restructure code

Pim Kunis 2023-12-29 12:47:59 +01:00
parent c2b8131adc
commit 6d258fe5ae
28 changed files with 2 additions and 2 deletions


@ -1,106 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.backups;
snapshotFile = "/tmp/snapshot.qcow2";
snapshotMount = "/tmp/snapshot";
beforeEverything = pkgs.writeShellScriptBin "beforeEverything" ''
${pkgs.libvirt}/bin/virsh snapshot-create-as --domain ${cfg.domainName} --name backup-${cfg.domainName} --disk-only --quiesce --no-metadata --diskspec vda,snapshot=no --diskspec vdb,file=${snapshotFile} && ${pkgs.coreutils}/bin/sleep 1
${pkgs.coreutils}/bin/mkdir -p ${snapshotMount}
${pkgs.libguestfs-with-appliance}/bin/guestmount -a ${snapshotFile} -m /dev/sda1 --ro ${snapshotMount}
'';
afterEverything = pkgs.writeShellScriptBin "afterEverything" ''
set +e
${pkgs.coreutils}/bin/sleep 10
${pkgs.libguestfs-with-appliance}/bin/guestunmount ${snapshotMount} && ${pkgs.coreutils}/bin/sleep 1
${pkgs.coreutils}/bin/rm -rf ${snapshotMount}
${pkgs.libvirt}/bin/virsh blockcommit ${cfg.domainName} vdb --active --verbose --pivot
${pkgs.coreutils}/bin/rm -f ${snapshotFile}
'';
borgmaticConfig = pkgs.writeTextFile {
name = "borgmatic-config";
text = ''
source_directories:
- ${snapshotMount}
repositories:
- path: ${cfg.repoLocation}
label: ${cfg.domainName}
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
unknown_unencrypted_repo_access_is_ok: true
before_everything:
- ${beforeEverything}/bin/beforeEverything
after_everything:
- ${afterEverything}/bin/afterEverything
'';
};
in
{
options.custom.backups = {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable backups of persistent data on this machine.
'';
};
repoLocation = lib.mkOption {
default = "${config.custom.dataDisk.mountPoint}/backups/thecloud-data.borg";
type = lib.types.str;
description = ''
Location of the Borg repository to back up to.
'';
};
domainName = lib.mkOption {
default = "thecloud";
type = lib.types.str;
description = ''
The name of the Libvirt domain with the data disk attached.
'';
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [ libguestfs-with-appliance borgbackup ];
# Converted from:
# https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
systemd.services.borgmatic = {
description = "borgmatic backup";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
unitConfig = {
ConditionACPower = true;
};
serviceConfig = {
Type = "oneshot";
Nice = 19;
CPUSchedulingPolicy = "batch";
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
IOWeight = 100;
Restart = "no";
LogRateLimitIntervalSec = 0;
};
preStart = "${pkgs.coreutils}/bin/sleep 1m";
script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1";
};
environment.etc."borgmatic/config.yaml" = {
source = borgmaticConfig;
};
# systemd.timers.borgmatic = {
# description = "Run borgmatic backup";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar = "*-*-* 3:00:00";
# Persistent = true;
# RandomizedDelaySec = "3h";
# };
# };
};
}


@ -1,37 +0,0 @@
{ lib, config, ... }:
let cfg = config.custom.dataDisk;
in {
options = {
custom = {
dataDisk = {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to automatically mount a disk to be used as a data disk.
'';
};
mountPoint = lib.mkOption {
default = "/mnt/data";
type = lib.types.str;
description = ''
Mount point of the data disk (if enabled).
'';
};
devicePath = lib.mkOption {
default = "/dev/sda1";
type = lib.types.str;
description = ''
Path of the device to be used as a data disk.
'';
};
};
};
};
config = lib.mkIf cfg.enable {
fileSystems.${cfg.mountPoint} = { device = cfg.devicePath; };
};
}


@ -1,3 +0,0 @@
{
imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ./k3s ./disko.nix ./backups.nix ];
}


