devhost: wip

flyingcircusio · May 17, 2023 · 82d3a24 · 82d3a24
1 parent a944ac6
commit 82d3a24
Show file tree

Hide file tree

Showing 9 changed files with 626 additions and 357 deletions.
diff --git a/nixos/infrastructure/default.nix b/nixos/infrastructure/default.nix
@@ -4,6 +4,7 @@
 
   imports = [
     ./container.nix
+    ./dev-vm.nix
     ./testing.nix
     ./flyingcircus-physical.nix
     ./flyingcircus-virtual.nix
@@ -12,7 +13,7 @@
 
   options = with lib; {
     flyingcircus.infrastructureModule = mkOption {
-      type = types.enum [ "testing" "flyingcircus" "flyingcircus-physical" "virtualbox" "container" ];
+      type = types.enum [ "testing" "flyingcircus" "flyingcircus-physical" "virtualbox" "container" "dev-vm" ];
       default = "testing";
       example = "flyingcircus";
       description = "Load config module for specific infrastructure.";

diff --git a/nixos/infrastructure/dev-vm.nix b/nixos/infrastructure/dev-vm.nix
@@ -0,0 +1,213 @@
+{ config, lib, ... }:
+
+let
+  fclib = config.fclib;
+
+  # Only check "visible" roles, skipping roles that are marked as removed by
+  # `mkRemovedOptionModule` or manually set to `visible = false`.
+  # The `tryEval` is needed because visiting the role option throws an error if
+  # the option is declared by `mkRemovedOptionModule`.
+  visibleFCRoles = (lib.filterAttrs
+    (n: v: (builtins.tryEval v.enable.visible or true).value)
+    config.flyingcircus.roles);
+in
+{
+  config = lib.mkMerge [
+    (lib.mkIf (config.flyingcircus.infrastructureModule == "dev-vm") {  
+      boot = {
+        initrd.kernelModules = [
+          "virtio_blk"
+          "virtio_console"
+          "virtio_net"
+          "virtio_pci"
+          "virtio_rng"
+          "virtio_scsi"
+          "i6300esb"
+        ];
+
+        kernelParams = [
+          "console=ttyS0"
+          "nosetmode"
+        ];
+
+        loader.grub = {
+          device = "/dev/disk/device-by-alias/root";
+          fsIdentifier = "provided";
+          gfxmodeBios = "text";
+        };
+        growPartition = true;
+      };
+
+      fileSystems."/" = {
+        device = "/dev/disk/by-label/root";
+        autoResize = true;
+        fsType = "xfs";
+      };
+
+      services.udev.extraRules = ''
+        # GRUB boot device should be device-by-alias/root
+        SUBSYSTEM=="block", KERNEL=="vda", SYMLINK+="disk/device-by-alias/root"
+      '';
+
+      networking = {
+        hostName = fclib.mkPlatform config.flyingcircus.enc.name;
+
+        firewall.allowedTCPPorts = [ 80 ];
+        firewall.allowPing = true;
+      };
+
+      flyingcircus.agent.enable = false;
+      flyingcircus.agent.collect-garbage = lib.mkForce false;
+
+      services.timesyncd.servers = [ "pool.ntp.org" ];
+      services.telegraf.enable = false;
+
+      systemd.services."network-addresses-ethsrv" = {
+        wantedBy = [ "multi-user.target" ];
+        script = ''
+          echo "Ready."
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      environment.sessionVariables = { NIX_REMOTE = "daemon"; };
+
+      services.mongodb.bind_ip = "[::]";
+
+      services.postgresql.settings.listen_addresses = lib.mkOverride 20 "0.0.0.0,::";
+      services.postgresql.settings.fsync = "off";
+      services.postgresql.settings.full_page_writes = "off";
+      services.postgresql.settings.synchronous_commit = "off";
+
+      flyingcircus.roles.antivirus.listenAddresses = [ "[::]" ];
+
+      flyingcircus.roles.coturn.hostName = config.networking.hostName;
+      flyingcircus.roles.coturn.config.listening-ips =  [ "[::]" ];
+
+      flyingcircus.roles.memcached.listenAddresses = [ "0.0.0.0" "[::]" ];
+
+      flyingcircus.roles.mailserver.smtpBind4 = [ "127.0.0.1" ];
+      flyingcircus.roles.mailserver.smtpBind6 = [ "::1" ];
+      flyingcircus.roles.mailserver.explicitSmtpBind = false;
+
+      flyingcircus.roles.mysql.listenAddresses = [ "::" ];
+
+      flyingcircus.roles.webproxy.listenAddresses = [ "[::]" ];
+
+      flyingcircus.services.nginx.defaultListenAddresses = [ "0.0.0.0" "[::]" ];
+      flyingcircus.services.redis.listenAddresses = [ "[::]" ];
+      flyingcircus.services.rabbitmq.listenAddress = "::";
+
+      services.mysql.settings.mysqld = {        
+        # We don't really care about the data and this speeds up things.
+        innodb_flush_method = "nosync";
+
+        innodb_buffer_pool_size = "200M";
+        innodb_log_buffer_size = "64M";
+        innodb_file_per_table = 1;
+        innodb_read_io_threads = 1;
+        innodb_write_io_threads = 1;
+        # Percentage. Probably needs local tuning depending on the workload.
+        innodb_change_buffer_max_size = 50;
+        innodb_doublewrite = 1;
