nixos-module/server/lxc-containers: add to drbd rootfs

nix/lib/config/options.nix

@@ -293,6 +293,11 @@ let
         type = with types; nullOr str;
         default = null;
       };
+      diskSize = mkOption {
+        type = types.int;
+        default = 64;
+        description = "Root disk size for containers in MB";
+      };
       interfaces = mkOption {
         default = {};
         type = with types; attrsOf (submodule interfaceOpts);

nix/nixos-module/server/default.nix

@@ -3,8 +3,11 @@
   imports = [
     ./defaults.nix
     ./network.nix
+    ./drbd-utils.nix
     ./lxc-containers.nix
     ./qemu.nix
+    ./pacemaker.nix
+    ./ha.nix
     # host-specific configuration
     (./. + "/${hostName}.nix")
   ];

nix/nixos-module/server/defaults.nix

@@ -11,6 +11,8 @@
     wget vim git screen
     ipmitool
   ];
+
+  systemd.services."systemd-networkd-wait-online".enable = false;
   services.openssh.enable = true;
   services.openssh.permitRootLogin = "prohibit-password";
 

nix/nixos-module/server/drbd-utils.nix

@@ -0,0 +1,66 @@
+{ self, config, lib, pkgs, ... }:
+with lib;
+
+let cfg = config.services.drbd-utils; in
+{
+  ###### interface
+
+  options = {
+
+    services.drbd-utils.enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable support for DRBD, the Distributed Replicated
+        Block Device.
+      '';
+    };
+
+    services.drbd-utils.config = mkOption {
+      default = "";
+      type = types.lines;
+      description = ''
+        Contents of the <filename>drbd.conf</filename> configuration file.
+      '';
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # use the latest drbd-utils from outside nixpkgs
+    nixpkgs.config.packageOverrides = pkgs: {
+      drbd = self.packages.${pkgs.system}.drbd-utils;
+    };
+
+    environment.systemPackages = [ pkgs.drbd ];
+    services.udev.packages = [ pkgs.drbd ];
+    boot.kernelModules = [ "drbd" ];
+
+    boot.extraModprobeConfig =
+      ''
+        options drbd usermode_helper=/run/current-system/sw/bin/drbdadm
+      '';
+
+    environment.etc."drbd.conf" =
+      { source = pkgs.writeText "drbd.conf" cfg.config; };
+
+    systemd.services.drbd = {
+      after = [ "systemd-udev.settle.service" "network-online.target" ];
+      requires = [ "network-online.target" ];
+      wants = [ "systemd-udev.settle.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.drbd ];
+      script = ''
+        drbdadm up all
+      '';
+      preStop = ''
+        drbdadm down all
+      '';
+      serviceConfig.RemainAfterExit = true;
+    };
+  };
+}

nix/nixos-module/server/ha.nix

@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+{
+  services.pacemaker.enable = true;
+  services.corosync = {
+    clusterName = "zentralwerk";
+    nodelist = lib.imap1 (i: hostName: {
+      nodeid = i;
+      name = hostName;
+      ring_addrs = map (net:
+        config.site.net.${net}.hosts6.dn42.${hostName}
+      ) [ "cluster" "mgmt" ];
+    }) (
+      builtins.attrNames (
+        lib.filterAttrs (_: { role, ... }: role == "server")
+          config.site.hosts
+      )
+    );
+  };
+}

nix/nixos-module/server/lxc-containers.nix

@@ -1,6 +1,13 @@
 { hostName, self, config, lib, pkgs, ... }:
 
 let
+  drbdPortBase = 17000;
+
+  servers =
+    lib.filterAttrs (_: { role, ... }:
+      role == "server"
+    ) config.site.hosts;
+
   # Containers that are run on this host
   containers =
     lib.filterAttrs (_: { role, model, ... }:
@@ -109,14 +116,7 @@ let
       esac
 
       echo Installing $c
-      for d in \
-        bin dev etc home mnt \
-        nix/store nix/var \
-        proc root run sys tmp var usr ; \
-      do
-        mkdir -p /var/lib/lxc/$c/rootfs/$d
-      done
-      ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
+      ln -fs $SYSTEM /var/lib/lxc/$c/system
     done
 
