add options.c3d2.mountCeph, clean up sops code

2022-01-08 21:21:51 +01:00 · 2022-01-08 21:21:51 +01:00 · b788033951
parent a155538eb9
commit b788033951
7 changed files with 73 additions and 74 deletions
--- a/flake.lock
+++ b/flake.lock
@ -351,11 +351,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1641509208,
-        "narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
+        "lastModified": 1641664373,
+        "narHash": "sha256-/F17oCX99lBf1IyypncSPL2dCH1qZ5ddgCiYXbjf+Tg=",
        "ref": "master",
-        "rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
-        "revCount": 117,
+        "rev": "4d3e2f68d22fa73effc45a32f675fbe125775ab4",
+        "revCount": 118,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -197,15 +197,19 @@
          { nixpkgs ? inputs.nixpkgs, modules, extraArgs ? {}, system }:
          nixpkgs.lib.nixosSystem {
            inherit system;
-            modules = modules ++ [
-              self.nixosModules.c3d2
+
+            modules = [
              ({ pkgs, ... }: {
                _module.args = extraArgs // {
                  inherit hostRegistry inputs zentralwerk;
                };
                nixpkgs.overlays = [ self.overlay ];
              })
-            ];
+
+              sops-nix.nixosModules.sops
+              self.nixosModules.c3d2
+            ] ++ modules;
+
          };
      in {

@ -236,11 +240,10 @@
            nixos-hardware.nixosModules.common-cpu-intel
            nixos-hardware.nixosModules.common-pc-ssd
            secrets.nixosModules.admins
-            sops-nix.nixosModules.sops
+            {
+              sops.defaultSopsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
+            }
          ];
-          extraArgs = {
-            secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
-          };
          system = "x86_64-linux";
        };

@ -266,7 +269,6 @@
              nixpkgs.overlays = [ heliwatch.overlay ];
              sops.defaultSopsFile = "${secrets}/hosts/radiobert/secrets.yaml";
            }
-            sops-nix.nixosModules.sops
            ./hosts/radiobert
          ];
          system = "aarch64-linux";
@ -355,11 +357,10 @@
          modules = [
            ./lib/lxc-container.nix
            ./hosts/containers/dn42
-            (_: {
+            {
              nixpkgs.overlays = [ secrets.overlays.dn42 ];
              sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
-            })
-            sops-nix.nixosModules.sops
+            }
          ];
          system = "x86_64-linux";
        };
@ -529,6 +530,9 @@
          modules = [
            ./hosts/storage-ng
            secrets.nixosModules.admins
+            {
+              sops.defaultSopsFile = "${secrets}/hosts/storage-ng/secrets.yaml";
+            }
          ];
          system = "x86_64-linux";
        };
@ -538,11 +542,10 @@
            self.nixosModules.plume
            ./lib/lxc-container.nix
            ./hosts/containers/blogs
-            sops-nix.nixosModules.sops
+            {
+              sops.defaultSopsFile = "${secrets}/hosts/blogs/secrets.yaml";
+            }
          ];
-          extraArgs = {
-            secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
-          };
          system = "x86_64-linux";
        };

--- a/hosts/containers/blogs/default.nix
+++ b/hosts/containers/blogs/default.nix
@ -1,4 +1,4 @@
-{ hostRegistry, zentralwerk, secretsFile, config, ... }:
+{ hostRegistry, zentralwerk, config, ... }:
 {
  networking = {
    hostName = "blogs";
@ -19,7 +19,6 @@
    envFile = config.sops.secrets."plume/env".path;
  };

-  sops.defaultSopsFile = secretsFile;
  sops.secrets = {
    "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
  };
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@ -1,4 +1,4 @@
-{ zentralwerk, secretsFile, config, pkgs, ... }:
+{ zentralwerk, config, pkgs, ... }:

 {
  imports = [ ./hardware-configuration.nix ];
@ -9,6 +9,7 @@
    hq.enableBinaryCache = false;
    users.k-ot = true;
    users.emery = true;
+    mountCeph = "/mnt/storage";
  };
  users.users.emery.cryptHomeLuks = "/home/emery.luks.img";

