Compare commits
No commits in common. "main" and "main" have entirely different histories.
|
@ -1,29 +0,0 @@
|
|||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- synchronize
|
||||
- reopened
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
check-pre-commit:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: nix build .#checks.x86_64-linux.pre-commit -L
|
||||
|
||||
check-website:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: cd website && nix-build -A tests
|
||||
- run: cd website && nix-build -A build
|
||||
|
||||
check-peertube:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: nix build .#checks.x86_64-linux.peertube -L
|
31
README.md
31
README.md
|
@ -1,31 +1,2 @@
|
|||
# The Fediversity project
|
||||
# Fediversity
|
||||
|
||||
This repository contains all the code and code-related files having to do with
|
||||
[the Fediversity project](https://fediversity.eu/), with the notable exception
|
||||
of [NixOps4 that is hosted on GitHub](https://github.com/nixops4/nixops4).
|
||||
|
||||
## Content of this repository
|
||||
|
||||
Most of the directories in this repository have their own README going into more
|
||||
details as to what they are for. As an overview:
|
||||
|
||||
- [`deployment/`](./deployment) contains bits and pieces having to do with
|
||||
auto-deployment of test VMs on a private Proxmox.
|
||||
|
||||
- [`infra/`](./infra) contains the configurations for the various VMs that are
|
||||
in production for the project, for instance the Git instances or the Wiki.
|
||||
|
||||
- [`keys/`](./keys) contains the public keys of the contributors to this project
|
||||
as well as the systems that we administrate.
|
||||
|
||||
- [`matrix/`](./matrix) contains everything having to do with setting up a
|
||||
fully-featured Matrix server.
|
||||
|
||||
- [`secrets/`](./secrets) contains the secrets that need to get injected into
|
||||
machine configurations.
|
||||
|
||||
- [`services/`](./services) contains our effort to make Fediverse applications
|
||||
work seemlessly together in our specific setting.
|
||||
|
||||
- [`website/`](./website) contains the framework and the content of [the
|
||||
Fediversity website](https://fediversity.eu/)
|
||||
|
|
8
deployment/.gitignore
vendored
Normal file
8
deployment/.gitignore
vendored
Normal file
|
@ -0,0 +1,8 @@
|
|||
.DS_Store
|
||||
.idea
|
||||
*.log
|
||||
tmp/
|
||||
*.iso
|
||||
result
|
||||
.proxmox
|
||||
.pre-commit-config.yaml
|
|
@ -1,124 +0,0 @@
|
|||
{ inputs, self, ... }:
|
||||
|
||||
let
|
||||
allVmIds = builtins.genList (x: 100 + x) 156; # 100 -- 255
|
||||
makeInstaller = import ./makeInstaller.nix;
|
||||
|
||||
in
|
||||
{
|
||||
flake.nixosConfigurations.provisioning =
|
||||
let
|
||||
inherit (builtins) map listToAttrs;
|
||||
makeProvisioningConfiguration =
|
||||
vmid:
|
||||
inputs.nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
{ procolix.vmid = vmid; }
|
||||
./procolixVm.nix
|
||||
inputs.disko.nixosModules.default
|
||||
];
|
||||
};
|
||||
in
|
||||
listToAttrs (
|
||||
map (vmid: {
|
||||
name = "fedi${toString vmid}";
|
||||
value = makeProvisioningConfiguration vmid;
|
||||
}) allVmIds
|
||||
);
|
||||
|
||||
flake.isoInstallers.provisioning =
|
||||
let
|
||||
inherit (builtins) mapAttrs;
|
||||
in
|
||||
mapAttrs (
|
||||
vmname:
|
||||
makeInstaller {
|
||||
inherit (inputs) nixpkgs;
|
||||
hostKeys = {
|
||||
rsa = {
|
||||
private = ./hostKeys/${vmname}/ssh_host_rsa_key;
|
||||
public = ./hostKeys/${vmname}/ssh_host_rsa_key.pub;
|
||||
};
|
||||
ed25519 = {
|
||||
private = ./hostKeys/${vmname}/ssh_host_ed25519_key;
|
||||
public = ./hostKeys/${vmname}/ssh_host_ed25519_key.pub;
|
||||
};
|
||||
};
|
||||
}
|
||||
) self.nixosConfigurations.provisioning;
|
||||
|
||||
nixops4Deployments.feditest =
|
||||
{ providers, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) readFile;
|
||||
|
||||
makeProcolixVmResource = vmid: vmconfig: {
|
||||
type = providers.local.exec;
|
||||
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
|
||||
ssh.opts = "";
|
||||
ssh.host = "95.215.187.${toString vmid}";
|
||||
ssh.hostPublicKey = readFile ./hostKeys/fedi${toString vmid}/ssh_host_ed25519_key.pub;
|
||||
|
||||
nixpkgs = inputs.nixpkgs;
|
||||
nixos.module = {
|
||||
imports = [
|
||||
vmconfig
|
||||
{ procolix.vmid = vmid; }
|
||||
./procolixVm.nix
|
||||
inputs.snf.nixosModules.fediversity
|
||||
inputs.disko.nixosModules.default
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
|
||||
|
||||
resources = {
|
||||
fedi100 = makeProcolixVmResource 100 { };
|
||||
|
||||
fedi101 = makeProcolixVmResource 101 {
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi101.abundos.eu";
|
||||
pixelfed.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
fedi102 = makeProcolixVmResource 102 {
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi102.abundos.eu";
|
||||
mastodon.enable = true;
|
||||
|
||||
temp.cores = 1; # FIXME: should come from NixOps4 eventually
|
||||
};
|
||||
};
|
||||
|
||||
fedi103 = makeProcolixVmResource 103 (
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi103.abundos.eu";
|
||||
peertube.enable = true;
|
||||
|
||||
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
|
||||
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
|
||||
'';
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
fedi120 = makeProcolixVmResource 120 {
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi120.abundos.eu";
|
||||
pixelfed.enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
File diff suppressed because it is too large
Load diff
184
deployment/flake.nix
Normal file
184
deployment/flake.nix
Normal file
|
@ -0,0 +1,184 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
git-hooks.url = "github:cachix/git-hooks.nix";
|
||||
|
||||
# snf.url = "path:/home/niols/git/fediversity/simple-nixos-fediverse"; #dev
|
||||
snf.url = "git+https://git.fediversity.eu/fediversity/simple-nixos-fediverse.git";
|
||||
disko.url = "github:nix-community/disko";
|
||||
|
||||
nixops4.url = "github:nixops4/nixops4";
|
||||
nixops4-nixos.url = "github:nixops4/nixops4/eval";
|
||||
};
|
||||
|
||||
outputs =
|
||||
inputs@{
|
||||
self,
|
||||
flake-parts,
|
||||
nixpkgs,
|
||||
snf,
|
||||
...
