Improve base deployment and pki handling

2020-02-27 15:42:16 +01:00
parent 8846047f04
commit 1257542e46
5 changed files with 135 additions and 189 deletions
--- a/lib/base.nix
+++ b/lib/base.nix
@@ -0,0 +1,63 @@
+{ pkgs, lib, settings, here ? "", ...}:
+with lib;
+rec {
+  pki = import ./pki.nix { inherit pkgs; ca = settings.initca; };
+
+  baseNixos = name: {
+    users.extraUsers.admin.openssh.authorizedKeys.keys =
+     settings.adminAuthorizedKeys;
+
+    boot.kernel.sysctl = {
+      "kernel.mm.transparent_hugepage.enabled" = "never";
+      "net.core.somaxconn" = "512";
+    };
+
+    imports = [
+      ./nixos/configuration.nix
+      (here + "/${name}.nix")
+    ];
+
+    security.pki.certificateFiles = [
+      pki.ca.cert
+    ];
+
+    networking = {
+      hostName = name;
+      extraHosts = settings.clusterHosts;
+      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
+      firewall.allowedTCPPorts = [ 80 443 111 ];
+      firewall.allowedUDPPorts = [ 111 24007 24008 ];
+    };
+    environment.systemPackages = with pkgs; [
+      nfs-utils
+    ];
+  };
+
+  hostCerts =
+    builtins.foldl'
+    (a: x: a // { ${x.name} = pki.gencert {
+        cn = x.name;
+        ca = x.ca;
+        o = settings.clusterName;
+      };
+    }) {} settings.hosts;
+
+
+  mkHost = host: self:
+    {
+      deployment.targetHost = host.address;
+      require = [
+        (baseNixos host.name)
+      ];
+    };
+
+  baseDeployment = attrs:
+    let
+      hosts =
+        builtins.foldl'
+          (a: x: a // { ${x.name} = mkHost x _; }) {} settings.hosts;
+      hosts' = lib.recursiveUpdate hosts attrs;
+      names = builtins.attrNames hosts;
+    in
+      builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
+}