     # Activate all the desired container after all of them are
@@ -138,15 +138,6 @@ let
     set -e
   '';
 
-  enable-script = pkgs.writeScriptBin "enable-containers" ''
-    touch /etc/start-containers
-    systemctl start lxc-containers.target
-  '';
-
-  disable-script = pkgs.writeScriptBin "disable-containers" ''
-    rm /etc/start-containers
-    systemctl stop lxc-containers.target lxc@\*.service
-  '';
 in
 {
   boot.kernel.sysctl = lib.mkIf enabled {
@@ -159,6 +150,7 @@ in
     "net.ipv6.neigh.default.gc_thresh3" = 8192;
     "kernel.keys.maxkeys" = 2000;
   };
+  boot.kernelModules = [ "loop" ];
 
   virtualisation.lxc = lib.mkIf enabled {
     enable = true;
@@ -173,7 +165,6 @@ in
     # `lxc-attach` et al
     pkgs.lxc build-script
     # User scripts
-    enable-script disable-script
   ];
 
   # Create lxc.container.conf files
@@ -190,8 +181,9 @@ in
             # Handled by lxc@.service
             lxc.start.auto = 0
             lxc.rootfs.path = /var/lib/lxc/${ctName}/rootfs
-            lxc.init.cmd = "/init"
+            lxc.init.cmd = "/system/init"
 
+            lxc.mount.entry = /var/lib/lxc/${ctName}/system system none bind,ro 0 0
             lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
             lxc.mount.entry = none tmp tmpfs defaults 0 0
             lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
@@ -225,9 +217,9 @@ in
   systemd.services."lxc@" = {
     description = "LXC container '%i'";
     after = [ "network.target" ];
+    requires = [ "lxc-rootfs@%i.service" ];
     unitConfig.ConditionPathExists = [
-      "/var/lib/lxc/%i/rootfs/init"
-      "/etc/start-containers"
+      "/var/lib/lxc/%i/system"
     ];
     serviceConfig = with pkgs; {
       Type = "simple";
@@ -250,10 +242,125 @@ in
     };
   };
 
