From 578075a9252435aaed12d2535577e18e053cd916 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 11 Dec 2022 22:37:28 +0100 Subject: [PATCH] Add origan node in staging cluster (+ refactor system.stateVersion) --- cluster/prod/cluster.nix | 6 +++++ .../staging/app/core/deploy/core-system.hcl | 4 +++- cluster/staging/cluster.nix | 8 +++++++ cluster/staging/node/carcajou.nix | 2 ++ cluster/staging/node/cariacou.nix | 2 ++ cluster/staging/node/caribou.nix | 2 ++ cluster/staging/node/origan.nix | 24 +++++++++++++++++++ cluster/staging/node/origan.site.nix | 1 + cluster/staging/site/jupiter.nix | 16 +++++++++++++ cluster/staging/site/neptune.nix | 8 ------- cluster/staging/ssh_config | 3 +++ deploy_pki | 10 ++++---- nix/configuration.nix | 8 ------- ssh_known_hosts | 1 + 14 files changed, 73 insertions(+), 22 deletions(-) create mode 100644 cluster/staging/node/origan.nix create mode 120000 cluster/staging/node/origan.site.nix create mode 100644 cluster/staging/site/jupiter.nix
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index 95391ac..59fbcb5 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -117,4 +117,10 @@
 # For Garage external communication
 networking.firewall.allowedTCPPorts = [ 3901 ];
+
+ # All prod nodes were deployed on the same version.
+ # This could be put in individual node .nix files if we deploy
+ # newer nodes on a different system version, OR we can bump this
+ # regularly cluster-wide
+ system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl
index d410573..15dc77f 100644
--- a/cluster/staging/app/core/deploy/core-system.hcl
+++ b/cluster/staging/app/core/deploy/core-system.hcl
@@ -1,5 +1,5 @@
 job "core-system" {
- datacenters = ["neptune"]
+ datacenters = ["neptune", "jupiter"]
 type = "system"
 priority = 90
@@ -13,6 +13,7 @@ job "core-system" {
 stagger = "1m"
 }
+/*
 group "diplonat" {
 task "diplonat" {
 driver = "nix2"
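Review bot: The `diplonat` group is switched off by wrapping it in a `/* … */` block (opened here right after `stagger = "1m"`, closed in the `@@ -68,6 +69,7 @@` hunk) with nothing saying why it is disabled or when it comes back, so the next reader cannot tell dead code from a pending change. It is presumably tied to the new `jupiter` datacenter having no public IPv4 (see `site/jupiter.nix`), but the file does not say so; add a line above `/*` such as `# diplonat disabled: <reason> — re-enable once <condition>` with the real reason filled in. Widening `datacenters` also makes every remaining group of this `system` job, including `tricot`, run on the jupiter node; if that is intended, a short comment next to `datacenters` saying so would help. Both hunks cut through the middle of the `job` block.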
@@ -68,6 +69,7 @@ EOH
 }
 }
 }
+ */
 group "tricot" {
 network {
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index b9a4fed..42353e0 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -32,6 +32,14 @@
 lan_endpoint = "192.168.1.23:33799";
 endpoint = "77.207.15.215:33723";
 }
+ {
+ hostname = "origan";
+ site_name = "jupiter";
+ publicKey = "smBQYUS60JDkNoqkTT7TgbpqFiM43005fcrT6472llI=";
+ IP = "10.14.2.33";
+ lan_endpoint = "192.168.1.33:33799";
+ endpoint = "192.168.1.199:33799"; # TODO NAT
+ }
 ];
 # Bootstrap IPs for Consul cluster,
diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix
index b6d15df..0ec2582 100644
--- a/cluster/staging/node/carcajou.nix
+++ b/cluster/staging/node/carcajou.nix
@@ -21,4 +21,6 @@
 deuxfleurs.cluster_ip = "10.14.1.2";
 deuxfleurs.is_raft_server = true;
+
+ system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/node/cariacou.nix b/cluster/staging/node/cariacou.nix
index 61d3f28..d8fe564 100644
--- a/cluster/staging/node/cariacou.nix
+++ b/cluster/staging/node/cariacou.nix
@@ -21,4 +21,6 @@
 deuxfleurs.cluster_ip = "10.14.1.1";
 deuxfleurs.is_raft_server = true;
+
+ system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix
index 65168a9..af46273 100644
--- a/cluster/staging/node/caribou.nix
+++ b/cluster/staging/node/caribou.nix
@@ -19,4 +19,6 @@
 # Open SSB port
 networking.firewall.allowedTCPPorts = [ 8008 ];
+
+ system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix
new file mode 100644
index 0000000..3085cca
--- /dev/null
+++ b/cluster/staging/node/origan.nix
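Review bot: `endpoint = "192.168.1.199:33799"` for `origan` is an RFC1918 address that is neither the node's own `lan_endpoint` (`192.168.1.33`) nor a public address like the neighbouring entry's `77.207.15.215:33723`, so it reads as a placeholder; until the NAT mapping exists, peers outside that LAN cannot reach origan through this field, and the bare `# TODO NAT` does not say what is missing. Make the TODO actionable, e.g. `endpoint = "192.168.1.199:33799"; # TODO NAT: replace with the public address:port once the jupiter router forwards 33799 to 192.168.1.33`. The list this entry sits in starts before the hunk.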
@@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 20;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "origan";
+
+ deuxfleurs.network_interface = "eno1";
+ deuxfleurs.lan_ip = "192.168.1.33";
+ deuxfleurs.ipv6 = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec";
+
+ deuxfleurs.cluster_ip = "10.14.2.33";
+ deuxfleurs.is_raft_server = false;
+
+ # Open SSB port
+ networking.firewall.allowedTCPPorts = [ 8008 ];
+
+ system.stateVersion = "22.11";
+}
diff --git a/cluster/staging/node/origan.site.nix b/cluster/staging/node/origan.site.nix
new file mode 120000
index 0000000..7cdd625
--- /dev/null
+++ b/cluster/staging/node/origan.site.nix
@@ -0,0 +1 @@
+../site/jupiter.nix
\ No newline at end of file
diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix
new file mode 100644
index 0000000..31b9f47
--- /dev/null
+++ b/cluster/staging/site/jupiter.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ deuxfleurs.site_name = "jupiter";
+ deuxfleurs.lan_default_gateway = "192.168.1.1";
+ deuxfleurs.ipv6_default_gateway = "fe80::9038:202a:73a0:e73b";
+ deuxfleurs.lan_ip_prefix_length = 24;
+ deuxfleurs.ipv6_prefix_length = 64;
+ deuxfleurs.nameservers = [ "192.168.1.1" ];
+ deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org.";
+
+ # no public ipv4 is used for the staging cluster on Jupiter
+ # deuxfleurs.public_ipv4 = "???";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix
index 506da65..5399826 100644
--- a/cluster/staging/site/neptune.nix
+++ b/cluster/staging/site/neptune.nix
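Review bot: `networking.firewall.allowedTCPPorts = [ 8008 ];` under `# Open SSB port` is copied verbatim from `node/caribou.nix`, and nothing else in this file or the patch shows origan running an SSB service; if it does not, this opens an unused port on a host that also carries a global IPv6 address (`deuxfleurs.ipv6`). Either drop the two lines or replace the comment with one that names the listener, e.g. `# Open SSB port (service <name> runs on this node)`. `system.stateVersion = "22.11"` differs from the `"21.05"` the other staging nodes are given in this same commit, which is consistent with a fresh install on a newer release; a one-line comment saying so would spare the next reader the question.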
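Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens the HTTP/HTTPS ports site-wide while the comment two lines above says the site has no public IPv4; the node that inherits this (`node/origan.nix`) does carry a global IPv6 address, so these ports are presumably reachable from the Internet over v6 once `tricot` from `core-system.hcl` is scheduled there. If that is the intent, say so next to the rule, e.g. `# 80/443 are reachable over public IPv6 only (no public IPv4 on this site)`; if not, scope the rule to the LAN interface via `networking.firewall.interfaces.<iface>.allowedTCPPorts`. The commented-out `deuxfleurs.public_ipv4 = "???"` is a placeholder that is never meant to be set here; the sentence above it already says that, so the pseudo-assignment can go.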
@@ -14,12 +14,4 @@
 # deuxfleurs.public_ipv4 = "77.207.15.215";
 networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- services.cron = {
- enable = true;
- systemCronJobs = [
- "0 2 * * * root nix-collect-garbage --delete-older-than 10d >> /root/nix_gc_log 2>&1"
- "30 2 1 * * root docker run --rm -v /var/lib/drone/nix:/nix nixpkgs/nix:nixos-21.05 nix-collect-garbage --delete-older-than 30d >> /root/drone_nix_gc_log 2>&1"
- ];
- };
 }
diff --git a/cluster/staging/ssh_config b/cluster/staging/ssh_config
index 0f8ea0a..407d39b 100644
--- a/cluster/staging/ssh_config
+++ b/cluster/staging/ssh_config
@@ -15,3 +15,6 @@ Host cariacou
 Host spoutnik
 HostName 10.42.0.2
 Port 220
+
+Host origan
+ HostName 2a01:e0a:5e4:1d0:223:24ff:feaf:fdec
diff --git a/deploy_pki b/deploy_pki
index d6b0d3a..d7f5832 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -23,7 +23,7 @@ for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
 do
 if pass $PKI/$file >/dev/null; then
 write_pass $PKI/$file /var/lib/nomad/pki/$file
- cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
+ cmd "chown \$(stat -c %u /var/lib/nomad) /var/lib/nomad/pki/$file"
 fi
 done
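Review bot: `stat -c %u /var/lib/nomad` reports the owner of the path itself, and GNU `stat` only follows a symlink when given `-L`; under systemd's `DynamicUser`/`StateDirectory` layout `/var/lib/nomad` is exactly such a symlink to `/var/lib/private/nomad`, so if that layout is still in place on the target the uid comes back as root's and the freshly written certificates and `nomad$YEAR.key` end up owned by root, unreadable by the Nomad user. Whether the directory is now a real directory is not visible in this patch; `stat -L` is correct in both cases, i.e. `cmd "chown \$(stat -L -c %u /var/lib/nomad) /var/lib/nomad/pki/$file"`. Nothing in the loop sets the mode of the key file either; if `write_pass` (defined outside the hunk) does not, a `chmod 0600` on `nomad$YEAR.key` belongs next to the `chown`. The `for` loop starts before the hunk.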
@@ -39,7 +39,7 @@ cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul$YEAR
 cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
 cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"
-cmd "consul kv put secrets/nomad/nomad-ca.crt - < /var/lib/private/nomad/pki/nomad-ca.crt"
-cmd "consul kv put secrets/nomad/nomad.crt - < /var/lib/private/nomad/pki/nomad$YEAR.crt"
-cmd "consul kv put secrets/nomad/nomad-client.crt - < /var/lib/private/nomad/pki/nomad$YEAR-client.crt"
-cmd "consul kv put secrets/nomad/nomad-client.key - < /var/lib/private/nomad/pki/nomad$YEAR-client.key"
+cmd "consul kv put secrets/nomad/nomad-ca.crt - < /var/lib/nomad/pki/nomad-ca.crt"
+cmd "consul kv put secrets/nomad/nomad.crt - < /var/lib/nomad/pki/nomad$YEAR.crt"
+cmd "consul kv put secrets/nomad/nomad-client.crt - < /var/lib/nomad/pki/nomad$YEAR-client.crt"
+cmd "consul kv put secrets/nomad/nomad-client.key - < /var/lib/nomad/pki/nomad$YEAR-client.key"
diff --git a/nix/configuration.nix b/nix/configuration.nix
index aa979db..0b07056 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -84,13 +84,5 @@ SystemMaxUse=1G
 dns = [ "172.17.0.1" ];
 })}";
 };
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "21.05"; # Did you read the comment?
 }
diff --git a/ssh_known_hosts b/ssh_known_hosts
index 9b1c4d1..530df33 100644
--- a/ssh_known_hosts
+++ b/ssh_known_hosts
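Review bot: The directory `/var/lib/nomad/pki` is now spelled out in each of the four `consul kv put` lines here and again in the `write_pass`/`chown` lines of the `@@ -23,7 +23,7 @@` hunk, so this rename had to touch six places and the next one will too. A single `NOMAD_PKI=/var/lib/nomad/pki` near the top of the script, used as `< $NOMAD_PKI/nomad$YEAR-client.key` here and `$NOMAD_PKI/$file` in the loop, keeps the next move to one line. Unrelated to the rename but worth a look while here: the last line copies the private key `nomad$YEAR-client.key` into Consul KV under `secrets/nomad/`, so every reader of that prefix holds the Nomad client key; confirm the Consul ACL on that prefix is as tight as intended.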
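Review bot: Removing `system.stateVersion` from the shared module means every node now depends on its node file (staging) or cluster file (prod) to set it, and a node that forgets does not fail evaluation — as far as I recall NixOS falls back to the current release with only a warning, so the stateful-data defaults then silently track whatever release that node is first built with. Leave a pointer where the option used to be, e.g. `# system.stateVersion is set per node (cluster/staging/node/*.nix) or per cluster (cluster/prod/cluster.nix); every node must define it`, so nobody reads its absence here as "not needed". The enclosing attribute set starts before the hunk.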
@@ -24,3 +24,4 @@ df-ymf.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2el374ejNXqF+
 2001:910:1204:1::31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
 2001:910:1204:1::32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
 192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
+2a01:e0a:5e4:1d0:223:24ff:feaf:fdec ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
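Review bot: The new host key is pinned only under origan's global IPv6 address, whereas the file already pins another node under its LAN address (`192.168.1.23`); an operator who reaches origan over the LAN (`192.168.1.33`, from `node/origan.nix`) gets a first-connection prompt instead of a match, which is exactly the moment a substituted key goes unnoticed. List every address origan is reached by on the one line, e.g. `192.168.1.33,2a01:e0a:5e4:1d0:223:24ff:feaf:fdec ssh-ed25519 <same key as above>`, so the `Host origan` stanza in `cluster/staging/ssh_config` and a direct LAN login both verify against the same pinned key.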