diff --git a/flake.lock b/flake.lock index 62b317b9..f6e0e0b2 100644 --- a/flake.lock +++ b/flake.lock @@ -351,11 +351,11 @@ ] }, "locked": { - "lastModified": 1641509208, - "narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=", + "lastModified": 1641664373, + "narHash": "sha256-/F17oCX99lBf1IyypncSPL2dCH1qZ5ddgCiYXbjf+Tg=", "ref": "master", - "rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e", - "revCount": 117, + "rev": "4d3e2f68d22fa73effc45a32f675fbe125775ab4", + "revCount": 118, "type": "git", "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git" }, diff --git a/flake.nix b/flake.nix index 635e4559..fb1f7ec2 100644 --- a/flake.nix +++ b/flake.nix @@ -197,15 +197,19 @@ { nixpkgs ? inputs.nixpkgs, modules, extraArgs ? {}, system }: nixpkgs.lib.nixosSystem { inherit system; - modules = modules ++ [ - self.nixosModules.c3d2 + + modules = [ ({ pkgs, ... }: { _module.args = extraArgs // { inherit hostRegistry inputs zentralwerk; }; nixpkgs.overlays = [ self.overlay ]; }) - ]; + + sops-nix.nixosModules.sops + self.nixosModules.c3d2 + ] ++ modules; + }; in { @@ -236,11 +240,10 @@ nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd secrets.nixosModules.admins - sops-nix.nixosModules.sops + { + sops.defaultSopsFile = "${secrets}/hosts/glotzbert/secrets.yaml"; + } ]; - extraArgs = { - secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml"; - }; system = "x86_64-linux"; }; @@ -266,7 +269,6 @@ nixpkgs.overlays = [ heliwatch.overlay ]; sops.defaultSopsFile = "${secrets}/hosts/radiobert/secrets.yaml"; } - sops-nix.nixosModules.sops ./hosts/radiobert ]; system = "aarch64-linux"; @@ -355,11 +357,10 @@ modules = [ ./lib/lxc-container.nix ./hosts/containers/dn42 - (_: { + { nixpkgs.overlays = [ secrets.overlays.dn42 ]; sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml"; - }) - sops-nix.nixosModules.sops + } ]; system = "x86_64-linux"; }; 
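Review bot: In the `@@ -197,15 +197,19 @@` hunk the helper now prepends `sops-nix.nixosModules.sops` and `self.nixosModules.c3d2` to every host's `modules` and `extraArgs` no longer carries `secretsFile`, but nothing in the file records either fact; any host module that still names `secretsFile` in its argument set fails evaluation with a missing-argument error. The commit updates blogs and glotzbert, while the other host files are outside this diff, so they need the same sweep. Suggest a comment above the new `modules = [`: `# sops-nix and the c3d2 module are imported for every host; each host sets sops.defaultSopsFile itself.` The remaining hunks on this line (radiobert, dn42) only drop the now-redundant per-host sops-nix import.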
@@ -529,6 +530,9 @@ modules = [ ./hosts/storage-ng secrets.nixosModules.admins + { + sops.defaultSopsFile = "${secrets}/hosts/storage-ng/secrets.yaml"; + } ]; system = "x86_64-linux"; }; @@ -538,11 +542,10 @@ self.nixosModules.plume ./lib/lxc-container.nix ./hosts/containers/blogs - sops-nix.nixosModules.sops + { + sops.defaultSopsFile = "${secrets}/hosts/blogs/secrets.yaml"; + } ]; - extraArgs = { - secretsFile = "${secrets}/hosts/blogs/secrets.yaml"; - }; system = "x86_64-linux"; }; diff --git a/hosts/containers/blogs/default.nix b/hosts/containers/blogs/default.nix index cf238c99..1a5c66ec 100644 --- a/hosts/containers/blogs/default.nix +++ b/hosts/containers/blogs/default.nix @@ -1,4 +1,4 @@ -{ hostRegistry, zentralwerk, secretsFile, config, ... }: +{ hostRegistry, zentralwerk, config, ... }: { networking = { hostName = "blogs"; @@ -19,7 +19,6 @@ envFile = config.sops.secrets."plume/env".path; }; - sops.defaultSopsFile = secretsFile; sops.secrets = { "plume/env".owner = config.systemd.services.plume.serviceConfig.User; }; diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index ab2afb03..ab86e12e 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, secretsFile, config, pkgs, ... }: +{ zentralwerk, config, pkgs, ... }: { imports = [ ./hardware-configuration.nix ]; @@ -9,6 +9,7 @@ hq.enableBinaryCache = false; users.k-ot = true; users.emery = true; + mountCeph = "/mnt/storage"; }; users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; @@ -19,10 +20,6 @@ maxJobs = 4; }; - sops.defaultSopsFile = secretsFile; - sops.secrets = { - "ceph/secret" = {}; - }; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Use the systemd-boot EFI boot loader. 
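Review bot: `sops.defaultSopsFile = "${secrets}/hosts/storage-ng/secrets.yaml"` points at a file this commit does not add to the tree because it lives in the `secrets` input; the flake.lock bump to revCount 118 presumably brings it, but that cannot be verified here. Together with the `sops.age.sshKeyPaths` line added in hosts/storage-ng/default.nix it implies that file must be encrypted to the age recipient derived from storage-ng's `/etc/ssh/ssh_host_ed25519_key` and must contain a `ceph/secret` entry, otherwise activation fails when sops-nix decrypts; the blogs entry in the next hunk has the same requirement for `plume/env`. A comment next to each new `sops.defaultSopsFile` line naming that expectation would help, e.g. `# must provide ceph/secret and be encrypted to this host's ssh_host_ed25519_key age recipient`.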
@@ -124,29 +121,6 @@ ]; }; - services.ceph = { - enable = true; - global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630"; - client.enable = true; - }; - fileSystems."/mnt/storage" = - let - monHosts = pkgs.lib.concatMapStringsSep "," (host: - zentralwerk.lib.config.site.net.cluster.hosts4.${host} - ) [ "server5" "server6" "server8" ]; - in { - fsType = "ceph"; - device = "${monHosts}:/"; - options = [ - "_netdev" - "name=c3d2" - "secretfile=${config.sops.secrets."ceph/secret".path}" - "noatime" - "x-systemd.automount" - "x-systemd.device-timeout=5" - ]; - }; - # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/hosts/storage-ng/default.nix b/hosts/storage-ng/default.nix index 5b59874c..0fcc9a40 100644 --- a/hosts/storage-ng/default.nix +++ b/hosts/storage-ng/default.nix @@ -17,8 +17,11 @@ in isInHq = true; mapHqHosts = true; hq.interface = eth0; + mountCeph = "/mnt/cephfs"; }; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + boot.loader.grub = { enable = true; version = 2; @@ -58,31 +61,6 @@ in iotop ]; - services.ceph = { - enable = false; - client.enable = true; - }; - - # fixme, we need a floating ip here - # correct is floating ip 172.22.99.21 - # does not exist yet - # TODO: where, exactly? - - # secretfile does not work :( - fileSystems."/mnt/cephfs" = { - device = "${lib.concatMapStringsSep "," (i: hostRegistry.hosts."server${i}".ip4) [ "3" "4" "5" "6" "7" "8" ]}:/"; - fsType = "ceph"; - options = [ - "name=storage2" - "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw==" - "noatime,_netdev" - "noauto" - "x-systemd.automount" - "x-systemd.device-timeout=175" - "users" - ]; - }; - programs.bash.enableCompletion = true; programs.mtr.enable = true; # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; 
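Review bot: In the `@@ -17,8 +17,11 @@` hunk of hosts/storage-ng/default.nix, `mountCeph = "/mnt/cephfs"` moves this host onto the shared module, which mounts as cephx user `c3d2` via `secretfile=`, whereas the mount it replaces (removed further down in this file) authenticated as `name=storage2` with the key written inline as `secret=…`; the commit drops that line but the key remains in git history in plaintext, so the `storage2` entity's key should be rotated or the entity removed on the cluster (assuming it is `client.storage2`, `ceph auth rm client.storage2` once nothing else uses it). The removed block also carried the comment `secretfile does not work :(`, so the new `secretfile=` mount on this host is unverified from here and should be checked after the first rebuild. With `sops.age.sshKeyPaths` now set, the storage-ng sops file must be encrypted to the age recipient derived from `/etc/ssh/ssh_host_ed25519_key`; a short comment on that line, `# decrypts the host's defaultSopsFile; the host key must be an age recipient of that file`, would make the dependency explicit.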
diff --git a/lib/ceph-storage.nix b/lib/ceph-storage.nix new file mode 100644 index 00000000..a6e6958a --- /dev/null +++ b/lib/ceph-storage.nix @@ -0,0 +1,44 @@ +{ zentralwerk, config, lib, pkgs, ... }: +let + enabled = config.c3d2.mountCeph != null; +in { + options.c3d2 = with lib; { + mountCeph = mkOption { + type = with types; nullOr str; + default = null; + description = "If set, mountpoint of ceph storage"; + }; + }; + + config = lib.mkIf enabled { + sops.secrets."ceph/secret" = {}; + + services.ceph = { + global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630"; + client.enable = true; + }; + + fileSystems."${config.c3d2.mountCeph}" = + let + monHosts = lib.concatMapStringsSep "," (host: + zentralwerk.lib.config.site.net.cluster.hosts4.${host} + ) [ "server5" "server6" "server8" ]; + in { + fsType = "ceph"; + device = "${monHosts}:/"; + options = [ + "_netdev" + "name=c3d2" + "secretfile=${config.sops.secrets."ceph/secret".path}" + "noatime" + "x-systemd.automount" + "x-systemd.device-timeout=5" + ]; + }; + + warnings = lib.optionals config.boot.isContainer [ '' + Mounting CephFS on containers (on the same kernel that + runs the servers) is discouraged! Ask Poelzi why. + '' ]; + }; +} diff --git a/lib/default.nix b/lib/default.nix index 16fad0ea..8efc818b 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -32,6 +32,7 @@ in { ./stats.nix ./audio-server ./pi-sensors.nix + ./ceph-storage.nix ]; options.c3d2 = with lib;
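Review bot: `services.ceph` in lib/ceph-storage.nix sets `global.fsid` and `client.enable` but not `enable`, which glotzbert's now-removed config had as `services.ceph.enable = true`; as far as I recall the NixOS ceph module only generates /etc/ceph/ceph.conf (the only place `fsid` ends up) when `services.ceph.enable` is set, so either add `enable = true;` beside `client.enable = true;` to keep glotzbert's previous behaviour, or drop `global.fsid` and say in a comment that the kernel mount is driven entirely by the `options` list — please confirm against the module before choosing. `name=c3d2` is hard-coded, so every host that sets `mountCeph` presents the same cephx identity and ships the same key in its sops file, and one compromised host cannot be revoked without re-keying all of them; an option beside `mountCeph` holding the client name, defaulting to `"c3d2"` so existing hosts keep working, would allow per-host entities (sketch below, option name is a placeholder). The `sops.secrets."ceph/secret" = {};` line silently requires a `ceph/secret` entry in each such host's `sops.defaultSopsFile`; a comment such as `# every host with mountCeph set must provide ceph/secret in its defaultSopsFile` would turn an activation-time failure into a read-time one.
```nix
  options.c3d2 = with lib; {
    # … unchanged: mountCeph option …
    # placeholder name; pick whatever fits the c3d2 namespace
    cephClientName = mkOption {
      type = types.str;
      default = "c3d2";
      description = "cephx client name used for the CephFS mount";
    };
  };
  # … unchanged: sops.secrets, services.ceph, fileSystems let-binding …
        "name=${config.c3d2.cephClientName}"
```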