feat(servers): move oksys services to cluster
This commit is contained in:
parent
6dc386046b
commit
8cd7cf258c
8 changed files with 76 additions and 40 deletions
|
@ -1,5 +1,7 @@
|
||||||
deviceName: {config, ...}: let
|
deviceName: {config, ...}: let
|
||||||
inherit (config.vars) mainUser hostName;
|
inherit (config.vars) mainUser hostName;
|
||||||
|
|
||||||
|
clusterIP = (builtins.elemAt config.services.pacemaker.resources.caddy.virtualIps 0).ip;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
@ -34,6 +36,10 @@ in {
|
||||||
networking = {
|
networking = {
|
||||||
inherit hostName;
|
inherit hostName;
|
||||||
resolvconf.enable = true;
|
resolvconf.enable = true;
|
||||||
|
nameservers = [
|
||||||
|
clusterIP
|
||||||
|
"1.0.0.1"
|
||||||
|
];
|
||||||
firewall.enable = false;
|
firewall.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
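Review bot: The new `nameservers = [ clusterIP "1.0.0.1" ];` in the `networking` hunk (`@ -34,6 +36,10`) puts a public resolver straight behind the cluster VIP with no resolver options, so whenever the VIP stops answering the glibc resolver will fall through to `1.0.0.1`, and at that moment every split-horizon name the cluster serves (such as the `nelim.org` local-data rewritten elsewhere in this commit) resolves to its public address instead, over plaintext DNS on the LAN. If the fallback is deliberate, say so next to it: `# 1.0.0.1 is a last-resort fallback; queries that reach it bypass the cluster's local-data`. If it is only there for bootstrap, consider dropping it and relying on the VIP failover that the pacemaker resources already provide. The `clusterIP` let-binding at the top of the file reads `(builtins.elemAt ... virtualIps 0).ip`, which will throw at evaluation time if the caddy resource has no virtual IPs; a short comment stating that the first VIP is the cluster address would make that dependency explicit.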
|
@ -8,6 +8,8 @@
|
||||||
inherit (config.sops) secrets;
|
inherit (config.sops) secrets;
|
||||||
|
|
||||||
caddy = caddy-plugins.packages.${pkgs.system}.default;
|
caddy = caddy-plugins.packages.${pkgs.system}.default;
|
||||||
|
|
||||||
|
clusterIP = (builtins.elemAt config.services.pacemaker.resources.caddy.virtualIps 0).ip;
|
||||||
in {
|
in {
|
||||||
imports = [caddy-plugins.nixosModules.default];
|
imports = [caddy-plugins.nixosModules.default];
|
||||||
|
|
||||||
|
@ -33,7 +35,6 @@ in {
|
||||||
dockerIP = "10.0.0.122";
|
dockerIP = "10.0.0.122";
|
||||||
jellyIP = "10.0.0.123";
|
jellyIP = "10.0.0.123";
|
||||||
servivi = "10.0.0.249";
|
servivi = "10.0.0.249";
|
||||||
oksysIP = "10.0.0.213";
|
|
||||||
in {
|
in {
|
||||||
"nelim.org" = {
|
"nelim.org" = {
|
||||||
serverAliases = ["*.nelim.org"];
|
serverAliases = ["*.nelim.org"];
|
||||||
|
@ -48,7 +49,7 @@ in {
|
||||||
# Misc one-liners
|
# Misc one-liners
|
||||||
vault.reverseProxy = "${dockerIP}:8781";
|
vault.reverseProxy = "${dockerIP}:8781";
|
||||||
hauk.reverseProxy = "${dockerIP}:3003";
|
hauk.reverseProxy = "${dockerIP}:3003";
|
||||||
headscale.reverseProxy = "${oksysIP}:8085";
|
headscale.reverseProxy = "${clusterIP}:8085";
|
||||||
jelly.reverseProxy = "${jellyIP}:80";
|
jelly.reverseProxy = "${jellyIP}:80";
|
||||||
|
|
||||||
# Resume builder
|
# Resume builder
|
||||||
|
|
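Review bot: The binding `clusterIP = (builtins.elemAt config.services.pacemaker.resources.caddy.virtualIps 0).ip;` added at the top of this section is repeated verbatim in the host config and in the headscale module of the same commit, so the convention "the cluster address is the first virtual IP of the caddy resource" is now encoded in three places that can drift independently. Expose it once, for example as a `config.vars.clusterIP` option next to the existing `mainUser`/`hostName` that these files already `inherit (config.vars)`, and have each consumer write `inherit (config.vars) clusterIP;`. The `servivi = "10.0.0.249";` alias kept in this file is likewise re-typed as a bare literal (`host = "10.0.0.249";`) in the cluster module's NFS mounts, so the same hoisting would remove that second copy as well. The `headscale.reverseProxy = "${clusterIP}:8085";` target itself looks consistent with the headscale listener moving to the VIP, and the enclosing attrset continues outside the hunk.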
|
@ -6,8 +6,10 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit (builtins) readFile;
|
inherit (builtins) readFile;
|
||||||
inherit (config.vars) mainUser;
|
inherit (config.vars) mainUser hostName;
|
||||||
headscale-flake = headscale.packages.${pkgs.system}.headscale;
|
headscale-flake = headscale.packages.${pkgs.system}.headscale;
|
||||||
|
|
||||||
|
clusterIP = (builtins.elemAt config.services.pacemaker.resources.caddy.virtualIps 0).ip;
|
||||||
in {
|
in {
|
||||||
environment.systemPackages = [headscale-flake];
|
environment.systemPackages = [headscale-flake];
|
||||||
users.users.${mainUser}.extraGroups = ["headscale"];
|
users.users.${mainUser}.extraGroups = ["headscale"];
|
||||||
|
@ -19,7 +21,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = headscale-flake;
|
package = headscale-flake;
|
||||||
|
|
||||||
address = "10.0.0.213";
|
address = clusterIP;
|
||||||
port = 8085;
|
port = 8085;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -36,10 +38,15 @@ in {
|
||||||
private_key_path = "/var/lib/headscale/private.key";
|
private_key_path = "/var/lib/headscale/private.key";
|
||||||
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
||||||
|
|
||||||
dns_config = {
|
dns_config = let
|
||||||
|
caddyIp =
|
||||||
|
if hostName == "thingone"
|
||||||
|
then "100.64.0.8"
|
||||||
|
else "100.64.0.9";
|
||||||
|
in {
|
||||||
magic_dns = false;
|
magic_dns = false;
|
||||||
override_local_dns = true;
|
override_local_dns = true;
|
||||||
nameservers = ["100.64.0.1"];
|
nameservers = [caddyIp];
|
||||||
};
|
};
|
||||||
|
|
||||||
derp = {
|
derp = {
|
||||||
|
@ -47,7 +54,7 @@ in {
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
stun_listen_addr = "0.0.0.0:3479";
|
stun_listen_addr = "${clusterIP}:3479";
|
||||||
private_key_path = "/var/lib/headscale/derp_server_private.key";
|
private_key_path = "/var/lib/headscale/derp_server_private.key";
|
||||||
|
|
||||||
region_id = 995;
|
region_id = 995;
|
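Review bot: In the `dns_config` hunk (`@ -36,10 +38,15`) the resolver advertised to every tailnet client is chosen by `if hostName == "thingone" then "100.64.0.8" else "100.64.0.9"`, so any host other than `thingone` that evaluates this module silently advertises the second address, and the identical literal pair is duplicated in the unbound module of this commit. Replace the catch-all `else` with an explicit lookup keyed on the known node names, e.g. `caddyIp = { thingone = "100.64.0.8"; <second-node> = "100.64.0.9"; }.${hostName};`, so an unexpected `hostName` fails at evaluation time instead of handing clients a neighbour's address, and define that map once where both modules can read it. A why-comment is also missing: these appear to be per-node tailscale addresses rather than the cluster VIP, which matters because `override_local_dns = true` forces clients onto whichever one they receive, so note the intent, e.g. `# tailscale address of this node's own resolver (not the cluster VIP) — TODO confirm behaviour after failover`. The `settings` attrset this sits in begins and ends outside the hunk.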
|
@ -3,15 +3,22 @@
|
||||||
./options.nix
|
./options.nix
|
||||||
../corosync.nix
|
../corosync.nix
|
||||||
|
|
||||||
|
../blocky.nix
|
||||||
../caddy.nix
|
../caddy.nix
|
||||||
|
../headscale
|
||||||
|
../unbound.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# TODO: update script
|
# TODO: update script
|
||||||
services = {
|
services.pacemaker = {
|
||||||
pacemaker = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
resources = {
|
resources = {
|
||||||
|
"blocky" = {
|
||||||
|
enable = true;
|
||||||
|
dependsOn = ["unbound"];
|
||||||
|
};
|
||||||
|
|
||||||
"caddy" = {
|
"caddy" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualIps = [
|
virtualIps = [
|
||||||
|
@ -22,23 +29,45 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"headscale" = {
|
||||||
|
enable = true;
|
||||||
|
dependsOn = ["caddy"];
|
||||||
|
};
|
||||||
|
|
||||||
|
"unbound" = {
|
||||||
|
enable = true;
|
||||||
|
dependsOn = ["caddy"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
rpcbind.enable = true; # needed for NFS
|
# NFS client setup
|
||||||
};
|
services.rpcbind.enable = true;
|
||||||
boot.supportedFilesystems = ["nfs"];
|
boot.supportedFilesystems = ["nfs"];
|
||||||
environment.systemPackages = with pkgs; [nfs-utils];
|
environment.systemPackages = with pkgs; [nfs-utils];
|
||||||
|
|
||||||
systemd.mounts = [
|
systemd.mounts = let
|
||||||
|
host = "10.0.0.249";
|
||||||
|
in [
|
||||||
{
|
{
|
||||||
type = "nfs";
|
type = "nfs";
|
||||||
mountConfig = {
|
mountConfig = {
|
||||||
Options = "noatime";
|
Options = "noatime";
|
||||||
};
|
};
|
||||||
what = "servivi:/caddy";
|
what = "${host}:/caddy";
|
||||||
where = "/var/lib/caddy";
|
where = "/var/lib/caddy";
|
||||||
requiredBy = ["caddy.service"];
|
requiredBy = ["caddy.service"];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
type = "nfs";
|
||||||
|
mountConfig = {
|
||||||
|
Options = "noatime";
|
||||||
|
};
|
||||||
|
what = "${host}:/headscale";
|
||||||
|
where = "/var/lib/headscale";
|
||||||
|
requiredBy = ["headscale.service"];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
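Review bot: The new `/var/lib/headscale` NFS mount (second entry of `systemd.mounts`) carries only `Options = "noatime";`, yet that directory holds headscale's `private.key`, `noise_private.key` and `derp_server_private.key` (paths set in the headscale module of this commit) plus its database, so those files now cross the LAN with whatever security flavour and protocol version the server negotiates — typically `sec=sys`, i.e. no encryption or integrity and trust based purely on client IP. Make the choice explicit and pin the version, e.g. `Options = "noatime,vers=4.2,sec=sys";` with a comment that access control is the export's client allow-list for the two cluster nodes, or `sec=krb5p` if the `10.0.0.249` server can offer it; as written nothing records that assumption. Both nodes mount the directory unconditionally while pacemaker is expected to run a single `headscale` resource, and the database backend is not visible here (the headscale `database` settings are outside the hunk), so confirm it is not SQLite on NFS, whose locking over NFS is unreliable; a comment such as `# shared with the other cluster node; only the active pacemaker instance may open the DB` would state the invariant this relies on. Also note the `rpcbind.enable = true; # needed for NFS` comment was lost in the move to `services.rpcbind.enable = true;` — `# NFS client setup` above it covers that.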
|
@ -1,5 +1,5 @@
|
||||||
{config, ...}: let
|
{config, ...}: let
|
||||||
inherit (config.vars) mainUser;
|
inherit (config.vars) mainUser hostName;
|
||||||
in {
|
in {
|
||||||
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
|
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
|
||||||
boot.kernel.sysctl."net.core.rmem_max" = 1048576;
|
boot.kernel.sysctl."net.core.rmem_max" = 1048576;
|
||||||
|
@ -27,7 +27,12 @@ in {
|
||||||
"ota.nelim.org redirect"
|
"ota.nelim.org redirect"
|
||||||
"nelim.org redirect"
|
"nelim.org redirect"
|
||||||
];
|
];
|
||||||
local-data = [
|
local-data = let
|
||||||
|
caddyIp =
|
||||||
|
if hostName == "thingone"
|
||||||
|
then "100.64.0.8"
|
||||||
|
else "100.64.0.9";
|
||||||
|
in [
|
||||||
"\"pve.nelim.org IN A 100.64.0.4\""
|
"\"pve.nelim.org IN A 100.64.0.4\""
|
||||||
|
|
||||||
"\"headscale.nelim.org. IN A 24.200.126.219\""
|
"\"headscale.nelim.org. IN A 24.200.126.219\""
|
||||||
|
@ -45,9 +50,8 @@ in {
|
||||||
|
|
||||||
"\"ota.nelim.org. IN A 100.64.0.5\""
|
"\"ota.nelim.org. IN A 100.64.0.5\""
|
||||||
|
|
||||||
"\"nelim.org IN A 100.64.0.1\""
|
"\"nelim.org 0 A ${caddyIp}\""
|
||||||
];
|
];
|
||||||
#
|
|
||||||
|
|
||||||
do-ip4 = true;
|
do-ip4 = true;
|
||||||
do-ip6 = false;
|
do-ip6 = false;
|
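Review bot: The rewritten record `"\"nelim.org 0 A ${caddyIp}\""` in the `local-data` hunk (`@ -45,9 +50,8`) drops the `IN` class and adds an explicit TTL of `0`, unlike every neighbouring entry (`pve.nelim.org IN A …`, `ota.nelim.org. IN A …`), and nothing says why. A zero TTL is defensible if the intent is that clients never cache the apex answer across a VIP failover, but without a comment it reads like a typo and, if unbound's RR parser is stricter than expected about the class-less form, a silent parse failure would drop the record. Keep the same shape as the other entries and document the TTL: `"\"nelim.org. 0 IN A ${caddyIp}\"" # TTL 0: apex follows the active caddy node, do not let clients cache it`. The per-host `caddyIp` selection introduced just above this hunk (`if hostName == "thingone" then "100.64.0.8" else "100.64.0.9"`) silently assigns the second address to any other host and duplicates the headscale module; an explicit attribute lookup keyed on the node names, defined once and shared, would be safer.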
|
@ -1,12 +1,5 @@
|
||||||
{config, ...}: let
|
{config, ...}: let
|
||||||
inherit (config.vars) mainUser hostName;
|
inherit (config.vars) mainUser hostName;
|
||||||
tailscaleNameservers =
|
|
||||||
config
|
|
||||||
.services
|
|
||||||
.headscale
|
|
||||||
.settings
|
|
||||||
.dns_config
|
|
||||||
.nameservers;
|
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
@ -14,10 +7,7 @@ in {
|
||||||
../../modules/sshd.nix
|
../../modules/sshd.nix
|
||||||
../../modules/tailscale.nix
|
../../modules/tailscale.nix
|
||||||
|
|
||||||
./modules/blocky.nix
|
|
||||||
./modules/headscale
|
|
||||||
./modules/remote-builder.nix
|
./modules/remote-builder.nix
|
||||||
./modules/unbound.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
vars = {
|
vars = {
|
||||||
|
@ -43,7 +33,6 @@ in {
|
||||||
networking = {
|
networking = {
|
||||||
inherit hostName;
|
inherit hostName;
|
||||||
resolvconf.enable = true;
|
resolvconf.enable = true;
|
||||||
nameservers = tailscaleNameservers ++ ["1.0.0.1"];
|
|
||||||
firewall.enable = false;
|
firewall.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
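Review bot: After the `networking` hunk (`@ -43,7 +33,6`) this host no longer sets `nameservers` at all — the old `nameservers = tailscaleNameservers ++ ["1.0.0.1"];` is removed with no replacement — while `resolvconf.enable = true;` stays, so the machine's resolver configuration now depends entirely on what resolvconf receives from DHCP or tailscale, and on a statically configured interface it may be left with an empty `resolv.conf`. The cluster node config in this same commit sets `nameservers = [ clusterIP "1.0.0.1" ];`; if that is the intended behaviour here too, add the same list (reading the VIP the same way), and if DNS is meant to come from DHCP, say so: `# nameservers intentionally unset: resolved via DHCP/tailscale`. Removing the `./modules/blocky.nix`, `./modules/headscale` and `./modules/unbound.nix` imports matches the services moving into the cluster module, so the rest of the section looks consistent.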