diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix index 802d084..44c376e 100644 --- a/cluster/prod/cluster.nix +++ b/cluster/prod/cluster.nix @@ -13,7 +13,6 @@ site_name = "neptune"; publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34="; IP = "10.83.1.1"; - lan_endpoint = "192.168.1.31:33799"; endpoint = "77.207.15.215:33731"; } { @@ -21,7 +20,6 @@ site_name = "neptune"; publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0="; IP = "10.83.1.2"; - lan_endpoint = "192.168.1.32:33799"; endpoint = "77.207.15.215:33732"; } { @@ -29,7 +27,6 @@ site_name = "neptune"; publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U="; IP = "10.83.1.3"; - lan_endpoint = "192.168.1.33:33799"; endpoint = "77.207.15.215:33733"; } { @@ -37,7 +34,6 @@ site_name = "orion"; publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU="; IP = "10.83.2.1"; - lan_endpoint = "192.168.1.11:33799"; endpoint = "82.66.80.201:33731"; } { @@ -45,7 +41,6 @@ site_name = "orion"; publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA="; IP = "10.83.2.2"; - lan_endpoint = "192.168.1.12:33799"; endpoint = "82.66.80.201:33732"; } { @@ -53,7 +48,6 @@ site_name = "orion"; publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y="; IP = "10.83.2.3"; - lan_endpoint = "192.168.1.13:33799"; endpoint = "82.66.80.201:33733"; } { @@ -61,7 +55,6 @@ site_name = "bespin"; publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg="; IP = "10.83.3.1"; - lan_endpoint = "192.168.5.117:33799"; endpoint = "109.136.55.235:33731"; } { @@ -69,7 +62,6 @@ site_name = "bespin"; publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ="; IP = "10.83.3.2"; - lan_endpoint = "192.168.5.134:33799"; endpoint = "109.136.55.235:33732"; } { @@ -77,7 +69,6 @@ site_name = "bespin"; publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI="; IP = "10.83.3.3"; - lan_endpoint = "192.168.5.116:33799"; endpoint = "109.136.55.235:33733"; } { @@ -85,7 +76,6 @@ site_name = "scorpio"; publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg="; IP = "10.83.4.1"; - lan_endpoint = "192.168.1.41:33799"; endpoint = "82.65.41.110:33741"; } ]; diff --git a/deploy_nixos b/deploy_nixos index 48ef9ea..b716993 100755 --- a/deploy_nixos +++ b/deploy_nixos @@ -7,17 +7,20 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix +cmd mkdir -p /var/lib/wgautomesh +write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret +copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix + if [ "$CLUSTER" = "staging" ]; then copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix - - cmd mkdir -p /var/lib/wgautomesh - write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret - copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix fi if [ "$CLUSTER" = "prod" ]; then cmd nixos-rebuild boot message "-------------------------------------------------------------------------------------" + message "NIXOS CHANGES THAT WOULD BE APPLIED UPON SWITCH OR REBOOT:" + cmd nixos-rebuild dry-activate + message "-------------------------------------------------------------------------------------" message "New NixOS configuration hasn't been applied, to avoid disturbing production services." message "Please apply the following procedure to node '$NIXHOST':" message "1. Drain node in Nomad so that all jobs are relocated elsewhere" diff --git a/doc/ports b/doc/ports index 98c2819..73fdb48 100644 --- a/doc/ports +++ b/doc/ports @@ -16,7 +16,7 @@ ports so that we can avoid conflicts when adding services. 587 postfix submission 993 dovecot imaps 1337 dovecot zauthoentication -1666 wgautomesh (staging) +1666 wgautomesh 1728 nix-serve 3719 grafana 3900 garage S3 (prod) diff --git a/nix/configuration.nix b/nix/configuration.nix index 0b07056..9d3169b 100644 --- a/nix/configuration.nix +++ b/nix/configuration.nix @@ -84,5 +84,8 @@ SystemMaxUse=1G dns = [ "172.17.0.1" ]; })}"; }; + + nix.gc.automatic = true; + nix.gc.options = "--delete-older-than 30d"; } diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix index ba8cdfc..f7b70d7 100644 --- a/nix/deuxfleurs.nix +++ b/nix/deuxfleurs.nix @@ -31,11 +31,6 @@ in default = null; description = "Wireguard endpoint on the public Internet"; }; - lan_endpoint = mkOption { - type = nullOr str; - description = "Wireguard endpoint for nodes in the same site"; - default = null; - }; }; }; in @@ -271,7 +266,7 @@ in # listenPort = cfg.wireguard_port; # privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private"; # mtu = 1420; - # peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: { + # peers = map ({ publicKey, endpoint, IP, ... }: { # inherit publicKey endpoint; # allowedIPs = [ "${IP}/32" ]; # persistentKeepalive = 25; @@ -332,7 +327,7 @@ in services.nomad.enable = true; systemd.services.nomad.after = [ "wg-quick-wg0.service" ]; - services.nomad.package = pkgs.nomad_1_3; + services.nomad.package = pkgs.nomad_1_4; services.nomad.extraPackages = [ pkgs.glibc pkgs.zstd diff --git a/nix/wgautomesh.nix b/nix/wgautomesh.nix index c64c4af..55aa73f 100644 --- a/nix/wgautomesh.nix +++ b/nix/wgautomesh.nix @@ -118,8 +118,8 @@ in User = "wgautomesh"; StateDirectory = "wgautomesh"; StateDirectoryMode = "0700"; - AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; + AmbientCapabilities = "CAP_NET_ADMIN"; + CapabilityBoundingSet = "CAP_NET_ADMIN"; }; wantedBy = [ "multi-user.target" ]; };