-  # Starts all the containers after boot
-  systemd.targets.lxc-containers = {
-    wantedBy = [ "multi-user.target" ];
-    wants = map (ctName: "lxc@${ctName}.service")
-      (builtins.attrNames containers);
+  systemd.services."lxc-rootfs@" = {
+    wants = [ "drbd.service" ];
+    unitConfig.ConditionPathExists = [
+      "/dev/drbd/by-res/%i"
+    ];
+    serviceConfig =
+      let
+        mkScript = name: content:
+          "${pkgs.writeShellScriptBin name ''
+            PATH=$PATH:/run/current-system/sw/bin
+            ${content}
+          ''}/bin/${name} %i";
+      in {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = mkScript "lxc-rootfs-start" ''
+          drbdadm primary $1
+          ROOT=/var/lib/lxc/$1/rootfs
+          mkdir -p $ROOT
+          mount /dev/drbd/by-res/$1 $ROOT
+          for DIR in \
+            bin dev etc home mnt \
+            nix/store nix/var \
+            proc root run sys \
+            system tmp var usr \
+          ; do
+            mkdir -p $ROOT/$DIR
+          done
+        '';
+        ExecStop = mkScript "lxc-rootfs-stop" ''
+          umount /var/lib/lxc/$1/rootfs
+          drbdadm secondary $1
+        '';
+      };
   };
+
+  # systemd.services.drbd.wants = [ "lxc-volumes.service" ];
+  systemd.services.lxc-volumes = {
+    description = "Create LXC rootfs for drbd";
+    wantedBy = [ "drbd.service" ];
+    path = with pkgs; [ drbd coreutils util-linux e2fsprogs ];
+    script = ''
+      create() {
+        file=$1
+        size=$2
+        [ -e $file ] || \
+          dd if=/dev/zero of=$file bs=1024 seek=$(($size - 1)) count=1
+      }
+
+      ${lib.concatStrings (lib.imap0 (i: container: ''
+        mkdir -p /var/lib/lxc/${container}
+        cd /var/lib/lxc/${container}
+
+        if [ ! -e rootfs.img ]; then
+          create rootfs.img ${toString (containers.${container}.diskSize * 1024)}
+          mkfs.ext4 rootfs.img
+        else
+          losetup -d /dev/loop${toString (2 * i)} 2> /dev/null || true
+        fi
+        # TODO: zfsPool
+        losetup /dev/loop${toString (2 * i)} rootfs.img
+
+        if [ ! -e rootfs.meta ]; then
+          create rootfs.meta ${toString (((4095 + 36 + (containers.${container}.diskSize / 32)) / 4096) * 4096)}
+          losetup /dev/loop${toString (2 * i + 1)} rootfs.meta
+          drbdadm create-md ${container}
+        else
+          losetup /dev/loop${toString (2 * i + 1)} rootfs.meta
+        fi
+      '') (builtins.attrNames containers))}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
+  services.drbd-utils = {
+    enable = true;
+    config = ''
+      global {
+        # Do not participate in online survey
+        usage-count no;
+      }
+
+      common {
+        # Protocol A: write IO is reported as completed, if it has
+        # reached local disk and local TCP send buffer.
+        protocol A;
+        syncer {
+          rate 60M;
+        }
+      }
+
+      ${lib.concatStrings (lib.imap0 (i: container: ''
+        resource ${container} {
+          net {
+            cram-hmac-alg sha1;
+            shared-secret "TODO";
+          }
+          device minor ${toString i};
+          # /var/lib/lxc/${container}/rootfs.img
+          disk /dev/loop${toString (i * 2)};
+          # /var/lib/lxc/${container}/rootfs.meta
+          meta-disk /dev/loop${toString (i * 2 + 1)};
+          ${lib.concatMapStrings (server: ''
+            on ${server} {
+              address ${config.site.net.cluster.hosts4.${server}}:${toString (drbdPortBase + i)};
+            }
+          '') (builtins.attrNames servers)}
+        }
+      '') (builtins.attrNames containers))}
+    '';
+  };
+  networking.firewall.allowedTCPPorts =
+    lib.imap0 (i: _server: drbdPortBase + i)
+      (builtins.attrNames servers);
+
+  services.pacemaker.services =
+    map (ctName: "lxc@${ctName}.service")
+      (builtins.attrNames containers);
 }

