add options.c3d2.mountCeph, clean up sops code
This commit is contained in:
parent
a155538eb9
commit
b788033951
|
@ -351,11 +351,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1641509208,
|
"lastModified": 1641664373,
|
||||||
"narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
|
"narHash": "sha256-/F17oCX99lBf1IyypncSPL2dCH1qZ5ddgCiYXbjf+Tg=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
|
"rev": "4d3e2f68d22fa73effc45a32f675fbe125775ab4",
|
||||||
"revCount": 117,
|
"revCount": 118,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
},
|
},
|
||||||
|
|
33
flake.nix
33
flake.nix
|
@ -197,15 +197,19 @@
|
||||||
{ nixpkgs ? inputs.nixpkgs, modules, extraArgs ? {}, system }:
|
{ nixpkgs ? inputs.nixpkgs, modules, extraArgs ? {}, system }:
|
||||||
nixpkgs.lib.nixosSystem {
|
nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = modules ++ [
|
|
||||||
self.nixosModules.c3d2
|
modules = [
|
||||||
({ pkgs, ... }: {
|
({ pkgs, ... }: {
|
||||||
_module.args = extraArgs // {
|
_module.args = extraArgs // {
|
||||||
inherit hostRegistry inputs zentralwerk;
|
inherit hostRegistry inputs zentralwerk;
|
||||||
};
|
};
|
||||||
nixpkgs.overlays = [ self.overlay ];
|
nixpkgs.overlays = [ self.overlay ];
|
||||||
})
|
})
|
||||||
];
|
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
self.nixosModules.c3d2
|
||||||
|
] ++ modules;
|
||||||
|
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
@ -236,11 +240,10 @@
|
||||||
nixos-hardware.nixosModules.common-cpu-intel
|
nixos-hardware.nixosModules.common-cpu-intel
|
||||||
nixos-hardware.nixosModules.common-pc-ssd
|
nixos-hardware.nixosModules.common-pc-ssd
|
||||||
secrets.nixosModules.admins
|
secrets.nixosModules.admins
|
||||||
sops-nix.nixosModules.sops
|
{
|
||||||
|
sops.defaultSopsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
extraArgs = {
|
|
||||||
secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
|
||||||
};
|
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -266,7 +269,6 @@
|
||||||
nixpkgs.overlays = [ heliwatch.overlay ];
|
nixpkgs.overlays = [ heliwatch.overlay ];
|
||||||
sops.defaultSopsFile = "${secrets}/hosts/radiobert/secrets.yaml";
|
sops.defaultSopsFile = "${secrets}/hosts/radiobert/secrets.yaml";
|
||||||
}
|
}
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
./hosts/radiobert
|
./hosts/radiobert
|
||||||
];
|
];
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
|
@ -355,11 +357,10 @@
|
||||||
modules = [
|
modules = [
|
||||||
./lib/lxc-container.nix
|
./lib/lxc-container.nix
|
||||||
./hosts/containers/dn42
|
./hosts/containers/dn42
|
||||||
(_: {
|
{
|
||||||
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
||||||
sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
|
sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
|
||||||
})
|
}
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
];
|
];
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
@ -529,6 +530,9 @@
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/storage-ng
|
./hosts/storage-ng
|
||||||
secrets.nixosModules.admins
|
secrets.nixosModules.admins
|
||||||
|
{
|
||||||
|
sops.defaultSopsFile = "${secrets}/hosts/storage-ng/secrets.yaml";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
@ -538,11 +542,10 @@
|
||||||
self.nixosModules.plume
|
self.nixosModules.plume
|
||||||
./lib/lxc-container.nix
|
./lib/lxc-container.nix
|
||||||
./hosts/containers/blogs
|
./hosts/containers/blogs
|
||||||
sops-nix.nixosModules.sops
|
{
|
||||||
|
sops.defaultSopsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
extraArgs = {
|
|
||||||
secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
|
||||||
};
|
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
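Review bot: The wrapper in the first hunk now prepends `sops-nix.nixosModules.sops` and `self.nixosModules.c3d2` to every system's module list, but nothing records that hosts are now expected to set `sops.defaultSopsFile` themselves since the `secretsFile` extraArg is gone (glotzbert and blogs hunks); a comment above `modules = [` such as `# every host gets sops-nix and the c3d2 module; hosts set sops.defaultSopsFile in their own module list` would make that explicit. Any host file outside this diff that still destructures `secretsFile` in its argument set will fail to evaluate after this change, which is worth a grep before merging. Listing the base modules before `modules` does not change definition priority in the module system, so the `] ++ modules;` reorder is cosmetic.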
@ -1,4 +1,4 @@
|
||||||
{ hostRegistry, zentralwerk, secretsFile, config, ... }:
|
{ hostRegistry, zentralwerk, config, ... }:
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "blogs";
|
hostName = "blogs";
|
||||||
|
@ -19,7 +19,6 @@
|
||||||
envFile = config.sops.secrets."plume/env".path;
|
envFile = config.sops.secrets."plume/env".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = secretsFile;
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||||
};
|
};
|
||||||
|
|
|
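Review bot: With `sops.defaultSopsFile = secretsFile;` and the `secretsFile` argument removed, this file now silently depends on whoever imports it having set `sops.defaultSopsFile`; if that is missing, `config.sops.secrets."plume/env".path` fails with a sops-nix evaluation error that points nowhere near this file. A one-line comment above `sops.secrets = {`, such as `# sops.defaultSopsFile for this host is set in flake.nix`, would tell a maintainer where the secrets file comes from.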
@ -1,4 +1,4 @@
|
||||||
{ zentralwerk, secretsFile, config, pkgs, ... }:
|
{ zentralwerk, config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [ ./hardware-configuration.nix ];
|
imports = [ ./hardware-configuration.nix ];
|
||||||
|
@ -9,6 +9,7 @@
|
||||||
hq.enableBinaryCache = false;
|
hq.enableBinaryCache = false;
|
||||||
users.k-ot = true;
|
users.k-ot = true;
|
||||||
users.emery = true;
|
users.emery = true;
|
||||||
|
mountCeph = "/mnt/storage";
|
||||||
};
|
};
|
||||||
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
|
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
|
||||||
|
|
||||||
|
@ -19,10 +20,6 @@
|
||||||
maxJobs = 4;
|
maxJobs = 4;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = secretsFile;
|
|
||||||
sops.secrets = {
|
|
||||||
"ceph/secret" = {};
|
|
||||||
};
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
|
@ -124,29 +121,6 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.ceph = {
|
|
||||||
enable = true;
|
|
||||||
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
|
||||||
client.enable = true;
|
|
||||||
};
|
|
||||||
fileSystems."/mnt/storage" =
|
|
||||||
let
|
|
||||||
monHosts = pkgs.lib.concatMapStringsSep "," (host:
|
|
||||||
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
|
||||||
) [ "server5" "server6" "server8" ];
|
|
||||||
in {
|
|
||||||
fsType = "ceph";
|
|
||||||
device = "${monHosts}:/";
|
|
||||||
options = [
|
|
||||||
"_netdev"
|
|
||||||
"name=c3d2"
|
|
||||||
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
|
||||||
"noatime"
|
|
||||||
"x-systemd.automount"
|
|
||||||
"x-systemd.device-timeout=5"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
|
|
|
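Review bot: `pkgs` and `zentralwerk` remain in the argument set at the top of the first hunk, but their only visible uses (`pkgs.lib.concatMapStringsSep` and `zentralwerk.lib.config...` in the removed `fileSystems."/mnt/storage"` block) are gone; if nothing else in the file uses them, the pattern should shrink accordingly. The new `mountCeph = "/mnt/storage";` reproduces the old mount options, but `services.ceph.enable = true;` from the removed block is no longer set anywhere, see the note on lib/ceph-storage.nix. `sops.age.sshKeyPaths` stays in this file while `sops.defaultSopsFile` moved to flake.nix; keeping both sops settings in one place would be more consistent.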
@ -17,8 +17,11 @@ in
|
||||||
isInHq = true;
|
isInHq = true;
|
||||||
mapHqHosts = true;
|
mapHqHosts = true;
|
||||||
hq.interface = eth0;
|
hq.interface = eth0;
|
||||||
|
mountCeph = "/mnt/cephfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
version = 2;
|
version = 2;
|
||||||
|
@ -58,31 +61,6 @@ in
|
||||||
iotop
|
iotop
|
||||||
];
|
];
|
||||||
|
|
||||||
services.ceph = {
|
|
||||||
enable = false;
|
|
||||||
client.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# fixme, we need a floating ip here
|
|
||||||
# correct is floating ip 172.22.99.21
|
|
||||||
# does not exist yet
|
|
||||||
# TODO: where, exactly?
|
|
||||||
|
|
||||||
# secretfile does not work :(
|
|
||||||
fileSystems."/mnt/cephfs" = {
|
|
||||||
device = "${lib.concatMapStringsSep "," (i: hostRegistry.hosts."server${i}".ip4) [ "3" "4" "5" "6" "7" "8" ]}:/";
|
|
||||||
fsType = "ceph";
|
|
||||||
options = [
|
|
||||||
"name=storage2"
|
|
||||||
"secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
|
|
||||||
"noatime,_netdev"
|
|
||||||
"noauto"
|
|
||||||
"x-systemd.automount"
|
|
||||||
"x-systemd.device-timeout=175"
|
|
||||||
"users"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
programs.bash.enableCompletion = true;
|
programs.bash.enableCompletion = true;
|
||||||
programs.mtr.enable = true;
|
programs.mtr.enable = true;
|
||||||
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
|
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
|
||||||
|
|
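Review bot: The removed `fileSystems."/mnt/cephfs"` block carried the CephFS client key in cleartext in its `secret=` mount option; deleting it from the tree leaves it in git history, so the `storage2` client key should be treated as exposed and rotated on the cluster rather than only migrated into sops. The replacement via `mountCeph = "/mnt/cephfs";` also changes this host's mount parameters: client name `storage2` becomes `c3d2`, the monitor list shrinks from server3–8 to server5/6/8, `x-systemd.device-timeout` drops from 175 to 5, and `noauto`/`users` are gone — presumably intended, but the commit message mentions only the new option. The old comment `# secretfile does not work :(` suggests `secretfile=` once failed on this host, which is exactly what the shared module now relies on, so the mount is worth verifying here after deployment.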
44
lib/ceph-storage.nix
Normal file
44
lib/ceph-storage.nix
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
{ zentralwerk, config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
enabled = config.c3d2.mountCeph != null;
|
||||||
|
in {
|
||||||
|
options.c3d2 = with lib; {
|
||||||
|
mountCeph = mkOption {
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
description = "If set, mountpoint of ceph storage";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf enabled {
|
||||||
|
sops.secrets."ceph/secret" = {};
|
||||||
|
|
||||||
|
services.ceph = {
|
||||||
|
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
||||||
|
client.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."${config.c3d2.mountCeph}" =
|
||||||
|
let
|
||||||
|
monHosts = lib.concatMapStringsSep "," (host:
|
||||||
|
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
||||||
|
) [ "server5" "server6" "server8" ];
|
||||||
|
in {
|
||||||
|
fsType = "ceph";
|
||||||
|
device = "${monHosts}:/";
|
||||||
|
options = [
|
||||||
|
"_netdev"
|
||||||
|
"name=c3d2"
|
||||||
|
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
||||||
|
"noatime"
|
||||||
|
"x-systemd.automount"
|
||||||
|
"x-systemd.device-timeout=5"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
warnings = lib.optionals config.boot.isContainer [ ''
|
||||||
|
Mounting CephFS on containers (on the same kernel that
|
||||||
|
runs the servers) is discouraged! Ask Poelzi why.
|
||||||
|
'' ];
|
||||||
|
};
|
||||||
|
}
|
|
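Review bot: `services.ceph` inside `config = lib.mkIf enabled` sets `global.fsid` and `client.enable` but never `enable = true`, which the removed per-host block on the first host did set; if the NixOS ceph module gates its ceph.conf generation on `services.ceph.enable` (worth confirming against the module), these two lines have no effect and either `enable = true;` belongs here or the block can go, since the mount itself passes monitors and `secretfile=` on the mount line and does not need ceph.conf. The client name `name=c3d2` and the monitor list `[ "server5" "server6" "server8" ]` are hard-coded while only the mountpoint is an option; a comment above `monHosts` stating that the key in `sops.secrets."ceph/secret"` must be the keyring of CephX client `c3d2` would help whoever provisions a new host's secrets.yaml. The option description could state that expectation too: `description = "If set, mountpoint of the c3d2 CephFS; the host's sops file must provide ceph/secret for client c3d2";`.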
@ -32,6 +32,7 @@ in {
|
||||||
./stats.nix
|
./stats.nix
|
||||||
./audio-server
|
./audio-server
|
||||||
./pi-sensors.nix
|
./pi-sensors.nix
|
||||||
|
./ceph-storage.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
options.c3d2 = with lib;
|
options.c3d2 = with lib;
|
||||||
|
|