|
||||
}:
|
||||
flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
|
||||
imports = [
|
||||
inputs.nixops4-nixos.modules.flake.default
|
||||
inputs.git-hooks.flakeModule
|
||||
];
|
||||
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
"aarch64-darwin"
|
||||
"x86_64-darwin"
|
||||
];
|
||||
|
||||
perSystem =
|
||||
{
|
||||
config,
|
||||
inputs',
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
formatter = pkgs.nixfmt-rfc-style;
|
||||
|
||||
pre-commit.settings.hooks = {
|
||||
nixfmt-rfc-style.enable = true;
|
||||
deadnix.enable = true;
|
||||
};
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = [ inputs'.nixops4.packages.default ];
|
||||
shellHook = config.pre-commit.installationScript;
|
||||
};
|
||||
};
|
||||
|
||||
flake.vmIdTo03d =
|
||||
id:
|
||||
let
|
||||
sid = toString id;
|
||||
in
|
||||
if id >= 0 && id <= 9 then
|
||||
"00${sid}"
|
||||
else if id >= 10 && id <= 99 then
|
||||
"0${sid}"
|
||||
else
|
||||
sid;
|
||||
|
||||
flake.allVmIds = # 100 -- 255
|
||||
let
|
||||
allVmIdsFrom = x: if x > 255 then [ ] else [ x ] ++ allVmIdsFrom (x + 1);
|
||||
in
|
||||
allVmIdsFrom 100;
|
||||
|
||||
flake.nixosConfigurations.provisioning =
|
||||
let
|
||||
inherit (builtins) map listToAttrs;
|
||||
makeProvisioningConfiguration =
|
||||
vmid:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
{ procolix.vmid = vmid; }
|
||||
./procolixVm.nix
|
||||
inputs.disko.nixosModules.default
|
||||
];
|
||||
};
|
||||
in
|
||||
listToAttrs (
|
||||
map (vmid: {
|
||||
name = "fedi${self.vmIdTo03d vmid}";
|
||||
value = makeProvisioningConfiguration vmid;
|
||||
}) self.allVmIds
|
||||
);
|
||||
|
||||
flake.isoInstallers.provisioning =
|
||||
let
|
||||
inherit (builtins) mapAttrs;
|
||||
in
|
||||
mapAttrs (
|
||||
vmname:
|
||||
snf.mkInstaller {
|
||||
inherit nixpkgs;
|
||||
hostKeys = {
|
||||
rsa = {
|
||||
private = ./hostKeys/${vmname}/ssh_host_rsa_key;
|
||||
public = ./hostKeys/${vmname}/ssh_host_rsa_key.pub;
|
||||
};
|
||||
ed25519 = {
|
||||
private = ./hostKeys/${vmname}/ssh_host_ed25519_key;
|
||||
public = ./hostKeys/${vmname}/ssh_host_ed25519_key.pub;
|
||||
};
|
||||
};
|
||||
}
|
||||
) self.nixosConfigurations.provisioning;
|
||||
|
||||
nixops4Deployments.default =
|
||||
{ providers, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) readFile;
|
||||
|
||||
makeProcolixVmResource = vmid: vmconfig: {
|
||||
type = providers.local.exec;
|
||||
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
|
||||
ssh.opts = "";
|
||||
ssh.host = "95.215.187.${self.vmIdTo03d vmid}";
|
||||
ssh.hostPublicKey = readFile ./hostKeys/fedi${self.vmIdTo03d vmid}/ssh_host_ed25519_key.pub;
|
||||
|
||||
nixpkgs = inputs.nixpkgs;
|
||||
nixos.module = {
|
||||
imports = [
|
||||
vmconfig
|
||||
{ procolix.vmid = vmid; }
|
||||
./procolixVm.nix
|
||||
inputs.snf.nixosModules.fediversity
|
||||
inputs.disko.nixosModules.default
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
|
||||
|
||||
resources = {
|
||||
fedi100 = makeProcolixVmResource 100 { };
|
||||
|
||||
fedi101 = makeProcolixVmResource 101 {
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi101.abundos.eu";
|
||||
pixelfed.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
fedi102 = makeProcolixVmResource 102 {
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi102.abundos.eu";
|
||||
mastodon.enable = true;
|
||||
|
||||
temp.cores = 1; # FIXME: should come from NixOps4 eventually
|
||||
};
|
||||
};
|
||||
|
||||
fedi103 = makeProcolixVmResource 103 (
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
fediversity = {
|
||||
enable = true;
|
||||
domain = "fedi103.abundos.eu";
|
||||
peertube.enable = true;
|
||||
|
||||
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
|
||||
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
|
||||
'';
|
||||
};
|
||||
}
|
||||
);
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -8,6 +8,18 @@
|
|||
let
|
||||
inherit (lib) mkOption;
|
||||
inherit (lib.types) types;
|
||||
|
||||
vmIdTo03d =
|
||||
id:
|
||||
let
|
||||
sid = toString id;
|
||||
in
|
||||
if id >= 0 && id <= 9 then
|
||||
"00${sid}"
|
||||
else if id >= 10 && id <= 99 then
|
||||
"0${sid}"
|
||||
else
|
||||
sid;
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -16,9 +28,9 @@ in
|
|||
options = {
|
||||
procolix = {
|
||||
vmid = mkOption {
|
||||
type = types.ints.between 100 255;
|
||||
type = types.int;
|
||||
description = ''
|
||||
Identifier of the machine. This is a number between 100 and 255.
