palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

rc3: experiments

Browse source
This commit is contained in:
Ingolf Wagner 2020-12-30 01:18:37 +01:00
parent cfca9d1647
commit 0560fcb9df
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
8 changed files with 309 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
configs/sterni/configuration.nix
View file

@ -66,7 +66,17 @@
# enable this to use sidequest
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" ];
users.users.mainUser.extraGroups = [ "adbusers" "video" ];
# for congress and streaming
hardware.opengl = {
enable = true;
extraPackages = [ pkgs.vaapiIntel ];
driSupport32Bit = true;
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
}

2
terranix/jitsi-cloud/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
plops/generated/
sshkey*

45
terranix/jitsi-cloud/README.md Normal file
View file

@ -0,0 +1,45 @@
# NixOS Server Example with plops
This setup shows:
* how to use a terranix module
* how to use 3rd party provision software after terraform.
* how to run terranix and terraform
Setup containing opinionated modules to deploy
[NixOS servers](https://nixos.org/)
on
[hcloud](https://www.hetzner.com/cloud)
using
[nixos-infect](https://github.com/elitak/nixos-infect)
with my
[plops](https://github.com/mrVanDalo/plops)
provisioning tool for NixOS,
which is an overlay on
[krops](https://cgit.krebsco.de/krops/about/).
After server creation,
the initial provisioning uploads the
nixos-infect
script and applys it.
After server creation and initialization
terranix/terraform generates
files used for the "real" provisioning
done by plops.
Of course instead of plops you can use every provsioning tool you like
here (e.g. NixOps, Ansible, ... )
# How to Run
## What you need
* a setup [passwordstore](https://www.passwordstore.org/).
* a [hcloud token](https://docs.hetzner.cloud/#overview-getting-started)
stored under `development/hetzner.com/api-token`
## Steps
* `example-prepare`: to create ssh keys.
* `example-ssh`: to run terranix and terraform do create server.
* `example-cleanup`: to delete server, ssh keys and terraform data. (don't forget that step, or else it gets costly)

47
terranix/jitsi-cloud/config.nix Normal file
View file

@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
let
hcloud-modules = pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix-hcloud.git";
rev = "5fa359a482892cd973dcc6ecfc607f4709f24495";
sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p";
};
in {
imports = [ "${hcloud-modules}/default.nix" ];
# configure admin ssh keys
users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}";
# configure provisioning private Key to be used when running provisioning on the machines
provisioner.privateKeyFile = toString ./sshkey;
hcloud.nixserver = {
host = {
enable = true;
serverType = "cx51"; # 35€/month
configurationFile = pkgs.writeText "configuration.nix" ''
{ pkgs, lib, config, ... }:
{
environment.systemPackages = [ pkgs.git ];
}
'';
};
};
hcloud.export.nix = toString ./plops/generated/nixos-machines.nix;
resource.local_file.sshConfig = {
filename = "${toString ./plops/generated/ssh-configuration}";
content = with lib;
let
configPart = name: ''
Host ''${ hcloud_server.nixserver-${name}.ipv4_address }
IdentityFile ${toString ./sshkey}
ServerAliveInterval 60
ServerAliveCountMax 3
'';
in concatStringsSep "\n"
(map configPart (attrNames config.hcloud.nixserver));
};
}

79
terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix Normal file
View file

@ -0,0 +1,79 @@
{ config, pkgs, lib, ... }: {
imports = [ ./hardware-configuration.nix ];
services.sshd.enable = true;
environment.systemPackages = [ pkgs.git ];
networking.hostName = "host";
security.acme.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;
# the public ssh key used at deployment
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
# + +
# | |
# | |
# v v
# 80, 443 TCP 443 TCP, 10000 UDP
# +--------------+ +---------------------+
# | nginx | 5222, 5347 TCP | |
# | jitsi-meet |<-------------------+| jitsi-videobridge |
# | prosody | | | |
# | jicofo | | +---------------------+
# +--------------+ |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | | |
# | +---------------------+
# |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | |
# +---------------------+
# This is a one server setup
services.jitsi-meet = {
enable = true;
hostName = "meet.palovandalo.com";
# JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
# https://github.com/jitsi/jicofo
jicofo.enable = true;
# Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
# Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
# will be used to retrieve a TLS certificate by default. To disable this, set the
# services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
# services.nginx.virtualHosts.<hostName>.forceSSL.
nginx.enable = true;
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
config = {
enableWelcomePage = false;
defaultLang = "en";
};
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
# todo : ssh nur mit ssh key machen
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 10000 ];
};
}

10
terranix/jitsi-cloud/plops/configs/nixserver-host/hardware-configuration.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }: {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

71
terranix/jitsi-cloud/plops/shell.nix Normal file
View file

@ -0,0 +1,71 @@
let
# import plops with pkgs and lib
opsImport = import ((import <nixpkgs> { }).fetchgit {
url = "https://github.com/mrVanDalo/plops.git";
rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad";
sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63";
});
ops = let
overlay = self: super: {
# overwrite ssh to use the generated ssh configuration
openssh = super.writeShellScriptBin "ssh" ''
${super.openssh}/bin/ssh -F ${
toString ./generated/ssh-configuration
} "$@"
'';
};
in opsImport { overlays = [ overlay ]; };
lib = ops.lib;
pkgs = ops.pkgs;
# define all sources
source = {
# nixpkgs (no need for channels anymore)
nixPkgs.nixpkgs.git = {
ref = "nixos-20.09";
url = "https://github.com/NixOS/nixpkgs";
};
# system configurations
system = name: {
configs.file = toString ./configs;
nixos-config.symlink = "configs/${name}/configuration.nix";
};
# secrets which are hold and stored by pass
secrets = name: {
secrets.pass = {
dir = toString ./secrets;
name = name;
};
};
};
servers = import ./generated/nixos-machines.nix;
deployServer = name:
{ user ? "root", host, ... }:
with ops;
jobs "deploy-${name}" "${user}@${host.ipv4}" [
# deploy secrets to /run/plops-secrets/secrets
# (populateTmpfs (source.secrets name))
# deploy system to /var/src/system
(populate (source.system name))
# deploy nixpkgs to /var/src/nixpkgs
(populate source.nixPkgs)
switch
];
in pkgs.mkShell {
buildInputs = lib.mapAttrsToList deployServer servers;
shellHook = ''
export PASSWORD_STORE_DIR=./secrets
'';
}

44
terranix/jitsi-cloud/shell.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs ? import <nixpkgs> { } }:
let
terranix = pkgs.callPackage (pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix.git";
rev = "2.3.0";
sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4";
}) { };
terraform = pkgs.writers.writeBashBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${pkgs.terraform_0_12}/bin/terraform "$@"
'';
in pkgs.mkShell {
buildInputs = [
terranix
terraform
(pkgs.writers.writeBashBin "example-prepare" ''
${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
'')
(pkgs.writers.writeBashBin "example-run" ''
set -e
set -o pipefail
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
${terraform}/bin/terraform init
${terraform}/bin/terraform apply
'')
(pkgs.writers.writeBashBin "example-cleanup" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
rm ${toString ./.}/sshkey
rm ${toString ./.}/sshkey.pub
rm ${toString ./.}/terraform.tfstate*
'')
];
}