nix/nixos-module/server/pacemaker.nix

@@ -0,0 +1,205 @@
+{ self, pkgs, lib, config, ... }:
+let
+  description = "Pacemaker HA cluster manager";
+  cfg = config.services.pacemaker;
+in {
+  options.services = with lib; {
+    corosync = {
+      clusterName = mkOption {
+        type = types.str;
+        default = "nixcluster";
+      };
+
+      extraOptions = mkOption {
+        type = types.str;
+        default = "";
+      };
+
+      nodelist = mkOption {
+        description = "Corosync nodelist: all cluster members";
+        default = [];
+        type = with types; listOf (submodule {
+          options = {
+            nodeid = mkOption {
+              type = int;
+            };
+            name = mkOption {
+              type = str;
+            };
+            ring_addrs = mkOption {
+              type = listOf str;
+            };
+          };
+        });
+      };
+    };
+
+    pacemaker = {
+      enable = mkEnableOption description;
+
+      package = mkOption {
+        type = types.package;
+        default = self.packages.${pkgs.system}.pacemaker;
+      };
+
+      services = mkOption {
+        description = "Systemd services to create resources for";
+        type = with types; listOf str;
+        default = [];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = pkgs: {
+      corosync = pkgs.corosync.overrideAttrs ({ buildInputs, configureFlags, ... }: {
+        buildInputs = buildInputs ++ [
+          pkgs.systemd.dev
+        ];
+        configureFlags = configureFlags ++ [
+          # allows Type=notfiy in the systemd.service
+          "--enable-systemd"
+        ];
+      });
+    };
+
+    environment.systemPackages = with pkgs; [
+      corosync
+      cfg.package
+    ];
+
+    environment.etc."corosync/corosync.conf".text = ''
+      totem {
+        version: 2
+        secauth: off
+        cluster_name: ${config.services.corosync.clusterName}
+        transport: knet
+        # TODO: secauth
+      }
+
+      nodelist {
+        ${lib.concatMapStrings ({ nodeid, name, ring_addrs }: ''
+          node {
+                nodeid: ${toString nodeid}
+                name: ${name}
+                ${lib.concatStrings (lib.imap0 (i: addr: ''
+                  ring${toString i}_addr: ${addr}
+                '') ring_addrs)}
+          }
+        '') config.services.corosync.nodelist}
+      }
+
+      quorum {
+        # only corosync_votequorum is supported
+        provider: corosync_votequorum
+        wait_for_all: 0
+        ${lib.optionalString (builtins.length config.services.corosync.nodelist < 3) ''
+          two_node: 1
+        ''}
+      }
+
+      logging {
+        to_syslog: yes
+      }
+    '';
+    environment.etc."corosync/uidgid.d/root".text = ''
+      # allow pacemaker connection by root
+      uidgid {
+        uid: 0
+        gid: 0
+      }
+    '';
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/corosync 0700 root root -"
+      "d /var/lib/pacemaker 0700 hacluster pacemaker -"
+      "d /var/lib/pacemaker/cib 0700 hacluster pacemaker -"
+    ];
+
+    # used by pacemaker
+    users.users.hacluster = {
+      isSystemUser = true;
+      group = "pacemaker";
+    };
+    users.groups.pacemaker = {};
+
+    systemd.services = {
+      # see ${corosync.src}/init/corosync.service.in
+      corosync = {
+        requires = [ "network-online.target" ];
+        after= [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          ExecStart = "${pkgs.corosync}/sbin/corosync -f ${config.services.corosync.extraOptions}";
+          ExecStop= "${pkgs.corosync}/sbin/corosync-cfgtool -H --force";
+          Type = "notify";
+          StandardError = "null";
+        };
+      };
+
+      # see ${pacemaker.src}/daemons/pacemakerd/pacemaker.service.in
+      pacemaker = {
+        inherit description;
+        after = [
+          "network.target" "time-sync.target" "dbus.service"
+          #"resource-agents-deps.target"
+          "corosync.service"
+        ];
+        wants = [ "dbus.service" ];
+        requires = [ "corosync.service" ];
+        wantedBy = [ "multi-user.target" ];
+
+        preStart = ''
+          cp -srf ${cfg.package}/var/lib/pacemaker/* /var/lib/pacemaker/
+        '';
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${cfg.package}/sbin/pacemakerd";
+          KillMode = "process";
+          NotifyAccess = "main";
+          SuccessExitStatus = 100;
+          TasksMax = "infinity";
+          SendSIGKILL = false;
+          TimeoutStopSec = "30min";
+          TimeoutStartSec = "60s";
+          Restart = "on-failure";
+          StandardError = "null";
+        };
+      };
+
+      pacemaker-config = {
+        after = [ "pacemaker.service" ];
+        requires = [ "pacemaker.service" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+        path = [ cfg.package ];
+        script = let
+          mangleId = builtins.replaceStrings [ "@" ] [ "." ];
+          resources = builtins.toFile "cib-resources.xml" ''
+            <resources>
+              ${lib.concatMapStrings (service: ''
+                <primitive id="${mangleId service}" class="systemd" type="${service}">
+                  <operations>
+                    <op id="${mangleId "${service}-start"}" name="start" interval="0" timeout="5s"/>
+                    <op id="${mangleId "${service}-monitor"}" name="monitor" interval="10s" timeout="10s"/>
+                  </operations>
+                </primitive>
+              '') cfg.services}
+            </resources>
+          '';
+        in ''
+          # Give Pacemaker time to come up
+          sleep 1
+
+          crm_attribute -t crm_config -n stonith-enabled -v false
+          cibadmin --replace --scope resources --xml-file ${resources}
+        '';
+      };
+
+    };
+  };
+}

