depot/ops/nixos/lib/blade.nix
Luke Granger-Brown fee02312d3 blade-tuvok: move public interface off a VLAN
Previously, the public/internal interfaces were VLANned onto the same NIC. For
some reason, sometimes the Emulex adapters seem to end up not getting configured
properly, which causes me no end of pain when I spend time trying to debug why
none of my VMs can see the internet anymore.

Instead of doing this, put the public interface onto its own actual virtual
network interface.
2021-12-17 00:27:24 +00:00


# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
in {
# Shared ZFS setup for the blades (the datasets mounted below live on the `tank` pool).
imports = [ ../lib/zfs.nix ];
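# Per-blade identity: the chassis bay and the MACs of the physical NICs.
options.my.blade = let
  # These values are spliced verbatim into udev rules (services.udev.extraRules
  # below), so only accept a well-formed colon-separated MAC. sysfs reports
  # addresses in lowercase, which is the form the udev match compares against.
  macAddress = lib.types.strMatching "[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}";
in {
  bay = lib.mkOption {
    type = lib.types.int;
    description = "Chassis bay number; the last octet of the mgmt and storage addresses is 100 + bay.";
  };
  macAddress.internal = lib.mkOption {
    type = macAddress;
    description = "MAC of the NIC renamed to en-int (management bridge br-mgmt; also carries public VLAN 100 when macAddress.public is unset).";
  };
  macAddress.storage = lib.mkOption {
    # No default: every host has to state explicitly whether it has a storage NIC (null allowed).
    type = lib.types.nullOr macAddress;
    description = "MAC of the NIC renamed to en-storage (Ceph network), or null.";
  };
  macAddress.internet = lib.mkOption {
    type = lib.types.nullOr macAddress;
    default = null;
    description = "MAC of the NIC renamed to en-internet; when set, this blade also NATs br-mgmt out to the internet.";
  };
  macAddress.public = lib.mkOption {
    type = lib.types.nullOr macAddress;
    default = null;
    description = "MAC of a dedicated NIC for the public network (renamed en-public). When null the public network is VLAN 100 on en-int instead.";
  };
};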
config = {
# Disk, USB and Emulex iSCSI drivers needed in the initrd; order is kept as-is.
boot.initrd.availableKernelModules = [
  "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "uhci_hcd"
  "be2iscsi" "usb_storage" "usbhid" "sd_mod" "sr_mod"
];
# KVM on AMD plus the IPMI/ACPI power interfaces of the chassis.
boot.kernelModules = [ "kvm-amd" "acpi_power_meter" "acpi_ipmi" "ipmi_si" ];
# GRUB on both the VGA console and the first serial port.
# NOTE(review): nothing in this file password-protects the GRUB menu, so whoever
# can reach the serial console (presumably via the BMC) has console-level control.
boot.loader.grub.extraConfig = lib.concatStringsSep "\n" [
  "serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
  "terminal_input console serial"
  "terminal_output console serial"
] + "\n";
boot.kernelParams = [
  # Kernel console on the VGA text console and the serial port; the last
  # console= entry (ttyS0) becomes /dev/console.
  "console=tty1"
  "console=ttyS0,115200"
  # NOTE(review): disables all CPU speculative-execution mitigations host-wide.
  # This host runs libvirt/QEMU guests, so guests lose the kernel's protection
  # against leaking host (and other guests') memory through side channels. A
  # deliberate performance trade-off, but worth re-checking for any guest that
  # is not fully trusted.
  "mitigations=off"
];
# Tag this host as a blade for the Rundeck inventory (my.rundeck is presumably defined elsewhere in depot).
my.rundeck.tags = lib.singleton "blade";
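# Mount layout: ZFS datasets on `tank`, ext4 /boot, RAM-backed log/cache, and an
# optional dedicated XFS volume for Ceph state.
fileSystems = let
  zfs = dataset: { device = dataset; fsType = "zfs"; };
  # RAM-backed mount of the given size; mode=755 keeps the top level writable by root only.
  tmpfs = size: {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=${size}" "mode=755" ];
  };
  # Fix: the original condition tested mgr.enable twice. mgr.enable is tied to
  # mon.enable further down, so this is effectively "mon or osd".
  # NOTE(review): mds and rgw (rgw is enabled unconditionally below) do not
  # trigger the dedicated volume - confirm they are fine on the ZFS /var.
  needsCephVolume = with config.services.ceph; osd.enable || mgr.enable || mon.enable;
in {
  "/" = zfs "tank/local/root";
  "/tmp" = zfs "tank/local/tmp";
  "/nix" = zfs "tank/local/nix";
  "/var" = zfs "tank/safe/var";
  "/home" = zfs "tank/safe/home";
  "/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "ext4";
  };
  # Logs and caches live in RAM (the local disk is slow); nothing under /var/log
  # survives a reboot, see also the journald settings below.
  "/var/log" = tmpfs "2G";
  "/var/cache" = tmpfs "16G";
} // lib.optionalAttrs needsCephVolume {
  # Ceph daemon state goes on its own XFS volume rather than the ZFS /var.
  "/var/lib/ceph" = {
    device = "/dev/disk/by-label/var-lib-ceph";
    fsType = "xfs";
  };
};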
# GRUB 2 is the bootloader (serial/console settings are in extraConfig above).
# NOTE(review): later NixOS releases deprecated `boot.loader.grub.version`; fine for stateVersion 21.05.
boot.loader.grub = {
  enable = true;
  version = 2;
};
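# Networking: br-mgmt carries the management/VM network on en-int, br-public the
# public network (a dedicated NIC, or VLAN 100 trunked on en-int when no public
# MAC is configured), and en-storage the Ceph network.
networking = let
  blade = config.my.blade;
  # Host address on each internal network is derived from the chassis bay.
  bayHost = prefix: "${prefix}.${toString (100 + blade.bay)}";
  # Without a dedicated public NIC the public network is VLAN 100 on en-int,
  # i.e. it shares a physical port with the management network; a dedicated
  # NIC (macAddress.public) avoids that and the flaky VLAN setup.
  usePublicVlan = blade.macAddress.public == null;
  publicIface = if usePublicVlan then "vl-int-public" else "en-public";
  bridge = members: { interfaces = lib.mkDefault members; rstp = false; };
in {
  domain = "blade.as205479.net";
  nameservers = [ "8.8.8.8" "8.8.4.4" ];
  search = lib.mkBefore [
    "blade.as205479.net"
    "storage.blade.as205479.net"
  ];
  useDHCP = false;
  bridges = {
    br-mgmt = bridge [ "en-int" ];
    br-public = bridge [ publicIface ];
  };
  # Idiom: lib.optionalAttrs instead of `{} // (if … then … else {})`.
  vlans = lib.optionalAttrs usePublicVlan {
    vl-int-public = {
      id = 100;
      interface = "en-int";
    };
  };
  interfaces.br-mgmt.ipv4.addresses = lib.mkBefore [{
    address = bayHost "10.100.0";
    prefixLength = 23;
  }];
  interfaces.en-storage.ipv4.addresses = lib.mkBefore [{
    address = bayHost "10.100.2";
    prefixLength = 24;
  }];
  defaultGateway = lib.mkDefault "10.100.0.1";
  firewall = {
    # Tailscale's WireGuard port, open on every interface.
    allowedUDPPorts = [ 41641 ];
    # Ceph mon (6789/3300) and daemon (6800-7300) ports, storage NIC only.
    interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
    interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
    # Trust everything arriving from the storage and management networks.
    # NOTE(review): the storage accept is /23 although en-storage and the Ceph
    # publicNetwork are /24, so it also admits 10.100.3.0/24 - confirm that is
    # intended. The mgmt accept lets any guest bridged onto br-mgmt reach every
    # host port. Both rules are IPv4-only (no IPv6 addressing is configured
    # here) and make the explicit en-storage port lists above largely redundant.
    extraCommands = ''
      iptables -A nixos-fw -i en-storage -s 10.100.2.0/23 -j ACCEPT
      iptables -A nixos-fw -i br-mgmt -s 10.100.0.0/23 -j ACCEPT
    '';
  };
  # Guests on br-mgmt are NATed out via the transit VLAN when this blade has an
  # internet NIC. vl-transit is not defined in this file (the internet NIC is
  # only renamed to en-internet by the udev rules below) - presumably the host
  # config adds that VLAN.
  nat = lib.optionalAttrs (blade.macAddress.internet != null) {
    enable = true;
    internalInterfaces = [ "br-mgmt" ];
    externalInterface = "vl-transit";
    externalIP = "92.118.28.1";
  };
};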
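# Pin stable interface names to the physical NICs by MAC address.
# Fix: the original rules matched on ATTR{address} alone, which also matches
# virtual devices that inherit a NIC's MAC - e.g. the vl-int-public VLAN child
# of en-int configured above. Restricting the match to net devices being added
# that have a bound driver (DRIVERS=="?*") limits the rename to physical NICs.
services.udev.extraRules = let
  inherit (config.my.blade) macAddress;
  # One rule per NIC; emits nothing when the MAC is null (optional NICs).
  rename = name: mac:
    lib.optionalString (mac != null) ''
      SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="${mac}", NAME="${name}"
    '';
in
  rename "en-int" macAddress.internal
  + rename "en-storage" macAddress.storage
  + rename "en-internet" macAddress.internet
  + rename "en-public" macAddress.public;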
# Podman is available on the host (nothing else in this file depends on it).
virtualisation.podman.enable = true;
# Ceph CLI and XFS tools (the optional /var/lib/ceph volume is XFS) on the host PATH.
environment.systemPackages = with pkgs; [ ceph xfsprogs ];
# Ceph cluster membership shared by every blade. Both Ceph networks are the
# storage network, so all Ceph traffic stays on en-storage.
# NOTE(review): the cluster fsid and mon addresses are hard-coded here; cephx
# settings are not visible in this file, so the Ceph defaults are assumed.
services.ceph = let
  inherit (config.networking) hostName;
  cephCfg = config.services.ceph;
in {
  enable = true;
  global = {
    fsid = "521a59a5-a597-4432-b248-1ecd3c76ca4c";
    monHost = "10.100.2.103, 10.100.2.106, 10.100.2.102";
    monInitialMembers = "blade-janeway, blade-tuvok, blade-paris";
    publicNetwork = "10.100.2.0/24";
    clusterNetwork = "10.100.2.0/24";
  };
  extraConfig = {
    # RGW answers for this public name; its listener is not firewalled
    # explicitly in this file - confirm where it is meant to be reachable.
    rgw_dns_name = "objdump.zxcvbnm.ninja";
    rgw_data_log_backing = "omap";
    rgw_default_data_log_backing = "omap";
  };
  # Daemons are named after this host. Which daemon types actually run is a
  # per-host decision, except that rgw is always on and mgr follows mon.
  mon.daemons = [ hostName ];
  mds.daemons = [ hostName ];
  rgw = {
    enable = true;
    daemons = [ hostName ];
  };
  mgr = {
    enable = cephCfg.mon.enable;
    daemons = [ hostName ];
  };
};
# Activate every ceph-volume LVM OSD on this host before the OSD target starts
# (--no-systemd keeps ceph-volume from managing units itself). Only present on
# blades that run OSDs.
# NOTE(review): the ordering before network-online.target is not explained here
# - confirm before changing it.
systemd.services.ceph-osd-lvm-activate = lib.mkIf config.services.ceph.osd.enable {
  enable = true;
  description = "Ceph OSD pre-start";
  wantedBy = [ "ceph-osd.target" ];
  before = [ "network-online.target" "ceph-osd.target" ];
  path = with pkgs; [ lvm2.bin util-linux coreutils ];
  serviceConfig.Type = "oneshot";
  serviceConfig.ExecStart = "${pkgs.ceph.out}/bin/ceph-volume lvm activate --all --no-systemd";
};
# libvirt/QEMU with Ceph (RBD) and iSCSI storage support for guest disks.
virtualisation.libvirtd = {
  enable = true;
  # NOTE(review): runAsRoot runs every QEMU guest process as root, so a guest
  # escape is immediately host root - and mitigations=off above weakens the
  # side-channel story too. Setting this to false runs guests as the
  # unprivileged qemu-libvirtd user, if the Ceph/iSCSI disk access permits it.
  qemu.runAsRoot = true;
  qemu.package = pkgs.qemu_full;
  package = pkgs.libvirt.override { enableCeph = true; enableIscsi = true; };
};
security.polkit.enable = true;
# libvirtd group membership gives full control of libvirt; on a host where
# guests run as root (qemu.runAsRoot above) treat it as root-equivalent.
users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
# The local disk is slow, so keep the journal in memory only. Together with the
# tmpfs /var/log above, no log survives a reboot and nothing in this file ships
# logs elsewhere - after a crash or reboot there is nothing left to investigate.
services.journald.extraConfig = "Storage=volatile\n";
# No core dumps at all: avoids spilling guest/daemon memory to disk, at the
# cost of crash forensics.
systemd.coredump.extraConfig = lib.concatStringsSep "\n" [
  "Storage=none"
  "ProcessSizeMax=0"
] + "\n";
system.stateVersion = "21.05";
};
}