add options.c3d2.mountCeph, clean up sops code
This commit is contained in:
parent
a155538eb9
commit
b788033951
|
@ -351,11 +351,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1641509208,
|
||||
"narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
|
||||
"lastModified": 1641664373,
|
||||
"narHash": "sha256-/F17oCX99lBf1IyypncSPL2dCH1qZ5ddgCiYXbjf+Tg=",
|
||||
"ref": "master",
|
||||
"rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
|
||||
"revCount": 117,
|
||||
"rev": "4d3e2f68d22fa73effc45a32f675fbe125775ab4",
|
||||
"revCount": 118,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||
},
|
||||
|
|
33
flake.nix
33
flake.nix
|
@ -197,15 +197,19 @@
|
|||
{ nixpkgs ? inputs.nixpkgs, modules, extraArgs ? {}, system }:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = modules ++ [
|
||||
self.nixosModules.c3d2
|
||||
|
||||
modules = [
|
||||
({ pkgs, ... }: {
|
||||
_module.args = extraArgs // {
|
||||
inherit hostRegistry inputs zentralwerk;
|
||||
};
|
||||
nixpkgs.overlays = [ self.overlay ];
|
||||
})
|
||||
];
|
||||
|
||||
sops-nix.nixosModules.sops
|
||||
self.nixosModules.c3d2
|
||||
] ++ modules;
|
||||
|
||||
};
|
||||
in {
|
||||
|
||||
|
@ -236,11 +240,10 @@
|
|||
nixos-hardware.nixosModules.common-cpu-intel
|
||||
nixos-hardware.nixosModules.common-pc-ssd
|
||||
secrets.nixosModules.admins
|
||||
sops-nix.nixosModules.sops
|
||||
{
|
||||
sops.defaultSopsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
||||
}
|
||||
];
|
||||
extraArgs = {
|
||||
secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
||||
};
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
|
@ -266,7 +269,6 @@
|
|||
nixpkgs.overlays = [ heliwatch.overlay ];
|
||||
sops.defaultSopsFile = "${secrets}/hosts/radiobert/secrets.yaml";
|
||||
}
|
||||
sops-nix.nixosModules.sops
|
||||
./hosts/radiobert
|
||||
];
|
||||
system = "aarch64-linux";
|
||||
|
@ -355,11 +357,10 @@
|
|||
modules = [
|
||||
./lib/lxc-container.nix
|
||||
./hosts/containers/dn42
|
||||
(_: {
|
||||
{
|
||||
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
||||
sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
|
||||
})
|
||||
sops-nix.nixosModules.sops
|
||||
}
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
@ -529,6 +530,9 @@
|
|||
modules = [
|
||||
./hosts/storage-ng
|
||||
secrets.nixosModules.admins
|
||||
{
|
||||
sops.defaultSopsFile = "${secrets}/hosts/storage-ng/secrets.yaml";
|
||||
}
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
@ -538,11 +542,10 @@
|
|||
self.nixosModules.plume
|
||||
./lib/lxc-container.nix
|
||||
./hosts/containers/blogs
|
||||
sops-nix.nixosModules.sops
|
||||
{
|
||||
sops.defaultSopsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
||||
}
|
||||
];
|
||||
extraArgs = {
|
||||
secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
||||
};
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
|
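Review bot: The per-host `extraArgs = { secretsFile = "${secrets}/hosts/…/secrets.yaml"; }` blocks at glotzbert and blogs sit next to the new `{ sops.defaultSopsFile = …; }` modules, while this same commit drops the `secretsFile` parameter from `hosts/containers/blogs/default.nix` and the storage host; if those `extraArgs` survive on the new side they are dead and leave two places declaring the same path. I would remove them so `sops.defaultSopsFile` is the single source of truth. The `nixosSystem` wrapper now unconditionally pulls in `sops-nix.nixosModules.sops`, which is the right place for it; hosts that set no `defaultSopsFile` but declare `sops.secrets` will now fail at eval rather than silently, which is fine but worth a line in the commit message. The surrounding `let` bindings of the flake are outside these hunks.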
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, zentralwerk, secretsFile, config, ... }:
|
||||
{ hostRegistry, zentralwerk, config, ... }:
|
||||
{
|
||||
networking = {
|
||||
hostName = "blogs";
|
||||
|
@ -19,7 +19,6 @@
|
|||
envFile = config.sops.secrets."plume/env".path;
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = secretsFile;
|
||||
sops.secrets = {
|
||||
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, secretsFile, config, pkgs, ... }:
|
||||
{ zentralwerk, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
@ -9,6 +9,7 @@
|
|||
hq.enableBinaryCache = false;
|
||||
users.k-ot = true;
|
||||
users.emery = true;
|
||||
mountCeph = "/mnt/storage";
|
||||
};
|
||||
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
|
||||
|
||||
|
@ -19,10 +20,6 @@
|
|||
maxJobs = 4;
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = secretsFile;
|
||||
sops.secrets = {
|
||||
"ceph/secret" = {};
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
|
@ -124,29 +121,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.ceph = {
|
||||
enable = true;
|
||||
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
||||
client.enable = true;
|
||||
};
|
||||
fileSystems."/mnt/storage" =
|
||||
let
|
||||
monHosts = pkgs.lib.concatMapStringsSep "," (host:
|
||||
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
||||
) [ "server5" "server6" "server8" ];
|
||||
in {
|
||||
fsType = "ceph";
|
||||
device = "${monHosts}:/";
|
||||
options = [
|
||||
"_netdev"
|
||||
"name=c3d2"
|
||||
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
||||
"noatime"
|
||||
"x-systemd.automount"
|
||||
"x-systemd.device-timeout=5"
|
||||
];
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
|
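Review bot: `pkgs` stays in the argument set on the first line even though this commit removes the only use visible here (`pkgs.lib.concatMapStringsSep` in the deleted `fileSystems."/mnt/storage"` block); if nothing else in the file needs it, shrink the header to `{ zentralwerk, config, ... }:`. The remainder of the file is outside these hunks, so that needs a quick grep before dropping it.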
|
|
@ -17,8 +17,11 @@ in
|
|||
isInHq = true;
|
||||
mapHqHosts = true;
|
||||
hq.interface = eth0;
|
||||
mountCeph = "/mnt/cephfs";
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
|
@ -58,31 +61,6 @@ in
|
|||
iotop
|
||||
];
|
||||
|
||||
services.ceph = {
|
||||
enable = false;
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
# fixme, we need a floating ip here
|
||||
# correct is floating ip 172.22.99.21
|
||||
# does not exist yet
|
||||
# TODO: where, exactly?
|
||||
|
||||
# secretfile does not work :(
|
||||
fileSystems."/mnt/cephfs" = {
|
||||
device = "${lib.concatMapStringsSep "," (i: hostRegistry.hosts."server${i}".ip4) [ "3" "4" "5" "6" "7" "8" ]}:/";
|
||||
fsType = "ceph";
|
||||
options = [
|
||||
"name=storage2"
|
||||
"secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
|
||||
"noatime,_netdev"
|
||||
"noauto"
|
||||
"x-systemd.automount"
|
||||
"x-systemd.device-timeout=175"
|
||||
"users"
|
||||
];
|
||||
};
|
||||
|
||||
programs.bash.enableCompletion = true;
|
||||
programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
|
||||
|
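Review bot: The deleted mount carried a literal CephX key (`secret=AQAvRhxc…`) for `client.storage2`, and that key is still recoverable from git history after this commit; unless `storage2` is still used elsewhere, it should be revoked or re-keyed on the cluster (`ceph auth rm client.storage2`) rather than just removed from the file. The host is switched to the shared `client.c3d2` key via `mountCeph = "/mnt/cephfs"`, which presumes a `ceph/secret` entry in this host's sops file and a `sops.defaultSopsFile` pointing at it — neither is visible in these hunks, so please confirm both exist before deploying. The `users` mount option is also gone in the new module, which removes the ability of unprivileged users to (un)mount the share; worth stating in the commit message as an intentional tightening.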
|
|
@ -0,0 +1,44 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
let
|
||||
enabled = config.c3d2.mountCeph != null;
|
||||
in {
|
||||
options.c3d2 = with lib; {
|
||||
mountCeph = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = "If set, mountpoint of ceph storage";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf enabled {
|
||||
sops.secrets."ceph/secret" = {};
|
||||
|
||||
services.ceph = {
|
||||
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
fileSystems."${config.c3d2.mountCeph}" =
|
||||
let
|
||||
monHosts = lib.concatMapStringsSep "," (host:
|
||||
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
||||
) [ "server5" "server6" "server8" ];
|
||||
in {
|
||||
fsType = "ceph";
|
||||
device = "${monHosts}:/";
|
||||
options = [
|
||||
"_netdev"
|
||||
"name=c3d2"
|
||||
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
||||
"noatime"
|
||||
"x-systemd.automount"
|
||||
"x-systemd.device-timeout=5"
|
||||
];
|
||||
};
|
||||
|
||||
warnings = lib.optionals config.boot.isContainer [ ''
|
||||
Mounting CephFS on containers (on the same kernel that
|
||||
runs the servers) is discouraged! Ask Poelzi why.
|
||||
'' ];
|
||||
};
|
||||
}
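Review bot: The option description says only "If set, mountpoint of ceph storage" and hides two preconditions a host author will trip over: the host's sops file must contain a `ceph/secret` entry holding the `client.c3d2` key (the `name=c3d2` mount option is fixed here), and the monitor list is hard-coded to `server5`/`server6`/`server8` resolved from `zentralwerk.lib.config.site.net.cluster.hosts4`. I would write `description = "If set, mountpoint for the c3d2 CephFS share. Requires a \"ceph/secret\" entry (CephX key for client.c3d2) in the host's sops file; monitors are server5/6/8 from the zentralwerk cluster net.";`. If the monitor set changes per cluster later, lifting that list into a second option beside `mountCeph` would keep host files from needing edits.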
|
|
@ -32,6 +32,7 @@ in {
|
|||
./stats.nix
|
||||
./audio-server
|
||||
./pi-sensors.nix
|
||||
./ceph-storage.nix
|
||||
];
|
||||
|
||||
options.c3d2 = with lib;
|
||||
|
|