From 9e9284fc8638b3750074177a8c1122ae59df0b55 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 17 Feb 2022 02:02:14 +0300
Subject: feat(ops/machines): add configuration for sanduny.tvl.su

This will be an additional web host / fallback git server for whitby incidents.

Change-Id: Icd6f7ce574ffd520b5783a50ff317feed7b71fc6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5297
Reviewed-by: sterni
Tested-by: BuildkiteCI
Autosubmit: tazjin
---
 ops/machines/all-systems.nix | 1 +
 ops/machines/sanduny/default.nix | 100 +++++++++++++++++++++++++++++++++++++++
 ops/nixos.nix | 3 +-
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 ops/machines/sanduny/default.nix

diff --git a/ops/machines/all-systems.nix b/ops/machines/all-systems.nix
index df1cfa6a48..2536958c38 100644
--- a/ops/machines/all-systems.nix
+++ b/ops/machines/all-systems.nix
@@ -1,6 +1,7 @@
 { depot, ... }:
 (with depot.ops.machines; [
+ sanduny
 whitby
 ]) ++
diff --git a/ops/machines/sanduny/default.nix b/ops/machines/sanduny/default.nix
new file mode 100644
index 0000000000..6746917769
--- /dev/null
+++ b/ops/machines/sanduny/default.nix
@@ -0,0 +1,100 @@
+# sanduny.tvl.su
+#
+# This is a VPS hosted with Bitfolk, intended to additionally serve
+# some of our public services like cgit, josh and the websites.
+#
+# In case of whitby going down, sanduny will keep depot available.
+
+_: # ignore readTree options
+
+{ config, depot, lib, pkgs, ... }:
+
+{
+ networking = {
+ hostName = "sanduny";
+ domain = "tvl.su";
+ useDHCP = false;
+
+ interfaces.eth0 = {
+ ipv4.addresses = lib.singleton {
+ address = "85.119.82.231";
+ prefixLength = 21;
+ };
+
+ ipv6.addresses = lib.singleton {
+ address = "2001:ba8:1f1:f109::feed:edef:beef";
+ prefixLength = 64;
+ };
+ };
+
+ defaultGateway = "85.119.80.1";
+ defaultGateway6.address = "2001:ba8:1f1:f109::1";
+
+ firewall.allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ users.users.tazjin = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ emacs-nox
+ vim
+ curl
+ unzip
+ htop
+ ];
+
+ programs.mtr.enable = true;
+
+ services.openssh.enable = true;
+ services.fail2ban.enable = true;
+
+ # Automatically collect garbage from the Nix store.
+ services.depot.automatic-gc = {
+ enable = true;
+ interval = "1 hour";
+ diskThreshold = 2; # GiB
+ maxFreed = 5; # GiB
+ preserveGenerations = "90d";
+ };
+
+ time.timeZone = "UTC";
+
+ # GRUB does not actually need to be installed on disk; Bitfolk have
+ # their own way of booting systems as long as config is in place.
+ boot.loader.grub.device = "nodev";
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/aabc3638-43ca-45f3-af89-c451e8448e92";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/75aa99d5-fed7-4c5c-8570-7745f6cff9f5";
+ fsType = "ext3";
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-uuid/d1721678-c294-482b-b72e-3b15f2c56c63";
+ fsType = "ext4";
+ };
+ };
+
+ swapDevices = lib.singleton {
+ device = "/dev/disk/by-uuid/df4ad9da-0a06-4c27-93e5-5d44e4750e55";
+ };
+
+ system.stateVersion = "22.05"; # Did you read the comment?
+}
diff --git a/ops/nixos.nix b/ops/nixos.nix
index 3a113ac4bb..291413c5b5 100644
--- a/ops/nixos.nix
+++ b/ops/nixos.nix
@@ -50,5 +50,6 @@ in rec {
 # Systems that should be built in CI
 whitbySystem = (nixosFor depot.ops.machines.whitby).system;
- meta.ci.targets = [ "whitbySystem" ];
+ sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
+ meta.ci.targets = [ "sandunySystem" "whitbySystem" ];
 }
--
cgit 1.4.1
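Review bot: `security.sudo.wheelNeedsPassword = false;` gives every wheel member passwordless root while the new file never states the SSH authentication policy: `services.openssh.enable = true;` is set with no explicit `services.openssh.passwordAuthentication = false;`, so whether password login is accepted is whatever the pinned nixpkgs defaults to. Password login cannot currently succeed only because tazjin has no password configured, which is an accident of the user definition rather than a stated invariant; adding `services.openssh.passwordAuthentication = false;` next to the openssh line (option name as of the nixpkgs revision in use, confirm against the pin) makes the key-only policy explicit and keeps it if a `hashedPassword` is ever added. A one-line comment above the sudo line, such as `# Login is key-only, so passwordless sudo for wheel is acceptable.`, would document that reasoning for the next reader. Separately, `firewall.allowedTCPPorts = [ 22 80 443 ];` opens 80/443 before anything in this file listens on them; a comment referencing the cgit/josh/web services mentioned in the header, or moving the ports next to those service definitions when they land, would avoid an unexplained open port set.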