From 7795bd1d0fa1a806493acb6fc07a7d44bae57688 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Wed, 4 Nov 2020 15:51:55 +0000 Subject: [PATCH] clouvider-lon01: init --- ops/nixos/clouvider-lon01/README.md | 18 +++ ops/nixos/clouvider-lon01/default.nix | 155 ++++++++++++++++++++++++++ ops/nixos/default.nix | 2 +- 3 files changed, 174 insertions(+), 1 deletion(-) create mode 100644 ops/nixos/clouvider-lon01/README.md create mode 100644 ops/nixos/clouvider-lon01/default.nix
diff --git a/ops/nixos/clouvider-lon01/README.md b/ops/nixos/clouvider-lon01/README.md
new file mode 100644
index 0000000000..115786695d
--- /dev/null
+++ b/ops/nixos/clouvider-lon01/README.md
@@ -0,0 +1,18 @@
+
+
+# clouvider-lon01.as205479.net
+
+Dedicated host running NixOS on clouvider.co.uk.
+
+* Xeon E3-1275v6 @ 3.80GHz (8 cores).
+* 64GiB RAM.
+* 2x 256GiB Samsung SSD 850.
+
+Internet:
+
+* 185.198.188.29
+* 2a0a:54c0:0:17::2
diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
new file mode 100644
index 0000000000..4596428131
--- /dev/null
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -0,0 +1,155 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, rebuilder, config, ... }:
+let
+ inherit (depot.ops) secrets;
+ machineSecrets = secrets.machineSpecific.clouvider-lon01;
+in {
+ imports = [
+ ../lib/zfs.nix
+ ../lib/bgp.nix
+ ];
+
+ boot.initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ "igb"
+ ];
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ hostKeys = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+ authorizedKeys = map builtins.readFile config.users.users.lukegb.openssh.authorizedKeys.keyFiles;
+ };
+ postCommands = ''
+ echo "zfs load-key -a; killall zfs" >> /root/.profile
+ '';
+ };
+ };
+ boot.kernelParams = [
+ "ip=185.198.188.29::185.198.188.28:255.255.255.254:clouvider-lon01:enp1s0f0:none"
+ ];
+ boot.kernelModules = [ "kvm-intel" ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+
+ fileSystems = let
+ zfs = device: {
+ device = device;
+ fsType = "zfs";
+ };
+ in {
+ "/" = zfs "tank/local/root";
+ "/nix" = zfs "tank/local/nix";
+ "/persist" = zfs "tank/safe/persist";
+ "/home" = zfs "tank/safe/home";
+
+ "/boot1" = {
+ device = "/dev/disk/by-partlabel/boota";
+ fsType = "vfat";
+ };
+ "/boot2" = {
+ device = "/dev/disk/by-partlabel/bootb";
+ fsType = "vfat";
+ };
+ };
+
+ nix.maxJobs = lib.mkDefault 8;
+
+ # Use GRUB, so we can have mirrored bootloaders.
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ zfsSupport = true;
+ efiSupport = true;
+ mirroredBoots = map (path: {
+ inherit path;
+ devices = ["nodev"];
+ efiSysMountPoint = path;
+ }) ["/boot1" "/boot2"];
+ };
+
+ # Networking!
+ networking = {
+ hostName = "clouvider-lon01";
+ domain = "as205479.net";
+ hostId = "29aaa324";
+
+ nameservers = [
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+ "8.8.8.8"
+ "8.8.4.4"
+ ];
+ useDHCP = false;
+ defaultGateway = {
+ address = "185.198.188.28";
+ interface = "br-ext";
+ };
+ defaultGateway6 = {
+ address = "2a0a:54c0:0:17::1";
+ interface = "br-ext";
+ };
+ bridges.br-ext.interfaces = ["enp1s0f0"];
+ interfaces.br-ext = {
+ ipv4.addresses = [{ address = "185.198.188.29"; prefixLength = 31; }];
+ ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
+ };
+ firewall.allowPing = true;
+ };
+
+ services.openssh.hostKeys = [
+ {
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+
+ users.users = {
+ lukegb.extraGroups = [ "bird2" ];
+ };
+
+ services.lukegbgp = let local = {
+ asn = 205479;
+ }; in {
+ enable = true;
+ config = {
+ local = {
+ routerID = "185.198.188.29";
+ };
+ peering = {
+ clouvider = {
+ local = local // {
+ v4 = "185.198.188.29";
+ v6 = "2a0a:54c0:0:17::2";
+ };
+ remote = {
+ asn = 62240;
+ export_community = 3000;
+ routers = [{
+ v4 = "185.198.188.28";
+ v6 = "2a0a:54c0:0:17::1";
+ }];
+ };
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "20.09";
+}
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index ada600ca88..2493ea7bf3 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
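Review bot: The initrd sshd reuses the host's long-term SSH identity: `boot.initrd.network.ssh.hostKeys = ["/persist/etc/ssh/ssh_host_ed25519_key"]` is the same file that `services.openssh.hostKeys` serves, and a key handed to the initrd ends up in the initrd image (or its appended secrets), which lives on the unencrypted vfat partitions `/boot1` and `/boot2` outside the ZFS datasets that `zfs load-key -a` is there to unlock. Anyone who can read those partitions or the raw disks (hosting provider, rescue console, a recycled drive) can then impersonate this host to every client that has pinned it. Generate a dedicated key for the initrd instead, e.g. `hostKeys = ["/persist/etc/ssh/initrd_ssh_host_ed25519_key"];`, and because both daemons answer on the same address, put the initrd sshd on its own port (`boot.initrd.network.ssh.port = 2222;`) so clients keep a separate known_hosts entry rather than getting trained to accept key-mismatch warnings. Separately, the `machineSecrets` binding in the `let` block is never referenced in this file and can be dropped unless a follow-up commit uses it.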
@@ -15,7 +15,7 @@ let system = builtins.currentSystem; modules = [ (baseModule systemName) (args: { imports = [ lib/common.nix config ]; }) ]; }); - systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" "totoro" "kusakabe" "swann" ]; + systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" "totoro" "kusakabe" "swann" "clouvider-lon01" ]; rebuilder = system: (import ./lib/rebuilder.nix (args // { system = system; })); systemCfgs = lib.genAttrs systems (name: import (./. + "/${name}"));