aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cluster/staging/cluster.nix84
1 files changed, 61 insertions, 23 deletions
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 7582992..c387a22 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -72,36 +72,74 @@
# For Garage ipv6 communication
networking.firewall.allowedTCPPorts = [ 3991 ];
- ## -----
+ ## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
- ## EXPERIMENTAL ON STAGING: NIX NOMAD JOBS
- services.nomad.dropPrivileges = false;
+ # We're doing lots of experiments so GC periodically is usefull.
+ nix.gc.automatic = true;
- # ----- nomad-driver-nix & nomad-driver-nix2 -----
- services.nomad.extraSettingsPlugins = [
- (import ./nomad-driver-nix2.nix { inherit pkgs; })
- ];
- services.nomad.extraPackages = [
- pkgs.nix
- pkgs.git
- ];
- # default config for the nix2 driver
- services.nomad.settings.plugin = [
- {
- "nix2-driver" = [
+ imports = [
+ ## ---- Nix Nomad jobs using nomad-driver-nix2 ----
+ ({ pkgs, ... }: {
+ services.nomad.dropPrivileges = false;
+ services.nomad.extraSettingsPlugins = [
+ (import ./nomad-driver-nix2.nix { inherit pkgs; })
+ ];
+ services.nomad.extraPackages = [
+ pkgs.nix
+ pkgs.git
+ ];
+ services.nomad.settings.plugin = [
{
- config = [
+ "nix2-driver" = [
{
- # default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
+ config = [
+ {
+ default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
+ }
+ ];
}
];
}
];
- }
+ })
+ ## ---- Nix cache: use our cache on Garage (prod cluster) ----
+ # Use our cache as additionnal substituer (this acts the same way for
+ # our Nix packages than the Docker hub acts for our Docker images)
+ ({ pkgs, ... }: {
+ nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
+ nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
+ })
+ ## ---- Nix mutual cache ----
+ # Let nodes in a same site/zone copy from each other's Nix stores
+ # Note that nodes will only copy from one another packages that are
+ # signed by one of the trusted public keys, i.e. packages comming
+ # from cache.nixos.org and nix.web.deuxfleurs.fr.
+ # This is good as it kind of mitigates supply-chain attacks where
+ # one node's cache would become poisonned, although arguably when
+ # an attacker has gained root access on one node, it can easily
+ # become root on all the others through Nomad. Downsides include
+ # missed opportunities for not rebuilding stuff between machines
+ # (e.g. derivations that are built in the process of doing
+ # nixos-rebuild), and warnings appearing in the logs whenever such
+ # an opportunity was not taken due to missing signatures.
+ ({ pkgs, config, ... }:
+ let substituter_port = 1728;
+ in
+ {
+ services.nix-serve = {
+ enable = true;
+ port = substituter_port;
+ openFirewall = false;
+ bindAddress = config.deuxfleurs.cluster_ip;
+ package = pkgs.haskellPackages.nix-serve-ng;
+ };
+ nix.settings.substituters = map
+ ({ IP, ... }: "http://${IP}:${builtins.toString substituter_port}")
+ (builtins.filter
+ ({ site_name, IP, ...}:
+ (IP != config.deuxfleurs.cluster_ip
+ && site_name == config.deuxfleurs.site_name))
+ config.deuxfleurs.cluster_nodes);
+ })
];
-
- # use our cache as additionnal substituer (we put precompiled packages there,
- # like we used to do on the docker hub)
- nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
- nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
}