From b8e75176e1fa9db2c58044068d4f19482f67fd0d Mon Sep 17 00:00:00 2001
From: Elias Coppens
Date: Tue, 17 Dec 2024 16:32:22 +0100
Subject: [PATCH] feat(hypervisors): Init
---
 .forgejo/workflows/eval-nodes.yaml | 33 ++++++++
 keys/default.nix | 9 +++
 .../nixos/hypervisor01/_configuration.nix | 17 ++++
 .../hypervisor01/_hardware-configuration.nix | 79 ++++++++++++++++++
 .../nixos/hypervisor01/secrets/secrets.nix | 7 ++
 .../nixos/hypervisor02/_configuration.nix | 17 ++++
 .../hypervisor02/_hardware-configuration.nix | 81 +++++++++++++++++++
 .../nixos/hypervisor02/secrets/secrets.nix | 7 ++
 .../nixos/hypervisor03/_configuration.nix | 17 ++++
 .../hypervisor03/_hardware-configuration.nix | 81 +++++++++++++++++++
 .../nixos/hypervisor03/secrets/secrets.nix | 7 ++
 meta/network.nix | 57 +++++++++++++
 meta/nodes/nixos.nix | 57 +++++++++++++
 meta/organization.nix | 4 +
 14 files changed, 473 insertions(+)
 create mode 100644 machines/nixos/hypervisor01/_configuration.nix
 create mode 100644 machines/nixos/hypervisor01/_hardware-configuration.nix
 create mode 100644 machines/nixos/hypervisor01/secrets/secrets.nix
 create mode 100644 machines/nixos/hypervisor02/_configuration.nix
 create mode 100644 machines/nixos/hypervisor02/_hardware-configuration.nix
 create mode 100644 machines/nixos/hypervisor02/secrets/secrets.nix
 create mode 100644 machines/nixos/hypervisor03/_configuration.nix
 create mode 100644 machines/nixos/hypervisor03/_hardware-configuration.nix
 create mode 100644 machines/nixos/hypervisor03/secrets/secrets.nix
diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 3923765..a01b75e 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -54,6 +54,39 @@ jobs:
 STORE_USER: admin
 name: Build and cache geo02
 run: nix-shell -A eval-nodes --run cache-node
+ hypervisor01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: hypervisor01
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache hypervisor01
+ run: nix-shell -A eval-nodes --run cache-node
+ hypervisor02:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: hypervisor02
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache hypervisor02
+ run: nix-shell -A eval-nodes --run cache-node
+ hypervisor03:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: hypervisor03
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache hypervisor03
+ run: nix-shell -A eval-nodes --run cache-node
 netcore02:
 runs-on: nix
 steps:
diff --git a/keys/default.nix b/keys/default.nix
index a9314ba..f542c0e 100644
--- a/keys/default.nix
+++ b/keys/default.nix
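Review bot: The three new jobs `hypervisor01:`, `hypervisor02:` and `hypervisor03:` are verbatim copies of the existing per-node job with only `BUILD_NODE` and the job name changed, so every future change to the build step (a new checkout pin, a changed store endpoint) has to be repeated in lock-step across all of them. A single job with `strategy: matrix: node: [hypervisor01, hypervisor02, hypervisor03]` and `BUILD_NODE: ${{ matrix.node }}` gives one definition to audit. Separately, `actions/checkout@v3` is pinned by a mutable tag; if the runner resolves that action from a forge the organisation does not control, pinning to a commit digest is the usual supply-chain hardening, though whether this Forgejo instance mirrors the action locally is not visible here. The `jobs:` mapping starts before and continues after this hunk.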
@@ -21,6 +21,15 @@ rec {
 compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
 geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
 geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+ hypervisor01 = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
+ ];
+ hypervisor02 = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
+ ];
+ hypervisor03 = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
+ ];
 rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
 storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
 vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
diff --git a/machines/nixos/hypervisor01/_configuration.nix b/machines/nixos/hypervisor01/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor01/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [ ];
+
+ enabledServices = [ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/hypervisor01/_hardware-configuration.nix b/machines/nixos/hypervisor01/_hardware-configuration.nix
new file mode 100644
index 0000000..e042f4e
--- /dev/null
+++ b/machines/nixos/hypervisor01/_hardware-configuration.nix
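Review bot: `machines/nixos/hypervisor01/_configuration.nix` is byte-identical to the files added for hypervisor02 and hypervisor03 (all three file headers carry blob `68b2c0f`), so any hardening, firewall rule or VM-hosting service later given to the hypervisor role must be replicated by hand in three places, which is how role definitions drift. Factoring the shared part into one module that each per-host file imports would keep a single definition to review. The file also leaves `enabledModules = [ ]` and `enabledServices = [ ]` and only sets `services.netbird.enable = true`, so whether these hosts receive the organisation's baseline (SSH policy, firewall, audit) depends entirely on what `lib.extra.mkConfig` applies by default, which is not visible here; a one-line comment such as `# Hypervisor role: relies on mkConfig defaults for baseline hardening; VM hosting modules to follow` would record that this is intentional rather than an omission.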
@@ -0,0 +1,79 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "mpt3sas"
+ "usbhid"
+ "sd_mod"
+ ];
+ kernelModules = [ ];
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "rootfs";
+ fsType = "zfs";
+ };
+
+ "/nix" = {
+ device = "rootfs/nix";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "rootfs/var";
+ fsType = "zfs";
+ };
+
+ # boot1 = boot partition in first disk (used by default)
+ # boot2 = boot partition in second disk (used in backup)
+
+ "/boot1" = {
+ device = "/dev/disk/by-label/BOOT1";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ "/boot2" = {
+ device = "/dev/disk/by-label/BOOT2";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; }
+ { device = "/dev/disk/by-uuid/73f94cd3-3f0f-4a32-9e5b-abd6c2a9b219"; }
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor01/secrets/secrets.nix b/machines/nixos/hypervisor01/secrets/secrets.nix
new file mode 100644
index 0000000..3943938
--- /dev/null
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
+
+]
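Review bot: The two `swapDevices` entries on hypervisor01 are plain partitions with no `randomEncryption`, and nothing in this file shows the `rootfs` ZFS pool being encrypted either, so on a host that is meant to run guests, VM memory pages that get swapped out can be written to disk in the clear and survive a reboot. NixOS can key the swap with a fresh random key at every boot by writing each entry as `{ device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; randomEncryption.enable = true; }`; the only thing it gives up is hibernation, which a server does not use. The same applies to the swap entries of hypervisor02 and hypervisor03 in this commit. Separately, the header `# Do not modify this file! It was generated by ‘nixos-generate-config’` no longer holds — the `boot1`/`boot2` comments and the nested `fileSystems = { … }` form are hand edits — so it should be replaced by a note that the file is maintained by hand and must not be regenerated over.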
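Review bot: The license tag in `secrets/secrets.nix` is misspelled `SPDX-License-Identifer` (the second `i` is missing), so REUSE/SPDX tooling will not recognise the file as EUPL-1.2 licensed; it should read `# SPDX-License-Identifier: EUPL-1.2` exactly as in the sibling `_configuration.nix`. The same typo is copied into the `secrets.nix` of hypervisor02 and hypervisor03 in this commit, so all three need the fix. The empty secret list is fine for an initial commit; the `mkSecrets [ "hypervisor01" ]` call correctly restricts the host side to the key just added in `keys/default.nix`.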
diff --git a/machines/nixos/hypervisor02/_configuration.nix b/machines/nixos/hypervisor02/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor02/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [ ];
+
+ enabledServices = [ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/hypervisor02/_hardware-configuration.nix b/machines/nixos/hypervisor02/_hardware-configuration.nix
new file mode 100644
index 0000000..c0b0ba4
--- /dev/null
+++ b/machines/nixos/hypervisor02/_hardware-configuration.nix
@@ -0,0 +1,81 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "mpt3sas"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ ];
+ kernelModules = [ ];
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "rootfs";
+ fsType = "zfs";
+ };
+
+ # boot1 = boot partition in first disk (used by default)
+ # boot2 = boot partition in second disk (used in backup)
+
+ "/boot1" = {
+ device = "/dev/disk/by-label/BOOT1";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ "/boot2" = {
+ device = "/dev/disk/by-label/BOOT2";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ "/nix" = {
+ device = "rootfs/nix";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "rootfs/var";
+ fsType = "zfs";
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/46e20dc0-01bc-4f26-904a-1d23cb96bdb6"; }
+ { device = "/dev/disk/by-uuid/a8938e0f-3a00-45e7-bc6f-4bd9e2b1db6c"; }
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor02/secrets/secrets.nix b/machines/nixos/hypervisor02/secrets/secrets.nix
new file mode 100644
index 0000000..90c0541
--- /dev/null
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
+
+]
diff --git a/machines/nixos/hypervisor03/_configuration.nix b/machines/nixos/hypervisor03/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor03/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [ ];
+
+ enabledServices = [ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/hypervisor03/_hardware-configuration.nix b/machines/nixos/hypervisor03/_hardware-configuration.nix
new file mode 100644
index 0000000..958bed4
--- /dev/null
+++ b/machines/nixos/hypervisor03/_hardware-configuration.nix
@@ -0,0 +1,81 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "mpt3sas"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "rootfs";
+ fsType = "zfs";
+ };
+
+ "/nix" = {
+ device = "rootfs/nix";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "rootfs/var";
+ fsType = "zfs";
+ };
+
+ # boot1 = boot partition in first disk (used by default)
+ # boot2 = boot partition in second disk (used in backup)
+
+ "/boot1" = {
+ device = "/dev/disk/by-uuid/80E2-979C";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ # TODO: put me in automounts + autosync between both boot partitions.
+ "/boot2" = {
+ device = "/dev/disk/by-uuid/8722-1B4F";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/dfe3aa01-ed46-4996-8ae3-a913ebffba76"; }
+ { device = "/dev/disk/by-uuid/5531258d-3538-4744-be1b-e08e26ad377f"; }
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor03/secrets/secrets.nix b/machines/nixos/hypervisor03/secrets/secrets.nix
new file mode 100644
index 0000000..a66cb2b
--- /dev/null
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
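Review bot: hypervisor03 mounts its boot partitions by UUID (`/dev/disk/by-uuid/80E2-979C` and `/dev/disk/by-uuid/8722-1B4F`) whereas hypervisor01 and hypervisor02 in this same commit use `/dev/disk/by-label/BOOT1` and `BOOT2`, so the fallback-boot procedure that the `boot1`/`boot2` comments describe is not uniform across the three hosts; labelling hypervisor03's ESPs the same way and using `device = "/dev/disk/by-label/BOOT1";` / `device = "/dev/disk/by-label/BOOT2";` would keep one procedure to document and rehearse. The `# TODO: put me in automounts + autosync between both boot partitions.` comment also means that, today, `/boot2` holds only whatever was copied to it by hand, so a boot from the second disk may run an older kernel and initrd than the last deployment — worth stating explicitly, e.g. `# NOTE: /boot2 is not synced yet; a fallback boot may run a stale kernel/initrd`, until the sync exists. As on the other two hosts, the `swapDevices` entries have no `randomEncryption`, so swapped-out guest memory can reach disk unencrypted.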
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
+
+]
diff --git a/meta/network.nix b/meta/network.nix
index 1c50637..26f0541 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -82,6 +82,63 @@
 netbirdIp = "100.80.233.249";
 };
 
+ hypervisor01 = {
+ interfaces = {
+ eno4 = {
+ ipv4 = [
+ {
+ address = "10.0.254.11";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "10.0.254.1" ];
+ enableDefaultDNS = true;
+ };
+ };
+
+ hostId = "4dbbd76a";
+ netbirdIp = "100.80.242.115";
+ };
+
+ hypervisor02 = {
+ interfaces = {
+ eno4 = {
+ ipv4 = [
+ {
+ address = "10.0.254.12";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "10.0.254.1" ];
+ enableDefaultDNS = true;
+ };
+ };
+
+ hostId = "d0b48483";
+ netbirdIp = "100.80.37.202";
+ };
+
+ hypervisor03 = {
+ interfaces = {
+ eno4 = {
+ ipv4 = [
+ {
+ address = "10.0.254.13";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "10.0.254.1" ];
+ enableDefaultDNS = true;
+ };
+ };
+
+ hostId = "1c407ea8";
+ netbirdIp = "100.80.58.178";
+ };
+
 rescue01 = {
 interfaces = {
 ens18 = {
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 34e5f62..fb7d0f1 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -91,6 +91,63 @@
 };
 };
 
+ hypervisor01 = {
+ site = "pot01";
+
+ hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
+
+ stateVersion = "24.11";
+
+ nixpkgs = {
+ version = "24.11";
+ system = "nixos";
+ };
+
+ adminGroups = [ "hypervisors" ];
+
+ deployment = {
+ targetHost = "hypervisor01.dgnum";
+ };
+ };
+
+ hypervisor02 = {
+ site = "pot01";
+
+ hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
+
+ stateVersion = "24.11";
+
+ nixpkgs = {
+ version = "24.11";
+ system = "nixos";
+ };
+
+ adminGroups = [ "hypervisors" ];
+
+ deployment = {
+ targetHost = "hypervisor02.dgnum";
+ };
+ };
+
+ hypervisor03 = {
+ site = "pot01";
+
+ hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
+
+ stateVersion = "24.11";
+
+ nixpkgs = {
+ version = "24.11";
+ system = "nixos";
+ };
+
+ adminGroups = [ "hypervisors" ];
+
+ deployment = {
+ targetHost = "hypervisor03.dgnum";
+ };
+ };
+
 rescue01 = {
 site = "luj01";
 
diff --git a/meta/organization.nix b/meta/organization.nix
index 0b75855..af2247b 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -91,6 +91,10 @@
 "ecoppens"
 ];
 
+ hypervisors = [
+ "catvayor"
+ "ecoppens"
+ ];
 };
 
 external = {