gribse/nix-cluster
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-cluster/configuration.nix

312 lines
14 KiB
Nix
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Bonjoür à toüs
{
config,
lib,
pkgs,
...
}:
let
cfg = config.filouterie;
in
with builtins;
with pkgs.lib;
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./cluster.nix
./node.nix
./wgautomesh.nix
];
config =
let
clusterNodeCfg = getAttr cfg.hostName cfg.clusterNodes;
clusterAddress = clusterNodeCfg.address;
in
{
networking.hostName = cfg.hostName;
environment.sessionVariables = rec {
NODE = cfg.hostName;
};
programs.nix-ld.enable = true; # for vscode server
# Set your time zone.
time.timeZone = "Europe/Paris";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
#keyMap = "fr";
useXkbConfig = true; # use xkb.options in tty.
};
users.users = {
zuma = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxRk3bAqq9sRuZD2rBecM9e2XXHnaUQVCkqNjkHrugv zuma@shenanigans.cc"
];
hashedPassword = "$y$j9T$Qc23q8HQZMELvYyubvEoF/$jauiBKEGb65K03/va632gKIuGSR2Cro/CQ1yq5mOjxB";
};
mayel = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgXUerUE+Q3nRP1NHfNYSFoKeNauYBxYXAQ9+CJy4ZBWbxnQ0lp9GEF/KM2Ww0jdpW0hRUh3UJsnTauseWgSG+wxa0+j+bRj64d44G+f7QEGJ6SxcXpJljxuEoIAkhs73bZ4oAdXDMrtcaNij/YAXy6llu1vQFTGu6OytktTsEOLzTDP0tWTdyVSToD4+lk7UR5yMbSDz8gXn8/J3C3kf3mefPDTCDzMXBCixEEctY8VXM32RjlCPdxrxLKr/v5CrY2YA4WjuRhillaLwYVabkm7s98kHUvYTN48fbB5DHfgkGK6WhbfEPfta4DorQf/2D4cXpMkBt+sG1f5r9xThsv649xQB5uTg9pGeOtYn5zH3mk5wJN/2/mdveEJeCWXsXrq0GNhq+f6SE4reUvL+7MBtdpzt06D5u59JKNfXH2dQCOiqnyl0+Ahv0LoYDetJCB1dxombrUqRZvNsyD5T6lIF0tyEoK/0CXSRjr4J3nldzjPpk1uTo7kuW/clNi3KuzpQo7V8dk6I3H+jlut2lL6h8Q/P1L3p9e7T8pVi5XxbRunJYcDsWdiAb/S0y0fb0vQfGsUbi7sqvZl4fBvxYoE2NkXkWsLCN7FiFRkaTxGDh6YIo3UNllvmOxpX7tiiCV3cNLVMhcsWpNcv/U/rlBbNihODQpy1de+U2f7H8Qw== maël@Laptop-Maël"
];
hashedPassword = "$6$mgFgg9pJKiKQptad$CTMFJGuhl3Lk4MWRJrWgZox0bQPqObn0YpcG9Cnbg3Mvny.ZxAdJ/vKwHIvPai1jDQvFgNrKu4mx8PX4KBIu41";
};
gribse = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
#];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC870BBey886dVmSb8AoK3uMs1t1dsHW7Wy1MVbpsraAYY0U6QXzhCKvO1geRIuwf4Q8mj8i2iuDwI7p1KoN8NIAmvGBs5YdIM0b4OGlLgF/7qBT9Rj54TDi4uCt4RLzorfVIzO66uGghOJPfUGXBw2gPCEJDE091fShcV9RK6ByQUvSLDJMz0fTKC5Z+ejxgzT+ZPBRusC54SPMiXlpROh/ZQ+VyfH2DjDwrXtt2wYigEMTI3/KtCKypUwbZ2JMeG4qVLIjdHXCHppq7EZWKj8HYywLlmWC3FIhHccCPrwTU5tfs35s1uExz3/ffqBpmhQmsgVeVf9Yz8uIccUZlF9UbhtKj9IJ88X2Doy+YWjXZAKWba48bSblWDH9I7R1f/t1o5lPml5UnTNsaMAmXL1oX7je+pveTJ7VB349AW8tv5PoRxYKuHuSu/J9hq43u8RQVAveaYoFpLvwBYMBmc6K02Oj3cLIPPQhQQSZ26z8NazHpIgVyQxgWhrckCb/vAi5yxl5htTcJqONTLJBWdKOj2huG16kF7m6NsJ4m8mReoYDOAcaIR1UPVJKALHw82mKdgSlBP/YrN7rTU9woBXt/QoWnWMabNM4YYr1UssiR+NS6fs4yuNZ58MaYsJi1Zlv1Vjwm9bj+rNCmYoXTbpVesn+rXbWZxIAeMqNCsHRQ== achille.toupin@gadz.org"
];
hashedPassword = "$y$j9T$FzX.e82AopK/3Op8mx.iX1$DFP3vU5KIaU/0JyjrdUVuePSrvhm.zPqAN6i9E0FY04";
};
};
users.motd = ''
=============== Bienvenue dans la filouterie ====================
'';
