feat(hypervisors): Init

2024-12-17 16:32:22 +01:00 · 2024-12-17 16:32:22 +01:00 · b8e75176e1
commit b8e75176e1
parent cab2bc381c
14 changed files with 473 additions and 0 deletions
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -54,6 +54,39 @@ jobs:
        STORE_USER: admin
      name: Build and cache geo02
      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor01
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor02
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor03
+      run: nix-shell -A eval-nodes --run cache-node
  netcore02:
    runs-on: nix
    steps:
--- a/keys/default.nix
+++ b/keys/default.nix
@ -21,6 +21,15 @@ rec {
    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    hypervisor01 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
+    ];
+    hypervisor02 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
+    ];
+    hypervisor03 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
+    ];
    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
--- a/machines/nixos/hypervisor01/_configuration.nix
+++ b/machines/nixos/hypervisor01/_configuration.nix
@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/hypervisor01/_hardware-configuration.nix
+++ b/machines/nixos/hypervisor01/_hardware-configuration.nix
@ -0,0 +1,79 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+
+    # boot1 = boot partition in first disk (used by default)
+    # boot2 = boot partition in second disk (used in backup)
+
+    "/boot1" = {
+      device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/boot2" = {
+      device = "/dev/disk/by-label/BOOT2";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; }
+    { device = "/dev/disk/by-uuid/73f94cd3-3f0f-4a32-9e5b-abd6c2a9b219"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/nixos/hypervisor01/secrets/secrets.nix
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
+
+]
--- a/machines/nixos/hypervisor02/_configuration.nix
+++ b/machines/nixos/hypervisor02/_configuration.nix
@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/hypervisor02/_hardware-configuration.nix
+++ b/machines/nixos/hypervisor02/_hardware-configuration.nix
@ -0,0 +1,81 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    # boot1 = boot partition in first disk (used by default)
+    # boot2 = boot partition in second disk (used in backup)
+
+    "/boot1" = {
+      device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/boot2" = {
+      device = "/dev/disk/by-label/BOOT2";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/46e20dc0-01bc-4f26-904a-1d23cb96bdb6"; }
+    { device = "/dev/disk/by-uuid/a8938e0f-3a00-45e7-bc6f-4bd9e2b1db6c"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/nixos/hypervisor02/secrets/secrets.nix
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
+
+]
--- a/machines/nixos/hypervisor03/_configuration.nix
+++ b/machines/nixos/hypervisor03/_configuration.nix
@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/hypervisor03/_hardware-configuration.nix
+++ b/machines/nixos/hypervisor03/_hardware-configuration.nix
@ -0,0 +1,81 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+
+    # boot1 = boot partition in first disk (used by default)
+    # boot2 = boot partition in second disk (used in backup)
+
+    "/boot1" = {
+      device = "/dev/disk/by-uuid/80E2-979C";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    # TODO: put me in automounts + autosync between both boot partitions.
+    "/boot2" = {
+      device = "/dev/disk/by-uuid/8722-1B4F";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/dfe3aa01-ed46-4996-8ae3-a913ebffba76"; }
+    { device = "/dev/disk/by-uuid/5531258d-3538-4744-be1b-e08e26ad377f"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/nixos/hypervisor03/secrets/secrets.nix
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
+
+]
--- a/meta/network.nix
+++ b/meta/network.nix
@ -82,6 +82,63 @@
    netbirdIp = "100.80.233.249";
  };

+  hypervisor01 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.11";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "4dbbd76a";
+    netbirdIp = "100.80.242.115";
+  };
+
+  hypervisor02 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.12";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "d0b48483";
+    netbirdIp = "100.80.37.202";
+  };
+
+  hypervisor03 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.13";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "1c407ea8";
+    netbirdIp = "100.80.58.178";
+  };
+
  rescue01 = {
    interfaces = {
      ens18 = {
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@ -91,6 +91,63 @@
    };
  };

+  hypervisor01 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor01.dgnum";
+    };
+  };
+
+  hypervisor02 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor02.dgnum";
+    };
+  };
+
+  hypervisor03 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor03.dgnum";
+    };
+  };
+
  rescue01 = {
    site = "luj01";

--- a/meta/organization.nix
+++ b/meta/organization.nix
@ -91,6 +91,10 @@
      "ecoppens"
    ];

+    hypervisors = [
+      "catvayor"
+      "ecoppens"
+    ];
  };

  external = {