From 8656a52afe62ace270b819245ac0481638880e58 Mon Sep 17 00:00:00 2001
From: Elias Coppens
Date: Sat, 21 Dec 2024 23:38:36 +0100
Subject: [PATCH] feat(tower01): Init
---
 .forgejo/workflows/eval-nodes.yaml | 11 ++
 keys/default.nix | 1 +
 machines/nixos/tower01/_configuration.nix | 17 +++
 .../nixos/tower01/_hardware-configuration.nix | 120 ++++++++++++++++++
 machines/nixos/tower01/secrets/secrets.nix | 7 +
 meta/network.nix | 23 ++++
 meta/nodes/nixos.nix | 15 +++
 7 files changed, 194 insertions(+)
 create mode 100644 machines/nixos/tower01/_configuration.nix
 create mode 100644 machines/nixos/tower01/_hardware-configuration.nix
 create mode 100644 machines/nixos/tower01/secrets/secrets.nix
diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index a01b75e..452517e 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -120,6 +120,17 @@ jobs:
 STORE_USER: admin
 name: Build and cache storage01
 run: nix-shell -A eval-nodes --run cache-node
+ tower01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: tower01
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache tower01
+ run: nix-shell -A eval-nodes --run cache-node
 vault01:
 runs-on: nix
 steps:
diff --git a/keys/default.nix b/keys/default.nix
index f542c0e..2db0640 100644
--- a/keys/default.nix
+++ b/keys/default.nix
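Review bot: The new `tower01` job references `actions/checkout@v3` by a mutable tag, so the action that runs with `STORE_PASSWORD` in its environment can change upstream without any commit in this repository; pinning it to a full commit SHA (`- uses: actions/checkout@<commit-sha>  # v3`, with the SHA taken from the action's release) keeps the supply chain auditable. The job is otherwise a verbatim copy of the storage01 block with the node name substituted, so a `strategy.matrix` over the node names would keep the per-node copies from drifting apart. The existing jobs appear to follow the same pattern, so both points are probably best addressed for the whole workflow rather than in this hunk alone.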
@@ -32,6 +32,7 @@ rec {
 ];
 rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
 storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+ tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
 vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
 web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
 web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
diff --git a/machines/nixos/tower01/_configuration.nix b/machines/nixos/tower01/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/tower01/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [ ];
+
+ enabledServices = [ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/tower01/_hardware-configuration.nix b/machines/nixos/tower01/_hardware-configuration.nix
new file mode 100644
index 0000000..652f85b
--- /dev/null
+++ b/machines/nixos/tower01/_hardware-configuration.nix
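Review bot: The new `_configuration.nix` says nothing about what tower01 is, and with `enabledModules` and `enabledServices` both empty the only hint left is `services.netbird.enable = true`. A short header comment naming the machine's role and why netbird is switched on before any service exists would help the next reader, e.g. `# tower01 (site oik01): <role placeholder>; netbird is enabled first so admins can reach the host before services land`. The site name comes from the `meta/nodes/nixos.nix` hunk in this same commit; the role is for the author to fill in.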
@@ -0,0 +1,120 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "mpt3sas"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ kernelModules = [ ];
+
+ luks.devices = {
+ rootfs01 = {
+ device = "/dev/disk/by-label/rootfs01";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ rootfs02 = {
+ device = "/dev/disk/by-label/rootfs02";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0101 = {
+ device = "/dev/disk/by-label/slow0101";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0102 = {
+ device = "/dev/disk/by-label/slow0102";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0201 = {
+ device = "/dev/disk/by-label/slow0201";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0202 = {
+ device = "/dev/disk/by-label/slow0202";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0301 = {
+ device = "/dev/disk/by-label/slow0301";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ slow0302 = {
+ device = "/dev/disk/by-label/slow0302";
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ };
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "rootfs";
+ fsType = "zfs";
+ };
+
+ # boot1 = boot partition (primary)
+ # boot2 = boot partition (backup)
+
+ "/boot1" = {
+ device = "/dev/disk/by-uuid/1965-5D59";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ "/boot2" = {
+ device = "/dev/disk/by-uuid/19C4-49E1";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ "/nix" = {
+ device = "rootfs/nix";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "rootfs/var";
+ fsType = "zfs";
+ };
+ };
+
+ swapDevices = [
+ {
device = "/dev/disk/by-uuid/7614fa12-c6a7-456e-9620-eb9c0e025140"; }
+ { device = "/dev/disk/by-uuid/eb0aef44-b264-4f94-b847-3ad5dcc19ffd"; }
+ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/tower01/secrets/secrets.nix b/machines/nixos/tower01/secrets/secrets.nix
new file mode 100644
index 0000000..cd9456c
--- /dev/null
+++ b/machines/nixos/tower01/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "tower01" ] [
+
+]
diff --git a/meta/network.nix b/meta/network.nix
index 26f0541..6980e44 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -189,6 +189,29 @@
 netbirdIp = "100.80.156.154";
 };
+ tower01 = {
+ interfaces = {
+ eno2 = {
+ ipv4 = [
+ {
+ address = "129.199.210.119";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "129.199.210.254" ];
+
+ dns = [
+ "129.199.96.11"
+ "129.199.72.99"
+ ];
+ };
+ };
+
+ hostId = "7874d06e";
+ netbirdIp = "100.80.185.124";
+ };
+
 vault01 = {
 interfaces = {
 vlan-uplink-cri = {
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index fb7d0f1..dea4288 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -182,6 +182,21 @@
 ];
 };
+ tower01 = {
+ site = "oik01";
+
+ hashedPassword = "$y$j9T$axihKDa.CrYcyoamJWxBq1$bl4TfropTrwLqMy6XK0DKkWRyx9b74kyI/ukE8X5iiD";
+
+ stateVersion = "24.11";
+
+ nixpkgs = {
+ version = "24.11";
+ system = "nixos";
+ };
+
+ admins = [ "ecoppens" ];
+ };
+
 vault01 = {
 site = "hyp01";
 deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
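Review bot: Every `luks.devices.*` entry in this hunk uses `keyFile = "/dev/zero"; keyFileSize = 1;`, so each of the eight volumes behind the `rootfs*` and `slow*` labels is unlocked by a single zero byte and the LUKS layer provides no confidentiality for the data on them. If that is deliberate (keeping the devices LUKS-formatted so they can be re-keyed later without a reformat), the intent should be stated right above the block, e.g. `# NOTE: placeholder key (one zero byte) — these volumes are effectively unencrypted until they are re-keyed`; if data on the pool is expected to be encrypted at rest, the key has to come from a real source (a passphrase, or a key file held outside the machine) before anything lands on it. Separately, the header comment claims the file was generated by nixos-generate-config and must not be modified, yet the `luks.devices` block and the `# boot1`/`# boot2` comments are clearly hand-written, so that notice should be removed or amended to say which parts are maintained by hand.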
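Review bot: The license tag on the third line of the new `secrets.nix` is misspelled as `SPDX-License-Identifer`, so REUSE/SPDX tooling will not recognise it and the file will be reported as unlicensed; it should read `# SPDX-License-Identifier: EUPL-1.2`, as `_configuration.nix` in the same commit spells it. The secrets list passed to `mkSecrets` is empty, which is fine for an initial commit, but a one-line comment such as `# no secrets declared yet` inside the brackets would make the empty list read as intentional rather than forgotten.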
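Review bot: `hashedPassword` for tower01 is committed as a literal yescrypt hash in the node table. A hash is not a secret in the strict sense, but if this repository is readable beyond the listed admins the hash is available for offline guessing and its protection then rests entirely on the passphrase's strength; the same commit creates `secrets/secrets.nix` for tower01, which would be the natural place to hold it and feed it through a file-based option such as `users.users.<name>.hashedPasswordFile`. I cannot see how the other nodes declare theirs from this hunk, so this may simply follow an existing convention that deserves a repo-wide look rather than a change here. Also, the context lines show vault01 carrying a `deployment.targetHost` while tower01 declares none; presumably it is derived from the site and network data elsewhere, which is worth confirming before the first deploy.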