# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

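# NixOS host configuration for blade-tuvok.
#
# What this file sets up, as far as it is visible here:
#   * static public IPv4/IPv6 addressing on en-internet, with TCP 80/443 open
#   * a Ceph monitor and one OSD
#   * nginx terminating TLS for objdump.zxcvbnm.ninja and proxying everything
#     to a backend on localhost:7480
#   * an ACME certificate (including a wildcard) issued via a DNS provider
#   * keepalived holding a VRRP virtual IP on br-mgmt
#
# Shared behaviour comes from ../lib/blade.nix and ../lib/fup.nix, which are
# not shown here; any firewall openings or listeners they add are in addition
# to what is declared below.
{ depot, lib, pkgs, rebuilder, config, ... }:
let
  inherit (depot.ops) secrets;
in {
  imports = [
    ../lib/blade.nix
    ../lib/fup.nix
  ];

  boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101cabb1ebdbdc0fd7b18edd207d43717c39c4a59d1b138b363e315841eca15743400000000000000000000443273100087260091558107b6a8e06e-0:0";

  # Networking!
  networking = {
    hostName = "blade-tuvok";
    hostId = "525229f7";
    interfaces.en-internet.ipv4.addresses = [{
      address = "195.74.55.21";
      prefixLength = 31;
    }];
    interfaces.en-internet.ipv6.addresses = [{
      address = "2a03:ee40:8080:9:1::2";
      prefixLength = 126;
    }];
    defaultGateway = "195.74.55.20";
    defaultGateway6 = "2a03:ee40:8080:9:1::1";
    # Only HTTP and HTTPS are opened by this file. These ports are opened on
    # every interface, not just en-internet.
    firewall.allowedTCPPorts = [ 80 443 ];
    # Accept VRRP advertisements arriving on the management bridge (needed by
    # the keepalived instance below).
    #
    # The rule goes into the NixOS-managed nixos-fw chain rather than INPUT:
    # the firewall start script flushes and recreates nixos-fw on every
    # (re)start but never cleans INPUT, so a rule appended to INPUT piles up
    # one copy per firewall restart and keeps accepting traffic after this
    # line has been removed from the configuration, until the next reboot.
    # extraCommands runs before the chain's final refuse rule is added, so the
    # accept below still takes effect.
    firewall.extraCommands = "iptables -A nixos-fw -p vrrp -i br-mgmt -j nixos-fw-accept";
  };
  my.ip.tailscale = "100.119.123.33";
  my.blade.bay = 6;
  my.blade.macAddress = {
    internal = "e4:11:5b:ac:e3:fe";
    storage = "e4:11:5b:ac:e4:02";
    internet = "e4:11:5b:ac:e4:00";
  };

  # This host runs a Ceph monitor and OSD daemon "3".
  # NOTE(review): no Ceph ports are opened in allowedTCPPorts above, so
  # cluster traffic is presumably permitted per-interface by ../lib/blade.nix.
  # Confirm that the mon/OSD listeners are not reachable via en-internet.
  services.ceph = {
    mon.enable = true;
    osd = {
      enable = true;
      daemons = [ "3" ];
    };
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    virtualHosts."objdump.zxcvbnm.ninja" = {
      useACMEHost = "objdump.zxcvbnm.ninja";
      # default = true makes this the catch-all vhost, so requests for any
      # Host header (including the wildcard subdomains on the certificate)
      # are forwarded to the backend below.
      default = true;
      # Plain-HTTP requests are redirected to HTTPS.
      forceSSL = true;
      locations."/" = {
        # Backend is reached over unencrypted HTTP on loopback only.
        # NOTE(review): port 7480 is presumably the Ceph object gateway;
        # confirm it binds to loopback and is not reachable directly.
        proxyPass = "http://localhost:7480";
        # client_max_body_size 0 removes nginx's request-body size limit, so
        # any client that can reach this vhost may send arbitrarily large
        # uploads; size and quota enforcement rests entirely on the backend.
        # proxy_buffering off streams backend responses straight to the
        # client instead of buffering them in nginx.
        extraConfig = ''
          proxy_redirect off;
          client_max_body_size 0;
          proxy_buffering off;
        '';
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    email = "letsencrypt@lukegb.com";
    certs."objdump.zxcvbnm.ninja" = {
      # Certificate files are group-owned by nginx's group so nginx can read
      # the private key.
      group = config.services.nginx.group;
      # Issued through a DNS challenge using Cloudflare API credentials; the
      # wildcard name below cannot be validated over HTTP.
      dnsProvider = "cloudflare";
      # NOTE(review): confirm secrets.cloudflareCredentials resolves to a
      # runtime path outside the world-readable Nix store, and that the API
      # token it holds is limited to DNS edits on this zone.
      credentialsFile = secrets.cloudflareCredentials;
      extraDomainNames = [
        "*.objdump.zxcvbnm.ninja"
      ];
    };
  };
  # Listen addresses for the fup module (../lib/fup.nix, not shown): all IPv4
  # and all IPv6 addresses.
  # NOTE(review): that covers the management and Tailscale addresses as well
  # as the public ones; which port is bound, and how it is exposed, is
  # decided in ../lib/fup.nix. Confirm the wildcard bind is intended.
  my.fup.listen = [
    "0.0.0.0" "[::]"
  ];

  # keepalived advertises 10.100.0.1/23 on br-mgmt via VRRP (router id 1,
  # priority 50, starting as MASTER).
  # NOTE(review): neither VRRP authentication nor unicast peers are set here,
  # and the firewall rule above accepts VRRP from any source on br-mgmt, so
  # ownership of the gateway address depends on every host on that segment
  # being trusted. If that is not guaranteed, consider unicastPeers plus a
  # source-address match in the firewall rule.
  services.keepalived = {
    enable = true;
    vrrpInstances.mgmtGateway = {
      interface = "br-mgmt";
      state = "MASTER";
      priority = 50;
      virtualIps = [{ addr = "10.100.0.1/23"; }];
      virtualRouterId = 1;
    };
  };
}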