|
||||
Identifier of the machine. This is a number between 10 and 255.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -31,7 +43,7 @@ in
|
|||
services.openssh.enable = true;
|
||||
|
||||
networking = {
|
||||
hostName = "fedi${toString config.procolix.vmid}";
|
||||
hostName = "fedi${vmIdTo03d config.procolix.vmid}";
|
||||
domain = "procolix.com";
|
||||
|
||||
interfaces = {
|
||||
|
@ -39,7 +51,7 @@ in
|
|||
ipv4 = {
|
||||
addresses = [
|
||||
{
|
||||
address = "95.215.187.${toString config.procolix.vmid}";
|
||||
address = "95.215.187.${vmIdTo03d config.procolix.vmid}";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
@ -47,7 +59,7 @@ in
|
|||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
address = "2a00:51c0:13:1305::${toString config.procolix.vmid}";
|
||||
address = "2a00:51c0:13:1305::${vmIdTo03d config.procolix.vmid}";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
|
223
deployment/provision-vm.sh
Executable file
223
deployment/provision-vm.sh
Executable file
|
@ -0,0 +1,223 @@
|
|||
#!/usr/bin/env sh
|
||||
set -euC
|
||||
|
||||
## Proxmox API doc: https://pve.proxmox.com/pve-docs/api-viewer
|
||||
|
||||
################################################################################
|
||||
## Parse arguments
|
||||
|
||||
username=
|
||||
password=
|
||||
iso=result/iso/installer.iso
|
||||
sockets=1
|
||||
cores=1
|
||||
memory=2048
|
||||
vmid=
|
||||
|
||||
help () {
|
||||
cat <<EOF
|
||||
Usage: $0 [OPTION...]
|
||||
|
||||
Required:
|
||||
--username STR Username, with provider (eg. niols@pve)
|
||||
--password STR Password
|
||||
--vmid INT Identifier of the VM
|
||||
|
||||
If not provided via the command line, username and password will be looked for
|
||||
in a `.proxmox` file in the current working directory, the username on the
|
||||
first line, and the password on the second.
|
||||
|
||||
Optional:
|
||||
--iso PATH Installer ISO (default: $iso)
|
||||
--sockets INT Number of sockets (default: $sockets)
|
||||
--cores INT Number of cores (default: $cores)
|
||||
--memory INT Memory (default: $memory)
|
||||
|
||||
Others:
|
||||
-h|-?|--help Show this help and exit
|
||||
EOF
|
||||
}
|
||||
|
||||
die () { printf "$@"; printf '\n'; help; exit 2; }
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
argument=$1
|
||||
shift
|
||||
case $argument in
|
||||
--username) readonly username=$1; shift ;;
|
||||
--password) readonly password=$1; shift ;;
|
||||
--vmid) readonly vmid=$1; shift ;;
|
||||
|
||||
--iso) iso=$1; shift ;;
|
||||
--sockets) sockets=$1; shift ;;
|
||||
--cores) cores=$1; shift ;;
|
||||
--memory) memory=$1; shift ;;
|
||||
|
||||
-h|-\?|--help) help; exit 0 ;;
|
||||
*) die 'Unknown argument: `%s`.' "$argument" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$username" ] || [ -z "$password" ]; then
|
||||
if [ -f .proxmox ]; then
|
||||
{ read username; read password; } < .proxmox
|
||||
else
|
||||
die 'Required: `--username` and `--password`.\n'
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -z "$vmid" ] && die 'Required: `--vmid`.\n'
|
||||
|
||||
printf 'Configuration:\n'
|
||||
|
||||
printf ' username: %s\n' $username
|
||||
printf ' password: %s\n' $password
|
||||
printf ' vmid: %s\n' $vmid
|
||||
|
||||
readonly iso
|
||||
readonly sockets
|
||||
readonly cores
|
||||
readonly memory
|
||||
|
||||
printf ' iso: %s\n' $iso
|
||||
printf ' sockets: %d\n' $sockets
|
||||
printf ' cores: %d\n' $cores
|
||||
printf ' memory: %d\n' $memory
|
||||
|
||||
################################################################################
|
||||
## Getting started
|
||||
|
||||
readonly apiurl=https://192.168.51.81:8006/api2/json
|
||||
|
||||
## FIXME: There seems to be a problem with file upload where the task is
|
||||
## registered to `node051` no matter what node we are actually uploading to? For
|
||||
## now, let us just use `node051` everywhere.
|
||||
node=node051
|
||||
|
||||
from_response () { echo "$response" | jq -r "$1"; }
|
||||
|
||||
printf 'Authenticating...'
