Compare commits
7 Commits
before-wip
...
main
Author | SHA1 | Date | |
---|---|---|---|
dede80153f | |||
ec44cba36d | |||
97a0c9035f | |||
e8b4512af3 | |||
a08f6e85bb | |||
f981bea56a | |||
a3e0114083 |
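--- a/deploy.sh
+++ b/deploy.sh
@@ -0,0 +1,43 @@
+set -e
+
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop pgpool ; done
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop postgresql ; done
+
+deploy() {
+TARGET="$1"
+shift
+nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo "$@"
+}
+spread_token() {
+#PW=$(
+# ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token /etc/k3s.token | grep . | head -1 | grep . \
+# || dd if=/dev/random bs=16 count=1 status=none | xxd -ps
+#)
+PW=$(
+ssh snorlax sudo cat /etc/k3s.token | grep . | head -1 | grep . \
+|| dd if=/dev/random bs=16 count=1 status=none | xxd -ps
+)
+for f in snorlax sobble rowlet;do
+ssh $f "sudo bash -c 'touch /etc/k3s.token; chmod 600 /etc/k3s.token; dd of=/etc/k3s.token oflag=sync'" <<<"$PW"
+done
+}
+k3s_reset() {
+ssh $1 sudo /nix/store/*k3s*/bin/k3s-killall.sh || true
+ssh $1 sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
+}
+#k3s_reset snorlax
+#k3s_reset sobble
+#k3s_reset rowlet
+#nix run nixpkgs#natscli -- -s 172.16.1.2 kv del kine -f || true
+#nix run nixpkgs#natscli -- -s 172.16.1.2 kv del k0-kine -f || true
+
+#spread_token
+#deploy snorlax
+#spread_token
+deploy snorlax "$@"
+deploy sobble "$@"
+deploy rowlet "$@"
+
+#(PW=$(dd if=/dev/random bs=16 count=1 status=none | xxd -ps);for f in 172.16.1.{2,3};do ssh $f "sudo bash -c 'cat > /etc/pool_passwd'" <<<"$PW";done)
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start postgresql ; done
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start pgpool ; done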
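Review bot: In spread_token the token file is created with `touch` before `chmod 600`, so on a host where /etc/k3s.token does not exist yet it is briefly readable under the default umask; the `umask 077; cat > …` form that k3s_reset.sh uses closes that window, e.g. `ssh $f "sudo bash -c 'umask 077; dd of=/etc/k3s.token oflag=sync'" <<<"$PW"` (the chmod stays harmless for an existing file). The `|| dd if=/dev/random …` fallback also fires when the `ssh snorlax` hop itself fails, not only when the file is empty, so a transient SSH error silently mints a new cluster token and overwrites it on all three hosts; check reachability first (`ssh snorlax true || exit 1`) and only then fall back to generating one. The `/nix/store/*k3s*/bin/k3s-killall.sh` glob in k3s_reset can match several store paths, in which case the shell passes the extra matches as arguments; `sudo k3s-killall.sh` from the deployed profile, as k3s_reset.sh does, is more predictable. The file also lacks the `#!/bin/bash` shebang its sibling scripts carry, so `set -e` and `<<<` only work when it is invoked via bash explicitly.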
101
flake.lock
101
flake.lock
|
@ -54,6 +54,24 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"interlude": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
|
@ -90,11 +108,11 @@
|
|||
},
|
||||
"nixlib": {
|
||||
"locked": {
|
||||
"lastModified": 1719708727,
|
||||
"narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=",
|
||||
"lastModified": 1723942470,
|
||||
"narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6",
|
||||
"rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -111,11 +129,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720859326,
|
||||
"narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=",
|
||||
"lastModified": 1724028932,
|
||||
"narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7",
|
||||
"rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -157,11 +175,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1720954236,
|
||||
"narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=",
|
||||
"lastModified": 1723938990,
|
||||
"narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27",
|
||||
"rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -185,17 +203,33 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1721838734,
|
||||
"narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"numbers": {
|
||||
"inputs": {
|
||||
"ipcalc": "ipcalc",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721191005,
|
||||
"narHash": "sha256-iZn/aTs/b38+GD9sak1JgOnBTXKxxvZeqCAZocf0jr0=",
|
||||
"lastModified": 1724036520,
|
||||
"narHash": "sha256-KJU6W5qghjMTjlTFnK0F2zJVw0qmTfC6nkMBhUNgjow=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "7dfc2d363050b5108f8a671f9d31b8387e5a6c77",
|
||||
"revCount": 15,
|
||||
"rev": "4550d62254e030c9075343a4897a985fcfda1fd6",
|
||||
"revCount": 29,
|
||||
"type": "git",
|
||||
"url": "https://git.strudelline.net/cascade/numbers"
|
||||
},
|
||||
|
@ -204,6 +238,25 @@
|
|||
"url": "https://git.strudelline.net/cascade/numbers"
|
||||
}
|
||||
},
|
||||
"putex": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": "nixpkgs_5"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721923974,
|
||||
"narHash": "sha256-yz3VioYJXUTdl4TU1RZnGbRMj3ng3OTtVDEbGPFXGLE=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "eed14b5adada7325e916dfc3a89cbd4beef806a8",
|
||||
"revCount": 7,
|
||||
"type": "git",
|
||||
"url": "https://git.strudelline.net/james/putex"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.strudelline.net/james/putex"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
|
@ -211,6 +264,7 @@
|
|||
"nixos-generators": "nixos-generators",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"numbers": "numbers",
|
||||
"putex": "putex",
|
||||
"unstable": "unstable"
|
||||
}
|
||||
},
|
||||
|
@ -244,13 +298,28 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1721116560,
|
||||
"narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
|
||||
"lastModified": 1723985069,
|
||||
"narHash": "sha256-MGtXhZHLZGKhtZT/MYXBJEuMkZB5DLYjY679EYNL7Es=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
|
||||
"rev": "ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
21
flake.nix
21
flake.nix
|
@ -4,18 +4,19 @@
|
|||
unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
numbers.url = "git+https://git.strudelline.net/cascade/numbers";
|
||||
interlude.url = "git+https://git.strudelline.net/nix/interlude";
|
||||
putex.url = "git+https://git.strudelline.net/james/putex";
|
||||
nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
};
|
||||
outputs = { self, nixpkgs, unstable, numbers, interlude, nixos-generators, deploy-rs }@inputs:
|
||||
outputs = { self, nixpkgs, unstable, numbers, interlude, putex, nixos-generators, deploy-rs }@inputs:
|
||||
with builtins;
|
||||
with nixpkgs.lib;
|
||||
with interlude.lib;
|
||||
let
|
||||
includableModules =
|
||||
let localModules = "${./.}" + "/modules";
|
||||
dirContents = readDir (traceVal localModules);
|
||||
filenames = attrNames (trace "dirContents: ${toJSON dirContents}" dirContents);
|
||||
dirContents = readDir (localModules);
|
||||
filenames = attrNames (dirContents);
|
||||
dirs = (filter (n: dirContents."${n}" == "directory" &&
|
||||
readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames);
|
||||
files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
|
||||
|
@ -36,12 +37,13 @@
|
|||
self.nixosModules.vmFormats
|
||||
numbers.nixosModules.users
|
||||
self.nixosModules.session
|
||||
({...}: {
|
||||
# fixed values.
|
||||
networking.hostName = traceVal name;
|
||||
system.stateVersion = "24.05";
|
||||
nix.settings.require-sigs = false;
|
||||
})
|
||||
putex.nixosModules.default
|
||||
{
|
||||
# global fixed values.
|
||||
networking.hostName = mkForce name;
|
||||
system.stateVersion = mkForce "24.05";
|
||||
nix.settings.require-sigs = mkForce false;
|
||||
}
|
||||
] ++ mods;
|
||||
});
|
||||
};
|
||||
|
@ -106,6 +108,5 @@
|
|||
[ includableModules ]
|
||||
++ (with numbers.api; map (h: buildMachine h) deployableHosts)
|
||||
++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )]
|
||||
#++ [(buildMachine' "cascade-installer" [] {} )]
|
||||
);
|
||||
}
|
||||
|
|
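Review bot: `nix.settings.require-sigs = mkForce false;` disables signature verification for every substituted store path on all hosts built here, and the new `mkForce` additionally stops a per-host module from turning it back on, so whatever a substituter serves (or a man-in-the-middle on a non-TLS cache) is accepted as-is. This is presumably there so `nixos-rebuild --target-host` in deploy.sh can push unsigned closures from the build machine; if so, the narrower fix is to add the deploying user to `nix.settings.trusted-users` on the targets and leave `require-sigs` at its default, or at minimum use `mkDefault false` so a host can opt back in. Either way a one-line justification belongs next to it, e.g. `# unsigned closures are pushed by nixos-rebuild --target-host (deploy.sh); do not enable substituters here`. The enclosing buildMachine definition starts and ends outside this hunk.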
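--- a/k3s_reset.sh
+++ b/k3s_reset.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+for f in snorlax sobble rowlet;do
+ssh $f sudo systemctl stop k3s || true
+ssh $f sudo k3s-killall.sh || true
+ssh $f sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
+done
+
+deploy() {
+TARGET="$1"
+nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo
+}
+
+deploy snorlax
+TOKEN="$(ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token)"
+echo "$TOKEN" | ssh sobble "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
+echo "$TOKEN" | ssh rowlet "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
+deploy sobble
+deploy rowlet
+
+import-k3s-creds.sh sobble k0 172.16.1.2
+
+flux bootstrap gitea --hostname=git.strudelline.net --owner=cascade --repository=k0 --token-auth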
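Review bot: `TOKEN="$(ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token)"` is never checked and the script runs without `set -e`, so if the file is not there yet (nixos-rebuild returns before k3s has finished initialising) or the SSH hop fails, an empty token is written to sobble and rowlet and both deploys proceed anyway. Add `set -euo pipefail` after the shebang and guard the value, e.g. `[ -n "$TOKEN" ] || { echo "no node-token on snorlax yet" >&2; exit 1; }`. The `rm -rf /var/lib/rancher/k3s /etc/rancher/k3s` loop at the top wipes cluster state on all three hosts with no confirmation, which is presumably the point of a reset script but deserves a leading comment saying so. `flux bootstrap … --token-auth` presumably takes the Gitea token from the environment rather than the command line; naming the expected variable in a comment keeps it off shell history.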
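--- a/mklocks.sh
+++ b/mklocks.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+nats() {
+command nix run nixpkgs#natscli -- -s 172.16.1.2 "$@"
+}
+
+nats stream add locks --defaults --discard-per-subject --subjects='lock.router' --storage=memory --discard=new --max-msgs-per-subject=1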
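Review bot: The `nats` wrapper connects to `172.16.1.2` with no credentials or TLS options visible, so anyone who can reach the NATS port on that network can add, purge or delete the `locks` stream that (judging by the `lock.router` subject) arbitrates the cascade-router putex. If the server is intentionally unauthenticated because it only listens on a closed segment, say so in a comment; otherwise pass `--creds`/`--tlsca` here and in the putex clients. `--storage=memory` also means the stream vanishes on a NATS restart and has to be recreated, which is worth a line such as `# memory-backed: re-run after a NATS restart or the router lock cannot be acquired`.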
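--- a/modules/_tmpl.nix
+++ b/modules/_tmpl.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, lib, ... }:
+
+{
+config = {
+};
+}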
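--- a/modules/cascade-router-host.nix
+++ b/modules/cascade-router-host.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+
+{
+config = {
+systemd.services."cascade-router".unitConfig = {
+Wants = [ "sys-subsystem-net-devices-wan0.device" ];
+After = [ "sys-subsystem-net-devices-wan0.device" ];
+};
+
+services.putex.putexes = {
+sec-router = {
+start = "/run/current-system/sw/bin/systemctl --no-block start cascade-router.service";
+stop = ''
+/run/current-system/sw/bin/systemctl stop -f -s 9 cascade-router.service
+'';
+healthcheck = ''
+set -e
+cd /sys/class/net
+
+# cat all carrier values we care about,
+# filter out the ones that are 1
+# if there's anything left, exit 1.
+if (for f in wan0 sec0 lan0;do echo "$f $(cat "$f"/carrier)"; done|grep -v 1|grep -q .) ;then
+exit 1
+fi
+exit 0
+'';
+};
+};
+
+virtualisation.libvirtd.allowedBridges = [ "sec0" "lan0" "wan0" ];
+};
+}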
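Review bot: The healthcheck's `grep -v 1` matches a `1` anywhere in the `"$f $(cat "$f"/carrier)"` line, so it only works while no interface name contains a 1 and carrier is exactly 0 or 1; anchoring it as `grep -v ' 1$'` states the intent. Because the `cat` sits inside a command substitution, a missing interface yields `wan0 ` instead of aborting under `set -e`; that still fails the check, but it is relied upon silently and deserves a comment. `allowedBridges` also lists `wan0`, which puts the upstream bridge into the qemu-bridge-helper ACL for any local user who can run QEMU, not just the router VM; if only the router host needs that, note it, and keep wan0 out of the list on other hosts that import this module.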
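--- a/modules/cascade-router.nix
+++ b/modules/cascade-router.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }:
+
+{
+config = {
+#system.activationScripts."arpFilter" = ''
+#PATH=${pkgs.procps}/bin:${pkgs.iptables}/bin:$PATH
+# sysctl net.ipv4.conf.all.arp_filter=1
+# sysctl net.ipv4.conf.default.arp_filter=1
+#'';
+
+environment.systemPackages = with pkgs; [
+tcpdump
+];
+
+networking = {
+nat = {
+enable = true;
+externalInterface = "wan0";
+internalInterfaces = [ "lan0" "sec0" ];
+};
+useHostResolvConf = false;
+useNetworkd = true;
+useDHCP = false;
+interfaces."wan0" = {
+useDHCP = true;
+#macAddress = "a0:ce:c8:c6:d2:5f";
+};
+};
+
+system.stateVersion = "24.05";
+};
+}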
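Review bot: `networking.nat` turns on forwarding between wan0, lan0 and sec0, but nothing here narrows inbound traffic on the external interface, so whatever shared modules add to the global `networking.firewall.allowed*Ports` lists (the k3s/CoreDNS module in this commit opens 53, 6443, 2379/2380 and 5000–32767 on every interface) becomes reachable from wan0 if the router configuration imports them; I cannot tell from this file whether it does. Pin listeners to the inside, e.g. `networking.firewall.interfaces.lan0.allowedTCPPorts = [ 53 ];`, keep the global lists empty on this host, and if sec0 is meant to be isolated from lan0 rather than freely routed add a forward filter (`networking.firewall.filterForward = true;` on the nftables backend, or an explicit rule). The commented-out `arp_filter` sysctls and the hard-coded MAC should be removed or get a comment explaining why they are kept.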
5
modules/corenet-flux.yaml
Normal file
5
modules/corenet-flux.yaml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
kind: Namespace
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: test-wow
|
|
@ -1,12 +1,91 @@
|
|||
{config, ...}:
|
||||
{config, numbers, pkgs, lib, ...}:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName);
|
||||
strIfHasIface = iface: s: if hasIface iface then s else "";
|
||||
attrsetIfHasIface = iface: as: if hasIface iface then as else {};
|
||||
eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];
|
||||
|
||||
nameservers = filter (x: x != "") [
|
||||
"127.0.0.1"
|
||||
(if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "")
|
||||
(if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "")
|
||||
(if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "")
|
||||
];
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
imports = [
|
||||
#./pgpool.nix
|
||||
./udp514.nix
|
||||
];
|
||||
|
||||
services.udp514-journal.enable = true;
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
. {
|
||||
whoami
|
||||
${strIfHasIface "sxxxxec0" "bind sec0"}
|
||||
${strIfHasIface "xxxxlan0" "bind lan0"}
|
||||
nsid ${config.networking.hostName}
|
||||
forward . 172.16.1.8
|
||||
template IN A server.dns {
|
||||
answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}"
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
#networking.resolvconf.enable = false;
|
||||
|
||||
environment.etc."resolv.conf".text = foldl'
|
||||
(a: s: if s == "" then a else "${a}nameserver ${s}\n")
|
||||
"" nameservers;
|
||||
networking.nameservers = nameservers;
|
||||
|
||||
|
||||
system.activationScripts."corenet-flux" = mkIf true ''
|
||||
ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml
|
||||
'';
|
||||
|
||||
services.k3s = {
|
||||
enable = true;
|
||||
tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token";
|
||||
serverAddr =
|
||||
mkIf (config.networking.hostName != "snorlax")
|
||||
"https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
|
||||
clusterInit = config.networking.hostName == "snorlax";
|
||||
extraFlags = (
|
||||
#" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+
|
||||
" --disable=traefik"+
|
||||
" --disable=local-storage"+
|
||||
" --cluster-cidr=10.128.0.0/16"+
|
||||
" --service-cidr=10.129.0.0/16"+
|
||||
" --flannel-backend=vxlan"+
|
||||
" --embedded-registry"+
|
||||
(strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+
|
||||
#(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+
|
||||
"");
|
||||
};
|
||||
|
||||
environment.etc."rancher/k3s/registries.yaml".text = ''
|
||||
mirrors:
|
||||
"*":
|
||||
'';
|
||||
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
|
||||
];
|
||||
networking.firewall.allowedUDPPortRanges = [
|
||||
{ from = 5000; to = 32767; }
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
|
||||
];
|
||||
networking.firewall.allowedTCPPortRanges = [
|
||||
{ from = 5000; to = 32767; }
|
||||
];
|
||||
}
|
||||
|
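Review bot: The firewall block at the end opens 2379/2380 (etcd), 10250 (kubelet), 6443, 5432, the NATS ports and the entire 5000–32767 range on every interface, which on any host with a lan0 or wan0 leg exposes the datastore and kubelet to those networks, and the explicit lists are largely redundant with the ranges, which hides what is really open. Scope the cluster ports to the cluster interface and keep only what must be global; hosts without a sec0 (the `strIfHasIface "sec0"` guard suggests some exist) would then open nothing cluster-related, which is probably right. Related: the `bind sec0`/`bind lan0` lines are disabled by the `"sxxxxec0"`/`"xxxxlan0"` typo-toggles, so CoreDNS listens on all addresses and, with 53 open everywhere and `forward . 172.16.1.8`, is an open forwarder to anything that can reach it; if that is deliberate, replace the mangled names with a named boolean and a comment. The `ln -sf … /var/lib/rancher/k3s/server/manifests/` activation script also fails on first activation before k3s has created that directory, so a `mkdir -p` first would make it idempotent.
```nix
# … unchanged: coredns, resolv.conf, activation script, services.k3s, registries.yaml …
networking.firewall.interfaces.sec0 = {
  allowedTCPPorts = [ 53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250 ];
  allowedUDPPorts = [ 53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250 ];
  allowedTCPPortRanges = [ { from = 5000; to = 32767; } ];
  allowedUDPPortRanges = [ { from = 5000; to = 32767; } ];
};
```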
|
|
@ -7,20 +7,20 @@
|
|||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
seatd
|
||||
emacs-nox
|
||||
#emacs-nox
|
||||
inetutils
|
||||
unzip
|
||||
buildah
|
||||
curl
|
||||
vim
|
||||
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
neovim
|
||||
wget
|
||||
sshfs
|
||||
dig
|
||||
gost
|
||||
elinks
|
||||
dislocker
|
||||
ntfs3g
|
||||
#dislocker
|
||||
#ntfs3g
|
||||
kubectl
|
||||
sops
|
||||
git
|
||||
|
@ -32,6 +32,7 @@
|
|||
brightnessctl
|
||||
kubernetes-helm
|
||||
ripgrep
|
||||
bridge-utils
|
||||
nettools
|
||||
psmisc
|
||||
|
||||
|
|
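--- a/modules/pgpool.nix
+++ b/modules/pgpool.nix
@@ -0,0 +1,101 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+cfg = config.services.pgpool;
+shq = lib.escapeShellArg;
+configFile = pkgs.writeText "pgpool.conf" cfg.config;
+in
+{
+
+options = {
+services.pgpool = {
+enable = mkEnableOption "pgpool-II";
+config = mkOption {
+default = ''
+backend_clustering_mode = 'snapshot_isolation'
+backend_hostname0 = '127.0.0.1'
+backend_port0 = 5432
+backend_weight0 = 1
+logging_collector = true
+log_destination = 'syslog,stderr'
+log_min_messages = 'INFO'
+'';
+example = ''
+backend_clustering_mode = 'snapshot_isolation'
+backend_hostname0 = '127.0.0.1'
+backend_port0 = 5432
+backend_weight0 = 1
+logging_collector = true
+log_destination = 'syslog,stderr'
+log_min_messages = 'INFO'
+'';
+description = ''
+Verbatim pgpool.conf to use
+'';
+};
+
+user = mkOption {
+type = types.str;
+default = "pgpool";
+description = ''
+User account under which pgpool runs.
+'';
+};
+
+group = mkOption {
+type = types.str;
+default = "pgpool";
+description = ''
+User group under which pgpool runs.
+'';
+};
+
+package = mkPackageOption pkgs "pgpool" { };
+extraArgs = mkOption {
+default = [];
+example = [ "-dns.port=53" ];
+type = types.listOf types.str;
+description = "Extra arguments to pass to coredns.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+users.users.${cfg.user} = {
+isSystemUser = true;
+group = cfg.group;
+extraGroups = mkIf config.services.postgresql.enable [ "postgres" ];
+};
+users.groups.${cfg.group} = {};
+
+environment.etc."pgpool.conf" = {
+source = configFile;
+};
+
+environment.systemPackages = [ cfg.package ];
+
+systemd.services.pgpool = {
+description = "pgpool-II postgresql load balancer and replication manager";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+PermissionsStartOnly = true;
+LimitNPROC = 512;
+LimitNOFILE = 1048576;
+#CapabilityBoundingSet = "cap_net_bind_service";
+#AmbientCapabilities = "cap_net_bind_service";
+NoNewPrivileges = true;
+User = cfg.user;
+Group = cfg.group;
+PIDFile = "/run/pgpool/pgpool.pid";
+RuntimeDirectory = "pgpool";
+ExecStart = "${getBin cfg.package}/bin/pgpool ${lib.escapeShellArgs cfg.extraArgs}";
+ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+Restart = "no";
+Type = "forking";
+};
+};
+};
+}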
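Review bot: `ExecStart` never tells pgpool where its configuration lives, so unless the package was built with `sysconfdir=/etc` the `/etc/pgpool.conf` installed a few lines above is ignored in favour of the store default; pass it explicitly, `ExecStart = "${getBin cfg.package}/bin/pgpool -f /etc/pgpool.conf ${lib.escapeShellArgs cfg.extraArgs}";`. The `extraArgs` option still carries the CoreDNS text it was copied from (`example = [ "-dns.port=53" ]`, "Extra arguments to pass to coredns."); change the description to `"Extra arguments to pass to pgpool."` and the example to a pgpool flag. `cfg.config` goes through `writeText` into the world-readable store, so the option description should warn that credentials must never be inlined there (the commented `/etc/pool_passwd` handling in deploy.sh suggests they are kept out, which is the right split). `shq` is unused and `PermissionsStartOnly` is deprecated; with `NoNewPrivileges` already set, `ProtectSystem = "strict"`, `ProtectHome = true` and `PrivateTmp = true` would be cheap additions for a daemon that only needs `/run/pgpool`.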
|
@ -9,23 +9,6 @@
|
|||
|
||||
virtualisation = {
|
||||
kvmgt.enable = true;
|
||||
libvirtd = {
|
||||
enable = true;
|
||||
qemu = {
|
||||
runAsRoot = true;
|
||||
verbatimConfig = ''
|
||||
cgroup_device_acl = ["/dev/kvmfr0", "/dev/kvm"]
|
||||
'';
|
||||
swtpm = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
docker = {
|
||||
enable = true;
|
||||
enableNvidia = false;
|
||||
};
|
||||
|
||||
containers = {
|
||||
enable = true;
|
||||
policy = {
|
||||
|
@ -39,6 +22,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
#hardware.nvidia-container-toolkit.enable = true;
|
||||
|
||||
services.openssh.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
|
||||
|
@ -50,4 +35,14 @@
|
|||
|
||||
systemd.network.wait-online.enable = lib.mkDefault false;
|
||||
networking.useDHCP = false;
|
||||
#services.tcsd.enable = true;
|
||||
|
||||
security.sudo = {
|
||||
enable = true;
|
||||
extraRules = [
|
||||
{ users = [ "%wheel" ];
|
||||
commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
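Review bot: The new `security.sudo.extraRules` entry grants passwordless root to every wheel member (`%wheel ALL=(ALL) NOPASSWD: ALL`), so a compromised SSH key of any wheel user is immediate root on every host importing this module; this is presumably for `nixos-rebuild --use-remote-sudo` in the deploy scripts, and if so the grant should be limited to the deploying account or at least carry a comment stating that trade-off. The idiomatic form is `groups = [ "wheel" ];` rather than `users = [ "%wheel" ];` (the module prefixes `%` itself), or simply `security.sudo.wheelNeedsPassword = false;` if a blanket grant is really intended. The enclosing attribute set starts outside this hunk.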
|
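--- a/modules/stateless-vm.nix
+++ b/modules/stateless-vm.nix
@@ -0,0 +1,4 @@
+{
+imports = [ ./vm.nix ];
+config.virtualisation.diskImage = null;
+}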
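--- a/modules/tank-nvme-luks.nix
+++ b/modules/tank-nvme-luks.nix
@@ -0,0 +1,33 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+#
+# fdisk /dev/sda
+# n # new partition, assuming this is a blank disk.
+# # (enter for all defauls until you're back at the prompt)
+# t # set type
+# 1 # first partition, again assuming this was a blank disk
+# 8e # lvm
+# w # write and quit
+#
+# either make the lv inside an existing vg like the root luks one
+# ----------
+# lvcreate -L50G -n sobble-tank-nvme sobble-luks
+# --- or ---
+# pvcreate /dev/nvme0n2p15
+# vgcreate sobble-tank-nvme /dev/nvme0n2p15
+# lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme
+# -- then --
+# mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
+
+let
+m = "${config.networking.hostName}-luks";
+n = "${config.networking.hostName}-tank-nvme";
+in
+{
+fileSystems."/tank/nvme" = {
+device = "/dev/${m}/${n}";
+fsType = "ext4";
+};
+}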
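Review bot: The file name suggests this module provides encryption, but all it does is mount an LV from a volume group named `<host>-luks`; the LUKS container must already be unlocked elsewhere (presumably the root `boot.initrd.luks` setup) or the mount fails at boot, and the `--- or ---` branch in the comment creates a plain unencrypted VG despite the name. Add a header such as `# only mounts the LV; assumes the <host>-luks VG is already opened by the root LUKS configuration` and mark the second branch as unencrypted. The setup text also still says "the disk is /dev/sda" while the commands use `/dev/nvme0n2p15`, and "defauls" is a typo repeated in all four tank modules.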
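--- a/modules/tank-nvme.nix
+++ b/modules/tank-nvme.nix
@@ -0,0 +1,26 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+#
+# fdisk /dev/sda
+# n # new partition, assuming this is a blank disk.
+# # (enter for all defauls until you're back at the prompt)
+# t # set type
+# 1 # first partition, again assuming this was a blank disk
+# 8e # lvm
+# w # write and quit
+#
+# pvcreate /dev/nvme5n7p9
+# vgcreate sobble-tank-nvme /dev/nvme5n7p9
+# lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme
+# mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
+
+let n = "${config.networking.hostName}-tank-nvme";
+in
+{
+fileSystems."/tank/nvme" = {
+device = "/dev/${n}/${n}";
+fsType = "ext4";
+};
+}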
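--- a/modules/tank-ssd-luks.nix
+++ b/modules/tank-ssd-luks.nix
@@ -0,0 +1,28 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+#
+# fdisk /dev/sda
+# n # new partition, assuming this is a blank disk.
+# # (enter for all defauls until you're back at the prompt)
+# t # set type
+# 1 # first partition, again assuming this was a blank disk
+# 8e # lvm
+# w # write and quit
+#
+# pvcreate /dev/sda1
+# vgcreate sobble-tank-ssd /dev/sda1
+# lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd
+# mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
+
+let
+m = "${config.networking.hostName}-luks";
+n = "${config.networking.hostName}-tank-ssd";
+in
+{
+fileSystems."/tank/ssd" = {
+device = "/dev/${m}/${n}";
+fsType = "ext4";
+};
+}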
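--- a/modules/tank-ssd.nix
+++ b/modules/tank-ssd.nix
@@ -0,0 +1,26 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+#
+# fdisk /dev/sda
+# n # new partition, assuming this is a blank disk.
+# # (enter for all defauls until you're back at the prompt)
+# t # set type
+# 1 # first partition, again assuming this was a blank disk
+# 8e # lvm
+# w # write and quit
+#
+# pvcreate /dev/sda1
+# vgcreate sobble-tank-ssd /dev/sda1
+# lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd
+# mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
+
+let n = "${config.networking.hostName}-tank-ssd";
+in
+{
+fileSystems."/tank/ssd" = {
+device = "/dev/${n}/${n}";
+fsType = "ext4";
+};
+}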
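--- a/modules/udp514-pkg.nix
+++ b/modules/udp514-pkg.nix
@@ -0,0 +1,19 @@
+{ pkgs ? import <nixpkgs> {}, ... }:
+with pkgs;
+
+stdenv.mkDerivation {
+name = "udp514-journal";
+src = fetchFromGitHub {
+owner = "eworm-de"; repo = "udp514-journal"; rev = "main";
+hash = "sha256-lk2Uz3OemhXd4MMR2zFi54XCQiGjibgvT1iz0a7R1j4=";
+};
+buildInputs = [ systemd ];
+nativeBuildInputs = [ pkg-config multimarkdown ];
+buildPhase = ''
+make udp514-journal
+'';
+installPhase = ''
+mkdir -p $out/bin
+cp udp514-journal $out/bin/udp514-journal
+'';
+}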
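Review bot: `rev = "main"` with a fixed `hash` pins today's contents but floats the reference, so the build breaks the moment upstream moves the branch and the path of least resistance is to bump the hash without reviewing what changed; pin to a commit, `rev = "<commit sha>";` with the matching `hash`, and note the date or tag in a comment so the next bump is a deliberate review. `pkgs ? import <nixpkgs> {}` makes the file evaluate impurely when called without `pkgs`; that is fine for a helper imported by udp514.nix but deserves a one-line comment. `multimarkdown` is in `nativeBuildInputs` while `buildPhase` only builds the binary; if upstream's docs target is being skipped on purpose, say so, otherwise drop the input.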
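--- a/modules/udp514.nix
+++ b/modules/udp514.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let udp514-journal = import ./udp514-pkg.nix { inherit pkgs; };
+cfg = config.services.udp514-journal;
+port = 514;
+# not configurable yet.
+# cfg.port;
+in
+
+{
+options = {
+services.udp514-journal = {
+enable = mkEnableOption "udp514-journal";
+openFirewall = mkOption {
+default = true;
+type = types.bool;
+description = "Whether to open the firewall for the specified port.";
+};
+# this is apparently not configurable yet.
+#port = mkOption {
+# default = 514;
+# type = types.port;
+# description = "udp514-journal syslog ingest port";
+#};
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services."udp514-journal" = {
+description = "udp514-journal syslog to journald adapter";
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+DynamicUser = true;
+ProtectSystem = "full";
+CapabilityBoundingSet = "cap_net_bind_service";
+AmbientCapabilities = "cap_net_bind_service";
+Type = "notify";
+Restart = "always";
+ExecStart = "${udp514-journal}/bin/udp514-journal";
+ProtectHome = true;
+PrivateDevices = true;
+};
+};
+networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ port ];
+};
+}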
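Review bot: `ProtectSystem = "full"` weakens the unit rather than hardening it, because `DynamicUser = true` already implies `ProtectSystem=strict` and `ProtectHome=read-only`; drop the line or set `ProtectSystem = "strict";` (nothing in this file shows the daemon writing anywhere but the journal socket). `openFirewall` defaults to `true` and opens UDP/514 on every interface; syslog over UDP is unauthenticated, so any host that can reach the port can inject arbitrary journal entries, and a default of `false` with the port opened per interface (`networking.firewall.interfaces.sec0.allowedUDPPorts`) where it is actually wanted would be the safer shape. `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];`, `ProtectKernelTunables = true;` and `LockPersonality = true;` are also cheap for a listener that only talks UDP and journald.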
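--- a/modules/vm.nix
+++ b/modules/vm.nix
@@ -0,0 +1,27 @@
+{ config, lib, modulesPath, numbers, ... }:
+with lib;
+
+let
+makeNic = { matchMac, iface, media, ... }:
+# because of the bridge logic, br=iface _and_ internal-iface=iface
+if media != "eth" then [] else [ "-nic bridge,id=${iface},br=${iface},model=virtio,mac=${matchMac}" ];
+makeNicFromHostIface = host: iface: makeNic (numbers.api.hostIface host iface);
+makeNics = host: concatMap (makeNicFromHostIface host) (numbers.api.hostIfaces host);
+makeQemuNetworkingOptions = host:
+(makeNics host) ++ [
+# "-net nic,netdev=user.0,model=virtio"
+# "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+];
+in
+
+{
+imports = [
+"${modulesPath}/virtualisation/qemu-vm.nix"
+./server.nix
+];
+
+config = {
+virtualisation.graphics = false;
+virtualisation.qemu.networkingOptions = makeQemuNetworkingOptions config.networking.hostName;
+};
+}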
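Review bot: `makeNic` interpolates `iface` and `matchMac` straight into a QEMU argument string that qemu-vm.nix later splices into a shell command line, so a value from `numbers.api.hostIface` containing whitespace or a shell metacharacter would break or alter the command; the data is project-owned, but since no shell expansion is intended in these entries, wrapping each with `lib.escapeShellArg` costs nothing. The `-nic bridge,…` form depends on the setuid `qemu-bridge-helper` and the bridge ACL that `allowedBridges` writes on the host, which is the non-obvious coupling the existing comment should state, e.g. `# needs the bridge in virtualisation.libvirtd.allowedBridges on the host (qemu-bridge-helper ACL)`. The commented `-netdev user` lines can be removed now that every NIC comes from numbers.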
|
@ -7,7 +7,6 @@
|
|||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
#./hardware-configuration.nix
|
||||
./lib/packages.nix
|
||||
./lib/server.nix
|
||||
./lib/session.nix
|
||||
|
|