Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config

Daniel Poelzleithner 2020-12-09 01:23:45 +01:00
commit 60f270224b
37 changed files with 525 additions and 560 deletions


@ -1,39 +1,33 @@
{ {
"nodes": { "nodes": {
"hydra": { "hydra": {
"info": {
"lastModified": 1587883324,
"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
},
"inputs": { "inputs": {
"nix": "nix", "nix": "nix",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"owner": "ehmry", "lastModified": 1593509723,
"narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=",
"owner": "NixOS",
"repo": "hydra", "repo": "hydra",
"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599", "rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "ehmry", "id": "hydra",
"ref": "sotest", "type": "indirect"
"repo": "hydra",
"type": "github"
} }
}, },
"nix": { "nix": {
"info": {
"lastModified": 1586440843,
"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
},
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1592818267,
"narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nix", "repo": "nix",
"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef", "rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -42,14 +36,12 @@
} }
}, },
"nixpkgs": { "nixpkgs": {
"info": {
"lastModified": 1585405475,
"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
},
"locked": { "locked": {
"lastModified": 1591633336,
"narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be", "rev": "70717a337f7ae4e486ba71a500367cad697e5f09",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -59,14 +51,12 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"info": {
"lastModified": 1586219474,
"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
},
"locked": { "locked": {
"lastModified": 1592263354,
"narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "29eddfc36d720dcc4822581175217543b387b1e8", "rev": "a84b797b28eb104db758b5cb2b61ba8face6744b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -75,31 +65,16 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_3": {
"info": {
"lastModified": 1586724123,
"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
},
"locked": {
"owner": "nixos",
"repo": "nixpkgs-channels",
"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.03",
"repo": "nixpkgs-channels",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"hydra": "hydra", "hydra": "hydra",
"nixpkgs": "nixpkgs_3" "nixpkgs": [
"hydra",
"nixpkgs"
]
} }
} }
}, },
"root": "root", "root": "root",
"version": 5 "version": 7
} }


@ -1,17 +1,18 @@
{ {
description = "C3D2 NixOS configurations"; description = "C3D2 NixOS configurations";
edition = 201909; inputs = {
nixpkgs.follows = "hydra/nixpkgs";
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03"; # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
inputs.hydra.url = "github:ehmry/hydra/sotest"; # secrets.url = "git+file:///etc/nixos/secrets";
};
outputs = { self, nixpkgs, hydra }: { outputs = { self, nixpkgs, hydra }: {
nixosConfigurations = { nixosConfigurations = {
server7 = nixpkgs.lib.nixosSystem { glotzbert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; modules = [ ./hosts/glotzbert/configuration.nix ];
system = "x86_64-linux"; system = "x86_64-linux";
}; };
@ -20,8 +21,18 @@
system = "x86_64-linux"; system = "x86_64-linux";
}; };
kibana = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/containers/kibana/configuration.nix ];
system = "x86_64-linux";
};
pulsebert = nixpkgs.lib.nixosSystem { pulsebert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/pulsebert/configuration.nix ]; modules = [ ./hosts/pulsebert/configuration.nix ];
system = "aarch64-linux";
};
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
system = "x86_64-linux"; system = "x86_64-linux";
}; };
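Review bot: `hydra` is used in `outputs` and by `nixpkgs.follows = "hydra/nixpkgs"` but is no longer declared under `inputs`, so Nix resolves it through the flake registry of the deploying machine (the lock now records it as `"type": "indirect"`), and every host's nixpkgs follows whatever hydra pins. Declare the source explicitly so it is visible in the repo, e.g. `hydra.url = "github:NixOS/hydra";` next to the `nixpkgs.follows` line; the lock still pins the exact revision either way. The commented-out `secrets.url` suggests the secrets input is still unresolved for flake evaluation, which the scrape configuration later in this commit depends on.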


@ -9,7 +9,7 @@ rec {
ledstripes = {}; ledstripes = {};
glotzbert.publicKey = glotzbert.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
hydra.publicKey = hydra.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";


@ -25,6 +25,9 @@
htop htop
]; ];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking = { networking = {
hostName = "deployer"; hostName = "deployer";
# usePredictableInterfacenames = false; # usePredictableInterfacenames = false;


@ -31,7 +31,10 @@
services.dhcpd4 = { services.dhcpd4 = {
enable = true; enable = true;
interfaces = [ "eth0" ]; interfaces = [ "eth0" ];
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config; extraConfig = ''
authoritative;
'' + builtins.readFile ../../../secrets/hosts/dhcp/config;
}; };
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be


@ -30,8 +30,6 @@ in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
# for `vtysh`
quagga
]; ];
# SSH for nixops # SSH for nixops
@ -41,6 +39,12 @@ in {
# No Firewalling! # No Firewalling!
networking.firewall.enable = false; networking.firewall.enable = false;
boot.postBootCommands = ''
if [ ! -c /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 666 /dev/net/tun c 10 200
fi
'';
services.openvpn = services.openvpn =
let let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
@ -63,7 +67,9 @@ in {
secret ${keyfile name} secret ${keyfile name}
''; '';
up = '' up = ''
${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1 ${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
''; '';
}; };
in { in {
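Review bot: The rewritten `up` hook mixes two names for the tunnel interface: the flush and the IPv6 add use the runtime argument `$1`, while the IPv4 line uses the Nix-interpolated `dev ${name}`. If OpenVPN's `dev` setting for a neighbor ever differs from the attribute name, the v4 peer address is added to a different interface than the one that was just flushed. Use the runtime argument on all three lines, `${pkgs.iproute}/bin/ip addr add ${address4} dev $1 peer ${conf.address4}/32`, so the hook only ever touches the interface OpenVPN hands it. The enclosing `let` that defines `address4`, `address6` and `keyfile` starts outside this hunk.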


@ -22,6 +22,7 @@
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false; services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -73,6 +74,7 @@
"::1/128" "::1/128"
"172.20.72.0/21" "172.20.72.0/21"
"10.0.0.0/24" "10.0.0.0/24"
"10.200.0.0/15"
"172.22.99.0/24" "172.22.99.0/24"
"127.0.0.0/8" "127.0.0.0/8"
]; ];
@ -217,7 +219,7 @@
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}" Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
''; '';
network = '' network = ''
Server "grafana.hq.c3d2.de" "25826" Server "grafana.serv.zentralwerk.dn42" "25826"
''; '';
}; };
extraConfig = '' extraConfig = ''
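Review bot: The added `"10.200.0.0/15"` entry sits in what looks like the resolver's allow-list (alongside `127.0.0.0/8`, `::1/128` and the hq ranges); a /15 is 131072 addresses, and the scrape configuration in this same commit identifies 10.200.x.x as Freifunk node space. If this is unbound's `access-control`, confirm that opening recursion to the whole mesh range is intended rather than the specific node subnets, and consider the rate-limiting options unbound offers for such clients. On the collectd `Server "grafana.serv.zentralwerk.dn42" "25826"` line the metrics path now crosses dn42 instead of hq and still carries no `SecurityLevel`, so the stream is unauthenticated on the new route; worth a `SecurityLevel Sign` or `Encrypt` block if the receiver supports it.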


@ -17,6 +17,8 @@
networking = { networking = {
hostName = "elastic1"; hostName = "elastic1";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
22 22


@ -56,7 +56,7 @@ stdenv.mkDerivation {
--replace awk ${gawk}/bin/awk --replace awk ${gawk}/bin/awk
'' + '' +
lib.strings.concatStrings (lib.attrsets.mapAttrsToList ( lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n" var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
) nvram); ) nvram);
installPhase = '' installPhase = ''
pwd pwd
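Review bot: On the rewritten `var: value:` line the replacement side `'${value}'` still splices `value` into a single-quoted shell word without escaping, while the pattern side goes through `lib.strings.escapeShellArg`; a value containing a `'` would end the quoting and the rest would be parsed as shell. Use the same helper on both sides: `var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} ${lib.strings.escapeShellArg value}\n"`. The `nvram` attrset this maps over, and the `mkDerivation` it belongs to, start outside the hunk.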


@ -1,24 +1,22 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, modulesPath, ... }:
{ {
imports = [ imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix> (modulesPath + "/profiles/minimal.nix")
../../../lib ../../../lib
../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
c3d2 = { c3d2.isInHq = false;
isInHq = true;
hq.interface = "eth0";
enableHail = true;
};
services.openssh.enable = true; services.openssh.enable = true;
networking.hostName = "grafana"; networking.hostName = "grafana";
networking.useNetworkd = true; networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# http https influxdb # http https influxdb
networking.firewall.allowedTCPPorts = [ 80 443 8086 ]; networking.firewall.allowedTCPPorts = [ 80 443 8086 ];
@ -39,7 +37,7 @@
enable = true; enable = true;
org_name = "Chaos"; org_name = "Chaos";
}; };
users.allowSignUp = true; users.allowSignUp = false;
}; };
services.influxdb = let services.influxdb = let
collectdTypes = pkgs.stdenv.mkDerivation { collectdTypes = pkgs.stdenv.mkDerivation {


@ -0,0 +1,66 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
networking.hostName = "kibana";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Required for krops
services.openssh.enable = true;
environment.systemPackages = [ pkgs.git ];
nixpkgs.config.allowUnfree = true;
services.elasticsearch = {
enable = true;
package = pkgs.elasticsearch7;
};
services.kibana = {
enable = true;
package = pkgs.kibana7;
};
security.acme = {
acceptTerms = true;
email = "mail@c3d2.de";
};
services.nginx =
let
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
vhost = url: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = url;
extraConfig = ''
auth_basic "Chaos";
auth_basic_user_file ${authFile};
'';
};
};
in
{
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
}
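Review bot: The `authFile` line builds the htpasswd file with `pkgs.writeText`, so the credential hash lands in the world-readable Nix store on every machine that evaluates this config, in addition to being committed here; the 13-character value also has the shape of a traditional DES crypt entry, which only considers the first 8 characters of the password and is not a suitable hash for an internet-facing login. Point nginx at a file provisioned outside the store, `auth_basic_user_file /path/outside/store/htpasswd; # placeholder path`, and generate the entry with a scheme nginx accepts such as bcrypt or SHA-512 crypt. Note also that `kibana-es.hq.c3d2.de` publishes Elasticsearch's full REST API behind that same single shared credential, so anyone holding it can read, alter or drop every index; consider whether that vhost is needed at all or should be restricted to the read-only paths Kibana users actually need.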


@ -1,11 +1,11 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, modulesPath, ... }:
{ {
imports = [ imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix> (modulesPath + "/profiles/minimal.nix")
<lib> ../../../lib
<lib/lxc-container.nix> ../../../lib/lxc-container.nix
<lib/shared.nix> ../../../lib/shared.nix
]; ];
c3d2 = { c3d2 = {
@ -22,8 +22,7 @@
environment.systemPackages = [ pkgs.git ]; environment.systemPackages = [ pkgs.git ];
systemd.services.ledball = systemd.services.ledball =
let let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; };
pile = import (toString <lib/pkgs/pile.nix>) { inherit pkgs; };
in { in {
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];


@ -17,6 +17,8 @@
networking = { networking = {
hostName = "logging"; hostName = "logging";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
22 22


@ -2,15 +2,15 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }: { config, pkgs, lib, modulesPath, ... }:
{ {
imports = imports = [
[ ../../lib/lxc-container.nix ../../lib/lxc-container.nix
../../lib/shared.nix ../../lib/shared.nix
../../lib/admins.nix ../../lib/admins.nix
<nixpkgs/nixos/modules/profiles/minimal.nix> (modulesPath + "/profiles/minimal.nix")
]; ];
networking.hostName = "nixbert"; # Define your hostname. networking.hostName = "nixbert"; # Define your hostname.
networking.useNetworkd = false; networking.useNetworkd = false;


@ -18,6 +18,8 @@
networking = { networking = {
hostName = "mongo"; hostName = "mongo";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
22 22


@ -12,11 +12,9 @@ in
]; ];
networking.hostName = "mucbot"; networking.hostName = "mucbot";
networking.useNetworkd = true; networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
networking.useDHCP = false; networking.defaultGateway = "172.20.73.1";
networking.interfaces.eth0.useDHCP = true;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
services.resolved.enable = false;
users.users.tigger = { users.users.tigger = {
createHome = true; createHome = true;


@ -9,13 +9,15 @@
[ ../../../lib/lxc-container.nix [ ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
../../../lib/default-gateway.nix
./proxy.nix ./proxy.nix
]; ];
networking.hostName = "public-access-proxy"; networking.hostName = "public-access-proxy";
networking.useNetworkd = true; networking.useNetworkd = true;
networking.dhcpcd.enable = lib.mkForce true; networking.interfaces.eth0 = {
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
};
networking.defaultGateway = "172.20.73.1";
my.services.proxy = { my.services.proxy = {
enable = true; enable = true;
@ -24,6 +26,14 @@
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ]; hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; }; proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
} }
{
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
{
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
]; ];
}; };
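Review bot: The two new `proxyTo` entries forward `grafana.hq.c3d2.de` and the kibana vhosts to `.dn42` backends by name with `httpPort = 80; httpsPort = 443;`; the kibana backend is protected only by HTTP basic auth, so if the proxy module terminates TLS and re-forwards over the plain port, those credentials cross dn42 in clear. proxy.nix is not visible from this hunk, so please confirm that 443 is passed through to the backend (or that the backend hop itself uses TLS), and that the proxy resolves the `.dn42` names through a resolver you control, since the backend for a public vhost is now chosen by that lookup. A one-line comment on each entry stating which hop carries TLS would make the intent checkable.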


@ -1,11 +1,21 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, modulesPath, ... }:
{ let
freifunkNodes = {
"1139" = "10.200.4.120";
"1487" = "10.200.5.213";
"1884" = "10.200.7.100";
"1891" = "10.200.7.107";
"1768" = "10.200.6.239";
"1176" = "10.200.7.80";
"1099" = "10.200.4.80";
};
in {
imports = [ imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix> (modulesPath + "/profiles/minimal.nix")
<lib> ../../../lib
<lib/lxc-container.nix> ../../../lib/lxc-container.nix
<lib/shared.nix> ../../../lib/shared.nix
]; ];
c3d2 = { c3d2 = {
@ -16,7 +26,8 @@
networking.hostName = "scrape"; networking.hostName = "scrape";
networking.useNetworkd = true; networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# Required for krops # Required for krops
services.openssh.enable = true; services.openssh.enable = true;
@ -35,6 +46,13 @@
xeriLogin = import <secrets/hosts/scrape/xeri.nix>; xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>; fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>; matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
};
};
in { in {
scrape-xeri = makeService { scrape-xeri = makeService {
script = "xerox"; script = "xerox";
@ -55,81 +73,28 @@
host = "matemat.hq.c3d2.de"; host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password; inherit (matematLogin) user password;
}; };
scrape-node1139 = makeService { } // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
script = "freifunk_node";
host = "10.200.4.120"; systemd.timers =
let
makeTimer = service: interval: {
partOf = [ "${service}.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = interval;
}; };
scrape-node1487 = makeService { makeNodeScraperTimer = nodeId:
script = "freifunk_node"; let
host = "10.200.5.213"; name = "scrape-node${nodeId}";
}; in {
scrape-node1884 = makeService { inherit name;
script = "freifunk_node"; value = makeTimer name "minutely";
host = "10.200.7.100"; };
}; in {
scrape-node1891 = makeService { scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
script = "freifunk_node"; scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
host = "10.200.7.107"; scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
}; scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
scrape-node1768 = makeService { } // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
script = "freifunk_node";
host = "10.200.6.239";
};
scrape-node1176 = makeService {
script = "freifunk_node";
host = "10.200.7.80";
};
};
systemd.timers.scrape-xeri = {
partOf = [ "scrape-xeri.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-roxi = {
partOf = [ "scrape-roxi.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-fhem = {
partOf = [ "scrape-fhem.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-matemat = {
partOf = [ "scrape-matemat.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1139 = {
partOf = [ "scrape-node1139.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1487 = {
partOf = [ "scrape-node1487.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1884 = {
partOf = [ "scrape-node1884.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1891 = {
partOf = [ "scrape-node1894.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1768 = {
partOf = [ "scrape-node1768.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1176 = {
partOf = [ "scrape-node1176.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
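Review bot: `makeTimer` appends the unit suffix itself (`partOf = [ "${service}.service" ];`), but the four explicit timers pass names that already carry it, e.g. `makeTimer "scrape-xeri.service" "minutely"`, which yields `partOf = [ "scrape-xeri.service.service" ]`; the node timers built by `makeNodeScraperTimer` pass the bare name and come out right. Drop the suffix from the four explicit calls, e.g. `scrape-xeri = makeTimer "scrape-xeri" "minutely";`, which also keeps the old `scrape-node1894` typo fixed by construction. Separately, the `import <secrets/hosts/scrape/*.nix>` lookups left in context still rely on NIX_PATH, which the flake-based evaluation introduced in flake.nix does not provide; this may be why `secrets.url` is commented out there.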


@ -8,14 +8,13 @@ in
[ ../../../lib/lxc-container.nix [ ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
../../../lib/default-gateway.nix
"${spacemsgGit}/spaceapi/module.nix" "${spacemsgGit}/spaceapi/module.nix"
]; ];
networking.hostName = "spaceapi"; networking.hostName = "spaceapi";
networking.useNetworkd = true; networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
networking.useDHCP = lib.mkForce true; networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 3000 3001 ]; networking.firewall.enable = false;
services.spaceapi = { services.spaceapi = {
enable = true; enable = true;
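Review bot: `networking.firewall.enable = false;` on the last changed line replaces an allow-list of ports 3000 and 3001 with no host firewall at all, so every listener in this container, not just spaceapi, becomes reachable from the network. Unless something outside this hunk needs the filter gone, keep the allow-list alongside the new static addressing: `networking.firewall.allowedTCPPorts = [ 3000 3001 ];`. If the firewall was dropped because the new `default-gateway.nix` import changes routing, a comment saying so would help the next reader.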


@ -6,41 +6,48 @@
c3d2 = { c3d2 = {
users.k-ot = true; users.k-ot = true;
isInHq = true; isInHq = true;
hq.interface = "enp0s10"; hq.interface = "eno1";
enableHail = true; hq.enableBinaryCache = false;
enableHail = false;
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nix = { nix = {
useSandbox = true; useSandbox = true;
buildCores = 2; buildCores = 4;
maxJobs = 4;
}; };
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_4_19; boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "glotzbert"; # Define your hostname. networking.hostName = "glotzbert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.interfaces.eno1.useDHCP = true;
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties. # Select internationalisation properties.
i18n = { console = {
consoleFont = "Lat2-Terminus16"; font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
consoleKeyMap = "de"; keyMap = "de";
defaultLocale = "en_US.UTF-8";
}; };
i18n.defaultLocale = "en_US.UTF-8";
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ wget vim x11vnc ]; environment.systemPackages = with pkgs; [
wget vim git tmux screen
chromium firefox
mpv kodi
];
systemd.user.services.x11vnc = { systemd.user.services.x11vnc = {
description = "X11 VNC server"; description = "X11 VNC server";
@ -108,11 +115,11 @@
user = "k-ot"; user = "k-ot";
}; };
}; };
defaultSession = "gnome-xorg";
}; };
services.xserver.desktopManager = { services.xserver.desktopManager = {
gnome3.enable = true; gnome3.enable = true;
kodi.enable = true; kodi.enable = true;
default = "kodi";
}; };
security.sudo = { security.sudo = {
@ -123,7 +130,6 @@
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.groups."k-ot" = { gid = 1000; }; users.groups."k-ot" = { gid = 1000; };
users.users."k-ot" = { users.users."k-ot" = {
password = "k-ot";
isNormalUser = true; isNormalUser = true;
uid = 1000; uid = 1000;
group = "k-ot"; group = "k-ot";
@ -133,6 +139,8 @@
]; ];
}; };
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you # servers. You should change this only after NixOS release notes say you
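Review bot: `users.users.emery.cryptHomeLuks = "/home/emery.luks.img";` on the last added line only takes effect through pam_mount, which as far as I can tell is wired up by `security.pam.mount.enable = true;`; nothing in this section sets it, so confirm the encrypted home is actually unlocked at login rather than silently ignored. Dropping the literal `password = "k-ot"` is the right move given the autologin (`user = "k-ot"` in context); a short comment near the sudo block noting that this account now relies on autologin plus sudo policy would make that trade-off explicit.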


@ -1,33 +1,27 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ]; boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "irqpoll" "hpet=off" ]; # noapic seems to improve things boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f"; { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "btrfs"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/67E3-17ED"; { device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat"; fsType = "vfat";
}; };
zramSwap = { enable = true; priority = 1000; }; swapDevices = [ ];
swapDevices = [
{ device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934";
} ];
nix.maxJobs = lib.mkDefault 2; nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
services.xserver.videoDriver = "nouveau";
} }


@ -4,164 +4,116 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let {
ympdPort = 8080;
mpdVhost = "mpd.hq.c3d2.de";
in {
imports = [ # Include the results of the hardware scan. imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../lib
../../lib/admins.nix
../../lib/hq.nix
./mpdConsole.nix
]; ];
c3d2 = { boot.loader.grub.enable = false;
users = { boot.loader.generic-extlinux-compatible.enable = false;
emery = true; boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
k-ot = true; #boot.kernelPackages = pkgs.linuxPackages_rpi4;
}; boot.kernelPackages = pkgs.linuxPackages_latest;
isInHq = true;
mapHqHosts = true;
hq = {
interface = "eno1";
enableMpdProxy = true;
yggdrasi.enableGateway = true;
};
enableHail = true;
};
# Use the systemd-boot EFI boot loader. boot.tmpOnTmpfs = true;
boot.loader.systemd-boot.enable = true; nix.buildCores = 4;
boot.loader.efi.canTouchEfiVariables = true; nix.maxJobs = 4;
boot.kernelPackages = pkgs.linuxPackages_4_19;
networking.hostName = "pulsebert"; # Define your hostname. networking.hostName = "pulsebert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = true;
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties. # Select internationalisation properties.
i18n = { # i18n.defaultLocale = "en_US.UTF-8";
consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; # console = {
consoleKeyMap = "us"; # font = "Lat2-Terminus16";
defaultLocale = "en_US.UTF-8"; # keyMap = "us";
}; # };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# specific printer drivers for our printers wget vim git
epson-escpr raspberrypi-tools
splix
# utilities
nix-index
usbutils
tmux
vim
git
openssl
# NCurses Music Player Client (Plus Plus)
# a commandline front-end client for mpd
# 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
# ncmpcpp
home-manager
mumble
ncpamixer
ffmpeg
]; ];
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
# started in user sessions. # started in user sessions.
# programs.mtr.enable = true; # programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; # programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable: # List services that you want to enable:
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.permitRootLogin = "yes";
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
users.users.k-ot = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" ];
};
# X11 Forwarding for mumble...
programs.ssh.forwardX11 = true;
services.openssh.forwardX11 = true;
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ # networking.firewall.allowedTCPPorts = [ ... ];
4713 # PulseAudio # networking.firewall.allowedUDPPorts = [ ... ];
631 # cups
80
443 # Web/ympd
5000 # shairport
config.services.mpd.network.port
];
networking.firewall.allowedUDPPorts = [ 631 ];
networking.firewall.extraCommands = ''
iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
''; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
# networking.firewall.enable = false; networking.firewall.enable = false;
# Enable CUPS to print documents. # Enable CUPS to print documents.
services.printing = { # services.printing.enable = true;
enable = true;
browsing = true;
listenAddresses = [ "*:631" ];
defaultShared = true;
# logLevel = "debug";
drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
extraConf =
''
DefaultAuthType Basic
<Location />
Order allow,deny
Allow ALL
</Location>
<Location /admin>
Order allow,deny
Allow ALL
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow ALL
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
'';
};
# Enable sound. # Enable sound.
sound.enable = true; sound.enable = true;
hardware.pulseaudio.enable = true; hardware.bluetooth = {
# PulseAudio as-a-Service enable = true;
hardware.pulseaudio.systemWide = true; config = {
hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [ Policy.AutoEnable = true;
"127.0.0.0/8" "::1/128" General = {
"172.22.99.0/24" "2a02:8106:208:5201:58::/64" Enable = "Source,Sink,Media,Socket";
]; #DiscoverableTimeout = 0;
hardware.pulseaudio.tcp.enable = true; #Discoverable = true;
hardware.pulseaudio.zeroconf.publish.enable = true; };
};
};
hardware.pulseaudio = {
enable = true;
systemWide = true;
tcp.enable = true;
tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128"
"172.22.99.0/24" "2a02:8106:208:5201:58::/64"
];
zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull;
extraModules = [ pkgs.pulseaudio-modules-bt ];
};
# tell Avahi to publish CUPS and PulseAudio # tell Avahi to publish CUPS and PulseAudio
services.avahi = { services.avahi = {
@ -170,9 +122,6 @@ in {
publish.userServices = true; publish.userServices = true;
}; };
# Enable Audio streaming for Mac clients
services.shairport-sync.enable = true;
# Enable the X11 windowing system. # Enable the X11 windowing system.
# services.xserver.enable = true; # services.xserver.enable = true;
# services.xserver.layout = "us"; # services.xserver.layout = "us";
@ -185,88 +134,19 @@ in {
# services.xserver.displayManager.sddm.enable = true; # services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true; # services.xserver.desktopManager.plasma5.enable = true;
security.pam.enableSSHAgentAuth = true; # Define a user account. Don't forget to set a password with passwd.
security.sudo = { # users.users.jane = {
enable = true; # isNormalUser = true;
wheelNeedsPassword = false; # extraGroups = [ "wheel" ]; # Enable sudo for the user.
}; # };
users.users.k-ot.extraGroups = [ "wheel" ]; # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
# vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
#### https://nixos.org/nixos/options.html#services.mpd.enable
# See ../../mpd.nix
services.mpd = {
enable = true;
dbFile = null;
musicDirectory = "/mnt/storage/Music";
playlistDirectory = "/home/k-ot/Playlists";
network.listenAddress = "any";
extraConfig = ''
audio_output {
type "pulse"
name "/proc"
}
'';
};
services.caddy = {
enable = true;
agree = true;
# TODO: add auth?
config = ''
${mpdVhost} {
proxy / localhost:${toString ympdPort}
}
:80 {
redir https://${mpdVhost}{uri}
}
'';
};
fileSystems."/mnt/storage" = {
#device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
#device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
device =
"172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
fsType = "ceph";
options = [
"rw"
"relatime"
"name=public"
"secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
"acl"
"wsize=16777216"
"_netdev"
];
};
# MPD music playing daemon with webinterface
services.ympd = {
enable = true;
webPort = toString ympdPort;
};
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
ympd = ympd.overrideAttrs (oldAttrs: {
src = fetchFromGitHub {
owner = "c3d2";
repo = "ympd";
rev = "feature/somafm_browser";
sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
};
});
};
programs.bash.shellAliases = {
mpv = "mpv --no-vid";
};
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
} }


@ -1,29 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = #imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> # [ (modulesPath + "/installer/scan/not-detected.nix")
]; # ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "usbhid" ];
boot.kernelModules = [ "kvm-intel" ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelParams = [
"snd_bcm2835.enable_headphones=1"
];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; { device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6490-45A0"; { device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4; hardware.enableRedistributableFirmware = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; #networking.wireless.enable = true;
boot.loader.raspberryPi.firmwareConfig = ''
gpu_mem=192
dtparam=audio=on
'';
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
} }
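Review bot: The header still says this file was generated by nixos-generate-config and must not be edited, yet the new side carries hand-written settings — `boot.kernelParams`, `hardware.enableRedistributableFirmware`, `boot.loader.raspberryPi.firmwareConfig` and the commented-out `networking.wireless.enable` — that the next regeneration will silently drop. Either move those to configuration.nix or replace the "Do not modify" header with a note such as `# Hand-maintained for the Pi image; do not regenerate with nixos-generate-config` so the next maintainer knows which it is. The switch from by-uuid to `/dev/disk/by-label/NIXOS_SD` and `FIRMWARE` also means any attached volume carrying those labels can be chosen as root or boot; that is the usual SD-image convention, but a one-line comment saying it is deliberate would help.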


@ -1,17 +0,0 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
htop
fortune
ddate
mpv
ncmpcpp
schedtool
screen
tmux
pulsemixer
ncpamixer
python35.withPackages(ps: with ps; [ youtube-dl ])
];
}


@ -1,23 +0,0 @@
{ pkgs, ... }:
let tty = "tty1";
in {
boot.extraTTYs = [ tty ];
systemd.services.ncmpcpp = {
description = "Mpd console";
wantedBy = [ "multi-user.target" ];
conflicts = [ "getty@${tty}.service" ];
serviceConfig = {
User = "k-ot";
ExecStart = "${pkgs.ncmpcpp}/bin/ncmpcpp";
StandardInput = "tty";
StandardOutput = "tty";
TTYPath = "/dev/${tty}";
TTYReset = true;
TTYVTDisallocate = true;
Restart = "always";
};
};
}


@ -1,6 +1,6 @@
name: name:
let yggaddr = import ../yggaddr.nix; let yggaddr = import ../../../lib/server7-yggaddr.nix;
in { in {
# These the container defaults from the perspective of the host. # These the container defaults from the perspective of the host.


@ -55,6 +55,20 @@ name:
}; };
}; };
networking.interfaces.eth0 = {
ipv4 = {
addresses = [{
address = "172.22.99.20";
prefixLength = 24;
}];
routes = [{
address = "0.0.0.0";
prefixLength = 0;
via = "172.22.99.1";
}];
};
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
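Review bot: The new static 172.22.99.20/24 on eth0 with a default route via 172.22.99.1 is added to a container whose `networking.firewall.enable = false;` (the context line directly below) leaves every listening service exposed, so the container is now reachable at a fixed, predictable address on the HQ subnet with no host-level filtering. If that is intended, a comment such as `# static HQ address; firewall is off on purpose, services must be reachable from 172.22.99.0/24` would make the decision explicit; otherwise enable the firewall with an `allowedTCPPorts` list. Whether eth0 also gets an address from the host side (and thus a second default route) cannot be seen here; the enclosing attribute set starts outside the hunk.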


@ -1,9 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let yggaddr = import ./yggaddr.nix; let yggaddr = import ../../lib/server7-yggaddr.nix;
in { in {
imports = [ imports = [
# <nixpkgs/nixos/modules/profiles/minimal.nix>
../../lib ../../lib
../../lib/default-gateway.nix ../../lib/default-gateway.nix
./borgbackup.nix ./borgbackup.nix
@ -13,8 +12,10 @@ in {
./nix-serve.nix ./nix-serve.nix
]; ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
security.acme = { security.acme = {
email = " mail@c3d2.de"; email = "mail@c3d2.de";
acceptTerms = true; acceptTerms = true;
}; };
@ -32,7 +33,8 @@ in {
}; };
fileSystems."/srv/ceph" = { fileSystems."/srv/ceph" = {
device = "172.22.99.13:6789:/"; #device = "172.22.99.13:6789:/";
device = "172.20.72.53:6789:/";
fsType = "ceph"; fsType = "ceph";
options = [ options = [
"name=storage2" "name=storage2"
@ -45,20 +47,47 @@ in {
]; ];
}; };
fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };
# Route IPv6 # Route IPv6
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
# Obtain global IPv6 despite being a router myself # Obtain global IPv6 despite being a router myself
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2; boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;
services.yggdrasil = { services.yggdrasil = {
enable = true; enable = true;
configFile = "/var/lib/yggdrasil/keys"; configFile = "/var/lib/yggdrasil/keys";
config.Peers = [ config = {
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha Peers = [
"tcp://ygg.thingylabs.io:443" # Nürnberg
"tcp://176.223.130.120:22632" # Wrocław # Deutschland
"tcp://[2a05:9403::8b]:7743" # Praha "tcp://45.11.19.26:5001"
]; "tcp://82.165.69.111:61216"
"tcp://[2001:8d8:1800:8224::1]:61216"
# Czechia
"tcp://195.123.245.146:7743"
"tcp://37.205.14.171:46370"
"tcp://[2a03:3b40:fe:ab::1]:46370"
"tcp://[2a05:9403::8b]:7743"
# Poland
"tcp://176.223.130.120:22632"
"tcp://51.75.44.73:50001"
"tcp://54.37.137.221:37145"
"tcp://[2001:41d0:601:1100::cf2]:37145"
"tcp://n2o.ddns.net:22632"
"tls://54.37.137.221:14987"
"tls://[2001:41d0:601:1100::cf2]:14987"
];
NodeInfo = {
location = "Dresden";
name = "server7.y.c3d2.de";
admin =
"toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
};
};
}; };
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
@ -188,4 +217,10 @@ in {
# allow the old hydra to build here # allow the old hydra to build here
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
]; ];
services.dhcpd4 = {
enable = false;
interfaces = [ "br0" ];
extraConfig = "not authoritative;";
};
} }
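Review bot: `fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };` mounts an OSD data directory on tmpfs with no `device` and no size option, so its contents vanish at every reboot and it may grow to the tmpfs default of half of RAM. That is a known pattern for BlueStore OSDs whose directory is repopulated by `ceph-volume … activate` at boot, but nothing here says so; a comment like `# BlueStore OSD: dir is recreated by ceph-volume activate at boot, only the block device persists` would keep the next reader from assuming (or causing) data loss. Separately, the new `NodeInfo` block publishes the hostname and a Tox admin ID to any Yggdrasil node that asks, which is what NodeInfo is for, but confirm that contact is meant to be public.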


@ -1,70 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/var/lib/ceph/osd/ceph-7" = {
device = "tmpfs";
fsType = "tmpfs";
};
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/9812-00B2"; device = "/dev/disk/by-uuid/9812-00B2";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1" = { fileSystems."/nvme0n1" = {
device = "nvme0n1"; device = "nvme0n1";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
fileSystems."/zones/archive" = {
device = "nvme0n1/archive";
fsType = "zfs";
};
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/zones/global/cores" = {
device = "nvme0n1/cores/global";
fsType = "zfs";
};
fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = {
device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/zones/archive" = {
device = "nvme0n1/archive";
fsType = "zfs";
};
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs"; fsType = "zfs";
}; };
@ -73,11 +62,36 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
fsType = "zfs";
};
fileSystems."/zones/global/cores" = {
device = "nvme0n1/cores/global";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de" = { fileSystems."/nvme0n1/c3d2.de" = {
device = "nvme0n1/c3d2.de"; device = "nvme0n1/c3d2.de";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
fsType = "zfs";
};
fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = {
device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs"; fsType = "zfs";
@ -88,43 +102,13 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/admin" = {
device = "nvme0n1/c3d2.de/admin";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/templates" = {
device = "nvme0n1/c3d2.de/templates";
fsType = "zfs";
};
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
fsType = "zfs";
};
fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = {
device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs"; fsType = "zfs";
}; };
@ -133,8 +117,8 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs"; fsType = "zfs";
}; };
@ -143,8 +127,8 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
fsType = "zfs"; fsType = "zfs";
}; };
@ -153,11 +137,31 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
fsType = "zfs";
};
fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = {
device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nvme0n1/c3d2.de/admin" = {
device = "nvme0n1/c3d2.de/admin";
fsType = "zfs";
};
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/templates" = {
device = "nvme0n1/c3d2.de/templates";
fsType = "zfs";
};
fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = {
device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f";
fsType = "zfs"; fsType = "zfs";
@ -170,7 +174,6 @@
swapDevices = [ ]; swapDevices = [ ];
nix.maxJobs = lib.mkDefault 10; nix.maxJobs = lib.mkDefault 40;
nix.buildCores = lib.mkDefault 40; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
} }


@ -10,15 +10,17 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = let
"cache.server7.hq.c3d2.de" = { vhost.locations."/".proxyPass =
"http://${config.services.nix-serve.bindAddress}:${
toString config.services.nix-serve.port
}";
in {
"cache.server7.hq.c3d2.de" = vhost // {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass =
"http://${config.services.nix-serve.bindAddress}:${
toString config.services.nix-serve.port
}";
}; };
"nix-serve.y.c3d2.de" = vhost;
}; };
}; };
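Review bot: The new `"nix-serve.y.c3d2.de" = vhost;` serves the cache over plain HTTP with no `addSSL`/`enableACME`, unlike the `.hq.` name next to it. The `.y.` name presumably means it is reached over Yggdrasil, whose transport is encrypted end to end, but nginx selects the server block by Host header, so unless `listenAddresses` pins it to the Yggdrasil address the same unencrypted vhost answers on every interface nginx listens on. Integrity then rests on nix-serve's signing key (not visible here) being configured and clients verifying it via `nix.binaryCachePublicKeys`; a comment such as `# plain HTTP: transport is Yggdrasil-encrypted, integrity via the nix-serve signing key` would make the exemption deliberate rather than accidental.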


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let yggaddr = import ./yggaddr.nix; let yggaddr = import ../../lib/server7-yggaddr.nix;
in { in {
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
@ -15,6 +15,7 @@ in {
interface enp2s0f1 interface enp2s0f1
{ {
AdvSendAdvert on; AdvSendAdvert on;
AdvRouteLifetime 0;
prefix ${yggaddr.prefix}:/64 { prefix ${yggaddr.prefix}:/64 {
AdvOnLink on; AdvOnLink on;
AdvAutonomous on; AdvAutonomous on;
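Review bot: `AdvRouteLifetime 0;` is placed directly in the `interface enp2s0f1` block, but per radvd.conf(5) AdvRouteLifetime is a `route { }` option rather than an interface option, so radvd may reject the configuration or, if it tolerates it, the line has no effect. If the intent is to advertise the Yggdrasil prefix without announcing server7 as a default router, the interface-level option is `AdvDefaultLifetime 0;`. The interface block continues outside the hunk, so check whether a `route` section further down was the intended home for this line.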


@ -8,7 +8,7 @@
hosts/containers/grafana/configuration.nix hosts/containers/grafana/configuration.nix
]; ];
deployment = { deployment = {
targetHost = "grafana.hq.c3d2.de"; targetHost = "grafana.serv.zentralwerk.dn42";
storeKeysOnMachine = true; storeKeysOnMachine = true;
}; };
}; };
@ -44,7 +44,7 @@
hosts/containers/public-access-proxy/configuration.nix hosts/containers/public-access-proxy/configuration.nix
]; ];
deployment = { deployment = {
targetHost = "2a02:8106:208:5201:1024:5fff:febd:9be7"; targetHost = "172.20.73.45";
storeKeysOnMachine = true; storeKeysOnMachine = true;
}; };
}; };
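Review bot: Both deployment targets change from one host string to another (`grafana.hq.c3d2.de` to `grafana.serv.zentralwerk.dn42`, an IPv6 literal to `172.20.73.45`), and SSH known_hosts entries are keyed by that literal, so the first deploy to each new target is a trust-on-first-use event for what is presumably the same machine. Verify the fingerprints out of band or pre-seed `programs.ssh.knownHosts` on the deploying host before running this, since `storeKeysOnMachine = true` indicates deployment keys are pushed to the target. Using a raw IPv4 literal for public-access-proxy while the other targets use names also deserves a comment, e.g. `# no DNS name on the dn42 side yet`, if that is the reason.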


@ -31,4 +31,18 @@ in {
scrape = deployContainer "scrape" "172.20.73.32"; scrape = deployContainer "scrape" "172.20.73.32";
ledstripes = deployContainer "ledstripes" "172.22.99.168"; ledstripes = deployContainer "ledstripes" "172.22.99.168";
freifunk = deployContainer "freifunk" "172.20.72.40"; freifunk = deployContainer "freifunk" "172.20.72.40";
kibana = deployContainer "kibana" "172.20.73.44";
glotzbert = pkgs.krops.writeDeploy "glotzbert" {
source = hostSource "glotzbert";
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // {
sudo = true;
};
};
pulsebert = pkgs.krops.writeDeploy "pulsebert" {
source = hostSource "pulsebert";
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // {
sudo = true;
};
};
} }
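Review bot: The two new krops targets log in as `k-ot@…` with `sudo = true`, so the deploy path depends on that account holding passwordless sudo on glotzbert and pulsebert and on every deployer's key being in its authorized_keys; if k-ot is the space's shared interactive user (the name suggests it, but that is not visible here), each of those keys also grants interactive root on both hosts. A dedicated deploy account with per-deployer keys would keep the audit trail per person. The `glotzbert` and `pulsebert` definitions are structurally identical, so a small helper alongside the existing `deployContainer` would remove the duplication. The enclosing attribute set starts outside the hunk.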


@ -8,7 +8,7 @@ let
hqPrefix64 = "fd23:42:c3d2:523"; hqPrefix64 = "fd23:42:c3d2:523";
# TODO: Is this stable? Is there a better place to specifiy this? # TODO: Is this stable? Is there a better place to specifiy this?
server7Ygg = import ../hosts/server7/yggaddr.nix; server7Ygg = import ./server7-yggaddr.nix;
# Generate a deterministic IPv6 address for a 64 bit prefix # Generate a deterministic IPv6 address for a 64 bit prefix
# and seed string. Prefix must not contain trailing ':'. # and seed string. Prefix must not contain trailing ':'.
@ -257,7 +257,7 @@ in {
File STDOUT File STDOUT
''; '';
network = '' network = ''
Server "grafana.hq.c3d2.de" "25826" Server "grafana.serv.zentralwerk.dn42" "25826"
''; '';
memory = ""; memory = "";
processes = ""; processes = "";


@ -1,10 +1,10 @@
{ pkgs, lib, ... }: { pkgs, lib, modulesPath, ... }:
{ {
imports = imports = [
[ <nixpkgs/nixos/modules/profiles/minimal.nix> (modulesPath + "/profiles/minimal.nix")
<nixpkgs/nixos/modules/profiles/docker-container.nix> (modulesPath + "/profiles/docker-container.nix")
]; ];
networking.networkmanager.dns = "unbound"; networking.networkmanager.dns = "unbound";
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
@ -12,10 +12,13 @@
nix.useSandbox = false; nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 1; nix.maxJobs = lib.mkDefault 1;
nix.buildCores = lib.mkDefault 4; nix.buildCores = lib.mkDefault 4;
networking.useNetworkd = true;
networking.useDHCP = false; networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.interfaces.eth0 = { networking.interfaces.eth0 = {
useDHCP = true; useDHCP = false;
preferTempAddress = false; preferTempAddress = false;
}; };
systemd.network.networks."40-eth0" = { systemd.network.networks."40-eth0" = {
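Review bot: `networking.nameservers` mixes three internal resolvers with the public `9.9.9.9`; the glibc resolver tries servers in order and only moves on after a timeout, so whenever the internal ones are slow or down, names in internal zones get an authoritative NXDOMAIN from Quad9 instead of a retry, and internal hostnames are leaked to an external resolver. If the fallback is wanted, state the trade-off in a comment, e.g. `# 9.9.9.9 is a last resort only: internal zones will NXDOMAIN rather than resolve through it`, or drop it. `networking.networkmanager.dns = "unbound"` two lines above is still set while `services.resolved.enable = false` and networkd are now used, which looks like a leftover worth removing. The file continues beyond the hunk.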

@ -1 +1 @@
Subproject commit edfc43c84dfd93bb7df12d2125ba94bf3f6d1081 Subproject commit 0efb7df81d358c033a72fcc0c65016ff86f54858