|
||||
response=$(
|
||||
http \
|
||||
--verify no \
|
||||
POST $apiurl/access/ticket \
|
||||
"username=$username" \
|
||||
"password=$password"
|
||||
)
|
||||
readonly csrfToken=$(from_response .data.CSRFPreventionToken)
|
||||
readonly ticket=$(from_response .data.ticket)
|
||||
printf ' done.\n'
|
||||
|
||||
http_ () {
|
||||
response=$(
|
||||
http \
|
||||
--verify no \
|
||||
"$@" \
|
||||
"Cookie:PVEAuthCookie=$ticket" \
|
||||
"CSRFPreventionToken:$csrfToken"
|
||||
)
|
||||
}
|
||||
|
||||
wait_ () {
|
||||
upid=$1
|
||||
while :; do
|
||||
http_ GET $apiurl/nodes/$node/tasks/$upid/status
|
||||
status=$(from_response .data.status)
|
||||
case $status in
|
||||
running) printf '.'; sleep 1 ;;
|
||||
stopped) break ;;
|
||||
*) printf ' unexpected status: `%s`\n' "$status"; exit 2 ;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Upload ISO
|
||||
|
||||
if [ -z "$node" ]; then
|
||||
printf 'Picking random node...'
|
||||
http_ GET $apiurl/nodes
|
||||
node=$(from_response .data[].node | sort -R | head -n 1)
|
||||
printf ' done. Picked `%s`.\n' "$node"
|
||||
fi
|
||||
readonly node
|
||||
|
||||
absiso=$(cd "$(dirname "$iso")"; pwd)/$(basename "$iso")
|
||||
readonly isoname=installer-$vmid.iso
|
||||
|
||||
printf 'Uploading ISO...'
|
||||
ln -sf $absiso /tmp/$isoname
|
||||
http_ --form POST $apiurl/nodes/$node/storage/local/upload \
|
||||
filename@/tmp/$isoname \
|
||||
content==iso
|
||||
rm /tmp/$isoname
|
||||
wait_ $(from_response .data)
|
||||
printf ' done.\n'
|
||||
|
||||
################################################################################
|
||||
## Create VM
|
||||
|
||||
printf 'Creating VM...'
|
||||
|
||||
http_ --form POST $apiurl/nodes/$node/qemu \
|
||||
\
|
||||
vmid==$vmid \
|
||||
name==$(printf 'fedi%03d' $vmid) \
|
||||
pool==Fediversity \
|
||||
\
|
||||
ide2=="local:iso/$isoname,media=cdrom" \
|
||||
ostype==l26 \
|
||||
\
|
||||
bios==ovmf \
|
||||
efidisk0=='linstor_storage:1,efitype=4m' \
|
||||
agent==1 \
|
||||
\
|
||||
scsihw==virtio-scsi-single \
|
||||
scsi0=='linstor_storage:32,discard=on,ssd=on,iothread=on' \
|
||||
\
|
||||
sockets==$sockets \
|
||||
cores==$cores \
|
||||
cpu==x86-64-v2-AES \
|
||||
numa==1 \
|
||||
\
|
||||
memory==$memory \
|
||||
\
|
||||
net0=='virtio,bridge=vnet1306'
|
||||
|
||||
wait_ $(from_response .data)
|
||||
printf ' done.\n'
|
||||
|
||||
################################################################################
|
||||
## Install VM
|
||||
|
||||
printf 'Installing VM...'
|
||||
|
||||
http_ POST $apiurl/nodes/$node/qemu/$vmid/status/start
|
||||
wait_ $(from_response .data)
|
||||
|
||||
while :; do
|
||||
http_ GET $apiurl/nodes/$node/qemu/$vmid/status/current
|
||||
status=$(from_response .data.status)
|
||||
case $status in
|
||||
running) printf '.'; sleep 1 ;;
|
||||
stopped) break ;;
|
||||
*) printf ' unexpected status: `%s`\n' "$status"; exit 2 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
printf 'done.\n'
|
||||
|
||||
################################################################################
|
||||
## Start VM
|
||||
|
||||
printf 'Starting VM...'
|
||||
|
||||
http_ --form POST $apiurl/nodes/$node/qemu/$vmid/config \
|
||||
ide2=='none,media=cdrom' \
|
||||
net0=='virtio,bridge=vnet1305'
|
||||
wait_ $(from_response .data)
|
||||
|
||||
http_ POST $apiurl/nodes/$node/qemu/$vmid/status/start
|
||||
wait_ $(from_response .data)
|
||||
|
||||
printf 'done.\n'
|
|
@ -1,285 +0,0 @@
|
|||
#!/usr/bin/env sh
|
||||
set -euC
|
||||
|
||||
################################################################################
|
||||
## Constants
|
||||
|
||||
readonly apiurl=https://192.168.51.81:8006/api2/json
|
||||
|
||||
## FIXME: There seems to be a problem with file upload where the task is
|
||||
## registered to `node051` no matter what node we are actually uploading to? For
|
||||
## now, let us just use `node051` everywhere.
|
||||
readonly node=node051
|
||||
|
||||
readonly tmpdir=/tmp/proxmox-provision-$RANDOM$RANDOM
|
||||
mkdir $tmpdir
|
||||
|
||||
################################################################################
|
||||
## Parse arguments
|
||||
|
||||
username=
|
||||
password=
|
||||
sockets=1
|
||||
cores=1
|
||||
memory=2048
|
||||
vmids=
|
||||
|
||||
help () {
|
||||
cat <<EOF
|
||||
Usage: $0 [OPTION...] [ID...]
|
||||
|
||||
Authentication options:
|
||||
--username STR Username, with provider (eg. niols@pve)
|
||||
--password STR Password
|
||||
|
||||
If not provided via the command line, username and password will be looked for
|
||||
in a '.proxmox' file in the current working directory, the username on the
|
||||
first line, and the password on the second.
