colmena + multi location #64
23 changed files with 26 additions and 12 deletions
flake.nix
|
@ -25,17 +25,21 @@
|
|||
{ self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, colmena, ... }@inputs:
|
||||
let
|
||||
inherit (nixpkgs) lib;
|
||||
inherit (builtins) filter mapAttrs;
|
||||
inherit (builtins) filter mapAttrs attrValues concatLists;
|
||||
system = "x86_64-linux";
|
||||
hosts = import ./hosts.nix;
|
||||
specialArgs = { inherit hosts inputs; };
|
||||
# import and add location qualifier to all hosts
|
||||
hosts = mapAttrs (location: lhosts: map ({ tags ? [ ], ... }@x: x // { tags = [ location ] ++ tags; inherit location; }) lhosts) (import ./nixos/hosts);
|
||||
# flatten hosts to single list
|
||||
flat_hosts = concatLists (attrValues hosts);
|
||||
# Filter all nixos host definitions that are actual nix machines
|
||||
nixHosts = filter ({ nix ? true, ... }: nix) hosts;
|
||||
nixHosts = filter ({ nix ? true, ... }: nix) flat_hosts;
|
||||
# Define args each module gets access to (access to hosts is useful for DNS/DHCP)
|
||||
specialArgs = { inherit hosts flat_hosts inputs; };
|
||||
|
||||
# Resolve imports based on a foldername (nixname) and if the host is an LXC container or a VM.
|
||||
resolveImports = { hostname, profile ? hostname, lxc ? true, ... }: [
|
||||
resolveImports = { hostname, location, profile ? hostname, lxc ? true, ... }: [
|
||||
./nixos/common
|
||||
"${./.}/nixos/hosts/${profile}/configuration.nix"
|
||||
"${./.}/nixos/hosts/${location}/${profile}/configuration.nix"
|
||||
] ++ (if lxc then [
|
||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
||||
./nixos/common/generic-lxc.nix
|
||||
|
@ -49,10 +53,11 @@
|
|||
};
|
||||
};
|
||||
|
||||
mkColmenaHost = { ip, hostname, ... }@host: {
|
||||
mkColmenaHost = { ip, hostname, tags, ... }@host: {
|
||||
"${hostname}" = {
|
||||
imports = resolveImports host;
|
||||
deployment = {
|
||||
inherit tags;
|
||||
targetHost = ip;
|
||||
targetUser = null; # Defaults to $USER
|
||||
};
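Review bot: `flat_hosts` breaks the camelCase convention the rest of this `let` uses (`nixHosts`, `specialArgs`, `resolveImports`); rename it to `flatHosts` both in its binding and in `specialArgs = { inherit hosts flatHosts inputs; };`. Because `hosts` changes shape from a flat list to an attrset of per-location lists, any module that still does `map f hosts` now fails at evaluation time rather than silently, so a comment on the binding stating the new shape, e.g. `# attrset: location -> list of host attrsets, each given a `location` attr and a location tag`, would save the next reader a trip through that error. In the second hunk `mkColmenaHost` now requires `tags` without a default; that is only safe because the `mapAttrs` above always injects it, so `tags ? [ ]` would be a cheaper guard if any caller ever passes a raw host entry. The enclosing `let`/`outputs` expression runs past both hunks.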
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
};
|
||||
optimise = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
dates = [ "weekly" ];
|
||||
};
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
|
@ -63,6 +63,7 @@
|
|||
permitRootLogin = "no";
|
||||
};
|
||||
|
||||
# TODO: Location dependent
|
||||
vault-secrets = {
|
||||
vaultPrefix = "secrets/nixos";
|
||||
vaultAddress = "http://vault.olympus:8200/";
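Review bot: The `# TODO: Location dependent` on `vault-secrets` cannot be acted on with what modules currently receive: `specialArgs` in flake.nix passes `hosts`, `flat_hosts` and `inputs` but not the location of the host being built, so this module, and the dhcp and unbound hunks further down that hardcode `olympus`, have no way to select their location. Passing the host's own entry (or just its `location`) through `specialArgs`, or setting a module option from `resolveImports`, would let all three spots derive the value instead of hardcoding it. Until then, hosts in the new `hades` location will presumably fetch secrets from `vault.olympus` over plain http across locations, which is worth stating in the TODO itself, e.g. `# TODO: Location dependent — hades hosts currently reach vault.olympus over http`. The enclosing module attrset starts outside the hunk.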
|
||||
|
|
nixos/hosts/default.nix
Normal file
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
olympus = import ./olympus;
|
||||
hades = [];
|
||||
}
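Review bot: The new `nixos/hosts/default.nix` carries no comment stating its contract, although flake.nix depends on it tightly: each attribute is a location name and each value a list of host attrsets that flake.nix tags with the location and flattens. A header comment such as `# location name -> list of host attrsets; flake.nix adds `location` and a location tag to each` would make `hades = [];` read as a deliberate placeholder rather than an omission.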
|
|
@ -46,6 +46,7 @@
|
|||
ip = "10.42.42.9";
|
||||
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
|
||||
mac = "6A:C2:89:85:CF:A6";
|
||||
tags = [ "web" ];
|
||||
}
|
||||
{
|
||||
hostname = "k3s-node1";
|
|
@ -5,6 +5,7 @@ let
|
|||
hostName = hostname;
|
||||
ipAddress = ip;
|
||||
};
|
||||
hosts' = hosts.olympus;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
@ -47,6 +48,6 @@ in {
|
|||
range 10.42.43.1 10.42.43.254;
|
||||
}
|
||||
'';
|
||||
machines = map hostToDhcp hosts;
|
||||
machines = map hostToDhcp hosts';
|
||||
};
|
||||
}
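Review bot: `hosts' = hosts.olympus;` hardcodes the location, while the parallel unbound hunk binds it through a variable and marks it with `# TODO: use location attr in hosts`; mirror that here (`hosts' = hosts.olympus; # TODO: use location attr in hosts`) so both spots are found once the location is available to modules. Note also that reservations are now generated only for olympus hosts, so a host added under `hades` gets no DHCP entry on this server, which is presumably intended but not stated. The `let` block begins before the hunk.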
|
|
@ -2,7 +2,9 @@
|
|||
let
|
||||
inherit (builtins) filter hasAttr;
|
||||
localdomain = "olympus";
|
||||
ipv6Hosts = filter (hasAttr "ip6") hosts;
|
||||
# TODO: use location attr in hosts
|
||||
hosts' = hosts.${localdomain};
|
||||
ipv6Hosts = filter (hasAttr "ip6") hosts';
|
||||
|
||||
localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
|
||||
local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
|
||||
|
@ -38,8 +40,8 @@ in {
|
|||
interface = [ "0.0.0.0" "::0" ];
|
||||
|
||||
local-zone = ''"${localdomain}." transparent'';
|
||||
local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
|
||||
local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts);
|
||||
local-data = (map localData hosts') ++ (map local6Data ipv6Hosts);
|
||||
local-data-ptr = (map ptrData hosts') ++ (map ptr6Data ipv6Hosts);
|
||||
|
||||
access-control = [
|
||||
"127.0.0.1/32 allow_snoop"
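Review bot: `localdomain` now does double duty, as the DNS zone label in `local-zone`/`localData` and as the key into `hosts` in `hosts' = hosts.${localdomain};`, so the two can no longer change independently even though one is a DNS name and the other a location key. A separate `location = "olympus";` binding used for the lookup, with `localdomain` kept for the zone, would keep the TODO's eventual fix to one line. The `let` block begins before the hunk.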
|