+        innodb_log_file_size = "64M";
+        innodb_log_files_in_group = 2;
+      };
+
+      services.redis.bind = lib.mkForce "0.0.0.0 ::";
+
+      # This is the insecure key pair to allow bootstrapping containers.
+      # -----BEGIN OPENSSH PRIVATE KEY-----
+      # b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      # QyNTUxOQAAACBnO1dnNsxT0TJfP4Jgb9fzBJXRLiWrvIx44cftqs4mLAAAAJjYNRR+2DUU
+      # fgAAAAtzc2gtZWQyNTUxOQAAACBnO1dnNsxT0TJfP4Jgb9fzBJXRLiWrvIx44cftqs4mLA
+      # AAAEDKN3GvoFkLLQdFN+Blk3y/+HQ5rvt7/GALRAWofc/LFGc7V2c2zFPRMl8/gmBv1/ME
+      # ldEuJau8jHjhx+2qziYsAAAAEHJvb3RAY3QtZGlyLWRldjIBAgMEBQ==
+      # -----END OPENSSH PRIVATE KEY-----
+
+      # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc7V2c2zFPRMl8/gmBv1/MEldEuJau8jHjhx+2qziYs root@ct-dir-dev2
+
+      users.users.root.password = "";
+
+      time.timeZone = fclib.mkPlatformOverride "Europe/Berlin";
+
+      flyingcircus.encServices = [
+        { service = "nfs_rg_share-server";
+          address = config.networking.hostName;
+        }
+      ];
+
+      flyingcircus.encServiceClients = [
+        { service = "nfs_rg_share-server";
+          node = config.networking.hostName;
+        }
+      ];
+
+      flyingcircus.users.userData = [
+        { class = "human";
+          gid = 100;
+          home_directory = "/home/developer";
+          id = 1000;
+          login_shell = "/bin/bash";
+          name = "Developer";
+          # password: vagrant
+          password = "$5$xS9kX8R5VNC0g$ZS7QkUYTk/61dUyUgq9r0jLAX1NbiScBT5v1PODz4UC";
+          permissions = { container = [ "admins" "login" "manager" "sudo-srv" ]; };
+          ssh_pubkey = [
+           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc7V2c2zFPRMl8/gmBv1/MEldEuJau8jHjhx+2qziYs root@ct-dir-dev2"
+          ];
+          uid = "developer";}
+        { class = "service";
+          gid = 100;
+          home_directory = "/srv/s-dev";
+          id = 1001;
+          login_shell = "/bin/bash";
+          password = "*";
+          name = "s-dev";
+          ssh_pubkey = [] ;
+          permissions = { container = []; };
+          uid = "s-dev"; } ];
+
+      flyingcircus.users.permissions = [
+        { description = "commit to VCS repository";
+          id = 2029;
+          name = "code"; }
+        { description = "perform interactive or web logins (e.g., ssh, monitoring)";
+          id = 502;
+          name = "login"; }
+        { description = "access web statistics";
+          id = 2046;
+          name = "stats"; }
+        { description = "sudo to service user";
+          id = 2028;
+          name = "sudo-srv"; }
+        { description = "sudo to root";
+          id = 10;
+          name = "wheel"; }
+        { description = "Manage users of RG";
+          id = 2272;
+          name = "manager"; } ];
+
+      users.users.developer = {
+        # Make the human user a service user, too so that we can place stuff in
+        # /etc/local/nixos for provisioning.
+        extraGroups = [ "service" "login" ];
+      };
+
+      flyingcircus.passwordlessSudoRules = [
+        { # Grant unrestricted access to developer
+          commands = [ "ALL" ];
+          users = [ "developer" ];
+        }
+      ];
+
+      system.activationScripts.relaxHomePermissions = lib.stringAfter [ "users" ] ''
+        mkdir -p /nix/var/nix/profiles/per-user/s-dev
+        chown s-dev: /nix/var/nix/profiles/per-user/s-dev
+      '';
+    }) ];
+
+}
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
@@ -1,14 +1,18 @@
 { config, lib, ... }:
-
-with builtins;
-
 let
+  # Map list of roles to a list of attribute sets enabling each role.
+  # Turn the list of role names (["a", "b"]) into an attribute set
+  # ala { <role> = { enable = true;}; }
+  roleSet = lib.listToAttrs (
+    map (role: { name = role; value = { enable = true; }; })
+      config.flyingcircus.active-roles);
   fclib = config.fclib;
 in {
   imports = with lib; [
     ./antivirus.nix
     ./backyserver.nix
     ./coturn.nix
+    ./consul
     ./docker.nix
     ./ceph/mon.nix
     ./ceph/osd.nix
@@ -17,40 +21,37 @@ in {
     ./external_net
     ./elasticsearch.nix
     ./gitlab.nix
+    ./graylog.nix
     ./jitsi
+    ./kibana.nix
     ./k3s
+    ./kvm.nix
     ./lamp.nix
+    ./loghost
     ./mailout.nix
     ./mailserver.nix
-    ./matomo.nix
     ./memcached.nix
     ./mongodb.nix
     ./mysql.nix
     ./nfs.nix
     ./nginx.nix
-    ./opensearch.nix
-    ./opensearch_dashboards.nix
     ./postgresql.nix
     ./rabbitmq.nix
     ./redis.nix
+    ./sensuserver.nix
     ./servicecheck.nix
-    ./slurm
     ./statshost
     ./webdata_blackbee.nix
     ./webgateway.nix
     ./webproxy.nix
 
