wgautomesh actually on prod
parent
5cd69a9ba1
commit
53b9cfd838
6 changed files with 15 additions and 24 deletions
|
@ -13,7 +13,6 @@
|
|||
site_name = "neptune";
|
||||
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
|
||||
IP = "10.83.1.1";
|
||||
lan_endpoint = "192.168.1.31:33799";
|
||||
endpoint = "77.207.15.215:33731";
|
||||
}
|
||||
{
|
||||
|
@ -21,7 +20,6 @@
|
|||
site_name = "neptune";
|
||||
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
|
||||
IP = "10.83.1.2";
|
||||
lan_endpoint = "192.168.1.32:33799";
|
||||
endpoint = "77.207.15.215:33732";
|
||||
}
|
||||
{
|
||||
|
@ -29,7 +27,6 @@
|
|||
site_name = "neptune";
|
||||
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
|
||||
IP = "10.83.1.3";
|
||||
lan_endpoint = "192.168.1.33:33799";
|
||||
endpoint = "77.207.15.215:33733";
|
||||
}
|
||||
{
|
||||
|
@ -37,7 +34,6 @@
|
|||
site_name = "orion";
|
||||
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
|
||||
IP = "10.83.2.1";
|
||||
lan_endpoint = "192.168.1.11:33799";
|
||||
endpoint = "82.66.80.201:33731";
|
||||
}
|
||||
{
|
||||
|
@ -45,7 +41,6 @@
|
|||
site_name = "orion";
|
||||
publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
|
||||
IP = "10.83.2.2";
|
||||
lan_endpoint = "192.168.1.12:33799";
|
||||
endpoint = "82.66.80.201:33732";
|
||||
}
|
||||
{
|
||||
|
@ -53,7 +48,6 @@
|
|||
site_name = "orion";
|
||||
publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
|
||||
IP = "10.83.2.3";
|
||||
lan_endpoint = "192.168.1.13:33799";
|
||||
endpoint = "82.66.80.201:33733";
|
||||
}
|
||||
{
|
||||
|
@ -61,7 +55,6 @@
|
|||
site_name = "bespin";
|
||||
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
|
||||
IP = "10.83.3.1";
|
||||
lan_endpoint = "192.168.5.117:33799";
|
||||
endpoint = "109.136.55.235:33731";
|
||||
}
|
||||
{
|
||||
|
@ -69,7 +62,6 @@
|
|||
site_name = "bespin";
|
||||
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
|
||||
IP = "10.83.3.2";
|
||||
lan_endpoint = "192.168.5.134:33799";
|
||||
endpoint = "109.136.55.235:33732";
|
||||
}
|
||||
{
|
||||
|
@ -77,7 +69,6 @@
|
|||
site_name = "bespin";
|
||||
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
|
||||
IP = "10.83.3.3";
|
||||
lan_endpoint = "192.168.5.116:33799";
|
||||
endpoint = "109.136.55.235:33733";
|
||||
}
|
||||
{
|
||||
|
@ -85,7 +76,6 @@
|
|||
site_name = "scorpio";
|
||||
publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg=";
|
||||
IP = "10.83.4.1";
|
||||
lan_endpoint = "192.168.1.41:33799";
|
||||
endpoint = "82.65.41.110:33741";
|
||||
}
|
||||
];
|
||||
|
|
11
deploy_nixos
11
deploy_nixos
|
@ -7,17 +7,20 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
|
|||
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
|
||||
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
||||
|
||||
cmd mkdir -p /var/lib/wgautomesh
|
||||
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
|
||||
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
||||
|
||||
if [ "$CLUSTER" = "staging" ]; then
|
||||
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
||||
|
||||
cmd mkdir -p /var/lib/wgautomesh
|
||||
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
|
||||
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
||||
fi
|
||||
|
||||
if [ "$CLUSTER" = "prod" ]; then
|
||||
cmd nixos-rebuild boot
|
||||
message "-------------------------------------------------------------------------------------"
|
||||
message "NIXOS CHANGES THAT WOULD BE APPLIED UPON SWITCH OR REBOOT:"
|
||||
cmd nixos-rebuild dry-activate
|
||||
message "-------------------------------------------------------------------------------------"
|
||||
message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
|
||||
message "Please apply the following procedure to node '$NIXHOST':"
|
||||
message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
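Review bot: `cmd mkdir -p /var/lib/wgautomesh` now runs for every cluster right before `write_pass` drops the gossip secret into it, so the directory is created with whatever umask the deploying command runs under rather than with the 0700 the service unit elsewhere in this commit declares for its state directory; if `cmd` forwards its arguments unchanged, `cmd mkdir -p -m 0700 /var/lib/wgautomesh` closes that window at creation time. Whether `write_pass` itself creates the secret file with a restrictive mode cannot be seen on this page and is worth confirming, since the file now exists on prod nodes too. The `if [ "$CLUSTER" = "prod" ]` block continues past the end of the hunk.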
|
||||
|
|
|
@ -16,7 +16,7 @@ ports so that we can avoid conflicts when adding services.
|
|||
587 postfix submission
|
||||
993 dovecot imaps
|
||||
1337 dovecot zauthoentication
|
||||
1666 wgautomesh (staging)
|
||||
1666 wgautomesh
|
||||
1728 nix-serve
|
||||
3719 grafana
|
||||
3900 garage S3 (prod)
|
||||
|
|
|
@ -84,5 +84,8 @@ SystemMaxUse=1G
|
|||
dns = [ "172.17.0.1" ];
|
||||
})}";
|
||||
};
|
||||
|
||||
nix.gc.automatic = true;
|
||||
nix.gc.options = "--delete-older-than 30d";
|
||||
}
|
||||
|
||||
|
|
|
@ -31,11 +31,6 @@ in
|
|||
default = null;
|
||||
description = "Wireguard endpoint on the public Internet";
|
||||
};
|
||||
lan_endpoint = mkOption {
|
||||
type = nullOr str;
|
||||
description = "Wireguard endpoint for nodes in the same site";
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
|
@ -271,7 +266,7 @@ in
|
|||
# listenPort = cfg.wireguard_port;
|
||||
# privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
|
||||
# mtu = 1420;
|
||||
# peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
|
||||
# peers = map ({ publicKey, endpoint, IP, ... }: {
|
||||
# inherit publicKey endpoint;
|
||||
# allowedIPs = [ "${IP}/32" ];
|
||||
# persistentKeepalive = 25;
|
||||
|
@ -332,7 +327,7 @@ in
|
|||
|
||||
services.nomad.enable = true;
|
||||
systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
|
||||
services.nomad.package = pkgs.nomad_1_3;
|
||||
services.nomad.package = pkgs.nomad_1_4;
|
||||
services.nomad.extraPackages = [
|
||||
pkgs.glibc
|
||||
pkgs.zstd
|
||||
|
|
|
@ -118,8 +118,8 @@ in
|
|||
User = "wgautomesh";
|
||||
StateDirectory = "wgautomesh";
|
||||
StateDirectoryMode = "0700";
|
||||
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
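Review bot: The narrowing of AmbientCapabilities and CapabilityBoundingSet to `CAP_NET_ADMIN` carries no comment saying what the remaining capability is for or why CAP_NET_BIND_SERVICE could be dropped; the page's print order suggests the `CAP_NET_ADMIN`-only pair is the new side, but no marker confirms it. A comment above those two lines such as `# CAP_NET_ADMIN only: presumably needed to manage the WireGuard interface (confirm); the gossip port (1666 in the ports list) is unprivileged, so CAP_NET_BIND_SERVICE is not required` would record the reasoning for the next maintainer and discourage re-adding it. Narrowing both settings together keeps them consistent with each other. The enclosing systemd.services definition starts outside the hunk.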
|
||||
|
|