nix/nixos-module/server/qemu.nix

@@ -1,5 +1,5 @@
 # Options for running under qemu (vm-packages)
-{ inputs, lib, options, ... }:
+{ inputs, lib, config, options, ... }:
 {
   # Get internet from qemu user networking
   systemd.network = lib.optionalAttrs (options.virtualisation ? qemu) {
@@ -23,6 +23,11 @@
     # keep the store paths built inside the VM across reboots
     writableStoreUseTmpfs = false;
     qemu.options = [ "-enable-kvm" ];
+    qemu.networkingOptions = [
+      # Useful for cluster dev
+      "-net nic,netdev=net.0,model=virtio"
+      "-netdev tap,id=net.0,ifname=${config.networking.hostName},script=no,downscript=no"
+    ];
   };
 
   # Let the nix registry point to the state of your local checkout

nix/pkgs/default.nix

@@ -91,9 +91,35 @@ let
   subnetplans = import ./subnetplans.nix {
     inherit self nixpkgs system;
   };
+
+  drbd-utils = pkgs.callPackage ./drbd-utils.nix {
+    inherit ocf-resource-agents;
+  };
+  drbd-utilsForOCF = pkgs.callPackage ./drbd-utils.nix {
+    inherit ocf-resource-agents;
+    forOCF = true;
+  };
+
+  resource-agents = pkgs.callPackage ./resource-agents.nix {};
+
+  ocf-resource-agents = pkgs.callPackage ./ocf-resource-agents.nix {
+    inherit resource-agents
+      drbd-utilsForOCF
+      pacemakerForOCF
+    ;
+  };
+
+  pacemakerForOCF = pkgs.callPackage ./pacemaker.nix {
+    inherit ocf-resource-agents;
+    forOCF = true;
+  };
+  pacemaker = pkgs.callPackage ./pacemaker.nix {
+    inherit ocf-resource-agents;
+  };
 in
 rootfs-packages // vm-packages // device-templates // network-graphs // starlink // subnetplans // {
   inherit all-rootfs export-openwrt-models export-config dns-slaves
     encrypt-secrets decrypt-secrets switch-to-production
+    drbd-utils pacemaker
     ;
 }

