rexxar: init

No BGP yet.
2024-03-25 19:13:05 +00:00 · 2024-03-25 19:13:05 +00:00 · e7a1cf462c
commit e7a1cf462c
parent 9aece1027e
8 changed files with 245 additions and 63 deletions
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@ -50,6 +50,7 @@ let
    "kerrigan"
    "cofractal-ams01"
    "laputa"
+    "rexxar"
  ];
  rebuilder = system: (import ./lib/rebuilder.nix (args // { system = system; }));
  systemCfgs = lib.genAttrs systems
--- a/ops/nixos/installcd/default.nix
+++ b/ops/nixos/installcd/default.nix
@ -13,7 +13,7 @@ in {
  isoImage.isoName = lib.mkForce "nixos-${depot.version}-${pkgs.stdenv.hostPlatform.system}.iso";

  isoImage.storeContents = [
-    depot.ops.nixos.systems.nausicaa
+    depot.ops.nixos.systems.rexxar
  ];

  system.disableInstallerTools = false;
--- a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
+++ b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
@ -21,5 +21,4 @@ $INCLUDE tmpl.ns
 3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR lukegb01.ring.nlnog.net.
 4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR alps22tag.quadv.com.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR gw.public.as205479.net.
-e.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-paris.public.as205479.net.
-f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-tuvok.public.as205479.net.
+f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR rexxar.public.as205479.net.
--- a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
+++ b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
 250 600 IN PTR 92-118-28-250.ptr.as205479.net.
 251 600 IN PTR 92-118-28-251.ptr.as205479.net.
 252 600 IN PTR wg-gw.public.as205479.net.
-253 600 IN PTR blade-paris.public.as205479.net.
-254 600 IN PTR blade-tuvok.public.as205479.net.
+253 600 IN PTR 92-118-28-253.ptr.as205479.net.
+254 600 IN PTR rexxar.public.as205479.net.
 255 600 IN PTR 92-118-28-255.ptr.as205479.net.
--- a/ops/nixos/lib/coredns/zones/db.as205479.net
+++ b/ops/nixos/lib/coredns/zones/db.as205479.net
@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0

 ;              MNAME                        RNAME                  SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA   frantech-lux01.as205479.net. hostmaster.lukegb.com. 57     600     450   3600   300
+@ 600 IN SOA   frantech-lux01.as205479.net. hostmaster.lukegb.com. 58     600     450   3600   300

 ; NB: this are also glue records in Google Domains.
 $INCLUDE tmpl.ns
@ -70,22 +70,16 @@ cofractal-ams01     3600 IN AAAA 2a09:a446:1337:ffff::10
 cofractal-ams01.int 3600 IN A    100.83.36.130
 cofractal-ams01.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6253:2482

-blade-tuvok         3600 IN A    195.74.55.21
-blade-tuvok         3600 IN AAAA 2a03:ee40:8080:9:1::2
-blade-tuvok.int     3600 IN A    100.119.123.33
-blade-tuvok.int     3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6277:7b21
-
-blade-paris         3600 IN A    195.74.55.23
-blade-paris         3600 IN AAAA 2a03:ee40:8080:9:2::2
-blade-paris.int     3600 IN A    100.81.131.61
-blade-paris.int     3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6251:833d
-
-blade-torres.int    3600 IN A    100.92.118.36
-blade-torres.int    3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:625c:7624
-blade-kim.int       3600 IN A    100.84.36.62
-blade-janeway.int   3600 IN A    100.121.116.85
-blade-janeway.int   3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6279:7455
-blade-chakotay.int  3600 IN A    100.121.11.7
+rexxar              3600 IN A    195.74.55.21
+rexxar              3600 IN AAAA 2a03:ee40:8080:9:1::2
+velox1.rexxar       3600 IN A    195.74.55.21
+velox1.rexxar       3600 IN AAAA 2a03:ee40:8080:9:1::2
+rexxar              3600 IN A    195.74.55.23
+rexxar              3600 IN AAAA 2a03:ee40:8080:9:2::2
+velox2.rexxar       3600 IN A    195.74.55.23
+velox2.rexxar       3600 IN AAAA 2a03:ee40:8080:9:2::2
+rexxar.int          3600 IN A    100.97.110.48
+rexxar.int          3600 IN AAAA fd7a:115c:a1e0::3a01:6e30

 bvm-nixosmgmt.int   3600 IN A    100.65.226.19
 bvm-nixosmgmt.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6241:e213
@ -146,36 +140,6 @@ mldn-rd                      3600 IN AAAA 2a09:a443::1
 eduroam.mldn-rd              3600 IN A    92.118.30.253
 eduroam.mldn-rd              3600 IN AAAA 2a09:a443:2::1

