# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
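{ config, pkgs, ... } @ args:
# Top-level NixOS configuration shared by every Deuxfleurs cluster node.
# Hostname, addresses and other per-site / per-node values come from the
# imported modules below; this file only holds what is common to all nodes.
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      # Include generic Deuxfleurs module
      ./deuxfleurs.nix
      # Configuration for this deployment (a cluster)
      ./cluster.nix
      # Configuration local for this Deuxfleurs site (set of nodes)
      ./site.nix
      # Configuration local for this cluster node (hostname, IP, etc)
      ./node.nix
    ];

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.

  # Networking configuration (static IPs for each node is defined in node/*.nix)
  networking.nameservers = [ "9.9.9.9" ];

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "sun12x22";
    keyMap = "fr";
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    nmap
    bind
    inetutils
    vim
    tmux
    ncdu
    iotop
    jnettop
    nethogs
    wget
    htop
    links
    git
    rclone
    docker
    docker-compose
  ];
  programs.vim.defaultEditor = true;

  # Enable network time
  services.ntp.enable = true;

  # Enable the OpenSSH daemon and disable password login (key-based auth only).
  # NOTE(review): recent NixOS releases name this option
  # services.openssh.settings.PasswordAuthentication; use whichever spelling the
  # nixpkgs revision in use accepts.
  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;

  # ---- CONFIG FOR DEUXFLEURS CLUSTER ----

  # Mount Garage using Rclone.
  # Disabled for now (enable = false; NixOS masks the unit, so it cannot be
  # started until this is flipped). The unit runs as root and reads the rclone
  # credentials from /root/rclone.conf.
  systemd.services.mountgarage = {
    enable = false;
    description = "Mount the Garage data store";
    path = [
      pkgs.fuse
      pkgs.rclone
    ];
    serviceConfig = {
      # `Type` is a [Service] key. It used to sit under `unitConfig`, which
      # writes it into the [Unit] section where systemd ignores it.
      Type = "simple";
      # Ensure the mount point exists and is not left mounted by a previous
      # (possibly crashed) instance before mounting again; a failed unmount is
      # not an error.
      ExecStartPre = "${pkgs.bash}/bin/sh -c \"mkdir -p /mnt/garage-staging; fusermount -u /mnt/garage-staging || exit 0\"";
      # Foreground mount so systemd tracks the rclone process directly.
      ExecStart = "${pkgs.rclone}/bin/rclone --config /root/rclone.conf mount --vfs-cache-mode full --vfs-cache-max-size 1G --cache-dir /root/mountgarage-cache staging: /mnt/garage-staging";
    };
    wantedBy = [ "multi-user.target" ];
  };

  # Open ports in the firewall.
  networking.firewall = {
    enable = true;
    # Allow anyone to connect on SSH port.
    # `//` merges shallowly: whenever config.services defines `openssh` (it does
    # as soon as the NixOS openssh module is loaded) the whole default attr is
    # replaced, so this reads config.services.openssh.ports. Only the first
    # configured port is opened here.
    allowedTCPPorts = [
      (builtins.head ({ openssh.ports = [22]; } // config.services).openssh.ports)
    ];
    # Allow specific hosts access to specific things in the cluster.
    # These rules match on source address only (no `-i` interface restriction)
    # and accept every port and protocol from the listed ranges.
    extraCommands = ''
      # Allow everything from router (usefull for UPnP/IGD)
      iptables -A INPUT -s 192.168.1.254 -j ACCEPT
      # Allow docker containers to access all ports
      iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
      # Allow other nodes on VPN to access all ports
      iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
    '';
    # When stopping firewall, delete all rules that were configured manually above
    # (each -D removes one matching rule; keep this list in sync with extraCommands).
    extraStopCommands = ''
      iptables -D INPUT -s 192.168.1.254 -j ACCEPT
      iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
      iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT
    '';
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
}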