
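# NixOS module for the "corenet" hosts: a CoreDNS placeholder resolver, a k3s
# node whose datastore is NATS (via kine), and the clustered NATS server that
# backs it.  Postgres/pgpool pieces are kept below, commented out, for reference.
#
# Interface-specific settings are conditional on the interface list that the
# out-of-tree `numbers` module reports for this host, so the same module can
# be imported by hosts with or without sec0 / lan0.
{ config, numbers, pkgs, lib, ... }:
let
  inherit (lib) concatStrings elem;

  host = config.networking.hostName;

  # True when `numbers` lists `iface` for this host.
  hasIface = iface: elem iface (numbers.api.hostIfaces host);
  # Return `s` only when the interface exists, else the empty string.
  strIfHasIface = iface: s: if hasIface iface then s else "";
  # Return `[ elt ]` only when the interface exists, else `[ ]`.  `elt` is
  # only evaluated when the interface exists, so it may look up the address.
  eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [ ];
  # Address of `iface` on this host, as reported by `numbers`.
  ifaceIp = iface: (numbers.api.hostIface host iface).ip;
in
{
  imports = [
    #./pgpool.nix
    ./udp514.nix
  ];

  services.udp514-journal.enable = true;

  # Placeholder resolver: binds whichever of sec0/lan0 exists and only serves
  # `whoami`.  Port 53 is opened in the firewall below on both protocols.
  services.coredns = {
    enable = true;
    config = ''
      . {
        ${strIfHasIface "sec0" "bind sec0"}
        ${strIfHasIface "lan0" "bind lan0"}
        whoami
      }
    '';
  };

  # Postgres / pgpool are currently disabled.  Their firewall ports (5432 for
  # postgres, 9999 / 9898 for pgpool) are deliberately not opened below; when
  # this block is re-enabled, add them back here next to it, e.g.
  #   networking.firewall.allowedTCPPorts = [ 5432 9898 9999 ];
  #services.postgresql = {
  #  enable = true;
  #  dataDir = "/srv/pgdata";
  #  settings = {
  #    default_transaction_isolation = "repeatable read";
  #  };
  #  authentication = ''
  #    host all all 10.127.1.2/29 trust
  #  '';
  #  enableTCPIP = true;
  #};
  #systemd.tmpfiles.rules = [
  #  "d /srv/pgdata 775 postgres postgres -"
  #];
  #services.pgpool = {
  #  enable = true;
  #  config = ''
  #    backend_clustering_mode = 'snapshot_isolation'
  #    backend_hostname0 = '10.127.1.2'
  #    backend_port0 = 5432
  #    backend_weight0 = 1
  #    backend_data_directory0 = '/srv/pgdata'
  #    backend_flag0 = ALLOW_TO_FAILOVER
  #    backend_hostname1 = '10.127.1.3'
  #    backend_port1 = 5432
  #    backend_weight1 = 1
  #    backend_data_directory1 = '/srv/pgdata'
  #    backend_flag1 = ALLOW_TO_FAILOVER
  #    listen_address = '*'
  #    logging_collector = true
  #    log_destination = 'syslog,stderr'
  #    log_min_messages = 'INFO'
  #  '';
  #};

  services.k3s = {
    enable = true;
    # Shared cluster join token.  A plain path string keeps it out of the Nix
    # store; the file itself must exist on the host and be readable by root only.
    tokenFile = "/etc/k3s.token";
    #serverAddr =
    #  mkIf (config.networking.hostName != "snorlax")
    #    "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
    #clusterInit = config.networking.hostName == "snorlax";

    # NOTE(review): the NATS datastore endpoints carry no credentials and the
    # NATS server configured below has no `authorization` block, so anyone who
    # can open TCP 4222 on a cluster host can read and write the entire
    # Kubernetes state held in the `k0-kine` bucket.  Until NATS auth is added,
    # 4222 must only be reachable from the cluster peers (10.127.1.0/29 here).
    #
    # Each flag keeps its leading space because `extraFlags` is a single string
    # appended to the k3s command line.
    extraFlags = concatStrings ([
      " --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2,nats://10.127.1.2:4222,nats://10.127.1.3:4222,nats://10.127.1.4:4222"
      " --disable=traefik"
      " --disable=local-storage"
      " --cluster-cidr=10.128.0.0/16"
      " --flannel-backend=host-gw"
    ]
    # Node (cluster-internal) address lives on sec0, the external one on lan0;
    # both are looked up only when the host actually has that interface.
    ++ eltIfHasIface "sec0" " --node-ip=${ifaceIp "sec0"}"
    ++ eltIfHasIface "lan0" " --node-external-ip=${ifaceIp "lan0"}");
    #"--node-ip=${config.systemd.network
  };

  # Create and own the NATS data directory before nats.service starts.
  # `set -eu` makes the unit fail -- and therefore hold nats.service back --
  # if any step fails, instead of silently continuing with a missing or
  # wrongly-owned directory.
  systemd.services.nats-datadir = {
    requiredBy = [ "nats.service" ];
    before = [ "nats.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.writeShellScript "nats-datadir" ''
        set -eu
        ${pkgs.coreutils}/bin/mkdir -p /srv/nats
        ${pkgs.coreutils}/bin/chown -R nats:nats /srv/nats
        ${pkgs.coreutils}/bin/chmod 750 /srv/nats
      '';
    };
  };

  # Make sure tmpfiles have been (re)applied before NATS starts, including on
  # `nixos-rebuild switch`, not only at boot.
  systemd.services.nats.unitConfig.Requires = [ "systemd-tmpfiles-resetup.service" ];
  systemd.services.nats.unitConfig.After = [ "systemd-tmpfiles-resetup.service" ];

  # Three-node NATS cluster "cascade" with JetStream enabled (kine needs it).
  # NOTE(review): no `authorization` block is set, so client (4222), route
  # (6222) and monitoring (8222) access are all unauthenticated -- see the k3s
  # note above.
  services.nats = {
    enable = true;
    serverName = host;
    dataDir = "/srv/nats";
    jetstream = true;
    settings = {
      cluster = {
        name = "cascade";
        # Routes are the static peer list; do not advertise this node's own
        # address to clients.
        no_advertise = true;
        port = 6222;
        routes = [
          "nats://10.127.1.2:6222"
          "nats://10.127.1.3:6222"
          "nats://10.127.1.4:6222"
        ];
      };
      # Monitoring endpoint (/varz, /connz, ...); unauthenticated.
      http_port = 8222;
    };
  };

  # Only CoreDNS (53) speaks UDP.  The k3s API (6443) and NATS client (4222),
  # route (6222) and monitoring (8222) ports are TCP-only, so they are not
  # opened on UDP; the postgres/pgpool ports stay closed while those services
  # are disabled (see the commented block above).
  # NOTE(review): these rules apply to every interface, including lan0, which
  # the k3s flags above treat as the external-IP interface.  Restricting the
  # cluster ports with `networking.firewall.interfaces.sec0.allowedTCPPorts`
  # (keeping 53 global) would limit the unauthenticated NATS exposure.
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.firewall.allowedTCPPorts = [ 53 6443 4222 6222 8222 ];
}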