-; blade internal
-blade-oa.blade               3600 IN A    10.100.1.200
-blade-vcenet1.blade          3600 IN A    10.100.1.201
-blade-vcenet2.blade          3600 IN A    10.100.1.202
-blade-vcm.blade              3600 IN A    10.100.1.203
-
-blade-kim.blade              3600 IN A    10.100.0.101
-blade-kim-ilo.blade          3600 IN A    10.100.1.101
-blade-kim.storage.blade      3600 IN A    10.100.2.101
-
-blade-paris.blade            3600 IN A    10.100.0.102
-blade-paris-ilo.blade        3600 IN A    10.100.1.102
-blade-paris.storage.blade    3600 IN A    10.100.2.102
-
-blade-janeway.blade          3600 IN A    10.100.0.103
-blade-janeway-ilo.blade      3600 IN A    10.100.1.103
-blade-janeway.storage.blade  3600 IN A    10.100.2.103
-
-blade-chakotay.blade         3600 IN A    10.100.0.105
-blade-chakotay-ilo.blade     3600 IN A    10.100.1.105
-blade-chakotay.storage.blade 3600 IN A    10.100.2.105
-
-blade-tuvok.blade            3600 IN A    10.100.0.106
-blade-tuvok-ilo.blade        3600 IN A    10.100.1.106
-blade-tuvok.storage.blade    3600 IN A    10.100.2.106
-
-blade-torres.blade           3600 IN A    10.100.0.108
-blade-torres-ilo.blade       3600 IN A    10.100.1.108
-blade-torres.storage.blade   3600 IN A    10.100.2.108
-
 bvm-nixosmgmt.blade          3600 IN A    10.100.0.200
 bvm-twitterchiver.blade      3600 IN A    10.100.0.201
 bvm-prosody.blade            3600 IN A    10.100.0.202
@ -190,23 +154,14 @@ bvm-logger.blade             3600 IN A    10.100.0.209
 bvm-paperless.blade          3600 IN A    10.100.0.211

 ; services
-; ceph-mon: blade-tuvok, blade-janeway, blade-paris
-ceph-mon.storage.blade       60   IN A    10.100.2.106
-ceph-mon.storage.blade       60   IN A    10.100.2.103
-ceph-mon.storage.blade       60   IN A    10.100.2.102
-_ceph-mon._tcp.storage.blade 60   IN SRV  10 10 6789 blade-tuvok.storage.blade.as205479.net.
-_ceph-mon._tcp.storage.blade 60   IN SRV  10 10 6789 blade-janeway.storage.blade.as205479.net.
-_ceph-mon._tcp.storage.blade 60   IN SRV  10 10 6789 blade-paris.storage.blade.as205479.net.

 ; public
 gw.public                    3600 IN A    92.118.28.1
 gw.public                    3600 IN AAAA 2a09:a441::1
 wg-gw.public                 3600 IN A    92.118.28.252
 wg-gw.public                 3600 IN AAAA 2a09:a441::f00f
-blade-tuvok.public           3600 IN A    92.118.28.254
-blade-tuvok.public           3600 IN AAAA 2a09:a441::ffff
-blade-paris.public           3600 IN A    92.118.28.253
-blade-paris.public           3600 IN AAAA 2a09:a441::fffe
+rexxar.public                3600 IN A    92.118.28.254
+rexxar.public                3600 IN AAAA 2a09:a441::ffff

