feat: experimental routers infra for dn42

This commit is contained in:
sinavir 2024-12-05 09:57:42 +01:00
parent 5626bba501
commit 1d1a4ccac3
No known key found for this signature in database
14 changed files with 343 additions and 4 deletions

3
.gitignore vendored

@ -9,3 +9,6 @@ result-*
*.qcow2 *.qcow2
.gcroots .gcroots
.pre-commit-config.yaml .pre-commit-config.yaml
# nixmoxer (proxmox declarative vms)
nixmoxer.conf


@ -8,8 +8,8 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# INFO: This list needs to stay sorted alphabetically # INFO: This list needs to stay sorted alphabetically
# Machine learning API machine # Machine learning API machine
# "microvm-ml01" "microvm-ml01"
# "microvm-router01" "microvm-router01"
"nvidia-tesla-k80" "nvidia-tesla-k80"
"ollama" "ollama"
"whisper" "whisper"


@ -1,3 +1,4 @@
(import ../../../keys).mkSecrets [ "router02" ] [ (import ../../../keys).mkSecrets [ "router02" ] [
# List of secrets for router02 # List of secrets for router02
"systemd-network-wg_key"
] ]


@ -0,0 +1,44 @@
{ config, ... }:
{
config.age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [
"fdaa::1/64"
];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers = [
{
AllowedIPs = [
"fdaa::2/64"
];
PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
}
];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}
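Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ]` names an interface this file never creates; the WireGuard netdev is `wg-mgmt` (`Name = "wg-mgmt"`), so the exemption either applies to nothing or, if a `wg0` exists elsewhere, to the wrong link. Change it to `networking.firewall.trustedInterfaces = [ "wg-mgmt" ];`, or better, open only the management ports on that link via `networking.firewall.interfaces."wg-mgmt".allowedTCPPorts` instead of trusting it wholesale. The peer's `AllowedIPs = [ "fdaa::2/64" ]` covers the whole `fdaa::/64`, not one host: AllowedIPs is WireGuard's cryptokey-routing ACL, so this peer may source packets from any address in the prefix and any later peer with an overlapping range would silently take over the route; use `"fdaa::2/128"` for a single management peer. `PrivateKeyFile` pointing at the agenix path is fine provided the secret is readable by `systemd-network`, which the `autoMatch` line suggests is intended but is not visible here.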


@ -0,0 +1,25 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"lab-routexp"
];
enabledServices = [
# List of services to enable
];
extraConfig = {
lab-routexp = {
id = 1;
connections = [
1001
1002
];
};
};
root = ./.;
}


@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
sources,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(sources.disko + "/module.nix")
./disko.nix
];
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,33 @@
_: {
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -0,0 +1,2 @@
{
}


@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "routexp01" ] [
# List of secrets for router02
]
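Review bot: The comment reads `# List of secrets for router02` but this file declares the secrets of `routexp01`, a copy-paste leftover that will mislead whoever adds the first secret here. Suggest `# List of secrets for routexp01`.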


@ -1,4 +1,32 @@
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, hostId, ... }:
{
name = "routexp${id}";
value = {
interfaces = {
ens18 = {
ipv6 = [
{
address = "2a0e:e701:1120:1000::1000:${id}";
prefixLength = 64;
}
];
gateways = [ "2a0e:e701:1120:1000::1" ];
dns = [ "2a0e:e701:1120:1000::f:1" ];
};
};
inherit hostId;
};
}
) l
);
in
{ {
dns01 = { dns01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {
@ -62,6 +90,7 @@
hostId = "bd11e8fc"; hostId = "bd11e8fc";
netbirdIp = "100.80.103.206"; netbirdIp = "100.80.103.206";
}; };
labcore01 = { labcore01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {
@ -115,3 +144,4 @@
hostId = "7ce86f3d"; hostId = "7ce86f3d";
}; };
} }
// mkRoutexp (import ./routexp.nix)


@ -18,11 +18,31 @@
- hyp01 -> Salle serveur Hypnos 1 - hyp01 -> Salle serveur Hypnos 1
- luj01 -> VM de Luj - luj01 -> VM de Luj
*/ */
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, ... }:
{
name = "routexp${id}";
value = {
site = "pav01";
hashedPassword = "$y$j9T$XJTT9MWCE49axmQppQSKc0$b9OzdEaQgDdXTc.meKWNeKd.TeTui2PdzdcFI/ggKk3";
stateVersion = "24.11";
nixpkgs = "unstable";
};
}
) l
);
in
{ {
dns01 = { dns01 = {
site = "pav01"; site = "pav01";
# TODO: # TODO:
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
stateVersion = "24.05"; stateVersion = "24.05";
@ -77,4 +97,15 @@
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "unstable"; nixpkgs = "unstable";
}; };
roam01 = {
site = "nowhere";
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
deployment.targetHost = "129.199.146.37";
stateVersion = "24.11";
nixpkgs = "unstable";
};
} }
// mkRoutexp (import ./routexp.nix)
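Review bot: Every node generated by `mkRoutexp` receives the same `hashedPassword` (the `$y$j9T$XJTT9...` literal), so one shared password unlocks every experimental router and compromising one exposes them all. If these are disposable lab VMs that may be acceptable, but make it explicit with `# NOTE: all routexp nodes share one lab-only password`, or take the hash per node from the list element, e.g. destructure `{ id, hashedPassword, ... }` and `inherit hashedPassword;`, with the value kept in routexp.nix. The `roam01` entry is the only node here addressed by a literal public `deployment.targetHost`; if intended, a one-line comment saying why would help. The enclosing attribute set starts outside this hunk.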

7
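--- a/meta/routexp.nix
+++ b/meta/routexp.nix
@@ -0,0 +1,7 @@
+# List of routers for the routexp experiment
+[
+{
+id = "01";
+hostId = "d70d0593";
+}
+]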


@ -4,8 +4,12 @@
(lib.extra.mkImports ./. [ (lib.extra.mkImports ./. [
"lab-acme" "lab-acme"
"lab-network" "lab-network"
"lab-routexp"
]) ])
++ [ "${sources."microvm.nix"}/nixos-modules/host" ]; ++ [
"${sources."microvm.nix"}/nixos-modules/host"
(import sources.proxmox-nixos).nixosModules.declarative-vms
];
dgn-notify.enable = false; dgn-notify.enable = false;


@ -0,0 +1,116 @@
# Copyright :
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
#
# Ce logiciel est un programme informatique servant à déployer des
# configurations de serveurs via NixOS.
#
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
# respectant les principes de diffusion des logiciels libres. Vous pouvez
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
# sur le site "http://www.cecill.info".
#
# En contrepartie de l'accessibilité au code source et des droits de copie,
# de modification et de redistribution accordés par cette licence, il n'est
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
# titulaire des droits patrimoniaux et les concédants successifs.
#
# A cet égard l'attention de l'utilisateur est attirée sur les risques
# associés au chargement, à l'utilisation, à la modification et/ou au
# développement et à la reproduction du logiciel par l'utilisateur étant
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
# manipuler et qui le réserve donc à des développeurs et des professionnels
# avertis possédant des connaissances informatiques approfondies. Les
# utilisateurs sont donc invités à charger et tester l'adéquation du
# logiciel à leurs besoins dans des conditions permettant d'assurer la
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
#
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
# termes.
{ config, lib, ... }:
let
inherit (lib)
mkOption
types
mkEnableOption
mkIf
;
cfg = config.lab-routexp;
in
{
options.lab-routexp = {
enable = mkEnableOption "Routing experimentation settings.";
connections = mkOption {
type = types.listOf types.int;
default = { };
description = "Interface -> Address/CIDR map";
};
id = mkOption {
type = types.int;
description = "machine id";
};
};
config = mkIf cfg.enable {
virtualisation.proxmox = {
node = "krz01";
autoInstall = true;
vmid = 150 + config.lab-routexp.id;
bios = "ovmf";
memory = 4096;
cores = 2;
net =
[
{
model = "virtio";
bridge = "vmbr1";
tag = 2520;
}
]
++ builtins.map (vlan: {
model = "virtio";
bridge = "vmbr1";
tag = vlan;
}) cfg.connections;
scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local'
};
systemd.network = {
networks =
builtins.listToAttrs (
lib.imap0 (i: vlan: {
name = "20-ens${builtins.toString (20 + i)}";
value = {
name = "ens${builtins.toString (20 + i)}";
address = [
"fdfd:1794:0:${builtins.toString vlan}::${builtins.toString cfg.id}/64"
];
};
}) cfg.connections
)
// {
"20-babel-local" = {
name = "babel-local";
address = [
"fdfd:1794::${builtins.toString cfg.id}/64"
];
};
};
netdevs = {
"babel-local" = {
netdevConfig = {
Name = "babel-local";
Kind = "dummy";
};
};
};
};
};
}
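Review bot: `connections` is declared as `types.listOf types.int` but its default is `{ }` (an attrset), so any node that enables the module without setting it fails the option type check; use `default = [ ];` and fix the description, which says `Interface -> Address/CIDR map` while the option is a list of VLAN tags, e.g. `description = "VLAN tags of the experiment links to attach (one interface per tag)";`. The `systemd.network.networks` names start at `ens20` for the first connection, yet in the Proxmox `net` list that connection sits at index 1, right after the management NIC; if `net0` enumerates as `ens18` (as hardware-configuration.nix suggests) the first connection would be `ens19`, so the `20 + i` offset looks off by one and is worth confirming on a deployed VM. Since each tag is also interpolated into the IPv6 address as a hex group, bounding it with `types.ints.between 1 4094` would reject values that are neither a valid VLAN id nor a valid address component.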