizedKeys.keys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"; + openssh.authorizedKeys.keys = with import ../../users.nix; + leon.sshKeys; }; From b70d9bcb78f5caf72a7ac289b8227dff3fcaa7e1 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 17:30:36 +0000 Subject: [PATCH 114/247] update --- hosts/leon/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index ca0e295a..9e6f5dc0 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -57,7 +57,6 @@ virtualisation.docker.enable = true; - users.users.leon = { isNormalUser = true; extraGroups = [ "wheel" "docker" ]; @@ -208,7 +207,7 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://10.10.11.2:2500"; + proxyPass = "http://10.10.11.4:80"; proxyWebsockets = true; }; }; From 97b7d2d71f814aac2b5a7e981af0d4113aece062 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 17:34:22 +0000 Subject: [PATCH 115/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 9e6f5dc0..8eba7880 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -203,7 +203,7 @@ networking.wireguard.interfaces = { proxyWebsockets = true; }; }; - virtualHosts."cloud.bicospacetech.c3d2.de" = { + virtualHosts."bicospacetech.cloud.c3d2.de" = { forceSSL = true; enableACME = true; locations."/" = { From b53c53a6f7a0a1e0cfc73917183c434c19b0e1ff Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 17:37:34 +0000 Subject: [PATCH 116/247] update --- hosts/leoncloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
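Review bot: The vhost now forwards to `http://10.10.11.4:80` with TLS terminated here, but nothing tells the Nextcloud behind it about that: without `overwriteProtocol` and `trustedProxies` on leoncloud, Nextcloud builds redirects and links with `http://` and sees the proxy's 10.10.11.x address as the client IP, which is what its login throttling and logs go by. On leoncloud, something like `services.nextcloud.config = { overwriteProtocol = "https"; trustedProxies = [ "<leon's 10.10.11.x address>" ]; };` (placeholder to be filled in) closes that gap. The hop itself is plain HTTP; if 10.10.11.0/24 is the WireGuard range suggested by the hunk header that is acceptable, otherwise the upstream should be TLS as well. The enclosing `virtualHosts` attribute set starts and ends outside the hunk.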
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 0664ac3a..e94ba0f3 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -89,7 +89,7 @@ services.nextcloud = { dbname = "nextcloud"; adminpassFile = "/etc/nixos/next-cloud/pass"; adminuser = "root"; - extraTrustedDomains = ["45.158.40.165" "172.20.79.254" "10.10.11.4" "10.10.11.1" ]; + extraTrustedDomains = ["10.10.11.4" "10.10.11.1" "bicospacetech.cloud.c3d2.de"]; }; }; From 4f785ca1c98cffdcdb4a0824d545fb0a8559056d Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 26 Nov 2022 21:28:30 +0000 Subject: [PATCH 117/247] update --- hosts/leon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 8eba7880..e2fc50a3 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -52,7 +52,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - wget vim python3Full python310Packages.pip nmap htop wireguard-tools docker-compose + wget vim python3Full python310Packages.pip python310Packages.flask nmap htop wireguard-tools docker-compose ]; virtualisation.docker.enable = true; From 27a6cdfed8e307c642bd1331234ab70dbf70001a Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 27 Nov 2022 01:11:47 +0100 Subject: [PATCH 118/247] flake.lock: Update input zentralwerk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=5113cf888d44e8e333e3f4ae0e39e898b0151e1e' (2022-11-24) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=c52991536725810f596cd25616a359a60b3d9aa7' (2022-11-27) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 8cfd49fa..6777db0e 100644 --- a/flake.lock 
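Review bot: After this change `extraTrustedDomains` still lists the bare internal addresses `10.10.11.4` and `10.10.11.1` next to the public name, so a request whose Host header is one of those, i.e. by-IP plain-HTTP access that bypasses the TLS proxy on leon, is accepted instead of being answered with Nextcloud's untrusted-domain page. If all user traffic is meant to come through `bicospacetech.cloud.c3d2.de`, reduce the list to that name: `extraTrustedDomains = [ "bicospacetech.cloud.c3d2.de" ];`. Whether the proxy passes the original Host header or the upstream address depends on the nginx settings on leon, which are outside this hunk; if it passes the upstream address, the `10.10.11.4` entry is what makes proxied requests work and should stay, with a comment saying so.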
+++ b/flake.lock @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1669314475, - "narHash": "sha256-Qge+r4Tjg4XaXXxh29x4+gReGHhBZJpKddzh6qdhgk0=", + "lastModified": 1669507699, + "narHash": "sha256-L1nCw1NlvxHmN2SD+HyeOrlGn+Sb1gmvJTAR4REiXj0=", "ref": "refs/heads/master", - "rev": "5113cf888d44e8e333e3f4ae0e39e898b0151e1e", - "revCount": 1673, + "rev": "c52991536725810f596cd25616a359a60b3d9aa7", + "revCount": 1674, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From da110aa1380b675cb06030581bc78a97c1e066e8 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 27 Nov 2022 01:14:30 +0100 Subject: [PATCH 119/247] prometheus: redeploy --- flake.nix | 7 + .../{configuration.nix => default.nix} | 24 +-- hosts/prometheus/secrets.yaml | 181 ++++++++++++++++++ 3 files changed, 201 insertions(+), 11 deletions(-) rename hosts/prometheus/{configuration.nix => default.nix} (70%) create mode 100644 hosts/prometheus/secrets.yaml diff --git a/flake.nix b/flake.nix index 230b9591..1e0f1394 100644 --- a/flake.nix +++ b/flake.nix @@ -999,6 +999,13 @@ ]; # nixpkgs = nixos-unstable; }; + + prometheus = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/prometheus + ]; + }; }; nixosModule = self.nixosModules.c3d2; diff --git a/hosts/prometheus/configuration.nix b/hosts/prometheus/default.nix similarity index 70% rename from hosts/prometheus/configuration.nix rename to hosts/prometheus/default.nix index caea2e29..38b4b0bf 100644 --- a/hosts/prometheus/configuration.nix +++ b/hosts/prometheus/default.nix @@ -1,9 +1,7 @@ { config, pkgs, lib, ... }: { - imports = [ - ../../../modules/lxc-container.nix - ]; + sops.defaultSopsFile = ./secrets.yaml; networking = { hostName = "prometheus"; 
@@ -19,7 +17,7 @@ alertmanager = { enable = true; openFirewall = true; - webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/"; + webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; listenAddress = "0.0.0.0"; configuration = { "global" = { @@ -51,11 +49,11 @@ }; }; - # alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ]; + # alertmanagerURL = [ "https://prometheus.serv.zentralwerk.org/alertmanager/" ]; pushgateway = { enable = true; - web.external-url = "http://prometheus.serv.zentralwerk.org/push/"; + web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; }; exporters.collectd.enable = true; @@ -71,13 +69,17 @@ virtualHosts."prometheus.serv.zentralwerk.org" = { # serverAliases = [ "registry.serv.zentralwerk.org" ]; enableACME = true; - onlySSL = true; - locations.".well-known/acme-challenge/" = { - root = "/var/lib/acme/acme-challenge/.well-known/acme-challenge/"; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:9090"; + extraConfig = '' + auth_basic "Prometheus"; + auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path}; + ''; }; - locations."/" = { proxyPass = "http://localhost:9090"; }; }; }; + sops.secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/hosts/prometheus/secrets.yaml b/hosts/prometheus/secrets.yaml new file mode 100644 index 00000000..c4aa3278 --- /dev/null +++ b/hosts/prometheus/secrets.yaml 
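Review bot: The basic auth added in the `-71,13` hunk covers only `locations."/"` of the nginx vhost, while the context of the `-19,7` hunk shows Alertmanager with `openFirewall = true` and `listenAddress = "0.0.0.0"`, so its UI and API (silencing and posting alerts) stay reachable on its own port without the password; the `webExternalUrl` pointing at `/alertmanager/` also has no matching location in the visible vhost, though one may exist outside the hunk. Bind Alertmanager to loopback, close its firewall port and proxy it under the same `auth_basic` as Prometheus, as below. The same applies to the pushgateway and `exporters.collectd` if their `openFirewall` settings (partly outside the hunk) are true.
```nix
alertmanager = {
  enable = true;
  openFirewall = false;          # only reachable through the authenticated vhost
  listenAddress = "127.0.0.1";
  # … unchanged: webExternalUrl, configuration …

# … unchanged: pushgateway, exporters, nginx vhost head, locations."/" …
locations."/alertmanager/" = {
  proxyPass = "http://127.0.0.1:${toString config.services.prometheus.alertmanager.port}";
  extraConfig = ''
    auth_basic "Prometheus";
    auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path};
  '';
};
```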
@@ -0,0 +1,181 @@ +nginx: + httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZGJwdVkyejVHb1hLeU9Y + QVJ1bURJV2xwV3FaKzF6YXZHTHFyekR4TEJBCkZoUGxwU0trVXdLM3E5cmdPcmtu + bE5NNkRNNlBtclpsbXRNaVJtcnVpTW8KLS0tIFpzR1RlM2ZzYi9wSHRQWFZ6VUxs + Tml4ZENJd3Y0cmtTdnQ0ZCtTY256Sm8KRKvkk5WDaC8THCqgoKe2cD+AzdAqtfMH + GynKYyQU3rgXl4r8K4XUEkEX8g3+SLitfbo35E66531Q/+yQc79V8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M1F2N3FEY2xiRFZaVlJv + cXUyU1NZYXpKVmlDT2hGM2ltNmVHS0E3SFhVCkcwWmZuT2RZVzg3aC9zQXI3aDhk + cFp4RHN2b1RRcXRSNXFudmYrY3oydVEKLS0tIE1JUXdpVlFkQzZKNFBVaFFKTkxR + dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU + EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-27T00:27:41Z" + mac: ENC[AES256_GCM,data:FsqddyIQqc0qZerOc6zXs39hBOOwh6Bnjd0gw+Kdq11NMxPFKd05/XGkpoHzVbAFioMc528XkpWubVO5rnCBsLKkwuCm+wtQbFU74oXXUbZKrF7Ucxk0bUSmCX1Y+YTsiO5SfUwWuO+YA5RZbdNekE19MYRnVQ4MDBnfWlrZERk=,iv:d8Rceuua4//ZEcDEoAziw70ySKv/PtPr46sM79s3Ex4=,tag:jfCwyfhjIrYlHgEyv8BaQA==,type:str] + pgp: + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6j84+xkv3y7AQ//bQe3Ci9UwmvIuNasPiFzRtI+872msVZWlthYHc0SkrU9 + A8exnBo0uQbA6h5sA/so+CCt4wIxhMGikzapgTQZ1oP24fzvInES0aSuUsBDfys8 + Mgp9lvRGCv5jaxhfF8gAeI46M0qvkIkbSInfaLjjFbQn9xFwPrejE4l8RQ8At4Di + NSWkvxNQlLH0qBVyXbFvToMhSYVZFsGoncHcNTOC4nEktnFNhptsjsvtA4u6aatv + QXSLrlDY5ng4hvjtDTvrzdS1UH5pE9gm9xgqdb95xiS24zwTUGbACP8sWVIUKPX/ + 
E38/g6H1AmaVadK/t9F/fP5sTcBI2dMHxHXbndpOb2MxS2lJ/sA4rbFmaVHmblgR + J3w1g7JqPOANEneKJ4JWVDRWYwfgQ2IpB4EAetiDtN7KJTWyUgSrB0unNcmy+4cd + 2H+/CM9ARDwnohPhypSIovjXeh8L1uHqniUXxlIUbXHoNugRybQZYMxZx3cLoH5a + WTTy+KJKLdRjeYxDyxVq00KCe9dXsxP/CTRpxZN+ejVAFvDqukzmI3yfSlgiX/M1 + Ysaa9su1NiFU5h4xsY828Vw4TsNfeiUB/MkHlQQc0f09cd0Aq7Z7lnGs9oWJQOKX + bqI6Fjw3nY1QYkfivFZ3baXq4rbt7kTN5WoA+tPXntNVibp93A4X3jl53X5coPbS + UQGz3jOgf7Vm5LUQ0VAErMClgKhddv9u+g0XH/uunfRO1ULw4fLFxBmpq/18Tfdg + YgiTyJRW/qEqXGzbRl+k2oJz49rn6uJ+Fj6quwZHU67EwA== + =kTaA + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8zMZ+ak7y/zARAA3O9dCE+hACJ84wcEQ+eOF9xlZo96cUbcI/v75+PX9mBG + js0ST9ykF8YFtAkAjpuS/B3dwPQY8PdA1fYX83Ke/tw4UeikF3e5kJ2SadlhryGE + XpV0qRp79QCHPMauVGYiMK9gLtkgZFGYRcy3GEIz8EDvRpgYnSKJNrJXjDOJhW++ + WyjwytvSE3WHogP+mhOMgRIn+uYuqirw5c6jIq33ZS3pPuaGe4IR3YysNL8vI+z5 + 6QFa/Vzrh+T2gE6/iGyZ+/Kc0N2Rbg8YwEec5nFGKMAyRsK4nO6e2h+nAjoCR2Hn + 3NZ4elSTJB+/yRCxcs+TECynPkFpjER49c0sHSvyaCvkoQmRc4kZChukbPEG4SDi + qMQnmYNfto5TgkM/2SDpzK+UFq3iYVt+lTySW2sdtn2Kv/oDy/iFfsqFuIix1Egu + rlwfSusdLFzvkzD0Lc8ynEevJAA2q7ZnVxSpY7EUgR+9RLfRn3m5KwHzvl20Ylvk + O3GU3tJSERY794WmCNiGlmz4q6G84WQTGFo/7e/fxGQJ1gz4btQdxnHMZFJywHzh + klO3ZxgFPWfKiBzI47ta/xHxUhcYwjVud3IG8rc/g8LSt4ZJ4aEBIRvrQk6m5v5h + 32AtP2c3bLz0uSyQWZ4z5OarAxKoReb+7aYPU7BZpoqciElQkyza/hAdC6iEf17S + UQFWWEbUvBNW3hWYNhv1sVcIownmObMP5jbwJ/1UuGVBK4MfCCpLcoJgIeVH0m5h + LHdHmgwkKO5Rpn7iO8EDn69lBYM2mhbCDeigCaAubLAnsQ== + =XHIF + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA45bZkLXmBFpAQgAtwj46Mv1ih23i4RUjW+WwqTrt+2d65JK4Kjm5oPvpGyO + hoYLuEV2V9dI1WoJgmp0+pUS/f8LxJdo1OxeZP82ctrOFPxcb1wLfoG+Vg94GPHx + wMtY9jNn0W3FX66a32AK0GNorSLl1miT7NRBimD2KAvoPSqKEGc1av4xDm9ue1fc + tdcFf8MJjAvaNtAfCvnQ4NqM+lJwPjNmH6CtAQlHHJMgHFuNXZvY8lYbGOw7JpKt + 
opGQD11FjMa5EUyxZfTk8vrPuhgTGknbj/hJOaRLJtTRjnjPfFkLULS9lwaJ0RxN + UVI0v6FfrBcC/rfRJC7Uda0UvDSaaUNAiYlSlQZ4c9JRAVKh3yUxGC4rEDP+ecGO + 8VPvF+H5c3xJ6Qe+81Q1B+vm6rq8WoguilPlQLD3fc8C3vqqNTWpA0b0vVUXm/oq + /yeF6f4+jLkZ16LNzIpQ9uyq + =qkB4 + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwMCBBrc/JA6AQ/9G/+euKdVS9Jiqs9yRyqAujcPwPlYr85zAk+Rjzjo1tux + N07qtz6z7HRHgHhP4lGRw7PkvUkxdFB19nnF41jn4ohoXGJrSkHlKEXGcrCJP+Lm + 8bIKAkTqXvN3qqJH6Rbd76T3wpLAQuq9pm4fsxXl1qHU2PMxehbhVZnwHtPT5mD9 + YkJV0ZVW91tDeJT5Od93vPyD+z+vccS0kBTWVwlSG7I0fMwQsbQwkVtqrJWM2Foa + UPYHDgZEKIMEvpYwy33l9NHjrsLf/kul/xNtKxFCzcjOkw9k/pJdc6CVzX2rVhtp + shUOMdzFh/DYqdtwm1h7VVS8xGSdlcFb7nxgYGZuIY8QsWuRB/+j/p5vDmlE46P9 + SvsuwFJnNc7bE8EHuU1GJGJdQUpyVv+nPGam7L3zLoLRggB8OBS07e/z+ORLogB8 + I7AF6Pcx9g0AwZeeEczhBYQvFcGjuHGb6uJNMYLylxoNm8u197Fyu7On3l7/IJqX + q0w4ickZlkPySbx1OeqIEektiw69HwYhr3/E9B6O+0YL8JRJ5qVtDSw5cudhgIlB + b5AfMqt1l+KvjByalhCK6msfuOUDnMhbdjLvSOr8iDUXQ/ZGPtiPaJDJ2Htx32yh + zmhWfI7Ws0l/z8Ai939k5ssESccOAfsV4WaKcCcbAke581n+jYEwcTp4KQKzoLLS + UQE1vWLijpOjby3So2IMu9gBF0ZmN9EkCt12IP1oa3mMU2yZ5wV/VW1BLSezuVvE + v7/FuFnC3jvvYxLV9VUYKQ492PS8oLAwirxrL5a45IyrMA== + =of/K + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9XEenRNYVGHARAAir30MBOtYtXP3K0hN++LgCtLefPi6455kns0KWkPI8Jd + tIrn7h7/O4Znd4QO8Iz1ouyubeEvLbLjS4wMc4NIUNVoDWpmlWveHDgp9ddLDLUG + MYBsswVVx2SwCzsIQHADpAa0m2MSfmhTxwBP+lieFg5T3LQi0Jo30DFrDtdIKLbN + GPeHuDFdQ8zB2dyPXvSgsOxW9ZNDXAObwewsuEAWhQtkNvtIH62fH+wopjtEdZAX + pbHwcAZCOVciWhbKo3zKme1Jq6XQE8Of+w0mBoMeeVr+f54s+1DRE6vy2hH5QDBK + 1oWRtWpoFrTKGO/KwN5QsehgP6FqZVaWiAMubAR17k2WGzlTQvIWoCxlpv+Mu7eN + tsqbLyEmMvmc1NoN06N2CP31KP1Z9bwpxPmiz9Ph8ZfzL9Qw68zJx+dFjrAJIEuo + T1KOuWkfPg6llE5Hs+1WqR4Kj0+uH7irNjRGCv6ruWVoYQXP/7dpnwcHBX/Is5IN + 
2gR4Btn4t+nBNCfVcvOq0CUdFGrOr/O0sUDX7Ob0Gqu7fY3nrZpTwGQ5okPFSpJE + 1/OkWIUgAEHO1Y3X61nc2Iu5eI+jYmSaF12xjiHdKGwmkLfryt4taQBmxPJSN7ym + 0uiXf0d8SRuqHbz8keBCjp85RV/y1XGX08yltgPXpU2fmv1k5dKErBtNeAIudD/S + UQERFu1HIYfCPzAxwI3Z+WbTFo+euO0dZ1Uaw8CVMGcaMTufNQg7H99d+td2pM+D + /W8QfZAIGSYDjYWn6YffgRvDwsNZeMpGRo57XNvwZiIu7g== + =xRwC + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf/ceQh3zHJqWDRP2Q1l5rz69DfEweCJkuCxewVICRKYVie + p4LzKUjnZp+8KB3LjHzSEuQXc0eqNXNmGu908uwbwG9Z+xiFj+CIe7KMZWW42gY+ + I1/nOA0WRzOYevO3vlZSzfZgsN5tfFkQkrU4hMf6YFhuM1m3HOrz5P9pc7uJGETh + wHX7k0BSrUjmg8RYcJ+WIc2SPUqv/g0zceLSTE0Btpxg3XmrcHnvs/ThQ6afxHYN + K0QEAgIqWwzNU+1+1QkB+yFeAflY10Zbhv0K+WdTn7JzlJZrxyvY32x7lTfCH5c1 + ycZy/AvGfk5ohkLtSx9f1DxpRCUlOS5TvP7I5X47p9JRAZAaCM9HCG4uMKZwkmEF + /Yf7fTJHnIPPY7neR+2qUUg/Y3Th1mNbijBtV0A8XLFpNtWpn8Qzylmak2amYIql + l6cwBxhl5N3vg7LGxUQQJfEO + =dfLg + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ/+JXfpbLEUdY8fSAmKo/MyaZi9K9cHDs7c4CnEU3Mi8enh + 9j1/0KTzs99zb6gZKQ/z4MMCiNQ70jK5XcTOgrKtUKeZ0sH969TDamsxxD1Ocfxh + Ts+MGTE9C+odIBFvQDOAazkWbPGQ8EheCDauFk8FFZDBj8oK3Vw7hKUxYFMBTM/z + UBLAHkbO6Sv38AHmqsHwzsP0+YZgA9pployt28arYXlwX+I7tYAK1V74SkxIWSD1 + 4YHSJvHpos25/MS/PNR4SEQFSceQGfDuFCdwfkC6bKi7tdp3Af34q4v6OqA/iFnx + hErcjrXPmlHm/YR2gd7AcLPb7WolB8/j/txl1TAxkSwCRodqcQH8L3bYoA9XxkHP + 7Yd5gfvivkQy0sjKF3dwpetu4bOdZUEwj+jY/54iHPECKTLK7TFGJ48A3v51Juw3 + 4uU4pPVCTkQnRnkknbhicvs2IzvgS/OfAJTUBKW8+3yPkWenQQfeje0VHSUfT9hO + KQ3zafhwGShqXPxbM0J9beigvL3iDE3U7YZYOfrryuHCveSkXobwQZY0Ylok52BX + 9t12lOldOKBLy127V0sQeZ4eWRiKjoyHC46DFByWN03dn6yRXrcE/8QGOyUgu2PR + 3SOEm1pnujVa5dhq0MVAxwgHH/+avI+HM0VHRsykYVVOR5O9ywpCAurgB0/wKJrS + UQEUAPEm/YDfg7no9GnD/tXCwIgjO1m+H8+Z8e3Mama4hPZV9fuSc4M8GQGhWqFY + jYvNgfR7UG/RsqAxoEA1hCoh0Jfu6uLX5/P9X0DQdM8WHA== + 
=KHuT + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJARAAs33yYShXtNdy9N+7D0fs5EU7gWYmJfL/lETxkcmQjQg9 + baX2Zqc2z96jg9TcqFuwbvV6xb/JrSGOs/Qusq1lGPhGaSNHo1KWY8EyDM/6v04x + bE9poMb3D0HzIpm+fpDkKZyU15f3Mye5rauQm8a6qgHfd0Aus1HNs9R7RjBeU6pc + esEOFOAvbKhg5FcY+E7BVa6nHAHACaK0jiTKNEWU3qfTAqYqarGXhALhujywHMxh + YBtu1EQBGimAT6orZCaBMaLbH4LL6ozFk50jHQSgDxti/J4GHDtN4GVzIzySwfkS + 1S/8PYiM7UglxmdezxopOijzQD36DU0Sh6m44KWIWFPeN2P/Zkau16sfDQ49/K1w + sEoZK9RZlFXI+O0PsPHmUkewvUhHMbLF8oa4By8jS0I6rcR+zNPlXQ3Y44v5bEtk + y+9CaeJWg0mPf+rtqa5cwkbJhNgpMJM2k6sl5reczVzruYRkMcMO9QlIUF1Apxxa + Z6hkFS7TlY7GQ0mpeg7DgKzCOHzHxVPRetit5uH25zxluHzwxYF16G6K2fF+V71v + ERlryh/cJDuwAl64aXgIw1DBWMOwixJjO+qfyEUrb4taOXyv5wJ0p+ew6F6AeWue + RC1aHcfXN3QJsqXCRRqdI8ceu/Tfo5xTOOAqbNlDzM/kcEXj4rE8WS1cKNknLZHS + UQH9XIbJ70Nc5gWR35V7z2Lqos2TRp4WaeTbmr7z902wMDAl2GrjRoyo8EA7k2gG + 13XKgeObbkdmE7dTwOZbhzrBDFn2pcyI1NsC85iX154pKQ== + =wWjU + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3 From e85c3d8c51d08f403fb3c18748d4c93a2b8c6a3b Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 27 Nov 2022 01:38:19 +0100 Subject: [PATCH 120/247] prometheus: redeploy --- modules/cluster/deployment-options.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 31aa761c..4f77f516 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -44,9 +44,10 @@ config = { # HACK: Avoid conflicts when building a NixOS configuration on Hydra boot.loader.grub.enable = false; - fileSystems."/" = { + fileSystems."/" = lib.mkDefault { device = "rootfs"; fsType = "tmpfs"; + options = [ "size=50%,mode=0755" ]; }; }; } From c469c46ffec9922bf63ba913c28dcf03319e3bc0 Mon Sep 17 00:00:00 2001 
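Review bot: The new `options = [ "size=50%,mode=0755" ]` deserves a comment, because the `mode` part is the important one: a tmpfs mounted without it defaults to mode 1777, so the previous definition left `/` world-writable (sticky) on every host using this module unless an `options` value was merged in elsewhere, and `lib.mkDefault` now additionally lets a host replace the root filesystem altogether. Suggest `# mode=0755: tmpfs defaults to 1777, which would leave / world-writable; mkDefault so a host can override the root fs` above the `options` line.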
From: Astro Date: Sun, 27 Nov 2022 01:48:03 +0100 Subject: [PATCH 121/247] prometheus: add scrape --- hosts/prometheus/default.nix | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 38b4b0bf..c36ef496 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ zentralwerk, config, pkgs, lib, ... }: { sops.defaultSopsFile = ./secrets.yaml; @@ -13,6 +13,7 @@ services.prometheus = { enable = true; + retentionTime = "7d"; alertmanager = { enable = true; @@ -56,6 +57,34 @@ web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; }; + scrapeConfigs = [ { + # TODO: authorization? + job_name = "node"; + scrape_interval = "1m"; + static_configs = + let + zwNets = zentralwerk.lib.config.site.net; + fromNet = net: filter: + map (host: + "${host}.${net}.zentralwerk.org:9100" + ) (builtins.attrNames zwNets.${net}.hosts4); + in [ { + targets = + fromNet "serv" (_: true); + labels.__meta_net = "net-serv"; + } { + targets = + fromNet "flpk" (host: host != "flpk-gw"); + labels.__meta_net = "net-flpk"; + } { + targets = + fromNet "cluster" (host: builtins.elem host [ + "server8" "server9" "server10" + ]); + labels.__meta_net = "net-flpk"; + } ]; + } ]; + exporters.collectd.enable = true; exporters.collectd.openFirewall = true; From 71a611467d14a6f91ca276f8036ba82f2187e70c Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 27 Nov 2022 17:23:47 +0100 Subject: [PATCH 122/247] stream: fix pub network --- hosts/stream/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix index 3e039421..f16f669e 100644 --- a/hosts/stream/default.nix +++ b/hosts/stream/default.nix @@ -38,6 +38,7 @@ in # On the pub network I am a normal client. networks."30-pub" = { networkConfig.DHCP = "ipv4"; + gateway = lib.mkForce []; networkConfig.IPv6AcceptRA = true; }; }; 
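Review bot: `fromNet` takes a `filter` argument but never applies it in the `-56,6` hunk, so the `flpk-gw` exclusion and the three-server restriction for `cluster` have no effect and every `hosts4` entry of those nets is scraped; use `) (builtins.filter filter (builtins.attrNames zwNets.${net}.hosts4));`. The third `static_configs` entry also labels the cluster targets `net-flpk`, presumably a copy-paste slip for `net-cluster`, and labels beginning with `__` are dropped after target relabeling, so `labels.__meta_net` never reaches the stored series unless a `relabel_configs` copies it; a plain name such as `labels.net = "net-cluster";` is what all three entries want. The `# TODO: authorization?` is apt: node exporter is scraped in the clear across the `flpk` and `cluster` nets, and a comment on the interim risk accepted would help.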
From 18d0694b105810762d38003888e2fe2a87edf3a3 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 28 Nov 2022 00:49:14 +0100 Subject: [PATCH 123/247] modules/cluster/default: add additional gcroots symlink --- modules/cluster/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index e948e110..7b698fd0 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -75,4 +75,9 @@ in { } ]; }; }; + + systemd.tmpfiles.rules = [ + # additional gcroots + "L+ /nix/var/nix/gcroots/skyflake-microvms-big - - - - /glusterfs/big/gcroots" + ]; } From 07bfd31ee7eedbbaca366b18000f29cf28060ef0 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 28 Nov 2022 01:16:36 +0100 Subject: [PATCH 124/247] modules/cluster/deployment: disable nix.gc.automatic --- modules/cluster/deployment.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index c0d2a1cd..049f2f37 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -127,4 +127,8 @@ builtins.filter (hosts6: hosts6 ? ${hostName}) ( }; }) {} networks; }; + + # nix-gc breaks writable store overlays, devastating running + # MicroVMs + nix.gc.automatic = false; } From d99d4129f34c7921969277feb51d9748dfca39a5 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 28 Nov 2022 01:16:54 +0100 Subject: [PATCH 125/247] modules/cluster/deployment: add operator to needForSpeed nomad affinity --- modules/cluster/deployment.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 049f2f37..8a23ac35 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -74,6 +74,7 @@ in } ]; affinities = lib.optionals config.deployment.needForSpeed (builtins.genList (i: { attribute = "\${meta.c3d2.cpuSpeed}"; + operator = ">="; value = toString (i + 1); weight = 10 + i; }) 10); 
From c21bae9dd60258a7c1b13c94f2ba5af243c79f04 Mon Sep 17 00:00:00 2001 
From: Astrobot Date: Mon, 28 Nov 2022 10:01:13 +0100 Subject: [PATCH 126/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'fenix': 'github:nix-community/fenix/0d4b86633d6c5438a7b97d485f02e7e18101a541' (2022-11-25) → 'github:nix-community/fenix/864fe18d688b0c8c0730bb179b6686eac951f613' (2022-11-28) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/1e6a49a801708a8bcbe429ce03f614a7951bdb11' (2022-11-24) → 'github:rust-lang/rust-analyzer/6d61be8e65ac0fd45eaf178e1f7a1ec6b582de1f' (2022-11-27) • Updated input 'nixos': 'github:nixos/nixpkgs/8690906c4d80db5d85f52313a8487bf2e7b8d4c5' (2022-11-25) → 'github:nixos/nixpkgs/899e7caf59d1954882a8e2dff45ccc0387c186f6' (2022-11-26) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/27ccd29078f974ddbdd7edc8e38c8c8ae003c877' (2022-11-24) → 'github:nixos/nixpkgs/5dc7114b7b256d217fe7752f1614be2514e61bb8' (2022-11-25) • Updated input 'openwrt': 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=829cc60a281b9da1ede262d32f1359b4d997555f' (2022-11-24) → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=b33090a0faf73d5d03e96c132c413776d6ed8b87' (2022-11-27) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/a34bbf93ead52375a103ba5ad4a147062cea8a89' (2022-11-25) → 'github:astro/nix-openwrt-imagebuilder/142354dc1d32d307eaaf2c77ff56cb12c9ca3169' (2022-11-27) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/87fee4b5b0ed4bc7f6db2e878a8c93db8d631e01' (2022-11-25) → 'github:oxalica/rust-overlay/b9da8e68a08707115be750c0cf7ade33f49d8ec4' (2022-11-28) • Updated input 'sops-nix': 'github:Mic92/sops-nix/f72e050c3ef148b1131a0d2df55385c045e4166b' (2022-11-20) → 'github:Mic92/sops-nix/a01f386f34a854fe4f8754e62a6837748bc84a8a' (2022-11-27) --- flake.lock | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 
25 deletions(-) diff --git a/flake.lock b/flake.lock index 6777db0e..81948e40 100644 --- a/flake.lock +++ b/flake.lock @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1669357571, - "narHash": "sha256-jKMZjewUOD6s71xP8zaTZ/oB3dtHM2D/cLgHoNQ9s80=", + "lastModified": 1669616799, + "narHash": "sha256-cTe0E41+4h3LS7NtYd+LdE2ngvIBZ5VIQflT4qu+z9I=", "owner": "nix-community", "repo": "fenix", - "rev": "0d4b86633d6c5438a7b97d485f02e7e18101a541", + "rev": "864fe18d688b0c8c0730bb179b6686eac951f613", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1669379897, - "narHash": "sha256-XM3xBfQD5tOtV4KAhQHyh53cJdqkLwotZa5JJIUjbQc=", + "lastModified": 1669465383, + "narHash": "sha256-fVbG427suESAEb8/P47O/zD/G9BSeFxLh94IUzgOchs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8690906c4d80db5d85f52313a8487bf2e7b8d4c5", + "rev": "899e7caf59d1954882a8e2dff45ccc0387c186f6", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1669320964, - "narHash": "sha256-EBFw+ge12Pcr3qCk8If3/eMBAoQLR7ytndXZoRevUtM=", + "lastModified": 1669411043, + "narHash": "sha256-LfPd3+EY+jaIHTRIEOUtHXuanxm59YKgUacmSzaqMLc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "27ccd29078f974ddbdd7edc8e38c8c8ae003c877", + "rev": "5dc7114b7b256d217fe7752f1614be2514e61bb8", "type": "github" }, "original": { @@ -490,11 +490,11 @@ "openwrt": { "flake": false, "locked": { - "lastModified": 1669304702, - "narHash": "sha256-hQ61usu3bgxJMVm9BlWx89pSvLN3zR4DYkQxEAfNA0w=", + "lastModified": 1669563413, + "narHash": "sha256-v3Krt7iTBcUxMjXff3XFDhdp685UcNW4RoMZcmcJ01E=", "ref": "openwrt-21.02", - "rev": "829cc60a281b9da1ede262d32f1359b4d997555f", - "revCount": 51165, + "rev": "b33090a0faf73d5d03e96c132c413776d6ed8b87", + "revCount": 51175, "type": "git", "url": "https://git.openwrt.org/openwrt/openwrt.git" }, 
@@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1669410757, - "narHash": "sha256-eznda7OuReuwd40FKqe1spm6biiw1um+ypF2Y7XVOkA=", + "lastModified": 1669580767, + "narHash": "sha256-Wpt+NcOc5RVm0g+5jBCCF6k9FXS62lBo6K41SoCXNYE=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "a34bbf93ead52375a103ba5ad4a147062cea8a89", + "rev": "142354dc1d32d307eaaf2c77ff56cb12c9ca3169", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1669325252, - "narHash": "sha256-c4cqmy1lrPRC/Uwf+Sim4xxptVk7fH/STHeqe9BKOVU=", + "lastModified": 1669551522, + "narHash": "sha256-ScH3I2/5+tCN23U8mUUj/HoZXDF11fo1z93X9imAfOo=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "1e6a49a801708a8bcbe429ce03f614a7951bdb11", + "rev": "6d61be8e65ac0fd45eaf178e1f7a1ec6b582de1f", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1669343666, - "narHash": "sha256-PvNbZvkgVmwDG3uDsG0rFbRBcXiPSxdbpHC7mgwcc6s=", + "lastModified": 1669602829, + "narHash": "sha256-I3LBvBiVui4Rf0iQvTqUIgBovaLDzpOzsoNEzCsDowg=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "87fee4b5b0ed4bc7f6db2e878a8c93db8d631e01", + "rev": "b9da8e68a08707115be750c0cf7ade33f49d8ec4", "type": "github" }, "original": { @@ -668,11 +668,11 @@ ] }, "locked": { - "lastModified": 1668915833, - "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=", + "lastModified": 1669520266, + "narHash": "sha256-NY0lyWC5djlvAiAhGb9xvT0bknBVLh/egvd3TqmJasc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b", + "rev": "a01f386f34a854fe4f8754e62a6837748bc84a8a", "type": "github" }, "original": { From 69a66f3ebafb7bffa6bb49c25a6cb1ef49fe0174 Mon Sep 17 00:00:00 2001 
From: Astro Date: Tue, 29 Nov 2022 02:10:43 +0100 Subject: [PATCH 127/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'caveman': 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=691af99c36ad47bdf143df027766de2b2f349175' (2022-11-25) → 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=404767d88b4a383b594b0a259ca6187861bf6b89' (2022-11-29) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 81948e40..8441c432 100644 --- a/flake.lock +++ b/flake.lock @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1669340633, - "narHash": "sha256-/VMi0ea0D+/sHsROVe4c+7q3n3DvpDRONcd+hko8j1g=", + "lastModified": 1669683082, + "narHash": "sha256-2bSuv8l6Zxi8tUwAy07vHVpIm/J335D6Qnf02mTz2cI=", "ref": "main", - "rev": "691af99c36ad47bdf143df027766de2b2f349175", - "revCount": 138, + "rev": "404767d88b4a383b594b0a259ca6187861bf6b89", + "revCount": 140, "type": "git", "url": "https://gitea.c3d2.de/astro/caveman.git" }, From af51086c18ca423a277970f4f24c23d5ff9b0acf Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 29 Nov 2022 02:10:49 +0100 Subject: [PATCH 128/247] caveman: bump microvm.mem from 8G to 16G --- hosts/caveman/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/caveman/default.nix b/hosts/caveman/default.nix index 8dda88f8..7d33a5d5 100644 --- a/hosts/caveman/default.nix +++ b/hosts/caveman/default.nix @@ -10,7 +10,7 @@ }; microvm = { vcpu = 8; - mem = 8 * 1024; + mem = 16 * 1024; }; networking = { @@ -23,7 +23,7 @@ ''; services.caveman = { - redis.maxmemory = config.microvm.mem * 1024 * 1024 * 3 / 2; + redis.maxmemory = config.microvm.mem * 1024 * 1024 / 2; hunter = { enable = true; From 7d203cb0d2b266a3b277886d6e21a46264809191 Mon Sep 17 00:00:00 2001 
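Review bot: The second hunk of the caveman change alters the `redis.maxmemory` formula from 3/2 to 1/2 of the VM memory, which the title ("bump microvm.mem from 8G to 16G") does not mention; since the old value exceeded the VM's own RAM this reads as a deliberate correction that deserves a trace. Put the intent on the line, e.g. `# Redis may use half of the VM memory (mem is MiB, maxmemory is bytes)`, and name the ratio change in the commit message. The first hunk is a plain size bump and needs nothing.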
From: Astro Date: Tue, 29 Nov 2022 02:11:39 +0100 Subject: [PATCH 129/247] .sops.yaml: add hosts/prometheus --- .sops.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index 55ae3a7f..6957a309 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -58,6 +58,7 @@ keys: - &stream age1j5csp5v5s2g8am47dd85kcke8986e0qc88f0vfgd3kmvwu8azg3smslk92 - &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu - &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl + - &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k creation_rules: - path_regex: config/[^/]+\.yaml$ @@ -91,6 +92,7 @@ creation_rules: - *mucbot - *nfsroot - *oparl + - *prometheus - *public-access-proxy - *pulsebert - *radiobert @@ -187,3 +189,9 @@ creation_rules: age: - *storage-ng - *polygon-snowflake + - path_regex: hosts/prometheus/[^/]+\.yaml$ + key_groups: + - pgp: *admins + age: + - *prometheus + - *polygon-snowflake From 828a374f3870c34c497c948fc0e16f037d38507e Mon Sep 17 00:00:00 2001 
From: Astrobot Date: Tue, 29 Nov 2022 10:01:14 +0100 Subject: [PATCH 130/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'fenix': 'github:nix-community/fenix/864fe18d688b0c8c0730bb179b6686eac951f613' (2022-11-28) → 'github:nix-community/fenix/723bf93513f1331961c5251817214e64d306b24a' (2022-11-29) • Updated input 'nixos': 'github:nixos/nixpkgs/899e7caf59d1954882a8e2dff45ccc0387c186f6' (2022-11-26) → 'github:nixos/nixpkgs/ce5fe99df1f15a09a91a86be9738d68fadfbad82' (2022-11-27) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/0099253ad0b5283f06ffe31cf010af3f9ad7837d' (2022-11-22) → 'github:nixos/nixos-hardware/7883883d135ce5b7eae5dce4bfa12262b85c1c46' (2022-11-28) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/5dc7114b7b256d217fe7752f1614be2514e61bb8' (2022-11-25) → 'github:nixos/nixpkgs/a115bb9bd56831941be3776c8a94005867f316a7' (2022-11-27) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/142354dc1d32d307eaaf2c77ff56cb12c9ca3169' (2022-11-27) → 'github:astro/nix-openwrt-imagebuilder/e3b0754ab36871291da773355932c58ac81b3952' (2022-11-28) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/b9da8e68a08707115be750c0cf7ade33f49d8ec4' (2022-11-28) → 'github:oxalica/rust-overlay/4e093ce661a63aca4bcbace33695225eae4ef4e4' (2022-11-29) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 8441c432..c7ce41b7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1669616799, - "narHash": "sha256-cTe0E41+4h3LS7NtYd+LdE2ngvIBZ5VIQflT4qu+z9I=", + "lastModified": 1669703151, + "narHash": "sha256-I6EcDjBIyFv3H7uhsq7agt9eJGUzCRKsRwXexrKBxNc=", "owner": "nix-community", "repo": "fenix", - "rev": "864fe18d688b0c8c0730bb179b6686eac951f613", + "rev": "723bf93513f1331961c5251817214e64d306b24a", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1669465383, - "narHash": "sha256-fVbG427suESAEb8/P47O/zD/G9BSeFxLh94IUzgOchs=", + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "899e7caf59d1954882a8e2dff45ccc0387c186f6", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", "type": "github" }, "original": { @@ -381,11 +381,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1669146234, - "narHash": "sha256-HEby7EG1yaq1oT2Ze6Cvok9CFju1XHkSvVHmkptLW9U=", + "lastModified": 1669650994, + "narHash": "sha256-uwASLUfedIQ5q01TtMwZDEV2HCZr5nVPZjzVgCG+D5I=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "0099253ad0b5283f06ffe31cf010af3f9ad7837d", + "rev": "7883883d135ce5b7eae5dce4bfa12262b85c1c46", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1669411043, - "narHash": "sha256-LfPd3+EY+jaIHTRIEOUtHXuanxm59YKgUacmSzaqMLc=", + "lastModified": 1669542132, + "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5dc7114b7b256d217fe7752f1614be2514e61bb8", + "rev": "a115bb9bd56831941be3776c8a94005867f316a7", "type": "github" }, "original": { 
@@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1669580767, - "narHash": "sha256-Wpt+NcOc5RVm0g+5jBCCF6k9FXS62lBo6K41SoCXNYE=", + "lastModified": 1669668296, + "narHash": "sha256-/i1UWcpqW1f/Ulj0ZHb38uEbz+3e7XuamQhNoHYAQ48=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "142354dc1d32d307eaaf2c77ff56cb12c9ca3169", + "rev": "e3b0754ab36871291da773355932c58ac81b3952", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1669602829, - "narHash": "sha256-I3LBvBiVui4Rf0iQvTqUIgBovaLDzpOzsoNEzCsDowg=", + "lastModified": 1669689198, + "narHash": "sha256-YsWu3C9IGbH3+xguTzEDyQorFe/igr6FGZ+Q5T2ocxE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "b9da8e68a08707115be750c0cf7ade33f49d8ec4", + "rev": "4e093ce661a63aca4bcbace33695225eae4ef4e4", "type": "github" }, "original": { From 7811d3c444651ec63ce436040648696b78a6c998 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 00:22:34 +0100 Subject: [PATCH 131/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=c52991536725810f596cd25616a359a60b3d9aa7' (2022-11-27) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=15e1e9fb1c55ec5fb62f4c7e61bf63aee5c35eeb' (2022-11-29) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index c7ce41b7..4a3d1ffd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1669507699, - "narHash": "sha256-L1nCw1NlvxHmN2SD+HyeOrlGn+Sb1gmvJTAR4REiXj0=", + "lastModified": 1669764095, + "narHash": "sha256-Ts6aOIk7EXymlKskOwNUOsoTS5ImDYBIG6+zUd+6e14=", "ref": "refs/heads/master", - "rev": "c52991536725810f596cd25616a359a60b3d9aa7", - "revCount": 1674, + "rev": "15e1e9fb1c55ec5fb62f4c7e61bf63aee5c35eeb", + "revCount": 1675, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From a4474a5f398b134ff3f0b2e8c1496e37de29ae51 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 00:34:54 +0100 Subject: [PATCH 132/247] mastodon:init --- flake.nix | 7 ++++++ hosts/mastodon/default.nix | 51 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 hosts/mastodon/default.nix diff --git a/flake.nix b/flake.nix index 1e0f1394..5d91b64b 100644 --- a/flake.nix +++ b/flake.nix @@ -1006,6 +1006,13 @@ ./hosts/prometheus ]; }; + + mastodon = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/mastodon + ]; + }; }; nixosModule = self.nixosModules.c3d2; diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix new file mode 100644 index 00000000..cbd0842e --- /dev/null +++ b/hosts/mastodon/default.nix 
@@ -0,0 +1,51 @@
+{ zentralwerk, config, lib, pkgs, ... }:
+{
+ networking.hostName = "mastodon";
+ c3d2.hq.statistics.enable = true;
+ deployment = {
+ mem = 4096;
+ vcpu = 8;
+ };
+
+ system.stateVersion = "22.11";
+
+ services.postgresql.enable = true;
+
+ services.mastodon = {
+ enable = true;
+ localDomain = "c3d2.social";
+
+ smtp.host = "c3d2.social";
+ smtp.fromAddress = "mail@c3d2.social";
+ # smtp.authenticate = true;
+ # smtp.user = secrets.email.smtp-user;
+ # smtp.passwordFile = "${pkgs.runCommand "smtp-password" {} ''
+ # echo "${secrets.email.smtp-password}" > $out
+ # ''}";
+
+ extraConfig.WEB_DOMAIN = "c3d2.social";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."c3d2.social" = {
+ root = "${config.services.mastodon.package}/public/";
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/system/".alias = "/var/lib/mastodon/public-system/";
+ locations."/".tryFiles = "$uri @proxy";
+
+ locations."@proxy".proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ locations."@proxy".proxyWebsockets = true;
+
+ locations."/api/v1/streaming/".proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ locations."/api/v1/streaming/".proxyWebsockets = true;
+ };
+ };
+
+ users.groups.mastodon.members = [ config.services.nginx.user ];
+}
From 9e97c34038231c27a2106a7e6e503dc41fbc1a86 Mon Sep 17 00:00:00 2001
From: Astro Date: Wed, 30 Nov 2022 01:13:23 +0100 Subject: [PATCH 133/247] mastodon: use nixos' mastodon nginx config
---
 hosts/mastodon/default.nix | 31 +++++++++----------------------
 1 file changed, 9 insertions(+), 22 deletions(-)
diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix
index cbd0842e..1ca2690a 100644
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@@ -23,29 +23,16 @@
 # echo "${secrets.email.smtp-password}" > $out
 # ''}";
 
- extraConfig.WEB_DOMAIN = "c3d2.social";
+ extraConfig = {
+ ALTERNATE_DOMAINS = lib.concatStringsSep "," [
+ "${config.networking.hostName}.serv.zentralwerk.org"
+ ];
+ DEFAULT_LOCALE = "de";
+
+ };
+
+ configureNginx = true;
 };
 
 networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- services.nginx = {
- enable = true;
-
- virtualHosts."c3d2.social" = {
- root = "${config.services.mastodon.package}/public/";
- forceSSL = true;
- enableACME = true;
-
- locations."/system/".alias = "/var/lib/mastodon/public-system/";
- locations."/".tryFiles = "$uri @proxy";
-
- locations."@proxy".proxyPass = "http://unix:/run/mastodon-web/web.socket";
- locations."@proxy".proxyWebsockets = true;
-
- locations."/api/v1/streaming/".proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
- locations."/api/v1/streaming/".proxyWebsockets = true;
- };
- };
-
- users.groups.mastodon.members = [ config.services.nginx.user ];
 }
From 897139a46b304dabe59592a2cdfb00a8aad92a35 Mon Sep 17 00:00:00 2001
From: Astro Date: Wed, 30 Nov 2022 01:17:39 +0100 Subject: [PATCH 134/247] mastodon: enable ldap
---
 .sops.yaml | 8 ++
 hosts/mastodon/default.nix | 30 +++++-
 hosts/mastodon/secrets.yaml | 181 ++++++++++++++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 5 deletions(-)
 create mode 100644 hosts/mastodon/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 6957a309..7d08e099 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -40,6 +40,7 @@ keys:
 - &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
 - &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86
 - &mailtngbert age1lgjvtszpds9flpwsstxdht00c7zlk3mz7nlc5qftyt8rhfdm330qqmhl72
+ - &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
 - &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
 - &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
 - &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
@@ -87,6 +88,7 @@ creation_rules:
 - *leon
 - *leoncloud
 - *mailtngbert
+ - *mastodon
 - *matemat
 - *mediawiki
 - *mucbot
@@ -165,6 +167,12 @@ creation_rules:
 age:
 - *mailtngbert
 - *polygon-snowflake
+ - path_regex: hosts/mastodon/[^/]+\.yaml$
+ key_groups:
+ - pgp: *admins
+ age:
+ - *mastodon
+ - *polygon-snowflake
 - path_regex: hosts/mediawiki/[^/]+\.yaml$
 key_groups:
 - pgp: *admins
diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix
index 1ca2690a..82ed81d7 100644
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@@ -1,16 +1,21 @@
 { zentralwerk, config, lib, pkgs, ... }:
 {
- networking.hostName = "mastodon";
- c3d2.hq.statistics.enable = true;
 deployment = {
 mem = 4096;
 vcpu = 8;
 };
-
+ networking = {
+ hostName = "mastodon";
+ hosts = with zentralwerk.lib.config.site.net.serv; {
+ ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
+ ${hosts4.auth} = [ "auth.c3d2.de" ];
+ };
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
+ c3d2.hq.statistics.enable = true;
 system.stateVersion = "22.11";
 
 services.postgresql.enable = true;
-
 services.mastodon = {
 enable = true;
 localDomain = "c3d2.social";
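Review bot: In the `hosts/mastodon/default.nix` hunk the new `networking.hosts` entries pin `auth.c3d2.de` to the serv-net addresses without saying why; presumably this keeps the LDAP connection configured later in this commit on the internal network instead of routing it via the public address. A one-line comment above `hosts = …`, e.g. `# reach the LDAP server (auth.c3d2.de) over its serv-net addresses rather than the public route`, would stop the next reader from "cleaning it up" and silently moving directory traffic onto the public path. The `.sops.yaml` hunks are key bookkeeping and need nothing.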
@@ -23,16 +28,31 @@ # echo "${secrets.email.smtp-password}" > $out # ''}"; + extraConfig = { ALTERNATE_DOMAINS = lib.concatStringsSep "," [ "${config.networking.hostName}.serv.zentralwerk.org" ]; DEFAULT_LOCALE = "de"; + LDAP_ENABLED = "true"; + LDAP_METHOD = "simple_tls"; + LDAP_HOST = "auth.c3d2.de"; + LDAP_PORT = "636"; + LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de"; + LDAP_BASE = "ou=users,dc=c3d2,dc=de"; + LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))"; + LDAP_UID = "uid"; }; configureNginx = true; }; + systemd.services.mastodon-init-dirs.script = lib.mkAfter '' + cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env + ''; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets."mastodon/env" = { + owner = "mastodon"; + }; } diff --git a/hosts/mastodon/secrets.yaml b/hosts/mastodon/secrets.yaml new file mode 100644 index 00000000..6ed19902 --- /dev/null +++ b/hosts/mastodon/secrets.yaml 
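Review bot: The `systemd.services.mastodon-init-dirs.script` append does not say what `mastodon/env` contains or why `>>` is safe; presumably it carries `LDAP_PASSWORD=…` for `LDAP_BIND_DN`, and the append only avoids duplicate lines because the module's init script rewrites `.secrets_env` from scratch on every start — if that assumption is wrong, the file gains one copy of the secret per restart. Record both in a comment, e.g. `# mastodon/env holds LDAP_PASSWORD for the search bind; mastodon-init-dirs recreates .secrets_env each run, so >> is not cumulative`. The LDAP block itself looks sound: `simple_tls` on 636 with no `LDAP_TLS_NO_VERIFY` override, and a dedicated search account rather than an admin bind.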
@@ -0,0 +1,181 @@ +mastodon: + env: ENC[AES256_GCM,data:m7NvIAydlGvvNEShlqH8GngjPb6z3TIGkZNcFcBoAWYHCimcp+0c8NNVf4cP7sq3Xg==,iv:PMC4vVN4felWaa7FDUyoYzNk4Eiy56pxK1cOxbAfZ9c=,tag:NQXqWljloBTxXC1tlxylpQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUmZnVjR3SGs3MnJSaUxT + aVJJZDRVK2hXdDZqeTBRT2ovVmxWMm5SMGdvCm5LSGtKVkprQmlUaDdGT3krZnVl + aE5kTG5QZ1JhbjdiWVNwRUp5dkRKbk0KLS0tIFdhSnd5OU02ZTlrMGNMemdYbVNO + YlRrbklFV3lmWGRYVXhvUkNLSzdkRUEKWppsjTBRljJnyXTgMSnq4eSlXdzjF0Bc + LN6oLoylo3zeT+pWjDFG7A9+fIpCiXsIMcZsHiRR7kfX8lHGi5rv2A== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdmNOUUpxOE03UFVoN2NY + dFMrUUwyVHZjeEZYWWhCMFM4YkVFVkpQa2x3CmoyUkhYRXZORnhXVUd2N0plZEdZ + UVUvS0dudkdCRkx0YXdMbWVGV3p4dmMKLS0tIHBCQ2RSRDgyclMzeGJwNndVU3dk + ZHQwTTZVNWRRTUR5STRQb3VIODdPcEEK7emzmECdUobG5/N3TMRcUaZSTsgTF6m/ + 5f8v8Tpf0Ve6veQhC/5+MYtHJOWDkN+nD8gFgRkPn/IlNz9IAMGx2A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-30T00:54:21Z" + mac: ENC[AES256_GCM,data:Ys/exz5C1UO3FZ5XXSx5wolzO+yJ7p59LFOwAOQM5h5wsSd7T43gql9ecjzYZkBub238+uSJYU8kDCaxUFOwLPBIZ6rmA/MS9wRUVr8z5NB9usQFgtD53NNdcRgMWZcM3GEkCBrjB0grIEA6/Btc2klYzLdYS0Glmnn5IMNwkvE=,iv:vJRinUplCiM6m53Yz5TObXaPI2cAcGVBlfvJAgJcd1U=,tag:7DhGp4KyfaOAFG3UT7PWEw==,type:str] + pgp: + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6j84+xkv3y7AQ//THu/1WoBYLiEjUWSgMXej4xbmN5sUCSxqnyaMaekcQXK + MsUODOaqLCo/c1mfpbZ/Pv5CLHah2R92idqShogaiB5tDqxq8MTk8VCR2bzGcg4f + CJHf4dvEBzTWIygUM/TH0AaLB277C9WvLHK1ANE2GolSls6hIN5YYiMmAJboImux + QYcwZIk5DUtk8CjMMdXoWXS3Nf5LyoV8TnqwGc8KyIK/l+PSLuOX6KqG5TArCCT5 + 
BTCbXqpk5IPGVNiflWZfZBSrGFQ/7L+mHYABBR8bj1cCHKOtYJqVCKNQOkApRsc9 + Z8UtGHedcArwZUNilFUNYMZjK0Iyrme3Fvjt7ztY//ZvgRgBzIfeUlMMYNCD0stT + OhjlclAkh7az5LPyhKW7FxEPhr+XsJCiAaaNpHntSwv/5yjPCDLoCbKF8pkZY7xW + oaYVJk2/BuNPG8wQAHl9N15XHN5bPK0JIqT8/aSwRx6rjI2JlBk8tOo5EpmdJrLa + xPJ7cS8KEpY+mlWO+GkmB3EomjbdgRtFqx4DEjbLYV/olN4+s2RLqK53WprNjqdv + fltEZvY8vWcg6UHc3DhAy9Oa6QnR8ifraPkpKlMUZyIiQFOWcrDs9XCpKx/ATmXO + +wpQHGZXq6b47Gfp/XA4HibA7YY9qDz2PDtu4PrKg00j6wWBujdc5+HTfBn05JvS + UQG2+OgjrHFdYKIK0+vMovt3WFzbrCAeIx9AU84dUMiUZMOtyHZvL+hU3ynVZYfu + Z/yvMM78Q1qEdcKWBtgEJORXQIwWTK3JyYRC0N4/3COViw== + =ULdx + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8zMZ+ak7y/zAQ//bSruuL/XKnFtewxG3weWTIUzLjW2d4b0WffSzRogs3BM + FE0vbb6atEQVImnr8CFl8r6R1jE3lz6VEVirCAHdycPFxHFnIuzbzc5WYVgTC00E + v5L3UKJSccjzWMONdL0XaXUDHWE78vfiMKwjNMrg/SmLElkjJUvBVz1y9lih/Fwp + V/CWV/S4/v5WoO53hldoQ3jCDWLLVoJHB5rBO140hpmrLOkwTvXQNW1pK0GwJb6r + dKqzUQzJgmdQcMswNDcmtHQV59HGk7/anaWGMD5FvVz6FQdXA2bBH6WD9OmqggUw + xN5sWON3yYEkWZ7L0fmLIoNmmsH6gMnPVIpCK40g2nyFCjiqRdxf2gn5iasq9fzJ + LAZkUHt6LSNikRPsm9p/SKl5EfIWSmQfUGWYMRqwkHi+a85NfkDPgbOae2gQhaGi + TjdKy3wS5SQ1KZU1+YV19JJx8RnzevcIHv/SV8C+z4UosEDBGuncda3S8VRDvyOe + hI/ZbASGBwWXni3UIGQfLiDp0nGZz3NAGKcmbWN4DHN7tj36Xc0NkLe9AuWs+2fq + rhnfYCLl8tn8gdBQ2/sMC2K8AwpRLdcoOhZPz9CCY3Qv4edxXeSMMotQwhB3jglh + GBNFEKd/XKHMfwZsfWITxHBhtX0yL6CEG8A+OHHrYzXcphAcy981T07ThfTkU/DS + UQGAruf+SPfBRKj+jHdIXHtrVlYFtI1SHLueZzAw8vMPI4vXbvbZq2qNdWk5uLIx + AJHARp7tFLZjeVM8O3fR13HM5Ho50cJLnkCBqqDLXFKtSw== + =ZSmW + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA45bZkLXmBFpAQf7BQARnoKk+Dl65Far++0lF3CvvOeiBttUCQoV8aNmMq2V + Sy1CfGGhg53xN6qeqh0GE5gXQU6Qio86KCxKZ6yh0i6wicv0G1Ld19omKGFrD6y+ + ne6ognWNVXzOxp6jzT6bzTxN4KkIrtKwuFb6796E1N0haVzCOjxQaTqUKig7Vy8P + 
0cCR1K/HiVVDs/XdK3QL47Ty4oSCAZDD/Vj9r40w/fKykTw5PBwRsBMCPL1ZxoeI + WEMhxxKdCpp5OprMHtsRkulPoArUkyFOKtsCvCRAnLtwoJaJTBb4I0RcTy+wjwEv + ONdpobMPntiXY9P8L/ovmYX+GlQKi3AEHflmPmLPFdJRAdzGII2ZnF77Z+e7WpJK + SXkWRdSRwJzatIs2TfnEYKAMevqEpzYTIu2Am0NxbTj7MgmfGw7oUc0n+oGh0gLE + Jd5EMV7E8k8nHqyCLoEa3q+3 + =poTN + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwMCBBrc/JA6AQ/9Hz/H90Ab0cQ0mBmFWdgc+zsPVhHXLlKaTszaMbrQ0Hlh + Db/1ap7tSQviLZMJFh1O9TjMfRrbCyGE8NRRr1jM2z1KxRSENHMywE+5wR+QlNE7 + s5v5tNOYyLA5rlkyAL7tezKLnsi4CD3hj27ZVU3igtJ4GXW51rHABiwMQ1FOfVeo + vGCQdXAxcFo4TucdIjMWo9hAV8ncVYokw5jq4ufHKjb1keBFq4Ob82dkc3DWwaq7 + sbUMPGzDkgqwVS2aFk2uoaBjceZeOjY1INNtxtSrmQvjrnJTjoKKRErU11OZ19Om + gal7gIUhHb3kJKLkXDZD0l2AD4NUeeFLI7SyVv7PmHD/dI58SQ3+ofsC+Cukvqeo + KI9Xyg6+pJCF8wer0tYD1uX4avF9TsdFwVjrrOW2iXvX7ePqP9+ZdwodPOmvB5g6 + ofxgbX5clek2LCUO/Q8hytx3W/6oBHfqZgoiLitfT+Ss0NoEusGnSDnGlgUAbEyJ + KEWEMiRcj8OARw4/jbJrrBjvbIJJaWmdtHBSsqV+3/yY4GqTw8pvUYp3feocLu1Z + FwIx/TcvyOmhZ6MFu3sz+xWntyvOnDZoXfnzTLWt7XM2pNHwyWmG62fhlhAIo7jR + ENu1Zet7lpj/eUUJAbcx2sWtoClSq8rYqX4PBR4rFnLJBqyPZlVGLzFzlw/kr57S + UQGZijKUYvlcDtFjUTiVmUtYagb94Fm4v20P1N1IgwdZp5l00MYY1GT0s7+4QR7Y + rRRPLRu4wCvPsYeSpT3xf0bx5tZF7YuzuU0bcr13NcJADw== + =44mD + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9XEenRNYVGHARAAjqd4Vk98BuS7EGmWe9asgpmuF1hBpi6EGbfIJHy/QdMu + Ug27yGxrhVoxP4mX0KcdL0GES6zpcqAuSjKuqnjRIQaBqRmLImvlwpRELQyzJCsj + fkhTe3nG14Ew1ukuAPA4LiOpydpefdHb0KiCR4GYggR+P9nPo4CIUVDXIkWdCJHF + 29b2febhwUZuxAQF0otzvFXd8VpFxP5aqiqjdVQ6wm9R0r/l5XyU8ZwtgN4TjcbO + DxvjS73i+CZhi2gPR4Q1pTOFunxQC/shyeOLHFpGnWZ/OkYO+93P9PHPIX9BSUz8 + PVrBPtLLXm8rnnklqViBTBt+AfwjzyhWTC9BGoKfJ3gmfA//oVJNraQJRXS3AtlY + awvIWtLDGSDwzR68cpdoG9DzIES5rJ3gN9u+b/IV6pwvu35E0X3CKA4FN66wdNag + 
VXA6RsJVM1+pCxeKHAyMwD26Udq77XJ1nAxvUaOn0+MGdXD3KKF+WQ+4wv4LW5vl + mRKMVuI884B8Qm349TZxUalEy6v7ioC6pJMj13Yn0eWx91z/Kzj8IP06nZ2y486B + b8aDmbQUNIF4g3s/LN4y7ENYRVtvL4yhL4JQfDCMeA7wn4Ne/XNIX6/mgcN70JI5 + ywS4udq+8NX6ZTDoiLNVwZwO3j2V61p1ISx5Q1vPrevCUHHRvUisFL/OzyYYDVXS + UQEfC+uXFz7eX15F0esLCcMfDZFWc73IWbGfLL+eXatw5R4Ii2nN+Q8eXLFolmg2 + DQu+qK0ovO5/9I3VmQM9Y9n0b9CFsfcBLFLA8pfNtj6DOg== + =vjG5 + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQgAki4625tAoV04bTPWkawsYck88PbAVctHuwWVi/YprVLy + VwXM4nMao+fg16UrRd1sc0Dh1TdPq3E+4oIf9gYJXH8GLcjkj5v3L8jWdaWhC+2G + M6IrXdn0kM5uXx3PTFQA6TYkfs/BdNsjTnspfr44EBvWG/OwLmTJo3QC6MDDHZk3 + JF4cMXXhHe1gRMF5DznexxCHfrod5NYYIzGpqCo8qBtBnY5QnTf7wXwtWnFeRtQk + fA/EDgM1Xghyqx7oDxQ7ubaCWPyNREhiB6vKvF8ZnUyWW4oQmx7gmttb+Gm/Pb/G + HB9GMixRzmlo4dVGlTF9llYCxcIrvxJNasFEXnuHsdJRAXBwOvBH4JsYgjIYlo0a + l+INJ9JBJqvSqbrAadmhmtg7v6fJVaWQiwamI/N50ifHAQcKNxH/OiInuh80Qvtf + 9utJNqgbFFnzPxx5028FriVd + =rqgj + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ/8Ca/FQ2eZdaIerMMiGL0wP8uClgzDqW6Xku4sdGI9nO4s + oBzmj3amCgp588PV5/TbyawVrfbMQFvr78GF2T3MQS1KOzFePITQPXceuPia6KzV + bFNpElCP80AlYZKWkPQ26Uz1gB+Dk75F+Ws5ttP+A4bgSBUpW7R3CQr4eIM9rN7G + TXgTWlbcYZK5IyVZkueOXN+vwT5N/C+rf3Ockv77Yhrasbc/OiRd3kPvwYINrBk5 + HRpaebK+/1Ku5SHIFhx/TGtyCcwS2ciPBCX1NYvcI+Kh1I2MlHKJqpgY6C0e6QHo + sByoi/cy6IIPXupuVMxs/dMzkaZJYMzM3te8D6aakO+yaR/xBlJgGZqzWVgrDZaR + 7ioncUPcSbR28cGoV4l2bYGu+Z4bQ0oAE8CSV4IYLJeInwRed45E9G5zyTU9//Zd + C4dxATU17FXeom15LSoZkFnRLbWWPi6q2SwwidG7+oK5FcMCyc4zarR65/i/02Tm + mEUc533y+t0pud9GgdQKrjNyQ654mrsPrXOYviTrBVzy3BU6dkbEjPEmfw253a0Z + SDV88+WOSVzwVK9K0EY9NR+sRYlQtBkoKDYrLgthCN+Ucl/tOBIKjwv5lnBUihG/ + ouTUDJEN5phT2tf8MDchNea31Cm6AT0ph6Iz/Pr0hqUNQOz6UmNgf1ZNH3RCehjS + 
UQGdPPcXxEG5JhmiltTOph024yMOkgmt+5xHyCZ6L1QaaYMjIV08Xq0I2YvJXUse + QlZRHAcOAsSI7mYd0jqFxOfj8ZrclTqn15peXweoEUzKIg== + =vX2f + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-11-30T00:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJAQ//RPrikrIQUJ6qVHdEQVtH9CKnNBDCk/ipP4CU1sdHFx7F + S4ssLv/sTDofJzo+LFB0QG3JRWEx1+IgtRF+6JCw0Mm7ed2STMPh6/emaX0MIcgS + x1t0LMsEmGa6Iuyjm24x5I8qdLpYtOjZd4r797GNeGEXUzRAUe9zbFEY45lSrzn+ + H/mbohDAK/xEuvY0w1qYW2NgTkUqjxgpK7fx9df5GpiEE9XPHsQindpPYh7BNcau + fIqN7d+A+nMw3DI8YcmC2yYnr/5UWBe2UweQuFWyBxyI6548kKbjKOJcAboo1YVL + MPyf+Z3eySNG32MyE8vq2/d32/Sh+Cwk/YG6o4mpjwdSTT65JDNZs2eu2alOXnsi + uvGDMTlKwvUP89ynB8tDQ8HdV9bxFT3/9yOFAYa+yU9AguvV13zl6ublpO1pPY1q + iJMDc51iyRsH9jv9ALHqQ+FIptQDX1yjoIobHx64zrBaiOKeqkdWgZGUfnldbOyw + in8Ooa1qgG70h0T+tearHB0BDTCQx7FvEgUN+6eAdGLncoV9a2bGbtb2IBzm7pA3 + YHV4Ab308WyO/8MkSwd9uGqlsxE772TN5XYLuWo+7KgcSCGght6vnlLWIDhbQ+YR + /ZLMik2Gbsl5bV6cpkbzI9VBEx8vHulpQazkHSAfsxr6/aiqmz0TJM8I0oe+d7TS + UQHZoPhsqIYDwOqNDi8erCeeQzkDxSVPlBICv8+YGXd5qSAAte7Fbo/uQvn4fGdg + 9YAyhaZ/XAWnb3rL3VpKlzGXq6LAaog9OyQ+e+bnP/7x8A== + =76ZY + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3 From 224ddc2631cf417c38aa3e104daf653b362c3c99 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 17:43:25 +0100 Subject: [PATCH 135/247] mastodon: tune --- hosts/mastodon/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 82ed81d7..cbf7afe5 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -34,6 +34,10 @@ "${config.networking.hostName}.serv.zentralwerk.org" ]; DEFAULT_LOCALE = "de"; + TRUSTED_PROXY_IP = with zentralwerk.lib.config.site.net.serv; + hosts4.public-access-proxy; + WEB_CONCURRENCY = toString config.deployment.vcpu; + # MAX_THREADS = toString 5; LDAP_ENABLED = "true"; LDAP_METHOD = "simple_tls"; 
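Review bot: `TRUSTED_PROXY_IP` names only `hosts4.public-access-proxy`; if the proxy also reaches this host over IPv6 (the file already addresses `auth` via `hosts6.up4`) and that address is outside Rails' default trusted ranges, requests arriving that way are not trusted, `X-Forwarded-For` is ignored, and rate limiting and sign-in logs attribute everything to the proxy's address. Mastodon accepts a comma-separated list, so the IPv6 address can sit alongside, e.g. `TRUSTED_PROXY_IP = with zentralwerk.lib.config.site.net.serv; lib.concatStringsSep "," [ hosts4.public-access-proxy hosts6.up4.public-access-proxy ];`, provided the zentralwerk config exposes that attribute. The `# MAX_THREADS = toString 5;` line is dead configuration — enable it or drop it, and `toString 5` can simply be `"5"`.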
From bf2933f57418afda5c9e6ccce8608f524c938aa4 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 17:44:34 +0100 Subject: [PATCH 136/247] mastodon: add elasticsearch --- hosts/mastodon/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index cbf7afe5..5b8c2b5a 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -14,8 +14,14 @@ }; c3d2.hq.statistics.enable = true; system.stateVersion = "22.11"; - + nixpkgs.config.allowUnfreePredicate = pkg: + lib.getName pkg == "elasticsearch"; + services.postgresql.enable = true; + services.elasticsearch = { + enable = true; + package = pkgs.elasticsearch7; + }; services.mastodon = { enable = true; localDomain = "c3d2.social"; @@ -28,6 +34,7 @@ # echo "${secrets.email.smtp-password}" > $out # ''}"; + elasticsearch.host = "127.0.0.1"; extraConfig = { ALTERNATE_DOMAINS = lib.concatStringsSep "," [ From b421de33dd7f0ae5fd8de8f2ebc0779989b08991 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 18:13:08 +0100 Subject: [PATCH 137/247] public-access-proxy: add c3d2.social --- hosts/public-access-proxy/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix index 5d347584..e2d7a8b7 100644 --- a/hosts/public-access-proxy/default.nix +++ b/hosts/public-access-proxy/default.nix @@ -136,6 +136,9 @@ } { hostNames = [ "owncast.c3d2.de" ]; proxyTo.host = config.c3d2.hosts.owncast.ip4; + } { + hostNames = [ "c3d2.social" ]; + proxyTo.host = config.c3d2.hosts.mastodon.ip4; } ]; }; From 877d9f04c743fd00c45e05fbb661da9f22b7a7a3 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 20:42:23 +0100 Subject: [PATCH 138/247] mastodon: bump mem from 4G to 8G --- hosts/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
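Review bot: The new `services.elasticsearch` block runs Elasticsearch 7 with no authentication, so its only protection is the NixOS module's default listen address of 127.0.0.1 plus the firewall, which opens only 80 and 443 — nothing in the hunk pins the first of these down. State the dependency explicitly next to `package = pkgs.elasticsearch7;`, e.g. `listenAddress = "127.0.0.1"; # no auth configured: must stay on loopback`, so a later "expose it for debugging" change cannot pass review unnoticed. `elasticsearch.host = "127.0.0.1"` in the second hunk matches that expectation, and the `allowUnfreePredicate` is scoped to the single package, which is fine.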
diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix
index 5b8c2b5a..a1c8ee97 100644
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@@ -1,7 +1,7 @@
 { zentralwerk, config, lib, pkgs, ... }:
 {
 deployment = {
- mem = 4096;
+ mem = 8192;
 vcpu = 8;
 };
 networking = {
From 6ce8454fd9d89866dd542fa5edbe6cf9b299404f Mon Sep 17 00:00:00 2001
From: Astro Date: Wed, 30 Nov 2022 21:00:36 +0100 Subject: [PATCH 139/247] README: doc skyflake deployment
---
 README.md | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
diff --git a/README.md b/README.md
index 9dcad625..a28bc424 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,86 @@ systemd-managed MicroVMs live, or move the state to nix run .#nomad-$NAME ``` +# Cluster deployment with Skyflake + +## About + +Skyflake provides Hyperconverged Infrastructure to run NixOS MicroVMs +on a cluster. Our setup unifies networking with one bridge per +VLAN. Persistent storage is replicated with Glusterfs. + +Recognize MicroVMs for Skyflake by modules containing +`self.nixosModules.cluster-options`. + +## Deploying + +Push our repo to any machine on the cluster, preferably to Hydra +because it just builds stuff and probably has most packages already in +store. + +You don't deploy all MicroVMs at once. Instead, Skyflake allows you to +select NixOS systems by the branches you push to. + +**Example:** deploy hosts `mucbot` and `sdrweb` + +```bash +git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb +``` + +## Debugging + +### Glusterfs + +```bash +gluster volume info +gluster volume status +``` + +#### Restart glusterd + +```bash +systemctl restart glusterd +``` + +#### Remount volumes + +```bash +systemctl restart /glusterfs/fast +systemctl restart /glusterfs/big +``` + +### Nomad + +#### Check the cluster state + +```shell +nomad server members +``` + +#### Browse in the terminal + +Use `wander` and `damon` + +#### Browse with a browser + +First, tunnel TCP port `:4646` from a cluster server: + +```bash +ssh -L 4646:localhost:4646 root@server10.cluster.zentralwerk.org +``` + +Then, visit https://localhost:4646 for for full klickibunti. + +#### Reset the Nomad state on a node + +After upgrades, Nomad servers may fail rejoining the cluster. Do: + +```shell +systemctl stop nomad +rm -rf /var/lib/nomad/server/raft/ +systemctl start nomad +``` + # Secrets management ## Secrets managment with PGP From fcda09f7c4978492215e6c59f85395010302c7c6 Mon Sep 17 00:00:00 2001 
From: Astro Date: Wed, 30 Nov 2022 21:10:13 +0100 Subject: [PATCH 140/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=15e1e9fb1c55ec5fb62f4c7e61bf63aee5c35eeb' (2022-11-29) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=db0f8817002137d57c811cc2e59b011d6cc97124' (2022-11-30) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 4a3d1ffd..a94603ab 100644 --- a/flake.lock +++ b/flake.lock @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1669764095, - "narHash": "sha256-Ts6aOIk7EXymlKskOwNUOsoTS5ImDYBIG6+zUd+6e14=", + "lastModified": 1669838903, + "narHash": "sha256-zvzK1yC7ziQyZN7ZEb8CtuXKhag/nBBuU99oYVF80Ig=", "ref": "refs/heads/master", - "rev": "15e1e9fb1c55ec5fb62f4c7e61bf63aee5c35eeb", - "revCount": 1675, + "rev": "db0f8817002137d57c811cc2e59b011d6cc97124", + "revCount": 1677, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From 72d537b742a733841c1dd47f975fb0968e3b856f Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 21:15:23 +0100 Subject: [PATCH 141/247] mastodon: move from serv to flpk --- hosts/mastodon/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index a1c8ee97..e9da0f40 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -38,11 +38,9 @@ extraConfig = { ALTERNATE_DOMAINS = lib.concatStringsSep "," [ - "${config.networking.hostName}.serv.zentralwerk.org" + "${config.networking.hostName}.flpk.zentralwerk.org" ]; DEFAULT_LOCALE = "de"; - TRUSTED_PROXY_IP = with zentralwerk.lib.config.site.net.serv; - hosts4.public-access-proxy; WEB_CONCURRENCY = toString config.deployment.vcpu; # MAX_THREADS = toString 5; 
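Review bot: Dropping `TRUSTED_PROXY_IP` is not explained by "move from serv to flpk"; if public-access-proxy still fronts `c3d2.social` (as the earlier proxy commit set up), Mastodon now honours `X-Forwarded-For` only when the proxy's address falls inside Rails' default trusted ranges (loopback and private/ULA space), otherwise rate limits and sign-in logs see the proxy instead of the client. Either restore the setting with the address the proxy uses towards the flpk net, or record the decision, e.g. `# TRUSTED_PROXY_IP not needed: public-access-proxy connects from a private range trusted by Rails by default`. The `ALTERNATE_DOMAINS` rename is the straightforward part of the move.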
From 14d285536630c5fd7a23334e85e1fd2a0fe529e6 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 22:07:45 +0100 Subject: [PATCH 142/247] mastodon: more cpu --- hosts/mastodon/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index e9da0f40..2f3a04fa 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -2,7 +2,8 @@ { deployment = { mem = 8192; - vcpu = 8; + vcpu = 16; + needForSpeed = true; }; networking = { hostName = "mastodon"; From 263068fc32f5cbd3bbddd450974a51ee85a9ec2f Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 30 Nov 2022 22:07:56 +0100 Subject: [PATCH 143/247] mastodon: add collectd monitoring of sidekiq and postgresql --- hosts/mastodon/default.nix | 107 +++++++++++++++++++++++++++++++++---- 1 file changed, 98 insertions(+), 9 deletions(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 2f3a04fa..420d42da 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -13,12 +13,19 @@ }; firewall.allowedTCPPorts = [ 80 443 ]; }; - c3d2.hq.statistics.enable = true; system.stateVersion = "22.11"; nixpkgs.config.allowUnfreePredicate = pkg: lib.getName pkg == "elasticsearch"; - services.postgresql.enable = true; + services.postgresql = { + enable = true; + ensureUsers = [ { + name = "collectd"; + ensurePermissions = { + "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES"; + }; + } ]; + }; services.elasticsearch = { enable = true; package = pkgs.elasticsearch7; 
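Review bot: In the `services.postgresql` hunk the `collectd` role is granted `ALL PRIVILEGES` on the mastodon database, but the collectd queries added later in this commit (`backends`, `transactions`, `queries`, `disk_io`, `disk_usage`) should only read the `pg_stat_*`/`pg_statio_*` views, which any role that can connect may do. Database-level `ALL PRIVILEGES` additionally hands out `CREATE` and `TEMPORARY`, so the monitoring account could create schemas or temp tables inside the application database; `"DATABASE \"${config.services.mastodon.database.name}\"" = "CONNECT";` is sufficient and keeps the account at least privilege. The `vcpu`/`needForSpeed` hunk of the preceding commit is a plain resource bump.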
@@ -27,13 +34,14 @@ enable = true; localDomain = "c3d2.social"; - smtp.host = "c3d2.social"; - smtp.fromAddress = "mail@c3d2.social"; - # smtp.authenticate = true; - # smtp.user = secrets.email.smtp-user; - # smtp.passwordFile = "${pkgs.runCommand "smtp-password" {} '' - # echo "${secrets.email.smtp-password}" > $out - # ''}"; + smtp = { + # TODO + host = "c3d2.social"; + fromAddress = "mail@c3d2.social"; + authenticate = false; + # user + # passwordFile + }; elasticsearch.host = "127.0.0.1"; @@ -57,6 +65,7 @@ configureNginx = true; }; + # Inject LDAP secrets systemd.services.mastodon-init-dirs.script = lib.mkAfter '' cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env ''; 
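Review bot: The new `# Inject LDAP secrets` comment in the `@@ -57,6 +65,7 @@` hunk could carry the two facts a reader needs about the line it labels: that the `>>` append is only idempotent if the upstream mastodon-init-dirs script recreates `.secrets_env` on every run (otherwise each restart adds another copy of the sops file and a rotated bind password lingers beside its replacement), and that the resulting file contains the LDAP bind credential and must keep mastodon-only permissions. Suggested wording: `# Inject LDAP secrets (bind password) into .secrets_env; relies on upstream rewriting the file first`. I could not verify the upstream script's behaviour from this hunk, so that dependency should be confirmed before the comment asserts it.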
@@ -65,4 +74,84 @@ sops.secrets."mastodon/env" = { owner = "mastodon"; }; + + # Sidekiq monitoring + c3d2.hq.statistics.enable = true; + services.collectd.plugins = { + redis = + let + queries = [ { + command = "GET stat:processed"; + type = "counter"; + instance = "sidekiq_stat_processed"; + } { + command = "GET stat:failed"; + type = "counter"; + instance = "sidekiq_stat_failed"; + } { + command = "LLEN queue:#default"; + type = "queue_length"; + instance = "sidekiq_default_queue_len"; + } { + command = "LLEN queue:#ingress"; + type = "queue_length"; + instance = "sidekiq_ingress_queue_len"; + } { + command = "LLEN queue:#mailers"; + type = "queue_length"; + instance = "sidekiq_mailers_queue_len"; + } { + command = "LLEN queue:#pull"; + type = "queue_length"; + instance = "sidekiq_pull_queue_len"; + } { + command = "LLEN queue:#push"; + type = "queue_length"; + instance = "sidekiq_push_queue_len"; + } { + command = "LLEN queue:#scheduler"; + type = "queue_length"; + instance = "sidekiq_scheduler_queue_len"; + } { + command = "ZCARD schedule"; + type = "count"; + instance = "sidekiq_scheduled"; + } { + command = "ZCARD retry"; + type = "count"; + instance = "sidekiq_retries"; + } { + command = "ZCARD dead"; + type = "count"; + instance = "sidekiq_dead"; + } { + command = "SCARD processes"; + type = "backends"; + instance = "sidekiq_processes"; + } ]; + in '' + + Host "${config.services.mastodon.redis.host}" + Port "${toString config.services.mastodon.redis.port}" + Timeout 3000 + + ${lib.concatMapStrings ({ command, type, instance }: '' + + Type "${type}" + Instance "${instance}" + + '') queries} + + ''; + postgresql = '' + + Param database "${config.services.mastodon.database.name}" + Query backends + Query transactions + Query queries + Query disk_io + Query disk_usage + + ''; + }; } From 0c3cdd016f85f5e1ada253943f6eb249d5a55040 Mon Sep 17 00:00:00 2001 
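Review bot: The `LLEN queue:#default` command in the new collectd redis block (and the other `queue:#…` entries) looks off: Sidekiq keeps its queues under `queue:<name>`, so unless the `#` is a collectd-side escape I am not aware of, these LLEN calls address non-existent keys and will permanently report 0, hiding exactly the ingress/push backlog the dashboard is meant to show. One `LLEN queue:default` against the mastodon Redis settles it; if that returns the real length, drop the `#`. The node also connects with Host/Port but no password, which is fine for a loopback Redis, but a comment such as `# no auth: mastodon's redis is bound to loopback` would make sure a later move of Redis to another host is caught in review.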
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Wed, 30 Nov 2022 22:49:44 +0100 Subject: [PATCH 144/247] Switch to nixpkgs stable fork for cherry-picked fixes --- flake.lock | 46 +++++++++++++++++++++++----------------------- flake.nix | 3 ++- 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index a94603ab..94428017 100644 --- a/flake.lock +++ b/flake.lock @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1669703151, - "narHash": "sha256-I6EcDjBIyFv3H7uhsq7agt9eJGUzCRKsRwXexrKBxNc=", + "lastModified": 1669789565, + "narHash": "sha256-9fBxYzp0cnkHygZOY5HTM7QMYr1WsC062Yc8glQNIgM=", "owner": "nix-community", "repo": "fenix", - "rev": "723bf93513f1331961c5251817214e64d306b24a", + "rev": "bba229a06ca03938a1abd4ce6361bf9bf4f651cd", "type": "github" }, "original": { @@ -349,15 +349,15 @@ }, "nixos": { "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", - "owner": "nixos", + "lastModified": 1669842486, + "narHash": "sha256-ogRw+3pxB+I/FwTppNolpdgwJGrU7xsgqTfFUjuys8o=", + "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "rev": "07e0bf5ccddcabe20d2b3bd89aaace918a4a6402", "type": "github" }, "original": { - "owner": "nixos", + "owner": "SuperSandro2000", "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1669668296, - "narHash": "sha256-/i1UWcpqW1f/Ulj0ZHb38uEbz+3e7XuamQhNoHYAQ48=", + "lastModified": 1669840858, + "narHash": "sha256-ptLvigZ91boFMYhSOXKFsycrjSiIQ1ZmjiYC1iZ3US0=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "e3b0754ab36871291da773355932c58ac81b3952", + "rev": "e3e2f451ce6255dce904427c83b11ef2a6eba755", "type": "github" }, "original": { 
@@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1669551522, - "narHash": "sha256-ScH3I2/5+tCN23U8mUUj/HoZXDF11fo1z93X9imAfOo=", + "lastModified": 1669747020, + "narHash": "sha256-kNfchCXcI4jcwBdU57f4ifdgPAvLKLJIHKUCiZVv+v0=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "6d61be8e65ac0fd45eaf178e1f7a1ec6b582de1f", + "rev": "398a71affb05aeeea1991044ec9ca1229e68f0f3", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1669689198, - "narHash": "sha256-YsWu3C9IGbH3+xguTzEDyQorFe/igr6FGZ+Q5T2ocxE=", + "lastModified": 1669775522, + "narHash": "sha256-6xxGArBqssX38DdHpDoPcPvB/e79uXyQBwpBcaO/BwY=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "4e093ce661a63aca4bcbace33695225eae4ef4e4", + "rev": "3158e47f6b85a288d12948aeb9a048e0ed4434d6", "type": "github" }, "original": { @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1669412899, - "narHash": "sha256-UlYIzmjAHZ6LdjD/SFXJLHCBPCJ+y8oC94Rhl9pZtR0=", + "lastModified": 1669843159, + "narHash": "sha256-FVW/rRnuWahLhmBVO9svpVsK2yPYNc5hh2e9BoMCZHk=", "owner": "astro", "repo": "skyflake", - "rev": "162a95bbe72c91f2a43ea40773761464e2c659cc", + "rev": "54853b3efeaf57ab08cee76680fe0e2d5c144fe7", "type": "github" }, "original": { @@ -668,11 +668,11 @@ ] }, "locked": { - "lastModified": 1669520266, - "narHash": "sha256-NY0lyWC5djlvAiAhGb9xvT0bknBVLh/egvd3TqmJasc=", + "lastModified": 1669714206, + "narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a01f386f34a854fe4f8754e62a6837748bc84a8a", + "rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5d91b64b..ad170611 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,7 +2,8 @@ description = "C3D2 NixOS configurations"; inputs = { - nixos.url = "github:nixos/nixpkgs/nixos-22.11"; + # use sandro's fork full with cherry-picked fixes + nixos.url = "github:SuperSandro2000/nixpkgs/nixos-22.11"; nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon"; nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:nixos/nixos-hardware"; From 202942d9d0b44711111f4a82aa1bf82d567a80f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Wed, 30 Nov 2022 23:28:09 +0100 Subject: [PATCH 145/247] Add social.c3d2.de for frontend --- hosts/mastodon/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 420d42da..1a49de01 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -48,6 +48,7 @@ extraConfig = { ALTERNATE_DOMAINS = lib.concatStringsSep "," [ "${config.networking.hostName}.flpk.zentralwerk.org" + "social.c3d2.de" ]; DEFAULT_LOCALE = "de"; WEB_CONCURRENCY = toString config.deployment.vcpu; From 83b37db967a8e6108ea0ced11b27f3e9c09defe8 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 1 Dec 2022 21:33:09 +0100 Subject: [PATCH 146/247] mastodon: attempt smtp configuration --- hosts/mastodon/default.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 1a49de01..9d78768d 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -35,12 +35,10 @@ localDomain = "c3d2.social"; smtp = { - # TODO - host = "c3d2.social"; + host = "mail.c3d2.de"; + port = 587; fromAddress = "mail@c3d2.social"; authenticate = false; - # user - # passwordFile }; elasticsearch.host = "127.0.0.1"; From 3e6c35086c559927ac27f5be8eccaaca5a650d90 Mon Sep 17 00:00:00 2001 
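Review bot: The `nixos.url` change in flake.nix points the whole fleet's base nixpkgs at a personal fork branch (`SuperSandro2000/nixpkgs/nixos-22.11`), and the comment next to it does not say which cherry-picks justify that. flake.lock pins a rev and narHash, so today's build is reproducible, but every future `flake update` will pull whatever that account pushes to the branch, with no upstream review in between — a larger trust surface than nixos/nixpkgs. Suggest listing the carried patches and an exit condition in the comment, e.g. `# use sandro's fork of nixos-22.11 for cherry-picked fixes: <PR/commit list>; switch back to github:nixos/nixpkgs/nixos-22.11 once merged`.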
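Review bot: The smtp block in the `@@ -35,12 +35,10 @@` hunk of hosts/mastodon/default.nix now submits to `mail.c3d2.de` on 587 with `authenticate = false`, so delivery depends entirely on that relay accepting unauthenticated submission from this host (presumably an address-based allow-list on the mail server, not visible here), and nothing in the block says whether STARTTLS is expected on that port. A comment would keep the intent from getting lost when either side changes, e.g. `# unauthenticated submission: mail.c3d2.de relays for this host; STARTTLS expected on 587`, adjusted to what the relay actually enforces. If the relay does not require TLS, sign-up and password-reset mails travel in the clear between the two hosts.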
From: Astro Date: Thu, 1 Dec 2022 22:16:19 +0100 Subject: [PATCH 147/247] mastodon: install chaos.social theme --- hosts/mastodon/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 9d78768d..a394cafa 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -34,6 +34,22 @@ enable = true; localDomain = "c3d2.social"; + package = pkgs.mastodon.overrideAttrs (oa: { + # install chaos.social theme for eri + postPatch = + let + chaos_social_custom = pkgs.fetchzip { + url = "https://github.com/chaossocial/custom/archive/dadb72e258e56a4773d58d242d9fd1048d9560c7.zip"; + sha256 = "sha256-0yfor0cpPGUZbZHP7RXs5Ls6uNzcXi8Zb3AMaNqPz5s="; + }; + in '' + for F in {custom,custom_wide,mastodon-light}.scss ; do + cp ${chaos_social_custom}/themes/$F app/javascript/styles/ + done + echo "chaos-social-wide: styles/custom_wide.scss" >> config/themes.yml + ''; + }); + smtp = { host = "mail.c3d2.de"; port = 587; From 486c2a37201d34677619614e38a9bf11b1b0fd6e Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 1 Dec 2022 22:28:22 +0100 Subject: [PATCH 148/247] mastodon: also copy chaos.social's mascot.scss --- hosts/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index a394cafa..15108596 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -43,7 +43,7 @@ sha256 = "sha256-0yfor0cpPGUZbZHP7RXs5Ls6uNzcXi8Zb3AMaNqPz5s="; }; in '' - for F in {custom,custom_wide,mastodon-light}.scss ; do + for F in {custom,custom_wide,mascot,mastodon-light}.scss ; do cp ${chaos_social_custom}/themes/$F app/javascript/styles/ done echo "chaos-social-wide: styles/custom_wide.scss" >> config/themes.yml From 308dd5bd2250b06c345be3fc243798cb2ed7010a Mon Sep 17 00:00:00 2001 
From: Astro Date: Thu, 1 Dec 2022 22:35:47 +0100 Subject: [PATCH 149/247] mastodon: remove packs to regenerate shit --- hosts/mastodon/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 15108596..2f2eabfb 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -47,6 +47,8 @@ cp ${chaos_social_custom}/themes/$F app/javascript/styles/ done echo "chaos-social-wide: styles/custom_wide.scss" >> config/themes.yml + + rm -fr public/packs tmp/ ''; }); From 67a8de43f13562561bdbf5e81437be013a7b92b2 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 1 Dec 2022 22:39:21 +0100 Subject: [PATCH 150/247] mastodon: revert broken custom theme --- hosts/mastodon/default.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 2f2eabfb..9d78768d 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -34,24 +34,6 @@ enable = true; localDomain = "c3d2.social"; - package = pkgs.mastodon.overrideAttrs (oa: { - # install chaos.social theme for eri - postPatch = - let - chaos_social_custom = pkgs.fetchzip { - url = "https://github.com/chaossocial/custom/archive/dadb72e258e56a4773d58d242d9fd1048d9560c7.zip"; - sha256 = "sha256-0yfor0cpPGUZbZHP7RXs5Ls6uNzcXi8Zb3AMaNqPz5s="; - }; - in '' - for F in {custom,custom_wide,mascot,mastodon-light}.scss ; do - cp ${chaos_social_custom}/themes/$F app/javascript/styles/ - done - echo "chaos-social-wide: styles/custom_wide.scss" >> config/themes.yml - - rm -fr public/packs tmp/ - ''; - }); - smtp = { host = "mail.c3d2.de"; port = 587; From 759df9e9277bf039976828deeb2513f08a3135d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 2 Dec 2022 00:33:14 +0100 Subject: [PATCH 151/247] Add certificate social.c3d2.de --- hosts/mastodon/default.nix | 97 +++++++++++++++++++++----------------- 1 file changed, 54 insertions(+), 43 deletions(-) 
diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 9d78768d..9557b126 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -5,6 +5,7 @@ vcpu = 16; needForSpeed = true; }; + networking = { hostName = "mastodon"; hosts = with zentralwerk.lib.config.site.net.serv; { 
@@ -13,65 +14,75 @@ }; firewall.allowedTCPPorts = [ 80 443 ]; }; + system.stateVersion = "22.11"; nixpkgs.config.allowUnfreePredicate = pkg: lib.getName pkg == "elasticsearch"; - services.postgresql = { - enable = true; - ensureUsers = [ { - name = "collectd"; - ensurePermissions = { - "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES"; + services = { + elasticsearch = { + enable = true; + package = pkgs.elasticsearch7; + }; + + mastodon = { + enable = true; + localDomain = "c3d2.social"; + + smtp = { + host = "mail.c3d2.de"; + port = 587; + fromAddress = "mail@c3d2.social"; + authenticate = false; }; - } ]; - }; - services.elasticsearch = { - enable = true; - package = pkgs.elasticsearch7; - }; - services.mastodon = { - enable = true; - localDomain = "c3d2.social"; - smtp = { - host = "mail.c3d2.de"; - port = 587; - fromAddress = "mail@c3d2.social"; - authenticate = false; + elasticsearch.host = "127.0.0.1"; + + extraConfig = { + ALTERNATE_DOMAINS = lib.concatStringsSep "," config.security.acme.certs."c3d2.social".extraDomainNames; + DEFAULT_LOCALE = "de"; + WEB_CONCURRENCY = toString config.deployment.vcpu; + # MAX_THREADS = toString 5; + + LDAP_ENABLED = "true"; + LDAP_METHOD = "simple_tls"; + LDAP_HOST = "auth.c3d2.de"; + LDAP_PORT = "636"; + LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de"; + LDAP_BASE = "ou=users,dc=c3d2,dc=de"; + LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))"; + LDAP_UID = "uid"; + }; + + configureNginx = true; }; - elasticsearch.host = "127.0.0.1"; + nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases = [ + "${config.networking.hostName}.flpk.zentralwerk.org" + "social.c3d2.de" + ]; - extraConfig = { - ALTERNATE_DOMAINS = lib.concatStringsSep "," [ - "${config.networking.hostName}.flpk.zentralwerk.org" - "social.c3d2.de" - ]; - DEFAULT_LOCALE = "de"; - WEB_CONCURRENCY = toString config.deployment.vcpu; - # MAX_THREADS = toString 5; - - LDAP_ENABLED = 
"true"; - LDAP_METHOD = "simple_tls"; - LDAP_HOST = "auth.c3d2.de"; - LDAP_PORT = "636"; - LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de"; - LDAP_BASE = "ou=users,dc=c3d2,dc=de"; - LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))"; - LDAP_UID = "uid"; + postgresql = { + enable = true; + ensureUsers = [ { + name = "collectd"; + ensurePermissions = { + "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES"; + }; + } ]; }; - - configureNginx = true; }; + # Inject LDAP secrets systemd.services.mastodon-init-dirs.script = lib.mkAfter '' cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env ''; - sops.defaultSopsFile = ./secrets.yaml; - sops.secrets."mastodon/env" = { - owner = "mastodon"; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets."mastodon/env" = { + owner = "mastodon"; + }; }; # Sidekiq monitoring From 9873b56a29474d3dd6057e9415775bcbf0d14484 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 2 Dec 2022 01:00:45 +0100 Subject: [PATCH 152/247] Fix ALTERNATE_DOMAINS --- hosts/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 9557b126..3b3e0be5 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -39,7 +39,7 @@ elasticsearch.host = "127.0.0.1"; extraConfig = { - ALTERNATE_DOMAINS = lib.concatStringsSep "," config.security.acme.certs."c3d2.social".extraDomainNames; + ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases; DEFAULT_LOCALE = "de"; WEB_CONCURRENCY = toString config.deployment.vcpu; # MAX_THREADS = toString 5; From 2621bd671ffdfc93b54321777d15fdb35bd079ff Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 2 Dec 2022 02:11:16 +0100 Subject: [PATCH 153/247] web: add mastodon webfinger --- hosts/c3d2-web/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/c3d2-web/default.nix b/hosts/c3d2-web/default.nix index 61cdbb54..ae29141b 100644 --- a/hosts/c3d2-web/default.nix +++ b/hosts/c3d2-web/default.nix @@ -48,6 +48,9 @@ in index portal.html index.html; ''; locations = { + # Mastodon + "/.well-known/webfinger".return = "301 https://c3d2.social$request_uri"; + # SpaceAPI "/status.png".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/status.png"; "/spaceapi.json".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/spaceapi.json"; From 70377149b2642d147537ce3e63cec9385d19e00d Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 3 Dec 2022 01:10:15 +0100 Subject: [PATCH 154/247] README: more skyflake --- README.md | 55 +++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index a28bc424..7d4d623d 100644 --- a/README.md +++ b/README.md 
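Review bot: The new `"/.well-known/webfinger".return = "301 https://c3d2.social$request_uri";` in hosts/c3d2-web/default.nix forwards the query string correctly, but `c3d2.de` itself is not among the domains the mastodon host lists as ALTERNATE_DOMAINS (patch 152 derives them from `serverAliases`, which names only the flpk host and social.c3d2.de); if Mastodon validates the `resource` domain against LOCAL_DOMAIN and ALTERNATE_DOMAINS as I believe it does, an `acct:user@c3d2.de` lookup will still be rejected after the redirect. Either add `"c3d2.de"` to that alias list or note next to the redirect which account form it is meant to resolve. A permanent 301 is also cached by clients, so keep the target stable.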
@@ -139,30 +139,29 @@ so the following is all that is needed on a MicroVM-hosting server: microvm -Ru $hostname ``` -## High Availability Deployment on Nomad - -First, stop and delete `/var/lib/microvm/$NAME` where the -systemd-managed MicroVMs live, or move the state to -`/glusterfs/fast/microvms/$NAME`. - -```sh -nix run .#nomad-$NAME -``` - # Cluster deployment with Skyflake ## About -Skyflake provides Hyperconverged Infrastructure to run NixOS MicroVMs -on a cluster. Our setup unifies networking with one bridge per -VLAN. Persistent storage is replicated with Glusterfs. +[Skyflake](https://github.com/astro/skyflake) provides Hyperconverged +Infrastructure to run NixOS MicroVMs on a cluster. Our setup unifies +networking with one bridge per VLAN. Persistent storage is replicated +with Glusterfs. Recognize MicroVMs for Skyflake by modules containing `self.nixosModules.cluster-options`. -## Deploying +## User interface -Push our repo to any machine on the cluster, preferably to Hydra +We use the less-privileged `c3d2@` user for deployment. This flake's +name on the cluster is `config`. Other flakes can coexist in the same +user so that we can run separately developed projects like +*dump-dvb*. *leon* and potentially other users can deploy Flakes and +MicroVMs without name clashes. + +### Deploying + +Push our repo to any machine in the cluster, preferably to Hydra because it just builds stuff and probably has most packages already in store. @@ -175,10 +174,23 @@ select NixOS systems by the branches you push to. git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb ``` -## Debugging +### Updating + +**TODO:** how would you like it? + +### MicroVM status + +```bash +ssh c3d2@hydra.serv.zentralwerk.org status +``` + +## Debugging for cluster admins ### Glusterfs +Glusterfs holds our MicroVMs' state. They *must always be mounted* or +brains are split. + ```bash gluster volume info gluster volume status 
@@ -205,9 +217,15 @@ systemctl restart /glusterfs/big nomad server members ``` +Nomad *servers* **coordinate** the cluster. + +Nomad *clients* **run** the tasks. + #### Browse in the terminal -Use `wander` and `damon` +[wander](https://github.com/robinovitch61/wander) and +[damon](https://github.com/hashicorp/damon) are nice TUIs that are +preinstalled on our cluster nodes. #### Browse with a browser @@ -221,7 +239,8 @@ Then, visit https://localhost:4646 for for full klickibunti. #### Reset the Nomad state on a node -After upgrades, Nomad servers may fail rejoining the cluster. Do: +After upgrades, Nomad servers may fail rejoining the cluster. Do this +to make a *Nomad server* behave like a newborn: ```shell systemctl stop nomad From 5d7005342e397b5c3eed6bc5d7d6c67a8c598cff Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 3 Dec 2022 04:10:31 +0100 Subject: [PATCH 155/247] README: more skyflake --- README.md | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 7d4d623d..26aeaf38 100644 --- a/README.md +++ b/README.md @@ -148,8 +148,8 @@ Infrastructure to run NixOS MicroVMs on a cluster. Our setup unifies networking with one bridge per VLAN. Persistent storage is replicated with Glusterfs. -Recognize MicroVMs for Skyflake by modules containing -`self.nixosModules.cluster-options`. +Recognize nixosConfiguration for our Skyflake deployment by the +`self.nixosModules.cluster-options` module being included. ## User interface 
@@ -161,19 +161,29 @@ MicroVMs without name clashes. ### Deploying -Push our repo to any machine in the cluster, preferably to Hydra -because it just builds stuff and probably has most packages already in -store. +**git push** this repo to any machine in the cluster, preferably to +Hydra because there building won't disturb any services. You don't deploy all MicroVMs at once. Instead, Skyflake allows you to -select NixOS systems by the branches you push to. +select NixOS systems by the branches you push to. **You must commit +before you push!** -**Example:** deploy hosts `mucbot` and `sdrweb` +**Example:** deploy nixosConfigurations `mucbot` and `sdrweb` (`HEAD` is your +current commit) ```bash git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb ``` +This will: +1. Build the configuration on Hydra, refusing the branch update on + broken builds (through a git hook) +2. Copy the MicroVM package and its dependencies to the binary cache + that is accessible to all nodes with Glusterfs +3. Submit one job per MicroVM into the Nomad cluster + +*Deleting* a nixosConfiguration's branch will **stop** the MicroVM in Nomad. + ### Updating **TODO:** how would you like it? From f664a189fda2e797766251e878ddcd1d3d25f585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 04:14:16 +0100 Subject: [PATCH 156/247] Cleanup overlays, remove 22.11 todos --- overlay/default.nix | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/overlay/default.nix b/overlay/default.nix index f54f855a..25a2afb6 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -10,7 +10,7 @@ let pkgs-unstable = nixos-unstable.legacyPackages.${prev.system}; in with final; { - allcolors = with final; rustPlatform.buildRustPackage rec { + allcolors = rustPlatform.buildRustPackage rec { pname = "allcolors"; version = "0.1.0"; src = fetchFromGitHub { 
@@ -41,10 +41,6 @@ with final; { }) ]; }; - # HACK: referenced by sdrweb - # TODO: remove with 22.11 - alsaUtils = final.alsa-utils; - inherit (bevy-julia.packages.${system}) bevy_julia; inherit (bevy-mandelbrot.packages.${system}) bevy_mandelbrot; @@ -131,16 +127,6 @@ with final; { then throw "tracer-game: ${reason}" else tracer.packages.${system}.tracer-game; - # HACK: referenced by hydra-module.nix but removed from nixos-unstable in 2022-09 - # TODO: remove with 22.11 - utillinux = final.util-linux; - # vector-0.23 + mqtt-sink vector = pkgs-unstable.callPackage ./vector {}; - - wander = - if prev ? wander - then builtins.trace "`wander` is now available on stable NixOS. Please remove from overlay!" - prev.wander - else pkgs-unstable.wander; } From dc16c9d4b88744ae7cb336688536192aa5241d59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 04:25:50 +0100 Subject: [PATCH 157/247] Remove merged armv6 fix branch --- flake.lock | 17 ----------------- flake.nix | 2 -- 2 files changed, 19 deletions(-) diff --git a/flake.lock b/flake.lock index 94428017..47802ec9 100644 --- a/flake.lock +++ b/flake.lock @@ -363,22 +363,6 @@ "type": "github" } }, - "nixos-armv6": { - "locked": { - "lastModified": 1664701736, - "narHash": "sha256-Va3NyZ+uyZztu506qM+sLxd69DBzN5CdoCAu1lzVk0U=", - "owner": "rnhmjoj", - "repo": "nixpkgs", - "rev": "10b75bee02bc7c25e596847357c70b277c534588", - "type": "github" - }, - "original": { - "owner": "rnhmjoj", - "ref": "pr-fix-armv6", - "repo": "nixpkgs", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1669650994, @@ -538,7 +522,6 @@ "microvm": "microvm", "naersk": "naersk_2", "nixos": "nixos", - "nixos-armv6": "nixos-armv6", "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", "nixpkgs-mobilizon": "nixpkgs-mobilizon", diff --git a/flake.nix b/flake.nix index ad170611..34a72240 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,7 +7,6 @@ nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon"; nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:nixos/nixos-hardware"; - nixos-armv6.url = "github:rnhmjoj/nixpkgs/pr-fix-armv6"; affection-src = { url = "git+https://gitea.nek0.eu/nek0/affection"; @@ -667,7 +666,6 @@ }; schalter = nixosSystem' { - nixpkgs = inputs.nixos-armv6; modules = [ "${nixos}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix" ({ lib, ... }: { From f97b96387dcc5cf417943ebb40ac293db237d6d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 04:27:44 +0100 Subject: [PATCH 158/247] Cleanup unused variable, remove global with lib --- flake.nix | 3 --- modules/default.nix | 10 ++-------- 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 34a72240..4a35cbd7 100644 --- a/flake.nix +++ b/flake.nix @@ -176,7 +176,6 @@ outputs = inputs@{ self, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: let inherit (nixos) lib; - forAllSystems = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ]; # all the input flakes for `nix copy` to the build machine, # allowing --override-input @@ -318,7 +317,6 @@ target = ''root@"${host}"''; rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de"; hostConfig = self.nixosConfigurations."${name}".config; - profile = hostConfig.system.build.toplevel; # let /var/lib/microvm/*/flake point to the flake-update branch so that # `microvm -u $NAME` updates to what hydra built today. selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update"; @@ -1014,7 +1012,6 @@ }; }; - nixosModule = self.nixosModules.c3d2; nixosModules = { c3d2 = { imports = [ 
diff --git a/modules/default.nix b/modules/default.nix index 575d04ab..4cae18bd 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let # TODO: move to flake nixcloud-webservices = pkgs.fetchFromGitHub { @@ -30,19 +28,15 @@ let else throw "Invalid LXC config value"; toLxcConfig = toLxcConfig' ""; - - lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } '' - mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp} - ''; in { - options = with types; { + options = with lib.types; { lxc.containers = mkOption { type = attrs; default = { }; }; }; - config = mkIf (containers != { }) { + config = lib.mkIf (containers != { }) { virtualisation.lxc.enable = true; environment.systemPackages = [ nixcloud.container ]; From c4241c25ab0406fda9f5797c7acc3740c3fa4180 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 05:04:07 +0100 Subject: [PATCH 159/247] Sort --- modules/microvm.nix | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/microvm.nix b/modules/microvm.nix index b44048e8..8df5d8a8 100644 --- a/modules/microvm.nix +++ b/modules/microvm.nix @@ -62,21 +62,10 @@ in }; }; - config.system.build = with pkgs; { - copyToServer = writeScript "copy-to-${server}" '' - #! ${runtimeShell} -e - - nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@ - ''; - - runOnServer = writeScript "run-on-${server}" '' - #! ${runtimeShell} -e - - ssh root@${serverFQDN} -- $@ - ''; - }; - config = { + # autoupdates do not make sense inside MicroVMs with read-only /nix/store + c3d2.autoUpdate = false; + boot.kernelParams = [ "preempt=none" # No server/router runs any untrusted user code @@ -123,6 +112,9 @@ in useNetworkd = true; }; + # nix store is mounted read only + nix.gc.automatic = false; + systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup { links = builtins.foldl' (links: net: links // { "30-${net}" = { 
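Review bot: `mkOption` in the `options = with lib.types; {` line of modules/default.nix is no longer bound once this hunk drops the file-level `with lib;`: `lib.types` carries the option types (`attrs`, `mkOptionType`, …) but not `mkOption`, so evaluating the module should now fail with an undefined-variable error unless something outside the hunk binds it. The fix is one token, `lxc.containers = lib.mkOption {`. The same sweep correctly changed `mkIf` to `lib.mkIf`; `containers` in that line is presumably a let-binding above the hunk and needs no change.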
@@ -165,10 +157,18 @@ in }) {} nets; }; - # autoupdates do not make sense inside MicroVMs with read-only /nix/store - c3d2.autoUpdate = false; + system.build = with pkgs; { + copyToServer = writeScript "copy-to-${server}" '' + #! ${runtimeShell} -e - # nix store is mounted read only - nix.gc.automatic = false; + nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@ + ''; + + runOnServer = writeScript "run-on-${server}" '' + #! ${runtimeShell} -e + + ssh root@${serverFQDN} -- $@ + ''; + }; }; } From e16bd28785bdf89ef1bb4f541b3ba20c9111bacb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 06:36:57 +0100 Subject: [PATCH 160/247] Convert nix settings --- hosts/dacbert/default.nix | 16 ++++++++-------- hosts/hydra/default.nix | 6 +++--- hosts/riscbert/default.nix | 12 ++++++------ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index 19864896..90bbd332 100644 --- a/hosts/dacbert/default.nix +++ b/hosts/dacbert/default.nix @@ -73,16 +73,16 @@ }; nix = { - buildCores = 4; - maxJobs = 1; - trustedUsers = [ "client" ]; - extraOptions = '' - builders-use-substitutes = true - extra-platforms = armv6l-linux - ''; daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; - settings.system-features = []; + settings = { + builders-use-substitutes = true; + cores = 4; + extra-platforms = "armv6l-linux"; + max-jobs = 1; + system-features = []; + trusted-users = [ "client" ]; + }; }; # kernel 32bit personality patch from Ubuntu boot.kernelPatches = [ diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index 0e6a954e..3277103e 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix 
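Review bot: The relocated `copyToServer` script in the `@@ -165,10 +157,18 @@` hunk of modules/microvm.nix still runs `nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@`, which asks the remote store, reached as root, to accept unsigned paths; that is only acceptable because the paths come from the operator's own build, and a comment stating so would keep the next reader from copying the pattern elsewhere, e.g. `# --no-check-sigs: paths are built locally and pushed over root ssh, so they carry no cache signature`. Both scripts also expand `$@` unquoted; store paths contain no whitespace so it is harmless today, but `"$@"` is the conventional form and costs nothing. The enclosing `config = { … }` set begins before this hunk.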
@@ -22,14 +22,14 @@ nix = { sshServe.enable = true; - trustedUsers = [ "@wheel" ]; settings = { + # # restore default overridden by harmonia + # allowed-users = lib.mkForce [ "*" ]; auto-optimise-store = true; cores = 20; keep-outputs = true; max-jobs = 8; - # restore default overridden by harmonia - allowed-users = lib.mkForce [ "*" ]; + trusted-users = [ "@wheel" ]; }; }; diff --git a/hosts/riscbert/default.nix b/hosts/riscbert/default.nix index 32a80066..906cd5b8 100644 --- a/hosts/riscbert/default.nix +++ b/hosts/riscbert/default.nix @@ -54,14 +54,14 @@ ''; nix = { - buildCores = 2; - maxJobs = 1; - # trustedUsers = [ "client" ]; - extraOptions = '' - builders-use-substitutes = true - ''; daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; + settings = { + builders-use-substitutes = true; + cores = 2; + max-jobs = 1; + # trusted-users = [ "client" ]; + }; }; system.stateVersion = "22.05"; From f5e671befb9898384a09c0cd9194d6baa0adf718 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 07:30:23 +0100 Subject: [PATCH 161/247] Do not generate jobs for tftproot if it is known to fail --- flake.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 4a35cbd7..b21ff503 100644 --- a/flake.nix +++ b/flake.nix @@ -511,7 +511,7 @@ "${host}-tftproot" = if config.system.build ? tftproot then config.system.build.tftproot - else throw "No tftproot for ${host}"; + else lib.trace "No tftproot for ${host}" null; } ) {} (builtins.attrNames self.nixosConfigurations) ) self.legacyPackages; @@ -1062,9 +1062,8 @@ then nixosSystem.config.microvm.declaredRunner else nixosSystem.config.system.build.toplevel ) self.nixosConfigurations - // - nixos.lib.filterAttrs (name: _: - builtins.match ".+-tftproot" name != null + // nixos.lib.filterAttrs (name: attr: + (builtins.match ".+-tftproot" name != null && lib.isDerivation attr) ) self.packages.aarch64-linux ); }; 
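Review bot: Commenting out `allowed-users = lib.mkForce [ "*" ];` in the hydra settings block is a behavioral change hidden inside a settings conversion: the old comment says harmonia overrides the default, so after this commit harmonia's restriction applies again and users outside it lose daemon access. If that is intended, say so in the commit message; otherwise keep `allowed-users = lib.mkForce [ "*" ];` active. Separately, `trusted-users = [ "@wheel" ]` makes every wheel member root-equivalent towards the daemon, which deserves a comment such as `# trusted-users are effectively root on the daemon`.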
From dcaecc7229866c334aa525ee03e126f0ceaf2b90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 07:46:56 +0100 Subject: [PATCH 162/247] Move flake packages into its own file --- flake.nix | 302 +------------------------------------------------- packages.nix | 305 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 306 insertions(+), 301 deletions(-) create mode 100644 packages.nix diff --git a/flake.nix b/flake.nix index b21ff503..186b5d93 100644 --- a/flake.nix +++ b/flake.nix @@ -177,10 +177,6 @@ let inherit (nixos) lib; - # all the input flakes for `nix copy` to the build machine, - # allowing --override-input - inputPaths = lib.escapeShellArgs (builtins.attrValues inputs); - extractZwHosts = { hosts4, hosts6, ... }: lib.recursiveUpdate ( builtins.foldl' (result: name: @@ -205,16 +201,6 @@ }; extraHostRegistry.hosts = import ./host-registry.nix; hostRegistry = lib.recursiveUpdate zwHostRegistry extraHostRegistry; - - getHostAddr = name: - let - hostConf = hostRegistry.hosts."${name}"; - in - if hostConf ? ip4 - then hostConf.ip4 - else if hostConf ? ip6 - then hostConf.ip6 - else throw "Host ${name} has no ip4 or ip6 address"; in { overlay = import ./overlay { inherit nixos-unstable; 
@@ -228,293 +214,7 @@ self.overlay ]) nixos.legacyPackages; - packages = lib.attrsets.mapAttrs (system: pkgs: - let overlayPkgs = builtins.intersectAttrs (self.overlay {} {}) pkgs; - in overlayPkgs // - { - host-registry = pkgs.runCommand "host-registry" { - src = builtins.toFile "host-registry.nix" ( - lib.generators.toPretty {} hostRegistry - ); - } '' - ln -s $src $out - ''; - - list-upgradable = pkgs.writeScriptBin "list-upgradable" '' - #! ${pkgs.runtimeShell} - - NORMAL="\033[0m" - RED="\033[0;31m" - YELLOW="\033[0;33m" - GREEN="\033[0;32m" - - ${pkgs.lib.concatMapStringsSep "\n" (name: - let - addr = getHostAddr name; - in nixos.lib.optionalString (addr != null) '' - echo -n -e "${name}: $RED" - RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system") - if [ $? = 0 ] && [ -n "$RUNNING" ]; then - CURRENT=$(nix eval --raw ".#nixosConfigurations.${name}.config.system.build.toplevel" 2>/dev/null) - RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev) - RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3) - CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev) - CURRENT_DATE=$(echo $CURRENT_VER|cut -d . 
-f 3) - - if [ "$RUNNING" = "$CURRENT" ]; then - echo -e "$GREEN"current"$NORMAL $RUNNING_VER" - elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then - echo -e "$GREEN"newer"$NORMAL $RUNNING_VER > $CURRENT_VER" - elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then - echo -e "$YELLOW"modified"$NORMAL $RUNNING_VER" - elif [ -n "$RUNNING_VER" ]; then - echo -e "$RED"outdated"$NORMAL $RUNNING_VER < $CURRENT_VER" - else - echo -e "$RED"error"$NORMAL $RUNNING_VER" - fi - fi - echo -n -e "$NORMAL" - '') (builtins.attrNames self.nixosConfigurations)} - ''; - - prebuild-all = pkgs.runCommand "prebuild-all" { - preferLocalBuild = true; - } '' - mkdir $out - - ${pkgs.lib.concatMapStrings (name: '' - ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} name - '') (builtins.attrNames self.nixosConfigurations)} - ''; - - prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" '' - #!${pkgs.runtimeShell} -e - - nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths} - - set -x - ssh $1 -- nix build -L --no-link ${ - pkgs.lib.concatMapStringsSep " " (name: - "${self}#nixosConfigurations.${name}.config.system.build.toplevel" - ) (builtins.attrNames self.nixosConfigurations) - } - ''; - - } // - - builtins.foldl' (result: host: result // { - # TODO: check if the ethernet address is reachable and if not, - # execute wol on a machine in HQ. - "${host}-wake" = pkgs.writeScriptBin "${host}-wake" '' - #!${pkgs.runtimeShell} - exec ${pkgs.wol}/bin/wol ${hostRegistry.hosts."${host}".ether} - ''; - }) {} (builtins.attrNames (nixos.lib.filterAttrs (_: { wol ? false, ... }: wol) hostRegistry.hosts)) // - - builtins.foldl' (result: name: - let - host = getHostAddr name; - target = ''root@"${host}"''; - rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de"; - hostConfig = self.nixosConfigurations."${name}".config; - # let /var/lib/microvm/*/flake point to the flake-update branch so that - # `microvm -u $NAME` updates to what hydra built today. 
- selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update"; - in result // { - # Generate a small script for copying this flake to the - # remote machine and bulding and switching there. - # Can be run with `nix run c3d2#…-nixos-rebuild switch` - "${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' - #!${pkgs.runtimeShell} -ex - [[ $(ssh ${target} cat /etc/hostname) == ${name} ]] - nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths} - ssh ${target} nixos-rebuild ${rebuildArg} "$@" - ''; - - "${name}-nixos-rebuild-hydra" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' - #!${pkgs.runtimeShell} -e - echo Copying Flakes - nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${inputPaths} - echo Building on Hydra - ssh root@hydra.serv.zentralwerk.org -- \ - nix build -L -o /tmp/nixos-system-${name} \ - ${self}#nixosConfigurations.${name}.config.system.build.toplevel - echo Built. Obtaining link to data - TOPLEVEL=$(ssh root@hydra.serv.zentralwerk.org \ - readlink /tmp/nixos-system-${name}) - echo Checking target ${name} - ssh ${target} -- bash -e <&2 - exit 1 - ''} - - ${hostConfig.system.build.copyToServer} ${inputPaths} - - ${hostConfig.system.build.runOnServer} bash -e < flake - - [ -e old ] && nix store diff-closures ./old ./current - ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} - ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} - ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - - systemctl restart microvm@${name}.service - END - ''; - - "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' - #!${pkgs.runtimeShell} -e - - ${lib.optionalString (! 
builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' - echo "MicroVM must be configured to proper server" >&2 - exit 1 - ''} - - ${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner} - - ${hostConfig.system.build.runOnServer} bash -e < flake - - [ -e old ] && nix store diff-closures ./old ./current - ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} - ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} - ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - - systemctl restart microvm@${name}.service - END - ''; - - "nomad-${name}" = pkgs.writeScriptBin "nomad-${name}" '' - #!${pkgs.runtimeShell} -e - - ${lib.optionalString (hostConfig.c3d2.deployment.server or null == "nomad") '' - echo "MicroVM must be configured for nomad" >&2 - exit 1 - ''} - - echo Copying Flakes - nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${secrets} ${self} - - echo Building on Hydra - ssh root@hydra.serv.zentralwerk.org -- \ - nix build -L -o /tmp/microvm-${name}.job \ - ${self}#nixosConfigurations.${name}.config.system.build.nomadJob - - echo -n Built. Obtaining path... - JOB=$(ssh root@hydra.serv.zentralwerk.org -- \ - readlink /tmp/microvm-${name}.job) - echo \ $JOB - - for h in server9 server10 ; do - echo Sharing with $h - ssh root@$h.cluster.zentralwerk.org -- \ - bash -e </dev/null) + RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev) + RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3) + CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev) + CURRENT_DATE=$(echo $CURRENT_VER|cut -d . 
-f 3) + + if [ "$RUNNING" = "$CURRENT" ]; then + echo -e "$GREEN"current"$NORMAL $RUNNING_VER" + elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then + echo -e "$GREEN"newer"$NORMAL $RUNNING_VER > $CURRENT_VER" + elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then + echo -e "$YELLOW"modified"$NORMAL $RUNNING_VER" + elif [ -n "$RUNNING_VER" ]; then + echo -e "$RED"outdated"$NORMAL $RUNNING_VER < $CURRENT_VER" + else + echo -e "$RED"error"$NORMAL $RUNNING_VER" + fi + fi + echo -n -e "$NORMAL" + '') (builtins.attrNames self.nixosConfigurations)} + ''; + + prebuild-all = pkgs.runCommand "prebuild-all" { + preferLocalBuild = true; + } '' + mkdir $out + + ${pkgs.lib.concatMapStrings (name: '' + ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} name + '') (builtins.attrNames self.nixosConfigurations)} + ''; + + prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" '' + #!${pkgs.runtimeShell} -e + + nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths} + + set -x + ssh $1 -- nix build -L --no-link ${ + pkgs.lib.concatMapStringsSep " " (name: + "${self}#nixosConfigurations.${name}.config.system.build.toplevel" + ) (builtins.attrNames self.nixosConfigurations) + } + ''; + + } // + + builtins.foldl' (result: host: result // { + # TODO: check if the ethernet address is reachable and if not, + # execute wol on a machine in HQ. + "${host}-wake" = pkgs.writeScriptBin "${host}-wake" '' + #!${pkgs.runtimeShell} + exec ${pkgs.wol}/bin/wol ${hostRegistry.hosts."${host}".ether} + ''; + }) {} (builtins.attrNames (lib.filterAttrs (_: { wol ? false, ... }: wol) hostRegistry.hosts)) // + + builtins.foldl' (result: name: + let + host = getHostAddr name; + target = ''root@"${host}"''; + rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de"; + hostConfig = self.nixosConfigurations."${name}".config; + # let /var/lib/microvm/*/flake point to the flake-update branch so that + # `microvm -u $NAME` updates to what hydra built today. 
+ selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update"; + in result // { + # Generate a small script for copying this flake to the + # remote machine and bulding and switching there. + # Can be run with `nix run c3d2#…-nixos-rebuild switch` + "${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' + #!${pkgs.runtimeShell} -ex + [[ $(ssh ${target} cat /etc/hostname) == ${name} ]] + nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths} + ssh ${target} nixos-rebuild ${rebuildArg} "$@" + ''; + + "${name}-nixos-rebuild-hydra" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' + #!${pkgs.runtimeShell} -e + echo Copying Flakes + nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${inputPaths} + echo Building on Hydra + ssh root@hydra.serv.zentralwerk.org -- \ + nix build -L -o /tmp/nixos-system-${name} \ + ${self}#nixosConfigurations.${name}.config.system.build.toplevel + echo Built. Obtaining link to data + TOPLEVEL=$(ssh root@hydra.serv.zentralwerk.org \ + readlink /tmp/nixos-system-${name}) + echo Checking target ${name} + ssh ${target} -- bash -e <&2 + exit 1 + ''} + + ${hostConfig.system.build.copyToServer} ${inputPaths} + + ${hostConfig.system.build.runOnServer} bash -e < flake + + [ -e old ] && nix store diff-closures ./old ./current + ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} + ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} + ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} + + systemctl restart microvm@${name}.service + END + ''; + + "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' + #!${pkgs.runtimeShell} -e + + ${lib.optionalString (! 
builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' + echo "MicroVM must be configured to proper server" >&2 + exit 1 + ''} + + ${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner} + + ${hostConfig.system.build.runOnServer} bash -e < flake + + [ -e old ] && nix store diff-closures ./old ./current + ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} + ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} + ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} + + systemctl restart microvm@${name}.service + END + ''; + + "nomad-${name}" = pkgs.writeScriptBin "nomad-${name}" '' + #!${pkgs.runtimeShell} -e + + ${lib.optionalString (hostConfig.c3d2.deployment.server or null == "nomad") '' + echo "MicroVM must be configured for nomad" >&2 + exit 1 + ''} + + echo Copying Flakes + nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${secrets} ${self} + + echo Building on Hydra + ssh root@hydra.serv.zentralwerk.org -- \ + nix build -L -o /tmp/microvm-${name}.job \ + ${self}#nixosConfigurations.${name}.config.system.build.nomadJob + + echo -n Built. Obtaining path... + JOB=$(ssh root@hydra.serv.zentralwerk.org -- \ + readlink /tmp/microvm-${name}.job) + echo \ $JOB + + for h in server9 server10 ; do + echo Sharing with $h + ssh root@$h.cluster.zentralwerk.org -- \ + bash -e < Date: Sun, 4 Dec 2022 07:47:13 +0100 Subject: [PATCH 163/247] hydra: unify localhost machine --- hosts/hydra/hydra.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index c4facb7a..663c1225 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix 
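Review bot: In `prebuild-all`, `ln -s ${...toplevel} name` links to the literal filename `name` instead of `${name}`, so with more than one host the second iteration either fails with `File exists` or tries to create a link inside the first host's read-only store path; it should read `ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} ${name}`. The guard in `nomad-${name}` also appears inverted relative to `microvm-update-${name}-local`: `(hostConfig.c3d2.deployment.server or null) == "nomad"` errors out exactly when the host is configured for nomad, so `!=` was presumably intended. Both are moved verbatim from flake.nix and predate this commit, but the move is a good moment to fix them. The `list-upgradable` script's `StrictHostKeyChecking=accept-new` silently pins whatever host key is presented on first contact, which is worth a comment for anyone running it against a fresh registry entry.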
@@ -170,7 +170,7 @@ in in '' cat << EOF > ~/machines localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} - - hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - + localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - EOF ''; From 695e095d44f512000feee06c462c57750ba629ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 07:48:45 +0100 Subject: [PATCH 164/247] Format, move overlay to overlays to match ~/.config/nixpkgs/overlays/ --- flake.nix | 2 +- .../allcolors-cargo-update.patch | 0 {overlay => overlays}/bmxd.nix | 0 {overlay => overlays}/default.nix | 22 +- .../dump1090-influxdb/Gemfile | 0 .../dump1090-influxdb/Gemfile.lock | 0 .../dump1090-influxdb/default.nix | 0 .../dump1090-influxdb/gemset.nix | 12 +- .../dump1090-influxdb/main.rb | 0 {overlay => overlays}/dump1090_rs.nix | 6 +- {overlay => overlays}/mlat-client.nix | 0 {overlay => overlays}/pi-sensors/Cargo.lock | 0 {overlay => overlays}/pi-sensors/Cargo.toml | 0 {overlay => overlays}/pi-sensors/default.nix | 0 {overlay => overlays}/pi-sensors/src/dht.rs | 0 {overlay => overlays}/pi-sensors/src/main.rs | 0 .../pi-sensors/src/open_pin.rs | 0 {overlay => overlays}/pile.nix | 0 .../plume/0001-cargo-update.patch | 0 {overlay => overlays}/plume/default.nix | 31 +- {overlay => overlays}/readsb.nix | 25 +- {overlay => overlays}/simpleygggen.nix | 0 {overlay => overlays}/vector/default.nix | 2 +- packages.nix | 520 +++++++++--------- 24 files changed, 332 insertions(+), 288 deletions(-) rename {overlay => overlays}/allcolors-cargo-update.patch (100%) rename {overlay => overlays}/bmxd.nix (100%) rename {overlay => overlays}/default.nix (91%) rename {overlay => overlays}/dump1090-influxdb/Gemfile (100%) rename {overlay => overlays}/dump1090-influxdb/Gemfile.lock (100%) rename {overlay => overlays}/dump1090-influxdb/default.nix (100%) rename {overlay => overlays}/dump1090-influxdb/gemset.nix (63%) rename {overlay => overlays}/dump1090-influxdb/main.rb (100%) rename {overlay => overlays}/dump1090_rs.nix (89%) rename {overlay => overlays}/mlat-client.nix (100%) rename {overlay => overlays}/pi-sensors/Cargo.lock (100%) rename {overlay => overlays}/pi-sensors/Cargo.toml (100%) rename {overlay => overlays}/pi-sensors/default.nix (100%) rename {overlay => 
overlays}/pi-sensors/src/dht.rs (100%) rename {overlay => overlays}/pi-sensors/src/main.rs (100%) rename {overlay => overlays}/pi-sensors/src/open_pin.rs (100%) rename {overlay => overlays}/pile.nix (100%) rename {overlay => overlays}/plume/0001-cargo-update.patch (100%) rename {overlay => overlays}/plume/default.nix (91%) rename {overlay => overlays}/readsb.nix (73%) rename {overlay => overlays}/simpleygggen.nix (100%) rename {overlay => overlays}/vector/default.nix (98%) diff --git a/flake.nix b/flake.nix index 186b5d93..7fbb644e 100644 --- a/flake.nix +++ b/flake.nix @@ -202,7 +202,7 @@ extraHostRegistry.hosts = import ./host-registry.nix; hostRegistry = lib.recursiveUpdate zwHostRegistry extraHostRegistry; in { - overlay = import ./overlay { + overlay = import ./overlays { inherit nixos-unstable; inherit (inputs) tracer bevy-mandelbrot bevy-julia; }; diff --git a/overlay/allcolors-cargo-update.patch b/overlays/allcolors-cargo-update.patch similarity index 100% rename from overlay/allcolors-cargo-update.patch rename to overlays/allcolors-cargo-update.patch diff --git a/overlay/bmxd.nix b/overlays/bmxd.nix similarity index 100% rename from overlay/bmxd.nix rename to overlays/bmxd.nix diff --git a/overlay/default.nix b/overlays/default.nix similarity index 91% rename from overlay/default.nix rename to overlays/default.nix index 25a2afb6..c358a542 100644 --- a/overlay/default.nix +++ b/overlays/default.nix @@ -33,12 +33,14 @@ with final; { postFixup = '' patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs ''; - desktopItems = [ (makeDesktopItem { - name = "allcolors"; - desktopName = "Polygon's allcolors-rs"; - categories = [ "Game" ]; - exec = "allcolors-rs"; - }) ]; + desktopItems = [ + (makeDesktopItem { + name = "allcolors"; + desktopName = "Polygon's allcolors-rs"; + categories = [ "Game" ]; + exec = "allcolors-rs"; + }) + ]; }; inherit (bevy-julia.packages.${system}) bevy_julia; 
@@ -123,10 +125,10 @@ with final; { broken = true; reason = "haddock runs on affection for 10 hours and more"; in - if broken - then throw "tracer-game: ${reason}" - else tracer.packages.${system}.tracer-game; + if broken + then throw "tracer-game: ${reason}" + else tracer.packages.${system}.tracer-game; # vector-0.23 + mqtt-sink - vector = pkgs-unstable.callPackage ./vector {}; + vector = pkgs-unstable.callPackage ./vector { }; } diff --git a/overlay/dump1090-influxdb/Gemfile b/overlays/dump1090-influxdb/Gemfile similarity index 100% rename from overlay/dump1090-influxdb/Gemfile rename to overlays/dump1090-influxdb/Gemfile diff --git a/overlay/dump1090-influxdb/Gemfile.lock b/overlays/dump1090-influxdb/Gemfile.lock similarity index 100% rename from overlay/dump1090-influxdb/Gemfile.lock rename to overlays/dump1090-influxdb/Gemfile.lock diff --git a/overlay/dump1090-influxdb/default.nix b/overlays/dump1090-influxdb/default.nix similarity index 100% rename from overlay/dump1090-influxdb/default.nix rename to overlays/dump1090-influxdb/default.nix diff --git a/overlay/dump1090-influxdb/gemset.nix b/overlays/dump1090-influxdb/gemset.nix similarity index 63% rename from overlay/dump1090-influxdb/gemset.nix rename to overlays/dump1090-influxdb/gemset.nix index d9b0f3af..11502705 100644 --- a/overlay/dump1090-influxdb/gemset.nix +++ b/overlays/dump1090-influxdb/gemset.nix @@ -1,19 +1,19 @@ { gis-distance = { - groups = ["default"]; - platforms = []; + groups = [ "default" ]; + platforms = [ ]; source = { - remotes = ["https://rubygems.org"]; + remotes = [ "https://rubygems.org" ]; sha256 = "1kgv1scv25b65d9xfricj1ayd2iry7imgk7qw4mryd91mhriibaf"; type = "gem"; }; version = "1.1.0"; }; influxdb = { - groups = ["default"]; - platforms = []; + groups = [ "default" ]; + platforms = [ ]; source = { - remotes = ["https://rubygems.org"]; + remotes = [ "https://rubygems.org" ]; sha256 = "1l2sjf8kaw3adjjg3l7zg1j735yxdfldf04gl9kjc3hbpdcd7d4w"; type = "gem"; }; 
diff --git a/overlay/dump1090-influxdb/main.rb b/overlays/dump1090-influxdb/main.rb similarity index 100% rename from overlay/dump1090-influxdb/main.rb rename to overlays/dump1090-influxdb/main.rb diff --git a/overlay/dump1090_rs.nix b/overlays/dump1090_rs.nix similarity index 89% rename from overlay/dump1090_rs.nix rename to overlays/dump1090_rs.nix index 3b2ea3f4..cfd704cb 100644 --- a/overlay/dump1090_rs.nix +++ b/overlays/dump1090_rs.nix @@ -1,5 +1,7 @@ -{ fetchFromGitHub, rustPlatform -, pkg-config, llvmPackages +{ fetchFromGitHub +, rustPlatform +, pkg-config +, llvmPackages , soapysdr-with-plugins }: diff --git a/overlay/mlat-client.nix b/overlays/mlat-client.nix similarity index 100% rename from overlay/mlat-client.nix rename to overlays/mlat-client.nix diff --git a/overlay/pi-sensors/Cargo.lock b/overlays/pi-sensors/Cargo.lock similarity index 100% rename from overlay/pi-sensors/Cargo.lock rename to overlays/pi-sensors/Cargo.lock diff --git a/overlay/pi-sensors/Cargo.toml b/overlays/pi-sensors/Cargo.toml similarity index 100% rename from overlay/pi-sensors/Cargo.toml rename to overlays/pi-sensors/Cargo.toml diff --git a/overlay/pi-sensors/default.nix b/overlays/pi-sensors/default.nix similarity index 100% rename from overlay/pi-sensors/default.nix rename to overlays/pi-sensors/default.nix diff --git a/overlay/pi-sensors/src/dht.rs b/overlays/pi-sensors/src/dht.rs similarity index 100% rename from overlay/pi-sensors/src/dht.rs rename to overlays/pi-sensors/src/dht.rs diff --git a/overlay/pi-sensors/src/main.rs b/overlays/pi-sensors/src/main.rs similarity index 100% rename from overlay/pi-sensors/src/main.rs rename to overlays/pi-sensors/src/main.rs diff --git a/overlay/pi-sensors/src/open_pin.rs b/overlays/pi-sensors/src/open_pin.rs similarity index 100% rename from overlay/pi-sensors/src/open_pin.rs rename to overlays/pi-sensors/src/open_pin.rs 
diff --git a/overlay/pile.nix b/overlays/pile.nix similarity index 100% rename from overlay/pile.nix rename to overlays/pile.nix diff --git a/overlay/plume/0001-cargo-update.patch b/overlays/plume/0001-cargo-update.patch similarity index 100% rename from overlay/plume/0001-cargo-update.patch rename to overlays/plume/0001-cargo-update.patch diff --git a/overlay/plume/default.nix b/overlays/plume/default.nix similarity index 91% rename from overlay/plume/default.nix rename to overlays/plume/default.nix index c07463c3..ad4ce17c 100644 --- a/overlay/plume/default.nix +++ b/overlays/plume/default.nix @@ -1,8 +1,18 @@ -{ naersk, fenix -, curl, nodejs, rustPlatform -, stdenv, fetchFromGitHub, buildEnv, fetchCrate -, pkg-config, gettext, wasm-pack, binaryen -, openssl, postgresql +{ naersk +, fenix +, curl +, nodejs +, rustPlatform +, stdenv +, fetchFromGitHub +, buildEnv +, fetchCrate +, pkg-config +, gettext +, wasm-pack +, binaryen +, openssl +, postgresql }: let @@ -80,7 +90,8 @@ let inherit src version; nativeBuildInputs = [ - pkg-config gettext + pkg-config + gettext wasm-bindgen-cli ]; buildInputs = [ @@ -115,7 +126,10 @@ let pname = "plume-front"; root = src; nativeBuildInputs = [ - gettext wasm-pack wasm-bindgen-cli binaryen + gettext + wasm-pack + wasm-bindgen-cli + binaryen ]; CARGO_BUILD_TARGET = "wasm32-unknown-unknown"; cargoBuildOptions = x: @@ -133,7 +147,8 @@ let ''; }; }; -in buildEnv { +in +buildEnv { name = "plume-env"; paths = [ plume plume-front plm ]; passthru = { inherit plume plm; }; diff --git a/overlay/readsb.nix b/overlays/readsb.nix similarity index 73% rename from overlay/readsb.nix rename to overlays/readsb.nix index 15bb96a9..97cb74f3 100644 --- a/overlay/readsb.nix +++ b/overlays/readsb.nix 
@@ -1,8 +1,13 @@ -{ stdenv, fetchFromGitHub -, pkg-config, protobufc -, ncurses, rrdtool, libusb1 -, libbladeRF, librtlsdr -# , libad9361, libiio +{ stdenv +, fetchFromGitHub +, pkg-config +, protobufc +, ncurses +, rrdtool +, libusb1 +, libbladeRF +, librtlsdr + # , libad9361, libiio }: stdenv.mkDerivation rec { pname = "readsb-protobuf"; @@ -17,12 +22,16 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ - pkg-config protobufc + pkg-config + protobufc ]; buildInputs = [ - ncurses rrdtool libusb1 - libbladeRF librtlsdr + ncurses + rrdtool + libusb1 + libbladeRF + librtlsdr # libad9361 libiio ]; diff --git a/overlay/simpleygggen.nix b/overlays/simpleygggen.nix similarity index 100% rename from overlay/simpleygggen.nix rename to overlays/simpleygggen.nix diff --git a/overlay/vector/default.nix b/overlays/vector/default.nix similarity index 98% rename from overlay/vector/default.nix rename to overlays/vector/default.nix index d9a9e21e..376d13fc 100644 --- a/overlay/vector/default.nix +++ b/overlays/vector/default.nix @@ -51,7 +51,7 @@ rustPlatform.buildRustPackage { TZDIR = "${tzdata}/share/zoneinfo"; # needed to dynamically link rdkafka - CARGO_FEATURE_DYNAMIC_LINKING=1; + CARGO_FEATURE_DYNAMIC_LINKING = 1; buildNoDefaultFeatures = true; buildFeatures = features; diff --git a/packages.nix b/packages.nix index 7b16d037..83f9d90b 100644 --- a/packages.nix +++ b/packages.nix 
@@ -5,301 +5,317 @@ let let hostConf = hostRegistry.hosts."${name}"; in - if hostConf ? ip4 - then hostConf.ip4 - else if hostConf ? ip6 - then hostConf.ip6 - else throw "Host ${name} has no ip4 or ip6 address"; + if hostConf ? ip4 + then hostConf.ip4 + else if hostConf ? ip6 + then hostConf.ip6 + else throw "Host ${name} has no ip4 or ip6 address"; # all the input flakes for `nix copy` to the build machine, # allowing --override-input inputPaths = lib.escapeShellArgs (builtins.attrValues inputs); in -lib.attrsets.mapAttrs (system: pkgs: - let overlayPkgs = builtins.intersectAttrs (self.overlay {} {}) pkgs; - in overlayPkgs // - { - host-registry = pkgs.runCommand "host-registry" { - src = builtins.toFile "host-registry.nix" ( - lib.generators.toPretty {} hostRegistry - ); - } '' - ln -s $src $out - ''; +lib.attrsets.mapAttrs + (system: pkgs: + let + overlayPkgs = builtins.intersectAttrs (self.overlay { } { }) pkgs; + in + overlayPkgs // + { + host-registry = pkgs.runCommand "host-registry" + { + src = builtins.toFile "host-registry.nix" ( + lib.generators.toPretty { } hostRegistry + ); + } + '' + ln -s $src $out + ''; - list-upgradable = pkgs.writeScriptBin "list-upgradable" '' - #! ${pkgs.runtimeShell} + list-upgradable = pkgs.writeScriptBin "list-upgradable" '' + #! ${pkgs.runtimeShell} - NORMAL="\033[0m" - RED="\033[0;31m" - YELLOW="\033[0;33m" - GREEN="\033[0;32m" + NORMAL="\033[0m" + RED="\033[0;31m" + YELLOW="\033[0;33m" + GREEN="\033[0;32m" - ${pkgs.lib.concatMapStringsSep "\n" (name: - let - addr = getHostAddr name; - in lib.optionalString (addr != null) '' - echo -n -e "${name}: $RED" - RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system") - if [ $? 
= 0 ] && [ -n "$RUNNING" ]; then - CURRENT=$(nix eval --raw ".#nixosConfigurations.${name}.config.system.build.toplevel" 2>/dev/null) - RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev) - RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3) - CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev) - CURRENT_DATE=$(echo $CURRENT_VER|cut -d . -f 3) + ${pkgs.lib.concatMapStringsSep "\n" (name: + let + addr = getHostAddr name; + in lib.optionalString (addr != null) '' + echo -n -e "${name}: $RED" + RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system") + if [ $? = 0 ] && [ -n "$RUNNING" ]; then + CURRENT=$(nix eval --raw ".#nixosConfigurations.${name}.config.system.build.toplevel" 2>/dev/null) + RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev) + RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3) + CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev) + CURRENT_DATE=$(echo $CURRENT_VER|cut -d . -f 3) - if [ "$RUNNING" = "$CURRENT" ]; then - echo -e "$GREEN"current"$NORMAL $RUNNING_VER" - elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then - echo -e "$GREEN"newer"$NORMAL $RUNNING_VER > $CURRENT_VER" - elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then - echo -e "$YELLOW"modified"$NORMAL $RUNNING_VER" - elif [ -n "$RUNNING_VER" ]; then - echo -e "$RED"outdated"$NORMAL $RUNNING_VER < $CURRENT_VER" - else - echo -e "$RED"error"$NORMAL $RUNNING_VER" - fi - fi - echo -n -e "$NORMAL" - '') (builtins.attrNames self.nixosConfigurations)} - ''; + if [ "$RUNNING" = "$CURRENT" ]; then + echo -e "$GREEN"current"$NORMAL $RUNNING_VER" + elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then + echo -e "$GREEN"newer"$NORMAL $RUNNING_VER > $CURRENT_VER" + elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then + echo -e "$YELLOW"modified"$NORMAL $RUNNING_VER" + elif [ -n "$RUNNING_VER" ]; then + echo -e "$RED"outdated"$NORMAL $RUNNING_VER < $CURRENT_VER" + else + echo -e "$RED"error"$NORMAL $RUNNING_VER" + fi + fi + echo -n -e 
"$NORMAL" + '') (builtins.attrNames self.nixosConfigurations)} + ''; - prebuild-all = pkgs.runCommand "prebuild-all" { - preferLocalBuild = true; - } '' - mkdir $out + prebuild-all = pkgs.runCommand "prebuild-all" + { + preferLocalBuild = true; + } + '' + mkdir $out - ${pkgs.lib.concatMapStrings (name: '' - ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} name - '') (builtins.attrNames self.nixosConfigurations)} - ''; + ${pkgs.lib.concatMapStrings (name: '' + ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} name + '') (builtins.attrNames self.nixosConfigurations)} + ''; - prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" '' - #!${pkgs.runtimeShell} -e + prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" '' + #!${pkgs.runtimeShell} -e - nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths} + nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths} - set -x - ssh $1 -- nix build -L --no-link ${ - pkgs.lib.concatMapStringsSep " " (name: - "${self}#nixosConfigurations.${name}.config.system.build.toplevel" - ) (builtins.attrNames self.nixosConfigurations) - } - ''; + set -x + ssh $1 -- nix build -L --no-link ${ + pkgs.lib.concatMapStringsSep " " (name: + "${self}#nixosConfigurations.${name}.config.system.build.toplevel" + ) (builtins.attrNames self.nixosConfigurations) + } + ''; - } // + } // - builtins.foldl' (result: host: result // { - # TODO: check if the ethernet address is reachable and if not, - # execute wol on a machine in HQ. - "${host}-wake" = pkgs.writeScriptBin "${host}-wake" '' - #!${pkgs.runtimeShell} - exec ${pkgs.wol}/bin/wol ${hostRegistry.hosts."${host}".ether} - ''; - }) {} (builtins.attrNames (lib.filterAttrs (_: { wol ? false, ... }: wol) hostRegistry.hosts)) // + builtins.foldl' + (result: host: result // { + # TODO: check if the ethernet address is reachable and if not, + # execute wol on a machine in HQ. 
+ "${host}-wake" = pkgs.writeScriptBin "${host}-wake" '' + #!${pkgs.runtimeShell} + exec ${pkgs.wol}/bin/wol ${hostRegistry.hosts."${host}".ether} + ''; + }) + { } + (builtins.attrNames (lib.filterAttrs (_: { wol ? false, ... }: wol) hostRegistry.hosts)) // - builtins.foldl' (result: name: - let - host = getHostAddr name; - target = ''root@"${host}"''; - rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de"; - hostConfig = self.nixosConfigurations."${name}".config; - # let /var/lib/microvm/*/flake point to the flake-update branch so that - # `microvm -u $NAME` updates to what hydra built today. - selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update"; - in result // { - # Generate a small script for copying this flake to the - # remote machine and bulding and switching there. - # Can be run with `nix run c3d2#…-nixos-rebuild switch` - "${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' - #!${pkgs.runtimeShell} -ex - [[ $(ssh ${target} cat /etc/hostname) == ${name} ]] - nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths} - ssh ${target} nixos-rebuild ${rebuildArg} "$@" - ''; + builtins.foldl' + (result: name: + let + host = getHostAddr name; + target = ''root@"${host}"''; + rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de"; + hostConfig = self.nixosConfigurations."${name}".config; + # let /var/lib/microvm/*/flake point to the flake-update branch so that + # `microvm -u $NAME` updates to what hydra built today. + selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update"; + in + result // { + # Generate a small script for copying this flake to the + # remote machine and bulding and switching there. 
+ # Can be run with `nix run c3d2#…-nixos-rebuild switch` + "${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' + #!${pkgs.runtimeShell} -ex + [[ $(ssh ${target} cat /etc/hostname) == ${name} ]] + nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths} + ssh ${target} nixos-rebuild ${rebuildArg} "$@" + ''; - "${name}-nixos-rebuild-hydra" = pkgs.writeScriptBin "${name}-nixos-rebuild" '' - #!${pkgs.runtimeShell} -e - echo Copying Flakes - nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${inputPaths} - echo Building on Hydra - ssh root@hydra.serv.zentralwerk.org -- \ - nix build -L -o /tmp/nixos-system-${name} \ - ${self}#nixosConfigurations.${name}.config.system.build.toplevel - echo Built. Obtaining link to data - TOPLEVEL=$(ssh root@hydra.serv.zentralwerk.org \ - readlink /tmp/nixos-system-${name}) - echo Checking target ${name} - ssh ${target} -- bash -e <&2 - exit 1 - ''} + ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' + echo "MicroVM must be configured to proper server" >&2 + exit 1 + ''} - ${hostConfig.system.build.copyToServer} ${inputPaths} + ${hostConfig.system.build.copyToServer} ${inputPaths} - ${hostConfig.system.build.runOnServer} bash -e < flake + nix build -L \ + -o current \ + ${self}#nixosConfigurations.${name}.config.microvm.declaredRunner + echo '${selfRef}' > flake - [ -e old ] && nix store diff-closures ./old ./current - ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} - ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} - ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} + [ -e old ] && nix store diff-closures ./old ./current + ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} + ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} + ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - systemctl restart microvm@${name}.service - END - ''; + systemctl restart 
microvm@${name}.service + END + ''; - "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' - #!${pkgs.runtimeShell} -e + "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' + #!${pkgs.runtimeShell} -e - ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' - echo "MicroVM must be configured to proper server" >&2 - exit 1 - ''} + ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' + echo "MicroVM must be configured to proper server" >&2 + exit 1 + ''} - ${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner} + ${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner} - ${hostConfig.system.build.runOnServer} bash -e < flake + ln -sfT ${hostConfig.microvm.declaredRunner} current + echo '${selfRef}' > flake - [ -e old ] && nix store diff-closures ./old ./current - ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} - ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} - ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} + [ -e old ] && nix store diff-closures ./old ./current + ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} + ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} + ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - systemctl restart microvm@${name}.service - END - ''; + systemctl restart microvm@${name}.service + END + ''; - "nomad-${name}" = pkgs.writeScriptBin "nomad-${name}" '' - #!${pkgs.runtimeShell} -e + "nomad-${name}" = pkgs.writeScriptBin "nomad-${name}" '' + #!${pkgs.runtimeShell} -e - ${lib.optionalString (hostConfig.c3d2.deployment.server or null == "nomad") '' - echo "MicroVM must be configured for nomad" >&2 - exit 1 - ''} + ${lib.optionalString (hostConfig.c3d2.deployment.server or null == "nomad") '' + echo "MicroVM must be configured for nomad" >&2 + exit 1 + ''} - 
echo Copying Flakes - nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${secrets} ${self} + echo Copying Flakes + nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${secrets} ${self} - echo Building on Hydra - ssh root@hydra.serv.zentralwerk.org -- \ - nix build -L -o /tmp/microvm-${name}.job \ - ${self}#nixosConfigurations.${name}.config.system.build.nomadJob + echo Building on Hydra + ssh root@hydra.serv.zentralwerk.org -- \ + nix build -L -o /tmp/microvm-${name}.job \ + ${self}#nixosConfigurations.${name}.config.system.build.nomadJob - echo -n Built. Obtaining path... - JOB=$(ssh root@hydra.serv.zentralwerk.org -- \ - readlink /tmp/microvm-${name}.job) - echo \ $JOB + echo -n Built. Obtaining path... + JOB=$(ssh root@hydra.serv.zentralwerk.org -- \ + readlink /tmp/microvm-${name}.job) + echo \ $JOB - for h in server9 server10 ; do - echo Sharing with $h - ssh root@$h.cluster.zentralwerk.org -- \ - bash -e < Date: Sun, 4 Dec 2022 07:56:27 +0100 Subject: [PATCH 165/247] overlays cleanup, remove package updates that are in stable by now --- flake.nix | 4 +-- overlays/allcolors.nix | 42 ++++++++++++++++++++++++++++++ overlays/default.nix | 58 +++++++----------------------------------- 3 files changed, 53 insertions(+), 51 deletions(-) create mode 100644 overlays/allcolors.nix diff --git a/flake.nix b/flake.nix index 7fbb644e..950d9da1 100644 --- a/flake.nix +++ b/flake.nix @@ -202,7 +202,7 @@ extraHostRegistry.hosts = import ./host-registry.nix; hostRegistry = lib.recursiveUpdate zwHostRegistry extraHostRegistry; in { - overlay = import ./overlays { + overlays = import ./overlays { inherit nixos-unstable; inherit (inputs) tracer bevy-mandelbrot bevy-julia; }; @@ -211,7 +211,7 @@ pkgs.appendOverlays [ fenix.overlays.default naersk.overlay - self.overlay + self.overlays ]) nixos.legacyPackages; packages = import ./packages.nix { inherit hostRegistry inputs lib microvm secrets self; }; 
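Review bot: The output renamed here, `overlays = import ./overlays { ... };`, is still a single overlay function, but `overlays` is the flake-schema name for an attribute set of named overlays, so `nix flake check`/`nix flake show` and any consumer expecting `c3d2.overlays.default` will likely trip on it (not verifiable from this hunk alone). The second hunk's `self.overlays` inside `pkgs.appendOverlays [ ... ]` keeps working because it only needs a function value, which hides the mismatch. Consider `overlays.default = import ./overlays { ... };` and `self.overlays.default` in the second hunk, keeping `overlay` as an alias if other flakes consume it.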
diff --git a/overlays/allcolors.nix b/overlays/allcolors.nix
new file mode 100644
index 00000000..521046e4
--- /dev/null
+++ b/overlays/allcolors.nix
@@ -0,0 +1,42 @@
+{ lib
+, copyDesktopItems
+, fetchFromGitHub
+, rustPlatform
+, libGL
+, makeDesktopItem
+, mesa
+, xorg
+}:
+
+rustPlatform.buildRustPackage rec {
+ pname = "allcolors";
+ version = "0.1.0";
+ src = fetchFromGitHub {
+ owner = "polygon";
+ repo = "allcolors-rs";
+ rev = "023bd480245052357a7fd5f42181ff6e67d98b31";
+ sha256 = "sha256-whaV+k5xh01OQNOehwkEBUDpMWn47mvVihVwchBvWoE=";
+ };
+ cargoPatches = [ ./allcolors-cargo-update.patch ];
+ cargoSha256 = "sha256-RbfACA4hcyemGkw9bqjpIk393SBgBM939I95+grVI0c=";
+ nativeBuildInputs = [ copyDesktopItems ];
+ buildInputs = [
+ xorg.libX11
+ xorg.libXcursor
+ xorg.libXrandr
+ xorg.libXi
+ libGL
+ mesa
+ ];
+ postFixup = ''
+ patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs
+ '';
+ desktopItems = [
+ (makeDesktopItem {
+ name = "allcolors";
+ desktopName = "Polygon's allcolors-rs";
+ categories = [ "Game" ];
+ exec = "allcolors-rs";
+ })
+ ];
+}
diff --git a/overlays/default.nix b/overlays/default.nix
index c358a542..c8c7793d 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
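Review bot: `patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs` in `postFixup` replaces the entire RUNPATH the linker wrote rather than extending it, so any library path the build itself needed (presumably libgcc_s and friends for a Rust binary) is dropped and only the X11/GL directories remain; that it happens to run today does not make it robust. This is a verbatim move out of `overlays/default.nix`, so behaviour is unchanged, but the new file is the place to fix it: `patchelf --set-rpath "$(patchelf --print-rpath $out/bin/allcolors-rs):${lib.makeLibraryPath buildInputs}" $out/bin/allcolors-rs` (or `--add-rpath` if the patchelf in use supports it). While touching it, `cargoSha256` is the legacy attribute; `cargoHash` accepts the same SRI value.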
@@ -10,38 +10,7 @@ let pkgs-unstable = nixos-unstable.legacyPackages.${prev.system}; in with final; { - allcolors = rustPlatform.buildRustPackage rec { - pname = "allcolors"; - version = "0.1.0"; - src = fetchFromGitHub { - owner = "polygon"; - repo = "allcolors-rs"; - rev = "023bd480245052357a7fd5f42181ff6e67d98b31"; - sha256 = "sha256-whaV+k5xh01OQNOehwkEBUDpMWn47mvVihVwchBvWoE="; - }; - cargoPatches = [ ./allcolors-cargo-update.patch ]; - cargoSha256 = "sha256-RbfACA4hcyemGkw9bqjpIk393SBgBM939I95+grVI0c="; - nativeBuildInputs = [ copyDesktopItems ]; - buildInputs = [ - xorg.libX11 - xorg.libXcursor - xorg.libXrandr - xorg.libXi - libGL - mesa - ]; - postFixup = '' - patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs - ''; - desktopItems = [ - (makeDesktopItem { - name = "allcolors"; - desktopName = "Polygon's allcolors-rs"; - categories = [ "Game" ]; - exec = "allcolors-rs"; - }) - ]; - }; + allcolors = callPackage ./allcolors.nix; inherit (bevy-julia.packages.${system}) bevy_julia; inherit (bevy-mandelbrot.packages.${system}) bevy_mandelbrot; @@ -88,7 +57,7 @@ with final; { ]; }); - mlat-client = prev.python3Packages.callPackage ./mlat-client.nix { }; + mlat-client = python3Packages.callPackage ./mlat-client.nix { }; nixVersions = prev.nixVersions // { 
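Review bot: `allcolors = callPackage ./allcolors.nix;` is missing the override argument: `callPackage` is curried, so without the trailing `{ }` the attribute evaluates to a function rather than a derivation, and `nix build .#allcolors` or any host that lists it in `environment.systemPackages` will fail at evaluation complaining that a set was expected. Every sibling in this file (`pile = callPackage ./pile.nix { };`, `readsb = callPackage ./readsb.nix { };`, ...) passes the empty set. Change it to `allcolors = callPackage ./allcolors.nix { };`.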
@@ -103,32 +72,23 @@ with final; { }); }; - inherit (nixos-unstable.legacyPackages.${prev.targetPlatform.system}) nomad_1_3; - openssh = prev.openssh.overrideAttrs (oldAttrs: { # takes 30 minutes doCheck = false; }); - pile = prev.callPackage ./pile.nix { }; + pile = callPackage ./pile.nix { }; - pi-sensors = prev.callPackage ./pi-sensors { }; + pi-sensors = callPackage ./pi-sensors { }; - plume = prev.callPackage ./plume { }; + plume = callPackage ./plume { }; - readsb = prev.callPackage ./readsb.nix { }; + readsb = callPackage ./readsb.nix { }; - SimpleYggGen-CPP = prev.callPackage ./simpleygggen.nix { }; + simpleygggen-cpp = callPackage ./simpleygggen.nix { }; tracer-game = - let - broken = true; - reason = "haddock runs on affection for 10 hours and more"; - in - if broken - then throw "tracer-game: ${reason}" + if true + then throw "tracer-game: haddock runs on affection for 10 hours and more" else tracer.packages.${system}.tracer-game; - - # vector-0.23 + mqtt-sink - vector = pkgs-unstable.callPackage ./vector { }; } From 6b8d8541c6e4efd8f0d583f05205f4ad1c21bee7 Mon Sep 17 00:00:00 2001 
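Review bot: Renaming the overlay attribute `SimpleYggGen-CPP` to `simpleygggen-cpp` drops the old name without an alias, and this commit's diffstat touches only `flake.nix`, `overlays/allcolors.nix` and `overlays/default.nix`, so any host module still referencing `pkgs.SimpleYggGen-CPP` will break at evaluation (not verifiable from here; grep `hosts/` for the old name). If consumers exist, keep a one-line compatibility alias next to the new one, `SimpleYggGen-CPP = simpleygggen-cpp;`. Removing `vector = pkgs-unstable.callPackage ./vector { };` also appears to leave `overlays/vector/` (reformatted earlier in this series) orphaned; delete it in a follow-up or note why it is kept.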
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 08:53:28 +0100 Subject: [PATCH 166/247] Deadnix, statix, other cleanups --- flake.nix | 8 +-- hosts/auth/default.nix | 4 +- hosts/blogs/default.nix | 2 +- hosts/broker/default.nix | 2 +- hosts/c3d2-web/default.nix | 12 ++--- hosts/dacbert/default.nix | 2 +- hosts/direkthilfe/default.nix | 11 ++-- hosts/dn42/default.nix | 2 +- hosts/factorio/default.nix | 2 +- hosts/ftp/default.nix | 2 +- hosts/gitea/default.nix | 2 +- hosts/glotzbert/default.nix | 2 +- hosts/glotzbert/hardware-configuration.nix | 2 +- hosts/grafana/default.nix | 2 +- hosts/hedgedoc/default.nix | 2 +- hosts/hydra/default.nix | 4 +- hosts/hydra/hardware-configuration.nix | 2 +- hosts/hydra/hydra.nix | 2 +- hosts/leon/default.nix | 2 +- hosts/leoncloud/default.nix | 2 +- hosts/matemat/default.nix | 2 +- hosts/mediawiki/default.nix | 2 +- hosts/mobilizon/default.nix | 2 +- hosts/mucbot/default.nix | 2 +- hosts/network-homepage/default.nix | 4 +- hosts/nfsroot/default.nix | 4 +- hosts/nncp/default.nix | 2 +- hosts/nncp/neighbours.nix | 8 +-- hosts/oparl/default.nix | 8 ++- hosts/prometheus/default.nix | 4 +- hosts/public-access-proxy/proxy.nix | 63 ++++++++++------------ hosts/public-access-proxy/stats.nix | 2 +- hosts/pulsebert/hardware-configuration.nix | 2 +- hosts/rpi-netboot/default.nix | 2 +- hosts/scrape/default.nix | 2 +- hosts/sdrweb/default.nix | 2 +- hosts/server10/default.nix | 2 +- hosts/server10/hardware-configuration.nix | 2 +- hosts/server8/default.nix | 2 +- hosts/server8/hardware-configuration.nix | 2 +- hosts/server9/default.nix | 2 +- hosts/server9/hardware-configuration.nix | 2 +- hosts/spaceapi/default.nix | 3 +- hosts/ticker/default.nix | 4 +- hosts/zengel/default.nix | 11 ++-- modules/audio-server.nix | 2 +- modules/backup.nix | 2 +- modules/c3d2.nix | 8 +-- modules/cluster/default.nix | 6 +-- modules/cluster/deployment-options.nix | 4 +- modules/cluster/deployment.nix | 3 +- modules/logging.nix | 26 +-------- 
modules/microvm.nix | 4 +- modules/nncp.nix | 38 ++++++------- modules/plume.nix | 9 ++-- modules/rpi-netboot.nix | 2 +- overlays/bmxd.nix | 2 +- overlays/plume/default.nix | 3 +- packages.nix | 12 +---- 59 files changed, 139 insertions(+), 192 deletions(-) diff --git a/flake.nix b/flake.nix index 950d9da1..3d32b924 100644 --- a/flake.nix +++ b/flake.nix @@ -207,7 +207,7 @@ inherit (inputs) tracer bevy-mandelbrot bevy-julia; }; - legacyPackages = lib.attrsets.mapAttrs (system: pkgs: + legacyPackages = lib.attrsets.mapAttrs (_: pkgs: pkgs.appendOverlays [ fenix.overlays.default naersk.overlay @@ -224,7 +224,7 @@ inherit specialArgs system; modules = [ - ({ pkgs, ... }: { + ({ ... }: { _module.args = extraArgs // { inherit hostRegistry inputs zentralwerk; }; @@ -327,7 +327,7 @@ radiobert = nixosSystem' { modules = [ - ({ modulesPath, ... }: + ({ ... }: { nixpkgs.overlays = [ heliwatch.overlay ]; }) @@ -763,7 +763,7 @@ else nixosSystem.config.system.build.toplevel ) self.nixosConfigurations // nixos.lib.filterAttrs (name: attr: - (builtins.match ".+-tftproot" name != null && lib.isDerivation attr) + (lib.match ".+-tftproot" name != null && lib.isDerivation attr) ) self.packages.aarch64-linux ); }; diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index 813e8ebb..eb535c3c 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ config, ... }: { c3d2 = { @@ -58,7 +58,7 @@ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; defaultSopsFile = ./secrets.yaml; secrets."portunus/seed" = { - group = config.services.portunus.group; + inherit (config.services.portunus) group; owner = config.services.portunus.user; }; }; diff --git a/hosts/blogs/default.nix b/hosts/blogs/default.nix index a45d968e..357bf17a 100644 --- a/hosts/blogs/default.nix +++ b/hosts/blogs/default.nix @@ -1,4 +1,4 @@ -{ hostRegistry, zentralwerk, config, ... }: +{ config, ... }: { microvm.mem = 2048; c3d2.deployment = { 
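Review bot: In the `@@ -763,7 +763,7 @@` hunk `builtins.match` was swapped for `lib.match` inside the `filterAttrs` over `self.packages.aarch64-linux`; as far as I can tell top-level nixpkgs `lib` does not re-export `match` (it lives under `lib.strings`), so unless `lib` is extended in this flake this becomes an `attribute 'match' missing` error the first time that output is evaluated. Either keep `builtins.match` or use `lib.strings.match`, and evaluate the affected output once before merging since deadnix/statix do not catch this.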
diff --git a/hosts/broker/default.nix b/hosts/broker/default.nix index 6664c55a..3c31cc64 100644 --- a/hosts/broker/default.nix +++ b/hosts/broker/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, zentralwerk, ... }: +{ config, pkgs, ... }: let mymqttui = pkgs.writeScriptBin "mqttui" '' diff --git a/hosts/c3d2-web/default.nix b/hosts/c3d2-web/default.nix index ae29141b..4b5a66ac 100644 --- a/hosts/c3d2-web/default.nix +++ b/hosts/c3d2-web/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, nixpkgs, config, lib, pkgs, ... }: +{ config, pkgs, ... }: let webroot = "/var/www"; geminiRoot = "/var/gemini"; @@ -150,11 +150,11 @@ in home = "/var/lib/c3d2-web"; }; - systemd.tmpfiles.rules = [ - "d ${webroot}/c3d2 0755 c3d2-web ${config.users.users.c3d2-web.group} -" - "d ${webroot}/log 0755 c3d2-web ${config.users.users.c3d2-web.group} -" - "d ${geminiRoot} 0755 c3d2-web ${config.users.users.c3d2-web.group} -" - "d ${config.users.users.c3d2-web.home} 0700 c3d2-web ${config.users.users.c3d2-web.group} -" + systemd.tmpfiles.rules = with config.users.users.c3d2-web; [ + "d ${webroot}/c3d2 0755 c3d2-web ${group} -" + "d ${webroot}/log 0755 c3d2-web ${group} -" + "d ${geminiRoot} 0755 c3d2-web ${group} -" + "d ${home} 0700 c3d2-web ${group} -" ]; # Build script diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index 90bbd332..cb34dc1d 100644 --- a/hosts/dacbert/default.nix +++ b/hosts/dacbert/default.nix @@ -1,4 +1,4 @@ -{ hostRegistry, config, lib, pkgs, modulesPath, ... }: +{ hostRegistry, config, lib, pkgs, ... }: { c3d2 = { diff --git a/hosts/direkthilfe/default.nix b/hosts/direkthilfe/default.nix index 89674680..e289dc4a 100644 --- a/hosts/direkthilfe/default.nix +++ b/hosts/direkthilfe/default.nix @@ -1,7 +1,6 @@ -{ pkgs, ... }: -let - domain = "direkthilfe.c3d2.de"; -in { +{ config, pkgs, ... }: + +{ networking.hostName = "direkthilfe"; microvm.mem = 1024; c3d2.deployment = { 
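Review bot: In the `hosts/c3d2-web/default.nix` hunk, `systemd.tmpfiles.rules = with config.users.users.c3d2-web; [ ... ]` pulls every attribute of the user record (`name`, `uid`, `shell`, `description`, ...) into scope just to use `group` and `home`, which makes those two identifiers resolve implicitly and is the kind of `with` that static checkers flag. `webroot` and `geminiRoot` still resolve to the enclosing `let` because `let` bindings take precedence over `with`, so this is a readability rather than a correctness point. Prefer the explicit form `systemd.tmpfiles.rules = let inherit (config.users.users.c3d2-web) group home; in [ ... ];`.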
@@ -27,7 +26,7 @@ in { services.engelsystem = { enable = true; - domain = domain; + domain = "direkthilfe.c3d2.de"; createDatabase = true; package = pkgs.engelsystem.override { php = pkgs.php74; }; config = { @@ -64,7 +63,7 @@ in { services.phpfpm.phpPackage = pkgs.php74; services.nginx = { enable = true; - virtualHosts."${domain}" = { + virtualHosts."${config.services.engelsystem.domain}" = { default = true; forceSSL = true; enableACME = true; diff --git a/hosts/dn42/default.nix b/hosts/dn42/default.nix index 879ca71d..f2db903a 100644 --- a/hosts/dn42/default.nix +++ b/hosts/dn42/default.nix @@ -140,7 +140,7 @@ in { } '' else ""; - interface = if conf ? interface then conf.interface else name; + interface = conf.interface or name; in "${neighbor4}${neighbor6}") neighbors)); in '' protocol kernel { diff --git a/hosts/factorio/default.nix b/hosts/factorio/default.nix index fbd4585d..9a7109ff 100644 --- a/hosts/factorio/default.nix +++ b/hosts/factorio/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ config, lib, ... }: { c3d2 = { diff --git a/hosts/ftp/default.nix b/hosts/ftp/default.nix index 245deebc..63afffdb 100644 --- a/hosts/ftp/default.nix +++ b/hosts/ftp/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, zentralwerk, ... }: +{ config, pkgs, ... }: { c3d2 = { diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index e160679d..dff1a079 100644 --- a/hosts/gitea/default.nix +++ b/hosts/gitea/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, zentralwerk, ... }: +{ config, pkgs, lib, ... }: { c3d2 = { diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index 2d6e201e..5847dc3a 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, ... }: +{ config, pkgs, ... }: { imports = [ ./hardware-configuration.nix ]; diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 700acaed..37ee602f 100644 
--- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix @@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ lib, modulesPath, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 3661cebb..9b2e0f75 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, lib, modulesPath, ... }: +{ config, pkgs, ... }: let restartServices = [ "grafana" "influxdb" ]; diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix index 08b6ef76..c0c7fa30 100644 --- a/hosts/hedgedoc/default.nix +++ b/hosts/hedgedoc/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ config, pkgs, ... }: { c3d2 = { diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index 3277103e..93ffdba1 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, lib, ... }: +{ config, pkgs, ... }: { imports = [ @@ -52,5 +52,5 @@ c3d2.hq.statistics.enable = true; services.smartd.enable = true; - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "20.09"; } diff --git a/hosts/hydra/hardware-configuration.nix b/hosts/hydra/hardware-configuration.nix index 51876ce3..5340469a 100644 --- a/hosts/hydra/hardware-configuration.nix +++ b/hosts/hydra/hardware-configuration.nix @@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = 
diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 663c1225..77f5e8e4 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -1,4 +1,4 @@ -{ self, hostRegistry, hydra-ca, config, lib, pkgs, ... }: +{ config, lib, ... }: let cachePort = 5000; diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index e2fc50a3..ced6c838 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -26,7 +26,7 @@ # `...-' `...-' #-------------------------------------------------------------------------------- -{ config, lib, pkgs, ... }: +{ lib, pkgs, ... }: { deployment = { persistedShares = [ "/etc" "/home" "/var" ]; diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index e94ba0f3..ed126e07 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: { deployment = { diff --git a/hosts/matemat/default.nix b/hosts/matemat/default.nix index e1ea56b8..0ca0bceb 100644 --- a/hosts/matemat/default.nix +++ b/hosts/matemat/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ pkgs, ... }: { c3d2 = { diff --git a/hosts/mediawiki/default.nix b/hosts/mediawiki/default.nix index 0422d64f..1a561f31 100644 --- a/hosts/mediawiki/default.nix +++ b/hosts/mediawiki/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: { networking.hostName = "mediawiki"; diff --git a/hosts/mobilizon/default.nix b/hosts/mobilizon/default.nix index b996ad0c..689d3422 100644 --- a/hosts/mobilizon/default.nix +++ b/hosts/mobilizon/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, ... }: +{ config, pkgs, ... }: { microvm.mem = 1024; c3d2.isInHq = false; diff --git a/hosts/mucbot/default.nix b/hosts/mucbot/default.nix index b3d13456..e681656a 100644 --- a/hosts/mucbot/default.nix +++ b/hosts/mucbot/default.nix 
@@ -1,4 +1,4 @@ -{ config, pkgs, tigger, ... }: +{ pkgs, tigger, ... }: { deployment = { diff --git a/hosts/network-homepage/default.nix b/hosts/network-homepage/default.nix index fdcf2285..6143ab63 100644 --- a/hosts/network-homepage/default.nix +++ b/hosts/network-homepage/default.nix @@ -1,6 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: - -with lib; +{ zentralwerk, pkgs, ... }: { system.stateVersion = "22.05"; diff --git a/hosts/nfsroot/default.nix b/hosts/nfsroot/default.nix index 7187b395..c913d0b0 100644 --- a/hosts/nfsroot/default.nix +++ b/hosts/nfsroot/default.nix @@ -1,7 +1,5 @@ -{ zentralwerk, config, lib, pkgs, ... }: +{ lib, ... }: let - netConfig = zentralwerk.lib.config.site.net.serv; - nfsExports = [ "var/lib/nfsroot/dacbert" "var/lib/nfsroot/riscbert" diff --git a/hosts/nncp/default.nix b/hosts/nncp/default.nix index 32307479..997115df 100644 --- a/hosts/nncp/default.nix +++ b/hosts/nncp/default.nix @@ -37,7 +37,7 @@ xx = "tx"; # transmit only when-tx-exists = true; }; - in lib.mapAttrs (name: value: + in lib.mapAttrs (_: value: value // { via = lib.lists.remove "c3d2" value.via; } // (lib.attrsets.optionalAttrs (value.addrs or { } != { }) { diff --git a/hosts/nncp/neighbours.nix b/hosts/nncp/neighbours.nix index d10158ea..fc77799c 100644 --- a/hosts/nncp/neighbours.nix +++ b/hosts/nncp/neighbours.nix @@ -1,7 +1,7 @@ -{ config, lib, pkgs, ... }: +{ config, pkgs, ... }: -let - exec = { +{ + programs.nncp.settings.neigh.emery.exec = { # A command to asynchronously export store paths to a remote caller. nix-store-export = with pkgs; [ @@ -16,4 +16,4 @@ let # A command to import store paths from a remote caller. nix-store-import = [ "${config.nix.package}/bin/nix-store" "--import" ]; }; -in { programs.nncp.settings.neigh = { emery = { inherit exec; }; }; } +} diff --git a/hosts/oparl/default.nix b/hosts/oparl/default.nix index 32f1c6fb..713ca79e 100644 --- a/hosts/oparl/default.nix +++ b/hosts/oparl/default.nix 
@@ -1,9 +1,7 @@ -{ zentralwerk, oparl-scraper, config, pkgs, ... }: +{ oparl-scraper, config, pkgs, ... }: + let ratsinfo-scraper = import oparl-scraper { inherit pkgs; }; - - netConfig = zentralwerk.lib.config.site.net.serv; - in { c3d2.deployment = { @@ -41,7 +39,7 @@ in path = with pkgs; [ git openssh poppler_utils ratsinfo-scraper ]; - script = '' + script = /* bash */ '' if [ -d data ]; then pushd data git pull diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index c36ef496..c3c366e0 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, lib, ... }: +{ zentralwerk, config, lib, ... }: { sops.defaultSopsFile = ./secrets.yaml; @@ -64,7 +64,7 @@ static_configs = let zwNets = zentralwerk.lib.config.site.net; - fromNet = net: filter: + fromNet = net: _: map (host: "${host}.${net}.zentralwerk.org:9100" ) (builtins.attrNames zwNets.${net}.hosts4); diff --git a/hosts/public-access-proxy/proxy.nix b/hosts/public-access-proxy/proxy.nix index eb3b65e0..21f5070e 100644 --- a/hosts/public-access-proxy/proxy.nix +++ b/hosts/public-access-proxy/proxy.nix 
@@ -1,50 +1,48 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: -with lib; -let cfg = config.services.proxy; - - canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""]; - -in { +let + cfg = config.services.proxy; + canonicalize = builtins.replaceStrings [ "*" "." ":" "[" "]" ] [ "all" "_" "_" "" "" ]; +in +{ options.services.proxy = { - - enable = mkOption { + enable = lib.mkOption { default = false; description = "whether to enable proxy"; - type = types.bool; + type = lib.types.bool; }; - proxyHosts = mkOption { - type = types.listOf (types.submodule { + proxyHosts = lib.mkOption { + type = lib.types.listOf (lib.types.submodule { options = { - hostNames = mkOption { - type = types.listOf types.str; + hostNames = lib.mkOption { + type = with lib.types; listOf str; default = [ ]; description = '' Proxy these hostNames. ''; }; - proxyTo = mkOption { - type = types.submodule { + proxyTo = lib.mkOption { + type = lib.types.submodule { options = { - host = mkOption { - type = types.nullOr types.string; + host = lib.mkOption { + type = with lib.types; nullOr string; default = null; description = '' Host to forward traffic to. Any hostname may only be used once ''; }; - httpPort = mkOption { - type = types.int; + httpPort = lib.mkOption { + type = lib.types.int; default = 80; description = '' Port to forward http to. ''; }; - httpsPort = mkOption { - type = types.int; + httpsPort = lib.mkOption { + type = lib.types.int; default = 443; description = '' Port to forward http to. @@ -57,8 +55,8 @@ in { ''; default = { }; }; - matchArg = mkOption { - type = types.str; + matchArg = lib.mkOption { + type = lib.types.str; default = ""; description = "Optional argument to HAProxy `req.ssl_sni -i`"; }; @@ -76,11 +74,9 @@ in { }; }]; }; - }; - config = mkIf cfg.enable { - + config = lib.mkIf cfg.enable { services.haproxy = { enable = true; config = '' 
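Review bot: `type = with lib.types; nullOr string;` for `proxyTo.host` keeps the deprecated `types.string`, which nixpkgs warns about on every evaluation and whose merge behaviour silently concatenates conflicting definitions — the wrong semantics for a hostname; since the line is rewritten in this hunk anyway it should become `type = with lib.types; nullOr str;`. The `httpsPort` option a few lines below still carries the copy-pasted description `Port to forward http to.`; make it `Port to forward https to.`.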
@@ -101,10 +97,9 @@ in { option forwardfor http-request set-header X-Forwarded-Proto http http-request set-header X-Forwarded-Port 80 - ${ - concatMapStrings ({ proxyTo, hostNames, matchArg }: - optionalString (hostNames != [ ] && proxyTo.host != null) ( - concatMapStrings (hostname: '' + ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }: + lib.optionalString (hostNames != [ ] && proxyTo.host != null) ( + lib.concatMapStrings (hostname: '' use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} } server ${canonicalize hostname}-http ${proxyTo.host}:${ toString proxyTo.httpPort @@ -118,13 +113,13 @@ in { bind :::443 v4v6 tcp-request inspect-delay 5s tcp-request content accept if { req.ssl_hello_type 1 } - ${concatMapStrings ({ proxyTo, hostNames, matchArg }: - concatMapStrings (hostname: '' + ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }: + lib.concatMapStrings (hostname: '' use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} } '') hostNames ) cfg.proxyHosts} - ${concatMapStrings ({ proxyTo, hostNames, matchArg }: '' + ${lib.concatMapStrings ({ proxyTo, ... }: '' backend ${canonicalize proxyTo.host}-https server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${ toString proxyTo.httpsPort diff --git a/hosts/public-access-proxy/stats.nix b/hosts/public-access-proxy/stats.nix index 09fac918..1656fbeb 100644 --- a/hosts/public-access-proxy/stats.nix +++ b/hosts/public-access-proxy/stats.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ pkgs, ... }: { c3d2.hq.statistics.enable = true; diff --git a/hosts/pulsebert/hardware-configuration.nix b/hosts/pulsebert/hardware-configuration.nix index 26675d11..caf973a7 100644 --- a/hosts/pulsebert/hardware-configuration.nix +++ b/hosts/pulsebert/hardware-configuration.nix 
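Review bot: The https generators rewritten in the second hunk (`lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:` for `use_backend` and `({ proxyTo, ... }:` for `backend`) call `canonicalize proxyTo.host` without the `proxyTo.host != null` guard that the http section in the first hunk has, so an entry left at the option default `host = null` makes `builtins.replaceStrings` throw during evaluation. Adding `lib.optionalString (proxyTo.host != null)` to both, mirroring the http branch, keeps the two sections consistent. Separately, one `backend ${canonicalize proxyTo.host}-https` is emitted per `proxyHosts` entry, and `canonicalize` maps both `.` and `:` to `_`, so two entries forwarding to the same or a colliding host produce duplicate backend names that HAProxy will presumably reject at config load; the description "Any hostname may only be used once" documents this but nothing enforces it, and an `assertions` entry comparing `lib.unique (map (p: canonicalize p.proxyTo.host) cfg.proxyHosts)` against the full list would. The haproxy config string continues outside the hunk.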
@@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ lib, ... }: { #imports = diff --git a/hosts/rpi-netboot/default.nix b/hosts/rpi-netboot/default.nix index 40fb2ff1..017dec7c 100644 --- a/hosts/rpi-netboot/default.nix +++ b/hosts/rpi-netboot/default.nix @@ -1,4 +1,4 @@ -{ hostRegistry, nixpkgs, config, lib, pkgs, modulesPath, ... }: +{ hostRegistry, lib, pkgs, ... }: { c3d2 = { diff --git a/hosts/scrape/default.nix b/hosts/scrape/default.nix index 4bbf9290..fe8fa315 100644 --- a/hosts/scrape/default.nix +++ b/hosts/scrape/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, pkgs, config, scrapers, ... }: +{ pkgs, config, scrapers, ... }: let freifunkNodes = { diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix index a5bc6a17..f6e53b0f 100644 --- a/hosts/sdrweb/default.nix +++ b/hosts/sdrweb/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, config, pkgs, ... }: +{ config, pkgs, ... }: { deployment = { # needs to keep just its ssh key for sops-nix diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix index 1b829a29..a16d803e 100644 --- a/hosts/server10/default.nix +++ b/hosts/server10/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: { imports = [ diff --git a/hosts/server10/hardware-configuration.nix b/hosts/server10/hardware-configuration.nix index 50ffe4f0..fb2caeed 100644 --- a/hosts/server10/hardware-configuration.nix +++ b/hosts/server10/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix index e84a6b59..a8bb6654 100644 --- a/hosts/server8/default.nix +++ b/hosts/server8/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ 
diff --git a/hosts/server8/hardware-configuration.nix b/hosts/server8/hardware-configuration.nix index 597568d2..17de888d 100644 --- a/hosts/server8/hardware-configuration.nix +++ b/hosts/server8/hardware-configuration.nix @@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = diff --git a/hosts/server9/default.nix b/hosts/server9/default.nix index ea5a2b4c..1f28e789 100644 --- a/hosts/server9/default.nix +++ b/hosts/server9/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +_: { imports = [ diff --git a/hosts/server9/hardware-configuration.nix b/hosts/server9/hardware-configuration.nix index c1abba41..0a9b72d9 100644 --- a/hosts/server9/hardware-configuration.nix +++ b/hosts/server9/hardware-configuration.nix @@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = diff --git a/hosts/spaceapi/default.nix b/hosts/spaceapi/default.nix index 2475fb3a..5861ef59 100644 --- a/hosts/spaceapi/default.nix +++ b/hosts/spaceapi/default.nix @@ -1,4 +1,5 @@ -{ zentralwerk, ... }: +_: + { c3d2.deployment = { server = "server10"; diff --git a/hosts/ticker/default.nix b/hosts/ticker/default.nix index 152c6a25..154daefd 100644 --- a/hosts/ticker/default.nix +++ b/hosts/ticker/default.nix @@ -1,6 +1,4 @@ -{ zentralwerk, config, lib, pkgs, ... }: - -with lib; +{ zentralwerk, config, ... }: { system.stateVersion = "22.05"; diff --git a/hosts/zengel/default.nix b/hosts/zengel/default.nix index 1a423801..57ef41a5 100644 --- a/hosts/zengel/default.nix +++ b/hosts/zengel/default.nix 
@@ -1,7 +1,6 @@ -{ pkgs, ... }: -let - domain = "zengel.datenspuren.de"; -in { +{ config, pkgs, ... }: + +{ networking.hostName = "zengel"; microvm.mem = 1024; c3d2.deployment = { @@ -13,7 +12,7 @@ in { services.engelsystem = { enable = true; - domain = domain; + domain = "zengel.datenspuren.de"; createDatabase = true; package = pkgs.engelsystem.override { php = pkgs.php74; }; config = { @@ -50,7 +49,7 @@ in { services.phpfpm.phpPackage = pkgs.php74; services.nginx = { enable = true; - virtualHosts."${domain}" = { + virtualHosts."${config.services.engelsystem.domain}" = { default = true; forceSSL = true; enableACME = true; diff --git a/modules/audio-server.nix b/modules/audio-server.nix index ad6fe887..107314b7 100644 --- a/modules/audio-server.nix +++ b/modules/audio-server.nix @@ -35,7 +35,7 @@ bluetoothSupport = true; advancedBluetoothCodecs = true; zeroconfSupport = true; - }).overrideAttrs (oldAttrs: { + }).overrideAttrs (_: { # one test times out doCheck = false; }); diff --git a/modules/backup.nix b/modules/backup.nix index 936fa1e2..2c0585ef 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -2,7 +2,7 @@ { config.services.postgresqlBackup = { - enable = config.services.postgresql.enable; + inherit (config.services.postgresql) enable; backupAll = true; compression = "zstd"; # compressionLevel = 9; # TODO: only available with 21.11 diff --git a/modules/c3d2.nix b/modules/c3d2.nix index f15493d9..60d6f2f2 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix 
@@ -169,21 +169,21 @@ in config = let - adminKeys = (with builtins; lib.lists.flatten ( + adminKeys = with builtins; lib.lists.flatten ( map (getAttr "sshKeys") (attrValues cfg.users) - )); + ); mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x); in { networking.hosts = lib.mkIf cfg.mergeHostsFile (( lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; }) - (lib.attrsets.filterAttrs (n: v: v.ip4 != null) cfg.hosts) + (lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts) ) // ( lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; }) - (lib.attrsets.filterAttrs (n: v: v.ip6 != null) cfg.hosts) + (lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts) )); programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp; diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 7b698fd0..7acbbe57 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, hostRegistry, config, lib, pkgs, ... }: +{ zentralwerk, hostRegistry, config, lib, ... }: let inherit (config.networking) hostName; @@ -15,8 +15,6 @@ let then net else result ) null [ "cluster" "serv" ]; - - ipv4Addr = zentralwerk.lib.config.site.net.${serverNet hostName}.hosts4.${hostName}; in { # Open firewall between cluster members networking.firewall.extraCommands = lib.concatMapStrings (server: @@ -41,7 +39,7 @@ in { ); nomad = { datacenter = "c3d2"; - servers = servers; + inherit servers; # run tasks only on these: client.enable = builtins.elem hostName microvmServers; client.meta = diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 4f77f516..c7ee785a 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix 
@@ -13,9 +13,9 @@ networks = mkOption { type = with types; listOf str; default = builtins.attrNames ( - lib.filterAttrs (net: { hosts4, hosts6, ... }: + lib.filterAttrs (_: { hosts4, hosts6, ... }: hosts4 ? ${config.networking.hostName} || - lib.filterAttrs (ctx: hosts6: + lib.filterAttrs (_: hosts6: hosts6 ? ${config.networking.hostName} ) hosts6 != {} ) zentralwerk.lib.config.site.net diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 8a23ac35..ceedabd0 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -31,8 +31,7 @@ in { microvm = { hypervisor = "cloud-hypervisor"; - vcpu = config.deployment.vcpu; - mem = config.deployment.mem; + inherit (config.deployment) mem vcpu; preStart = '' # Discard old writable store overlay diff --git a/modules/logging.nix b/modules/logging.nix index 13681b10..683af85d 100644 --- a/modules/logging.nix +++ b/modules/logging.nix @@ -1,28 +1,6 @@ -{ hostRegistry, config, pkgs, lib, ... }: +{ config, pkgs, lib, ... }: -let - - nginxGlobalLogging = '' - log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", ' - '"remote_addr": "$remote_addr", ' - '"body_bytes_sent": $body_bytes_sent, ' - '"request_time": $request_time, ' - '"response_status": $status, ' - '"request": "$request", ' - '"request_method": "$request_method", ' - '"host": "$host",' - '"upstream_cache_status": "$upstream_cache_status",' - '"upstream_addr": "$upstream_addr",' - '"http_x_forwarded_for": "$http_x_forwarded_for",' - '"http_referrer": "$http_referer", ' - '"http_user_agent": "$http_user_agent" }'; - - # replace the hostnames with the IP or hostname of your Graylog2 server - access_log syslog:server=graylog.server.org:12301 graylog2_json; - error_log syslog:server=graylog.server.org:12302; - ''; - -in { +{ # add central logging services.journalbeat = { enable = false; diff --git a/modules/microvm.nix b/modules/microvm.nix index 8df5d8a8..fad57689 100644 --- a/modules/microvm.nix 
+++ b/modules/microvm.nix @@ -19,9 +19,9 @@ let "${builtins.substring 0 1 hash}2:${c 2}:${c 4}:${c 6}:${c 8}:${c 10}"; nets = builtins.attrNames ( - lib.filterAttrs (net: { hosts4, hosts6, ... }: + lib.filterAttrs (_: { hosts4, hosts6, ... }: hosts4 ? ${hostName} || - lib.filterAttrs (ctx: hosts6: + lib.filterAttrs (_: hosts6: hosts6 ? ${hostName} ) hosts6 != {} ) zentralwerk.lib.config.site.net diff --git a/modules/nncp.nix b/modules/nncp.nix index f605a7a7..23aa135f 100644 --- a/modules/nncp.nix +++ b/modules/nncp.nix @@ -1,13 +1,10 @@ -{ config, lib, pkgs, ... }: -with lib; +{ config, lib, ... }: let nncpCfgFile = "/run/nncp.hjson"; programCfg = lib.optionalAttrs (config.programs ? nncp) config.programs.nncp; callerCfg = config.services.nncp.caller; daemonCfg = config.services.nncp.daemon; - settingsFormat = pkgs.formats.json { }; - jsonCfgFile = settingsFormat.generate "nncp.json" programCfg.settings; pkg = programCfg.package; in { @@ -15,13 +12,13 @@ in services.nncp = { caller = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' croned NNCP TCP daemon caller. The daemon will take configuration from ''; - extraArgs = mkOption { - type = with types; listOf str; + extraArgs = lib.mkOption { + type = with lib.types; listOf str; description = "Extra command-line arguments to pass to caller."; default = [ ]; example = [ "-autotoss" ]; @@ -29,18 +26,18 @@ in }; daemon = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' NNCP TCP synronization daemon. The daemon will take configuration from ''; socketActivation = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' Whether to run nncp-daemon persistently or socket-activated. ''; - listenStreams = mkOption { - type = with types; listOf str; + listenStreams = lib.mkOption { + type = with lib.types; listOf str; description = '' TCP sockets to bind to. See . 
@@ -49,8 +46,8 @@ in }; }; - extraArgs = mkOption { - type = with types; listOf str; + extraArgs = lib.mkOption { + type = with lib.types; listOf str; description = "Extra command-line arguments to pass to daemon."; default = [ ]; example = [ "-autotoss" ]; @@ -60,15 +57,14 @@ in }; }; - config = mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) { - + config = lib.mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) { assertions = [{ - assertion = with builtins; + assertion = let callerCongfigured = let neigh = config.programs.nncp.settings.neigh or { }; - in lib.lists.any (x: hasAttr "calls" x && x.calls != [ ]) - (attrValues neigh); + in lib.lists.any (x: lib.hasAttr "calls" x && x.calls != [ ]) + (lib.attrValues neigh); in !callerCfg.enable || callerCongfigured; message = "NNCP caller enabled but call configuration is missing"; }]; @@ -89,7 +85,7 @@ in }; }; - systemd.services."nncp-daemon" = mkIf daemonCfg.enable { + systemd.services."nncp-daemon" = lib.mkIf daemonCfg.enable { enable = !daemonCfg.socketActivation.enable; description = "NNCP TCP syncronization daemon."; documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ]; @@ -106,7 +102,7 @@ in }; }; - systemd.services."nncp-daemon@" = mkIf daemonCfg.socketActivation.enable { + systemd.services."nncp-daemon@" = lib.mkIf daemonCfg.socketActivation.enable { description = "NNCP TCP syncronization daemon."; documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ]; after = [ "network.target" ]; @@ -123,7 +119,7 @@ in }; }; - systemd.sockets.nncp-daemon = mkIf daemonCfg.socketActivation.enable { + systemd.sockets.nncp-daemon = lib.mkIf daemonCfg.socketActivation.enable { inherit (daemonCfg.socketActivation) listenStreams; description = "socket for NNCP TCP syncronization."; conflicts = [ "nncp-daemon.service" ]; diff --git a/modules/plume.nix b/modules/plume.nix index 530c5abd..1a9a0534 100644 --- a/modules/plume.nix +++ b/modules/plume.nix 
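Review bot: In the rewritten assertion, `lib.lists.any (x: lib.hasAttr "calls" x && x.calls != [ ])` reads more naturally with a default instead of an explicit attribute test: `lib.lists.any (x: (x.calls or [ ]) != [ ])`, which is equivalent because `or` binds tighter than `!=`. The `callerCongfigured` binding name and the `synronization`/`syncronization` spellings in the `description` strings are unchanged context, but the descriptions are user-visible in option docs and could be corrected while this file is being touched. The `config = lib.mkIf ...` block this hunk opens continues past the hunk.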
@@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: let - inherit (pkgs) plume; cfg = config.services.plume; in { @@ -33,7 +32,7 @@ in ids.uids.plume = 499; users.users.${cfg.user} = { uid = config.ids.uids.plume; - group = cfg.group; + inherit (cfg) group; home = "/var/lib/plume"; }; users.groups.${cfg.group} = {}; @@ -52,11 +51,11 @@ in after = [ "postgresql.service" ]; requires = [ "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; - path = [ plume ]; + path = [ pkgs.plume ]; script = '' ln -sf ${cfg.envFile} .env mkdir -p static/media - for f in ${plume}/share/plume/static/*; do + for f in ${pkgs.plume}/share/plume/static/*; do n=$(basename "$f") if [ "$n" != media ]; then rm -f "static/$n" @@ -79,7 +78,7 @@ in #! ${pkgs.runtimeShell} -e plm() { - sudo -u ${config.services.plume.user} -- ${plume}/bin/plm $@ + sudo -u ${config.services.plume.user} -- ${pkgs.plume}/bin/plm $@ } plm migration run diff --git a/modules/rpi-netboot.nix b/modules/rpi-netboot.nix index 8de21ce2..3c0782ac 100644 --- a/modules/rpi-netboot.nix +++ b/modules/rpi-netboot.nix @@ -1,4 +1,4 @@ -{ hostRegistry, config, pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { boot = { loader.generic-extlinux-compatible.enable = false; diff --git a/overlays/bmxd.nix b/overlays/bmxd.nix index f5741fa5..8a4e9324 100644 --- a/overlays/bmxd.nix +++ b/overlays/bmxd.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchgit, fetchpatch, }: +{ stdenv, fetchgit }: stdenv.mkDerivation { pname = "bmxd"; diff --git a/overlays/plume/default.nix b/overlays/plume/default.nix index ad4ce17c..70149ff7 100644 --- a/overlays/plume/default.nix +++ b/overlays/plume/default.nix @@ -1,6 +1,5 @@ { naersk , fenix -, curl , nodejs , rustPlatform , stdenv @@ -137,7 +136,7 @@ let "--package=plume-front" ]; copyLibs = true; - overrideMain = oa: { + overrideMain = _: { buildPhase = '' wasm-pack build --mode no-install --target web --release plume-front ''; diff --git a/packages.nix b/packages.nix index 83f9d90b..7ffdf033 100644 --- a/packages.nix 
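Review bot: The changed `sudo -u ${config.services.plume.user} -- ${pkgs.plume}/bin/plm $@` line passes the wrapper's arguments unquoted, so any argument containing whitespace or glob characters is re-split by the shell before it reaches `plm`; use `"$@"`. The wrapper runs under `#! ${pkgs.runtimeShell} -e`, so a failing `plm` already aborts it, which is the right default here. The script this line belongs to starts and ends outside the hunk.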
+++ b/packages.nix @@ -5,12 +5,7 @@ let let hostConf = hostRegistry.hosts."${name}"; in - if hostConf ? ip4 - then hostConf.ip4 - else if hostConf ? ip6 - then hostConf.ip6 - else throw "Host ${name} has no ip4 or ip6 address"; - + hostConf.ip4 or (hostConf.ip6 or (throw "Host ${name} has no ip4 or ip6 address")); # all the input flakes for `nix copy` to the build machine, # allowing --override-input @@ -309,10 +304,7 @@ lib.attrsets.mapAttrs ]; }).config.microvm.declaredRunner; - "${host}-tftproot" = - if config.system.build ? tftproot - then config.system.build.tftproot - else lib.trace "No tftproot for ${host}" null; + "${host}-tftproot" = config.system.build.tftproot or (lib.trace "No tftproot for ${host}" null); } ) { } From b467bb4e742653c66aaf568851a5b9739e61e33d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 04:58:36 +0100 Subject: [PATCH 167/247] Generate simd variants of each host, delete unused module --- flake.nix | 22 +++++-- hosts/hydra/hydra.nix | 2 + hosts/server10/default.nix | 1 + hosts/server8/default.nix | 20 +++--- hosts/server9/default.nix | 28 ++++++--- modules/c3d2.nix | 12 ++++ modules/default.nix | 121 ------------------------------------- modules/microvm.nix | 9 +++ 8 files changed, 71 insertions(+), 144 deletions(-) delete mode 100644 modules/default.nix diff --git a/flake.nix b/flake.nix index 3d32b924..08e39c37 100644 --- a/flake.nix +++ b/flake.nix 
@@ -756,11 +756,23 @@ ) sops-nix.packages; hydraJobs = - builtins.mapAttrs (_: nixos.lib.hydraJob) ( - builtins.mapAttrs (_: nixosSystem: - if nixosSystem.config ? microvm.declaredRunner - then nixosSystem.config.microvm.declaredRunner - else nixosSystem.config.system.build.toplevel + lib.mapAttrs (_: nixos.lib.hydraJob) ( + lib.mapAttrs (_: nixosSystem: + nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel + ) self.nixosConfigurations + // lib.mapAttrs' (hostname: nixosSystem: lib.nameValuePair + (hostname + "-simd") + (nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel hostname + (nixosSystem (nixosSystem.args // (with nixosSystem.args; { + hostname = hostname + "-simd"; + modules = modules ++ [ + { + sandro.simd.enable = lib.mkForce true; + } + ]; + inherit (inputs) nixpkgs; + }))) + ) ) self.nixosConfigurations // nixos.lib.filterAttrs (name: attr: (lib.match ".+-tftproot" name != null && lib.isDerivation attr) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 77f5e8e4..6c09b5cd 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -80,6 +80,8 @@ in }; }; + c3d2.simd.arch = "ivybridge"; + services = { hydra = { enable = true; diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix index a16d803e..7cc2d455 100644 --- a/hosts/server10/default.nix +++ b/hosts/server10/default.nix @@ -9,6 +9,7 @@ c3d2 = { deployment.microvmBaseZfsDataset = "server10/vm"; hq.statistics.enable = true; + simd.arch = "ivybridge"; }; boot = { diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix index a8bb6654..4a89b78b 100644 --- a/hosts/server8/default.nix +++ b/hosts/server8/default.nix @@ -5,6 +5,11 @@ ./hardware-configuration.nix ]; + c3d2 = { + # deployment.microvmBaseZfsDataset = "tank/storage"; + hq.statistics.enable = true; + simd.arch = "westmere"; + }; boot = { loader.grub = { 
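Review bot: The new `-simd` entry in `hydraJobs` does not evaluate as written: `nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel hostname (nixosSystem ...)` applies the fallback derivation to further arguments, the `nixosSystem'` helper in use at this point of the series (visible in the removed lines of PATCH 170/247) attaches no `args` attribute for `nixosSystem.args` to read, and the forced option is spelled `sandro.simd.enable` while this same commit declares it as `c3d2.simd.enable` in modules/c3d2.nix. PATCH 170/247 later rewrites the expression, so the fix is known; if this commit is meant to stand on its own it should at least use the option path it defines, `c3d2.simd.enable = lib.mkForce true;`. The server8 hunk sharing this line is a plain reordering and needs no change.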
@@ -28,15 +33,14 @@ hostName = "server8"; hostId = "08080808"; }; - system.stateVersion = "22.11"; - services.openssh.enable = true; - services.zfs.autoScrub.enable = true; - services.smartd.enable = true; - - c3d2 = { - # deployment.microvmBaseZfsDataset = "tank/storage"; - hq.statistics.enable = true; + services = { + openssh.enable = true; + smartd.enable = true; + zfs.autoScrub.enable = true; }; + skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3"; + + system.stateVersion = "22.11"; } diff --git a/hosts/server9/default.nix b/hosts/server9/default.nix index 1f28e789..ea23cbbe 100644 --- a/hosts/server9/default.nix +++ b/hosts/server9/default.nix @@ -4,7 +4,14 @@ _: imports = [ ./hardware-configuration.nix ]; - boot= { + + c3d2 = { + deployment.microvmBaseZfsDataset = "tank/storage"; + hq.statistics.enable = true; + simd.arch = "westmere"; + }; + + boot = { loader.grub = { enable = true; version = 2; @@ -25,23 +32,24 @@ _: hostName = "server9"; hostId = "09090909"; }; - system.stateVersion = "21.11"; - services.openssh.enable = true; - services.zfs.autoScrub.enable = true; - services.smartd.enable = true; + # required by libvirtd + security.polkit.enable = true; - c3d2 = { - deployment.microvmBaseZfsDataset = "tank/storage"; - hq.statistics.enable = true; + services = { + openssh.enable = true; + smartd.enable = true; + zfs.autoScrub.enable = true; }; + skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3"; + system.stateVersion = "21.11"; + # XXX: enable for zw-ev and poelzi-ha until we find a better solution virtualisation.libvirtd = { enable = true; onShutdown = "shutdown"; }; - # required by libvirtd - security.polkit.enable = true; + } diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 60d6f2f2..3e27722d 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix 
@@ -157,6 +157,18 @@ in }; }; + simd = { + enable = lib.mkEnableOption "optimized builds with simd instructions"; + arch = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + description = '' + Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features. + Can be determined with: gcc -march=native -Q --help=target | grep march + ''; + }; + }; + users = mkOption { type = types.attrsOf (types.submodule { options.sshKeys = mkOption { diff --git a/modules/default.nix b/modules/default.nix deleted file mode 100644 index 4cae18bd..00000000 --- a/modules/default.nix +++ /dev/null 
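Review bot: `c3d2.simd.enable` and `c3d2.simd.arch` are declared here, but no hunk in this commit contains a `config` block that reads them, and `arch` can stay `null` while `enable` is forced to `true` from `hydraJobs`; an assertion in the module's `config` section, e.g. `{ assertion = cfg.simd.enable -> cfg.simd.arch != null; message = "c3d2.simd.arch must be set when c3d2.simd.enable is on"; }`, would turn that into an evaluation error instead of a silent no-op. The modules/microvm.nix hunk of the same commit sets `c3d2.simd.arch = arch-to-host.${config.c3d2.deployment.server};` unconditionally: the lookup throws for any `deployment.server` other than `server9`, `server10` or `nomad`, and a bare assignment would conflict with any microvm host that also sets `simd.arch` itself, so `lib.mkDefault (arch-to-host.${config.c3d2.deployment.server} or null)` is safer. The name `arch-to-host` also reads backwards for a host→arch map. The `users = mkOption` option that follows is outside the hunk.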
@@ -1,121 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - # TODO: move to flake - nixcloud-webservices = pkgs.fetchFromGitHub { - owner = "nixcloud"; - repo = "nixcloud-webservices"; - rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; - sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; - }; - inherit (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }) nixcloud; - - profilesDir = "/nix/var/nix/profiles/lxc"; - inherit (config.lxc) containers; - inherit (config.nix) nixPath; - - toLxcConfig' = path: a: - if builtins.isString a then '' - ${path} = ${a} - '' else if builtins.isInt a then '' - ${path} = ${toString a} - '' else if builtins.isAttrs a then - lib.concatMapStrings (name: - let path' = if path == "" then name else "${path}.${name}"; - in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a) - else if builtins.isList a then - lib.concatMapStrings (toLxcConfig' path) a - else - throw "Invalid LXC config value"; - toLxcConfig = toLxcConfig' ""; -in { - options = with lib.types; { - lxc.containers = mkOption { - type = attrs; - default = { }; - }; - }; - - config = lib.mkIf (containers != { }) { - virtualisation.lxc.enable = true; - environment.systemPackages = [ nixcloud.container ]; - - virtualisation.lxc.defaultConfig = '' - lxc.id_map = u 0 100000 65536 - lxc.id_map = g 0 100000 65536 - ''; - users.users.root.subGidRanges = [{ - count = 65536; - startGid = 100000; - }]; - users.users.root.subUidRanges = [{ - count = 65536; - startUid = 100000; - }]; - - systemd.services = if true then - { } - else - builtins.foldl' (services: name: - let - systemDir = "/${profilesDir}/${name}/system"; - lxcDefaults = { - lxc = { - uts.name = name; - rootfs.path = "/run/current-system/sw/share/lxc/rootfs"; - mount.entry = [ - "${systemDir}/init /init none bind,ro 0 0" - "/nix/store /nix/store none bind,ro 0 0" - ]; - autodev = 1; - include = "/run/current-system/sw/share/lxc/config/common.conf"; - apparmor.profile = "generated"; - environment = 
"TERM=linux"; - }; - }; - config = builtins.getAttr name containers; - lxcConfig = builtins.toFile "lxc-container-${name}.conf" - # TODO: more intelligent merging? - (toLxcConfig (lxcDefaults // config.lxc)); - - builder = { - description = "Build NixOS for lxc container ${name}"; - wants = [ "nix-daemon.socket" ]; - after = [ "nix-daemon.service" ]; - - path = with pkgs; [ coreutils nix ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - Environment = [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ]; - }; - - script = '' - mkdir -p ${profilesDir}/${name} - - nix-env -p ${profilesDir}/${name}/system \ - -I nixos-config=${config.nixos-config} \ - -f '' \ - --set -A system - ''; - }; - starter = { - description = "LXC container ${name}"; - requires = [ "lxc-container-${name}-builder.service" ]; - after = [ "lxc-container-${name}-builder.service" ]; - - path = with pkgs; [ lxc apparmor-parser ]; - - script = '' - mkdir -p /var/lib/lxc/${name} - ln -fs ${lxcConfig} /var/lib/lxc/${name}/config - lxc-start -F -n ${name} - ''; - }; - in services // { - "lxc-container-${name}-builder" = builder; - "lxc-container-${name}" = starter; - }) { } (builtins.attrNames containers); - }; -} diff --git a/modules/microvm.nix b/modules/microvm.nix index fad57689..b93b6d2a 100644 --- a/modules/microvm.nix +++ b/modules/microvm.nix @@ -1,4 +1,5 @@ { zentralwerk, options, config, lib, pkgs, ... }: + let defaultGateways = { serv = "serv-gw"; @@ -26,6 +27,12 @@ let ) hosts6 != {} ) zentralwerk.lib.config.site.net ); + + arch-to-host = rec { + server9 = "westmere"; + server10 = "ivybridge"; + nomad = server9; + }; in { options.c3d2.deployment = with lib; { @@ -157,6 +164,8 @@ in }) {} nets; }; + c3d2.simd.arch = arch-to-host.${config.c3d2.deployment.server}; + system.build = with pkgs; { copyToServer = writeScript "copy-to-${server}" '' #! ${runtimeShell} -e From 93c283f235be60c2eaa867ddf2fea7890a1d91bf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 09:17:37 +0100 Subject: [PATCH 168/247] Fix eval --- flake.nix | 2 +- packages.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 08e39c37..aa28b820 100644 --- a/flake.nix +++ b/flake.nix @@ -229,7 +229,7 @@ inherit hostRegistry inputs zentralwerk; }; nixpkgs = { - overlays = [ self.overlay ]; + overlays = [ self.overlays ]; }; }) diff --git a/packages.nix b/packages.nix index 7ffdf033..cbd06fcf 100644 --- a/packages.nix +++ b/packages.nix @@ -14,7 +14,7 @@ in lib.attrsets.mapAttrs (system: pkgs: let - overlayPkgs = builtins.intersectAttrs (self.overlay { } { }) pkgs; + overlayPkgs = builtins.intersectAttrs (self.overlays { } { }) pkgs; in overlayPkgs // { From 65107fc07ee0276c1bd01f4b256c65a55695c1d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 11:23:44 +0100 Subject: [PATCH 169/247] Fix eval --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index aa28b820..df218a3e 100644 --- a/flake.nix +++ b/flake.nix @@ -775,7 +775,7 @@ ) ) self.nixosConfigurations // nixos.lib.filterAttrs (name: attr: - (lib.match ".+-tftproot" name != null && lib.isDerivation attr) + (builtins.match ".+-tftproot" name != null && lib.isDerivation attr) ) self.packages.aarch64-linux ); }; From cc63c41ba07bf75a6189e5a3447c9fa3d2d07acd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 20:53:20 +0100 Subject: [PATCH 170/247] Fix simd jobs --- flake.lock | 51 ++++++++++++++++++++---------- flake.nix | 92 +++++++++++++++++++++++++++++------------------------- 2 files changed, 83 insertions(+), 60 deletions(-) diff --git a/flake.lock b/flake.lock index 47802ec9..93798775 100644 --- a/flake.lock +++ b/flake.lock 
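Review bot: Renaming `self.overlay` to `self.overlays` keeps a single overlay function under the output name that the flake schema reserves for an attribute set of overlays (`overlays.<name>`), so `nix flake check` and consumers expecting `overlays.default` will presumably trip over it, and `self.overlays { } { }` in packages.nix only works because the value is still a bare function. Exposing it as `overlays.default = import ./overlays { ... };` and referencing `self.overlays.default` in both places fixes the evaluation the same way while matching the schema. The `builtins.match` change in PATCH 169/247 is fine as is.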
@@ -378,6 +378,22 @@ "type": "github" } }, + "nixos-mobilizon": { + "locked": { + "lastModified": 1664466500, + "narHash": "sha256-FvEUAKkf0PDZ2j2qIbI4+3oPTnuQq4HdX00iqBkvKOU=", + "owner": "minijackson", + "repo": "nixpkgs", + "rev": "8a43afd5579f58092d4bf616a0206f83d8062e1f", + "type": "github" + }, + "original": { + "owner": "minijackson", + "ref": "init-mobilizon", + "repo": "nixpkgs", + "type": "github" + } + }, "nixos-unstable": { "locked": { "lastModified": 1669542132, @@ -394,6 +410,22 @@ "type": "github" } }, + "nixos-unstable-simd": { + "locked": { + "lastModified": 1670178567, + "narHash": "sha256-mTUbgiMxtXRg0VL0518HlZhF/CSYUJmBuZnNkc1mlaU=", + "owner": "SuperSandro2000", + "repo": "nixpkgs", + "rev": "9f915b466b047207d391a8b651f2949cc528e1b6", + "type": "github" + }, + "original": { + "owner": "SuperSandro2000", + "ref": "nixos-unstable-simd", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1663264531, @@ -408,22 +440,6 @@ "type": "indirect" } }, - "nixpkgs-mobilizon": { - "locked": { - "lastModified": 1664466500, - "narHash": "sha256-FvEUAKkf0PDZ2j2qIbI4+3oPTnuQq4HdX00iqBkvKOU=", - "owner": "minijackson", - "repo": "nixpkgs", - "rev": "8a43afd5579f58092d4bf616a0206f83d8062e1f", - "type": "github" - }, - "original": { - "owner": "minijackson", - "ref": "init-mobilizon", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, @@ -523,8 +539,9 @@ "naersk": "naersk_2", "nixos": "nixos", "nixos-hardware": "nixos-hardware", + "nixos-mobilizon": "nixos-mobilizon", "nixos-unstable": "nixos-unstable", - "nixpkgs-mobilizon": "nixpkgs-mobilizon", + "nixos-unstable-simd": "nixos-unstable-simd", "oparl-scraper": "oparl-scraper", "openwrt": "openwrt", "openwrt-imagebuilder": "openwrt-imagebuilder", diff --git a/flake.nix b/flake.nix index df218a3e..354a9d1f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,9 +4,10 @@ inputs = { # use sandro's fork full with cherry-picked fixes nixos.url = "github:SuperSandro2000/nixpkgs/nixos-22.11"; - nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon"; - nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon"; nixos-hardware.url = "github:nixos/nixos-hardware"; + nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-unstable-simd.url = "github:SuperSandro2000/nixpkgs/nixos-unstable-simd"; affection-src = { url = "git+https://gitea.nek0.eu/nek0/affection"; @@ -173,7 +174,7 @@ }; }; - outputs = inputs@{ self, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: + outputs = inputs@{ self, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, nixos-unstable-simd, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: let inherit (nixos) lib; @@ -201,6 +202,37 @@ }; extraHostRegistry.hosts = import ./host-registry.nix; hostRegistry = lib.recursiveUpdate zwHostRegistry extraHostRegistry; + + # Our custom NixOS builder + nixosSystem' = + { nixpkgs ? inputs.nixos + , modules + , extraArgs ? { } + , specialArgs ? { } + , system ? "x86_64-linux" + }@args: + + { inherit args; } // nixpkgs.lib.nixosSystem { + inherit specialArgs system; + + modules = [ + ({ ... }: { + _module.args = extraArgs // { + inherit hostRegistry inputs zentralwerk; + }; + + nixpkgs = { + overlays = [ self.overlays ]; + }; + }) + + self.nixosModules.c3d2 + ./modules/audio-server.nix + ./modules/c3d2.nix + ./modules/stats.nix + ./modules/pi-sensors.nix + ] ++ modules; + }; in { overlays = import ./overlays { inherit nixos-unstable; 
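Review bot: `nixos-unstable-simd.url = "github:SuperSandro2000/nixpkgs/nixos-unstable-simd";` adds a second nixpkgs tree that tracks a branch of a personal fork rather than upstream; flake.lock pins the rev and narHash so builds stay reproducible, but every `nix flake update` follows wherever that branch head moves, and nothing in the repository records what the branch carries relative to upstream. A short comment above the input naming its upstream base and extra patches (as the `nixos` input has with `# use sandro's fork ...`), or pinning the URL to a rev, keeps the provenance of everything built from it reviewable. The `nixosSystem'` hunk sharing this line only moves the helper and wraps its result with `{ inherit args; }`, which is what the later `hydraJobs` change relies on.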
@@ -216,31 +248,7 @@ packages = import ./packages.nix { inherit hostRegistry inputs lib microvm secrets self; }; - nixosConfigurations = let - nixosSystem' = - # Our custom NixOS builder - { nixpkgs ? inputs.nixos, modules, extraArgs ? {}, specialArgs ? { }, system ? "x86_64-linux" }: - nixpkgs.lib.nixosSystem { - inherit specialArgs system; - - modules = [ - ({ ... }: { - _module.args = extraArgs // { - inherit hostRegistry inputs zentralwerk; - }; - nixpkgs = { - overlays = [ self.overlays ]; - }; - }) - - self.nixosModules.c3d2 - ./modules/audio-server.nix - ./modules/c3d2.nix - ./modules/stats.nix - ./modules/pi-sensors.nix - ] ++ modules; - }; - in { + nixosConfigurations = { auth = nixosSystem' { modules = [ self.nixosModules.microvm @@ -501,7 +509,7 @@ mobilizon = nixosSystem' { # TODO: pending https://github.com/NixOS/nixpkgs/pull/119132 - nixpkgs = inputs.nixpkgs-mobilizon; + nixpkgs = inputs.nixos-mobilizon; modules = [ self.nixosModules.microvm ./hosts/mobilizon 
@@ -757,22 +765,20 @@ hydraJobs = lib.mapAttrs (_: nixos.lib.hydraJob) ( - lib.mapAttrs (_: nixosSystem: - nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel - ) self.nixosConfigurations + let + getBuildEntryPoint = _: nixosSystem: nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel; + in + lib.mapAttrs getBuildEntryPoint self.nixosConfigurations // lib.mapAttrs' (hostname: nixosSystem: lib.nameValuePair (hostname + "-simd") - (nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel hostname - (nixosSystem (nixosSystem.args // (with nixosSystem.args; { - hostname = hostname + "-simd"; - modules = modules ++ [ - { - sandro.simd.enable = lib.mkForce true; - } - ]; - inherit (inputs) nixpkgs; - }))) - ) + (getBuildEntryPoint null (nixosSystem' (nixosSystem.args // (with nixosSystem.args; { + modules = modules ++ [ + { + c3d2.simd.enable = lib.mkForce true; + } + ]; + nixpkgs = nixos-unstable-simd; + })))) ) self.nixosConfigurations // nixos.lib.filterAttrs (name: attr: (builtins.match ".+-tftproot" name != null && lib.isDerivation attr) From 1ef51c1d32fdea772913ff239323fd8082a5d820 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 4 Dec 2022 21:32:16 +0100 Subject: [PATCH 171/247] modules/cluster/deployment: make microvm.hypervisor configurable as requested by marenz --- modules/cluster/deployment-options.nix | 10 ++++++++++ modules/cluster/deployment.nix | 3 +-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index c7ee785a..2d0379ba 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix 
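Review bot: The `-simd` jobs set `nixpkgs = nixos-unstable-simd` for every entry of `self.nixosConfigurations`, including hosts whose own `args` pin a different input (mobilizon sets `nixpkgs = inputs.nixos-mobilizon;` in the nixosConfigurations hunk above), so those simd variants are evaluated against a package set the host was never meant to run. If that is intended, a comment on the `nixpkgs = nixos-unstable-simd;` line saying so would help; if not, skipping entries whose `args` already choose a nixpkgs, e.g. `lib.filterAttrs (_: s: !(s.args ? nixpkgs)) self.nixosConfigurations` as the input to `lib.mapAttrs'`, keeps the variants faithful. The `hydraJobs` expression continues past the end of the hunk.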
@@ -10,6 +10,16 @@ type = types.int; default = 512; }; + hypervisor = mkOption { + type = types.enum [ + "qemu" + "cloud-hypervisor" + "firecracker" + "crosvm" + "kvmtool" + ]; + default = "cloud-hypervisor"; + }; networks = mkOption { type = with types; listOf str; default = builtins.attrNames ( diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index ceedabd0..6e77fea5 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix @@ -30,8 +30,7 @@ let in { microvm = { - hypervisor = "cloud-hypervisor"; - inherit (config.deployment) mem vcpu; + inherit (config.deployment) mem vcpu hypervisor; preStart = '' # Discard old writable store overlay From 875145884c9e2a4b90c83a0f1b12e21da0fa8510 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 4 Dec 2022 21:42:34 +0100 Subject: [PATCH 172/247] server10: disable microvm-update@staging-data-hoarder.timer for now --- hosts/server10/microvm-staging.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/server10/microvm-staging.nix b/hosts/server10/microvm-staging.nix index 8b93162b..04a3020f 100644 --- a/hosts/server10/microvm-staging.nix +++ b/hosts/server10/microvm-staging.nix @@ -1,9 +1,8 @@ { config, pkgs, ... }: let microvms = { - staging-data-hoarder = { - flakeref = "git+file:///tmp/dvb-nix-config"; - }; + # TODO: BROKEN since 2022-12-03 + # staging-data-hoarder.flakeref = "git+file:///tmp/dvb-nix-config"; }; realizeFlake = with pkgs; "${writeScriptBin "realize-flake" '' From fff8967826650abe12bb98c901ea554c057f579b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 22:04:56 +0100 Subject: [PATCH 173/247] allcolors: fix eval --- overlays/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/default.nix b/overlays/default.nix index c8c7793d..3001a99b 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
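Review bot: The new `hypervisor` option in deployment-options.nix has no `description`, so the rendered options manual and type errors will not say what the enum selects; add `description = "Hypervisor microvm.nix runs this deployment with";` next to the default. The value is passed straight through as `microvm.hypervisor` in the deployment.nix hunk of the same commit, so the description can simply say that.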
@@ -10,7 +10,7 @@ let pkgs-unstable = nixos-unstable.legacyPackages.${prev.system}; in with final; { - allcolors = callPackage ./allcolors.nix; + allcolors = callPackage ./allcolors.nix { }; inherit (bevy-julia.packages.${system}) bevy_julia; inherit (bevy-mandelbrot.packages.${system}) bevy_mandelbrot; From 59c122b82c5af611d95c54c2ecac372742550cf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 22:05:06 +0100 Subject: [PATCH 174/247] Delete old comments --- flake.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/flake.nix b/flake.nix index 354a9d1f..a6fbbfa1 100644 --- a/flake.nix +++ b/flake.nix @@ -254,7 +254,6 @@ self.nixosModules.microvm ./hosts/auth ]; - # nixpkgs = inputs.nixos-unstable; }; broker = nixosSystem' { @@ -296,7 +295,6 @@ self.nixosModules.microvm ./hosts/gitea ]; - # nixpkgs = inputs.nixos-unstable; }; glotzbert = nixosSystem' { @@ -314,7 +312,6 @@ self.nixosModules.microvm ./hosts/hedgedoc ]; - # nixpkgs = inputs.nixos-unstable; }; pulsebert = nixosSystem' { @@ -330,7 +327,6 @@ }; } ]; - # nixpkgs = inputs.nixos-unstable; }; radiobert = nixosSystem' { @@ -448,7 +444,6 @@ self.nixosModules.microvm ./hosts/grafana ]; - # nixpkgs = nixos-unstable; }; hydra = nixosSystem' { @@ -464,7 +459,6 @@ }; } ]; - # nixpkgs = nixos-unstable; }; mucbot = nixosSystem' { From 52161e0aa1c056cb9012c1452e3dce9edfedca4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 4 Dec 2022 22:05:16 +0100 Subject: [PATCH 175/247] backup: compress postgres dumps --- modules/backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/backup.nix b/modules/backup.nix index 2c0585ef..7ac2d3ca 100644 --- a/modules/backup.nix +++ b/modules/backup.nix 
@@ -5,7 +5,7 @@ inherit (config.services.postgresql) enable; backupAll = true; compression = "zstd"; - # compressionLevel = 9; # TODO: only available with 21.11 + compressionLevel = 9; pgdumpOptions = "--create --clean"; startAt = "*-*-* 06:00:00"; }; From 92dc5ba2229d45c17b95af0341df85eb7b8d4eda Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 4 Dec 2022 23:22:21 +0100 Subject: [PATCH 176/247] dacbert: add stream-audio-to-owncast --- hosts/dacbert/default.nix | 39 ++++++++ hosts/dacbert/secrets.yaml | 181 +++++++++++++++++++++++++++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 hosts/dacbert/secrets.yaml diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index cb34dc1d..ec809989 100644 --- a/hosts/dacbert/default.nix +++ b/hosts/dacbert/default.nix @@ -1,5 +1,38 @@ { hostRegistry, config, lib, pkgs, ... }: +let + streamAudioToOwncastScript = pkgs.writeScriptBin "stream-audio-to-owncast" '' + #! ${pkgs.runtimeShell} -e + + PATH=${with pkgs; lib.makeBinPath [ coreutils pavucontrol gnome.zenity ffmpeg ]} + + MOVIE="$(zenity --file-selection --title 'Select a video to loop')" + MOVIE_PREENCODED="/tmp/`basename $MOVIE`.mp4" + + echo + echo Preencoding the movie. Wait a bit... + echo + + ffmpeg -i "$MOVIE" -an -s:v 480x320 -c:v libx264 -b:v 600k -f mp4 -y "$MOVIE_PREENCODED" + + echo + echo "Starting stream. End with " + echo + + pavucontrol & + + ffmpeg -f pulse -ac 2 -i default -stream_loop -1 -i "$MOVIE_PREENCODED" -c:a aac -c:v copy -f flv rtmp://owncast.serv.zentralwerk.org:1935/live/$(cat ${config.sops.secrets."owncast/authKey".path}) + ''; + + streamAudioToOwncast = pkgs.makeDesktopItem rec { + name = "Stream to Owncast"; + exec = "${streamAudioToOwncastScript}/bin/stream-audio-to-owncast"; + icon = "media-record"; + desktopName = name; + terminal = true; + }; + +in { c3d2 = { isInHq = true; 
@@ -20,6 +53,11 @@ } ]; }; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets."owncast/authKey".owner = "k-ot"; + }; + hardware.enableRedistributableFirmware = true; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; @@ -131,6 +169,7 @@ bevy_julia bevy_mandelbrot allcolors + streamAudioToOwncast ]; }; diff --git a/hosts/dacbert/secrets.yaml b/hosts/dacbert/secrets.yaml new file mode 100644 index 00000000..96a25e5f --- /dev/null +++ b/hosts/dacbert/secrets.yaml 
@@ -0,0 +1,181 @@ +owncast: + authKey: ENC[AES256_GCM,data:Q0Zx9g==,iv:3RB7efC9t6SXEP4/yR5Or/f3GN820RiApqTJC0G5zaw=,tag:UaiJAdGefjuwVd3gGwTXTg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ1l6MkNscFl3b0FReENC + cFozbUE4clBFSXlmSEtKaWFLV0I1aVFNVUg0ClhTTld1TkxsSWxWcDV1T2F6M0Ex + cHNGZnprMlljc1dBcG1iWEs5WTZGaFEKLS0tIHNrVk5uTDRwUlVkSVZxT0txUmxO + L0pDVlhTa0QyRWc5MHQ0dEJBOE1DMlkKXT0txgyo3DPYni8QKoZQqcmZckrKOehx + UJcHM6O7gwJ1cglkByFcAwhmMB+cPerUqsxoLt7RplILr2bET2gyyg== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OTFkbXNxWEYzZVZ0ZDlS + ak1VYlBzaThma3ZjaGVwZlNuaThXTHJFL2xjCkRMREdKdG9CTUNDZUZDY213cndI + ZVFBdEVVbDdwVUdyYzE0d3JVcHB0RnMKLS0tIFFvbVhsR1VKbWhQTzJsUXIzRzNI + K3I1KzNqT2RqL2I4alkrVGlBUWJjQjQKE8Icz22zUmZRlPLGBSVYK2O98jWTtsO2 + sgEx3ZDqJi47bCqUKMhPz55TpIKsCx/bAAQ+qfV8g7DaoSz9UMk+/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-04T21:39:27Z" + mac: ENC[AES256_GCM,data:PQtTAEXBgp6MuPl5+6SE/zaOuYGvDRpl0w9XYgUJJHhDqiIEQfcAYIUEKv+Dvtxj94TQZ3v2kjT4Y3FF0ROYIcN8H1K1PtVXRLu+vptr2+wZ1Mahg6K4Ukk1s0eiBB3vsGrMONqaky5Jqy4My3+0NMnBuIvlqErpoUT3Gin37do=,iv:RUTAvD/hczbaX7w7ROPQZNII3kTRnEBG6aMMkTHuV/M=,tag:XLgfZnnDM1ffv6uBLYJXmg==,type:str] + pgp: + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6j84+xkv3y7ARAAvea1x4I5nwUVUI5DHoflHivlVRauxetPBZoLIyfNklX3 + oO2euRsEC66ZtuqDzSSoHpUM5NIdDPPgNf0sw6YJnbRH8F88ghNE87NXyevlvGnA + 8IFOokn7ASjPk2DYLlh8xtZ+T7ZgAhIgv0lnZLa36n5h0tSL4t0OdGAnwWa9j9Mj + 2gWGKymunpXMjRqEj/PGEuXEDRCdwpvmwi+8YKrh4D9dB67tepAA28MofSfJ5295 + Sfyer+Hh41zPgYI2WeBRTS9Rn8Ea98Y5eWQsXIivG7+CnKl+uu53nzZevRJDk5NS + 
0qRsyIxeJvmX0fqLgHD1jZJ/UGeUoiRNNkifN9DVIikDj8coAyVCb3ebbQWs63nn + NL26fuONgZtfqF6DuIoFpGS+klQscWdmYQ729EIEvxzBo8jeSPnwf2ySyt8gA0J4 + Y5lxnwoPl4b6nT4TAHSQ65HWxq2y2+KUT4oE3PrN883N5702Qlr6MxN3tFJ/V98x + 7OyA9UjgkkHuFl7EnumkUOix3BqnBk5za4ABhWvYfBtm0nVVAnesEcjsIeT4ihJx + 5lhi/CiNPth+PhsIDaqA2QVU2sjswgmOK3KbQcpktAROFoXTDayr2t4QNZUTmbWF + vwHxNIZ1CndzaPgl5WI4QJDerWErEPKVxf65HxrLtWft4MyhfevSfH63C0TO4YDS + UQHKQhF01t0ZXKPLnQDGAwZijyA7GD493Sr6pFMzenSipvwybvNEnfDOZuc7AU9b + 4oXevCzGjpaub33hqorp1bcygwgl0aA1H3YvleyHBg5Mgw== + =sPOS + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8zMZ+ak7y/zARAAuhnyVNytAgqL03jN9rXwwHuqgaqQ4SdjM7kTLe4WVCXJ + PwLtPoNNjlFqRKufXPQQuOBx2FMJl1yUQsI4P7OiWGak6/0f41U0bLFczTTGRgTh + vmEHwRtRGQAsWi5g+KqP0zAoiZNiBdk7s4THcA24tBBGViRtLS+swhV2SRvTT0NA + pLsOB/GpA94kEjfHhZ1RunKBMIxDKYaQvXUFlEPSkv/Q6ek8Tc3wgPMUp5wiN+cz + q628/KNM78nWCEyV0rQ3YAccnC6h1Wb6cHCOKE6jJJTfwm503tzZv1klQUkKrP0j + BvgFGIdn76XTER47A3sPweDbnHV8Z0qxnJ4z6YGN5zYW4HVAOWCSvI1OvM1q9oIj + SiwXVUIuhhGj1kb3LPstSWJvPmJR0bgmO4xSMYpB2d71iRTL7S82p9aWk3/Zzcr7 + DNYWFxs0r7s0L0xJCDma0fM6krGof/ZcCdo1eRgSJZWbPrGL8ips++9/Fm0/xgzf + A8CxWpnWRE6S3dBRQZNfHOn9OyHJGKNVR85mF/gPI14viYmr9iJ4gqDzLcZF27V6 + uasJrcnaKkSL8fBah4UiT3lRfNqX24HXZnDMhTHwJD1RQHn4qvmE+FiB4m8SEYS0 + TCLTCxuWZV0p9MtzQbNyadmpCxb5JL2EugKaal2pW2cxhMuUryV8axj7QhD2UJ/S + UQE421UkjynmGgjRa8jYiS4sFYlrbNsHLAtRlinRyNya2je8vyOZNekQl59sVYA3 + mb7bgu0XN1Y3cZtKAxughzSpkLjSGCR9GebNawKdUUcsPg== + =VokK + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA45bZkLXmBFpAQf/XjbniHgbytyURYZ3qFCzijhLi7e99Q2jdsOQTQG4sOoE + jpPlOP4yU6lGjnYfQVYqH7CgyquqGrSB3M4ZHxUR2916xveG8vjWDUhURGWAUXwk + ho5dGm+HZGMJdETCmmCTALqxlrv/TgrUiUfSn1C9MKloR4PxYDFqupk9Bl5RyvQT + xdcIzVM6/7+xCasBErKoIQ3YoPKlxNWkr73S4Y/jhEVVaxEZWHoyCtK7SRDA4GOi + 
nIO2TMQ/eCbnrHbftwUsZNkeP1bee3+U7wiPOXOozftLrA2FYuT+SmCOK1/xaqHT + n4WwcPamFNqWqWMGyVNQd/rR0/Ry+hDYbY4jzm2+vtJRAXNtZLLw5BmnAbpZ0PY5 + eBUYkDMJ81ua+I9fJIzg0WtbLTBWeIo50v6SrrUuCXdBbtvtsvMBPHuGDdwoqM61 + kJoAZV8D9JDznjOnn0wUlFtF + =55R4 + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwMCBBrc/JA6AQ/+Ksp81JefhSw9XHfgtutZRbx/yhPi+OX2mMDNPjPpNykT + zSMVuZWA2Io/RxmVCOrEcJi1hHGZ989tZS8vPWyB+ddnnCx1h78PabJh0d/jqUN3 + XTKli26QtGKvMPioVg89NQjD0pTqoHc6tTXdOP1XSS7R6lZCxz4hTn39jPwrhSgA + z5GocHUfTWoSYoG5GV8jsKrWNUqd6HwoKlucTku64SvquJQ8Ld+VeiwAbcxXtPAa + QuQ3cXkerYen5l86Hp8NkyqOub+DW5fgPfC5LqBdEhjp3tH0HUHsK9CWHv+3tQ+l + fDpmGt3RVQ5X5NJM1QKJeVkX33HI3ntqnhThnVbC6R1FBASaabQzyekdHpu1JWxM + YP5gh04+VZm0qdoPMgPin1aSKvNBCzyQqNK4f7/iwz/beX5V3wnq7G2hsfDQCzBt + W0y0bv7q0ToWlXmj/A2dytxHb0bWIRsbXU2p2Szl/ccoLDZYH5Mz/ZKrKH5xtD9Z + z4hq6p8WO2dAe2dkN48Bd8xbddNUs0Xem73T9FoHNKIcWMP/CA7Ir7p0agnYs7id + Dni/BB5bm6XIwqpwOPG2TqNl051MSVDLXB1ia88Z5WvRL+EYdm4o0xGzL1fPPxWX + S85Y0pe8QGxd8qikPHlHmFc0TLB05yN3LT17+CC1T3zjlNff0uMdFgiioLJHwz7S + UQGMPRKXvg1RZiU1GUfaXG/PFH/KAouKx+m97iCRzg2SNULNakq0tvWIV4Fp19yn + DpQs+g2eq7KYwW/udKzDpGOM2/IDY/s07YCipn48XEfaDw== + =7TJ4 + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9XEenRNYVGHARAAkzr6nZaSnq88e+JHXvkKGBqxduAfWFlGvXYrp/2e1tyy + BCpiMCXrzoend43/Kz5pTCjV3KvcYOl22OYJMi2mYObsJKoi1ftInL5mc6NPMU/O + ixJncQ8NBa3lv3HGO1j9xETLLTt3220gUc4CKo65YkaIsJYumw2oCAbFhCdZy17g + qlzjFRy8VfWad48nAezymnfGFdTWKThxGzvOJLo5Jm98UIt2lC5T7vZjEwQSsjra + EnF/I6sAeT9kEVg17m2CEFK5LVb/4GtSr/rXFUDbihO3OVYRbdGk/7y4lo55pRi2 + daZcwUFCqdj83QUUYimYpXQWhgyBSgIWCK7vb6Sr0rO7j0poqncpm3gX3dlIzmDk + bK8N+Heb7u7kZ24+p96jabgEBphLgPepE2fMoXFpnZ2P2e8QgiA8b/5Rqq2KomYD + 4hbqUmSTpG1j+77+l5LMkbg/ugzRd3VviJO5dKsNvaUsKz7e5NNRV3mvtgaakP1s + 
ygQ3DBnJibKiR2QR6pJRvLAlNTy/bguKCZI8DCMO7SWlRuatBujV3htlG2AgzrKp + KLRSU4HuoyZXiOsqNA4tVH4ZklzXzhNAELt30+yYNJbS8evcd3ZZZnfsaZmr3jWE + jK2vXo+FUkbJHQrCLCHymURH+TijvvOgCYSYTmzvn7R+4Esfs+abrWugoXLwoznS + UQGIyCN+1XfmWTkHiiygdNWRb4HdB8OTTe75rsPnTJSmKbYhafE/Iqhf9rDEPNUk + e5l1I1sgwYq/bR2FKd1iWAfZlqa39dOi/C/tBD2KnuISOA== + =Ut63 + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf9GF9yX0w0OwL251Ex76j3k3MF1Q0qOfgjsDBY3Ow56VO+ + KhJ0Ugn0beKoYZrVn2ezvJZaNa7YAPry/oomul/Kvv3rTZDh2bs4lBu8qrjznj+m + bdX+dtKr3znJkkqqQkA+DF8bQ9DoZxDDz7FNQSuZocn+TpMn253cl0vBi7gyxxpb + Rfch55vZrhpGU2+QfH9euqSv8k3fOMbMEwVHL82uGybxN7a2fe/BtRwuyeSRjyGl + q1L4FrF1w1aUDp4M7bK+3eo2WpqCH9UxgLu74DW6SdVM3MV0B/IUXRU1rEqV4vja + bLMxnJ6xsByKsOVUP2ivalTnLyrtZPOcJ1wDe2SCKdJRAaegKPecQEqIuGuWBlng + t/W+RD/P0CqtDvly/2ALLZtAmyvXloCOtrMWkz/bnGpoqOlNL609FkY05RY3Quvm + C2OTSTvQ//MP7BPV99syTVTo + =xgMp + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ//c9HmDg63M7yWpeVOx7Eha/QVzPtXyJ7/G9dJrGltLbUj + B8xn/BeDT+ARVDRFnGJS053RxHJz5WqCIdcEQTZlD4GHp3Ez7vtXPEUJNymTmug7 + VrCX4GhNjKdb55SlTkoeAbxdlUfyPUIhaLcdQ8pzHqyurcpRs8ZuYoSENbNoAbYY + NZbNJZoKJTc2vmI2zrO1HtVNc8HZYtnN5dawvlCn66Q3lhNLZ1wR4AFmmKvKgKIR + XFAjbsoEUDlYNBDw+yv8jkB179+wa6pLAhIaJ8NM2asimUz7GWxDumgesNbacTR0 + ZJXrQWyuHruQ1FbZdVJ3+Ko2S2JnAiN7Ezmauqo3IQGt++ZXNOC5dl/FusY25TQ9 + lpAW+klKkIqMfIZU0WsWWufhgv6cI8HqPY9z5TalSrGB5zyJeW2bnU2/ZAr5yNH8 + /rOJVVF/1c4xkEqE0/Coy2ZqbE1IOTq5aiqaMuZIToSn+ftvg2KIxkdEvQ8gVigU + uZfnZ4HN0FQqJ2/9BHHFlhW8CdWdffTk8m2GEdfyjH+WIPCoRyvbf7RWAad8NFni + RHTf8+Uee5R2hth82UO0wSlMrLrQwdS7ju6ctpag1gm2YxEHRZBs6hnD8Ade//xR + RFkmcW5BICAPbBmJM4o1HSUjYqGhk46xU7y3UVNs4R144DtqEAMwjWE7U/IsvRTS + UQF2/UFLDd/LgVHt1uVhpzuWl5ot97FU6HIPSYrlkOPAzI49VQ0H+tLlywMbgjcD + 0HoNDhCDgzTzp2/loq3wECS93QAx6L9+zHpUz+2db9LBFw== + 
=356k + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-12-04T21:39:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJAQ/8CFz+BjJA03Sgq6TeYzycAjdSFi3mTZ50L/sGvj2B5WBQ + WnVwA7tWSSQGmt91XZwSNgf7PTCgm3v6zMTHnYN5WMwk9vaDL/WIGbqD1LZw4zgK + fD+Lm/Yc/0vPrEahL9irCb9jrolWGagdPzQYqRLReD1aB5NnYp96FuELm6RF2YC9 + AU6ZxrtrQkEZ61SsAP9ODTruRmCtmtpbJYweN1CmkatMj8yIu4I/Y939T5lx8V8F + ZgT89f/p795/2uFWJ4HpZk0Rkq78RJCO8HytKEw1CVS55P49PnjKKxqzyESZCaVU + bLI5MKUQowBSmgoHZWd+B4DO/7+4sgu30A4CuldZR2SZOqW+FwdEAuwdK8HrG9G8 + d0gzujb4Iq7PtqbAMErr7h73hTXdBeFrUG8z5mgWmeEhP9o0Zlx/oXGpi2JOJYBb + VySPDLQxWBV65XpM0Qb8zxsKYAIrouy8YmbbrbNX8nzG/KLgUaNJcj3PYp3WI/cs + 4MkBc2nh4s6OLGJ7YP5AoCayPSuFwsJ/+WZ+neQ6X1gkgSFtYmb/LoTSU4w35xPi + rbDwqxf2Lg1MbPP+hhW/Y0fZKVWUcLs9x4EbhS5LlmlKC66mRXgATKozLpivjDOa + kTTIwptGeo02NTIeEegP24AmMvXnvvFzUBZmN57ztCuj/Sckc7ICTMrFV8vo2fXS + UQHWb0zzNY1kk5Ui+kL2exUHdIdGDD8lc2Cpz40Fo6emfIGVlNgCCDK/upnu/Ims + GE35n8h33MapqihsFQpXJ2lNkzuckV/yIRUfRXTkP4miXw== + =RITE + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3 From 870f91a3d1731ebbe19fcfe724d52217c4d1ad0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 5 Dec 2022 01:54:49 +0100 Subject: [PATCH 177/247] Don't hardcode auth ip --- hosts/gitea/default.nix | 8 ++++---- hosts/hedgedoc/default.nix | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index dff1a079..1dd86955 100644 --- a/hosts/gitea/default.nix +++ b/hosts/gitea/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, zentralwerk, ... }: { c3d2 = { 
@@ -12,9 +12,9 @@ networking = { hostName = "gitea"; - hosts = { - "2a00:8180:2c00:282::48" = [ "auth.c3d2.de" ]; - "172.20.73.72" = [ "auth.c3d2.de" ]; + hosts = with zentralwerk.lib.config.site.net.serv; { + ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; + ${hosts4.auth} = [ "auth.c3d2.de" ]; }; firewall.allowedTCPPorts = [ 80 443 2222 ]; }; diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix index c0c7fa30..74525e36 100644 --- a/hosts/hedgedoc/default.nix +++ b/hosts/hedgedoc/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, zentralwerk, ... }: { c3d2 = { @@ -18,9 +18,9 @@ networking = { hostName = "hedgedoc"; - hosts = { - "2a00:8180:2c00:282::48" = [ "auth.c3d2.de" ]; - "172.20.73.72" = [ "auth.c3d2.de" ]; + hosts = with zentralwerk.lib.config.site.net.serv; { + ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; + ${hosts4.auth} = [ "auth.c3d2.de" ]; }; firewall.allowedTCPPorts = [ 80 443 ]; }; From 2a0920904b4376411ac7501f9491ad641b9bc707 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 5 Dec 2022 01:55:19 +0100 Subject: [PATCH 178/247] Fix hydra builder --- hosts/hydra/hydra.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 6c09b5cd..7713df48 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix 
@@ -169,10 +169,12 @@ in # strips features that don't make sense on qemu-user extraPlatformSystemFeatures = builtins.filter makesSenseForQemuUser config.nix.settings.system-features; - in '' + in + # both entries cannot have localhost alone because then hydra would merge them together but we want explictily two to not allow benchmarkts for binfmt emulated arches + '' cat << EOF > ~/machines localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} - - localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - + hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - EOF ''; From 58c4f8bec5100cf6053a9bb1ea1b396293c1c472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 5 Dec 2022 01:57:19 +0100 Subject: [PATCH 179/247] Restrict secrets --- hosts/hydra/hydra.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 7713df48..10b54c9c 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -152,7 +152,11 @@ in sops = { defaultSopsFile = ./secrets.yaml; - secrets."nix-serve/secretKey".mode = "0444"; + secrets."nix-serve/secretKey" = { + mode = "440"; + owner = config.users.users.hydra-queue-runner.name; + inherit (config.users.users.hydra-queue-runner) group; + }; }; systemd.services = { @@ -185,4 +189,7 @@ in MemorySwapMax = "64G"; }; }; + + # allow reading nix-serve secret + users.users.harmonia.extraGroups = [ "hydra" ]; } From e0a3393290e14d95131a3e42b60a962e5f616ba1 Mon Sep 17 00:00:00 2001 
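Review bot: `hydra@localhost` in the second machines entry is no longer the special local-builder name; if Hydra treats any URI other than plain `localhost` as an SSH remote, as I believe it does, the queue runner will now ssh into its own host as `hydra` using the default key (`-` in the key column), and that loopback trust — the runner's key in `hydra`'s authorized_keys plus host-key acceptance — is not set up by this commit. The new comment should state that dependency and could be tightened to `# neither entry may use the plain localhost name: hydra would merge them, and we want two builders so benchmarks are never scheduled on the binfmt-emulated systems`. The `in ''…''` block begins before the hunk.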
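Review bot: `users.users.harmonia.extraGroups = [ "hydra" ]` hard-codes the group name while the secret's group is taken from `config.users.users.hydra-queue-runner.group`; if those ever diverge, the cache silently loses access to the signing key. Use the same source, `users.users.harmonia.extraGroups = [ config.users.users.hydra-queue-runner.group ];`. Membership in that group also grants harmonia everything else the group owns, not just the key, so a dedicated group for the signing key would follow least privilege more closely.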
From: revol-xut Date: Mon, 5 Dec 2022 22:05:46 +0100 Subject: [PATCH 180/247] adding flake back --- hosts/server10/microvm-staging.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/server10/microvm-staging.nix b/hosts/server10/microvm-staging.nix index 04a3020f..711da37e 100644 --- a/hosts/server10/microvm-staging.nix +++ b/hosts/server10/microvm-staging.nix @@ -1,8 +1,7 @@ { config, pkgs, ... }: let microvms = { - # TODO: BROKEN since 2022-12-03 - # staging-data-hoarder.flakeref = "git+file:///tmp/dvb-nix-config"; + staging-data-hoarder.flakeref = "git+file:///tmp/dvb-nix-config"; }; realizeFlake = with pkgs; "${writeScriptBin "realize-flake" '' From 3992f966f3e32e596e377590950e7e39c7680cd7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 5 Dec 2022 23:51:03 +0100 Subject: [PATCH 181/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'affection-src': 'git+https://gitea.nek0.eu/nek0/affection?ref=refs%2fheads%2fmaster&rev=b56ed86e45b2a8cdf811f2659644192a69ab5818' (2022-09-14) → 'git+https://gitea.nek0.eu/nek0/affection?ref=refs%2fheads%2fmaster&rev=5bef189c308df9dda1449a8305a7092fb5c77827' (2022-12-01) • Updated input 'caveman': 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=404767d88b4a383b594b0a259ca6187861bf6b89' (2022-11-29) → 'git+https://gitea.c3d2.de/astro/caveman.git?ref=main&rev=908fb9c8d3d2b0fbe5a17895639ef478f81e3f8d' (2022-12-03) • Updated input 'fenix': 'github:nix-community/fenix/bba229a06ca03938a1abd4ce6361bf9bf4f651cd' (2022-11-30) → 'github:nix-community/fenix/cb671e285ffc9a6f549bc6ac0f6c497e96f1f3ef' (2022-12-05) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/398a71affb05aeeea1991044ec9ca1229e68f0f3' (2022-11-29) → 'github:rust-lang/rust-analyzer/a2beeb8dbb5f4596f8c6f28a09c20355ea4c4628' (2022-12-04) • Updated input 'harmonia': 'github:helsinki-systems/harmonia/20114c21d1c902a8f5ad7be7744df241a784a06d' (2022-11-21) → 'github:helsinki-systems/harmonia/634dc577437ab4e1c4071e5fb0f62325ff1a0df7' (2022-12-04) • Updated input 'microvm': 'github:astro/microvm.nix/c21a70fe1ac05ccdfceff6506625e9d44cd91da5' (2022-11-24) → 'github:astro/microvm.nix/e2a1bf59987544faec4d27ce5700e5ef96201a5f' (2022-12-01) • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/07e0bf5ccddcabe20d2b3bd89aaace918a4a6402' (2022-11-30) → 'github:SuperSandro2000/nixpkgs/0992478bb4eeaa1c9b28ad433dd683e12037de2e' (2022-12-04) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/7883883d135ce5b7eae5dce4bfa12262b85c1c46' (2022-11-28) → 'github:nixos/nixos-hardware/9d87bc030a0bf3f00e953dbf095a7d8e852dab6b' (2022-12-04) • 
Updated input 'nixos-unstable': 'github:nixos/nixpkgs/a115bb9bd56831941be3776c8a94005867f316a7' (2022-11-27) → 'github:nixos/nixpkgs/61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c' (2022-12-03) • Updated input 'nixos-unstable-simd': 'github:SuperSandro2000/nixpkgs/9f915b466b047207d391a8b651f2949cc528e1b6' (2022-12-04) → 'github:SuperSandro2000/nixpkgs/2e4dc4db26662d1aebfb6028d5aa7c5aef4bd523' (2022-12-05) • Updated input 'openwrt': 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=b33090a0faf73d5d03e96c132c413776d6ed8b87' (2022-11-27) → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=be3b061d7bbf425c95ef9108a37c51747c0025e9' (2022-12-04) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/e3e2f451ce6255dce904427c83b11ef2a6eba755' (2022-11-30) → 'github:astro/nix-openwrt-imagebuilder/10a85914617f218942b7f5daa36ef619f495c372' (2022-12-05) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/3158e47f6b85a288d12948aeb9a048e0ed4434d6' (2022-11-30) → 'github:oxalica/rust-overlay/18823e511bc85ed27bfabe33cccecb389f9aa92d' (2022-12-05) • Updated input 'skyflake': 'github:astro/skyflake/54853b3efeaf57ab08cee76680fe0e2d5c144fe7' (2022-11-30) → 'github:astro/skyflake/c78a3e8f64930bf5c48b0f75e577e4294d8750c6' (2022-12-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8295b8139ef7baadeb90c5cad7a40c4c9297ebf7' (2022-11-29) → 'github:Mic92/sops-nix/da98a111623101c64474a14983d83dad8f09f93d' (2022-12-04) • Removed input 'sops-nix/nixpkgs-22_05' • Added input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/86370507cb20c905800527539fc049a2bf09c667' (2022-12-04) --- flake.lock | 98 +++++++++++++++++++++++++++--------------------------- flake.nix | 2 +- 2 files changed, 50 insertions(+), 50 deletions(-) diff --git a/flake.lock b/flake.lock index 93798775..adb5f48d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -10,11 +10,11 @@ ] }, "locked": { - "lastModified": 1663176622, - "narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=", + "lastModified": 1669920985, + "narHash": "sha256-Ff9FxYqYNVovOCDcECGKHoiqpIOUvF6/q17H+k06iXw=", "ref": "refs/heads/master", - "rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818", - "revCount": 293, + "rev": "5bef189c308df9dda1449a8305a7092fb5c77827", + "revCount": 298, "type": "git", "url": "https://gitea.nek0.eu/nek0/affection" }, @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1669683082, - "narHash": "sha256-2bSuv8l6Zxi8tUwAy07vHVpIm/J335D6Qnf02mTz2cI=", + "lastModified": 1670028698, + "narHash": "sha256-JjmRgUg5004snQL03r5n4TjJmyD4qiwKdPDmx/1GeFw=", "ref": "main", - "rev": "404767d88b4a383b594b0a259ca6187861bf6b89", - "revCount": 140, + "rev": "908fb9c8d3d2b0fbe5a17895639ef478f81e3f8d", + "revCount": 153, "type": "git", "url": "https://gitea.c3d2.de/astro/caveman.git" }, @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1669789565, - "narHash": "sha256-9fBxYzp0cnkHygZOY5HTM7QMYr1WsC062Yc8glQNIgM=", + "lastModified": 1670221471, + "narHash": "sha256-rNoTqumt7a1VDZt46N/zPX1cAqKyXREM6HE8Zmo32mU=", "owner": "nix-community", "repo": "fenix", - "rev": "bba229a06ca03938a1abd4ce6361bf9bf4f651cd", + "rev": "cb671e285ffc9a6f549bc6ac0f6c497e96f1f3ef", "type": "github" }, "original": { @@ -144,11 +144,11 @@ "harmonia": { "flake": false, "locked": { - "lastModified": 1669064695, - "narHash": "sha256-f+9XR/ExbjgjTfIp2TmBf3hiVzLFBdpO/tjGLDUr6lY=", + "lastModified": 1670144089, + "narHash": "sha256-DJG52W6fcXaLwFnEYapDYmxJ0Hd0+uxk9O/HmtPQaN4=", "owner": "helsinki-systems", "repo": "harmonia", - "rev": "20114c21d1c902a8f5ad7be7744df241a784a06d", + "rev": "634dc577437ab4e1c4071e5fb0f62325ff1a0df7", "type": "github" }, "original": { 
@@ -237,11 +237,11 @@ ] }, "locked": { - "lastModified": 1669306943, - "narHash": "sha256-F6xVWFJkcCXp5IcnpRlECT10H2ps8RO1yM4W0OXiXPs=", + "lastModified": 1669921518, + "narHash": "sha256-OWSXXmVzceV6Ild0nVEJjMsP9doCK+F4og30Mareaog=", "owner": "astro", "repo": "microvm.nix", - "rev": "c21a70fe1ac05ccdfceff6506625e9d44cd91da5", + "rev": "e2a1bf59987544faec4d27ce5700e5ef96201a5f", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1669842486, - "narHash": "sha256-ogRw+3pxB+I/FwTppNolpdgwJGrU7xsgqTfFUjuys8o=", + "lastModified": 1670178589, + "narHash": "sha256-+lpmb4I7PfyhNl+GGmI5yopxdcGGO+z55dI4ZTfkDps=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "07e0bf5ccddcabe20d2b3bd89aaace918a4a6402", + "rev": "0992478bb4eeaa1c9b28ad433dd683e12037de2e", "type": "github" }, "original": { @@ -365,11 +365,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1669650994, - "narHash": "sha256-uwASLUfedIQ5q01TtMwZDEV2HCZr5nVPZjzVgCG+D5I=", + "lastModified": 1670174919, + "narHash": "sha256-XdQr3BUnrvVLRFunLWrZORhwYHDG0+9jUUe0Jv1pths=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "7883883d135ce5b7eae5dce4bfa12262b85c1c46", + "rev": "9d87bc030a0bf3f00e953dbf095a7d8e852dab6b", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1669542132, - "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", + "lastModified": 1670064435, + "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a115bb9bd56831941be3776c8a94005867f316a7", + "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c", "type": "github" }, "original": { 
@@ -412,11 +412,11 @@ }, "nixos-unstable-simd": { "locked": { - "lastModified": 1670178567, - "narHash": "sha256-mTUbgiMxtXRg0VL0518HlZhF/CSYUJmBuZnNkc1mlaU=", + "lastModified": 1670271117, + "narHash": "sha256-VOc60s3DHdHaQWolLOahpLTzWm3C5oaDWyn9Sx5yk3s=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "9f915b466b047207d391a8b651f2949cc528e1b6", + "rev": "2e4dc4db26662d1aebfb6028d5aa7c5aef4bd523", "type": "github" }, "original": { @@ -490,11 +490,11 @@ "openwrt": { "flake": false, "locked": { - "lastModified": 1669563413, - "narHash": "sha256-v3Krt7iTBcUxMjXff3XFDhdp685UcNW4RoMZcmcJ01E=", + "lastModified": 1670184827, + "narHash": "sha256-kVCvQKdH6Og/ue4IIBJe7oHDWA4b5HcbnbB7NN9gS0M=", "ref": "openwrt-21.02", - "rev": "b33090a0faf73d5d03e96c132c413776d6ed8b87", - "revCount": 51175, + "rev": "be3b061d7bbf425c95ef9108a37c51747c0025e9", + "revCount": 51253, "type": "git", "url": "https://git.openwrt.org/openwrt/openwrt.git" }, @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1669840858, - "narHash": "sha256-ptLvigZ91boFMYhSOXKFsycrjSiIQ1ZmjiYC1iZ3US0=", + "lastModified": 1670272639, + "narHash": "sha256-IRMBjDehUXHPDlhE2WoZ+QCHZ+sxnFf+h8VzewUUm/4=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "e3e2f451ce6255dce904427c83b11ef2a6eba755", + "rev": "10a85914617f218942b7f5daa36ef619f495c372", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1669747020, - "narHash": "sha256-kNfchCXcI4jcwBdU57f4ifdgPAvLKLJIHKUCiZVv+v0=", + "lastModified": 1670182646, + "narHash": "sha256-2Syd2jVpY0UIfsYlmzvWICZTDVRG4UchcbRlNhuJSpM=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "398a71affb05aeeea1991044ec9ca1229e68f0f3", + "rev": "a2beeb8dbb5f4596f8c6f28a09c20355ea4c4628", "type": "github" }, "original": { 
@@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1669775522, - "narHash": "sha256-6xxGArBqssX38DdHpDoPcPvB/e79uXyQBwpBcaO/BwY=", + "lastModified": 1670207212, + "narHash": "sha256-uuKbbv0L+QoXiqO7METP9BihY0F7hJqGdKn7xDVfyFw=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "3158e47f6b85a288d12948aeb9a048e0ed4434d6", + "rev": "18823e511bc85ed27bfabe33cccecb389f9aa92d", "type": "github" }, "original": { @@ -645,11 +645,11 @@ ] }, "locked": { - "lastModified": 1669843159, - "narHash": "sha256-FVW/rRnuWahLhmBVO9svpVsK2yPYNc5hh2e9BoMCZHk=", + "lastModified": 1670188372, + "narHash": "sha256-lKjP3rYsmiXb9kEU+stcsm48dTEMC6Ed+rLEClEl+Vs=", "owner": "astro", "repo": "skyflake", - "rev": "54853b3efeaf57ab08cee76680fe0e2d5c144fe7", + "rev": "c78a3e8f64930bf5c48b0f75e577e4294d8750c6", "type": "github" }, "original": { @@ -663,16 +663,16 @@ "nixpkgs": [ "nixos" ], - "nixpkgs-22_05": [ + "nixpkgs-stable": [ "nixos" ] }, "locked": { - "lastModified": 1669714206, - "narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=", + "lastModified": 1670149631, + "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7", + "rev": "da98a111623101c64474a14983d83dad8f09f93d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a6fbbfa1..01ba6e47 100644 --- a/flake.nix +++ b/flake.nix @@ -130,7 +130,7 @@ url = "github:Mic92/sops-nix"; inputs = { nixpkgs.follows = "nixos"; - nixpkgs-22_05.follows = "nixos"; + nixpkgs-stable.follows = "nixos"; }; }; spacemsg = { From c2337cce40f199369fe09fbf658c47ead65b3d30 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 6 Dec 2022 00:26:18 +0100 Subject: [PATCH 182/247] .sops.yaml: add forgotten hosts/dacbert/ path_regex --- .sops.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index 7d08e099..820638b2 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -131,6 +131,12 @@ creation_rules: age: - *dn42 - *polygon-snowflake + - path_regex: hosts/dacbert/[^/]+\.yaml$ + key_groups: + - pgp: *admins + age: + - *dacbert + - *polygon-snowflake - path_regex: hosts/freifunk/[^/]+\.yaml$ key_groups: - pgp: *admins From eb21d0bbb34a797166c12e98766e0b41366392fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 6 Dec 2022 15:58:17 +0100 Subject: [PATCH 183/247] hydra: add ldap login --- hosts/hydra/hydra.nix | 79 ++++++++++++++++++++++++++++++++++++---- hosts/hydra/secrets.yaml | 6 ++- 2 files changed, 75 insertions(+), 10 deletions(-) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 10b54c9c..25bb9c5b 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, zentralwerk, ... }: let cachePort = 5000; @@ -54,11 +54,17 @@ in # }; # }; - # networking.nat = { - # enable = true; - # externalInterface = "serv"; - # internalInterfaces = [ "ve-hydra-ca" ]; - # }; + networking = { + hosts = with zentralwerk.lib.config.site.net.serv; { + ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; + ${hosts4.auth} = [ "auth.c3d2.de" ]; + }; + # nat = { + # enable = true; + # externalInterface = "serv"; + # internalInterfaces = [ "ve-hydra-ca" ]; + # }; + }; nix = { buildMachines = [{ 
@@ -106,16 +112,67 @@ in max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd upload_logs_to_binary_cache = true + + # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional + + + + class = Password + password_field = password + password_type = self_check + + + class = LDAP + ldap_server = auth.c3d2.de + + scheme = ldaps + timeout = 10 + + binddn = "uid=search,ou=users,dc=c3d2,dc=de" + include ldap-password.conf + start_tls = 0 + + ciphers = TLS_AES_256_GCM_SHA384 + sslversion = tlsv1_3 + # verify = none + + user_basedn = "ou=users,dc=c3d2,dc=de" + user_filter = "(&(objectclass=person)(uid=%s))" + user_scope = one + user_field = uid + + deref = always + + # Important for role mappings to work: + use_roles = 1 + role_basedn = "ou=groups,dc=c3d2,dc=de" + role_filter = "(&(objectclass=group)(%s))" + role_scope = one + role_field = cn + role_value = dn + + deref = always + + + + + # maps directly to user roles + # Make all users in the hydra-admin group Hydra admins + hydra-admins = admin + # Allow all users in the dev group to restart jobs and cancel builds + #dev = restart-jobs + #dev = cancel-build + + ''; }; # A rust nix binary cache harmonia = { enable = true; - settings = { bind = "127.0.0.1:${toString cachePort}"; - workers = "20"; + workers = 20; max_connection_rate = 1024; priority = 30; sign_key_path = config.sops.secrets."nix-serve/secretKey".path; @@ -157,6 +214,12 @@ in owner = config.users.users.hydra-queue-runner.name; inherit (config.users.users.hydra-queue-runner) group; }; + secrets."ldap/search-user-pw" = { + mode = "440"; + owner = config.users.users.hydra-queue-runner.name; + inherit (config.users.users.hydra-queue-runner) group; + path = "/var/lib/hydra/ldap-password.conf"; + }; }; systemd.services = { 
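Review bot: The LDAP backend sets `scheme = ldaps` and `sslversion = tlsv1_3` but no `verify` or `cafile`, and `# verify = none` is only commented out; Net::LDAP, which Catalyst::Authentication::Store::LDAP uses underneath, documents `verify` as defaulting to `none` (confirm for the version Hydra ships), so as committed the `uid=search,…` bind password and every user's login go to whatever answers on auth.c3d2.de:636 without the certificate being checked, and the `networking.hosts` pin in the previous hunk does not change that. Add `verify = require` and `cafile = /etc/ssl/certs/ca-certificates.crt` (or the CA that issued the auth.c3d2.de certificate) next to `sslversion`. The `hydra.conf` string this hunk sits in begins outside the hunk.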
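Review bot: The new `ldap/search-user-pw` secret is owned by `hydra-queue-runner`, but the file that includes it is Hydra's web-frontend config, which the NixOS module runs as a separate `hydra-www` user as far as I can tell; it is readable here only through the shared group and mode `440`, so either say so in a comment or use `owner = config.users.users.hydra-www.name;` so the queue runner gets no read access to an LDAP credential it never uses. A comment that the file must hold `bindpw = …` in Hydra's config syntax, not a bare password, would also help, since `include ldap-password.conf` in the previous hunk loads it as a config fragment if I read the linked manual correctly.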
diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml index 49d9552e..0d7a1dcf 100644 --- a/hosts/hydra/secrets.yaml +++ b/hosts/hydra/secrets.yaml @@ -1,5 +1,7 @@ nix-serve: secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str] +ldap: + search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str] sops: kms: [] gcp_kms: [] @@ -24,8 +26,8 @@ sops: K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-25T21:00:25Z" - mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str] + lastmodified: "2022-12-06T14:25:54Z" + mac: ENC[AES256_GCM,data:4cOG88FIG7UhVb/r8Aq1Nme5+qCpEdpjV+BLOISm1Y6MYgxFTDqCzV2FOdKztpVou5Nly9JUvKfz6eiCWbbIbaO5/DYUObiTKZXv6B1x6blnIW8vMtqcdYWOXH62ycHMV+Sha0D41eXmNp3K1Vs+k3OwYZyHK1HFOqqQ2jpy+Ps=,iv:u0O/A/GBBpDTJVFBfiFzDOIIR5o479YI11fgrv0mR0A=,tag:E9OuAAOhfbzPcnA6Ij6LMA==,type:str] pgp: - created_at: "2022-07-15T23:31:58Z" enc: | From 734a97783564228dba2b5fa2fcbca8f80bd0d8ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 6 Dec 2022 21:15:06 +0100 Subject: [PATCH 184/247] Disable boehmgc tests --- overlays/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/overlays/default.nix b/overlays/default.nix index 3001a99b..a734f614 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
@@ -17,6 +17,11 @@ with final; { bmxd = callPackage ./bmxd.nix { }; + boehmgc = prev.boehmgc.overrideAttrs(_: { + # tests fail under emulation + doCheck = false; + }); + dump1090-influxdb = callPackage ./dump1090-influxdb { }; dump1090_rs = callPackage ./dump1090_rs.nix { }; From e011ff965b12da89e9cf0a4a9258548bd91dbb9c Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 7 Dec 2022 17:41:07 +0000 Subject: [PATCH 185/247] fixing commit mesg && adding new config --- hosts/leon/default.nix | 12 ++++++++++-- hosts/leoncloud/default.nix | 6 +++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index ced6c838..4548e942 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -207,8 +207,16 @@ networking.wireguard.interfaces = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://10.10.11.4:80"; - proxyWebsockets = true; + proxyPass = "http://45.158.40.165:80"; + proxyWebsockets = true; + }; + }; + virtualHosts."bicospacetech.stream.c3d2.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://10.10.11.4:145000"; + proxyWebsockets = true; }; }; virtualHosts."portainer.netlab.c3d2.de" = { diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index ed126e07..337ced35 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -47,7 +47,7 @@ # enable IP routing networking.firewall = { - allowedTCPPorts = [ 80 443 22 53 14000 14500 15000 ]; + allowedTCPPorts = [ 80 443 8080 22 53 14000 14500 15000 ]; allowedUDPPorts = [ 18900 53 ]; }; @@ -89,8 +89,8 @@ services.nextcloud = { dbname = "nextcloud"; adminpassFile = "/etc/nixos/next-cloud/pass"; adminuser = "root"; - extraTrustedDomains = ["10.10.11.4" "10.10.11.1" "bicospacetech.cloud.c3d2.de"]; - }; + extraTrustedDomains = ["10.10.11.4" "10.10.11.1" "45.158.40.165" "bicospacetech.cloud.c3d2.de"]; + }; }; services.postgresql = { 
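Review bot: `doCheck = false` on `boehmgc` disables the test suite for every platform, not only the emulated one the comment refers to, and boehmgc is linked into Nix itself, so a GC regression would now pass through this overlay silently on native builds too. Name the failing architecture in the comment and scope the override to it, e.g. `doCheck = !stdenv.hostPlatform.isRiscV;` if it is the riscv64 builds this repo also guards against elsewhere (confirm which arch actually fails).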
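Review bot: The new `bicospacetech.stream.c3d2.de` vhost proxies to `http://10.10.11.4:145000`, which is not a valid TCP port (max 65535), so nginx rejects the configuration at start and every vhost in this file is affected until it is fixed; presumably `14500` was meant, matching the port list on the other host. Separately, the cloud vhost's `proxyPass` moves from the private `10.10.11.4` to the public `45.158.40.165` over plain HTTP while the front is `forceSSL`; unless that address is reached through the WireGuard interface this file also configures, session cookies and logins now cross the network in cleartext, so keep the upstream on the private address or make it `https://`. The enclosing `services.nginx` block starts outside the hunk.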
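Review bot: `allowedTCPPorts` now opens 8080 on every interface, but nothing in this commit binds 8080, so this is either dead config or an accidental exposure of whatever gets started on it later (a docker-compose service, given `virtualisation.docker.enable` on this host). Drop it, or scope it with `networking.firewall.interfaces.<wg-if>.allowedTCPPorts = [ 8080 ];` so it is only reachable over the tunnel and say in a comment what is meant to listen there.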
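Review bot: Adding the bare public IP `45.158.40.165` to `extraTrustedDomains` suggests the reverse proxy forwards requests with the upstream IP as Host rather than the user-facing name, which also makes Nextcloud generate links and redirects pointing at the raw IP over HTTP; the usual fix is `recommendedProxySettings = true` on the proxy and, here, `config.overwriteProtocol = "https";` plus `config.trustedProxies = [ "<proxy address>" ];` so the public name stays the only trusted entry (confirm the option names against the NixOS release in use). The `services.nextcloud` block starts outside the hunk.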
From 40291903109b97989671bd34dd4f8cb4998fdbd4 Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 7 Dec 2022 18:04:46 +0000 Subject: [PATCH 186/247] fixing ngix --- hosts/leon/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 4548e942..90a3bb90 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -209,14 +209,6 @@ networking.wireguard.interfaces = { locations."/" = { proxyPass = "http://45.158.40.165:80"; proxyWebsockets = true; - }; - }; - virtualHosts."bicospacetech.stream.c3d2.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://10.10.11.4:145000"; - proxyWebsockets = true; }; }; virtualHosts."portainer.netlab.c3d2.de" = { From 2232760bb2f49dcf790f6dc83268a87933f327c5 Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 7 Dec 2022 18:10:21 +0000 Subject: [PATCH 187/247] add stream site --- hosts/leon/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix index 90a3bb90..147c93a9 100644 --- a/hosts/leon/default.nix +++ b/hosts/leon/default.nix @@ -209,6 +209,14 @@ networking.wireguard.interfaces = { locations."/" = { proxyPass = "http://45.158.40.165:80"; proxyWebsockets = true; + }; + }; + virtualHosts."bicospacetech.stream.c3d2.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://10.10.11.4:14500"; + proxyWebsockets = true; }; }; virtualHosts."portainer.netlab.c3d2.de" = { From 3f45c026df269c2690c4250dd392ca34e5aff618 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 7 Dec 2022 20:54:41 +0100 Subject: [PATCH 188/247] glotzbert: add kernel module for hwmon2 --- hosts/glotzbert/hardware-configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 37ee602f..4d5aa8da 100644 --- a/hosts/glotzbert/hardware-configuration.nix 
+++ b/hosts/glotzbert/hardware-configuration.nix @@ -8,7 +8,7 @@ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelModules = [ "kvm-intel" "nct6775" ]; boot.extraModulePackages = [ ]; fileSystems."/" = { From 0beda8f0e384d78c123c3fac8b5c44dc6036566e Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 7 Dec 2022 20:55:34 +0000 Subject: [PATCH 189/247] remove docker --- hosts/leoncloud/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 337ced35..227ca659 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -32,7 +32,7 @@ nmap htop wireguard-tools - docker-compose + # docker-compose ]; users.users.leon-docker = { @@ -53,7 +53,7 @@ #>-----------------docker------------------------- - virtualisation.docker.enable = true; +# virtualisation.docker.enable = true; #<-----------------docker------------------------- From 78f5cb4feb64fe1d621c10d6ea88f927f1c50783 Mon Sep 17 00:00:00 2001 From: leon Date: Wed, 7 Dec 2022 20:58:32 +0000 Subject: [PATCH 190/247] add docker and docker-compose --- hosts/leoncloud/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 227ca659..337ced35 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -32,7 +32,7 @@ nmap htop wireguard-tools - # docker-compose + docker-compose ]; users.users.leon-docker = { @@ -53,7 +53,7 @@ #>-----------------docker------------------------- -# virtualisation.docker.enable = true; + virtualisation.docker.enable = true; #<-----------------docker------------------------- From 5907e29413c6400358194c51500c2c436e6276ac Mon Sep 17 00:00:00 2001 
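Review bot: `virtualisation.docker.enable = true` is restored together with `docker-compose`, and the file defines a dedicated `users.users.leon-docker` account just above; if that account is in the `docker` group (its `extraGroups` are outside the hunk), it is root-equivalent on this host, because the daemon socket lets members bind-mount the host filesystem into a container. For a single-user deployment prefer the rootless daemon, `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };`, or at least note the root equivalence next to the user definition.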
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Thu, 8 Dec 2022 20:26:32 +0100 Subject: [PATCH 191/247] Bump --- flake.lock | 56 +++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/flake.lock b/flake.lock index adb5f48d..c82f5173 100644 --- a/flake.lock +++ b/flake.lock @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1670221471, - "narHash": "sha256-rNoTqumt7a1VDZt46N/zPX1cAqKyXREM6HE8Zmo32mU=", + "lastModified": 1670480689, + "narHash": "sha256-DADoR6R7DpnQaZjuUr6Z5EeNxr9ClP6u3Oqf7PpS9yA=", "owner": "nix-community", "repo": "fenix", - "rev": "cb671e285ffc9a6f549bc6ac0f6c497e96f1f3ef", + "rev": "e7941faba7f6cd0a6058330ad8c40d8dc52d741c", "type": "github" }, "original": { @@ -144,11 +144,11 @@ "harmonia": { "flake": false, "locked": { - "lastModified": 1670144089, - "narHash": "sha256-DJG52W6fcXaLwFnEYapDYmxJ0Hd0+uxk9O/HmtPQaN4=", + "lastModified": 1670319728, + "narHash": "sha256-7hsq6Sv06UcIjjlZTFlsYWDfGrc9u77OAr25SjnvZ4A=", "owner": "helsinki-systems", "repo": "harmonia", - "rev": "634dc577437ab4e1c4071e5fb0f62325ff1a0df7", + "rev": "f2476198fb8236c7c7eb432aab4472083cb9831d", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1670178589, - "narHash": "sha256-+lpmb4I7PfyhNl+GGmI5yopxdcGGO+z55dI4ZTfkDps=", + "lastModified": 1670359138, + "narHash": "sha256-lrEtzODeYn30qDB2mI26S3K4/tXjdhWluaOOQ7I+dcY=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "0992478bb4eeaa1c9b28ad433dd683e12037de2e", + "rev": "1bcc1d778d140ec91d4cb74b973f3037c1ed8695", "type": "github" }, "original": { 
@@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1670064435, - "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=", + "lastModified": 1670332253, + "narHash": "sha256-O5SmhlIUt1s+vK4NXeGYqwcBIMwbBPAEZ3GHE3XT28c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c", + "rev": "1c9ffcf70786f0966982ce0fc76ec05df2e1dec2", "type": "github" }, "original": { @@ -412,11 +412,11 @@ }, "nixos-unstable-simd": { "locked": { - "lastModified": 1670271117, - "narHash": "sha256-VOc60s3DHdHaQWolLOahpLTzWm3C5oaDWyn9Sx5yk3s=", + "lastModified": 1670518490, + "narHash": "sha256-J0Ckjl7Q+l2DZRneuC+HTId3Itc0C9NToG8N72uevjY=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "2e4dc4db26662d1aebfb6028d5aa7c5aef4bd523", + "rev": "d03760999bbaf63b848f3bb58b9e1ee0c034721e", "type": "github" }, "original": { @@ -490,11 +490,11 @@ "openwrt": { "flake": false, "locked": { - "lastModified": 1670184827, - "narHash": "sha256-kVCvQKdH6Og/ue4IIBJe7oHDWA4b5HcbnbB7NN9gS0M=", + "lastModified": 1670433513, + "narHash": "sha256-gqlSkpWgC6rONYGZLzM5Fwc+ssoC7NiR2O3DCFtRRMM=", "ref": "openwrt-21.02", - "rev": "be3b061d7bbf425c95ef9108a37c51747c0025e9", - "revCount": 51253, + "rev": "295c612a4a76e9f0860e2efdb609a38bc74d3e4a", + "revCount": 51263, "type": "git", "url": "https://git.openwrt.org/openwrt/openwrt.git" }, @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1670272639, - "narHash": "sha256-IRMBjDehUXHPDlhE2WoZ+QCHZ+sxnFf+h8VzewUUm/4=", + "lastModified": 1670445795, + "narHash": "sha256-iJOOUSXwdESq+ngieBAfHAcdIJOJYGeNwMwmjI8zCJo=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "10a85914617f218942b7f5daa36ef619f495c372", + "rev": "36500ee9cb86e4c309793e4f6bb6e26892e29eed", "type": "github" }, "original": { 
@@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1670182646, - "narHash": "sha256-2Syd2jVpY0UIfsYlmzvWICZTDVRG4UchcbRlNhuJSpM=", + "lastModified": 1670426523, + "narHash": "sha256-Zh+pAuj4PmBmISXCz+54yVSwSXZwbn+ZELgM85xVUE0=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "a2beeb8dbb5f4596f8c6f28a09c20355ea4c4628", + "rev": "6e8a54d0f68702cf7981c8299357838eb0f4d5b2", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1670207212, - "narHash": "sha256-uuKbbv0L+QoXiqO7METP9BihY0F7hJqGdKn7xDVfyFw=", + "lastModified": 1670466538, + "narHash": "sha256-qz3MwPVTHJb62vPRJMXJ+waqjEUHrjTyjXyLHqF0DrE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "18823e511bc85ed27bfabe33cccecb389f9aa92d", + "rev": "073959f0687277a54bfaa3ac7a77feb072f88186", "type": "github" }, "original": { From ea2878fd36f7793d78c243b2322cd285e4aac37b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 9 Dec 2022 00:41:33 +0100 Subject: [PATCH 192/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/1bcc1d778d140ec91d4cb74b973f3037c1ed8695' (2022-12-06) → 'github:SuperSandro2000/nixpkgs/9eab792f91cb76e1ad5bc3e73b05eb2d4828f4a9' (2022-12-08) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/36500ee9cb86e4c309793e4f6bb6e26892e29eed' (2022-12-07) → 'github:astro/nix-openwrt-imagebuilder/29733301042477d878af2985c1367047030f2f5e' (2022-12-08) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index c82f5173..21fc671a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1670359138, - "narHash": "sha256-lrEtzODeYn30qDB2mI26S3K4/tXjdhWluaOOQ7I+dcY=", + "lastModified": 1670542845, + "narHash": "sha256-gSrX2Pq5FlYQVRfNw5elO/QX7O48SnItyXeEc/4jZxI=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "1bcc1d778d140ec91d4cb74b973f3037c1ed8695", + "rev": "9eab792f91cb76e1ad5bc3e73b05eb2d4828f4a9", "type": "github" }, "original": { @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1670445795, - "narHash": "sha256-iJOOUSXwdESq+ngieBAfHAcdIJOJYGeNwMwmjI8zCJo=", + "lastModified": 1670531824, + "narHash": "sha256-jRD5CVLdXTyXn8uqOGBqDllNjz3ZzUSKInXQETUwowg=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "36500ee9cb86e4c309793e4f6bb6e26892e29eed", + "rev": "29733301042477d878af2985c1367047030f2f5e", "type": "github" }, "original": { From 98d59e10d5688b7b897e6ff61d327d345727f886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 9 Dec 2022 22:23:07 +0100 Subject: [PATCH 193/247] Replace simd jobs with nox --- flake.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 01ba6e47..9da6a673 100644 --- a/flake.nix +++ b/flake.nix @@ -764,14 +764,16 @@ in lib.mapAttrs getBuildEntryPoint self.nixosConfigurations // lib.mapAttrs' (hostname: nixosSystem: lib.nameValuePair - (hostname + "-simd") + # job display name + (hostname + "-nox") (getBuildEntryPoint null (nixosSystem' (nixosSystem.args // (with nixosSystem.args; { modules = modules ++ [ { - c3d2.simd.enable = lib.mkForce true; + # c3d2.simd.enable = lib.mkForce true; + environment.noXlibs = true; } ]; - nixpkgs = nixos-unstable-simd; + # nixpkgs = nixos-unstable-simd; })))) ) self.nixosConfigurations // nixos.lib.filterAttrs (name: attr: From ff04c649c38c16fd56fcc2c8b4f0135d8eb3f09d Mon Sep 17 00:00:00 2001 
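Review bot: The `-nox` job variants set `environment.noXlibs = true` without `lib.mkForce`, while `modules/c3d2.nix` in the shared module list still carries `noXlibs = lib.mkForce false;`, so as committed the variant evaluates to the same closure as the plain job and the new name is misleading; use `lib.mkForce true` here or drop the module-level force. The parked `# c3d2.simd.enable` and `# nixpkgs = nixos-unstable-simd` lines should be deleted rather than commented out, since the `nixos-unstable-simd` input keeps getting locked and bumped with no consumer. The `lib.mapAttrs'` expression this hunk edits starts and ends outside the hunk.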
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 9 Dec 2022 22:41:39 +0100 Subject: [PATCH 194/247] Actually enable noXlibs --- hosts/grafana/default.nix | 2 -- hosts/sdrweb/default.nix | 3 --- modules/c3d2.nix | 5 ----- 3 files changed, 10 deletions(-) diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 9b2e0f75..375f3d20 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -11,8 +11,6 @@ in { c3d2.isInHq = false; services.openssh.enable = true; - # noXlibs breaks cairo: - environment.noXlibs = false; networking.hostName = "grafana"; diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix index f6e53b0f..19586799 100644 --- a/hosts/sdrweb/default.nix +++ b/hosts/sdrweb/default.nix @@ -88,7 +88,4 @@ inherit (pkgs.mucbot) password; muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz"; }; - - # noXlibs breaks cairo: - environment.noXlibs = false; } diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 3e27722d..213e3d17 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -455,11 +455,6 @@ in ethtool mtr ]; - variables = { - # TERM = "xterm-256color"; - }; - # breaks various package builds - noXlibs = lib.mkForce false; }; programs = { From 7bc63111a23bd0527522d0e0d2dbae3f5c2b97ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 19:42:05 +0100 Subject: [PATCH 195/247] grafana: fix eval --- hosts/grafana/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 375f3d20..b84c667f 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -39,7 +39,7 @@ in { datasources.settings.datasources = map (datasource: { inherit (datasource) name type access orgId url password user database isDefault jsonData; }) (with builtins; fromJSON (readFile ./datasources.json)); - dashboards = [ { + dashboards.settings.providers = [ { settings = { apiVersion = 1; providers = [ { 
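Review bot: The renamed `dashboards.settings.providers` takes a list of provider entries, but the element kept under it is still the old wrapper `{ settings = { apiVersion = 1; providers = [ … ] }; }`, so the generated provisioning file will most likely contain one provider whose only keys are `settings`/`apiVersion`/`providers` and Grafana provisions nothing from it even though evaluation now succeeds; put the provider attrsets directly in the list (the rest of the list is outside the hunk). Also visible in the context: `inherit (datasource) … password …` copies datasource passwords from `datasources.json` into the provisioning file, which ends up in the world-readable Nix store; move them to `secureJsonData` supplied through a sops-managed file, if the module version in use supports that.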
From 37c98c9ae9fef7c7b5a58a58ba698b913eccb8c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 19:42:12 +0100 Subject: [PATCH 196/247] Use collectd-data package to reduce build time closure by 500 packages --- hosts/grafana/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index b84c667f..936cce9c 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -67,7 +67,7 @@ in { services.influxdb = let collectdTypes = pkgs.runCommand "collectd-types" {} '' mkdir -p $out/share/collectd - cat ${config.services.collectd.package}/share/collectd/types.db >> $out/share/collectd/types.db + cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db ''; in { From 618e1ed9b9fefb8bb4514faf0774961efe78266b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 19:46:37 +0100 Subject: [PATCH 197/247] Commit migrations done by grafana --- hosts/grafana/dashboards/pVoyupoZk.json | 46 ++++++++++++++++--------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/hosts/grafana/dashboards/pVoyupoZk.json b/hosts/grafana/dashboards/pVoyupoZk.json index e19b7555..656b5901 100644 --- a/hosts/grafana/dashboards/pVoyupoZk.json +++ b/hosts/grafana/dashboards/pVoyupoZk.json @@ -26,7 +26,6 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, - "iteration": 1655678212481, "links": [], "liveNow": false, "panels": [ @@ -41,6 +40,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -99,7 +100,8 @@ "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", 
@@ -199,7 +201,7 @@ "alertThreshold": true }, "percentage": false, - "pluginVersion": "8.5.6", + "pluginVersion": "9.3.1", "pointradius": 2, "points": false, "renderer": "flot", @@ -322,6 +324,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -380,7 +384,8 @@ "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", @@ -535,6 +540,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "Temperature", "axisPlacement": "auto", "barAlignment": 0, @@ -621,8 +628,9 @@ "options": { "legend": { "calcs": [], - "displayMode": "hidden", - "placement": "bottom" + "displayMode": "list", + "placement": "bottom", + "showLegend": false }, "tooltip": { "mode": "single", @@ -862,7 +870,7 @@ "alertThreshold": true }, "percentage": false, - "pluginVersion": "8.5.6", + "pluginVersion": "9.3.1", "pointradius": 2, "points": false, "renderer": "flot", @@ -992,6 +1000,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -1172,8 +1182,9 @@ "options": { "legend": { "calcs": [], - "displayMode": "hidden", - "placement": "bottom" + "displayMode": "list", + "placement": "bottom", + "showLegend": false }, "tooltip": { "mode": "multi", @@ -1269,6 +1280,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -1362,7 +1375,8 @@ "max" ], "displayMode": "table", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", 
@@ -1533,6 +1547,8 @@ "mode": "palette-classic" }, "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -1591,7 +1607,8 @@ "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", @@ -1748,7 +1765,7 @@ } ], "refresh": false, - "schemaVersion": 36, + "schemaVersion": 37, "style": "dark", "tags": [], "templating": { @@ -1764,9 +1781,6 @@ "uid": "000000001" }, "definition": "SHOW TAG VALUES WITH KEY = \"host\"", - "error": { - "message": "Datasource 000000001 was not found" - }, "hide": 0, "includeAll": false, "multi": false, @@ -1807,4 +1821,4 @@ "uid": "pVoyupoZk", "version": 1, "weekStart": "" -} \ No newline at end of file +} From 7f120207d52537bbe3829085a78d10dd7be5f627 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 19:52:03 +0100 Subject: [PATCH 198/247] Fix datasource --- hosts/grafana/dashboards/pVoyupoZk.json | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/hosts/grafana/dashboards/pVoyupoZk.json b/hosts/grafana/dashboards/pVoyupoZk.json index 656b5901..d6707add 100644 --- a/hosts/grafana/dashboards/pVoyupoZk.json +++ b/hosts/grafana/dashboards/pVoyupoZk.json @@ -1582,8 +1582,7 @@ "mode": "absolute", "steps": [ { - "color": "green", - "value": null + "color": "green" }, { "color": "red", @@ -1773,12 +1772,8 @@ { "current": { "selected": false, - "text": "server10", - "value": "server10" - }, - "datasource": { - "type": "influxdb", - "uid": "000000001" + "text": "hydra", + "value": "hydra" }, "definition": "SHOW TAG VALUES WITH KEY = \"host\"", "hide": 0, From 959a0931be9ce5dfd2a1bf95a8ca02d8287339d3 Mon Sep 17 00:00:00 2001 From: leon Date: Sat, 10 Dec 2022 19:41:45 +0000 Subject: [PATCH 199/247] remove nginx --- hosts/leoncloud/default.nix | 16 ---------------- 1 file changed, 16 deletions(-) 
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix index 337ced35..41e3f26c 100644 --- a/hosts/leoncloud/default.nix +++ b/hosts/leoncloud/default.nix @@ -110,25 +110,9 @@ services.nextcloud = { after = ["postgresql.service"]; }; -# services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ]; #<-----------------nextcloud---------------------- -#-----------------------------ngin-X-------------------------------- - -# services.nginx = { -# enable = true; - -# virtualHosts."bicospacetech.c3d2.de" = { -# forceSSL = true; -# enableACME = true; -# locations."/" = { -# proxyPass = "http://45.158.40.162:12000"; -# proxyWebsockets = true; -# }; - -#}; -#-----------------------------ngin-X-------------------------------- system.stateVersion = "22.05"; From 93806bd14870c293b312bc40f789a2a9d01806d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 20:47:39 +0100 Subject: [PATCH 200/247] Remove old journalbeat config, enable more node-exporter modules --- flake.nix | 2 +- modules/logging.nix | 35 ----------------------------------- modules/monitoring.nix | 9 +++++++++ 3 files changed, 10 insertions(+), 36 deletions(-) delete mode 100644 modules/logging.nix create mode 100644 modules/monitoring.nix diff --git a/flake.nix b/flake.nix index 9da6a673..78420d9c 100644 --- a/flake.nix +++ b/flake.nix @@ -723,7 +723,7 @@ ./modules/backup.nix ./modules/c3d2.nix ./modules/nncp.nix - ./modules/logging.nix + ./modules/monitoring.nix ./modules/stats.nix ]; c3d2.hosts = hostRegistry.hosts; diff --git a/modules/logging.nix b/modules/logging.nix deleted file mode 100644 index 683af85d..00000000 --- a/modules/logging.nix +++ /dev/null 
@@ -1,35 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
- # add central logging
- services.journalbeat = {
- enable = false;
- extraConfig = ''
- journalbeat.inputs:
- # Paths that should be crawled and fetched. Possible values files and directories.
- # When setting a directory, all journals under it are merged.
- # When empty starts to read from local journal.
-
- - paths: []
-
- journalbeat:
- seek_position: cursor
- cursor_seek_fallback: tail
- write_cursor_state: true
- cursor_flush_period: 5s
- clean_field_names: true
- convert_to_numbers: false
- move_metadata_to_field: journal
- default_type: journal
- kernel: true
- output.logstash:
- # Boolean flag to enable or disable the output module.
- enabled: true
- hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
- '';
- };
-
- services.prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
- enable = true;
- openFirewall = true;
- };
-}
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
new file mode 100644
index 00000000..c9cf9a49
--- /dev/null
+++ b/modules/monitoring.nix
@@ -0,0 +1,9 @@
+{ pkgs, lib, ... }:
+
+{
+ services.prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
+ enable = true;
+ enabledCollectors = [ "ethtool" "systemd" ];
+ openFirewall = true;
+ };
+}

From 442c02f13ea5424ace51c434b6ee9245db6efb72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sat, 10 Dec 2022 20:08:03 +0100
Subject: [PATCH 201/247] Configure alertmanager

---
 hosts/prometheus/default.nix | 121 ++++++++++++++++++++++++-----------
 1 file changed, 85 insertions(+), 36 deletions(-)

diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix
index c3c366e0..42fab5ce 100644
--- a/hosts/prometheus/default.nix
+++ b/hosts/prometheus/default.nix
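Review bot: `openFirewall = true` on `services.prometheus.exporters.node` opens port 9100 on every interface of every host that imports this module (it is in the shared module list in flake.nix), and the node exporter has no authentication of its own, which the scrape job on the Prometheus host also flags with `# TODO: authorization?`; on hosts with a public address this hands kernel, mount, network and, with the new `systemd` collector, unit-name inventory to anyone who asks. Bind it to the scrape network instead, `listenAddress = "<scrape-net address>";`, or replace `openFirewall` with `networking.firewall.interfaces.<if>.allowedTCPPorts = [ 9100 ];` so only the interface Prometheus scrapes from is open.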
@@ -1,12 +1,10 @@ { zentralwerk, config, lib, ... }: { - sops.defaultSopsFile = ./secrets.yaml; - networking = { hostName = "prometheus"; firewall = { - allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ]; + allowedTCPPorts = [ /*22*/ 80 443 /*9090 9091 9093 9094*/ ]; enable = true; }; }; @@ -19,11 +17,11 @@ enable = true; openFirewall = true; webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; - listenAddress = "0.0.0.0"; + listenAddress = "127.0.0.1"; configuration = { "global" = { - "smtp_smarthost" = "mail.serv.zentralwerk.org:587"; - "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org"; + # "smtp_smarthost" = "mail.serv.zentralwerk.org:587"; + # "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org"; }; "route" = { "group_by" = [ "alertname" "alias" ]; @@ -50,14 +48,42 @@ }; }; - # alertmanagerURL = [ "https://prometheus.serv.zentralwerk.org/alertmanager/" ]; + # pushgateway = { + # enable = true; + # web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; + # }; - pushgateway = { - enable = true; - web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; - }; + # rules = [{ + # groups = [{ + # alert = "oom_kills"; + # expr = "increase(node_vmstat_oom_kill[7d]) > 0.999"; + # for = "10m"; + # labels = { + # severity = "error"; + # }; + # annotations = { + # summary = "Service gets oom killed"; + # # description = ""; + # }; + # }]; + # }]; - scrapeConfigs = [ { + rules = [ + '' + groups: + - name: default + rules: + - alert: oom_kills + expr: increase(node_vmstat_oom_kill[7d]) > 0.999 + for: 10m + labels: + severity: error + annotations: + summary: service gets oom killed + '' + ]; + + scrapeConfigs = [{ # TODO: authorization? job_name = "node"; scrape_interval = "1m"; 
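Review bot: `listenAddress = "127.0.0.1"` is the right move now that nginx fronts Alertmanager with basic auth, but the `openFirewall = true` two lines above survives, leaving a permissive rule for the Alertmanager port that nothing answers on today and that silently becomes an unauthenticated bypass if the bind address is ever widened again; set `openFirewall = false;` in the same change. The commented-out `smtp_*` lines leave `global` empty and the receivers are outside the hunk, so it is not visible whether any alert can be delivered at all; a comment stating that notifications are intentionally off would save the next reader a hunt. The `services.prometheus.alertmanager` block starts outside the hunk.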
@@ -65,31 +91,43 @@ let zwNets = zentralwerk.lib.config.site.net; fromNet = net: _: - map (host: - "${host}.${net}.zentralwerk.org:9100" - ) (builtins.attrNames zwNets.${net}.hosts4); - in [ { + map + (host: + "${host}.${net}.zentralwerk.org:9100" + ) + (builtins.attrNames zwNets.${net}.hosts4); + in + [{ targets = fromNet "serv" (_: true); labels.__meta_net = "net-serv"; - } { - targets = - fromNet "flpk" (host: host != "flpk-gw"); - labels.__meta_net = "net-flpk"; - } { - targets = - fromNet "cluster" (host: builtins.elem host [ - "server8" "server9" "server10" - ]); - labels.__meta_net = "net-flpk"; - } ]; - } ]; + } + { + targets = + fromNet "flpk" (host: host != "flpk-gw"); + labels.__meta_net = "net-flpk"; + } + { + targets = + fromNet "cluster" (host: builtins.elem host [ + "server8" + "server9" + "server10" + ]); + labels.__meta_net = "net-flpk"; + }]; + }]; - exporters.collectd.enable = true; - exporters.collectd.openFirewall = true; - - exporters.nginx.enable = true; - exporters.nginx.openFirewall = true; + exporters = { + collectd = { + enable = true; + openFirewall = true; + }; + nginx = { + enable = true; + openFirewall = true; + }; + }; }; services.nginx = { @@ -100,7 +138,14 @@ enableACME = true; forceSSL = true; locations."/" = { - proxyPass = "http://localhost:9090"; + proxyPass = "http://localhost:${toString config.services.prometheus.port}"; + extraConfig = '' + auth_basic "Prometheus"; + auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path}; + ''; + }; + locations."/alertmanager" = { + proxyPass = "http://localhost:${toString config.services.prometheus.alertmanager.port}"; extraConfig = '' auth_basic "Prometheus"; auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path}; 
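Review bot: The `labels.__meta_net` values on the static targets never reach a stored series: labels whose name starts with `__` are dropped once target relabeling is done, and this job has no `relabel_configs` that copies them, so the net tagging is a no-op; rename it to a plain label, `labels.net = "serv";`, or add a relabel rule. The `cluster` group also still says `net-flpk`, which looks like a copy-paste from the group above and should read `net-cluster`. The `scrapeConfigs` list this hunk reformats starts outside the hunk.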
@@ -108,7 +153,11 @@ }; }; }; - sops.secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; - system.stateVersion = "22.11"; # Did you read the comment? + sops = { + defaultSopsFile = ./secrets.yaml; + secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; + }; + + system.stateVersion = "22.11"; } From d918cf7d863874b820af214f3a1642cbf38794b0 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 10 Dec 2022 22:00:45 +0100 Subject: [PATCH 202/247] prometheus: enable collectdBinary receiver --- hosts/prometheus/default.nix | 43 +++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 42fab5ce..98f157db 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -4,7 +4,14 @@ networking = { hostName = "prometheus"; firewall = { - allowedTCPPorts = [ /*22*/ 80 443 /*9090 9091 9093 9094*/ ]; + allowedTCPPorts = [ + # nginx + 80 443 + ]; + allowedUDPPorts = [ + # services.prometheus.exporters.collectd.collectdBinary + 25826 + ]; enable = true; }; }; 
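Review bot: UDP 25826 is opened in `networking.firewall.allowedUDPPorts` for every interface, and nothing in this configuration authenticates senders to the `collectdBinary` receiver the port is opened for, so any host that can reach it can inject or overwrite metrics that later feed the alert rules. If the collectd senders all live on the internal nets this file scrapes, scoping the opening to that interface with `networking.firewall.interfaces.<iface>.allowedUDPPorts = [ 25826 ];` (or a source filter in `networking.firewall.extraCommands`) keeps the receiver off the public side. The comment naming the option is good; a second comment stating which hosts are expected to push would help whoever later decides whether the port can be narrowed.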
@@ -97,31 +104,31 @@ ) (builtins.attrNames zwNets.${net}.hosts4); in - [{ + [ { targets = fromNet "serv" (_: true); labels.__meta_net = "net-serv"; - } - { - targets = - fromNet "flpk" (host: host != "flpk-gw"); - labels.__meta_net = "net-flpk"; - } - { - targets = - fromNet "cluster" (host: builtins.elem host [ - "server8" - "server9" - "server10" - ]); - labels.__meta_net = "net-flpk"; - }]; + } { + targets = + fromNet "flpk" (host: host != "flpk-gw"); + labels.__meta_net = "net-flpk"; + } { + targets = + fromNet "cluster" (host: builtins.elem host [ + "server8" + "server9" + "server10" + ]); + labels.__meta_net = "net-flpk"; + } { + targets = [ "http://localhost:${toString config.services.prometheus.exporters.collectd.port}/metrics" ]; + } ]; }]; exporters = { collectd = { enable = true; - openFirewall = true; + collectdBinary.enable = true; }; nginx = { enable = true; From 8653a20c98c24c5003c7329b4188346fa19bf8f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 21:44:44 +0100 Subject: [PATCH 203/247] Fix alertmanager forwarding --- hosts/prometheus/default.nix | 80 ++++++++++++++++------------------- hosts/prometheus/secrets.yaml | 6 ++- 2 files changed, 41 insertions(+), 45 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 98f157db..c2ca5569 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix 
@@ -22,58 +22,32 @@ alertmanager = { enable = true; - openFirewall = true; webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; - listenAddress = "127.0.0.1"; + listenAddress = "[::1]"; configuration = { - "global" = { - # "smtp_smarthost" = "mail.serv.zentralwerk.org:587"; - # "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org"; - }; + "global" = { }; "route" = { - "group_by" = [ "alertname" "alias" ]; - "group_wait" = "30s"; - "group_interval" = "2m"; + "group_by" = [ "instance" ]; + "group_wait" = "1m"; + "group_interval" = "1m"; "repeat_interval" = "4h"; - "receiver" = "team-admins"; + "receiver" = "xmpp"; }; "receivers" = [{ - "name" = "team-admins"; - # "email_configs" = [ - # { - # "to" = "devnull@example.com"; - # "send_resolved" = true; - # } - # ]; - # "webhook_configs" = [ - # { - # "url" = "https://example.com/prometheus-alerts"; - # "send_resolved" = true; - # } - # ]; + "name" = "xmpp"; + "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ + "url" = "http://${listen_address}:${toString listen_port}/alert"; + }]; }]; }; }; - # pushgateway = { - # enable = true; - # web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; - # }; - - # rules = [{ - # groups = [{ - # alert = "oom_kills"; - # expr = "increase(node_vmstat_oom_kill[7d]) > 0.999"; - # for = "10m"; - # labels = { - # severity = "error"; - # }; - # annotations = { - # summary = "Service gets oom killed"; - # # description = ""; - # }; - # }]; - # }]; + alertmanagers = [{ + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.alertmanager.port}" ]; + }]; + path_prefix = "/alertmanager"; + }]; rules = [ '' @@ -121,7 +95,7 @@ ]); labels.__meta_net = "net-flpk"; } { - targets = [ "http://localhost:${toString config.services.prometheus.exporters.collectd.port}/metrics" ]; + targets = [ "localhost:${toString config.services.prometheus.exporters.collectd.port}" ]; } ]; }]; 
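Review bot: `listenAddress = "[::1]"` makes the alertmanager IPv6-only on loopback, while the `alertmanagers` static target added below and the existing nginx `proxyPass` for `/alertmanager` both use `localhost`; whether those still reach it depends on how `localhost` resolves on this host, and nginx resolves a static upstream name once at startup, so a 127.0.0.1-first answer would surface as connection refused. Pinning the target to the same literal, `targets = [ "[::1]:${toString config.services.prometheus.alertmanager.port}" ];`, and doing the same in the nginx location, removes the dependence on resolver order. The route changes (`group_by`, intervals, `receiver = "xmpp"`) are consistent with the new receiver definition.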
@@ -130,11 +104,25 @@ enable = true; collectdBinary.enable = true; }; + # TODO: deploy with every nginx nginx = { enable = true; openFirewall = true; }; }; + + webExternalUrl = "https://prometheus.serv.zentralwerk.org/"; + + xmpp-alerts = { + enable = true; + settings = { + jid = "alerta@jabber.c3d2.de"; + password_command = "cat ${config.sops.secrets."alertmanager/xmpp-password".path}"; + to_jid = "admins@chat.c3d2.de"; + listen_address = "127.0.0.1"; + listen_port = 9199; + }; + }; }; services.nginx = { @@ -164,7 +152,13 @@ sops = { defaultSopsFile = ./secrets.yaml; secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; + secrets."alertmanager/xmpp-password".owner = config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User; }; system.stateVersion = "22.11"; + + systemd.services.prometheus-xmpp-alerts.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "prometheus"; + }; } diff --git a/hosts/prometheus/secrets.yaml b/hosts/prometheus/secrets.yaml index c4aa3278..29bce232 100644 --- a/hosts/prometheus/secrets.yaml +++ b/hosts/prometheus/secrets.yaml @@ -1,3 +1,5 @@ +alertmanager: + xmpp-password: ENC[AES256_GCM,data:v+pRv/q4Z/ZT18PBxxKrq9P9QNbjN14edSeMCo5If6Y=,iv:oIdXFPdppgV7uTWY/eKSK9T2vDXW2Uur9iwnftQB+dQ=,tag:QD2MB3ZeMlvuGIMIpHI97Q==,type:str] nginx: httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str] sops: 
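Review bot: The `alertmanager/xmpp-password` secret is chowned to `config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User`, which the lines below force to `prometheus` via `DynamicUser = lib.mkForce false`; that places the XMPP credential in the same identity as the Prometheus server, so a compromise of Prometheus (or anything else running as that user) also yields the chat account. A dedicated system user, e.g. (constructed) `users.users.prometheus-xmpp-alerts = { isSystemUser = true; group = "prometheus-xmpp-alerts"; };` with `User` pointed at it, keeps the owner-based secret access narrow; if `DynamicUser` was disabled only because sops-nix needs a static uid to chown to, a comment saying so would stop the next reader from re-enabling it. The same hunk is repeated verbatim under PATCH 204, so whichever copy survives should carry the change.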
@@ -24,8 +26,8 @@ sops: dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-27T00:27:41Z" - mac: ENC[AES256_GCM,data:FsqddyIQqc0qZerOc6zXs39hBOOwh6Bnjd0gw+Kdq11NMxPFKd05/XGkpoHzVbAFioMc528XkpWubVO5rnCBsLKkwuCm+wtQbFU74oXXUbZKrF7Ucxk0bUSmCX1Y+YTsiO5SfUwWuO+YA5RZbdNekE19MYRnVQ4MDBnfWlrZERk=,iv:d8Rceuua4//ZEcDEoAziw70ySKv/PtPr46sM79s3Ex4=,tag:jfCwyfhjIrYlHgEyv8BaQA==,type:str] + lastmodified: "2022-12-10T21:16:19Z" + mac: ENC[AES256_GCM,data:yZyBuZE5Gb6TSViqZaugZeloGxbsspc1oDMVVaoNZ7fcDXT7ELg85qWTokLV5PcySeh2IUpDtaqt+QV8tqHlWbREOHHWi+gwBGfBWww7k+H6h9+Vj3hpydPBBohklMpYYWK0F8fAuJjLhE6Usv96N8/CnCv4NJUIjK33pca5vMY=,iv:s8jumWZMU52PKHq0FAdl8IDv7aSym9cOG0W/cSn9XUI=,tag:Rh3oCJ2jucubvqRs7A+abQ==,type:str] pgp: - created_at: "2022-11-27T00:27:03Z" enc: |- From 82ecb7fea53df71014ba24d5469d576746f76086 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 10 Dec 2022 21:44:44 +0100 Subject: [PATCH 204/247] Fix alertmanager forwarding --- hosts/prometheus/default.nix | 80 ++++++++++++++++------------------- hosts/prometheus/secrets.yaml | 6 ++- 2 files changed, 41 insertions(+), 45 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 98f157db..c2ca5569 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix 
@@ -22,58 +22,32 @@ alertmanager = { enable = true; - openFirewall = true; webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; - listenAddress = "127.0.0.1"; + listenAddress = "[::1]"; configuration = { - "global" = { - # "smtp_smarthost" = "mail.serv.zentralwerk.org:587"; - # "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org"; - }; + "global" = { }; "route" = { - "group_by" = [ "alertname" "alias" ]; - "group_wait" = "30s"; - "group_interval" = "2m"; + "group_by" = [ "instance" ]; + "group_wait" = "1m"; + "group_interval" = "1m"; "repeat_interval" = "4h"; - "receiver" = "team-admins"; + "receiver" = "xmpp"; }; "receivers" = [{ - "name" = "team-admins"; - # "email_configs" = [ - # { - # "to" = "devnull@example.com"; - # "send_resolved" = true; - # } - # ]; - # "webhook_configs" = [ - # { - # "url" = "https://example.com/prometheus-alerts"; - # "send_resolved" = true; - # } - # ]; + "name" = "xmpp"; + "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ + "url" = "http://${listen_address}:${toString listen_port}/alert"; + }]; }]; }; }; - # pushgateway = { - # enable = true; - # web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; - # }; - - # rules = [{ - # groups = [{ - # alert = "oom_kills"; - # expr = "increase(node_vmstat_oom_kill[7d]) > 0.999"; - # for = "10m"; - # labels = { - # severity = "error"; - # }; - # annotations = { - # summary = "Service gets oom killed"; - # # description = ""; - # }; - # }]; - # }]; + alertmanagers = [{ + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.alertmanager.port}" ]; + }]; + path_prefix = "/alertmanager"; + }]; rules = [ '' @@ -121,7 +95,7 @@ ]); labels.__meta_net = "net-flpk"; } { - targets = [ "http://localhost:${toString config.services.prometheus.exporters.collectd.port}/metrics" ]; + targets = [ "localhost:${toString config.services.prometheus.exporters.collectd.port}" ]; } ]; }]; 
@@ -130,11 +104,25 @@ enable = true; collectdBinary.enable = true; }; + # TODO: deploy with every nginx nginx = { enable = true; openFirewall = true; }; }; + + webExternalUrl = "https://prometheus.serv.zentralwerk.org/"; + + xmpp-alerts = { + enable = true; + settings = { + jid = "alerta@jabber.c3d2.de"; + password_command = "cat ${config.sops.secrets."alertmanager/xmpp-password".path}"; + to_jid = "admins@chat.c3d2.de"; + listen_address = "127.0.0.1"; + listen_port = 9199; + }; + }; }; services.nginx = { @@ -164,7 +152,13 @@ sops = { defaultSopsFile = ./secrets.yaml; secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; + secrets."alertmanager/xmpp-password".owner = config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User; }; system.stateVersion = "22.11"; + + systemd.services.prometheus-xmpp-alerts.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "prometheus"; + }; } diff --git a/hosts/prometheus/secrets.yaml b/hosts/prometheus/secrets.yaml index c4aa3278..29bce232 100644 --- a/hosts/prometheus/secrets.yaml +++ b/hosts/prometheus/secrets.yaml @@ -1,3 +1,5 @@ +alertmanager: + xmpp-password: ENC[AES256_GCM,data:v+pRv/q4Z/ZT18PBxxKrq9P9QNbjN14edSeMCo5If6Y=,iv:oIdXFPdppgV7uTWY/eKSK9T2vDXW2Uur9iwnftQB+dQ=,tag:QD2MB3ZeMlvuGIMIpHI97Q==,type:str] nginx: httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str] sops: 
@@ -24,8 +26,8 @@ sops: dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-27T00:27:41Z" - mac: ENC[AES256_GCM,data:FsqddyIQqc0qZerOc6zXs39hBOOwh6Bnjd0gw+Kdq11NMxPFKd05/XGkpoHzVbAFioMc528XkpWubVO5rnCBsLKkwuCm+wtQbFU74oXXUbZKrF7Ucxk0bUSmCX1Y+YTsiO5SfUwWuO+YA5RZbdNekE19MYRnVQ4MDBnfWlrZERk=,iv:d8Rceuua4//ZEcDEoAziw70ySKv/PtPr46sM79s3Ex4=,tag:jfCwyfhjIrYlHgEyv8BaQA==,type:str] + lastmodified: "2022-12-10T21:16:19Z" + mac: ENC[AES256_GCM,data:yZyBuZE5Gb6TSViqZaugZeloGxbsspc1oDMVVaoNZ7fcDXT7ELg85qWTokLV5PcySeh2IUpDtaqt+QV8tqHlWbREOHHWi+gwBGfBWww7k+H6h9+Vj3hpydPBBohklMpYYWK0F8fAuJjLhE6Usv96N8/CnCv4NJUIjK33pca5vMY=,iv:s8jumWZMU52PKHq0FAdl8IDv7aSym9cOG0W/cSn9XUI=,tag:Rh3oCJ2jucubvqRs7A+abQ==,type:str] pgp: - created_at: "2022-11-27T00:27:03Z" enc: |- From 1e21c9e1299124184b60f6add5ec4971516990a2 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 10 Dec 2022 23:37:36 +0100 Subject: [PATCH 205/247] mobilizon, oparl: bump deployment.mem these hosts have been ooming --- hosts/mobilizon/default.nix | 2 +- hosts/oparl/default.nix | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/mobilizon/default.nix b/hosts/mobilizon/default.nix index 689d3422..d69dbcea 100644 --- a/hosts/mobilizon/default.nix +++ b/hosts/mobilizon/default.nix @@ -1,10 +1,10 @@ { config, pkgs, ... }: { - microvm.mem = 1024; c3d2.isInHq = false; c3d2.deployment = { server = "server10"; mounts = [ "etc" "home" "var"]; + mem = 2048; }; system.stateVersion = "22.05"; networking = { diff --git a/hosts/oparl/default.nix b/hosts/oparl/default.nix index 713ca79e..0d373ad2 100644 --- a/hosts/oparl/default.nix +++ b/hosts/oparl/default.nix @@ -7,6 +7,7 @@ in c3d2.deployment = { server = "server10"; mounts = [ "etc" "home" "var"]; + mem = 1024; }; networking.hostName = "oparl"; From 5eecc110af85285b3a45e8128f4dd5614d92f040 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 11 Dec 2022 01:38:05 +0100 Subject: [PATCH 206/247] Fix mixed intend --- hosts/c3d2-web/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/c3d2-web/default.nix b/hosts/c3d2-web/default.nix index 4b5a66ac..41caf0a0 100644 --- a/hosts/c3d2-web/default.nix +++ b/hosts/c3d2-web/default.nix @@ -55,7 +55,7 @@ in "/status.png".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/status.png"; "/spaceapi.json".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/spaceapi.json"; - # WKD: Web Key Directory for PGP Keys + # WKD: Web Key Directory for PGP Keys "/openpgp" = { extraConfig = '' autoindex off; From add374047793be41dc082f80dc327fcb55703709 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 11 Dec 2022 02:07:56 +0100 Subject: [PATCH 207/247] Add telme10 --- hosts/c3d2-web/default.nix | 17 +++++++++++++++++ overlays/default.nix | 2 ++ overlays/telme10.nix | 21 +++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 overlays/telme10.nix diff --git a/hosts/c3d2-web/default.nix b/hosts/c3d2-web/default.nix index 41caf0a0..10e7fb41 100644 --- a/hosts/c3d2-web/default.nix +++ b/hosts/c3d2-web/default.nix @@ -16,6 +16,8 @@ in # Network setup networking.hostName = "c3d2-web"; networking.firewall.allowedTCPPorts = [ + # telme10 + 23 # http/https 80 443 # gemini @@ -112,6 +114,15 @@ in contentDir = geminiRoot; language = "de"; }; + + systemd.packages = with pkgs; [ telme10 ]; + + systemd.services.telme10 = { + serviceConfig = { + AmbientCapabilities="CAP_NET_BIND_SERVICE"; + }; + }; + # let agate access the tls certs systemd.services.agate = { requires = [ "agate-keys.service" ]; 
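Review bot: The drop-in for `systemd.services.telme10` only adds `AmbientCapabilities`; it does not set `User`, so whether the listener on the newly opened TCP port 23 runs as the `telme10` account created in the next hunk depends entirely on the vendored unit pulled in via `systemd.packages`, which is not visible here. Setting it explicitly, `User = "telme10"; Group = "telme10";` next to the capability, makes the privilege boundary visible in this file and survives upstream unit changes, and `NoNewPrivileges = true;` is cheap for a publicly reachable service. Style: `AmbientCapabilities = "CAP_NET_BIND_SERVICE";` with spaces around `=` matches the rest of the file.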
@@ -150,6 +161,12 @@ in home = "/var/lib/c3d2-web"; }; + users.groups.telme10 = {}; + users.users.telme10 = { + isSystemUser = true; + group = "telme10"; + }; + systemd.tmpfiles.rules = with config.users.users.c3d2-web; [ "d ${webroot}/c3d2 0755 c3d2-web ${group} -" "d ${webroot}/log 0755 c3d2-web ${group} -" diff --git a/overlays/default.nix b/overlays/default.nix index a734f614..2ded9bf2 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -92,6 +92,8 @@ with final; { simpleygggen-cpp = callPackage ./simpleygggen.nix { }; + telme10 = callPackage ./telme10.nix { }; + tracer-game = if true then throw "tracer-game: haddock runs on affection for 10 hours and more" diff --git a/overlays/telme10.nix b/overlays/telme10.nix new file mode 100644 index 00000000..d9e83d91 --- /dev/null +++ b/overlays/telme10.nix @@ -0,0 +1,21 @@ +{ stdenv +, buildGoModule +, fetchFromGitHub +}: + +buildGoModule { + pname = "telmet10"; + version = "unstable"; + + src = fetchFromGitHub { + owner = "c3d2"; + repo = "telmet10"; + rev = "5962266909bada6993a500ecce8707ec486d4cc0"; + sha256 = ""; + }; + + postInstall = '' + install -t $out/etc/systemd/system telme10.service + install -t $out/etc/systemd/system telme10.socket + ''; +} From 7cd28db298da1bacccdede760bbffdf429f93472 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 11 Dec 2022 00:27:55 +0100 Subject: [PATCH 208/247] mastodon: set LOG_LEVEL=debug --- hosts/mastodon/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 3b3e0be5..3a899d9a 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -43,6 +43,7 @@ DEFAULT_LOCALE = "de"; WEB_CONCURRENCY = toString config.deployment.vcpu; # MAX_THREADS = toString 5; + LOG_LEVEL = "debug"; LDAP_ENABLED = "true"; LDAP_METHOD = "simple_tls"; From f12ee0f88e444ae5e71108543496d654e0f91170 Mon Sep 17 00:00:00 2001 
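Review bot: `LOG_LEVEL = "debug"` is added with no marker that it is temporary, and the LDAP bind settings two lines down mean authentication flows will now be logged at debug verbosity, where Rails output is considerably noisier and more likely to include request details. If this is for a one-off investigation, a comment such as `# temporary: raised for debugging, revert to "info"` beside the line tells the next deployer it should not outlive it; `info` remains the safer steady-state value. The enclosing environment attribute set starts and ends outside the hunk.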
From: Astro Date: Sun, 11 Dec 2022 02:47:55 +0100 Subject: [PATCH 209/247] mobilizon, oparl: fix microvm.vm setting --- hosts/mobilizon/default.nix | 2 +- hosts/oparl/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/mobilizon/default.nix b/hosts/mobilizon/default.nix index d69dbcea..8dec9874 100644 --- a/hosts/mobilizon/default.nix +++ b/hosts/mobilizon/default.nix @@ -4,8 +4,8 @@ c3d2.deployment = { server = "server10"; mounts = [ "etc" "home" "var"]; - mem = 2048; }; + microvm.mem = 2048; system.stateVersion = "22.05"; networking = { hostName = "mobilizon"; diff --git a/hosts/oparl/default.nix b/hosts/oparl/default.nix index 0d373ad2..fd741dc6 100644 --- a/hosts/oparl/default.nix +++ b/hosts/oparl/default.nix @@ -7,8 +7,8 @@ in c3d2.deployment = { server = "server10"; mounts = [ "etc" "home" "var"]; - mem = 1024; }; + microvm.mem = 1024; networking.hostName = "oparl"; From 585a5ce6e50b3b8dc3f20f5c8417fedfc4290df0 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 11 Dec 2022 02:48:14 +0100 Subject: [PATCH 210/247] caveman: add nginx vhost "relay.fedi.buzz" --- hosts/caveman/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/caveman/default.nix b/hosts/caveman/default.nix index 7d33a5d5..ea127a8c 100644 --- a/hosts/caveman/default.nix +++ b/hosts/caveman/default.nix @@ -54,6 +54,11 @@ ]; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.caveman.gatherer.settings.listen_port}/"; }; + virtualHosts."relay.fedi.buzz" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:${toString 3000}/"; + }; }; }; } From af7b75df9e3b0a7940c8cebb84b5ac25b35ec9a0 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 01:45:17 +0100 Subject: [PATCH 211/247] packages: let microvm-update-* bail out with elaborative exception --- packages.nix | 51 +++++++++++++++++++++++++-------------------------- 1 file changed, 25 insertions(+), 26 deletions(-) 
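Review bot: `proxyPass = "http://127.0.0.1:${toString 3000}/"` wraps a literal in `toString` for no gain; either write `"http://127.0.0.1:3000/"` or, if a service option exists for the relay's port as it does for the gatherer in the line above (`config.services.caveman.gatherer.settings.listen_port`), reference that so the vhost and the service stay in sync. A short comment naming what listens on 3000 would also help, since nothing in this file shows which service the new `relay.fedi.buzz` vhost fronts.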
diff --git a/packages.nix b/packages.nix index cbd06fcf..e6601039 100644 --- a/packages.nix +++ b/packages.nix @@ -160,38 +160,37 @@ lib.attrsets.mapAttrs ssh ${target} "time nix-collect-garbage -d && time nix-store --optimise" ''; - "microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" '' - #!${pkgs.runtimeShell} -e + "microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" ( + if builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ] + then '' + #!${pkgs.runtimeShell} -e - ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' - echo "MicroVM must be configured to proper server" >&2 - exit 1 - ''} + ${hostConfig.system.build.copyToServer} ${inputPaths} - ${hostConfig.system.build.copyToServer} ${inputPaths} + ${hostConfig.system.build.runOnServer} bash -e < flake - nix build -L \ - -o current \ - ${self}#nixosConfigurations.${name}.config.microvm.declaredRunner - echo '${selfRef}' > flake + [ -e old ] && nix store diff-closures ./old ./current + ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} + ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} + ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - [ -e old ] && nix store diff-closures ./old ./current - ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name} - ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name} - ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name} - - systemctl restart microvm@${name}.service - END - ''; + systemctl restart microvm@${name}.service + END + '' + else throw "${name} is not configured to run on microvm.nix. Is it a physical host or is it deployed in Skyflake?" + ); "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' #!${pkgs.runtimeShell} -e From c63d8e3f1597112c51570235b3d8a5271a872874 Mon Sep 17 00:00:00 2001 
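Review bot: Replacing the runtime check with `throw` moves the failure from script execution to Nix evaluation of the `microvm-update-${name}` attribute, which is what the commit intends, but since this sits inside `lib.attrsets.mapAttrs` over every host, tooling that forces each package (`nix flake show`, `nix flake check`) will likely now hit the exception for Skyflake-deployed or physical hosts instead of listing a script that refuses to run. If that trade-off is acceptable, a comment above the `if` saying so is worth adding; otherwise keeping the `writeScriptBin` and moving the elaborated message into the script preserves the previous evaluation behaviour. The surrounding `mapAttrs` call and the `-local` variant begin and end outside this hunk.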
From: Astro Date: Mon, 12 Dec 2022 01:45:53 +0100 Subject: [PATCH 212/247] modules/microvm: remove legacy nomad leftover --- modules/microvm.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/microvm.nix b/modules/microvm.nix index b93b6d2a..9f1db3c3 100644 --- a/modules/microvm.nix +++ b/modules/microvm.nix @@ -37,11 +37,10 @@ in { options.c3d2.deployment = with lib; { server = mkOption { - type = types.enum [ "server9" "server10" "nomad" ]; + type = types.enum [ "server9" "server10" ]; default = null; description = '' - Server that is supposed to host this MicroVM, - or \"nomad\" for HA clustering. + Server that is supposed to host this MicroVM. ''; }; From 8f192b81ff44a02a238b8f56583002ba40db0653 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 01:46:24 +0100 Subject: [PATCH 213/247] stream: increase deployment.mem from 2G to 4G OOMs happened? --- hosts/stream/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix index f16f669e..9994c370 100644 --- a/hosts/stream/default.nix +++ b/hosts/stream/default.nix @@ -8,7 +8,7 @@ in deployment = { persistedShares = [ "/etc" "/home" "/var" ]; storage = "big"; - mem = 2048; + mem = 4096; networks = lib.mkForce [ "pub" "serv" ]; }; From fe4deea101bf75e50ba6b06938594a28604d5e72 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 02:16:31 +0100 Subject: [PATCH 214/247] prometheus: add some alerts --- hosts/prometheus/default.nix | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index c2ca5569..f994e9c1 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix 
@@ -61,6 +61,57 @@ severity: error annotations: summary: service gets oom killed + - alert: disk_free + expr: collectd_df_df_complex{type="free"} < 1024*1024*1024 + for: 10m + labels: + severity: warn + annotations: + summary: filesystem has less than 1GB of free space + - alert: load1 + expr: node_load1 > 100 + for: 1m + labels: + severity: warn + annotations: + summary: high loadavg + - alert: systemd_unit_failed + expr: node_systemd_unit_state{state="failed"} > 0 + for: 10m + labels: + severity: error + annotations: + summary: failed systemd units + - name: network + rules: + - alert: load1 + expr: collectd_load_0 > 4 + for: 1m + labels: + severity: warn + annotations: + summary: high loadavg + - alert: memory_free + expr: collectd_memory{memory="free"} < 4*1024*1024 + for: 10m + labels: + severity: warn + annotations: + summary: memory full + - alert: throughput0 + expr: increase(collectd_interface_if_octets_0_total[10m]) > 600 * 60 * 1024 * 1024 + for: 2h + labels: + severity: warn + annotations: + summary: sustained throughput + - alert: throughput1 + expr: increase(collectd_interface_if_octets_1_total[10m]) > 600 * 60 * 1024 * 1024 + for: 2h + labels: + severity: warn + annotations: + summary: sustained throughput '' ]; From 592d79a9e09e51f5dead09f992dcf4d769d4d2a5 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:15:04 +0100 Subject: [PATCH 215/247] owncast: mount archive --- hosts/owncast/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 12582185..20443038 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -2,9 +2,13 @@ { deployment = { - persistedShares = [ "/etc" "/home" "/var" ]; vcpu = 8; mem = 2048; + persistedShares = [ "/etc" "/home" "/var" ]; + extraShares = [ { + source = "/glusterfs/big/microvms/c3d2/config/owncast/archive"; + mountPoint = "/mnt/archive"; + } ]; }; c3d2.hq.statistics.enable = true; 
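Review bot: `memory_free` fires on `collectd_memory{memory="free"} < 4*1024*1024`; if that metric is in bytes, as collectd's memory plugin reports, the threshold is 4 MiB, which a host will essentially never show while still responsive, whereas `disk_free` directly above spells "1GB" as `1024*1024*1024`, so a missing `*1024` looks likely. Two rules in different groups share the alert name `load1` with different expressions and thresholds; distinct names such as `load1_node` and `load1_collectd` keep the summaries unambiguous in notifications. A `description` annotation per alert stating the unit of the threshold would make these reviewable without rereading the expressions.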
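Review bot: `deployment.extraShares` is used here, but the option is only introduced in the next patch (PATCH 216, `modules/cluster/deployment-options.nix`), so this commit does not evaluate on its own and breaks bisecting. Reordering the two commits, or squashing the option definition into this one, keeps every revision buildable.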
@@ -35,6 +39,13 @@ proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; }; + locations."/archive" = { + root = "/mnt/archive"; + extraConfig = '' + fancyindex on; + fancyindex_exact_size off; + ''; + }; }; }; } From 49b6b5dc4d15d01b56964b5c61e62f8bff526430 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:16:20 +0100 Subject: [PATCH 216/247] modules/cluster/deployment: add option extraShares --- modules/cluster/deployment-options.nix | 16 +++++++++++ modules/cluster/deployment.nix | 37 +++++++++++++++++--------- 2 files changed, 40 insertions(+), 13 deletions(-) diff --git a/modules/cluster/deployment-options.nix b/modules/cluster/deployment-options.nix index 2d0379ba..0a68d9fe 100644 --- a/modules/cluster/deployment-options.nix +++ b/modules/cluster/deployment-options.nix @@ -42,6 +42,22 @@ Which glusterfs volume to use for persistedShares ''; }; + extraShares = mkOption { + type = with types; listOf (submodule { + options = { + source = mkOption { + type = str; + }; + mountPoint = mkOption { + type = str; + }; + }; + }); + default = []; + description = '' + Extra shares. THESE MUST BE AVAILABLE ON ALL MICROVM HOSTS! + ''; + }; needForSpeed = mkOption { type = types.bool; default = false; diff --git a/modules/cluster/deployment.nix b/modules/cluster/deployment.nix index 6e77fea5..00225480 100644 --- a/modules/cluster/deployment.nix +++ b/modules/cluster/deployment.nix 
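Review bot: The `source` and `mountPoint` sub-options of `extraShares` have no `description`, unlike the surrounding options, so the generated option documentation says nothing about which side of the VM boundary each path is on. Suggested: `source = mkOption { type = str; description = "Host path; must exist on every MicroVM host"; };` and `mountPoint = mkOption { type = str; description = "Path inside the MicroVM"; };`. The enclosing `options` set starts and ends outside the hunk.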
@@ -37,19 +37,30 @@ in rm -f "${writableStoreOverlayImage}" ''; - shares = [ { - proto = "virtiofs"; - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } ] ++ map (mountPoint: { - proto = "virtiofs"; - tag = builtins.replaceStrings [ "/" ] [ "-" ] ( - withoutLeadingSlash mountPoint - ); - source = "/glusterfs/${config.deployment.storage}/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; - inherit mountPoint; - }) config.deployment.persistedShares; + shares = + [ { + proto = "virtiofs"; + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } ] + ++ + map (mountPoint: { + proto = "virtiofs"; + tag = builtins.replaceStrings [ "/" ] [ "-" ] ( + withoutLeadingSlash mountPoint + ); + source = "/glusterfs/${config.deployment.storage}/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}"; + inherit mountPoint; + }) config.deployment.persistedShares + ++ + map ({ source, mountPoint }: { + proto = "virtiofs"; + tag = builtins.replaceStrings [ "/" ] [ "-" ] ( + withoutLeadingSlash mountPoint + ); + inherit mountPoint source; + }) config.deployment.extraShares; volumes = [ { image = writableStoreOverlayImage; mountPoint = config.microvm.writableStoreOverlay; From bfae8d96d5c7a145238c3f0096b8e4e1a1c94703 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:20:41 +0100 Subject: [PATCH 217/247] owncast: fix nginx fancyindex --- hosts/owncast/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 20443038..d68eb1e8 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: { deployment = { @@ -27,6 +27,7 @@ recommendedOptimisation = true; recommendedTlsSettings = true; recommendedGzipSettings = true; + additionalModules = [ pkgs.nginxModules.fancyindex ]; virtualHosts."owncast.c3d2.de" = { default = true; forceSSL = true; 
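Review bot: The new `map` over `config.deployment.extraShares` passes `source` into the virtiofs share unchanged, whereas `persistedShares` above always derive the host path under `/glusterfs/${config.deployment.storage}/microvms/${user}/${repo}/${vmName}/`; an extra share can therefore export any host directory, including another VM's persisted state or host system paths, into the guest. If the intent is only to share gluster volumes, an `assertions` entry such as `assertion = lib.all (s: lib.hasPrefix "/glusterfs/" s.source) config.deployment.extraShares;` with a message pointing at `extraShares` makes that a hard constraint; otherwise a comment stating that `source` is trusted as given documents the choice. A one-line comment on the third concatenated list naming it as the `extraShares` branch would also help, since the three lists are otherwise undifferentiated.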
From 9f64181a58174399fdf658f7e77519b94e587217 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:22:57 +0100 Subject: [PATCH 218/247] owncast: location subdir needs alias not root --- hosts/owncast/default.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index d68eb1e8..14e60c7a 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -33,15 +33,12 @@ forceSSL = true; enableACME = true; - locations."/" = - let - inherit (config.services.owncast) port; - in { - proxyPass = "http://127.0.0.1:${toString port}"; - proxyWebsockets = true; - }; - locations."/archive" = { - root = "/mnt/archive"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}"; + proxyWebsockets = true; + }; + locations."/archive/" = { + alias = "/mnt/archive"; extraConfig = '' fancyindex on; fancyindex_exact_size off; From fccd9d918de01894f2cdd043cfe1fa1f18d13864 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:28:29 +0100 Subject: [PATCH 219/247] owncast: allow nginx access to archive --- hosts/owncast/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 14e60c7a..134014d4 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -46,4 +46,5 @@ }; }; }; + systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/archive" ]; } From 233498c9aef724aa5eab2af89c6f511ce1571eb3 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:31:06 +0100 Subject: [PATCH 220/247] owncast: fix? --- hosts/owncast/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 134014d4..cb599069 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix 
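Review bot: `systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/archive" ]` grants nginx write access to the archive, while the `/archive/` location only lists and serves files from it; `ReadOnlyPaths = [ "/mnt/archive" ];` gives the same visibility inside the service's mount namespace without letting a compromised nginx alter recordings. If write access was needed for some other reason, a comment saying why would keep this from being tightened later. The PATCH 221 hunk below carries the same setting forward as `config.services.owncast-archiver.targetDir`, so the change applies there too.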
@@ -38,7 +38,7 @@ proxyWebsockets = true; }; locations."/archive/" = { - alias = "/mnt/archive"; + alias = "/mnt/archive/"; extraConfig = '' fancyindex on; fancyindex_exact_size off; From 09065695512aa05530e038d9b589104958639bcb Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 12 Dec 2022 21:57:00 +0100 Subject: [PATCH 221/247] owncast: add archiver --- hosts/owncast/default.nix | 14 +++++-- hosts/owncast/owncast-archiver.nix | 61 ++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 3 deletions(-) create mode 100644 hosts/owncast/owncast-archiver.nix diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index cb599069..7d7a3759 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -1,13 +1,17 @@ { config, pkgs, ... }: { + imports = [ + ./owncast-archiver.nix + ]; + deployment = { vcpu = 8; mem = 2048; persistedShares = [ "/etc" "/home" "/var" ]; extraShares = [ { source = "/glusterfs/big/microvms/c3d2/config/owncast/archive"; - mountPoint = "/mnt/archive"; + mountPoint = config.services.owncast-archiver.targetDir; } ]; }; c3d2.hq.statistics.enable = true; @@ -38,7 +42,7 @@ proxyWebsockets = true; }; locations."/archive/" = { - alias = "/mnt/archive/"; + alias = "${config.services.owncast-archiver.targetDir}/"; extraConfig = '' fancyindex on; fancyindex_exact_size off; @@ -46,5 +50,9 @@ }; }; }; - systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/archive" ]; + systemd.services.nginx.serviceConfig.ReadWritePaths = [ + config.services.owncast-archiver.targetDir + ]; + + services.owncast-archiver.enable = true; } diff --git a/hosts/owncast/owncast-archiver.nix b/hosts/owncast/owncast-archiver.nix new file mode 100644 index 00000000..15938a04 --- /dev/null +++ b/hosts/owncast/owncast-archiver.nix 
@@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +let + + owncastArchiver = with pkgs; writeScript "owncast-archiver.sh" '' + #! ${runtimeShell} -e + + PATH=${lib.makeBinPath [ coreutils curl jq ffmpeg ]} + + while true; do + + STATUS="$(curl -s https://owncast.c3d2.de/api/status)" + ONLINE="$(echo "$STATUS" | jq -r .online)" + if [ "$ONLINE" = true ]; then + TITLE="$(echo "$STATUS" | jq -r .streamTitle)" + ffmpeg -i https://owncast.c3d2.de/hls/0/stream.m3u8 -c copy "$(echo "$(date -Iseconds)_$TITLE.mkv"|tr " +<>:/" "____\\-\\-")" + fi + + sleep ${toString cfg.pollInterval} + done + ''; + + cfg = config.services.owncast-archiver; + +in + +{ + options.services.owncast-archiver = with lib; { + enable = mkEnableOption "owncast archiver"; + + targetDir = mkOption { + type = types.str; + default = "/mnt/archive"; + }; + + pollInterval = mkOption { + type = types.int; + default = 10; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.archiver = { + isSystemUser = true; + group = "nginx"; + }; + + systemd.services.owncast-archiver = { + wantedBy = [ "multi-user.target" ]; + after = [ "owncast.service" ]; + serviceConfig = { + ReadWritePaths = cfg.targetDir; + WorkingDirectory = cfg.targetDir; + User = "archiver"; + ExecStart = owncastArchiver; + Restart = "always"; + RestartSec = 60; + }; + }; + }; +} From 5640331aefb9f9ab08c4dd715282b364164450bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 12 Dec 2022 23:51:18 +0100 Subject: [PATCH 222/247] Add tree globally --- modules/c3d2.nix | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 213e3d17..2d6e7122 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix 
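Review bot: `ReadWritePaths = cfg.targetDir` in the new service has no effect on its own, because systemd applies it only relative to a read-only view set up by `ProtectSystem=` or `ReadOnlyPaths=`, neither of which is set here; the recorder runs as `archiver` with ordinary access to the whole filesystem. Adding `ProtectSystem = "strict"; ProtectHome = true; NoNewPrivileges = true;` next to it makes the existing line meaningful and confines a process that consumes a remote stream and writes into a directory nginx serves. The stream title from the API is remote-controlled and goes into the output filename; the `tr` call maps `/` away so traversal is not possible, but a length cap would avoid `ffmpeg` failing on very long titles. Both `mkOption`s in `options.services.owncast-archiver` lack `description`s; `targetDir` should say it is where recordings are written and `pollInterval` that it is in seconds.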
@@ -434,26 +434,21 @@ in environment = { systemPackages = with pkgs; [ - # Network fetchers + bmon curl - wget + ethtool git - # System monitors htop iotop - bmon - ripgrep - # Terminal managers - tmux - screen - # Editors - vim - # Pipeview - pv - # Network debugging - tcpdump - ethtool mtr + pv + ripgrep + screen + tcpdump + tmux + tree + vim + wget ]; }; From 5926f0aca6b4ee6c8374a2215b8ccdf9b85ce1a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 12 Dec 2022 23:51:28 +0100 Subject: [PATCH 223/247] Fix telme10 overlay --- overlays/telme10.nix | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/overlays/telme10.nix b/overlays/telme10.nix index d9e83d91..f692d629 100644 --- a/overlays/telme10.nix +++ b/overlays/telme10.nix @@ -4,18 +4,25 @@ }: buildGoModule { - pname = "telmet10"; + pname = "telme10"; version = "unstable"; src = fetchFromGitHub { owner = "c3d2"; - repo = "telmet10"; + repo = "telme10"; rev = "5962266909bada6993a500ecce8707ec486d4cc0"; - sha256 = ""; + sha256 = "sha256-i6jKT2on8s9z5bLhCC4nYoLbngcbfTJykMW9JGc0/dY="; }; + postPatch = '' + substituteInPlace telme10.service \ + --replace "/usr/local/bin/telme10" "${placeholder "out"}/bin/telme10 [::]:23" + ''; + + vendorSha256 = "sha256-SzYAXvWE2qt7aPX99AhgTQe7tmGuaBuOUZNNg7+CvCQ="; + postInstall = '' - install -t $out/etc/systemd/system telme10.service - install -t $out/etc/systemd/system telme10.socket + install -Dt $out/etc/systemd/system telme10.service + install -Dt $out/etc/systemd/system telme10.socket ''; } From a789ba633e384e8db999ed15dd21be727648c596 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 13 Dec 2022 00:15:49 +0100 Subject: [PATCH 224/247] gitea: increase healthcheck timeout --- hosts/gitea/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index 1dd86955..0b32c641 100644 --- a/hosts/gitea/default.nix 
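Review bot: The `substituteInPlace ... --replace` in `postPatch` of overlays/telme10.nix does not fail when its needle is absent, so an upstream edit to `telme10.service` would leave `/usr/local/bin/telme10` in the unit while the package still builds cleanly; an explicit check after the substitution, `grep -q '${placeholder "out"}/bin/telme10' telme10.service`, turns that into a build failure. The `[::]:23` argument spliced into `ExecStart` is an exposure decision with no explanation — it binds the telnet port on every address — and the commit also installs `telme10.socket`, so a comment should state whether the daemon binds that address itself or receives the listening socket from the socket unit, e.g. `# listen on [::]:23 (all addresses); telme10.socket is installed alongside, confirm they do not both bind`. Whether the two units conflict cannot be determined from this page.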
+++ b/hosts/gitea/default.nix @@ -60,7 +60,7 @@ ENABLED = true; }; "cron.repo_health_check" = { - TIMEOUT = "120s"; + TIMEOUT = "300s"; }; "cron.resync_all_sshkeys" = { ENABLED = true; From 5cbd4ee6a573c324f7ea933eb89b8f4318b370a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Wed, 14 Dec 2022 20:55:02 +0100 Subject: [PATCH 225/247] Auto free nix store when almost full --- modules/c3d2.nix | 9 +++++---- modules/microvm-host.nix | 10 ++++------ 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 2d6e7122..bb2b1191 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -395,6 +395,11 @@ in nix = { settings = { + builders-use-substitutes = true; + connect-timeout = 20; + experimental-features = "nix-command flakes"; + fallback = true; + # don't self feed hydra trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [ (builtins.readFile ../hosts/hydra/cache-pub.key) ]; @@ -418,10 +423,6 @@ in url = "https://gitea.c3d2.de/C3D2/nix-config.git"; }; }; - extraOptions = '' - experimental-features = nix-command flakes - builders-use-substitutes = true - ''; }; services.openssh = { diff --git a/modules/microvm-host.nix b/modules/microvm-host.nix index 447bc573..8f66f3a4 100644 --- a/modules/microvm-host.nix +++ b/modules/microvm-host.nix @@ -59,13 +59,11 @@ }; nix.settings = { + min-free = 128000000; + max-free = 1000000000; # fetch github-prebuilt microvm-kernels - substituters = [ - "https://microvm.cachix.org" - ]; - trusted-public-keys = [ - "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys=" - ]; + substituters = [ "https://microvm.cachix.org" ]; + trusted-public-keys = [ "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys=" ]; }; environment.systemPackages = [ ( From 77c6fb4dcda5d694775d5afb8c1ec3ce62a23009 Mon Sep 17 00:00:00 2001 
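Review bot: `experimental-features = "nix-command flakes";` added to the shared `nix.settings` in modules/c3d2.nix is a plain string, and the module system cannot merge two string definitions of the same setting, so a host that sets its own value — hydra's `experimental-features = "ca-derivations nix-command flakes";` in hosts/hydra/hydra.nix — stops evaluating; that is presumably what the following "Fix eval" commit works around by deleting hydra's line, which silently drops `ca-derivations` there. Lists do merge across modules, as the `trusted-public-keys` definitions in this same commit rely on, so `experimental-features = [ "nix-command" "flakes" ];` here and `experimental-features = [ "ca-derivations" ];` in hydra.nix keep both. The second c3d2.nix hunk, which removes the old `extraOptions` text, is the right companion change and needs nothing further.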
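Review bot: `min-free = 128000000;` and `max-free = 1000000000;` in modules/microvm-host.nix are bare numbers with no unit or rationale; a reader has to know that Nix reads both in bytes and that garbage collection starts when free store space drops below `min-free` and stops once `max-free` bytes are available or no garbage is left. Writing them as `min-free = 128 * 1000 * 1000; # bytes: start GC below 128 MB free` and `max-free = 1000 * 1000 * 1000; # bytes: stop GC once 1 GB is free` keeps the values and documents them. Whether 128 MB of headroom is enough on a host that also builds microvm kernels is a separate question the commit message does not answer.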
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 15 Dec 2022 00:23:20 +0100
Subject: [PATCH 226/247] Fix eval
---
 hosts/hydra/hydra.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix
index 25bb9c5b..9e91e45e 100644
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@@ -81,7 +81,6 @@ in
 settings = {
 allowed-uris = "http:// https:// ssh://";
 builders-use-substitutes = true;
- experimental-features = "ca-derivations nix-command flakes";
 trusted-users = [ "hydra" "root" ];
 };
 };
From a598a46b537afc612ad42ccc6b27a2f4e6244802 Mon Sep 17 00:00:00 2001
From: Astrobot Date: Fri, 16 Dec 2022 10:01:08 +0100 Subject: [PATCH 227/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'fenix': 'github:nix-community/fenix/e7941faba7f6cd0a6058330ad8c40d8dc52d741c' (2022-12-08) → 'github:nix-community/fenix/d3eaf97d81161bea9177cc80e07d26ba2d96569f' (2022-12-16) • Updated input 'fenix/rust-analyzer-src': 'github:rust-lang/rust-analyzer/6e8a54d0f68702cf7981c8299357838eb0f4d5b2' (2022-12-07) → 'github:rust-lang/rust-analyzer/95671d53ea3063da5316784af9ef69c71219f320' (2022-12-14) • Updated input 'microvm': 'github:astro/microvm.nix/e2a1bf59987544faec4d27ce5700e5ef96201a5f' (2022-12-01) → 'github:astro/microvm.nix/b12b4d426e1050479e9d571c81cda2b7ae0256da' (2022-12-13) • Updated input 'naersk': 'github:nix-community/naersk/6944160c19cb591eb85bbf9b2f2768a935623ed3' (2022-09-03) → 'github:nix-community/naersk/d998160d6a076cfe8f9741e56aeec7e267e3e114' (2022-12-15) • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/9eab792f91cb76e1ad5bc3e73b05eb2d4828f4a9' (2022-12-08) → 'github:SuperSandro2000/nixpkgs/6581f2938bce05daa57958df381c78e20cb86379' (2022-12-10) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/9d87bc030a0bf3f00e953dbf095a7d8e852dab6b' (2022-12-04) → 'github:nixos/nixos-hardware/1f6067272161d03d1c9f0b46fbf7cb090d016a9c' (2022-12-15) • Updated input 'nixos-unstable': 'github:nixos/nixpkgs/1c9ffcf70786f0966982ce0fc76ec05df2e1dec2' (2022-12-06) → 'github:nixos/nixpkgs/0f5996b524c91677891a432cc99c7567c7c402b1' (2022-12-15) • Updated input 'nixos-unstable-simd': 'github:SuperSandro2000/nixpkgs/d03760999bbaf63b848f3bb58b9e1ee0c034721e' (2022-12-08) → 'github:SuperSandro2000/nixpkgs/81300b7b86eada9c92aa19e5d9b8e96d642d7fea' (2022-12-16) • Updated input 'openwrt': 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=295c612a4a76e9f0860e2efdb609a38bc74d3e4a' (2022-12-07) → 
'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02&rev=784565b6a0ad482b19c4851b0ce8ffeddb7010c1' (2022-12-09) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/29733301042477d878af2985c1367047030f2f5e' (2022-12-08) → 'github:astro/nix-openwrt-imagebuilder/ceff07e297c470656ae8ea17c33a35e6bcf19c4d' (2022-12-15) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/073959f0687277a54bfaa3ac7a77feb072f88186' (2022-12-08) → 'github:oxalica/rust-overlay/7da2f6b3a0c32f661cb2864d7fbd1d7e6f0c7543' (2022-12-16) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=db0f8817002137d57c811cc2e59b011d6cc97124' (2022-11-30) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=b3674af31ddc80aaae95b2b94438e70aa1147dc0' (2022-12-14) --- flake.lock | 76 +++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index 21fc671a..83326f96 100644 --- a/flake.lock +++ b/flake.lock @@ -113,11 +113,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1670480689, - "narHash": "sha256-DADoR6R7DpnQaZjuUr6Z5EeNxr9ClP6u3Oqf7PpS9yA=", + "lastModified": 1671171782, + "narHash": "sha256-G7FNiYVl/jOkvNEhLO8O7uq0MuhFLKGMsCxFjqATVc0=", "owner": "nix-community", "repo": "fenix", - "rev": "e7941faba7f6cd0a6058330ad8c40d8dc52d741c", + "rev": "d3eaf97d81161bea9177cc80e07d26ba2d96569f", "type": "github" }, "original": { @@ -237,11 +237,11 @@ ] }, "locked": { - "lastModified": 1669921518, - "narHash": "sha256-OWSXXmVzceV6Ild0nVEJjMsP9doCK+F4og30Mareaog=", + "lastModified": 1670897870, + "narHash": "sha256-nWLU48WlhVYm53cTUEDX8mZwZqdzObO6299hrCmdYcU=", "owner": "astro", "repo": "microvm.nix", - "rev": "e2a1bf59987544faec4d27ce5700e5ef96201a5f", + "rev": "b12b4d426e1050479e9d571c81cda2b7ae0256da", "type": "github" }, "original": { 
@@ -275,11 +275,11 @@ ] }, "locked": { - "lastModified": 1662220400, - "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=", + "lastModified": 1671096816, + "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=", "owner": "nix-community", "repo": "naersk", - "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3", + "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1670542845, - "narHash": "sha256-gSrX2Pq5FlYQVRfNw5elO/QX7O48SnItyXeEc/4jZxI=", + "lastModified": 1670643121, + "narHash": "sha256-wPJHuOlamTwm5FE3aiowzs4SY1rzpg10dDKmBMgCpxI=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "9eab792f91cb76e1ad5bc3e73b05eb2d4828f4a9", + "rev": "6581f2938bce05daa57958df381c78e20cb86379", "type": "github" }, "original": { @@ -365,11 +365,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1670174919, - "narHash": "sha256-XdQr3BUnrvVLRFunLWrZORhwYHDG0+9jUUe0Jv1pths=", + "lastModified": 1671106796, + "narHash": "sha256-moAUZMJeGmZAccpZYbAbNVTsmLTkhNU3CdatGg1oKUE=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "9d87bc030a0bf3f00e953dbf095a7d8e852dab6b", + "rev": "1f6067272161d03d1c9f0b46fbf7cb090d016a9c", "type": "github" }, "original": { @@ -396,11 +396,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1670332253, - "narHash": "sha256-O5SmhlIUt1s+vK4NXeGYqwcBIMwbBPAEZ3GHE3XT28c=", + "lastModified": 1671108576, + "narHash": "sha256-6ggOL6KoaELNA1562tnPjtAnQ9SwsKRTgeuaXvPzCwI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1c9ffcf70786f0966982ce0fc76ec05df2e1dec2", + "rev": "0f5996b524c91677891a432cc99c7567c7c402b1", "type": "github" }, "original": { 
@@ -412,11 +412,11 @@ }, "nixos-unstable-simd": { "locked": { - "lastModified": 1670518490, - "narHash": "sha256-J0Ckjl7Q+l2DZRneuC+HTId3Itc0C9NToG8N72uevjY=", + "lastModified": 1671152257, + "narHash": "sha256-gwzN2k9hK2yPXNuXDzycv1R9dHN2P3PAHsm7EsIDKUw=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "d03760999bbaf63b848f3bb58b9e1ee0c034721e", + "rev": "81300b7b86eada9c92aa19e5d9b8e96d642d7fea", "type": "github" }, "original": { @@ -490,11 +490,11 @@ "openwrt": { "flake": false, "locked": { - "lastModified": 1670433513, - "narHash": "sha256-gqlSkpWgC6rONYGZLzM5Fwc+ssoC7NiR2O3DCFtRRMM=", + "lastModified": 1670552749, + "narHash": "sha256-ZhbNee6F+vJRirskdiYpXVRldJTHSbClLiYtJe4wgqE=", "ref": "openwrt-21.02", - "rev": "295c612a4a76e9f0860e2efdb609a38bc74d3e4a", - "revCount": 51263, + "rev": "784565b6a0ad482b19c4851b0ce8ffeddb7010c1", + "revCount": 51264, "type": "git", "url": "https://git.openwrt.org/openwrt/openwrt.git" }, @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1670531824, - "narHash": "sha256-jRD5CVLdXTyXn8uqOGBqDllNjz3ZzUSKInXQETUwowg=", + "lastModified": 1671135768, + "narHash": "sha256-B05nP6LXLs8L1/uqNgxIOTO6df6l4UFwXEqmtLOjVYM=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "29733301042477d878af2985c1367047030f2f5e", + "rev": "ceff07e297c470656ae8ea17c33a35e6bcf19c4d", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1670426523, - "narHash": "sha256-Zh+pAuj4PmBmISXCz+54yVSwSXZwbn+ZELgM85xVUE0=", + "lastModified": 1671029659, + "narHash": "sha256-2sqAgHcLWpNGVHG2LQIXgRMuqgCArOD9frQSrrXrwSA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "6e8a54d0f68702cf7981c8299357838eb0f4d5b2", + "rev": "95671d53ea3063da5316784af9ef69c71219f320", "type": "github" }, "original": { 
@@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1670466538, - "narHash": "sha256-qz3MwPVTHJb62vPRJMXJ+waqjEUHrjTyjXyLHqF0DrE=", + "lastModified": 1671157233, + "narHash": "sha256-gvQaOKaV1UK6IzsFzkVLsEavGxnAsQFT3zUqcg0RXLU=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "073959f0687277a54bfaa3ac7a77feb072f88186", + "rev": "7da2f6b3a0c32f661cb2864d7fbd1d7e6f0c7543", "type": "github" }, "original": { @@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1669838903, - "narHash": "sha256-zvzK1yC7ziQyZN7ZEb8CtuXKhag/nBBuU99oYVF80Ig=", + "lastModified": 1671049716, + "narHash": "sha256-gqNiogKXwn3qzrka821yHmfVdYh3VW+RFB8pR69YXyw=", "ref": "refs/heads/master", - "rev": "db0f8817002137d57c811cc2e59b011d6cc97124", - "revCount": 1677, + "rev": "b3674af31ddc80aaae95b2b94438e70aa1147dc0", + "revCount": 1683, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From a704213e594faa2950cbeac38361d343a361e0da Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 14 Dec 2022 23:22:20 +0100 Subject: [PATCH 228/247] mastodon: bump mem --- hosts/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index 3a899d9a..055d4795 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -1,7 +1,7 @@ { zentralwerk, config, lib, pkgs, ... }: { deployment = { - mem = 8192; + mem = 16 * 1024; vcpu = 16; needForSpeed = true; }; From 59e47436f39e41097b0ac03b2cf7517a35272d8d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 16 Dec 2022 21:14:26 +0100 Subject: [PATCH 229/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/6581f2938bce05daa57958df381c78e20cb86379' (2022-12-10) → 'github:SuperSandro2000/nixpkgs/0a597dc83e81526de48488088c92349d7170445c' (2022-12-16) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/1f6067272161d03d1c9f0b46fbf7cb090d016a9c' (2022-12-15) → 'github:nixos/nixos-hardware/488931efb69a50307fa0d71e23e78c8706909416' (2022-12-16) • Updated input 'nixos-unstable-simd': 'github:SuperSandro2000/nixpkgs/81300b7b86eada9c92aa19e5d9b8e96d642d7fea' (2022-12-16) → 'github:SuperSandro2000/nixpkgs/8ef6d44870fbc02b5c43922b8dbe95aa8b53091b' (2022-12-16) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/ceff07e297c470656ae8ea17c33a35e6bcf19c4d' (2022-12-15) → 'github:astro/nix-openwrt-imagebuilder/a53edbc364df74d467d4f1e8d45dca6ee4e92ced' (2022-12-16) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=b3674af31ddc80aaae95b2b94438e70aa1147dc0' (2022-12-14) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs%2fheads%2fmaster&rev=4f090527d4cc64305add16ba68c6f72a275a507b' (2022-12-16) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 83326f96..8f67b160 100644 --- a/flake.lock +++ b/flake.lock 
@@ -349,11 +349,11 @@ }, "nixos": { "locked": { - "lastModified": 1670643121, - "narHash": "sha256-wPJHuOlamTwm5FE3aiowzs4SY1rzpg10dDKmBMgCpxI=", + "lastModified": 1671217927, + "narHash": "sha256-VjoidSKImZGWYqL1Z+ntfEzqeMjNX4zxcBr9PIqORwM=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "6581f2938bce05daa57958df381c78e20cb86379", + "rev": "0a597dc83e81526de48488088c92349d7170445c", "type": "github" }, "original": { @@ -365,11 +365,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1671106796, - "narHash": "sha256-moAUZMJeGmZAccpZYbAbNVTsmLTkhNU3CdatGg1oKUE=", + "lastModified": 1671183612, + "narHash": "sha256-Q6so0tBGEb9Bhx++FP6cJQ+K83hOZ99ffmcdcWtDS14=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "1f6067272161d03d1c9f0b46fbf7cb090d016a9c", + "rev": "488931efb69a50307fa0d71e23e78c8706909416", "type": "github" }, "original": { @@ -412,11 +412,11 @@ }, "nixos-unstable-simd": { "locked": { - "lastModified": 1671152257, - "narHash": "sha256-gwzN2k9hK2yPXNuXDzycv1R9dHN2P3PAHsm7EsIDKUw=", + "lastModified": 1671211489, + "narHash": "sha256-0AbRULr8+U70TPLiMz7PK8mTp1lD+Ct8VKElZ0WmPzE=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "81300b7b86eada9c92aa19e5d9b8e96d642d7fea", + "rev": "8ef6d44870fbc02b5c43922b8dbe95aa8b53091b", "type": "github" }, "original": { @@ -511,11 +511,11 @@ ] }, "locked": { - "lastModified": 1671135768, - "narHash": "sha256-B05nP6LXLs8L1/uqNgxIOTO6df6l4UFwXEqmtLOjVYM=", + "lastModified": 1671207552, + "narHash": "sha256-7C3QXWM615TJJqNQlKS27HaQh/m6vctKhZ1fw9ex7xE=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "ceff07e297c470656ae8ea17c33a35e6bcf19c4d", + "rev": "a53edbc364df74d467d4f1e8d45dca6ee4e92ced", "type": "github" }, "original": { 
@@ -830,11 +830,11 @@ ] }, "locked": { - "lastModified": 1671049716, - "narHash": "sha256-gqNiogKXwn3qzrka821yHmfVdYh3VW+RFB8pR69YXyw=", + "lastModified": 1671215340, + "narHash": "sha256-e1+KFpcOxdz0yvThbHszq9+sXhH7SsFGP/dsIpUrvZY=", "ref": "refs/heads/master", - "rev": "b3674af31ddc80aaae95b2b94438e70aa1147dc0", - "revCount": 1683, + "rev": "4f090527d4cc64305add16ba68c6f72a275a507b", + "revCount": 1689, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, From 1affe00d39bb4e6fa901c7473502222df9b980ba Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 16 Dec 2022 21:25:56 +0100 Subject: [PATCH 230/247] public-access-proxy: fix c3d2-web addrs --- hosts/public-access-proxy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix index e2d7a8b7..e2e16cc0 100644 --- a/hosts/public-access-proxy/default.nix +++ b/hosts/public-access-proxy/default.nix @@ -65,7 +65,7 @@ "autotopia.c3d2.de" "c3d2-web.serv.zentralwerk.org" ]; - proxyTo.host = config.c3d2.hosts.c3d2-web.ip4; + proxyTo.host = zentralwerk.lib.config.site.net.flpk.hosts4.c3d2-web; } { hostNames = [ "codimd.c3d2.de" @@ -155,7 +155,7 @@ wantedBy = [ "multi-user.target" ]; path = with pkgs; [ socat ]; script = '' - socat tcp6-listen:1965,fork "tcp6:[${zentralwerk.lib.config.site.net.serv.hosts6.dn42.c3d2-web}]:1965" + socat tcp6-listen:1965,fork "tcp6:[${zentralwerk.lib.config.site.net.flpk.hosts6.flpk.c3d2-web}]:1965" ''; serviceConfig = { ProtectSystem = "strict"; From fb7a3936602994097d882d46aef5cda0a14154c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 16 Dec 2022 21:26:18 +0100 Subject: [PATCH 231/247] overlays: remove upstream nix patch --- overlays/default.nix | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/overlays/default.nix b/overlays/default.nix index 2ded9bf2..ebd36aee 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
@@ -64,19 +64,6 @@ with final; { mlat-client = python3Packages.callPackage ./mlat-client.nix { }; - nixVersions = - prev.nixVersions // { - stable = prev.nixVersions.stable.overrideAttrs (oldAttrs: { - patches = oldAttrs.patches or [ ] ++ lib.optionals (lib.versionAtLeast prev.nixVersions.stable.version "2.9") [ - # use github.com archive URL instead of api.github.com - (fetchpatch { - url = "https://github.com/NixOS/nix/pull/6997.patch"; - sha256 = "sha256-JaQ6OY1RjxCYymkI/x0rmKH8XVXYs5psRwNJ4TPHPS0="; - }) - ]; - }); - }; - openssh = prev.openssh.overrideAttrs (oldAttrs: { # takes 30 minutes doCheck = false; From c2d21103f80d909d4d76eabfb338b61f2f2cbb51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 16 Dec 2022 21:55:47 +0100 Subject: [PATCH 232/247] Remove unused module --- modules/lxc-container.nix | 66 --------------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 modules/lxc-container.nix diff --git a/modules/lxc-container.nix b/modules/lxc-container.nix deleted file mode 100644 index 807b45cd..00000000 --- a/modules/lxc-container.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -{ hostRegistry, config, pkgs, lib, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/profiles/docker-container.nix") - ]; - - boot = { - isContainer = true; - loader = { - grub.enable = false; - # /sbin/init - initScript.enable = true; - }; - }; - - environment.etc."resolv.conf".text = lib.concatMapStrings (ns: '' - nameserver ${ns} - '') config.networking.nameservers; - - fileSystems."/" = { - fsType = "rootfs"; - device = "rootfs"; - }; - - nix = { - useSandbox = false; - maxJobs = lib.mkDefault 1; - buildCores = lib.mkDefault 4; - }; - - networking = { - interfaces.eth0 = { - useDHCP = false; - tempAddress = "disabled"; - }; - nameservers = with hostRegistry.hosts.dnscache; [ - ip4 - ip6 - "9.9.9.9" - ]; - networkmanager.dns = "unbound"; - useDHCP = false; - useHostResolvConf = false; - useNetworkd = true; - }; - - services = { - # Required for remote deployment - openssh.enable = true; - resolved.enable = false; - }; - - # Create a few files early before packing tarball for Proxmox architecture/OS detection. - system.extraSystemBuilderCmds = '' - mkdir -m 0755 -p $out/bin - ln -s ${pkgs.bash}/bin/bash $out/bin/sh - mkdir -m 0755 -p $out/sbin - ln -s ../init $out/sbin/init - ''; - - systemd.network.networks."40-eth0".networkConfig = { - IPv6AcceptRA = true; - LinkLocalAddressing = "ipv6"; - }; -} From eb39c1d4039e81f2f9c9ca47640c3e784371943f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 16 Dec 2022 21:56:22 +0100 Subject: [PATCH 233/247] Migrate deprecated options --- hosts/glotzbert/default.nix | 6 +++--- hosts/glotzbert/hardware-configuration.nix | 1 - hosts/radiobert/default.nix | 6 +++--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index 5847dc3a..b3474ad7 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix 
@@ -13,9 +13,9 @@ nixpkgs.config.allowUnfree = true; - nix = { - buildCores = 4; - maxJobs = 4; + nix.settings = { + cores = 4; + max-jobs = 4; }; sops = { diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 4d5aa8da..d2478121 100644 --- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix @@ -24,6 +24,5 @@ swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix index 69085379..f55406bb 100644 --- a/hosts/radiobert/default.nix +++ b/hosts/radiobert/default.nix @@ -85,9 +85,9 @@ pkgs.makeModulesClosure (x // { allowMissing = true; }); }; - nix = { - buildCores = 4; - maxJobs = 2; + nix.settings = { + cores = 4; + max-jobs = 2; }; sops = { From 3571d962fa2babbfc53d5d53a857eb3e12070219 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 17 Dec 2022 00:47:47 +0100 Subject: [PATCH 234/247] prometheus: add alert2muc --- flake.lock | 70 ++++++++++++++++++++++++++++++++--- flake.nix | 7 +++- hosts/prometheus/default.nix | 17 +++------ hosts/prometheus/secrets.yaml | 6 ++- 4 files changed, 81 insertions(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index 8f67b160..f25be350 100644 --- a/flake.lock +++ b/flake.lock 
@@ -23,12 +23,34 @@ "url": "https://gitea.nek0.eu/nek0/affection" } }, - "bevy-julia": { + "alert2muc": { "inputs": { "naersk": "naersk", "nixpkgs": [ "nixos" ], + "utils": "utils" + }, + "locked": { + "lastModified": 1671235085, + "narHash": "sha256-ii7LsyYrnm3puQrCpfsYvIjVpLoPW5qhBmVdSybvTUA=", + "ref": "refs/heads/main", + "rev": "2cf4e1dbc0c6ceb96387f2d6445b784abc537f8f", + "revCount": 12, + "type": "git", + "url": "https://gitea.c3d2.de/astro/alert2muc" + }, + "original": { + "type": "git", + "url": "https://gitea.c3d2.de/astro/alert2muc" + } + }, + "bevy-julia": { + "inputs": { + "naersk": "naersk_2", + "nixpkgs": [ + "nixos" + ], "rust-overlay": [ "rust-overlay" ] @@ -251,6 +273,28 @@ } }, "naersk": { + "inputs": { + "nixpkgs": [ + "alert2muc", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1671096816, + "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=", + "owner": "nix-community", + "repo": "naersk", + "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "naersk", + "type": "github" + } + }, + "naersk_2": { "inputs": { "nixpkgs": "nixpkgs" }, @@ -268,7 +312,7 @@ "type": "github" } }, - "naersk_2": { + "naersk_3": { "inputs": { "nixpkgs": [ "nixos" @@ -288,7 +332,7 @@ "type": "github" } }, - "naersk_3": { + "naersk_4": { "inputs": { "nixpkgs": [ "ticker", @@ -527,6 +571,7 @@ "root": { "inputs": { "affection-src": "affection-src", + "alert2muc": "alert2muc", "bevy-julia": "bevy-julia", "bevy-mandelbrot": "bevy-mandelbrot", "caveman": "caveman", @@ -536,7 +581,7 @@ "heliwatch": "heliwatch", "hydra-ca": "hydra-ca", "microvm": "microvm", - "naersk": "naersk_2", + "naersk": "naersk_3", "nixos": "nixos", "nixos-hardware": "nixos-hardware", "nixos-mobilizon": "nixos-mobilizon", @@ -732,7 +777,7 @@ "fenix": [ "fenix" ], - "naersk": "naersk_3", + "naersk": "naersk_4", "nixpkgs": [ "nixos" ], 
@@ -796,6 +841,21 @@ "url": "https://gitea.c3d2.de/astro/tracer" } }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "yammat": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 78420d9c..f6c4c062 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ flake-utils.follows = "flake-utils"; }; }; + alert2muc = { + url = "git+https://gitea.c3d2.de/astro/alert2muc"; + inputs.nixpkgs.follows = "nixos"; + }; bevy-mandelbrot = { # url = "github:matelab/bevy_mandelbrot"; url = "git+https://gitea.c3d2.de/astro/bevy-mandelbrot.git?ref=main"; @@ -174,7 +178,7 @@ }; }; - outputs = inputs@{ self, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, nixos-unstable-simd, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: + outputs = inputs@{ self, alert2muc, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, nixos-unstable-simd, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: let inherit (nixos) lib; @@ -702,6 +706,7 @@ prometheus = nixosSystem' { modules = [ self.nixosModules.cluster-options + alert2muc.nixosModules.default ./hosts/prometheus ]; }; diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index f994e9c1..9688b83c 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -36,7 +36,7 @@ "receivers" = [{ "name" = "xmpp"; "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ - "url" = "http://${listen_address}:${toString listen_port}/alert"; + "url" = "http://127.0.0.1:9022/"; }]; }]; }; 
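Review bot: `"url" = "http://127.0.0.1:9022/";` in the hosts/prometheus/default.nix hunk hardcodes the port alert2muc presumably listens on, while the enclosing `with config.services.prometheus.xmpp-alerts.settings;` that used to supply `listen_address` and `listen_port` is now dead scope; the same literal reappears as the `localhost:9022` alertmanager target two commits later on this page. Bind the endpoint once: reference the alert2muc module's listen option if it exposes one, otherwise a `let alert2mucUrl = "http://127.0.0.1:9022/"; in` at the top of the file, or at least a comment `# alert2muc webhook endpoint; keep in sync with services.alert2muc config`, and drop the unused `with`. Whether alert2muc accepts the alertmanager webhook format cannot be verified from this page.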
@@ -163,17 +163,11 @@ }; webExternalUrl = "https://prometheus.serv.zentralwerk.org/"; + }; - xmpp-alerts = { - enable = true; - settings = { - jid = "alerta@jabber.c3d2.de"; - password_command = "cat ${config.sops.secrets."alertmanager/xmpp-password".path}"; - to_jid = "admins@chat.c3d2.de"; - listen_address = "127.0.0.1"; - listen_port = 9199; - }; - }; + services.alert2muc = { + enable = true; + configFile = config.sops.secrets."alert2muc/config".path; }; services.nginx = { @@ -204,6 +198,7 @@ defaultSopsFile = ./secrets.yaml; secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; secrets."alertmanager/xmpp-password".owner = config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User; + secrets."alert2muc/config".owner = config.services.alert2muc.user; }; system.stateVersion = "22.11"; diff --git a/hosts/prometheus/secrets.yaml b/hosts/prometheus/secrets.yaml index 29bce232..038ee873 100644 --- a/hosts/prometheus/secrets.yaml +++ b/hosts/prometheus/secrets.yaml @@ -1,5 +1,7 @@ alertmanager: xmpp-password: ENC[AES256_GCM,data:v+pRv/q4Z/ZT18PBxxKrq9P9QNbjN14edSeMCo5If6Y=,iv:oIdXFPdppgV7uTWY/eKSK9T2vDXW2Uur9iwnftQB+dQ=,tag:QD2MB3ZeMlvuGIMIpHI97Q==,type:str] +alert2muc: + config: ENC[AES256_GCM,data:hdVL+/bC67dP/MDfL+Jd7tq09IuP0l3uigi+kFdV6H6KVVj5XcqtTWd7ZUe6s5lo+ZHWx6QGwliSASNFyLWhF2TV6PGFnT/qQyKmQoY+R9nxeuJ8A8wib21F6qVSoiTHMxg0R13d2/Y1LqZdpsa+2KNdSe1UiBD6/LaIDxMd9rQizVUrnSQ5IDm0BNPhdlFfEvRYJO9TWkgQ0sfmt5Q7,iv:1yLsZLtUtfhJ+1+1w5lBSZ4TsDzmGgUFyA5XpJ/WZH4=,tag:78F5sgrrMezSuh8xbqTLiQ==,type:str] nginx: httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str] sops: 
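Review bot: `secrets."alertmanager/xmpp-password".owner = config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User;` survives the second hosts/prometheus/default.nix hunk although the first hunk disables `services.prometheus.xmpp-alerts`; with that service no longer defined the attribute path will most likely fail to evaluate, and even if it does not, the secret now has no consumer. Remove the line together with the `alertmanager.xmpp-password` entry in secrets.yaml, and treat the credential as retired and rotate it, or keep the xmpp alerter explicitly if it is still wanted. The new `secrets."alert2muc/config".owner = config.services.alert2muc.user;` follows the same pattern and is fine provided the alert2muc module really exposes a `user` option, which this page cannot confirm.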
@@ -26,8 +28,8 @@ sops: dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-10T21:16:19Z" - mac: ENC[AES256_GCM,data:yZyBuZE5Gb6TSViqZaugZeloGxbsspc1oDMVVaoNZ7fcDXT7ELg85qWTokLV5PcySeh2IUpDtaqt+QV8tqHlWbREOHHWi+gwBGfBWww7k+H6h9+Vj3hpydPBBohklMpYYWK0F8fAuJjLhE6Usv96N8/CnCv4NJUIjK33pca5vMY=,iv:s8jumWZMU52PKHq0FAdl8IDv7aSym9cOG0W/cSn9XUI=,tag:Rh3oCJ2jucubvqRs7A+abQ==,type:str] + lastmodified: "2022-12-16T23:40:12Z" + mac: ENC[AES256_GCM,data:GXW0hMq84q5DrbV9YLNu5fvgAwFuBoq3cK7fD+FYHdnX1hq/6pTF2ksu7K7M9DE4yetXx7RKBWERm/1DShpV7Qe0jP/+kh31uwhCws6Ay0l14UDT52lL8uQ/jDHKv6ghG4/Q58u1Hvj/xZas34YmYxxJoyEzzCbMSfSgWh6GSMM=,iv:GuBCWI6s9yLhz3tEarZ1gbtXC+gUOVlbc43bezb9nbU=,tag:2bE8yOu87ooLdqjU5Ex1MQ==,type:str] pgp: - created_at: "2022-11-27T00:27:03Z" enc: |- From 917b38a895b39e710641d0409ed3963ea64ba6d4 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 17 Dec 2022 01:14:28 +0100 Subject: [PATCH 235/247] prometheus: feed alert2muc directly not through alertmanager --- hosts/prometheus/default.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 9688b83c..75be9df1 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -31,14 +31,14 @@ "group_wait" = "1m"; "group_interval" = "1m"; "repeat_interval" = "4h"; - "receiver" = "xmpp"; + # "receiver" = "xmpp"; }; - "receivers" = [{ - "name" = "xmpp"; - "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ - "url" = "http://127.0.0.1:9022/"; - }]; - }]; + # "receivers" = [{ + # "name" = "xmpp"; + # "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ + # "url" = "http://127.0.0.1:9022/"; + # }]; + # }]; }; }; 
@@ -47,6 +47,10 @@ targets = [ "localhost:${toString config.services.prometheus.alertmanager.port}" ]; }]; path_prefix = "/alertmanager"; + } { + static_configs = [{ + targets = [ "localhost:9022" ]; + }]; }]; rules = [ From 8ea43cc31d46608ae2a1d6f6556f8cfa8607f0b1 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 17 Dec 2022 01:17:01 +0100 Subject: [PATCH 236/247] prometheus: restore half of the legacy xmpp alerter so that the alertmanager configuration builds at all --- hosts/prometheus/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 75be9df1..61db242e 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -31,14 +31,14 @@ "group_wait" = "1m"; "group_interval" = "1m"; "repeat_interval" = "4h"; - # "receiver" = "xmpp"; + "receiver" = "xmpp"; }; - # "receivers" = [{ - # "name" = "xmpp"; - # "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ - # "url" = "http://127.0.0.1:9022/"; - # }]; - # }]; + "receivers" = [{ + "name" = "xmpp"; + "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ + "url" = "http://127.0.0.1:9022/"; + }]; + }]; }; }; From d6a994598be0d2dd20d848eac35de76b464f7996 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 17 Dec 2022 20:07:45 +0100 Subject: [PATCH 237/247] Cleanup inputs --- flake.lock | 119 ++++++++--------------------------------------------- flake.nix | 13 +++--- 2 files changed, 25 insertions(+), 107 deletions(-) diff --git a/flake.lock b/flake.lock index f25be350..b96b10f7 100644 --- a/flake.lock +++ b/flake.lock @@ -25,11 +25,15 @@ }, "alert2muc": { "inputs": { - "naersk": "naersk", + "naersk": [ + "naersk" + ], "nixpkgs": [ "nixos" ], - "utils": "utils" + "utils": [ + "flake-utils" + ] }, "locked": { "lastModified": 1671235085, 
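Review bot: Restoring the `xmpp` receiver with `"url" = "http://127.0.0.1:9022/";` in the "restore half of the legacy xmpp alerter" hunk presumably feeds alert2muc twice — Prometheus already delivers alerts to it directly through the `localhost:9022` alertmanager target added in the preceding commit, and alertmanager will now post the same alerts to it again as a webhook. Alertmanager only requires `route.receiver` to name an existing receiver, and a receiver with no notifier configuration satisfies that without the second delivery path: `"receiver" = "null";` with `"receivers" = [{ "name" = "null"; }];`. The `with config.services.prometheus.xmpp-alerts.settings;` prefix is unused in the restored block and can go at the same time.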
@@ -47,7 +51,9 @@ }, "bevy-julia": { "inputs": { - "naersk": "naersk_2", + "naersk": [ + "naersk" + ], "nixpkgs": [ "nixos" ], @@ -273,46 +279,6 @@ } }, "naersk": { - "inputs": { - "nixpkgs": [ - "alert2muc", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1671096816, - "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=", - "owner": "nix-community", - "repo": "naersk", - "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "master", - "repo": "naersk", - "type": "github" - } - }, - "naersk_2": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1662220400, - "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=", - "owner": "nix-community", - "repo": "naersk", - "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "naersk", - "type": "github" - } - }, - "naersk_3": { "inputs": { "nixpkgs": [ "nixos" @@ -332,28 +298,6 @@ "type": "github" } }, - "naersk_4": { - "inputs": { - "nixpkgs": [ - "ticker", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1659610603, - "narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=", - "owner": "nix-community", - "repo": "naersk", - "rev": "c6a45e4277fa58abd524681466d3450f896dc094", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "naersk", - "rev": "c6a45e4277fa58abd524681466d3450f896dc094", - "type": "github" - } - }, "newNixpkgs": { "locked": { "lastModified": 1647380550, @@ -373,7 +317,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { 
@@ -472,15 +416,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1663264531, - "narHash": "sha256-2ncO5chPXlTxaebDlhx7MhL0gOEIWxzSyfsl0r0hxQk=", + "lastModified": 1645296114, + "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "454887a35de6317a30be284e8adc2d2f6d8a07c4", + "rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-21.05-small", "type": "indirect" } }, @@ -499,21 +444,6 @@ "type": "indirect" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1645296114, - "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-21.05-small", - "type": "indirect" - } - }, "oparl-scraper": { "flake": false, "locked": { @@ -581,7 +511,7 @@ "heliwatch": "heliwatch", "hydra-ca": "hydra-ca", "microvm": "microvm", - "naersk": "naersk_3", + "naersk": "naersk", "nixos": "nixos", "nixos-hardware": "nixos-hardware", "nixos-mobilizon": "nixos-mobilizon", @@ -777,7 +707,9 @@ "fenix": [ "fenix" ], - "naersk": "naersk_4", + "naersk": [ + "naersk" + ], "nixpkgs": [ "nixos" ], @@ -841,21 +773,6 @@ "url": "https://gitea.c3d2.de/astro/tracer" } }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "yammat": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index f6c4c062..a0a57cbd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -18,7 +18,11 @@ }; alert2muc = { url = "git+https://gitea.c3d2.de/astro/alert2muc"; - inputs.nixpkgs.follows = "nixos"; + inputs = { + naersk.follows = "naersk"; + nixpkgs.follows = "nixos"; + utils.follows = "flake-utils"; + }; }; bevy-mandelbrot = { # url = "github:matelab/bevy_mandelbrot"; @@ -34,9 +38,7 @@ url = "git+https://gitea.c3d2.de/astro/bevy-julia.git?ref=main"; inputs = { nixpkgs.follows = "nixos"; - # breaks the build: - # naersk.follows = "naersk"; - # naersk.inputs.nixpkgs.follows = "nixpkgs"; + naersk.follows = "naersk"; rust-overlay.follows = "rust-overlay"; }; }; @@ -145,8 +147,7 @@ url = "git+https://gitea.c3d2.de/astro/ticker.git"; inputs = { fenix.follows = "fenix"; - # TODO: build regression in https://github.com/nix-community/naersk/commit/6944160c19cb591eb85bbf9b2f2768a935623ed3 - # naersk.follows = "naersk"; + naersk.follows = "naersk"; nixpkgs.follows = "nixos"; utils.follows = "flake-utils"; }; From 93c020f582914770db75d55c64d79b227f36f823 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 17 Dec 2022 21:56:07 +0100 Subject: [PATCH 238/247] Cleanups --- flake.nix | 3 +-- hosts/prometheus/default.nix | 2 +- hosts/radiobert/base.nix | 0 overlays/default.nix | 10 +++------- overlays/telme10.nix | 3 +-- 5 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 hosts/radiobert/base.nix diff --git a/flake.nix b/flake.nix index a0a57cbd..2c2ede4f 100644 --- a/flake.nix +++ b/flake.nix 
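Review bot: In the `ticker` hunk (`@@ -145,8 +147,7 @@`) the TODO documenting a build regression in the pinned naersk commit is dropped and `naersk.follows = "naersk"` is enabled, and the `bevy-julia` hunk (`@@ -34,9 +38,7 @@`) likewise removes the `# breaks the build:` note, but nothing in the commit records that either problem is resolved. If both inputs now build against the shared naersk, a one-line comment next to the new `follows` such as `# builds again with the shared naersk (verified with this cleanup)` would preserve the reason the earlier workaround was removed. The `inputs` attribute sets in both hunks start before the shown lines.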
@@ -179,7 +179,7 @@ }; }; - outputs = inputs@{ self, alert2muc, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, nixos-unstable-simd, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: + outputs = inputs@{ self, alert2muc, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }: let inherit (nixos) lib; @@ -240,7 +240,6 @@ }; in { overlays = import ./overlays { - inherit nixos-unstable; inherit (inputs) tracer bevy-mandelbrot bevy-julia; }; diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 61db242e..feabdf50 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -35,7 +35,7 @@ }; "receivers" = [{ "name" = "xmpp"; - "webhook_configs" = with config.services.prometheus.xmpp-alerts.settings; [{ + "webhook_configs" = [{ "url" = "http://127.0.0.1:9022/"; }]; }]; diff --git a/hosts/radiobert/base.nix b/hosts/radiobert/base.nix deleted file mode 100644 index e69de29b..00000000 diff --git a/overlays/default.nix b/overlays/default.nix index ebd36aee..268ab659 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,14 +1,10 @@ -{ nixos-unstable -, tracer -, bevy-julia +{ bevy-julia , bevy-mandelbrot +, tracer }: final: prev: -let - pkgs-unstable = nixos-unstable.legacyPackages.${prev.system}; -in with final; { allcolors = callPackage ./allcolors.nix { }; @@ -64,7 +60,7 @@ with final; { mlat-client = python3Packages.callPackage ./mlat-client.nix { }; - openssh = prev.openssh.overrideAttrs (oldAttrs: { + openssh = prev.openssh.overrideAttrs (_: { # takes 30 minutes doCheck = false; }); diff --git a/overlays/telme10.nix b/overlays/telme10.nix index f692d629..b0a55288 100644 --- a/overlays/telme10.nix +++ b/overlays/telme10.nix 
@@ -1,5 +1,4 @@ -{ stdenv -, buildGoModule +{ buildGoModule , fetchFromGitHub }: From 24329a062edb102a89f62ed0fd6c613402bc3df9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 17 Dec 2022 21:56:20 +0100 Subject: [PATCH 239/247] prometheus: increase RAM --- hosts/prometheus/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index feabdf50..38a8c2d7 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -1,6 +1,10 @@ { zentralwerk, config, lib, ... }: { + deployment = { + mem = 1024; + }; + networking = { hostName = "prometheus"; firewall = { From c2e19af7e8d5d30a558f7539fd81333f960561c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 17 Dec 2022 22:04:45 +0100 Subject: [PATCH 240/247] Cleanup and improve prometheus alerts --- hosts/prometheus/default.nix | 55 +++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 38a8c2d7..b87bf371 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix 
@@ -58,63 +58,86 @@ }]; rules = [ - '' + /* yaml */ '' groups: - name: default rules: - alert: oom_kills - expr: increase(node_vmstat_oom_kill[7d]) > 0.999 + expr: increase(node_vmstat_oom_kill[7d]) >= 1 for: 10m labels: severity: error annotations: summary: service gets oom killed - - alert: disk_free - expr: collectd_df_df_complex{type="free"} < 1024*1024*1024 + + - alert: disk_almost_full + expr: collectd_df_df_complex{type="free"} < 1024^3 for: 10m labels: severity: warn annotations: summary: filesystem has less than 1GB of free space - - alert: load1 - expr: node_load1 > 100 - for: 1m + + - alert: disk_full + expr: collectd_df_df_complex{type="free"} < 100 * 1024^2 + for: 10m labels: severity: warn annotations: - summary: high loadavg + summary: filesystem has less than 100MB of free space + + - alert: disk_free + expr: predict_linear(collectd_df_df_complex{type="free"}[1h], 8*3600) < 0 + for: 10m + labels: + severity: warn + annotations: + summary: filesystem will be full within 8h + + - alert: load1 + expr: avg_over_time(node_load1[15m]) > 50 + for: 10m + labels: + severity: warn + annotations: + summary: instance has high load avg + - alert: systemd_unit_failed - expr: node_systemd_unit_state{state="failed"} > 0 + expr: increase(node_systemd_unit_state{state="failed"}[7d]) >= 1 for: 10m labels: severity: error annotations: - summary: failed systemd units + summary: service fails + - name: network rules: - alert: load1 - expr: collectd_load_0 > 4 - for: 1m + expr: avg_over_time(collectd_load_0[15m]) > 1 + for: 10m labels: severity: warn annotations: - summary: high loadavg + summary: network device has high load avg + - alert: memory_free - expr: collectd_memory{memory="free"} < 4*1024*1024 + expr: collectd_memory{memory="free"} < 4 * 1024^2 for: 10m labels: severity: warn annotations: summary: memory full + - alert: throughput0 - expr: increase(collectd_interface_if_octets_0_total[10m]) > 600 * 60 * 1024 * 1024 + expr: 
increase(collectd_interface_if_octets_0_total[10m]) > 10 * 3600 * 1024^2 for: 2h labels: severity: warn annotations: summary: sustained throughput + - alert: throughput1 - expr: increase(collectd_interface_if_octets_1_total[10m]) > 600 * 60 * 1024 * 1024 + expr: increase(collectd_interface_if_octets_1_total[10m]) > 10 * 3600 * 1024^2 for: 2h labels: severity: warn From b549947a397808823d10aa6870bc393bc3fc4640 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 18 Dec 2022 00:42:00 +0100 Subject: [PATCH 241/247] Extract rules to extra file, round oom kills --- hosts/prometheus/default.nix | 90 +----------------------------------- hosts/prometheus/rules.yaml | 84 +++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 88 deletions(-) create mode 100644 hosts/prometheus/rules.yaml diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index b87bf371..f19241d9 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix 
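Review bot: `systemd_unit_failed` now uses `increase(node_systemd_unit_state{state="failed"}[7d]) >= 1`, but `node_systemd_unit_state` is a 0/1 gauge rather than a counter, so `increase()` treats every 1→0 transition as a counter reset and the alert keeps firing for the whole 7d window after the unit has recovered, whereas the replaced `> 0` expressed the current state. If the intent is "currently failed", `expr: node_systemd_unit_state{state="failed"} == 1` with the existing `for: 10m` is the gauge-correct form; if the intent really is "failed at any point in the last 7d", `expr: max_over_time(node_systemd_unit_state{state="failed"}[7d]) == 1` says so without relying on counter semantics. The same expression is carried over unchanged into the new `hosts/prometheus/rules.yaml` in PATCH 241. The `rules` list sits inside a services.prometheus block that starts before this hunk.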
@@ -57,94 +57,8 @@ }]; }]; - rules = [ - /* yaml */ '' - groups: - - name: default - rules: - - alert: oom_kills - expr: increase(node_vmstat_oom_kill[7d]) >= 1 - for: 10m - labels: - severity: error - annotations: - summary: service gets oom killed - - - alert: disk_almost_full - expr: collectd_df_df_complex{type="free"} < 1024^3 - for: 10m - labels: - severity: warn - annotations: - summary: filesystem has less than 1GB of free space - - - alert: disk_full - expr: collectd_df_df_complex{type="free"} < 100 * 1024^2 - for: 10m - labels: - severity: warn - annotations: - summary: filesystem has less than 100MB of free space - - - alert: disk_free - expr: predict_linear(collectd_df_df_complex{type="free"}[1h], 8*3600) < 0 - for: 10m - labels: - severity: warn - annotations: - summary: filesystem will be full within 8h - - - alert: load1 - expr: avg_over_time(node_load1[15m]) > 50 - for: 10m - labels: - severity: warn - annotations: - summary: instance has high load avg - - - alert: systemd_unit_failed - expr: increase(node_systemd_unit_state{state="failed"}[7d]) >= 1 - for: 10m - labels: - severity: error - annotations: - summary: service fails - - - name: network - rules: - - alert: load1 - expr: avg_over_time(collectd_load_0[15m]) > 1 - for: 10m - labels: - severity: warn - annotations: - summary: network device has high load avg - - - alert: memory_free - expr: collectd_memory{memory="free"} < 4 * 1024^2 - for: 10m - labels: - severity: warn - annotations: - summary: memory full - - - alert: throughput0 - expr: increase(collectd_interface_if_octets_0_total[10m]) > 10 * 3600 * 1024^2 - for: 2h - labels: - severity: warn - annotations: - summary: sustained throughput - - - alert: throughput1 - expr: increase(collectd_interface_if_octets_1_total[10m]) > 10 * 3600 * 1024^2 - for: 2h - labels: - severity: warn - annotations: - summary: sustained throughput - '' - ]; + enableReload = true; + ruleFiles = [ ./rules.yaml ]; scrapeConfigs = [{ # TODO: authorization? 
diff --git a/hosts/prometheus/rules.yaml b/hosts/prometheus/rules.yaml new file mode 100644 index 00000000..88d730d7 --- /dev/null +++ b/hosts/prometheus/rules.yaml 
@@ -0,0 +1,84 @@ +groups: + - name: default + rules: + - alert: oom_kills + expr: round(increase(node_vmstat_oom_kill[7d])) >= 1 + for: 10m + labels: + severity: error + annotations: + summary: service gets oom killed + + - alert: disk_almost_full + expr: collectd_df_df_complex{type="free"} < 1024^3 + for: 10m + labels: + severity: warn + annotations: + summary: filesystem has less than 1GB of free space + + - alert: disk_full + expr: collectd_df_df_complex{type="free"} < 100 * 1024^2 + for: 10m + labels: + severity: warn + annotations: + summary: filesystem has less than 100MB of free space + + - alert: disk_free + expr: predict_linear(collectd_df_df_complex{type="free"}[1h], 8*3600) < 0 + for: 10m + labels: + severity: warn + annotations: + summary: filesystem will be full within 8h + + - alert: load1 + expr: avg_over_time(node_load1[15m]) > 50 + for: 10m + labels: + severity: warn + annotations: + summary: instance has high load avg + + - alert: systemd_unit_failed + expr: increase(node_systemd_unit_state{state="failed"}[7d]) >= 1 + for: 10m + labels: + severity: error + annotations: + summary: service fails + + - name: network + rules: + - alert: load1 + expr: avg_over_time(collectd_load_0[15m]) > 1 + for: 10m + labels: + severity: warn + annotations: + summary: network device has high load avg + + - alert: memory_free + expr: collectd_memory{memory="free"} < 4 * 1024^2 + for: 10m + labels: + severity: warn + annotations: + summary: memory full + + - alert: throughput0 + expr: increase(collectd_interface_if_octets_0_total[10m]) > 10 * 3600 * 1024^2 + for: 2h + labels: + severity: warn + annotations: + summary: sustained throughput + + - alert: throughput1 + expr: increase(collectd_interface_if_octets_1_total[10m]) > 10 * 3600 * 1024^2 + for: 2h + labels: + severity: warn + annotations: + summary: sustained throughput From 845bea758478133a78650a805f1b19dee5b28729 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 18 Dec 2022 00:47:35 +0100 Subject: [PATCH 242/247] Increase repeat to 7 days --- hosts/prometheus/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index f19241d9..943e9245 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -29,12 +29,11 @@ webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; listenAddress = "[::1]"; configuration = { - "global" = { }; "route" = { "group_by" = [ "instance" ]; "group_wait" = "1m"; "group_interval" = "1m"; - "repeat_interval" = "4h"; + "repeat_interval" = "7d"; "receiver" = "xmpp"; }; "receivers" = [{ From 601c5c371651603f54d34c48b2c00dc00ddf29c8 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 18 Dec 2022 02:15:27 +0100 Subject: [PATCH 243/247] grafana: update prosody dashboard --- hosts/grafana/dashboards/UX0rEpd7z.json | 336 ++++++++++++------------ 1 file changed, 168 insertions(+), 168 deletions(-) diff --git a/hosts/grafana/dashboards/UX0rEpd7z.json b/hosts/grafana/dashboards/UX0rEpd7z.json index bf73abf4..59681e62 100644 --- a/hosts/grafana/dashboards/UX0rEpd7z.json +++ b/hosts/grafana/dashboards/UX0rEpd7z.json 
@@ -3,30 +3,38 @@ "list": [ { "builtIn": 1, - "datasource": "-- Grafana --", + "datasource": { + "type": "datasource", + "uid": "grafana" + }, "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, 1)", "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, "type": "dashboard" } ] }, "editable": true, - "gnetId": null, + "fiscalYearStartMonth": 0, "graphTooltip": 0, - "id": 21, "links": [], + "liveNow": false, "panels": [ { "aliasColors": {}, "bars": false, "dashLength": 10, "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": {}, - "overrides": [] + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" }, "fill": 6, "fillGradient": 0, @@ -55,7 +63,7 @@ "alertThreshold": true }, "percentage": false, - "pluginVersion": "7.5.11", + "pluginVersion": "9.3.1", "pointradius": 2, "points": false, "renderer": "flot", @@ -66,6 +74,10 @@ "targets": [ { "alias": "$tag_host C2S $tag_type_instance", + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" + }, "groupBy": [ { "params": [ @@ -121,9 +133,7 @@ } ], "thresholds": [], - "timeFrom": null, "timeRegions": [], - "timeShift": null, "title": "Client to Server connections", "tooltip": { "shared": true, @@ -132,9 +142,7 @@ }, "type": "graph", "xaxis": { - "buckets": null, "mode": "time", - "name": null, "show": true, "values": [] }, 
@@ -142,75 +150,107 @@ { "$$hashKey": "object:58", "format": "short", - "label": null, "logBase": 1, - "max": null, - "min": null, "show": true }, { "$$hashKey": "object:59", "format": "short", - "label": null, "logBase": 1, - "max": null, - "min": null, "show": true } ], "yaxis": { - "align": false, - "alignLevel": null + "align": false } }, { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" + }, "fieldConfig": { - "defaults": {}, + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 60, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, "overrides": [] }, - "fill": 6, - "fillGradient": 0, "gridPos": { "h": 9, "w": 12, "x": 12, "y": 0 }, - "hiddenSeries": false, "id": 3, "interval": "180", - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null as zero", "options": { - "alertThreshold": true + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } }, - "percentage": false, - "pluginVersion": "7.5.11", - 
"pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, + "pluginVersion": "9.3.1", "targets": [ { "alias": "$tag_host S2S $tag_type_instance", + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" + }, "groupBy": [ { "params": [ 
@@ -266,98 +306,97 @@ ] } ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, "title": "Incoming Server to Server connections", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:58", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:59", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } + "type": "timeseries" }, { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" + }, "description": "", "fieldConfig": { - "defaults": {}, + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 60, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, "overrides": [] }, - "fill": 6, - "fillGradient": 0, "gridPos": { "h": 9, "w": 12, "x": 12, "y": 9 }, - "hiddenSeries": false, "id": 4, "interval": "180", - "legend": { - "avg": false, - "current": false, - "max": false, - 
"min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null as zero", "options": { - "alertThreshold": true + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } }, - "percentage": false, - "pluginVersion": "7.5.11", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, + "pluginVersion": "9.3.1", "targets": [ { "alias": "$tag_host S2S out $tag_type_instance", + "datasource": { + "type": "influxdb", + "uid": "P79EA3E036FD9FF91" + }, "groupBy": [ { "params": [ @@ -412,64 +451,25 @@ ] } ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, "title": "Outgoing Server to Server connections", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:58", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:59", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } + "type": "timeseries" } ], "refresh": "5s", - "schemaVersion": 27, + "schemaVersion": 37, "style": "dark", "tags": [], "templating": { "list": [] }, "time": { - "from": "now-2d", + "from": "now-30d", "to": "now" }, "timepicker": {}, "timezone": "", "title": "Prosody", "uid": "UX0rEpd7z", - "version": 3 -} + "version": 1, + "weekStart": "" +} \ No newline at end of file From af9a1a6161963fe86a1e69812629eaa55bc90205 Mon Sep 17 00:00:00 2001 
From: Astro Date: Sun, 18 Dec 2022 03:19:25 +0100 Subject: [PATCH 244/247] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'alert2muc': 'git+https://gitea.c3d2.de/astro/alert2muc?ref=refs%2fheads%2fmain&rev=2cf4e1dbc0c6ceb96387f2d6445b784abc537f8f' (2022-12-16) → 'git+https://gitea.c3d2.de/astro/alert2muc?ref=refs%2fheads%2fmain&rev=0ae1024cc7bf45dceb03f089f3e5485c0a43b860' (2022-12-18) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index b96b10f7..f41f306f 100644 --- a/flake.lock +++ b/flake.lock @@ -36,11 +36,11 @@ ] }, "locked": { - "lastModified": 1671235085, - "narHash": "sha256-ii7LsyYrnm3puQrCpfsYvIjVpLoPW5qhBmVdSybvTUA=", + "lastModified": 1671329943, + "narHash": "sha256-7gFF8z1ww+LoC9Pk5hflvnlrzIf8gp7UbL6o8Xyl4Dw=", "ref": "refs/heads/main", - "rev": "2cf4e1dbc0c6ceb96387f2d6445b784abc537f8f", - "revCount": 12, + "rev": "0ae1024cc7bf45dceb03f089f3e5485c0a43b860", + "revCount": 14, "type": "git", "url": "https://gitea.c3d2.de/astro/alert2muc" }, From 38f69300bb30009cf75e3b6b769b31e4b6287d63 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 18 Dec 2022 03:19:40 +0100 Subject: [PATCH 245/247] prometheus: update alert2muc url --- hosts/prometheus/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 943e9245..81bb23b6 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -39,7 +39,7 @@ "receivers" = [{ "name" = "xmpp"; "webhook_configs" = [{ - "url" = "http://127.0.0.1:9022/"; + "url" = "http://127.0.0.1:9022/alert"; }]; }]; }; From 7d18fad68acc0b38c0ed261e0e87a0ab6c3ff8ad Mon Sep 17 00:00:00 2001 
From: Astro Date: Sun, 18 Dec 2022 03:20:13 +0100 Subject: [PATCH 246/247] modules/cluster/default.nix: disable skyflake.debug for now --- modules/cluster/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/cluster/default.nix b/modules/cluster/default.nix index 7acbbe57..f18b7101 100644 --- a/modules/cluster/default.nix +++ b/modules/cluster/default.nix @@ -30,7 +30,7 @@ in { # Cluster configuration skyflake = { - debug = true; + # debug = true; nodes = builtins.listToAttrs ( map (name: { inherit name; From e43ce3b29bf91659523a768f5689dbdb4e443551 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 18 Dec 2022 19:03:24 +0100 Subject: [PATCH 247/247] hydra: combine default.nix and hydra.nix, remove nix store over ssh --- hosts/hydra/cache-pub.key | 1 - hosts/hydra/default.nix | 285 ++++++++++++++++++++++++++++++++++---- hosts/hydra/hydra.nix | 255 ---------------------------------- hosts/hydra/secrets.yaml | 5 +- modules/c3d2.nix | 2 +- 5 files changed, 264 insertions(+), 284 deletions(-) delete mode 100644 hosts/hydra/cache-pub.key diff --git a/hosts/hydra/cache-pub.key b/hosts/hydra/cache-pub.key deleted file mode 100644 index be3677da..00000000 --- a/hosts/hydra/cache-pub.key +++ /dev/null @@ -1 +0,0 @@ -nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps= \ No newline at end of file diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index 93ffdba1..5353f738 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -1,5 +1,8 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, zentralwerk, ... }: +let + cachePort = 5000; +in { imports = [ ./hardware-configuration.nix 
@@ -9,28 +12,9 @@ ../../modules/c3d2.nix ]; - nixpkgs.config.allowUnfree = true; - - security.pam.enableSSHAgentAuth = true; - - services.openssh = { - enable = true; - passwordAuthentication = false; - }; - - programs.mosh.enable = true; - - nix = { - sshServe.enable = true; - settings = { - # # restore default overridden by harmonia - # allowed-users = lib.mkForce [ "*" ]; - auto-optimise-store = true; - cores = 20; - keep-outputs = true; - max-jobs = 8; - trusted-users = [ "@wheel" ]; - }; + c3d2 = { + hq.statistics.enable = true; + simd.arch = "ivybridge"; }; boot = { 
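Review bot: This hunk removes `services.openssh = { enable = true; passwordAuthentication = false; }` along with `security.pam.enableSSHAgentAuth` and `nix.sshServe.enable`, and no replacement for the explicit `passwordAuthentication = false` appears in any hunk shown here; if sshd remains enabled for this host through `../../modules/c3d2.nix` (touched by this commit but not visible) without that setting, the option silently reverts to the module default instead of being explicitly disabled. The commit title only announces removing the nix store over ssh, so the intent for the sshd hardening should be confirmed, and if it now lives in the shared module a comment here such as `# sshd settings (password auth disabled) come from ../../modules/c3d2.nix` would make that explicit. The enclosing attribute set starts before this hunk.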
@@ -43,14 +27,265 @@ binfmt.emulatedSystems = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" "riscv32-linux" "riscv64-linux" ]; }; + nix = { + buildMachines = [{ + hostName = "client@dacbert.hq.c3d2.de"; + system = lib.concatStringsSep "," [ + "aarch64-linux" "armv6l-linux" "armv7l-linux" + ]; + supportedFeatures = [ "kvm" "nixos-test" ]; + maxJobs = 1; + }]; + daemonCPUSchedPolicy = "idle"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; + settings = { + allowed-uris = "http:// https:// ssh://"; + auto-optimise-store = true; + builders-use-substitutes = true; + cores = 20; + keep-outputs = true; + max-jobs = 8; + trusted-users = [ "hydra" "root" "@wheel" ]; + }; + }; + + nixpkgs.config.allowUnfree = true; + + # disabled because currently it display `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store + # containers = { + # hydra-ca = { + # autoStart = true; + # config = { ... }: { + # imports = [ + # hydra-ca.nixosModules.hydra + # ]; + + # environment.systemPackages = with pkgs; [ git ]; + + # networking.firewall.allowedTCPPorts = [ 3001 ]; + + # nix = { + # settings = { + # allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/"; + # builders-use-substitutes = true; + # experimental-features = "ca-derivations nix-command flakes"; + # extra-substituters = "https://cache.ngi0.nixos.org/"; + # extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="; + # substituters = [ + # "https://cache.ngi0.nixos.org/" + # ]; + # trusted-public-keys = [ + # "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=" + # ]; + # }; + # }; + + # nixpkgs = { + # # config.contentAddressedByDefault = true; + # overlays = [ self.overlay ]; + # }; + + # services = { + # hydra-dev = lib.recursiveUpdate config.services.hydra-dev { + # hydraURL = "https://hydra-ca.hq.c3d2.de"; + # port = 3001; + # }; + # }; + + # 
system.stateVersion = "22.05"; # Did you read the comment? No. + # }; + # hostAddress = "192.168.100.1"; + # localAddress = "192.168.100.2"; + # privateNetwork = true; + # }; + # }; + networking = { + hosts = with zentralwerk.lib.config.site.net.serv; { + ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; + ${hosts4.auth} = [ "auth.c3d2.de" ]; + }; hostName = "hydra"; firewall.enable = false; nameservers = [ "172.20.73.8" "9.9.9.9" ]; + # nat = { + # enable = true; + # externalInterface = "serv"; + # internalInterfaces = [ "ve-hydra-ca" ]; + # }; }; - c3d2.hq.statistics.enable = true; - services.smartd.enable = true; + services = { + hydra = { + enable = true; + buildMachinesFiles = [ + "/etc/nix/machines" + "/var/lib/hydra/machines" + ]; + hydraURL = "https://hydra.hq.c3d2.de"; + logo = ./c3d2.svg; + minimumDiskFree = 50; + minimumDiskFreeEvaluator = 50; + notificationSender = "hydra@spam.works"; + useSubstitutes = true; + extraConfig = + let + key = config.sops.secrets."nix-serve/secretKey".path; + in + '' + binary_cache_secret_key_file = ${key} + evaluator_workers = 4 + evaluator_max_memory_size = 2048 + max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images + store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd + upload_logs_to_binary_cache = true + + # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional + + + + class = Password + password_field = password + password_type = self_check + + + class = LDAP + ldap_server = auth.c3d2.de + + scheme = ldaps + timeout = 10 + + binddn = "uid=search,ou=users,dc=c3d2,dc=de" + include ldap-password.conf + start_tls = 0 + + ciphers = TLS_AES_256_GCM_SHA384 + sslversion = tlsv1_3 + # verify = none + + user_basedn = "ou=users,dc=c3d2,dc=de" + user_filter = "(&(objectclass=person)(uid=%s))" + user_scope = one + user_field = uid + + deref = always + + # Important for role mappings to work: + use_roles = 1 + 
role_basedn = "ou=groups,dc=c3d2,dc=de" + role_filter = "(&(objectclass=group)(%s))" + role_scope = one + role_field = cn + role_value = dn + + deref = always + + + + + # maps directly to user roles + # Make all users in the hydra-admin group Hydra admins + hydra-admins = admin + # Allow all users in the dev group to restart jobs and cancel builds + #dev = restart-jobs + #dev = cancel-build + + + ''; + }; + + # A rust nix binary cache + harmonia = { + enable = true; + settings = { + bind = "127.0.0.1:${toString cachePort}"; + workers = 20; + max_connection_rate = 1024; + priority = 30; + sign_key_path = config.sops.secrets."nix-serve/secretKey".path; + }; + }; + + nginx = + let + hydraVhost = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}"; + }; + in + { + enable = true; + virtualHosts = { + "hydra.hq.c3d2.de" = hydraVhost // { + default = true; + }; + # "hydra-ca.hq.c3d2.de" = hydraVhost // { + # locations."/".proxyPass = "http://192.168.100.2:3001"; + # }; + "hydra.serv.zentralwerk.org" = hydraVhost; + "nix-serve.hq.c3d2.de" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString cachePort}"; + }; + }; + }; + + smartd.enable = true; + + resolved.enable = false; + }; + + sops = { + defaultSopsFile = ./secrets.yaml; + secrets."nix-serve/secretKey" = { + mode = "440"; + owner = config.users.users.hydra-queue-runner.name; + inherit (config.users.users.hydra-queue-runner) group; + }; + secrets."ldap/search-user-pw" = { + mode = "440"; + owner = config.users.users.hydra-queue-runner.name; + inherit (config.users.users.hydra-queue-runner) group; + path = "/var/lib/hydra/ldap-password.conf"; + }; + }; system.stateVersion = "20.09"; + + systemd.services = { + hydra-evaluator.serviceConfig = { + CPUWeight = 2; + MemoryHigh = "64G"; + MemoryMax = "64G"; + MemorySwapMax = "64G"; + }; + + hydra-init.preStart = let + makesSenseForQemuUser = feature: + ! 
(builtins.elem feature [ "kvm" "benchmark" ]); + # strips features that don't make sense on qemu-user + extraPlatformSystemFeatures = + builtins.filter makesSenseForQemuUser config.nix.settings.system-features; + in + # both entries cannot have localhost alone because then hydra would merge them together but we want explictily two to not allow benchmarkts for binfmt emulated arches + '' + cat << EOF > ~/machines + localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} - + hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - + EOF + ''; + + nix-daemon.serviceConfig = { + CPUWeight = 5; + MemoryHigh = "64G"; + MemoryMax = "64G"; + MemorySwapMax = "64G"; + }; + }; + + # allow reading nix-serve secret + users.users.harmonia.extraGroups = [ "hydra" ]; } diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 9e91e45e..7f69a84e 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix 
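Review bot: The new `services.hydra` block sets no `listenHost`, and with `networking.firewall.enable = false` kept as unchanged context a few lines above, the Hydra web UI on `config.services.hydra.port` is reachable directly over plain HTTP from every interface if the module default is still the wildcard bind — bypassing the `forceSSL` vhosts that nginx proxies to `http://localhost:${toString config.services.hydra.port}` and exposing the LDAP password login form in the clear. Since nginx only ever connects to localhost, `listenHost = "localhost";` next to `enable = true;` closes that without any other change; harmonia already does the equivalent with `bind = "127.0.0.1:${toString cachePort}"`. A softer point: `allowed-uris = "http:// https:// ssh://"` lets restricted-mode evaluations fetch from any host, far wider than the `gitea.c3d2.de`/`github.com`/`gitlab.com` list the commented-out container config carried; if that width is intended, a comment saying so would stop a later reader from "fixing" it. The enclosing top-level attribute set starts outside this hunk.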
@@ -1,257 +1,2 @@ { config, lib, zentralwerk, ... }: -let - cachePort = 5000; - -in -{ - # disabled because currently it display `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store - # containers = { - # hydra-ca = { - # autoStart = true; - # config = { ... }: { - # imports = [ - # hydra-ca.nixosModules.hydra - # ]; - - # environment.systemPackages = with pkgs; [ git ]; - - # networking.firewall.allowedTCPPorts = [ 3001 ]; - - # nix = { - # settings = { - # allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/"; - # builders-use-substitutes = true; - # experimental-features = "ca-derivations nix-command flakes"; - # extra-substituters = "https://cache.ngi0.nixos.org/"; - # extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="; - # substituters = [ - # "https://cache.ngi0.nixos.org/" - # ]; - # trusted-public-keys = [ - # "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=" - # ]; - # }; - # }; - - # nixpkgs = { - # # config.contentAddressedByDefault = true; - # overlays = [ self.overlay ]; - # }; - - # services = { - # hydra-dev = lib.recursiveUpdate config.services.hydra-dev { - # hydraURL = "https://hydra-ca.hq.c3d2.de"; - # port = 3001; - # }; - # }; - - # system.stateVersion = "22.05"; # Did you read the comment? No. 
- # }; - # hostAddress = "192.168.100.1"; - # localAddress = "192.168.100.2"; - # privateNetwork = true; - # }; - # }; - - networking = { - hosts = with zentralwerk.lib.config.site.net.serv; { - ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; - ${hosts4.auth} = [ "auth.c3d2.de" ]; - }; - # nat = { - # enable = true; - # externalInterface = "serv"; - # internalInterfaces = [ "ve-hydra-ca" ]; - # }; - }; - - nix = { - buildMachines = [{ - hostName = "client@dacbert.hq.c3d2.de"; - system = lib.concatStringsSep "," [ - "aarch64-linux" "armv6l-linux" "armv7l-linux" - ]; - supportedFeatures = [ "kvm" "nixos-test" ]; - maxJobs = 1; - }]; - daemonCPUSchedPolicy = "idle"; - daemonIOSchedClass = "idle"; - daemonIOSchedPriority = 7; - settings = { - allowed-uris = "http:// https:// ssh://"; - builders-use-substitutes = true; - trusted-users = [ "hydra" "root" ]; - }; - }; - - c3d2.simd.arch = "ivybridge"; - - services = { - hydra = { - enable = true; - buildMachinesFiles = [ - "/etc/nix/machines" - "/var/lib/hydra/machines" - ]; - hydraURL = "https://hydra.hq.c3d2.de"; - logo = ./c3d2.svg; - minimumDiskFree = 50; - minimumDiskFreeEvaluator = 50; - notificationSender = "hydra@spam.works"; - useSubstitutes = true; - extraConfig = - let - key = config.sops.secrets."nix-serve/secretKey".path; - in - '' - binary_cache_secret_key_file = ${key} - evaluator_workers = 4 - evaluator_max_memory_size = 2048 - max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images - store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd - upload_logs_to_binary_cache = true - - # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional - - - - class = Password - password_field = password - password_type = self_check - - - class = LDAP - ldap_server = auth.c3d2.de - - scheme = ldaps - timeout = 10 - - binddn = "uid=search,ou=users,dc=c3d2,dc=de" - include ldap-password.conf - start_tls = 0 - 
- ciphers = TLS_AES_256_GCM_SHA384 - sslversion = tlsv1_3 - # verify = none - - user_basedn = "ou=users,dc=c3d2,dc=de" - user_filter = "(&(objectclass=person)(uid=%s))" - user_scope = one - user_field = uid - - deref = always - - # Important for role mappings to work: - use_roles = 1 - role_basedn = "ou=groups,dc=c3d2,dc=de" - role_filter = "(&(objectclass=group)(%s))" - role_scope = one - role_field = cn - role_value = dn - - deref = always - - - - - # maps directly to user roles - # Make all users in the hydra-admin group Hydra admins - hydra-admins = admin - # Allow all users in the dev group to restart jobs and cancel builds - #dev = restart-jobs - #dev = cancel-build - - - ''; - }; - - # A rust nix binary cache - harmonia = { - enable = true; - settings = { - bind = "127.0.0.1:${toString cachePort}"; - workers = 20; - max_connection_rate = 1024; - priority = 30; - sign_key_path = config.sops.secrets."nix-serve/secretKey".path; - }; - }; - - nginx = - let - hydraVhost = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}"; - }; - in - { - enable = true; - virtualHosts = { - "hydra.hq.c3d2.de" = hydraVhost // { - default = true; - }; - # "hydra-ca.hq.c3d2.de" = hydraVhost // { - # locations."/".proxyPass = "http://192.168.100.2:3001"; - # }; - "hydra.serv.zentralwerk.org" = hydraVhost; - "nix-serve.hq.c3d2.de" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://localhost:${toString cachePort}"; - }; - }; - }; - resolved.enable = false; - }; - - sops = { - defaultSopsFile = ./secrets.yaml; - secrets."nix-serve/secretKey" = { - mode = "440"; - owner = config.users.users.hydra-queue-runner.name; - inherit (config.users.users.hydra-queue-runner) group; - }; - secrets."ldap/search-user-pw" = { - mode = "440"; - owner = config.users.users.hydra-queue-runner.name; - inherit (config.users.users.hydra-queue-runner) group; - path = "/var/lib/hydra/ldap-password.conf"; - 
}; - }; - - systemd.services = { - hydra-evaluator.serviceConfig = { - CPUWeight = 2; - MemoryHigh = "64G"; - MemoryMax = "64G"; - MemorySwapMax = "64G"; - }; - - hydra-init.preStart = let - makesSenseForQemuUser = feature: - ! (builtins.elem feature [ "kvm" "benchmark" ]); - # strips features that don't make sense on qemu-user - extraPlatformSystemFeatures = - builtins.filter makesSenseForQemuUser config.nix.settings.system-features; - in - # both entries cannot have localhost alone because then hydra would merge them together but we want explictily two to not allow benchmarkts for binfmt emulated arches - '' - cat << EOF > ~/machines - localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} - - hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} - - EOF - ''; - - nix-daemon.serviceConfig = { - CPUWeight = 5; - MemoryHigh = "64G"; - MemoryMax = "64G"; - MemorySwapMax = "64G"; - }; - }; - - # allow reading nix-serve secret - users.users.harmonia.extraGroups = [ "hydra" ]; -} diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml index 0d7a1dcf..bd0179f4 100644 --- a/hosts/hydra/secrets.yaml +++ b/hosts/hydra/secrets.yaml 
@@ -1,4 +1,5 @@ nix-serve: + publicKey: ENC[AES256_GCM,data:sR5wk7yvH5+lLpSIP0zNqCLvDRRvR8ws4Q8rVcVJx8YkrywwPcvIsJ1h6mVEu3nc6SLoZlQsuxOGCyNGD98CBNY=,iv:fFV2D27hWoxGtqVt3EnS4hMlrqW5LnIZ3LB5k4xmFWs=,tag:g7R1ossy2On6B2nVfKC9iA==,type:str] secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str] ldap: search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str] @@ -26,8 +27,8 @@ sops: K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-06T14:25:54Z" - mac: ENC[AES256_GCM,data:4cOG88FIG7UhVb/r8Aq1Nme5+qCpEdpjV+BLOISm1Y6MYgxFTDqCzV2FOdKztpVou5Nly9JUvKfz6eiCWbbIbaO5/DYUObiTKZXv6B1x6blnIW8vMtqcdYWOXH62ycHMV+Sha0D41eXmNp3K1Vs+k3OwYZyHK1HFOqqQ2jpy+Ps=,iv:u0O/A/GBBpDTJVFBfiFzDOIIR5o479YI11fgrv0mR0A=,tag:E9OuAAOhfbzPcnA6Ij6LMA==,type:str] + lastmodified: "2022-12-18T17:49:41Z" + mac: ENC[AES256_GCM,data:oQGsk4gJ4dGCr3zCanOpSsKQyx/OuWiYe0ef8pvWhqFq0+YvwUzoiF3jQmqahLWGLHUl1yb1kb91GEr7q47G83Z9YXVVtTTzJUWpKZQL1WD12f5ERPSlKnT251fvoMtqNqKrRirGA9ao8OxVpeh3/SQCAGTqWAcpz1J7dxvL7E4=,iv:td9t1MKcXH5RYZxsD1wA4oG61AfLLGSiVIEq/sPRZG4=,tag:UqHGkKqXeeBYXQYtvplCdA==,type:str] pgp: - created_at: "2022-07-15T23:31:58Z" enc: | diff --git a/modules/c3d2.nix b/modules/c3d2.nix index bb2b1191..7f989ef7 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix 
@@ -401,7 +401,7 @@ in fallback = true; # don't self feed hydra trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [ - (builtins.readFile ../hosts/hydra/cache-pub.key) + "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" ]; substituters = lib.mkIf (config.networking.hostName != "hydra") ( lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
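Review bot: The cache's trust anchor is now a bare literal in `trusted-public-keys` with nothing saying where it comes from; the same commit stores the key pair as sops secrets `nix-serve/secretKey` and `nix-serve/publicKey` on the hydra host, so a rotation there would silently leave every other host distrusting the cache (with `fallback = true` they would just rebuild locally rather than fail). A comment above the literal, e.g. `# public half of hosts/hydra sops secret nix-serve/secretKey — update both on rotation`, would keep the two in step.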