Compare commits
264 Commits
d76a4f1e7a
...
1fce631c24
Author | SHA1 | Date |
---|---|---|
Tassilo - | 1fce631c24 | |
Tassilo - | 16351819ca | |
Sandro - | e43ce3b29b | |
Astro | 7d18fad68a | |
Astro | 38f69300bb | |
Astro | af9a1a6161 | |
Astro | 601c5c3716 | |
Sandro - | 845bea7584 | |
Sandro - | b549947a39 | |
Sandro - | c2e19af7e8 | |
Sandro - | 24329a062e | |
Sandro - | 93c020f582 | |
Sandro - | d6a994598b | |
Astro | 8ea43cc31d | |
Astro | 917b38a895 | |
Astro | 3571d962fa | |
Sandro - | eb39c1d403 | |
Sandro - | c2d21103f8 | |
Sandro - | fb7a393660 | |
Astro | 1affe00d39 | |
Sandro - | 59e47436f3 | |
Astro | a704213e59 | |
Astrobot | a598a46b53 | |
Sandro - | 77c6fb4dcd | |
Sandro - | 5cbd4ee6a5 | |
Sandro - | a789ba633e | |
Sandro - | 5926f0aca6 | |
Sandro - | 5640331aef | |
Astro | 0906569551 | |
Astro | 233498c9ae | |
Astro | fccd9d918d | |
Astro | 9f64181a58 | |
Astro | bfae8d96d5 | |
Astro | 49b6b5dc4d | |
Astro | 592d79a9e0 | |
Astro | 0f3810ddd8 | |
Astro | fe4deea101 | |
Astro | 8f192b81ff | |
Astro | c63d8e3f15 | |
Astro | af7b75df9e | |
astro | 3d276740a2 | |
Astro | 585a5ce6e5 | |
Astro | f12ee0f88e | |
Astro | 7cd28db298 | |
Sandro - | add3740477 | |
Sandro - | 5eecc110af | |
Astro | 1e21c9e129 | |
Sandro - | 82ecb7fea5 | |
Sandro - | 8653a20c98 | |
Astro | d918cf7d86 | |
Sandro - | 442c02f13e | |
Sandro - | 93806bd148 | |
Leon Vita | 959a0931be | |
Leon Vita | 03f9d82600 | |
Sandro - | 7f120207d5 | |
Sandro - | 618e1ed9b9 | |
Sandro - | 37c98c9ae9 | |
Sandro - | 7bc63111a2 | |
Sandro - | ff04c649c3 | |
Sandro - | 98d59e10d5 | |
Sandro - | ea2878fd36 | |
Sandro - | 5907e29413 | |
Leon Vita | 78f5cb4feb | |
Leon Vita | 0beda8f0e3 | |
Astro | 3f45c026df | |
Leon Vita | 2232760bb2 | |
Leon Vita | 4029190310 | |
astro | 689e951945 | |
Leon Vita | e011ff965b | |
Sandro - | 734a977835 | |
Sandro - | eb21d0bbb3 | |
Astro | c2337cce40 | |
Sandro - | 3992f966f3 | |
Tassilo - | e0a3393290 | |
Sandro - | 58c4f8bec5 | |
Sandro - | 2a0920904b | |
Sandro - | 870f91a3d1 | |
Astro | 92dc5ba222 | |
Sandro - | 52161e0aa1 | |
Sandro - | 59c122b82c | |
Sandro - | fff8967826 | |
Astro | 875145884c | |
Astro | 1ef51c1d32 | |
Sandro - | cc63c41ba0 | |
Sandro - | 65107fc07e | |
Sandro - | 93c283f235 | |
Sandro - | b467bb4e74 | |
Sandro - | 6b8d8541c6 | |
Sandro - | 32dd3e9d8a | |
Sandro - | 695e095d44 | |
Sandro - | a9590e3242 | |
Sandro - | dcaecc7229 | |
Sandro - | f5e671befb | |
Sandro - | e16bd28785 | |
Sandro - | c4241c25ab | |
Sandro - | f97b96387d | |
Sandro - | dc16c9d4b8 | |
Sandro - | f664a189fd | |
Astro | 5d7005342e | |
Astro | 70377149b2 | |
Sandro - | 2621bd671f | |
Sandro - | 9873b56a29 | |
Sandro - | 759df9e927 | |
Astro | 67a8de43f1 | |
Astro | 308dd5bd22 | |
Astro | 486c2a3720 | |
Astro | 3e6c35086c | |
Astro | 83b37db967 | |
Sandro - | 202942d9d0 | |
Sandro - | 0c3cdd016f | |
Astro | 263068fc32 | |
Astro | 14d2855366 | |
Astro | 72d537b742 | |
Astro | fcda09f7c4 | |
Astro | 6ce8454fd9 | |
Astro | 877d9f04c7 | |
Astro | b421de33dd | |
Astro | bf2933f574 | |
Astro | 224ddc2631 | |
Astro | 897139a46b | |
Astro | 9e97c34038 | |
Astro | a4474a5f39 | |
Astro | 7811d3c444 | |
Astrobot | 828a374f38 | |
Astro | 7d203cb0d2 | |
Astro | af51086c18 | |
Astro | 69a66f3eba | |
Astrobot | c21bae9dd6 | |
Astro | d99d4129f3 | |
Astro | 07bfd31ee7 | |
Astro | b3caf1a39b | |
Astro | 18d0694b10 | |
Astro | 71a611467d | |
Astro | c469c46ffe | |
Astro | e85c3d8c51 | |
Astro | da110aa138 | |
Astro | 27a6cdfed8 | |
Leon Vita | 4f785ca1c9 | |
Leon Vita | b53c53a6f7 | |
Leon Vita | 97b7d2d71f | |
Leon Vita | b70d9bcb78 | |
Leon Vita | e141ce6ee0 | |
Leon Vita | 6bc6834498 | |
Leon Vita | dadf8c72c7 | |
Leon Vita | 966bb7389f | |
Leon Vita | 8c1b350f1a | |
Astro | c61bb308a3 | |
Astro | 588bebc3cf | |
Astro | 9ad4bd0649 | |
Astro | 035617c112 | |
Leon Vita | 2b2982961c | |
Leon Vita | c67ba25488 | |
Leon Vita | a33b2abe29 | |
Astro | e91e69b14a | |
Astro | 7bc3b49cc3 | |
Astro | 65a91dc324 | |
Leon Vita | e6ab80fc5e | |
Astro | d95e924778 | |
Astro | de9ce610e9 | |
Astro | b9e42515c7 | |
Leon Vita | 930c3a67e0 | |
Astro | 699a043d24 | |
Leon Vita | 0669b29a23 | |
Astro | 572af7e31d | |
Astro | ebf4e41b73 | |
Astro | 27d2252d11 | |
astro | 9c9c52b659 | |
Leon Vita | 3c0c101dd7 | |
Leon Vita | deb314f8e4 | |
Astro | 7a19ac58e3 | |
Astro | 79dcef419e | |
Astro | 8c9afdf9b8 | |
Leon Vita | 69da87ecdb | |
Leon Vita | 82c6de7b9d | |
Leon Vita | aa607866d1 | |
Leon Vita | e4262a4dab | |
Leon Vita | 80c8ed5a45 | |
Leon Vita | 65eba5ebf7 | |
Leon Vita | 3d5e202ac0 | |
Leon Vita | afcd7f32a7 | |
Leon Vita | 4a1ac9dc9d | |
Leon Vita | f1203f33df | |
Astro | 9fca77eb57 | |
Astro | 3ef0df9608 | |
Astro | 7befe68673 | |
Astro | 2ecc873647 | |
Leon Vita | f377c855c5 | |
Leon Vita | 474c9f90da | |
Leon Vita | 08c7664625 | |
Leon Vita | 45d40e1e1b | |
Leon Vita | 37dd2e0591 | |
Leon Vita | f2b57ee0ec | |
Leon Vita | bcd82e69fe | |
Leon Vita | 50d29f7af3 | |
Leon Vita | 056276a579 | |
Leon Vita | 345960c777 | |
Leon Vita | ecd85a41e8 | |
Leon Vita | 9ea5e27a42 | |
Leon Vita | 7a749c9a45 | |
Leon Vita | ac039e0367 | |
Leon Vita | c3d1cb2fa6 | |
Leon Vita | b2d52e18ea | |
Leon Vita | 9032b47bba | |
Leon Vita | 1c46b25771 | |
Leon Vita | 830c9a8f97 | |
Leon Vita | d5dc241f3e | |
Leon Vita | dcc2dfd349 | |
Leon Vita | b0d3cdc14f | |
Leon Vita | 2cd2f86bc5 | |
Leon Vita | f6f280c008 | |
Leon Vita | 436f2e59f0 | |
Leon Vita | dab7d198aa | |
Leon Vita | 0475cc58b0 | |
Leon Vita | e0d42faa3c | |
Leon Vita | 200b82bd5a | |
Leon Vita | 614b3bc3b2 | |
Leon Vita | 0b64798dd1 | |
Leon Vita | 6a7d931601 | |
Astro | fd962a5133 | |
Astro | a117ac243e | |
Astro | 736f79cc2e | |
Astro | cfbb7cd933 | |
Astro | dbb7e552e5 | |
Astro | 3bdd61084b | |
Astro | 6120944b50 | |
Astro | 642ef73b16 | |
Astro | 261d4a1d78 | |
Astro | 4cf2b62ebe | |
Astro | 203cf88662 | |
Astro | 0bd2e02db7 | |
Astro | 4b6fce111a | |
Astro | ecbb8818bb | |
Astro | 2f451e841f | |
Astro | 51f8af0c52 | |
Astro | a732189ee2 | |
Astro | 905c4c0fe4 | |
Astro | 33fecdb43e | |
Astro | 3cdd41f816 | |
astro | eabf198247 | |
Astro | e685ad686d | |
Leon Vita | 6d200ea7b4 | |
astro | db1c553fb7 | |
Leon Vita | 17fbf1328d | |
Leon Vita | eef6ee53b4 | |
Astro | 4255e083c0 | |
Astro | e359623c8c | |
Astro | 992d7d0ddf | |
astro | 64b3f3cb7a | |
Leon Vita | b339f45d36 | |
Leon Vita | 0bff25fc05 | |
Astro | d60a2c7a45 | |
Astro | 5236be655b | |
Astro | 07f2829a69 | |
astro | e2aaafa1aa | |
Leon Vita | 0401cdd6db | |
Leon Vita | 6715589da7 | |
Astrobot | b32e553abb | |
Astro | 6a5395b040 | |
Astro | 4a0e9d5cfa | |
Astro | d22d137f04 | |
Astro | 330aea7cae | |
Leon Vita | b6eb71333d | |
astro | e1bce38ce4 | |
Leon Vita | 9ae97dffb7 |
22
.sops.yaml
|
@ -40,6 +40,7 @@ keys:
|
|||
- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
|
||||
- &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86
|
||||
- &mailtngbert age1lgjvtszpds9flpwsstxdht00c7zlk3mz7nlc5qftyt8rhfdm330qqmhl72
|
||||
- &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
|
||||
- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
|
||||
- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
|
||||
- &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
|
||||
|
@ -58,6 +59,7 @@ keys:
|
|||
- &stream age1j5csp5v5s2g8am47dd85kcke8986e0qc88f0vfgd3kmvwu8azg3smslk92
|
||||
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
|
||||
- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
|
||||
- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
|
||||
|
||||
creation_rules:
|
||||
- path_regex: config/[^/]+\.yaml$
|
||||
|
@ -86,11 +88,13 @@ creation_rules:
|
|||
- *leon
|
||||
- *leoncloud
|
||||
- *mailtngbert
|
||||
- *mastodon
|
||||
- *matemat
|
||||
- *mediawiki
|
||||
- *mucbot
|
||||
- *nfsroot
|
||||
- *oparl
|
||||
- *prometheus
|
||||
- *public-access-proxy
|
||||
- *pulsebert
|
||||
- *radiobert
|
||||
|
@ -127,6 +131,12 @@ creation_rules:
|
|||
age:
|
||||
- *dn42
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/dacbert/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *dacbert
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/freifunk/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
|
@ -163,6 +173,12 @@ creation_rules:
|
|||
age:
|
||||
- *mailtngbert
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/mastodon/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mastodon
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/mediawiki/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
|
@ -187,3 +203,9 @@ creation_rules:
|
|||
age:
|
||||
- *storage-ng
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/prometheus/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *prometheus
|
||||
- *polygon-snowflake
|
||||
|
|
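Review bot: What appears to be the shared age list of the `config/[^/]+\.yaml$` rule (hunk `-86,11 +88,13`) now includes `*mastodon` and `*prometheus`, so those hosts can decrypt every secret under `config/`; the page has lost its +/- column, so which lines are new is inferred from the hunk counts and the new `hosts/mastodon` and `hosts/prometheus` rules. If a host only needs its own secrets, leave it out of the shared list and keep its material under `hosts/<name>/`. Changing `creation_rules` does not re-encrypt files that already exist, so `sops updatekeys` should be run on the existing `config/*.yaml` files in the same change, and a comment above the list saying so would help the next editor. The `hosts/dacbert` rule references `*dacbert`, whose `&dacbert` anchor is not in the visible hunks, so confirm it is defined under `keys:`.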
121
README.md
|
@ -139,14 +139,123 @@ so the following is all that is needed on a MicroVM-hosting server:
|
|||
microvm -Ru $hostname
|
||||
```
|
||||
|
||||
## High Availability Deployment on Nomad
|
||||
# Cluster deployment with Skyflake
|
||||
|
||||
First, stop and delete `/var/lib/microvm/$NAME` where the
|
||||
systemd-managed MicroVMs live, or move the state to
|
||||
`/glusterfs/fast/microvms/$NAME`.
|
||||
## About
|
||||
|
||||
```sh
|
||||
nix run .#nomad-$NAME
|
||||
[Skyflake](https://github.com/astro/skyflake) provides Hyperconverged
|
||||
Infrastructure to run NixOS MicroVMs on a cluster. Our setup unifies
|
||||
networking with one bridge per VLAN. Persistent storage is replicated
|
||||
with Glusterfs.
|
||||
|
||||
Recognize nixosConfiguration for our Skyflake deployment by the
|
||||
`self.nixosModules.cluster-options` module being included.
|
||||
|
||||
## User interface
|
||||
|
||||
We use the less-privileged `c3d2@` user for deployment. This flake's
|
||||
name on the cluster is `config`. Other flakes can coexist in the same
|
||||
user so that we can run separately developed projects like
|
||||
*dump-dvb*. *leon* and potentially other users can deploy Flakes and
|
||||
MicroVMs without name clashes.
|
||||
|
||||
### Deploying
|
||||
|
||||
**git push** this repo to any machine in the cluster, preferably to
|
||||
Hydra because there building won't disturb any services.
|
||||
|
||||
You don't deploy all MicroVMs at once. Instead, Skyflake allows you to
|
||||
select NixOS systems by the branches you push to. **You must commit
|
||||
before you push!**
|
||||
|
||||
**Example:** deploy nixosConfigurations `mucbot` and `sdrweb` (`HEAD` is your
|
||||
current commit)
|
||||
|
||||
```bash
|
||||
git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb
|
||||
```
|
||||
|
||||
This will:
|
||||
1. Build the configuration on Hydra, refusing the branch update on
|
||||
broken builds (through a git hook)
|
||||
2. Copy the MicroVM package and its dependencies to the binary cache
|
||||
that is accessible to all nodes with Glusterfs
|
||||
3. Submit one job per MicroVM into the Nomad cluster
|
||||
|
||||
*Deleting* a nixosConfiguration's branch will **stop** the MicroVM in Nomad.
|
||||
|
||||
### Updating
|
||||
|
||||
**TODO:** how would you like it?
|
||||
|
||||
### MicroVM status
|
||||
|
||||
```bash
|
||||
ssh c3d2@hydra.serv.zentralwerk.org status
|
||||
```
|
||||
|
||||
## Debugging for cluster admins
|
||||
|
||||
### Glusterfs
|
||||
|
||||
Glusterfs holds our MicroVMs' state. They *must always be mounted* or
|
||||
brains are split.
|
||||
|
||||
```bash
|
||||
gluster volume info
|
||||
gluster volume status
|
||||
```
|
||||
|
||||
#### Restart glusterd
|
||||
|
||||
```bash
|
||||
systemctl restart glusterd
|
||||
```
|
||||
|
||||
#### Remount volumes
|
||||
|
||||
```bash
|
||||
systemctl restart /glusterfs/fast
|
||||
systemctl restart /glusterfs/big
|
||||
```
|
||||
|
||||
### Nomad
|
||||
|
||||
#### Check the cluster state
|
||||
|
||||
```shell
|
||||
nomad server members
|
||||
```
|
||||
|
||||
Nomad *servers* **coordinate** the cluster.
|
||||
|
||||
Nomad *clients* **run** the tasks.
|
||||
|
||||
#### Browse in the terminal
|
||||
|
||||
[wander](https://github.com/robinovitch61/wander) and
|
||||
[damon](https://github.com/hashicorp/damon) are nice TUIs that are
|
||||
preinstalled on our cluster nodes.
|
||||
|
||||
#### Browse with a browser
|
||||
|
||||
First, tunnel TCP port `:4646` from a cluster server:
|
||||
|
||||
```bash
|
||||
ssh -L 4646:localhost:4646 root@server10.cluster.zentralwerk.org
|
||||
```
|
||||
|
||||
Then, visit https://localhost:4646 for for full klickibunti.
|
||||
|
||||
#### Reset the Nomad state on a node
|
||||
|
||||
After upgrades, Nomad servers may fail rejoining the cluster. Do this
|
||||
to make a *Nomad server* behave like a newborn:
|
||||
|
||||
```shell
|
||||
systemctl stop nomad
|
||||
rm -rf /var/lib/nomad/server/raft/
|
||||
systemctl start nomad
|
||||
```
|
||||
|
||||
# Secrets management
|
||||
|
|
313
flake.lock
|
@ -10,11 +10,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1663176622,
|
||||
"narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=",
|
||||
"ref": "master",
|
||||
"rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818",
|
||||
"revCount": 293,
|
||||
"lastModified": 1669920985,
|
||||
"narHash": "sha256-Ff9FxYqYNVovOCDcECGKHoiqpIOUvF6/q17H+k06iXw=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "5bef189c308df9dda1449a8305a7092fb5c77827",
|
||||
"revCount": 298,
|
||||
"type": "git",
|
||||
"url": "https://gitea.nek0.eu/nek0/affection"
|
||||
},
|
||||
|
@ -23,9 +23,37 @@
|
|||
"url": "https://gitea.nek0.eu/nek0/affection"
|
||||
}
|
||||
},
|
||||
"alert2muc": {
|
||||
"inputs": {
|
||||
"naersk": [
|
||||
"naersk"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"utils": [
|
||||
"flake-utils"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1671329943,
|
||||
"narHash": "sha256-7gFF8z1ww+LoC9Pk5hflvnlrzIf8gp7UbL6o8Xyl4Dw=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "0ae1024cc7bf45dceb03f089f3e5485c0a43b860",
|
||||
"revCount": 14,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/alert2muc"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/alert2muc"
|
||||
}
|
||||
},
|
||||
"bevy-julia": {
|
||||
"inputs": {
|
||||
"naersk": "naersk",
|
||||
"naersk": [
|
||||
"naersk"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
|
@ -91,11 +119,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668535353,
|
||||
"narHash": "sha256-cVe++C4wg2CG80qjjSVG4H1udcRi7sbdU/xMGC5WSxc=",
|
||||
"lastModified": 1670028698,
|
||||
"narHash": "sha256-JjmRgUg5004snQL03r5n4TjJmyD4qiwKdPDmx/1GeFw=",
|
||||
"ref": "main",
|
||||
"rev": "a12dc753b3f3d145883e1de7a0c12407bbe97288",
|
||||
"revCount": 111,
|
||||
"rev": "908fb9c8d3d2b0fbe5a17895639ef478f81e3f8d",
|
||||
"revCount": 153,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/caveman.git"
|
||||
},
|
||||
|
@ -113,11 +141,11 @@
|
|||
"rust-analyzer-src": "rust-analyzer-src"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668493618,
|
||||
"narHash": "sha256-Pw8dzHPI3My/nWthhWlD6nVLVPDAi9+NODvayVhKGKk=",
|
||||
"lastModified": 1671171782,
|
||||
"narHash": "sha256-G7FNiYVl/jOkvNEhLO8O7uq0MuhFLKGMsCxFjqATVc0=",
|
||||
"owner": "nix-community",
|
||||
"repo": "fenix",
|
||||
"rev": "3e59a48c3171664ea0797f28273f9929a2335617",
|
||||
"rev": "d3eaf97d81161bea9177cc80e07d26ba2d96569f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -144,11 +172,11 @@
|
|||
"harmonia": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668458039,
|
||||
"narHash": "sha256-w4OCjMRPrPIY0dlUkiA1XPSmRstnNSRVmglw7hfSs3s=",
|
||||
"lastModified": 1670319728,
|
||||
"narHash": "sha256-7hsq6Sv06UcIjjlZTFlsYWDfGrc9u77OAr25SjnvZ4A=",
|
||||
"owner": "helsinki-systems",
|
||||
"repo": "harmonia",
|
||||
"rev": "9b61645fce85a7abfe6e812f68df085d688f9711",
|
||||
"rev": "f2476198fb8236c7c7eb432aab4472083cb9831d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -175,7 +203,7 @@
|
|||
"locked": {
|
||||
"lastModified": 1657923513,
|
||||
"narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=",
|
||||
"ref": "master",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "f7cf04a7ad47e388121f0771651fec0df91407f3",
|
||||
"revCount": 61,
|
||||
"type": "git",
|
||||
|
@ -237,11 +265,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668518796,
|
||||
"narHash": "sha256-DyteijJn0JZphJdQaHpPWxvkKrBPvCW3B53tCasDX8c=",
|
||||
"lastModified": 1670897870,
|
||||
"narHash": "sha256-nWLU48WlhVYm53cTUEDX8mZwZqdzObO6299hrCmdYcU=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "5181933ca7bbaad37ceb82a848630ea3b30d522b",
|
||||
"rev": "b12b4d426e1050479e9d571c81cda2b7ae0256da",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -251,35 +279,17 @@
|
|||
}
|
||||
},
|
||||
"naersk": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1662220400,
|
||||
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1662220400,
|
||||
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
|
||||
"lastModified": 1671096816,
|
||||
"narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
|
||||
"rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -288,28 +298,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk_3": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"ticker",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1659610603,
|
||||
"narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"newNixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1647380550,
|
||||
|
@ -329,7 +317,7 @@
|
|||
"nix": {
|
||||
"inputs": {
|
||||
"lowdown-src": "lowdown-src",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-regression": "nixpkgs-regression"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -349,43 +337,27 @@
|
|||
},
|
||||
"nixos": {
|
||||
"locked": {
|
||||
"lastModified": 1668459637,
|
||||
"narHash": "sha256-HqnWCKujmtu8v0CjzOT0sr7m2AR7+vpbZJOp1R0rodY=",
|
||||
"owner": "nixos",
|
||||
"lastModified": 1671217927,
|
||||
"narHash": "sha256-VjoidSKImZGWYqL1Z+ntfEzqeMjNX4zxcBr9PIqORwM=",
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "16f4e04658c2ab10114545af2f39db17d51bd1bd",
|
||||
"rev": "0a597dc83e81526de48488088c92349d7170445c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-22.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-armv6": {
|
||||
"locked": {
|
||||
"lastModified": 1664701736,
|
||||
"narHash": "sha256-Va3NyZ+uyZztu506qM+sLxd69DBzN5CdoCAu1lzVk0U=",
|
||||
"owner": "rnhmjoj",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "10b75bee02bc7c25e596847357c70b277c534588",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "rnhmjoj",
|
||||
"ref": "pr-fix-armv6",
|
||||
"owner": "SuperSandro2000",
|
||||
"ref": "nixos-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1668334946,
|
||||
"narHash": "sha256-omMbUj4r5DVBWh7KxkoO/Z/1V1shVR6Ls4jXNB4mr3U=",
|
||||
"lastModified": 1671183612,
|
||||
"narHash": "sha256-Q6so0tBGEb9Bhx++FP6cJQ+K83hOZ99ffmcdcWtDS14=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "e0452b33ab0ef16ffe075e980644ed92a6a200bb",
|
||||
"rev": "488931efb69a50307fa0d71e23e78c8706909416",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -394,37 +366,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1668417584,
|
||||
"narHash": "sha256-yeuEyxKPwsm5fIHN49L/syn9g5coxnPp3GsVquhrv5A=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "013fcdd106823416918004bb684c3c186d3c460f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1663264531,
|
||||
"narHash": "sha256-2ncO5chPXlTxaebDlhx7MhL0gOEIWxzSyfsl0r0hxQk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "454887a35de6317a30be284e8adc2d2f6d8a07c4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-mobilizon": {
|
||||
"nixos-mobilizon": {
|
||||
"locked": {
|
||||
"lastModified": 1664466500,
|
||||
"narHash": "sha256-FvEUAKkf0PDZ2j2qIbI4+3oPTnuQq4HdX00iqBkvKOU=",
|
||||
|
@ -440,6 +382,53 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1671108576,
|
||||
"narHash": "sha256-6ggOL6KoaELNA1562tnPjtAnQ9SwsKRTgeuaXvPzCwI=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0f5996b524c91677891a432cc99c7567c7c402b1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-unstable-simd": {
|
||||
"locked": {
|
||||
"lastModified": 1671211489,
|
||||
"narHash": "sha256-0AbRULr8+U70TPLiMz7PK8mTp1lD+Ct8VKElZ0WmPzE=",
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8ef6d44870fbc02b5c43922b8dbe95aa8b53091b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "SuperSandro2000",
|
||||
"ref": "nixos-unstable-simd",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1645296114,
|
||||
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.05-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-regression": {
|
||||
"locked": {
|
||||
"lastModified": 1643052045,
|
||||
|
@ -455,21 +444,6 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1645296114,
|
||||
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.05-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"oparl-scraper": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -490,11 +464,11 @@
|
|||
"openwrt": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668297972,
|
||||
"narHash": "sha256-i39KfzBoNiiScd1M8kV/5WrGzEgG6+PxsFxoW+DT9UQ=",
|
||||
"lastModified": 1670552749,
|
||||
"narHash": "sha256-ZhbNee6F+vJRirskdiYpXVRldJTHSbClLiYtJe4wgqE=",
|
||||
"ref": "openwrt-21.02",
|
||||
"rev": "079ce0413a1e3c19dd00be1b90de737c2bc09223",
|
||||
"revCount": 51164,
|
||||
"rev": "784565b6a0ad482b19c4851b0ce8ffeddb7010c1",
|
||||
"revCount": 51264,
|
||||
"type": "git",
|
||||
"url": "https://git.openwrt.org/openwrt/openwrt.git"
|
||||
},
|
||||
|
@ -511,11 +485,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668458369,
|
||||
"narHash": "sha256-Mv4F2AgOIpGyvfoHQtw/sDg3hU7O0K1P9ercnfrwnEQ=",
|
||||
"lastModified": 1671207552,
|
||||
"narHash": "sha256-7C3QXWM615TJJqNQlKS27HaQh/m6vctKhZ1fw9ex7xE=",
|
||||
"owner": "astro",
|
||||
"repo": "nix-openwrt-imagebuilder",
|
||||
"rev": "818db40dd8a0a22b029823ba477c5c3301bd7534",
|
||||
"rev": "a53edbc364df74d467d4f1e8d45dca6ee4e92ced",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -527,6 +501,7 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"affection-src": "affection-src",
|
||||
"alert2muc": "alert2muc",
|
||||
"bevy-julia": "bevy-julia",
|
||||
"bevy-mandelbrot": "bevy-mandelbrot",
|
||||
"caveman": "caveman",
|
||||
|
@ -536,12 +511,12 @@
|
|||
"heliwatch": "heliwatch",
|
||||
"hydra-ca": "hydra-ca",
|
||||
"microvm": "microvm",
|
||||
"naersk": "naersk_2",
|
||||
"naersk": "naersk",
|
||||
"nixos": "nixos",
|
||||
"nixos-armv6": "nixos-armv6",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixos-mobilizon": "nixos-mobilizon",
|
||||
"nixos-unstable": "nixos-unstable",
|
||||
"nixpkgs-mobilizon": "nixpkgs-mobilizon",
|
||||
"nixos-unstable-simd": "nixos-unstable-simd",
|
||||
"oparl-scraper": "oparl-scraper",
|
||||
"openwrt": "openwrt",
|
||||
"openwrt-imagebuilder": "openwrt-imagebuilder",
|
||||
|
@ -562,11 +537,11 @@
|
|||
"rust-analyzer-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668182250,
|
||||
"narHash": "sha256-PYGaOCiFvnJdVz+ZCaKF8geGdffXjJUNcMwaBHv0FT4=",
|
||||
"lastModified": 1671029659,
|
||||
"narHash": "sha256-2sqAgHcLWpNGVHG2LQIXgRMuqgCArOD9frQSrrXrwSA=",
|
||||
"owner": "rust-lang",
|
||||
"repo": "rust-analyzer",
|
||||
"rev": "45ec315e01dc8dd1146dfeb65f0ef6e5c2efed78",
|
||||
"rev": "95671d53ea3063da5316784af9ef69c71219f320",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -586,11 +561,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668479979,
|
||||
"narHash": "sha256-UI+JUCBaMpn+5Y1hSePmndbYX5zu0+bavlfzrhPrGEk=",
|
||||
"lastModified": 1671157233,
|
||||
"narHash": "sha256-gvQaOKaV1UK6IzsFzkVLsEavGxnAsQFT3zUqcg0RXLU=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "2342f70f7257046effc031333c4cfdea66c91d82",
|
||||
"rev": "7da2f6b3a0c32f661cb2864d7fbd1d7e6f0c7543",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -604,7 +579,7 @@
|
|||
"locked": {
|
||||
"lastModified": 1665446321,
|
||||
"narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=",
|
||||
"ref": "master",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca",
|
||||
"revCount": 61,
|
||||
"type": "git",
|
||||
|
@ -624,7 +599,7 @@
|
|||
"locked": {
|
||||
"lastModified": 1659890996,
|
||||
"narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=",
|
||||
"ref": "master",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "5ca106f648bef15d9954d956bda336eea28e8d75",
|
||||
"revCount": 149,
|
||||
"type": "git",
|
||||
|
@ -645,11 +620,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668537992,
|
||||
"narHash": "sha256-dktkznGkVUtOXyA19J4YoSiyhBkCinqH8LDnU2o/rmw=",
|
||||
"lastModified": 1670188372,
|
||||
"narHash": "sha256-lKjP3rYsmiXb9kEU+stcsm48dTEMC6Ed+rLEClEl+Vs=",
|
||||
"owner": "astro",
|
||||
"repo": "skyflake",
|
||||
"rev": "4ccb72c616212ef2149458dade8d1199dc69477a",
|
||||
"rev": "c78a3e8f64930bf5c48b0f75e577e4294d8750c6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -663,16 +638,16 @@
|
|||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"nixpkgs-22_05": [
|
||||
"nixpkgs-stable": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668311578,
|
||||
"narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=",
|
||||
"lastModified": 1670149631,
|
||||
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb",
|
||||
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -732,7 +707,9 @@
|
|||
"fenix": [
|
||||
"fenix"
|
||||
],
|
||||
"naersk": "naersk_3",
|
||||
"naersk": [
|
||||
"naersk"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
|
@ -743,7 +720,7 @@
|
|||
"locked": {
|
||||
"lastModified": 1666559258,
|
||||
"narHash": "sha256-m4f5QQbE+usnEnM6CJ+nCgXcsi9mm0cCwFm2BhJ0pvQ=",
|
||||
"ref": "master",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "22ecb2b375bebffdfb1af3435a4c4486e6dd923b",
|
||||
"revCount": 108,
|
||||
"type": "git",
|
||||
|
@ -785,7 +762,7 @@
|
|||
"locked": {
|
||||
"lastModified": 1663279525,
|
||||
"narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=",
|
||||
"ref": "master",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3",
|
||||
"revCount": 342,
|
||||
"type": "git",
|
||||
|
@ -830,11 +807,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668554331,
|
||||
"narHash": "sha256-QExvepHzH2QtHjeu1ZG2gIWh3bOxwsNsO2SBVmGIlRo=",
|
||||
"ref": "master",
|
||||
"rev": "9cb7dbc38595e7c213d193f2adf3cbeffcded74b",
|
||||
"revCount": 1669,
|
||||
"lastModified": 1671215340,
|
||||
"narHash": "sha256-e1+KFpcOxdz0yvThbHszq9+sXhH7SsFGP/dsIpUrvZY=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "4f090527d4cc64305add16ba68c6f72a275a507b",
|
||||
"revCount": 1689,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
|
||||
},
|
||||
|
|
491
flake.nix
|
@ -2,11 +2,12 @@
|
|||
description = "C3D2 NixOS configurations";
|
||||
|
||||
inputs = {
|
||||
nixos.url = "github:nixos/nixpkgs/nixos-22.05";
|
||||
nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
|
||||
nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
# use sandro's fork full with cherry-picked fixes
|
||||
nixos.url = "github:SuperSandro2000/nixpkgs/nixos-22.11";
|
||||
nixos-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
nixos-armv6.url = "github:rnhmjoj/nixpkgs/pr-fix-armv6";
|
||||
nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixos-unstable-simd.url = "github:SuperSandro2000/nixpkgs/nixos-unstable-simd";
|
||||
|
||||
affection-src = {
|
||||
url = "git+https://gitea.nek0.eu/nek0/affection";
|
||||
|
@ -15,6 +16,14 @@
|
|||
flake-utils.follows = "flake-utils";
|
||||
};
|
||||
};
|
||||
alert2muc = {
|
||||
url = "git+https://gitea.c3d2.de/astro/alert2muc";
|
||||
inputs = {
|
||||
naersk.follows = "naersk";
|
||||
nixpkgs.follows = "nixos";
|
||||
utils.follows = "flake-utils";
|
||||
};
|
||||
};
|
||||
bevy-mandelbrot = {
|
||||
# url = "github:matelab/bevy_mandelbrot";
|
||||
url = "git+https://gitea.c3d2.de/astro/bevy-mandelbrot.git?ref=main";
|
||||
|
@ -29,9 +38,7 @@
|
|||
url = "git+https://gitea.c3d2.de/astro/bevy-julia.git?ref=main";
|
||||
inputs = {
|
||||
nixpkgs.follows = "nixos";
|
||||
# breaks the build:
|
||||
# naersk.follows = "naersk";
|
||||
# naersk.inputs.nixpkgs.follows = "nixpkgs";
|
||||
naersk.follows = "naersk";
|
||||
rust-overlay.follows = "rust-overlay";
|
||||
};
|
||||
};
|
||||
|
@ -129,7 +136,7 @@
|
|||
url = "github:Mic92/sops-nix";
|
||||
inputs = {
|
||||
nixpkgs.follows = "nixos";
|
||||
nixpkgs-22_05.follows = "nixos";
|
||||
nixpkgs-stable.follows = "nixos";
|
||||
};
|
||||
};
|
||||
spacemsg = {
|
||||
|
@ -140,8 +147,7 @@
|
|||
url = "git+https://gitea.c3d2.de/astro/ticker.git";
|
||||
inputs = {
|
||||
fenix.follows = "fenix";
|
||||
# TODO: build regression in https://github.com/nix-community/naersk/commit/6944160c19cb591eb85bbf9b2f2768a935623ed3
|
||||
# naersk.follows = "naersk";
|
||||
naersk.follows = "naersk";
|
||||
nixpkgs.follows = "nixos";
|
||||
utils.follows = "flake-utils";
|
||||
};
|
||||
|
@ -173,14 +179,9 @@
|
|||
};
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
|
||||
outputs = inputs@{ self, alert2muc, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
|
||||
let
|
||||
inherit (nixos) lib;
|
||||
forAllSystems = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
|
||||
|
||||
# all the input flakes for `nix copy` to the build machine,
|
||||
# allowing --override-input
|
||||
inputPaths = lib.escapeShellArgs (builtins.attrValues inputs);
|
||||
|
||||
extractZwHosts = { hosts4, hosts6, ... }:
|
||||
lib.recursiveUpdate (
|
||||
|
@ -207,348 +208,56 @@
|
|||
extraHostRegistry.hosts = import ./host-registry.nix;
|
||||
hostRegistry = lib.recursiveUpdate zwHostRegistry extraHostRegistry;
|
||||
|
||||
getHostAddr = name:
|
||||
let
|
||||
hostConf = hostRegistry.hosts."${name}";
|
||||
in
|
||||
if hostConf ? ip4
|
||||
then hostConf.ip4
|
||||
else if hostConf ? ip6
|
||||
then hostConf.ip6
|
||||
else throw "Host ${name} has no ip4 or ip6 address";
|
||||
# Our custom NixOS builder
|
||||
nixosSystem' =
|
||||
{ nixpkgs ? inputs.nixos
|
||||
, modules
|
||||
, extraArgs ? { }
|
||||
, specialArgs ? { }
|
||||
, system ? "x86_64-linux"
|
||||
}@args:
|
||||
|
||||
{ inherit args; } // nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs system;
|
||||
|
||||
modules = [
|
||||
({ ... }: {
|
||||
_module.args = extraArgs // {
|
||||
inherit hostRegistry inputs zentralwerk;
|
||||
};
|
||||
|
||||
nixpkgs = {
|
||||
overlays = [ self.overlays ];
|
||||
};
|
||||
})
|
||||
|
||||
self.nixosModules.c3d2
|
||||
./modules/audio-server.nix
|
||||
./modules/c3d2.nix
|
||||
./modules/stats.nix
|
||||
./modules/pi-sensors.nix
|
||||
] ++ modules;
|
||||
};
|
||||
in {
|
||||
overlay = import ./overlay {
|
||||
inherit nixos-unstable;
|
||||
overlays = import ./overlays {
|
||||
inherit (inputs) tracer bevy-mandelbrot bevy-julia;
|
||||
};
|
||||
|
||||
legacyPackages = lib.attrsets.mapAttrs (system: pkgs:
|
||||
legacyPackages = lib.attrsets.mapAttrs (_: pkgs:
|
||||
pkgs.appendOverlays [
|
||||
fenix.overlay
|
||||
fenix.overlays.default
|
||||
naersk.overlay
|
||||
self.overlay
|
||||
self.overlays
|
||||
]) nixos.legacyPackages;
|
||||
|
||||
packages = lib.attrsets.mapAttrs (system: pkgs:
|
||||
let overlayPkgs = builtins.intersectAttrs (self.overlay {} {}) pkgs;
|
||||
in overlayPkgs //
|
||||
{
|
||||
host-registry = pkgs.runCommand "host-registry" {
|
||||
src = builtins.toFile "host-registry.nix" (
|
||||
lib.generators.toPretty {} hostRegistry
|
||||
);
|
||||
} ''
|
||||
ln -s $src $out
|
||||
'';
|
||||
packages = import ./packages.nix { inherit hostRegistry inputs lib microvm secrets self; };
|
||||
|
||||
list-upgradable = pkgs.writeScriptBin "list-upgradable" ''
|
||||
#! ${pkgs.runtimeShell}
|
||||
|
||||
NORMAL="\033[0m"
|
||||
RED="\033[0;31m"
|
||||
YELLOW="\033[0;33m"
|
||||
GREEN="\033[0;32m"
|
||||
|
||||
${pkgs.lib.concatMapStringsSep "\n" (name:
|
||||
let
|
||||
addr = getHostAddr name;
|
||||
in nixos.lib.optionalString (addr != null) ''
|
||||
echo -n -e "${name}: $RED"
|
||||
RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system")
|
||||
if [ $? = 0 ] && [ -n "$RUNNING" ]; then
|
||||
CURRENT=$(nix eval --raw ".#nixosConfigurations.${name}.config.system.build.toplevel" 2>/dev/null)
|
||||
RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev)
|
||||
RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3)
|
||||
CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev)
|
||||
CURRENT_DATE=$(echo $CURRENT_VER|cut -d . -f 3)
|
||||
|
||||
if [ "$RUNNING" = "$CURRENT" ]; then
|
||||
echo -e "$GREEN"current"$NORMAL $RUNNING_VER"
|
||||
elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then
|
||||
echo -e "$GREEN"newer"$NORMAL $RUNNING_VER > $CURRENT_VER"
|
||||
elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then
|
||||
echo -e "$YELLOW"modified"$NORMAL $RUNNING_VER"
|
||||
elif [ -n "$RUNNING_VER" ]; then
|
||||
echo -e "$RED"outdated"$NORMAL $RUNNING_VER < $CURRENT_VER"
|
||||
else
|
||||
echo -e "$RED"error"$NORMAL $RUNNING_VER"
|
||||
fi
|
||||
fi
|
||||
echo -n -e "$NORMAL"
|
||||
'') (builtins.attrNames self.nixosConfigurations)}
|
||||
'';
|
||||
|
||||
prebuild-all = pkgs.runCommand "prebuild-all" {
|
||||
preferLocalBuild = true;
|
||||
} ''
|
||||
mkdir $out
|
||||
|
||||
${pkgs.lib.concatMapStrings (name: ''
|
||||
ln -s ${self.nixosConfigurations."${name}".config.system.build.toplevel} name
|
||||
'') (builtins.attrNames self.nixosConfigurations)}
|
||||
'';
|
||||
|
||||
prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths}
|
||||
|
||||
set -x
|
||||
ssh $1 -- nix build -L --no-link ${
|
||||
pkgs.lib.concatMapStringsSep " " (name:
|
||||
"${self}#nixosConfigurations.${name}.config.system.build.toplevel"
|
||||
) (builtins.attrNames self.nixosConfigurations)
|
||||
}
|
||||
'';
|
||||
|
||||
} //
|
||||
|
||||
builtins.foldl' (result: host: result // {
|
||||
# TODO: check if the ethernet address is reachable and if not,
|
||||
# execute wol on a machine in HQ.
|
||||
"${host}-wake" = pkgs.writeScriptBin "${host}-wake" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
exec ${pkgs.wol}/bin/wol ${hostRegistry.hosts."${host}".ether}
|
||||
'';
|
||||
}) {} (builtins.attrNames (nixos.lib.filterAttrs (_: { wol ? false, ... }: wol) hostRegistry.hosts)) //
|
||||
|
||||
builtins.foldl' (result: name:
|
||||
let
|
||||
host = getHostAddr name;
|
||||
target = ''root@"${host}"'';
|
||||
rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de";
|
||||
hostConfig = self.nixosConfigurations."${name}".config;
|
||||
profile = hostConfig.system.build.toplevel;
|
||||
# let /var/lib/microvm/*/flake point to the flake-update branch so that
|
||||
# `microvm -u $NAME` updates to what hydra built today.
|
||||
selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update";
|
||||
in result // {
|
||||
# Generate a small script for copying this flake to the
|
||||
# remote machine and bulding and switching there.
|
||||
# Can be run with `nix run c3d2#…-nixos-rebuild switch`
|
||||
"${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
|
||||
#!${pkgs.runtimeShell} -ex
|
||||
[[ $(ssh ${target} cat /etc/hostname) == ${name} ]]
|
||||
nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
|
||||
ssh ${target} nixos-rebuild ${rebuildArg} "$@"
|
||||
'';
|
||||
|
||||
"${name}-nixos-rebuild-hydra" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
echo Copying Flakes
|
||||
nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${inputPaths}
|
||||
echo Building on Hydra
|
||||
ssh root@hydra.serv.zentralwerk.org -- \
|
||||
nix build -L -o /tmp/nixos-system-${name} \
|
||||
${self}#nixosConfigurations.${name}.config.system.build.toplevel
|
||||
echo Built. Obtaining link to data
|
||||
TOPLEVEL=$(ssh root@hydra.serv.zentralwerk.org \
|
||||
readlink /tmp/nixos-system-${name})
|
||||
echo Checking target ${name}
|
||||
ssh ${target} -- bash -e <<EOF
|
||||
[[ \$(cat /etc/hostname) == ${name} ]]
|
||||
echo Copying data from Hydra to ${name}
|
||||
nix copy --from https://nix-serve.hq.c3d2.de \
|
||||
$TOPLEVEL
|
||||
echo Activation on ${name}: "$@"
|
||||
nix-env -p /nix/var/nix/profiles/system --set $TOPLEVEL
|
||||
$TOPLEVEL/bin/switch-to-configuration "$@"
|
||||
EOF
|
||||
'';
|
||||
|
||||
"${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
|
||||
#!${pkgs.runtimeShell} -ex
|
||||
[[ $1 == build || $(ssh ${target} cat /etc/hostname) == ${name} ]]
|
||||
${pkgs.nixos-rebuild}/bin/nixos-rebuild ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
|
||||
'';
|
||||
|
||||
"${name}-cleanup" = pkgs.writeScriptBin "${name}-cleanup" ''
|
||||
#!${pkgs.runtimeShell} -ex
|
||||
ssh ${target} "time nix-collect-garbage -d && time nix-store --optimise"
|
||||
'';
|
||||
|
||||
"microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
|
||||
echo "MicroVM must be configured to proper server" >&2
|
||||
exit 1
|
||||
''}
|
||||
|
||||
${hostConfig.system.build.copyToServer} ${inputPaths}
|
||||
|
||||
${hostConfig.system.build.runOnServer} bash -e <<END
|
||||
mkdir -p /var/lib/microvms/${name}
|
||||
cd /var/lib/microvms/${name}
|
||||
chown root:kvm .
|
||||
chmod 0775 .
|
||||
|
||||
rm -f old
|
||||
[ -e current ] && cp --no-dereference current old
|
||||
|
||||
nix build -L \
|
||||
-o current \
|
||||
${self}#nixosConfigurations.${name}.config.microvm.declaredRunner
|
||||
echo '${selfRef}' > flake
|
||||
|
||||
[ -e old ] && nix store diff-closures ./old ./current
|
||||
ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
|
||||
ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
|
||||
ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
|
||||
|
||||
systemctl restart microvm@${name}.service
|
||||
END
|
||||
'';
|
||||
|
||||
"microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
|
||||
echo "MicroVM must be configured to proper server" >&2
|
||||
exit 1
|
||||
''}
|
||||
|
||||
${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner}
|
||||
|
||||
${hostConfig.system.build.runOnServer} bash -e <<END
|
||||
mkdir -p /var/lib/microvms/${name}
|
||||
cd /var/lib/microvms/${name}
|
||||
chown root:kvm .
|
||||
chmod 0775 .
|
||||
|
||||
rm -f old
|
||||
[ -e current ] && cp --no-dereference current old
|
||||
|
||||
ln -sfT ${hostConfig.microvm.declaredRunner} current
|
||||
echo '${selfRef}' > flake
|
||||
|
||||
[ -e old ] && nix store diff-closures ./old ./current
|
||||
ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
|
||||
ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
|
||||
ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
|
||||
|
||||
systemctl restart microvm@${name}.service
|
||||
END
|
||||
'';
|
||||
|
||||
"nomad-${name}" = pkgs.writeScriptBin "nomad-${name}" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
${lib.optionalString (hostConfig.c3d2.deployment.server or null == "nomad") ''
|
||||
echo "MicroVM must be configured for nomad" >&2
|
||||
exit 1
|
||||
''}
|
||||
|
||||
echo Copying Flakes
|
||||
nix copy --no-check-sigs --to ssh-ng://root@hydra.serv.zentralwerk.org ${secrets} ${self}
|
||||
|
||||
echo Building on Hydra
|
||||
ssh root@hydra.serv.zentralwerk.org -- \
|
||||
nix build -L -o /tmp/microvm-${name}.job \
|
||||
${self}#nixosConfigurations.${name}.config.system.build.nomadJob
|
||||
|
||||
echo -n Built. Obtaining path...
|
||||
JOB=$(ssh root@hydra.serv.zentralwerk.org -- \
|
||||
readlink /tmp/microvm-${name}.job)
|
||||
echo \ $JOB
|
||||
|
||||
for h in server9 server10 ; do
|
||||
echo Sharing with $h
|
||||
ssh root@$h.cluster.zentralwerk.org -- \
|
||||
bash -e <<EOF &
|
||||
nix copy --from https://nix-serve.hq.c3d2.de $JOB
|
||||
mkdir -p /glusterfs/fast/microvms/${name}
|
||||
chown microvm:kvm /glusterfs/fast/microvms/${name}
|
||||
chmod 0775 /glusterfs/fast/microvms/${name}
|
||||
mkdir -p /nix/var/nix/gcroots/microvm
|
||||
rm -f /nix/var/nix/gcroots/microvm/${name}
|
||||
ln -sfT $JOB /nix/var/nix/gcroots/microvm/${name}
|
||||
EOF
|
||||
done
|
||||
wait
|
||||
|
||||
echo Now starting the job
|
||||
ssh root@hydra.serv.zentralwerk.org -- \
|
||||
nomad run -detach $JOB
|
||||
'';
|
||||
}) {} (builtins.attrNames self.nixosConfigurations) //
|
||||
|
||||
builtins.foldl' (result: host:
|
||||
let
|
||||
inherit (self.nixosConfigurations.${host}) config;
|
||||
in
|
||||
result // {
|
||||
# boot any machine in a microvm
|
||||
"${host}-vm" = (self.nixosConfigurations.${host}
|
||||
.extendModules {
|
||||
modules = [ {
|
||||
microvm = {
|
||||
mem = nixos.lib.mkForce 2048;
|
||||
hypervisor = nixos.lib.mkForce "qemu";
|
||||
socket = nixos.lib.mkForce null;
|
||||
shares = nixos.lib.mkForce [ {
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
} ];
|
||||
interfaces = nixos.lib.mkForce [ {
|
||||
type = "user";
|
||||
id = "eth0";
|
||||
mac = "02:23:de:ad:be:ef";
|
||||
} ];
|
||||
};
|
||||
boot.isContainer = lib.mkForce false;
|
||||
users.users.root.password = "";
|
||||
fileSystems."/".fsType = lib.mkForce "tmpfs";
|
||||
services.getty.helpLine = ''
|
||||
Log in as "root" with an empty password.
|
||||
Use "reboot" to shut qemu down.
|
||||
'';
|
||||
} ] ++ lib.optionals (! config ? microvm) [
|
||||
microvm.nixosModules.microvm
|
||||
];
|
||||
})
|
||||
.config.microvm.declaredRunner;
|
||||
|
||||
"${host}-tftproot" =
|
||||
if config.system.build ? tftproot
|
||||
then config.system.build.tftproot
|
||||
else throw "No tftproot for ${host}";
|
||||
}
|
||||
) {} (builtins.attrNames self.nixosConfigurations)
|
||||
) self.legacyPackages;
|
||||
|
||||
nixosConfigurations = let
|
||||
nixosSystem' =
|
||||
# Our custom NixOS builder
|
||||
{ nixpkgs ? inputs.nixos, modules, extraArgs ? {}, specialArgs ? { }, system ? "x86_64-linux" }:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs system;
|
||||
|
||||
modules = [
|
||||
({ pkgs, ... }: {
|
||||
_module.args = extraArgs // {
|
||||
inherit hostRegistry inputs zentralwerk;
|
||||
};
|
||||
nixpkgs = {
|
||||
overlays = [ self.overlay ];
|
||||
};
|
||||
})
|
||||
|
||||
self.nixosModules.c3d2
|
||||
./modules/audio-server.nix
|
||||
./modules/c3d2.nix
|
||||
./modules/stats.nix
|
||||
./modules/pi-sensors.nix
|
||||
] ++ modules;
|
||||
};
|
||||
in {
|
||||
nixosConfigurations = {
|
||||
auth = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
./hosts/auth
|
||||
];
|
||||
nixpkgs = inputs.nixos-unstable;
|
||||
};
|
||||
|
||||
broker = nixosSystem' {
|
||||
|
@ -590,7 +299,6 @@
|
|||
self.nixosModules.microvm
|
||||
./hosts/gitea
|
||||
];
|
||||
nixpkgs = inputs.nixos-unstable;
|
||||
};
|
||||
|
||||
glotzbert = nixosSystem' {
|
||||
|
@ -608,7 +316,6 @@
|
|||
self.nixosModules.microvm
|
||||
./hosts/hedgedoc
|
||||
];
|
||||
nixpkgs = inputs.nixos-unstable;
|
||||
};
|
||||
|
||||
pulsebert = nixosSystem' {
|
||||
|
@ -624,12 +331,11 @@
|
|||
};
|
||||
}
|
||||
];
|
||||
nixpkgs = inputs.nixos-unstable;
|
||||
};
|
||||
|
||||
radiobert = nixosSystem' {
|
||||
modules = [
|
||||
({ modulesPath, ... }:
|
||||
({ ... }:
|
||||
{
|
||||
nixpkgs.overlays = [ heliwatch.overlay ];
|
||||
})
|
||||
|
@ -674,7 +380,6 @@
|
|||
};
|
||||
|
||||
schalter = nixosSystem' {
|
||||
nixpkgs = inputs.nixos-armv6;
|
||||
modules = [
|
||||
"${nixos}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
|
||||
({ lib, ... }: {
|
||||
|
@ -751,7 +456,6 @@
|
|||
self.nixosModules.microvm
|
||||
./hosts/grafana
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
hydra = nixosSystem' {
|
||||
|
@ -767,7 +471,6 @@
|
|||
};
|
||||
}
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
mucbot = nixosSystem' {
|
||||
|
@ -805,14 +508,14 @@
|
|||
|
||||
stream = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/stream
|
||||
];
|
||||
};
|
||||
|
||||
mobilizon = nixosSystem' {
|
||||
# TODO: pending https://github.com/NixOS/nixpkgs/pull/119132
|
||||
nixpkgs = inputs.nixpkgs-mobilizon;
|
||||
nixpkgs = inputs.nixos-mobilizon;
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
./hosts/mobilizon
|
||||
|
@ -835,7 +538,7 @@
|
|||
heliwatch.nixosModules.heliwatch
|
||||
./hosts/sdrweb
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
# nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
bind = nixosSystem' {
|
||||
|
@ -862,6 +565,16 @@
|
|||
];
|
||||
};
|
||||
|
||||
server8 = nixosSystem' {
|
||||
modules = [
|
||||
./hosts/server8
|
||||
self.nixosModules.cluster-network
|
||||
self.nixosModules.cluster
|
||||
skyflake.nixosModules.default
|
||||
{ _module.args = { inherit self; }; }
|
||||
];
|
||||
};
|
||||
|
||||
server9 = nixosSystem' {
|
||||
modules = [
|
||||
./hosts/server9
|
||||
|
@ -872,7 +585,6 @@
|
|||
skyflake.nixosModules.default
|
||||
{ _module.args = { inherit self; }; }
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
server10 = nixosSystem' {
|
||||
|
@ -885,7 +597,6 @@
|
|||
skyflake.nixosModules.default
|
||||
{ _module.args = { inherit self; }; }
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
oparl = nixosSystem' {
|
||||
|
@ -900,14 +611,14 @@
|
|||
|
||||
leon = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/leon
|
||||
];
|
||||
};
|
||||
|
||||
leoncloud = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/leoncloud
|
||||
];
|
||||
};
|
||||
|
@ -935,7 +646,7 @@
|
|||
};
|
||||
}
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
# nixpkgs = nixos-unstable;
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
|
@ -951,15 +662,15 @@
|
|||
self.nixosModules.microvm
|
||||
./hosts/mediawiki
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
# nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
gnunet = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/gnunet
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
# nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
zengel = nixosSystem' {
|
||||
|
@ -971,7 +682,7 @@
|
|||
|
||||
sshlog = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.cluster-options
|
||||
sshlogd.nixosModule
|
||||
./hosts/sshlog
|
||||
];
|
||||
|
@ -992,9 +703,30 @@
|
|||
];
|
||||
};
|
||||
|
||||
owncast = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/owncast
|
||||
];
|
||||
# nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
||||
prometheus = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.cluster-options
|
||||
alert2muc.nixosModules.default
|
||||
./hosts/prometheus
|
||||
];
|
||||
};
|
||||
|
||||
mastodon = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.cluster-options
|
||||
./hosts/mastodon
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nixosModule = self.nixosModules.c3d2;
|
||||
nixosModules = {
|
||||
c3d2 = {
|
||||
imports = [
|
||||
|
@ -1004,7 +736,7 @@
|
|||
./modules/backup.nix
|
||||
./modules/c3d2.nix
|
||||
./modules/nncp.nix
|
||||
./modules/logging.nix
|
||||
./modules/monitoring.nix
|
||||
./modules/stats.nix
|
||||
];
|
||||
c3d2.hosts = hostRegistry.hosts;
|
||||
|
@ -1022,7 +754,7 @@
|
|||
nncp = ./modules/nncp.nix;
|
||||
plume = {
|
||||
imports = [ ./modules/plume.nix ];
|
||||
nixpkgs.overlays = [ fenix.overlay naersk.overlay ];
|
||||
nixpkgs.overlays = [ fenix.overlays.default naersk.overlay ];
|
||||
};
|
||||
rpi-netboot = ./modules/rpi-netboot.nix;
|
||||
};
|
||||
|
@ -1039,15 +771,26 @@
|
|||
) sops-nix.packages;
|
||||
|
||||
hydraJobs =
|
||||
builtins.mapAttrs (_: nixos.lib.hydraJob) (
|
||||
builtins.mapAttrs (_: nixosSystem:
|
||||
if nixosSystem.config ? microvm.declaredRunner
|
||||
then nixosSystem.config.microvm.declaredRunner
|
||||
else nixosSystem.config.system.build.toplevel
|
||||
lib.mapAttrs (_: nixos.lib.hydraJob) (
|
||||
let
|
||||
getBuildEntryPoint = _: nixosSystem: nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel;
|
||||
in
|
||||
lib.mapAttrs getBuildEntryPoint self.nixosConfigurations
|
||||
// lib.mapAttrs' (hostname: nixosSystem: lib.nameValuePair
|
||||
# job display name
|
||||
(hostname + "-nox")
|
||||
(getBuildEntryPoint null (nixosSystem' (nixosSystem.args // (with nixosSystem.args; {
|
||||
modules = modules ++ [
|
||||
{
|
||||
# c3d2.simd.enable = lib.mkForce true;
|
||||
environment.noXlibs = true;
|
||||
}
|
||||
];
|
||||
# nixpkgs = nixos-unstable-simd;
|
||||
}))))
|
||||
) self.nixosConfigurations
|
||||
//
|
||||
nixos.lib.filterAttrs (name: _:
|
||||
builtins.match ".+-tftproot" name != null
|
||||
// nixos.lib.filterAttrs (name: attr:
|
||||
(builtins.match ".+-tftproot" name != null && lib.isDerivation attr)
|
||||
) self.packages.aarch64-linux
|
||||
);
|
||||
};
|
||||
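Review bot: The `nixos` input at the top of `inputs` now appears to point at a branch of a personal fork, `github:SuperSandro2000/nixpkgs/nixos-22.11`, and it is the default `nixpkgs` of `nixosSystem'`, so it becomes the package base for every host that does not override it. The hosts whose `nixpkgs = nixos-unstable;` line is dropped or commented out further down fall back to it as well. The lock file pins a revision, but each later `nix flake update` takes whatever that branch holds at the time, so lock bumps of this input deserve the same review as a code change. The existing comment only says the fork carries cherry-picked fixes; I would extend it to name them and the exit condition, e.g. `# fork of nixos-22.11 carrying <upstream PR list>; return to github:nixos/nixpkgs/nixos-22.11 once these are merged`. This page has lost its +/- markers, so which lines are on the new side is inferred from the hunk counts.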
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
@ -58,7 +58,7 @@
|
|||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."portunus/seed" = {
|
||||
group = config.services.portunus.group;
|
||||
inherit (config.services.portunus) group;
|
||||
owner = config.services.portunus.user;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, zentralwerk, config, ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
microvm.mem = 2048;
|
||||
c3d2.deployment = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, zentralwerk, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
mymqttui = pkgs.writeScriptBin "mqttui" ''
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
webroot = "/var/www";
|
||||
geminiRoot = "/var/gemini";
|
||||
|
@ -16,6 +16,8 @@ in
|
|||
# Network setup
|
||||
networking.hostName = "c3d2-web";
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
# telme10
|
||||
23
|
||||
# http/https
|
||||
80 443
|
||||
# gemini
|
||||
|
@ -48,11 +50,14 @@ in
|
|||
index portal.html index.html;
|
||||
'';
|
||||
locations = {
|
||||
# Mastodon
|
||||
"/.well-known/webfinger".return = "301 https://c3d2.social$request_uri";
|
||||
|
||||
# SpaceAPI
|
||||
"/status.png".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/status.png";
|
||||
"/spaceapi.json".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/spaceapi.json";
|
||||
|
||||
# WKD: Web Key Directory for PGP Keys
|
||||
# WKD: Web Key Directory for PGP Keys
|
||||
"/openpgp" = {
|
||||
extraConfig = ''
|
||||
autoindex off;
|
||||
|
@ -109,6 +114,15 @@ in
|
|||
contentDir = geminiRoot;
|
||||
language = "de";
|
||||
};
|
||||
|
||||
systemd.packages = with pkgs; [ telme10 ];
|
||||
|
||||
systemd.services.telme10 = {
|
||||
serviceConfig = {
|
||||
AmbientCapabilities="CAP_NET_BIND_SERVICE";
|
||||
};
|
||||
};
|
||||
|
||||
# let agate access the tls certs
|
||||
systemd.services.agate = {
|
||||
requires = [ "agate-keys.service" ];
|
||||
|
@ -147,11 +161,17 @@ in
|
|||
home = "/var/lib/c3d2-web";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${webroot}/c3d2 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${webroot}/log 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${geminiRoot} 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${config.users.users.c3d2-web.home} 0700 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
users.groups.telme10 = {};
|
||||
users.users.telme10 = {
|
||||
isSystemUser = true;
|
||||
group = "telme10";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = with config.users.users.c3d2-web; [
|
||||
"d ${webroot}/c3d2 0755 c3d2-web ${group} -"
|
||||
"d ${webroot}/log 0755 c3d2-web ${group} -"
|
||||
"d ${geminiRoot} 0755 c3d2-web ${group} -"
|
||||
"d ${home} 0700 c3d2-web ${group} -"
|
||||
];
|
||||
|
||||
# Build script
|
||||
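Review bot: The new `systemd.services.telme10` override grants `CAP_NET_BIND_SERVICE` to a service that the firewall change in this section exposes on TCP port 23, but sets nothing that confines it. The unit itself comes from the `telme10` package through `systemd.packages` and is not shown here, so it should be confirmed that it runs as the `telme10` user this section creates and carries its own sandboxing; if it does not, set that in this override. Next to the ambient capability I would at least add `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` and `NoNewPrivileges = true;`.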
|
|
|
@ -10,7 +10,7 @@
|
|||
};
|
||||
microvm = {
|
||||
vcpu = 8;
|
||||
mem = 8 * 1024;
|
||||
mem = 16 * 1024;
|
||||
};
|
||||
|
||||
networking = {
|
||||
|
@ -23,7 +23,7 @@
|
|||
'';
|
||||
|
||||
services.caveman = {
|
||||
redis.maxmemory = config.microvm.mem * 1024 * 1024 * 3 / 2;
|
||||
redis.maxmemory = config.microvm.mem * 1024 * 1024 / 2;
|
||||
|
||||
hunter = {
|
||||
enable = true;
|
||||
|
@ -54,6 +54,11 @@
|
|||
];
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.caveman.gatherer.settings.listen_port}/";
|
||||
};
|
||||
virtualHosts."relay.fedi.buzz" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString 3000}/";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
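Review bot: The `relay.fedi.buzz` virtual host proxies to a literal port, `"http://127.0.0.1:${toString 3000}/"`, while the `proxyPass` just above it reads the port from `config.services.caveman.gatherer.settings.listen_port`. If the relay's listen port is available as an option (not visible in this section), reference it the same way so the proxy and the service cannot drift apart. Otherwise write the literal as `"http://127.0.0.1:3000/"` and add a comment naming the service expected to listen there.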
|
|
|
@ -1,5 +1,38 @@
|
|||
{ hostRegistry, config, lib, pkgs, modulesPath, ... }:
|
||||
{ hostRegistry, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
streamAudioToOwncastScript = pkgs.writeScriptBin "stream-audio-to-owncast" ''
|
||||
#! ${pkgs.runtimeShell} -e
|
||||
|
||||
PATH=${with pkgs; lib.makeBinPath [ coreutils pavucontrol gnome.zenity ffmpeg ]}
|
||||
|
||||
MOVIE="$(zenity --file-selection --title 'Select a video to loop')"
|
||||
MOVIE_PREENCODED="/tmp/`basename $MOVIE`.mp4"
|
||||
|
||||
echo
|
||||
echo Preencoding the movie. Wait a bit...
|
||||
echo
|
||||
|
||||
ffmpeg -i "$MOVIE" -an -s:v 480x320 -c:v libx264 -b:v 600k -f mp4 -y "$MOVIE_PREENCODED"
|
||||
|
||||
echo
|
||||
echo "Starting stream. End with <q>"
|
||||
echo
|
||||
|
||||
pavucontrol &
|
||||
|
||||
ffmpeg -f pulse -ac 2 -i default -stream_loop -1 -i "$MOVIE_PREENCODED" -c:a aac -c:v copy -f flv rtmp://owncast.serv.zentralwerk.org:1935/live/$(cat ${config.sops.secrets."owncast/authKey".path})
|
||||
'';
|
||||
|
||||
streamAudioToOwncast = pkgs.makeDesktopItem rec {
|
||||
name = "Stream to Owncast";
|
||||
exec = "${streamAudioToOwncastScript}/bin/stream-audio-to-owncast";
|
||||
icon = "media-record";
|
||||
desktopName = name;
|
||||
terminal = true;
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
|
@ -20,6 +53,11 @@
|
|||
} ];
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."owncast/authKey".owner = "k-ot";
|
||||
};
|
||||
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
||||
|
||||
|
@ -73,16 +111,16 @@
|
|||
};
|
||||
|
||||
nix = {
|
||||
buildCores = 4;
|
||||
maxJobs = 1;
|
||||
trustedUsers = [ "client" ];
|
||||
extraOptions = ''
|
||||
builders-use-substitutes = true
|
||||
extra-platforms = armv6l-linux
|
||||
'';
|
||||
daemonCPUSchedPolicy = "idle";
|
||||
daemonIOSchedClass = "idle";
|
||||
settings.system-features = [];
|
||||
settings = {
|
||||
builders-use-substitutes = true;
|
||||
cores = 4;
|
||||
extra-platforms = "armv6l-linux";
|
||||
max-jobs = 1;
|
||||
system-features = [];
|
||||
trusted-users = [ "client" ];
|
||||
};
|
||||
};
|
||||
# kernel 32bit personality patch from Ubuntu
|
||||
boot.kernelPatches = [
|
||||
|
@ -119,6 +157,7 @@
|
|||
libva-utils
|
||||
mpv
|
||||
vlc
|
||||
ffmpeg
|
||||
yt-dlp
|
||||
ncpamixer
|
||||
pulseaudio # required for pactl
|
||||
|
@ -130,6 +169,7 @@
|
|||
bevy_julia
|
||||
bevy_mandelbrot
|
||||
allcolors
|
||||
streamAudioToOwncast
|
||||
];
|
||||
};
|
||||
|
||||
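Review bot: In the `stream-audio-to-owncast` script the `MOVIE_PREENCODED` assignment builds `/tmp/<basename of $MOVIE>.mp4`, a predictable name in a world-writable directory that `ffmpeg -y` then overwrites, and the unquoted `$MOVIE` breaks on paths containing spaces. I would use `MOVIE_PREENCODED="$(mktemp --suffix=.mp4)"` together with `trap 'rm -f "$MOVIE_PREENCODED"' EXIT`. The final `ffmpeg` line also expands the stream key from the sops secret into the command line, where other local users can read it from the process list for as long as the stream runs, and sends it over plain `rtmp://`. That exposure deserves at least a comment in the script.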
|
|
|
@ -0,0 +1,181 @@
|
|||
owncast:
|
||||
authKey: ENC[AES256_GCM,data:Q0Zx9g==,iv:3RB7efC9t6SXEP4/yR5Or/f3GN820RiApqTJC0G5zaw=,tag:UaiJAdGefjuwVd3gGwTXTg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ1l6MkNscFl3b0FReENC
|
||||
cFozbUE4clBFSXlmSEtKaWFLV0I1aVFNVUg0ClhTTld1TkxsSWxWcDV1T2F6M0Ex
|
||||
cHNGZnprMlljc1dBcG1iWEs5WTZGaFEKLS0tIHNrVk5uTDRwUlVkSVZxT0txUmxO
|
||||
L0pDVlhTa0QyRWc5MHQ0dEJBOE1DMlkKXT0txgyo3DPYni8QKoZQqcmZckrKOehx
|
||||
UJcHM6O7gwJ1cglkByFcAwhmMB+cPerUqsxoLt7RplILr2bET2gyyg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OTFkbXNxWEYzZVZ0ZDlS
|
||||
ak1VYlBzaThma3ZjaGVwZlNuaThXTHJFL2xjCkRMREdKdG9CTUNDZUZDY213cndI
|
||||
ZVFBdEVVbDdwVUdyYzE0d3JVcHB0RnMKLS0tIFFvbVhsR1VKbWhQTzJsUXIzRzNI
|
||||
K3I1KzNqT2RqL2I4alkrVGlBUWJjQjQKE8Icz22zUmZRlPLGBSVYK2O98jWTtsO2
|
||||
sgEx3ZDqJi47bCqUKMhPz55TpIKsCx/bAAQ+qfV8g7DaoSz9UMk+/w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-12-04T21:39:27Z"
|
||||
mac: ENC[AES256_GCM,data:PQtTAEXBgp6MuPl5+6SE/zaOuYGvDRpl0w9XYgUJJHhDqiIEQfcAYIUEKv+Dvtxj94TQZ3v2kjT4Y3FF0ROYIcN8H1K1PtVXRLu+vptr2+wZ1Mahg6K4Ukk1s0eiBB3vsGrMONqaky5Jqy4My3+0NMnBuIvlqErpoUT3Gin37do=,iv:RUTAvD/hczbaX7w7ROPQZNII3kTRnEBG6aMMkTHuV/M=,tag:XLgfZnnDM1ffv6uBLYJXmg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA6j84+xkv3y7ARAAvea1x4I5nwUVUI5DHoflHivlVRauxetPBZoLIyfNklX3
|
||||
oO2euRsEC66ZtuqDzSSoHpUM5NIdDPPgNf0sw6YJnbRH8F88ghNE87NXyevlvGnA
|
||||
8IFOokn7ASjPk2DYLlh8xtZ+T7ZgAhIgv0lnZLa36n5h0tSL4t0OdGAnwWa9j9Mj
|
||||
2gWGKymunpXMjRqEj/PGEuXEDRCdwpvmwi+8YKrh4D9dB67tepAA28MofSfJ5295
|
||||
Sfyer+Hh41zPgYI2WeBRTS9Rn8Ea98Y5eWQsXIivG7+CnKl+uu53nzZevRJDk5NS
|
||||
0qRsyIxeJvmX0fqLgHD1jZJ/UGeUoiRNNkifN9DVIikDj8coAyVCb3ebbQWs63nn
|
||||
NL26fuONgZtfqF6DuIoFpGS+klQscWdmYQ729EIEvxzBo8jeSPnwf2ySyt8gA0J4
|
||||
Y5lxnwoPl4b6nT4TAHSQ65HWxq2y2+KUT4oE3PrN883N5702Qlr6MxN3tFJ/V98x
|
||||
7OyA9UjgkkHuFl7EnumkUOix3BqnBk5za4ABhWvYfBtm0nVVAnesEcjsIeT4ihJx
|
||||
5lhi/CiNPth+PhsIDaqA2QVU2sjswgmOK3KbQcpktAROFoXTDayr2t4QNZUTmbWF
|
||||
vwHxNIZ1CndzaPgl5WI4QJDerWErEPKVxf65HxrLtWft4MyhfevSfH63C0TO4YDS
|
||||
UQHKQhF01t0ZXKPLnQDGAwZijyA7GD493Sr6pFMzenSipvwybvNEnfDOZuc7AU9b
|
||||
4oXevCzGjpaub33hqorp1bcygwgl0aA1H3YvleyHBg5Mgw==
|
||||
=sPOS
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA8zMZ+ak7y/zARAAuhnyVNytAgqL03jN9rXwwHuqgaqQ4SdjM7kTLe4WVCXJ
|
||||
PwLtPoNNjlFqRKufXPQQuOBx2FMJl1yUQsI4P7OiWGak6/0f41U0bLFczTTGRgTh
|
||||
vmEHwRtRGQAsWi5g+KqP0zAoiZNiBdk7s4THcA24tBBGViRtLS+swhV2SRvTT0NA
|
||||
pLsOB/GpA94kEjfHhZ1RunKBMIxDKYaQvXUFlEPSkv/Q6ek8Tc3wgPMUp5wiN+cz
|
||||
q628/KNM78nWCEyV0rQ3YAccnC6h1Wb6cHCOKE6jJJTfwm503tzZv1klQUkKrP0j
|
||||
BvgFGIdn76XTER47A3sPweDbnHV8Z0qxnJ4z6YGN5zYW4HVAOWCSvI1OvM1q9oIj
|
||||
SiwXVUIuhhGj1kb3LPstSWJvPmJR0bgmO4xSMYpB2d71iRTL7S82p9aWk3/Zzcr7
|
||||
DNYWFxs0r7s0L0xJCDma0fM6krGof/ZcCdo1eRgSJZWbPrGL8ips++9/Fm0/xgzf
|
||||
A8CxWpnWRE6S3dBRQZNfHOn9OyHJGKNVR85mF/gPI14viYmr9iJ4gqDzLcZF27V6
|
||||
uasJrcnaKkSL8fBah4UiT3lRfNqX24HXZnDMhTHwJD1RQHn4qvmE+FiB4m8SEYS0
|
||||
TCLTCxuWZV0p9MtzQbNyadmpCxb5JL2EugKaal2pW2cxhMuUryV8axj7QhD2UJ/S
|
||||
UQE421UkjynmGgjRa8jYiS4sFYlrbNsHLAtRlinRyNya2je8vyOZNekQl59sVYA3
|
||||
mb7bgu0XN1Y3cZtKAxughzSpkLjSGCR9GebNawKdUUcsPg==
|
||||
=VokK
|
||||
-----END PGP MESSAGE-----
|
||||
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA45bZkLXmBFpAQf/XjbniHgbytyURYZ3qFCzijhLi7e99Q2jdsOQTQG4sOoE
|
||||
jpPlOP4yU6lGjnYfQVYqH7CgyquqGrSB3M4ZHxUR2916xveG8vjWDUhURGWAUXwk
|
||||
ho5dGm+HZGMJdETCmmCTALqxlrv/TgrUiUfSn1C9MKloR4PxYDFqupk9Bl5RyvQT
|
||||
xdcIzVM6/7+xCasBErKoIQ3YoPKlxNWkr73S4Y/jhEVVaxEZWHoyCtK7SRDA4GOi
|
||||
nIO2TMQ/eCbnrHbftwUsZNkeP1bee3+U7wiPOXOozftLrA2FYuT+SmCOK1/xaqHT
|
||||
n4WwcPamFNqWqWMGyVNQd/rR0/Ry+hDYbY4jzm2+vtJRAXNtZLLw5BmnAbpZ0PY5
|
||||
eBUYkDMJ81ua+I9fJIzg0WtbLTBWeIo50v6SrrUuCXdBbtvtsvMBPHuGDdwoqM61
|
||||
kJoAZV8D9JDznjOnn0wUlFtF
|
||||
=55R4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMAwMCBBrc/JA6AQ/+Ksp81JefhSw9XHfgtutZRbx/yhPi+OX2mMDNPjPpNykT
|
||||
zSMVuZWA2Io/RxmVCOrEcJi1hHGZ989tZS8vPWyB+ddnnCx1h78PabJh0d/jqUN3
|
||||
XTKli26QtGKvMPioVg89NQjD0pTqoHc6tTXdOP1XSS7R6lZCxz4hTn39jPwrhSgA
|
||||
z5GocHUfTWoSYoG5GV8jsKrWNUqd6HwoKlucTku64SvquJQ8Ld+VeiwAbcxXtPAa
|
||||
QuQ3cXkerYen5l86Hp8NkyqOub+DW5fgPfC5LqBdEhjp3tH0HUHsK9CWHv+3tQ+l
|
||||
fDpmGt3RVQ5X5NJM1QKJeVkX33HI3ntqnhThnVbC6R1FBASaabQzyekdHpu1JWxM
|
||||
YP5gh04+VZm0qdoPMgPin1aSKvNBCzyQqNK4f7/iwz/beX5V3wnq7G2hsfDQCzBt
|
||||
W0y0bv7q0ToWlXmj/A2dytxHb0bWIRsbXU2p2Szl/ccoLDZYH5Mz/ZKrKH5xtD9Z
|
||||
z4hq6p8WO2dAe2dkN48Bd8xbddNUs0Xem73T9FoHNKIcWMP/CA7Ir7p0agnYs7id
|
||||
Dni/BB5bm6XIwqpwOPG2TqNl051MSVDLXB1ia88Z5WvRL+EYdm4o0xGzL1fPPxWX
|
||||
S85Y0pe8QGxd8qikPHlHmFc0TLB05yN3LT17+CC1T3zjlNff0uMdFgiioLJHwz7S
|
||||
UQGMPRKXvg1RZiU1GUfaXG/PFH/KAouKx+m97iCRzg2SNULNakq0tvWIV4Fp19yn
|
||||
DpQs+g2eq7KYwW/udKzDpGOM2/IDY/s07YCipn48XEfaDw==
|
||||
=7TJ4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9XEenRNYVGHARAAkzr6nZaSnq88e+JHXvkKGBqxduAfWFlGvXYrp/2e1tyy
|
||||
BCpiMCXrzoend43/Kz5pTCjV3KvcYOl22OYJMi2mYObsJKoi1ftInL5mc6NPMU/O
|
||||
ixJncQ8NBa3lv3HGO1j9xETLLTt3220gUc4CKo65YkaIsJYumw2oCAbFhCdZy17g
|
||||
qlzjFRy8VfWad48nAezymnfGFdTWKThxGzvOJLo5Jm98UIt2lC5T7vZjEwQSsjra
|
||||
EnF/I6sAeT9kEVg17m2CEFK5LVb/4GtSr/rXFUDbihO3OVYRbdGk/7y4lo55pRi2
|
||||
daZcwUFCqdj83QUUYimYpXQWhgyBSgIWCK7vb6Sr0rO7j0poqncpm3gX3dlIzmDk
|
||||
bK8N+Heb7u7kZ24+p96jabgEBphLgPepE2fMoXFpnZ2P2e8QgiA8b/5Rqq2KomYD
|
||||
4hbqUmSTpG1j+77+l5LMkbg/ugzRd3VviJO5dKsNvaUsKz7e5NNRV3mvtgaakP1s
|
||||
ygQ3DBnJibKiR2QR6pJRvLAlNTy/bguKCZI8DCMO7SWlRuatBujV3htlG2AgzrKp
|
||||
KLRSU4HuoyZXiOsqNA4tVH4ZklzXzhNAELt30+yYNJbS8evcd3ZZZnfsaZmr3jWE
|
||||
jK2vXo+FUkbJHQrCLCHymURH+TijvvOgCYSYTmzvn7R+4Esfs+abrWugoXLwoznS
|
||||
UQGIyCN+1XfmWTkHiiygdNWRb4HdB8OTTe75rsPnTJSmKbYhafE/Iqhf9rDEPNUk
|
||||
e5l1I1sgwYq/bR2FKd1iWAfZlqa39dOi/C/tBD2KnuISOA==
|
||||
=Ut63
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA/Z87ylQaotQAQf9GF9yX0w0OwL251Ex76j3k3MF1Q0qOfgjsDBY3Ow56VO+
|
||||
KhJ0Ugn0beKoYZrVn2ezvJZaNa7YAPry/oomul/Kvv3rTZDh2bs4lBu8qrjznj+m
|
||||
bdX+dtKr3znJkkqqQkA+DF8bQ9DoZxDDz7FNQSuZocn+TpMn253cl0vBi7gyxxpb
|
||||
Rfch55vZrhpGU2+QfH9euqSv8k3fOMbMEwVHL82uGybxN7a2fe/BtRwuyeSRjyGl
|
||||
q1L4FrF1w1aUDp4M7bK+3eo2WpqCH9UxgLu74DW6SdVM3MV0B/IUXRU1rEqV4vja
|
||||
bLMxnJ6xsByKsOVUP2ivalTnLyrtZPOcJ1wDe2SCKdJRAaegKPecQEqIuGuWBlng
|
||||
t/W+RD/P0CqtDvly/2ALLZtAmyvXloCOtrMWkz/bnGpoqOlNL609FkY05RY3Quvm
|
||||
C2OTSTvQ//MP7BPV99syTVTo
|
||||
=xgMp
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9EA68B7F21204979645182E4287B083353C3241C
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ//c9HmDg63M7yWpeVOx7Eha/QVzPtXyJ7/G9dJrGltLbUj
|
||||
B8xn/BeDT+ARVDRFnGJS053RxHJz5WqCIdcEQTZlD4GHp3Ez7vtXPEUJNymTmug7
|
||||
VrCX4GhNjKdb55SlTkoeAbxdlUfyPUIhaLcdQ8pzHqyurcpRs8ZuYoSENbNoAbYY
|
||||
NZbNJZoKJTc2vmI2zrO1HtVNc8HZYtnN5dawvlCn66Q3lhNLZ1wR4AFmmKvKgKIR
|
||||
XFAjbsoEUDlYNBDw+yv8jkB179+wa6pLAhIaJ8NM2asimUz7GWxDumgesNbacTR0
|
||||
ZJXrQWyuHruQ1FbZdVJ3+Ko2S2JnAiN7Ezmauqo3IQGt++ZXNOC5dl/FusY25TQ9
|
||||
lpAW+klKkIqMfIZU0WsWWufhgv6cI8HqPY9z5TalSrGB5zyJeW2bnU2/ZAr5yNH8
|
||||
/rOJVVF/1c4xkEqE0/Coy2ZqbE1IOTq5aiqaMuZIToSn+ftvg2KIxkdEvQ8gVigU
|
||||
uZfnZ4HN0FQqJ2/9BHHFlhW8CdWdffTk8m2GEdfyjH+WIPCoRyvbf7RWAad8NFni
|
||||
RHTf8+Uee5R2hth82UO0wSlMrLrQwdS7ju6ctpag1gm2YxEHRZBs6hnD8Ade//xR
|
||||
RFkmcW5BICAPbBmJM4o1HSUjYqGhk46xU7y3UVNs4R144DtqEAMwjWE7U/IsvRTS
|
||||
UQF2/UFLDd/LgVHt1uVhpzuWl5ot97FU6HIPSYrlkOPAzI49VQ0H+tLlywMbgjcD
|
||||
0HoNDhCDgzTzp2/loq3wECS93QAx6L9+zHpUz+2db9LBFw==
|
||||
=356k
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2022-12-04T21:39:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA/YLzOYaRIJJAQ/8CFz+BjJA03Sgq6TeYzycAjdSFi3mTZ50L/sGvj2B5WBQ
|
||||
WnVwA7tWSSQGmt91XZwSNgf7PTCgm3v6zMTHnYN5WMwk9vaDL/WIGbqD1LZw4zgK
|
||||
fD+Lm/Yc/0vPrEahL9irCb9jrolWGagdPzQYqRLReD1aB5NnYp96FuELm6RF2YC9
|
||||
AU6ZxrtrQkEZ61SsAP9ODTruRmCtmtpbJYweN1CmkatMj8yIu4I/Y939T5lx8V8F
|
||||
ZgT89f/p795/2uFWJ4HpZk0Rkq78RJCO8HytKEw1CVS55P49PnjKKxqzyESZCaVU
|
||||
bLI5MKUQowBSmgoHZWd+B4DO/7+4sgu30A4CuldZR2SZOqW+FwdEAuwdK8HrG9G8
|
||||
d0gzujb4Iq7PtqbAMErr7h73hTXdBeFrUG8z5mgWmeEhP9o0Zlx/oXGpi2JOJYBb
|
||||
VySPDLQxWBV65XpM0Qb8zxsKYAIrouy8YmbbrbNX8nzG/KLgUaNJcj3PYp3WI/cs
|
||||
4MkBc2nh4s6OLGJ7YP5AoCayPSuFwsJ/+WZ+neQ6X1gkgSFtYmb/LoTSU4w35xPi
|
||||
rbDwqxf2Lg1MbPP+hhW/Y0fZKVWUcLs9x4EbhS5LlmlKC66mRXgATKozLpivjDOa
|
||||
kTTIwptGeo02NTIeEegP24AmMvXnvvFzUBZmN57ztCuj/Sckc7ICTMrFV8vo2fXS
|
||||
UQHWb0zzNY1kk5Ui+kL2exUHdIdGDD8lc2Cpz40Fo6emfIGVlNgCCDK/upnu/Ims
|
||||
GE35n8h33MapqihsFQpXJ2lNkzuckV/yIRUfRXTkP4miXw==
|
||||
=RITE
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
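Review bot: The `owncast.authKey` secret added at the top of this file looks very short. Its `data:` field (`Q0Zx9g==`) decodes to four bytes, and sops' per-value AES256_GCM encryption produces ciphertext of the same length as the plaintext, so the stream key is presumably four characters. Encrypting the file does not compensate for a key that is too short to resist guessing at the RTMP ingest, and the length is visible to anyone who can read the repository. I would rotate the key on the Owncast side to a long random value from a CSPRNG and re-encrypt it here with `sops`, keeping in mind that the old ciphertext stays in the git history.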
|
|
@ -1,7 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
let
|
||||
domain = "direkthilfe.c3d2.de";
|
||||
in {
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.hostName = "direkthilfe";
|
||||
microvm.mem = 1024;
|
||||
c3d2.deployment = {
|
||||
|
@ -27,7 +26,7 @@ in {
|
|||
|
||||
services.engelsystem = {
|
||||
enable = true;
|
||||
domain = domain;
|
||||
domain = "direkthilfe.c3d2.de";
|
||||
createDatabase = true;
|
||||
package = pkgs.engelsystem.override { php = pkgs.php74; };
|
||||
config = {
|
||||
|
@ -64,7 +63,7 @@ in {
|
|||
services.phpfpm.phpPackage = pkgs.php74;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${domain}" = {
|
||||
virtualHosts."${config.services.engelsystem.domain}" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
@ -140,7 +140,7 @@ in {
|
|||
}
|
||||
'' else
|
||||
"";
|
||||
interface = if conf ? interface then conf.interface else name;
|
||||
interface = conf.interface or name;
|
||||
in "${neighbor4}${neighbor6}") neighbors));
|
||||
in ''
|
||||
protocol kernel {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, zentralwerk, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
|
||||
networking = {
|
||||
hostName = "gitea";
|
||||
hosts = {
|
||||
"2a00:8180:2c00:282::48" = [ "auth.c3d2.de" ];
|
||||
"172.20.73.72" = [ "auth.c3d2.de" ];
|
||||
hosts = with zentralwerk.lib.config.site.net.serv; {
|
||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||
};
|
||||
firewall.allowedTCPPorts = [ 80 443 2222 ];
|
||||
};
|
||||
|
@ -60,7 +60,7 @@
|
|||
ENABLED = true;
|
||||
};
|
||||
"cron.repo_health_check" = {
|
||||
TIMEOUT = "120s";
|
||||
TIMEOUT = "300s";
|
||||
};
|
||||
"cron.resync_all_sshkeys" = {
|
||||
ENABLED = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
@ -13,9 +13,9 @@
|
|||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
nix = {
|
||||
buildCores = 4;
|
||||
maxJobs = 4;
|
||||
nix.settings = {
|
||||
cores = 4;
|
||||
max-jobs = 4;
|
||||
};
|
||||
|
||||
sops = {
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.kernelModules = [ "kvm-intel" "nct6775" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
|
@ -24,6 +24,5 @@
|
|||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
}
|
||||
|
|
|
@ -2,11 +2,11 @@
|
|||
system.stateVersion = "22.05";
|
||||
|
||||
c3d2.hq.statistics.enable = true;
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "var" ];
|
||||
deployment = {
|
||||
# needs to keep just its ssh key for sops-nix
|
||||
persistedShares = [ "/etc" "/var" ];
|
||||
mem = 1024;
|
||||
};
|
||||
microvm.mem = 1024;
|
||||
|
||||
networking = {
|
||||
hostName = "gnunet";
|
||||
|
|
|
@ -3,30 +3,38 @@
|
|||
"list": [
|
||||
{
|
||||
"builtIn": 1,
|
||||
"datasource": "-- Grafana --",
|
||||
"datasource": {
|
||||
"type": "datasource",
|
||||
"uid": "grafana"
|
||||
},
|
||||
"enable": true,
|
||||
"hide": true,
|
||||
"iconColor": "rgba(0, 211, 255, 1)",
|
||||
"name": "Annotations & Alerts",
|
||||
"target": {
|
||||
"limit": 100,
|
||||
"matchAny": false,
|
||||
"tags": [],
|
||||
"type": "dashboard"
|
||||
},
|
||||
"type": "dashboard"
|
||||
}
|
||||
]
|
||||
},
|
||||
"editable": true,
|
||||
"gnetId": null,
|
||||
"fiscalYearStartMonth": 0,
|
||||
"graphTooltip": 0,
|
||||
"id": 21,
|
||||
"links": [],
|
||||
"liveNow": false,
|
||||
"panels": [
|
||||
{
|
||||
"aliasColors": {},
|
||||
"bars": false,
|
||||
"dashLength": 10,
|
||||
"dashes": false,
|
||||
"datasource": null,
|
||||
"fieldConfig": {
|
||||
"defaults": {},
|
||||
"overrides": []
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"fill": 6,
|
||||
"fillGradient": 0,
|
||||
|
@ -55,7 +63,7 @@
|
|||
"alertThreshold": true
|
||||
},
|
||||
"percentage": false,
|
||||
"pluginVersion": "7.5.11",
|
||||
"pluginVersion": "9.3.1",
|
||||
"pointradius": 2,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
|
@ -66,6 +74,10 @@
|
|||
"targets": [
|
||||
{
|
||||
"alias": "$tag_host C2S $tag_type_instance",
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"groupBy": [
|
||||
{
|
||||
"params": [
|
||||
|
@ -121,9 +133,7 @@
|
|||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeFrom": null,
|
||||
"timeRegions": [],
|
||||
"timeShift": null,
|
||||
"title": "Client to Server connections",
|
||||
"tooltip": {
|
||||
"shared": true,
|
||||
|
@ -132,9 +142,7 @@
|
|||
},
|
||||
"type": "graph",
|
||||
"xaxis": {
|
||||
"buckets": null,
|
||||
"mode": "time",
|
||||
"name": null,
|
||||
"show": true,
|
||||
"values": []
|
||||
},
|
||||
|
@ -142,75 +150,107 @@
|
|||
{
|
||||
"$$hashKey": "object:58",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
},
|
||||
{
|
||||
"$$hashKey": "object:59",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
}
|
||||
],
|
||||
"yaxis": {
|
||||
"align": false,
|
||||
"alignLevel": null
|
||||
"align": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"aliasColors": {},
|
||||
"bars": false,
|
||||
"dashLength": 10,
|
||||
"dashes": false,
|
||||
"datasource": null,
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"fieldConfig": {
|
||||
"defaults": {},
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
"drawStyle": "line",
|
||||
"fillOpacity": 60,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "linear",
|
||||
"lineWidth": 1,
|
||||
"pointSize": 5,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "never",
|
||||
"spanNulls": false,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "normal"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "off"
|
||||
}
|
||||
},
|
||||
"mappings": [],
|
||||
"min": 0,
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"fill": 6,
|
||||
"fillGradient": 0,
|
||||
"gridPos": {
|
||||
"h": 9,
|
||||
"w": 12,
|
||||
"x": 12,
|
||||
"y": 0
|
||||
},
|
||||
"hiddenSeries": false,
|
||||
"id": 3,
|
||||
"interval": "180",
|
||||
"legend": {
|
||||
"avg": false,
|
||||
"current": false,
|
||||
"max": false,
|
||||
"min": false,
|
||||
"show": true,
|
||||
"total": false,
|
||||
"values": false
|
||||
},
|
||||
"lines": true,
|
||||
"linewidth": 1,
|
||||
"nullPointMode": "null as zero",
|
||||
"options": {
|
||||
"alertThreshold": true
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
"sort": "none"
|
||||
}
|
||||
},
|
||||
"percentage": false,
|
||||
"pluginVersion": "7.5.11",
|
||||
"pointradius": 2,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
"seriesOverrides": [],
|
||||
"spaceLength": 10,
|
||||
"stack": true,
|
||||
"steppedLine": false,
|
||||
"pluginVersion": "9.3.1",
|
||||
"targets": [
|
||||
{
|
||||
"alias": "$tag_host S2S $tag_type_instance",
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"groupBy": [
|
||||
{
|
||||
"params": [
|
||||
|
@ -266,98 +306,97 @@
|
|||
]
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeFrom": null,
|
||||
"timeRegions": [],
|
||||
"timeShift": null,
|
||||
"title": "Incoming Server to Server connections",
|
||||
"tooltip": {
|
||||
"shared": true,
|
||||
"sort": 0,
|
||||
"value_type": "individual"
|
||||
},
|
||||
"type": "graph",
|
||||
"xaxis": {
|
||||
"buckets": null,
|
||||
"mode": "time",
|
||||
"name": null,
|
||||
"show": true,
|
||||
"values": []
|
||||
},
|
||||
"yaxes": [
|
||||
{
|
||||
"$$hashKey": "object:58",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
},
|
||||
{
|
||||
"$$hashKey": "object:59",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
}
|
||||
],
|
||||
"yaxis": {
|
||||
"align": false,
|
||||
"alignLevel": null
|
||||
}
|
||||
"type": "timeseries"
|
||||
},
|
||||
{
|
||||
"aliasColors": {},
|
||||
"bars": false,
|
||||
"dashLength": 10,
|
||||
"dashes": false,
|
||||
"datasource": null,
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"description": "",
|
||||
"fieldConfig": {
|
||||
"defaults": {},
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
"drawStyle": "line",
|
||||
"fillOpacity": 60,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "linear",
|
||||
"lineWidth": 1,
|
||||
"pointSize": 5,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "never",
|
||||
"spanNulls": false,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "normal"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "off"
|
||||
}
|
||||
},
|
||||
"mappings": [],
|
||||
"min": 0,
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"fill": 6,
|
||||
"fillGradient": 0,
|
||||
"gridPos": {
|
||||
"h": 9,
|
||||
"w": 12,
|
||||
"x": 12,
|
||||
"y": 9
|
||||
},
|
||||
"hiddenSeries": false,
|
||||
"id": 4,
|
||||
"interval": "180",
|
||||
"legend": {
|
||||
"avg": false,
|
||||
"current": false,
|
||||
"max": false,
|
||||
"min": false,
|
||||
"show": true,
|
||||
"total": false,
|
||||
"values": false
|
||||
},
|
||||
"lines": true,
|
||||
"linewidth": 1,
|
||||
"nullPointMode": "null as zero",
|
||||
"options": {
|
||||
"alertThreshold": true
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
"sort": "none"
|
||||
}
|
||||
},
|
||||
"percentage": false,
|
||||
"pluginVersion": "7.5.11",
|
||||
"pointradius": 2,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
"seriesOverrides": [],
|
||||
"spaceLength": 10,
|
||||
"stack": true,
|
||||
"steppedLine": false,
|
||||
"pluginVersion": "9.3.1",
|
||||
"targets": [
|
||||
{
|
||||
"alias": "$tag_host S2S out $tag_type_instance",
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "P79EA3E036FD9FF91"
|
||||
},
|
||||
"groupBy": [
|
||||
{
|
||||
"params": [
|
||||
|
@ -412,64 +451,25 @@
|
|||
]
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeFrom": null,
|
||||
"timeRegions": [],
|
||||
"timeShift": null,
|
||||
"title": "Outgoing Server to Server connections",
|
||||
"tooltip": {
|
||||
"shared": true,
|
||||
"sort": 0,
|
||||
"value_type": "individual"
|
||||
},
|
||||
"type": "graph",
|
||||
"xaxis": {
|
||||
"buckets": null,
|
||||
"mode": "time",
|
||||
"name": null,
|
||||
"show": true,
|
||||
"values": []
|
||||
},
|
||||
"yaxes": [
|
||||
{
|
||||
"$$hashKey": "object:58",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
},
|
||||
{
|
||||
"$$hashKey": "object:59",
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
}
|
||||
],
|
||||
"yaxis": {
|
||||
"align": false,
|
||||
"alignLevel": null
|
||||
}
|
||||
"type": "timeseries"
|
||||
}
|
||||
],
|
||||
"refresh": "5s",
|
||||
"schemaVersion": 27,
|
||||
"schemaVersion": 37,
|
||||
"style": "dark",
|
||||
"tags": [],
|
||||
"templating": {
|
||||
"list": []
|
||||
},
|
||||
"time": {
|
||||
"from": "now-2d",
|
||||
"from": "now-30d",
|
||||
"to": "now"
|
||||
},
|
||||
"timepicker": {},
|
||||
"timezone": "",
|
||||
"title": "Prosody",
|
||||
"uid": "UX0rEpd7z",
|
||||
"version": 3
|
||||
"version": 1,
|
||||
"weekStart": ""
|
||||
}
|
|
@ -26,7 +26,6 @@
|
|||
"editable": true,
|
||||
"fiscalYearStartMonth": 0,
|
||||
"graphTooltip": 0,
|
||||
"iteration": 1655678212481,
|
||||
"links": [],
|
||||
"liveNow": false,
|
||||
"panels": [
|
||||
|
@ -41,6 +40,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -99,7 +100,8 @@
|
|||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "bottom"
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
|
@ -199,7 +201,7 @@
|
|||
"alertThreshold": true
|
||||
},
|
||||
"percentage": false,
|
||||
"pluginVersion": "8.5.6",
|
||||
"pluginVersion": "9.3.1",
|
||||
"pointradius": 2,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
|
@ -322,6 +324,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -380,7 +384,8 @@
|
|||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "bottom"
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
|
@ -535,6 +540,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "Temperature",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -621,8 +628,9 @@
|
|||
"options": {
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "hidden",
|
||||
"placement": "bottom"
|
||||
"displayMode": "list",
|
||||
"placement": "bottom",
|
||||
"showLegend": false
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single",
|
||||
|
@ -862,7 +870,7 @@
|
|||
"alertThreshold": true
|
||||
},
|
||||
"percentage": false,
|
||||
"pluginVersion": "8.5.6",
|
||||
"pluginVersion": "9.3.1",
|
||||
"pointradius": 2,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
|
@ -992,6 +1000,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -1172,8 +1182,9 @@
|
|||
"options": {
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "hidden",
|
||||
"placement": "bottom"
|
||||
"displayMode": "list",
|
||||
"placement": "bottom",
|
||||
"showLegend": false
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
|
@ -1269,6 +1280,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -1362,7 +1375,8 @@
|
|||
"max"
|
||||
],
|
||||
"displayMode": "table",
|
||||
"placement": "bottom"
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
|
@ -1533,6 +1547,8 @@
|
|||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
|
@ -1566,8 +1582,7 @@
|
|||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
"color": "green"
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
|
@ -1591,7 +1606,8 @@
|
|||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "bottom"
|
||||
"placement": "bottom",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
|
@ -1748,7 +1764,7 @@
|
|||
}
|
||||
],
|
||||
"refresh": false,
|
||||
"schemaVersion": 36,
|
||||
"schemaVersion": 37,
|
||||
"style": "dark",
|
||||
"tags": [],
|
||||
"templating": {
|
||||
|
@ -1756,17 +1772,10 @@
|
|||
{
|
||||
"current": {
|
||||
"selected": false,
|
||||
"text": "server10",
|
||||
"value": "server10"
|
||||
},
|
||||
"datasource": {
|
||||
"type": "influxdb",
|
||||
"uid": "000000001"
|
||||
"text": "hydra",
|
||||
"value": "hydra"
|
||||
},
|
||||
"definition": "SHOW TAG VALUES WITH KEY = \"host\"",
|
||||
"error": {
|
||||
"message": "Datasource 000000001 was not found"
|
||||
},
|
||||
"hide": 0,
|
||||
"includeAll": false,
|
||||
"multi": false,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, pkgs, lib, modulesPath, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
restartServices = [ "grafana" "influxdb" ];
|
||||
|
@ -11,8 +11,6 @@ in {
|
|||
c3d2.isInHq = false;
|
||||
|
||||
services.openssh.enable = true;
|
||||
# noXlibs breaks cairo:
|
||||
environment.noXlibs = false;
|
||||
|
||||
networking.hostName = "grafana";
|
||||
|
||||
|
@ -41,7 +39,7 @@ in {
|
|||
datasources.settings.datasources = map (datasource: {
|
||||
inherit (datasource) name type access orgId url password user database isDefault jsonData;
|
||||
}) (with builtins; fromJSON (readFile ./datasources.json));
|
||||
dashboards = [ {
|
||||
dashboards.settings.providers = [ {
|
||||
settings = {
|
||||
apiVersion = 1;
|
||||
providers = [ {
|
||||
|
@ -69,7 +67,7 @@ in {
|
|||
services.influxdb = let
|
||||
collectdTypes = pkgs.runCommand "collectd-types" {} ''
|
||||
mkdir -p $out/share/collectd
|
||||
cat ${config.services.collectd.package}/share/collectd/types.db >> $out/share/collectd/types.db
|
||||
cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db
|
||||
echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
|
||||
'';
|
||||
in {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ config, pkgs, zentralwerk, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
@ -18,9 +18,9 @@
|
|||
|
||||
networking = {
|
||||
hostName = "hedgedoc";
|
||||
hosts = {
|
||||
"2a00:8180:2c00:282::48" = [ "auth.c3d2.de" ];
|
||||
"172.20.73.72" = [ "auth.c3d2.de" ];
|
||||
hosts = with zentralwerk.lib.config.site.net.serv; {
|
||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||
};
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
|
|
@ -1,5 +1,8 @@
|
|||
{ zentralwerk, config, pkgs, lib, ... }:
|
||||
{ config, lib, pkgs, zentralwerk, ... }:
|
||||
|
||||
let
|
||||
cachePort = 5000;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
@ -9,28 +12,9 @@
|
|||
../../modules/c3d2.nix
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
security.pam.enableSSHAgentAuth = true;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
|
||||
programs.mosh.enable = true;
|
||||
|
||||
nix = {
|
||||
sshServe.enable = true;
|
||||
trustedUsers = [ "@wheel" ];
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
cores = 20;
|
||||
keep-outputs = true;
|
||||
max-jobs = 8;
|
||||
# restore default overridden by harmonia
|
||||
allowed-users = lib.mkForce [ "*" ];
|
||||
};
|
||||
c3d2 = {
|
||||
hq.statistics.enable = true;
|
||||
simd.arch = "ivybridge";
|
||||
};
|
||||
|
||||
boot = {
|
||||
|
@ -43,14 +27,265 @@
|
|||
binfmt.emulatedSystems = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" "riscv32-linux" "riscv64-linux" ];
|
||||
};
|
||||
|
||||
nix = {
|
||||
buildMachines = [{
|
||||
hostName = "client@dacbert.hq.c3d2.de";
|
||||
system = lib.concatStringsSep "," [
|
||||
"aarch64-linux" "armv6l-linux" "armv7l-linux"
|
||||
];
|
||||
supportedFeatures = [ "kvm" "nixos-test" ];
|
||||
maxJobs = 1;
|
||||
}];
|
||||
daemonCPUSchedPolicy = "idle";
|
||||
daemonIOSchedClass = "idle";
|
||||
daemonIOSchedPriority = 7;
|
||||
settings = {
|
||||
allowed-uris = "http:// https:// ssh://";
|
||||
auto-optimise-store = true;
|
||||
builders-use-substitutes = true;
|
||||
cores = 20;
|
||||
keep-outputs = true;
|
||||
max-jobs = 8;
|
||||
trusted-users = [ "hydra" "root" "@wheel" ];
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# disabled because currently it display `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
|
||||
# containers = {
|
||||
# hydra-ca = {
|
||||
# autoStart = true;
|
||||
# config = { ... }: {
|
||||
# imports = [
|
||||
# hydra-ca.nixosModules.hydra
|
||||
# ];
|
||||
|
||||
# environment.systemPackages = with pkgs; [ git ];
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ 3001 ];
|
||||
|
||||
# nix = {
|
||||
# settings = {
|
||||
# allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
|
||||
# builders-use-substitutes = true;
|
||||
# experimental-features = "ca-derivations nix-command flakes";
|
||||
# extra-substituters = "https://cache.ngi0.nixos.org/";
|
||||
# extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
|
||||
# substituters = [
|
||||
# "https://cache.ngi0.nixos.org/"
|
||||
# ];
|
||||
# trusted-public-keys = [
|
||||
# "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
# nixpkgs = {
|
||||
# # config.contentAddressedByDefault = true;
|
||||
# overlays = [ self.overlay ];
|
||||
# };
|
||||
|
||||
# services = {
|
||||
# hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
|
||||
# hydraURL = "https://hydra-ca.hq.c3d2.de";
|
||||
# port = 3001;
|
||||
# };
|
||||
# };
|
||||
|
||||
# system.stateVersion = "22.05"; # Did you read the comment? No.
|
||||
# };
|
||||
# hostAddress = "192.168.100.1";
|
||||
# localAddress = "192.168.100.2";
|
||||
# privateNetwork = true;
|
||||
# };
|
||||
# };
|
||||
|
||||
networking = {
|
||||
hosts = with zentralwerk.lib.config.site.net.serv; {
|
||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||
};
|
||||
hostName = "hydra";
|
||||
firewall.enable = false;
|
||||
nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||
# nat = {
|
||||
# enable = true;
|
||||
# externalInterface = "serv";
|
||||
# internalInterfaces = [ "ve-hydra-ca" ];
|
||||
# };
|
||||
};
|
||||
|
||||
c3d2.hq.statistics.enable = true;
|
||||
services.smartd.enable = true;
|
||||
services = {
|
||||
hydra = {
|
||||
enable = true;
|
||||
buildMachinesFiles = [
|
||||
"/etc/nix/machines"
|
||||
"/var/lib/hydra/machines"
|
||||
];
|
||||
hydraURL = "https://hydra.hq.c3d2.de";
|
||||
logo = ./c3d2.svg;
|
||||
minimumDiskFree = 50;
|
||||
minimumDiskFreeEvaluator = 50;
|
||||
notificationSender = "hydra@spam.works";
|
||||
useSubstitutes = true;
|
||||
extraConfig =
|
||||
let
|
||||
key = config.sops.secrets."nix-serve/secretKey".path;
|
||||
in
|
||||
''
|
||||
binary_cache_secret_key_file = ${key}
|
||||
evaluator_workers = 4
|
||||
evaluator_max_memory_size = 2048
|
||||
max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
|
||||
store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
|
||||
upload_logs_to_binary_cache = true
|
||||
|
||||
system.stateVersion = "20.09"; # Did you read the comment?
|
||||
# https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
|
||||
<ldap>
|
||||
<config>
|
||||
<credential>
|
||||
class = Password
|
||||
password_field = password
|
||||
password_type = self_check
|
||||
</credential>
|
||||
<store>
|
||||
class = LDAP
|
||||
ldap_server = auth.c3d2.de
|
||||
<ldap_server_options>
|
||||
scheme = ldaps
|
||||
timeout = 10
|
||||
</ldap_server_options>
|
||||
binddn = "uid=search,ou=users,dc=c3d2,dc=de"
|
||||
include ldap-password.conf
|
||||
start_tls = 0
|
||||
<start_tls_options>
|
||||
ciphers = TLS_AES_256_GCM_SHA384
|
||||
sslversion = tlsv1_3
|
||||
# verify = none
|
||||
</start_tls_options>
|
||||
user_basedn = "ou=users,dc=c3d2,dc=de"
|
||||
user_filter = "(&(objectclass=person)(uid=%s))"
|
||||
user_scope = one
|
||||
user_field = uid
|
||||
<user_search_options>
|
||||
deref = always
|
||||
</user_search_options>
|
||||
# Important for role mappings to work:
|
||||
use_roles = 1
|
||||
role_basedn = "ou=groups,dc=c3d2,dc=de"
|
||||
role_filter = "(&(objectclass=group)(%s))"
|
||||
role_scope = one
|
||||
role_field = cn
|
||||
role_value = dn
|
||||
<role_search_options>
|
||||
deref = always
|
||||
</role_search_options>
|
||||
</store>
|
||||
</config>
|
||||
<role_mapping>
|
||||
# maps directly to user roles
|
||||
# Make all users in the hydra-admin group Hydra admins
|
||||
hydra-admins = admin
|
||||
# Allow all users in the dev group to restart jobs and cancel builds
|
||||
#dev = restart-jobs
|
||||
#dev = cancel-build
|
||||
</role_mapping>
|
||||
</ldap>
|
||||
'';
|
||||
};
|
||||
|
||||
# A rust nix binary cache
|
||||
harmonia = {
|
||||
enable = true;
|
||||
settings = {
|
||||
bind = "127.0.0.1:${toString cachePort}";
|
||||
workers = 20;
|
||||
max_connection_rate = 1024;
|
||||
priority = 30;
|
||||
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
|
||||
};
|
||||
};
|
||||
|
||||
nginx =
|
||||
let
|
||||
hydraVhost = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
|
||||
};
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"hydra.hq.c3d2.de" = hydraVhost // {
|
||||
default = true;
|
||||
};
|
||||
# "hydra-ca.hq.c3d2.de" = hydraVhost // {
|
||||
# locations."/".proxyPass = "http://192.168.100.2:3001";
|
||||
# };
|
||||
"hydra.serv.zentralwerk.org" = hydraVhost;
|
||||
"nix-serve.hq.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString cachePort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
smartd.enable = true;
|
||||
|
||||
resolved.enable = false;
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."nix-serve/secretKey" = {
|
||||
mode = "440";
|
||||
owner = config.users.users.hydra-queue-runner.name;
|
||||
inherit (config.users.users.hydra-queue-runner) group;
|
||||
};
|
||||
secrets."ldap/search-user-pw" = {
|
||||
mode = "440";
|
||||
owner = config.users.users.hydra-queue-runner.name;
|
||||
inherit (config.users.users.hydra-queue-runner) group;
|
||||
path = "/var/lib/hydra/ldap-password.conf";
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
|
||||
systemd.services = {
|
||||
hydra-evaluator.serviceConfig = {
|
||||
CPUWeight = 2;
|
||||
MemoryHigh = "64G";
|
||||
MemoryMax = "64G";
|
||||
MemorySwapMax = "64G";
|
||||
};
|
||||
|
||||
hydra-init.preStart = let
|
||||
makesSenseForQemuUser = feature:
|
||||
! (builtins.elem feature [ "kvm" "benchmark" ]);
|
||||
# strips features that don't make sense on qemu-user
|
||||
extraPlatformSystemFeatures =
|
||||
builtins.filter makesSenseForQemuUser config.nix.settings.system-features;
|
||||
in
|
||||
# both entries cannot have localhost alone because then hydra would merge them together but we want explictily two to not allow benchmarkts for binfmt emulated arches
|
||||
''
|
||||
cat << EOF > ~/machines
|
||||
localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
|
||||
hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} -
|
||||
EOF
|
||||
'';
|
||||
|
||||
nix-daemon.serviceConfig = {
|
||||
CPUWeight = 5;
|
||||
MemoryHigh = "64G";
|
||||
MemoryMax = "64G";
|
||||
MemorySwapMax = "64G";
|
||||
};
|
||||
};
|
||||
|
||||
# allow reading nix-serve secret
|
||||
users.users.harmonia.extraGroups = [ "hydra" ];
|
||||
}
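Review bot: Adding `harmonia` to the `hydra` group (`users.users.harmonia.extraGroups = [ "hydra" ];`) gives the cache daemon more than the signing key. `secrets."ldap/search-user-pw"` is also mode `440` with the `hydra-queue-runner` group, so the process behind the `nix-serve.hq.c3d2.de` vhost can read the LDAP bind password at `/var/lib/hydra/ldap-password.conf` too. A dedicated group for `nix-serve/secretKey` holding only the queue runner and harmonia would keep the two secrets apart, as would `mode = "400"` on the LDAP secret with the owner set to whichever Hydra account parses the `<ldap>` block. Separately, `networking.firewall.enable = false;` sits next to proxy targets on `localhost`. Unless Hydra's listener is bound to loopback elsewhere, its plain-HTTP port is presumably reachable without the `forceSSL` vhosts, which matters more now that LDAP passwords are entered there.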
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
|
|
@ -1,184 +1,2 @@
|
|||
{ self, hostRegistry, hydra-ca, config, lib, pkgs, ... }:
|
||||
{ config, lib, zentralwerk, ... }:
|
||||
|
||||
let
|
||||
cachePort = 5000;
|
||||
|
||||
in
|
||||
{
|
||||
# disabled because currently it display `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
|
||||
# containers = {
|
||||
# hydra-ca = {
|
||||
# autoStart = true;
|
||||
# config = { ... }: {
|
||||
# imports = [
|
||||
# hydra-ca.nixosModules.hydra
|
||||
# ];
|
||||
|
||||
# environment.systemPackages = with pkgs; [ git ];
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ 3001 ];
|
||||
|
||||
# nix = {
|
||||
# settings = {
|
||||
# allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
|
||||
# builders-use-substitutes = true;
|
||||
# experimental-features = "ca-derivations nix-command flakes";
|
||||
# extra-substituters = "https://cache.ngi0.nixos.org/";
|
||||
# extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
|
||||
# substituters = [
|
||||
# "https://cache.ngi0.nixos.org/"
|
||||
# ];
|
||||
# trusted-public-keys = [
|
||||
# "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
# nixpkgs = {
|
||||
# # config.contentAddressedByDefault = true;
|
||||
# overlays = [ self.overlay ];
|
||||
# };
|
||||
|
||||
# services = {
|
||||
# hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
|
||||
# hydraURL = "https://hydra-ca.hq.c3d2.de";
|
||||
# port = 3001;
|
||||
# };
|
||||
# };
|
||||
|
||||
# system.stateVersion = "22.05"; # Did you read the comment? No.
|
||||
# };
|
||||
# hostAddress = "192.168.100.1";
|
||||
# localAddress = "192.168.100.2";
|
||||
# privateNetwork = true;
|
||||
# };
|
||||
# };
|
||||
|
||||
# networking.nat = {
|
||||
# enable = true;
|
||||
# externalInterface = "serv";
|
||||
# internalInterfaces = [ "ve-hydra-ca" ];
|
||||
# };
|
||||
|
||||
nix = {
|
||||
buildMachines = [{
|
||||
hostName = "client@dacbert.hq.c3d2.de";
|
||||
system = lib.concatStringsSep "," [
|
||||
"aarch64-linux" "armv6l-linux" "armv7l-linux"
|
||||
];
|
||||
supportedFeatures = [ "kvm" "nixos-test" ];
|
||||
maxJobs = 1;
|
||||
}];
|
||||
daemonCPUSchedPolicy = "idle";
|
||||
daemonIOSchedClass = "idle";
|
||||
daemonIOSchedPriority = 7;
|
||||
settings = {
|
||||
allowed-uris = "http:// https:// ssh://";
|
||||
builders-use-substitutes = true;
|
||||
experimental-features = "ca-derivations nix-command flakes";
|
||||
trusted-users = [ "hydra" "root" ];
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
hydra = {
|
||||
enable = true;
|
||||
buildMachinesFiles = [
|
||||
"/etc/nix/machines"
|
||||
"/var/lib/hydra/machines"
|
||||
];
|
||||
hydraURL = "https://hydra.hq.c3d2.de";
|
||||
logo = ./c3d2.svg;
|
||||
minimumDiskFree = 50;
|
||||
minimumDiskFreeEvaluator = 50;
|
||||
notificationSender = "hydra@spam.works";
|
||||
useSubstitutes = true;
|
||||
extraConfig =
|
||||
let
|
||||
key = config.sops.secrets."nix-serve/secretKey".path;
|
||||
in
|
||||
''
|
||||
binary_cache_secret_key_file = ${key}
|
||||
evaluator_workers = 4
|
||||
evaluator_max_memory_size = 2048
|
||||
max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
|
||||
store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
|
||||
upload_logs_to_binary_cache = true
|
||||
'';
|
||||
};
|
||||
|
||||
# A rust nix binary cache
|
||||
harmonia = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
bind = "127.0.0.1:${toString cachePort}";
|
||||
workers = "20";
|
||||
max_connection_rate = 1024;
|
||||
priority = 30;
|
||||
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
|
||||
};
|
||||
};
|
||||
|
||||
nginx =
|
||||
let
|
||||
hydraVhost = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
|
||||
};
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"hydra.hq.c3d2.de" = hydraVhost // {
|
||||
default = true;
|
||||
};
|
||||
# "hydra-ca.hq.c3d2.de" = hydraVhost // {
|
||||
# locations."/".proxyPass = "http://192.168.100.2:3001";
|
||||
# };
|
||||
"hydra.serv.zentralwerk.org" = hydraVhost;
|
||||
"nix-serve.hq.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString cachePort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
resolved.enable = false;
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."nix-serve/secretKey".mode = "0444";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
hydra-evaluator.serviceConfig = {
|
||||
CPUWeight = 2;
|
||||
MemoryHigh = "64G";
|
||||
MemoryMax = "64G";
|
||||
MemorySwapMax = "64G";
|
||||
};
|
||||
|
||||
hydra-init.preStart = let
|
||||
makesSenseForQemuUser = feature:
|
||||
! (builtins.elem feature [ "kvm" "benchmark" ]);
|
||||
# strips features that don't make sense on qemu-user
|
||||
extraPlatformSystemFeatures =
|
||||
builtins.filter makesSenseForQemuUser config.nix.settings.system-features;
|
||||
in ''
|
||||
cat << EOF > ~/machines
|
||||
localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
|
||||
hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} -
|
||||
EOF
|
||||
'';
|
||||
|
||||
nix-daemon.serviceConfig = {
|
||||
CPUWeight = 5;
|
||||
MemoryHigh = "64G";
|
||||
MemoryMax = "64G";
|
||||
MemorySwapMax = "64G";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
nix-serve:
|
||||
publicKey: ENC[AES256_GCM,data:sR5wk7yvH5+lLpSIP0zNqCLvDRRvR8ws4Q8rVcVJx8YkrywwPcvIsJ1h6mVEu3nc6SLoZlQsuxOGCyNGD98CBNY=,iv:fFV2D27hWoxGtqVt3EnS4hMlrqW5LnIZ3LB5k4xmFWs=,tag:g7R1ossy2On6B2nVfKC9iA==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
|
||||
ldap:
|
||||
search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -24,8 +27,8 @@ sops:
|
|||
K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
|
||||
O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-25T21:00:25Z"
|
||||
mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
|
||||
lastmodified: "2022-12-18T17:49:41Z"
|
||||
mac: ENC[AES256_GCM,data:oQGsk4gJ4dGCr3zCanOpSsKQyx/OuWiYe0ef8pvWhqFq0+YvwUzoiF3jQmqahLWGLHUl1yb1kb91GEr7q47G83Z9YXVVtTTzJUWpKZQL1WD12f5ERPSlKnT251fvoMtqNqKrRirGA9ao8OxVpeh3/SQCAGTqWAcpz1J7dxvL7E4=,iv:td9t1MKcXH5RYZxsD1wA4oG61AfLLGSiVIEq/sPRZG4=,tag:UqHGkKqXeeBYXQYtvplCdA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:31:58Z"
|
||||
enc: |
|
||||
|
|
|
@ -26,27 +26,14 @@
|
|||
# `...-' `...-'
|
||||
#--------------------------------------------------------------------------------
|
||||
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
microvm = {
|
||||
deployment = {
|
||||
persistedShares = [ "/etc" "/home" "/var" ];
|
||||
mem = 2048;
|
||||
writableStoreOverlay = "/nix/.rw-store";
|
||||
volumes = [ {
|
||||
image = "nix-store-overlay.img";
|
||||
mountPoint = config.microvm.writableStoreOverlay;
|
||||
size = 3048;
|
||||
} ];
|
||||
};
|
||||
nix.settings.auto-optimise-store = lib.mkForce false;
|
||||
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "home" "var"];
|
||||
autoNetSetup = true;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "leon";
|
||||
firewall.enable = true;
|
||||
|
@ -65,26 +52,23 @@
|
|||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim python3Full python310Packages.pip nmap htop wireguard-tools docker-compose
|
||||
wget vim python3Full python310Packages.pip python310Packages.flask nmap htop wireguard-tools docker-compose
|
||||
];
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
|
||||
users.users.leon = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
createHome = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
|
||||
];
|
||||
openssh.authorizedKeys.keys = with import ../../users.nix;
|
||||
leon.sshKeys;
|
||||
};
|
||||
|
||||
networking.nameservers = ["172.20.73.8" "9.9.9.9"];
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 5000 22 53 80 8080 ];
|
||||
allowedUDPPorts = [ 5000 22 53 80 8080 18900 19900 ];
|
||||
allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ];
|
||||
allowedUDPPorts = [ 53 80 8080 18900 19900 ];
|
||||
};
|
||||
|
||||
#_______________________________Begin-VPN1-Server____________________________________
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
|
@ -172,16 +156,6 @@
|
|||
allowedIPs = [ "10.10.11.30" ];
|
||||
}
|
||||
#---------------------black----------------------------.
|
||||
{
|
||||
#black-phone
|
||||
publicKey= "3GEocBTOztOKWtWQFOmI5hynPiPcMMe54kVaHECAG1A=";
|
||||
allowedIPs = [ "10.10.11.90" ];
|
||||
}
|
||||
{
|
||||
#black-desktop
|
||||
publicKey= "24TAa1HMXTPaFNfbXLkuxVy305NjSAegMSYjKLH5Kjc=";
|
||||
allowedIPs = [ "10.10.11.91" ];
|
||||
}
|
||||
|
||||
];
|
||||
};
|
||||
|
@ -219,20 +193,45 @@ networking.wireguard.interfaces = {
|
|||
|
||||
#-----------------------------ngin-X--------------------------------
|
||||
|
||||
# services.nginx = {
|
||||
# listen 80;
|
||||
# enable = true;
|
||||
# virtualHosts."bicospacetech.c3d2.de" = {
|
||||
# default = true;
|
||||
# forceSSL = true;
|
||||
# enableACME = true;
|
||||
# locations."/login" = {
|
||||
# proxyPass = "http://10.10.11.1:80";
|
||||
# proxyWebsockets = true;
|
||||
# };
|
||||
# };
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."bicospacetech.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://45.158.40.162:12000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
virtualHosts."bicospacetech.cloud.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://45.158.40.165:80";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
virtualHosts."bicospacetech.stream.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.10.11.4:14500";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
virtualHosts."portainer.netlab.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.10.11.60:9000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
#-----------------------------ngin-X--------------------------------
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
}
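Review bot: Port `12000` appears to be added to `allowedTCPPorts` while the `bicospacetech.c3d2.de` vhost forwards to `http://45.158.40.162:12000`, so the backend is reachable from outside over plain HTTP alongside the `forceSSL` front. If that service runs on this machine, `proxyPass = "http://127.0.0.1:12000";` and dropping `12000` from the firewall list would leave nginx as the only entry point. If it runs elsewhere, the hop crosses a public address unencrypted, and a WireGuard address would be the safer target, as the stream and portainer vhosts already use. The `portainer.netlab.c3d2.de` vhost also publishes a container-management UI with no source restriction. `extraConfig = "allow 10.10.11.0/24; deny all;";` on its location would limit it to VPN peers, if that fits the intended use.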
|
||||
|
|
|
@ -1,24 +1,14 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
microvm = {
|
||||
mem = 4024;
|
||||
writableStoreOverlay = "/nix/.rw-store";
|
||||
volumes = [ {
|
||||
image = "nix-store-overlay.img";
|
||||
mountPoint = config.microvm.writableStoreOverlay;
|
||||
size = 32 * 1024;
|
||||
} ];
|
||||
deployment = {
|
||||
persistedShares = [ "/etc" "/home" "/var" ];
|
||||
storage = "big";
|
||||
mem = 2048;
|
||||
};
|
||||
|
||||
nix.settings.auto-optimise-store = lib.mkForce false;
|
||||
|
||||
c3d2.deployment = {
|
||||
server = "server9";
|
||||
mounts = [ "etc" "home" "var" ];
|
||||
autoNetSetup = true;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "leoncloud";
|
||||
firewall.enable = true;
|
||||
|
@ -38,6 +28,7 @@
|
|||
vim
|
||||
python3Full
|
||||
python310Packages.pip
|
||||
python310Packages.flask
|
||||
nmap
|
||||
htop
|
||||
wireguard-tools
|
||||
|
@ -48,19 +39,15 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
createHome = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
|
||||
];
|
||||
};
|
||||
openssh.authorizedKeys.keys = with import ../../users.nix;
|
||||
leon.sshKeys;
|
||||
};
|
||||
|
||||
|
||||
# enable IP routing
|
||||
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
|
||||
boot.kernel.sysctl."net.ipv4.conf.default.forwarding" = 1;
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 80 443 22 53 14000 14500 15000 ];
|
||||
allowedTCPPorts = [ 80 443 8080 22 53 14000 14500 15000 ];
|
||||
allowedUDPPorts = [ 18900 53 ];
|
||||
};
|
||||
|
||||
|
@ -79,7 +66,7 @@
|
|||
privateKeyFile = "/etc/nixos/wireguard-keys/private-key";
|
||||
peers = [
|
||||
{
|
||||
publicKey = "w3qegSSuqFTFrGk4XJaWBSwGDOiqbnnAIR9MzwjYVA8=";
|
||||
publicKey = "iEVq4lvvKFfqjcoYYyNkA0MS8rcSGaDfPwQGN3C7+D0=";
|
||||
allowedIPs = [ "10.10.11.0/24" ];
|
||||
endpoint = "45.158.40.162:18900";
|
||||
persistentKeepalive = 25;
|
||||
|
@ -102,8 +89,8 @@ services.nextcloud = {
|
|||
dbname = "nextcloud";
|
||||
adminpassFile = "/etc/nixos/next-cloud/pass";
|
||||
adminuser = "root";
|
||||
extraTrustedDomains = [ "45.158.40.162" "172.20.79.254" "10.10.11.4" "10.10.11.1" ];
|
||||
};
|
||||
extraTrustedDomains = ["10.10.11.4" "10.10.11.1" "45.158.40.165" "bicospacetech.cloud.c3d2.de"];
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
|
@ -123,6 +110,8 @@ services.nextcloud = {
|
|||
after = ["postgresql.service"];
|
||||
};
|
||||
|
||||
|
||||
|
||||
#<-----------------nextcloud----------------------
|
||||
|
||||
system.stateVersion = "22.05";
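Review bot: `8080` appears to be added to `allowedTCPPorts`, but nothing visible in these hunks listens on it, and the list already exposes `53`, `14000`, `14500` and `15000` as well. Every port in this list is open to any source, so it is worth trimming to the services that are meant to be public, for example `allowedTCPPorts = [ 80 443 22 ];`. Ports that only VPN peers need could move to `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts`. The interface name is outside the hunks shown, so it is a placeholder here.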
|
||||
|
|
|
@ -6,7 +6,8 @@ let
|
|||
ldap-auth-config = pkgs.writeText ''
|
||||
hosts = auth.c3d2.de
|
||||
dn = uid=search,ou=users,dc=c3d2,dc=de
|
||||
dnpass = #add cat sops help where credential sandro help
|
||||
|
||||
!include ${config.sops.secrets."ldap/search-user-pw".path}
|
||||
auth_bind = yes
|
||||
auth_bind_userdn = uid=%u,ou=users,dc=c3d2,dc=de
|
||||
ldap_version = 3
|
||||
|
@ -46,6 +47,11 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
sops.secrets."ldap/search-user-pw" = {
|
||||
owner = config.systemd.services.dovecot2.serviceConfig.User;
|
||||
group = config.systemd.services.dovecot2.serviceConfig.Group;
|
||||
};
|
||||
|
||||
services = {
|
||||
postfix = {
|
||||
enable = true;
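Review bot: `owner = config.systemd.services.dovecot2.serviceConfig.User;` and the matching `Group` line only evaluate if the dovecot2 unit defines `User=`/`Group=`, which these hunks do not show. If the unit leaves them unset, the attribute lookup aborts the build. `owner = config.services.dovecot2.user;` and `group = config.services.dovecot2.group;` name the configured account directly. It is also worth confirming which Dovecot process reads the `!include`d file, since the secret must be readable by that process and nothing else. The `let` block and the surrounding module continue outside the hunks.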
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
mock-data: ENC[AES256_GCM,data:fQ88gg==,iv:TphtBcDzX9xHW8eu4BwyitiOg6D6pnTRUrVtMUOjKTo=,tag:v4xjJNFTKyA7kbjeXDDz7w==,type:bool]
|
||||
ldap:
|
||||
search-user-pw: ENC[AES256_GCM,data:Pd6Qy8Ilu1RAkIOnpHNoGV+VBNCg/IAl9InWOGDlsTSbDVqK4B5aUmX2sl0=,iv:nZQwmiWJtQ4AmzAgv3Fhh625K11U4uxTCE6Rj5okRns=,tag:v9pVGrSQoaGGYG5X8wUyoA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -23,8 +24,8 @@ sops:
|
|||
bTBPcjZCZFNBWWtUVGNRUWE4eTA1ZjgKF4qoSyKCL2ytTf5vZRVLFr89R5/7HCji
|
||||
hsPXdE607b+s5PAaOPMWF8Zfy7QJr6hqG9+Pbr4FnGB5nTvTsO5d3Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-02-25T18:51:17Z"
|
||||
mac: ENC[AES256_GCM,data:/xwOBXbYBd9TqosVFDEAyjVBOcZ1NdxNEz5nTmaFwiBHJSICflX54YSx+1QT44jFCkDFdvf3ZSojZ/bJ9EBsGZycaa4dQvReF5jjMnDzdwPvf+R84F/QuyHZTNnxXfneXUP9SWcenREr/ku/96x7ignKg1n4YsRq1hiot4W8sFk=,iv:7gzXGTlZ+A6ihSF6B94ttyWlREXLTUJukv45nBYPVKI=,tag:E3zlnQrMs0gCNdeuX2Bmfw==,type:str]
|
||||
lastmodified: "2022-12-18T19:16:04Z"
|
||||
mac: ENC[AES256_GCM,data:7bqWB5fzhL6J18vak2pfW0Oq8mo0iLiHefCYEklTcUVVHOJy//hO9yw95gjUpGyq6Fx77SKOgu7SaM2bnBOTSdbvoz3mUsUZUUztSlJ+vrXNeD2tNHES6laa3W+lxDwl4WYOz5rPM5oOo0jWuMkIayE+fYC6d21AK8H910fdMjQ=,iv:tYIt1vi4FQezs7LoLXiF4J++KHUOQV8tYfap3l072zY=,tag:Pu0pXHG3WI1WoWXwCvKAXg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:32:09Z"
|
||||
enc: |
|
||||
|
@ -179,4 +180,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
||||
version: 3.7.3
|
||||
|
|
|
@ -0,0 +1,168 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{
|
||||
deployment = {
|
||||
mem = 16 * 1024;
|
||||
vcpu = 16;
|
||||
needForSpeed = true;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "mastodon";
|
||||
hosts = with zentralwerk.lib.config.site.net.serv; {
|
||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||
};
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||
lib.getName pkg == "elasticsearch";
|
||||
|
||||
services = {
|
||||
elasticsearch = {
|
||||
enable = true;
|
||||
package = pkgs.elasticsearch7;
|
||||
};
|
||||
|
||||
mastodon = {
|
||||
enable = true;
|
||||
localDomain = "c3d2.social";
|
||||
|
||||
smtp = {
|
||||
host = "mail.c3d2.de";
|
||||
port = 587;
|
||||
fromAddress = "mail@c3d2.social";
|
||||
authenticate = false;
|
||||
};
|
||||
|
||||
elasticsearch.host = "127.0.0.1";
|
||||
|
||||
extraConfig = {
|
||||
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
|
||||
DEFAULT_LOCALE = "de";
|
||||
WEB_CONCURRENCY = toString config.deployment.vcpu;
|
||||
# MAX_THREADS = toString 5;
|
||||
LOG_LEVEL = "debug";
|
||||
|
||||
LDAP_ENABLED = "true";
|
||||
LDAP_METHOD = "simple_tls";
|
||||
LDAP_HOST = "auth.c3d2.de";
|
||||
LDAP_PORT = "636";
|
||||
LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de";
|
||||
LDAP_BASE = "ou=users,dc=c3d2,dc=de";
|
||||
LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))";
|
||||
LDAP_UID = "uid";
|
||||
};
|
||||
|
||||
configureNginx = true;
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases = [
|
||||
"${config.networking.hostName}.flpk.zentralwerk.org"
|
||||
"social.c3d2.de"
|
||||
];
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [ {
|
||||
name = "collectd";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
} ];
|
||||
};
|
||||
};
|
||||
|
||||
# Inject LDAP secrets
|
||||
systemd.services.mastodon-init-dirs.script = lib.mkAfter ''
|
||||
cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env
|
||||
'';
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."mastodon/env" = {
|
||||
owner = "mastodon";
|
||||
};
|
||||
};
|
||||
|
||||
# Sidekiq monitoring
|
||||
c3d2.hq.statistics.enable = true;
|
||||
services.collectd.plugins = {
|
||||
redis =
|
||||
let
|
||||
queries = [ {
|
||||
command = "GET stat:processed";
|
||||
type = "counter";
|
||||
instance = "sidekiq_stat_processed";
|
||||
} {
|
||||
command = "GET stat:failed";
|
||||
type = "counter";
|
||||
instance = "sidekiq_stat_failed";
|
||||
} {
|
||||
command = "LLEN queue:#default";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_default_queue_len";
|
||||
} {
|
||||
command = "LLEN queue:#ingress";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_ingress_queue_len";
|
||||
} {
|
||||
command = "LLEN queue:#mailers";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_mailers_queue_len";
|
||||
} {
|
||||
command = "LLEN queue:#pull";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_pull_queue_len";
|
||||
} {
|
||||
command = "LLEN queue:#push";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_push_queue_len";
|
||||
} {
|
||||
command = "LLEN queue:#scheduler";
|
||||
type = "queue_length";
|
||||
instance = "sidekiq_scheduler_queue_len";
|
||||
} {
|
||||
command = "ZCARD schedule";
|
||||
type = "count";
|
||||
instance = "sidekiq_scheduled";
|
||||
} {
|
||||
command = "ZCARD retry";
|
||||
type = "count";
|
||||
instance = "sidekiq_retries";
|
||||
} {
|
||||
command = "ZCARD dead";
|
||||
type = "count";
|
||||
instance = "sidekiq_dead";
|
||||
} {
|
||||
command = "SCARD processes";
|
||||
type = "backends";
|
||||
instance = "sidekiq_processes";
|
||||
} ];
|
||||
in ''
|
||||
<Node "mastodon">
|
||||
Host "${config.services.mastodon.redis.host}"
|
||||
Port "${toString config.services.mastodon.redis.port}"
|
||||
Timeout 3000
|
||||
|
||||
${lib.concatMapStrings ({ command, type, instance }: ''
|
||||
<Query "${command}">
|
||||
Type "${type}"
|
||||
Instance "${instance}"
|
||||
</Query>
|
||||
'') queries}
|
||||
</Node>
|
||||
'';
|
||||
postgresql = ''
|
||||
<Database "${config.services.mastodon.database.name}">
|
||||
Param database "${config.services.mastodon.database.name}"
|
||||
Query backends
|
||||
Query transactions
|
||||
Query queries
|
||||
Query disk_io
|
||||
Query disk_usage
|
||||
</Database>
|
||||
'';
|
||||
};
|
||||
}
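Review bot: The `collectd` role in `postgresql.ensureUsers` is granted `ALL PRIVILEGES` on the Mastodon database, although the collectd `postgresql` plugin block only runs the statistics queries `backends`, `transactions`, `queries`, `disk_io` and `disk_usage`. A monitoring account that can create schemas and temporary objects in the production database has more than the job needs. `"DATABASE \"${config.services.mastodon.database.name}\"" = "CONNECT";` should be enough for those queries, to be confirmed against the plugin. `LOG_LEVEL = "debug";` is also worth lowering, or a comment explaining it, before this serves real users, since debug logs from a service handling LDAP logins can end up holding personal data.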
|
|
@ -0,0 +1,181 @@
|
|||
mastodon:
|
||||
env: ENC[AES256_GCM,data:m7NvIAydlGvvNEShlqH8GngjPb6z3TIGkZNcFcBoAWYHCimcp+0c8NNVf4cP7sq3Xg==,iv:PMC4vVN4felWaa7FDUyoYzNk4Eiy56pxK1cOxbAfZ9c=,tag:NQXqWljloBTxXC1tlxylpQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUmZnVjR3SGs3MnJSaUxT
|
||||
aVJJZDRVK2hXdDZqeTBRT2ovVmxWMm5SMGdvCm5LSGtKVkprQmlUaDdGT3krZnVl
|
||||
aE5kTG5QZ1JhbjdiWVNwRUp5dkRKbk0KLS0tIFdhSnd5OU02ZTlrMGNMemdYbVNO
|
||||
YlRrbklFV3lmWGRYVXhvUkNLSzdkRUEKWppsjTBRljJnyXTgMSnq4eSlXdzjF0Bc
|
||||
LN6oLoylo3zeT+pWjDFG7A9+fIpCiXsIMcZsHiRR7kfX8lHGi5rv2A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdmNOUUpxOE03UFVoN2NY
|
||||
dFMrUUwyVHZjeEZYWWhCMFM4YkVFVkpQa2x3CmoyUkhYRXZORnhXVUd2N0plZEdZ
|
||||
UVUvS0dudkdCRkx0YXdMbWVGV3p4dmMKLS0tIHBCQ2RSRDgyclMzeGJwNndVU3dk
|
||||
ZHQwTTZVNWRRTUR5STRQb3VIODdPcEEK7emzmECdUobG5/N3TMRcUaZSTsgTF6m/
|
||||
5f8v8Tpf0Ve6veQhC/5+MYtHJOWDkN+nD8gFgRkPn/IlNz9IAMGx2A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-11-30T00:54:21Z"
|
||||
mac: ENC[AES256_GCM,data:Ys/exz5C1UO3FZ5XXSx5wolzO+yJ7p59LFOwAOQM5h5wsSd7T43gql9ecjzYZkBub238+uSJYU8kDCaxUFOwLPBIZ6rmA/MS9wRUVr8z5NB9usQFgtD53NNdcRgMWZcM3GEkCBrjB0grIEA6/Btc2klYzLdYS0Glmnn5IMNwkvE=,iv:vJRinUplCiM6m53Yz5TObXaPI2cAcGVBlfvJAgJcd1U=,tag:7DhGp4KyfaOAFG3UT7PWEw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA6j84+xkv3y7AQ//THu/1WoBYLiEjUWSgMXej4xbmN5sUCSxqnyaMaekcQXK
|
||||
MsUODOaqLCo/c1mfpbZ/Pv5CLHah2R92idqShogaiB5tDqxq8MTk8VCR2bzGcg4f
|
||||
CJHf4dvEBzTWIygUM/TH0AaLB277C9WvLHK1ANE2GolSls6hIN5YYiMmAJboImux
|
||||
QYcwZIk5DUtk8CjMMdXoWXS3Nf5LyoV8TnqwGc8KyIK/l+PSLuOX6KqG5TArCCT5
|
||||
BTCbXqpk5IPGVNiflWZfZBSrGFQ/7L+mHYABBR8bj1cCHKOtYJqVCKNQOkApRsc9
|
||||
Z8UtGHedcArwZUNilFUNYMZjK0Iyrme3Fvjt7ztY//ZvgRgBzIfeUlMMYNCD0stT
|
||||
OhjlclAkh7az5LPyhKW7FxEPhr+XsJCiAaaNpHntSwv/5yjPCDLoCbKF8pkZY7xW
|
||||
oaYVJk2/BuNPG8wQAHl9N15XHN5bPK0JIqT8/aSwRx6rjI2JlBk8tOo5EpmdJrLa
|
||||
xPJ7cS8KEpY+mlWO+GkmB3EomjbdgRtFqx4DEjbLYV/olN4+s2RLqK53WprNjqdv
|
||||
fltEZvY8vWcg6UHc3DhAy9Oa6QnR8ifraPkpKlMUZyIiQFOWcrDs9XCpKx/ATmXO
|
||||
+wpQHGZXq6b47Gfp/XA4HibA7YY9qDz2PDtu4PrKg00j6wWBujdc5+HTfBn05JvS
|
||||
UQG2+OgjrHFdYKIK0+vMovt3WFzbrCAeIx9AU84dUMiUZMOtyHZvL+hU3ynVZYfu
|
||||
Z/yvMM78Q1qEdcKWBtgEJORXQIwWTK3JyYRC0N4/3COViw==
|
||||
=ULdx
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA8zMZ+ak7y/zAQ//bSruuL/XKnFtewxG3weWTIUzLjW2d4b0WffSzRogs3BM
|
||||
FE0vbb6atEQVImnr8CFl8r6R1jE3lz6VEVirCAHdycPFxHFnIuzbzc5WYVgTC00E
|
||||
v5L3UKJSccjzWMONdL0XaXUDHWE78vfiMKwjNMrg/SmLElkjJUvBVz1y9lih/Fwp
|
||||
V/CWV/S4/v5WoO53hldoQ3jCDWLLVoJHB5rBO140hpmrLOkwTvXQNW1pK0GwJb6r
|
||||
dKqzUQzJgmdQcMswNDcmtHQV59HGk7/anaWGMD5FvVz6FQdXA2bBH6WD9OmqggUw
|
||||
xN5sWON3yYEkWZ7L0fmLIoNmmsH6gMnPVIpCK40g2nyFCjiqRdxf2gn5iasq9fzJ
|
||||
LAZkUHt6LSNikRPsm9p/SKl5EfIWSmQfUGWYMRqwkHi+a85NfkDPgbOae2gQhaGi
|
||||
TjdKy3wS5SQ1KZU1+YV19JJx8RnzevcIHv/SV8C+z4UosEDBGuncda3S8VRDvyOe
|
||||
hI/ZbASGBwWXni3UIGQfLiDp0nGZz3NAGKcmbWN4DHN7tj36Xc0NkLe9AuWs+2fq
|
||||
rhnfYCLl8tn8gdBQ2/sMC2K8AwpRLdcoOhZPz9CCY3Qv4edxXeSMMotQwhB3jglh
|
||||
GBNFEKd/XKHMfwZsfWITxHBhtX0yL6CEG8A+OHHrYzXcphAcy981T07ThfTkU/DS
|
||||
UQGAruf+SPfBRKj+jHdIXHtrVlYFtI1SHLueZzAw8vMPI4vXbvbZq2qNdWk5uLIx
|
||||
AJHARp7tFLZjeVM8O3fR13HM5Ho50cJLnkCBqqDLXFKtSw==
|
||||
=ZSmW
|
||||
-----END PGP MESSAGE-----
|
||||
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA45bZkLXmBFpAQf7BQARnoKk+Dl65Far++0lF3CvvOeiBttUCQoV8aNmMq2V
|
||||
Sy1CfGGhg53xN6qeqh0GE5gXQU6Qio86KCxKZ6yh0i6wicv0G1Ld19omKGFrD6y+
|
||||
ne6ognWNVXzOxp6jzT6bzTxN4KkIrtKwuFb6796E1N0haVzCOjxQaTqUKig7Vy8P
|
||||
0cCR1K/HiVVDs/XdK3QL47Ty4oSCAZDD/Vj9r40w/fKykTw5PBwRsBMCPL1ZxoeI
|
||||
WEMhxxKdCpp5OprMHtsRkulPoArUkyFOKtsCvCRAnLtwoJaJTBb4I0RcTy+wjwEv
|
||||
ONdpobMPntiXY9P8L/ovmYX+GlQKi3AEHflmPmLPFdJRAdzGII2ZnF77Z+e7WpJK
|
||||
SXkWRdSRwJzatIs2TfnEYKAMevqEpzYTIu2Am0NxbTj7MgmfGw7oUc0n+oGh0gLE
|
||||
Jd5EMV7E8k8nHqyCLoEa3q+3
|
||||
=poTN
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMAwMCBBrc/JA6AQ/9Hz/H90Ab0cQ0mBmFWdgc+zsPVhHXLlKaTszaMbrQ0Hlh
|
||||
Db/1ap7tSQviLZMJFh1O9TjMfRrbCyGE8NRRr1jM2z1KxRSENHMywE+5wR+QlNE7
|
||||
s5v5tNOYyLA5rlkyAL7tezKLnsi4CD3hj27ZVU3igtJ4GXW51rHABiwMQ1FOfVeo
|
||||
vGCQdXAxcFo4TucdIjMWo9hAV8ncVYokw5jq4ufHKjb1keBFq4Ob82dkc3DWwaq7
|
||||
sbUMPGzDkgqwVS2aFk2uoaBjceZeOjY1INNtxtSrmQvjrnJTjoKKRErU11OZ19Om
|
||||
gal7gIUhHb3kJKLkXDZD0l2AD4NUeeFLI7SyVv7PmHD/dI58SQ3+ofsC+Cukvqeo
|
||||
KI9Xyg6+pJCF8wer0tYD1uX4avF9TsdFwVjrrOW2iXvX7ePqP9+ZdwodPOmvB5g6
|
||||
ofxgbX5clek2LCUO/Q8hytx3W/6oBHfqZgoiLitfT+Ss0NoEusGnSDnGlgUAbEyJ
|
||||
KEWEMiRcj8OARw4/jbJrrBjvbIJJaWmdtHBSsqV+3/yY4GqTw8pvUYp3feocLu1Z
|
||||
FwIx/TcvyOmhZ6MFu3sz+xWntyvOnDZoXfnzTLWt7XM2pNHwyWmG62fhlhAIo7jR
|
||||
ENu1Zet7lpj/eUUJAbcx2sWtoClSq8rYqX4PBR4rFnLJBqyPZlVGLzFzlw/kr57S
|
||||
UQGZijKUYvlcDtFjUTiVmUtYagb94Fm4v20P1N1IgwdZp5l00MYY1GT0s7+4QR7Y
|
||||
rRRPLRu4wCvPsYeSpT3xf0bx5tZF7YuzuU0bcr13NcJADw==
|
||||
=44mD
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9XEenRNYVGHARAAjqd4Vk98BuS7EGmWe9asgpmuF1hBpi6EGbfIJHy/QdMu
|
||||
Ug27yGxrhVoxP4mX0KcdL0GES6zpcqAuSjKuqnjRIQaBqRmLImvlwpRELQyzJCsj
|
||||
fkhTe3nG14Ew1ukuAPA4LiOpydpefdHb0KiCR4GYggR+P9nPo4CIUVDXIkWdCJHF
|
||||
29b2febhwUZuxAQF0otzvFXd8VpFxP5aqiqjdVQ6wm9R0r/l5XyU8ZwtgN4TjcbO
|
||||
DxvjS73i+CZhi2gPR4Q1pTOFunxQC/shyeOLHFpGnWZ/OkYO+93P9PHPIX9BSUz8
|
||||
PVrBPtLLXm8rnnklqViBTBt+AfwjzyhWTC9BGoKfJ3gmfA//oVJNraQJRXS3AtlY
|
||||
awvIWtLDGSDwzR68cpdoG9DzIES5rJ3gN9u+b/IV6pwvu35E0X3CKA4FN66wdNag
|
||||
VXA6RsJVM1+pCxeKHAyMwD26Udq77XJ1nAxvUaOn0+MGdXD3KKF+WQ+4wv4LW5vl
|
||||
mRKMVuI884B8Qm349TZxUalEy6v7ioC6pJMj13Yn0eWx91z/Kzj8IP06nZ2y486B
|
||||
b8aDmbQUNIF4g3s/LN4y7ENYRVtvL4yhL4JQfDCMeA7wn4Ne/XNIX6/mgcN70JI5
|
||||
ywS4udq+8NX6ZTDoiLNVwZwO3j2V61p1ISx5Q1vPrevCUHHRvUisFL/OzyYYDVXS
|
||||
UQEfC+uXFz7eX15F0esLCcMfDZFWc73IWbGfLL+eXatw5R4Ii2nN+Q8eXLFolmg2
|
||||
DQu+qK0ovO5/9I3VmQM9Y9n0b9CFsfcBLFLA8pfNtj6DOg==
|
||||
=vjG5
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA/Z87ylQaotQAQgAki4625tAoV04bTPWkawsYck88PbAVctHuwWVi/YprVLy
|
||||
VwXM4nMao+fg16UrRd1sc0Dh1TdPq3E+4oIf9gYJXH8GLcjkj5v3L8jWdaWhC+2G
|
||||
M6IrXdn0kM5uXx3PTFQA6TYkfs/BdNsjTnspfr44EBvWG/OwLmTJo3QC6MDDHZk3
|
||||
JF4cMXXhHe1gRMF5DznexxCHfrod5NYYIzGpqCo8qBtBnY5QnTf7wXwtWnFeRtQk
|
||||
fA/EDgM1Xghyqx7oDxQ7ubaCWPyNREhiB6vKvF8ZnUyWW4oQmx7gmttb+Gm/Pb/G
|
||||
HB9GMixRzmlo4dVGlTF9llYCxcIrvxJNasFEXnuHsdJRAXBwOvBH4JsYgjIYlo0a
|
||||
l+INJ9JBJqvSqbrAadmhmtg7v6fJVaWQiwamI/N50ifHAQcKNxH/OiInuh80Qvtf
|
||||
9utJNqgbFFnzPxx5028FriVd
|
||||
=rqgj
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9EA68B7F21204979645182E4287B083353C3241C
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ/8Ca/FQ2eZdaIerMMiGL0wP8uClgzDqW6Xku4sdGI9nO4s
|
||||
oBzmj3amCgp588PV5/TbyawVrfbMQFvr78GF2T3MQS1KOzFePITQPXceuPia6KzV
|
||||
bFNpElCP80AlYZKWkPQ26Uz1gB+Dk75F+Ws5ttP+A4bgSBUpW7R3CQr4eIM9rN7G
|
||||
TXgTWlbcYZK5IyVZkueOXN+vwT5N/C+rf3Ockv77Yhrasbc/OiRd3kPvwYINrBk5
|
||||
HRpaebK+/1Ku5SHIFhx/TGtyCcwS2ciPBCX1NYvcI+Kh1I2MlHKJqpgY6C0e6QHo
|
||||
sByoi/cy6IIPXupuVMxs/dMzkaZJYMzM3te8D6aakO+yaR/xBlJgGZqzWVgrDZaR
|
||||
7ioncUPcSbR28cGoV4l2bYGu+Z4bQ0oAE8CSV4IYLJeInwRed45E9G5zyTU9//Zd
|
||||
C4dxATU17FXeom15LSoZkFnRLbWWPi6q2SwwidG7+oK5FcMCyc4zarR65/i/02Tm
|
||||
mEUc533y+t0pud9GgdQKrjNyQ654mrsPrXOYviTrBVzy3BU6dkbEjPEmfw253a0Z
|
||||
SDV88+WOSVzwVK9K0EY9NR+sRYlQtBkoKDYrLgthCN+Ucl/tOBIKjwv5lnBUihG/
|
||||
ouTUDJEN5phT2tf8MDchNea31Cm6AT0ph6Iz/Pr0hqUNQOz6UmNgf1ZNH3RCehjS
|
||||
UQGdPPcXxEG5JhmiltTOph024yMOkgmt+5xHyCZ6L1QaaYMjIV08Xq0I2YvJXUse
|
||||
QlZRHAcOAsSI7mYd0jqFxOfj8ZrclTqn15peXweoEUzKIg==
|
||||
=vX2f
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2022-11-30T00:52:41Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA/YLzOYaRIJJAQ//RPrikrIQUJ6qVHdEQVtH9CKnNBDCk/ipP4CU1sdHFx7F
|
||||
S4ssLv/sTDofJzo+LFB0QG3JRWEx1+IgtRF+6JCw0Mm7ed2STMPh6/emaX0MIcgS
|
||||
x1t0LMsEmGa6Iuyjm24x5I8qdLpYtOjZd4r797GNeGEXUzRAUe9zbFEY45lSrzn+
|
||||
H/mbohDAK/xEuvY0w1qYW2NgTkUqjxgpK7fx9df5GpiEE9XPHsQindpPYh7BNcau
|
||||
fIqN7d+A+nMw3DI8YcmC2yYnr/5UWBe2UweQuFWyBxyI6548kKbjKOJcAboo1YVL
|
||||
MPyf+Z3eySNG32MyE8vq2/d32/Sh+Cwk/YG6o4mpjwdSTT65JDNZs2eu2alOXnsi
|
||||
uvGDMTlKwvUP89ynB8tDQ8HdV9bxFT3/9yOFAYa+yU9AguvV13zl6ublpO1pPY1q
|
||||
iJMDc51iyRsH9jv9ALHqQ+FIptQDX1yjoIobHx64zrBaiOKeqkdWgZGUfnldbOyw
|
||||
in8Ooa1qgG70h0T+tearHB0BDTCQx7FvEgUN+6eAdGLncoV9a2bGbtb2IBzm7pA3
|
||||
YHV4Ab308WyO/8MkSwd9uGqlsxE772TN5XYLuWo+7KgcSCGght6vnlLWIDhbQ+YR
|
||||
/ZLMik2Gbsl5bV6cpkbzI9VBEx8vHulpQazkHSAfsxr6/aiqmz0TJM8I0oe+d7TS
|
||||
UQHZoPhsqIYDwOqNDi8erCeeQzkDxSVPlBICv8+YGXd5qSAAte7Fbo/uQvn4fGdg
|
||||
9YAyhaZ/XAWnb3rL3VpKlzGXq6LAaog9OyQ+e+bnP/7x8A==
|
||||
=76ZY
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.hostName = "mediawiki";
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
{ zentralwerk, config, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
microvm.mem = 1024;
|
||||
c3d2.isInHq = false;
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "home" "var"];
|
||||
};
|
||||
microvm.mem = 2048;
|
||||
system.stateVersion = "22.05";
|
||||
networking = {
|
||||
hostName = "mobilizon";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, tigger, ... }:
|
||||
{ pkgs, tigger, ... }:
|
||||
|
||||
{
|
||||
deployment = {
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
{ zentralwerk, pkgs, ... }:
|
||||
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
{ lib, ... }:
|
||||
let
|
||||
netConfig = zentralwerk.lib.config.site.net.serv;
|
||||
|
||||
nfsExports = [
|
||||
"var/lib/nfsroot/dacbert"
|
||||
"var/lib/nfsroot/riscbert"
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
xx = "tx"; # transmit only
|
||||
when-tx-exists = true;
|
||||
};
|
||||
in lib.mapAttrs (name: value:
|
||||
in lib.mapAttrs (_: value:
|
||||
value // {
|
||||
via = lib.lists.remove "c3d2" value.via;
|
||||
} // (lib.attrsets.optionalAttrs (value.addrs or { } != { }) {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
exec = {
|
||||
{
|
||||
programs.nncp.settings.neigh.emery.exec = {
|
||||
# A command to asynchronously export store paths to a remote caller.
|
||||
nix-store-export = with pkgs;
|
||||
[
|
||||
|
@ -16,4 +16,4 @@ let
|
|||
# A command to import store paths from a remote caller.
|
||||
nix-store-import = [ "${config.nix.package}/bin/nix-store" "--import" ];
|
||||
};
|
||||
in { programs.nncp.settings.neigh = { emery = { inherit exec; }; }; }
|
||||
}
|
||||
|
|
|
@ -1,15 +1,14 @@
|
|||
{ zentralwerk, oparl-scraper, config, pkgs, ... }:
|
||||
{ oparl-scraper, config, pkgs, ... }:
|
||||
|
||||
let
|
||||
ratsinfo-scraper = import oparl-scraper { inherit pkgs; };
|
||||
|
||||
netConfig = zentralwerk.lib.config.site.net.serv;
|
||||
|
||||
in
|
||||
{
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "home" "var"];
|
||||
};
|
||||
microvm.mem = 1024;
|
||||
|
||||
networking.hostName = "oparl";
|
||||
|
||||
|
@ -41,7 +40,7 @@ in
|
|||
path = with pkgs; [
|
||||
git openssh poppler_utils ratsinfo-scraper
|
||||
];
|
||||
script = ''
|
||||
script = /* bash */ ''
|
||||
if [ -d data ]; then
|
||||
pushd data
|
||||
git pull
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./owncast-archiver.nix
|
||||
];
|
||||
|
||||
deployment = {
|
||||
vcpu = 8;
|
||||
mem = 2048;
|
||||
persistedShares = [ "/etc" "/home" "/var" ];
|
||||
extraShares = [ {
|
||||
source = "/glusterfs/big/microvms/c3d2/config/owncast/archive";
|
||||
mountPoint = config.services.owncast-archiver.targetDir;
|
||||
} ];
|
||||
};
|
||||
c3d2.hq.statistics.enable = true;
|
||||
|
||||
networking = {
|
||||
hostName = "owncast";
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
|
||||
services.owncast = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
additionalModules = [ pkgs.nginxModules.fancyindex ];
|
||||
virtualHosts."owncast.c3d2.de" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."/archive/" = {
|
||||
alias = "${config.services.owncast-archiver.targetDir}/";
|
||||
extraConfig = ''
|
||||
fancyindex on;
|
||||
fancyindex_exact_size off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.nginx.serviceConfig.ReadWritePaths = [
|
||||
config.services.owncast-archiver.targetDir
|
||||
];
|
||||
|
||||
services.owncast-archiver.enable = true;
|
||||
}
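Review bot: The `systemd.services.nginx.serviceConfig.ReadWritePaths` entry at the end of this file makes the archive directory writable for the web server, although the visible config only serves it through the `/archive/` alias with fancyindex. Read access looks sufficient, so `ReadOnlyPaths = [ config.services.owncast-archiver.targetDir ];` (or no entry at all, if the unit's sandbox already permits reads there) would keep a compromised nginx worker from altering or deleting recordings. Separately, `services.owncast.openFirewall = true` opens owncast's own ports in addition to the 80/443 listed under `networking.firewall`; a short comment naming the port that is meant to be reachable directly (presumably stream ingest) would help the next reader.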
|
|
@ -0,0 +1,61 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
|
||||
owncastArchiver = with pkgs; writeScript "owncast-archiver.sh" ''
|
||||
#! ${runtimeShell} -e
|
||||
|
||||
PATH=${lib.makeBinPath [ coreutils curl jq ffmpeg ]}
|
||||
|
||||
while true; do
|
||||
|
||||
STATUS="$(curl -s https://owncast.c3d2.de/api/status)"
|
||||
ONLINE="$(echo "$STATUS" | jq -r .online)"
|
||||
if [ "$ONLINE" = true ]; then
|
||||
TITLE="$(echo "$STATUS" | jq -r .streamTitle)"
|
||||
ffmpeg -i https://owncast.c3d2.de/hls/0/stream.m3u8 -c copy "$(echo "$(date -Iseconds)_$TITLE.mkv"|tr " +<>:/" "____\\-\\-")"
|
||||
fi
|
||||
|
||||
sleep ${toString cfg.pollInterval}
|
||||
done
|
||||
'';
|
||||
|
||||
cfg = config.services.owncast-archiver;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options.services.owncast-archiver = with lib; {
|
||||
enable = mkEnableOption "owncast archiver";
|
||||
|
||||
targetDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/mnt/archive";
|
||||
};
|
||||
|
||||
pollInterval = mkOption {
|
||||
type = types.int;
|
||||
default = 10;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.archiver = {
|
||||
isSystemUser = true;
|
||||
group = "nginx";
|
||||
};
|
||||
|
||||
systemd.services.owncast-archiver = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "owncast.service" ];
|
||||
serviceConfig = {
|
||||
ReadWritePaths = cfg.targetDir;
|
||||
WorkingDirectory = cfg.targetDir;
|
||||
User = "archiver";
|
||||
ExecStart = owncastArchiver;
|
||||
Restart = "always";
|
||||
RestartSec = 60;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
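Review bot: `ReadWritePaths = cfg.targetDir` in `serviceConfig` only has an effect when the rest of the filesystem is made read-only for the unit, and no such setting is visible here, so the archiver can write wherever the `archiver` user is allowed to. Adding `ProtectSystem = "strict";` (plus `PrivateTmp = true;` and `NoNewPrivileges = true;`) would make the write path meaningful for a long-running process that feeds stream data to ffmpeg. The `archiver` user also gets `nginx` as its primary group, which gives it whatever that group can read; on this host that may include the ACME key material, so a dedicated group shared with nginx for the archive directory would be narrower. `targetDir` and `pollInterval` have no `description`, which is worth adding.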
|
|
@ -1,83 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../../modules/lxc-container.nix
|
||||
];
|
||||
|
||||
networking = {
|
||||
hostName = "prometheus";
|
||||
firewall = {
|
||||
allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ];
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
|
||||
alertmanager = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/";
|
||||
listenAddress = "0.0.0.0";
|
||||
configuration = {
|
||||
"global" = {
|
||||
"smtp_smarthost" = "mail.serv.zentralwerk.org:587";
|
||||
"smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org";
|
||||
};
|
||||
"route" = {
|
||||
"group_by" = [ "alertname" "alias" ];
|
||||
"group_wait" = "30s";
|
||||
"group_interval" = "2m";
|
||||
"repeat_interval" = "4h";
|
||||
"receiver" = "team-admins";
|
||||
};
|
||||
"receivers" = [{
|
||||
"name" = "team-admins";
|
||||
# "email_configs" = [
|
||||
# {
|
||||
# "to" = "devnull@example.com";
|
||||
# "send_resolved" = true;
|
||||
# }
|
||||
# ];
|
||||
# "webhook_configs" = [
|
||||
# {
|
||||
# "url" = "https://example.com/prometheus-alerts";
|
||||
# "send_resolved" = true;
|
||||
# }
|
||||
# ];
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
# alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ];
|
||||
|
||||
pushgateway = {
|
||||
enable = true;
|
||||
web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
|
||||
};
|
||||
|
||||
exporters.collectd.enable = true;
|
||||
exporters.collectd.openFirewall = true;
|
||||
|
||||
exporters.nginx.enable = true;
|
||||
exporters.nginx.openFirewall = true;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."prometheus.serv.zentralwerk.org" = {
|
||||
# serverAliases = [ "registry.serv.zentralwerk.org" ];
|
||||
enableACME = true;
|
||||
onlySSL = true;
|
||||
locations.".well-known/acme-challenge/" = {
|
||||
root = "/var/lib/acme/acme-challenge/.well-known/acme-challenge/";
|
||||
};
|
||||
locations."/" = { proxyPass = "http://localhost:9090"; };
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "20.09"; # Did you read the comment?
|
||||
}
|
|
@ -0,0 +1,154 @@
|
|||
{ zentralwerk, config, lib, ... }:
|
||||
|
||||
{
|
||||
deployment = {
|
||||
mem = 1024;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "prometheus";
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
# nginx
|
||||
80 443
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
# services.prometheus.exporters.collectd.collectdBinary
|
||||
25826
|
||||
];
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
retentionTime = "7d";
|
||||
|
||||
alertmanager = {
|
||||
enable = true;
|
||||
webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/";
|
||||
listenAddress = "[::1]";
|
||||
configuration = {
|
||||
"route" = {
|
||||
"group_by" = [ "instance" ];
|
||||
"group_wait" = "1m";
|
||||
"group_interval" = "1m";
|
||||
"repeat_interval" = "7d";
|
||||
"receiver" = "xmpp";
|
||||
};
|
||||
"receivers" = [{
|
||||
"name" = "xmpp";
|
||||
"webhook_configs" = [{
|
||||
"url" = "http://127.0.0.1:9022/alert";
|
||||
}];
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
alertmanagers = [{
|
||||
static_configs = [{
|
||||
targets = [ "localhost:${toString config.services.prometheus.alertmanager.port}" ];
|
||||
}];
|
||||
path_prefix = "/alertmanager";
|
||||
} {
|
||||
static_configs = [{
|
||||
targets = [ "localhost:9022" ];
|
||||
}];
|
||||
}];
|
||||
|
||||
enableReload = true;
|
||||
ruleFiles = [ ./rules.yaml ];
|
||||
|
||||
scrapeConfigs = [{
|
||||
# TODO: authorization?
|
||||
job_name = "node";
|
||||
scrape_interval = "1m";
|
||||
static_configs =
|
||||
let
|
||||
zwNets = zentralwerk.lib.config.site.net;
|
||||
fromNet = net: _:
|
||||
map
|
||||
(host:
|
||||
"${host}.${net}.zentralwerk.org:9100"
|
||||
)
|
||||
(builtins.attrNames zwNets.${net}.hosts4);
|
||||
in
|
||||
[ {
|
||||
targets =
|
||||
fromNet "serv" (_: true);
|
||||
labels.__meta_net = "net-serv";
|
||||
} {
|
||||
targets =
|
||||
fromNet "flpk" (host: host != "flpk-gw");
|
||||
labels.__meta_net = "net-flpk";
|
||||
} {
|
||||
targets =
|
||||
fromNet "cluster" (host: builtins.elem host [
|
||||
"server8"
|
||||
"server9"
|
||||
"server10"
|
||||
]);
|
||||
labels.__meta_net = "net-flpk";
|
||||
} {
|
||||
targets = [ "localhost:${toString config.services.prometheus.exporters.collectd.port}" ];
|
||||
} ];
|
||||
}];
|
||||
|
||||
exporters = {
|
||||
collectd = {
|
||||
enable = true;
|
||||
collectdBinary.enable = true;
|
||||
};
|
||||
# TODO: deploy with every nginx
|
||||
nginx = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
};
|
||||
|
||||
webExternalUrl = "https://prometheus.serv.zentralwerk.org/";
|
||||
};
|
||||
|
||||
services.alert2muc = {
|
||||
enable = true;
|
||||
configFile = config.sops.secrets."alert2muc/config".path;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."prometheus.serv.zentralwerk.org" = {
|
||||
# serverAliases = [ "registry.serv.zentralwerk.org" ];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString config.services.prometheus.port}";
|
||||
extraConfig = ''
|
||||
auth_basic "Prometheus";
|
||||
auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path};
|
||||
'';
|
||||
};
|
||||
locations."/alertmanager" = {
|
||||
proxyPass = "http://localhost:${toString config.services.prometheus.alertmanager.port}";
|
||||
extraConfig = ''
|
||||
auth_basic "Prometheus";
|
||||
auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path};
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User;
|
||||
secrets."alertmanager/xmpp-password".owner = config.systemd.services.prometheus-xmpp-alerts.serviceConfig.User;
|
||||
secrets."alert2muc/config".owner = config.services.alert2muc.user;
|
||||
};
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
|
||||
systemd.services.prometheus-xmpp-alerts.serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
User = "prometheus";
|
||||
};
|
||||
}
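Review bot: `fromNet = net: _:` in `scrapeConfigs` discards its second argument, so the predicates passed for `flpk` (`host != "flpk-gw"`) and `cluster` (the server8/9/10 list) are never applied and every name in `hosts4` becomes a scrape target. Binding the argument and filtering fixes that: `fromNet = net: pred:` with `(builtins.filter pred (builtins.attrNames zwNets.${net}.hosts4))` as the list being mapped. The `cluster` entry is labelled `net-flpk`, which looks copied from the entry above it. `exporters.nginx.openFirewall = true` also opens an unauthenticated metrics port that the narrowed `allowedTCPPorts` list does not mention and that no visible scrape job uses; if only the local Prometheus is meant to read it, dropping that line would match the rest of the firewall change.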
|
|
@ -0,0 +1,84 @@
|
|||
groups:
|
||||
- name: default
|
||||
rules:
|
||||
- alert: oom_kills
|
||||
expr: round(increase(node_vmstat_oom_kill[7d])) >= 1
|
||||
for: 10m
|
||||
labels:
|
||||
severity: error
|
||||
annotations:
|
||||
summary: service gets oom killed
|
||||
|
||||
- alert: disk_almost_full
|
||||
expr: collectd_df_df_complex{type="free"} < 1024^3
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: filesystem has less than 1GB of free space
|
||||
|
||||
- alert: disk_full
|
||||
expr: collectd_df_df_complex{type="free"} < 100 * 1024^2
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: filesystem has less than 100MB of free space
|
||||
|
||||
- alert: disk_free
|
||||
expr: predict_linear(collectd_df_df_complex{type="free"}[1h], 8*3600) < 0
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: filesystem will be full within 8h
|
||||
|
||||
- alert: load1
|
||||
expr: avg_over_time(node_load1[15m]) > 50
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: instance has high load avg
|
||||
|
||||
- alert: systemd_unit_failed
|
||||
expr: increase(node_systemd_unit_state{state="failed"}[7d]) >= 1
|
||||
for: 10m
|
||||
labels:
|
||||
severity: error
|
||||
annotations:
|
||||
summary: service fails
|
||||
|
||||
- name: network
|
||||
rules:
|
||||
- alert: load1
|
||||
expr: avg_over_time(collectd_load_0[15m]) > 1
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: network device has high load avg
|
||||
|
||||
- alert: memory_free
|
||||
expr: collectd_memory{memory="free"} < 4 * 1024^2
|
||||
for: 10m
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: memory full
|
||||
|
||||
- alert: throughput0
|
||||
expr: increase(collectd_interface_if_octets_0_total[10m]) > 10 * 3600 * 1024^2
|
||||
for: 2h
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: sustained throughput
|
||||
|
||||
- alert: throughput1
|
||||
expr: increase(collectd_interface_if_octets_1_total[10m]) > 10 * 3600 * 1024^2
|
||||
for: 2h
|
||||
labels:
|
||||
severity: warn
|
||||
annotations:
|
||||
summary: sustained throughput
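Review bot: `systemd_unit_failed` applies `increase()` to `node_systemd_unit_state{state="failed"}`, which node_exporter exposes as a 0/1 gauge, so a unit that is already failed when scraping starts never triggers the alert, and one that stays failed drops out of it once the transition leaves the 7d window. If the intent is to alert on units currently in the failed state, `expr: node_systemd_unit_state{state="failed"} == 1` does that directly; if the 7d memory is wanted, `max_over_time(node_systemd_unit_state{state="failed"}[7d]) == 1` keeps it. `disk_full` carries the same `severity: warn` as `disk_almost_full`, so the more urgent condition cannot be told apart; `severity: error` would match the other critical rules. The name `load1` is used in both groups for different metrics, which makes a firing alert harder to attribute.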
|
|
@ -0,0 +1,185 @@
|
|||
alertmanager:
|
||||
xmpp-password: ENC[AES256_GCM,data:v+pRv/q4Z/ZT18PBxxKrq9P9QNbjN14edSeMCo5If6Y=,iv:oIdXFPdppgV7uTWY/eKSK9T2vDXW2Uur9iwnftQB+dQ=,tag:QD2MB3ZeMlvuGIMIpHI97Q==,type:str]
|
||||
alert2muc:
|
||||
config: ENC[AES256_GCM,data:hdVL+/bC67dP/MDfL+Jd7tq09IuP0l3uigi+kFdV6H6KVVj5XcqtTWd7ZUe6s5lo+ZHWx6QGwliSASNFyLWhF2TV6PGFnT/qQyKmQoY+R9nxeuJ8A8wib21F6qVSoiTHMxg0R13d2/Y1LqZdpsa+2KNdSe1UiBD6/LaIDxMd9rQizVUrnSQ5IDm0BNPhdlFfEvRYJO9TWkgQ0sfmt5Q7,iv:1yLsZLtUtfhJ+1+1w5lBSZ4TsDzmGgUFyA5XpJ/WZH4=,tag:78F5sgrrMezSuh8xbqTLiQ==,type:str]
|
||||
nginx:
|
||||
httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZGJwdVkyejVHb1hLeU9Y
|
||||
QVJ1bURJV2xwV3FaKzF6YXZHTHFyekR4TEJBCkZoUGxwU0trVXdLM3E5cmdPcmtu
|
||||
bE5NNkRNNlBtclpsbXRNaVJtcnVpTW8KLS0tIFpzR1RlM2ZzYi9wSHRQWFZ6VUxs
|
||||
Tml4ZENJd3Y0cmtTdnQ0ZCtTY256Sm8KRKvkk5WDaC8THCqgoKe2cD+AzdAqtfMH
|
||||
GynKYyQU3rgXl4r8K4XUEkEX8g3+SLitfbo35E66531Q/+yQc79V8Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M1F2N3FEY2xiRFZaVlJv
|
||||
cXUyU1NZYXpKVmlDT2hGM2ltNmVHS0E3SFhVCkcwWmZuT2RZVzg3aC9zQXI3aDhk
|
||||
cFp4RHN2b1RRcXRSNXFudmYrY3oydVEKLS0tIE1JUXdpVlFkQzZKNFBVaFFKTkxR
|
||||
dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU
|
||||
EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-12-16T23:40:12Z"
|
||||
mac: ENC[AES256_GCM,data:GXW0hMq84q5DrbV9YLNu5fvgAwFuBoq3cK7fD+FYHdnX1hq/6pTF2ksu7K7M9DE4yetXx7RKBWERm/1DShpV7Qe0jP/+kh31uwhCws6Ay0l14UDT52lL8uQ/jDHKv6ghG4/Q58u1Hvj/xZas34YmYxxJoyEzzCbMSfSgWh6GSMM=,iv:GuBCWI6s9yLhz3tEarZ1gbtXC+gUOVlbc43bezb9nbU=,tag:2bE8yOu87ooLdqjU5Ex1MQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA6j84+xkv3y7AQ//bQe3Ci9UwmvIuNasPiFzRtI+872msVZWlthYHc0SkrU9
|
||||
A8exnBo0uQbA6h5sA/so+CCt4wIxhMGikzapgTQZ1oP24fzvInES0aSuUsBDfys8
|
||||
Mgp9lvRGCv5jaxhfF8gAeI46M0qvkIkbSInfaLjjFbQn9xFwPrejE4l8RQ8At4Di
|
||||
NSWkvxNQlLH0qBVyXbFvToMhSYVZFsGoncHcNTOC4nEktnFNhptsjsvtA4u6aatv
|
||||
QXSLrlDY5ng4hvjtDTvrzdS1UH5pE9gm9xgqdb95xiS24zwTUGbACP8sWVIUKPX/
|
||||
E38/g6H1AmaVadK/t9F/fP5sTcBI2dMHxHXbndpOb2MxS2lJ/sA4rbFmaVHmblgR
|
||||
J3w1g7JqPOANEneKJ4JWVDRWYwfgQ2IpB4EAetiDtN7KJTWyUgSrB0unNcmy+4cd
|
||||
2H+/CM9ARDwnohPhypSIovjXeh8L1uHqniUXxlIUbXHoNugRybQZYMxZx3cLoH5a
|
||||
WTTy+KJKLdRjeYxDyxVq00KCe9dXsxP/CTRpxZN+ejVAFvDqukzmI3yfSlgiX/M1
|
||||
Ysaa9su1NiFU5h4xsY828Vw4TsNfeiUB/MkHlQQc0f09cd0Aq7Z7lnGs9oWJQOKX
|
||||
bqI6Fjw3nY1QYkfivFZ3baXq4rbt7kTN5WoA+tPXntNVibp93A4X3jl53X5coPbS
|
||||
UQGz3jOgf7Vm5LUQ0VAErMClgKhddv9u+g0XH/uunfRO1ULw4fLFxBmpq/18Tfdg
|
||||
YgiTyJRW/qEqXGzbRl+k2oJz49rn6uJ+Fj6quwZHU67EwA==
|
||||
=kTaA
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA8zMZ+ak7y/zARAA3O9dCE+hACJ84wcEQ+eOF9xlZo96cUbcI/v75+PX9mBG
|
||||
js0ST9ykF8YFtAkAjpuS/B3dwPQY8PdA1fYX83Ke/tw4UeikF3e5kJ2SadlhryGE
|
||||
XpV0qRp79QCHPMauVGYiMK9gLtkgZFGYRcy3GEIz8EDvRpgYnSKJNrJXjDOJhW++
|
||||
WyjwytvSE3WHogP+mhOMgRIn+uYuqirw5c6jIq33ZS3pPuaGe4IR3YysNL8vI+z5
|
||||
6QFa/Vzrh+T2gE6/iGyZ+/Kc0N2Rbg8YwEec5nFGKMAyRsK4nO6e2h+nAjoCR2Hn
|
||||
3NZ4elSTJB+/yRCxcs+TECynPkFpjER49c0sHSvyaCvkoQmRc4kZChukbPEG4SDi
|
||||
qMQnmYNfto5TgkM/2SDpzK+UFq3iYVt+lTySW2sdtn2Kv/oDy/iFfsqFuIix1Egu
|
||||
rlwfSusdLFzvkzD0Lc8ynEevJAA2q7ZnVxSpY7EUgR+9RLfRn3m5KwHzvl20Ylvk
|
||||
O3GU3tJSERY794WmCNiGlmz4q6G84WQTGFo/7e/fxGQJ1gz4btQdxnHMZFJywHzh
|
||||
klO3ZxgFPWfKiBzI47ta/xHxUhcYwjVud3IG8rc/g8LSt4ZJ4aEBIRvrQk6m5v5h
|
||||
32AtP2c3bLz0uSyQWZ4z5OarAxKoReb+7aYPU7BZpoqciElQkyza/hAdC6iEf17S
|
||||
UQFWWEbUvBNW3hWYNhv1sVcIownmObMP5jbwJ/1UuGVBK4MfCCpLcoJgIeVH0m5h
|
||||
LHdHmgwkKO5Rpn7iO8EDn69lBYM2mhbCDeigCaAubLAnsQ==
|
||||
=XHIF
|
||||
-----END PGP MESSAGE-----
|
||||
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA45bZkLXmBFpAQgAtwj46Mv1ih23i4RUjW+WwqTrt+2d65JK4Kjm5oPvpGyO
|
||||
hoYLuEV2V9dI1WoJgmp0+pUS/f8LxJdo1OxeZP82ctrOFPxcb1wLfoG+Vg94GPHx
|
||||
wMtY9jNn0W3FX66a32AK0GNorSLl1miT7NRBimD2KAvoPSqKEGc1av4xDm9ue1fc
|
||||
tdcFf8MJjAvaNtAfCvnQ4NqM+lJwPjNmH6CtAQlHHJMgHFuNXZvY8lYbGOw7JpKt
|
||||
opGQD11FjMa5EUyxZfTk8vrPuhgTGknbj/hJOaRLJtTRjnjPfFkLULS9lwaJ0RxN
|
||||
UVI0v6FfrBcC/rfRJC7Uda0UvDSaaUNAiYlSlQZ4c9JRAVKh3yUxGC4rEDP+ecGO
|
||||
8VPvF+H5c3xJ6Qe+81Q1B+vm6rq8WoguilPlQLD3fc8C3vqqNTWpA0b0vVUXm/oq
|
||||
/yeF6f4+jLkZ16LNzIpQ9uyq
|
||||
=qkB4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMAwMCBBrc/JA6AQ/9G/+euKdVS9Jiqs9yRyqAujcPwPlYr85zAk+Rjzjo1tux
|
||||
N07qtz6z7HRHgHhP4lGRw7PkvUkxdFB19nnF41jn4ohoXGJrSkHlKEXGcrCJP+Lm
|
||||
8bIKAkTqXvN3qqJH6Rbd76T3wpLAQuq9pm4fsxXl1qHU2PMxehbhVZnwHtPT5mD9
|
||||
YkJV0ZVW91tDeJT5Od93vPyD+z+vccS0kBTWVwlSG7I0fMwQsbQwkVtqrJWM2Foa
|
||||
UPYHDgZEKIMEvpYwy33l9NHjrsLf/kul/xNtKxFCzcjOkw9k/pJdc6CVzX2rVhtp
|
||||
shUOMdzFh/DYqdtwm1h7VVS8xGSdlcFb7nxgYGZuIY8QsWuRB/+j/p5vDmlE46P9
|
||||
SvsuwFJnNc7bE8EHuU1GJGJdQUpyVv+nPGam7L3zLoLRggB8OBS07e/z+ORLogB8
|
||||
I7AF6Pcx9g0AwZeeEczhBYQvFcGjuHGb6uJNMYLylxoNm8u197Fyu7On3l7/IJqX
|
||||
q0w4ickZlkPySbx1OeqIEektiw69HwYhr3/E9B6O+0YL8JRJ5qVtDSw5cudhgIlB
|
||||
b5AfMqt1l+KvjByalhCK6msfuOUDnMhbdjLvSOr8iDUXQ/ZGPtiPaJDJ2Htx32yh
|
||||
zmhWfI7Ws0l/z8Ai939k5ssESccOAfsV4WaKcCcbAke581n+jYEwcTp4KQKzoLLS
|
||||
UQE1vWLijpOjby3So2IMu9gBF0ZmN9EkCt12IP1oa3mMU2yZ5wV/VW1BLSezuVvE
|
||||
v7/FuFnC3jvvYxLV9VUYKQ492PS8oLAwirxrL5a45IyrMA==
|
||||
=of/K
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9XEenRNYVGHARAAir30MBOtYtXP3K0hN++LgCtLefPi6455kns0KWkPI8Jd
|
||||
tIrn7h7/O4Znd4QO8Iz1ouyubeEvLbLjS4wMc4NIUNVoDWpmlWveHDgp9ddLDLUG
|
||||
MYBsswVVx2SwCzsIQHADpAa0m2MSfmhTxwBP+lieFg5T3LQi0Jo30DFrDtdIKLbN
|
||||
GPeHuDFdQ8zB2dyPXvSgsOxW9ZNDXAObwewsuEAWhQtkNvtIH62fH+wopjtEdZAX
|
||||
pbHwcAZCOVciWhbKo3zKme1Jq6XQE8Of+w0mBoMeeVr+f54s+1DRE6vy2hH5QDBK
|
||||
1oWRtWpoFrTKGO/KwN5QsehgP6FqZVaWiAMubAR17k2WGzlTQvIWoCxlpv+Mu7eN
|
||||
tsqbLyEmMvmc1NoN06N2CP31KP1Z9bwpxPmiz9Ph8ZfzL9Qw68zJx+dFjrAJIEuo
|
||||
T1KOuWkfPg6llE5Hs+1WqR4Kj0+uH7irNjRGCv6ruWVoYQXP/7dpnwcHBX/Is5IN
|
||||
2gR4Btn4t+nBNCfVcvOq0CUdFGrOr/O0sUDX7Ob0Gqu7fY3nrZpTwGQ5okPFSpJE
|
||||
1/OkWIUgAEHO1Y3X61nc2Iu5eI+jYmSaF12xjiHdKGwmkLfryt4taQBmxPJSN7ym
|
||||
0uiXf0d8SRuqHbz8keBCjp85RV/y1XGX08yltgPXpU2fmv1k5dKErBtNeAIudD/S
|
||||
UQERFu1HIYfCPzAxwI3Z+WbTFo+euO0dZ1Uaw8CVMGcaMTufNQg7H99d+td2pM+D
|
||||
/W8QfZAIGSYDjYWn6YffgRvDwsNZeMpGRo57XNvwZiIu7g==
|
||||
=xRwC
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA/Z87ylQaotQAQf/ceQh3zHJqWDRP2Q1l5rz69DfEweCJkuCxewVICRKYVie
|
||||
p4LzKUjnZp+8KB3LjHzSEuQXc0eqNXNmGu908uwbwG9Z+xiFj+CIe7KMZWW42gY+
|
||||
I1/nOA0WRzOYevO3vlZSzfZgsN5tfFkQkrU4hMf6YFhuM1m3HOrz5P9pc7uJGETh
|
||||
wHX7k0BSrUjmg8RYcJ+WIc2SPUqv/g0zceLSTE0Btpxg3XmrcHnvs/ThQ6afxHYN
|
||||
K0QEAgIqWwzNU+1+1QkB+yFeAflY10Zbhv0K+WdTn7JzlJZrxyvY32x7lTfCH5c1
|
||||
ycZy/AvGfk5ohkLtSx9f1DxpRCUlOS5TvP7I5X47p9JRAZAaCM9HCG4uMKZwkmEF
|
||||
/Yf7fTJHnIPPY7neR+2qUUg/Y3Th1mNbijBtV0A8XLFpNtWpn8Qzylmak2amYIql
|
||||
l6cwBxhl5N3vg7LGxUQQJfEO
|
||||
=dfLg
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9EA68B7F21204979645182E4287B083353C3241C
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ/+JXfpbLEUdY8fSAmKo/MyaZi9K9cHDs7c4CnEU3Mi8enh
|
||||
9j1/0KTzs99zb6gZKQ/z4MMCiNQ70jK5XcTOgrKtUKeZ0sH969TDamsxxD1Ocfxh
|
||||
Ts+MGTE9C+odIBFvQDOAazkWbPGQ8EheCDauFk8FFZDBj8oK3Vw7hKUxYFMBTM/z
|
||||
UBLAHkbO6Sv38AHmqsHwzsP0+YZgA9pployt28arYXlwX+I7tYAK1V74SkxIWSD1
|
||||
4YHSJvHpos25/MS/PNR4SEQFSceQGfDuFCdwfkC6bKi7tdp3Af34q4v6OqA/iFnx
|
||||
hErcjrXPmlHm/YR2gd7AcLPb7WolB8/j/txl1TAxkSwCRodqcQH8L3bYoA9XxkHP
|
||||
7Yd5gfvivkQy0sjKF3dwpetu4bOdZUEwj+jY/54iHPECKTLK7TFGJ48A3v51Juw3
|
||||
4uU4pPVCTkQnRnkknbhicvs2IzvgS/OfAJTUBKW8+3yPkWenQQfeje0VHSUfT9hO
|
||||
KQ3zafhwGShqXPxbM0J9beigvL3iDE3U7YZYOfrryuHCveSkXobwQZY0Ylok52BX
|
||||
9t12lOldOKBLy127V0sQeZ4eWRiKjoyHC46DFByWN03dn6yRXrcE/8QGOyUgu2PR
|
||||
3SOEm1pnujVa5dhq0MVAxwgHH/+avI+HM0VHRsykYVVOR5O9ywpCAurgB0/wKJrS
|
||||
UQEUAPEm/YDfg7no9GnD/tXCwIgjO1m+H8+Z8e3Mama4hPZV9fuSc4M8GQGhWqFY
|
||||
jYvNgfR7UG/RsqAxoEA1hCoh0Jfu6uLX5/P9X0DQdM8WHA==
|
||||
=KHuT
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2022-11-27T00:27:03Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA/YLzOYaRIJJARAAs33yYShXtNdy9N+7D0fs5EU7gWYmJfL/lETxkcmQjQg9
|
||||
baX2Zqc2z96jg9TcqFuwbvV6xb/JrSGOs/Qusq1lGPhGaSNHo1KWY8EyDM/6v04x
|
||||
bE9poMb3D0HzIpm+fpDkKZyU15f3Mye5rauQm8a6qgHfd0Aus1HNs9R7RjBeU6pc
|
||||
esEOFOAvbKhg5FcY+E7BVa6nHAHACaK0jiTKNEWU3qfTAqYqarGXhALhujywHMxh
|
||||
YBtu1EQBGimAT6orZCaBMaLbH4LL6ozFk50jHQSgDxti/J4GHDtN4GVzIzySwfkS
|
||||
1S/8PYiM7UglxmdezxopOijzQD36DU0Sh6m44KWIWFPeN2P/Zkau16sfDQ49/K1w
|
||||
sEoZK9RZlFXI+O0PsPHmUkewvUhHMbLF8oa4By8jS0I6rcR+zNPlXQ3Y44v5bEtk
|
||||
y+9CaeJWg0mPf+rtqa5cwkbJhNgpMJM2k6sl5reczVzruYRkMcMO9QlIUF1Apxxa
|
||||
Z6hkFS7TlY7GQ0mpeg7DgKzCOHzHxVPRetit5uH25zxluHzwxYF16G6K2fF+V71v
|
||||
ERlryh/cJDuwAl64aXgIw1DBWMOwixJjO+qfyEUrb4taOXyv5wJ0p+ew6F6AeWue
|
||||
RC1aHcfXN3QJsqXCRRqdI8ceu/Tfo5xTOOAqbNlDzM/kcEXj4rE8WS1cKNknLZHS
|
||||
UQH9XIbJ70Nc5gWR35V7z2Lqos2TRp4WaeTbmr7z902wMDAl2GrjRoyo8EA7k2gG
|
||||
13XKgeObbkdmE7dTwOZbhzrBDFn2pcyI1NsC85iX154pKQ==
|
||||
=wWjU
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
|
@ -65,7 +65,7 @@
|
|||
"autotopia.c3d2.de"
|
||||
"c3d2-web.serv.zentralwerk.org"
|
||||
];
|
||||
proxyTo.host = config.c3d2.hosts.c3d2-web.ip4;
|
||||
proxyTo.host = zentralwerk.lib.config.site.net.flpk.hosts4.c3d2-web;
|
||||
} {
|
||||
hostNames = [
|
||||
"codimd.c3d2.de"
|
||||
|
@ -133,6 +133,12 @@
|
|||
} {
|
||||
hostNames = [ "zengel.datenspuren.de" ];
|
||||
proxyTo.host = config.c3d2.hosts.zengel.ip4;
|
||||
} {
|
||||
hostNames = [ "owncast.c3d2.de" ];
|
||||
proxyTo.host = config.c3d2.hosts.owncast.ip4;
|
||||
} {
|
||||
hostNames = [ "c3d2.social" ];
|
||||
proxyTo.host = config.c3d2.hosts.mastodon.ip4;
|
||||
} ];
|
||||
};
|
||||
|
||||
|
@ -149,7 +155,7 @@
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ socat ];
|
||||
script = ''
|
||||
socat tcp6-listen:1965,fork "tcp6:[${zentralwerk.lib.config.site.net.serv.hosts6.dn42.c3d2-web}]:1965"
|
||||
socat tcp6-listen:1965,fork "tcp6:[${zentralwerk.lib.config.site.net.flpk.hosts6.flpk.c3d2-web}]:1965"
|
||||
'';
|
||||
serviceConfig = {
|
||||
ProtectSystem = "strict";
|
||||
|
|
|
@ -1,50 +1,48 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
let cfg = config.services.proxy;
|
||||
|
||||
canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
|
||||
|
||||
in {
|
||||
let
|
||||
cfg = config.services.proxy;
|
||||
canonicalize = builtins.replaceStrings [ "*" "." ":" "[" "]" ] [ "all" "_" "_" "" "" ];
|
||||
in
|
||||
{
|
||||
|
||||
options.services.proxy = {
|
||||
|
||||
enable = mkOption {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
description = "whether to enable proxy";
|
||||
type = types.bool;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
|
||||
proxyHosts = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
proxyHosts = lib.mkOption {
|
||||
type = lib.types.listOf (lib.types.submodule {
|
||||
options = {
|
||||
hostNames = mkOption {
|
||||
type = types.listOf types.str;
|
||||
hostNames = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
Proxy these hostNames.
|
||||
'';
|
||||
};
|
||||
proxyTo = mkOption {
|
||||
type = types.submodule {
|
||||
proxyTo = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
host = mkOption {
|
||||
type = types.nullOr types.string;
|
||||
host = lib.mkOption {
|
||||
type = with lib.types; nullOr string;
|
||||
default = null;
|
||||
description = ''
|
||||
Host to forward traffic to.
|
||||
Any hostname may only be used once
|
||||
'';
|
||||
};
|
||||
httpPort = mkOption {
|
||||
type = types.int;
|
||||
httpPort = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 80;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
'';
|
||||
};
|
||||
httpsPort = mkOption {
|
||||
type = types.int;
|
||||
httpsPort = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 443;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
|
@ -57,8 +55,8 @@ in {
|
|||
'';
|
||||
default = { };
|
||||
};
|
||||
matchArg = mkOption {
|
||||
type = types.str;
|
||||
matchArg = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
||||
};
|
||||
|
@ -76,11 +74,9 @@ in {
|
|||
};
|
||||
}];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -101,10 +97,9 @@ in {
|
|||
option forwardfor
|
||||
http-request set-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Port 80
|
||||
${
|
||||
concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||
concatMapStrings (hostname: ''
|
||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||
lib.concatMapStrings (hostname: ''
|
||||
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
||||
toString proxyTo.httpPort
|
||||
|
@ -118,13 +113,13 @@ in {
|
|||
bind :::443 v4v6
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||
${concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
concatMapStrings (hostname: ''
|
||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
lib.concatMapStrings (hostname: ''
|
||||
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
||||
'') hostNames
|
||||
) cfg.proxyHosts}
|
||||
|
||||
${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
|
||||
${lib.concatMapStrings ({ proxyTo, ... }: ''
|
||||
backend ${canonicalize proxyTo.host}-https
|
||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
||||
toString proxyTo.httpsPort
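Review bot: The HTTPS section calls `canonicalize proxyTo.host` and interpolates `${proxyTo.host}` for every entry in `cfg.proxyHosts`, although `proxyTo.host` is declared `nullOr` with `default = null` and only the HTTP section guards it with `proxyTo.host != null`. An entry that leaves the host unset therefore looks like it fails at evaluation with a type error instead of being skipped; wrapping both HTTPS maps in the same `lib.optionalString (hostNames != [ ] && proxyTo.host != null)` guard would keep the two frontends consistent. While the type lines are being rewritten anyway, `nullOr string` should become `nullOr str`, since `types.string` is deprecated in nixpkgs. The backend block continues past the end of the last hunk, so whether a guard exists further down is not visible here.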
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
c3d2.hq.statistics.enable = true;
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ lib, ... }:
|
||||
|
||||
{
|
||||
#imports =
|
||||
|
|
|
@ -26,14 +26,13 @@
|
|||
|
||||
boot = {
|
||||
loader = {
|
||||
# generates entry for u-boot
|
||||
generic-extlinux-compatible.enable = true;
|
||||
grub.enable = false;
|
||||
raspberryPi = {
|
||||
enable = true;
|
||||
# don't use rpi bootloader shit
|
||||
enable = false;
|
||||
version = 4;
|
||||
# TODO: this machine actually has u-boot setup but that's no
|
||||
# longer working with nixos-22.05. DO NOT REBOOT! :-)
|
||||
# https://github.com/NixOS/nixpkgs/pull/112677
|
||||
# uboot.enable = true;
|
||||
firmwareConfig = ''
|
||||
gpu_mem=192
|
||||
dtparam=audio=on
|
||||
|
@ -86,9 +85,9 @@
|
|||
pkgs.makeModulesClosure (x // { allowMissing = true; });
|
||||
};
|
||||
|
||||
nix = {
|
||||
buildCores = 4;
|
||||
maxJobs = 2;
|
||||
nix.settings = {
|
||||
cores = 4;
|
||||
max-jobs = 2;
|
||||
};
|
||||
|
||||
sops = {
|
||||
|
@ -131,5 +130,14 @@
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.extraConfig = ''
|
||||
# Keep cores 2-3 exclusive for SDR processing
|
||||
CPUAffinity=0-1
|
||||
'';
|
||||
systemd.services = {
|
||||
soapysdr-server.serviceConfig.CPUAffinity = "2-2";
|
||||
readsdb.serviceConfig.CPUAffinity = "3-3";
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -54,14 +54,14 @@
|
|||
'';
|
||||
|
||||
nix = {
|
||||
buildCores = 2;
|
||||
maxJobs = 1;
|
||||
# trustedUsers = [ "client" ];
|
||||
extraOptions = ''
|
||||
builders-use-substitutes = true
|
||||
'';
|
||||
daemonCPUSchedPolicy = "idle";
|
||||
daemonIOSchedClass = "idle";
|
||||
settings = {
|
||||
builders-use-substitutes = true;
|
||||
cores = 2;
|
||||
max-jobs = 1;
|
||||
# trusted-users = [ "client" ];
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, nixpkgs, config, lib, pkgs, modulesPath, ... }:
|
||||
{ hostRegistry, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, pkgs, config, scrapers, ... }:
|
||||
{ pkgs, config, scrapers, ... }:
|
||||
|
||||
let
|
||||
freifunkNodes = {
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
{ zentralwerk, config, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
deployment = {
|
||||
# needs to keep just its ssh key for sops-nix
|
||||
persistedShares = [ "/home" "/etc" "/var" ];
|
||||
mem = 4096;
|
||||
vcpu = 16;
|
||||
needForSpeed = true;
|
||||
};
|
||||
c3d2 = {
|
||||
isInHq = false;
|
||||
|
@ -86,7 +88,4 @@
|
|||
inherit (pkgs.mucbot) password;
|
||||
muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz";
|
||||
};
|
||||
|
||||
# noXlibs breaks cairo:
|
||||
environment.noXlibs = false;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -9,9 +9,10 @@
|
|||
c3d2 = {
|
||||
deployment.microvmBaseZfsDataset = "server10/vm";
|
||||
hq.statistics.enable = true;
|
||||
simd.arch = "ivybridge";
|
||||
};
|
||||
|
||||
boot= {
|
||||
boot = {
|
||||
loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
|
@ -49,6 +50,7 @@
|
|||
"data-hoarder"
|
||||
"staging-data-hoarder"
|
||||
];
|
||||
skyflake.nomad.client.meta."c3d2.cpuSpeed" = "4";
|
||||
|
||||
system.stateVersion = "21.11"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
microvms = {
|
||||
staging-data-hoarder = {
|
||||
flakeref = "git+file:///tmp/dvb-nix-config";
|
||||
};
|
||||
staging-data-hoarder.flakeref = "git+file:///tmp/dvb-nix-config";
|
||||
};
|
||||
|
||||
realizeFlake = with pkgs; "${writeScriptBin "realize-flake" ''
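Review bot: `staging-data-hoarder.flakeref = "git+file:///tmp/dvb-nix-config";` still takes the MicroVM's build input from a repository under `/tmp`, a directory that every local account can write to and that is not guaranteed to survive a reboot. A path that any account can create or replace should not decide what gets built, so the checkout would be safer in a directory owned by root or the deploying user, for example `git+file:///var/lib/dvb-nix-config` (constructed path; use the real location). The `let` block continues outside the hunk, so how `realizeFlake` consumes the ref is not visible here.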
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
c3d2 = {
|
||||
# deployment.microvmBaseZfsDataset = "tank/storage";
|
||||
hq.statistics.enable = true;
|
||||
simd.arch = "westmere";
|
||||
};
|
||||
|
||||
boot = {
|
||||
loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
# Define on which hard drive you want to install Grub.
|
||||
device = "/dev/disk/by-id/scsi-3600300570140a6102b0acad9825149f2"; # or "nodev" for efi only
|
||||
};
|
||||
|
||||
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
kernelParams = [
|
||||
"preempt=none"
|
||||
# No server/router runs any untrusted user code
|
||||
"mitigations=off"
|
||||
];
|
||||
tmpOnTmpfs = true;
|
||||
tmpOnTmpfsSize = "80%";
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "server8";
|
||||
hostId = "08080808";
|
||||
};
|
||||
|
||||
services = {
|
||||
openssh.enable = true;
|
||||
smartd.enable = true;
|
||||
zfs.autoScrub.enable = true;
|
||||
};
|
||||
|
||||
skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3";
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
}
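Review bot: `"mitigations=off"` is justified by the comment `# No server/router runs any untrusted user code`, but this same commit adds `server8` to `microvmServers` and sets Nomad client metadata for it, so the host appears intended to run guest workloads deployed by several users. With CPU side-channel mitigations disabled on a hypervisor host, isolation between guests and between guest and host rests on the hardware alone, and a `westmere` part predates any in-silicon fixes. I would drop the parameter on MicroVM hosts, or at least reword the comment to `# trade-off: all guests on this host are trusted; side-channel mitigations disabled for speed` so the decision is explicit.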
|
|
@ -0,0 +1,61 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "megaraid_sas" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "server8_root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var" =
|
||||
{ device = "server8_root/nixos/var";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{ device = "server8_root/nixos/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nix/store" =
|
||||
{ device = "server8_root/nixos/nix/store";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nix/var" =
|
||||
{ device = "server8_root/nixos/nix/var";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/984ea997-9591-4efb-8212-8381ad829d0b";
|
||||
fsType = "ext2";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0f0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0f1.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0f2.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0f3.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp8s0f0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp8s0f1.useDHCP = lib.mkDefault true;
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
|
@ -1,10 +1,17 @@
|
|||
{ config, pkgs, ... }:
|
||||
_:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
boot= {
|
||||
|
||||
c3d2 = {
|
||||
deployment.microvmBaseZfsDataset = "tank/storage";
|
||||
hq.statistics.enable = true;
|
||||
simd.arch = "westmere";
|
||||
};
|
||||
|
||||
boot = {
|
||||
loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
|
@ -25,22 +32,24 @@
|
|||
hostName = "server9";
|
||||
hostId = "09090909";
|
||||
};
|
||||
system.stateVersion = "21.11";
|
||||
services.openssh.enable = true;
|
||||
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.smartd.enable = true;
|
||||
# required by libvirtd
|
||||
security.polkit.enable = true;
|
||||
|
||||
c3d2 = {
|
||||
deployment.microvmBaseZfsDataset = "tank/storage";
|
||||
hq.statistics.enable = true;
|
||||
services = {
|
||||
openssh.enable = true;
|
||||
smartd.enable = true;
|
||||
zfs.autoScrub.enable = true;
|
||||
};
|
||||
|
||||
skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3";
|
||||
|
||||
system.stateVersion = "21.11";
|
||||
|
||||
# XXX: enable for zw-ev and poelzi-ha until we find a better solution
|
||||
virtualisation.libvirtd = {
|
||||
enable = true;
|
||||
onShutdown = "shutdown";
|
||||
};
|
||||
# required by libvirtd
|
||||
security.polkit.enable = true;
|
||||
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{ zentralwerk, ... }:
|
||||
_:
|
||||
|
||||
{
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
|
|
|
@ -1,13 +1,12 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
deployment = {
|
||||
persistedShares = [ "/etc" "/home" "/var" ];
|
||||
mem = 512;
|
||||
};
|
||||
c3d2 = {
|
||||
isInHq = false;
|
||||
hq.statistics.enable = true;
|
||||
deployment = {
|
||||
server = "server9";
|
||||
mounts = [ "etc" "home" "var" ];
|
||||
mountBase = "/tank/storage/${config.networking.hostName}";
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
|
|
|
@ -1,36 +1,16 @@
|
|||
{ zentralwerk, config, pkgs, ... }:
|
||||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
let
|
||||
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
|
||||
mac = {
|
||||
pub = "DE:91:C7:51:D1:C5";
|
||||
serv = "C6:40:E0:21:9B:A4";
|
||||
};
|
||||
in
|
||||
{
|
||||
networking.hostName = "stream";
|
||||
c3d2.hq.statistics.enable = true;
|
||||
c3d2.deployment = {
|
||||
server = "server9";
|
||||
autoNetSetup = false;
|
||||
mounts = [];
|
||||
deployment = {
|
||||
persistedShares = [ "/etc" "/home" "/var" ];
|
||||
storage = "big";
|
||||
mem = 4096;
|
||||
networks = lib.mkForce [ "pub" "serv" ];
|
||||
};
|
||||
microvm.mem = 2048;
|
||||
microvm.interfaces = [ {
|
||||
type = "tap";
|
||||
id = "pub-stream";
|
||||
mac = mac.pub;
|
||||
} {
|
||||
type = "tap";
|
||||
id = "serv-stream";
|
||||
mac = mac.serv;
|
||||
} ];
|
||||
microvm.shares = map (name: {
|
||||
source = "/tank/storage/stream/${name}";
|
||||
mountPoint = "/${name}";
|
||||
tag = name;
|
||||
proto = "virtiofs";
|
||||
socket = "${name}.socket";
|
||||
}) [ "etc" "home" "var" ];
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
|
@ -39,19 +19,14 @@ in
|
|||
# rest of the network so that I am reachable by
|
||||
# public-access-proxy.
|
||||
|
||||
links."00-serv" = {
|
||||
matchConfig.MACAddress = mac.serv;
|
||||
linkConfig.Name = "serv";
|
||||
};
|
||||
|
||||
networks."00-serv" = {
|
||||
matchConfig.MACAddress = mac.serv;
|
||||
networks."30-serv" = {
|
||||
networkConfig.IPv6AcceptRA = false;
|
||||
# try harder disabling global ipv6
|
||||
networkConfig.LinkLocalAddressing = "no";
|
||||
addresses = [ {
|
||||
addressConfig.Address = "${config.c3d2.hosts.stream.ip4}/${toString zentralwerk.lib.config.site.net.serv.subnet4Len}";
|
||||
} ];
|
||||
gateway = lib.mkForce [];
|
||||
routes = [ {
|
||||
routeConfig = {
|
||||
Destination = "172.20.0.0/14";
|
||||
|
@ -61,15 +36,9 @@ in
|
|||
};
|
||||
|
||||
# On the pub network I am a normal client.
|
||||
|
||||
links."00-pub" = {
|
||||
matchConfig.MACAddress = mac.pub;
|
||||
linkConfig.Name = "pub";
|
||||
};
|
||||
|
||||
networks."01-pub" = {
|
||||
matchConfig.MACAddress = mac.pub;
|
||||
networks."30-pub" = {
|
||||
networkConfig.DHCP = "ipv4";
|
||||
gateway = lib.mkForce [];
|
||||
networkConfig.IPv6AcceptRA = true;
|
||||
};
|
||||
};
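Review bot: `authFile = pkgs.writeText "htpasswd" "…"` stays in the `let` block on the new side, which keeps a password hash in the Git history and in the world-readable Nix store; its 13-character form looks like traditional DES crypt, which is weak against offline guessing. Since the `mac` attrset next to it is being removed anyway, this would be a good moment to move the credential into the repository's sops-managed secrets, reference the decrypted file path instead, and regenerate it with a modern scheme such as bcrypt. Where `authFile` is consumed is outside the visible hunks, so the exact option to change cannot be named from here.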
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{ zentralwerk, config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
{ zentralwerk, config, ... }:
|
||||
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
let
|
||||
domain = "zengel.datenspuren.de";
|
||||
in {
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.hostName = "zengel";
|
||||
microvm.mem = 1024;
|
||||
c3d2.deployment = {
|
||||
|
@ -13,7 +12,7 @@ in {
|
|||
|
||||
services.engelsystem = {
|
||||
enable = true;
|
||||
domain = domain;
|
||||
domain = "zengel.datenspuren.de";
|
||||
createDatabase = true;
|
||||
package = pkgs.engelsystem.override { php = pkgs.php74; };
|
||||
config = {
|
||||
|
@ -50,7 +49,7 @@ in {
|
|||
services.phpfpm.phpPackage = pkgs.php74;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${domain}" = {
|
||||
virtualHosts."${config.services.engelsystem.domain}" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
bluetoothSupport = true;
|
||||
advancedBluetoothCodecs = true;
|
||||
zeroconfSupport = true;
|
||||
}).overrideAttrs (oldAttrs: {
|
||||
}).overrideAttrs (_: {
|
||||
# one test times out
|
||||
doCheck = false;
|
||||
});
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
{
|
||||
config.services.postgresqlBackup = {
|
||||
enable = config.services.postgresql.enable;
|
||||
inherit (config.services.postgresql) enable;
|
||||
backupAll = true;
|
||||
compression = "zstd";
|
||||
# compressionLevel = 9; # TODO: only available with 21.11
|
||||
compressionLevel = 9;
|
||||
pgdumpOptions = "--create --clean";
|
||||
startAt = "*-*-* 06:00:00";
|
||||
};
|
||||
|
|
|
@ -157,6 +157,18 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
simd = {
|
||||
enable = lib.mkEnableOption "optimized builds with simd instructions";
|
||||
arch = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features.
|
||||
Can be determined with: gcc -march=native -Q --help=target | grep march
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options.sshKeys = mkOption {
|
||||
|
@ -169,21 +181,21 @@ in
|
|||
|
||||
config =
|
||||
let
|
||||
adminKeys = (with builtins; lib.lists.flatten (
|
||||
adminKeys = with builtins; lib.lists.flatten (
|
||||
map
|
||||
(getAttr "sshKeys")
|
||||
(attrValues cfg.users)
|
||||
));
|
||||
);
|
||||
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
|
||||
in
|
||||
{
|
||||
networking.hosts = lib.mkIf cfg.mergeHostsFile
|
||||
((
|
||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
|
||||
(lib.attrsets.filterAttrs (n: v: v.ip4 != null) cfg.hosts)
|
||||
(lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
|
||||
) // (
|
||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
|
||||
(lib.attrsets.filterAttrs (n: v: v.ip6 != null) cfg.hosts)
|
||||
(lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
|
||||
));
|
||||
|
||||
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
||||
|
@ -383,9 +395,13 @@ in
|
|||
|
||||
nix = {
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
builders-use-substitutes = true;
|
||||
connect-timeout = 20;
|
||||
experimental-features = "nix-command flakes";
|
||||
fallback = true;
|
||||
# don't self feed hydra
|
||||
trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
|
||||
(builtins.readFile ../hosts/hydra/cache-pub.key)
|
||||
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
|
||||
];
|
||||
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
||||
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
|
||||
|
@ -407,10 +423,6 @@ in
|
|||
url = "https://gitea.c3d2.de/C3D2/nix-config.git";
|
||||
};
|
||||
};
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
builders-use-substitutes = true
|
||||
'';
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
|
@ -423,32 +435,22 @@ in
|
|||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
# Network fetchers
|
||||
bmon
|
||||
curl
|
||||
wget
|
||||
ethtool
|
||||
git
|
||||
# System monitors
|
||||
htop
|
||||
iotop
|
||||
bmon
|
||||
ripgrep
|
||||
# Terminal managers
|
||||
tmux
|
||||
screen
|
||||
# Editors
|
||||
vim
|
||||
# Pipeview
|
||||
pv
|
||||
# Network debugging
|
||||
tcpdump
|
||||
ethtool
|
||||
mtr
|
||||
pv
|
||||
ripgrep
|
||||
screen
|
||||
tcpdump
|
||||
tmux
|
||||
tree
|
||||
vim
|
||||
wget
|
||||
];
|
||||
variables = {
|
||||
# TERM = "xterm-256color";
|
||||
};
|
||||
# breaks various package builds
|
||||
noXlibs = lib.mkForce false;
|
||||
};
|
||||
|
||||
programs = {
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
{ zentralwerk, hostRegistry, config, lib, pkgs, ... }:
|
||||
{ zentralwerk, hostRegistry, config, lib, ... }:
|
||||
let
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
# hydra does *not* use this module because it only runs a nomad
|
||||
# server but no client and no microvms
|
||||
servers = [ "server9" "server10" "hydra" ];
|
||||
microvmServers = [ "server9" "server10" ];
|
||||
servers = [ "server8" "server9" "server10" "hydra" ];
|
||||
microvmServers = [ "server8" "server9" "server10" ];
|
||||
storageServers = [ "server8" "server9" ];
|
||||
|
||||
serverNet = server:
|
||||
builtins.foldl' (result: net:
|
||||
|
@ -14,8 +15,6 @@ let
|
|||
then net
|
||||
else result
|
||||
) null [ "cluster" "serv" ];
|
||||
|
||||
ipv4Addr = zentralwerk.lib.config.site.net.${serverNet hostName}.hosts4.${hostName};
|
||||
in {
|
||||
# Open firewall between cluster members
|
||||
networking.firewall.extraCommands = lib.concatMapStrings (server:
|
||||
|
@ -31,21 +30,35 @@ in {
|
|||
|
||||
# Cluster configuration
|
||||
skyflake = {
|
||||
# debug = true;
|
||||
nodes = builtins.listToAttrs (
|
||||
map (name: {
|
||||
inherit name;
|
||||
value.address = builtins.trace name hostRegistry.hosts.${name}.ip4;
|
||||
value.address = hostRegistry.hosts.${name}.ip4;
|
||||
}) servers
|
||||
);
|
||||
nomad = {
|
||||
datacenter = "c3d2";
|
||||
servers = servers;
|
||||
inherit servers;
|
||||
# run tasks only on these:
|
||||
client.enable = builtins.elem hostName microvmServers;
|
||||
client.meta =
|
||||
lib.optionalAttrs (builtins.elem hostName storageServers) {
|
||||
"c3d2.storage" = "big";
|
||||
};
|
||||
};
|
||||
microvmUid = 997;
|
||||
|
||||
users.c3d2.sshKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
users.c3d2 = {
|
||||
uid = 1001;
|
||||
sshKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
};
|
||||
users.leon = {
|
||||
uid = 1002;
|
||||
sshKeys = with import ../../users.nix;
|
||||
leon.sshKeys ++
|
||||
astro.sshKeys;
|
||||
};
|
||||
deploy.customizationModule = ./deployment.nix;
|
||||
|
||||
storage.glusterfs = {
|
||||
|
@ -53,7 +66,16 @@ in {
|
|||
servers = microvmServers;
|
||||
mountPoint = "/glusterfs/fast";
|
||||
source = "/var/glusterfs-fast";
|
||||
} {
|
||||
servers = storageServers;
|
||||
mountPoint = "/glusterfs/big";
|
||||
source = "/var/glusterfs-big";
|
||||
} ];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
# additional gcroots
|
||||
"L+ /nix/var/nix/gcroots/skyflake-microvms-big - - - - /glusterfs/big/gcroots"
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,22 +1,79 @@
|
|||
{ lib, ... }:
|
||||
{ zentralwerk, config, lib, ... }:
|
||||
# our custom options
|
||||
{
|
||||
options.deployment = with lib; {
|
||||
vcpu = mkOption {
|
||||
type = types.int;
|
||||
default = 2;
|
||||
default = 4;
|
||||
};
|
||||
mem = mkOption {
|
||||
type = types.int;
|
||||
default = 512;
|
||||
};
|
||||
hypervisor = mkOption {
|
||||
type = types.enum [
|
||||
"qemu"
|
||||
"cloud-hypervisor"
|
||||
"firecracker"
|
||||
"crosvm"
|
||||
"kvmtool"
|
||||
];
|
||||
default = "cloud-hypervisor";
|
||||
};
|
||||
networks = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [ "serv" ];
|
||||
default = builtins.attrNames (
|
||||
lib.filterAttrs (_: { hosts4, hosts6, ... }:
|
||||
hosts4 ? ${config.networking.hostName} ||
|
||||
lib.filterAttrs (_: hosts6:
|
||||
hosts6 ? ${config.networking.hostName}
|
||||
) hosts6 != {}
|
||||
) zentralwerk.lib.config.site.net
|
||||
);
|
||||
};
|
||||
persistedShares = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [ "/etc" "/home" "/var" ];
|
||||
};
|
||||
storage = mkOption {
|
||||
type = types.enum [ "fast" "big" ];
|
||||
default = "fast";
|
||||
description = ''
|
||||
Which glusterfs volume to use for persistedShares
|
||||
'';
|
||||
};
|
||||
extraShares = mkOption {
|
||||
type = with types; listOf (submodule {
|
||||
options = {
|
||||
source = mkOption {
|
||||
type = str;
|
||||
};
|
||||
mountPoint = mkOption {
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
description = ''
|
||||
Extra shares. THESE MUST BE AVAILABLE ON ALL MICROVM HOSTS!
|
||||
'';
|
||||
};
|
||||
needForSpeed = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Prefer deployment on Nomad clients with a higher c3d2.cpuSpeed
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
# HACK: Avoid conflicts when building a NixOS configuration on Hydra
|
||||
boot.loader.grub.enable = false;
|
||||
fileSystems."/" = lib.mkDefault {
|
||||
device = "rootfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "size=50%,mode=0755" ];
|
||||
};
|
||||
};
|
||||
}
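Review bot: `extraShares.source` is typed as a bare `str`, and the customization module elsewhere in this commit passes it unchanged as a virtiofs `source`, so whoever writes a VM's configuration can expose any host directory to the guest. If deployments come from several users, as the new `users.leon` entry in the cluster module suggests, I would restrict it, for instance `type = path;` plus an assertion that `source` lies under an agreed prefix, and state that limit in the description next to the existing "MUST BE AVAILABLE ON ALL MICROVM HOSTS" warning. The new `vcpu`, `mem`, `hypervisor`, `networks` and `persistedShares` options also have no `description`.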
|
||||
|
|
|
@ -8,17 +8,9 @@ let
|
|||
flpk = "flpk-gw";
|
||||
};
|
||||
|
||||
nets = builtins.attrNames (
|
||||
lib.filterAttrs (net: { hosts4, hosts6, ... }:
|
||||
hosts4 ? ${hostName} ||
|
||||
lib.filterAttrs (ctx: hosts6:
|
||||
hosts6 ? ${hostName}
|
||||
) hosts6 != {}
|
||||
) zentralwerk.lib.config.site.net
|
||||
);
|
||||
|
||||
inherit (config.networking) hostName;
|
||||
inherit (config.system.build.skyflake-deployment) user repo vmName;
|
||||
inherit (config.deployment) networks;
|
||||
|
||||
generateMacAddress = net:
|
||||
let
|
||||
|
@ -33,32 +25,48 @@ let
|
|||
then s
|
||||
else withoutLeadingSlash s';
|
||||
|
||||
writableStoreOverlayImage = "/var/tmp/${user}-${repo}-${vmName}-overlay.img";
|
||||
|
||||
in
|
||||
{
|
||||
microvm = {
|
||||
hypervisor = "cloud-hypervisor";
|
||||
vcpu = config.deployment.vcpu;
|
||||
mem = config.deployment.mem;
|
||||
inherit (config.deployment) mem vcpu hypervisor;
|
||||
|
||||
shares = [ {
|
||||
proto = "virtiofs";
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
} ] ++ map (mountPoint: {
|
||||
proto = "virtiofs";
|
||||
tag = builtins.replaceStrings [ "/" ] [ "-" ] (
|
||||
withoutLeadingSlash mountPoint
|
||||
);
|
||||
source = "/storage/glusterfs/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}";
|
||||
inherit mountPoint;
|
||||
}) config.deployment.persistedShares;
|
||||
# volumes = [ {
|
||||
# image = "/storage/glusterfs/microvms/${user}/${repo}/${vmName}/overlay.img";
|
||||
# mountPoint = "/";
|
||||
# size = 8 * 1024;
|
||||
# } ];
|
||||
# writableStoreOverlay = "/nix/.rw-store";
|
||||
preStart = ''
|
||||
# Discard old writable store overlay
|
||||
rm -f "${writableStoreOverlayImage}"
|
||||
'';
|
||||
|
||||
shares =
|
||||
[ {
|
||||
proto = "virtiofs";
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
} ]
|
||||
++
|
||||
map (mountPoint: {
|
||||
proto = "virtiofs";
|
||||
tag = builtins.replaceStrings [ "/" ] [ "-" ] (
|
||||
withoutLeadingSlash mountPoint
|
||||
);
|
||||
source = "/glusterfs/${config.deployment.storage}/microvms/${user}/${repo}/${vmName}/${withoutLeadingSlash mountPoint}";
|
||||
inherit mountPoint;
|
||||
}) config.deployment.persistedShares
|
||||
++
|
||||
map ({ source, mountPoint }: {
|
||||
proto = "virtiofs";
|
||||
tag = builtins.replaceStrings [ "/" ] [ "-" ] (
|
||||
withoutLeadingSlash mountPoint
|
||||
);
|
||||
inherit mountPoint source;
|
||||
}) config.deployment.extraShares;
|
||||
volumes = [ {
|
||||
image = writableStoreOverlayImage;
|
||||
mountPoint = config.microvm.writableStoreOverlay;
|
||||
size = 8 * 1024;
|
||||
} ];
|
||||
writableStoreOverlay = "/nix/.rw-store";
|
||||
|
||||
interfaces = map (net: {
|
||||
type = "tap";
|
||||
|
@ -67,6 +75,21 @@ in
|
|||
}) config.deployment.networks;
|
||||
};
|
||||
|
||||
skyflake = {
|
||||
nomadJob = {
|
||||
constraints = lib.optionals (config.deployment.storage == "big") [ {
|
||||
attribute = "\${meta.c3d2.storage}";
|
||||
value = "big";
|
||||
} ];
|
||||
affinities = lib.optionals config.deployment.needForSpeed (builtins.genList (i: {
|
||||
attribute = "\${meta.c3d2.cpuSpeed}";
|
||||
operator = ">=";
|
||||
value = toString (i + 1);
|
||||
weight = 10 + i;
|
||||
}) 10);
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
dhcpcd.enable = false;
|
||||
|
@ -81,7 +104,7 @@ in
|
|||
# rename interface to net name
|
||||
linkConfig.Name = net;
|
||||
};
|
||||
}) {} nets;
|
||||
}) {} networks;
|
||||
|
||||
networks = builtins.foldl' (networks: net: networks // {
|
||||
"30-${net}" =
|
||||
|
@ -112,6 +135,10 @@ builtins.filter (hosts6: hosts6 ? ${hostName}) (
|
|||
)
|
||||
);
|
||||
};
|
||||
}) {} nets;
|
||||
}) {} networks;
|
||||
};
|
||||
|
||||
# nix-gc breaks writable store overlays, devastating running
|
||||
# MicroVMs
|
||||
nix.gc.automatic = false;
|
||||
}
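Review bot: `writableStoreOverlayImage = "/var/tmp/${user}-${repo}-${vmName}-overlay.img"` puts the writable store overlay at a predictable name in a directory every local account can write to, and `preStart` runs `rm -f` on it before the image is recreated. Nothing ties that path to the MicroVM's own user, so the file at that name is not guaranteed to be the one the VM created. A per-VM directory owned by the MicroVM user (the cluster module sets `microvmUid = 997`) would avoid this, e.g. `writableStoreOverlayImage = "/var/lib/microvms/${vmName}/overlay.img";` (constructed path; adjust to the state directory Skyflake actually uses). The `let` block and the `generateMacAddress` helper start outside the hunks.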
|
||||
|
|
|
@ -1,127 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
# TODO: move to flake
|
||||
nixcloud-webservices = pkgs.fetchFromGitHub {
|
||||
owner = "nixcloud";
|
||||
repo = "nixcloud-webservices";
|
||||
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
|
||||
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
|
||||
};
|
||||
inherit (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }) nixcloud;
|
||||
|
||||
profilesDir = "/nix/var/nix/profiles/lxc";
|
||||
inherit (config.lxc) containers;
|
||||
inherit (config.nix) nixPath;
|
||||
|
||||
toLxcConfig' = path: a:
|
||||
if builtins.isString a then ''
|
||||
${path} = ${a}
|
||||
'' else if builtins.isInt a then ''
|
||||
${path} = ${toString a}
|
||||
'' else if builtins.isAttrs a then
|
||||
lib.concatMapStrings (name:
|
||||
let path' = if path == "" then name else "${path}.${name}";
|
||||
in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a)
|
||||
else if builtins.isList a then
|
||||
lib.concatMapStrings (toLxcConfig' path) a
|
||||
else
|
||||
throw "Invalid LXC config value";
|
||||
toLxcConfig = toLxcConfig' "";
|
||||
|
||||
lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } ''
|
||||
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
|
||||
'';
|
||||
in {
|
||||
options = with types; {
|
||||
lxc.containers = mkOption {
|
||||
type = attrs;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf (containers != { }) {
|
||||
virtualisation.lxc.enable = true;
|
||||
environment.systemPackages = [ nixcloud.container ];
|
||||
|
||||
virtualisation.lxc.defaultConfig = ''
|
||||
lxc.id_map = u 0 100000 65536
|
||||
lxc.id_map = g 0 100000 65536
|
||||
'';
|
||||
users.users.root.subGidRanges = [{
|
||||
count = 65536;
|
||||
startGid = 100000;
|
||||
}];
|
||||
users.users.root.subUidRanges = [{
|
||||
count = 65536;
|
||||
startUid = 100000;
|
||||
}];
|
||||
|
||||
systemd.services = if true then
|
||||
{ }
|
||||
else
|
||||
builtins.foldl' (services: name:
|
||||
let
|
||||
systemDir = "/${profilesDir}/${name}/system";
|
||||
lxcDefaults = {
|
||||
lxc = {
|
||||
uts.name = name;
|
||||
rootfs.path = "/run/current-system/sw/share/lxc/rootfs";
|
||||
mount.entry = [
|
||||
"${systemDir}/init /init none bind,ro 0 0"
|
||||
"/nix/store /nix/store none bind,ro 0 0"
|
||||
];
|
||||
autodev = 1;
|
||||
include = "/run/current-system/sw/share/lxc/config/common.conf";
|
||||
apparmor.profile = "generated";
|
||||
environment = "TERM=linux";
|
||||
};
|
||||
};
|
||||
config = builtins.getAttr name containers;
|
||||
lxcConfig = builtins.toFile "lxc-container-${name}.conf"
|
||||
# TODO: more intelligent merging?
|
||||
(toLxcConfig (lxcDefaults // config.lxc));
|
||||
|
||||
builder = {
|
||||
description = "Build NixOS for lxc container ${name}";
|
||||
wants = [ "nix-daemon.socket" ];
|
||||
after = [ "nix-daemon.service" ];
|
||||
|
||||
path = with pkgs; [ coreutils nix ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
Environment = [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ];
|
||||
};
|
||||
|
||||
script = ''
|
||||
mkdir -p ${profilesDir}/${name}
|
||||
|
||||
nix-env -p ${profilesDir}/${name}/system \
|
||||
-I nixos-config=${config.nixos-config} \
|
||||
-f '<nixpkgs/nixos>' \
|
||||
--set -A system
|
||||
'';
|
||||
};
|
||||
starter = {
|
||||
description = "LXC container ${name}";
|
||||
requires = [ "lxc-container-${name}-builder.service" ];
|
||||
after = [ "lxc-container-${name}-builder.service" ];
|
||||
|
||||
path = with pkgs; [ lxc apparmor-parser ];
|
||||
|
||||
script = ''
|
||||
mkdir -p /var/lib/lxc/${name}
|
||||
ln -fs ${lxcConfig} /var/lib/lxc/${name}/config
|
||||
lxc-start -F -n ${name}
|
||||
'';
|
||||
};
|
||||
in services // {
|
||||
"lxc-container-${name}-builder" = builder;
|
||||
"lxc-container-${name}" = starter;
|
||||
}) { } (builtins.attrNames containers);
|
||||
};
|
||||
}
|
|
@ -1,57 +0,0 @@
|
|||
{ hostRegistry, config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
|
||||
nginxGlobalLogging = ''
|
||||
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
|
||||
'"remote_addr": "$remote_addr", '
|
||||
'"body_bytes_sent": $body_bytes_sent, '
|
||||
'"request_time": $request_time, '
|
||||
'"response_status": $status, '
|
||||
'"request": "$request", '
|
||||
'"request_method": "$request_method", '
|
||||
'"host": "$host",'
|
||||
'"upstream_cache_status": "$upstream_cache_status",'
|
||||
'"upstream_addr": "$upstream_addr",'
|
||||
'"http_x_forwarded_for": "$http_x_forwarded_for",'
|
||||
'"http_referrer": "$http_referer", '
|
||||
'"http_user_agent": "$http_user_agent" }';
|
||||
|
||||
# replace the hostnames with the IP or hostname of your Graylog2 server
|
||||
access_log syslog:server=graylog.server.org:12301 graylog2_json;
|
||||
error_log syslog:server=graylog.server.org:12302;
|
||||
'';
|
||||
|
||||
in {
|
||||
# add central logging
|
||||
services.journalbeat = {
|
||||
enable = false;
|
||||
extraConfig = ''
|
||||
journalbeat.inputs:
|
||||
# Paths that should be crawled and fetched. Possible values files and directories.
|
||||
# When setting a directory, all journals under it are merged.
|
||||
# When empty starts to read from local journal.
|
||||
- paths: []
|
||||
|
||||
journalbeat:
|
||||
seek_position: cursor
|
||||
cursor_seek_fallback: tail
|
||||
write_cursor_state: true
|
||||
cursor_flush_period: 5s
|
||||
clean_field_names: true
|
||||
convert_to_numbers: false
|
||||
move_metadata_to_field: journal
|
||||
default_type: journal
|
||||
kernel: true
|
||||
output.logstash:
|
||||
# Boolean flag to enable or disable the output module.
|
||||
enabled: true
|
||||
hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
|
||||
'';
|
||||
};
|
||||
|
||||
services.prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{ hostRegistry, config, pkgs, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/profiles/docker-container.nix")
|
||||
];
|
||||
|
||||
boot = {
|
||||
isContainer = true;
|
||||
loader = {
|
||||
grub.enable = false;
|
||||
# /sbin/init
|
||||
initScript.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."resolv.conf".text = lib.concatMapStrings (ns: ''
|
||||
nameserver ${ns}
|
||||
'') config.networking.nameservers;
|
||||
|
||||
fileSystems."/" = {
|
||||
fsType = "rootfs";
|
||||
device = "rootfs";
|
||||
};
|
||||
|
||||
nix = {
|
||||
useSandbox = false;
|
||||
maxJobs = lib.mkDefault 1;
|
||||
buildCores = lib.mkDefault 4;
|
||||
};
|
||||
|
||||
networking = {
|
||||
interfaces.eth0 = {
|
||||
useDHCP = false;
|
||||
tempAddress = "disabled";
|
||||
};
|
||||
nameservers = with hostRegistry.hosts.dnscache; [
|
||||
ip4
|
||||
ip6
|
||||
"9.9.9.9"
|
||||
];
|
||||
networkmanager.dns = "unbound";
|
||||
useDHCP = false;
|
||||
useHostResolvConf = false;
|
||||
useNetworkd = true;
|
||||
};
|
||||
|
||||
services = {
|
||||
# Required for remote deployment
|
||||
openssh.enable = true;
|
||||
resolved.enable = false;
|
||||
};
|
||||
|
||||
# Create a few files early before packing tarball for Proxmox architecture/OS detection.
|
||||
system.extraSystemBuilderCmds = ''
|
||||
mkdir -m 0755 -p $out/bin
|
||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||
mkdir -m 0755 -p $out/sbin
|
||||
ln -s ../init $out/sbin/init
|
||||
'';
|
||||
|
||||
systemd.network.networks."40-eth0".networkConfig = {
|
||||
IPv6AcceptRA = true;
|
||||
LinkLocalAddressing = "ipv6";
|
||||
};
|
||||
}
|
|
@ -59,13 +59,11 @@
|
|||
};
|
||||
|
||||
nix.settings = {
|
||||
min-free = 128000000;
|
||||
max-free = 1000000000;
|
||||
# fetch github-prebuilt microvm-kernels
|
||||
substituters = [
|
||||
"https://microvm.cachix.org"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys="
|
||||
];
|
||||
substituters = [ "https://microvm.cachix.org" ];
|
||||
trusted-public-keys = [ "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys=" ];
|
||||
};
|
||||
|
||||
environment.systemPackages = [ (
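Review bot: The `min-free` / `max-free` pair in `nix.settings` lets the Nix daemon start a garbage collection in the middle of a build once free space drops below the threshold. That looks at odds with another module in this comparison, which sets `nix.gc.automatic = false` with the comment that nix-gc breaks writable store overlays of running MicroVMs. Whether this host carries such overlays is not visible in the hunk, so please confirm. If it does, drop the two settings or record why collection is safe here, e.g. `# GC via min-free is safe: no MicroVM on this host uses a writable store overlay`.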
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{ zentralwerk, options, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
defaultGateways = {
|
||||
serv = "serv-gw";
|
||||
|
@ -19,22 +20,27 @@ let
|
|||
"${builtins.substring 0 1 hash}2:${c 2}:${c 4}:${c 6}:${c 8}:${c 10}";
|
||||
|
||||
nets = builtins.attrNames (
|
||||
lib.filterAttrs (net: { hosts4, hosts6, ... }:
|
||||
lib.filterAttrs (_: { hosts4, hosts6, ... }:
|
||||
hosts4 ? ${hostName} ||
|
||||
lib.filterAttrs (ctx: hosts6:
|
||||
lib.filterAttrs (_: hosts6:
|
||||
hosts6 ? ${hostName}
|
||||
) hosts6 != {}
|
||||
) zentralwerk.lib.config.site.net
|
||||
);
|
||||
|
||||
arch-to-host = rec {
|
||||
server9 = "westmere";
|
||||
server10 = "ivybridge";
|
||||
nomad = server9;
|
||||
};
|
||||
in
|
||||
{
|
||||
options.c3d2.deployment = with lib; {
|
||||
server = mkOption {
|
||||
type = types.enum [ "server9" "server10" "nomad" ];
|
||||
type = types.enum [ "server9" "server10" ];
|
||||
default = null;
|
||||
description = ''
|
||||
Server that is supposed to host this MicroVM,
|
||||
or \"nomad\" for HA clustering.
|
||||
Server that is supposed to host this MicroVM.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -62,21 +68,10 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config.system.build = with pkgs; {
|
||||
copyToServer = writeScript "copy-to-${server}" ''
|
||||
#! ${runtimeShell} -e
|
||||
|
||||
nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@
|
||||
'';
|
||||
|
||||
runOnServer = writeScript "run-on-${server}" ''
|
||||
#! ${runtimeShell} -e
|
||||
|
||||
ssh root@${serverFQDN} -- $@
|
||||
'';
|
||||
};
|
||||
|
||||
config = {
|
||||
# autoupdates do not make sense inside MicroVMs with read-only /nix/store
|
||||
c3d2.autoUpdate = false;
|
||||
|
||||
boot.kernelParams = [
|
||||
"preempt=none"
|
||||
# No server/router runs any untrusted user code
|
||||
|
@ -123,6 +118,9 @@ in
|
|||
useNetworkd = true;
|
||||
};
|
||||
|
||||
# nix store is mounted read only
|
||||
nix.gc.automatic = false;
|
||||
|
||||
systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup {
|
||||
links = builtins.foldl' (links: net: links // {
|
||||
"30-${net}" = {
|
||||
|
@ -165,10 +163,20 @@ in
|
|||
}) {} nets;
|
||||
};
|
||||
|
||||
# autoupdates do not make sense inside MicroVMs with read-only /nix/store
|
||||
c3d2.autoUpdate = false;
|
||||
c3d2.simd.arch = arch-to-host.${config.c3d2.deployment.server};
|
||||
|
||||
# nix store is mounted read only
|
||||
nix.gc.automatic = false;
|
||||
system.build = with pkgs; {
|
||||
copyToServer = writeScript "copy-to-${server}" ''
|
||||
#! ${runtimeShell} -e
|
||||
|
||||
nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@
|
||||
'';
|
||||
|
||||
runOnServer = writeScript "run-on-${server}" ''
|
||||
#! ${runtimeShell} -e
|
||||
|
||||
ssh root@${serverFQDN} -- $@
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
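Review bot: Both wrapper scripts under `system.build` expand `$@` unquoted, so an argument containing whitespace or glob characters is re-split before `nix copy` and `ssh` see it; use `nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} "$@"` and `ssh root@${serverFQDN} -- "$@"`. The `plm()` wrapper in the plume module later in this comparison has the same unquoted `$@`. Because `copyToServer` writes into the store as root on the server, a short comment such as `# --no-check-sigs: store paths are copied without signature verification` would make that trade-off explicit. Separately, `arch-to-host` keeps `nomad = server9;` although the `server` enum no longer accepts "nomad", so that entry appears unreachable.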
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
|
||||
enable = true;
|
||||
enabledCollectors = [ "ethtool" "systemd" ];
|
||||
openFirewall = true;
|
||||
};
|
||||
}
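Review bot: `openFirewall = true` opens the node exporter port to every source address, and the exporter serves host metrics without authentication, now including unit state from the `systemd` collector. If only the monitoring host needs to scrape it, narrow the rule with the module's `firewallFilter`, e.g. `firewallFilter = "-i <monitoring-interface> -p tcp -m tcp --dport 9100";` (the interface name is a placeholder). Binding `listenAddress` to the management address is an alternative.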
|
|
@ -1,13 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
nncpCfgFile = "/run/nncp.hjson";
|
||||
programCfg = lib.optionalAttrs (config.programs ? nncp) config.programs.nncp;
|
||||
callerCfg = config.services.nncp.caller;
|
||||
daemonCfg = config.services.nncp.daemon;
|
||||
settingsFormat = pkgs.formats.json { };
|
||||
jsonCfgFile = settingsFormat.generate "nncp.json" programCfg.settings;
|
||||
pkg = programCfg.package;
|
||||
in
|
||||
{
|
||||
|
@ -15,13 +12,13 @@ in
|
|||
|
||||
services.nncp = {
|
||||
caller = {
|
||||
enable = mkEnableOption ''
|
||||
enable = lib.mkEnableOption ''
|
||||
croned NNCP TCP daemon caller.
|
||||
The daemon will take configuration from
|
||||
<xref linkend="opt-programs.nncp.settings"/>
|
||||
'';
|
||||
extraArgs = mkOption {
|
||||
type = with types; listOf str;
|
||||
extraArgs = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = "Extra command-line arguments to pass to caller.";
|
||||
default = [ ];
|
||||
example = [ "-autotoss" ];
|
||||
|
@ -29,18 +26,18 @@ in
|
|||
};
|
||||
|
||||
daemon = {
|
||||
enable = mkEnableOption ''
|
||||
enable = lib.mkEnableOption ''
|
||||
NNCP TCP synronization daemon.
|
||||
The daemon will take configuration from
|
||||
<xref linkend="opt-programs.nncp.settings"/>
|
||||
'';
|
||||
|
||||
socketActivation = {
|
||||
enable = mkEnableOption ''
|
||||
enable = lib.mkEnableOption ''
|
||||
Whether to run nncp-daemon persistently or socket-activated.
|
||||
'';
|
||||
listenStreams = mkOption {
|
||||
type = with types; listOf str;
|
||||
listenStreams = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = ''
|
||||
TCP sockets to bind to.
|
||||
See <xref linkend="opt-systemd.sockets._name_.listenStreams"/>.
|
||||
|
@ -49,8 +46,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
extraArgs = mkOption {
|
||||
type = with types; listOf str;
|
||||
extraArgs = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = "Extra command-line arguments to pass to daemon.";
|
||||
default = [ ];
|
||||
example = [ "-autotoss" ];
|
||||
|
@ -60,15 +57,14 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config = mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) {
|
||||
|
||||
config = lib.mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) {
|
||||
assertions = [{
|
||||
assertion = with builtins;
|
||||
assertion =
|
||||
let
|
||||
callerCongfigured =
|
||||
let neigh = config.programs.nncp.settings.neigh or { };
|
||||
in lib.lists.any (x: hasAttr "calls" x && x.calls != [ ])
|
||||
(attrValues neigh);
|
||||
in lib.lists.any (x: lib.hasAttr "calls" x && x.calls != [ ])
|
||||
(lib.attrValues neigh);
|
||||
in !callerCfg.enable || callerCongfigured;
|
||||
message = "NNCP caller enabled but call configuration is missing";
|
||||
}];
|
||||
|
@ -89,7 +85,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services."nncp-daemon" = mkIf daemonCfg.enable {
|
||||
systemd.services."nncp-daemon" = lib.mkIf daemonCfg.enable {
|
||||
enable = !daemonCfg.socketActivation.enable;
|
||||
description = "NNCP TCP syncronization daemon.";
|
||||
documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ];
|
||||
|
@ -106,7 +102,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services."nncp-daemon@" = mkIf daemonCfg.socketActivation.enable {
|
||||
systemd.services."nncp-daemon@" = lib.mkIf daemonCfg.socketActivation.enable {
|
||||
description = "NNCP TCP syncronization daemon.";
|
||||
documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ];
|
||||
after = [ "network.target" ];
|
||||
|
@ -123,7 +119,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.sockets.nncp-daemon = mkIf daemonCfg.socketActivation.enable {
|
||||
systemd.sockets.nncp-daemon = lib.mkIf daemonCfg.socketActivation.enable {
|
||||
inherit (daemonCfg.socketActivation) listenStreams;
|
||||
description = "socket for NNCP TCP syncronization.";
|
||||
conflicts = [ "nncp-daemon.service" ];
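Review bot: In `config = lib.mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable)` the `or` is Nix's attribute-default operator, not a boolean OR. The condition is therefore `programCfg.enable` whenever that attribute exists and `callerCfg.enable` otherwise, and `daemonCfg.enable` is never consulted. A host that enables only the daemon gets none of this `config` block. Write it as `config = lib.mkIf ((programCfg.enable or false) || callerCfg.enable || daemonCfg.enable) {`. The commit only changes the `mkIf` prefix on that line, so the condition itself predates it.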
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
inherit (pkgs) plume;
|
||||
cfg = config.services.plume;
|
||||
in
|
||||
{
|
||||
|
@ -33,7 +32,7 @@ in
|
|||
ids.uids.plume = 499;
|
||||
users.users.${cfg.user} = {
|
||||
uid = config.ids.uids.plume;
|
||||
group = cfg.group;
|
||||
inherit (cfg) group;
|
||||
home = "/var/lib/plume";
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
|
@ -52,11 +51,11 @@ in
|
|||
after = [ "postgresql.service" ];
|
||||
requires = [ "postgresql.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ plume ];
|
||||
path = [ pkgs.plume ];
|
||||
script = ''
|
||||
ln -sf ${cfg.envFile} .env
|
||||
mkdir -p static/media
|
||||
for f in ${plume}/share/plume/static/*; do
|
||||
for f in ${pkgs.plume}/share/plume/static/*; do
|
||||
n=$(basename "$f")
|
||||
if [ "$n" != media ]; then
|
||||
rm -f "static/$n"
|
||||
|
@ -79,7 +78,7 @@ in
|
|||
#! ${pkgs.runtimeShell} -e
|
||||
|
||||
plm() {
|
||||
sudo -u ${config.services.plume.user} -- ${plume}/bin/plm $@
|
||||
sudo -u ${config.services.plume.user} -- ${pkgs.plume}/bin/plm $@
|
||||
}
|
||||
|
||||
plm migration run
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
boot = {
|
||||
loader.generic-extlinux-compatible.enable = false;
|
||||
|
|
|
@ -1,146 +0,0 @@
|
|||
{ nixos-unstable
|
||||
, tracer
|
||||
, bevy-julia
|
||||
, bevy-mandelbrot
|
||||
}:
|
||||
|
||||
final: prev:
|
||||
|
||||
let
|
||||
pkgs-unstable = nixos-unstable.legacyPackages.${prev.system};
|
||||
in
|
||||
with final; {
|
||||
allcolors = with final; rustPlatform.buildRustPackage rec {
|
||||
pname = "allcolors";
|
||||
version = "0.1.0";
|
||||
src = fetchFromGitHub {
|
||||
owner = "polygon";
|
||||
repo = "allcolors-rs";
|
||||
rev = "023bd480245052357a7fd5f42181ff6e67d98b31";
|
||||
sha256 = "sha256-whaV+k5xh01OQNOehwkEBUDpMWn47mvVihVwchBvWoE=";
|
||||
};
|
||||
cargoPatches = [ ./allcolors-cargo-update.patch ];
|
||||
cargoSha256 = "sha256-RbfACA4hcyemGkw9bqjpIk393SBgBM939I95+grVI0c=";
|
||||
nativeBuildInputs = [ copyDesktopItems ];
|
||||
buildInputs = [
|
||||
xorg.libX11
|
||||
xorg.libXcursor
|
||||
xorg.libXrandr
|
||||
xorg.libXi
|
||||
libGL
|
||||
mesa
|
||||
];
|
||||
postFixup = ''
|
||||
patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs
|
||||
'';
|
||||
desktopItems = [ (makeDesktopItem {
|
||||
name = "allcolors";
|
||||
desktopName = "Polygon's allcolors-rs";
|
||||
categories = [ "Game" ];
|
||||
exec = "allcolors-rs";
|
||||
}) ];
|
||||
};
|
||||
|
||||
# HACK: referenced by sdrweb
|
||||
# TODO: remove with 22.11
|
||||
alsaUtils = final.alsa-utils;
|
||||
|
||||
inherit (bevy-julia.packages.${system}) bevy_julia;
|
||||
inherit (bevy-mandelbrot.packages.${system}) bevy_mandelbrot;
|
||||
|
||||
bmxd = callPackage ./bmxd.nix { };
|
||||
|
||||
dump1090-influxdb = callPackage ./dump1090-influxdb { };
|
||||
|
||||
dump1090_rs = callPackage ./dump1090_rs.nix { };
|
||||
|
||||
chromium = prev.chromium.override {
|
||||
commandLineArgs = "--enable-features=VaapiVideoEncoder,VaapiVideoDecoder,CanvasOopRasterization --force-dark-mode";
|
||||
};
|
||||
|
||||
# hydra flake
|
||||
hydra = prev.hydra.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches or [ ] ++ [
|
||||
# gitea webhook support
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/pull/1227/commits/750978a19232583e17620a1bd80435e957e7213a.patch";
|
||||
sha256 = "sha256-86Li0YUSVUdnw6lt6kZ56ohDRKPD13SZzukqPU1np8U=";
|
||||
})
|
||||
# fix github webhook from orgs
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/commit/4d664ecb0faaf51b21673f979b543ea4694c3f1b.patch";
|
||||
sha256 = "sha256-lF5Rnz8r9ptyMLhcg/XnjiNhOK1KcLA7hi01ye4KgmI=";
|
||||
})
|
||||
];
|
||||
});
|
||||
|
||||
# hydra in nixpkgs
|
||||
hydra_unstable = prev.hydra_unstable.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches or [ ] ++ [
|
||||
# gitea webhook support
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/pull/1227/commits/750978a19232583e17620a1bd80435e957e7213a.patch";
|
||||
sha256 = "sha256-86Li0YUSVUdnw6lt6kZ56ohDRKPD13SZzukqPU1np8U=";
|
||||
})
|
||||
# fix github webhook from orgs
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/commit/4d664ecb0faaf51b21673f979b543ea4694c3f1b.patch";
|
||||
sha256 = "sha256-lF5Rnz8r9ptyMLhcg/XnjiNhOK1KcLA7hi01ye4KgmI=";
|
||||
})
|
||||
];
|
||||
});
|
||||
|
||||
mlat-client = prev.python3Packages.callPackage ./mlat-client.nix { };
|
||||
|
||||
nixVersions =
|
||||
prev.nixVersions // {
|
||||
stable = prev.nixVersions.stable.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches or [ ] ++ lib.optionals (lib.versionAtLeast prev.nixVersions.stable.version "2.9") [
|
||||
# use github.com archive URL instead of api.github.com
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/nix/pull/6997.patch";
|
||||
sha256 = "sha256-JaQ6OY1RjxCYymkI/x0rmKH8XVXYs5psRwNJ4TPHPS0=";
|
||||
})
|
||||
];
|
||||
});
|
||||
};
|
||||
|
||||
inherit (nixos-unstable.legacyPackages.${prev.targetPlatform.system}) nomad_1_3;
|
||||
|
||||
openssh = prev.openssh.overrideAttrs (oldAttrs: {
|
||||
# takes 30 minutes
|
||||
doCheck = false;
|
||||
});
|
||||
|
||||
pile = prev.callPackage ./pile.nix { };
|
||||
|
||||
pi-sensors = prev.callPackage ./pi-sensors { };
|
||||
|
||||
plume = prev.callPackage ./plume { };
|
||||
|
||||
readsb = prev.callPackage ./readsb.nix { };
|
||||
|
||||
SimpleYggGen-CPP = prev.callPackage ./simpleygggen.nix { };
|
||||
|
||||
tracer-game =
|
||||
let
|
||||
broken = true;
|
||||
reason = "haddock runs on affection for 10 hours and more";
|
||||
in
|
||||
if broken
|
||||
then throw "tracer-game: ${reason}"
|
||||
else tracer.packages.${system}.tracer-game;
|
||||
|
||||
# HACK: referenced by hydra-module.nix but removed from nixos-unstable in 2022-09
|
||||
# TODO: remove with 22.11
|
||||
utillinux = final.util-linux;
|
||||
|
||||
# vector-0.23 + mqtt-sink
|
||||
vector = pkgs-unstable.callPackage ./vector {};
|
||||
|
||||
wander =
|
||||
if prev ? wander
|
||||
then builtins.trace "`wander` is now available on stable NixOS. Please remove from overlay!"
|
||||
prev.wander
|
||||
else pkgs-unstable.wander;
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
{ lib
|
||||
, copyDesktopItems
|
||||
, fetchFromGitHub
|
||||
, rustPlatform
|
||||
, libGL
|
||||
, makeDesktopItem
|
||||
, mesa
|
||||
, xorg
|
||||
}:
|
||||
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "allcolors";
|
||||
version = "0.1.0";
|
||||
src = fetchFromGitHub {
|
||||
owner = "polygon";
|
||||
repo = "allcolors-rs";
|
||||
rev = "023bd480245052357a7fd5f42181ff6e67d98b31";
|
||||
sha256 = "sha256-whaV+k5xh01OQNOehwkEBUDpMWn47mvVihVwchBvWoE=";
|
||||
};
|
||||
cargoPatches = [ ./allcolors-cargo-update.patch ];
|
||||
cargoSha256 = "sha256-RbfACA4hcyemGkw9bqjpIk393SBgBM939I95+grVI0c=";
|
||||
nativeBuildInputs = [ copyDesktopItems ];
|
||||
buildInputs = [
|
||||
xorg.libX11
|
||||
xorg.libXcursor
|
||||
xorg.libXrandr
|
||||
xorg.libXi
|
||||
libGL
|
||||
mesa
|
||||
];
|
||||
postFixup = ''
|
||||
patchelf --set-rpath ${lib.makeLibraryPath buildInputs} $out/bin/allcolors-rs
|
||||
'';
|
||||
desktopItems = [
|
||||
(makeDesktopItem {
|
||||
name = "allcolors";
|
||||
desktopName = "Polygon's allcolors-rs";
|
||||
categories = [ "Game" ];
|
||||
exec = "allcolors-rs";
|
||||
})
|
||||
];
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ stdenv, fetchgit, fetchpatch, }:
|
||||
{ stdenv, fetchgit }:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
pname = "bmxd";
|
|
@ -0,0 +1,84 @@
|
|||
{ bevy-julia
|
||||
, bevy-mandelbrot
|
||||
, tracer
|
||||
}:
|
||||
|
||||
final: prev:
|
||||
|
||||
with final; {
|
||||
allcolors = callPackage ./allcolors.nix { };
|
||||
|
||||
inherit (bevy-julia.packages.${system}) bevy_julia;
|
||||
inherit (bevy-mandelbrot.packages.${system}) bevy_mandelbrot;
|
||||
|
||||
bmxd = callPackage ./bmxd.nix { };
|
||||
|
||||
boehmgc = prev.boehmgc.overrideAttrs(_: {
|
||||
# tests fail under emulation
|
||||
doCheck = false;
|
||||
});
|
||||
|
||||
dump1090-influxdb = callPackage ./dump1090-influxdb { };
|
||||
|
||||
dump1090_rs = callPackage ./dump1090_rs.nix { };
|
||||
|
||||
chromium = prev.chromium.override {
|
||||
commandLineArgs = "--enable-features=VaapiVideoEncoder,VaapiVideoDecoder,CanvasOopRasterization --force-dark-mode";
|
||||
};
|
||||
|
||||
# hydra flake
|
||||
hydra = prev.hydra.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches or [ ] ++ [
|
||||
# gitea webhook support
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/pull/1227/commits/750978a19232583e17620a1bd80435e957e7213a.patch";
|
||||
sha256 = "sha256-86Li0YUSVUdnw6lt6kZ56ohDRKPD13SZzukqPU1np8U=";
|
||||
})
|
||||
# fix github webhook from orgs
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/commit/4d664ecb0faaf51b21673f979b543ea4694c3f1b.patch";
|
||||
sha256 = "sha256-lF5Rnz8r9ptyMLhcg/XnjiNhOK1KcLA7hi01ye4KgmI=";
|
||||
})
|
||||
];
|
||||
});
|
||||
|
||||
# hydra in nixpkgs
|
||||
hydra_unstable = prev.hydra_unstable.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches or [ ] ++ [
|
||||
# gitea webhook support
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/pull/1227/commits/750978a19232583e17620a1bd80435e957e7213a.patch";
|
||||
sha256 = "sha256-86Li0YUSVUdnw6lt6kZ56ohDRKPD13SZzukqPU1np8U=";
|
||||
})
|
||||
# fix github webhook from orgs
|
||||
(fetchpatch {
|
||||
url = "https://github.com/NixOS/hydra/commit/4d664ecb0faaf51b21673f979b543ea4694c3f1b.patch";
|
||||
sha256 = "sha256-lF5Rnz8r9ptyMLhcg/XnjiNhOK1KcLA7hi01ye4KgmI=";
|
||||
})
|
||||
];
|
||||
});
|
||||
|
||||
mlat-client = python3Packages.callPackage ./mlat-client.nix { };
|
||||
|
||||
openssh = prev.openssh.overrideAttrs (_: {
|
||||
# takes 30 minutes
|
||||
doCheck = false;
|
||||
});
|
||||
|
||||
pile = callPackage ./pile.nix { };
|
||||
|
||||
pi-sensors = callPackage ./pi-sensors { };
|
||||
|
||||
plume = callPackage ./plume { };
|
||||
|
||||
readsb = callPackage ./readsb.nix { };
|
||||
|
||||
simpleygggen-cpp = callPackage ./simpleygggen.nix { };
|
||||
|
||||
telme10 = callPackage ./telme10.nix { };
|
||||
|
||||
tracer-game =
|
||||
if true
|
||||
then throw "tracer-game: haddock runs on affection for 10 hours and more"
|
||||
else tracer.packages.${system}.tracer-game;
|
||||
}
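Review bot: The `openssh` override sets `doCheck = false` for every platform, so the sshd these hosts run is built without its test suite, and an overridden derivation is presumably no longer substituted from the binary cache. If the 30-minute run is only a problem for the emulated builds that the `boehmgc` comment mentions, guard both overrides with a platform condition. Otherwise say so in the comment, e.g. `# takes 30 minutes; tests are skipped on all platforms on purpose`. The `hydra` and `hydra_unstable` overrides also repeat the same two `fetchpatch` entries and could share one `let`-bound list.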
|
|
@ -1,19 +1,19 @@
|
|||
{
|
||||
gis-distance = {
|
||||
groups = ["default"];
|
||||
platforms = [];
|
||||
groups = [ "default" ];
|
||||
platforms = [ ];
|
||||
source = {
|
||||
remotes = ["https://rubygems.org"];
|
||||
remotes = [ "https://rubygems.org" ];
|
||||
sha256 = "1kgv1scv25b65d9xfricj1ayd2iry7imgk7qw4mryd91mhriibaf";
|
||||
type = "gem";
|
||||
};
|
||||
version = "1.1.0";
|
||||
};
|
||||
influxdb = {
|
||||
groups = ["default"];
|
||||
platforms = [];
|
||||
groups = [ "default" ];
|
||||
platforms = [ ];
|
||||
source = {
|
||||
remotes = ["https://rubygems.org"];
|
||||
remotes = [ "https://rubygems.org" ];
|
||||
sha256 = "1l2sjf8kaw3adjjg3l7zg1j735yxdfldf04gl9kjc3hbpdcd7d4w";
|
||||
type = "gem";
|
||||
};
|
|
@ -1,5 +1,7 @@
|
|||
{ fetchFromGitHub, rustPlatform
|
||||
, pkg-config, llvmPackages
|
||||
{ fetchFromGitHub
|
||||
, rustPlatform
|
||||
, pkg-config
|
||||
, llvmPackages
|
||||
, soapysdr-with-plugins
|
||||
}:
|
||||
|
Some files were not shown because too many files have changed in this diff Show More