nixos/colony: Configure for real hardware

2022-06-17 00:54:28 +01:00 · 2022-06-17 00:54:28 +01:00 · 36d81cb656
commit 36d81cb656
parent 29ffec5de7
15 changed files with 111 additions and 93 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@ -177,11 +177,11 @@ rec {

  pubDomain = "nul.ie";
  colony = rec {
-    domain = "test.int.nul.ie";
+    domain = "fra1.int.${pubDomain}";
    start = {
      all = {
        v4 = "10.100.";
-        v6 = "2a0e:97c0:4d0:bbb";
+        v6 = "2a0e:97c0:4d0:ccc";
      };
      base = {
        v4 = "${start.all.v4}0.";
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@ -33,13 +33,16 @@
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
-
-        boot.kernelParams = [ "intel_iommu=on" ];
-        boot.loader.systemd-boot.configurationLimit = 20;
+        boot = {
+          kernelModules = [ "kvm-amd" ];
+          kernelParams = [ "amd_iommu=on" ];
+          initrd = {
+            availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+          };
+        };
        fileSystems = {
          "/boot" = {
-            device = "/dev/disk/by-uuid/83CA-3BCF";
+            device = "/dev/disk/by-uuid/C1C9-9CBC";
            fsType = "vfat";
          };
          "/nix" = {
@ -63,14 +66,19 @@
        environment.systemPackages = with pkgs; [
          pciutils
          partclone
+          lm_sensors
        ];

        systemd = {
          network = {
            links = {
-              "10-base-ext" = {
-                matchConfig.MACAddress = "52:54:00:81:bd:a1";
-                linkConfig.Name = "base-ext";
+              "10-wan0" = {
+                matchConfig.MACAddress = "d0:50:99:fa:a7:99";
+                linkConfig.Name = "wan0";
+              };
+              "10-wan1" = {
+                matchConfig.MACAddress = "d0:50:99:fa:a7:9a";
+                linkConfig.Name = "wan1";
              };
            };
            netdevs = {
@ -149,7 +157,7 @@
        my = {
          #deploy.generate.system.mode = "boot";
          secrets = {
-            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp5WDdDr/1NS3SJIDOKwcCNZDFOxqPAD7cbZWAP7EkX";
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIijqzAWF6OxKr4aeCa1TAc5xGn4rdIjVTt0wAPU6uY";
          };

          server.enable = true;
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@ -10,7 +10,7 @@
    inherit (lib) mkIf mkMerge optionals;

    wanBDF =
-      if config.my.build.isDevVM then "00:02.0" else "01:00.0";
+      if config.my.build.isDevVM then "00:02.0" else "27:00.0";

    vmLVM = vm: lv: {
      "${lv}" = {
@ -27,18 +27,40 @@
        frontend = "virtio-blk";
      };
    };
+
+    installerDisk = {
+      installer = {
+        backend = {
+          driver = "file";
+          filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
+          read-only = "on";
+        };
+        format.driver = "raw";
+        frontend = "ide-cd";
+        frontendOpts = {
+          bootindex = 1;
+        };
+      };
+    };
  in
  {
    my = {
      vms = {
        instances = {
          estuary = {
-            uuid = "59f51efb-7e6d-477b-a263-ed9620dbc87b";
+            uuid = "27796a09-c013-4031-9595-44791d6126b9";
+            smp = {
+              cpus = 2;
+              threads = 2;
+            };
+            memory = 3072;
            networks.base = {
              waitOnline = "no-carrier";
-              mac = "52:54:00:ab:f1:52";
+              mac = "52:54:00:15:1a:53";
            };
-            drives = mkMerge ([ ] ++ (optionals (!config.my.build.isDevVM) [
+            drives = mkMerge ([
+              installerDisk
+            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "estuary" "esp")
              (vmLVM "estuary" "nix")
              (vmLVM "estuary" "persist")
@ -48,34 +70,20 @@
          };

          shill = {
-            uuid = "e34569ec-d24e-446b-aca8-a3b27abc1f9b";
+            uuid = "fc02d8c8-6f60-4b69-838a-e7aed6ee7617";
            smp = {
-              cpus = 4;
+              cpus = 12;
              threads = 2;
            };
-            memory = 8192;
-            networks.vms.mac = "52:54:00:85:b3:b1";
+            memory = 65536;
+            networks.vms.mac = "52:54:00:27:3d:5c";
            cleanShutdown.timeout = 120;
            drives = mkMerge ([
-              {
-                installer = {
-                  backend = {
-                    driver = "file";
-                    filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
-                    read-only = "on";
-                  };
-                  format.driver = "raw";
-                  frontend = "ide-cd";
-                  frontendOpts = {
-                    bootindex = 1;
-                  };
-                };
-              }
+              installerDisk
            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "shill" "esp")
              (vmLVM "shill" "nix")
              (vmLVM "shill" "persist")
-
              {
                esp.frontendOpts.bootindex = 0;

