From 61f134d91f55443086a13e7c70c550ecf7a08508 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Thu, 21 May 2020 13:54:09 +0530 Subject: [PATCH 01/50] server7: disable radvd default route Radvd is not enabled, this is for purposes of documentation. --- hosts/server7/yggdrasil-prefix.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/server7/yggdrasil-prefix.nix b/hosts/server7/yggdrasil-prefix.nix index 3aa7271d..349b7811 100644 --- a/hosts/server7/yggdrasil-prefix.nix +++ b/hosts/server7/yggdrasil-prefix.nix @@ -15,6 +15,7 @@ in { interface enp2s0f1 { AdvSendAdvert on; + AdvRouteLifetime 0; prefix ${yggaddr.prefix}:/64 { AdvOnLink on; AdvAutonomous on; From 95b8272413b388add364b33e6d2bcf2e5ba3fce8 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 17:24:56 +0200 Subject: [PATCH 02/50] static ipv4 configuration for containers in the serv subnet --- hosts/containers/deployer/configuration.nix | 3 +++ hosts/containers/dnscache/configuration.nix | 1 + hosts/containers/elastic/configuration.nix | 2 ++ hosts/containers/logging/configuration.nix | 2 ++ hosts/containers/mongo/configuration.nix | 2 ++ hosts/containers/mucbot/configuration.nix | 6 ++---- hosts/containers/scrape/configuration.nix | 3 ++- hosts/containers/spaceapi/configuration.nix | 5 ++--- lib/lxc-container.nix | 3 +++ 9 files changed, 19 insertions(+), 8 deletions(-) diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix index b42e54f3..602b52a4 100644 --- a/hosts/containers/deployer/configuration.nix +++ b/hosts/containers/deployer/configuration.nix @@ -25,6 +25,9 @@ htop ]; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; + networking = { hostName = "deployer"; # usePredictableInterfacenames = false; diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 81530821..1eb399bf 100644 
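Review bot: `AdvRouteLifetime 0;` is placed directly under `interface enp2s0f1 {`, but to my reading of radvd.conf(5) `AdvRouteLifetime` is a route-section option, not an interface option, so radvd's parser would reject it rather than stop advertising the default route. The interface-level knob that does what the commit title says is `AdvDefaultLifetime 0;`. Since the commit says radvd is disabled, nothing breaks today, but the line documents the wrong option for whoever enables it later.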
--- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -22,6 +22,7 @@ networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; networking.defaultGateway = "172.20.73.1"; services.resolved.enable = false; + networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; # Set your time zone. time.timeZone = "Europe/Berlin"; diff --git a/hosts/containers/elastic/configuration.nix b/hosts/containers/elastic/configuration.nix index a7a2fa31..16f9f8b0 100644 --- a/hosts/containers/elastic/configuration.nix +++ b/hosts/containers/elastic/configuration.nix @@ -17,6 +17,8 @@ networking = { hostName = "elastic1"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/logging/configuration.nix b/hosts/containers/logging/configuration.nix index 6b2cc8bc..aff727e8 100644 --- a/hosts/containers/logging/configuration.nix +++ b/hosts/containers/logging/configuration.nix @@ -17,6 +17,8 @@ networking = { hostName = "logging"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/mongo/configuration.nix b/hosts/containers/mongo/configuration.nix index e64e4dbc..8a0e334e 100644 --- a/hosts/containers/mongo/configuration.nix +++ b/hosts/containers/mongo/configuration.nix @@ -18,6 +18,8 @@ networking = { hostName = "mongo"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/mucbot/configuration.nix b/hosts/containers/mucbot/configuration.nix index 4ff67308..32b073e0 100644 --- a/hosts/containers/mucbot/configuration.nix +++ b/hosts/containers/mucbot/configuration.nix 
@@ -12,11 +12,9 @@ in ]; networking.hostName = "mucbot"; - networking.useNetworkd = true; - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; - services.resolved.enable = false; users.users.tigger = { createHome = true; diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index bd174df0..d9e0c187 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -16,7 +16,8 @@ networking.hostName = "scrape"; - networking.useNetworkd = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; # Required for krops services.openssh.enable = true; diff --git a/hosts/containers/spaceapi/configuration.nix b/hosts/containers/spaceapi/configuration.nix index ceb6f4fa..95630a64 100644 --- a/hosts/containers/spaceapi/configuration.nix +++ b/hosts/containers/spaceapi/configuration.nix @@ -13,9 +13,8 @@ in ]; networking.hostName = "spaceapi"; - networking.useNetworkd = true; - networking.useDHCP = lib.mkForce true; - networking.firewall.allowedTCPPorts = [ 3000 3001 ]; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; services.spaceapi = { enable = true; diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index cad10c70..9b0e9ae8 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix 
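Review bot: The spaceapi hunk removes `networking.firewall.allowedTCPPorts = [ 3000 3001 ];` together with the DHCP lines, which is a reachability change, not the static-address change the commit title describes. Unless the module imported from `${spacemsgGit}/spaceapi/module.nix` opens its own ports, the service is now only reachable from the host itself; if closing those ports is intended, say so in the message, otherwise keep the line. The mucbot hunk on this line is fine as far as I can see: its dropped `services.resolved.enable = false;` reappears in `lib/lxc-container.nix`.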
@@ -12,7 +12,10 @@ nix.useSandbox = false; nix.maxJobs = lib.mkDefault 1; nix.buildCores = lib.mkDefault 4; + networking.useNetworkd = true; networking.useDHCP = false; + services.resolved.enable = false; + networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.interfaces.eth0 = { useDHCP = true; From 412bd84abdb8a096c5b90fdac18ead4f1947294b Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 17:53:16 +0200 Subject: [PATCH 03/50] spaceapi: rm default-gateway.nix --- hosts/containers/spaceapi/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/containers/spaceapi/configuration.nix b/hosts/containers/spaceapi/configuration.nix index 95630a64..733b11eb 100644 --- a/hosts/containers/spaceapi/configuration.nix +++ b/hosts/containers/spaceapi/configuration.nix @@ -8,7 +8,6 @@ in [ ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix - ../../../lib/default-gateway.nix "${spacemsgGit}/spaceapi/module.nix" ]; From dcaa7656519acea43d55b406ada306842b6518e8 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 17:56:30 +0200 Subject: [PATCH 04/50] grafana: switch to serv subnet --- hosts/containers/grafana/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index e47ad8d7..2bac20fc 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix @@ -19,6 +19,8 @@ networking.hostName = "grafana"; networking.useNetworkd = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; # http https influxdb networking.firewall.allowedTCPPorts = [ 80 443 8086 ]; From ab38d328b77d7c8e9d31c8a28c77b692c2744827 Mon Sep 17 00:00:00 2001 
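Review bot: The context line `useDHCP = true;` under `networking.interfaces.eth0` stays in force while every container in this commit now gets a static `ipv4.addresses` entry, so eth0 runs a DHCP client next to its static address and a lease's gateway or resolvers can compete with the hard-coded ones. Patch 08 of this series flips it to `false`; it belongs in this commit, which introduces the static addresses. The added `networking.nameservers` list is also still set per host in dnscache and mucbot, and NixOS merges list options, so those hosts end up with the resolvers listed twice; the per-host copies can go once the library sets them.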
From: Astro Date: Fri, 22 May 2020 18:07:39 +0200 Subject: [PATCH 05/50] grafana: switch to serv subnet --- hosts/containers/grafana/configuration.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index 2bac20fc..1778403c 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix @@ -9,11 +9,7 @@ ../../../lib/admins.nix ]; - c3d2 = { - isInHq = true; - hq.interface = "eth0"; - enableHail = true; - }; + c3d2.isInHq = false; services.openssh.enable = true; From 5b6c6a880badf23db369435b69e66c8d095f90d3 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 18:24:23 +0200 Subject: [PATCH 06/50] hq.nixops: update grafana address --- hq.nixops | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hq.nixops b/hq.nixops index e1a0fe49..fdcb6ed0 100644 --- a/hq.nixops +++ b/hq.nixops @@ -8,7 +8,7 @@ hosts/containers/grafana/configuration.nix ]; deployment = { - targetHost = "grafana.hq.c3d2.de"; + targetHost = "grafana.serv.zentralwerk.dn42"; storeKeysOnMachine = true; }; }; From a2f05a16993ec5cc8c27bca66ff7d06ff6ffc4be Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 18:24:37 +0200 Subject: [PATCH 07/50] public-access-proxy: add grafana, kibana --- hosts/containers/public-access-proxy/configuration.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index f403dd03..68027578 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix 
@@ -24,6 +24,14 @@ hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ]; proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; }; } + { + hostNames = [ "grafana.hq.c3d2.de" ]; + proxyTo = { host = "grafana.serv.zentralwerk.org"; httpPort = 80; httpsPort = 443; }; + } + { + hostNames = [ "kibana.hq.c3d2.de" ]; + proxyTo = { host = "kibana.serv.zentralwerk.org"; httpPort = 80; httpsPort = 443; }; + } ]; }; From 505ba041784f0fc43a1fa7d8547d3b504b0b73dc Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 18:34:09 +0200 Subject: [PATCH 08/50] lxc-container: don;t useDHCP by default --- lib/lxc-container.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index 9b0e9ae8..e06881ce 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix @@ -18,7 +18,7 @@ networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.interfaces.eth0 = { - useDHCP = true; + useDHCP = false; preferTempAddress = false; }; systemd.network.networks."40-eth0" = { From d90d5f428dac72968cbdbc8c0b5977133737b5e0 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 18:34:26 +0200 Subject: [PATCH 09/50] grafana: close signup --- hosts/containers/grafana/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index 1778403c..cc2e77ec 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix @@ -37,7 +37,7 @@ enable = true; org_name = "Chaos"; }; - users.allowSignUp = true; + users.allowSignUp = false; }; services.influxdb = let collectdTypes = pkgs.stdenv.mkDerivation { From f80c07aaa3dd41be648cc81a76cdf54d0f578f4e Mon Sep 17 00:00:00 2001 
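Review bot: `users.allowSignUp = false;` stops new self-registration but does nothing about accounts created while signup was open, so the existing user list should be reviewed in the same change. Grafana is now reachable from the internet through public-access-proxy as `grafana.hq.c3d2.de` (patch 07), which makes that review, and a look at any anonymous-access setting elsewhere in this file, more pressing than when it sat only on the HQ network. A one-line comment such as `# public behind public-access-proxy; registration closed, accounts managed by admins` would record the decision.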
From: Astro Date: Fri, 22 May 2020 19:07:07 +0200 Subject: [PATCH 10/50] public-access-proxy: move to serv subnet --- hosts/containers/public-access-proxy/configuration.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 68027578..67f771e2 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -9,13 +9,15 @@ [ ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix - ../../../lib/default-gateway.nix ./proxy.nix ]; networking.hostName = "public-access-proxy"; networking.useNetworkd = true; - networking.dhcpcd.enable = lib.mkForce true; + networking.interfaces.eth0 = { + ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ]; + }; + networking.defaultGateway = "172.20.73.1"; my.services.proxy = { enable = true; From 449ec34f0f94cdb1ee1497ef15abe393b2e34618 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 19:09:47 +0200 Subject: [PATCH 11/50] hq.nixops: update public-access-proxy address --- hq.nixops | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hq.nixops b/hq.nixops index fdcb6ed0..f90336ee 100644 --- a/hq.nixops +++ b/hq.nixops @@ -44,7 +44,7 @@ hosts/containers/public-access-proxy/configuration.nix ]; deployment = { - targetHost = "2a02:8106:208:5201:1024:5fff:febd:9be7"; + targetHost = "172.20.73.45"; storeKeysOnMachine = true; }; }; From c3beabc3630d7baafada1bf2f9bec82390fd9f77 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 19:11:41 +0200 Subject: [PATCH 12/50] public-access-proxy: fix addresses --- hosts/containers/public-access-proxy/configuration.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 67f771e2..2f652b2e 100644 
--- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -28,11 +28,7 @@ } { hostNames = [ "grafana.hq.c3d2.de" ]; - proxyTo = { host = "grafana.serv.zentralwerk.org"; httpPort = 80; httpsPort = 443; }; - } - { - hostNames = [ "kibana.hq.c3d2.de" ]; - proxyTo = { host = "kibana.serv.zentralwerk.org"; httpPort = 80; httpsPort = 443; }; + proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; } ]; }; From 672c8e5b13bdfe3eec88a0ebac387237fe65b97c Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 22 May 2020 20:30:30 +0200 Subject: [PATCH 13/50] public-access-proxy: add kibana.hq.c3d2.de --- hosts/containers/public-access-proxy/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 2f652b2e..231d05d7 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -30,6 +30,10 @@ hostNames = [ "grafana.hq.c3d2.de" ]; proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; } + { + hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ]; + proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; + } ]; }; From d69eee2b75a2191a6b47be27d3380fe0441a44ca Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 23 May 2020 01:17:16 +0200 Subject: [PATCH 14/50] containers/kibana: init --- hosts/containers/kibana/configuration.nix | 66 +++++++++++++++++++++++ krops.nix | 1 + 2 files changed, 67 insertions(+) create mode 100644 hosts/containers/kibana/configuration.nix diff --git a/hosts/containers/kibana/configuration.nix b/hosts/containers/kibana/configuration.nix new file mode 100644 index 00000000..cd71c8f7 --- /dev/null +++ b/hosts/containers/kibana/configuration.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + + + + + ]; + + networking.hostName = "kibana"; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + # Required for krops + services.openssh.enable = true; + environment.systemPackages = [ pkgs.git ]; + + nixpkgs.config.allowUnfree = true; + services.elasticsearch = { + enable = true; + package = pkgs.elasticsearch7; + }; + services.kibana = { + enable = true; + package = pkgs.kibana7; + }; + + security.acme = { + acceptTerms = true; + email = "mail@c3d2.de"; + }; + services.nginx = + let + authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; + vhost = url: { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = url; + extraConfig = '' + auth_basic "Chaos"; + auth_basic_user_file ${authFile}; + ''; + }; + }; + in + { + enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "kibana.hq.c3d2.de" = + vhost "http://localhost:${toString config.services.kibana.port}"; + "kibana-es.hq.c3d2.de" = + vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}"; + }; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "20.03"; # Did you read the comment? +} diff --git a/krops.nix b/krops.nix index 6e31df4d..daa1759c 100644 --- a/krops.nix +++ b/krops.nix @@ -31,4 +31,5 @@ in { scrape = deployContainer "scrape" "172.20.73.32"; ledstripes = deployContainer "ledstripes" "172.22.99.168"; freifunk = deployContainer "freifunk" "172.20.72.40"; + kibana = deployContainer "kibana" "172.20.73.44"; } From ef2f20658c70426676af891663dbd240c15135e4 Mon Sep 17 00:00:00 2001 
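Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:…";` commits the basic-auth credential to the repository and writes it into the world-readable Nix store of the kibana host, and the 13-character hash looks like traditional crypt(), which is cheap to brute-force and silently truncates passwords to 8 characters. Keep the htpasswd out of the store by pointing `auth_basic_user_file` at a root-only file deployed separately (the `secrets` submodule bumped in patches 19–21 looks like the existing mechanism), and regenerate it with `htpasswd -B` (bcrypt, if the host's crypt(3) accepts it) or at least `-m` (apr1). Separately, `"kibana-es.hq.c3d2.de"` proxies the Elasticsearch REST API itself to the internet behind the same shared password, which grants full read/write/admin on the cluster to every holder of that password; if only Kibana needs to be public, drop that vhost, or restrict it with `limit_except GET { deny all; }`. The `kibana` entry added to `krops.nix` on this line is fine.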
From: Astro Date: Sat, 23 May 2020 02:35:16 +0200 Subject: [PATCH 15/50] kibana: tidy proxy url --- hosts/containers/kibana/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/kibana/configuration.nix b/hosts/containers/kibana/configuration.nix index cd71c8f7..9a30e5da 100644 --- a/hosts/containers/kibana/configuration.nix +++ b/hosts/containers/kibana/configuration.nix @@ -52,7 +52,7 @@ recommendedProxySettings = true; virtualHosts = { "kibana.hq.c3d2.de" = - vhost "http://localhost:${toString config.services.kibana.port}"; + vhost "http://127.0.0.1:${toString config.services.kibana.port}"; "kibana-es.hq.c3d2.de" = vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}"; }; From d6842d607ffe442191eda2bbec06969f171654b8 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 23 May 2020 02:35:29 +0200 Subject: [PATCH 16/50] update grafana influxdb address --- hosts/containers/dnscache/configuration.nix | 2 +- lib/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 1eb399bf..dfda2a35 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -218,7 +218,7 @@ Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}" ''; network = '' - Server "grafana.hq.c3d2.de" "25826" + Server "grafana.serv.zentralwerk.dn42" "25826" ''; }; extraConfig = '' diff --git a/lib/default.nix b/lib/default.nix index 505a6ab1..0ee90201 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -257,7 +257,7 @@ in { File STDOUT ''; network = '' - Server "grafana.hq.c3d2.de" "25826" + Server "grafana.serv.zentralwerk.dn42" "25826" ''; memory = ""; processes = ""; From 243406e499dfed4c4dcc1a547adea9a93887c079 Mon Sep 17 00:00:00 2001 
From: Astro Date: Sun, 24 May 2020 01:34:00 +0200 Subject: [PATCH 17/50] dn42: remove obsolete quagga pkg --- hosts/containers/dn42/configuration.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 01a49504..437140bd 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -30,8 +30,6 @@ in { environment.systemPackages = with pkgs; [ vim - # for `vtysh` - quagga ]; # SSH for nixops From 8a97a1c08a655f8244aab5a3faff934aecd117dd Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 02:05:51 +0200 Subject: [PATCH 18/50] dn42: DRY address6 --- hosts/containers/dn42/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 437140bd..07dae647 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -61,7 +61,7 @@ in { secret ${keyfile name} ''; up = '' - ${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1 + ${pkgs.iproute}/bin/ip a a ${address6}/64 dev $1 ''; }; in { From 9e211c4a47a3f7854ef20cb2996ebee8e886fbc1 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 14:41:24 +0200 Subject: [PATCH 19/50] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index eb06c122..5cbeab68 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit eb06c122762133b7831475615b1a3b039eaa389e +Subproject commit 5cbeab68b226c8cac6e439bd06af80252411a147 From 97557e3a66d08a23ed54b25272e0ea85627ad0e6 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 14:51:00 +0200 Subject: [PATCH 20/50] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 5cbeab68..b106cae1 160000 --- a/secrets +++ b/secrets 
@@ -1 +1 @@ -Subproject commit 5cbeab68b226c8cac6e439bd06af80252411a147 +Subproject commit b106cae1876c49bf31875b7b77e85a1a9c0beae8 From c251ad57c0e447fbb596726433d8191d38220753 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 15:18:27 +0200 Subject: [PATCH 21/50] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index b106cae1..e5260f30 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit b106cae1876c49bf31875b7b77e85a1a9c0beae8 +Subproject commit e5260f30341bdb390fc8d732120b86557afdd30c From e967ee77cbad98529ddd535581562bb32d008285 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 18:37:06 +0200 Subject: [PATCH 22/50] dn42: fix tun interfaces --- hosts/containers/dn42/configuration.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 07dae647..eb52ddf6 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -39,6 +39,12 @@ in { # No Firewalling! networking.firewall.enable = false; + boot.postBootCommands = '' + if [ ! -c /dev/net/tun ]; then + mkdir -p /dev/net + mknod -m 666 /dev/net/tun c 10 200 + fi + ''; services.openvpn = let openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; @@ -61,7 +67,9 @@ in { secret ${keyfile name} ''; up = '' - ${pkgs.iproute}/bin/ip a a ${address6}/64 dev $1 + ${pkgs.iproute}/bin/ip addr flush dev $1 + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 + ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 ''; }; in { From c45a087dfd192a8da324390409b8ef2556849d17 Mon Sep 17 00:00:00 2001 
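Review bot: The new `up` script mixes `$1` and `${name}` for the tunnel device: `ip addr flush dev $1` and the v6 line use the device name OpenVPN passes as the first argument, while `ip addr add ${address4} dev ${name} peer …` uses the attribute name, so the two diverge as soon as the openvpn `dev` setting and the attr name differ. Use `dev $1` on all three lines. The surrounding `let` that defines `address4`, `address6` and `keyfile` starts outside the hunk; `mknod -m 666 /dev/net/tun` matches the mode systemd's default udev rules give the device on a normal host, so that part reads fine.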
From: Astro Date: Sun, 24 May 2020 21:58:13 +0200 Subject: [PATCH 23/50] freifunk: update to accommodate sysinfo changes in ffdd-server.git --- hosts/containers/freifunk/configuration.nix | 1 + hosts/containers/freifunk/sysinfo-json.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index a9c8b65f..ee45669d 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -154,6 +154,7 @@ in { timerConfig.OnCalendar = "daily"; }; + environment.etc."freifunk-server-version".text = "Custom NixOS configuration: 0.0.0"; # Refresh sysinfo.json systemd.services.sysinfo-json = { script = '' diff --git a/hosts/containers/freifunk/sysinfo-json.nix b/hosts/containers/freifunk/sysinfo-json.nix index 3aafe3c2..d374b5a0 100644 --- a/hosts/containers/freifunk/sysinfo-json.nix +++ b/hosts/containers/freifunk/sysinfo-json.nix @@ -56,7 +56,7 @@ stdenv.mkDerivation { --replace awk ${gawk}/bin/awk '' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList ( - var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n" + var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n" ) nvram); installPhase = '' pwd From e5c1afdb6c2e9e8cc7c1323871f1f7784319b779 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 22:32:10 +0200 Subject: [PATCH 24/50] dnscache: allow query by freifunk range --- hosts/containers/dnscache/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index dfda2a35..8986091d 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix 
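Review bot: In the `sysinfo-json.nix` hunk the replacement is interpolated as `'${value}'` while the search string goes through `lib.strings.escapeShellArg`; a value containing a single quote breaks the generated shell line, and the asymmetry reads as an oversight. `--replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} ${lib.strings.escapeShellArg value}` treats both sides the same. The `nvram` attrset that supplies the values is outside the hunk, so this may be harmless today, but it costs nothing.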
@@ -74,6 +74,7 @@ "::1/128" "172.20.72.0/21" "10.0.0.0/24" + "10.200.0.0/15" "172.22.99.0/24" "127.0.0.0/8" ]; From 9de52f1c4f230e524a7224164d1428d94c4db411 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 24 May 2020 22:33:07 +0200 Subject: [PATCH 25/50] freifunk: forward port 53 --- hosts/containers/freifunk/configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index ee45669d..d8dcdad6 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -51,6 +51,15 @@ in { \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart} set -e ''; + forwardPorts = [ { + destination = "172.20.73.8"; + proto = "udp"; + sourcePort = 53; + } { + destination = "172.20.73.8"; + proto = "tcp"; + sourcePort = 53; + } ]; }; # Configure rt_table name networking.iproute2 = { From 39562676b2298d2ac50bda5a1c6e9d446abfc995 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 3 Jun 2020 17:20:18 +0200 Subject: [PATCH 26/50] scrape: add freifunk node 1099 --- hosts/containers/scrape/configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index d9e0c187..1c931b08 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -80,6 +80,10 @@ script = "freifunk_node"; host = "10.200.7.80"; }; + scrape-node1099 = makeService { + script = "freifunk_node"; + host = "10.200.4.80"; + }; }; systemd.timers.scrape-xeri = { partOf = [ "scrape-xeri.service" ]; 
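Review bot: Adding `"10.200.0.0/15"` to this list opens recursive resolution to the whole Freifunk mesh range, a network this host does not control, in the same series that forwards the mesh's port 53 here (patch 25); the hunk carries no context, so I am assuming the list is the resolver's access-control. That is presumably intended, but a resolver serving a foreign /15 wants a query rate limit — unbound's `ratelimit:` / `ip-ratelimit:` if this is unbound, as the `unboundScript` reference elsewhere in this file suggests — and a comment naming why the range is there, e.g. `# Freifunk mesh, DNS forwarded by the freifunk container`.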
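Review bot: Both `forwardPorts` entries give `destination = "172.20.73.8"` without a port, whereas `networking.nat.forwardPorts.*.destination` is documented as `ip:port`. iptables keeps the original port when `--to-destination` carries none, so 53→53 works, but as far as I recall the nat module's loopback handling parses the value strictly, and the bare form is easy to misread; `destination = "172.20.73.8:53";` is the explicit form for both entries. The enclosing `networking.nat` block starts outside the hunk, so I cannot see which interface these rules are bound to.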
@@ -131,6 +135,11 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; + systemd.timers.scrape-node1099 = { + partOf = [ "scrape-node1099.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database From 30b5584555cd29b34564f904886df386b8d9d976 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 4 Jun 2020 01:18:06 +0200 Subject: [PATCH 27/50] scrape: DRY --- hosts/containers/scrape/configuration.nix | 123 +++++++--------------- 1 file changed, 39 insertions(+), 84 deletions(-) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index 1c931b08..92335529 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -1,6 +1,16 @@ { config, pkgs, lib, ... }: -{ +let + freifunkNodes = { + "1139" = "10.200.4.120"; + "1487" = "10.200.5.213"; + "1884" = "10.200.7.100"; + "1891" = "10.200.7.107"; + "1768" = "10.200.6.239"; + "1176" = "10.200.7.80"; + "1099" = "10.200.4.80"; + }; +in { imports = [ @@ -36,6 +46,13 @@ xeriLogin = import ; fhemLogin = import ; matematLogin = import ; + makeNodeScraper = nodeId: { + name = "scrape-node${nodeId}"; + value = makeService { + script = "freifunk_node"; + host = freifunkNodes.${nodeId}; + }; + }; in { scrape-xeri = makeService { script = "xerox"; 
@@ -56,90 +73,28 @@ host = "matemat.hq.c3d2.de"; inherit (matematLogin) user password; }; - scrape-node1139 = makeService { - script = "freifunk_node"; - host = "10.200.4.120"; + } // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes)); + + systemd.timers = + let + makeTimer = service: interval: { + partOf = [ "${service}.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = interval; }; - scrape-node1487 = makeService { - script = "freifunk_node"; - host = "10.200.5.213"; - }; - scrape-node1884 = makeService { - script = "freifunk_node"; - host = "10.200.7.100"; - }; - scrape-node1891 = makeService { - script = "freifunk_node"; - host = "10.200.7.107"; - }; - scrape-node1768 = makeService { - script = "freifunk_node"; - host = "10.200.6.239"; - }; - scrape-node1176 = makeService { - script = "freifunk_node"; - host = "10.200.7.80"; - }; - scrape-node1099 = makeService { - script = "freifunk_node"; - host = "10.200.4.80"; - }; - }; - systemd.timers.scrape-xeri = { - partOf = [ "scrape-xeri.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-roxi = { - partOf = [ "scrape-roxi.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-fhem = { - partOf = [ "scrape-fhem.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-matemat = { - partOf = [ "scrape-matemat.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1139 = { - partOf = [ "scrape-node1139.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1487 = { - partOf = [ "scrape-node1487.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1884 = { - partOf = [ "scrape-node1884.service" ]; - wantedBy = 
[ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1891 = { - partOf = [ "scrape-node1894.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1768 = { - partOf = [ "scrape-node1768.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1176 = { - partOf = [ "scrape-node1176.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1099 = { - partOf = [ "scrape-node1099.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; + makeNodeScraperTimer = nodeId: + let + name = "scrape-node${nodeId}"; + in { + inherit name; + value = makeTimer name "minutely"; + }; + in { + scrape-xeri = makeTimer "scrape-xeri.service" "minutely"; + scrape-roxi = makeTimer "scrape-roxi.service" "minutely"; + scrape-fhem = makeTimer "scrape-fhem.service" "minutely"; + scrape-matemat = makeTimer "scrape-matemat.service" "minutely"; + } // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes)); # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database From 6ac2a2c6d4376265e7adf46a6dba20bb71491c6e Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 5 Jun 2020 19:42:07 +0200 Subject: [PATCH 28/50] Add static IPv4 to storage.hq --- hosts/server7/containers/storage/default.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix index 93319fe5..fbdb2a90 100644 --- a/hosts/server7/containers/storage/default.nix +++ b/hosts/server7/containers/storage/default.nix 
@@ -55,6 +55,20 @@ name: }; }; + networking.interfaces.eth0 = { + ipv4 = { + addresses = [{ + address = "172.22.99.20"; + prefixLength = 24; + }]; + routes = [{ + address = "0.0.0.0"; + prefixLength = 0; + via = "172.22.99.1"; + }]; + }; + }; + networking.firewall.enable = false; }; From 0a196b0d80fb40905fed3cd120bf0847095c5e4a Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 5 Jun 2020 19:53:54 +0200 Subject: [PATCH 29/50] server7: serve nix-serve on yggdrasil --- hosts/server7/default.nix | 20 ++++++++++++++------ hosts/server7/nix-serve.nix | 14 ++++++++------ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 11fc3461..c04ad2de 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -53,12 +53,20 @@ in { services.yggdrasil = { enable = true; configFile = "/var/lib/yggdrasil/keys"; - config.Peers = [ - "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha - "tcp://ygg.thingylabs.io:443" # Nürnberg - "tcp://176.223.130.120:22632" # Wrocław - "tcp://[2a05:9403::8b]:7743" # Praha - ]; + config = { + Peers = [ + "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha + "tcp://ygg.thingylabs.io:443" # Nürnberg + "tcp://176.223.130.120:22632" # Wrocław + "tcp://[2a05:9403::8b]:7743" # Praha + ]; + NodeInfo = { + location = "Dresden"; + name = "server7.y.c3d2.de"; + admin = + "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4"; + }; + }; }; security.sudo.wheelNeedsPassword = false; diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix index 58c6d80a..13a3739a 100644 --- a/hosts/server7/nix-serve.nix +++ b/hosts/server7/nix-serve.nix 
@@ -10,15 +10,17 @@ services.nginx = { enable = true; - virtualHosts = { - "cache.server7.hq.c3d2.de" = { + virtualHosts = let + vhost.locations."/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${ + toString config.services.nix-serve.port + }"; + in { + "cache.server7.hq.c3d2.de" = vhost // { addSSL = true; enableACME = true; - locations."/".proxyPass = - "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; }; + "nix-serve.y.c3d2.de" = vhost; }; }; From 03a7ab421e5b725217d0a307a1cf59a81791d03f Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 19 Jun 2020 18:12:42 +0200 Subject: [PATCH 30/50] rename pulsebert to glotzbert --- hosts/glotzbert/configuration.nix | 29 ++- hosts/glotzbert/hardware-configuration.nix | 22 +- hosts/pulsebert/configuration.nix | 272 --------------------- hosts/pulsebert/hardware-configuration.nix | 29 --- hosts/pulsebert/home.nix | 17 -- hosts/pulsebert/mpdConsole.nix | 23 -- 6 files changed, 33 insertions(+), 359 deletions(-) delete mode 100644 hosts/pulsebert/configuration.nix delete mode 100644 hosts/pulsebert/hardware-configuration.nix delete mode 100644 hosts/pulsebert/home.nix delete mode 100644 hosts/pulsebert/mpdConsole.nix diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index b9fe982d..030e53d7 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -1,13 +1,13 @@ { config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../lib ]; + imports = [ ]; c3d2 = { users.k-ot = true; isInHq = true; - hq.interface = "enp0s10"; - enableHail = true; + hq.interface = "eno1"; + enableHail = false; }; nixpkgs.config.allowUnfree = true; @@ -30,8 +30,8 @@ # Select internationalisation properties. i18n = { - consoleFont = "Lat2-Terminus16"; - consoleKeyMap = "de"; + consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; + consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; }; 
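Review bot: The new `"nix-serve.y.c3d2.de" = vhost;` entry serves the binary cache over plain HTTP, while the existing `cache.server7.hq.c3d2.de` host keeps `addSSL`/`enableACME`. For a Nix cache that is acceptable only if clients verify store-path signatures, i.e. nix-serve is configured with a signing key and the consumers list the corresponding key in `trusted-public-keys`; the hunk does not show whether `services.nix-serve.secretKeyFile` is set, so that should be confirmed. A comment on the new line stating the assumption, `# plain HTTP on yggdrasil: integrity relies on narinfo signatures, not transport`, would make the trust model explicit for the next reader.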
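Review bot: `imports = [ ];` drops `./hardware-configuration.nix` and `../../lib`, yet the `c3d2 = { ... }` block on the following lines still sets options that the lib module defines, and `fileSystems."/"` lives only in the hardware config; unless those modules are now injected from outside (the krops deploy added later in this series, perhaps), evaluation would fail with an undefined option. The same emptying of `imports` is done for pulsebert in PATCH 38/50 further down the page. If the imports are intentionally provided by the deployment wrapper, a one-line comment saying so, `# hardware-configuration.nix and ../../lib are imported by the deploy wrapper`, would save the next reader the search. The enclosing module continues outside the hunk.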
@@ -133,6 +133,25 @@ ]; }; + fileSystems."/mnt/storage" = { + #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool"; + #device = "storage-ng.hq.c3d2.de:/c3d2/rpool"; + device = + "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool"; + fsType = "ceph"; + options = [ + "rw" + "relatime" + "name=public" + "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ==" + "acl" + "wsize=16777216" + "_netdev" + ]; + }; + + users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 35dd37d0..162a8fe6 100644 --- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix 
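Review bot: The `secret=` entry in the new `fileSystems."/mnt/storage"` options embeds the Ceph client key for `name=public` in the repository and, after evaluation, in the world-readable Nix store and the generated fstab. mount.ceph accepts `secretfile=` instead, so the key can be deployed out of band as a root-only file (this repository already carries a `secrets` submodule) and the option becomes `"secretfile=<path to root-only keyfile>"`. Because the same key string also appears in the pulsebert configuration deleted later on this page, it is already in git history, so it should be treated as exposed and rotated on the cluster side rather than merely removed from the file.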
@@ -8,26 +8,22 @@ [ ]; - boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ]; - boot.kernelParams = [ "irqpoll" "hpet=off" ]; # noapic seems to improve things + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f"; - fsType = "btrfs"; + { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; + fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/67E3-17ED"; + { device = "/dev/disk/by-uuid/6490-45A0"; fsType = "vfat"; }; - zramSwap = { enable = true; priority = 1000; }; - swapDevices = [ - { device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934"; - } ]; + swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 2; - - services.xserver.videoDriver = "nouveau"; + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix deleted file mode 100644 index ff33c871..00000000 --- a/hosts/pulsebert/configuration.nix +++ /dev/null 
@@ -1,272 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -let - ympdPort = 8080; - mpdVhost = "mpd.hq.c3d2.de"; -in { - imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../../lib - ../../lib/admins.nix - ../../lib/hq.nix - ./mpdConsole.nix - ]; - - c3d2 = { - users = { - emery = true; - k-ot = true; - }; - isInHq = true; - mapHqHosts = true; - hq = { - interface = "eno1"; - enableMpdProxy = true; - yggdrasi.enableGateway = true; - }; - enableHail = true; - }; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_4_19; - - networking.hostName = "pulsebert"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n = { - consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; - consoleKeyMap = "us"; - defaultLocale = "en_US.UTF-8"; - }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - # specific printer drivers for our printers - epson-escpr - splix - # utilities - nix-index - usbutils - tmux - vim - git - openssl - # NCurses Music Player Client (Plus Plus) - # a commandline front-end client for mpd - # 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben. 
-# ncmpcpp - home-manager - mumble - ncpamixer - ffmpeg - ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # X11 Forwarding for mumble... - programs.ssh.forwardX11 = true; - services.openssh.forwardX11 = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 4713 # PulseAudio - 631 # cups - 80 - 443 # Web/ympd - 5000 # shairport - config.services.mpd.network.port - ]; - networking.firewall.allowedUDPPorts = [ 631 ]; - networking.firewall.extraCommands = '' - iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf - iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf - ''; # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Enable CUPS to print documents. - services.printing = { - enable = true; - browsing = true; - listenAddresses = [ "*:631" ]; - defaultShared = true; - # logLevel = "debug"; - drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ]; - extraConf = - '' - DefaultAuthType Basic - - Order allow,deny - Allow ALL - - - Order allow,deny - Allow ALL - - - AuthType Basic - Require user @SYSTEM - Order allow,deny - Allow ALL - - - - Require user @OWNER @SYSTEM - Order deny,allow - - - AuthType Basic - Require user @SYSTEM - Order deny,allow - - - Require user @OWNER @SYSTEM - Order deny,allow - - - Order deny,allow - - - ''; - - }; - - # Enable sound. 
- sound.enable = true; - hardware.pulseaudio.enable = true; - # PulseAudio as-a-Service - hardware.pulseaudio.systemWide = true; - hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [ - "127.0.0.0/8" "::1/128" - "172.22.99.0/24" "2a02:8106:208:5201:58::/64" - ]; - hardware.pulseaudio.tcp.enable = true; - hardware.pulseaudio.zeroconf.publish.enable = true; - - # tell Avahi to publish CUPS and PulseAudio - services.avahi = { - enable = true; - publish.enable = true; - publish.userServices = true; - }; - - # Enable Audio streaming for Mac clients - services.shairport-sync.enable = true; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable touchpad support. - # services.xserver.libinput.enable = true; - - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.sddm.enable = true; - # services.xserver.desktopManager.plasma5.enable = true; - - security.pam.enableSSHAgentAuth = true; - security.sudo = { - enable = true; - wheelNeedsPassword = false; - }; - - users.users.k-ot.extraGroups = [ "wheel" ]; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? - - # vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden - #### https://nixos.org/nixos/options.html#services.mpd.enable - # See ../../mpd.nix - services.mpd = { - enable = true; - dbFile = null; - musicDirectory = "/mnt/storage/Music"; - playlistDirectory = "/home/k-ot/Playlists"; - network.listenAddress = "any"; - - extraConfig = '' - audio_output { - type "pulse" - name "/proc" - } - ''; - }; - - services.caddy = { - enable = true; - agree = true; - # TODO: add auth? 
- config = '' - ${mpdVhost} { - proxy / localhost:${toString ympdPort} - } - - :80 { - redir https://${mpdVhost}{uri} - } - ''; - }; - - fileSystems."/mnt/storage" = { - #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool"; - #device = "storage-ng.hq.c3d2.de:/c3d2/rpool"; - device = - "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool"; - fsType = "ceph"; - options = [ - "rw" - "relatime" - "name=public" - "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ==" - "acl" - "wsize=16777216" - "_netdev" - ]; - }; - - # MPD music playing daemon with webinterface - services.ympd = { - enable = true; - webPort = toString ympdPort; - }; - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - ympd = ympd.overrideAttrs (oldAttrs: { - src = fetchFromGitHub { - owner = "c3d2"; - repo = "ympd"; - rev = "feature/somafm_browser"; - sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1"; - }; - }); - }; - programs.bash.shellAliases = { - mpv = "mpv --no-vid"; - }; - - users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; -} diff --git a/hosts/pulsebert/hardware-configuration.nix b/hosts/pulsebert/hardware-configuration.nix deleted file mode 100644 index 162a8fe6..00000000 --- a/hosts/pulsebert/hardware-configuration.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: - -{ - imports = - [ - ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6490-45A0"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; -} diff --git a/hosts/pulsebert/home.nix b/hosts/pulsebert/home.nix deleted file mode 100644 index 5821e300..00000000 --- a/hosts/pulsebert/home.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, ... }: - -{ - home.packages = with pkgs; [ - htop - fortune - ddate - mpv - ncmpcpp - schedtool - screen - tmux - pulsemixer - ncpamixer - python35.withPackages(ps: with ps; [ youtube-dl ]) - ]; -} diff --git a/hosts/pulsebert/mpdConsole.nix b/hosts/pulsebert/mpdConsole.nix deleted file mode 100644 index f584cd24..00000000 --- a/hosts/pulsebert/mpdConsole.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, ... }: - -let tty = "tty1"; -in { - boot.extraTTYs = [ tty ]; - - systemd.services.ncmpcpp = { - description = "Mpd console"; - wantedBy = [ "multi-user.target" ]; - conflicts = [ "getty@${tty}.service" ]; - serviceConfig = { - User = "k-ot"; - ExecStart = "${pkgs.ncmpcpp}/bin/ncmpcpp"; - StandardInput = "tty"; - StandardOutput = "tty"; - TTYPath = "/dev/${tty}"; - TTYReset = true; - TTYVTDisallocate = true; - Restart = "always"; - }; - }; - -} From 611dabf6530fb0231bfb48dc1866309836aa05c1 Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 19 Jun 2020 18:20:10 +0200 Subject: [PATCH 31/50] server7: move yggaddr.nix out to shared lib/ directory --- hosts/server7/containers/outer-defaults.nix | 2 +- hosts/server7/default.nix | 2 +- hosts/server7/yggdrasil-prefix.nix | 2 +- lib/default.nix | 2 +- hosts/server7/yggaddr.nix => lib/server7-yggaddr.nix | 0 5 files changed, 4 insertions(+), 4 deletions(-) rename hosts/server7/yggaddr.nix => lib/server7-yggaddr.nix (100%) diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix index 680bec38..f168c4f4 100644 --- a/hosts/server7/containers/outer-defaults.nix +++ b/hosts/server7/containers/outer-defaults.nix @@ -1,6 +1,6 @@ name: -let yggaddr = import ../yggaddr.nix; +let yggaddr = import ../../../lib/server7-yggaddr.nix; in { # These the container defaults from the perspective of the host. diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index c04ad2de..267b409c 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -let yggaddr = import ./yggaddr.nix; +let yggaddr = import ../../lib/server7-yggaddr.nix; in { imports = [ # diff --git a/hosts/server7/yggdrasil-prefix.nix b/hosts/server7/yggdrasil-prefix.nix index 349b7811..9d1e0415 100644 --- a/hosts/server7/yggdrasil-prefix.nix +++ b/hosts/server7/yggdrasil-prefix.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -let yggaddr = import ./yggaddr.nix; +let yggaddr = import ../../lib/server7-yggaddr.nix; in { boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; diff --git a/lib/default.nix b/lib/default.nix index 0ee90201..9724d75a 100644 --- a/lib/default.nix +++ b/lib/default.nix 
@@ -8,7 +8,7 @@ let hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? - server7Ygg = import ../hosts/server7/yggaddr.nix; + server7Ygg = import ./server7-yggaddr.nix; # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. diff --git a/hosts/server7/yggaddr.nix b/lib/server7-yggaddr.nix similarity index 100% rename from hosts/server7/yggaddr.nix rename to lib/server7-yggaddr.nix From 7cd1def1d6c963773f8dd5bffaa059957f3f88c9 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 19 Jun 2020 18:29:58 +0200 Subject: [PATCH 32/50] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index e5260f30..3ae294f8 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit e5260f30341bdb390fc8d732120b86557afdd30c +Subproject commit 3ae294f84afa3a399a73fedf60418009cc330598 From f8e232b2e4b6e735ff0025669adb852d5cb2d671 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 19 Jun 2020 19:05:46 +0200 Subject: [PATCH 33/50] add new pulsebert --- hosts/pulsebert/configuration.nix | 154 +++++++++++++++++++++ hosts/pulsebert/hardware-configuration.nix | 39 ++++++ 2 files changed, 193 insertions(+) create mode 100644 hosts/pulsebert/configuration.nix create mode 100644 hosts/pulsebert/hardware-configuration.nix diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix new file mode 100644 index 00000000..9c8e2d04 --- /dev/null +++ b/hosts/pulsebert/configuration.nix 
@@ -0,0 +1,154 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; }; + #boot.kernelPackages = pkgs.linuxPackages_rpi4; + boot.kernelPackages = pkgs.linuxPackages_latest; + + boot.tmpOnTmpfs = true; + nix.buildCores = 4; + nix.maxJobs = 4; + + networking.hostName = "pulsebert"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # }; + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget vim + raspberrypi-tools + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # pinentryFlavor = "gnome3"; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.permitRootLogin = "yes"; + security.sudo = { + enable = true; + wheelNeedsPassword = false; + }; + + users.users.k-ot = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + }; + + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + networking.firewall.enable = false; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + sound.enable = true; + hardware.bluetooth = { + enable = true; + config = { + Policy.AutoEnable = true; + General = { + Enable = "Source,Sink,Media,Socket"; + #DiscoverableTimeout = 0; + #Discoverable = true; + }; + }; + }; + hardware.pulseaudio = { + enable = true; + systemWide = true; + tcp.enable = true; + tcp.anonymousClients.allowedIpRanges = [ + "127.0.0.0/8" "::1/128" + "172.22.99.0/24" "2a02:8106:208:5201:58::/64" + ]; + zeroconf.publish.enable = true; + package = pkgs.pulseaudioFull; + extraModules = [ pkgs.pulseaudio-modules-bt ]; + }; + + # tell Avahi to publish CUPS and PulseAudio + services.avahi = { + enable = true; + publish.enable = true; + publish.userServices = true; + }; + + # Enable Audio streaming for Mac clients + services.shairport-sync.enable = true; + + # DLNA + services.gnome3.rygel.enable = true; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + # Enable touchpad support. + # services.xserver.libinput.enable = true; + + # Enable the KDE Desktop Environment. 
+ # services.xserver.displayManager.sddm.enable = true; + # services.xserver.desktopManager.plasma5.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.jane = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? + +} + diff --git a/hosts/pulsebert/hardware-configuration.nix b/hosts/pulsebert/hardware-configuration.nix new file mode 100644 index 00000000..f6bbb311 --- /dev/null +++ b/hosts/pulsebert/hardware-configuration.nix 
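Review bot: `services.openssh.permitRootLogin = "yes";` allows password logins for root over SSH, on a host where the same file also sets `networking.firewall.enable = false;` (exposing PulseAudio TCP, Avahi and rygel to whatever network the box is on) and `wheelNeedsPassword = false` for the `k-ot` account. Deployment is key-based anyway (the krops target added later in this series logs in as `k-ot@pulsebert.hq.c3d2.de` with sudo), so `services.openssh.permitRootLogin = "prohibit-password";` keeps root reachable by key only, and if password logins are not needed for k-ot either, `services.openssh.passwordAuthentication = false;` closes that path too. The PulseAudio `tcp.anonymousClients.allowedIpRanges` list already scopes anonymous audio access to the HQ ranges, so that part is fine as written.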
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + #imports = + # [ (modulesPath + "/installer/scan/not-detected.nix") + # ]; + + boot.initrd.availableKernelModules = [ "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.kernelParams = [ + "snd_bcm2835.enable_headphones=1" + ]; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/FIRMWARE"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + hardware.enableRedistributableFirmware = true; + #networking.wireless.enable = true; + boot.loader.raspberryPi.firmwareConfig = '' + gpu_mem=192 + dtparam=audio=on + ''; + + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; +} From a376aaad012a56d1d7701a0e16d55f6732ac088d Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 19 Jun 2020 19:32:53 +0200 Subject: [PATCH 34/50] glotzbert: setup --- hosts/glotzbert/configuration.nix | 41 +++++++++++-------------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index 030e53d7..617c5ded 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix 
@@ -7,40 +7,47 @@ users.k-ot = true; isInHq = true; hq.interface = "eno1"; + hq.enableBinaryCache = false; enableHail = false; }; nixpkgs.config.allowUnfree = true; nix = { useSandbox = true; - buildCores = 2; + buildCores = 4; + maxJobs = 4; }; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_4_19; + boot.kernelPackages = pkgs.linuxPackages_latest; networking.hostName = "glotzbert"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.interfaces.eno1.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - i18n = { - consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; - consoleKeyMap = "us"; - defaultLocale = "en_US.UTF-8"; + console = { + font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; + keyMap = "de"; }; + i18n.defaultLocale = "en_US.UTF-8"; # Set your time zone. time.timeZone = "Europe/Berlin"; # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ wget vim x11vnc ]; + environment.systemPackages = with pkgs; [ + wget vim git tmux screen + chromium firefox + mpv kodi + ]; systemd.user.services.x11vnc = { description = "X11 VNC server"; @@ -108,11 +115,11 @@ user = "k-ot"; }; }; + defaultSession = "gnome-xorg"; }; services.xserver.desktopManager = { gnome3.enable = true; kodi.enable = true; - default = "kodi"; }; security.sudo = { @@ -123,7 +130,6 @@ # Define a user account. Don't forget to set a password with ‘passwd’. users.groups."k-ot" = { gid = 1000; }; users.users."k-ot" = { - password = "k-ot"; isNormalUser = true; uid = 1000; group = "k-ot"; 
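Review bot: Removing `password = "k-ot";` from `users.users."k-ot"` in the last hunk does not change the password already set on a deployed host: with `users.mutableUsers` at its default of true, NixOS leaves an existing account's password alone when the option disappears, so the well-known password presumably stays valid until it is changed with `passwd` or the user is redeclared with `hashedPassword`. A comment on the user block recording that the password was rotated out of band, `# password removed from config; rotate with passwd on the host`, would make that visible. The `users.users."k-ot"` attribute set continues outside the hunk.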
@@ -133,23 +139,6 @@ ]; }; - fileSystems."/mnt/storage" = { - #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool"; - #device = "storage-ng.hq.c3d2.de:/c3d2/rpool"; - device = - "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool"; - fsType = "ceph"; - options = [ - "rw" - "relatime" - "name=public" - "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ==" - "acl" - "wsize=16777216" - "_netdev" - ]; - }; - users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; # This value determines the NixOS release with which your system is to be From 48c592070860f5b3c97fe530433bbc96080ab3ae Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 19 Jun 2020 19:33:07 +0200 Subject: [PATCH 35/50] krops: add glotzbert --- krops.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/krops.nix b/krops.nix index daa1759c..42bbeef1 100644 --- a/krops.nix +++ b/krops.nix @@ -32,4 +32,11 @@ in { ledstripes = deployContainer "ledstripes" "172.22.99.168"; freifunk = deployContainer "freifunk" "172.20.72.40"; kibana = deployContainer "kibana" "172.20.73.44"; + + glotzbert = pkgs.krops.writeDeploy "glotzbert" { + source = hostSource "glotzbert"; + target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { + sudo = true; + }; + }; } From 73e129f72aff311f3b64857a565862de4c93aae6 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 21 Jun 2020 22:26:30 +0200 Subject: [PATCH 36/50] pulsebert: don't let journald write to fs --- hosts/pulsebert/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 9c8e2d04..ce438498 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -62,6 +62,11 @@ # List services that you want to enable: + # Do not log to flash: + services.journald.extraConfig = '' + Storage=volatile + ''; + # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.permitRootLogin = "yes"; 
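Review bot: `Storage=volatile` keeps the journal in memory only, so after a reboot there is no record of logins or service failures on a host that, per the pulsebert configuration earlier on this page, accepts root SSH logins and runs with the firewall disabled. The flash-wear motivation is sound, but forwarding the journal elsewhere (journald's `ForwardToSyslog=yes` with a syslog target, or `systemd-journal-upload` towards the logging host this repository already has) would preserve an audit trail, and `RuntimeMaxUse=` bounds the memory the volatile journal may take. The existing comment could state the trade-off, `# Do not log to flash: journal is in RAM only and lost on reboot`.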
From eafa584ee8858b46f2920901510897f46df04a78 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 21 Jun 2020 22:26:51 +0200 Subject: [PATCH 37/50] pulsebert: remove broken services --- hosts/pulsebert/configuration.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index ce438498..5d92baed 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -123,12 +123,6 @@ publish.userServices = true; }; - # Enable Audio streaming for Mac clients - services.shairport-sync.enable = true; - - # DLNA - services.gnome3.rygel.enable = true; - # Enable the X11 windowing system. # services.xserver.enable = true; # services.xserver.layout = "us"; From 1fe0da3080994362e84c5650c5491c57d8d3e67f Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 21 Jun 2020 22:27:17 +0200 Subject: [PATCH 38/50] pulsebert: deploy with krops --- hosts/pulsebert/configuration.nix | 4 ++-- krops.nix | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 5d92baed..9ac1b3c3 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -7,7 +7,7 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + ]; boot.loader.grub.enable = false; @@ -47,7 +47,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - wget vim + wget vim git raspberrypi-tools ]; diff --git a/krops.nix b/krops.nix index 42bbeef1..30399369 100644 --- a/krops.nix +++ b/krops.nix @@ -39,4 +39,10 @@ in { sudo = true; }; }; + pulsebert = pkgs.krops.writeDeploy "pulsebert" { + source = hostSource "pulsebert"; + target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { + sudo = true; + }; + }; } From cee19e7e3e2daeb871a972650749789bbd8bd0b8 Mon Sep 17 00:00:00 2001 
From: Astro Date: Wed, 24 Jun 2020 18:30:11 +0200 Subject: [PATCH 39/50] spaceapi: disable firewall --- hosts/containers/spaceapi/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/containers/spaceapi/configuration.nix b/hosts/containers/spaceapi/configuration.nix index 733b11eb..9aa7b5e1 100644 --- a/hosts/containers/spaceapi/configuration.nix +++ b/hosts/containers/spaceapi/configuration.nix @@ -14,6 +14,7 @@ in networking.hostName = "spaceapi"; networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ]; networking.defaultGateway = "172.20.73.1"; + networking.firewall.enable = false; services.spaceapi = { enable = true; From a3db001870d5bda24d3bba3a40f551a01b9609f3 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 7 Jul 2020 17:17:55 +0200 Subject: [PATCH 40/50] hosts/containers/dhcp: make dhcp server authoritative Make the dhcp server explicitly authoritative before importing the configuration from the secrets submodule. --- hosts/containers/dhcp/configuration.nix | 5 ++++- secrets | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dhcp/configuration.nix b/hosts/containers/dhcp/configuration.nix index c0dfdc06..1aaa5400 100644 --- a/hosts/containers/dhcp/configuration.nix +++ b/hosts/containers/dhcp/configuration.nix @@ -31,7 +31,10 @@ services.dhcpd4 = { enable = true; interfaces = [ "eth0" ]; - extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config; + extraConfig = '' + authoritative; + + '' + builtins.readFile ../../../secrets/hosts/dhcp/config; }; # This value determines the NixOS release with which your system is to be diff --git a/secrets b/secrets index 3ae294f8..bd190b8b 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 3ae294f84afa3a399a73fedf60418009cc330598 +Subproject commit bd190b8b1f925a7b781eea72e60c3a10fae83bcc From 7e01c98da21805c775f75ee715083e28f2b7ad06 Mon Sep 17 00:00:00 2001 
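Review bot: `networking.firewall.enable = false;` opens every listening port on a container that has a routable address in the serv subnet (`172.20.73.25/26`, per the context lines), when the change presumably only needs the spaceapi listener reachable. Allowing that one port, `networking.firewall.allowedTCPPorts = [ <spaceapi port> ];`, keeps the default-deny posture; if the firewall really has to be off, a comment giving the reason, `# firewall disabled: <reason>`, would tell the next reader it is deliberate.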
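Review bot: The concatenation `'' authoritative; '' + builtins.readFile ../../../secrets/hosts/dhcp/config` keeps reading the submodule file at evaluation time, which copies its contents into the world-readable Nix store as part of the dhcpd config; that is pre-existing, but since this line is being rewritten it is worth confirming the file holds nothing more sensitive than host reservations. If the secrets file itself contains an `authoritative;`/`not authoritative;` statement the two will now coexist, so a short comment, `# explicitly authoritative so unknown leases get DHCPNAK; secrets config must not override this`, documents the intent the commit message describes.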
From: Emery Hemingway Date: Thu, 11 Jun 2020 07:47:30 +0200 Subject: [PATCH 41/50] server7: docker-containers.ceph-osd-7? --- hosts/server7/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 267b409c..250d75a3 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -100,6 +100,22 @@ in { virtualisation.docker.enable = true; + docker-containers.ceph-osd-7 = { + cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ]; + environment = { OSD_DEVICE = "/dev/sdb"; }; + image = "ceph/ceph:v14.2.9"; + log-driver = "journald"; + extraDockerOptions = + [ "--rm" "--net=host" "--ipc=host" "--privileged=true" ]; + volumes = + [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ]; + }; + # systemd.services.docker-ceph-osd-7.serviceConfig = { + # ExecStartPre = ["mount | grep ^/var/lib/ceph/osd/ceph-7 || mount -t tmpfs tmpfs /var/lib/ceph/osd/ceph-7" + # ''docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all'' + # ]; + # }; + networking = { firewall.enable = false; firewall.trustedInterfaces = [ "br0" ]; From f55081d081998890d6562cfaeba09721093d3c41 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 7 Jul 2020 15:47:49 +0200 Subject: [PATCH 42/50] Update glotzbert ssh key --- host-registry.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host-registry.nix b/host-registry.nix index a12b7a23..f26044ba 100644 --- a/host-registry.nix +++ b/host-registry.nix 
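Review bot: The `ceph/ceph:v14.2.9` image is run with `--privileged=true`, `--net=host`, `--ipc=host` and `/dev:/dev`, which is effectively root on server7, so what the tag resolves to matters: a mutable tag can be re-pushed and the next pull runs different code with those privileges. Pinning by digest, `image = "ceph/ceph@sha256:<digest of v14.2.9>";`, removes that dependency on the registry. `--privileged` itself is hard to avoid for an OSD that needs raw block access, so a comment stating why, `# privileged + /dev: ceph-osd needs raw access to /dev/sdb`, records the trade-off; likewise `-d` (foreground, log to stderr) is what `docker-containers` expects but deserves a word.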
@@ -9,7 +9,7 @@ rec { ledstripes = {}; glotzbert.publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4"; + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG"; hydra.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig"; From 91078207fbfc61e4dc997b16594739addc223802 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 7 Jul 2020 15:59:02 +0200 Subject: [PATCH 43/50] server7: uncomment systemd.services.docker-ceph-osd-7.serviceConfig Wasn't me, I found it this way --- hosts/server7/default.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 250d75a3..1d2939aa 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -45,6 +45,11 @@ in { ]; }; + fileSystems."/var/lib/ceph/osd/ceph-7" = { + fsType = "tmpfs"; + }; + + # Route IPv6 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; # Obtain global IPv6 despite being a router myself @@ -110,11 +115,9 @@ in { volumes = [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ]; }; - # systemd.services.docker-ceph-osd-7.serviceConfig = { - # ExecStartPre = ["mount | grep ^/var/lib/ceph/osd/ceph-7 || mount -t tmpfs tmpfs /var/lib/ceph/osd/ceph-7" - # ''docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all'' - # ]; - # }; + systemd.services.docker-ceph-osd-7.serviceConfig = { + ExecStartPre = [''-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all'']; + }; networking = { firewall.enable = false; From 59a85a3f3dc2a629b24e7fcaaac48a066193020b Mon Sep 17 00:00:00 2001 
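Review bot: The new `ExecStartPre` runs `docker run` with `-it`, but a systemd unit has no terminal on stdin, so as far as I can tell docker will refuse with "the input device is not a TTY"; because the command is prefixed with `-`, systemd ignores that failure and starts the OSD without `ceph-volume lvm activate --all` ever having run. Drop the `-it` (replace `-e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9` with `-e OSD_DEVICE=/dev/sdb ceph/ceph:v14.2.9`) and consider dropping the leading `-` as well, so a failed activation stops the unit loudly instead of yielding a half-started OSD on an empty tmpfs. PATCH 45's hunk at `@@ -116,7 +114,9 @@` rewrites the same line as a double-quoted string and keeps both `-it` and the `-`, so the same applies there.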
From: Emery Hemingway Date: Thu, 11 Jun 2020 07:50:42 +0200 Subject: [PATCH 44/50] Update flake inputs --- flake.lock | 65 +++++++++++++++++------------------------------------- flake.nix | 24 ++++++++------------ 2 files changed, 29 insertions(+), 60 deletions(-) diff --git a/flake.lock b/flake.lock index 64a1044d..67359eb1 100644 --- a/flake.lock +++ b/flake.lock @@ -1,39 +1,33 @@ { "nodes": { "hydra": { - "info": { - "lastModified": 1587883324, - "narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus=" - }, "inputs": { "nix": "nix", "nixpkgs": "nixpkgs_2" }, "locked": { - "owner": "ehmry", + "lastModified": 1593509723, + "narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=", + "owner": "NixOS", "repo": "hydra", - "rev": "e93c36aab1bf96cf392ab0e40157b0620638b599", + "rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed", "type": "github" }, "original": { - "owner": "ehmry", - "ref": "sotest", - "repo": "hydra", - "type": "github" + "id": "hydra", + "type": "indirect" } }, "nix": { - "info": { - "lastModified": 1586440843, - "narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo=" - }, "inputs": { "nixpkgs": "nixpkgs" }, "locked": { + "lastModified": 1592818267, + "narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=", "owner": "NixOS", "repo": "nix", - "rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef", + "rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221", "type": "github" }, "original": { @@ -42,14 +36,12 @@ } }, "nixpkgs": { - "info": { - "lastModified": 1585405475, - "narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE=" - }, "locked": { + "lastModified": 1591633336, + "narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be", + "rev": "70717a337f7ae4e486ba71a500367cad697e5f09", "type": "github" }, "original": { 
@@ -59,14 +51,12 @@ } }, "nixpkgs_2": { - "info": { - "lastModified": 1586219474, - "narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78=" - }, "locked": { + "lastModified": 1592263354, + "narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29eddfc36d720dcc4822581175217543b387b1e8", + "rev": "a84b797b28eb104db758b5cb2b61ba8face6744b", "type": "github" }, "original": { @@ -75,31 +65,16 @@ "type": "indirect" } }, - "nixpkgs_3": { - "info": { - "lastModified": 1586724123, - "narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo=" - }, - "locked": { - "owner": "nixos", - "repo": "nixpkgs-channels", - "rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-20.03", - "repo": "nixpkgs-channels", - "type": "github" - } - }, "root": { "inputs": { "hydra": "hydra", - "nixpkgs": "nixpkgs_3" + "nixpkgs": [ + "hydra", + "nixpkgs" + ] } } }, "root": "root", - "version": 5 + "version": 7 } diff --git a/flake.nix b/flake.nix index d0c283f0..d825442f 100644 --- a/flake.nix +++ b/flake.nix @@ -1,27 +1,21 @@ { description = "C3D2 NixOS configurations"; - edition = 201909; - - inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03"; - inputs.hydra.url = "github:ehmry/hydra/sotest"; + inputs = { + nixpkgs.follows = "hydra/nixpkgs"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + # secrets.url = "git+file:///etc/nixos/secrets"; + }; outputs = { self, nixpkgs, hydra }: { nixosConfigurations = { server7 = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; - system = "x86_64-linux"; - }; - - hydra = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/hydra/configuration.nix ]; - system = "x86_64-linux"; - }; - - pulsebert = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/pulsebert/configuration.nix ]; + modules = [ + ./hosts/server7 + hydra.nixosModules.hydra + ]; system = "x86_64-linux"; }; 
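Review bot: `nixpkgs.follows = "hydra/nixpkgs"` ties the nixpkgs revision of every nixosConfiguration here to whatever the hydra flake's own lock pins, and with `hydra` now resolved as an indirect registry id instead of the previous explicit `github:` URL, both the hydra source and the nixpkgs used for server7 come through the registry entry and hydra's lock (pinned by flake.lock, so reproducible, but refreshed only when the hydra input is bumped). That is a supply-chain decision worth a comment next to the `follows` line, e.g. `# nixpkgs tracks hydra's lock: bump the hydra input to pick up nixpkgs security fixes`. The hunk also drops the `hydra` and `pulsebert` nixosConfigurations without the commit message mentioning it; they reappear in PATCH 49.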
From 5238abc7a72b7e6500cfda99910cf88a3201eeae Mon Sep 17 00:00:00 2001
From: Emery Hemingway
Date: Tue, 7 Jul 2020 20:49:20 +0200
Subject: [PATCH 45/50] server7: disable ceph mount
---
 hosts/server7/default.nix | 44 ++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix
index 1d2939aa..be38781e 100644
--- a/hosts/server7/default.nix
+++ b/hosts/server7/default.nix
@@ -14,7 +14,7 @@ in {
 ];
 security.acme = {
- email = " mail@c3d2.de";
+ email = "mail@c3d2.de";
 acceptTerms = true;
 };
@@ -31,24 +31,22 @@ in {
 };
 };
- fileSystems."/srv/ceph" = {
- device = "172.22.99.13:6789:/";
- fsType = "ceph";
- options = [
- "name=storage2"
- "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
- "noatime,_netdev"
- "noauto"
- "x-systemd.automount"
- "x-systemd.device-timeout=175"
- "users"
- ];
- };
-
- fileSystems."/var/lib/ceph/osd/ceph-7" = {
- fsType = "tmpfs";
- };
+ /* fileSystems."/srv/ceph" = {
+ device = "172.22.99.13:6789:/";
+ fsType = "ceph";
+ options = [
+ "name=storage2"
+ "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
+ "noatime,_netdev"
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=175"
+ "users"
+ ];
+ };
+ */
+ fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };
 # Route IPv6
 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
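Review bot: The `"secret=…"` mount option in the now commented-out `fileSystems."/srv/ceph"` block is a cephx key in clear text; it sits in this repository's history on both the removed and the added lines, and in any generation where the block was active it also landed in the Nix store and `/etc/fstab` (as far as I can tell world-readable), so commenting it out does not reduce the exposure. Treat the key of the `storage2` client as disclosed and rotate it on the cluster, and when the mount returns use `"secretfile=<path outside the repo and the store>"` (placeholder) instead of `"secret=…"` so the key never enters the store. PATCH 48's hunk at `@@ -33,37 +33,54 @@` re-enables this block verbatim with the key live, so the same applies there.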
@@ -116,7 +114,9 @@ in {
 [ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ];
 };
 systemd.services.docker-ceph-osd-7.serviceConfig = {
- ExecStartPre = [''-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all''];
+ ExecStartPre = [
+ "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb -it ceph/ceph:v14.2.9 ceph-volume lvm activate --all"
+ ];
 };
 networking = {
@@ -186,4 +186,10 @@ in {
 # allow the old hydra to build here
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra" ];
+
+ services.dhcpd4 = {
+ enable = false;
+ interfaces = [ "br0" ];
+ extraConfig = "not authoritative;";
+ };
 }
From 449a8175f3de6d2237043790672dc7fe10211e8b Mon Sep 17 00:00:00 2001
From: Emery Hemingway
Date: Wed, 29 Jul 2020 13:27:50 +0200
Subject: [PATCH 46/50] server7: aarch64 emulation
---
 hosts/server7/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix
index be38781e..d4223387 100644
--- a/hosts/server7/default.nix
+++ b/hosts/server7/default.nix
@@ -13,6 +13,8 @@ in {
 ./nix-serve.nix
 ];
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
 security.acme = {
 email = "mail@c3d2.de";
 acceptTerms = true;
From c66946030e8fc5e431297ab5a523c758a82d3ed1 Mon Sep 17 00:00:00 2001
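Review bot: The added `services.dhcpd4` block on server7 is `enable = false`, so it is configuration for a second DHCP server that is one flag away from answering on `br0`, and its `extraConfig = "not authoritative;"` reads as the mirror image of the `authoritative;` PATCH 40 gave the dhcp container; nothing in the hunk or in the commit message (`disable ceph mount`) says why it is here. If it is a deliberate standby, a comment such as `# standby dhcpd for br0, kept disabled while the dhcp container is authoritative` would record that; otherwise drop the block rather than carry dead configuration bundled into an unrelated commit.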
From: Emery Hemingway Date: Wed, 29 Jul 2020 13:30:08 +0200 Subject: [PATCH 47/50] server7: generate new hardware-configuration.nix --- hosts/server7/hardware-configuration.nix | 153 ++++++++++++----------- 1 file changed, 78 insertions(+), 75 deletions(-) diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index e198467f..0f87d7fa 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix 
@@ -1,70 +1,59 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - # imports = [ ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - boot.supportedFilesystems = [ "zfs" ]; fileSystems."/" = { device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; fsType = "ext4"; }; + fileSystems."/var/lib/ceph/osd/ceph-7" = { + device = "tmpfs"; + fsType = "tmpfs"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/9812-00B2"; fsType = "vfat"; }; - fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { - device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1" = { device = "nvme0n1"; fsType = "zfs"; }; - fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { - device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; - fsType = "zfs"; - }; - - fileSystems."/zones/archive" = { - device = "nvme0n1/archive"; - fsType = "zfs"; - }; - - fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { - device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { - device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; - fsType = "zfs"; - }; - - fileSystems."/zones/global/cores" = { - device = "nvme0n1/cores/global"; - fsType = "zfs"; - }; - fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; fsType = "zfs"; }; - 
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { - device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { + device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/zones/archive" = { + device = "nvme0n1/archive"; + fsType = "zfs"; + }; + + fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { + device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { + device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; fsType = "zfs"; }; @@ -73,11 +62,36 @@ fsType = "zfs"; }; + fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { + device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { + device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fsType = "zfs"; + }; + + fileSystems."/zones/global/cores" = { + device = "nvme0n1/cores/global"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/c3d2.de" = { device = "nvme0n1/c3d2.de"; fsType = "zfs"; }; + fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { + device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { + device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; fsType = "zfs"; 
@@ -88,43 +102,13 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { - device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { - device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/admin" = { - device = "nvme0n1/c3d2.de/admin"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/templates" = { - device = "nvme0n1/c3d2.de/templates"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { - device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; fsType = "zfs"; }; - fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { - device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { - device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { + device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; fsType = "zfs"; }; @@ -133,8 +117,8 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { - device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { + device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; fsType = "zfs"; }; @@ -143,8 +127,8 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { - device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { + device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; fsType = "zfs"; }; 
@@ -153,11 +137,31 @@ fsType = "zfs"; }; + fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { + device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; fsType = "zfs"; }; + fileSystems."/nvme0n1/c3d2.de/admin" = { + device = "nvme0n1/c3d2.de/admin"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { + device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/templates" = { + device = "nvme0n1/c3d2.de/templates"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; fsType = "zfs"; @@ -170,7 +174,6 @@ swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 10; - nix.buildCores = lib.mkDefault 40; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; + nix.maxJobs = lib.mkDefault 40; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } From 9b04ebedde7aa2bccd1536fe11eab55aea5a5c3b Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 4 Aug 2020 08:52:41 +0200 Subject: [PATCH 48/50] server7: update yggdrasil peers --- hosts/server7/default.nix | 55 +++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 19 deletions(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index d4223387..a0490694 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix 
@@ -33,37 +33,54 @@ in {
 };
 };
- /* fileSystems."/srv/ceph" = {
- device = "172.22.99.13:6789:/";
- fsType = "ceph";
- options = [
- "name=storage2"
- "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
- "noatime,_netdev"
- "noauto"
- "x-systemd.automount"
- "x-systemd.device-timeout=175"
- "users"
- ];
- };
- */
+ fileSystems."/srv/ceph" = {
+ #device = "172.22.99.13:6789:/";
+ device = "172.20.72.53:6789:/";
+ fsType = "ceph";
+ options = [
+ "name=storage2"
+ "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
+ "noatime,_netdev"
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=175"
+ "users"
+ ];
+ };
 fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };
 # Route IPv6
 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
 # Obtain global IPv6 despite being a router myself
- boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
+ boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;
 services.yggdrasil = {
 enable = true;
 configFile = "/var/lib/yggdrasil/keys";
 config = {
 Peers = [
- "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
- "tcp://ygg.thingylabs.io:443" # Nürnberg
- "tcp://176.223.130.120:22632" # Wrocław
- "tcp://[2a05:9403::8b]:7743" # Praha
+
+ # Deutschland
+ "tcp://45.11.19.26:5001"
+ "tcp://82.165.69.111:61216"
+ "tcp://[2001:8d8:1800:8224::1]:61216"
+
+ # Czechia
+ "tcp://195.123.245.146:7743"
+ "tcp://37.205.14.171:46370"
+ "tcp://[2a03:3b40:fe:ab::1]:46370"
+ "tcp://[2a05:9403::8b]:7743"
+
+ # Poland
+ "tcp://176.223.130.120:22632"
+ "tcp://51.75.44.73:50001"
+ "tcp://54.37.137.221:37145"
+ "tcp://[2001:41d0:601:1100::cf2]:37145"
+ "tcp://n2o.ddns.net:22632"
+ "tls://54.37.137.221:14987"
+ "tls://[2001:41d0:601:1100::cf2]:14987"
+
 ];
 NodeInfo = {
 location = "Dresden";
From 7ce33808f274469ea69a41b85c29f8ee396e2b03 Mon Sep 17 00:00:00 2001
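Review bot: Besides the yggdrasil peers named in the commit title, this hunk re-enables the `/srv/ceph` mount against a new monitor (`172.20.72.53` replacing the commented-out `172.22.99.13`) and moves `accept_ra` from `eth0` to `br0`; neither is mentioned in the message, and the first one puts the clear-text `secret=` cephx key back into live configuration where it reaches the store and fstab. Splitting these into their own commits, or at least naming them in the message, keeps the history of the ceph mount and of the router sysctls findable. The `#device = "172.22.99.13:6789:/";` line is commented-out code; if the old monitor is worth remembering, a comment like `# previously mounted from 172.22.99.13` is clearer than a dead assignment.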
From: Emery Hemingway Date: Tue, 4 Aug 2020 17:15:07 +0200 Subject: [PATCH 49/50] Use modulesPath where appropriate --- flake.nix | 25 ++++++++++++++++--- hosts/containers/freifunk/configuration.nix | 17 ++++++------- hosts/containers/grafana/configuration.nix | 4 +-- hosts/containers/kibana/configuration.nix | 10 ++++---- hosts/containers/ledstripes/configuration.nix | 13 +++++----- hosts/containers/lxc-template.nix | 14 +++++------ hosts/containers/scrape/configuration.nix | 10 ++++---- hosts/glotzbert/configuration.nix | 2 +- hosts/glotzbert/hardware-configuration.nix | 6 ++--- hosts/pulsebert/configuration.nix | 7 +++--- hosts/server7/default.nix | 1 - lib/lxc-container.nix | 10 ++++---- 12 files changed, 65 insertions(+), 54 deletions(-) diff --git a/flake.nix b/flake.nix index d825442f..0d7f5fd1 100644 --- a/flake.nix +++ b/flake.nix @@ -11,11 +11,28 @@ nixosConfigurations = { + glotzbert = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/glotzbert/configuration.nix ]; + system = "x86_64-linux"; + }; + + hydra = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/hydra/configuration.nix ]; + system = "x86_64-linux"; + }; + + kibana = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/containers/kibana/configuration.nix ]; + system = "x86_64-linux"; + }; + + pulsebert = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/pulsebert/configuration.nix ]; + system = "aarch64-linux"; + }; + server7 = nixpkgs.lib.nixosSystem { - modules = [ - ./hosts/server7 - hydra.nixosModules.hydra - ]; + modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; system = "x86_64-linux"; }; diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index d8dcdad6..f212667b 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: let coreAddress = "172.20.72.40"; 
@@ -11,16 +11,15 @@ let ddmeshNode = 51073; ddmeshAddrPart = "200.74"; rt_table = 7; - bmxd = import (toString ) { inherit pkgs; }; - sysinfo-json = import { - inherit pkgs bmxd ddmeshNode; - }; + bmxd = import ../../../lib/pkgs/bmxd.nix { inherit pkgs; }; + sysinfo-json = + import ./sysinfo-json.nix { inherit pkgs bmxd ddmeshNode; }; in { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; boot.tmpOnTmpfs = true; diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index cc2e77ec..ad061778 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix @@ -1,8 +1,8 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { imports = [ - + (modulesPath + "/profiles/minimal.nix") ../../../lib ../../../lib/lxc-container.nix ../../../lib/shared.nix diff --git a/hosts/containers/kibana/configuration.nix b/hosts/containers/kibana/configuration.nix index 9a30e5da..ce543d4c 100644 --- a/hosts/containers/kibana/configuration.nix +++ b/hosts/containers/kibana/configuration.nix @@ -1,11 +1,11 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; networking.hostName = "kibana"; diff --git a/hosts/containers/ledstripes/configuration.nix b/hosts/containers/ledstripes/configuration.nix index 55d9a129..e549161e 100644 --- a/hosts/containers/ledstripes/configuration.nix +++ b/hosts/containers/ledstripes/configuration.nix @@ -1,11 +1,11 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; c3d2 = { 
@@ -22,8 +22,7 @@ environment.systemPackages = [ pkgs.git ]; systemd.services.ledball = - let - pile = import (toString ) { inherit pkgs; }; + let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; }; in { after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/hosts/containers/lxc-template.nix b/hosts/containers/lxc-template.nix index f33129df..dbb6ba58 100644 --- a/hosts/containers/lxc-template.nix +++ b/hosts/containers/lxc-template.nix @@ -2,15 +2,15 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { - imports = - [ ../../lib/lxc-container.nix - ../../lib/shared.nix - ../../lib/admins.nix - - ]; + imports = [ + ../../lib/lxc-container.nix + ../../lib/shared.nix + ../../lib/admins.nix + (modulesPath + "/profiles/minimal.nix") + ]; networking.hostName = "nixbert"; # Define your hostname. networking.useNetworkd = false; diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index 92335529..e1aa115e 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: let freifunkNodes = { @@ -12,10 +12,10 @@ let }; in { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; c3d2 = { diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index 617c5ded..3d2e0b35 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - imports = [ ]; + imports = [ ./hardware-configuration.nix ../../lib ]; c3d2 = { users.k-ot = true; 
diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 162a8fe6..c61b5897 100644 --- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix @@ -1,12 +1,10 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - imports = - [ - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 9ac1b3c3..8c747b7a 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -5,10 +5,9 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - - ]; + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = false; diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index a0490694..8f8ae856 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -3,7 +3,6 @@ let yggaddr = import ../../lib/server7-yggaddr.nix; in { imports = [ - # ../../lib ../../lib/default-gateway.nix ./borgbackup.nix diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index e06881ce..a70daeda 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix @@ -1,10 +1,10 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, modulesPath, ... }: { - imports = - [ - - ]; + imports = [ + (modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/docker-container.nix") + ]; networking.networkmanager.dns = "unbound"; networking.useHostResolvConf = false; 
From f121b5d4b2edd1beb6d00099daabcbdd59275771 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 15 Aug 2020 19:45:55 +0200 Subject: [PATCH 50/50] pulsebert: add k-ot to audio group this is needed for pulseaudio --- hosts/pulsebert/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 8c747b7a..78b6b6d0 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -76,7 +76,7 @@ users.users.k-ot = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = [ "wheel" "audio" ]; };