@ -19,10 +20,6 @@
    maxJobs = 4;
  };

-  sops.defaultSopsFile = secretsFile;
-  sops.secrets = {
-    "ceph/secret" = {};
-  };
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Use the systemd-boot EFI boot loader.
@ -124,29 +121,6 @@
    ];
  };

-  services.ceph = {
-    enable = true;
-    global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
-    client.enable = true;
-  };
-  fileSystems."/mnt/storage" =
-    let
-      monHosts = pkgs.lib.concatMapStringsSep "," (host:
-        zentralwerk.lib.config.site.net.cluster.hosts4.${host}
-      ) [ "server5" "server6" "server8" ];
-    in {
-      fsType = "ceph";
-      device = "${monHosts}:/";
-      options = [
-        "_netdev"
-        "name=c3d2"
-        "secretfile=${config.sops.secrets."ceph/secret".path}"
-        "noatime"
-        "x-systemd.automount"
-        "x-systemd.device-timeout=5"
-      ];
-    };
-
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
--- a/hosts/storage-ng/default.nix
+++ b/hosts/storage-ng/default.nix
@ -17,8 +17,11 @@ in
    isInHq = true;
    mapHqHosts = true;
    hq.interface = eth0;
+    mountCeph = "/mnt/cephfs";
  };

+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
  boot.loader.grub = {
    enable = true;
    version = 2;
@ -58,31 +61,6 @@ in
    iotop
  ];

-  services.ceph = {
-    enable = false;
-    client.enable = true;
-  };
-
-  # fixme, we need a floating ip here
-  # correct is floating ip 172.22.99.21
-  # does not exist yet
-  # TODO: where, exactly?
-
-  # secretfile does not work :(
-  fileSystems."/mnt/cephfs" = {
-    device = "${lib.concatMapStringsSep "," (i: hostRegistry.hosts."server${i}".ip4) [ "3" "4" "5" "6" "7" "8" ]}:/";
-    fsType = "ceph";
-    options = [
-      "name=storage2"
-      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
-      "noatime,_netdev"
-      "noauto"
-      "x-systemd.automount"
-      "x-systemd.device-timeout=175"
-      "users"
-    ];
-  };
-
  programs.bash.enableCompletion = true;
  programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
--- a/lib/ceph-storage.nix
+++ b/lib/ceph-storage.nix
@ -0,0 +1,44 @@
+{ zentralwerk, config, lib, pkgs, ... }:
+let
+  enabled = config.c3d2.mountCeph != null;
+in {
+  options.c3d2 = with lib; {
+    mountCeph = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "If set, mountpoint of ceph storage";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    sops.secrets."ceph/secret" = {};
+
+    services.ceph = {
+      global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
+      client.enable = true;
+    };
+
+    fileSystems."${config.c3d2.mountCeph}" =
+      let
+        monHosts = lib.concatMapStringsSep "," (host:
+          zentralwerk.lib.config.site.net.cluster.hosts4.${host}
+        ) [ "server5" "server6" "server8" ];
+      in {
+        fsType = "ceph";
+        device = "${monHosts}:/";
+        options = [
+          "_netdev"
+          "name=c3d2"
+          "secretfile=${config.sops.secrets."ceph/secret".path}"
+          "noatime"
+          "x-systemd.automount"
+          "x-systemd.device-timeout=5"
+        ];
+      };
+
+    warnings = lib.optionals config.boot.isContainer [ ''
+      Mounting CephFS on containers (on the same kernel that
+      runs the servers) is discouraged! Ask Poelzi why.
+    '' ];
+  };
+}
--- a/lib/default.nix
+++ b/lib/default.nix
@ -32,6 +32,7 @@ in {
    ./stats.nix
    ./audio-server
    ./pi-sensors.nix
+    ./ceph-storage.nix
  ];

  options.c3d2 = with lib;