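# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... } @ args:

let
  # Configuration local for this cluster node (hostname, IP, etc).
  # node.nix is evaluated here with the same module arguments so that its
  # values can be read directly below (Consul/Nomad bind address, WireGuard
  # listen port); it is also listed in `imports` so it takes effect as a module.
  node_config = import ./node.nix args;

  # First IPv4 address configured on eno1 in node.nix. Used as the address
  # Consul binds to and Nomad advertises; hoisted here so both services derive
  # it from a single expression instead of two identical local `let`s.
  public_ip = (builtins.head node_config.networking.interfaces.eno1.ipv4.addresses).address;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    # Configuration local for this cluster node (hostname, IP, etc)
    ./node.nix
  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.timeout = 20;
  boot.loader.efi.canTouchEfiVariables = true;

  nix = {
    # The cache is fetched over plain HTTP. Nix still verifies every NAR
    # signature against the public key below, so substitution integrity rests
    # on that key being the right one; the transport itself is not encrypted.
    binaryCaches = [ "http://binarycache.home.adnab.me" ];
    binaryCachePublicKeys = [ "binarycache.home.adnab.me:ErR6pMnewf9oVyZJd5uC2nI4EZF49c7Mh86eDZWYZaw=" ];
  };

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Networking configuration (static IPs for each node is defined in node/*.nix)
  networking.nameservers = [ "9.9.9.9" ];
  networking.defaultGateway = {
    address = "192.168.1.254";
    interface = "eno1";
  };

  # Wireguard VPN configuration
  networking.wireguard.interfaces.wg0 = {
    # privateKeyFile (rather than privateKey) keeps the key out of the
    # world-readable Nix store; the file itself must stay readable by root only.
    privateKeyFile = "/root/wireguard-keys/private";
    peers = [
      {
        # Hammerhead
        publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
        allowedIPs = [ "10.42.0.1/32" ];
        endpoint = "5.135.179.11:51349";
        persistentKeepalive = 10;
      }
      {
        # Spoutnik
        publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
        allowedIPs = [ "10.42.0.2/32" ];
        endpoint = "77.141.67.109:42136";
        persistentKeepalive = 10;
      }
      {
        # Shiki
        publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
        allowedIPs = [ "10.42.0.206/32" ];
        endpoint = "37.187.118.206:51820";
        persistentKeepalive = 10;
      }
      {
        # Was labelled "Carcajou" like the next peer. 10.42.0.21 and port 33721
        # line up with cariacou (192.168.1.21 in extraHosts below), so this is
        # presumably Cariacou — confirm against node/*.nix.
        publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
        allowedIPs = [ "10.42.0.21/32" ];
        endpoint = "91.160.50.156:33721";
        persistentKeepalive = 10;
      }
      {
        # Carcajou
        publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
        allowedIPs = [ "10.42.0.22/32" ];
        endpoint = "91.160.50.156:33722";
        persistentKeepalive = 10;
      }
      {
        # Caribou
        publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
        allowedIPs = [ "10.42.0.23/32" ];
        endpoint = "91.160.50.156:33723";
        persistentKeepalive = 10;
      }
    ];
  };

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # Static name resolution for the cluster nodes and the binary cache
  # (one hosts(5) entry per line).
  networking.extraHosts = ''
    192.168.1.21 cariacou
    192.168.1.22 carcajou
    192.168.1.23 caribou
    192.168.1.23 binarycache
    192.168.1.23 binarycache.home.adnab.me
  '';

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "sun12x22";
    keyMap = "fr";
  };

  # Enable the X11 windowing system.
  # services.xserver.enable = true;

  # Configure keymap in X11
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.lx = {
    isNormalUser = true;
    extraGroups = [
      "wheel"  # Enable ‘sudo’ for the user.
      "video"  # Having fun with links -g
      "docker" # Enable management of Docker containers.
               # Note: control of the Docker daemon is equivalent to root on
               # this host, so this group carries the same trust as "wheel".
    ];
    openssh.authorizedKeys.keys = [
      # Keys for accessing nodes from outside
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
      # SSH access between nodes
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOxa/9nQfPOcUPdpAhiz3s73O/eCB8tevei/VKPyiIV lx@caribou"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrlp9pmE4cTirzBAYRfQP5DH2OXzVsKZe7lRO+MXg4Z lx@carcajou"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+2D98laBfRGF90PlOlAo+MKmMnh1kX0Bx6Pzhf4Ym9 lx@cariacou"
    ];
  };

  # Direct key-based root login from the "lindy" workstation. Whether sshd
  # accepts it is governed by services.openssh.permitRootLogin, which is not
  # set in this file (the NixOS default for this release applies).
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
  ];

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    tmux
    ncdu
    iotop
    jnettop
    nethogs
    wget
    htop
    links
    git
    docker-compose
  ];

  programs.vim.defaultEditor = true;

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable Yggdrasil networking
  services.yggdrasil.enable = true;
  services.yggdrasil.persistentKeys = true;
  services.yggdrasil.config = {
    # Listens on every interface; 54312/tcp is opened in the firewall below,
    # so any host that can reach this port may attempt to peer.
    Listen = [ "tcp://0.0.0.0:54312" ];
    # The three 192.168.1.x entries are the cluster nodes themselves (see
    # extraHosts), so each node presumably also lists its own address here.
    Peers = [
      "tcp://37.187.118.206:53102"
      "tcp://192.168.1.21:54312"
      "tcp://192.168.1.22:54312"
      "tcp://192.168.1.23:54312"
    ];
    MulticastInterfaces = [ "eno1" ];
  };

  # Enable network time
  services.ntp.enable = true;

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Enable netdata monitoring
  services.netdata.enable = true;

  # Enable Hashicorp Consul & Nomad
  services.consul.enable = true;
  services.consul.extraConfig = {
    datacenter = "neptune";
    bootstrap_expect = 3;
    server = true;
    ui = true;
    bind_addr = public_ip;
    # The HTTP API and UI listen on every interface, and 8500/tcp is opened
    # in the firewall below. No ACL configuration appears in this file; unless
    # it is set elsewhere, anything that can reach 8500 can read and modify
    # the catalog and KV store. Binding to the LAN/VPN address or enabling
    # Consul ACLs would narrow this.
    addresses.http = "0.0.0.0";
    retry_join = [ "192.168.1.21" "192.168.1.22" "192.168.1.23" ];
  };

  services.nomad.enable = true;
  services.nomad.settings = {
    datacenter = "neptune";
    server = {
      enabled = true;
      bootstrap_expect = 3;
    };
    # Advertised on the eno1 address; 4646-4648 are opened in the firewall
    # below and no ACL block is configured here — same caveat as for Consul.
    advertise = {
      rpc = public_ip;
      http = public_ip;
      serf = public_ip;
    };
    consul.address = "127.0.0.1:8500";
    client = {
      enabled = true;
      network_interface = "eno1";
    };
    plugin = [
      {
        docker = [
          {
            config = [
              {
                # Allows jobs to bind-mount host paths into their containers;
                # restrict job submission to trusted operators (ACLs) if the
                # API is reachable beyond the cluster.
                volumes.enabled = true;
              }
            ];
          }
        ];
      }
    ];
  };

  # Open ports in the firewall.
  # These rules are not tied to an interface, so the listed services are
  # reachable from every network this host is attached to (LAN, WireGuard,
  # Yggdrasil alike).
  networking.firewall.allowedTCPPorts = [
    22 # SSH
    3900 3901 # Garage (internal RPC traffic)
    4646 4647 4648 # Nomad
    8500 8300 8301 8302 # Consul
    19999 # Netdata
    54312 # Yggdrasil
  ];
  networking.firewall.allowedUDPPorts = [
    4648 # Nomad
    8301 8302 # Consul
    node_config.networking.wireguard.interfaces.wg0.listenPort
  ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
}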