{ config, pkgs, lib, ... }:

# hscloud base node profile.
#
# Declares the per-node `hscloud.base` options (management interface and its
# static IPv4 addressing), swaps the upstream NixOS Kubernetes modules for the
# vendored copies next to this file, and sets the boot, hardware, networking,
# time-sync and SSH baseline that every node shares.
let
  inherit (lib) mkOption types;

  # Per-node values supplied by the host-specific configuration.
  base = config.hscloud.base;
in
{
  options.hscloud.base = {
    # Declared for other modules; nothing in this file reads it.
    fqdn = mkOption {
      type = types.str;
      description = "Node's FQDN.";
      default = "${config.networking.hostName}.${config.networking.domain}";
    };
    mgmtIf = mkOption {
      type = types.str;
      description = "Main network interface. Called mgmtIf for legacy reasons.";
    };
    ipAddr = mkOption {
      type = types.str;
      description = "IPv4 address on main network interface.";
    };
    ipAddrBits = mkOption {
      type = types.int;
      description = "IPv4 CIDR mask bits.";
    };
    gw = mkOption {
      type = types.str;
      description = "IPv4 address of gateway.";
    };
  };

  # Replace the upstream NixOS Kubernetes modules with the vendored fork in
  # ./vendor. flannel is disabled upstream and deliberately has no vendored
  # replacement.
  disabledModules = map (name: "services/cluster/kubernetes/${name}.nix") [
    "apiserver"
    "controller-manager"
    "default"
    "kubelet"
    "pki"
    "proxy"
    "scheduler"
    "flannel"
  ];

  imports = [
    ./vendor/apiserver.nix
    ./vendor/controller-manager.nix
    ./vendor/default.nix
    ./vendor/kubelet.nix
    ./vendor/pki.nix
    ./vendor/proxy.nix
    ./vendor/scheduler.nix
  ];

  config = {
    boot = {
      loader.grub = {
        enable = true;
        version = 2;
      };

      kernelPackages = pkgs.linuxPackages_latest;

      # On stage-1 failure the initrd drops to a root shell. Handy for remote
      # hands, but it makes console/IPMI access equivalent to root on the
      # node, so the management network and IPMI credentials carry that weight.
      kernelParams = [ "boot.shell_on_fail" ];

      # Reverse-path filtering is switched off on every interface (the
      # "default" key also covers interfaces created later, e.g. by the
      # container runtime). Presumably needed for the asymmetric/overlay
      # routing these Kubernetes nodes do — TODO confirm; note it also removes
      # the kernel's basic source-address spoofing check.
      kernel.sysctl = {
        "net.ipv4.conf.all.rp_filter" = "0";
        "net.ipv4.conf.default.rp_filter" = "0";
      };

      # Storage/USB drivers needed in the initrd to reach the root filesystem.
      initrd.availableKernelModules = [
        "uhci_hcd" "ehci_pci" "megaraid_sas" "usb_storage" "usbhid" "sd_mod" "sr_mod"
      ];
      kernelModules = [ "kvm-intel" ];
      extraModulePackages = [];
    };

    # Every host must set fileSystems."/".device itself; only the fs type is
    # fixed here.
    fileSystems."/" = {
      fsType = "ext4";
    };
    swapDevices = [ ];

    hardware = {
      enableRedistributableFirmware = true;
      # Both vendors enabled so one profile serves mixed Intel/AMD fleets.
      cpu.intel.updateMicrocode = true;
      cpu.amd.updateMicrocode = true;
    };

    time.timeZone = "Europe/Warsaw";

    # Operator toolbox available on every node. Order kept as-is because
    # systemPackages order decides priority on path collisions.
    environment.systemPackages = [
      pkgs.wget
      pkgs.vim
      pkgs.htop
      pkgs.tcpdump
      pkgs.screen
      pkgs.tmux
      pkgs.smartmontools
      pkgs.pciutils
      pkgs.lm_sensors
      pkgs.ipmitool
      pkgs.rxvt_unicode.terminfo
    ];
    programs.mtr.enable = true;

    networking = {
      # Static addressing only; the node-specific values come from the
      # hscloud.base options above.
      useDHCP = false;
      interfaces.${base.mgmtIf}.ipv4.addresses = [
        {
          address = base.ipAddr;
          prefixLength = base.ipAddrBits;
        }
      ];
      defaultGateway = base.gw;
      nameservers = [ "185.236.240.1" ];
    };