-    # Removed
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "graylog" "enable" ] "Last platform version that supported graylog/loghost was 22.05.")
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "loghost" "enable" ] "Last platform version that supported graylog/loghost was 22.05.")
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "loghost-location" "enable" ] "Last platform version that supported graylog/loghost was 22.05.")
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "mysql" "rootPassword" ] "Change the root password via MySQL and modify secret files.")
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "statshost" "enable" ] "Use flyingcircus.roles.statshost-global.enable instead.")
-    (mkRemovedOptionModule [ "flyingcircus" "roles" "statshostproxy" "enable" ] "Use flyingcircus.roles.statshost-location-proxy.enable instead.")
-
-    # Renamed
-    (mkRenamedOptionModule [ "flyingcircus" "roles" "elasticsearch" "dataDir" ] [ "services" "elasticsearch" "dataDir" ])
+    (mkRemovedOptionModule [ "flyingcircus" "roles" "mysql" "rootPassword" ] "Change the root password via MySQL and modify secret files")
+    (mkRenamedOptionModule [ "flyingcircus" "roles" "rabbitmq38" ] [ "flyingcircus" "roles" "rabbitmq" ])
+    (mkRenamedOptionModule [ "flyingcircus" "roles" "redis4" ] [ "flyingcircus" "roles" "redis" ])
+    (mkRenamedOptionModule [ "flyingcircus" "roles" "statshost" "enable" ] [ "flyingcircus" "roles" "statshost-global" "enable" ])
     (mkRenamedOptionModule [ "flyingcircus" "roles" "statshost" "globalAllowedMetrics" ] [ "flyingcircus" "roles" "statshost-global" "allowedMetricPrefixes" ])
+    (mkRenamedOptionModule [ "flyingcircus" "roles" "statshostproxy" ] [ "flyingcircus" "roles" "statshost-location-proxy" ])
+    (mkRenamedOptionModule [ "flyingcircus" "roles" "kibana" "enable" ] [ "flyingcircus" "roles" "kibana6" "enable" ])
   ];
 
   options = {
@@ -61,17 +62,7 @@ in {
   };
 
   config = {
-    # Map list of roles to a list of attribute sets enabling each role.
-    # Turn the list of role names (["a", "b"]) into an attribute set
-    # ala { <role> = { enable = true;}; }
-    # Roles are ignored if the initial run marker of fc-agent is still present
-    # to get the new system ready for SSH connections more quickly and reliably.
-    flyingcircus.roles =
-      (lib.optionalAttrs
-        (!pathExists "/etc/nixos/fc_agent_initial_run")
-        (lib.listToAttrs (
-          map (role: { name = role; value = { enable = true; }; })
-            config.flyingcircus.active-roles)));
+    flyingcircus.roles = roleSet;
   };
 
 }