@ -83,8 +91,12 @@
                  backend = {
                    driver = "host_device";
                    filename = "/dev/hdds/media";
+                    discard = "unmap";
+                  };
+                  format = {
+                    driver = "raw";
+                    discard = "unmap";
                  };
-                  format.driver = "raw";
                  frontend = "virtio-blk";
                };
              }
--- a/secrets/cloudflare-credentials.conf.age
+++ b/secrets/cloudflare-credentials.conf.age
--- a/secrets/colony-netdata-powerdns.conf.age
+++ b/secrets/colony-netdata-powerdns.conf.age
--- a/secrets/colony-netdata-powerdns_recursor.conf.age
+++ b/secrets/colony-netdata-powerdns_recursor.conf.age
--- a/secrets/colony-pdns-recursor.conf.age
+++ b/secrets/colony-pdns-recursor.conf.age
@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g
-/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE
-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo
-hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk
-> sK$y-grease `L hNh
-RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg
--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78
-<EFBFBD>[ðÛÿ?¹‹RßNã•vÉÝO£5yÅ¬?+XBê;~¬ˆ±Ú!–uú‘“ýX»¥mŽ95Š?UáD¨Äª‹u”pÍžÙÑ„_hcò
+-> ssh-ed25519 B9K/XQ pDr63Mxy93vvgTOOeGx+P2olj58AszuoW4DMU/2vwTs
+q0BfZmSo7PTHbbwX+8BdbJNiOjHflEsRVRyb96CCfJs
+-> X25519 wclqj46DLlI26z5xVt2FdTzYI5QUrZAu74y3Hgm1j18
+WpK4K+hsmxjVKGbt/NuC/Khcw1mSH121AabF0fsYLVw
+-> t]-grease fmXI7F 0vP#;w *
+mlRT87J7NtBKsK1lsNBArc9Ofo92Yniki5o3deA
+--- k5dfRl70t63RfTENRTTgBzgi3lm0D26KFkj73tyHMBo
+¤j<EFBFBD>÷»–MÞšy¡-š?h3kÔWÒîŽåßèv{M~PÁô[aCÚCj(øŽÙ¦e¾l¿R–PJø%V&»è<C2BB>å[†ê
+62Ô£.Ä
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/jackflix-wg-privkey.txt.age
+++ b/secrets/jackflix-wg-privkey.txt.age
@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 vf+WVg urUmX8GQaZ9N5s4im5LjHdrqF7G1cUmOhRwJ4C6QiDo
-rgzuokfwMMjYtbPBCBNa+9Jg4QHbdd4ynqrsVX5LSWM
-> X25519 Kr0gKsPYyLt3PFVZlv6m1NlLedJJYxSNKvmKx9canyc
-1Ki72qamPIaor+FCYy0SLVSm0GVCVsjFiRteSNv5hCA
-> MT&kccY-grease k k>D#= -/DFm:' ufBE\
-1HfnD0ef5OnLrhBZL+pyaMVLjCadk+vLszSORTxyarFPKD5wqor5nPn/mMLotY79
-mpKSMQq8ehwB+Ruv6fjys3q/1A
--- J8tifBtzNpEgeFqTxpfq+Md0vdmzU23rizI3C39gkc4
-29ĐA7”JČ”ŘŚ\r=ŚÖÖJwˇęx
xlüŐ•Aädd‰ŹÔ¬ĽÓQ¬ďđŠŰ#rúÉš™}ayť0Pől†’Öö&Ń
-dFą|€-
+-> ssh-ed25519 vf+WVg +Ftq3XX892mQ+cB1nPRq6eDP7HPdFogZk/EbIsuxuk0
+i1ihGVigQBA7pquuXO3sBABSXN9x8IIJ64sfiNQ201w
+-> X25519 YB51ze5czSe08S89gtTWQ6zuxoMJZi5+23S2GXCXT1M
+jlLwxefYiijkj4JH4J+sUVJxhBWYfmbGjwi3B57vphU
+-> f3mY-grease w kU}uSw m_ySQ R+
+t7aJI+DNE57a0chgz08QlOIPpZyudJ4EjGChyO0ct9rQkrT87AQ
+--- vugV8UZzBLfeLBlFPBfiLAo1aaU28p1JLNyyGQkztNs
