From 1d1a4ccac34987f2f33da3f0e6efe5410aab3497 Mon Sep 17 00:00:00 2001 From: sinavir Date: Thu, 5 Dec 2024 09:57:42 +0100 Subject: [PATCH] feat: experimental routers infra for dn42 --- .gitignore | 3 + machines/krz01/_configuration.nix | 4 +- machines/router02/secrets/secrets.nix | 1 + machines/router02/wireguard.nix | 44 +++++++ machines/routexp01/_configuration.nix | 25 ++++ .../routexp01/_hardware-configuration.nix | 40 ++++++ machines/routexp01/disko.nix | 33 +++++ machines/routexp01/networking.nix | 2 + machines/routexp01/secrets/secrets.nix | 3 + meta/network.nix | 30 +++++ meta/nodes.nix | 33 ++++- meta/routexp.nix | 7 ++ modules/default.nix | 6 +- modules/lab-routexp/default.nix | 116 ++++++++++++++++++ 14 files changed, 343 insertions(+), 4 deletions(-) create mode 100644 machines/router02/wireguard.nix create mode 100644 machines/routexp01/_configuration.nix create mode 100644 machines/routexp01/_hardware-configuration.nix create mode 100644 machines/routexp01/disko.nix create mode 100644 machines/routexp01/networking.nix create mode 100644 machines/routexp01/secrets/secrets.nix create mode 100644 meta/routexp.nix create mode 100644 modules/lab-routexp/default.nix diff --git a/.gitignore b/.gitignore index d50eeb8..8d7091a 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,6 @@ result-* *.qcow2 .gcroots .pre-commit-config.yaml + +# nixmoxer (proxmox declarative vms) +nixmoxer.conf diff --git a/machines/krz01/_configuration.nix b/machines/krz01/_configuration.nix index 2323df4..148e83c 100644 --- a/machines/krz01/_configuration.nix +++ b/machines/krz01/_configuration.nix @@ -8,8 +8,8 @@ lib.extra.mkConfig { enabledServices = [ # INFO: This list needs to stay sorted alphabetically # Machine learning API machine - # "microvm-ml01" - # "microvm-router01" + "microvm-ml01" + "microvm-router01" "nvidia-tesla-k80" "ollama" "whisper" diff --git a/machines/router02/secrets/secrets.nix b/machines/router02/secrets/secrets.nix index 5e3898e..cc22e11 100644 
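Review bot: The two `enabledServices` entries `"microvm-ml01"` and `"microvm-router01"` on krz01 go from commented out to active, which (re)starts two microVMs on the Proxmox host, and neither the subject nor the body of the commit mentions that. If it is intentional, one line in the commit message such as `Re-enable the ml01/router01 microVMs on krz01 alongside the Proxmox-managed routexp VMs` would record it; if it is a leftover from local testing, it should be dropped from this patch. The `enabledServices` list itself closes outside the hunk.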
--- a/machines/router02/secrets/secrets.nix +++ b/machines/router02/secrets/secrets.nix @@ -1,3 +1,4 @@ (import ../../../keys).mkSecrets [ "router02" ] [ # List of secrets for router02 + "systemd-network-wg_key" ] diff --git a/machines/router02/wireguard.nix b/machines/router02/wireguard.nix new file mode 100644 index 0000000..eef0b2d --- /dev/null +++ b/machines/router02/wireguard.nix @@ -0,0 +1,44 @@ +{ config, ... }: +{ + config.age-secrets.autoMatch = [ "systemd-network" ]; + networking.firewall.trustedInterfaces = [ "wg0" ]; + systemd.network = { + networks = { + "50-wg-mgmt" = { + name = "wg-mgmt"; + address = [ + "fdaa::1/64" + ]; + routes = [ + { + Destination = "fdaa::/64"; + Scope = "link"; + } + ]; + }; + }; + netdevs = { + "50-wg-mgmt" = { + netdevConfig = { + Name = "wg-mgmt"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 1194; + PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path; + }; + + wireguardPeers = [ + { + AllowedIPs = [ + "fdaa::2/64" + ]; + PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA="; + } + ]; + }; + }; + }; + networking.firewall.allowedUDPPorts = [ 1194 ]; +} + diff --git a/machines/routexp01/_configuration.nix b/machines/routexp01/_configuration.nix new file mode 100644 index 0000000..98d41de --- /dev/null +++ b/machines/routexp01/_configuration.nix @@ -0,0 +1,25 @@ +{ lib, ... }: + +lib.extra.mkConfig { + enabledModules = [ + # List of modules to enable + "lab-routexp" + ]; + + enabledServices = [ + # List of services to enable + ]; + + extraConfig = { + lab-routexp = { + id = 1; + + connections = [ + 1001 + 1002 + ]; + }; + }; + + root = ./.; +} diff --git a/machines/routexp01/_hardware-configuration.nix b/machines/routexp01/_hardware-configuration.nix new file mode 100644 index 0000000..89528c1 --- /dev/null +++ b/machines/routexp01/_hardware-configuration.nix 
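Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ]` names an interface this file never creates; the netdev is `wg-mgmt`, so the rule is a no-op today, and if someone later "fixes" the name it will exempt the whole management tunnel from the firewall. Prefer to open only what management needs on that interface, e.g. `networking.firewall.interfaces."wg-mgmt".allowedTCPPorts = [ 22 ];`, rather than trusting it wholesale. On the peer, `AllowedIPs = [ "fdaa::2/64" ]` claims the entire fdaa::/64 for that one public key (the kernel routes on the prefix, not the host bits), so it should be `"fdaa::2/128"` before a second peer is ever added. Sourcing the private key from an age secret is right; a one-line comment that the file must be readable by the systemd-network user — presumably what `age-secrets.autoMatch` arranges, but confirm — would save the next reader a debugging round.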
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + lib, + sources, + modulesPath, + ... +}: +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (sources.disko + "/module.nix") + ./disko.nix + ]; + boot = { + initrd = { + availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/machines/routexp01/disko.nix b/machines/routexp01/disko.nix new file mode 100644 index 0000000..cedd58c --- /dev/null +++ b/machines/routexp01/disko.nix @@ -0,0 +1,33 @@ +_: { + disko.devices = { + disk = { + main = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/machines/routexp01/networking.nix b/machines/routexp01/networking.nix new file mode 100644 index 0000000..2c63c08 --- /dev/null +++ b/machines/routexp01/networking.nix @@ -0,0 +1,2 @@ +{ +} 
diff --git a/machines/routexp01/secrets/secrets.nix b/machines/routexp01/secrets/secrets.nix new file mode 100644 index 0000000..7affbbd --- /dev/null +++ b/machines/routexp01/secrets/secrets.nix @@ -0,0 +1,3 @@ +(import ../../../keys).mkSecrets [ "routexp01" ] [ + # List of secrets for router02 +] diff --git a/meta/network.nix b/meta/network.nix index d07f62c..bb6455f 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -1,4 +1,32 @@ +let + mkRoutexp = + l: + builtins.listToAttrs ( + builtins.map ( + { id, hostId, ... }: + { + name = "routexp${id}"; + value = { + interfaces = { + ens18 = { + ipv6 = [ + { + address = "2a0e:e701:1120:1000::1000:${id}"; + prefixLength = 64; + } + ]; + gateways = [ "2a0e:e701:1120:1000::1" ]; + dns = [ "2a0e:e701:1120:1000::f:1" ]; + }; + }; + inherit hostId; + }; + } + ) l + ); +in { + dns01 = { interfaces = { ens18 = { @@ -62,6 +90,7 @@ hostId = "bd11e8fc"; netbirdIp = "100.80.103.206"; }; + labcore01 = { interfaces = { ens18 = { @@ -115,3 +144,4 @@ hostId = "7ce86f3d"; }; } +// mkRoutexp (import ./routexp.nix) diff --git a/meta/nodes.nix b/meta/nodes.nix index 1f8c650..3aa2677 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -18,11 +18,31 @@ - hyp01 -> Salle serveur Hypnos 1 - luj01 -> VM de Luj */ +let + mkRoutexp = + l: + builtins.listToAttrs ( + builtins.map ( + { id, ... }: + { + name = "routexp${id}"; + value = { + site = "pav01"; + + hashedPassword = "$y$j9T$XJTT9MWCE49axmQppQSKc0$b9OzdEaQgDdXTc.meKWNeKd.TeTui2PdzdcFI/ggKk3"; + + stateVersion = "24.11"; + nixpkgs = "unstable"; + }; + } + ) l + ); +in { dns01 = { site = "pav01"; - # TODO: + # TODO: hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; stateVersion = "24.05"; 
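Review bot: The comment `# List of secrets for router02` in the new routexp01 secrets file is a copy-paste leftover and should read `# List of secrets for routexp01`. The list is empty, so nothing else in the file is affected.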
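Review bot: `// mkRoutexp (import ./routexp.nix)` at the end of meta/network.nix lets the generated entries silently replace any hand-written node of the same name, since the right operand of `//` wins, so a name reuse in meta/routexp.nix would go unnoticed at evaluation time. A cheap guard is to bind the literal set and assert disjointness before merging: `let nodes = { ... }; extra = mkRoutexp (import ./routexp.nix); in assert builtins.intersectAttrs nodes extra == { }; nodes // extra`. It is also worth a comment above `mkRoutexp` that `id` is a string interpolated verbatim into the hextet `::1000:${id}` and the name `routexp${id}`, so it must stay at most four hex digits with no separators.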
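Review bot: Every node produced by `mkRoutexp` in meta/nodes.nix gets the same `hashedPassword`, so one credential is shared by all experimental routers that will peer with dn42, and compromising or recycling any one of them yields the password for the rest (this assumes `hashedPassword` is the local root/admin password, as it appears to be for the other nodes — confirm). Take it per machine instead: add `hashedPassword` to each entry in meta/routexp.nix and write `{ id, hashedPassword, ... }:` with `inherit hashedPassword;` in the generated value. The `dns01` lines further down in the hunk only change whitespace on `# TODO:`.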
@@ -77,4 +97,15 @@ stateVersion = "24.05"; nixpkgs = "unstable"; }; + roam01 = { + site = "nowhere"; + + hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9"; + + deployment.targetHost = "129.199.146.37"; + + stateVersion = "24.11"; + nixpkgs = "unstable"; + }; } +// mkRoutexp (import ./routexp.nix) diff --git a/meta/routexp.nix b/meta/routexp.nix new file mode 100644 index 0000000..ac375f1 --- /dev/null +++ b/meta/routexp.nix @@ -0,0 +1,7 @@ +# List of routers for the routexp experiment +[ + { + id = "01"; + hostId = "d70d0593"; + } +] diff --git a/modules/default.nix b/modules/default.nix index c4d4b41..e7967b5 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -4,8 +4,12 @@ (lib.extra.mkImports ./. [ "lab-acme" "lab-network" + "lab-routexp" ]) - ++ [ "${sources."microvm.nix"}/nixos-modules/host" ]; + ++ [ + "${sources."microvm.nix"}/nixos-modules/host" + (import sources.proxmox-nixos).nixosModules.declarative-vms + ]; dgn-notify.enable = false; diff --git a/modules/lab-routexp/default.nix b/modules/lab-routexp/default.nix new file mode 100644 index 0000000..922686f --- /dev/null +++ b/modules/lab-routexp/default.nix 
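Review bot: `roam01` is added here with `deployment.targetHost = "129.199.146.37"` and `site = "nowhere"`, but the diffstat lists no machines/roam01 directory and nothing else in the patch references it, so unless that machine tree already exists the node cannot be built or deployed; either way it is unrelated to the routexp subject and would be clearer as its own commit. If it stays, a comment saying what roam01 is and why its site is "nowhere" would help, e.g. `# roam01: off-site host reachable only by its public address, hence site = "nowhere"` (adjust to the facts). Note that `mkRoutexp` in this file hardcodes `site = "pav01"` for every generated router, which holds only while all routexp VMs live on krz01 as the lab-routexp module assumes.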
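Review bot: `(import sources.proxmox-nixos).nixosModules.declarative-vms` is appended to the module list every host imports, so each machine now evaluates a new third-party module, not just the routexp VMs; the pin for `sources.proxmox-nixos` is not in this diff (no npins sources file in the diffstat), so either it was added earlier or the commit does not evaluate on its own — worth confirming, and in any case worth naming the pinned revision in the commit message. Since that module drives VM creation on a Proxmox host (`autoInstall = true` in lab-routexp), keep it pinned to a reviewed revision and consider importing it from the lab-routexp module only, so hosts without Proxmox never load it. A one-line comment next to the import, `# declarative-vms: creates/updates Proxmox VMs from virtualisation.proxmox.* (used by lab-routexp)`, would tell the next reader why a host-module list pulls in a Proxmox tool.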
@@ -0,0 +1,116 @@ +# Copyright : +# - Tom Hubrecht 2023 +# +# Ce logiciel est un programme informatique servant à déployer des +# configurations de serveurs via NixOS. +# +# Ce logiciel est régi par la licence CeCILL soumise au droit français et +# respectant les principes de diffusion des logiciels libres. Vous pouvez +# utiliser, modifier et/ou redistribuer ce programme sous les conditions +# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA +# sur le site "http://www.cecill.info". +# +# En contrepartie de l'accessibilité au code source et des droits de copie, +# de modification et de redistribution accordés par cette licence, il n'est +# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons, +# seule une responsabilité restreinte pèse sur l'auteur du programme, le +# titulaire des droits patrimoniaux et les concédants successifs. +# +# A cet égard l'attention de l'utilisateur est attirée sur les risques +# associés au chargement, à l'utilisation, à la modification et/ou au +# développement et à la reproduction du logiciel par l'utilisateur étant +# donné sa spécificité de logiciel libre, qui peut le rendre complexe à +# manipuler et qui le réserve donc à des développeurs et des professionnels +# avertis possédant des connaissances informatiques approfondies. Les +# utilisateurs sont donc invités à charger et tester l'adéquation du +# logiciel à leurs besoins dans des conditions permettant d'assurer la +# sécurité de leurs systèmes et ou de leurs données et, plus généralement, +# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité. +# +# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez +# pris connaissance de la licence CeCILL, et que vous en avez accepté les +# termes. + +{ config, lib, ... 
}: + +let + inherit (lib) + mkOption + types + mkEnableOption + mkIf + ; + + cfg = config.lab-routexp; +in + +{ + options.lab-routexp = { + enable = mkEnableOption "Routing experimentation settings."; + connections = mkOption { + type = types.listOf types.int; + default = { }; + description = "Interface -> Address/CIDR map"; + }; + id = mkOption { + type = types.int; + description = "machine id"; + }; + }; + + config = mkIf cfg.enable { + virtualisation.proxmox = { + node = "krz01"; + autoInstall = true; + vmid = 150 + config.lab-routexp.id; + bios = "ovmf"; + memory = 4096; + cores = 2; + net = + [ + { + model = "virtio"; + bridge = "vmbr1"; + tag = 2520; + } + ] + ++ builtins.map (vlan: { + model = "virtio"; + bridge = "vmbr1"; + tag = vlan; + }) cfg.connections; + scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local' + }; + + systemd.network = { + networks = + builtins.listToAttrs ( + lib.imap0 (i: vlan: { + name = "20-ens${builtins.toString (20 + i)}"; + value = { + name = "ens${builtins.toString (20 + i)}"; + address = [ + "fdfd:1794:0:${builtins.toString vlan}::${builtins.toString cfg.id}/64" + ]; + }; + }) cfg.connections + ) + // { + "20-babel-local" = { + name = "babel-local"; + address = [ + "fdfd:1794::${builtins.toString cfg.id}/64" + ]; + }; + }; + netdevs = { + "babel-local" = { + netdevConfig = { + Name = "babel-local"; + Kind = "dummy"; + }; + }; + }; + }; + }; +}
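Review bot: The `connections` option is declared as `types.listOf types.int` but has `default = { }`, so a machine that enables the module without setting `connections` fails evaluation with a type error instead of getting no extra links; it should be `default = [ ];`. Its description, `Interface -> Address/CIDR map`, does not match what the code does — each entry is a VLAN tag that becomes a virtio NIC on vmbr1 and an `ens(20+i)` network addressed `fdfd:1794:0:<vlan>::<id>/64` — so something like `description = "VLAN tags of the experiment links; entry i is attached as ens(20+i)";` would be accurate. Two smaller things: the comment on the `scsi` line says the volume lands in 'local' while the storage string is `zfs-noraid`, and `id` is an int here (used as `150 + id` for the vmid) while meta/routexp.nix encodes the same router as the string "01", which invites drift between the two files; a comment stating that `lab-routexp.id` must equal the numeric value of the meta id would help until they are unified. The header credits Tom Hubrecht 2023, which looks like copied boilerplate for a 2024 file by a different author — presumably intended, but check.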