ops/nixos: rm marukuru
This commit is contained in:
parent
2495e3f88b
commit
6ab12dcad5
5 changed files with 2 additions and 191 deletions
@ -18,7 +18,6 @@ let
|
|||
systems = [
|
||||
"porcorosso"
|
||||
"howl"
|
||||
"marukuru"
|
||||
"clouvider-fra01"
|
||||
"totoro"
|
||||
"swann"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
; SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 42 600 450 3600 300
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 43 600 450 3600 300
|
||||
|
||||
; NB: this are also glue records in Google Domains.
|
||||
$INCLUDE tmpl.ns
|
||||
|
@ -54,10 +54,6 @@ etheroute-lon01 3600 IN A 83.97.19.68
|
|||
etheroute-lon01 3600 IN AAAA 2a07:242:800:64::68
|
||||
etheroute-lon01.int 3600 IN A 100.111.191.21
|
||||
|
||||
marukuru 3600 IN A 103.105.48.15
|
||||
marukuru 3600 IN AAAA 2402:28c0:4:104e::1
|
||||
marukuru.int 3600 IN A 100.98.193.46
|
||||
|
||||
kusakabe 3600 IN A 188.165.197.49
|
||||
kusakabe 3600 IN AAAA 2001:41d0:2:8e31::1
|
||||
kusakabe.int 3600 IN A 100.101.38.52
|
||||
|
|
|
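Review bot: The marukuru A, AAAA and .int records are dropped here, but the host also signed mail for hg.lukegb.com with DKIM selector `marukuru` (see the `services.opendkim` block of the module deleted in this commit), and the matching `marukuru._domainkey` TXT record, if it is published in the hg.lukegb.com zone, is not touched by this change and would leave a key for a decommissioned signer in DNS. Retiring that selector record together with these host records keeps the published DKIM keys matched to live signers. The SOA serial bump in the first hunk of this file is consistent with the record change.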
@ -44,7 +44,6 @@ in
|
|||
extraOptions.setEnv = "TERM=xterm-256color";
|
||||
};
|
||||
in ({
|
||||
marukuru.port = 20022;
|
||||
sar1 = {
|
||||
hostname = "81.131.50.219";
|
||||
extraOptions.setEnv = "TERM=xterm-256color";
|
||||
|
|
|
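Review bot: Dropping `marukuru.port = 20022;` retires the client-side SSH entry, but the credentials the deleted module provisioned onto the host — `depot.ops.secrets.deployer.privateKey`, the gitlab-runner `registrationToken` written to /etc/secrets/gitlab-runner-registration, and the nixCache AWS key pair placed in the container's nix envVars — are not rotated or revoked anywhere in this commit. If the VM is being released to the provider rather than wiped, those secrets should be treated as exposed and rotated in `depot.ops.secrets`; recording in the commit message that rotation was done (or is tracked elsewhere) would make the decommission auditable. The enclosing `let … in ({` expression starts before and ends after this hunk.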
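--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,183 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
-#
-# SPDX-License-Identifier: Apache-2.0
-
-{ depot, lib, pkgs, rebuilder, config, ... }:
-let
-inherit (depot.ops) secrets;
-in {
-imports = [
-../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
-../lib/low-space.nix
-];
-boot.kernelModules = [ "tcp_bbr" ];
-boot.kernel.sysctl = {
-"net.ipv6.conf.default.accept_ra" = 2;
-"net.ipv6.conf.all.accept_ra" = 2;
-"net.ipv6.conf.eth0.accept_ra" = 2;
-};
-
-fileSystems = {
-"/" = {
-device = "/dev/vda1";
-fsType = "ext4";
-};
-};
-
-nix.maxJobs = lib.mkDefault 2;
-hardware.enableRedistributableFirmware = true;
-
-nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
-
-# Use GRUB2.
-boot.loader.grub.enable = true;
-boot.loader.grub.version = 2;
-boot.loader.grub.device = "/dev/vda";
-
-# Networking!
-networking = {
-hostName = "marukuru"; # Define your hostname.
-domain = "lukegb.xyz";
-nameservers = ["2001:4860:4860::8888" "8.8.8.8"];
-useDHCP = false;
-defaultGateway = {
-address = "103.105.48.1"; interface = "eth0";
-};
-dhcpcd.enable = false;
-usePredictableInterfaceNames = true;
-interfaces = {
-eth0 = {
-ipv4.addresses = [
-{ address="103.105.48.15"; prefixLength=24; }
-];
-ipv6.addresses = [
-{ address="2402:28c0:4:104e::1"; prefixLength=64; }
-];
-};
-};
-};
-my.ip.tailscale = "100.98.193.46";
-services.udev.extraRules = ''
-ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0"
-'';
-
-# List packages installed in system profile. To search, run:
-# $ nix search wget
-environment.systemPackages = with pkgs; [];
-
-services.openssh.ports = [ 20022 ];
-my.deploy.args = "-p 20022";
-my.rundeck.hostname = "${config.networking.fqdn}:20022";
-
-networking.firewall = {
-interfaces.docker0.allowedTCPPorts = [ 25 ];
-allowedTCPPorts = [ 22 80 443 20022 ];
-# allowedUDPPorts = [];
-allowPing = true;
-};
-
-# Define a user account.
-users.mutableUsers = false;
-users.users = {
-root.hashedPassword = secrets.passwordHashes.root;
-lukegb = {
-isNormalUser = true;
-uid = 1000;
-extraGroups = [ "wheel" ];
-hashedPassword = secrets.passwordHashes.root;
-};
-postfix = {
-extraGroups = [ "opendkim" ];
-};
-};
-
-services.postfix = {
-enable = true;
-domain = "hg.lukegb.com";
-hostname = "hg.lukegb.com";
-extraConfig = ''
-milter_protocol = 2
-milter_default_action = accept
-smtpd_milters = ${config.services.opendkim.socket}
-non_smtpd_milters = ${config.services.opendkim.socket}
-'';
-networks = [ "172.17.0.0/16" ];
-};
-services.opendkim = {
-enable = true;
-domains = "csl:hg.lukegb.com";
-selector = "marukuru";
-};
-
-virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
-
-# Container networking.
-networking.nat = {
-enable = true;
-internalInterfaces = [ "ve-+" ];
-externalInterface = "eth0";
-};
-networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
-
-containers.deployer = {
-config = { config, pkgs, ... }: {
-imports = [
-../lib/low-space.nix
-];
-networking.hosts = depot.ops.nixos.tailscaleIPs;
-nix = {
-binaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
-trustedBinaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
-envVars = {
-AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
-AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
-};
-};
-environment.etc."secrets/gitlab-runner-registration" = {
-text = ''
-CI_SERVER_URL=https://hg.lukegb.com
-REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
-'';
-mode = "0600";
-};
-services.gitlab-runner = {
-enable = true;
-concurrent = 4;
-services = {
-deployer = {
-registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
-executor = "shell";
-tagList = [ "deployer" ];
-};
-};
-gracefulTermination = true;
-gracefulTimeout = "4min";
-package = depot.nix.pkgs.heptapod-runner;
-};
-users.users.gitlab-runner = {
-isNormalUser = true;
-group = "nogroup";
-createHome = true;
-home = "/srv/gitlab-runner";
-};
-system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
-mkdir -p /srv/gitlab-runner/.ssh
-chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
-chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
-cp "${pkgs.writeTextFile {
-name = "gitlab-runner-key";
-destination = "/private/id_ed25519";
-text = depot.ops.secrets.deployer.privateKey;
-}}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
-chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
-chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
-'';
-environment.systemPackages = with pkgs; [
-vim rxvt_unicode.terminfo rsync jq
-depot.nix.pkgs.heptapod-runner-mercurial
-];
-};
-};
-
-system.stateVersion = "20.03";
-}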
@ -298,7 +298,7 @@ in {
|
|||
|
||||
# Systems
|
||||
- alert: NodeExporterDown
|
||||
expr: up{exporter="node", system=~"(blade-(tuvok|paris|janeway|torres)|kusakabe|marukuru|swann|totoro|clouvider-.*|etheroute-.*)"} < 1
|
||||
expr: up{exporter="node", system=~"(blade-(tuvok|paris|janeway|torres)|kusakabe|swann|totoro|clouvider-.*|etheroute-.*)"} < 1
|
||||
for: 30m
|
||||
labels:
|
||||
severity: page
|
||||
|
|
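Review bot: The NodeExporterDown matcher hard-codes the monitored host list a second time, duplicating the `systems` list edited in the first hunk of this commit, so every host addition or removal needs two coordinated edits and a missed one either silently stops alerting for a live host or keeps paging for a dead one. Since the rules file lives in the same depot, consider generating the `system=~` alternation from that list; failing that, a comment next to the expr such as `# NOTE: keep in sync with the ops/nixos systems list` would at least flag the coupling to the next editor. The rule group this alert belongs to starts outside the hunk.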