|
||||
|
||||
Other options:
|
||||
--sockets INT Number of sockets (default: $sockets)
|
||||
--cores INT Number of cores (default: $cores)
|
||||
--memory INT Memory (default: $memory)
|
||||
|
||||
Others:
|
||||
-h|-?|--help Show this help and exit
|
||||
EOF
|
||||
}
|
||||
|
||||
die () { printf '\033[31m'; printf "$@"; printf '\033[0m\n'; exit 2; }
|
||||
die_with_help () { printf '\033[31m'; printf "$@"; printf '\033[0m\n'; help; exit 2; }
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
argument=$1
|
||||
shift
|
||||
case $argument in
|
||||
--username) readonly username=$1; shift ;;
|
||||
--password) readonly password=$1; shift ;;
|
||||
|
||||
--sockets) sockets=$1; shift ;;
|
||||
--cores) cores=$1; shift ;;
|
||||
--memory) memory=$1; shift ;;
|
||||
|
||||
-h|-\?|--help) help; exit 0 ;;
|
||||
|
||||
-*) die_with_help 'Unknown argument: `%s`.' "$argument" ;;
|
||||
|
||||
*) vmids="$vmids $argument" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$username" ] || [ -z "$password" ]; then
|
||||
if [ -f .proxmox ]; then
|
||||
{ read username; read password; } < .proxmox
|
||||
else
|
||||
die_with_help 'Required: `--username` and `--password`.\n'
|
||||
fi
|
||||
fi
|
||||
|
||||
readonly sockets
|
||||
readonly cores
|
||||
readonly memory
|
||||
|
||||
## FIXME: When we figure out how to use other nodes than node051.
|
||||
# if [ -z "$node" ]; then
|
||||
# printf 'Picking random node...'
|
||||
# proxmox GET $apiurl/nodes
|
||||
# node=$(from_response .data[].node | sort -R | head -n 1)
|
||||
# printf ' done. Picked `%s`.\n' "$node"
|
||||
# fi
|
||||
# readonly node
|
||||
|
||||
################################################################################
|
||||
## Getting started
|
||||
|
||||
printf 'Authenticating...'
|
||||
response=$(
|
||||
http \
|
||||
--verify no \
|
||||
POST $apiurl/access/ticket \
|
||||
"username=$username" \
|
||||
"password=$password"
|
||||
)
|
||||
readonly ticket=$(echo "$response" | jq -r .data.ticket)
|
||||
readonly csrfToken=$(echo "$response" | jq -r .data.CSRFPreventionToken)
|
||||
printf ' done.\n'
|
||||
|
||||
acquire_lock () {
|
||||
until mkdir $tmpdir/lock-$1 2>/dev/null; do sleep 1; done
|
||||
}
|
||||
release_lock () {
|
||||
rmdir $tmpdir/lock-$1
|
||||
}
|
||||
|
||||
proxmox () {
|
||||
acquire_lock proxmox
|
||||
http \
|
||||
--form \
|
||||
--verify no \
|
||||
--ignore-stdin \
|
||||
"$@" \
|
||||
"Cookie:PVEAuthCookie=$ticket" \
|
||||
"CSRFPreventionToken:$csrfToken"
|
||||
release_lock proxmox
|
||||
}
|
||||
|
||||
## Synchronous variant for when the `proxmox` function would just respond an
|
||||
## UPID in the `data` JSON field.
|
||||
proxmox_sync () (
|
||||
response=$(proxmox "$@")
|
||||
upid=$(echo "$response" | jq -r .data)
|
||||
|
||||
while :; do
|
||||
response=$(proxmox GET $apiurl/nodes/$node/tasks/$upid/status)
|
||||
status=$(echo "$response" | jq -r .data.status)
|
||||
|
||||
case $status in
|
||||
running) sleep 1 ;;
|
||||
stopped) break ;;
|
||||
*) die 'unexpected status: `%s`' "$status" ;;
|
||||
esac
|
||||
done
|
||||
)
|
||||
|
||||
################################################################################
|
||||
## Build ISO
|
||||
|
||||
build_iso () {
|
||||
acquire_lock build
|
||||
printf 'Building ISO for VM %d...\n' $1
|
||||
|
||||
nix build \
|
||||
.#isoInstallers.provisioning.fedi$1 \
|
||||
--log-format raw --quiet \
|
||||
--out-link $tmpdir/installer-fedi$1
|
||||
|
||||
ln -sf $tmpdir/installer-fedi$1/iso/installer.iso $tmpdir/installer-fedi$1.iso
|
||||
|
||||
printf 'done building ISO for VM %d.\n' $1
|
||||
release_lock build
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Upload ISO
|
||||
|
||||
upload_iso () {
|
||||
acquire_lock upload
|
||||
printf 'Uploading ISO for VM %d...\n' $1
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/storage/local/upload \
|
||||
filename@$tmpdir/installer-fedi$1.iso \
|
||||
content==iso
|
||||
|
||||
printf 'done uploading ISO for VM %d.\n' $1
|
||||
release_lock upload
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Remove ISO
|
||||
|
||||
remove_iso () {
|
||||
printf 'Removing ISO for VM %d...\n' $1
|
||||
|
||||
proxmox_sync DELETE $apiurl/nodes/$node/storage/local/content/local:iso/installer-fedi$1.iso
|
||||
|
||||
printf 'done removing ISO for VM %d.\n' $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Create VM
|
||||
|
||||
create_vm () {
|
||||
printf 'Creating VM %d...\n' $1
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/qemu \
|
||||
\
|
||||
vmid==$1 \
|
||||
