2021-02-07 21:23:23 +00:00
|
|
|
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
{ depot, lib, pkgs, rebuilder, config, ... }:
|
|
|
|
let
|
|
|
|
inherit (depot.ops) secrets;
|
|
|
|
in {
|
|
|
|
imports = [
|
2022-08-27 18:38:03 +00:00
|
|
|
../lib/minimal.nix
|
2021-02-07 21:23:23 +00:00
|
|
|
../lib/zfs.nix
|
|
|
|
];
|
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
options.my.blade = {
|
|
|
|
bay = lib.mkOption {
|
|
|
|
type = lib.types.int;
|
|
|
|
};
|
|
|
|
macAddress.internal = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
};
|
|
|
|
macAddress.storage = lib.mkOption {
|
2021-03-14 15:52:53 +00:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
2021-02-07 21:23:23 +00:00
|
|
|
};
|
2021-03-12 14:47:08 +00:00
|
|
|
macAddress.internet = lib.mkOption {
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
default = null;
|
2021-02-13 16:07:33 +00:00
|
|
|
};
|
2021-12-17 00:27:24 +00:00
|
|
|
macAddress.public = lib.mkOption {
|
|
|
|
# If not using a VLAN.
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
default = null;
|
|
|
|
};
|
2021-02-07 21:23:23 +00:00
|
|
|
};
|
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
config = {
|
|
|
|
boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "uhci_hcd" "be2iscsi" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
|
|
|
|
boot.kernelModules = [ "kvm-amd" "acpi_power_meter" "acpi_ipmi" "ipmi_si" ];
|
2021-03-14 17:39:07 +00:00
|
|
|
|
|
|
|
# Enable serial console.
|
|
|
|
boot.loader.grub.extraConfig = ''
|
|
|
|
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
|
|
|
|
terminal_input console serial
|
|
|
|
terminal_output console serial
|
|
|
|
'';
|
|
|
|
boot.kernelParams = [
|
|
|
|
"console=tty1"
|
|
|
|
"console=ttyS0,115200" # <-- /dev/console
|
|
|
|
|
|
|
|
"mitigations=off"
|
|
|
|
];
|
2021-04-10 19:59:56 +00:00
|
|
|
|
|
|
|
my.rundeck.tags = [ "blade" ];
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
fileSystems = let
|
|
|
|
zfs = device: {
|
|
|
|
device = device;
|
|
|
|
fsType = "zfs";
|
|
|
|
};
|
2021-03-31 21:20:08 +00:00
|
|
|
tmpfs = size: {
|
|
|
|
device = "none";
|
|
|
|
fsType = "tmpfs";
|
|
|
|
options = [ "defaults" "size=${size}" "mode=755" ];
|
2021-03-31 21:20:56 +00:00
|
|
|
};
|
2021-02-24 19:58:15 +00:00
|
|
|
in {
|
2021-03-12 14:47:08 +00:00
|
|
|
"/" = zfs "tank/local/root";
|
|
|
|
"/tmp" = zfs "tank/local/tmp";
|
|
|
|
"/nix" = zfs "tank/local/nix";
|
|
|
|
"/var" = zfs "tank/safe/var";
|
|
|
|
"/home" = zfs "tank/safe/home";
|
|
|
|
"/boot" = {
|
|
|
|
device = "/dev/disk/by-label/boot";
|
|
|
|
fsType = "ext4";
|
|
|
|
};
|
2021-03-31 21:20:08 +00:00
|
|
|
"/var/log" = tmpfs "2G";
|
|
|
|
"/var/cache" = tmpfs "16G";
|
2021-03-14 14:35:36 +00:00
|
|
|
} // (lib.optionalAttrs (config.services.ceph.osd.enable || config.services.ceph.mgr.enable || config.services.ceph.mon.enable || config.services.ceph.mgr.enable) {
|
|
|
|
"/var/lib/ceph" = {
|
|
|
|
device = "/dev/disk/by-label/var-lib-ceph";
|
|
|
|
fsType = "xfs";
|
|
|
|
};
|
|
|
|
});
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
boot.loader.grub.enable = true;