nix/pkgs/drbd-utils.nix

@@ -0,0 +1,128 @@
+{ lib
+, stdenv
+, docbook_xml_dtd_44
+, docbook_xml_dtd_45
+, docbook_xsl
+, asciidoctor
+, fetchurl
+, flex
+, kmod
+, libxslt
+, nixosTests
+, perl
+, systemd
+
+# drbd-utils are compiled twice, once with forOCF = true to extract
+# its OCF definitions for use in the ocf-resource-agents derivation,
+# then again with forOCF = false, where the ocf-resource-agents is
+# provided as the OCF_ROOT.
+, forOCF ? false
+, ocf-resource-agents
+}:
+
+stdenv.mkDerivation rec {
+  pname = "drbd-utils";
+  version = "9.19.1";
+
+  src = fetchurl {
+    url = "https://pkg.linbit.com/downloads/drbd/utils/${pname}-${version}.tar.gz";
+    sha256 = "1l99kcrb0j85wxxmrdihpx9bk1a4sdi7wlp5m1x5l24k8ck1m5cf";
+  };
+
+  nativeBuildInputs = [
+    flex
+    libxslt
+    docbook_xsl
+    asciidoctor
+  ];
+
+  buildInputs = [
+    perl
+    # perlPackages.Po4a used by ja documentation
+  ];
+
+  configureFlags = [
+    "--libdir=${placeholder "out"}/lib"
+    "--sbindir=${placeholder "out"}/bin"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--without-distro"
+  ];
+
+  makeFlags = [
+    "SOURCE_DATE_EPOCH=1"
+    "WANT_DRBD_REPRODUCIBLE_BUILD=1"
+  ] ++ lib.optional (!forOCF) "OCF_ROOT=${ocf-resource-agents}/usr/lib/ocf}";
+
+  installFlags = [
+    "prefix="
+    "DESTDIR=${placeholder "out"}"
+    "localstatedir=/var"
+    "DRBD_LIB_DIR=/var/lib"
+    "INITDIR=/etc/init.d"
+    "udevrulesdir=/etc/udev/rules.d"
+    "sysconfdir=/etc"
+    "sbindir=/bin"
+    "datadir="
+    "LIBDIR=/lib/drbd"
+    "mandir=/share/man"
+  ];
+
+  postPatch = ''
+    patchShebangs .
+    substituteInPlace user/v84/drbdadm_usage_cnt.c \
+      --replace '"/lib/drbd");' \
+                '"${placeholder "out"}/lib/drbd");'
+    substituteInPlace user/v9/drbdsetup_linux.c \
+      --replace 'ret = system("/sbin/modprobe drbd");' \
+                'ret = system("${kmod}/bin/modprobe drbd");'
+    substituteInPlace user/v84/drbdsetup.c \
+      --replace 'system("/sbin/modprobe drbd")' \
+                'system("${kmod}/bin/modprobe drbd")'
+    substituteInPlace documentation/ra2refentry.xsl \
+      --replace "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" \
+                "${docbook_xml_dtd_44}/xml/dtd/docbook/docbookx.dtd"
+    function patch_docbook45() {
+      substituteInPlace $1 \
+        --replace "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" \
+                  "${docbook_xml_dtd_45}/xml/dtd/docbook/docbookx.dtd"
+    }
+    patch_docbook45 documentation/v9/drbd.conf.xml.in
+    patch_docbook45 documentation/v9/drbdsetup.xml.in
+    patch_docbook45 documentation/v84/drbdsetup.xml
+    patch_docbook45 documentation/v84/drbd.conf.xml
+    # The ja documentation is disabled because:
+    # make[1]: Entering directory '/build/drbd-utils-9.16.0/documentation/ja/v84'
+    # /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/bin/po4a-translate -f docbook -M utf-8 -L utf-8 -keep 0 -m ../../v84/drbdsetup.xml -p drbdsetup.xml.po -l drbdsetup.xml
+    # Use of uninitialized value $args[1] in sprintf at /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/lib/perl5/site_perl/Locale/Po4a/Common.pm line 134.
+    # Invalid po file drbdsetup.xml.po:
+    substituteInPlace Makefile.in \
+      --replace 'DOC_DIRS    := documentation/v9 documentation/ja/v9' \
+                'DOC_DIRS    := documentation/v9' \
+      --replace 'DOC_DIRS    += documentation/v84 documentation/ja/v84' \
+                'DOC_DIRS    += documentation/v84' \
+      --replace '$(MAKE) -C documentation/ja/v9 doc' \
+                "" \
+      --replace '$(MAKE) -C documentation/ja/v84 doc' \
+                ""
+    substituteInPlace user/v9/drbdtool_common.c \
+      --replace 'add_component_to_path("/lib/drbd");' \
+                'add_component_to_path("${placeholder "out"}/lib/drbd");'
+  '';
+
+  preConfigure = ''
+    export PATH=${systemd}/sbin:$PATH
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.tests.drbd = nixosTests.drbd;
+
+  meta = with lib; {
+    homepage = "https://linbit.com/drbd/";
+    description = "DRBD userspace utilities";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ryantm ];
+  };
+}

