From 3913c097828deab4d10070d5ff494abeafb4c569 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Wed, 19 Aug 2020 00:30:34 +0200 Subject: [PATCH 01/21] fix systemd invocation for docker container --- hosts/server7/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 8f8ae856..a0dfbb66 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -133,7 +133,7 @@ in { }; systemd.services.docker-ceph-osd-7.serviceConfig = { ExecStartPre = [ - "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all" + "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all --no-systemd" ]; }; From bf568e9de30233b965b0adefa72a4f1d750b0681 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Wed, 19 Aug 2020 00:47:25 +0200 Subject: [PATCH 02/21] use all mon servers for connecting. use preStart --- hosts/server7/default.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index a0dfbb66..3c6ba082 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -34,7 +34,7 @@ in { fileSystems."/srv/ceph" = { #device = "172.22.99.13:6789:/"; - device = "172.20.72.53:6789:/"; + device = "172.20.72.55:6789,172.20.72.56:6789,172.20.72.53:6789:/"; fsType = "ceph"; options = [ "name=storage2" 
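Review bot: The `-it` in the new ExecStartPre line is a problem under systemd, where stdin is not a terminal, so `docker run -t` will most likely exit with "the input device is not a TTY" before `ceph-volume lvm activate` ever runs, and the leading `-` then hides that failure, leaving the OSD to start without activated volumes. Drop `-it` (nothing here needs a TTY) and consider dropping the `-` as well so an activation failure stops the unit instead of being ignored; the same command reappears in the next patch's `preStart` hunk. Since this container runs `--privileged=true` with `--net=host --ipc=host` and `/dev` mounted, the image reference is the only thing constraining what runs as root on the host, so pinning by digest (`ceph/ceph@sha256:<digest>`, placeholder) instead of the mutable `v14.2.9` tag would make that trust boundary explicit. The `systemd.services` attribute set sits inside an enclosing `in {` set that starts outside the hunk.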
@@ -131,11 +131,8 @@ in { volumes = [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ]; }; - systemd.services.docker-ceph-osd-7.serviceConfig = { - ExecStartPre = [ - "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all --no-systemd" - ]; - }; + systemd.services.docker-ceph-osd-7.preStart = + "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all --no-systemd"; networking = { firewall.enable = false; From 3202318820bb5c6e01089fa1bd5878df9868e81b Mon Sep 17 00:00:00 2001 From: bastiion Date: Sat, 19 Sep 2020 15:29:14 +0200 Subject: [PATCH 03/21] adding a robot to ha-proxy robot1.hq.c3d2.de --- hosts/containers/public-access-proxy/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 231d05d7..4bc6de89 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -34,6 +34,10 @@ hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ]; proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; } + { + hostNames = [ "robo1.hq.c3d2.de" ]; + proxyTo = { host = "172.20.79.62"; httpPort = 80; }; + } ]; }; From 13f735c0d764f7a5c8cdf2704ef0fc4c76bc34ff Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 19 Sep 2020 19:15:13 +0200 Subject: [PATCH 04/21] public-access-proxy: add robots.datenspuren.de --- hosts/containers/public-access-proxy/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) 
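Review bot: Moving the command from `serviceConfig.ExecStartPre` to `preStart` changes its interpretation: `preStart` is a shell script, and the leading `-` is ExecStartPre-only syntax, so the shell will try to execute a command literally named `-/nix/store/…/bin/docker`, fail with "command not found", and — since NixOS wraps preStart with `-e` as far as I know — the service will not start at all. The `-it` also still asks for a TTY that systemd does not provide. The line should become `"${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb ceph/ceph:v14.2.9 ceph-volume lvm activate --all --no-systemd";` with `|| true` appended only if a failed activation is genuinely meant to be tolerated. The enclosing `in {` attribute set starts before the hunk.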
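Review bot: The host name added is `robo1.hq.c3d2.de` while the commit subject says `robot1.hq.c3d2.de`; one of the two is a typo, and if the config is the wrong one the entry will never match the intended requests. Confirm the intended name and, if it is the latter, change the line to `hostNames = [ "robot1.hq.c3d2.de" ];`. Unlike the neighbouring kibana entry this one sets only `httpPort`, so whether the proxy answers TLS for this host depends on how the module treats a missing `httpsPort` — worth a one-line comment if HTTP-only is deliberate. The list these entries belong to starts before the hunk.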
diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 4bc6de89..8ae8729b 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -38,6 +38,10 @@ hostNames = [ "robo1.hq.c3d2.de" ]; proxyTo = { host = "172.20.79.62"; httpPort = 80; }; } + { + hostNames = [ "robots.datenspuren.de" ]; + proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; }; + } ]; }; From f7230c5829f24c13bdaf79140d25a4b03782850d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 18 Oct 2020 17:26:21 +0200 Subject: [PATCH 05/21] deployer: activate autoOptimiseStore --- hosts/containers/deployer/configuration.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix index 602b52a4..3f73d06a 100644 --- a/hosts/containers/deployer/configuration.nix +++ b/hosts/containers/deployer/configuration.nix @@ -60,8 +60,11 @@ permitRootLogin = "yes"; }; - nix.buildCores = 32; - nix.maxJobs = 32; + nix = { + buildCores = 32; + maxJobs = 32; + autoOptimiseStore = true; + }; users.extraUsers.k-ot = { isNormalUser = true; From 7dab4f4c8dce2c77654e322e6221a81f0c08607c Mon Sep 17 00:00:00 2001 
From: Emery Hemingway Date: Mon, 26 Oct 2020 16:00:08 +0100 Subject: [PATCH 06/21] Remove server7 --- flake.nix | 5 - host-registry.nix | 2 - hosts/hydra/hydra.nix | 13 -- hosts/server7/borgbackup.nix | 10 - hosts/server7/containers/README | 4 - hosts/server7/containers/adc/default.nix | 32 --- hosts/server7/containers/default.nix | 29 --- hosts/server7/containers/hydra7/default.nix | 35 --- hosts/server7/containers/inner-defaults.nix | 8 - .../server7/containers/mpd-index/default.nix | 33 --- hosts/server7/containers/ncdc/default.nix | 29 --- hosts/server7/containers/nfs/default.nix | 23 -- hosts/server7/containers/outer-defaults.nix | 10 - hosts/server7/containers/samba/default.nix | 45 ---- hosts/server7/containers/storage/default.nix | 75 ------- hosts/server7/default.nix | 210 ------------------ hosts/server7/hardware-configuration.nix | 179 --------------- hosts/server7/hydra.nix | 49 ---- hosts/server7/hydra.svg | 163 -------------- hosts/server7/nix-serve.nix | 28 --- hosts/server7/yggdrasil-prefix.nix | 27 --- lib/default.nix | 27 +-- 22 files changed, 1 insertion(+), 1035 deletions(-) delete mode 100644 hosts/server7/borgbackup.nix delete mode 100644 hosts/server7/containers/README delete mode 100644 hosts/server7/containers/adc/default.nix delete mode 100644 hosts/server7/containers/default.nix delete mode 100644 hosts/server7/containers/hydra7/default.nix delete mode 100644 hosts/server7/containers/inner-defaults.nix delete mode 100644 hosts/server7/containers/mpd-index/default.nix delete mode 100644 hosts/server7/containers/ncdc/default.nix delete mode 100644 hosts/server7/containers/nfs/default.nix delete mode 100644 hosts/server7/containers/outer-defaults.nix delete mode 100644 hosts/server7/containers/samba/default.nix delete mode 100644 hosts/server7/containers/storage/default.nix delete mode 100644 hosts/server7/default.nix delete mode 100644 hosts/server7/hardware-configuration.nix delete mode 100644 hosts/server7/hydra.nix delete mode 100644 
hosts/server7/hydra.svg delete mode 100644 hosts/server7/nix-serve.nix delete mode 100644 hosts/server7/yggdrasil-prefix.nix diff --git a/flake.nix b/flake.nix index 0d7f5fd1..37de9d59 100644 --- a/flake.nix +++ b/flake.nix @@ -31,11 +31,6 @@ system = "aarch64-linux"; }; - server7 = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; - system = "x86_64-linux"; - }; - }; nixosModules.c3d2 = import ./lib; diff --git a/host-registry.nix b/host-registry.nix index f26044ba..f8135a4f 100644 --- a/host-registry.nix +++ b/host-registry.nix @@ -59,8 +59,6 @@ rec { ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw= ''; }; - server7.publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiDm1b0NubTtcE9NuKrIpEOea5oS/yCW0Ncoaf/w3uy"; storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"; }; diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index f00d958f..5864ec7e 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -3,26 +3,13 @@ { nix = { binaryCaches = [ - "https://cache.server7.hq.c3d2.de" "https://cache.nixos.org" - "https://cache.dhall-lang.org" ]; binaryCachePublicKeys = [ - "cache.server7.hq.c3d2.de:x8JLRG26zRZ8ysYZLEkPxuAYuK1VSJi/aMAEIs2Lv+U=" - "cache.dhall-lang.org:I9/H18WHd60olG5GsIjolp7CtepSgJmM2CsO813VTmM=" ]; extraOptions = '' allowed-uris = http:// https:// ''; - buildMachines = [{ - hostName = "server7.hq"; - sshUser = "hydra"; - sshKey = "/var/lib/hydra/queue-runner/id_rsa"; - system = "x86_64-linux"; - speedFactor = 2; - supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; - maxJobs = 8; - }]; }; services.hydra = { diff --git a/hosts/server7/borgbackup.nix b/hosts/server7/borgbackup.nix deleted file mode 100644 index 0801a910..00000000 --- a/hosts/server7/borgbackup.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ config, ... }: - -{ - services.borgbackup.repos.emery = { - allowSubRepos = true; - authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys; - path = "/srv/ceph/c3d2/backups/emery"; - quota = "200G"; - }; -} diff --git a/hosts/server7/containers/README b/hosts/server7/containers/README deleted file mode 100644 index 2930672f..00000000 --- a/hosts/server7/containers/README +++ /dev/null @@ -1,4 +0,0 @@ -Each directory containing a file "default.nix" is -evulated as a container guest configuration. - -See ./default.nix for the implementation. diff --git a/hosts/server7/containers/adc/default.nix b/hosts/server7/containers/adc/default.nix deleted file mode 100644 index 365f3b37..00000000 --- a/hosts/server7/containers/adc/default.nix +++ /dev/null @@ -1,32 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ]; - - c3d2.hq.yggdrasil.enableGateway = true; - - networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; - - networking.interfaces.eth0.ipv6.addresses = [{ - address = "310:5217:69c0:9afc:0:576d:1184:c3d2"; - prefixLength = 64; - }]; # Old address used by some clients - - services.uhub = { - enable = true; - enableTLS = false; - hubConfig = '' - hub_name=c3d2 - hub_description=<<> - ''; - plugins.history.enable = true; - plugins.welcome = { - enable = true; - motd = config.users.motd; - }; - }; - - }; - -} diff --git a/hosts/server7/containers/default.nix b/hosts/server7/containers/default.nix deleted file mode 100644 index e26eb748..00000000 --- a/hosts/server7/containers/default.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ lib, ... }: - -let - containerFunc = name: - # Generate a container expression from the directory at `name`. - { - inherit name; - value = import (./. + "/${name}") name; - }; - - containerDir = builtins.readDir ../containers; - containerSubdirs = - lib.filterAttrs (_: kind: kind == "directory") containerDir; - containerNames = builtins.attrNames containerSubdirs; - - containers = builtins.listToAttrs (map containerFunc containerNames); - -in { - boot.enableContainers = true; - inherit containers; - - imports = [ ../../../lib/lxc ]; - lxc.containers = { - trivial = { - nixos-config = "/tmp/trivial.nix"; - lxc = { }; - }; - }; -} diff --git a/hosts/server7/containers/hydra7/default.nix b/hosts/server7/containers/hydra7/default.nix deleted file mode 100644 index 5ad2522b..00000000 --- a/hosts/server7/containers/hydra7/default.nix +++ /dev/null @@ -1,35 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - ephemeral = true; - - config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ]; - c3d2.hq.yggdrasil.enableGateway = true; - networking.firewall.enable = false; - networking.interfaces.eth0.useDHCP = true; - security.acme = { - acceptTerms = true; - email = "mail@c3d2.de"; - }; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - "hydra7.hq.c3d2.de" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://172.22.99.245:3000"; - }; - "hydra7.y.c3d2.de" = { - default = true; - addSSL = false; - locations."/".proxyPass = "http://172.22.99.245:3000"; - }; - }; - }; - }; - -} diff --git a/hosts/server7/containers/inner-defaults.nix b/hosts/server7/containers/inner-defaults.nix deleted file mode 100644 index 1f333307..00000000 --- a/hosts/server7/containers/inner-defaults.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: { - imports = [ ../../../lib ]; - c3d2 = { - isInHq = true; - mapHqHosts = true; - hq.interface = "eth0"; - }; -} 
diff --git a/hosts/server7/containers/mpd-index/default.nix b/hosts/server7/containers/mpd-index/default.nix deleted file mode 100644 index c84d0b54..00000000 --- a/hosts/server7/containers/mpd-index/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - bindMounts."/mnt/music" = { - hostPath = "/srv/ceph/c3d2/rpool/Music"; - isReadOnly = true; - }; - - config = { config, pkgs, lib, ... }: - - { - imports = [ ../inner-defaults.nix ]; - - services.mpd = { - enable = true; - network.listenAddress = "any"; - musicDirectory = "/mnt/music"; - extraConfig = '' - default_permissions "read,add,control,admin" - - audio_output { - type "null" - name "My Null Output" - } - - filesystem_charset "UTF-8" - ''; - }; - - }; - -} diff --git a/hosts/server7/containers/ncdc/default.nix b/hosts/server7/containers/ncdc/default.nix deleted file mode 100644 index 4fdd3bdf..00000000 --- a/hosts/server7/containers/ncdc/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - bindMounts."/srv/ceph/c3d2" = { - hostPath = "/srv/ceph/c3d2"; - isReadOnly = true; - }; - - config = { config, pkgs, lib, ... }: - let ncdcPort = 1512; - in { - imports = [ ../inner-defaults.nix ]; - - c3d2 = { - users.k-ot = true; - hq.statistics.enable = true; - hq.yggdrasil.enableGateway = true; - }; - - services.openssh.enable = true; - programs.mosh.enable = true; - - environment.systemPackages = with pkgs; [ tmux ncdc ]; - - networking.firewall.enable = false; - }; - -} diff --git a/hosts/server7/containers/nfs/default.nix b/hosts/server7/containers/nfs/default.nix deleted file mode 100644 index f4047864..00000000 --- a/hosts/server7/containers/nfs/default.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - bindMounts."/srv/nfs" = { - hostPath = "/srv/ceph/c3d2/nfs"; - isReadOnly = true; - }; - - config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ]; - - c3d2.hq.statistics.enable = true; - - services.nfs.server = { - enable = true; - exports = "/srv/nfs *(rw)"; - }; - - networking.firewall.enable = false; - }; - -} diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix deleted file mode 100644 index f168c4f4..00000000 --- a/hosts/server7/containers/outer-defaults.nix +++ /dev/null @@ -1,10 +0,0 @@ -name: - -let yggaddr = import ../../../lib/server7-yggaddr.nix; -in { - # These the container defaults from the perspective of the host. - - autoStart = true; - privateNetwork = true; - hostBridge = "br0"; -} diff --git a/hosts/server7/containers/samba/default.nix b/hosts/server7/containers/samba/default.nix deleted file mode 100644 index 9e1f9093..00000000 --- a/hosts/server7/containers/samba/default.nix +++ /dev/null @@ -1,45 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - bindMounts."/srv/files" = { - hostPath = "/srv/ceph/c3d2/files"; - isReadOnly = true; - }; - - config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ]; - - c3d2.hq.statistics.enable = true; - - networking = { - useDHCP = false; - interfaces.eth0.useDHCP = true; - }; - - services.samba = { - enable = true; - enableNmbd = true; - extraConfig = '' - workgroup = HQ - server string = storage - netbios name = storage - hosts allow = 172.20.0.0/14 127.0.0.0/8 - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = Bad user - ''; - shares = { - c3d2 = { - path = "/srv/files"; - browseable = "yes"; - "read only" = "yes"; - "guest ok" = "yes"; - }; - }; - }; - - networking.firewall.enable = false; - }; - -} 
diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix deleted file mode 100644 index fbdb2a90..00000000 --- a/hosts/server7/containers/storage/default.nix +++ /dev/null @@ -1,75 +0,0 @@ -name: - -(import ../outer-defaults.nix name) // { - - bindMounts."/srv/c3d2" = { - hostPath = "/srv/ceph/c3d2"; - isReadOnly = false; - }; - - config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ]; - - c3d2 = { - users.k-ot = true; - hq.statistics.enable = true; - hq.yggdrasil.enableGateway = true; - }; - - services.openssh = { - enable = true; - allowSFTP = true; - }; - - environment.systemPackages = with pkgs; [ git borgbackup ]; - - services.nginx = { - enable = true; - package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ fancyindex ]; - }; - virtualHosts = { - "storage-ng.hq.c3d2.de".extraConfig = '' - server_name storage-ng.hq.c3d2.de; - return 301 $scheme://storage.hq.c3d2.de$request_uri; - ''; - - "storage.hq.c3d2.de" = { - default = true; - http2 = true; - # addSSL = true; - locations = { - "/" = let authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; - in { - alias = "/srv/c3d2/files/"; - extraConfig = '' - auth_basic "Chaos"; - auth_basic_user_file ${authFile}; - fancyindex on; - # autoindex on; - dav_access all:r; - ''; - }; - }; - }; - }; - }; - - networking.interfaces.eth0 = { - ipv4 = { - addresses = [{ - address = "172.22.99.20"; - prefixLength = 24; - }]; - routes = [{ - address = "0.0.0.0"; - prefixLength = 0; - via = "172.22.99.1"; - }]; - }; - }; - - networking.firewall.enable = false; - }; - -} diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix deleted file mode 100644 index 3c6ba082..00000000 --- a/hosts/server7/default.nix +++ /dev/null 
@@ -1,210 +0,0 @@ -{ config, pkgs, lib, ... }: - -let yggaddr = import ../../lib/server7-yggaddr.nix; -in { - imports = [ - ../../lib - ../../lib/default-gateway.nix - ./borgbackup.nix - ./containers - ./hardware-configuration.nix - ./hydra.nix - ./nix-serve.nix - ]; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - - security.acme = { - email = "mail@c3d2.de"; - acceptTerms = true; - }; - - c3d2 = { - users = { - emery = true; - windsleep = true; - }; - isInHq = true; - mapHqHosts = true; - hq = { - interface = "br0"; - statistics.enable = true; - }; - }; - - fileSystems."/srv/ceph" = { - #device = "172.22.99.13:6789:/"; - device = "172.20.72.55:6789,172.20.72.56:6789,172.20.72.53:6789:/"; - fsType = "ceph"; - options = [ - "name=storage2" - "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw==" - "noatime,_netdev" - "noauto" - "x-systemd.automount" - "x-systemd.device-timeout=175" - "users" - ]; - }; - - fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; }; - - # Route IPv6 - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - # Obtain global IPv6 despite being a router myself - boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2; - - services.yggdrasil = { - enable = true; - configFile = "/var/lib/yggdrasil/keys"; - config = { - Peers = [ - - # Deutschland - "tcp://45.11.19.26:5001" - "tcp://82.165.69.111:61216" - "tcp://[2001:8d8:1800:8224::1]:61216" - - # Czechia - "tcp://195.123.245.146:7743" - "tcp://37.205.14.171:46370" - "tcp://[2a03:3b40:fe:ab::1]:46370" - "tcp://[2a05:9403::8b]:7743" - - # Poland - "tcp://176.223.130.120:22632" - "tcp://51.75.44.73:50001" - "tcp://54.37.137.221:37145" - "tcp://[2001:41d0:601:1100::cf2]:37145" - "tcp://n2o.ddns.net:22632" - "tls://54.37.137.221:14987" - "tls://[2001:41d0:601:1100::cf2]:14987" - - ]; - NodeInfo = { - location = "Dresden"; - name = "server7.y.c3d2.de"; - admin = - "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4"; - }; - }; - }; - - 
security.sudo.wheelNeedsPassword = false; - services.openssh = { - enable = true; - passwordAuthentication = false; - # DO NOT CHANGE, KINDERGARTEN IS OVER - }; - - programs.mosh.enable = true; - - nix = { - package = pkgs.nixFlakes; - gc.automatic = true; - optimise.automatic = true; - extraOptions = '' - experimental-features = nix-command flakes ca-references - post-build-hook = ${ - pkgs.writeScript "post-build-sign-paths" '' - #!${pkgs.runtimeShell} - nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS - '' - } - ''; - }; - nixpkgs.overlays = [ - (self: super: { - nix = super.nix // { meta.platforms = lib.platforms.linux; }; - }) - ]; - - virtualisation.docker.enable = true; - - docker-containers.ceph-osd-7 = { - cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ]; - environment = { OSD_DEVICE = "/dev/sdb"; }; - image = "ceph/ceph:v14.2.9"; - log-driver = "journald"; - extraDockerOptions = - [ "--rm" "--net=host" "--ipc=host" "--privileged=true" ]; - volumes = - [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ]; - }; - systemd.services.docker-ceph-osd-7.preStart = - "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all --no-systemd"; - - networking = { - firewall.enable = false; - firewall.trustedInterfaces = [ "br0" ]; - hostName = "server7"; - hostId = "454fe12c"; - useDHCP = false; - bridges.br0.interfaces = [ "enp2s0f0" ]; - interfaces = { - br0 = { - useDHCP = true; - tempAddress = "disabled"; - ipv4.addresses = [{ - address = "172.22.99.245"; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = yggaddr.prefix64 + "::1"; - prefixLength = 64; - }]; - }; - enp2s0f1.useDHCP = false; - }; - }; - - boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0; - boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0; - 
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0; - - environment.systemPackages = with pkgs; [ - tmux - htop - vim - gitMinimal - nixfmt - zfsStable - ]; - - services.collectd.extraConfig = '' - LoadPlugin memory - LoadPlugin processes - LoadPlugin disk - LoadPlugin df - LoadPlugin cpu - LoadPlugin entropy - LoadPlugin load - LoadPlugin swap - LoadPlugin cgroups - LoadPlugin vmem - LoadPlugin interface - ''; - - boot.tmpOnTmpfs = true; - - # Use the systemd-boot EFI boot loader. - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - time.timeZone = "Europe/Berlin"; - - system.stateVersion = "19.09"; # Did you read the comment? - - users.extraUsers.hydra.openssh.authorizedKeys.keys = [ - # allow the old hydra to build here - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra" - ]; - - services.dhcpd4 = { - enable = false; - interfaces = [ "br0" ]; - extraConfig = "not authoritative;"; - }; -} diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix deleted file mode 100644 index 0f87d7fa..00000000 --- a/hosts/server7/hardware-configuration.nix +++ /dev/null 
@@ -1,179 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - - boot.initrd.availableKernelModules = - [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; - fsType = "ext4"; - }; - - fileSystems."/var/lib/ceph/osd/ceph-7" = { - device = "tmpfs"; - fsType = "tmpfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/9812-00B2"; - fsType = "vfat"; - }; - - fileSystems."/nvme0n1" = { - device = "nvme0n1"; - fsType = "zfs"; - }; - - fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { - device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; - fsType = "zfs"; - }; - - fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { - device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/zones/archive" = { - device = "nvme0n1/archive"; - fsType = "zfs"; - }; - - fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { - device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; - fsType = "zfs"; - }; - - fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { - device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; - fsType = "zfs"; - }; - - fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = { - device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f"; - fsType = "zfs"; - }; - - fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { - device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - - 
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { - device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; - fsType = "zfs"; - }; - - fileSystems."/zones/global/cores" = { - device = "nvme0n1/cores/global"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de" = { - device = "nvme0n1/c3d2.de"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { - device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { - device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { - device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = { - device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { - device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { - device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = { - device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { - device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = { - device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { - device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = { - device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43"; - fsType = "zfs"; - }; - 
- fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { - device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { - device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/admin" = { - device = "nvme0n1/c3d2.de/admin"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { - device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/templates" = { - device = "nvme0n1/c3d2.de/templates"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { - device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/iso" = { - device = "nvme0n1/c3d2.de/iso"; - fsType = "zfs"; - }; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 40; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; -} diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix deleted file mode 100644 index 52692b0e..00000000 --- a/hosts/server7/hydra.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - services.hydra-dev = { - enable = true; - debugServer = true; - extraEnv.HYDRA_DEBUG = "1"; - hydraURL = "https://server7.hq.c3d2.de"; - logo = ./hydra.svg; - notificationSender = "hydra@spam.works"; - # package = pkgs.hydra-unstable; - listenHost = "172.22.99.245"; - # listenHost = "*"; - useSubstitutes = true; - minimumDiskFree = 2; - minimumDiskFreeEvaluator = 2; - extraConfig = '' - - authfile = /var/lib/hydra/sotest.auth - - ''; - }; - - nix.trustedUsers = [ "hydra" ]; - - nix.buildMachines = [{ - hostName = "localhost"; - system = "x86_64-linux"; - supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; - maxJobs = 8; - }]; - - nix.binaryCachePublicKeys = - [ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ]; - nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ]; - - services.nginx = { - enable = true; - virtualHosts = { - "server7.hq.c3d2.de" = { - addSSL = true; - enableACME = true; - globalRedirect = "hydra7.hq.c3d2.de"; - }; - }; - }; - - -} diff --git a/hosts/server7/hydra.svg b/hosts/server7/hydra.svg deleted file mode 100644 index d0b05e02..00000000 --- a/hosts/server7/hydra.svg +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - FLAKES diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix deleted file mode 100644 index 13a3739a..00000000 --- a/hosts/server7/nix-serve.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - - services.nix-serve = { - enable = true; - secretKeyFile = "/var/lib/nix-serve.key"; - }; - - services.nginx = { - enable = true; - virtualHosts = let - vhost.locations."/".proxyPass = - "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; - in { - "cache.server7.hq.c3d2.de" = vhost // { - addSSL = true; - enableACME = true; - }; - "nix-serve.y.c3d2.de" = vhost; - }; - }; - -} - 
diff --git a/hosts/server7/yggdrasil-prefix.nix b/hosts/server7/yggdrasil-prefix.nix deleted file mode 100644 index 9d1e0415..00000000 --- a/hosts/server7/yggdrasil-prefix.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, pkgs, lib, ... }: - -let yggaddr = import ../../lib/server7-yggaddr.nix; -in { - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - - networking.interfaces.br0.ipv6.addresses = [{ - address = yggaddr.prefix + ":1"; - prefixLength = 24; - }]; - - services.radvd = { - enable = true; - config = '' - interface enp2s0f1 - { - AdvSendAdvert on; - AdvRouteLifetime 0; - prefix ${yggaddr.prefix}:/64 { - AdvOnLink on; - AdvAutonomous on; - }; - route 200::/7 {}; - }; - ''; - }; -} diff --git a/lib/default.nix b/lib/default.nix index 9724d75a..79583612 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -8,8 +8,6 @@ let hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? - server7Ygg = import ./server7-yggaddr.nix; - # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. toIpv6Address = prefix64: seed: @@ -23,8 +21,6 @@ let # for the HQ networking using a seed string. toHqPrivateAddress = toIpv6Address hqPrefix64; - toServer7Address = toIpv6Address server7Ygg.prefix64; - # toHqPublicAddress = toIpv6Address publicPrefix64; cfg = config.c3d2; @@ -171,10 +167,6 @@ in { name = ip6; value = [ "${hostName}.hq" hostName ]; } - { - name = toServer7Address hostName; - value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ]; - } ] ++ lib.optional (hasAttr "ip4" host) { name = host.ip4; value = [ "${hostName}.hq" hostName ]; 
@@ -202,16 +194,7 @@ in { ipv6.addresses = [{ address = toHqPrivateAddress config.networking.hostName; prefixLength = 64; - }] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) { - address = toServer7Address config.networking.hostName; - prefixLength = 64; - }; - ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) { - address = "200::"; - options.pref = "low"; - prefixLength = 7; - via = server7Ygg.prefix64 + "::1"; - }; + }]; }; }); @@ -282,14 +265,6 @@ in { # Only builds > 19.09 }; - nix = lib.mkIf - (cfg.hq.enableBinaryCache && config.networking.hostName != "server7") { - binaryCaches = [ "https://cache.server7.hq.c3d2.de" ]; - binaryCachePublicKeys = [ - "cache.server7.hq.c3d2.de:x8JLRG26zRZ8ysYZLEkPxuAYuK1VSJi/aMAEIs2Lv+U=" - ]; - }; - services.mpd.extraConfig = lib.mkIf cfg.hq.enableMpdProxy '' database { plugin "proxy" From 3148381e42d347303208454564d53bb8f10950a1 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Mon, 26 Oct 2020 16:00:26 +0100 Subject: [PATCH 07/21] Add cachix to hydra --- hosts/hydra/hydra.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 5864ec7e..7e4580bb 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -4,8 +4,10 @@ nix = { binaryCaches = [ "https://cache.nixos.org" + "https://genodepkgs.cachix.org" ]; binaryCachePublicKeys = [ + "genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw=" ]; extraOptions = '' allowed-uris = http:// https:// From 2bb96335594770458e10da448f613fcf08e512a4 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Mon, 26 Oct 2020 16:06:42 +0100 Subject: [PATCH 08/21] Update flake nixpkgs input to 20.09 --- flake.lock | 63 +++++++++++++++++++++++------------ flake.nix | 3 +- hosts/hydra/configuration.nix | 2 +- 3 files changed, 43 insertions(+), 25 deletions(-) diff --git a/flake.lock b/flake.lock index 67359eb1..44910a7f 100644 --- a/flake.lock +++ b/flake.lock 
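Review bot: Adding `https://genodepkgs.cachix.org` to `binaryCaches` together with its key in `binaryCachePublicKeys` makes every store path signed by that key acceptable on this Hydra host, not only the Genode packages the commit is after, so the key's controller becomes a trusted party for the host's whole closure and nothing in the hunk records that decision. Add a line next to the key such as `# third-party cache trusted host-wide for the Genode jobs; verify the key out-of-band and rotate here if cachix reissues it`, since a key copied from a commit cannot be distinguished from a substituted one. The enclosing `nix = { ... }` set starts before the hunk and continues after the `allowed-uris = http:// https://` context line, which itself permits fetches from any URL during evaluation.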
@@ -3,14 +3,18 @@ "hydra": { "inputs": { "nix": "nix", - "nixpkgs": "nixpkgs_2" + "nixpkgs": [ + "hydra", + "nix", + "nixpkgs" + ] }, "locked": { - "lastModified": 1593509723, - "narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=", + "lastModified": 1603366072, + "narHash": "sha256-9dK7Mx9BZHZTeJ/oolS7nMakVnCdXQlsA2ePWNPhQks=", "owner": "NixOS", "repo": "hydra", - "rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed", + "rev": "be709d450b98a384374228db51c14dc958a3a72a", "type": "github" }, "original": { @@ -18,16 +22,33 @@ "type": "indirect" } }, + "lowdown-src": { + "flake": false, + "locked": { + "lastModified": 1598695561, + "narHash": "sha256-gyH/5j+h/nWw0W8AcR2WKvNBUsiQ7QuxqSJNXAwV+8E=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "1705b4a26fbf065d9574dce47a94e8c7c79e052f", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, "nix": { "inputs": { + "lowdown-src": "lowdown-src", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1592818267, - "narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=", + "lastModified": 1603189103, + "narHash": "sha256-KVS/Z6FzMBOl5XCyOLwfiVoX7G2LQRa9HMGNnJRPCoo=", "owner": "NixOS", "repo": "nix", - "rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221", + "rev": "e0ca98c2071b815578470e280df8fdb750c7e23b", "type": "github" }, "original": { 
@@ -37,41 +58,39 @@ }, "nixpkgs": { "locked": { - "lastModified": 1591633336, - "narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=", + "lastModified": 1602702596, + "narHash": "sha256-fqJ4UgOb4ZUnCDIapDb4gCrtAah5Rnr2/At3IzMitig=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70717a337f7ae4e486ba71a500367cad697e5f09", + "rev": "ad0d20345219790533ebe06571f82ed6b034db31", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-20.03-small", + "ref": "nixos-20.09-small", "type": "indirect" } }, "nixpkgs_2": { "locked": { - "lastModified": 1592263354, - "narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=", - "owner": "NixOS", + "lastModified": 1603722914, + "narHash": "sha256-V3cst4osjvfsrR5Qpk8CYWRFQiGm1Rm4lanjMWooH2o=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "a84b797b28eb104db758b5cb2b61ba8face6744b", + "rev": "e3ce7e1002de96da39e1d59dda97360f456a56ad", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-20.03", - "type": "indirect" + "owner": "nixos", + "ref": "release-20.09", + "repo": "nixpkgs", + "type": "github" } }, "root": { "inputs": { "hydra": "hydra", - "nixpkgs": [ - "hydra", - "nixpkgs" - ] + "nixpkgs": "nixpkgs_2" } } }, diff --git a/flake.nix b/flake.nix index 37de9d59..a669c59f 100644 --- a/flake.nix +++ b/flake.nix @@ -2,8 +2,7 @@ description = "C3D2 NixOS configurations"; inputs = { - nixpkgs.follows = "hydra/nixpkgs"; - # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/release-20.09"; # secrets.url = "git+file:///etc/nixos/secrets"; }; diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index b4b7a87d..4b7116cd 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix @@ -46,7 +46,7 @@ options = "--delete-older-than 14d"; }; sshServe.enable = true; - trustedUsers = [ "root" ]; + trustedUsers = [ "@wheel" ]; }; boot = { From 5f8bdae3a84841f8870123925d6e22cd3a72e78d Mon Sep 17 00:00:00 2001 
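Review bot: Widening `trustedUsers` from `[ "root" ]` to `[ "@wheel" ]` in hosts/hydra/configuration.nix lets every wheel member pass daemon options such as extra substituters, trusted public keys and sandbox settings, which Nix treats as root-equivalent, so this is a group-wide root grant that does not depend on the sudo policy, and it is buried in a commit titled "Update flake nixpkgs input to 20.09". If the aim is to let a few people push to the store, list those accounts explicitly, or keep `root` and use `allowedUsers` for the rest; either way document it, e.g. `# trusted-users are root-equivalent for the nix daemon; keep this list minimal`. The enclosing `nix = { ... }` set begins before the hunk.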
From: Daniel Poelzleithner Date: Wed, 11 Nov 2020 20:13:16 +0100 Subject: [PATCH 09/21] update elastic / logging --- hosts/containers/elastic/configuration.nix | 2 +- hosts/containers/logging/configuration.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/containers/elastic/configuration.nix b/hosts/containers/elastic/configuration.nix index 16f9f8b0..bb16f1d0 100644 --- a/hosts/containers/elastic/configuration.nix +++ b/hosts/containers/elastic/configuration.nix @@ -77,6 +77,6 @@ ''; }; - system.stateVersion = "18.09"; # Did you read the comment? + system.stateVersion = "20.09"; # Did you read the comment? } diff --git a/hosts/containers/logging/configuration.nix b/hosts/containers/logging/configuration.nix index aff727e8..badcdae2 100644 --- a/hosts/containers/logging/configuration.nix +++ b/hosts/containers/logging/configuration.nix @@ -81,6 +81,6 @@ systemd.services.graylog.serviceConfig.Restart = "always"; - system.stateVersion = "19.03"; # Did you read the comment? + system.stateVersion = "20.09"; # Did you read the comment? } From 73b7aa33e645964f8d051fa017210cf2ef4d3062 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Wed, 11 Nov 2020 20:20:44 +0100 Subject: [PATCH 10/21] Revert "Remove storage-ng" This reverts commit babf880949ab30d09205dcff5c6bd8a8b372bd80. --- hosts/storage-ng/configuration.nix | 122 ++++++++++++++++++++ hosts/storage-ng/hardware-configuration.nix | 30 +++++ hosts/storage-ng/www/index.html | 12 ++ 3 files changed, 164 insertions(+) create mode 100644 hosts/storage-ng/configuration.nix create mode 100644 hosts/storage-ng/hardware-configuration.nix create mode 100644 hosts/storage-ng/www/index.html diff --git a/hosts/storage-ng/configuration.nix b/hosts/storage-ng/configuration.nix new file mode 100644 index 00000000..53936185 --- /dev/null +++ b/hosts/storage-ng/configuration.nix 
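Review bot: Raising `system.stateVersion` from 18.09 and 19.03 to 20.09 on the existing elastic and logging containers changes the stateful defaults that option pins (service data layouts and package versions chosen for long-lived services), which is what the trailing `# Did you read the comment?` warns against, and the diff shows no migration of the data underneath. If the containers were not rebuilt from scratch, keep the original values; if they were, say so on the line, e.g. `# 20.09: container re-provisioned from scratch on 2020-11-11`.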
@@ -0,0 +1,122 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, strings, ... }: + +let eth0 = "ens18"; +in { + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ../../lib + ../../lib/hq.nix + ../../lib/shared.nix + ../../lib/default-gateway.nix + ]; + + c3d2 = { + users.k-ot = true; + isInHq = true; + mapHqHosts = true; + hq.interface = eth0; + }; + + hq.yggdrasil = { + enable = true; + interface = eth0; + }; + + boot.loader.systemd-boot.enable = true; + systemd.enableEmergencyMode = false; + + networking = { + hostName = "storage-ng"; + # usePredictableInterfacenames = false; + interfaces.${eth0} = { + ipv4.addresses = [{ + address = "172.22.99.20"; + prefixLength = 24; + }]; + ipv6.addresses = [{ + address = "2a02:8106:208:5201::20"; + prefixLength = 64; + }]; + }; + + defaultGateway.interface = eth0; + + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget + vim + screen + zsh + lftp + lsof + psmisc + gitAndTools.git-annex + gitAndTools.git + tmux + + mpv + iotop + ]; + + services.ceph = { + enable = false; + client.enable = true; + }; + + # fixme, we need a floating ip here + # correct is floating ip 172.22.99.21 + # does not exist yet + + # secretfile does not work :( + + fileSystems."/mnt/cephfs" = { + device = "172.22.99.13:6789:/"; + fsType = "ceph"; + options = [ + "name=storage2" + "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw==" + "noatime,_netdev" + "noauto" + "x-systemd.automount" + "x-systemd.device-timeout=175" + "users" + ]; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ programs.bash.enableCompletion = true; + programs.mtr.enable = true; + # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + services.atftpd = { + enable = true; + root = "/mnt/cephfs/c3d2/tftp"; + }; + + /* # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ + 23 + ]; + networking.firewall.allowedUDPPorts = [ + 69 + ]; + */ + + networking.firewall.enable = false; + + system.stateVersion = "19.03"; # Did you read the comment? + +} diff --git a/hosts/storage-ng/hardware-configuration.nix b/hosts/storage-ng/hardware-configuration.nix new file mode 100644 index 00000000..efaee99a --- /dev/null +++ b/hosts/storage-ng/hardware-configuration.nix @@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/vda1"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/vda3"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/vda2"; } + ]; + + nix.maxJobs = lib.mkDefault 4; +} diff --git a/hosts/storage-ng/www/index.html b/hosts/storage-ng/www/index.html new file mode 100644 index 00000000..46027a62 --- /dev/null +++ b/hosts/storage-ng/www/index.html @@ -0,0 +1,12 @@ + + storage.hq.c3d2.de + +
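Review bot: The cephfs mount in `fileSystems."/mnt/cephfs"` passes the client key as a literal `secret=AQAv...` mount option, so it is written into the generated fstab in the world-readable Nix store (and, depending on the kernel ceph client, may surface in `/proc/mounts`), and with this revert it is again part of git history; treat it as compromised, rotate the `storage2` client key on the Ceph side, and reference it through `secretfile=` pointing at a root-only path outside the store rather than falling back to plaintext as the `# secretfile does not work :(` comment does. Separately, `networking.firewall.enable = false` ships while the intended allowances (TCP 23, UDP 69) sit in a commented-out block, leaving sshd and atftpd reachable unfiltered; re-enable the firewall with `networking.firewall.allowedUDPPorts = [ 69 ];` (plus any TCP ports actually needed) or state why this host runs open. The `in { ... }` body of the file starts on the previous line of the hunk.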

storage-ng

+ services available: + + + \ No newline at end of file From 5d82c3aa017e7c714b8a0c8feb495a40ab6523d0 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Wed, 11 Nov 2020 20:50:30 +0100 Subject: [PATCH 11/21] add user poelzi --- lib/users/poelzi.nix | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 lib/users/poelzi.nix diff --git a/lib/users/poelzi.nix b/lib/users/poelzi.nix new file mode 100644 index 00000000..2ce0b4e5 --- /dev/null +++ b/lib/users/poelzi.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: + +let + keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org" + ]; +in { + + nix.trustedUsers = [ "poelzi" ]; + + programs = { + fish.enable = true; + tmux.enable = true; + }; + + users.users.poelzi = { + isNormalUser = true; + description = "poelzi"; + extraGroups = [ "users" "wheel" ]; + hashedPassword = + "$6$SoesSFadpfcSfEOe$pmkiIMvxTAaEAyqDoZ3a7jk7GZsEXqX1N8r8UvGnaPsb85csX6FC2bwFQyyu8I8QoG/wO85WnHIMMMQAglKSK/"; + openssh.authorizedKeys.keys = keys; + shell = pkgs.fish; + }; + + users.users.root.openssh.authorizedKeys.keys = keys; + + nix.sshServe.keys = keys; +} From b4c5afaeccc05b5b89c467411cbfe5db42d6b3a8 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Wed, 11 Nov 2020 20:50:46 +0100 Subject: [PATCH 12/21] enable sftp on storage-ng --- hosts/storage-ng/configuration.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/storage-ng/configuration.nix b/hosts/storage-ng/configuration.nix index 53936185..d1614d56 100644 --- a/hosts/storage-ng/configuration.nix +++ b/hosts/storage-ng/configuration.nix 
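Review bot: lib/users/poelzi.nix hands the same key root on every host that imports it by three independent routes — `users.users.root.openssh.authorizedKeys.keys = keys`, `extraGroups = [ "users" "wheel" ]` and `nix.trustedUsers = [ "poelzi" ]` — and `nix.sshServe.keys = keys` additionally opens the store over SSH to it, yet none of these grants is explained. A header comment fixing the intended scope would help, e.g. `# Importing this module grants this key direct root SSH, wheel, nix trusted-user and nix-ssh-serve access; import only where that is intended`. The key's leading bytes (`AAAABIw`, public exponent 35) match the format OpenSSH produced before 5.4 around 2010, which suggests it is a decade-old RSA key; confirm its age and size before it becomes a root key fleet-wide.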
@@ -99,7 +99,10 @@ in { # List services that you want to enable: # Enable the OpenSSH daemon. - services.openssh.enable = true; + services.openssh = { + enable = true; + allowSFTP = true; + }; services.atftpd = { enable = true; From 5f073a7394a663b74c42e68e4ea087437358d895 Mon Sep 17 00:00:00 2001 From: Daniel Poelzleithner Date: Thu, 12 Nov 2020 02:31:45 +0100 Subject: [PATCH 13/21] update prometheus --- hosts/containers/prometheus/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/prometheus/configuration.nix b/hosts/containers/prometheus/configuration.nix index 1a8eb98d..bbf693a3 100644 --- a/hosts/containers/prometheus/configuration.nix +++ b/hosts/containers/prometheus/configuration.nix @@ -100,6 +100,6 @@ }; }; - system.stateVersion = "19.03"; # Did you read the comment? + system.stateVersion = "20.09"; # Did you read the comment? } From 633a0e5b8c525fa63693be82583dd7c90cfd8bac Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 19 Nov 2020 17:52:20 +0100 Subject: [PATCH 14/21] glotzbert: revert to krops deployment --- hosts/glotzbert/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index 3d2e0b35..617c5ded 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../lib ]; + imports = [ ]; c3d2 = { users.k-ot = true; From a7c49d0ab3b0d8fff1f4412eb9cb1f61edbe229a Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 19 Nov 2020 17:52:44 +0100 Subject: [PATCH 15/21] krops.nix: upgrade to nixos-20.09 --- krops.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/krops.nix b/krops.nix index 30399369..124ee6d4 100644 --- a/krops.nix +++ b/krops.nix 
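Review bot: Replacing `imports = [ ./hardware-configuration.nix ../../lib ]` with `imports = [ ]` in hosts/glotzbert/configuration.nix leaves the `c3d2 = { users.k-ot = true; ... }` options that follow with no visible module defining them, and drops the hardware scan's `fileSystems` and boot settings; presumably the krops source set supplies these now, but nothing in this hunk says so and an evaluation without them fails. A one-line pointer would spare the next reader the search, e.g. `# hardware-configuration.nix and ../../lib are provided by the krops source for this host (see krops.nix)`. The enclosing attribute set continues past the hunk.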
@@ -5,11 +5,11 @@ let lib = import "${krops}/lib"; pkgs = import "${krops}/pkgs" {}; - hostSource = path: + hostSource = path: nixos-branch: lib.evalSource [ { nixpkgs.git = { - ref = "origin/nixos-20.03"; - url = "https://github.com/NixOS/nixpkgs-channels.git"; + ref = "origin/${nixos-branch}"; + url = "https://github.com/NixOS/nixpkgs.git"; }; nixpkgs-unstable.git = { ref = "origin/master"; @@ -24,7 +24,7 @@ let deployContainer = containerName: host: pkgs.krops.writeDeploy containerName { - source = hostSource "containers/${containerName}"; + source = hostSource "containers/${containerName}" "nixos-20.09"; target = "root@${host}"; }; in { @@ -34,13 +34,13 @@ in { kibana = deployContainer "kibana" "172.20.73.44"; glotzbert = pkgs.krops.writeDeploy "glotzbert" { - source = hostSource "glotzbert"; + source = hostSource "glotzbert" "nixos-20.09"; target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { sudo = true; }; }; pulsebert = pkgs.krops.writeDeploy "pulsebert" { - source = hostSource "pulsebert"; + source = hostSource "pulsebert" "nixos-unstable"; target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { sudo = true; }; From 02887763e7921159378a5f95b1c7e238a4115c52 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 19 Nov 2020 17:53:08 +0100 Subject: [PATCH 16/21] glotzbert: update configuration.nix for 20.09 --- hosts/glotzbert/configuration.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index 617c5ded..daad353e 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -110,10 +110,10 @@ services.xserver.displayManager = { lightdm = { enable = true; - autoLogin = { - enable = true; - user = "k-ot"; - }; + }; + autoLogin = { + enable = true; + user = "k-ot"; }; defaultSession = "gnome-xorg"; }; From 971c267912c6e74285efbac42fb83b568c3f12ab Mon Sep 17 00:00:00 2001 
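Review bot: `hostSource` now tracks `origin/${nixos-branch}` of github.com/NixOS/nixpkgs with no pinned commit, so every deploy evaluates whatever the branch head is at that moment: rollouts are not reproducible between hosts or runs, and the branch head (together with the `nixpkgs-unstable.git` `origin/master` ref in the context lines) becomes the effective trust anchor for deployments that run as root (`sudo = true` on the targets). Pin the ref to a commit hash, or at least record the tradeoff next to it: `# unpinned: each deploy follows the channel branch head; pin to a commit for reproducible rollouts`. Pointing pulsebert at `nixos-unstable` later in the same patch widens the moving-target window further. The `let` block enclosing `hostSource` starts before the hunk.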
From: Astro Date: Sun, 22 Nov 2020 21:26:25 +0100 Subject: [PATCH 17/21] glotzbert: remove stale x11vnc-service.nix --- hosts/glotzbert/x11vnc-service.nix | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 hosts/glotzbert/x11vnc-service.nix diff --git a/hosts/glotzbert/x11vnc-service.nix b/hosts/glotzbert/x11vnc-service.nix deleted file mode 100644 index fbd18c24..00000000 --- a/hosts/glotzbert/x11vnc-service.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ stdenv, pkgs, ... }: - -with pkgs; -stdenv.mkDerivation rec { - name = "x11vnc-service"; - version = "0.0.0"; - src = ./.; - - buildInputs = [ x11vnc ]; - - dontBuild = true; - installPhase = '' - cat > $out/lib/systemd/user/x11vnc.service <<_EOF_ - [Unit] - Description=VNC server - - [Service] - Type=simple - ExecStart=${x11vnc}/bin/x11vnc -shared -forever -passwd k-ot - Restart=on-failure - - _EOF_ - ''; -} From 9a01f098f217bc4ea2e6bc4b6a128e4c677dbca2 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 2 Dec 2020 21:32:22 +0100 Subject: [PATCH 18/21] ticker: update configuration.nix --- .../ticker/configuration.nix | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 hosts/inbert-containers/ticker/configuration.nix diff --git a/hosts/inbert-containers/ticker/configuration.nix b/hosts/inbert-containers/ticker/configuration.nix new file mode 100644 index 00000000..4afba5c3 --- /dev/null +++ b/hosts/inbert-containers/ticker/configuration.nix 
@@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + tickerSrc = builtins.fetchGit { + url = "https://gitea.c3d2.de/astro/ticker.git"; + }; +in +{ boot.isContainer = true; + #boot.loader.initScript.enable = true; + networking.hostName = mkDefault "ticker"; + networking.useDHCP = false; + networking.firewall.allowedTCPPorts = [ 8400 ]; + nix.useSandbox = false; + environment.systemPackages = with pkgs; [ vim git ]; + imports = [ "${tickerSrc}/nixos-module.nix" ]; + services.ticker.updateInterval = "hourly"; + services.ticker.config.calendars = { + c3d2 = { + url = "https://c3d2.de/ical.ics"; + color = "#BFBF3F"; + }; + dresden-science = { + url = "https://www.dresden-science-calendar.de/calendar/de/iCalSync.ics"; + color = "#00007F"; + }; + gruenes-brett = { + url = "https://gruenesbrett.net/events.ics"; + color = "#00BF00"; + }; + stura-htw = { + url = "http://www.stura.htw-dresden.de/events/aggregator/ics_view"; + color = "#BFA73F"; + }; + malobeo = { + url = "https://malobeo.org/events/list/?ical=1&tribe_display=all"; + color = "#FF3F3F"; + }; + hicknhack = { + url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics"; + color = "#A700A7"; + }; + palaissommer = { + url = "https://palaissommer.de/programm/?event=all"; + color = "#BF003F"; + }; + kreta = { + url = "https://www.kreta-dresden.org/kreta.ics"; + color = "#BF3F7F"; + }; + zentralwerk = { + url = "https://ics.teamup.com/feed/ksayh65fgotv2prcas/0.ics"; + color = "#FF3F3F"; + }; + and = { + url = "https://and.notraces.net/events/?ical=1"; + color = "#FF7F00"; + }; + rosenwerk-home = { + url = "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics"; + color = "#BF003F"; + }; + rosenwerk-extern = { + url = "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics"; + color = "#BF002F"; + }; + 
rosenwerk-kultur = { + url = "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics"; + color = "#BF001F"; + }; + haengemathe = { + url = "https://club-haengemathe.de/termine.ics"; + color = "#FF7F3F"; + }; + bitsundbaeumedresden = { + url = "https://dresden.bits-und-baeume.org/termine.ics"; + color = "#3FBF3F"; + }; + }; +} From dcfa8cda5662524716023159683178973429288f Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 3 Dec 2020 16:22:09 +0100 Subject: [PATCH 19/21] public-access-proxy: add error.hq.c3d2.de vhost --- hosts/containers/public-access-proxy/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 8ae8729b..e0a8a7b1 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -42,6 +42,10 @@ hostNames = [ "robots.datenspuren.de" ]; proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; }; } + { + hostNames = [ "error.hq.c3d2.de.de" ]; + proxyTo = { host = "172.20.73.47"; httpPort = 80; httpsPort = 443; }; + } ]; }; From 3475c13a56995a1f143db2d67143154949504ea5 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 3 Dec 2020 16:48:28 +0100 Subject: [PATCH 20/21] public-access-proxy: update haproxy settings to 2.1 --- hosts/containers/public-access-proxy/proxy.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts/containers/public-access-proxy/proxy.nix b/hosts/containers/public-access-proxy/proxy.nix index 5d7d24bc..50692115 100644 --- a/hosts/containers/public-access-proxy/proxy.nix +++ b/hosts/containers/public-access-proxy/proxy.nix @@ -79,7 +79,7 @@ in { frontend http-in bind :::80 v4v6 timeout client 30000 - option http-tunnel + option http-keep-alive default_backend proxy-backend-http backend proxy-backend-http 
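Review bot: `tickerSrc = builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; }` has no `rev` or `ref`, and its `nixos-module.nix` is pulled into `imports`, so anyone who can push to that repository's default branch changes this container's configuration at the next evaluation; pin it, e.g. `tickerSrc = builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; ref = "master"; rev = "<commit>"; };`. The `rosenwerk-extern` URL embeds a Google Calendar private address (`private-8d048bfa…`), which is a bearer secret that is now in git history; move it out of the repo and regenerate the private address on the Google side. `nix.useSandbox = false` is also switched on without a stated reason, so either drop it or add `# unsandboxed builds needed because …` next to it.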
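Review bot: The new vhost in hosts/containers/public-access-proxy/configuration.nix is spelled `error.hq.c3d2.de.de` with a duplicated `.de`, so the generated HAProxy rule matches a Host header that will never arrive and requests for the `error.hq.c3d2.de` named in the commit title are not forwarded to 172.20.73.47 (on the HTTPS path they fall through to whatever the proxy does for unknown names). Change it to `hostNames = [ "error.hq.c3d2.de" ];`.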
@@ -89,8 +89,8 @@ in { mode http option http-server-close option forwardfor - reqadd X-Forwarded-Proto:\ http - reqadd X-Forwarded-Port:\ 80 + http-request add-header X-Forwarded-Proto:\ http + http-request add-header X-Forwarded-Port:\ 80 ${concatMapStringsSep "\n" (proxyHost: optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (hostname: '' @@ -112,8 +112,8 @@ in { timeout check 5000 timeout server 30000 option http-server-close - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 443 + http-request add-header X-Forwarded-Proto:\ https + http-request add-header X-Forwarded-Port:\ 443 ${concatMapStringsSep "\n" (proxyHost: optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (hostname: '' From e66639bad962a229642bcf03c07a1cad23c19688 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 3 Dec 2020 16:52:12 +0100 Subject: [PATCH 21/21] public-access-proxy: fix haproxy conf syntax --- hosts/containers/public-access-proxy/proxy.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts/containers/public-access-proxy/proxy.nix b/hosts/containers/public-access-proxy/proxy.nix index 50692115..f0caa18a 100644 --- a/hosts/containers/public-access-proxy/proxy.nix +++ b/hosts/containers/public-access-proxy/proxy.nix @@ -89,8 +89,8 @@ in { mode http option http-server-close option forwardfor - http-request add-header X-Forwarded-Proto:\ http - http-request add-header X-Forwarded-Port:\ 80 + http-request set-header X-Forwarded-Proto http + http-request set-header X-Forwarded-Port 80 ${concatMapStringsSep "\n" (proxyHost: optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (hostname: '' 
@@ -112,8 +112,8 @@ in { timeout check 5000 timeout server 30000 option http-server-close - http-request add-header X-Forwarded-Proto:\ https - http-request add-header X-Forwarded-Port:\ 443 + http-request set-header X-Forwarded-Proto https + http-request set-header X-Forwarded-Port 443 ${concatMapStringsSep "\n" (proxyHost: optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (hostname: ''