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
# Networking!
|
|
|
|
networking = {
|
|
|
|
domain = "blade.as205479.net";
|
|
|
|
nameservers = ["8.8.8.8" "8.8.4.4"];
|
2021-03-28 12:32:01 +00:00
|
|
|
search = lib.mkBefore [
|
2021-03-28 12:18:06 +00:00
|
|
|
"blade.as205479.net"
|
|
|
|
"storage.blade.as205479.net"
|
|
|
|
];
|
2021-03-12 14:47:08 +00:00
|
|
|
bridges = let
|
|
|
|
br = interfaces: { interfaces = lib.mkDefault interfaces; rstp = false; };
|
|
|
|
in {
|
|
|
|
br-mgmt = br [ "en-int" ];
|
2021-12-17 00:27:24 +00:00
|
|
|
br-public = br [ (if config.my.blade.macAddress.public == null then "vl-int-public" else "en-public") ];
|
2021-03-12 14:47:08 +00:00
|
|
|
};
|
2021-12-17 00:27:24 +00:00
|
|
|
vlans = ({} //
|
|
|
|
(if config.my.blade.macAddress.public == null then {
|
|
|
|
vl-int-public = {
|
|
|
|
id = 100;
|
|
|
|
interface = "en-int";
|
|
|
|
};
|
|
|
|
} else {}));
|
2021-02-08 20:45:15 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
interfaces.br-mgmt.ipv4.addresses = lib.mkBefore [{
|
|
|
|
address = "10.100.0.${toString (100 + config.my.blade.bay)}";
|
|
|
|
prefixLength = 23;
|
|
|
|
}];
|
|
|
|
interfaces.en-storage.ipv4.addresses = lib.mkBefore [{
|
|
|
|
address = "10.100.2.${toString (100 + config.my.blade.bay)}";
|
|
|
|
prefixLength = 24;
|
|
|
|
}];
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
defaultGateway = lib.mkDefault "10.100.0.1";
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-13 20:58:43 +00:00
|
|
|
firewall.allowedUDPPorts = [
|
|
|
|
41641 # Tailscale
|
|
|
|
];
|
2021-03-19 21:27:15 +00:00
|
|
|
firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
|
|
|
|
firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
|
2021-03-13 16:41:05 +00:00
|
|
|
|
2021-08-31 01:37:34 +00:00
|
|
|
firewall.extraCommands = ''
|
|
|
|
iptables -A nixos-fw -i en-storage -s 10.100.2.0/23 -j ACCEPT
|
|
|
|
iptables -A nixos-fw -i br-mgmt -s 10.100.0.0/23 -j ACCEPT
|
|
|
|
'';
|
|
|
|
|
2021-03-13 16:41:05 +00:00
|
|
|
nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
|
|
|
|
enable = true;
|
|
|
|
internalInterfaces = [ "br-mgmt" ];
|
2021-08-15 22:02:51 +00:00
|
|
|
externalInterface = "vl-transit";
|
2021-08-20 23:34:54 +00:00
|
|
|
externalIP = "92.118.28.1";
|
2021-03-13 16:41:05 +00:00
|
|
|
};
|
2021-02-13 16:29:18 +00:00
|
|
|
};
|
2021-03-12 14:47:08 +00:00
|
|
|
services.udev.extraRules = ''
|
|
|
|
ATTR{address}=="${config.my.blade.macAddress.internal}", NAME="en-int"
|
2021-03-14 15:52:53 +00:00
|
|
|
'' + (lib.optionalString (config.my.blade.macAddress.storage != null) ''
|
2021-03-12 14:47:08 +00:00
|
|
|
ATTR{address}=="${config.my.blade.macAddress.storage}", NAME="en-storage"
|
2021-03-14 15:56:58 +00:00
|
|
|
'') + (lib.optionalString (config.my.blade.macAddress.internet != null) ''
|
2021-03-12 14:47:08 +00:00
|
|
|
ATTR{address}=="${config.my.blade.macAddress.internet}", NAME="en-internet"
|
2021-12-17 00:27:24 +00:00
|
|
|
'') + (lib.optionalString (config.my.blade.macAddress.public != null) ''
|
|
|
|
ATTR{address}=="${config.my.blade.macAddress.public}", NAME="en-public"
|
2021-03-12 14:47:08 +00:00
|
|
|
'');
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
ceph
|
|
|
|
xfsprogs
|
|
|
|
];
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