nix/pkgs/ocf-resource-agents.nix

@@ -0,0 +1,17 @@
+# This combines together OCF definitions from other derivations.
+# https://github.com/ClusterLabs/resource-agents/blob/master/doc/dev-guides/ra-dev-guide.asc
+{ stdenv
+, lib
+, runCommand
+, lndir
+, resource-agents
+, drbd-utilsForOCF
+, pacemakerForOCF
+} :
+
+runCommand "ocf-resource-agents" {} ''
+  mkdir -p $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${resource-agents}/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${drbd-utilsForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${pacemakerForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+''

nix/pkgs/pacemaker.nix

@@ -0,0 +1,94 @@
+{ lib
+, stdenv
+, autoconf
+, automake
+, bash
+, bzip2
+, corosync
+, dbus
+, fetchFromGitHub
+, glib
+, gnutls
+, libqb
+, libtool
+, libuuid
+, libxml2
+, libxslt
+, pam
+, pkg-config
+, python3
+
+# Pacemaker is compiled twice, once with forOCF = true to extract its
+# OCF definitions for use in the ocf-resource-agents derivation, then
+# again with forOCF = false, where the ocf-resource-agents is provided
+# as the OCF_ROOT.
+, forOCF ? false
+, ocf-resource-agents
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pacemaker";
+  version = "2.1.1";
+
+  src = fetchFromGitHub {
+    owner = "ClusterLabs";
+    repo = pname;
+    rev = "Pacemaker-${version}";
+    sha256 = "0grzw3yv6l8l83pi0pdn1fps3qh7hk3fl2xbv3vx1ixri29m3438";
+  };
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    libtool
+    pkg-config
+  ];
+
+  buildInputs = [
+    bash
+    bzip2
+    corosync
+    dbus.dev
+    glib
+    gnutls
+    libqb
+    libuuid
+    libxml2.dev
+    libxslt.dev
+    pam
+    python3
+  ];
+
+  preConfigure = "./autogen.sh";
+
+  configureFlags = [
+    "--exec-prefix=${placeholder "out"}"
+    "--sysconfdir=/etc"
+    "--datadir=/var/lib"
+    "--localstatedir=/var"
+    "--enable-systemd"
+    "--with-systemdsystemunitdir=/etc/systemd/system"
+    "--with-corosync"
+  ] ++ lib.optional (!forOCF) "--with-ocfdir=${ocf-resource-agents}/usr/lib/ocf";
+
+  installFlags = [ "DESTDIR=${placeholder "out"}" ];
+
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.cc.isGNU [
+    "-Wno-error=strict-prototypes"
+  ];
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    mv $out$out/* $out
+    rm -r $out/nix
+    ln -sf /var/lib/pacemaker/cib $out/var/lib/pacemaker/cib
+  '';
+
+  meta = with lib; {
+    homepage = "https://clusterlabs.org/pacemaker/";
+    description = "Pacemaker is an open source, high availability resource manager suitable for both small and large clusters.";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ryantm ];
+  };
+}

nix/pkgs/resource-agents.nix

@@ -0,0 +1,37 @@
+{ lib, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, glib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "resource-agents";
+  version = "4.8.0";
+
+  src = fetchFromGitHub {
+    owner = "ClusterLabs";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256:1mdrwr3yqdqaifh3ynnhzdc59yfn4x00iygxqvh33p53jgf7cqir";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+
+  buildInputs = [
+    glib
+    python3
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/ClusterLabs/resource-agents";
+    description = "Combined repository of OCF agents from the RHCS and Linux-HA projects";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ryantm ];
+  };
+}