@ -1,43 +0,0 @@
{ lib, config, ... }:
let cfg = config.custom.disko;
in {
options = {
custom = {
disko.osDiskDevice = lib.mkOption {
type = lib.types.str;
description = ''
The disk device to be used for the operating system.
'';
};
};
};
# TODO: rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then
config.disko.devices.disk.vdb = {
device = cfg.osDiskDevice;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
end = "-4G";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
swap = { size = "100%"; };
};
};
};
}


@ -1,16 +0,0 @@
{ kubenix, ... }: {
imports = [ kubenix.modules.k8s ];
kubernetes.resources.clusterRoleBindings.pim-cluster-admin = {
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "cluster-admin";
};
subjects = [
{
kind = "User";
name = "pim";
}
];
};
}


@ -1,36 +0,0 @@
{ pkgs, lib, config, kubenix, ... }:
let cfg = config.custom.k3s;
in {
options = {
custom = {
k3s.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to start k3s with custom configuration.
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.k3s ];
networking.firewall.allowedTCPPorts = [ 6443 ];
services.k3s = {
enable = true;
role = "server";
extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s";
};
system.activationScripts.k3s-bootstrap.text =
let
k3sBootstrapFile = (kubenix.evalModules.x86_64-linux {
module = import ./bootstrap.nix;
}).config.kubernetes.result;
in
''
ln -sf ${k3sBootstrapFile} ${config.custom.dataDisk.mountPoint}/k3s/server/manifests/k3s-bootstrap.json
'';
};
}


@ -1,73 +0,0 @@
{ lib, config, ... }:
let
cfg = config.custom.ssh;
hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;
in {
options = {
custom = {
ssh = {
useCertificates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to use certificates at all.
'';
};
hostCert = lib.mkOption {
type = lib.types.str;
description = ''
SSH host certificate
'';
};
userCert = lib.mkOption {
type = lib.types.str;
description = ''
SSH user certificate
'';
};
hostKey = lib.mkOption {
default =
../../secrets/${config.networking.hostName}_host_ed25519.age;
type = lib.types.path;
description = ''
SSH host key
'';
};
userKey = lib.mkOption {
default =
../../secrets/${config.networking.hostName}_user_ed25519.age;
type = lib.types.path;
description = ''
SSH user key
'';
};
};
};
};
config = lib.mkIf cfg.useCertificates {
services.openssh = {
extraConfig = ''
HostCertificate ${hostCert}
HostKey ${config.age.secrets.host_ed25519.path}
'';
};
programs.ssh = {
extraConfig = ''
CertificateFile ${userCert}
IdentityFile ${config.age.secrets.user_ed25519.path}
'';
};
age.secrets = {
"host_ed25519".file = cfg.hostKey;
"user_ed25519".file = cfg.userKey;
};
};
}


@ -1,57 +0,0 @@
{ pkgs, lib, config, ... }:
let cfg = config.custom.terraformDatabase;
in {
options = {
custom = {
terraformDatabase.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to start a postgreSQL database for Terraform states
'';
};
};
};
config = lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
ensureDatabases = [ "terraformstates" ];
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = lib.mkIf config.custom.dataDisk.enable
"${config.custom.dataDisk.mountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";
authentication = ''
hostssl terraformstates terraform all cert
'';
settings =
let
serverCert = builtins.toFile "postgresql_server.crt"
(builtins.readFile ../../postgresql_server.crt);
in
{
ssl = true;
ssl_cert_file = serverCert;
ssl_key_file = config.age.secrets."postgresql_server.key".path;
ssl_ca_file = serverCert;
};
ensureUsers = [{
name = "terraform";
ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
}];
};
networking.firewall.allowedTCPPorts = [ 5432 ];
age.secrets."postgresql_server.key" = {
file = ../../secrets/postgresql_server.key.age;
mode = "400";
owner = builtins.toString config.ids.uids.postgres;
group = builtins.toString config.ids.gids.postgres;
};
};
}


@ -1,33 +0,0 @@
{
disko.devices = {
disk = {
vdb = {
device = "/dev/nvme0n1";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
end = "-4G";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
swap = { size = "100%"; };
};
};
};
};
};
}