services.ceph = {
|
|
|
|
enable = true;
|
|
|
|
global.fsid = "521a59a5-a597-4432-b248-1ecd3c76ca4c";
|
2021-03-14 14:35:32 +00:00
|
|
|
global.monHost = "10.100.2.103, 10.100.2.106, 10.100.2.102";
|
2021-03-12 14:47:08 +00:00
|
|
|
global.monInitialMembers = "blade-janeway, blade-tuvok, blade-paris";
|
2021-03-14 14:35:32 +00:00
|
|
|
global.publicNetwork = "10.100.2.0/24";
|
|
|
|
global.clusterNetwork = "10.100.2.0/24";
|
2021-03-19 19:45:03 +00:00
|
|
|
extraConfig.rgw_dns_name = "objdump.zxcvbnm.ninja";
|
2021-04-23 13:32:34 +00:00
|
|
|
extraConfig.rgw_data_log_backing = "omap";
|
|
|
|
extraConfig.rgw_default_data_log_backing = "omap";
|
2021-03-12 14:47:08 +00:00
|
|
|
mon.daemons = [ config.networking.hostName ];
|
|
|
|
mds.daemons = [ config.networking.hostName ];
|
|
|
|
rgw.daemons = [ config.networking.hostName ];
|
|
|
|
mgr.daemons = [ config.networking.hostName ];
|
|
|
|
mgr.enable = config.services.ceph.mon.enable;
|
|
|
|
rgw.enable = true;
|
2022-05-02 16:40:32 +00:00
|
|
|
client.enable = true;
|
|
|
|
client.extraConfig = {
|
|
|
|
"client.libvirt" = {
|
|
|
|
rbd_cache = "true";
|
|
|
|
rbd_cache_policy = "writeback";
|
|
|
|
rbd_cache_size = "2Gi";
|
|
|
|
rbd_cache_max_dirty = "1792Mi";
|
|
|
|
rbd_cache_target_dirty = "128Mi";
|
|
|
|
};
|
|
|
|
};
|
2021-03-12 14:47:08 +00:00
|
|
|
};
|
|
|
|
systemd.services.ceph-osd-lvm-activate = lib.mkIf config.services.ceph.osd.enable {
|
|
|
|
enable = true;
|
|
|
|
description = "Ceph OSD pre-start";
|
|
|
|
before = [ "network-online.target" "ceph-osd.target" ];
|
|
|
|
wantedBy = [ "ceph-osd.target" ];
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
path = [ pkgs.lvm2.bin pkgs.util-linux pkgs.coreutils ];
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
ExecStart = "${pkgs.ceph.out}/bin/ceph-volume lvm activate --all --no-systemd";
|
|
|
|
};
|
2021-02-11 02:21:59 +00:00
|
|
|
};
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
virtualisation.libvirtd = {
|
|
|
|
enable = true;
|
2021-11-05 01:34:04 +00:00
|
|
|
qemu = {
|
|
|
|
runAsRoot = true;
|
2022-04-10 02:20:41 +00:00
|
|
|
package = pkgs.qemu.override {
|
|
|
|
gtkSupport = false;
|
|
|
|
sdlSupport = false;
|
2022-08-26 20:00:52 +00:00
|
|
|
spiceSupport = true;
|
2022-04-10 02:20:41 +00:00
|
|
|
cephSupport = true;
|
|
|
|
smartcardSupport = false;
|
|
|
|
pulseSupport = false;
|
|
|
|
alsaSupport = false;
|
|
|
|
libiscsiSupport = false;
|
|
|
|
|
|
|
|
hostCpuOnly = true;
|
|
|
|
};
|
2021-11-05 01:34:04 +00:00
|
|
|
};
|
2021-03-12 14:47:08 +00:00
|
|
|
package = pkgs.libvirt.override {
|
|
|
|
enableCeph = true;
|
|
|
|
enableIscsi = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
security.polkit.enable = true;
|
|
|
|
users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
|
2021-03-13 20:57:04 +00:00
|
|
|
|
2021-03-14 17:25:03 +00:00
|
|
|
# Our disk is slow; don't write to it...
|
2021-03-13 20:57:04 +00:00
|
|
|
services.journald.extraConfig = ''
|
|
|
|
Storage=volatile
|
|
|
|
'';
|
2021-03-14 17:25:03 +00:00
|
|
|
systemd.coredump.extraConfig = ''
|
|
|
|
Storage=none
|
|
|
|
ProcessSizeMax=0
|
|
|
|
'';
|
2021-08-30 18:58:21 +00:00
|
|
|
|
2021-03-12 14:47:08 +00:00
|
|
|
system.stateVersion = "21.05";
|
2021-02-10 23:38:05 +00:00
|
|
|
};
|
2021-02-07 21:23:23 +00:00
|
|
|
}
|