From e8929ff1591c4cef8af6be0dfe9b678b125b4d1b Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Wed, 18 Oct 2023 17:04:30 +0200 Subject: [PATCH 01/10] Ghatanothoa (Neues Jitsi) --- nixos/machines/ghatanothoa/configuration.nix | 14 +++++++++ .../ghatanothoa/hardware-configuration.nix | 31 +++++++++++++++++++ nixos/machines/ghatanothoa/network.nix | 15 +++++++++ 3 files changed, 60 insertions(+) create mode 100644 nixos/machines/ghatanothoa/configuration.nix create mode 100644 nixos/machines/ghatanothoa/hardware-configuration.nix create mode 100644 nixos/machines/ghatanothoa/network.nix diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix new file mode 100644 index 0000000..22aa65b --- /dev/null +++ b/nixos/machines/ghatanothoa/configuration.nix @@ -0,0 +1,14 @@ +flake-inputs: +{config, pkgs, lib, ... }: { + +imports = [ + ./hardware-configuration.nix + ../../roles + ./network.nix +]; + +# System configuration here + + networking.hostName = "ghatanothoa"; + system.stateVersion = "23.11"; +} diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix new file mode 100644 index 0000000..ad588c9 --- /dev/null +++ b/nixos/machines/ghatanothoa/hardware-configuration.nix 
@@ -0,0 +1,31 @@ +{config, lib, pkgs, modulesPath, ...}: { + imports = [ ]; + + fileSystems."/" = { + device = "gha-root"; + fsType = "tmpfs"; + options = [ "size=1G" "mode=755" ]; + }; + fileSystems."/persist" = { + device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; + fsType = "btrfs"; + options = [ "subvol=persist" ]; + neededForBoot = true; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/19da7f3a-69da-4fa8-bb68-b355d7697ba7"; + fsType = "ext4"; + }; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }]; + + nix.settings.max-jobs = lib.mkDefault 4; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nixos/machines/ghatanothoa/network.nix b/nixos/machines/ghatanothoa/network.nix new file mode 100644 index 0000000..7e26f79 --- /dev/null +++ b/nixos/machines/ghatanothoa/network.nix @@ -0,0 +1,15 @@ +# We sohuld put that config somewhere in roles and give it a parameter or something, +# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways +# depend on the same thing +{ + imports = [ ]; + networking = { + interfaces.enX0.ipv4.addresses = [ { + address = "192.168.0.25"; + prefixLength = 16; + } ]; + defaultGateway = "192.168.0.152"; + nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"]; + }; +} + From 4318950142e0a61f79390c87830c70384f2efdb4 Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Fri, 20 Oct 2023 11:04:40 +0200 Subject: [PATCH 02/10] Jitsi konfiguriert --- nixos/machines/ghatanothoa/configuration.nix | 1 + nixos/machines/ghatanothoa/jitsi.nix | 23 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 nixos/machines/ghatanothoa/jitsi.nix 
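Review bot: The last resolver in network.nix, `"130.82.22.63"`, lies in a different /16 than the three `130.83.x.x` nameservers listed beside it, which looks like a transposed digit; a wrong resolver degrades silently to the next entry, so confirm the address against the upstream DNS documentation before this block is copied to other machines as the header comment proposes. While at it, the header comment has typos: `# We should put that config somewhere in roles and give it a parameter or something,` and `# ... address vs defaultGateway always`. The interface name `enX0` is presumably the Xen domU default; a short comment saying so would help whoever parameterises this later.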
diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix index 22aa65b..54f3211 100644 --- a/nixos/machines/ghatanothoa/configuration.nix +++ b/nixos/machines/ghatanothoa/configuration.nix @@ -3,6 +3,7 @@ flake-inputs: imports = [ ./hardware-configuration.nix + (import ./jitsi.nix flake-inputs) ../../roles ./network.nix ]; diff --git a/nixos/machines/ghatanothoa/jitsi.nix b/nixos/machines/ghatanothoa/jitsi.nix new file mode 100644 index 0000000..547e3c7 --- /dev/null +++ b/nixos/machines/ghatanothoa/jitsi.nix @@ -0,0 +1,23 @@ +flake-inputs: +{pkgs, config, lib, modulesPath, ...}: { + imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; + + services.jitsi-meet = { + enable = true; + hostName = "meet.mathebau.de"; + config = { + defaultLang = "de"; + }; + }; + services.jitsi-videobridge = { + openFirewall = true; + nat = { + publicAddress = "130.83.2.184"; + localAddress = "192.168.0.25"; + }; + }; + services.nginx.virtualHosts."meet.mathebau.de".enableACME = false; + services.nginx.virtualHosts."meet.mathebau.de".forceSSL = false; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 10000 ]; +} From bb93d3aed57f4388a90635d86d945fc4b8a5a9c2 Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Mon, 23 Oct 2023 17:43:13 +0200 Subject: [PATCH 03/10] Move Jitsi to a module --- nixos/machines/ghatanothoa/configuration.nix | 8 ++- nixos/machines/ghatanothoa/jitsi.nix | 23 -------- nixos/modules/jitsi.nix | 55 ++++++++++++++++++++ 3 files changed, 61 insertions(+), 25 deletions(-) delete mode 100644 nixos/machines/ghatanothoa/jitsi.nix create mode 100644 nixos/modules/jitsi.nix diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix index 54f3211..4e60e1b 100644 --- a/nixos/machines/ghatanothoa/configuration.nix +++ b/nixos/machines/ghatanothoa/configuration.nix 
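Review bot: `forceSSL = false` together with `enableACME = false` on the meet.mathebau.de vhost leaves the Jitsi UI and its BOSH/WebSocket endpoints on plain HTTP, yet the same hunk opens TCP 443 on the host firewall where nothing is configured to listen. If TLS is terminated on a proxy in front of this host, say so next to those two lines, e.g. `# TLS is terminated by the reverse proxy in front of this host; keep the vhost plain HTTP`, and drop 443; otherwise TLS has to be enabled here. `services.jitsi-videobridge.openFirewall = true` is documented to open the videobridge media port itself, so the explicit `allowedUDPPorts = [ 10000 ]` appears redundant. Nothing here configures Prosody authentication, so assuming the upstream module defaults are kept, anyone who can reach the vhost can create rooms; confirm an open instance is intended.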
@@ -3,13 +3,17 @@ flake-inputs: imports = [ ./hardware-configuration.nix - (import ./jitsi.nix flake-inputs) + ../../modules/jitsi.nix ../../roles ./network.nix ]; -# System configuration here + services.mathebau-jitsi = { + enable = true; + hostName = "meet.mathebau.de"; + }; +# System configuration here networking.hostName = "ghatanothoa"; system.stateVersion = "23.11"; } diff --git a/nixos/machines/ghatanothoa/jitsi.nix b/nixos/machines/ghatanothoa/jitsi.nix deleted file mode 100644 index 547e3c7..0000000 --- a/nixos/machines/ghatanothoa/jitsi.nix +++ /dev/null @@ -1,23 +0,0 @@ -flake-inputs: -{pkgs, config, lib, modulesPath, ...}: { - imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; - - services.jitsi-meet = { - enable = true; - hostName = "meet.mathebau.de"; - config = { - defaultLang = "de"; - }; - }; - services.jitsi-videobridge = { - openFirewall = true; - nat = { - publicAddress = "130.83.2.184"; - localAddress = "192.168.0.25"; - }; - }; - services.nginx.virtualHosts."meet.mathebau.de".enableACME = false; - services.nginx.virtualHosts."meet.mathebau.de".forceSSL = false; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 10000 ]; -} diff --git a/nixos/modules/jitsi.nix b/nixos/modules/jitsi.nix new file mode 100644 index 0000000..ca2a8a7 --- /dev/null +++ b/nixos/modules/jitsi.nix 
@@ -0,0 +1,55 @@ +{pkgs, config, lib, modulesPath, ...}: +let + inherit (lib) + mkIf + mkEnableOption + mkOption + head; + inherit (lib.types) str; + cfg = config.services.mathebau-jitsi; +in +{ + imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; + + options.services.mathebau-jitsi = { + enable = mkEnableOption "mathebau jitsi service"; + hostName = mkOption { + type = str; + }; + localAddress = mkOption { + type = str; + default = (head config.networking.interfaces.enX0.ipv4.addresses).address; + }; + }; + + config = mkIf cfg.enable { + services.jitsi-meet = { + enable = true; + hostName = cfg.hostName; + config = { + defaultLang = "de"; + }; + }; + services.jitsi-videobridge = { + openFirewall = true; + nat = { + publicAddress = "130.83.2.184"; + localAddress = cfg.localAddress; + }; + }; + environment.persistence.${config.impermanence.name} = { + directories = [ + "/var/lib/jitsi-meet" + "/var/lib/prosody" + ]; + }; + #We are behind a reverse proxy that handles TLS + services.nginx.virtualHosts."${cfg.hostName}" = { + enableACME = false; + forceSSL = false; + }; + + #The network ports for HTTP(S) are not opened automatically + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} From 559c5a47ad80dc56270712acc331e114785d9ba2 Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Mon, 23 Oct 2023 19:39:38 +0200 Subject: [PATCH 04/10] Enable prometheus node exporter by default --- nixos/roles/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 1968de3..3752a32 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -55,5 +55,12 @@ services = { PasswordAuthentication = false; }; }; + + prometheus.exporters.node = { + enable = true; + port = 9100; + }; }; +# Prometheus Monitoring +networking.firewall.allowedTCPPorts = [ 9100 ]; } From 1de0d328607e3323ea6f7619c31331c28a3b69b3 Mon Sep 17 00:00:00 2001 
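Review bot: `publicAddress = "130.83.2.184"` stays hard-coded inside what is now a reusable module while `hostName` and `localAddress` were turned into options, so a second `services.mathebau-jitsi` deployment would advertise the wrong ICE candidate and media would fail silently; it should be an option of the same kind. The comment states TLS is terminated by a reverse proxy, but `allowedTCPPorts = [ 80 443 ]` exposes the plain-HTTP backend to every peer, letting clients bypass whatever the proxy enforces, and nothing listens for TLS on 443 at all; scope port 80 to the proxy's address (an interface-scoped `networking.firewall.interfaces.<if>.allowedTCPPorts` or an `extraCommands` rule with `-s <proxy-ip>`) and drop 443. The `localAddress` default applies `head` to `config.networking.interfaces.enX0.ipv4.addresses`, which fails evaluation on any host without a static address on `enX0`; a note such as `# assumes the Xen domU's first static address on enX0 — TODO confirm` would make that visible. Nothing here sets up Prosody authentication, so if the upstream jitsi-meet defaults are kept anyone reaching the vhost can create rooms; confirm that is intended.
```nix
    # … unchanged: enable, hostName, localAddress options …
    publicAddress = mkOption {
      type = str;
      description = "Public IP the videobridge advertises to clients (the NAT's external address).";
    };
    # … unchanged: services.jitsi-meet, jitsi-videobridge.openFirewall …
      nat = {
        publicAddress = cfg.publicAddress;
        localAddress = cfg.localAddress;
      };
```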
From: Gonne Kretschmer Date: Fri, 27 Oct 2023 16:01:07 +0200 Subject: [PATCH 05/10] Prometheus Node Exporter metrics configured. --- nixos/roles/default.nix | 8 +----- nixos/roles/prometheusNodeExporter.nix | 36 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 nixos/roles/prometheusNodeExporter.nix diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 3752a32..bc94eff 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -3,6 +3,7 @@ imports = [ ./admins.nix ./nix_keys.nix + ./prometheusNodeExporter.nix (modulesPath + "/virtualisation/xen-domU.nix") ../modules/impermanence.nix ]; @@ -55,12 +56,5 @@ services = { PasswordAuthentication = false; }; }; - - prometheus.exporters.node = { - enable = true; - port = 9100; }; -}; -# Prometheus Monitoring -networking.firewall.allowedTCPPorts = [ 9100 ]; } diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix new file mode 100644 index 0000000..e717411 --- /dev/null +++ b/nixos/roles/prometheusNodeExporter.nix @@ -0,0 +1,36 @@ +{ + imports = [ ]; + services.prometheus.exporters.node = { + enable = true; + port = 9100; + # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter + # Original reasons are for these lists are unknown, but along the lines + # “This looks useless for VMs, but that seems nice.” + disabledCollectors = [ + "arp" + "bcache" + "btrfs" + "dmi" + "fibrechannel" + "infiniband" + "nfs" + "nvme" + "powersupplyclass" + "rapl" + "selinux" + "tapestats" + "thermal_zone" + "udp_queues" + "xfs" + "zfs" + ]; + enabledCollectors = [ + "buddyinfo" + "ksmd" + "logind" + "mountstats" + "processes" + ]; + }; + networking.firewall.allowedTCPPorts = [ 9100 ]; +} From 2c2b24d0a9c85af0fddd425b28d62d35d04989d9 Mon Sep 17 00:00:00 2001 
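Review bot: `networking.firewall.allowedTCPPorts = [ 9100 ];` in prometheusNodeExporter.nix opens the unauthenticated node exporter on every interface to any host that can reach the machine, and since this file is imported by the shared role it applies to every machine. node_exporter metrics reveal kernel version, mounted filesystems, listening sockets and process counts, which is useful reconnaissance for anyone on the same network. Restrict it to the scraper: bind with `services.prometheus.exporters.node.listenAddress` to the internal address and allow the port only from the Prometheus server, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 9100 -s <prometheus-ip> -j nixos-fw-accept";`, or at least use an interface-scoped `networking.firewall.interfaces.<if>.allowedTCPPorts`. A comment naming the scraping host would also document why the port is open at all.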
From: Gonne Kretschmer Date: Fri, 3 Nov 2023 16:39:28 +0100 Subject: [PATCH 06/10] Setup Impermanence --- nixos/roles/default.nix | 2 +- nixos/roles/prometheusNodeExporter.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index bc94eff..b536d28 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -56,5 +56,5 @@ services = { PasswordAuthentication = false; }; }; - }; +}; } diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index e717411..749c6f4 100644 --- a/nixos/roles/prometheusNodeExporter.nix +++ b/nixos/roles/prometheusNodeExporter.nix @@ -1,3 +1,4 @@ +{config, ...}: { imports = [ ]; services.prometheus.exporters.node = { @@ -33,4 +34,5 @@ ]; }; networking.firewall.allowedTCPPorts = [ 9100 ]; + environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ]; } From a41d377f96235155b61791908997be5b798bc2ce Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Fri, 3 Nov 2023 16:46:26 +0100 Subject: [PATCH 07/10] Reenable nfs collector --- nixos/roles/prometheusNodeExporter.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index 749c6f4..59cacc1 100644 --- a/nixos/roles/prometheusNodeExporter.nix +++ b/nixos/roles/prometheusNodeExporter.nix @@ -14,7 +14,6 @@ "dmi" "fibrechannel" "infiniband" - "nfs" "nvme" "powersupplyclass" "rapl" From b2f094547390a914527628137e283871b0ff268c Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Mon, 6 Nov 2023 12:47:55 +0100 Subject: [PATCH 08/10] Improve comment explaining metrics selection --- nixos/roles/prometheusNodeExporter.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index 59cacc1..9587b2f 100644 --- a/nixos/roles/prometheusNodeExporter.nix 
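Review bot: The persistence entry `"/var/lib/${config.services.prometheus.stateDir}"` reads the state directory option of the Prometheus server, not anything the node exporter writes; as far as the visible configuration shows the exporter keeps no on-disk state, so on hosts that only run the exporter this either persists a directory no service uses or relies on the server option's default for a service that is not enabled. If the intent is to persist the scraping server's data, that belongs in the role that enables `services.prometheus`; otherwise drop the line. At minimum mark the assumption: `# NOTE: node exporter is stateless; this persists the prometheus *server* dir — only needed on the scraping host`.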
+++ b/nixos/roles/prometheusNodeExporter.nix @@ -5,8 +5,11 @@ enable = true; port = 9100; # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter - # Original reasons are for these lists are unknown, but along the lines - # “This looks useless for VMs, but that seems nice.” + # It was compiled along the following steps: + # 1. Does the current Debian release supports the collector? + # 2. Is the collector depracated in the latest release? + # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context + # (e.g. power adapter inside a VM, use fibre port connection)? disabledCollectors = [ "arp" "bcache" From 22d8749f7ae707bdd89fb70b1d2ba27eda8d2e0a Mon Sep 17 00:00:00 2001 From: Gonne Kretschmer Date: Mon, 6 Nov 2023 16:03:35 +0100 Subject: [PATCH 09/10] Fix clock drift --- nixos/roles/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index b536d28..d92b970 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -56,5 +56,7 @@ services = { PasswordAuthentication = false; }; }; +#Prevent clock drift due to interaction problem with xen hardware clock + timesyncd.enable = lib.mkForce true; }; } From de397fa695c086d80731a4d2397a8b7b22b0de6a Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Mon, 6 Nov 2023 21:57:54 +0100 Subject: [PATCH 10/10] removed .gitkeep --- nixos/machines/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 nixos/machines/.gitkeep diff --git a/nixos/machines/.gitkeep b/nixos/machines/.gitkeep deleted file mode 100644 index e69de29..0000000
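Review bot: The rewritten comment in prometheusNodeExporter.nix still has grammar and spelling slips that make the selection criteria harder to read: `# 1. Does the current Debian release support the collector?`, `# 2. Is the collector deprecated in the latest release?`, and `# 3. Could the collected metrics plausibly be used for monitoring, or are they meaningless in our context`. Since these hosts run NixOS, a half sentence on why the Debian package's list is the reference (shared Prometheus setup with the upstream repo, presumably) would keep the next reader from questioning it.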
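Review bot: `timesyncd.enable = lib.mkForce true;` requires `lib` in the module's argument set, and the module header of roles/default.nix is outside this hunk, so confirm it is actually bound. `mkForce` also hides which module sets timesyncd to false, presumably the imported xen-domU profile; the comment should name it and say why the override matters, e.g. `# xen-domU.nix disables timesyncd; force it back on because the Xen hardware clock drifts, and TLS certificate validity checks and log correlation depend on accurate time`. No NTP servers are configured here, so the hosts rely on the upstream defaults; if there is a local NTP source, `services.timesyncd.servers` would be the place to pin it.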