diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index 6e7042b143..8df2fff134 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@@ -15,7 +15,7 @@ let
 system = builtins.currentSystem; modules = [ (baseModule systemName) (args: { imports = [ lib/common.nix config ]; }) ]; });
- systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" "totoro" "kusakabe" "swann" "clouvider-lon01" ];
+ systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" "totoro" "kusakabe" "swann" "clouvider-lon01" "etheroute-lon01" ];
 rebuilder = system: (import ./lib/rebuilder.nix (args // { system = system; })); systemCfgs = lib.genAttrs systems (name: import (./. + "/${name}"));
diff --git a/ops/nixos/etheroute-lon01/README.md b/ops/nixos/etheroute-lon01/README.md
new file mode 100644
index 0000000000..379ca465ef
--- /dev/null
+++ b/ops/nixos/etheroute-lon01/README.md
@@ -0,0 +1,18 @@
+
+
+# etheroute-lon01.as205479.net
+
+Dedicated host running NixOS on Etheroute. PowerEdge R210.
+
+* Xeon X3430 @ 2.40GHz (4 cores).
+* 16GiB RAM.
+* WD1002FBYS-0 1TB HDD
+
+Internet:
+
+* 83.97.19.68/27 (gw 83.97.19.65)
+* 2a07:242:800:64::68/64 (gw 2a07:242:800:64::1)
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
new file mode 100644
index 0000000000..3836185420
--- /dev/null
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -0,0 +1,168 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, rebuilder, config, ... }:
+let
+ inherit (depot.ops) secrets;
+ machineSecrets = secrets.machineSpecific.etheroute-lon01;
+in {
+ imports = [
+ ../lib/bgp.nix
+ ../lib/zfs.nix
+ ];
+
+ boot.initrd = {
+ availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ "bnx2" # ethernet
+ ];
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ hostKeys = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+ authorizedKeys = map builtins.readFile config.users.users.lukegb.openssh.authorizedKeys.keyFiles;
+ };
+ postCommands = ''
+ echo "zfs load-key -a; killall zfs" >> /root/.profile
+ '';
+ };
+ };
+ boot.kernelParams = [
+ "ip=83.97.19.68::83.97.19.65:255.255.255.224:etheroute-lon01:eno1:none"
+ ];
+ boot.kernelModules = [ "kvm-intel" ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+ services.zfs.rollbackOnBoot = {
+ enable = true;
+ snapshot = "tank/local/root@blank";
+ };
+
+ fileSystems = let
+ zfs = device: {
+ device = device;
+ fsType = "zfs";
+ };
+ in {
+ "/" = zfs "tank/local/root";
+ "/nix" = zfs "tank/local/nix";
+ "/tmp" = zfs "tank/local/tmp";
+
+ "/persist" = zfs "tank/safe/persist";
+ "/home" = zfs "tank/safe/home";
+
+ "/boot" = {
+ device = "/dev/disk/by-partlabel/ESP";
+ fsType = "vfat";
+ };
+ };
+
+ nix.maxJobs = lib.mkDefault 8;
+
+ # Networking!
+ networking = {
+ hostName = "etheroute-lon01";
+ domain = "as205479.net";
+ hostId = "420bee1b";
+
+ nameservers = [
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+ "8.8.8.8"
+ "8.8.4.4"
+ ];
+ useDHCP = false;
+ defaultGateway = {
+ address = "83.97.19.65";
+ interface = "eno1";
+ };
+ defaultGateway6 = {
+ address = "2a07:242:800:64::1";
+ interface = "eno1";
+ };
+ interfaces.eno1 = {
+ ipv4.addresses = [{ address = "83.97.19.68"; prefixLength = 27; }];
+ ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
+ };
+ };
+ my.ip.tailscale = "100.111.191.21";
+
+ services.openssh.hostKeys = [
+ {
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+
+ users.users = {
+ lukegb.extraGroups = [ "bird2" ];
+ };
+
+ services.lukegbgp = let local = {
+ asn = 205479;
+ }; in {
+ enable = true;
+ config = {
+ local = {
+ routerID = "83.97.19.68";
+ };
+ peering = {
+ etheroute = {
+ local = local // {
+ v4 = "83.97.19.68";
+ v6 = "2a07:242:800:64::68";
+ };
+ remote = {
+ asn = 16089;
+ export_community = 4000;
+ routers = [{
+ v4 = "83.97.19.65";
+ v6 = "2a07:242:800:64::1";
+ }];
+ };
+ };
+ };
+ };
+ };
+
+ systemd.mounts = let
+ bindMount' = dir: {
+ unitConfig.RequiresMountsFor = dir;
+ options = "bind";
+ what = "/persist${dir}";
+ where = dir;
+ };
+ bindMountSvc = dir: svc: (bindMount' dir) // {
+ bindsTo = [svc];
+ partOf = [svc];
+ };
+ bindMountSvcDynamic = dir: svc: (bindMount' "/var/lib/private/${dir}") // {
+ requiredBy = [svc];
+ before = [svc];
+ wantedBy = ["multi-user.target"];
+ };
+ bindMount = dir: (bindMount' dir) // {
+ wantedBy = ["multi-user.target"];
+ };
+ in [
+ (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
+ ];
+
+ system.stateVersion = "20.09";
+}
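Review bot: The initrd SSH server reuses the production host key: `boot.initrd.network.ssh.hostKeys` points at `/persist/etc/ssh/ssh_host_ed25519_key`, the same file that `services.openssh.hostKeys` uses later in this hunk. As far as I know NixOS embeds initrd host keys in the initrd image, which on this host lives on the unencrypted vfat ESP mounted at `/boot`, so anyone able to read that partition obtains the key the real sshd presents after unlock and can impersonate the host; a key used only for the pre-unlock environment keeps that exposure contained, e.g. `hostKeys = [ "/persist/etc/ssh/initrd_ssh_host_ed25519_key" ];` (file name illustrative, to be generated separately). Separately, `machineSecrets` in the top `let` block and the `bindMountSvcDynamic`/`bindMount` helpers under `systemd.mounts` are defined but never referenced in this file, so either their intended use is missing or they can be dropped.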