diff --git a/flake.lock b/flake.lock index 64a1044d..67359eb1 100644 --- a/flake.lock +++ b/flake.lock @@ -1,39 +1,33 @@ { "nodes": { "hydra": { - "info": { - "lastModified": 1587883324, - "narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus=" - }, "inputs": { "nix": "nix", "nixpkgs": "nixpkgs_2" }, "locked": { - "owner": "ehmry", + "lastModified": 1593509723, + "narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=", + "owner": "NixOS", "repo": "hydra", - "rev": "e93c36aab1bf96cf392ab0e40157b0620638b599", + "rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed", "type": "github" }, "original": { - "owner": "ehmry", - "ref": "sotest", - "repo": "hydra", - "type": "github" + "id": "hydra", + "type": "indirect" } }, "nix": { - "info": { - "lastModified": 1586440843, - "narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo=" - }, "inputs": { "nixpkgs": "nixpkgs" }, "locked": { + "lastModified": 1592818267, + "narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=", "owner": "NixOS", "repo": "nix", - "rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef", + "rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221", "type": "github" }, "original": { @@ -42,14 +36,12 @@ } }, "nixpkgs": { - "info": { - "lastModified": 1585405475, - "narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE=" - }, "locked": { + "lastModified": 1591633336, + "narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be", + "rev": "70717a337f7ae4e486ba71a500367cad697e5f09", "type": "github" }, "original": { 
@@ -59,14 +51,12 @@ } }, "nixpkgs_2": { - "info": { - "lastModified": 1586219474, - "narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78=" - }, "locked": { + "lastModified": 1592263354, + "narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29eddfc36d720dcc4822581175217543b387b1e8", + "rev": "a84b797b28eb104db758b5cb2b61ba8face6744b", "type": "github" }, "original": { @@ -75,31 +65,16 @@ "type": "indirect" } }, - "nixpkgs_3": { - "info": { - "lastModified": 1586724123, - "narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo=" - }, - "locked": { - "owner": "nixos", - "repo": "nixpkgs-channels", - "rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-20.03", - "repo": "nixpkgs-channels", - "type": "github" - } - }, "root": { "inputs": { "hydra": "hydra", - "nixpkgs": "nixpkgs_3" + "nixpkgs": [ + "hydra", + "nixpkgs" + ] } } }, "root": "root", - "version": 5 + "version": 7 } diff --git a/flake.nix b/flake.nix index d0c283f0..0d7f5fd1 100644 --- a/flake.nix +++ b/flake.nix @@ -1,17 +1,18 @@ { description = "C3D2 NixOS configurations"; - edition = 201909; - - inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03"; - inputs.hydra.url = "github:ehmry/hydra/sotest"; + inputs = { + nixpkgs.follows = "hydra/nixpkgs"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + # secrets.url = "git+file:///etc/nixos/secrets"; + }; outputs = { self, nixpkgs, hydra }: { nixosConfigurations = { - server7 = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; + glotzbert = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/glotzbert/configuration.nix ]; system = "x86_64-linux"; }; 
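Review bot: After this hunk `hydra` is no longer declared under `inputs` at all, so it is resolved as an indirect flake reference through whatever flake registry the machine running `nix flake update` happens to have (the lock file in this same commit now records `"type": "indirect"` for it), and `nixpkgs` for every host follows `hydra/nixpkgs`. The lock pins a concrete NixOS/hydra revision today, but the registry lookup is what gets re-resolved on the next update, and a different registry entry would silently change the source of both hydra and nixpkgs for the whole fleet. Declaring the source explicitly, `hydra.url = "github:NixOS/hydra";` next to the `nixpkgs.follows` line, keeps that supply-chain decision in the repository instead of in the updater's registry. The `outputs` attribute set continues outside the hunk.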
@@ -20,8 +21,18 @@ system = "x86_64-linux"; }; + kibana = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/containers/kibana/configuration.nix ]; + system = "x86_64-linux"; + }; + pulsebert = nixpkgs.lib.nixosSystem { modules = [ ./hosts/pulsebert/configuration.nix ]; + system = "aarch64-linux"; + }; + + server7 = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; system = "x86_64-linux"; }; diff --git a/host-registry.nix b/host-registry.nix index a12b7a23..f26044ba 100644 --- a/host-registry.nix +++ b/host-registry.nix @@ -9,7 +9,7 @@ rec { ledstripes = {}; glotzbert.publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4"; + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG"; hydra.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig"; diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix index b42e54f3..602b52a4 100644 --- a/hosts/containers/deployer/configuration.nix +++ b/hosts/containers/deployer/configuration.nix @@ -25,6 +25,9 @@ htop ]; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; + networking = { hostName = "deployer"; # usePredictableInterfacenames = false; diff --git a/hosts/containers/dhcp/configuration.nix b/hosts/containers/dhcp/configuration.nix index c0dfdc06..1aaa5400 100644 --- a/hosts/containers/dhcp/configuration.nix +++ b/hosts/containers/dhcp/configuration.nix @@ -31,7 +31,10 @@ services.dhcpd4 = { enable = true; interfaces = [ "eth0" ]; - extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config; + extraConfig = '' + authoritative; + + '' + builtins.readFile ../../../secrets/hosts/dhcp/config; }; # This value determines the NixOS release with which your system is to be 
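Review bot: The `extraConfig` line still embeds `../../../secrets/hosts/dhcp/config` through `builtins.readFile`, so the rendered dhcpd.conf, reservations and anything else in that secrets file included, ends up in the world-readable Nix store of the container and of every machine that evaluates the flake; the new `authoritative;` prefix does not change that. If the file really is secret, point dhcpd at a path deployed outside the store instead, for example an `include "/var/lib/dhcpd/secret.conf";` line in `extraConfig` with the file placed there by the deployment tool, and keep only the non-sensitive `authoritative;` in the Nix expression. If it only holds host reservations that are not considered secret, a comment saying so would save the next reader the question. The `services.dhcpd4` set is complete within the hunk.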
diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 01a49504..eb52ddf6 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -30,8 +30,6 @@ in { environment.systemPackages = with pkgs; [ vim - # for `vtysh` - quagga ]; # SSH for nixops @@ -41,6 +39,12 @@ in { # No Firewalling! networking.firewall.enable = false; + boot.postBootCommands = '' + if [ ! -c /dev/net/tun ]; then + mkdir -p /dev/net + mknod -m 666 /dev/net/tun c 10 200 + fi + ''; services.openvpn = let openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; @@ -63,7 +67,9 @@ in { secret ${keyfile name} ''; up = '' - ${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1 + ${pkgs.iproute}/bin/ip addr flush dev $1 + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 + ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 ''; }; in { diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 81530821..8986091d 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -22,6 +22,7 @@ networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; networking.defaultGateway = "172.20.73.1"; services.resolved.enable = false; + networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -73,6 +74,7 @@ "::1/128" "172.20.72.0/21" "10.0.0.0/24" + "10.200.0.0/15" "172.22.99.0/24" "127.0.0.0/8" ]; @@ -217,7 +219,7 @@ Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}" ''; network = '' - Server "grafana.hq.c3d2.de" "25826" + Server "grafana.serv.zentralwerk.dn42" "25826" ''; }; extraConfig = '' diff --git a/hosts/containers/elastic/configuration.nix b/hosts/containers/elastic/configuration.nix index a7a2fa31..16f9f8b0 100644 
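Review bot: The rewritten `up` script mixes two names for the same interface: the flush and the IPv6 add use `$1` (the tun device OpenVPN passes to the script), but the IPv4 line uses `dev ${name}`, the Nix attribute name of the peer. Unless the OpenVPN config for each peer sets `dev ${name}` (only `secret ${keyfile name}` of that config is visible in the hunk), the IPv4 address lands on a different or nonexistent interface while the other two lines succeed silently. Using `dev $1` on that line as well, `${pkgs.iproute}/bin/ip addr add ${address4} dev $1 peer ${conf.address4}/32`, removes the dependency. Note also that `ip addr flush dev $1` now runs before the adds, so any address OpenVPN configured itself via `ifconfig` is discarded on every (re)start; that looks intended but deserves a one-line comment. The enclosing `services.openvpn` let-binding starts outside the hunk.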
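Review bot: Adding `10.200.0.0/15` to this list grants recursive resolution to the whole Freifunk mesh range, which, judging by the node addresses the scrape container uses in this same commit, is a network of third-party nodes rather than the C3D2 /21. If this list is unbound's `access-control` allow set, the container becomes a recursive resolver open to that mesh and a candidate for reflection traffic from it; it is worth confirming that the mesh is actually supposed to use this cache and, if so, enabling `ratelimit` and `minimal-responses` in unbound's `extraConfig` and documenting the intent with a comment like `# Freifunk mesh, served on purpose`. The list begins before the hunk, so I cannot see which unbound option it feeds.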
--- a/hosts/containers/elastic/configuration.nix +++ b/hosts/containers/elastic/configuration.nix @@ -17,6 +17,8 @@ networking = { hostName = "elastic1"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/freifunk/sysinfo-json.nix b/hosts/containers/freifunk/sysinfo-json.nix index 3aafe3c2..d374b5a0 100644 --- a/hosts/containers/freifunk/sysinfo-json.nix +++ b/hosts/containers/freifunk/sysinfo-json.nix @@ -56,7 +56,7 @@ stdenv.mkDerivation { --replace awk ${gawk}/bin/awk '' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList ( - var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n" + var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n" ) nvram); installPhase = '' pwd diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index e47ad8d7..ad061778 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix @@ -1,24 +1,22 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { imports = [ - + (modulesPath + "/profiles/minimal.nix") ../../../lib ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; - c3d2 = { - isInHq = true; - hq.interface = "eth0"; - enableHail = true; - }; + c3d2.isInHq = false; services.openssh.enable = true; networking.hostName = "grafana"; networking.useNetworkd = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; # http https influxdb networking.firewall.allowedTCPPorts = [ 80 443 8086 ]; 
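Review bot: The replacement text `'${value}'` is still spliced into the shell command as a bare single-quoted string, while the search pattern on the same line goes through `lib.strings.escapeShellArg`; a value containing a single quote (a node contact or description, say) breaks the generated `substituteInPlace` command, and a value containing `'; …` becomes shell code in the build. Escaping both sides the same way, `--replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} ${lib.strings.escapeShellArg value}`, closes that. The values come from the `nvram` attribute set defined outside the hunk, so I cannot tell whether they are all fixed literals; escaping consistently is cheap either way. The `mkDerivation` body continues on both sides of the hunk.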
@@ -39,7 +37,7 @@ enable = true; org_name = "Chaos"; }; - users.allowSignUp = true; + users.allowSignUp = false; }; services.influxdb = let collectdTypes = pkgs.stdenv.mkDerivation { diff --git a/hosts/containers/kibana/configuration.nix b/hosts/containers/kibana/configuration.nix new file mode 100644 index 00000000..ce543d4c --- /dev/null +++ b/hosts/containers/kibana/configuration.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ]; + + networking.hostName = "kibana"; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + # Required for krops + services.openssh.enable = true; + environment.systemPackages = [ pkgs.git ]; + + nixpkgs.config.allowUnfree = true; + services.elasticsearch = { + enable = true; + package = pkgs.elasticsearch7; + }; + services.kibana = { + enable = true; + package = pkgs.kibana7; + }; + + security.acme = { + acceptTerms = true; + email = "mail@c3d2.de"; + }; + services.nginx = + let + authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; + vhost = url: { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = url; + extraConfig = '' + auth_basic "Chaos"; + auth_basic_user_file ${authFile}; + ''; + }; + }; + in + { + enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "kibana.hq.c3d2.de" = + vhost "http://127.0.0.1:${toString config.services.kibana.port}"; + "kibana-es.hq.c3d2.de" = + vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}"; + }; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "20.03"; # Did you read the comment? +} diff --git a/hosts/containers/ledstripes/configuration.nix b/hosts/containers/ledstripes/configuration.nix index 55d9a129..e549161e 100644 --- a/hosts/containers/ledstripes/configuration.nix +++ b/hosts/containers/ledstripes/configuration.nix 
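Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"` commits a password hash to the repository and places it in the world-readable Nix store of the container and of every machine that builds the flake; the 13-character hash is in traditional crypt(3) DES format, which truncates the password to eight characters and is cheaply brute-forced on modern hardware. Since this one credential gates both Kibana and the raw Elasticsearch API (`kibana-es.hq.c3d2.de` proxies straight to the Elasticsearch port, which is not configured with any authentication of its own here), treat it as compromised once pushed: regenerate it with `htpasswd -B` (bcrypt), deploy the file outside the store, and point nginx at that path, e.g. `authFile = "/var/lib/nginx/kibana.htpasswd";`, leaving the `auth_basic_user_file ${authFile};` line as it is. A comment on `vhost` noting that the same credential protects both vhosts would also help the next reader decide whether the ES vhost should be reachable at all.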
@@ -1,11 +1,11 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; c3d2 = { @@ -22,8 +22,7 @@ environment.systemPackages = [ pkgs.git ]; systemd.services.ledball = - let - pile = import (toString ) { inherit pkgs; }; + let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; }; in { after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/hosts/containers/logging/configuration.nix b/hosts/containers/logging/configuration.nix index 6b2cc8bc..aff727e8 100644 --- a/hosts/containers/logging/configuration.nix +++ b/hosts/containers/logging/configuration.nix @@ -17,6 +17,8 @@ networking = { hostName = "logging"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/lxc-template.nix b/hosts/containers/lxc-template.nix index f33129df..dbb6ba58 100644 --- a/hosts/containers/lxc-template.nix +++ b/hosts/containers/lxc-template.nix @@ -2,15 +2,15 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: { - imports = - [ ../../lib/lxc-container.nix - ../../lib/shared.nix - ../../lib/admins.nix - - ]; + imports = [ + ../../lib/lxc-container.nix + ../../lib/shared.nix + ../../lib/admins.nix + (modulesPath + "/profiles/minimal.nix") + ]; networking.hostName = "nixbert"; # Define your hostname. networking.useNetworkd = false; diff --git a/hosts/containers/mongo/configuration.nix b/hosts/containers/mongo/configuration.nix index e64e4dbc..8a0e334e 100644 --- a/hosts/containers/mongo/configuration.nix +++ b/hosts/containers/mongo/configuration.nix 
@@ -18,6 +18,8 @@ networking = { hostName = "mongo"; + interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ]; + defaultGateway = "172.20.73.1"; firewall = { allowedTCPPorts = [ 22 diff --git a/hosts/containers/mucbot/configuration.nix b/hosts/containers/mucbot/configuration.nix index 4ff67308..32b073e0 100644 --- a/hosts/containers/mucbot/configuration.nix +++ b/hosts/containers/mucbot/configuration.nix @@ -12,11 +12,9 @@ in ]; networking.hostName = "mucbot"; - networking.useNetworkd = true; - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; - services.resolved.enable = false; users.users.tigger = { createHome = true; diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index f403dd03..231d05d7 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix @@ -9,13 +9,15 @@ [ ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix - ../../../lib/default-gateway.nix ./proxy.nix ]; networking.hostName = "public-access-proxy"; networking.useNetworkd = true; - networking.dhcpcd.enable = lib.mkForce true; + networking.interfaces.eth0 = { + ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ]; + }; + networking.defaultGateway = "172.20.73.1"; my.services.proxy = { enable = true; 
@@ -24,6 +26,14 @@ hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ]; proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; }; } + { + hostNames = [ "grafana.hq.c3d2.de" ]; + proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; + } + { + hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ]; + proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; + } ]; }; diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index bd174df0..e1aa115e 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -1,11 +1,21 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, modulesPath, ... }: -{ +let + freifunkNodes = { + "1139" = "10.200.4.120"; + "1487" = "10.200.5.213"; + "1884" = "10.200.7.100"; + "1891" = "10.200.7.107"; + "1768" = "10.200.6.239"; + "1176" = "10.200.7.80"; + "1099" = "10.200.4.80"; + }; +in { imports = [ - - - - + (modulesPath + "/profiles/minimal.nix") + ../../../lib + ../../../lib/lxc-container.nix + ../../../lib/shared.nix ]; c3d2 = { @@ -16,7 +26,8 @@ networking.hostName = "scrape"; - networking.useNetworkd = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; # Required for krops services.openssh.enable = true; @@ -35,6 +46,13 @@ xeriLogin = import ; fhemLogin = import ; matematLogin = import ; + makeNodeScraper = nodeId: { + name = "scrape-node${nodeId}"; + value = makeService { + script = "freifunk_node"; + host = freifunkNodes.${nodeId}; + }; + }; in { scrape-xeri = makeService { script = "xerox"; 
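Review bot: The second new entry publishes `kibana-es.hq.c3d2.de` through the public access proxy, and according to the kibana container's nginx config in this same commit that name is a reverse proxy straight onto the Elasticsearch HTTP port, protected only by an nginx basic-auth file. Exposing the Elasticsearch REST API to the internet means one leaked or guessed password gives full read, write and delete over every index plus the `_cluster`, `_cat` and scripting endpoints; Kibana itself reaches Elasticsearch on localhost and does not need this route. Unless there is a consumer outside the internal network that must talk to ES directly, drop `"kibana-es.hq.c3d2.de"` from `hostNames` and keep that vhost internal, or put a comment on the entry naming who needs it. The `my.services.proxy` list starts before the hunk.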
@@ -55,81 +73,28 @@ host = "matemat.hq.c3d2.de"; inherit (matematLogin) user password; }; - scrape-node1139 = makeService { - script = "freifunk_node"; - host = "10.200.4.120"; + } // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes)); + + systemd.timers = + let + makeTimer = service: interval: { + partOf = [ "${service}.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = interval; }; - scrape-node1487 = makeService { - script = "freifunk_node"; - host = "10.200.5.213"; - }; - scrape-node1884 = makeService { - script = "freifunk_node"; - host = "10.200.7.100"; - }; - scrape-node1891 = makeService { - script = "freifunk_node"; - host = "10.200.7.107"; - }; - scrape-node1768 = makeService { - script = "freifunk_node"; - host = "10.200.6.239"; - }; - scrape-node1176 = makeService { - script = "freifunk_node"; - host = "10.200.7.80"; - }; - }; - systemd.timers.scrape-xeri = { - partOf = [ "scrape-xeri.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-roxi = { - partOf = [ "scrape-roxi.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-fhem = { - partOf = [ "scrape-fhem.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-matemat = { - partOf = [ "scrape-matemat.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1139 = { - partOf = [ "scrape-node1139.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1487 = { - partOf = [ "scrape-node1487.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1884 = { - partOf = [ "scrape-node1884.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - 
systemd.timers.scrape-node1891 = { - partOf = [ "scrape-node1894.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1768 = { - partOf = [ "scrape-node1768.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; - systemd.timers.scrape-node1176 = { - partOf = [ "scrape-node1176.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; + makeNodeScraperTimer = nodeId: + let + name = "scrape-node${nodeId}"; + in { + inherit name; + value = makeTimer name "minutely"; + }; + in { + scrape-xeri = makeTimer "scrape-xeri.service" "minutely"; + scrape-roxi = makeTimer "scrape-roxi.service" "minutely"; + scrape-fhem = makeTimer "scrape-fhem.service" "minutely"; + scrape-matemat = makeTimer "scrape-matemat.service" "minutely"; + } // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes)); # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/hosts/containers/spaceapi/configuration.nix b/hosts/containers/spaceapi/configuration.nix index ceb6f4fa..9aa7b5e1 100644 --- a/hosts/containers/spaceapi/configuration.nix +++ b/hosts/containers/spaceapi/configuration.nix @@ -8,14 +8,13 @@ in [ ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix - ../../../lib/default-gateway.nix "${spacemsgGit}/spaceapi/module.nix" ]; networking.hostName = "spaceapi"; - networking.useNetworkd = true; - networking.useDHCP = lib.mkForce true; - networking.firewall.allowedTCPPorts = [ 3000 3001 ]; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; + networking.firewall.enable = false; services.spaceapi = { enable = true; 
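Review bot: `makeTimer` builds `partOf = [ "${service}.service" ]`, but the four hand-written calls pass names that already carry the suffix (`makeTimer "scrape-xeri.service" "minutely"`), so those timers end up with `partOf = [ "scrape-xeri.service.service" ]`, a unit that does not exist, while the node timers from `makeNodeScraperTimer` pass the bare name and are correct. systemd tolerates the dangling reference, but stopping or restarting `scrape-xeri.service` will no longer propagate to its timer. Drop the suffix in the four calls, e.g. `scrape-xeri = makeTimer "scrape-xeri" "minutely";`, and likewise for roxi, fhem and matemat. The refactor also fixes the old `scrape-node1894` typo in node1891's timer, which is worth a line in the commit message. The `systemd.services` set this follows begins outside the hunk.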
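Review bot: Replacing `networking.firewall.allowedTCPPorts = [ 3000 3001 ]` with `networking.firewall.enable = false;` turns a two-port allow list into no packet filter at all on a container that now has a fixed address on the 172.20.73.0/26 services network; anything else listening on this host (sshd from the shared container module, whatever `services.spaceapi` binds) becomes reachable from that network and from the public-access-proxy's side. If the ports merely changed, keep the firewall and list the new ones, `networking.firewall.allowedTCPPorts = [ 3000 3001 ];` or whatever `services.spaceapi` actually uses; if disabling it is deliberate, say why in a comment on that line. The `services.spaceapi` set continues outside the hunk.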
diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index b9fe982d..3d2e0b35 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -6,41 +6,48 @@ c3d2 = { users.k-ot = true; isInHq = true; - hq.interface = "enp0s10"; - enableHail = true; + hq.interface = "eno1"; + hq.enableBinaryCache = false; + enableHail = false; }; nixpkgs.config.allowUnfree = true; nix = { useSandbox = true; - buildCores = 2; + buildCores = 4; + maxJobs = 4; }; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_4_19; + boot.kernelPackages = pkgs.linuxPackages_latest; networking.hostName = "glotzbert"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.interfaces.eno1.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - i18n = { - consoleFont = "Lat2-Terminus16"; - consoleKeyMap = "de"; - defaultLocale = "en_US.UTF-8"; + console = { + font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; + keyMap = "de"; }; + i18n.defaultLocale = "en_US.UTF-8"; # Set your time zone. time.timeZone = "Europe/Berlin"; # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ wget vim x11vnc ]; + environment.systemPackages = with pkgs; [ + wget vim git tmux screen + chromium firefox + mpv kodi + ]; systemd.user.services.x11vnc = { description = "X11 VNC server"; @@ -108,11 +115,11 @@ user = "k-ot"; }; }; + defaultSession = "gnome-xorg"; }; services.xserver.desktopManager = { gnome3.enable = true; kodi.enable = true; - default = "kodi"; }; security.sudo = { 
@@ -123,7 +130,6 @@ # Define a user account. Don't forget to set a password with ‘passwd’. users.groups."k-ot" = { gid = 1000; }; users.users."k-ot" = { - password = "k-ot"; isNormalUser = true; uid = 1000; group = "k-ot"; @@ -133,6 +139,8 @@ ]; }; + users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index 35dd37d0..c61b5897 100644 --- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix 
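Review bot: Dropping `password = "k-ot"` is the right call, but it leaves the account's login state implicit: with the default `users.mutableUsers = true` the existing entry in /etc/shadow survives, while with `mutableUsers = false` the account is locked for password login, and neither is stated anywhere (the display-manager auto-login into `k-ot` a few hunks above is unaffected either way). A comment on the user definition such as `# password set out of band; see users.mutableUsers` would stop the next person from reinstating the literal. The `users.users."k-ot"` set continues outside the hunk.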
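Review bot: `users.users.emery.cryptHomeLuks = "/home/emery.luks.img";` instantiates `users.users.emery` on this host, but glotzbert's `c3d2.users` block in the first hunk of this file enables only `k-ot`; unless an imported module defines emery (the imports are outside this hunk), the account is created with module defaults, without a uid or `isNormalUser`, and will trip the user-type assertions of newer NixOS releases. Either add `c3d2.users.emery = true;` beside `users.k-ot = true;` or move the `cryptHomeLuks` line to wherever that user is actually defined. The same line was removed from pulsebert in this commit, so this looks like a relocation rather than a new account.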
@@ -1,33 +1,27 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - imports = - [ - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ]; - boot.kernelParams = [ "irqpoll" "hpet=off" ]; # noapic seems to improve things + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f"; - fsType = "btrfs"; + { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; + fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/67E3-17ED"; + { device = "/dev/disk/by-uuid/6490-45A0"; fsType = "vfat"; }; - zramSwap = { enable = true; priority = 1000; }; - swapDevices = [ - { device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934"; - } ]; + swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 2; - - services.xserver.videoDriver = "nouveau"; + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index ff33c871..78b6b6d0 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix 
@@ -4,164 +4,116 @@ { config, pkgs, ... }: -let - ympdPort = 8080; - mpdVhost = "mpd.hq.c3d2.de"; -in { +{ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../lib - ../../lib/admins.nix - ../../lib/hq.nix - ./mpdConsole.nix ]; - c3d2 = { - users = { - emery = true; - k-ot = true; - }; - isInHq = true; - mapHqHosts = true; - hq = { - interface = "eno1"; - enableMpdProxy = true; - yggdrasi.enableGateway = true; - }; - enableHail = true; - }; + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; }; + #boot.kernelPackages = pkgs.linuxPackages_rpi4; + boot.kernelPackages = pkgs.linuxPackages_latest; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_4_19; + boot.tmpOnTmpfs = true; + nix.buildCores = 4; + nix.maxJobs = 4; networking.hostName = "pulsebert"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = true; + # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - i18n = { - consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; - consoleKeyMap = "us"; - defaultLocale = "en_US.UTF-8"; - }; + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # }; + + # Set your time zone. 
+ # time.timeZone = "Europe/Amsterdam"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - # specific printer drivers for our printers - epson-escpr - splix - # utilities - nix-index - usbutils - tmux - vim - git - openssl - # NCurses Music Player Client (Plus Plus) - # a commandline front-end client for mpd - # 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben. -# ncmpcpp - home-manager - mumble - ncpamixer - ffmpeg + wget vim git + raspberrypi-tools ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # pinentryFlavor = "gnome3"; + # }; # List services that you want to enable: + # Do not log to flash: + services.journald.extraConfig = '' + Storage=volatile + ''; + # Enable the OpenSSH daemon. services.openssh.enable = true; + services.openssh.permitRootLogin = "yes"; + security.sudo = { + enable = true; + wheelNeedsPassword = false; + }; + + users.users.k-ot = { + isNormalUser = true; + extraGroups = [ "wheel" "audio" ]; + }; - # X11 Forwarding for mumble... - programs.ssh.forwardX11 = true; - services.openssh.forwardX11 = true; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 4713 # PulseAudio - 631 # cups - 80 - 443 # Web/ympd - 5000 # shairport - config.services.mpd.network.port - ]; - networking.firewall.allowedUDPPorts = [ 631 ]; - networking.firewall.extraCommands = '' - iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf - iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf - ''; # networking.firewall.allowedUDPPorts = [ ... ]; + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... 
]; # Or disable the firewall altogether. - # networking.firewall.enable = false; + networking.firewall.enable = false; # Enable CUPS to print documents. - services.printing = { - enable = true; - browsing = true; - listenAddresses = [ "*:631" ]; - defaultShared = true; - # logLevel = "debug"; - drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ]; - extraConf = - '' - DefaultAuthType Basic - - Order allow,deny - Allow ALL - - - Order allow,deny - Allow ALL - - - AuthType Basic - Require user @SYSTEM - Order allow,deny - Allow ALL - - - - Require user @OWNER @SYSTEM - Order deny,allow - - - AuthType Basic - Require user @SYSTEM - Order deny,allow - - - Require user @OWNER @SYSTEM - Order deny,allow - - - Order deny,allow - - - ''; - - }; + # services.printing.enable = true; # Enable sound. sound.enable = true; - hardware.pulseaudio.enable = true; - # PulseAudio as-a-Service - hardware.pulseaudio.systemWide = true; - hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [ - "127.0.0.0/8" "::1/128" - "172.22.99.0/24" "2a02:8106:208:5201:58::/64" - ]; - hardware.pulseaudio.tcp.enable = true; - hardware.pulseaudio.zeroconf.publish.enable = true; + hardware.bluetooth = { + enable = true; + config = { + Policy.AutoEnable = true; + General = { + Enable = "Source,Sink,Media,Socket"; + #DiscoverableTimeout = 0; + #Discoverable = true; + }; + }; + }; + hardware.pulseaudio = { + enable = true; + systemWide = true; + tcp.enable = true; + tcp.anonymousClients.allowedIpRanges = [ + "127.0.0.0/8" "::1/128" + "172.22.99.0/24" "2a02:8106:208:5201:58::/64" + ]; + zeroconf.publish.enable = true; + package = pkgs.pulseaudioFull; + extraModules = [ pkgs.pulseaudio-modules-bt ]; + }; # tell Avahi to publish CUPS and PulseAudio services.avahi = { 
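Review bot: This hunk sets `services.openssh.permitRootLogin = "yes"`, `security.sudo.wheelNeedsPassword = false` and `networking.firewall.enable = false` together on a box that now also brings up `wlan0` via DHCP, so a root password (should one ever be set) becomes guessable from any network the Pi joins, and every local listener, the PulseAudio TCP module, avahi and whatever the new bluetooth setup exposes, is reachable with no filter. The removed configuration kept the firewall on with an explicit allow list, and this repository deploys over SSH keys (host-registry.nix), so `services.openssh.permitRootLogin = "prohibit-password";` (the NixOS default) plus `services.openssh.passwordAuthentication = false;` would cost nothing, and `networking.firewall.allowedTCPPorts = [ 4713 ];` with the old mDNS rule restores the audio use case without opening everything. The `anonymousClients.allowedIpRanges` ACL only governs clients that present no cookie, so it is not a substitute for the packet filter. The `services.avahi` set on the hunk's last line continues outside it.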
@@ -170,9 +122,6 @@ in { publish.userServices = true; }; - # Enable Audio streaming for Mac clients - services.shairport-sync.enable = true; - # Enable the X11 windowing system. # services.xserver.enable = true; # services.xserver.layout = "us"; 
@@ -185,88 +134,19 @@ in { # services.xserver.displayManager.sddm.enable = true; # services.xserver.desktopManager.plasma5.enable = true; - security.pam.enableSSHAgentAuth = true; - security.sudo = { - enable = true; - wheelNeedsPassword = false; - }; + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.jane = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # }; - users.users.k-ot.extraGroups = [ "wheel" ]; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? - - # vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden - #### https://nixos.org/nixos/options.html#services.mpd.enable - # See ../../mpd.nix - services.mpd = { - enable = true; - dbFile = null; - musicDirectory = "/mnt/storage/Music"; - playlistDirectory = "/home/k-ot/Playlists"; - network.listenAddress = "any"; - - extraConfig = '' - audio_output { - type "pulse" - name "/proc" - } - ''; - }; - - services.caddy = { - enable = true; - agree = true; - # TODO: add auth? 
- config = '' - ${mpdVhost} { - proxy / localhost:${toString ympdPort} - } - - :80 { - redir https://${mpdVhost}{uri} - } - ''; - }; - - fileSystems."/mnt/storage" = { - #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool"; - #device = "storage-ng.hq.c3d2.de:/c3d2/rpool"; - device = - "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool"; - fsType = "ceph"; - options = [ - "rw" - "relatime" - "name=public" - "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ==" - "acl" - "wsize=16777216" - "_netdev" - ]; - }; - - # MPD music playing daemon with webinterface - services.ympd = { - enable = true; - webPort = toString ympdPort; - }; - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - ympd = ympd.overrideAttrs (oldAttrs: { - src = fetchFromGitHub { - owner = "c3d2"; - repo = "ympd"; - rev = "feature/somafm_browser"; - sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1"; - }; - }); - }; - programs.bash.shellAliases = { - mpv = "mpv --no-vid"; - }; - - users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; } + diff --git a/hosts/pulsebert/hardware-configuration.nix b/hosts/pulsebert/hardware-configuration.nix index 162a8fe6..f6bbb311 100644 --- a/hosts/pulsebert/hardware-configuration.nix +++ b/hosts/pulsebert/hardware-configuration.nix 
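Review bot: The removed `fileSystems."/mnt/storage"` block carried a CephX key inline via the `secret=` mount option, and deleting it from the working tree does not remove it from git history; the key of the `name=public` Ceph user should be rotated, and if the mount is re-added the key should be supplied through `secretfile=` pointing at a file kept outside the repository. The same hunk moves `system.stateVersion` from `"18.09"` to `"20.09"`, which is only correct if pulsebert is a fresh install (the rewritten hardware-configuration.nix suggests it is), because the comment above it says existing systems keep the value from their first install. The enclosing module attribute set starts outside the hunk.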
@@ -1,29 +1,39 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
- imports =
- [
- ];
+ #imports =
+ # [ (modulesPath + "/installer/scan/not-detected.nix")
+ # ];
 
- boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
- boot.kernelModules = [ "kvm-intel" ];
+ boot.initrd.availableKernelModules = [ "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
+ boot.kernelParams = [
+ "snd_bcm2835.enable_headphones=1"
+ ];
 
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
+ { device = "/dev/disk/by-label/NIXOS_SD";
 fsType = "ext4";
 };
 
 fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/6490-45A0";
+ { device = "/dev/disk/by-label/FIRMWARE";
 fsType = "vfat";
 };
 
 swapDevices = [ ];
 
- nix.maxJobs = lib.mkDefault 4;
- powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.enableRedistributableFirmware = true;
+ #networking.wireless.enable = true;
+ boot.loader.raspberryPi.firmwareConfig = ''
+ gpu_mem=192
+ dtparam=audio=on
+ '';
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
 }
diff --git a/hosts/pulsebert/home.nix b/hosts/pulsebert/home.nix
deleted file mode 100644
index 5821e300..00000000
--- a/hosts/pulsebert/home.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-
-{
- home.packages = with pkgs; [
- htop
- fortune
- ddate
- mpv
- ncmpcpp
- schedtool
- screen
- tmux
- pulsemixer
- ncpamixer
- python35.withPackages(ps: with ps; [ youtube-dl ])
- ];
-}
diff --git a/hosts/pulsebert/mpdConsole.nix b/hosts/pulsebert/mpdConsole.nix
deleted file mode 100644
index f584cd24..00000000
--- a/hosts/pulsebert/mpdConsole.nix
+++ /dev/null
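Review bot: The hand-written additions (`boot.kernelParams`, `boot.loader.raspberryPi.firmwareConfig`, `hardware.enableRedistributableFirmware`, the `performance` governor) live in a file whose header still says it was generated by `nixos-generate-config` and may be overwritten, so the next regeneration silently drops them. Either move them to `hosts/pulsebert/configuration.nix` or replace the header with something like `# Hand-maintained for the Raspberry Pi; do not regenerate with nixos-generate-config.`. The commented-out `not-detected.nix` import is left without a reason; a one-line comment saying why it is disabled would help the next reader.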
@@ -1,23 +0,0 @@ -{ pkgs, ... }: - -let tty = "tty1"; -in { - boot.extraTTYs = [ tty ]; - - systemd.services.ncmpcpp = { - description = "Mpd console"; - wantedBy = [ "multi-user.target" ]; - conflicts = [ "getty@${tty}.service" ]; - serviceConfig = { - User = "k-ot"; - ExecStart = "${pkgs.ncmpcpp}/bin/ncmpcpp"; - StandardInput = "tty"; - StandardOutput = "tty"; - TTYPath = "/dev/${tty}"; - TTYReset = true; - TTYVTDisallocate = true; - Restart = "always"; - }; - }; - -} diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix index 680bec38..f168c4f4 100644 --- a/hosts/server7/containers/outer-defaults.nix +++ b/hosts/server7/containers/outer-defaults.nix @@ -1,6 +1,6 @@ name: -let yggaddr = import ../yggaddr.nix; +let yggaddr = import ../../../lib/server7-yggaddr.nix; in { # These the container defaults from the perspective of the host. diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix index 93319fe5..fbdb2a90 100644 --- a/hosts/server7/containers/storage/default.nix +++ b/hosts/server7/containers/storage/default.nix @@ -55,6 +55,20 @@ name: }; }; + networking.interfaces.eth0 = { + ipv4 = { + addresses = [{ + address = "172.22.99.20"; + prefixLength = 24; + }]; + routes = [{ + address = "0.0.0.0"; + prefixLength = 0; + via = "172.22.99.1"; + }]; + }; + }; + networking.firewall.enable = false; }; diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 3930f872..39cdd48a 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -1,9 +1,8 @@ { config, pkgs, lib, ... }: -let yggaddr = import ./yggaddr.nix; +let yggaddr = import ../../lib/server7-yggaddr.nix; in { imports = [ - # ../../lib ../../lib/default-gateway.nix ./borgbackup.nix @@ -13,8 +12,10 @@ in { ./nix-serve.nix ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + security.acme = { - email = " mail@c3d2.de"; + email = "mail@c3d2.de"; acceptTerms = true; }; 
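Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` in the `hosts/server7/default.nix` hunk registers a binfmt_misc handler through which any local user can run aarch64 binaries under qemu-user, and the line carries no comment on why a shared x86_64 server needs that — presumably to build the new aarch64 host (pulsebert) here. A short comment such as `# Build the aarch64 hosts (pulsebert) on this machine via qemu-user emulation` would record the intent and make the added execution surface a deliberate choice rather than an accident. The enclosing `in { … }` module body starts outside the hunk.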
@@ -32,7 +33,8 @@ in { }; fileSystems."/srv/ceph" = { - device = "172.22.99.13:6789:/"; + #device = "172.22.99.13:6789:/"; + device = "172.20.72.53:6789:/"; fsType = "ceph"; options = [ "name=storage2" @@ -45,20 +47,47 @@ in { ]; }; + fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; }; + # Route IPv6 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; # Obtain global IPv6 despite being a router myself - boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2; + boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2; services.yggdrasil = { enable = true; configFile = "/var/lib/yggdrasil/keys"; - config.Peers = [ - "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha - "tcp://ygg.thingylabs.io:443" # Nürnberg - "tcp://176.223.130.120:22632" # Wrocław - "tcp://[2a05:9403::8b]:7743" # Praha - ]; + config = { + Peers = [ + + # Deutschland + "tcp://45.11.19.26:5001" + "tcp://82.165.69.111:61216" + "tcp://[2001:8d8:1800:8224::1]:61216" + + # Czechia + "tcp://195.123.245.146:7743" + "tcp://37.205.14.171:46370" + "tcp://[2a03:3b40:fe:ab::1]:46370" + "tcp://[2a05:9403::8b]:7743" + + # Poland + "tcp://176.223.130.120:22632" + "tcp://51.75.44.73:50001" + "tcp://54.37.137.221:37145" + "tcp://[2001:41d0:601:1100::cf2]:37145" + "tcp://n2o.ddns.net:22632" + "tls://54.37.137.221:14987" + "tls://[2001:41d0:601:1100::cf2]:14987" + + ]; + NodeInfo = { + location = "Dresden"; + name = "server7.y.c3d2.de"; + admin = + "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4"; + }; + }; }; security.sudo.wheelNeedsPassword = false; 
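Review bot: `fileSystems."/var/lib/ceph/osd/ceph-7"` is now declared twice — here with only `fsType = "tmpfs"`, and again in `hosts/server7/hardware-configuration.nix` (hunk `@@ -1,70 +1,59 @@`) with `device = "tmpfs"`; the module system merges them, but this declaration only works because the other one supplies the `device` it lacks, so keep a single declaration that carries the `device`. If these OSDs are activated by ceph-volume, a tmpfs at the OSD data directory is expected (it is re-primed from the block device on activation), but that deserves a comment, e.g. `# ceph-volume repopulates this tmpfs on activate; no persistent data lives here.`. The expanded Yggdrasil config also publishes `NodeInfo.name` and `NodeInfo.admin` to any node that queries it; confirm that exposure is intended. The `services.yggdrasil` block is complete in the hunk, the surrounding module body is not.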
@@ -188,4 +217,10 @@ in {
 # allow the old hydra to build here
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
 ];
+
+ services.dhcpd4 = {
+ enable = false;
+ interfaces = [ "br0" ];
+ extraConfig = "not authoritative;";
+ };
 }
diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix
index e198467f..0f87d7fa 100644
--- a/hosts/server7/hardware-configuration.nix
+++ b/hosts/server7/hardware-configuration.nix
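Review bot: The new `services.dhcpd4` block is declared with `enable = false`, so `interfaces` and `extraConfig` are dead configuration with no note on why they are kept; either drop the block or add a comment such as `# Kept disabled on purpose: <reason>; flip enable to take over DHCP on br0.`. `not authoritative;` is the right setting for a secondary server on a LAN that already has one, so the reason belongs next to the enable flag so the two are not changed independently. The enclosing authorized-keys list and module body start outside the hunk.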
@@ -1,70 +1,59 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - # imports = [ ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - boot.supportedFilesystems = [ "zfs" ]; fileSystems."/" = { device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; fsType = "ext4"; }; + fileSystems."/var/lib/ceph/osd/ceph-7" = { + device = "tmpfs"; + fsType = "tmpfs"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/9812-00B2"; fsType = "vfat"; }; - fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { - device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1" = { device = "nvme0n1"; fsType = "zfs"; }; - fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { - device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; - fsType = "zfs"; - }; - - fileSystems."/zones/archive" = { - device = "nvme0n1/archive"; - fsType = "zfs"; - }; - - fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { - device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { - device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; - fsType = "zfs"; - }; - - fileSystems."/zones/global/cores" = { - device = "nvme0n1/cores/global"; - fsType = "zfs"; - }; - fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; fsType = "zfs"; }; - 
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { - device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { + device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/zones/archive" = { + device = "nvme0n1/archive"; + fsType = "zfs"; + }; + + fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { + device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { + device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; fsType = "zfs"; }; @@ -73,11 +62,36 @@ fsType = "zfs"; }; + fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { + device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { + device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fsType = "zfs"; + }; + + fileSystems."/zones/global/cores" = { + device = "nvme0n1/cores/global"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/c3d2.de" = { device = "nvme0n1/c3d2.de"; fsType = "zfs"; }; + fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { + device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { + device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; fsType = "zfs"; 
@@ -88,43 +102,13 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { - device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { - device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/admin" = { - device = "nvme0n1/c3d2.de/admin"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/templates" = { - device = "nvme0n1/c3d2.de/templates"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { - device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; fsType = "zfs"; }; - fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { - device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { - device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { + device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; fsType = "zfs"; }; @@ -133,8 +117,8 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { - device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { + device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; fsType = "zfs"; }; @@ -143,8 +127,8 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { - device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { + device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; fsType = "zfs"; }; 
@@ -153,11 +137,31 @@ fsType = "zfs"; }; + fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { + device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; fsType = "zfs"; }; + fileSystems."/nvme0n1/c3d2.de/admin" = { + device = "nvme0n1/c3d2.de/admin"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { + device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/templates" = { + device = "nvme0n1/c3d2.de/templates"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; fsType = "zfs"; @@ -170,7 +174,6 @@ swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 10; - nix.buildCores = lib.mkDefault 40; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; + nix.maxJobs = lib.mkDefault 40; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix index 58c6d80a..13a3739a 100644 --- a/hosts/server7/nix-serve.nix +++ b/hosts/server7/nix-serve.nix @@ -10,15 +10,17 @@ services.nginx = { enable = true; - virtualHosts = { - "cache.server7.hq.c3d2.de" = { + virtualHosts = let + vhost.locations."/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${ + toString config.services.nix-serve.port + }"; + in { + "cache.server7.hq.c3d2.de" = vhost // { addSSL = true; enableACME = true; - locations."/".proxyPass = - "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; }; + "nix-serve.y.c3d2.de" = vhost; }; }; diff --git a/hosts/server7/yggdrasil-prefix.nix b/hosts/server7/yggdrasil-prefix.nix index 3aa7271d..9d1e0415 100644 --- a/hosts/server7/yggdrasil-prefix.nix +++ b/hosts/server7/yggdrasil-prefix.nix 
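Review bot: The new `"nix-serve.y.c3d2.de"` vhost in `hosts/server7/nix-serve.nix` is served over plain HTTP with no `addSSL`/`enableACME`, unlike the `cache.server7.hq.c3d2.de` vhost built from the same `vhost` base; that is presumably acceptable because the `.y.` name is reached over Yggdrasil, which encrypts the link, and a binary cache's integrity rests on its narinfo signatures rather than on TLS, but the asymmetry deserves a comment such as `# Plain HTTP: only reachable over Yggdrasil, which encrypts the transport.`. Note that `vhost // { … }` is a shallow merge; it is safe here because `vhost` defines only `locations` and the override adds only `addSSL`/`enableACME`, but a later override that sets `locations` would replace the proxy entirely. The `services.nginx` set is cut at the top of the hunk.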
@@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -let yggaddr = import ./yggaddr.nix; +let yggaddr = import ../../lib/server7-yggaddr.nix; in { boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; @@ -15,6 +15,7 @@ in { interface enp2s0f1 { AdvSendAdvert on; + AdvRouteLifetime 0; prefix ${yggaddr.prefix}:/64 { AdvOnLink on; AdvAutonomous on; diff --git a/hq.nixops b/hq.nixops index e1a0fe49..f90336ee 100644 --- a/hq.nixops +++ b/hq.nixops @@ -8,7 +8,7 @@ hosts/containers/grafana/configuration.nix ]; deployment = { - targetHost = "grafana.hq.c3d2.de"; + targetHost = "grafana.serv.zentralwerk.dn42"; storeKeysOnMachine = true; }; }; @@ -44,7 +44,7 @@ hosts/containers/public-access-proxy/configuration.nix ]; deployment = { - targetHost = "2a02:8106:208:5201:1024:5fff:febd:9be7"; + targetHost = "172.20.73.45"; storeKeysOnMachine = true; }; }; diff --git a/krops.nix b/krops.nix index 6e31df4d..30399369 100644 --- a/krops.nix +++ b/krops.nix @@ -31,4 +31,18 @@ in { scrape = deployContainer "scrape" "172.20.73.32"; ledstripes = deployContainer "ledstripes" "172.22.99.168"; freifunk = deployContainer "freifunk" "172.20.72.40"; + kibana = deployContainer "kibana" "172.20.73.44"; + + glotzbert = pkgs.krops.writeDeploy "glotzbert" { + source = hostSource "glotzbert"; + target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { + sudo = true; + }; + }; + pulsebert = pkgs.krops.writeDeploy "pulsebert" { + source = hostSource "pulsebert"; + target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { + sudo = true; + }; + }; } diff --git a/lib/default.nix b/lib/default.nix index 505a6ab1..9724d75a 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -8,7 +8,7 @@ let hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? - server7Ygg = import ../hosts/server7/yggaddr.nix; + server7Ygg = import ./server7-yggaddr.nix; # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. 
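Review bot: `AdvRouteLifetime 0;` in the `hosts/server7/yggdrasil-prefix.nix` radvd config is documented in radvd.conf(5) as an option of a `route { … }` stanza, not of an `interface` block, so at this position radvd will most likely reject the config or ignore it; the interface-level knob that keeps this host out of the hosts' default-router list is `AdvDefaultLifetime 0;`. If the goal is "announce the Yggdrasil prefix, but do not become the LAN's default gateway", change the line to `AdvDefaultLifetime 0;` and add `# announce the prefix only; lifetime 0 keeps us out of the default-router list` above it. Since the config is a string, the error would only surface when the radvd unit starts, so check its journal after the first deploy. The `interface enp2s0f1 { … }` stanza continues past the hunk.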
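Review bot: Both new deployments in `krops.nix` elevate with `sudo = true` as `k-ot@…`, while the `hosts/pulsebert/configuration.nix` hunk in this same commit removes `security.sudo.wheelNeedsPassword = false` and `users.users.k-ot.extraGroups = [ "wheel" ]`; unless k-ot's wheel membership and passwordless sudo are defined in a module not shown here, the pulsebert deploy will fail at the sudo step. Either keep those two lines in pulsebert's configuration or switch the target to `root@pulsebert.hq.c3d2.de` without `sudo = true`, and record the choice with a comment like `# k-ot gets passwordless sudo from <module>`. The `glotzbert` side cannot be checked from this diff.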
@@ -257,7 +257,7 @@ in { File STDOUT ''; network = '' - Server "grafana.hq.c3d2.de" "25826" + Server "grafana.serv.zentralwerk.dn42" "25826" ''; memory = ""; processes = ""; diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index cad10c70..a70daeda 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix @@ -1,10 +1,10 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, modulesPath, ... }: { - imports = - [ - - ]; + imports = [ + (modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/docker-container.nix") + ]; networking.networkmanager.dns = "unbound"; networking.useHostResolvConf = false; @@ -12,10 +12,13 @@ nix.useSandbox = false; nix.maxJobs = lib.mkDefault 1; nix.buildCores = lib.mkDefault 4; + networking.useNetworkd = true; networking.useDHCP = false; + services.resolved.enable = false; + networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.interfaces.eth0 = { - useDHCP = true; + useDHCP = false; preferTempAddress = false; }; systemd.network.networks."40-eth0" = { diff --git a/hosts/server7/yggaddr.nix b/lib/server7-yggaddr.nix similarity index 100% rename from hosts/server7/yggaddr.nix rename to lib/server7-yggaddr.nix diff --git a/secrets b/secrets index edfc43c8..0efb7df8 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit edfc43c84dfd93bb7df12d2125ba94bf3f6d1081 +Subproject commit 0efb7df81d358c033a72fcc0c65016ff86f54858
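Review bot: `networking.nameservers` in the `lib/lxc-container.nix` hunk lists four servers, but glibc's resolver only consults the first three `nameserver` entries of `/etc/resolv.conf` (MAXNS), so `"9.9.9.9"` is never used as written; if it is meant as an external fallback, keep at most two internal addresses ahead of it, otherwise drop it. With `services.resolved.enable = false` and `useNetworkd = true` the list presumably lands straight in resolv.conf, so the ordering is what the containers actually get. A comment such as `# glibc honours only the first three entries; keep the external fallback within them` would prevent the list from growing again. The `40-eth0` network unit starts on the hunk's last line and continues outside it.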