    # Evaluate against the nixpkgs pinned by this file, not the root user's
    # channel, so every node builds from the same tree.
    nix.nixPath = [
      "nixpkgs=${pkgs.path}"
      "nixos-config=/etc/nixos/configuration.nix"
    ];

    # The pin is fetched with fetchGit, which needs git on PATH during the
    # automatic upgrade service.
    systemd.services.nixos-upgrade.path = [ pkgs.git ];

    # chrony instead of systemd-timesyncd.
    services.chrony = {
      enable = true;
      # cockroach refuses to start with a clock error above 500ms, so step the
      # clock at startup whenever the initial offset exceeds 1s instead of
      # slewing slowly.
      initstepslew = {
        enabled = true;
        threshold = 1;
      };
      # Persist the RTC drift estimate and trim the RTC when it drifts by more
      # than 10s.
      extraConfig = ''
        rtcfile /var/lib/chrony/rtc
        rtcautotrim 10
      '';
    };

    # Rook OSDs running on Kubernetes expect lvm at /sbin/lvm on the host, so
    # symlink it there at activation time.
    # See: https://github.com/rook/rook/commit/f3c4975e353e3ce3599c958ec6d2cae8ee8f6f61
    system.activationScripts.sbinlvm = ''
      mkdir -m 0755 -p /sbin
      ln -sfn ${pkgs.lvm2.bin}/bin/lvm /sbin/lvm
    '';

    services.openssh.enable = true;

    # Root is on SSD everywhere; discard unused blocks once a day.
    services.fstrim = {
      enable = true;
      interval = "daily";
    };

    # Operator keys authorised directly for root. No PermitRootLogin value is
    # set here, so this relies on the NixOS sshd default (prohibit-password):
    # key-based root login only — TODO confirm nothing else in the tree
    # loosens it.
    users.users.root.openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD4VJXAXEHEXZk2dxNwehneuJcEGkfXG/U7z4fO79vDVIENdedtXQUyLyhZJc5RTEfHhQj66FwIqzl7mzBHd9x9PuDp6QAYXrkVNMj48s6JXqZqBvF6H/weRqFMf4a2TZv+hG8D0kpvmLheCwWAVRls7Jofnp/My+yDd57GMdsbG/yFEf6WPMiOnA7hxdSJSVihCsCSw2p8PD4GhBe8CVt7xIuinhutjm9zYBjV78NT8acjDUfJh0B1ODTjs7nuW1CC4jybSe2j/OU3Yczj4AxRxBNWuFxUq+jBo9BfpbKLh+Tt7re+zBkaicM77KM/oV6943JJxgHNBBOsv9scZE7 q3k@amnesia"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
      "ssh-rsa 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 patryk.jakuszew@gmail.com"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC33naG1ptCvUcRWX9cj9wXM1nW1lyQC4SvMJzWlr9aMD96O8hQ2JMkuIUgUJvorAY02QRplQ2BuoVoVkdkzwjMyi1bL3OdgcKo7Z1yByClGTTocqNJYY0lcUb6EJH8+6e6F9ydrQlSxNzL1uCaA7phZr+yPcmAmWbSfioXn98yXNkE0emHxzJv/nypJY56sDCMC2IXDRd8L2goDtPwgPEW7bWfAQdIFMJ75xOidZOTxJ8eqyXLw/kxY5UlyX66jdoYz1sE5XUHuoQl1AOG9UdlMo0aMhUvP4pX5l7r7EnA9OttKMFB3oWqkVK/R6ynZ52YNOU5BZ9V+Ppaj34W0xNu+p0mbHcCtXYCTrf/OU0hcZDbDaNTjs6Vtcm2wYw9iAKX7Tex+eOMwUwlrlcyPNRV5BTot7lGNYfauHCSIuWJKN4NhCLR/NtVNh4/94eKkPTwJsY6XqDcS7q49wPAs4DAH7BJgsbHPOqygVHrY0YYEfz3Pj0HTxJHQMCP/hQX4fXEGt0BjgoVJbXPAQtPyeg0JuxiUg+b4CgVVfQ6R060MlM1BZzhmh+FY5MJH6nJppS0aHYCvSg8Z68NUlCPKy0jpcyfuAIWQWwSGG1O010WShQG2ELsvNdg5/4HVdCGNl5mmoom6JOd72FOZyQlHDFfeQUQRn9HOeCq/c51rK99SQ== bartek@IHM"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTR292kx/2CNuWYIsZ6gykQ036aBGrmheIuZa6S1D2x implr@thonk"
    ];
  };
}