name=="fedi$1" \
|
||||
pool==Fediversity \
|
||||
\
|
||||
ide2=="local:iso/installer-fedi$1.iso,media=cdrom" \
|
||||
ostype==l26 \
|
||||
\
|
||||
bios==ovmf \
|
||||
efidisk0=='linstor_storage:1,efitype=4m' \
|
||||
agent==1 \
|
||||
\
|
||||
scsihw==virtio-scsi-single \
|
||||
scsi0=='linstor_storage:32,discard=on,ssd=on,iothread=on' \
|
||||
\
|
||||
sockets==$sockets \
|
||||
cores==$cores \
|
||||
cpu==x86-64-v2-AES \
|
||||
numa==1 \
|
||||
\
|
||||
memory==$memory \
|
||||
\
|
||||
net0=='virtio,bridge=vnet1306'
|
||||
|
||||
printf 'done creating VM %d.\n' $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Install VM
|
||||
|
||||
install_vm () (
|
||||
printf 'Installing VM %d...\n' $1
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/qemu/$1/status/start
|
||||
|
||||
while :; do
|
||||
response=$(proxmox GET $apiurl/nodes/$node/qemu/$1/status/current)
|
||||
status=$(echo "$response" | jq -r .data.status)
|
||||
case $status in
|
||||
running) sleep 1 ;;
|
||||
stopped) break ;;
|
||||
*) printf ' unexpected status: `%s`\n' "$status"; exit 2 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
printf 'done installing VM %d.\n' $1
|
||||
)
|
||||
|
||||
################################################################################
|
||||
## Start VM
|
||||
|
||||
start_vm () {
|
||||
printf 'Starting VM %d...\n' $1
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/qemu/$1/config \
|
||||
ide2=='none,media=cdrom' \
|
||||
net0=='virtio,bridge=vnet1305'
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/qemu/$1/status/start
|
||||
|
||||
printf 'done starting VM %d.\n' $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Main loop
|
||||
|
||||
printf 'Provisioning VMs%s with:\n' "$vmids"
|
||||
printf ' sockets: %d\n' $sockets
|
||||
printf ' cores: %d\n' $cores
|
||||
printf ' memory: %d\n' $memory
|
||||
|
||||
provision_vm () {
|
||||
build_iso $1
|
||||
upload_iso $1
|
||||
create_vm $1
|
||||
install_vm $1
|
||||
start_vm $1
|
||||
remove_iso $1
|
||||
}
|
||||
|
||||
for vmid in $vmids; do
|
||||
provision_vm $vmid &
|
||||
done
|
||||
wait
|
||||
|
||||
printf 'done provisioning VMs%s.\n' "$vmids"
|
||||
|
||||
################################################################################
|
||||
## Cleanup
|
||||
|
||||
rm -Rf $tmpdir
|
|
@ -1,163 +0,0 @@
|
|||
#!/usr/bin/env sh
|
||||
set -euC
|
||||
|
||||
################################################################################
|
||||
## Constants
|
||||
|
||||
readonly apiurl=https://192.168.51.81:8006/api2/json
|
||||
|
||||
## FIXME: There seems to be a problem with file upload where the task is
|
||||
## registered to `node051` no matter what node we are actually uploading to? For
|
||||
## now, let us just use `node051` everywhere.
|
||||
readonly node=node051
|
||||
|
||||
readonly tmpdir=/tmp/proxmox-provision-$RANDOM$RANDOM
|
||||
mkdir $tmpdir
|
||||
|
||||
################################################################################
|
||||
## Parse arguments
|
||||
|
||||
username=
|
||||
password=
|
||||
vmids=
|
||||
|
||||
help () {
|
||||
cat <<EOF
|
||||
Usage: $0 [OPTION...] [ID...]
|
||||
|
||||
Authentication options:
|
||||
--username STR Username, with provider (eg. niols@pve)
|
||||
--password STR Password
|
||||
|
||||
If not provided via the command line, username and password will be looked for
|
||||
in a '.proxmox' file in the current working directory, the username on the
|
||||
first line, and the password on the second.
|
||||
|
||||
Others:
|
||||
-h|-?|--help Show this help and exit
|
||||
EOF
|
||||
}
|
||||
|
||||
die () { printf '\033[31m'; printf "$@"; printf '\033[0m\n'; exit 2; }
|
||||
die_with_help () { printf '\033[31m'; printf "$@"; printf '\033[0m\n'; help; exit 2; }
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
argument=$1
|
||||
shift
|
||||
case $argument in
|
||||
--username) readonly username=$1; shift ;;
|
||||
--password) readonly password=$1; shift ;;
|
||||
|
||||
-h|-\?|--help) help; exit 0 ;;
|
||||
|
||||
-*) die_with_help 'Unknown argument: `%s`.' "$argument" ;;
|
||||
|
||||
*) vmids="$vmids $argument" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$username" ] || [ -z "$password" ]; then
|
||||
if [ -f .proxmox ]; then
|
||||
{ read username; read password; } < .proxmox
|
||||
else
|
||||
die_with_help 'Required: `--username` and `--password`.\n'
|
||||
fi
|
||||
fi
|
||||
|
||||
################################################################################
|
||||
## Getting started
|
||||
|
||||
printf 'Authenticating...'
