# NixOS host configuration for "nostromo": NFS exports, murmur, and the
# fudo-managed PostgreSQL / Grafana / Loki services.
{ config, lib, pkgs, ... }:

with lib;
let hostName = "nostromo";

in {

  # Every physical NIC listed here has DHCP turned off; only intif0 requests
  # a lease. What intif0 is (bridge, VLAN, ...) is not defined in this file.
  networking.interfaces = genAttrs [
    "eno1"
    "eno2"
    "eno3"
    "eno4"
    "enp33s0f0"
    "enp33s0f1"
    "enp9s0f0"
    "enp9s0f1"
  ] (_: { useDHCP = false; }) // {
    intif0 = { useDHCP = true; };
  };

  # NOTE(review): the host firewall is off, so nothing on this machine filters
  # access to the services enabled below (murmur, NFS, PostgreSQL, Grafana,
  # Loki). Confirm that filtering happens upstream, or enable the firewall and
  # list the required ports in networking.firewall.allowedTCPPorts /
  # allowedUDPPorts.
  networking.firewall.enable = false;

  # Hopefully this'll help with NFS...
  boot.kernelModules = [ "rpcsec_gss_krb5" ];

  services.murmur.enable = true;

  # See ../user-config.nix for the user@REALM -> user mapping
  services.nfs.server = {
    enable = true;
    createMountPoints = false;

    # All three exports are limited to 10.0.0.0/24 and require Kerberos.
    #
    # NOTE(review): no_root_squash turns off the remapping of client uid 0 to
    # the anonymous user. How a client's root is actually mapped under
    # sec=krb5* depends on the Kerberos/idmap setup, which is not visible
    # here; prefer root_squash unless root access from clients is required.
    #
    # NOTE(review): documents and projects use krb5p (integrity + encryption)
    # while downloads uses krb5i (integrity only, data sent in the clear).
    # Confirm the weaker setting on downloads is intentional.
    exports = let
      exportEntries = [
        "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)"
        "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)"
        "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)"
      ];
    in ''
      ${concatStringsSep "\n" exportEntries}
    '';
  };

  # Parent directory for the per-service state directories used below;
  # world-readable and traversable (0755), owned by root.
  systemd.tmpfiles.rules = [ "d /state/services 0755 root root - -" ];

  systemd.services.nfs-server = {
    # Don't start on boot
    wantedBy = mkForce [ "sea-store.target" ];
    # Only start after filesystem mounts are available
    after = [
      "export-documents.mount"
      "export-downloads.mount"
      "export-projects.mount"
    ];
  };

  # Grafana is tied to PostgreSQL: it is pulled down when the database stops.
  systemd.services.grafana = {
    requires = [ "postgresql.service" ];
    bindsTo = [ "postgresql.service" ];
  };

  fudo = let
    # One generated password, delivered twice below: once for Grafana to log
    # in with, once for PostgreSQL to set on the grafana role.
    # NOTE(review): presumably the password is derived deterministically from
    # instance.build-seed; if so, the seed must be protected like the password
    # itself. Confirm against the passwd library.
    grafanaDbPasswdFile = pkgs.lib.passwd.stablerandom-passwd-file
      "grafana-database-nostromo-password"
      "grafana-database-nostromo-password-${config.instance.build-seed}";

    hostSecrets = config.fudo.secrets.host-secrets.${hostName};

  in {
    secrets.host-secrets.${hostName} = {
      # Copy assigned to the user the Grafana unit runs as.
      grafana-database-password = {
        source-file = grafanaDbPasswdFile;
        target-file = "/run/services/grafana/db.passwd";
        user = config.systemd.services.grafana.serviceConfig.User;
      };
      # Copy assigned to the PostgreSQL superuser.
      postgres-grafana-password = {
        source-file = grafanaDbPasswdFile;
        target-file = "/run/services/postgres/db.passwd";
        user = config.services.postgresql.superUser;
      };
    };

    services.logging.loki.state-directory = "/state/services/loki";

    services.metrics.grafana = {
      state-directory = "/state/services/grafana";
      smtp.hostname = "mail.fudo.org";
      database = {
        user = "grafana";
        password-file = hostSecrets.grafana-database-password.target-file;
      };
      ldap.base-dn = "dc=fudo,dc=org";
    };

    postgresql = {
      enable = true;
      # NOTE(review): with the host firewall disabled, local-networks is
      # presumably the main network-level restriction on database access;
      # verify how the fudo postgresql module applies it.
      local-networks = config.instance.local-networks;
      state-directory = "/state/services/postgresql";

      databases.grafana.users = config.instance.local-admins;

      users.grafana = {
        password-file = hostSecrets.postgres-grafana-password.target-file;
        # The grafana role gets full rights on tables and sequences in the
        # public schema of the grafana database.
        databases.grafana.entity-access = {
          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
          "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES";
        };
      };
    };
  };

  ## Until I can figure out how to use one common host API, forget this
  # NOTE(review): if this block is re-enabled, the api-address below binds
  # the IPFS API to all interfaces while the host firewall is off; bind it to
  # loopback or restrict access first.
  # fudo.ipfs = {
  #   enable = true;
  #   users = [ "niten" ];
  #   api-address = "/ip4/0.0.0.0/tcp/5001";
  # };
}