
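# Hello everyone
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.filouterie;

  # WireGuard key material is kept outside the Nix store so it never ends up
  # world-readable under /nix/store.  The same path is used by the
  # key-generation activation script and by the wg0 interface definition, so
  # it is defined once here.
  wgKeyDir = "/var/lib/filouterie/wireguard-keys";
  wgPrivateKeyFile = "${wgKeyDir}/private";
  wgListenPort = 19720;
  wgBin = "${pkgs.wireguard-tools}/bin/wg";

  # Host-side address of the docker bridge.  Unbound listens on it and the
  # Docker daemon is pointed at it for DNS, so containers can resolve
  # *.consul names.
  dockerBridgeAddr = "172.17.0.1";
in
with builtins;
with pkgs.lib;
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./cluster.nix
    ./node.nix
    ./wgautomesh.nix
  ];

  config =
    let
      # This node's entry in the cluster map (cfg.clusterNodes and cfg.hostName
      # are declared in the imported modules).  getAttr fails evaluation early
      # if hostName is not a known cluster node.
      clusterNodeCfg = getAttr cfg.hostName cfg.clusterNodes;
      # This node's address on the WireGuard mesh.
      clusterAddress = clusterNodeCfg.address;
    in
    {
      networking.hostName = cfg.hostName;

      environment.sessionVariables = {
        NODE = cfg.hostName;
      };

      programs.nix-ld.enable = true; # for vscode server

      # Set your time zone.
      time.timeZone = "Europe/Paris";

      # Select internationalisation properties.
      i18n.defaultLocale = "en_US.UTF-8";
      console = {
        font = "Lat2-Terminus16";
        #keyMap = "fr";
        useXkbConfig = true; # use xkb.options in tty.
      };

      # Operator accounts.  Every account is in both "wheel" (sudo) and
      # "docker"; membership of "docker" alone is already equivalent to root
      # on the host, so the two groups grant the same effective privilege.
      # SSH logins are key-only (PasswordAuthentication is disabled below);
      # the hashed passwords serve sudo and the console.
      users.users = {
        zuma = {
          isNormalUser = true;
          extraGroups = [ "wheel" "docker" ]; # Enable sudo for the user.
          openssh.authorizedKeys.keys = [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvcVhKVtCkAi9wy1olrAt32ESiZF7SBgQwtYlcA6dwT zuma@vault"
          ];
          hashedPassword = "$y$j9T$Qc23q8HQZMELvYyubvEoF/$jauiBKEGb65K03/va632gKIuGSR2Cro/CQ1yq5mOjxB";
        };
        mayel = {
          isNormalUser = true;
          extraGroups = [ "wheel" "docker" ]; # Enable sudo for the user.
          openssh.authorizedKeys.keys = [
            "ssh-rsa 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 maël@Laptop-Maël"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBde7coicsn+08FdXJriPpbXEQ2qFEy+9y2Nq+rN7NPf"
          ];
          hashedPassword = "$6$mgFgg9pJKiKQptad$CTMFJGuhl3Lk4MWRJrWgZox0bQPqObn0YpcG9Cnbg3Mvny.ZxAdJ/vKwHIvPai1jDQvFgNrKu4mx8PX4KBIu41";
        };
        gribse = {
          isNormalUser = true;
          extraGroups = [ "wheel" "docker" ]; # Enable sudo for the user.
          # packages = with pkgs; [
          #];
          openssh.authorizedKeys.keys = [
            "ssh-rsa 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 achille.toupin@gadz.org"
          ];
          hashedPassword = "$y$j9T$FzX.e82AopK/3Op8mx.iX1$DFP3vU5KIaU/0JyjrdUVuePSrvhm.zPqAN6i9E0FY04";
        };
      };

      users.motd = ''
        =============== Bienvenue dans la filouterie ====================
      '';

      # List packages installed in system profile.
      # You can use https://search.nixos.org/ to find more packages (and options).
      environment.systemPackages = with pkgs; [
        vim
        neovim
        tree
        git
        btop
        wget
        neofetch
        dig
      ];

      # Enable the OpenSSH daemon, key-based authentication only.
      services.openssh.enable = true;
      services.openssh.settings.PasswordAuthentication = false;

      # Local recursive resolver.  It serves the host and the Docker containers
      # and hands the "consul." zone to the local Consul agent.
      services.unbound = {
        enable = true;
        settings = {
          server = {
            interface = [
              # Localhost
              "127.0.0.1"
              # Docker container network mask
              dockerBridgeAddr
            ];
            # Answers for "consul." come unsigned from Consul, so no DNSSEC
            # validation is attempted for that name and unbound's default
            # local-zone handling is not applied to it.
            domain-insecure = [ "consul." ];
            local-zone = [ "consul. nodefault" ];
            verbosity = 1;
            # Clients allowed to query.  Entries are netblocks; the Docker
            # range is written with the host bits cleared (unbound masks them
            # anyway, but 172.17.0.0/16 states what is meant).
            access-control = [
              "127.0.0.0/8 allow"
              "172.17.0.0/16 allow"
              "192.168.0.0/16 allow"
              "${cfg.clusterPrefix} allow"
            ];
          };
          stub-zone = [
            # Forward .consul queries to Consul daemon
            {
              name = "consul.";
              stub-addr = "${clusterAddress}@8600";
              stub-no-cache = true;
              stub-tcp-upstream = false;
              stub-tls-upstream = false;
            }
          ];
        };
        resolveLocalQueries = true;
      };
      # systemd-resolved would compete with unbound for the local resolver role.
      services.resolved.enable = false;

      # WireGuard mesh interface.  No peers are listed here: wgautomesh builds
      # the peer set from cfg.clusterNodes (see below).
      networking.wireguard.interfaces.wg0 = {
        ips = [ "${clusterAddress}/16" ];
        listenPort = wgListenPort;
        privateKeyFile = wgPrivateKeyFile;
        mtu = 1420;
      };

      filouterie.services.wgautomesh = {
        enable = true;
        interface = "wg0";
        gossipPort = 1600;
        # One peer record per entry of cfg.clusterNodes (this node included);
        # only the fields wgautomesh needs are passed on.
        peers = attrValues (
          mapAttrs (
            _hostname:
            {
              pubkey,
              endpoint,
              address,
              ...
            }:
            {
              inherit pubkey address endpoint;
            }
          ) cfg.clusterNodes
        );
      };

      # Generate this node's WireGuard private key on first activation.  The
      # key file is written under umask 077 so only root can read it; the
      # public key is printed so it can be copied into cfg.clusterNodes.
      system.activationScripts.generate_filouterie_wg_key = ''
        if [ ! -f ${wgPrivateKeyFile} ]; then
          mkdir -p ${wgKeyDir}
          (umask 077; ${wgBin} genkey > ${wgPrivateKeyFile})
          echo "New Wireguard key was generated."
          echo "This node's Wireguard public key is: $(${wgBin} pubkey < ${wgPrivateKeyFile})"
        fi
      '';

      # Consul binds to the WireGuard address, so it must not start before the
      # mesh is up.
      systemd.services.consul.after = [ "wgautomesh.service" ];
      services.consul = {
        enable = true;
        extraConfig = {
          node_meta = {
            site = clusterNodeCfg.siteName;
          };
          server = true;
          datacenter = cfg.clusterName;
          ui_config.enabled = true;
          bind_addr = "${clusterAddress}";
          # HTTP API/UI and DNS listen on every interface.  Their ports are not
          # in networking.firewall.allowed*Ports, so they are expected to be
          # reachable only from localhost and through the cluster-prefix rule
          # in extraCommands.  No ACL block is configured here, so every host
          # on the mesh presumably gets unauthenticated API access.
          addresses = {
            http = "0.0.0.0";
            dns = "0.0.0.0";
          };
          # Make consul try again these nodes
          # NOTE(review): fixed addresses rather than the entries of
          # cfg.clusterNodes; keep them in sync by hand when nodes change.
          retry_join = [
            "10.0.1.1" # fifi
            "10.0.2.1" # riri
            "10.0.3.1" # loulou
          ];
        };
      };

      nixpkgs.config.allowUnfree = true; # Nomad's license is BSL
      systemd.services.nomad.after = [ "wgautomesh.service" ];
      services.nomad = {
        enable = true;
        dropPrivileges = false; # We need to run Nomad as root to access docker
        settings = {
          server = {
            enabled = true;
          };
          region = cfg.clusterName;
          datacenter = clusterNodeCfg.siteName;
          advertise = {
            rpc = "${clusterAddress}";
            http = "${clusterAddress}";
            serf = "${clusterAddress}";
          };
          consul = {
            address = "localhost:8500";
            ssl = false;
          };
          client = {
            enabled = true;
            network_interface = "wg0";
            meta = {
              site = clusterNodeCfg.siteName;
            };
          };
          # Docker driver: privileged containers and every capability are
          # permitted, so any job this cluster accepts can obtain root on the
          # host.  Keep job submission restricted (Nomad ACLs, who can reach
          # the HTTP API) and narrow allow_caps if the workloads allow it.
          plugin = [
            {
              docker = [
                {
                  config = [
                    {
                      volumes.enabled = true;
                      allow_privileged = true;
                      allow_caps = [ "all" ];
                    }
                  ];
                }
              ];
            }
          ];
        };
      };

      virtualisation.docker = {
        enable = true;
        # Set the DNS to local unbound DNS so we can use the consul redirect (.consul)
        extraOptions = "--config-file=${
          pkgs.writeText "daemon.json" (
            builtins.toJSON {
              dns = [ dockerBridgeAddr ];
            }
          )
        }";
      };

      # Sets /etc/hosts to link all hostnames to wireguard IP
      networking.extraHosts = concatStringsSep "\n" (
        attrValues (mapAttrs (hostname: { address, ... }: "${address} ${hostname}") cfg.clusterNodes)
      );

      # Open ports in the firewall.
      networking.firewall = {
        enable = true;
        # Ports open to every source, i.e. on the public interface as well.
        allowedTCPPorts = [
          22 # SSH
          80 # HTTP
          443 # HTTPS
          3900 # Garage S3 Api
          3901 # Garage RPC
          3902 # Garage Web
          3903 # Garage Admin
          3904 # Garage K2V
        ];
        allowedUDPPorts = [
          wgListenPort # Wireguard
        ];
        # NOTE(review): port 53 is not opened here although unbound listens on
        # the docker bridge address for containers - confirm container DNS
        # actually passes the firewall (e.g. an interface-scoped rule elsewhere).
        # Everything from the WireGuard prefix is accepted.  This is an
        # IPv4-only iptables rule, consistent with the 10.0.x.y addresses used
        # for retry_join above.
        extraCommands = ''
          # Allow other nodes on VPN to access all ports
          iptables -A INPUT -s ${cfg.clusterPrefix} -j ACCEPT
        '';
        # The rule may already be absent (failed start, manual flush); a
        # missing rule must not abort the firewall stop/reload script.
        extraStopCommands = ''
          iptables -D INPUT -s ${cfg.clusterPrefix} -j ACCEPT 2>/dev/null || true
        '';
      };

      # Garbage collection to remove old NixOs iterations
      nix.gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 30d";
      };

      # Copy the NixOS configuration file and link it from the resulting system
      # (/run/current-system/configuration.nix). This is useful in case you
      # accidentally delete configuration.nix.
      # system.copySystemConfiguration = true;

      system.stateVersion = "25.05"; # Never bloody change this value, got it lads ?
    };
}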