
Progress

main
Dustin Frisch 2 years ago
parent
commit
1df1e88f79
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 3
      .gitignore
  2. 8
      .sops.yaml
  3. 16
      flake.lock
  4. 10
      flake.nix
  5. 51
      machines.nix
  6. 5
      machines/manager/autoinstall.nix
  7. 2
      machines/manager/cache.nix
  8. 25
      machines/manager/default.nix
  9. 27
      machines/manager/disk.nix
  10. 34
      machines/manager/hardware.nix
  11. 23
      machines/manager/ldap.nix
  12. 29
      machines/manager/netinstall.nix
  13. 13
      machines/manager/network.nix
  14. 4
      machines/manager/nfs.nix
  15. 16
      machines/node/default.nix
  16. 29
      machines/node/disk.nix
  17. 35
      machines/node/hardware.nix
  18. 13
      machines/node/network.nix
  19. 31
      secrets.yaml
  20. 11
      secrets/cache-priv-key.pem
  21. 11
      shared/default.nix
  22. 13
      shared/network.nix
  23. 2
      shared/users.nix

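--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/.pre-commit-config.yaml
+.gcroots
+.direnv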

8
.sops.yaml

@ -1,5 +1,11 @@
keys:
- &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
- &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
creation_rules:
- key_groups:
- pgp:
- 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
- *admin_fooker
age:
- *server_manager
path_regex: ^(secrets\.yaml|secrets/.+)$
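Review bot: The `pgp:` list under `key_groups` names the admin key twice, once literally as `- 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE` and once via `- *admin_fooker`; the hunk header (5 old lines, 11 new, 11 shown) puts both on the new side, so the literal entry is redundant and should be dropped in favour of the anchor, otherwise a future key rotation has to be done in two places and is easy to half-do. The `server_manager` age recipient is presumably the manager host's SSH-host-key-derived age key that `age.sshKeyPaths` in shared/default.nix resolves against; a comment next to it, `# age key derived from the manager's ssh_host_ed25519_key, lets sops-nix decrypt on the host`, would make it clear why a machine rather than a person can decrypt everything matched by `path_regex`.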

16
flake.lock

@ -165,6 +165,21 @@
"type": "github"
}
},
"gather": {
"locked": {
"lastModified": 1685458852,
"narHash": "sha256-w05QjsDxebdO6Hsfp60Run3tECsI6ucwoS1pPR1YLbk=",
"owner": "fooker",
"repo": "gather.nix",
"rev": "cd099d749f2050370d0cc42a496d537e61b9a6f4",
"type": "github"
},
"original": {
"owner": "fooker",
"repo": "gather.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
@ -368,6 +383,7 @@
"inputs": {
"colmena": "colmena",
"disko": "disko",
"gather": "gather",
"nixago": "nixago",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",

10
flake.nix

@ -51,14 +51,20 @@
type = "github";
owner = "nix-community";
repo = "disko";
inputs.nixpkgs.follows = "nixpkgs";
};
gather = {
type = "github";
owner = "fooker";
repo = "gather.nix";
};
};
outputs = { nixpkgs, utils, ... }@inputs: {
colmena = import ./machines.nix inputs;
devShell = utils.lib.eachSystemMap utils.lib.allSystems (system:
let
pkgs = nixpkgs.legacyPackages.${system};

51
machines.nix

@ -1,33 +1,40 @@
{ nixpkgs, disko, sops, ... }@inputs:
{ nixpkgs, disko, sops, gather, ... }@inputs:
let
deploymentPkgs = import nixpkgs {
localSystem.system = "x86_64-linux";
};
in with deploymentPkgs.lib; let
mkMachine = type: opts: { lib, ... }:
let
machine = import ./machines/${type} opts;
in {
imports = [
./shared
./modules
machine
sops.nixosModules.sops
disko.nixosModules.disko
];
};
in
with deploymentPkgs.lib; let
mkMachine = type: opts: { lib, ... }:
let
machine = import ./machines/${type} opts;
in
{
imports = [
./shared
./modules
machine
disko.nixosModules.disko
sops.nixosModules.sops
gather.nixosModules.gather
];
};
machines = {
manager = mkMachine "manager" {};
} // (listToAttrs (genList (i: nameValuePair
"node-${fixedWidthNumber 2 i}"
(mkMachine "node" { id = i; })
) 16));
manager = mkMachine "manager" { };
} // (listToAttrs (genList
(i: nameValuePair
"node-${fixedWidthNumber 2 i}"
(mkMachine "node" { id = i; })
) 16));
in {
in
{
meta = {
nixpkgs = deploymentPkgs;
@ -35,4 +42,4 @@ in {
inherit inputs;
};
};
} // machines
} // machines

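--- a/machines/manager/autoinstall.nix
+++ b/machines/manager/autoinstall.nix
@@ -1,5 +0,0 @@
-# TFTP boot with shared image
-# Requests store path to install from master
-# Runs disko and nixos-install
-{}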

2
machines/manager/cache.nix

@ -15,7 +15,7 @@
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"cache.hpc.informatik.hs-fulda.de" = {
"cache.${config.networking.domain}" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};

25
machines/manager/default.nix

@ -1,31 +1,24 @@
{ ... }:
{ lib, config, ... }:
_:
{ lib, config, ... }:
with lib;
{
imports = [
./hardware.nix
./disk.nix
./network.nix
./nfs.nix
#./ldap.nix
./ldap.nix
#./beegfs.nix
#./ntp.nix
./ntp.nix
#./gateway.nix
#./autoinstall.nix
#./cache.nix
#./netinstall.nix
./cache.nix
];
users.users."root".password = "asdasd123";
virtualisation.useDefaultFilesystems = false;
virtualisation.fileSystems."/" = {
device = config.virtualisation.bootDevice;
fsType = "btrfs";
autoFormat = true;
};
deployment = {
targetHost = "10.32.30.240";
targetHost = "10.32.30.93";
targetUser = "root";
tags = [ "manager" ];
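Review bot: `users.users."root".password = "asdasd123"` is a plaintext root credential committed to the repo; the rendering does not recover which side of the diff this line is on, and it sits next to the `virtualisation.*` test settings so it is most likely being removed here, but it has already been pushed and should be treated as burned, with the root password rotated and shared/users.nix's `hashedPassword` plus SSH keys left as the only mechanism. Separately, this commit adds machines/manager/netinstall.nix but the import list visible here only shows `./cache.nix` being enabled; if netinstall is meant to be live it needs `./netinstall.nix` in `imports`, and if it is intentionally unwired a comment such as `# ./netinstall.nix  # not wired up yet` would stop the next reader from wondering. The module's attribute set continues past the end of the hunk.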

27
machines/manager/disk.nix

@ -1,31 +1,44 @@
{ ... }:
{
disko.devices = {
disk.sda = {
device = "/dev/nvme0n1";
disk."system" = {
device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:1:0";
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = [
{
index = 1;
name = "root";
start = "100MiB";
end = "100%";
end = "-4GB";
part-type = "primary";
fs-type = "btrfs";
bootable = true;
content = {
type = "filesystem";
format = "ext4";
#format = "btrfs";
format = "btrfs";
mountpoint = "/";
};
}
{
index = 2;
name = "swap";
start = "-4G";
end = "100%";
part-type = "primary";
fs-type = "linux-swap";
content = {
type = "swap";
randomEncryption = true;
};
}
{
index = 3;
name = "ESP";
start = "1MiB";
end = "100MiB";
fs-type = "fat32";
bootable = true;
content = {
type = "filesystem";
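Review bot: The root partition ends at `end = "-4GB";` while the swap partition starts at `start = "-4G";`; disko passes these strings through to parted, and whether bare `G` is accepted and treated identically to `GB` there is not something I can verify from this hunk, so the two spellings should simply be made identical (`"-4GB"` on both, or `"-4GiB"` on both if a binary boundary is intended) so there is no chance of a gap or overlap between partitions 1 and 2. The same `-4GB`/`-4G` pair appears in machines/node/disk.nix. The ESP entry at the end of this hunk is cut off.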

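--- a/machines/manager/hardware.nix
+++ b/machines/manager/hardware.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, modulesPath, ... }:
+with lib;
+{
+imports = [
+"${modulesPath}/installer/scan/not-detected.nix"
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.initrd.systemd.enable = true;
+boot.initrd.availableKernelModules = [
+"uhci_hcd"
+"ehci_pci"
+"ata_piix"
+"mptsas"
+"usb_storage"
+"usbhid"
+"sd_mod"
+"sr_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+nixpkgs.hostPlatform = "x86_64-linux";
+hardware.enableRedistributableFirmware = true;
+hardware.cpu.intel.updateMicrocode = true;
+}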

23
machines/manager/ldap.nix

@ -1,5 +1,12 @@
{ config, ... }:
{ lib, config, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." config.networking.domain);
in
{
services.openldap = {
enable = true;
@ -17,10 +24,10 @@
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/db";
olcSuffix = "dc=sc,dc=informatik,dc=hs-fulda,dc=de";
olcRootDN = "cn=root,dc=sc,dc=informatik,dc=hs-fulda,dc=de";
olcSuffix = baseDN;
olcRootDN = "cn=root,${baseDN}";
olcRootPW.path = config.sops.secrets."ldap/root/password".path;
olcAccess = [
@ -40,5 +47,7 @@
};
};
sops.secrets."ldap/root/password" = { };
}
sops.secrets."ldap/root/password" = {
owner = "openldap";
};
}
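Review bot: `baseDN` is computed from `config.networking.domain` with no comment, and a reader has to mentally run `concatMapStringsSep`/`splitString` to confirm that `olcSuffix = baseDN;` and `olcRootDN = "cn=root,${baseDN}";` are equivalent to the literals they replace; add `# "hpc.informatik.hs-fulda.de" -> "dc=hpc,dc=informatik,dc=hs-fulda,dc=de"` above the `let`. Giving the `ldap/root/password` secret `owner = "openldap";` is the right fix for `olcRootPW.path` being read by the daemon; a short `# slapd reads olcRootPW.path at startup, so the secret must be readable by its user` would record why the owner is set.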

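--- a/machines/manager/netinstall.nix
+++ b/machines/manager/netinstall.nix
@@ -0,0 +1,29 @@
+# TFTP boot with shared image
+# Requests store path to install from master
+# Runs disko and nixos-install
+{ pkgs, lib, config, ... }:
+{
+services.pixiecore = {
+enable = true;
+mode = "api";
+dhcpNoBind = true;
+debug = true;
+statusPort = 6080;
+apiServer = "http://boot.${config.networking.domain}/pixiecore";
+};
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = {
+"boot.${config.networking.domain}" = {
+locations."/status".proxyPass = "http://localhost:${toString config.services.pixiecore.statusPort}";
+locations."/pixiecore" = {
+root = "/srv/pixieboot";
+};
+};
+};
+};
+}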
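Review bot: `debug = true;` is left on in a file that otherwise looks like the final netboot configuration; debug logging of every boot request is noisy and easy to forget, so either drop it or annotate it, `debug = true; # TODO: disable once netboot is stable`. The `boot.${config.networking.domain}` vhost exposes pixiecore's status port at `/status` to anyone who can reach the manager with no `allow`/`deny` block, and serves the API answers as a static tree under `/srv/pixieboot` over plain http; the boot spec being readable by any client on the segment is inherent to PXE, but the status endpoint could be restricted to the management subnet. The header comment ("Requests store path to install from master", "Runs disko and nixos-install") describes behaviour this file does not implement — it only serves static answers for pixiecore's API lookups — so it should be reworded to match, or point at where that logic lives.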

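--- a/machines/manager/network.nix
+++ b/machines/manager/network.nix
@@ -0,0 +1,13 @@
+{
+networking.interfaces."enp11s0f0" = {
+ipv4.addresses = [{
+address = "10.32.30.93";
+prefixLength = 24;
+}];
+};
+networking.defaultGateway = {
+address = "10.32.30.1";
+interface = "enp11s0f0";
+};
+}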

4
machines/manager/nfs.nix

@ -1,8 +1,8 @@
{
{ config, ... }: {
services.nfs.server = {
enable = true;
exports = ''
/home node*.hpc.informatik.hs-fulda.de(rw)
/home node*.${config.networking.domain}(rw)
'';
};
}
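Review bot: The export `/home node*.${config.networking.domain}(rw)` authorises clients by a hostname wildcard, which the NFS server checks by reverse-resolving the connecting address — a weak, DNS-dependent check that also matches any future host someone happens to name `node-…`. The node and manager network files in this commit place the cluster in a single /24 (addresses `10.32.30.x`, `prefixLength = 24`), so restrict by address instead, e.g. `/home 10.32.30.0/24(rw,no_subtree_check)` (subnet derived from those files), or enumerate the node addresses; `no_subtree_check` also silences the exportfs warning this line will otherwise produce. Root squashing is the default so root on a node is mapped away, but with `sec=sys` the server still trusts whatever uid a node presents, which is worth a one-line comment if Kerberos is out of scope.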

16
machines/node/default.nix

@ -1,24 +1,30 @@
{ id, ... }:
{ lib, ... }:
{ lib, config, ... }:
with lib;
{
imports = [
./hardware.nix
./disk.nix
./network.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
deployment = {
targetHost = "10.32.30.94";
targetUser = "root";
tags = [ "node" ];
};
networking.hostName = "node-${fixedWidthNumber 2 id}";
nix.settings = {
substituters = [
"http://cache.hpc.informatik.hs-fulda.de"
"http://cache.${config.networking.domain}"
];
trusted-public-keys = [
"cache.hpc.informatik.hs-fulda.de:dc2abEGJAQfaZiBXhjvjPU0jx/wosQwAOQoz48/G6cA="
"cache.${config.networking.domain}:dc2abEGJAQfaZiBXhjvjPU0jx/wosQwAOQoz48/G6cA="
];
};
}
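Review bot: `deployment.targetHost = "10.32.30.94";` is a single literal, yet machines.nix instantiates this module 16 times via `mkMachine "node" { id = i; }`, so every node deploys to the same address, and machines/node/network.nix in this same commit assigns that same static `10.32.30.94` to every node. Unless the per-node address is set somewhere outside this commit, derive it from `id` the way `networking.hostName` already does — e.g. `targetHost = "10.32.30.${toString (100 + id)}";` (the offset is only an example; use the real allocation) — and pass `id` into network.nix (`(import ./network.nix { inherit id; })` in `imports`) so the static IP follows the same rule. The plain `http://cache.${config.networking.domain}` substituter is acceptable because `trusted-public-keys` makes the signing key the trust anchor; a comment saying exactly that would stop a later "add TLS" change from being mistaken for the fix.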

29
machines/node/disk.nix

@ -1,19 +1,19 @@
{ ... }:
{
disko.devices = {
disk.sda = {
device = "/dev/sda";
disk."system" = {
device = "/dev/disk/by-path/pci-0000:00:11.0-ata-1";
type = "disk";
content = {
type = "table";
format = "gpt";
format = "msdos";
partitions = [
{
index = 1;
name = "root";
start = "100MiB";
end = "100%";
start = "1MB";
end = "-4GB";
part-type = "primary";
fs-type = "btrfs";
bootable = true;
content = {
type = "filesystem";
@ -22,14 +22,15 @@
};
}
{
name = "ESP";
start = "1MiB";
end = "100MiB";
bootable = true;
index = 2;
name = "swap";
start = "-4G";
end = "100%";
part-type = "primary";
fs-type = "linux-swap";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
type = "swap";
randomEncryption = true;
};
}
];

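--- a/machines/node/hardware.nix
+++ b/machines/node/hardware.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, modulesPath, ... }:
+with lib;
+{
+imports = [
+"${modulesPath}/installer/scan/not-detected.nix"
+];
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+boot.initrd.systemd.enable = true;
+boot.initrd.availableKernelModules = [
+"ahci"
+"ohci_pci"
+"ehci_pci"
+"pata_atiixp"
+"usbhid"
+"usb_storage"
+"sd_mod"
+"sr_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+nixpkgs.hostPlatform = "x86_64-linux";
+hardware.enableRedistributableFirmware = true;
+hardware.cpu.amd.updateMicrocode = true;
+}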
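Review bot: `boot.loader.grub.device = "/dev/sda";` uses an enumeration-dependent kernel name while machines/node/disk.nix in this commit pins the same disk as `/dev/disk/by-path/pci-0000:00:11.0-ata-1`; if the kernel ever enumerates differently, disko and grub will target different disks, so use the by-path name here as well (`boot.loader.grub.device = "/dev/disk/by-path/pci-0000:00:11.0-ata-1";`). `boot.loader.grub.version = 2;` is deprecated in recent NixOS releases, where GRUB 2 is the only supported version, and will at least emit a warning; drop it. Both this file and machines/manager/hardware.nix read like `nixos-generate-config` output; a header comment saying so, and which lines (the loader settings) were edited by hand, would tell readers what is safe to regenerate.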

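--- a/machines/node/network.nix
+++ b/machines/node/network.nix
@@ -0,0 +1,13 @@
+{
+networking.interfaces."enp2s0f0" = {
+ipv4.addresses = [{
+address = "10.32.30.94";
+prefixLength = 24;
+}];
+};
+networking.defaultGateway = {
+address = "10.32.30.1";
+interface = "enp2s0f0";
+};
+}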

31
secrets.yaml

@ -8,23 +8,32 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
age:
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2N1SVQzcVFHRC9KRmM4
Wmd0dVE1TmIxZTR3QmhVbnRxT21kcFA4VEJVCnhrRUY0d2xJVFdaR2xRQXBEM2t2
Qllha1AvRGxFNWxta1JNSzBNSUNIdjQKLS0tIEJ2TWpnTFArdzhPU2JIZjlhOGVy
REpyVVlBL3BMSnF5QThBSGxNSEVGNHcKWqozLpGac2RlrpmR9DuJTcD4ue5zjwnz
b0eyJ2gD3gr81zG9DSifjLg8BLyt1mSml4wia5uHOP4DxhX4EOLDJw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-29T12:51:30Z"
mac: ENC[AES256_GCM,data:02jKHbEZGs3QiNzXEQxcB8v/i5UVB/pCciz4hSI220+GEYPgQK6qR1cZJaMAyrHKjzJLhNZq3Gfgsj4zfA+FMg/d12vp2QNTMRrVD/hSh67NgloZ/iTmJC//S8OJfiHEPdGKkq7zXCVajnkGMT/0yLNWAKISAwL451ohgMzMQYw=,iv:8hqKXUolNA7WatnnYwwUN2EgOyZjTISG2bfToENYc7c=,tag:5y43RQJgZbPK8g3Cw8CBzQ==,type:str]
pgp:
- created_at: "2023-05-24T20:04:49Z"
- created_at: "2023-05-30T15:22:50Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQf6A69nF8BRpYRdz3ea8acqryKoMe5p2A44drykDQR0NO9r
I6j0Hg9AksgC+rGRIQtCuj18gYybDFXgYLCE8MYfgh2NSyqeGzq2+kPDqAXRong/
Wrg1+KRlDbvIqH7IZ5BS40TGdphh/U8BIUcO8N4tgP60G6C7z9FqfjiA5YByqau3
7uAtKg3kR6lL13Cf0AUnMrQ8AOZ+6p+BwdTcXeUW2bScw8ScbEQsw/MtoiEN9Een
jvPhqTczdcZLIgTV+DvmimwYmH8xwFiMNFBrt4uzsBMv9N4pb0EzL8TcKIOuE8iw
YserGEi/sMx5QzqYmS2yPvNxwcXsZi28SQrHOs4Lv9JeAdpqwrqJjAaV3pN0OgSy
31XV/oDL8GJ3SfNqUZEULB06gkemRZscehMOi0tN+UX1gd7fJGsqsDK6geuqpShP
IpfMLriGoQb6Zy4fwEq9N5+AfWXfSZ9Kb8ab8ksvuA==
=Wm8a
hQEMA5ntoryXZPD4AQf/csXiLfUOCPX0jNdz6V2YzStTD1tiYM8+SyqS433ZC8ii
CR1vD5UlrXHEzfXX5Wt1iHO6Y5BCtvv4nVOaYPldV0n17FisXhAbKciTj5Om43uu
rbfY2xgHdZaFU3nMC147xDh5cOVa297mOY6jaCDX2bpfxp35NYz2vUNyfevG61Tl
sT6y0ISi2eN+x4xmlbDBs7/8LLiwjXvJu3UBXcEYNK18lYzALVPZWeCQvM5ALGS7
IC/vw6lhudNGXCSiT4SyPuQgIvFEyQvmIx4a/N35EARp6bXHH6gHalgJBTmulKaT
DGwewIjEw6FdmdLO4r3bpC7FvS0Pllo6HFTxh7OkVtJeASYywgWX1n/O6xT4pisQ
5dHHYoPtEe3wnuF/xb+mRsidGdKG3Tiu6rA3SoFbK6m7QSHOaDgsC8hDVDLw1XBs
FIJWhBoHIodOj+aaScZmFGZnJAbwhYiYrmZs8qJdtg==
=Vjvo
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted

11
secrets/cache-priv-key.pem

@ -5,13 +5,18 @@
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": null,
"age": [
{
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bkJEK1lXZDRpbHd1WXNL\nYkdId3NicUwrK09ScVVuWnhIUjA3QTRXZDA0CkticldtQUUvK1E2emhLckxDaklx\nNDdMT2VxOGVSdEwxS1FZRldYMzRvQmcKLS0tIE5UeUFVVGVrdEkxNUltYUs5RUNV\nSEIwNzFXUk4xZStiYm5JRWRZUDBPblEKjM4GZg+YPgoQl9pXp7SM1SOBO1vH1rfb\nEWIHIZc5kx2VPnD+jSUqqFApZuPSpDtdyWXJWJQLIWBOXeUmx/KJKA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-05-26T08:59:34Z",
"mac": "ENC[AES256_GCM,data:8h8NREXye3DDL7DpvT7sVr1lyaAfEgDwOoaDMuCzzRyHFWPSELQHnjLjEjmexoRrrsE/U608/h62PU7m9EDSYuWlJsvuNBZ+HezR/Ve8oFrZ5ZE3HIoEt2aeM2enSEHGP+aYFL4jEZJJDn9xoW3chFu3JLTSez0NOAhuejghjnU=,iv:Dfxlfa/mwKswYL077oPV+rylKk5y67qKPz+6UFCje9c=,tag:lmM0U8H5FlVRMO51mqTZgg==,type:str]",
"pgp": [
{
"created_at": "2023-05-26T08:54:32Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/WmHVgATZ4cl/zI+aRMYGrWyAHAWJ/gtXzTbY2oGHdonw\nx4+5XBsFg28JcJXlI9Aq643e8+/2BPie4tawyrNfWBcaovHbFzEvc4EK0wPbx0Ax\nYW2P237lKyCfOhC4uzeghlr/IpX+SGZGvSDmg6R99/sXZ8pnPFG6PwPp2rdE1JMJ\nZRupMzZfSgJWgZXQIxJhiymHh1ddAMGuLhDzRSj7eVZiN8kl39Y0wEKzmCqCSvIl\n5nn3EmGsB2sSNo8W6C91WQRyxRBP48wWUSZ0P7lHXQEqJW9ioLGq+1qLaL2ZVA3h\nr++vjXf+v9yIsOSGVJAehVV4rXF1pJJJSDMewG6bJdJeAQOiR8+mLvdtwIQOfEFM\nQVvNJ6RfRKSYIrRxBqBJx4vDKTUtktmcBRZJazB7s+TWkhAtrFHyZXCcO9L9Uz7/\nePJ8xD8z6SDZTUa7Y2mJx416mVZwvz7yEWThIBrGGA==\n=Xn2g\n-----END PGP MESSAGE-----\n",
"created_at": "2023-05-30T15:22:58Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+M9eb4mKfNadMmoAZ/OHOpKTl52jUDympCZblXF6yHS+8\ny7uchp+69vtXif+ZPLC+NMEZLtAnwPG3KhBXTK5c+6+dqZN4DI3MvGq1HKy3nEU0\nDqk2vQKPH29EvsVO4QgEZqGoNRVW7MXHzcq8WYKkKWXvNRcGzNPANqp1pCS+Chns\neeFCVynsd7QUTYkvSw1/BZuMY135+Ubd2Vm9At6GI6xI87KTVQh/o+vFKQpdnRHj\nENuPBF2z4TbZHweH4gGYibfdiWsyWzAlu7G9OtNww+AdoydctaMDeH+N4LGCCqBS\nnLfNY7aRYfLxQ/zcuPhzl1jiJeQeLcMiXyssoyNwRtJeASov2wKOpLAYlSVE+frW\n4CY9iw2694Cidw66l2i15hk/Q9IiUSPYpghdiowVvZgNnNaAl8TYhcN08uPFhLvT\nASzWUOwnhgVTu11bhqYEIjt3tY4JrKzynY8tDy+Z3Q==\n=ZSOF\n-----END PGP MESSAGE-----\n",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],

11
shared/default.nix

@ -3,9 +3,9 @@
{
imports = [
./network.nix
./root.nix
#"${modulesPath}/profiles/headless.nix"
./users.nix
"${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/all-hardware.nix"
];
@ -16,11 +16,6 @@
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.systemd.enable = true;
time.timeZone = "Europe/Berlin";
console.keyMap = "de";

13
shared/network.nix

@ -1,7 +1,18 @@
{ config, ... }:
{
networking.domain = "hpc.informatik.hs-fulda.de";
networking.useDHCP = true;
networking.search = [
config.networking.domain
];
networking.nameservers = [
"10.0.0.52"
"10.1.1.10"
];
networking.useDHCP = false;
services.openssh = {
enable = true;

2
shared/root.nix → shared/users.nix

@ -3,7 +3,7 @@
users.users."root" = {
hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
];