# List packages installed in system profile.
# You can use https://search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
vim
neovim
tree
git
btop
wget
neofetch
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.unbound = {
enable = true;
settings = {
server = {
interface = [
# Localhost
"127.0.0.1"
# Docker container network mask
"172.17.0.1"
];
domain-insecure = [ "consul." ];
local-zone = [ "consul. nodefault" ];
verbosity = 1;
access-control = [
"127.0.0.0/8 allow"
"172.17.0.1/16 allow"
"192.168.0.0/16 allow"
"${cfg.clusterPrefix} allow"
];
};
stub-zone = [
# Forward .consul queries to Consul daemon
{
name = "consul.";
stub-addr = "${clusterAddress}@8600";
stub-no-cache = true;
stub-tcp-upstream = false;
stub-tls-upstream = false;
}
];
};
resolveLocalQueries = true;
};
services.resolved.enable = false;
networking.wireguard.interfaces.wg0 = {
ips = [ "${clusterAddress}/16" ];
listenPort = 19720;
privateKeyFile = "/var/lib/filouterie/wireguard-keys/private";
mtu = 1420;
};
filouterie.services.wgautomesh = {
enable = true;
interface = "wg0";
gossipPort = 1600;
peers = attrValues (
mapAttrs (
hostname:
{
pubkey,
endpoint,
address,
...
}:
{
inherit pubkey address endpoint;
}
) cfg.clusterNodes
);
};
system.activationScripts.generate_filouterie_wg_key = ''
if [ ! -f /var/lib/filouterie/wireguard-keys/private ]; then
mkdir -p /var/lib/filouterie/wireguard-keys
(umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > /var/lib/filouterie/wireguard-keys/private)
echo "New Wireguard key was generated."
echo "This node's Wireguard public key is: $(${pkgs.wireguard-tools}/bin/wg pubkey < /var/lib/filouterie/wireguard-keys/private)"
fi
'';
systemd.services.consul.after = [ "wgautomesh.service" ];
services.consul = {
enable = true;
extraConfig = {
node_meta = {
site = clusterNodeCfg.siteName;
};
server = true;
datacenter = cfg.clusterName;
ui_config.enabled = true;
bind_addr = "${clusterAddress}";
addresses = {
http = "0.0.0.0";
dns = "0.0.0.0";
};
# Make consul try again these nodes
retry_join = [
"10.0.1.1" # fifi
"10.0.2.1" # riri
"10.0.3.1" # loulou
];
};
};
nixpkgs.config.allowUnfree = true; # Nomad's license is BSL
systemd.services.nomad.after = [ "wgautomesh.service" ];
services.nomad = {
enable = true;
dropPrivileges = false; # We need to run Nomad as root to access docker
settings = {
server = {
enabled = true;
};
region = cfg.clusterName;
datacenter = clusterNodeCfg.siteName;
advertise = {
rpc = "${clusterAddress}";
http = "${clusterAddress}";
serf = "${clusterAddress}";
};
consul = {
address = "localhost:8500";
ssl = false;
};
client = {
enabled = true;
network_interface = "wg0";
meta = {
site = clusterNodeCfg.siteName;
};
};
plugin = [
{
docker = [
{
config = [
{
volumes.enabled = true;
allow_privileged = true;
allow_caps = [ "all" ];
}
];
}
];
}
];
};
};
virtualisation.docker = {
enable = true;
# Set the DNS to local unbound DNS so we can use the consul redirect (.consul)
extraOptions = "--config-file=${
pkgs.writeText "daemon.json" (
builtins.toJSON {
dns = [ "172.17.0.1" ];
}
)
}";
};
# Sets /etc/hosts to link all hostnames to wireguard IP
networking.extraHosts = concatStringsSep "\n" (
attrValues (mapAttrs (hostname: { address, ... }: "${address} ${hostname}") cfg.clusterNodes)
);
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
80 # HTTP
443 # HTTPS
];
allowedUDPPorts = [
19720 # Wireguard
];
extraCommands = ''
# Allow other nodes on VPN to access all ports
iptables -A INPUT -s ${cfg.clusterPrefix} -j ACCEPT
'';
extraStopCommands = ''
iptables -D INPUT -s ${cfg.clusterPrefix} -j ACCEPT
'';
};
# Garbage collection to remove old NixOs iterations
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
system.stateVersion = "25.05"; # Never bloody change this value, got it lads ?
};
}
Reference in a new issue View git blame Copy permalink