# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... } @ args:
# Evaluate node.nix and site.nix as plain functions so their raw attribute values
# (wg0 addresses and listen port, sshd ports, Consul/Nomad server roles) can be
# read directly further down; both files are also imported as modules below.
# site_config is currently unused in this file.
let node_config = import ./node.nix args;
site_config = import ./site.nix args;
in
{
imports = [
  # Output of the hardware scan (disks, kernel modules) for this machine.
  ./hardware-configuration.nix
  # Per-node values: hostname, addresses, wg0 listen port, sshd ports and
  # whether this node is a Consul/Nomad server.
  ./node.nix
  # Per-site values shared by all nodes of one Deuxfleurs site.
  ./site.nix
];
# The global useDHCP flag is deprecated; interfaces get their static
# addresses from node.nix, so DHCP is explicitly left off here.
networking.useDHCP = false;
# Wireless support (wpa_supplicant) is not needed on these nodes.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Single upstream resolver (Quad9) over plain UDP/53. This is not an
# authenticated channel; cluster-internal names are pinned in
# networking.extraHosts below rather than resolved through it.
networking.nameservers = [ "9.9.9.9" ];
# Wireguard VPN (wg0): the 10.42.0.0/16 overlay that Consul and Nomad bind
# and advertise on. The private key is read from a file outside the Nix
# store on purpose: anything written into a Nix expression ends up
# world-readable under /nix/store.
# NOTE(review): the hosting forge flags "ambiguous Unicode characters" in this
# file; confirm the public keys and endpoints below are plain ASCII, since a
# homoglyph inside a key string would not match the intended peer.
networking.wireguard.interfaces.wg0 = {
  privateKeyFile = "/root/wireguard-keys/private";
  peers =
    let
      # Every peer owns exactly one overlay address (/32) and keeps its NAT
      # mapping alive with a 25 s keepalive.
      mkPeer = publicKey: overlayIp: endpoint: {
        inherit publicKey endpoint;
        allowedIPs = [ "${overlayIp}/32" ];
        persistentKeepalive = 25;
      };
    in [
      # Hammerhead
      (mkPeer "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=" "10.42.0.1" "5.135.179.11:51349")
      # Spoutnik
      (mkPeer "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=" "10.42.0.2" "77.141.67.109:42136")
      # Robinson
      (mkPeer "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=" "10.42.0.42" "77.141.67.109:33742")
      # Shiki
      (mkPeer "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=" "10.42.0.206" "37.187.118.206:51820")
      # Lindy
      (mkPeer "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=" "10.42.0.66" "82.66.112.151:33766")
      # 10.42.0.21 - labelled "Carcajou" upstream, but networking.extraHosts maps
      # this address to cariacou; presumably a mislabel, verify before relying on it.
      (mkPeer "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=" "10.42.0.21" "82.66.112.151:33721")
      # Carcajou
      (mkPeer "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=" "10.42.0.22" "82.66.112.151:33722")
      # Caribou
      (mkPeer "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=" "10.42.0.23" "82.66.112.151:33723")
    ];
};
# Local time zone for logs and timers.
time.timeZone = "Europe/Paris";
# Static name resolution for cluster members: first the LAN addresses of the
# three nodes that also sit on 192.168.1.0/24, then the wg0 overlay address
# of every node. Pinning these avoids depending on the upstream resolver for
# cluster-internal names.
networking.extraHosts =
  let
    lanHosts = ''
      192.168.1.21 cariacou.lan
      192.168.1.22 carcajou.lan
      192.168.1.23 caribou.lan
    '';
    vpnHosts = ''
      10.42.0.1 hammerhead
      10.42.0.2 spoutnik
      10.42.0.21 cariacou
      10.42.0.22 carcajou
      10.42.0.23 caribou
      10.42.0.66 lindy
      10.42.0.206 shiki
    '';
  in lanHosts + vpnHosts;
# Locale is left at the NixOS default.
# i18n.defaultLocale = "en_US.UTF-8";
# Virtual console: large font and a French keyboard layout.
console.font = "sun12x22";
console.keyMap = "fr";
# No audio stack on cluster nodes.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Operator accounts. Every account is in "wheel" (sudo, per the NixOS wheel
# convention) and, since sshd refuses password logins below, the authorized
# keys listed here are the only SSH credentials this file grants - treat this
# list as the root ACL of the cluster.
users.users =
  let
    # A regular (non-system) user with the given groups and SSH public keys.
    operator = extraGroups: keys: {
      isNormalUser = true;
      inherit extraGroups;
      openssh.authorizedKeys.keys = keys;
    };
  in {
    lx = operator
      [
        "wheel" # Enable sudo for the user.
        "video" # Having fun with links -g
      ]
      [
        # Keys for accessing nodes from outside
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
      ];
    quentin = operator [ "wheel" ] [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr"
    ];
    adrien = operator [ "wheel" ] [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBfVX+iQSHl3V0el3/y2Rtl9Q/nrmLoTE3oXnR+16yX7g8HvzU871q89jbE/UWvNRvO4hirTcKF8yojuq8ZRCoUcQO+6/YlPrY/2G8kFhPTlUGDQ+mLT+ancZsom4mkg3I9oQjKZ9qxMD1GuU8Ydz4eXjhJ8OGFZhBpEgnrLmdA53Y5d2fCbaZN5EYD4sWEFYN7xBLxTGNwv0gygiPs967Z4/ZfHngTvqVoS9wnQThSCIoXPTWFAJCkN8dC5tPZwnbOT1bGcYUF0VTrcaD6cU6Q1ZRrtyqXxnnyxpQCAoe2hgdIm+LnDsBx9trfPauqi0dXi36X8pLmudW1f1RmKWT adrien@bacigalupi"
    ];
    # This key carries no comment field, so it cannot be told which machine it
    # belongs to; worth labelling so a lost laptop can be revoked by name.
    maximilien = operator [ "wheel" ] [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
    ];
    kokakiwi = operator [ "wheel" ] [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
    ];
  };
# Packages in the system profile (search with: nix search wget).
# Order is kept as-is since it decides precedence on path collisions.
environment.systemPackages = with pkgs; [
  # network diagnostics
  nmap
  bind
  inetutils
  # editor and terminal multiplexer
  vim
  tmux
  # disk, io and traffic monitoring
  ncdu
  iotop
  jnettop
  nethogs
  # general tooling
  wget
  htop
  links
  git
  rclone
  # container runtime CLI (the daemon itself is enabled elsewhere)
  docker
  docker-compose
];
# vim as the system-wide $EDITOR.
programs.vim.defaultEditor = true;
# Clock synchronisation with ntpd; the cluster's TLS certificate checks
# depend on nodes agreeing on the time.
services.ntp.enable = true;
# sshd with key-based authentication only: password logins are refused, so
# access is governed solely by the authorized_keys entries declared above.
services.openssh = {
  enable = true;
  passwordAuthentication = false;
};
# ---- CONFIG FOR DEUXFLEURS CLUSTER ----
# Consul agent. Whether this node is a Consul server (and so takes part in
# the 3-node bootstrap) comes from node.nix.
services.consul.enable = true;
services.consul.extraConfig =
  let
    inherit (pkgs) lib;
    # This node's overlay address: first wg0 address from node.nix with the
    # CIDR suffix stripped. It is the VPN-internal address, not a public one.
    wgIp = lib.head (lib.splitString "/" (lib.head node_config.networking.wireguard.interfaces.wg0.ips));
    isServer = node_config.services.consul.extraConfig.server or false;
  in
  lib.optionalAttrs isServer { bootstrap_expect = 3; } // {
    datacenter = "staging";
    ui = true;
    bind_addr = wgIp;
    # The plain-HTTP API is disabled (-1); everything, the UI included, goes
    # through the HTTPS listener on 8501. That listener binds on all
    # interfaces, so reachability is left to the firewall rules further down.
    ports.http = -1;
    addresses.https = "0.0.0.0";
    ports.https = 8501;
    retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
    # Cluster PKI. verify_incoming makes every peer and every API client
    # present a certificate signed by consul-ca; verify_server_hostname
    # stops a client certificate from being replayed as a server.
    ca_file = "/var/lib/consul/pki/consul-ca.crt";
    cert_file = "/var/lib/consul/pki/consul2022.crt";
    key_file = "/var/lib/consul/pki/consul2022.key";
    verify_incoming = true;
    verify_outgoing = true;
    verify_server_hostname = true;
  };
# Nomad, pinned to the 1.1 series. Server role comes from node.nix; every
# node additionally runs a client.
services.nomad.enable = true;
services.nomad.package = pkgs.nomad_1_1;
services.nomad.settings =
  let
    inherit (pkgs) lib;
    # Overlay (wg0) address of this node, CIDR suffix stripped.
    wgIp = lib.head (lib.splitString "/" (lib.head node_config.networking.wireguard.interfaces.wg0.ips));
    isServer = node_config.services.nomad.settings.server.enabled or false;
  in
  lib.optionalAttrs isServer { server.bootstrap_expect = 3; } // {
    region = "staging";
    # Advertise the overlay address for every protocol.
    advertise = {
      rpc = wgIp;
      http = wgIp;
      serf = wgIp;
    };
    # Local Consul agent, reached over its mTLS listener with a dedicated
    # client key pair.
    # NOTE(review): ca_file here is named like Consul's agent certificate
    # (consul2022.crt) rather than the consul-ca.crt Consul itself uses;
    # confirm it really is the CA bundle.
    consul = {
      address = "localhost:8501";
      ca_file = "/var/lib/nomad/pki/consul2022.crt";
      cert_file = "/var/lib/nomad/pki/consul2022-client.crt";
      key_file = "/var/lib/nomad/pki/consul2022-client.key";
      ssl = true;
    };
    client = {
      enabled = true;
      network_interface = "wg0";
    };
    # Nomad's own PKI: mTLS on RPC and on the HTTP API (verify_https_client),
    # so a nomad-ca client certificate is what gates API access.
    tls = {
      http = true;
      rpc = true;
      ca_file = "/var/lib/nomad/pki/nomad-ca.crt";
      cert_file = "/var/lib/nomad/pki/nomad2022.crt";
      key_file = "/var/lib/nomad/pki/nomad2022.key";
      verify_server_hostname = true;
      verify_https_client = true;
    };
    # Docker driver: host volume mounts and privileged containers are both
    # allowed, so anyone who can submit a job can run as root on the host
    # (unless Nomad ACLs, not configured in this file, restrict it). The
    # nested single-element lists are the HCL list-of-objects form.
    plugin = [{
      docker = [{
        config = [{
          volumes.enabled = true;
          allow_privileged = true;
        }];
      }];
    }];
  };
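# Mount the Garage data store (rclone remote "staging:") at
# /mnt/garage-staging through a FUSE mount. Currently disabled
# (enable = false), so NixOS does not activate the unit.
# The unit runs as root; the rclone config (remote credentials) and the VFS
# cache deliberately live under /root, outside the world-readable Nix store.
systemd.services.mountgarage = {
  enable = false;
  description = "Mount the Garage data store";
  path = [
    pkgs.fuse
    pkgs.rclone
  ];
  serviceConfig = {
    # Type= is a [Service] directive. It used to sit in unitConfig, i.e. the
    # [Unit] section, where systemd ignores it with a warning.
    Type = "simple";
    # Make sure the mountpoint exists and is not a stale mount from a
    # previous run; a failed unmount is not fatal (|| exit 0).
    ExecStartPre = "${pkgs.bash}/bin/sh -c \"mkdir -p /mnt/garage-staging; fusermount -u /mnt/garage-staging || exit 0\"";
    # Full VFS cache, capped at 1G, so reads and writes go through a local
    # cache directory instead of hitting the remote directly.
    ExecStart = "${pkgs.rclone}/bin/rclone --config /root/rclone.conf mount --vfs-cache-mode full --vfs-cache-max-size 1G --cache-dir /root/mountgarage-cache staging: /mnt/garage-staging";
  };
  wantedBy = [ "multi-user.target" ];
};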
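# Firewall. The NixOS firewall refuses anything not allowed here. All the
# hand-written rules below are IPv4 only (iptables, not ip46tables), so none
# of these exceptions apply to IPv6 traffic.
networking.firewall = {
  enable = true;
  # SSH from anywhere, on every port sshd listens on. Read from the merged
  # option value so it follows node.nix/site.nix overrides and the NixOS
  # default of 22. The previous expression opened only the first entry of a
  # hand-merged list and failed to evaluate when node.nix set other openssh
  # options without `ports`. (Recent NixOS releases also open these ports
  # from the openssh module itself when openFirewall is left on.)
  allowedTCPPorts = config.services.openssh.ports;
  # Wireguard from anywhere; the handshake itself authenticates peers.
  allowedUDPPorts = [
    node_config.networking.wireguard.interfaces.wg0.listenPort
  ];
  # Source-based exceptions. They key on the source address only, so they
  # extend trust to anything able to put that address on the wire.
  extraCommands = ''
    # Everything from the LAN router (useful for UPnP/IGD). Any host on the
    # same L2 segment could spoof this address, so this assumes a trusted LAN.
    iptables -A INPUT -s 192.168.1.254 -j ACCEPT
    # Docker bridge: containers get only what the CONTAINERS chain accepts;
    # anything else falls through to the default rules.
    iptables -N CONTAINERS
    iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS
    # Yugabyte YSQL
    iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT
    # Overlay network: server nodes may reach everything, other VPN hosts
    # only the APIs listed after them.
    iptables -N VPN
    iptables -A INPUT -s 10.42.0.0/16 -j VPN
    iptables -A VPN -s 10.42.0.2 -j ACCEPT
    iptables -A VPN -s 10.42.0.21 -j ACCEPT
    iptables -A VPN -s 10.42.0.22 -j ACCEPT
    iptables -A VPN -s 10.42.0.23 -j ACCEPT
    # Nomad API (mTLS: verify_https_client = true)
    iptables -A VPN -p tcp --dport 4646 -j ACCEPT
    # Consul API: the agent listens only on the HTTPS port 8501 (ports.http
    # is -1), so the former rule for 8500 matched nothing. Access remains
    # gated by verify_incoming, i.e. a client certificate is required.
    iptables -A VPN -p tcp --dport 8501 -j ACCEPT
    # YugabyteDB YSQL and admin ports
    iptables -A VPN -p tcp --dport 5433 -j ACCEPT
    iptables -A VPN -p tcp --dport 7000 -j ACCEPT
    # Netdata monitoring
    iptables -A VPN -p tcp --dport 19999 -j ACCEPT
  '';
  # Undo the rules above when the firewall stops: detach the jumps from
  # INPUT first, then flush and delete the custom chains (a chain cannot be
  # deleted while still referenced).
  extraStopCommands = ''
    iptables -D INPUT -s 192.168.1.254 -j ACCEPT
    iptables -D INPUT -s 10.42.0.0/16 -j VPN
    iptables -F VPN
    iptables -X VPN
    iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS
    iptables -F CONTAINERS
    iptables -X CONTAINERS
  '';
};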
# NixOS release whose defaults for stateful data (file locations, database
# versions) this machine was first installed with. Leave it at the release of
# the original install: it is not an "upgrade me" knob, and changing it can
# silently move or reinterpret existing state. Read the option documentation
# (man configuration.nix, https://nixos.org/nixos/options.html) before touching it.
system.stateVersion = "21.05";
}