From c6f0f1540ed5e36b4bb2a1ac3c635fdbef834028 Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Mon, 18 Jun 2018 23:52:10 +0200 Subject: [PATCH] Update network configuration --- .gitignore | 1 + lib/presets/qemu-guest.nix | 5 +- networks/default.nix | 176 ++++++++++++++++++++++++++++++++++++- systems/nijaxor.nix | 37 ++++++++ systems/osmium.nix | 33 +------ systems/osmium_.nix | 43 +++++++++ systems/workbot.nix | 40 +++++++++ 7 files changed, 298 insertions(+), 37 deletions(-) create mode 100644 systems/nijaxor.nix create mode 100644 systems/osmium_.nix create mode 100644 systems/workbot.nix diff --git a/.gitignore b/.gitignore index 454b655..971c9e3 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ credentials +secrets.nix diff --git a/lib/presets/qemu-guest.nix b/lib/presets/qemu-guest.nix index 26c4dd9..00ca2b1 100644 --- a/lib/presets/qemu-guest.nix +++ b/lib/presets/qemu-guest.nix @@ -4,12 +4,13 @@ ]; boot = { - initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sd_mod" "sr_mod" ]; + initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sd_mod" "sr_mod" "virtio_pci" "virtio_blk" ]; loader.grub = { enable = true; version = 2; - device = "/dev/sda"; + /* Previously the below was /dev/sda; now it suddenly changed to /dev/vda? */ + device = "/dev/vda"; }; }; } diff --git a/networks/default.nix b/networks/default.nix index 982a2a8..b9ff4b7 100644 --- a/networks/default.nix +++ b/networks/default.nix 
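Review bot: The comment added above `device = "/dev/vda"` records a question instead of the answer: the same hunk adds `virtio_blk` to `initrd.availableKernelModules`, and a virtio block device is presented as /dev/vdX, which is why the root disk moved from sda to vda. Replace it with a statement so the next reader does not re-investigate, e.g. `/* Root disk is virtio-blk (see initrd modules above), so it appears as /dev/vda rather than /dev/sda. */`. Since this preset is shared by both QEMU guests in this patch (osmium and nijaxor), both now install GRUB to /dev/vda; if either is still attached to an emulated SATA controller the bootloader install will fail at activation, so confirm the device name on each host before deploying.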
@@ -1,6 +1,148 @@ -{ +let + secrets = import ../secrets.nix; +in { network.description = "Cryto"; + workbot = {config, lib, pkgs, ...}@args: + { + config = { + services.nginx = let + hostRoot = pkgs.writeTextDir "index.html" "Hello world!"; + reverseProxy = target: { + proxyPass = target; + extraConfig = '' + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + ''; + }; + requireTLS = { + enableACME = true; + forceSSL = true; + }; + in { + enable = true; + virtualHosts = { + "_" = { + default = true; + root = hostRoot; + }; + "hydra.cryto.net" = { + locations = { + "/" = reverseProxy "http://localhost:3333"; + }; + } // requireTLS; + "prometheus.cryto.net" = { + locations = { + "/" = reverseProxy "http://localhost:9090"; + }; + } // requireTLS; + "metrics.cryto.net" = { + locations = { + "/" = reverseProxy "http://localhost:8452"; + }; + } // requireTLS; + "nix-cache.cryto.net" = { + root = "/var/lib/hydra-builds"; + } // requireTLS; + }; + }; + + services.postgresql = { + enable = true; + }; + + services.hydra = { + enable = true; + port = 3333; + hydraURL = "http://hydra.cryto.net/"; + notificationSender = "hydra@cryto.net"; + useSubstitutes = false; + minimumDiskFree = 20; + minimumDiskFreeEvaluator = 20; + buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) []; + extraConfig = '' + store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1 + binary_cache_public_uri = https://nix-cache.cryto.net + ''; + }; + + /* FIXME: Declaratively define data sources; Grafana module for NixOS does not appear to support this yet? 
*/ + services.grafana = { + enable = true; + port = 8452; + rootUrl = "https://metrics.cryto.net/"; + + security = { + adminUser = secrets.grafana.username; + adminPassword = secrets.grafana.password; + }; + + auth = { + anonymous.enable = true; + }; + }; + + services.prometheus = { + enable = true; + + globalConfig = { + scrape_interval = "30s"; + }; + + scrapeConfigs = let + nameInstance = address: name: { + source_labels = [ "__address__" ]; + target_label = "instance"; + regex = address; + replacement = name; + }; + in [ + { + job_name = "prometheus"; + static_configs = [{ + targets = [ + "localhost:9090" + ]; + }]; + relabel_configs = [ + (nameInstance "localhost:9090" "workbot") + ]; + } { + job_name = "nodes"; + scrape_interval = "10s"; + static_configs = [{ + targets = [ + "localhost:9100" + "80.255.0.137:9100" + "64.187.233.73:9100" + ]; + }]; + relabel_configs = [ + (nameInstance "localhost:9100" "workbot") + (nameInstance "80.255.0.137:9100" "osmium") + (nameInstance "64.187.233.73:9100" "nijaxor") + ]; + } + ]; + + exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; + }; + osmium = { config, lib, pkgs, ... }@args: let pastebinStream = (import ../applications/pastebin-stream.nix) args; @@ -16,8 +158,8 @@ imports = [ (pastebinStream { errorPath = "/var/lib/pastebin-stream/errors"; - rev = "bed9fefc9cc5dcf2c8aaf32c20e48e5eb70b0920"; - sha256 = "0glj8hmx820afv1bqdjmyff1gvr20p40nl4ksh6200pnbncsbxyh"; + rev = "d7a09deda0916fa99920156e928d281a5bd3d97a"; + sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726"; }) ]; @@ -47,11 +189,21 @@ networking.firewall.allowedTCPPorts = [ 80 443 + 9100 # Prometheus node exporter ]; environment.systemPackages = with pkgs; [ htop ]; + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; }; options.systems.osmium = with lib; { 
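Review bot: The `prometheus.cryto.net` vhost proxies Prometheus straight to the internet with nothing in front of it, and Prometheus has no authentication of its own, so anyone can read every metric plus the targets and `/config` pages; put nginx's `basicAuth` (or an `allow`/`deny` snippet in `extraConfig`) on that `"/"` location, or drop the public vhost and reach Prometheus only through Grafana. `hydraURL = "http://hydra.cryto.net/"` disagrees with the `forceSSL` vhost defined above it, so links Hydra emits point at the redirecting http endpoint; it should read `https://hydra.cryto.net/`. `adminPassword = secrets.grafana.password` is interpolated into the generated service definition, which for the Grafana module of this era most likely lands in the world-readable Nix store on the host — confirm, and prefer a file-based option if the module offers one. `auth.anonymous.enable = true` also makes dashboards readable without login; if that is intended, a one-line comment saying so would save the next reviewer the question.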
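Review bot: `9100` is added to `allowedTCPPorts` with no source restriction, so the node exporter — which has no authentication of its own — is queryable by anyone on the internet rather than only by the Prometheus host, and the scrape itself crosses the internet in plaintext. Restrict it to the scraper, e.g. drop `9100` from `allowedTCPPorts` and add `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp -s 148.251.195.23 --dport 9100 -j nixos-fw-accept";` (148.251.195.23 is workbot's `deployment.targetHost` in systems/workbot.nix), or bind the exporter to a private interface or tunnel. The `nijaxor` block added in the following hunk opens 9100 the same way and needs the same treatment. The enclosing `osmium` module starts and ends outside this hunk.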
@@ -65,4 +217,22 @@ }; }; }; + + nijaxor = { config, lib, pkgs, ... }@args: + { + config = { + networking.firewall.allowedTCPPorts = [ + 9100 # Prometheus node exporter + ]; + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; + }; + }; } diff --git a/systems/nijaxor.nix b/systems/nijaxor.nix new file mode 100644 index 0000000..ceadb56 --- /dev/null +++ b/systems/nijaxor.nix @@ -0,0 +1,37 @@ +let + removeNewlines = (import ../lib/util/remove-newlines.nix); + presetRootSsh = (import ../lib/presets/root-ssh.nix); +in { + nijaxor = {config, pkgs, ...}@args: let + presetTools = (import ../lib/presets/tools.nix) args; + presetQemuGuest = (import ../lib/presets/qemu-guest.nix); + in + { + deployment.targetHost = "64.187.233.73"; + + /* Begin hardware configuration section */ + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + swapDevices = [ ]; + nix.maxJobs = pkgs.lib.mkDefault 2; + /* End hardware configuration section */ + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/8750e892-eb14-4ff0-a07d-65995ebc65ea"; + fsType = "ext4"; + }; + }; + + /* networking = { + hostName = "osmium"; + defaultGateway6 = "2a01:4a0:4a::1"; + interfaces.ens3 = { + ipv6.addresses = [{ + address = "2a01:4a0:4a:5d::35c7"; + prefixLength = 48; + }]; + }; + }; */ + } // presetRootSsh // presetTools // presetQemuGuest; +} diff --git a/systems/osmium.nix b/systems/osmium.nix index 86b1dfc..d2e553a 100644 --- a/systems/osmium.nix +++ b/systems/osmium.nix 
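Review bot: The host attrset is combined with the presets using `//`, which is a shallow merge: `presetQemuGuest` (lib/presets/qemu-guest.nix, visible earlier in this patch) defines a top-level `boot` attribute, so it replaces this file's `boot.kernelModules` and `boot.extraModulePackages` wholesale instead of merging with them — harmless today only because both are empty lists, but anything added under `boot.*` here will silently vanish. The NixOS way is `imports = [ ../lib/presets/root-ssh.nix ../lib/presets/tools.nix ../lib/presets/qemu-guest.nix ];` with the `// presetRootSsh // presetTools // presetQemuGuest` tail removed, so the module system merges option values properly (this assumes tools.nix is an ordinary module function, which calling it with `args` suggests). The commented-out `networking` block is a verbatim copy of osmium's (hostName `"osmium"`, osmium's IPv6 address) and `removeNewlines` is bound but never used; delete both, and set `networking.hostName = "nijaxor";` explicitly rather than leaving the host on the module default.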
@@ -1,32 +1 @@ -let - removeNewlines = (import ../lib/util/remove-newlines.nix); - presetRootSsh = (import ../lib/presets/root-ssh.nix); -in { - osmium = {config, pkgs, ...}@args: let - presetTools = (import ../lib/presets/tools.nix) args; - presetQemuGuest = (import ../lib/presets/qemu-guest.nix); - in - { - deployment.targetHost = "80.255.0.137"; - - systems.osmium = { - applications.pastebin-stream = { - hostname = "pastebin-stream.cryto.net"; - }; - }; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/cf472470-0b3d-414b-93f8-b5e4298fad05"; - fsType = "ext4"; - }; - - networking = { - hostName = "osmium"; - defaultGateway6 = "2a01:4a0:4a::1"; - interfaces.enp0s3 = { - ipv6Address = "2a01:4a0:4a:5d::35c7"; - ipv6PrefixLength = 48; - }; - }; - } // presetRootSsh // presetTools // presetQemuGuest; -} +(import ./osmium_.nix) // (import ./workbot.nix) // (import ./nijaxor.nix) diff --git a/systems/osmium_.nix b/systems/osmium_.nix new file mode 100644 index 0000000..a5f4075 --- /dev/null +++ b/systems/osmium_.nix 
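Review bot: After this change systems/osmium.nix no longer describes osmium; it is the aggregator for all three hosts, which misleads anyone navigating the tree by filename. Moving this one line to systems/default.nix (and pointing whatever currently references systems/osmium.nix at it) would match the convention networks/default.nix already follows. Note that the `//` chain is only safe while the three files export distinct top-level keys; a future collision would silently drop the left-hand host's definition rather than fail.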
@@ -0,0 +1,43 @@ +let + removeNewlines = (import ../lib/util/remove-newlines.nix); + presetRootSsh = (import ../lib/presets/root-ssh.nix); +in { + osmium = {config, pkgs, ...}@args: let + presetTools = (import ../lib/presets/tools.nix) args; + presetQemuGuest = (import ../lib/presets/qemu-guest.nix); + in + { + deployment.targetHost = "80.255.0.137"; + + /* Begin hardware configuration section */ + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + swapDevices = [ ]; + nix.maxJobs = pkgs.lib.mkDefault 2; + /* End hardware configuration section */ + + systems.osmium = { + applications.pastebin-stream = { + hostname = "pastebin-stream.cryto.net"; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/cf472470-0b3d-414b-93f8-b5e4298fad05"; + fsType = "ext4"; + }; + }; + + networking = { + hostName = "osmium"; + defaultGateway6 = "2a01:4a0:4a::1"; + interfaces.ens3 = { + ipv6.addresses = [{ + address = "2a01:4a0:4a:5d::35c7"; + prefixLength = 48; + }]; + }; + }; + } // presetRootSsh // presetTools // presetQemuGuest; +} diff --git a/systems/workbot.nix b/systems/workbot.nix new file mode 100644 index 0000000..bc90edf --- /dev/null +++ b/systems/workbot.nix 
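Review bot: Same shallow-merge problem as in nijaxor.nix: `// presetQemuGuest` replaces this file's `boot` attribute outright (qemu-guest.nix in this patch defines a top-level `boot`), so the `boot.kernelModules` and `boot.extraModulePackages` set here are discarded; list the presets in `imports = [ ... ]` instead of merging with `//`. The static address is now attached to `interfaces.ens3` — if that name tracks the move to virtio it is fine, but a wrong interface name leaves the IPv6 address silently unconfigured with no evaluation error, so confirm it on the host (`ip link`) before deploying. `removeNewlines` is bound and never used in this file.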
@@ -0,0 +1,40 @@ +let + removeNewlines = (import ../lib/util/remove-newlines.nix); + presetRootSsh = (import ../lib/presets/root-ssh.nix); +in { + workbot = {config, pkgs, ...}@args: let + presetTools = (import ../lib/presets/tools.nix) args; + in + { + deployment.targetHost = "148.251.195.23"; + + /* Begin hardware configuration section */ + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + swapDevices = [ ]; + nix.maxJobs = pkgs.lib.mkDefault 8; + powerManagement.cpuFreqGovernor = pkgs.lib.mkDefault "powersave"; + hardware.enableRedistributableFirmware = true; + /* End hardware configuration section */ + + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/nix"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + }; + + system.stateVersion = "18.03"; + } // presetRootSsh // presetTools; +}
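Review bot: `system.stateVersion = "18.03"` is pinned here but not in osmium_.nix or nijaxor.nix in the same patch; set it in all three so a later channel bump cannot change defaults that NixOS keys off stateVersion underneath an already-deployed system — this matters most on this host, which runs PostgreSQL for Hydra. `removeNewlines` is imported and never used. This box also receives `presetRootSsh` (not shown in this patch) while fronting Hydra, Prometheus and Grafana on the public internet; if that preset permits password or root login it deserves a second look for this host in particular, and a comment here stating what it enables would help reviewers.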