 bvm-korobi.public            3600 IN CNAME bvm-korobi.as205479.net.
 bvm-korobi                   3600 IN A     92.118.28.2
--- a/ops/nixos/rexxar/README.md
+++ b/ops/nixos/rexxar/README.md
@ -0,0 +1,11 @@
+<!--
+SPDX-FileCopyrightText: 2023 Luke Granger-Brown <depot@lukegb.com>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# rexxar.as205479.net
+
+Dedicated host running NixOS. 
+
+TODO(lukegb): all of this.
--- a/ops/nixos/rexxar/default.nix
+++ b/ops/nixos/rexxar/default.nix
@ -0,0 +1,215 @@
+# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, config, ... }:
+{
+  imports = [
+    ../lib/zfs.nix
+    ../lib/bgp.nix
+  ];
+
+  # Otherwise _this_ machine won't enumerate things properly.
+  boot.zfs.devNodes = "/dev/disk/by-id";
+
+  boot.initrd = {
+    availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+      "sr_mod"
+    ];
+  };
+  boot.kernelModules = [ "kvm-amd" ];
+  hardware.cpu.amd.updateMicrocode = true;
+  boot.kernelParams = [
+    "nomodeset"
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  services.zfs.rollbackOnBoot = {
+    enable = true;
+    snapshot = "zboot/local/root@blank";
+  };
+
+  fileSystems = let
+    zfs = device: {
+      device = device;
+      fsType = "zfs";
+    };
+  in {
+    "/" = zfs "zboot/local/root";
+    "/nix" = zfs "zboot/local/nix";
+    "/persist" = zfs "zboot/safe/persist";
+
+    "/store" = zfs "zu2/safe/store";
+    "/home" = (zfs "zu2/safe/home") // { neededForBoot = true; };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/ESP";
+      fsType = "vfat";
+    };
+    "/boot2" = {
+      device = "/dev/disk/by-label/ESP2";
+      fsType = "vfat";
+    };
+  };
+  boot.loader.systemd-boot.extraInstallCommands = ''
+    rsync -a /boot/ /boot2/
+  '';
+
+  nix.settings.max-jobs = lib.mkDefault 8;
+
+  # Networking!
+  networking = {
+    hostName = "rexxar";
+    domain = "as205479.net";
+    hostId = "b46c2ae9";
+    useNetworkd = true;
+  };
+  systemd.network = {
+    networks."10-enp9s0f0" = {
+      matchConfig.Name = "enp9s0f0";
+      networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
+    };
+    networks."10-enp9s0f1" = {
+      matchConfig.Name = "enp9s0f1";
+      networkConfig.VLAN = [ "vl-velox2" ];
+    };
+    netdevs."20-vl-velox1" = {
+      netdevConfig = {
+        Name = "vl-velox1";
+        Kind = "vlan";
+        MACAddress = "8C:1F:64:0B:6F:00";
+      };
+      vlanConfig = {
+        Id = 100;
+      };
+    };
+    networks."20-vl-velox1" = {
+      matchConfig.Name = "vl-velox1";
+      address = [
+        "195.74.55.21/31"
+        "2a03:ee40:8080:9:1::2/126"
+      ];
+      networkConfig.DNS = [
+        "2001:4860:4860::8888"
+        "2001:4860:4860::8844"
+        "8.8.8.8"
+        "8.8.4.4"
+        "1.1.1.1"
+      ];
+      networkConfig.DNSDefaultRoute = true;
+      routes = [{ routeConfig = {
+        Gateway = "195.74.55.20";
+      }; } { routeConfig = {
+        Gateway = "2a03:ee40:8080:9:1::1";
+      }; }];
+    };
+    netdevs."20-vl-velox2" = {
+      netdevConfig = {
+        Name = "vl-velox2";
+        Kind = "vlan";
+        MACAddress = "8C:1F:64:0B:6F:01";
+      };
+      vlanConfig = {
+        Id = 100;
+      };
+    };
+    networks."20-vl-velox2" = {
+      matchConfig.Name = "vl-velox2";
+      address = [
+        "195.74.55.23/31"
+        "2a03:ee40:8080:9:2::2/126"
+      ];
+      networkConfig.DNS = [
+        "2001:4860:4860::8888"
+        "2001:4860:4860::8844"
+        "8.8.8.8"
+        "8.8.4.4"
+        "1.1.1.1"
+      ];
+      networkConfig.DNSDefaultRoute = true;
+      routes = [{ routeConfig = {
+        Gateway = "195.74.55.22";
+      }; } { routeConfig = {
+        Gateway = "2a03:ee40:8080:9:2::1";
+      }; }];
+    };
+    netdevs."20-vl-linx" = {
+      netdevConfig = {
+        Name = "vl-linx";
+        Kind = "vlan";
+        MACAddress = "8C:1F:64:0B:6F:02";
+      };
+      vlanConfig = {
+        Id = 200;
+      };
+    };
+    networks."20-vl-linx" = {
+      matchConfig.Name = "vl-linx";
+      address = [
+        "195.66.224.58/21"
+        "2001:7f8:4::3:22a7:1/48"
+      ];
+      networkConfig = {
+        IPv6LinkLocalAddressGenerationMode = "eui64";
+        LLMNR = false;
+        MulticastDNS = false;
+        IPv6AcceptRA = false;
+        IPv4ProxyARP = false;
+        IPv6ProxyNDP = false;
+        IPv6SendRA = false;
+      };
+    };
+  };
+  my.ip.tailscale = "100.97.110.48";
+  my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
+  #my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
+
+  services.openssh.hostKeys = [
+    {
+      path = "/persist/etc/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+    {
+      path = "/persist/etc/ssh/ssh_host_rsa_key";
+      type = "rsa";
+      bits = 4096;
+    }
+  ];
+
+  systemd.mounts = let
+    bindMount' = dir: {
+      unitConfig.RequiresMountsFor = dir;
+      options = "bind";
+      what = "/persist${dir}";
+      where = dir;
+    };
+    bindMountSvc = dir: svc: (bindMount' dir) // {
+      requiredBy = [svc];
+      before = [svc];
+      wantedBy = ["multi-user.target"];
+    };
+    bindMountSvcDynamic = dir: svc: (bindMount' "/var/lib/private/${dir}") // {
+      requiredBy = [svc];
+      before = [svc];
+      wantedBy = ["multi-user.target"];
+    };
+    bindMount = dir: (bindMount' dir) // {
+      wantedBy = ["multi-user.target"];
+    };
+  in [
+    (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
+    (bindMountSvc "/var/lib/libvirt" "libvirt.service")
+  ];
+
+  system.stateVersion = "24.05";
+}
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -88,4 +88,5 @@
  my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
  my.servers.blade-tuvok.apps = [ "fup" ];
  my.servers.bvm-netbox.apps = [ "netbox" ];
+  my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" ];
 }