authorAlex Auvolat <alex@adnab.me>2022-02-09 12:09:49 +0100
committerAlex Auvolat <alex@adnab.me>2022-02-09 12:09:49 +0100
commitf03cafd49b48eabc4743b3a3791fd22f19cb0de1 (patch)
treee31d1c68502e4ee2f8f4dc67235eac0e220b2fbd /cluster
parentcce5cd17f5429295eb2165480ca941dd3f49b788 (diff)
Modularize and prepare to support multiple clusters
Diffstat (limited to 'cluster')
-rw-r--r--cluster/staging/cluster.nix77
-rw-r--r--cluster/staging/node/carcajou.nix33
l---------cluster/staging/node/carcajou.site.nix1
-rw-r--r--cluster/staging/node/cariacou.nix33
l---------cluster/staging/node/cariacou.site.nix1
-rw-r--r--cluster/staging/node/caribou.nix33
l---------cluster/staging/node/caribou.site.nix1
-rw-r--r--cluster/staging/node/spoutnik.nix68
l---------cluster/staging/node/spoutnik.site.nix1
-rw-r--r--cluster/staging/secrets/rclone.conf.sample8
-rw-r--r--cluster/staging/site/neptune.nix20
-rw-r--r--cluster/staging/site/pluton.nix13
-rw-r--r--cluster/staging/ssh_config14
13 files changed, 303 insertions, 0 deletions
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
new file mode 100644
index 0000000..1292c8b
--- /dev/null
+++ b/cluster/staging/cluster.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... } @ args:
+
+{
+ deuxfleurs.cluster_name = "staging";
+ deuxfleurs.cluster_nodes = [
+ {
+ hostname = "spoutnik";
+ publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
+ IP = "10.42.0.2";
+ endpoint = "77.141.67.109:42136";
+ }
+ {
+ hostname = "cariacou";
+ publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
+ IP = "10.42.0.21";
+ endpoint = "82.66.112.151:33721";
+ }
+ {
+ hostname = "carcajou";
+ publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
+ IP = "10.42.0.22";
+ endpoint = "82.66.112.151:33722";
+ }
+ {
+ hostname = "caribou";
+ publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
+ IP = "10.42.0.23";
+ endpoint = "82.66.112.151:33723";
+ }
+ ];
+ deuxfleurs.admin_nodes = [
+ {
+ hostname = "hammerhead";
+ publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
+ IP = "10.42.0.1";
+ endpoint = "5.135.179.11:51349";
+ }
+ {
+ hostname = "robinson";
+ publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=";
+ IP = "10.42.0.42";
+ endpoint = "77.141.67.109:33742";
+ }
+ {
+ hostname = "shiki";
+ publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
+ IP = "10.42.0.206";
+ endpoint = "37.187.118.206:51820";
+ }
+ {
+ hostname = "lindy";
+ publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=";
+ IP = "10.42.0.66";
+ endpoint = "82.66.112.151:33766";
+ }
+ ];
+ deuxfleurs.admin_accounts = {
+ lx = [
+ # Keys for accessing nodes from outside
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
+ ];
+ quentin = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr"
+ ];
+ adrien = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBfVX+iQSHl3V0el3/y2Rtl9Q/nrmLoTE3oXnR+16yX7g8HvzU871q89jbE/UWvNRvO4hirTcKF8yojuq8ZRCoUcQO+6/YlPrY/2G8kFhPTlUGDQ+mLT+ancZsom4mkg3I9oQjKZ9qxMD1GuU8Ydz4eXjhJ8OGFZhBpEgnrLmdA53Y5d2fCbaZN5EYD4sWEFYN7xBLxTGNwv0gygiPs967Z4/ZfHngTvqVoS9wnQThSCIoXPTWFAJCkN8dC5tPZwnbOT1bGcYUF0VTrcaD6cU6Q1ZRrtyqXxnnyxpQCAoe2hgdIm+LnDsBx9trfPauqi0dXi36X8pLmudW1f1RmKWT adrien@bacigalupi"
+ ];
+ maximilien = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
+ ];
+ kokakiwi = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
+ ];
+ };
+}
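Review bot: The maximilien entry (fifth key in deuxfleurs.admin_accounts) is the only public key without a trailing identifier comment, so once it lands in authorized_keys nothing ties it to a person or device, which turns rotation and revocation into guesswork; append a label such as `maximilien@<host>` (placeholder) at the end of the string. The `# Keys for accessing nodes from outside` comment sits inside the lx list and so reads as applying to lx only, although the same seems true of every account listed; moving it above admin_accounts would make its scope clear. Whether these keys are installed with further restrictions is decided by the deuxfleurs module, which is outside this commit.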
diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix
new file mode 100644
index 0000000..9ef88ad
--- /dev/null
+++ b/cluster/staging/node/carcajou.nix
@@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 20;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "carcajou";
+
+ networking.interfaces.eno1.useDHCP = false;
+ networking.interfaces.eno1.ipv4.addresses = [
+ {
+ address = "192.168.1.22";
+ prefixLength = 24;
+ }
+ ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::22";
+ prefixLength = 64;
+ }
+ ];
+
+ deuxfleurs.vpn_ip = "10.42.0.22";
+ deuxfleurs.vpn_listen_port = 33722;
+ deuxfleurs.is_raft_server = true;
+
+ # Enable netdata monitoring
+ services.netdata.enable = true;
+}
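Review bot: The VPN address and listen port are declared twice — `deuxfleurs.vpn_ip = "10.42.0.22"` / `deuxfleurs.vpn_listen_port = 33722` here and again as the IP and endpoint of the carcajou entry in cluster.nix — and nothing in this commit checks that the two stay in sync, so editing one file silently breaks the WireGuard peer relationship; the same applies to cariacou.nix and caribou.nix. If the deuxfleurs module (outside this commit) cannot derive one from the other, an `assertions` entry comparing the node's vpn_ip and port with its cluster_nodes record would catch the drift at build time. Separately, these three files differ only in hostname, the last octet of the addresses and the port, so a small helper taking those values would shorten them in line with the commit's stated goal of modularizing.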
diff --git a/cluster/staging/node/carcajou.site.nix b/cluster/staging/node/carcajou.site.nix
new file mode 120000
index 0000000..04ee36c
--- /dev/null
+++ b/cluster/staging/node/carcajou.site.nix
@@ -0,0 +1 @@
+../site/neptune.nix \ No newline at end of file
diff --git a/cluster/staging/node/cariacou.nix b/cluster/staging/node/cariacou.nix
new file mode 100644
index 0000000..7e999d3
--- /dev/null
+++ b/cluster/staging/node/cariacou.nix
@@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 20;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "cariacou";
+
+ networking.interfaces.eno1.useDHCP = false;
+ networking.interfaces.eno1.ipv4.addresses = [
+ {
+ address = "192.168.1.21";
+ prefixLength = 24;
+ }
+ ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::21";
+ prefixLength = 64;
+ }
+ ];
+
+ deuxfleurs.vpn_ip = "10.42.0.21";
+ deuxfleurs.vpn_listen_port = 33721;
+ deuxfleurs.is_raft_server = true;
+
+ # Enable netdata monitoring
+ services.netdata.enable = true;
+}
diff --git a/cluster/staging/node/cariacou.site.nix b/cluster/staging/node/cariacou.site.nix
new file mode 120000
index 0000000..04ee36c
--- /dev/null
+++ b/cluster/staging/node/cariacou.site.nix
@@ -0,0 +1 @@
+../site/neptune.nix \ No newline at end of file
diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix
new file mode 100644
index 0000000..474f3d3
--- /dev/null
+++ b/cluster/staging/node/caribou.nix
@@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 20;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "caribou";
+
+ networking.interfaces.eno1.useDHCP = false;
+ networking.interfaces.eno1.ipv4.addresses = [
+ {
+ address = "192.168.1.23";
+ prefixLength = 24;
+ }
+ ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::23";
+ prefixLength = 64;
+ }
+ ];
+
+ deuxfleurs.vpn_ip = "10.42.0.23";
+ deuxfleurs.vpn_listen_port = 33723;
+ deuxfleurs.is_raft_server = true;
+
+ # Enable netdata monitoring
+ services.netdata.enable = true;
+}
diff --git a/cluster/staging/node/caribou.site.nix b/cluster/staging/node/caribou.site.nix
new file mode 120000
index 0000000..04ee36c
--- /dev/null
+++ b/cluster/staging/node/caribou.site.nix
@@ -0,0 +1 @@
+../site/neptune.nix \ No newline at end of file
diff --git a/cluster/staging/node/spoutnik.nix b/cluster/staging/node/spoutnik.nix
new file mode 100644
index 0000000..1554de9
--- /dev/null
+++ b/cluster/staging/node/spoutnik.nix
@@ -0,0 +1,68 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "spoutnik";
+ services.openssh.ports = [ 220 ];
+
+ networking.interfaces.enp0s25.useDHCP = false;
+ networking.interfaces.enp0s25.ipv4.addresses = [
+ {
+ address = "192.168.0.40";
+ prefixLength = 24;
+ }
+ ];
+
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.42.0.2/16" ];
+ listenPort = 42136;
+ };
+
+ # Activate as Nomad and Consul server node
+ services.nomad.settings.server.enabled = true;
+ services.consul.extraConfig.server = true;
+
+ # Nginx configuration:
+
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Add any further config to match your needs, e.g.:
+ virtualHosts = let
+ base = locations: {
+ inherit locations;
+
+ forceSSL = true;
+ enableACME = true;
+ };
+ proxy = addr: port: base {
+ "/".proxyPass = "http://" + addr + ":" + toString(port);
+ };
+ in {
+ "axl.deuxfleurs.fr" = proxy "192.168.0.60" 80;
+ "warez.luxeylab.net" = proxy "192.168.0.50" 80;
+ };
+ };
+
+
+ # ACME:
+
+ security.acme = {
+ acceptTerms = true;
+ email = "adrien@luxeylab.net";
+ };
+}
+
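Review bot: spoutnik configures WireGuard directly through `networking.wireguard.interfaces.wg0` (ips, listenPort) and enables the Nomad/Consul server role through service settings, whereas the other three node files in this commit use `deuxfleurs.vpn_ip`, `deuxfleurs.vpn_listen_port` and `deuxfleurs.is_raft_server`; the two styles may collide if the deuxfleurs module (outside this commit) also manages wg0. If the difference is deliberate, a one-line comment above the wireguard block saying why would stop a future cleanup from unifying it by mistake. The file also keeps the stock NixOS template header ("Edit this configuration file ...") and ends with an extra blank line; replacing the header with the `# Configuration file local to this node` line used by the other nodes would be consistent.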
diff --git a/cluster/staging/node/spoutnik.site.nix b/cluster/staging/node/spoutnik.site.nix
new file mode 120000
index 0000000..87c7991
--- /dev/null
+++ b/cluster/staging/node/spoutnik.site.nix
@@ -0,0 +1 @@
+../site/pluton.nix \ No newline at end of file
diff --git a/cluster/staging/secrets/rclone.conf.sample b/cluster/staging/secrets/rclone.conf.sample
new file mode 100644
index 0000000..048bdba
--- /dev/null
+++ b/cluster/staging/secrets/rclone.conf.sample
@@ -0,0 +1,8 @@
+[staging]
+type = s3
+provider = Other
+env_auth = false
+access_key_id = GK...
+secret_access_key = ...
+endpoint = http://127.0.0.1:3990
+region = garage-staging
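Review bot: The sample keeps `access_key_id` and `secret_access_key` as placeholders, which is right, but nothing in this commit ignores the filled-in `secrets/rclone.conf` that will sit next to it, so a real key could be committed by a `git add` of the directory; if a .gitignore entry exists elsewhere, a header comment pointing to it would make that visible, otherwise one should be added. rclone also supports `env_auth = true`, which reads the credentials from the environment and keeps them out of the file altogether. The `http://` endpoint is loopback-only, so the plaintext transport is acceptable as long as that address is not later changed to a remote host.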
diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix
new file mode 100644
index 0000000..49e126a
--- /dev/null
+++ b/cluster/staging/site/neptune.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+ networking.defaultGateway = {
+ address = "192.168.1.254";
+ interface = "eno1";
+ };
+
+ deuxfleurs.site_name = "neptune";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "0 2 * * * root nix-collect-garbage --delete-older-than 10d >> /root/nix_gc_log 2>&1"
+ "30 2 * * * root docker run --rm -v /var/lib/drone/nix:/nix nixpkgs/nix:nixos-21.05 nix-collect-garbage --delete-older-than 30d >> /root/drone_nix_gc_log 2>&1"
+ ];
+ };
+}
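Review bot: The second cron job runs `docker run ... nixpkgs/nix:nixos-21.05 ...` as root every night with a mutable image tag, so whatever the registry serves under that tag at 02:30 executes with root privileges and write access to /var/lib/drone/nix; pinning the reference to a digest, `nixpkgs/nix@sha256:<image-digest>` (placeholder), makes the job reproducible and reviewable. Both jobs append to files under /root without rotation, so the logs grow without bound; logrotate or a systemd timer whose output lands in the journal would be the usual fix. `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens HTTP/HTTPS on every neptune node while no listener on those ports appears in this commit's neptune node files; if one comes from a shared module a comment naming it would justify the rule, otherwise the opening is unnecessary.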
diff --git a/cluster/staging/site/pluton.nix b/cluster/staging/site/pluton.nix
new file mode 100644
index 0000000..9f972c0
--- /dev/null
+++ b/cluster/staging/site/pluton.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+ networking.defaultGateway = {
+ address = "192.168.0.1";
+ interface = "enp0s25";
+ };
+ networking.nameservers = [ "213.186.33.99" "172.104.136.243" ];
+
+ deuxfleurs.site_name = "pluton";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
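Review bot: pluton.nix sets `networking.nameservers` explicitly while the sibling neptune.nix in this commit does not, and the neptune nodes also disable DHCP on eno1, so unless a module outside this commit provides resolvers the neptune site ends up without DNS; stating in a comment where neptune's resolvers come from, or setting them in neptune.nix as well, would make the two site files consistent. The two resolver addresses are bare IPs with no comment on whose service they are, which a reader needs the day one stops answering; `# resolvers: <provider> (primary), <provider> (fallback)` (placeholders) above the line would do.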
diff --git a/cluster/staging/ssh_config b/cluster/staging/ssh_config
new file mode 100644
index 0000000..74590ac
--- /dev/null
+++ b/cluster/staging/ssh_config
@@ -0,0 +1,14 @@
+UserKnownHostsFile ./ssh_known_hosts
+
+Host caribou
+ HostName 10.42.0.23
+
+Host carcajou
+ HostName 10.42.0.22
+
+Host cariacou
+ HostName 10.42.0.21
+
+Host spoutnik
+ HostName 10.42.0.2
+ Port 220
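Review bot: `UserKnownHostsFile ./ssh_known_hosts` is resolved by ssh relative to the current working directory, not to the config file, so the pinned host keys are only consulted when ssh is run from cluster/staging; from anywhere else a fresh, empty file is created and each host key is prompted for on first use. The ssh_known_hosts file itself is not part of this commit (it is absent from the diffstat), so the host keys of the four nodes are not yet pinned in the repository; committing it and documenting the expected invocation (for example `ssh -F ssh_config caribou` run from that directory) closes both gaps. The hosts are addressed through their VPN IPs, so the config presumes the WireGuard tunnel is already up.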