|
||||
response=$(
|
||||
http \
|
||||
--verify no \
|
||||
POST $apiurl/access/ticket \
|
||||
"username=$username" \
|
||||
"password=$password"
|
||||
)
|
||||
readonly ticket=$(echo "$response" | jq -r .data.ticket)
|
||||
readonly csrfToken=$(echo "$response" | jq -r .data.CSRFPreventionToken)
|
||||
printf ' done.\n'
|
||||
|
||||
acquire_lock () {
|
||||
until mkdir $tmpdir/lock-$1 2>/dev/null; do sleep 1; done
|
||||
}
|
||||
release_lock () {
|
||||
rmdir $tmpdir/lock-$1
|
||||
}
|
||||
|
||||
proxmox () {
|
||||
acquire_lock proxmox
|
||||
http \
|
||||
--verify no \
|
||||
--form \
|
||||
"$@" \
|
||||
"Cookie:PVEAuthCookie=$ticket" \
|
||||
"CSRFPreventionToken:$csrfToken"
|
||||
release_lock proxmox
|
||||
}
|
||||
|
||||
## Synchronous variant for when the `proxmox` function would just respond an
|
||||
## UPID in the `data` JSON field.
|
||||
proxmox_sync () (
|
||||
response=$(proxmox "$@")
|
||||
upid=$(echo "$response" | jq -r .data)
|
||||
|
||||
while :; do
|
||||
response=$(proxmox GET $apiurl/nodes/$node/tasks/$upid/status)
|
||||
status=$(echo "$response" | jq -r .data.status)
|
||||
|
||||
case $status in
|
||||
running) sleep 1 ;;
|
||||
stopped) break ;;
|
||||
*) die 'unexpected status: `%s`' "$status" ;;
|
||||
esac
|
||||
done
|
||||
)
|
||||
|
||||
################################################################################
|
||||
## Stop VM
|
||||
|
||||
stop_vm () {
|
||||
printf 'Stopping VM %d...\n' $1
|
||||
|
||||
proxmox_sync POST $apiurl/nodes/$node/qemu/$1/status/stop \
|
||||
'overrule-shutdown'==1
|
||||
|
||||
printf 'done stopping VM %d.\n' $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Delete VM
|
||||
|
||||
delete_vm () {
|
||||
printf 'Deleting VM %d...\n' $1
|
||||
|
||||
proxmox_sync DELETE $apiurl/nodes/$node/qemu/$1 \
|
||||
'destroy-unreferenced-disks'==1 \
|
||||
'purge'==1
|
||||
|
||||
printf 'done deleting VM %d.\n' $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
## Main loop
|
||||
|
||||
printf 'Removing VMs%s...\n' "$vmids"
|
||||
|
||||
remove_vm () {
|
||||
stop_vm $1
|
||||
delete_vm $1
|
||||
}
|
||||
|
||||
for vmid in $vmids; do
|
||||
remove_vm $vmid &
|
||||
done
|
||||
wait
|
||||
|
||||
printf 'done removing VMs%s.\n' "$vmids"
|
||||
|
||||
################################################################################
|
||||
## Cleanup
|
||||
|
||||
rm -Rf $tmpdir
|
82
flake.nix
82
flake.nix
|
@ -1,82 +0,0 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
git-hooks.url = "github:cachix/git-hooks.nix";
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
|
||||
disko.url = "github:nix-community/disko";
|
||||
|
||||
nixops4.url = "github:nixops4/nixops4";
|
||||
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
|
||||
};
|
||||
|
||||
outputs =
|
||||
inputs@{ flake-parts, ... }:
|
||||
flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
"x86_64-darwin"
|
||||
"aarch64-darwin"
|
||||
];
|
||||
|
||||
imports = [
|
||||
inputs.git-hooks.flakeModule
|
||||
inputs.nixops4.modules.flake.default
|
||||
|
||||
./deployment/flake-part.nix
|
||||
./infra/flake-part.nix
|
||||
./services/flake-part.nix
|
||||
];
|
||||
|
||||
perSystem =
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
inputs',
|
||||
...
|
||||
}:
|
||||
{
|
||||
formatter = pkgs.nixfmt-rfc-style;
|
||||
|
||||
pre-commit.settings.hooks =
|
||||
## Not everybody might want pre-commit hooks, so we make them
|
||||
## opt-in. Maybe one day we will decide to have them everywhere.
|
||||
let
|
||||
inherit (builtins) concatStringsSep;
|
||||
optin = [
|
||||
"deployment"
|
||||
"infra"
|
||||
"keys"
|
||||
"secrets"
|
||||
"services"
|
||||
];
|
||||
files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
|
||||
in
|
||||
{
|
||||
nixfmt-rfc-style = {
|
||||
enable = true;
|
||||
inherit files;
|
||||
};
|
||||
deadnix = {
|
||||
enable = true;
|
||||
inherit files;
|
||||
};
|
||||
trim-trailing-whitespace = {
|
||||
enable = true;
|
||||
inherit files;
|
||||
};
|
||||
};
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = [
|
||||
pkgs.nil
|
||||
inputs'.agenix.packages.default
|
||||
inputs'.nixops4.packages.default
|
||||
];
|
||||
shellHook = config.pre-commit.installationScript;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,58 +0,0 @@
|
|||
#+title: Infra
|
||||
|
||||
This directory contains the definition of the VMs that host our infrastructure.
|
||||
|
||||
* NixOps4
|
||||
|
||||
Their configuration can be updated via NixOps4. Run
|
||||
|
||||
#+begin_src sh
|
||||
nixops4 deployments list
|
||||
#+end_src
|
||||
|
||||
to see the available deployments. This should be done from the root of the
|
||||
repository, otherwise NixOps4 will fail with something like:
|
||||
|
||||
#+begin_src
|
||||
nixops4 error: evaluation: error:
|
||||
… while calling the 'getFlake' builtin
|
||||
|
||||
error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error:
|
||||
… while calling the 'getFlake' builtin
|
||||
|
||||
error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist
|
||||
#+end_src
|
||||
|
||||
Then, given a deployment (eg. ~git~), run
|
||||
|
||||
#+begin_src sh
|
||||
nixops4 apply <deployment>
|
||||
#+end_src
|
||||
|
||||
Alternatively, to run the ~default~ deployment, run
|
||||
|
||||
#+begin_src sh
|
||||
nixops4 apply
|
||||
#+end_src
|
||||
|
||||
* Deployments
|
||||
|
||||
- default :: Contains everything
|
||||
- ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
|
||||
runners
|
||||
- ~web~ :: Machines hosting our online content, eg. the website or the wiki
|
||||
- ~other~ :: Machines without a specific purpose
|
||||
|
||||
* Machines
|
||||
|
||||
These machines are hosted on the Procolix Proxmox instance, to which
|
||||
non-Procolix members of the project do not have access. They host our stable
|
||||
infrastructure.
