diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index d94f7793f9..3c882dfb67 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@@ -50,6 +50,7 @@ let
 "kerrigan"
 "cofractal-ams01"
 "laputa"
+ "rexxar"
 ];
 rebuilder = system: (import ./lib/rebuilder.nix (args // { system = system; }));
 systemCfgs = lib.genAttrs systems
diff --git a/ops/nixos/installcd/default.nix b/ops/nixos/installcd/default.nix
index 2d4031bdde..825653c9a4 100644
--- a/ops/nixos/installcd/default.nix
+++ b/ops/nixos/installcd/default.nix
@@ -13,7 +13,7 @@ in {
 isoImage.isoName = lib.mkForce "nixos-${depot.version}-${pkgs.stdenv.hostPlatform.system}.iso";
 isoImage.storeContents = [
- depot.ops.nixos.systems.nausicaa
+ depot.ops.nixos.systems.rexxar
 ];
 system.disableInstallerTools = false;
diff --git a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
index e7851318f9..9b6998d7ce 100644
--- a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
+++ b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa
@@ -21,5 +21,4 @@ $INCLUDE tmpl.ns
 3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR lukegb01.ring.nlnog.net.
 4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR alps22tag.quadv.com.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR gw.public.as205479.net.
-e.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-paris.public.as205479.net.
-f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-tuvok.public.as205479.net.
+f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR rexxar.public.as205479.net.
diff --git a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
index 35606e0a70..f6b53acee7 100644
--- a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
+++ b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa
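Review bot: No SOA serial change is visible for this reverse zone, whereas `db.as205479.net` in the same commit bumps its serial from 57 to 58; if `db.1.4.4.a.9.0.a.2.ip6.arpa` carries its own hand-maintained SOA (it sits above this hunk, so this is inferred), it needs the same bump or secondaries will keep serving the blade-tuvok/blade-paris PTRs past their refresh. The same applies to the `db.28.118.92.in-addr.arpa` hunk that follows. Dropping the `e.f.f.f…` (2a09:a441::fffe) PTR outright while its v4 twin 253 gets a generic `92-118-28-253.ptr` record is presumably deliberate since the v6 zone has no generic naming scheme; a `; ::fffe currently unassigned` comment in its place would record that the address is reserved rather than forgotten.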
@@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
 250 600 IN PTR 92-118-28-250.ptr.as205479.net.
 251 600 IN PTR 92-118-28-251.ptr.as205479.net.
 252 600 IN PTR wg-gw.public.as205479.net.
-253 600 IN PTR blade-paris.public.as205479.net.
-254 600 IN PTR blade-tuvok.public.as205479.net.
+253 600 IN PTR 92-118-28-253.ptr.as205479.net.
+254 600 IN PTR rexxar.public.as205479.net.
 255 600 IN PTR 92-118-28-255.ptr.as205479.net.
diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net
index dac62c8b5f..9a26c8947f 100644
--- a/ops/nixos/lib/coredns/zones/db.as205479.net
+++ b/ops/nixos/lib/coredns/zones/db.as205479.net
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 57 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 58 600 450 3600 300
 ; NB: this are also glue records in Google Domains.
 $INCLUDE tmpl.ns
@@ -70,22 +70,16 @@ cofractal-ams01 3600 IN AAAA 2a09:a446:1337:ffff::10
 cofractal-ams01.int 3600 IN A 100.83.36.130
 cofractal-ams01.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6253:2482
-blade-tuvok 3600 IN A 195.74.55.21
-blade-tuvok 3600 IN AAAA 2a03:ee40:8080:9:1::2
-blade-tuvok.int 3600 IN A 100.119.123.33
-blade-tuvok.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6277:7b21
-
-blade-paris 3600 IN A 195.74.55.23
-blade-paris 3600 IN AAAA 2a03:ee40:8080:9:2::2
-blade-paris.int 3600 IN A 100.81.131.61
-blade-paris.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6251:833d
-
-blade-torres.int 3600 IN A 100.92.118.36
-blade-torres.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:625c:7624
-blade-kim.int 3600 IN A 100.84.36.62
-blade-janeway.int 3600 IN A 100.121.116.85
-blade-janeway.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6279:7455
-blade-chakotay.int 3600 IN A 100.121.11.7
+rexxar 3600 IN A 195.74.55.21
+rexxar 3600 IN AAAA 2a03:ee40:8080:9:1::2
+velox1.rexxar 3600 IN A 195.74.55.21
+velox1.rexxar 3600 IN AAAA 2a03:ee40:8080:9:1::2
+rexxar 3600 IN A 195.74.55.23
+rexxar 3600 IN AAAA 2a03:ee40:8080:9:2::2
+velox2.rexxar 3600 IN A 195.74.55.23
+velox2.rexxar 3600 IN AAAA 2a03:ee40:8080:9:2::2
+rexxar.int 3600 IN A 100.97.110.48
+rexxar.int 3600 IN AAAA fd7a:115c:a1e0::3a01:6e30
 bvm-nixosmgmt.int 3600 IN A 100.65.226.19
 bvm-nixosmgmt.int 3600 IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6241:e213
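Review bot: The bare `rexxar` label now carries two A records (195.74.55.21 and 195.74.55.23) and two AAAA records, i.e. both point-to-point transit addresses, so anything resolving `rexxar.as205479.net` is round-robined onto whichever upstream link it happens to get and fails when that link is down, even though `velox1.rexxar` and `velox2.rexxar` already name the links individually. If a link-independent address exists for this host — `rexxar.public` at 92.118.28.254 / 2a09:a441::ffff is added further down this file — pointing the bare label at that single pair, `rexxar 3600 IN A 92.118.28.254` / `rexxar 3600 IN AAAA 2a09:a441::ffff`, and leaving the per-link names on the velox records would make the host name independent of transit state. Whether that address is actually bound on the host is not visible in this hunk.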
@@ -146,36 +140,6 @@ mldn-rd 3600 IN AAAA 2a09:a443::1
 eduroam.mldn-rd 3600 IN A 92.118.30.253
 eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1
-; blade internal
-blade-oa.blade 3600 IN A 10.100.1.200
-blade-vcenet1.blade 3600 IN A 10.100.1.201
-blade-vcenet2.blade 3600 IN A 10.100.1.202
-blade-vcm.blade 3600 IN A 10.100.1.203
-
-blade-kim.blade 3600 IN A 10.100.0.101
-blade-kim-ilo.blade 3600 IN A 10.100.1.101
-blade-kim.storage.blade 3600 IN A 10.100.2.101
-
-blade-paris.blade 3600 IN A 10.100.0.102
-blade-paris-ilo.blade 3600 IN A 10.100.1.102
-blade-paris.storage.blade 3600 IN A 10.100.2.102
-
-blade-janeway.blade 3600 IN A 10.100.0.103
-blade-janeway-ilo.blade 3600 IN A 10.100.1.103
-blade-janeway.storage.blade 3600 IN A 10.100.2.103
-
-blade-chakotay.blade 3600 IN A 10.100.0.105
-blade-chakotay-ilo.blade 3600 IN A 10.100.1.105
-blade-chakotay.storage.blade 3600 IN A 10.100.2.105
-
-blade-tuvok.blade 3600 IN A 10.100.0.106
-blade-tuvok-ilo.blade 3600 IN A 10.100.1.106
-blade-tuvok.storage.blade 3600 IN A 10.100.2.106
-
-blade-torres.blade 3600 IN A 10.100.0.108
-blade-torres-ilo.blade 3600 IN A 10.100.1.108
-blade-torres.storage.blade 3600 IN A 10.100.2.108
-
 bvm-nixosmgmt.blade 3600 IN A 10.100.0.200
 bvm-twitterchiver.blade 3600 IN A 10.100.0.201
 bvm-prosody.blade 3600 IN A 10.100.0.202
@@ -190,23 +154,14 @@ bvm-logger.blade 3600 IN A 10.100.0.209
 bvm-paperless.blade 3600 IN A 10.100.0.211
 ; services
-; ceph-mon: blade-tuvok, blade-janeway, blade-paris
-ceph-mon.storage.blade 60 IN A 10.100.2.106
-ceph-mon.storage.blade 60 IN A 10.100.2.103
-ceph-mon.storage.blade 60 IN A 10.100.2.102
-_ceph-mon._tcp.storage.blade 60 IN SRV 10 10 6789 blade-tuvok.storage.blade.as205479.net.
-_ceph-mon._tcp.storage.blade 60 IN SRV 10 10 6789 blade-janeway.storage.blade.as205479.net.
-_ceph-mon._tcp.storage.blade 60 IN SRV 10 10 6789 blade-paris.storage.blade.as205479.net.
 ; public
 gw.public 3600 IN A 92.118.28.1
 gw.public 3600 IN AAAA 2a09:a441::1
 wg-gw.public 3600 IN A 92.118.28.252
 wg-gw.public 3600 IN AAAA 2a09:a441::f00f
-blade-tuvok.public 3600 IN A 92.118.28.254
-blade-tuvok.public 3600 IN AAAA 2a09:a441::ffff
-blade-paris.public 3600 IN A 92.118.28.253
-blade-paris.public 3600 IN AAAA 2a09:a441::fffe
+rexxar.public 3600 IN A 92.118.28.254
+rexxar.public 3600 IN AAAA 2a09:a441::ffff
 bvm-korobi.public 3600 IN CNAME bvm-korobi.as205479.net.
 bvm-korobi 3600 IN A 92.118.28.2
diff --git a/ops/nixos/rexxar/README.md b/ops/nixos/rexxar/README.md
new file mode 100644
index 0000000000..76cb0a0e76
--- /dev/null
+++ b/ops/nixos/rexxar/README.md
@@ -0,0 +1,11 @@
+ + # rexxar.as205479.net
+ Dedicated host running NixOS.
+ TODO(lukegb): all of this.
diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix
new file mode 100644
index 0000000000..3c5822f047
--- /dev/null
+++ b/ops/nixos/rexxar/default.nix
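Review bot: `rexxar.public` is pointed at 92.118.28.254 / 2a09:a441::ffff, but `ops/nixos/rexxar/default.nix` in this commit assigns only the two velox /31s and the LINX address; presumably `../lib/bgp.nix` originates those prefixes and binds these addresses to a loopback, which cannot be confirmed from the diff. Worth checking before this lands, since both reverse zones already map these addresses to the new name and the host would otherwise have a forward/reverse pair for an address it does not hold. Removing the whole `ceph-mon.storage.blade` A/SRV set is fine only if none of the surviving `bvm-*.blade` hosts still mount Ceph through that name; if any does, a resolver failure rather than a clean decommission is what they will see.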
@@ -0,0 +1,215 @@
+# SPDX-FileCopyrightText: 2024 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, config, ... }:
+{
+ imports = [
+ ../lib/zfs.nix
+ ../lib/bgp.nix
+ ];
+
+ # Otherwise _this_ machine won't enumerate things properly.
+ boot.zfs.devNodes = "/dev/disk/by-id";
+
+ boot.initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ "sr_mod"
+ ];
+ };
+ boot.kernelModules = [ "kvm-amd" ];
+ hardware.cpu.amd.updateMicrocode = true;
+ boot.kernelParams = [
+ "nomodeset"
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+ services.zfs.rollbackOnBoot = {
+ enable = true;
+ snapshot = "zboot/local/root@blank";
+ };
+
+ fileSystems = let
+ zfs = device: {
+ device = device;
+ fsType = "zfs";
+ };
+ in {
+ "/" = zfs "zboot/local/root";
+ "/nix" = zfs "zboot/local/nix";
+ "/persist" = zfs "zboot/safe/persist";
+
+ "/store" = zfs "zu2/safe/store";
+ "/home" = (zfs "zu2/safe/home") // { neededForBoot = true; };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/ESP";
+ fsType = "vfat";
+ };
+ "/boot2" = {
+ device = "/dev/disk/by-label/ESP2";
+ fsType = "vfat";
+ };
+ };
+ boot.loader.systemd-boot.extraInstallCommands = ''
+ rsync -a /boot/ /boot2/
+ '';
+
+ nix.settings.max-jobs = lib.mkDefault 8;
+
+ # Networking!
+ networking = {
+ hostName = "rexxar";
+ domain = "as205479.net";
+ hostId = "b46c2ae9";
+ useNetworkd = true;
+ };
+ systemd.network = {
+ networks."10-enp9s0f0" = {
+ matchConfig.Name = "enp9s0f0";
+ networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
+ };
+ networks."10-enp9s0f1" = {
+ matchConfig.Name = "enp9s0f1";
+ networkConfig.VLAN = [ "vl-velox2" ];
+ };
+ netdevs."20-vl-velox1" = {
+ netdevConfig = {
+ Name = "vl-velox1";
+ Kind = "vlan";
+ MACAddress = "8C:1F:64:0B:6F:00";
+ };
+ vlanConfig = {
+ Id = 100;
+ };
+ };
+ networks."20-vl-velox1" = {
+ matchConfig.Name = "vl-velox1";
+ address = [
+ "195.74.55.21/31"
+ "2a03:ee40:8080:9:1::2/126"
+ ];
+ networkConfig.DNS = [
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+ "8.8.8.8"
+ "8.8.4.4"
+ "1.1.1.1"
+ ];
+ networkConfig.DNSDefaultRoute = true;
+ routes = [{ routeConfig = {
+ Gateway = "195.74.55.20";
+ }; } { routeConfig = {
+ Gateway = "2a03:ee40:8080:9:1::1";
+ }; }];
+ };
+ netdevs."20-vl-velox2" = {
+ netdevConfig = {
+ Name = "vl-velox2";
+ Kind = "vlan";
+ MACAddress = "8C:1F:64:0B:6F:01";
+ };
+ vlanConfig = {
+ Id = 100;
+ };
+ };
+ networks."20-vl-velox2" = {
+ matchConfig.Name = "vl-velox2";
+ address = [
+ "195.74.55.23/31"
+ "2a03:ee40:8080:9:2::2/126"
+ ];
+ networkConfig.DNS = [
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+ "8.8.8.8"
+ "8.8.4.4"
+ "1.1.1.1"
+ ];
+ networkConfig.DNSDefaultRoute = true;
+ routes = [{ routeConfig = {
+ Gateway = "195.74.55.22";
+ }; } { routeConfig = {
+ Gateway = "2a03:ee40:8080:9:2::1";
+ }; }];
+ };
+ netdevs."20-vl-linx" = {
+ netdevConfig = {
+ Name = "vl-linx";
+ Kind = "vlan";
+ MACAddress = "8C:1F:64:0B:6F:02";
+ };
+ vlanConfig = {
+ Id = 200;
+ };
+ };
+ networks."20-vl-linx" = {
+ matchConfig.Name = "vl-linx";
+ address = [
+ "195.66.224.58/21"
+ "2001:7f8:4::3:22a7:1/48"
+ ];
+ networkConfig = {
+ IPv6LinkLocalAddressGenerationMode = "eui64";
+ LLMNR = false;
+ MulticastDNS = false;
+ IPv6AcceptRA = false;
+ IPv4ProxyARP = false;
+ IPv6ProxyNDP = false;
+ IPv6SendRA = false;
+ };
+ };
+ };
+ my.ip.tailscale = "100.97.110.48";
+ my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
+ #my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
+
+ services.openssh.hostKeys = [
+ {
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+
+ systemd.mounts = let
+ bindMount' = dir: {
+ unitConfig.RequiresMountsFor = dir;
+ options = "bind";
+ what = "/persist${dir}";
+ where = dir;
+ };
+ bindMountSvc = dir: svc: (bindMount' dir) // {
+ requiredBy = [svc];
+ before = [svc];
+ wantedBy = ["multi-user.target"];
+ };
+ bindMountSvcDynamic = dir: svc: (bindMount' "/var/lib/private/${dir}") // {
+ requiredBy = [svc];
+ before = [svc];
+ wantedBy = ["multi-user.target"];
+ };
+ bindMount = dir: (bindMount' dir) // {
+ wantedBy = ["multi-user.target"];
+ };
+ in [
+ (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
+ (bindMountSvc "/var/lib/libvirt" "libvirt.service")
+ ];
+
+ system.stateVersion = "24.05";
+}
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index a95dbc72f4..6552056fcc 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -88,4 +88,5 @@
 my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
 my.servers.blade-tuvok.apps = [ "fup" ];
 my.servers.bvm-netbox.apps = [ "netbox" ];
+ my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" ];
 }
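Review bot: The two transit networks `networks."20-vl-velox1"` and `networks."20-vl-velox2"` get none of the hardening that `networks."20-vl-linx"` has: with static addresses and static gateways there is no reason to accept router advertisements or answer LLMNR/mDNS on the upstream links, and an unsolicited RA on either VLAN could install a default route or address on this BGP edge host. Adding `networkConfig.IPv6AcceptRA = false;`, `networkConfig.LLMNR = false;` and `networkConfig.MulticastDNS = false;` to both velox network blocks brings them in line with the LINX one. Separately, `(bindMountSvc "/var/lib/libvirt" "libvirt.service")` names a unit that does not match the NixOS libvirt daemon unit name I know of (`libvirtd.service`); nothing in this file enables libvirt, so confirm the unit name against whatever does, otherwise the `requiredBy`/`before` ordering is inert and the daemon can start before its state directory is bind-mounted from `/persist`. `bindMountSvcDynamic` and `bindMount` are defined in the same `let` but never used; either drop them or note what they are reserved for.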
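Review bot: The context line `my.servers.blade-tuvok.apps = [ "fup" ];` survives this hunk while the same commit deletes every DNS record for blade-tuvok and hands its addresses to rexxar; if `my.servers.*` drives Vault roles or policies (inferred from the file's location, not visible here), an entry stays issuable for a host identity that no longer exists, and `"fup"` has no home on rexxar's list. Either remove the blade-tuvok line here or carry `"fup"` over into `my.servers.rexxar.apps` in the same change so the cut-over is atomic. Also, this commit makes rexxar the IXP-facing edge (`vl-linx`), so listing `"gitlab-runner"` here means CI jobs execute on the router; confirming that the runner's executor is isolated from the host before granting it Vault-issued credentials would be worth a comment on this line.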