wgautomesh actually on prod

This commit is contained in:
Alex 2023-03-24 12:01:38 +01:00
parent 5cd69a9ba1
commit 53b9cfd838
6 changed files with 15 additions and 24 deletions


@ -13,7 +13,6 @@
site_name = "neptune"; site_name = "neptune";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34="; publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
IP = "10.83.1.1"; IP = "10.83.1.1";
lan_endpoint = "192.168.1.31:33799";
endpoint = "77.207.15.215:33731"; endpoint = "77.207.15.215:33731";
} }
{ {
@ -21,7 +20,6 @@
site_name = "neptune"; site_name = "neptune";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0="; publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
IP = "10.83.1.2"; IP = "10.83.1.2";
lan_endpoint = "192.168.1.32:33799";
endpoint = "77.207.15.215:33732"; endpoint = "77.207.15.215:33732";
} }
{ {
@ -29,7 +27,6 @@
site_name = "neptune"; site_name = "neptune";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U="; publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
IP = "10.83.1.3"; IP = "10.83.1.3";
lan_endpoint = "192.168.1.33:33799";
endpoint = "77.207.15.215:33733"; endpoint = "77.207.15.215:33733";
} }
{ {
@ -37,7 +34,6 @@
site_name = "orion"; site_name = "orion";
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU="; publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
IP = "10.83.2.1"; IP = "10.83.2.1";
lan_endpoint = "192.168.1.11:33799";
endpoint = "82.66.80.201:33731"; endpoint = "82.66.80.201:33731";
} }
{ {
@ -45,7 +41,6 @@
site_name = "orion"; site_name = "orion";
publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA="; publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
IP = "10.83.2.2"; IP = "10.83.2.2";
lan_endpoint = "192.168.1.12:33799";
endpoint = "82.66.80.201:33732"; endpoint = "82.66.80.201:33732";
} }
{ {
@ -53,7 +48,6 @@
site_name = "orion"; site_name = "orion";
publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y="; publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
IP = "10.83.2.3"; IP = "10.83.2.3";
lan_endpoint = "192.168.1.13:33799";
endpoint = "82.66.80.201:33733"; endpoint = "82.66.80.201:33733";
} }
{ {
@ -61,7 +55,6 @@
site_name = "bespin"; site_name = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg="; publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
IP = "10.83.3.1"; IP = "10.83.3.1";
lan_endpoint = "192.168.5.117:33799";
endpoint = "109.136.55.235:33731"; endpoint = "109.136.55.235:33731";
} }
{ {
@ -69,7 +62,6 @@
site_name = "bespin"; site_name = "bespin";
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ="; publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
IP = "10.83.3.2"; IP = "10.83.3.2";
lan_endpoint = "192.168.5.134:33799";
endpoint = "109.136.55.235:33732"; endpoint = "109.136.55.235:33732";
} }
{ {
@ -77,7 +69,6 @@
site_name = "bespin"; site_name = "bespin";
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI="; publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
IP = "10.83.3.3"; IP = "10.83.3.3";
lan_endpoint = "192.168.5.116:33799";
endpoint = "109.136.55.235:33733"; endpoint = "109.136.55.235:33733";
} }
{ {
@ -85,7 +76,6 @@
site_name = "scorpio"; site_name = "scorpio";
publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg="; publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg=";
IP = "10.83.4.1"; IP = "10.83.4.1";
lan_endpoint = "192.168.1.41:33799";
endpoint = "82.65.41.110:33741"; endpoint = "82.65.41.110:33741";
} }
]; ];


@ -7,17 +7,20 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
cmd mkdir -p /var/lib/wgautomesh
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
if [ "$CLUSTER" = "staging" ]; then if [ "$CLUSTER" = "staging" ]; then
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
cmd mkdir -p /var/lib/wgautomesh
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
fi fi
if [ "$CLUSTER" = "prod" ]; then if [ "$CLUSTER" = "prod" ]; then
cmd nixos-rebuild boot cmd nixos-rebuild boot
message "-------------------------------------------------------------------------------------" message "-------------------------------------------------------------------------------------"
message "NIXOS CHANGES THAT WOULD BE APPLIED UPON SWITCH OR REBOOT:"
cmd nixos-rebuild dry-activate
message "-------------------------------------------------------------------------------------"
message "New NixOS configuration hasn't been applied, to avoid disturbing production services." message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
message "Please apply the following procedure to node '$NIXHOST':" message "Please apply the following procedure to node '$NIXHOST':"
message "1. Drain node in Nomad so that all jobs are relocated elsewhere" message "1. Drain node in Nomad so that all jobs are relocated elsewhere"


@ -16,7 +16,7 @@ ports so that we can avoid conflicts when adding services.
587 postfix submission 587 postfix submission
993 dovecot imaps 993 dovecot imaps
1337 dovecot zauthoentication 1337 dovecot zauthoentication
1666 wgautomesh (staging) 1666 wgautomesh
1728 nix-serve 1728 nix-serve
3719 grafana 3719 grafana
3900 garage S3 (prod) 3900 garage S3 (prod)


@ -84,5 +84,8 @@ SystemMaxUse=1G
dns = [ "172.17.0.1" ]; dns = [ "172.17.0.1" ];
})}"; })}";
}; };
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 30d";
} }
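Review bot: The new `nix.gc.options = "--delete-older-than 30d";` line is passed to nix-collect-garbage, which as far as I can tell also deletes system profile generations older than 30 days, so on prod nodes — where this commit's deploy script only runs `nixos-rebuild boot` and leaves activation to an operator — the rollback window is now capped at a month. That trade-off is not recorded anywhere; a short comment such as `# also prunes system generations older than 30d, limiting rollback depth` next to the option would make it explicit. The enclosing attribute set starts outside this hunk.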


@ -31,11 +31,6 @@ in
default = null; default = null;
description = "Wireguard endpoint on the public Internet"; description = "Wireguard endpoint on the public Internet";
}; };
lan_endpoint = mkOption {
type = nullOr str;
description = "Wireguard endpoint for nodes in the same site";
default = null;
};
}; };
}; };
in in
@ -271,7 +266,7 @@ in
# listenPort = cfg.wireguard_port; # listenPort = cfg.wireguard_port;
# privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private"; # privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
# mtu = 1420; # mtu = 1420;
# peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: { # peers = map ({ publicKey, endpoint, IP, ... }: {
# inherit publicKey endpoint; # inherit publicKey endpoint;
# allowedIPs = [ "${IP}/32" ]; # allowedIPs = [ "${IP}/32" ];
# persistentKeepalive = 25; # persistentKeepalive = 25;
@ -332,7 +327,7 @@ in
services.nomad.enable = true; services.nomad.enable = true;
systemd.services.nomad.after = [ "wg-quick-wg0.service" ]; systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
services.nomad.package = pkgs.nomad_1_3; services.nomad.package = pkgs.nomad_1_4;
services.nomad.extraPackages = [ services.nomad.extraPackages = [
pkgs.glibc pkgs.glibc
pkgs.zstd pkgs.zstd
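Review bot: The change from `services.nomad.package = pkgs.nomad_1_3;` to `pkgs.nomad_1_4;` in the last hunk is unrelated to the commit subject ("wgautomesh actually on prod") and is not mentioned in the description, yet it upgrades Nomad on every node that imports this module. Splitting it out, or at least naming it in the commit message, would keep the change set reviewable and the rollback story clear. The `# peers = map ({ publicKey, endpoint, IP, ... }: {` line in the second hunk is commented-out code that is still being edited to track the option removal; either delete that dead block or add a one-line comment saying why it is kept. The enclosing attribute set begins and ends outside these hunks.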


@ -118,8 +118,8 @@ in
User = "wgautomesh"; User = "wgautomesh";
StateDirectory = "wgautomesh"; StateDirectory = "wgautomesh";
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_ADMIN";
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
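Review bot: Dropping `CAP_NET_BIND_SERVICE` from both `AmbientCapabilities` and `CapabilityBoundingSet` is a sound least-privilege reduction, but nothing in the unit records why it is safe: the only justification visible in this commit is the ports listing, where wgautomesh sits on 1666, an unprivileged port. A comment such as `# CAP_NET_ADMIN only: the gossip port (1666) is unprivileged, so CAP_NET_BIND_SERVICE is not needed` on the line above `AmbientCapabilities` would stop a later move to a port below 1024 from failing at bind time without an obvious cause. The enclosing `serviceConfig` block starts outside this hunk.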