From 007ff1e438624f1ef048c555550afd2d9edd2a65 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 26 May 2024 14:34:19 +0200 Subject: [PATCH] Convert lewis to kubernetes node Install tmux on servers Mount jellyfin media locally --- configuration.nix | 1 + kubenix-modules/base.nix | 2 +- kubenix-modules/custom/nfs-volume.nix | 2 +- kubenix-modules/media.nix | 13 ++++- machines/atlas.nix | 4 -- machines/jefke.nix | 4 -- machines/lewis.nix | 10 +++- nixos-modules/backups.nix | 36 +----------- nixos-modules/data-sharing.nix | 23 +++----- nixos-modules/storage.nix | 80 +++------------------------ secrets/database_passwords.env.age | 16 ------ secrets/secrets.nix | 1 - 12 files changed, 39 insertions(+), 153 deletions(-) delete mode 100644 secrets/database_passwords.env.age diff --git a/configuration.nix b/configuration.nix index d26676d..bcd36ff 100644 --- a/configuration.nix +++ b/configuration.nix @@ -80,6 +80,7 @@ fio libva-utils jq + tmux ]; boot = lib.mkIf (! machine.isRaspberryPi) { diff --git a/kubenix-modules/base.nix b/kubenix-modules/base.nix index 7f29515..018f126 100644 --- a/kubenix-modules/base.nix +++ b/kubenix-modules/base.nix @@ -49,7 +49,7 @@ defaultDataPath = "/mnt/longhorn"; storageMinimalAvailablePercentage = 0; allowRecurringJobWhileVolumeDetached = true; - backupTarget = "nfs://lewis.dmz:/mnt/data/nfs/longhorn-backup"; + backupTarget = "nfs://lewis.dmz:/mnt/longhorn/persistent/longhorn-backup"; }; persistence = { diff --git a/kubenix-modules/custom/nfs-volume.nix b/kubenix-modules/custom/nfs-volume.nix index b90c831..804cc7e 100644 --- a/kubenix-modules/custom/nfs-volume.nix +++ b/kubenix-modules/custom/nfs-volume.nix @@ -26,7 +26,7 @@ in nfs = { server = "lewis.dmz"; - path = "/mnt/data/nfs/${nfsVolume.path}"; + path = "/mnt/longhorn/persistent/${nfsVolume.path}"; }; }; }) diff --git a/kubenix-modules/media.nix b/kubenix-modules/media.nix index cf191bf..5eb5c16 100644 --- a/kubenix-modules/media.nix +++ b/kubenix-modules/media.nix @@ -77,13 +77,24 @@ volumes = { config.persistentVolumeClaim.claimName = "jellyfin"; - media.persistentVolumeClaim.claimName = "media"; + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; }; securityContext = { fsGroup = 0; fsGroupChangePolicy = "OnRootMismatch"; }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [{ + matchExpressions = [{ + key = "hasMedia"; + operator = "In"; + values = [ "true" ]; + }]; + }]; }; }; }; diff --git a/machines/atlas.nix b/machines/atlas.nix index add63f1..477fa25 100644 --- a/machines/atlas.nix +++ b/machines/atlas.nix @@ -4,10 +4,6 @@ kubernetesNodeLabels.storageType = "slow"; nixosModule.lab = { - storage = { - kubernetesNode = true; - }; - k3s = { enable = true; serverAddr = "https://jefke.dmz:6443"; diff --git a/machines/jefke.nix b/machines/jefke.nix index a326f76..877fbb9 100644 --- a/machines/jefke.nix +++ b/machines/jefke.nix @@ -4,10 +4,6 @@ kubernetesNodeLabels.storageType = "fast"; nixosModule.lab = { - storage = { - kubernetesNode = true; - }; - k3s = { enable = true; clusterInit = true; diff --git a/machines/lewis.nix b/machines/lewis.nix index 5a036b5..107f616 100644 --- a/machines/lewis.nix +++ b/machines/lewis.nix @@ -1,15 +1,19 @@ { machines.lewis = { arch = "x86_64-linux"; + kubernetesNodeLabels = { + storageType = "fast"; + hasMedia = "true"; + }; nixosModule = { lab = { backups.enable = true; data-sharing.enable = true; - storage = { - osDisk = "/dev/sda"; - dataPartition = "/dev/nvme0n1p1"; + k3s = { + enable = true; + serverAddr = "https://jefke.dmz:6443"; }; }; }; diff --git a/nixos-modules/backups.nix b/nixos-modules/backups.nix index 1b9a1f6..8ca3e87 100644 --- a/nixos-modules/backups.nix +++ b/nixos-modules/backups.nix @@ -1,19 +1,12 @@ { pkgs, lib, config, ... }: let cfg = config.lab.backups; - beforeEverything = pkgs.writeShellScriptBin "beforeEverything" '' - if [ -d "${cfg.snapshotLocation}" ]; then - ${pkgs.btrfs-progs}/bin/btrfs subvolume delete ${cfg.snapshotLocation} - fi - - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r ${cfg.subvolumeLocation} ${cfg.snapshotLocation} - ''; borgmaticConfig = pkgs.writeTextFile { name = "borgmatic-config.yaml"; text = lib.generators.toYAML { } { - source_directories = [ cfg.snapshotLocation ]; + source_directories = [ "/mnt/longhorn/persistent/longhorn-backup" ]; repositories = [ { @@ -26,16 +19,12 @@ let } ]; - exclude_patterns = [ "${cfg.snapshotLocation}/media" ]; ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."borgbase.pem".path} -o StrictHostKeychecking=no"; keep_daily = 7; keep_weekly = 4; keep_monthly = 12; keep_yearly = -1; encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg_passphrase".path}"; - before_everything = [ "${beforeEverything}/bin/beforeEverything" ]; - - postgresql_databases = [ ]; }; }; in @@ -50,32 +39,16 @@ in }; repoLocation = lib.mkOption { - default = "${config.lab.storage.dataMountPoint}/backups/nfs.borg"; + default = "/mnt/longhorn/persistent/nfs.borg"; type = lib.types.str; description = '' Location of the Borg repository to back up to. ''; }; - - subvolumeLocation = lib.mkOption { - default = "${config.lab.storage.dataMountPoint}/nfs"; - type = lib.types.str; - description = '' - Location of the btrfs subvolume holding the data. - ''; - }; - - snapshotLocation = lib.mkOption { - default = "${config.lab.storage.dataMountPoint}/snapshot-nfs"; - type = lib.types.str; - description = '' - Location to (temporary) create a snapshot of the subvolume. - ''; - }; }; config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs; [ borgbackup postgresql ]; + environment.systemPackages = with pkgs; [ borgbackup ]; # Converted from: # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd systemd.services.borgmatic = { @@ -84,7 +57,6 @@ in after = [ "network-online.target" ]; unitConfig.ConditionACPower = true; preStart = "${pkgs.coreutils}/bin/sleep 10s"; - path = with pkgs; [ postgresql ]; serviceConfig = { Type = "oneshot"; @@ -95,7 +67,6 @@ in IOWeight = 100; Restart = "no"; LogRateLimitIntervalSec = 0; - EnvironmentFile = config.age.secrets."database_passwords.env".path; Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}"; }; @@ -113,7 +84,6 @@ in }; age.secrets = { - "database_passwords.env".file = ../secrets/database_passwords.env.age; "borg_passphrase".file = ../secrets/borg_passphrase.age; "borgbase.pem".file = ../secrets/borgbase.pem.age; }; diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix index 0aadc04..b5e7440 100644 --- a/nixos-modules/data-sharing.nix +++ b/nixos-modules/data-sharing.nix @@ -3,18 +3,18 @@ let cfg = config.lab.data-sharing; nfsShares = [ - "/media" - "/media/books" - "/media/movies" - "/media/music" - "/media/shows" - "/longhorn-backup" + "/mnt/longhorn/persistent/media" + "/mnt/longhorn/persistent/media/books" + "/mnt/longhorn/persistent/media/movies" + "/mnt/longhorn/persistent/media/music" + "/mnt/longhorn/persistent/media/shows" + "/mnt/longhorn/persistent/longhorn-backup" ]; nfsExports = lib.strings.concatLines ( builtins.map (share: - "${cfg.nfsRoot}${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash)" + "${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash) 