authorAlex Auvolat <alex@adnab.me>2022-02-09 12:09:49 +0100
committerAlex Auvolat <alex@adnab.me>2022-02-09 12:09:49 +0100
commitf03cafd49b48eabc4743b3a3791fd22f19cb0de1 (patch)
treee31d1c68502e4ee2f8f4dc67235eac0e220b2fbd /configuration.nix
parentcce5cd17f5429295eb2165480ca941dd3f49b788 (diff)
downloadnixcfg-f03cafd49b48eabc4743b3a3791fd22f19cb0de1.tar.gz
nixcfg-f03cafd49b48eabc4743b3a3791fd22f19cb0de1.zip
Modularize and prepare to support multiple clusters
Diffstat (limited to 'configuration.nix')
-rw-r--r--configuration.nix221
1 files changed, 7 insertions, 214 deletions
diff --git a/configuration.nix b/configuration.nix
index ca403ec..ff6678d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -5,17 +5,18 @@
{ config, pkgs, ... } @ args:
# Configuration local for this cluster node (hostname, IP, etc)
-let node_config = import ./node.nix args;
- site_config = import ./site.nix args;
-in
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
- # Configuration local for this cluster node (hostname, IP, etc)
- ./node.nix
+ # Include generic Deuxfleurs module
+ ./deuxfleurs.nix
+ # Configuration for this deployment (a cluster)
+ ./cluster.nix
# Configuration local for this Deuxfleurs site (set of nodes)
./site.nix
+ # Configuration local for this cluster node (hostname, IP, etc)
+ ./node.nix
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
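Review bot: The context comment `# Configuration local for this cluster node (hostname, IP, etc)` just above `{` described the `let node_config = import ./node.nix args;` binding that this hunk removes, so it now dangles in front of the module body while the identical sentence is repeated next to `./node.nix` inside `imports`; drop the orphaned copy. For the same reason the `@ args` pattern in `{ config, pkgs, ... } @ args:` appears unused once the `let` is gone — if nothing outside these hunks still references `args`, simplify the header to `{ config, pkgs, ... }:`. The `# ---- CONFIG FOR DEUXFLEURS CLUSTER ----` heading kept as context in the fourth hunk is left in the same state, introducing nothing now that the Consul and Nomad blocks under it are removed; either delete it or reword it to point at `./deuxfleurs.nix`, presumably where that configuration moved (the new modules are not part of this diff, so that cannot be confirmed here).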
@@ -27,77 +28,9 @@ in
# Networking configuration (static IPs for each node is defined in node/*.nix)
networking.nameservers = [ "9.9.9.9" ];
- # Wireguard VPN configuration
- networking.wireguard.interfaces.wg0 = {
- privateKeyFile = "/root/wireguard-keys/private";
- peers = [
- { # Hammerhead
- publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
- allowedIPs = [ "10.42.0.1/32" ];
- endpoint = "5.135.179.11:51349";
- persistentKeepalive = 25;
- }
- { # Spoutnik
- publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
- allowedIPs = [ "10.42.0.2/32" ];
- endpoint = "77.141.67.109:42136";
- persistentKeepalive = 25;
- }
- { # Robinson
- publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=";
- allowedIPs = [ "10.42.0.42/32" ];
- endpoint = "77.141.67.109:33742";
- persistentKeepalive = 25;
- }
- { # Shiki
- publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
- allowedIPs = [ "10.42.0.206/32" ];
- endpoint = "37.187.118.206:51820";
- persistentKeepalive = 25;
- }
- { # Lindy
- publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=";
- allowedIPs = [ "10.42.0.66/32" ];
- endpoint = "82.66.112.151:33766";
- persistentKeepalive = 25;
- }
- { # Carcajou
- publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
- allowedIPs = [ "10.42.0.21/32" ];
- endpoint = "82.66.112.151:33721";
- persistentKeepalive = 25;
- }
- { # Carcajou
- publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
- allowedIPs = [ "10.42.0.22/32" ];
- endpoint = "82.66.112.151:33722";
- persistentKeepalive = 25;
- }
- { # Caribou
- publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
- allowedIPs = [ "10.42.0.23/32" ];
- endpoint = "82.66.112.151:33723";
- persistentKeepalive = 25;
- }
- ];
- };
-
# Set your time zone.
time.timeZone = "Europe/Paris";
- networking.extraHosts = ''
-192.168.1.21 cariacou.lan
-192.168.1.22 carcajou.lan
-192.168.1.23 caribou.lan
-10.42.0.1 hammerhead
-10.42.0.2 spoutnik
-10.42.0.21 cariacou
-10.42.0.22 carcajou
-10.42.0.23 caribou
-10.42.0.66 lindy
-10.42.0.206 shiki
- '';
-
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
console = {
@@ -105,57 +38,6 @@ in
keyMap = "fr";
};
- # Enable sound.
- # sound.enable = true;
- # hardware.pulseaudio.enable = true;
-
- # Define user accounts
- users.users.lx = {
- isNormalUser = true;
- extraGroups = [
- "wheel" # Enable ‘sudo’ for the user.
- "video" # Having fun with links -g
- ];
- openssh.authorizedKeys.keys = [
- # Keys for accessing nodes from outside
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
- ];
- };
-
- users.users.quentin = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr"
- ];
- };
-
- users.users.adrien = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBfVX+iQSHl3V0el3/y2Rtl9Q/nrmLoTE3oXnR+16yX7g8HvzU871q89jbE/UWvNRvO4hirTcKF8yojuq8ZRCoUcQO+6/YlPrY/2G8kFhPTlUGDQ+mLT+ancZsom4mkg3I9oQjKZ9qxMD1GuU8Ydz4eXjhJ8OGFZhBpEgnrLmdA53Y5d2fCbaZN5EYD4sWEFYN7xBLxTGNwv0gygiPs967Z4/ZfHngTvqVoS9wnQThSCIoXPTWFAJCkN8dC5tPZwnbOT1bGcYUF0VTrcaD6cU6Q1ZRrtyqXxnnyxpQCAoe2hgdIm+LnDsBx9trfPauqi0dXi36X8pLmudW1f1RmKWT adrien@bacigalupi"
- ];
- };
-
- users.users.maximilien = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
- ];
- };
-
- users.users.kokakiwi = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
- ];
- };
-
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
@@ -188,90 +70,6 @@ in
# ---- CONFIG FOR DEUXFLEURS CLUSTER ----
- # Enable Hashicorp Consul & Nomad
- services.consul.enable = true;
- services.consul.extraConfig =
- let public_ip = (builtins.head (builtins.split "/" (builtins.head node_config.networking.wireguard.interfaces.wg0.ips)));
- in
- (if node_config.services.consul.extraConfig.server or false
- then { bootstrap_expect = 3; }
- else {}) //
- {
- datacenter = "staging";
- node_meta = {
- "site" = site_config.services.nomad.settings.datacenter;
- };
- ui = true;
- bind_addr = public_ip;
-
- ports.http = -1;
- addresses.https = "0.0.0.0";
- ports.https = 8501;
-
- retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
-
- ca_file = "/var/lib/consul/pki/consul-ca.crt";
- cert_file = "/var/lib/consul/pki/consul2022.crt";
- key_file = "/var/lib/consul/pki/consul2022.key";
- verify_incoming = true;
- verify_outgoing = true;
- verify_server_hostname = true;
- };
-
- services.nomad.enable = true;
- services.nomad.package = pkgs.nomad_1_1;
- services.nomad.settings =
- let public_ip = (builtins.head (builtins.split "/" (builtins.head node_config.networking.wireguard.interfaces.wg0.ips)));
- in
- (if node_config.services.nomad.settings.server.enabled or false
- then { server = { bootstrap_expect = 3; }; }
- else {}) //
- {
- region = "staging";
- advertise = {
- rpc = public_ip;
- http = public_ip;
- serf = public_ip;
- };
- consul = {
- address = "localhost:8501";
- ca_file = "/var/lib/nomad/pki/consul2022.crt";
- cert_file = "/var/lib/nomad/pki/consul2022-client.crt";
- key_file = "/var/lib/nomad/pki/consul2022-client.key";
- ssl = true;
- };
- client = {
- enabled = true;
- network_interface = "wg0";
- meta = {
- "site" = site_config.services.nomad.settings.datacenter;
- };
- };
- tls = {
- http = true;
- rpc = true;
- ca_file = "/var/lib/nomad/pki/nomad-ca.crt";
- cert_file = "/var/lib/nomad/pki/nomad2022.crt";
- key_file = "/var/lib/nomad/pki/nomad2022.key";
- verify_server_hostname = true;
- verify_https_client = true;
- };
- plugin = [
- {
- docker = [
- {
- config = [
- {
- volumes.enabled = true;
- allow_privileged = true;
- }
- ];
- }
- ];
- }
- ];
- };
-
# Mount Garage using Rclone
systemd.services.mountgarage = {
enable = false;
@@ -296,12 +94,7 @@ in
# Allow anyone to connect on SSH port
allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- ];
-
- # Allow anyone to contact Wireguard VPN server
- allowedUDPPorts = [
- node_config.networking.wireguard.interfaces.wg0.listenPort
+ (builtins.head ({ openssh.ports = [22]; } // config.services).openssh.ports)
];
# Allow specific hosts access to specific things in the cluster