authorAlex Auvolat <alex@adnab.me>2023-03-24 12:01:38 +0100
committerAlex Auvolat <alex@adnab.me>2023-03-24 12:01:38 +0100
commit53b9cfd8385a4cf60176df02eea7a3804b3891fb (patch)
tree0b797276cd000ed72320e625252ebf71d33674dd
parent5cd69a9ba1c2f87d9a1e294f06b74945e745e475 (diff)
wgautomesh actually on prod
-rw-r--r--cluster/prod/cluster.nix10
-rwxr-xr-xdeploy_nixos11
-rw-r--r--doc/ports2
-rw-r--r--nix/configuration.nix3
-rw-r--r--nix/deuxfleurs.nix9
-rw-r--r--nix/wgautomesh.nix4
6 files changed, 15 insertions, 24 deletions
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index 802d084..44c376e 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -13,7 +13,6 @@
site_name = "neptune";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
IP = "10.83.1.1";
- lan_endpoint = "192.168.1.31:33799";
endpoint = "77.207.15.215:33731";
}
{
@@ -21,7 +20,6 @@
site_name = "neptune";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
IP = "10.83.1.2";
- lan_endpoint = "192.168.1.32:33799";
endpoint = "77.207.15.215:33732";
}
{
@@ -29,7 +27,6 @@
site_name = "neptune";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
IP = "10.83.1.3";
- lan_endpoint = "192.168.1.33:33799";
endpoint = "77.207.15.215:33733";
}
{
@@ -37,7 +34,6 @@
site_name = "orion";
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
IP = "10.83.2.1";
- lan_endpoint = "192.168.1.11:33799";
endpoint = "82.66.80.201:33731";
}
{
@@ -45,7 +41,6 @@
site_name = "orion";
publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
IP = "10.83.2.2";
- lan_endpoint = "192.168.1.12:33799";
endpoint = "82.66.80.201:33732";
}
{
@@ -53,7 +48,6 @@
site_name = "orion";
publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
IP = "10.83.2.3";
- lan_endpoint = "192.168.1.13:33799";
endpoint = "82.66.80.201:33733";
}
{
@@ -61,7 +55,6 @@
site_name = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
IP = "10.83.3.1";
- lan_endpoint = "192.168.5.117:33799";
endpoint = "109.136.55.235:33731";
}
{
@@ -69,7 +62,6 @@
site_name = "bespin";
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
IP = "10.83.3.2";
- lan_endpoint = "192.168.5.134:33799";
endpoint = "109.136.55.235:33732";
}
{
@@ -77,7 +69,6 @@
site_name = "bespin";
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
IP = "10.83.3.3";
- lan_endpoint = "192.168.5.116:33799";
endpoint = "109.136.55.235:33733";
}
{
@@ -85,7 +76,6 @@
site_name = "scorpio";
publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg=";
IP = "10.83.4.1";
- lan_endpoint = "192.168.1.41:33799";
endpoint = "82.65.41.110:33741";
}
];
diff --git a/deploy_nixos b/deploy_nixos
index 48ef9ea..b716993 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -7,17 +7,20 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
+cmd mkdir -p /var/lib/wgautomesh
+write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
+copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
+
if [ "$CLUSTER" = "staging" ]; then
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
-
- cmd mkdir -p /var/lib/wgautomesh
- write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
- copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
fi
if [ "$CLUSTER" = "prod" ]; then
cmd nixos-rebuild boot
message "-------------------------------------------------------------------------------------"
+ message "NIXOS CHANGES THAT WOULD BE APPLIED UPON SWITCH OR REBOOT:"
+ cmd nixos-rebuild dry-activate
+ message "-------------------------------------------------------------------------------------"
message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
message "Please apply the following procedure to node '$NIXHOST':"
message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
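Review bot: The gossip secret written by the new `write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret` line now lands on every cluster, including prod nodes where the wgautomesh unit has not yet started, and the preceding `cmd mkdir -p /var/lib/wgautomesh` creates that directory with whatever umask the deploy runs under. nix/wgautomesh.nix sets `StateDirectoryMode = "0700"`, but that only takes effect once the unit is activated, so between deploy and first start the directory mode is presumably the default 0755 and the secret's own mode depends on `write_pass`, which is defined outside this hunk. Tightening the directory at creation time avoids that window: `cmd mkdir -p /var/lib/wgautomesh` followed by `cmd chmod 0700 /var/lib/wgautomesh`; whether systemd later re-adjusts ownership for the `wgautomesh` user on first start should be confirmed rather than assumed. The prod branch of the script continues past the end of the hunk.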
diff --git a/doc/ports b/doc/ports
index 98c2819..73fdb48 100644
--- a/doc/ports
+++ b/doc/ports
@@ -16,7 +16,7 @@ ports so that we can avoid conflicts when adding services.
587 postfix submission
993 dovecot imaps
1337 dovecot zauthoentication
-1666 wgautomesh (staging)
+1666 wgautomesh
1728 nix-serve
3719 grafana
3900 garage S3 (prod)
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 0b07056..9d3169b 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -84,5 +84,8 @@ SystemMaxUse=1G
dns = [ "172.17.0.1" ];
})}";
};
+
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 30d";
}
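Review bot: The garbage-collection settings added at the end of this hunk are unrelated to the wgautomesh rollout named in the commit title and carry no comment explaining the 30-day window, which is what a reader needs when judging whether a rollback to an older generation is still available. A comment above `nix.gc.automatic = true;` such as `# Collect unused store paths automatically; generations older than 30 days are removed, which bounds how far back a rollback can go` would make the intent explicit. The enclosing attribute set begins outside the hunk.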
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index ba8cdfc..f7b70d7 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -31,11 +31,6 @@ in
default = null;
description = "Wireguard endpoint on the public Internet";
};
- lan_endpoint = mkOption {
- type = nullOr str;
- description = "Wireguard endpoint for nodes in the same site";
- default = null;
- };
};
};
in
@@ -271,7 +266,7 @@ in
# listenPort = cfg.wireguard_port;
# privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
# mtu = 1420;
- # peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
+ # peers = map ({ publicKey, endpoint, IP, ... }: {
# inherit publicKey endpoint;
# allowedIPs = [ "${IP}/32" ];
# persistentKeepalive = 25;
@@ -332,7 +327,7 @@ in
services.nomad.enable = true;
systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
- services.nomad.package = pkgs.nomad_1_3;
+ services.nomad.package = pkgs.nomad_1_4;
services.nomad.extraPackages = [
pkgs.glibc
pkgs.zstd
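Review bot: Removing the `lan_endpoint = mkOption { ... }` declaration in the first hunk means any cluster definition that still assigns `lan_endpoint` would presumably fail module evaluation with an undefined-option error, and this commit only strips the attribute from cluster/prod/cluster.nix, so it is worth confirming that no other cluster file (the staging cluster is absent from the diffstat) still sets it. If one does, either remove it in the same commit or keep the option declared but unused until all definitions are cleaned up. The third hunk's `services.nomad.package = pkgs.nomad_1_4;` is a separate upgrade not mentioned in the commit message; a trailer or a short comment would help anyone bisecting a Nomad regression. All three hunks sit inside option and config sets whose boundaries lie outside the hunks.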
diff --git a/nix/wgautomesh.nix b/nix/wgautomesh.nix
index c64c4af..55aa73f 100644
--- a/nix/wgautomesh.nix
+++ b/nix/wgautomesh.nix
@@ -118,8 +118,8 @@ in
User = "wgautomesh";
StateDirectory = "wgautomesh";
StateDirectoryMode = "0700";
- AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
- CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+ AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = "CAP_NET_ADMIN";
};
wantedBy = [ "multi-user.target" ];
};
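Review bot: The two changed lines drop `CAP_NET_BIND_SERVICE` from both the ambient and bounding sets, which is consistent with the gossip port listed as 1666 in doc/ports being above 1024, but nothing in the unit records why `CAP_NET_ADMIN` alone is sufficient, so a later reader may re-add capabilities speculatively. A comment above `AmbientCapabilities = "CAP_NET_ADMIN";` such as `# CAP_NET_ADMIN only: presumably needed to manage the WireGuard interface; the gossip port is unprivileged, so CAP_NET_BIND_SERVICE is not required` would pin the rationale. Whether the unit also carries the usual sandboxing directives (NoNewPrivileges, ProtectSystem and the like) cannot be seen here, since the serviceConfig block starts outside the hunk.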