wgautomesh actually on prod

2023-03-24 12:01:38 +01:00 · 2023-03-24 12:01:38 +01:00 · 53b9cfd838
parent 5cd69a9ba1
commit 53b9cfd838
6 changed files with 15 additions and 24 deletions
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@ -13,7 +13,6 @@
      site_name = "neptune";
      publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
      IP = "10.83.1.1";
-      lan_endpoint = "192.168.1.31:33799";
      endpoint = "77.207.15.215:33731";
    }
    {
@ -21,7 +20,6 @@
      site_name = "neptune";
      publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
      IP = "10.83.1.2";
-      lan_endpoint = "192.168.1.32:33799";
      endpoint = "77.207.15.215:33732";
    }
    {
@ -29,7 +27,6 @@
      site_name = "neptune";
      publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
      IP = "10.83.1.3";
-      lan_endpoint = "192.168.1.33:33799";
      endpoint = "77.207.15.215:33733";
    }
    {
@ -37,7 +34,6 @@
      site_name = "orion";
      publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
      IP = "10.83.2.1";
-      lan_endpoint = "192.168.1.11:33799";
      endpoint = "82.66.80.201:33731";
    }
    {
@ -45,7 +41,6 @@
      site_name = "orion";
      publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
      IP = "10.83.2.2";
-      lan_endpoint = "192.168.1.12:33799";
      endpoint = "82.66.80.201:33732";
    }
    {
@ -53,7 +48,6 @@
      site_name = "orion";
      publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
      IP = "10.83.2.3";
-      lan_endpoint = "192.168.1.13:33799";
      endpoint = "82.66.80.201:33733";
    }
    {
@ -61,7 +55,6 @@
      site_name = "bespin";
      publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
      IP = "10.83.3.1";
-      lan_endpoint = "192.168.5.117:33799";
      endpoint = "109.136.55.235:33731";
    }
    {
@ -69,7 +62,6 @@
      site_name = "bespin";
      publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
      IP = "10.83.3.2";
-      lan_endpoint = "192.168.5.134:33799";
      endpoint = "109.136.55.235:33732";
    }
    {
@ -77,7 +69,6 @@
      site_name = "bespin";
      publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
      IP = "10.83.3.3";
-      lan_endpoint = "192.168.5.116:33799";
      endpoint = "109.136.55.235:33733";
    }
    {
@ -85,7 +76,6 @@
      site_name = "scorpio";
      publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg=";
      IP = "10.83.4.1";
-      lan_endpoint = "192.168.1.41:33799";
      endpoint = "82.65.41.110:33741";
    }
  ];
--- a/11
+++ b/11
@ -7,17 +7,20 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
 copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
 copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix

+cmd mkdir -p /var/lib/wgautomesh
+write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
+copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
+
 if [ "$CLUSTER" = "staging" ]; then
 	copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
-
-	cmd mkdir -p /var/lib/wgautomesh
-	write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
-	copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
 fi

 if [ "$CLUSTER" = "prod" ]; then
 	cmd nixos-rebuild boot
 	message "-------------------------------------------------------------------------------------"
+	message "NIXOS CHANGES THAT WOULD BE APPLIED UPON SWITCH OR REBOOT:"
+	cmd nixos-rebuild dry-activate
+	message "-------------------------------------------------------------------------------------"
 	message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
 	message "Please apply the following procedure to node '$NIXHOST':"
 	message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
--- a/doc/ports
+++ b/doc/ports
@ -16,7 +16,7 @@ ports so that we can avoid conflicts when adding services.
 587     postfix submission
 993     dovecot imaps
 1337    dovecot zauthoentication
-1666    wgautomesh (staging)
+1666    wgautomesh
 1728    nix-serve
 3719    grafana
 3900    garage S3 (prod)
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@ -84,5 +84,8 @@ SystemMaxUse=1G
      dns = [ "172.17.0.1" ];
    })}";
  };
+
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 30d";
 }

--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@ -31,11 +31,6 @@ in
          default = null;
          description = "Wireguard endpoint on the public Internet";
        };
-        lan_endpoint = mkOption {
-          type = nullOr str;
-          description = "Wireguard endpoint for nodes in the same site";
-          default = null;
-        };
      };
    };
  in
@ -271,7 +266,7 @@ in
    #   listenPort = cfg.wireguard_port;
    #   privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
    #   mtu = 1420;
-    #   peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
+    #   peers = map ({ publicKey, endpoint, IP, ... }: {
    #     inherit publicKey endpoint;
    #     allowedIPs = [ "${IP}/32" ];
    #     persistentKeepalive = 25;
@ -332,7 +327,7 @@ in

    services.nomad.enable = true;
    systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
-    services.nomad.package = pkgs.nomad_1_3;
+    services.nomad.package = pkgs.nomad_1_4;
    services.nomad.extraPackages = [
      pkgs.glibc
      pkgs.zstd
--- a/nix/wgautomesh.nix
+++ b/nix/wgautomesh.nix
@ -118,8 +118,8 @@ in
          User = "wgautomesh";
          StateDirectory = "wgautomesh";
          StateDirectoryMode = "0700";
-          AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-          CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+          AmbientCapabilities = "CAP_NET_ADMIN";
+          CapabilityBoundingSet = "CAP_NET_ADMIN";
        };
        wantedBy = [ "multi-user.target" ];
      };