127.0.0.1/8(rw,sync,no_subtree_check,no_root_squash)" ) nfsShares ); @@ -28,20 +28,11 @@ in Configure this server to serve our data using NFS and PostgreSQL. ''; }; - - nfsRoot = lib.mkOption { - default = "/mnt/data/nfs"; - type = lib.types.str; - description = '' - Root directory of NFS data. - ''; - }; }; config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 2049 # NFS - 5432 # PostgeSQL 111 # NFS 20048 # NFS ]; diff --git a/nixos-modules/storage.nix b/nixos-modules/storage.nix index c2d3c59..13b9297 100644 --- a/nixos-modules/storage.nix +++ b/nixos-modules/storage.nix @@ -8,47 +8,16 @@ in { The disk to be used for the machine's operating system. ''; }; - - dataPartition = lib.mkOption { - default = null; - type = lib.types.nullOr lib.types.str; - description = '' - Partition to be used for data storage on this machine. - ''; - }; - - dataMountPoint = lib.mkOption { - default = "/mnt/data"; - type = lib.types.str; - description = '' - Mount point of the machine's data partition. - ''; - }; - - kubernetesNode = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Whether to apply the Kubernetes disk setup. - ''; - }; }; config = { - fileSystems = lib.attrsets.mergeAttrsList [ - (lib.optionalAttrs ((! machine.isRaspberryPi) && (! cfg.kubernetesNode)) { - "${cfg.dataMountPoint}".device = cfg.dataPartition; - }) - (lib.optionalAttrs machine.isRaspberryPi { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - options = [ "noatime" ]; - }; - }) - ]; + fileSystems."/" = lib.mkIf machine.isRaspberryPi { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; - disko = lib.mkIf (! machine.isRaspberryPi) (if cfg.kubernetesNode then { + disko = lib.mkIf (! machine.isRaspberryPi) { devices = { disk = { nvme = { @@ -148,41 +117,6 @@ in { }; }; }; - } else { - # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. - devices.disk.vdb = { - device = cfg.osDisk; - type = "disk"; - - content = { - type = "gpt"; - - partitions = { - swap.size = "100%"; - - ESP = { - type = "EF00"; - size = "500M"; - - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - - root = { - end = "-4G"; - - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }); + }; }; } diff --git a/secrets/database_passwords.env.age b/secrets/database_passwords.env.age deleted file mode 100644 index 89f0254..0000000 --- a/secrets/database_passwords.env.age +++ /dev/null @@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UwNSRQ XKuX/onJklTJ1ws0svIwJy1PZN1MHsf5+N3z7XGvCyY -JkyemSdV/ZcbjWLrwYLhKCE4Ln2seLR0WyYXGMepgBw --> ssh-ed25519 JJ7S4A 9wzkTABOPcmTG7LNWvZa7dKG0Ingf+KDckZ1tL2c3QQ -IkxcStI4kwXkWj+j3PWl7FdyoVMVsiH9SZBnyffbcYQ --> ssh-ed25519 aqswPA 3i/v1qWLseD+FrPrnAXtSoK98a6Nrb3XrHinp2QPTn0 -RxuPM1oICEoF5oZAyQlCm+fOivI9sfZenZSlOGBIZK8 --> ssh-ed25519 LAPUww MkvAMN/fZiV66+ub4Q/CDTIxJ3N3cMWBT0SQajespR0 -uh6SGtxR3BvsU/fTTTOnsNXD+bHNYMhTAFoc3QUtMr8 --> ssh-ed25519 vBZj5g Jiu1sEmlws4eFPriuL2oS99Q9tFCyf4Zkv/khLONvT0 -cLLHcvmIb1Nb7eVmKJyYdvfulgbcZ73N0x6GWyKeJPs --> ssh-ed25519 QP0PgA A1Raf1CiVJ5tnJXRIeS0VpCUNX/iYNzGozQxApY9KGM -998c6IZfPNW8uMttkK8xGp1hgKXBcrwuBOgOpXWPCu8 ---- /Qv6sfhphlYb9WtWdmPt6RZJPHxBO4jCSgauazsHIt8 -1kYiL7-}`NVoC'ۧh[vDUpv~e0y2`ݐƱѥ8/ -MEЎhsq| kت<Ӱ+9e0󟑸;)?IL-JYgpk+HR5ۥp:8o1zs`_MSQ;Q_o] \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index dff31d8..a236427 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,7 +8,6 @@ let ]; encryptedFileNames = [ - "database_passwords.env.age" "borg_passphrase.age" "borgbase.pem.age" "k3s-server-token.age"