Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config

Daniel Poelzleithner 2020-12-09 01:23:45 +01:00
commit 60f270224b
37 changed files with 525 additions and 560 deletions


@ -1,39 +1,33 @@
{
"nodes": {
"hydra": {
"info": {
"lastModified": 1587883324,
"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
},
"inputs": {
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"owner": "ehmry",
"lastModified": 1593509723,
"narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=",
"owner": "NixOS",
"repo": "hydra",
"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
"rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed",
"type": "github"
},
"original": {
"owner": "ehmry",
"ref": "sotest",
"repo": "hydra",
"type": "github"
"id": "hydra",
"type": "indirect"
}
},
"nix": {
"info": {
"lastModified": 1586440843,
"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
},
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1592818267,
"narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=",
"owner": "NixOS",
"repo": "nix",
"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
"rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221",
"type": "github"
},
"original": {
@ -42,14 +36,12 @@
}
},
"nixpkgs": {
"info": {
"lastModified": 1585405475,
"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
},
"locked": {
"lastModified": 1591633336,
"narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
"rev": "70717a337f7ae4e486ba71a500367cad697e5f09",
"type": "github"
},
"original": {
@ -59,14 +51,12 @@
}
},
"nixpkgs_2": {
"info": {
"lastModified": 1586219474,
"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
},
"locked": {
"lastModified": 1592263354,
"narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "29eddfc36d720dcc4822581175217543b387b1e8",
"rev": "a84b797b28eb104db758b5cb2b61ba8face6744b",
"type": "github"
},
"original": {
@ -75,31 +65,16 @@
"type": "indirect"
}
},
"nixpkgs_3": {
"info": {
"lastModified": 1586724123,
"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
},
"locked": {
"owner": "nixos",
"repo": "nixpkgs-channels",
"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.03",
"repo": "nixpkgs-channels",
"type": "github"
}
},
"root": {
"inputs": {
"hydra": "hydra",
"nixpkgs": "nixpkgs_3"
"nixpkgs": [
"hydra",
"nixpkgs"
]
}
}
},
"root": "root",
"version": 5
"version": 7
}


@ -1,17 +1,18 @@
{
description = "C3D2 NixOS configurations";
edition = 201909;
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
inputs.hydra.url = "github:ehmry/hydra/sotest";
inputs = {
nixpkgs.follows = "hydra/nixpkgs";
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# secrets.url = "git+file:///etc/nixos/secrets";
};
outputs = { self, nixpkgs, hydra }: {
nixosConfigurations = {
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
glotzbert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/glotzbert/configuration.nix ];
system = "x86_64-linux";
};
@ -20,8 +21,18 @@
system = "x86_64-linux";
};
kibana = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/containers/kibana/configuration.nix ];
system = "x86_64-linux";
};
pulsebert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/pulsebert/configuration.nix ];
system = "aarch64-linux";
};
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
system = "x86_64-linux";
};
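Review bot: `inputs.nixpkgs.follows = "hydra/nixpkgs"` makes every host's nixpkgs whatever the hydra input's own lock pins (the flake.lock in this commit records root `nixpkgs` as `["hydra","nixpkgs"]`), so a nixpkgs security update now has to go through a hydra bump first. Consider keeping a direct `inputs.nixpkgs.url` and pointing hydra at it instead, `inputs.hydra.inputs.nixpkgs.follows = "nixpkgs";`, so this repository remains the pinning authority. The lock also records the hydra input as `"type": "indirect"`, i.e. resolved through the flake registry rather than an explicit URL; if the `inputs.hydra.url` line is indeed removed here, a comment in `inputs` naming the expected registry entry would help the next maintainer.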


@ -9,7 +9,7 @@ rec {
ledstripes = {};
glotzbert.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
hydra.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";
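Review bot: glotzbert's `publicKey` is replaced rather than added, so wherever this attribute is consumed (authorized_keys or known_hosts material generated from it) the old key stays trusted or pinned until those consumers are rebuilt and deployed; the old key should be treated as retired from this commit on. If the new disk UUIDs in this commit's glotzbert hardware-configuration hunk mean the machine was reinstalled, a one-line comment next to the key, e.g. `# rotated after reinstall, see commit 60f270224b`, would record why the key changed.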


@ -25,6 +25,9 @@
htop
];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking = {
hostName = "deployer";
# usePredictableInterfacenames = false;
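Review bot: `networking.defaultGateway = "172.20.73.1"` together with `prefixLength = 26` is now spelled out per host — here and in the elastic1, grafana, kibana, logging, mongo, mucbot, public-access-proxy, scrape and spaceapi hunks — while `../../../lib/default-gateway.nix` is dropped from two import lists. Only the address is host-specific; keeping the gateway and prefix length in one shared module (the existing lib file, if it still exists, or a single option in `../../../lib`) would avoid ten copies drifting apart. The `networking = {` set opened on the last visible line continues outside the hunk.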


@ -31,7 +31,10 @@
services.dhcpd4 = {
enable = true;
interfaces = [ "eth0" ];
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
extraConfig = ''
authoritative;
'' + builtins.readFile ../../../secrets/hosts/dhcp/config;
};
# This value determines the NixOS release with which your system is to be
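Review bot: `builtins.readFile ../../../secrets/hosts/dhcp/config` is concatenated into `extraConfig`, so the content of that secrets file is written into the generated dhcpd configuration in the world-readable Nix store; the pattern predates this hunk, but the new line keeps it, and if the file holds anything sensitive dhcpd should instead be pointed at a path deployed outside the store. `authoritative;` makes dhcpd answer DHCPNAK to requests for leases it does not know about, so it must be the only DHCP server expected on `eth0`; a short comment above it, e.g. `# sole DHCP server on this segment, NAK unknown leases`, would make that intent explicit.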


@ -30,8 +30,6 @@ in {
environment.systemPackages = with pkgs; [
vim
# for `vtysh`
quagga
];
# SSH for nixops
@ -41,6 +39,12 @@ in {
# No Firewalling!
networking.firewall.enable = false;
boot.postBootCommands = ''
if [ ! -c /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 666 /dev/net/tun c 10 200
fi
'';
services.openvpn =
let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
@ -63,7 +67,9 @@ in {
secret ${keyfile name}
'';
up = ''
${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1
${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in {
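Review bot: the rewritten `up` script mixes `$1` (the device name OpenVPN passes in) with `${name}` on the `peer` line, `ip addr add ${address4} dev ${name} peer ${conf.address4}/32`; unless `name` is guaranteed to equal the tun device name, that line should use `dev $1` like its two neighbours. `ip addr flush dev $1` also clears the link-local address that the old script set explicitly (`fe80::deca:fbad/64`) and nothing re-adds one, which is fine on a point-to-point tun only if nothing else relies on an fe80 address there — worth a one-line comment either way. The `mknod -m 666 /dev/net/tun` in `boot.postBootCommands` matches the usual permissions for that node, so no change is needed there; the `services.openvpn` `let` block continues outside the hunk.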


@ -22,6 +22,7 @@
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -73,6 +74,7 @@
"::1/128"
"172.20.72.0/21"
"10.0.0.0/24"
"10.200.0.0/15"
"172.22.99.0/24"
"127.0.0.0/8"
];
@ -217,7 +219,7 @@
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
'';
network = ''
Server "grafana.hq.c3d2.de" "25826"
Server "grafana.serv.zentralwerk.dn42" "25826"
'';
};
extraConfig = ''
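Review bot: `"10.200.0.0/15"` is added to a list whose enclosing option lies outside the hunk, next to `"172.20.72.0/21"`, `"10.0.0.0/24"` and `"127.0.0.0/8"`; if that list is the resolver's access-control list, it now admits a /15 (apparently the Freifunk range the scrape hunk addresses as `10.200.x`), far larger than the other entries, and a comment such as `# Freifunk nodes` confirming the size is intended would help. The collectd `network` block now targets `grafana.serv.zentralwerk.dn42` on 25826 with no `SecurityLevel`, `Username` or `Password`, i.e. unauthenticated UDP across the dn42 path; collectd's network plugin can sign or encrypt this traffic, and since the receiving host is being reconfigured in the same commit this is a good moment to enable it.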


@ -17,6 +17,8 @@
networking = {
hostName = "elastic1";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22


@ -56,7 +56,7 @@ stdenv.mkDerivation {
--replace awk ${gawk}/bin/awk
'' +
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
) nvram);
installPhase = ''
pwd
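Review bot: on the new `substituteInPlace` line the search string is passed through `escapeShellArg`, but the replacement is spliced in as a bare `'${value}'`, so any `nvram` value containing a single quote terminates the shell quoting early and corrupts the generated command. Quote both sides the same way, `--replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} ${lib.strings.escapeShellArg value}`, which also drops the hand-written quotes. The `stdenv.mkDerivation` body starts and ends outside the hunk.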


@ -1,24 +1,22 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
c3d2 = {
isInHq = true;
hq.interface = "eth0";
enableHail = true;
};
c3d2.isInHq = false;
services.openssh.enable = true;
networking.hostName = "grafana";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# http https influxdb
networking.firewall.allowedTCPPorts = [ 80 443 8086 ];
@ -39,7 +37,7 @@
enable = true;
org_name = "Chaos";
};
users.allowSignUp = true;
users.allowSignUp = false;
};
services.influxdb = let
collectdTypes = pkgs.stdenv.mkDerivation {


@ -0,0 +1,66 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
networking.hostName = "kibana";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Required for krops
services.openssh.enable = true;
environment.systemPackages = [ pkgs.git ];
nixpkgs.config.allowUnfree = true;
services.elasticsearch = {
enable = true;
package = pkgs.elasticsearch7;
};
services.kibana = {
enable = true;
package = pkgs.kibana7;
};
security.acme = {
acceptTerms = true;
email = "mail@c3d2.de";
};
services.nginx =
let
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
vhost = url: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = url;
extraConfig = ''
auth_basic "Chaos";
auth_basic_user_file ${authFile};
'';
};
};
in
{
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
}
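Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";` commits the basic-auth credential to the repository and, through `writeText`, installs it in the world-readable Nix store on the host; the 13-character hash is also the traditional DES `crypt` format, which truncates passwords to 8 characters. Point `auth_basic_user_file` at a file deployed outside the store (this repository already has a `secrets` tree, as the dhcp hunk shows) and generate it with a bcrypt hash, e.g. `htpasswd -B`. The same single account guards `kibana-es.hq.c3d2.de`, which proxies the Elasticsearch REST API directly rather than Kibana; if that vhost is deliberately reachable, a comment saying so and why would be worthwhile, otherwise drop it and keep only the Kibana vhost.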


@ -1,11 +1,11 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
<lib>
<lib/lxc-container.nix>
<lib/shared.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
c3d2 = {
@ -22,8 +22,7 @@
environment.systemPackages = [ pkgs.git ];
systemd.services.ledball =
let
pile = import (toString <lib/pkgs/pile.nix>) { inherit pkgs; };
let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; };
in {
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];


@ -17,6 +17,8 @@
networking = {
hostName = "logging";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22


@ -2,14 +2,14 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports =
[ ../../lib/lxc-container.nix
imports = [
../../lib/lxc-container.nix
../../lib/shared.nix
../../lib/admins.nix
<nixpkgs/nixos/modules/profiles/minimal.nix>
(modulesPath + "/profiles/minimal.nix")
];
networking.hostName = "nixbert"; # Define your hostname.


@ -18,6 +18,8 @@
networking = {
hostName = "mongo";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22


@ -12,11 +12,9 @@ in
];
networking.hostName = "mucbot";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
services.resolved.enable = false;
users.users.tigger = {
createHome = true;


@ -9,13 +9,15 @@
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
./proxy.nix
];
networking.hostName = "public-access-proxy";
networking.useNetworkd = true;
networking.dhcpcd.enable = lib.mkForce true;
networking.interfaces.eth0 = {
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
};
networking.defaultGateway = "172.20.73.1";
my.services.proxy = {
enable = true;
@ -24,6 +26,14 @@
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
}
{
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
{
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
];
};
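Review bot: the new entry `hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];` publishes the Elasticsearch-proxy vhost defined in the kibana hunk on the public proxy, and that container protects both names with one shared basic-auth account, so the Elasticsearch API becomes reachable from the Internet behind a single password. Unless external access to the API is required, list only `"kibana.hq.c3d2.de"` here; if it is required, a comment naming the consumer would justify it. The `my.services.proxy` block opens outside the hunk.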


@ -1,11 +1,21 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
let
freifunkNodes = {
"1139" = "10.200.4.120";
"1487" = "10.200.5.213";
"1884" = "10.200.7.100";
"1891" = "10.200.7.107";
"1768" = "10.200.6.239";
"1176" = "10.200.7.80";
"1099" = "10.200.4.80";
};
in {
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
<lib>
<lib/lxc-container.nix>
<lib/shared.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
c3d2 = {
@ -16,7 +26,8 @@
networking.hostName = "scrape";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# Required for krops
services.openssh.enable = true;
@ -35,6 +46,13 @@
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
};
};
in {
scrape-xeri = makeService {
script = "xerox";
@ -55,81 +73,28 @@
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
scrape-node1139 = makeService {
script = "freifunk_node";
host = "10.200.4.120";
};
scrape-node1487 = makeService {
script = "freifunk_node";
host = "10.200.5.213";
};
scrape-node1884 = makeService {
script = "freifunk_node";
host = "10.200.7.100";
};
scrape-node1891 = makeService {
script = "freifunk_node";
host = "10.200.7.107";
};
scrape-node1768 = makeService {
script = "freifunk_node";
host = "10.200.6.239";
};
scrape-node1176 = makeService {
script = "freifunk_node";
host = "10.200.7.80";
};
};
systemd.timers.scrape-xeri = {
partOf = [ "scrape-xeri.service" ];
} // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
systemd.timers =
let
makeTimer = service: interval: {
partOf = [ "${service}.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
timerConfig.OnCalendar = interval;
};
systemd.timers.scrape-roxi = {
partOf = [ "scrape-roxi.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-fhem = {
partOf = [ "scrape-fhem.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-matemat = {
partOf = [ "scrape-matemat.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1139 = {
partOf = [ "scrape-node1139.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1487 = {
partOf = [ "scrape-node1487.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1884 = {
partOf = [ "scrape-node1884.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1891 = {
partOf = [ "scrape-node1894.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1768 = {
partOf = [ "scrape-node1768.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1176 = {
partOf = [ "scrape-node1176.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
makeNodeScraperTimer = nodeId:
let
name = "scrape-node${nodeId}";
in {
inherit name;
value = makeTimer name "minutely";
};
in {
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
} // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
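Review bot: `makeTimer` builds `partOf = [ "${service}.service" ]`, but the four explicit calls already pass the suffix — `scrape-xeri = makeTimer "scrape-xeri.service" "minutely";` yields `partOf = [ "scrape-xeri.service.service" ]`, a unit that does not exist — whereas `makeNodeScraperTimer` correctly passes the bare `name`. Drop `.service` from the four literal arguments, e.g. `scrape-xeri = makeTimer "scrape-xeri" "minutely";`, so they match the node timers. Separately, `xeriLogin = import <secrets/hosts/scrape/xeri.nix>;` and its two siblings still use `<...>` NIX_PATH lookups while the imports at the top of this file moved to relative paths; under flake (pure) evaluation those lookups fail, so they presumably need the same treatment.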


@ -8,14 +8,13 @@ in
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
"${spacemsgGit}/spaceapi/module.nix"
];
networking.hostName = "spaceapi";
networking.useNetworkd = true;
networking.useDHCP = lib.mkForce true;
networking.firewall.allowedTCPPorts = [ 3000 3001 ];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.firewall.enable = false;
services.spaceapi = {
enable = true;


@ -6,41 +6,48 @@
c3d2 = {
users.k-ot = true;
isInHq = true;
hq.interface = "enp0s10";
enableHail = true;
hq.interface = "eno1";
hq.enableBinaryCache = false;
enableHail = false;
};
nixpkgs.config.allowUnfree = true;
nix = {
useSandbox = true;
buildCores = 2;
buildCores = 4;
maxJobs = 4;
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_4_19;
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "glotzbert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.interfaces.eno1.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
console = {
font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
keyMap = "de";
};
i18n.defaultLocale = "en_US.UTF-8";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [ wget vim x11vnc ];
environment.systemPackages = with pkgs; [
wget vim git tmux screen
chromium firefox
mpv kodi
];
systemd.user.services.x11vnc = {
description = "X11 VNC server";
@ -108,11 +115,11 @@
user = "k-ot";
};
};
defaultSession = "gnome-xorg";
};
services.xserver.desktopManager = {
gnome3.enable = true;
kodi.enable = true;
default = "kodi";
};
security.sudo = {
@ -123,7 +130,6 @@
# Define a user account. Don't forget to set a password with passwd.
users.groups."k-ot" = { gid = 1000; };
users.users."k-ot" = {
password = "k-ot";
isNormalUser = true;
uid = 1000;
group = "k-ot";
@ -133,6 +139,8 @@
];
};
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
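Review bot: dropping `password = "k-ot";` from `users.users."k-ot"` is the right call, but nothing in the hunk replaces it: with the default `users.mutableUsers` an existing install keeps whatever is in its shadow file, whereas a fresh install (which the new disk UUIDs in this commit's hardware-configuration hunk suggest) ends up with an account that has no usable password, while `security.sudo` and the display-manager `user = "k-ot"` context still refer to it. If the credential is meant to be set out of band, a comment such as `# password set manually after install` next to the user would document that; otherwise consider `hashedPassword` or `passwordFile` pointing outside the repository. The `users.users."k-ot"` set continues outside the hunk.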


@ -1,33 +1,27 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ];
boot.kernelParams = [ "irqpoll" "hpet=off" ]; # noapic seems to improve things
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f";
fsType = "btrfs";
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/67E3-17ED";
{ device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat";
};
zramSwap = { enable = true; priority = 1000; };
swapDevices = [
{ device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934";
} ];
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 2;
services.xserver.videoDriver = "nouveau";
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}


@ -4,164 +4,116 @@
{ config, pkgs, ... }:
let
ympdPort = 8080;
mpdVhost = "mpd.hq.c3d2.de";
in {
{
imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix
../../lib
../../lib/admins.nix
../../lib/hq.nix
./mpdConsole.nix
];
c3d2 = {
users = {
emery = true;
k-ot = true;
};
isInHq = true;
mapHqHosts = true;
hq = {
interface = "eno1";
enableMpdProxy = true;
yggdrasi.enableGateway = true;
};
enableHail = true;
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
#boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelPackages = pkgs.linuxPackages_latest;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_4_19;
boot.tmpOnTmpfs = true;
nix.buildCores = 4;
nix.maxJobs = 4;
networking.hostName = "pulsebert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
# specific printer drivers for our printers
epson-escpr
splix
# utilities
nix-index
usbutils
tmux
vim
git
openssl
# NCurses Music Player Client (Plus Plus)
# a commandline front-end client for mpd
# 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
# ncmpcpp
home-manager
mumble
ncpamixer
ffmpeg
wget vim git
raspberrypi-tools
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# X11 Forwarding for mumble...
programs.ssh.forwardX11 = true;
services.openssh.forwardX11 = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
4713 # PulseAudio
631 # cups
80
443 # Web/ympd
5000 # shairport
config.services.mpd.network.port
];
networking.firewall.allowedUDPPorts = [ 631 ];
networking.firewall.extraCommands = ''
iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
''; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
services.printing = {
enable = true;
browsing = true;
listenAddresses = [ "*:631" ];
defaultShared = true;
# logLevel = "debug";
drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
extraConf =
''
DefaultAuthType Basic
<Location />
Order allow,deny
Allow ALL
</Location>
<Location /admin>
Order allow,deny
Allow ALL
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow ALL
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.permitRootLogin = "yes";
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
users.users.k-ot = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" ];
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# PulseAudio as-a-Service
hardware.pulseaudio.systemWide = true;
hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [
hardware.bluetooth = {
enable = true;
config = {
Policy.AutoEnable = true;
General = {
Enable = "Source,Sink,Media,Socket";
#DiscoverableTimeout = 0;
#Discoverable = true;
};
};
};
hardware.pulseaudio = {
enable = true;
systemWide = true;
tcp.enable = true;
tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128"
"172.22.99.0/24" "2a02:8106:208:5201:58::/64"
];
hardware.pulseaudio.tcp.enable = true;
hardware.pulseaudio.zeroconf.publish.enable = true;
zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull;
extraModules = [ pkgs.pulseaudio-modules-bt ];
};
# tell Avahi to publish CUPS and PulseAudio
services.avahi = {
@ -170,9 +122,6 @@ in {
publish.userServices = true;
};
# Enable Audio streaming for Mac clients
services.shairport-sync.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
@ -185,88 +134,19 @@ in {
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
security.pam.enableSSHAgentAuth = true;
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
users.users.k-ot.extraGroups = [ "wheel" ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
# vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
#### https://nixos.org/nixos/options.html#services.mpd.enable
# See ../../mpd.nix
services.mpd = {
enable = true;
dbFile = null;
musicDirectory = "/mnt/storage/Music";
playlistDirectory = "/home/k-ot/Playlists";
network.listenAddress = "any";
extraConfig = ''
audio_output {
type "pulse"
name "/proc"
}
'';
};
services.caddy = {
enable = true;
agree = true;
# TODO: add auth?
config = ''
${mpdVhost} {
proxy / localhost:${toString ympdPort}
}
:80 {
redir https://${mpdVhost}{uri}
}
'';
};
fileSystems."/mnt/storage" = {
#device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
#device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
device =
"172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
fsType = "ceph";
options = [
"rw"
"relatime"
"name=public"
"secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
"acl"
"wsize=16777216"
"_netdev"
];
};
# MPD music playing daemon with webinterface
services.ympd = {
enable = true;
webPort = toString ympdPort;
};
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
ympd = ympd.overrideAttrs (oldAttrs: {
src = fetchFromGitHub {
owner = "c3d2";
repo = "ympd";
rev = "feature/somafm_browser";
sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
};
});
};
programs.bash.shellAliases = {
mpv = "mpv --no-vid";
};
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
}
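Review bot: `services.openssh.permitRootLogin = "yes";` permits root password logins over SSH on a host that also sets `wheelNeedsPassword = false` and, in the same hunk, replaces the curated `allowedTCPPorts` list with `networking.firewall.enable = false;`. Prefer `services.openssh.permitRootLogin = "prohibit-password";` (key-only root) or leave the option at its default and use the existing `k-ot` + wheel path, and keep the firewall with an explicit list (4713 for PulseAudio, 631 for CUPS, `config.services.mpd.network.port` as before) instead of disabling it. `hardware.pulseaudio.systemWide = true` with `tcp.enable = true` is pre-existing, but with the firewall gone the `anonymousClients.allowedIpRanges` list is the only access control left on the network audio socket, which deserves a comment saying so.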


@ -1,29 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
#imports =
# [ (modulesPath + "/installer/scan/not-detected.nix")
# ];
boot.initrd.availableKernelModules = [ "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.kernelParams = [
"snd_bcm2835.enable_headphones=1"
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6490-45A0";
{ device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.enableRedistributableFirmware = true;
#networking.wireless.enable = true;
boot.loader.raspberryPi.firmwareConfig = ''
gpu_mem=192
dtparam=audio=on
'';
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}


@ -1,17 +0,0 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
htop
fortune
ddate
mpv
ncmpcpp
schedtool
screen
tmux
pulsemixer
ncpamixer
python35.withPackages(ps: with ps; [ youtube-dl ])
];
}


@ -1,23 +0,0 @@
{ pkgs, ... }:
let tty = "tty1";
in {
boot.extraTTYs = [ tty ];
systemd.services.ncmpcpp = {
description = "Mpd console";
wantedBy = [ "multi-user.target" ];
conflicts = [ "getty@${tty}.service" ];
serviceConfig = {
User = "k-ot";
ExecStart = "${pkgs.ncmpcpp}/bin/ncmpcpp";
StandardInput = "tty";
StandardOutput = "tty";
TTYPath = "/dev/${tty}";
TTYReset = true;
TTYVTDisallocate = true;
Restart = "always";
};
};
}


@ -1,6 +1,6 @@
name:
let yggaddr = import ../yggaddr.nix;
let yggaddr = import ../../../lib/server7-yggaddr.nix;
in {
# These the container defaults from the perspective of the host.


@ -55,6 +55,20 @@ name:
};
};
networking.interfaces.eth0 = {
ipv4 = {
addresses = [{
address = "172.22.99.20";
prefixLength = 24;
}];
routes = [{
address = "0.0.0.0";
prefixLength = 0;
via = "172.22.99.1";
}];
};
};
networking.firewall.enable = false;
};


@ -1,9 +1,8 @@
{ config, pkgs, lib, ... }:
let yggaddr = import ./yggaddr.nix;
let yggaddr = import ../../lib/server7-yggaddr.nix;
in {
imports = [
# <nixpkgs/nixos/modules/profiles/minimal.nix>
../../lib
../../lib/default-gateway.nix
./borgbackup.nix
@ -13,8 +12,10 @@ in {
./nix-serve.nix
];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
security.acme = {
email = " mail@c3d2.de";
email = "mail@c3d2.de";
acceptTerms = true;
};
@ -32,7 +33,8 @@ in {
};
fileSystems."/srv/ceph" = {
device = "172.22.99.13:6789:/";
#device = "172.22.99.13:6789:/";
device = "172.20.72.53:6789:/";
fsType = "ceph";
options = [
"name=storage2"
@ -45,20 +47,47 @@ in {
];
};
fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };
# Route IPv6
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
# Obtain global IPv6 despite being a router myself
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;
services.yggdrasil = {
enable = true;
configFile = "/var/lib/yggdrasil/keys";
config.Peers = [
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
"tcp://ygg.thingylabs.io:443" # Nürnberg
"tcp://176.223.130.120:22632" # Wrocław
"tcp://[2a05:9403::8b]:7743" # Praha
config = {
Peers = [
# Deutschland
"tcp://45.11.19.26:5001"
"tcp://82.165.69.111:61216"
"tcp://[2001:8d8:1800:8224::1]:61216"
# Czechia
"tcp://195.123.245.146:7743"
"tcp://37.205.14.171:46370"
"tcp://[2a03:3b40:fe:ab::1]:46370"
"tcp://[2a05:9403::8b]:7743"
# Poland
"tcp://176.223.130.120:22632"
"tcp://51.75.44.73:50001"
"tcp://54.37.137.221:37145"
"tcp://[2001:41d0:601:1100::cf2]:37145"
"tcp://n2o.ddns.net:22632"
"tls://54.37.137.221:14987"
"tls://[2001:41d0:601:1100::cf2]:14987"
];
NodeInfo = {
location = "Dresden";
name = "server7.y.c3d2.de";
admin =
"toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
};
};
};
security.sudo.wheelNeedsPassword = false;
@ -188,4 +217,10 @@ in {
# allow the old hydra to build here
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
];
services.dhcpd4 = {
enable = false;
interfaces = [ "br0" ];
extraConfig = "not authoritative;";
};
}
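Review bot: The `services.dhcpd4` block added at the end of the file is disabled (`enable = false;`) and the old Ceph monitor address survives as the commented-out line above `device = "172.20.72.53:6789:/";`, so the file now carries two pieces of dead configuration with nothing saying why they stay; either drop them or annotate them, e.g. `# old mon 172.22.99.13, remove once the ceph migration is finished` and `# dhcpd4 kept but disabled: <reason to be filled in>`. In the Yggdrasil hunk, `54.37.137.221` and `[2001:41d0:601:1100::cf2]` are listed under both `tcp://` (port 37145) and `tls://` (port 14987), which presumably yields two links to the same peer; if a single transport is intended, keeping only the `tls://` entries is the more conservative choice. The `Peers` list and `NodeInfo` (location, name, `admin` ToxID) are published to the mesh, so a short comment stating that this exposure is deliberate would help the next maintainer. The enclosing attrset and the neighbouring `boot.kernel.sysctl` lines begin outside this hunk.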


@ -1,70 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
fsType = "ext4";
};
fileSystems."/var/lib/ceph/osd/ceph-7" = {
device = "tmpfs";
fsType = "tmpfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/9812-00B2";
fsType = "vfat";
};
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1" = {
device = "nvme0n1";
fsType = "zfs";
};
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
fileSystems."/zones/archive" = {
device = "nvme0n1/archive";
fsType = "zfs";
};
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/zones/global/cores" = {
device = "nvme0n1/cores/global";
fsType = "zfs";
};
fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = {
device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs";
};
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/zones/archive" = {
device = "nvme0n1/archive";
fsType = "zfs";
};
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
@ -73,11 +62,36 @@
fsType = "zfs";
};
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
fsType = "zfs";
};
fileSystems."/zones/global/cores" = {
device = "nvme0n1/cores/global";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de" = {
device = "nvme0n1/c3d2.de";
fsType = "zfs";
};
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
fsType = "zfs";
};
fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = {
device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs";
@ -88,43 +102,13 @@
fsType = "zfs";
};
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/admin" = {
device = "nvme0n1/c3d2.de/admin";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/templates" = {
device = "nvme0n1/c3d2.de/templates";
fsType = "zfs";
};
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
fsType = "zfs";
};
fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = {
device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4";
fsType = "zfs";
};
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
fsType = "zfs";
};
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
@ -133,8 +117,8 @@
fsType = "zfs";
};
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
@ -143,8 +127,8 @@
fsType = "zfs";
};
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
fsType = "zfs";
};
@ -153,11 +137,31 @@
fsType = "zfs";
};
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
fsType = "zfs";
};
fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = {
device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/admin" = {
device = "nvme0n1/c3d2.de/admin";
fsType = "zfs";
};
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/templates" = {
device = "nvme0n1/c3d2.de/templates";
fsType = "zfs";
};
fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = {
device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f";
fsType = "zfs";
@ -170,7 +174,6 @@
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 10;
nix.buildCores = lib.mkDefault 40;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
nix.maxJobs = lib.mkDefault 40;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}


@ -10,15 +10,17 @@
services.nginx = {
enable = true;
virtualHosts = {
"cache.server7.hq.c3d2.de" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass =
virtualHosts = let
vhost.locations."/".proxyPass =
"http://${config.services.nix-serve.bindAddress}:${
toString config.services.nix-serve.port
}";
in {
"cache.server7.hq.c3d2.de" = vhost // {
addSSL = true;
enableACME = true;
};
"nix-serve.y.c3d2.de" = vhost;
};
};
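Review bot: The new `"nix-serve.y.c3d2.de" = vhost;` entry serves the binary cache over plain HTTP with neither `addSSL` nor `enableACME`, unlike the `cache.server7.hq.c3d2.de` vhost built from the same `vhost` right above it, and nothing in the hunk explains the asymmetry. If this is deliberate because the `.y.` name is only reachable over Yggdrasil (where ACME validation cannot reach the host and the overlay already encrypts the transport), a comment on that line such as `# yggdrasil-only name: no ACME possible, plain HTTP on the encrypted overlay` would record it. Clients only accept store paths from this cache when its signing key is in their `trusted-public-keys`, so it is worth stating in the same comment that integrity comes from the signature rather than from TLS. The `services.nginx` block ends outside the hunk.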


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let yggaddr = import ./yggaddr.nix;
let yggaddr = import ../../lib/server7-yggaddr.nix;
in {
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
@ -15,6 +15,7 @@ in {
interface enp2s0f1
{
AdvSendAdvert on;
AdvRouteLifetime 0;
prefix ${yggaddr.prefix}:/64 {
AdvOnLink on;
AdvAutonomous on;
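Review bot: `AdvRouteLifetime 0;` is placed directly in the `interface enp2s0f1` block, but radvd.conf(5) documents `AdvRouteLifetime` as an option of a `route` stanza, not of `interface`; if the goal is to keep advertising the prefix for SLAAC while telling clients not to use this host as their default router, the interface-level option is `AdvDefaultLifetime 0;`, and radvd may reject the file as written — please confirm it parses on the target. Whichever option is correct, add a comment above it, `# lifetime 0: advertise the prefix for SLAAC, but do not become the clients' default router`, since a zero lifetime next to `sysctl` lines that enable forwarding looks like a mistake otherwise. The `interface` block and the surrounding radvd configuration continue outside the hunk.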


@ -8,7 +8,7 @@
hosts/containers/grafana/configuration.nix
];
deployment = {
targetHost = "grafana.hq.c3d2.de";
targetHost = "grafana.serv.zentralwerk.dn42";
storeKeysOnMachine = true;
};
};
@ -44,7 +44,7 @@
hosts/containers/public-access-proxy/configuration.nix
];
deployment = {
targetHost = "2a02:8106:208:5201:1024:5fff:febd:9be7";
targetHost = "172.20.73.45";
storeKeysOnMachine = true;
};
};
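Review bot: `targetHost` for public-access-proxy becomes the bare private literal `"172.20.73.45"` while grafana's in the same commit moves to a DNS name (`grafana.serv.zentralwerk.dn42`), so the deployment list now mixes two conventions with no comment on which network the literal belongs to or from where it is reachable. Either use a name in the same zone or add `# reachable only from inside the dn42/172.20.0.0/16 network` (adjusted to the actual scope) above the line so the deployer's prerequisites are visible. The enclosing deployment attrset starts and ends outside these hunks.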


@ -31,4 +31,18 @@ in {
scrape = deployContainer "scrape" "172.20.73.32";
ledstripes = deployContainer "ledstripes" "172.22.99.168";
freifunk = deployContainer "freifunk" "172.20.72.40";
kibana = deployContainer "kibana" "172.20.73.44";
glotzbert = pkgs.krops.writeDeploy "glotzbert" {
source = hostSource "glotzbert";
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // {
sudo = true;
};
};
pulsebert = pkgs.krops.writeDeploy "pulsebert" {
source = hostSource "pulsebert";
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // {
sudo = true;
};
};
}
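Review bot: `glotzbert` and `pulsebert` are spelled out as two identical `pkgs.krops.writeDeploy` blocks that differ only in the host name, right next to a `deployContainer` helper that already exists for the container case; a `deployHost` helper in the same `let` (outside the hunk) would keep each entry to one line and make the `k-ot@<host>.hq.c3d2.de` plus `sudo = true` convention a single place to change. Since the deploy user and sudo escalation are now part of the deployment definition, a comment on the helper naming which user is expected to exist on the target would help. The enclosing `in { … }` attrset starts outside the hunk.
```nix
# … in the let-block above the hunk:
# deploy a physical host as user k-ot, escalating with sudo on the target
deployHost = name:
  pkgs.krops.writeDeploy name {
    source = hostSource name;
    target = lib.mkTarget "k-ot@${name}.hq.c3d2.de" // {
      sudo = true;
    };
  };

# … unchanged: scrape / ledstripes / freifunk / kibana entries …
glotzbert = deployHost "glotzbert";
pulsebert = deployHost "pulsebert";
```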


@ -8,7 +8,7 @@ let
hqPrefix64 = "fd23:42:c3d2:523";
# TODO: Is this stable? Is there a better place to specifiy this?
server7Ygg = import ../hosts/server7/yggaddr.nix;
server7Ygg = import ./server7-yggaddr.nix;
# Generate a deterministic IPv6 address for a 64 bit prefix
# and seed string. Prefix must not contain trailing ':'.
@ -257,7 +257,7 @@ in {
File STDOUT
'';
network = ''
Server "grafana.hq.c3d2.de" "25826"
Server "grafana.serv.zentralwerk.dn42" "25826"
'';
memory = "";
processes = "";


@ -1,9 +1,9 @@
{ pkgs, lib, ... }:
{ pkgs, lib, modulesPath, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
<nixpkgs/nixos/modules/profiles/docker-container.nix>
imports = [
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/docker-container.nix")
];
networking.networkmanager.dns = "unbound";
@ -12,10 +12,13 @@
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 1;
nix.buildCores = lib.mkDefault 4;
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.interfaces.eth0 = {
useDHCP = true;
useDHCP = false;
preferTempAddress = false;
};
systemd.network.networks."40-eth0" = {
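Review bot: `useDHCP = false;` on `networking.interfaces.eth0` is redundant once `networking.useDHCP = false;` is set a few lines above, as the per-interface option defaults to the global value; drop it, or add a comment saying why it is pinned explicitly. The new `networking.nameservers` list mixes three 172.20.x resolvers with `9.9.9.9` and carries no comment on what each is or why the order matters; something like `# internal resolvers first, Quad9 only as last-resort fallback` (corrected to what they actually are) above the line would make that intentional. With `services.resolved.enable = false` the list goes straight into resolv.conf, so container lookups presumably fall through to 9.9.9.9 whenever the internal resolvers fail — acceptable, but worth stating next to the list. `systemd.network.networks."40-eth0"` continues outside the hunk.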

@ -1 +1 @@
Subproject commit edfc43c84dfd93bb7df12d2125ba94bf3f6d1081
Subproject commit 0efb7df81d358c033a72fcc0c65016ff86f54858