|
||||
|
||||
| Machine | Proxmox | Description | Deployment |
|
||||
|---------+-------------+------------------------+------------|
|
||||
| vm02116 | Procolix | Forgejo | ~git~ |
|
||||
| vm02179 | Procolix | /unused/ | ~other~ |
|
||||
| vm02186 | Procolix | /unused/ | ~other~ |
|
||||
| vm02187 | Procolix | Wiki | ~web~ |
|
||||
| fedi300 | Fediversity | Forgejo actions runner | ~git~ |
|
|
@ -1,44 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkDefault;
|
||||
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./hardware.nix
|
||||
./networking.nix
|
||||
./users.nix
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
system.stateVersion = "24.05"; # do not change
|
||||
nixpkgs.hostPlatform = mkDefault "x86_64-linux";
|
||||
|
||||
## This is just nice to have, but it is also particularly important for the
|
||||
## Forgejo CI runners because the Nix configuration in the actions is directly
|
||||
## taken from here.
|
||||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
(pkgs.vim_configurable.customize {
|
||||
name = "vim";
|
||||
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
|
||||
start = [ vim-nix ]; # load plugin on startup
|
||||
};
|
||||
vimrcConfig.customRC = ''
|
||||
" your custom vimrc
|
||||
set nocompatible
|
||||
set backspace=indent,eol,start
|
||||
" Turn on syntax highlighting by default
|
||||
syntax on
|
||||
" ...
|
||||
'';
|
||||
})
|
||||
wget
|
||||
subversion
|
||||
];
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
{ modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
kernelModules = [ "dm-snapshot" ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkDefault;
|
||||
|
||||
in
|
||||
{
|
||||
config = {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = config.procolixVm.name;
|
||||
domain = config.procolixVm.domain;
|
||||
|
||||
## REVIEW: Do we actually need that, considering that we have static IPs?
|
||||
useDHCP = mkDefault true;
|
||||
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4 = {
|
||||
addresses = [
|
||||
{
|
||||
inherit (config.procolixVm.ipv4) address prefixLength;
|
||||
}
|
||||
];
|
||||
};
|
||||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
inherit (config.procolixVm.ipv6) address prefixLength;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
defaultGateway = {
|
||||
address = config.procolixVm.ipv4.gateway;
|
||||
interface = "eth0";
|
||||
};
|
||||
defaultGateway6 = {
|
||||
address = config.procolixVm.ipv6.gateway;
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
nameservers = [
|
||||
"95.215.185.6"
|
||||
"95.215.185.7"
|
||||
"2a00:51c0::5fd7:b906"
|
||||
"2a00:51c0::5fd7:b907"
|
||||
];
|
||||
|
||||
firewall.enable = false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
rulesetFile = ./nftables-ruleset.nft;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
|
||||
########### define usefull variables here #####################
|
||||
|
||||
define wan = eth0
|
||||
define ssh_allow = {
|
||||
83.161.147.127/32, # host801 ipv4
|
||||
95.215.185.92/32, # host088 ipv4
|
||||
95.215.185.211/32, # host089 ipv4
|
||||
95.215.185.34/32, # nagios2 ipv4
|
||||
95.215.185.235/32, # ansible-hq
|
||||
}
|
||||
define snmp_allow = {
|
||||
95.215.185.31/32, # cacti ipv4
|
||||
}
|
||||
define nrpe_allow = {
|
||||
95.215.185.34/32, # nagios2 ipv4
|
||||
}
|
||||
|
||||
########### here starts the automated bit #####################
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
|
||||
# established/related connections
|
||||
ct state established,related accept
|
||||
ct state invalid drop
|
||||
|
||||
# Limit ping requests.
|
||||
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
|
||||
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
|
||||
|
||||
# loopback interface
|
||||
iifname lo accept
|
||||
|
||||
# icmp
|
||||
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
|
||||
# Without the nd-* ones ipv6 will not work.
|
||||
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
|
||||
|
||||
# open tcp ports: sshd (22)
|
||||
tcp dport {ssh} accept
|
||||
|
||||
# open tcp ports: snmp (161)
|
||||
ip saddr $snmp_allow udp dport {snmp} accept
|
||||
|
||||
# open tcp ports: nrpe (5666)
|
||||
ip saddr $nrpe_allow tcp dport {nrpe} accept
|
||||
|
||||
# open tcp ports: http (80,443)
|
||||
tcp dport {http,https} accept
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
}
|
||||
}
|
||||
|
||||
table ip nat {
|
||||
chain postrouting {
|
||||
}
|
||||
chain prerouting {
|
||||
}
|
||||
}
|
|
@ -1,33 +0,0 @@
|
|||
{
|
||||
users.users = {
|
||||
procolix = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPassword = "$y$j9T$UH8Dh/poTCCZ3PXk43au6/$iYen8VUEVvv7SIPqteNtTPKktLxny3TbqvjUwhvi.6B";
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
|
||||
];
|
||||
};
|
||||
|
||||
niols = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||