diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix
new file mode 100644
index 0000000..4e60e1b
--- /dev/null
+++ b/nixos/machines/ghatanothoa/configuration.nix
@@ -0,0 +1,19 @@
+flake-inputs:
+{config, pkgs, lib, ... }: {
+
+imports = [
+ ./hardware-configuration.nix
+ ../../modules/jitsi.nix
+ ../../roles
+ ./network.nix
+];
+
+ services.mathebau-jitsi = {
+ enable = true;
+ hostName = "meet.mathebau.de";
+ };
+
+# System configuration here
+ networking.hostName = "ghatanothoa";
+ system.stateVersion = "23.11";
+}
diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix
new file mode 100644
index 0000000..ad588c9
--- /dev/null
+++ b/nixos/machines/ghatanothoa/hardware-configuration.nix
@@ -0,0 +1,31 @@
+{config, lib, pkgs, modulesPath, ...}: {
+ imports = [ ];
+
+ fileSystems."/" = {
+ device = "gha-root";
+ fsType = "tmpfs";
+ options = [ "size=1G" "mode=755" ];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
+ fsType = "btrfs";
+ options = [ "subvol=persist" ];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/19da7f3a-69da-4fa8-bb68-b355d7697ba7";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }];
+
+ nix.settings.max-jobs = lib.mkDefault 4;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/ghatanothoa/network.nix b/nixos/machines/ghatanothoa/network.nix
new file mode 100644
index 0000000..7e26f79
--- /dev/null
+++ b/nixos/machines/ghatanothoa/network.nix
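Review bot: The `imports = [ … ];` block in configuration.nix sits at column 0 (the `+` marker is directly followed by `imports`) while every sibling attribute such as `services.mathebau-jitsi` and `networking.hostName` is indented one level, so the list reads as if it were outside the attribute set; indent the four entries and the closing `];` to match the rest of the file. The placeholder `# System configuration here` adds nothing the two lines below it do not already say; either drop it or replace it with a comment that states the machine's role, e.g. `# Jitsi Meet host; the service itself is configured via ../../modules/jitsi.nix`.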
@@ -0,0 +1,15 @@
+# We sohuld put that config somewhere in roles and give it a parameter or something,
+# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
+# depend on the same thing
+{
+ imports = [ ];
+ networking = {
+ interfaces.enX0.ipv4.addresses = [ {
+ address = "192.168.0.25";
+ prefixLength = 16;
+ } ];
+ defaultGateway = "192.168.0.152";
+ nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
+ };
+}
+
diff --git a/nixos/modules/jitsi.nix b/nixos/modules/jitsi.nix
new file mode 100644
index 0000000..ca2a8a7
--- /dev/null
+++ b/nixos/modules/jitsi.nix
@@ -0,0 +1,55 @@
+{pkgs, config, lib, modulesPath, ...}:
+let
+ inherit (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ head;
+ inherit (lib.types) str;
+ cfg = config.services.mathebau-jitsi;
+in
+{
+ imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")];
+
+ options.services.mathebau-jitsi = {
+ enable = mkEnableOption "mathebau jitsi service";
+ hostName = mkOption {
+ type = str;
+ };
+ localAddress = mkOption {
+ type = str;
+ default = (head config.networking.interfaces.enX0.ipv4.addresses).address;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.jitsi-meet = {
+ enable = true;
+ hostName = cfg.hostName;
+ config = {
+ defaultLang = "de";
+ };
+ };
+ services.jitsi-videobridge = {
+ openFirewall = true;
+ nat = {
+ publicAddress = "130.83.2.184";
+ localAddress = cfg.localAddress;
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/jitsi-meet"
+ "/var/lib/prosody"
+ ];
+ };
+ #We are behind a reverse proxy that handles TLS
+ services.nginx.virtualHosts."${cfg.hostName}" = {
+ enableACME = false;
+ forceSSL = false;
+ };
+
+ #The network ports for HTTP(S) are not opened automatically
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 1968de3..d92b970 100644
--- a/nixos/roles/default.nix
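Review bot: The last resolver in `nameservers`, `"130.82.22.63"`, is the only entry outside 130.83.0.0/16 while the other three share that prefix; this looks like a transposed octet (possibly `130.83.22.63`) and should be confirmed against the resolver list used on the other hosts, because a wrong entry here is easy to miss as long as the remaining resolvers still answer. The three-line header is a TODO and should be marked as one so it is tracked rather than read as documentation: `# TODO: move this into roles and parameterise the address; gateway, prefixLength and nameservers are the same for every host`. That rewrite also fixes the typos `sohuld` and `alsways`.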
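Review bot: The vhost for `cfg.hostName` sets `enableACME = false; forceSSL = false;`, so nginx serves this host over plain HTTP only, yet `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens both ports to every source: nothing in this module listens on 443 (unless something outside this file binds it), and an open 80 lets clients reach the Jitsi web UI directly and bypass the TLS-terminating reverse proxy the comment describes. Drop 443, `networking.firewall.allowedTCPPorts = [ 80 ];`, and scope port 80 to the proxy's address, e.g. through an interface-scoped rule or `networking.firewall.extraCommands`, and say so in the comment above it. Separately, `publicAddress = "130.83.2.184"` and the interface name `enX0` in the `localAddress` default are facts about one machine hard-coded into a reusable module, and `head` on an empty address list fails with an unhelpful evaluation error; both are better exposed as options next to `hostName` (a `publicAddress` option and an interface-name option with `enX0` as its default).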
+++ b/nixos/roles/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./admins.nix
 ./nix_keys.nix
+ ./prometheusNodeExporter.nix
 (modulesPath + "/virtualisation/xen-domU.nix")
 ../modules/impermanence.nix
 ];
@@ -55,5 +56,7 @@ services = {
 PasswordAuthentication = false;
 };
 };
+#Prevent clock drift due to interaction problem with xen hardware clock
+ timesyncd.enable = lib.mkForce true;
 };
 }
diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix
index 85c7835..14f0b56 100644
--- a/nixos/roles/nix_keys.nix
+++ b/nixos/roles/nix_keys.nix
@@ -2,5 +2,6 @@
 imports = [ ];
 nix.settings.trusted-public-keys = [
 "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+ "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
 ];
 }
diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix
new file mode 100644
index 0000000..9587b2f
--- /dev/null
+++ b/nixos/roles/prometheusNodeExporter.nix
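Review bot: `timesyncd.enable = lib.mkForce true;` in the second hunk silences every other definition of that option, but the comment does not say which module sets it to false; I cannot tell from this hunk whether anything does (the imported xen-domU module would be the natural suspect, but that is a guess). If nothing does, plain `true` suffices; if something does, name it so the `mkForce` is not removed as noise later, e.g. `# Xen domUs drift against the hypervisor clock; keep timesyncd on even though <module> disables it`. The comment also lacks the space after `#` that the rest of the tree uses (`# Aligned with …` in prometheusNodeExporter.nix). The enclosing `services = { … }` block starts outside the hunk.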
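Review bot: The new entry in `nix.settings.trusted-public-keys` is added without any note of which substituter it belongs to or who controls the private key, and every host importing this role will from now on accept any store path signed with it, so its provenance belongs next to it: `# signing key of the binary cache on gonne.mathebau.de; private key held by <OWNER>`. The existing `nerflap2-1` entry deserves the same comment. I cannot see whether a matching `nix.settings.substituters` entry exists elsewhere in the tree; if it does not, say so in the comment so the purpose of trusting this key stays clear.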
@@ -0,0 +1,40 @@
+{config, ...}:
+{
+ imports = [ ];
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9100;
+ # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
+ # It was compiled along the following steps:
+ # 1. Does the current Debian release supports the collector?
+ # 2. Is the collector depracated in the latest release?
+ # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
+ # (e.g. power adapter inside a VM, use fibre port connection)?
+ disabledCollectors = [
+ "arp"
+ "bcache"
+ "btrfs"
+ "dmi"
+ "fibrechannel"
+ "infiniband"
+ "nvme"
+ "powersupplyclass"
+ "rapl"
+ "selinux"
+ "tapestats"
+ "thermal_zone"
+ "udp_queues"
+ "xfs"
+ "zfs"
+ ];
+ enabledCollectors = [
+ "buddyinfo"
+ "ksmd"
+ "logind"
+ "mountstats"
+ "processes"
+ ];
+ };
+ networking.firewall.allowedTCPPorts = [ 9100 ];
+ environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ];
+}
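Review bot: `networking.firewall.allowedTCPPorts = [ 9100 ];` exposes the node exporter, which is served without authentication here, to every source the firewall admits, while the exporter module already provides `openFirewall` together with `firewallFilter` to scope that rule; prefer `openFirewall = true;` and `firewallFilter = "-p tcp -m tcp --dport 9100 -s <PROMETHEUS_SERVER_IP>";` (placeholder address) so only the scraping host can reach it. The persistence entry `"/var/lib/${config.services.prometheus.stateDir}"` names the Prometheus server's state directory, not anything the node exporter writes; as far as I can tell the exporter keeps no state under `/var/lib`, so unless the server also runs on these hosts the entry can be dropped. The collector comment has two typos worth fixing while here: `supports` → `support` and `depracated` → `deprecated`.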