From 7226e50139252920548b98f595d242c23aa834d1 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Wed, 6 Oct 2021 10:59:39 +0200
Subject: [PATCH] Add ngixn with ssl in front of minio

---
 clusters/fs1/default.nix | 64 ++++++++++++++++++++++-
 clusters/fs1/fs1-0.nix | 1 -
 clusters/fs2/default.nix | 62 ++++++++++++++++++++++
 clusters/stokes/{stokes.nix => morph.nix} | 0
 modules | 2 +-
 5 files changed, 125 insertions(+), 4 deletions(-)
 rename clusters/stokes/{stokes.nix => morph.nix} (100%)

diff --git a/clusters/fs1/default.nix b/clusters/fs1/default.nix
index da5bf63..6f47c9d 100644
--- a/clusters/fs1/default.nix
+++ b/clusters/fs1/default.nix
@@ -5,7 +5,6 @@ let
 # sha256 = "1ckzhh24mgz6jd1xhfgx0i9mijk6xjqxwsshnvq789xsavrmsc36";
 # }) {};
 pkgs = import {};
- name = "fs1-0";
 address = "10.1.30.10";
 in {
@@ -20,7 +19,7 @@ in {
 loader.grub = {
 enable = true;
 version = 2;
- device = "/dev/sda1";
+ device = "/dev/sda";
 };
 };
@@ -57,6 +56,36 @@ in {
 '';
 initca = ./ca;
 };
+
+ certs = {
+ enable = true;
+ caBundle = ./ca;
+ certs = [
+ {
+ name = "fs1-0";
+ SANs = [ "fs1-0.itpartner.intern" "10.1.30.10" ];
+ owner = "nginx";
+ group = "nginx";
+ }
+ ];
+ };
+ };
+
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ openFirewall = true;
+ };
+ };
+
+ services.minio = {
+ enable = true;
+ region = "fs1";
+ browser = true;
+ accessKey = "admin";
+ secretKey = "en to tre fire";
+ listenAddress = "0.0.0.0:9000";
+ dataDir = [ "/vol/s3" ];
 };
 
 networking = {
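Review bot: `accessKey = "admin"` and `secretKey = "en to tre fire"` in the added `services.minio` block are committed to the repository, and since the NixOS module hands them to the generated service they presumably also land in the world-readable Nix store on the host; the clusters/fs2/default.nix hunk at -50,6 repeats the same pair. Keep them out of the Nix expression: put the credentials in a root-only file on the host and point the service at it (`services.minio.rootCredentialsFile` where the NixOS release in use provides it, otherwise an `EnvironmentFile` on the unit), and rotate the values now that they are in git history. The `fs = { … }` block that the added `+ };` closes starts outside the hunk.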
@@ -73,8 +102,39 @@ in {
 prefixLength = 24;
 }
 ];
 };
+ firewall = {
+ allowedTCPPorts = [ 443 9000 9001 ];
+ allowedUDPPorts = [];
+ };
 };
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ virtualHosts = {
+ "fs1-0.itpartner.intern" = {
+ forceSSL = true;
+ enableACME = false;
+ sslTrustedCertificate = "/var/lib/secrets/ca.pem";
+ sslCertificate = "/var/lib/secrets/fs1-0.pem";
+ sslCertificateKey = "/var/lib/secrets/fs1-0-key.pem";
+ serverAliases = [];
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9001";
+ extraConfig = ''
+ allow all;
+ '';
+ };
+ };
+
+ };
+ };
+
+ # nixos 21.11 will fix this properly
+ nixpkgs.overlays = [ (import ../../modules/overlays/minio.nix) ];
+ systemd.services.minio.serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";
+
 imports = [ ../../nixos ../../modules ./fs1-0.nix ];
 };
 }
diff --git a/clusters/fs1/fs1-0.nix b/clusters/fs1/fs1-0.nix
index d431995..9ed7a96 100644
--- a/clusters/fs1/fs1-0.nix
+++ b/clusters/fs1/fs1-0.nix
@@ -25,5 +25,4 @@
 swapDevices = [ ];
- virtualisation.vmware.guest.enable = true;
 }
diff --git a/clusters/fs2/default.nix b/clusters/fs2/default.nix
index 8edc9ce..cb8e99f 100644
--- a/clusters/fs2/default.nix
+++ b/clusters/fs2/default.nix
@@ -42,6 +42,7 @@ in {
 "ssh-rsa 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 ski027@uit.no"
 ];
 };
+
 fs = {
 enable = true;
 nfs.enable = true;
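Review bot: The nginx TLS front added in `services.nginx` can be bypassed, because `allowedTCPPorts = [ 443 9000 9001 ]` opens the plaintext console on 9001 and the S3 API on 9000 alongside 443, and the `lib.mkForce` ExecStart binds both with `--address :9000 --console-address :9001` on every interface; the clusters/fs2/default.nix hunk at -66,8 has the same layout. Bind the console to loopback so only nginx reaches it, `--console-address 127.0.0.1:9001`, and trim the firewall to `allowedTCPPorts = [ 443 ];` unless clients genuinely need to speak plain-HTTP S3 on 9000 directly. Note also that the forced ExecStart makes `services.minio.listenAddress` inert (the bind address now comes from the command line), and `allow all;` in `extraConfig` is nginx's default and can be dropped. The `networking = { … }` block that receives the firewall lines starts outside the hunk.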
@@ -50,6 +51,36 @@ in {
 '';
 initca = ./ca;
 };
+
+ certs = {
+ enable = true;
+ caBundle = ./ca;
+ certs = [
+ {
+ name = "fs2-0";
+ SANs = [ "fs2-0.itpartner.intern" "10.1.8.10" ];
+ owner = "nginx";
+ group = "nginx";
+ }
+ ];
+ };
+ };
+
+ services.minio = {
+ enable = true;
+ region = "fs2";
+ browser = true;
+ accessKey = "admin";
+ secretKey = "en to tre fire";
+ listenAddress = "0.0.0.0:9000";
+ dataDir = [ "/vol/s3" ];
+ };
+
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ openFirewall = true;
+ };
 };
 
 networking = {
@@ -66,8 +97,39 @@ in {
 prefixLength = 24;
 }
 ];
 };
+ firewall = {
+ allowedTCPPorts = [ 443 9000 9001 ];
+ allowedUDPPorts = [];
+ };
 };
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ virtualHosts = {
+ "fs2-0.itpartner.intern" = {
+ forceSSL = true;
+ enableACME = false;
+ sslTrustedCertificate = "/var/lib/secrets/ca.pem";
+ sslCertificate = "/var/lib/secrets/fs2-0.pem";
+ sslCertificateKey = "/var/lib/secrets/fs2-0-key.pem";
+ serverAliases = [];
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9001";
+ extraConfig = ''
+ allow all;
+ '';
+ };
+ };
+
+ };
+ };
+
+ # nixos 21.11 will fix this properly
+ nixpkgs.overlays = [ (import ../../modules/overlays/minio.nix) ];
+ systemd.services.minio.serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";
+
 imports = [ ../../nixos ../../modules ./fs2-0.nix ];
 };
 }
diff --git a/clusters/stokes/stokes.nix b/clusters/stokes/morph.nix
similarity index 100%
rename from clusters/stokes/stokes.nix
rename to clusters/stokes/morph.nix
diff --git a/modules b/modules
index 6880bb8..328fe7a 160000
--- a/modules
+++ b/modules
@@ -1 +1 @@
-Subproject commit 6880bb839e43861995ca4a506958c4317aa0cc5e
+Subproject commit 328fe7a33aab16ffa96cf875e4f2e2faad9465fd