+W4¤–)¿5-f5cÐÂ”×â<1C>—S¯³ù8ßQ]3±6è~)JÅjÍ¯”ÝW{ƒ<>ÖK“!•Ï°!HÈ3—(Ú ü=«>Šw±Ÿ|
--- a/secrets/nginx-sso.yaml.age
+++ b/secrets/nginx-sso.yaml.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/pdns.conf.age
+++ b/secrets/pdns.conf.age
@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ /kv+tjtTxUS9If5ognIwNC3TmO+18KL0nOEkxy5JGz0
-LHbhmFnFFMckiK1dRtJxfy4a5ZYUkBB8bpO8IS4WWtA
-> X25519 cxHRN7s0xsX3ZPJcJ5yaZ4fVwAfcWJx8sx+EqXyKiHw
-kJK3WRVizmL8b8cgfRFs0Em71aks0G8eFBHZeLJGWsw
-> 8!{=+-grease 7N}9_80% GL[9 }#I`Kx}) mJw
-PFJMFv12BxUgTzf305i+dqevE18VzMjjdUYtaLRc2GW5PDGEhUf58HMWsqKVSTwu
-CSp9e8dSNE0JqEDR7Y9vkHGmEsoTP/4
--- zz2KJqzb87axtYxVRiUYyOxhK2vVQ5C5oa++Jp43Q58
-É²Á-ÏßTy$§z‚uÈe³¦àP«[j#<ƒHjûõ>=Žbi<1E>#DJ;:ÊdX“-¶Ú´)ðî?ý)KvŠòç¼…ŠD<C5A0>Íæ
+-> ssh-ed25519 B9K/XQ RPTsuo5LXtXQ0yRf4lix7nOn48nJawJo/fv3mYZJfCs
+FTIAc4/v/TQipi5I4KaOX0GDksh8TzjC7eSAl0tIOBk
+-> X25519 pWMx1kfOtpKjB2v0nxlxsxMAgNTUcHlwd/P4+1KxJh4
+hgBRp0O9u9g+E27L+gFwNQQO8U9CTpO4wimbSrw5xGA
+-> E4fsjus0-grease ?9*Pp +%i8{y
+2RUCSOqmenVa1VlGqIXGuFcs8tbJavzHAqkIeMKVRGhE8akkRwAluTvXMMSD4fXJ
+MqXGrxz2CpkwsUgq1nV80GHpQP6a
+--- TXdOf7GTxBUBkH3NnM+BnXif8xbGDf4xxPgHX/oTyhk
+<EFBFBD>EÆ¾¿ZÏGT<EFBFBD>%}^hŒÅ!.5Ø®¹5uëxxHRÆÕÈ‚Vì…<C3AC>bc‰úu£ï¾3Pð£œ«ŸÂkcìì$N‰I°áŽÎ$m2ûÿ
--- a/secrets/synapse.yaml.age
+++ b/secrets/synapse.yaml.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@ -1,23 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 FAIX7A 9lwGzxHbaj59re00D+VBn31xh6lXBdqlocUWbuGl0lk
-WWXUSz//VWPGWwNRNDOY9rNZHEMj74gJDPyPzntmONk
-> ssh-ed25519 SKXJUw 9espI6g1Y0xAOf8RZaYTnw6Y7YSTN5Wv/9JqHMOe5Wo
-ZaujblPPK14BYY67ffHCmRg33xljYwl/4YygG9efKQc
-> ssh-ed25519 wbGjmA U6GrN0iOmz77kOwa1VQ/0Cn7v/EiAJh1ZUOhJuqloVA
-xB8Uu6+tVXNbAqCSkHYMvBla/oJA0nOHayrHtN4yCGQ
-> ssh-ed25519 B9K/XQ gMQEYYshD9fFvI0vrUER/2OWZYRICGem5bX7ZIP16kQ
-9QwTY23a5C8TZ+1wUeqYWLWM4zSQNNzUoaqhkhQLxG4
-> ssh-ed25519 vf+WVg 3MU9AIwghf/IDoMuAZEX3GuFz1w7vYtSso5I5BDY/hM
-b1U0PexxCj4DTQB41bDi6bKktoOiA+xDDMLZYPHCMlA
-> ssh-ed25519 H162lQ 99SwlUFFeKMu8VH2264WyjJVugRKYcAFHF2aHtCGyE8
-LL2cJEdKtqrylLZWQVCoZQ9bGkCD6xPeY0K5C+sMrm0
-> ssh-ed25519 b6YMqg ME2+OkaFz7ZkAy4izG26lmYMl47AF5NZFojEhawj0nU
-FsMXB4ymF0e/FyySdEjE3LAJw3q0Ax5BQk9m0Zsu4cg
-> ssh-ed25519 Lqn0Yw CwGVxMt//mUhJp2Dv1juO8oWFVNML0Q+zTqsqncEo0U
-/YzScABKV/949EQnf8ztFzNQGzjGOWPj9iXHy2uFDYM
-> X25519 I0lKCScunZXPMiHBpGhFa7nAGFg3NeAslOdutKkyuFo
-csAlkN1jWUbUxlWRF/mAX1TT95ZU7iTDUa7uGi3Gtjk
-> Q?#-grease @c:
-CXkWEsR63Q4TflQd95UiFCazSFterOzSMmqRaCR/uQBhUEkyPc0
--- aOjcucJdwzcZQ2eT5PBsU7P0o1xlCgCMqPDWczEWY28
-7ÊÞBä"ËûtŠÅÖ
šG6þÆÑø€ÂB?¢`ŽÌ-ÒraÇ^Jlcl5øg<C3B8>àˆŠ–[÷9M#FŒjÁè&M˜n‰ê]‚S ÈevúÀoÞ¹}¨_<C2A8>nþ5;ðÜºÇ/1„·Ã|º§cêL¯ÂñC¤f<>¾!=ó*A»¶€t{
+-> ssh-ed25519 FAIX7A pl4zTRrmyNifdO8b8doSjet5gSoFpONfiguMwVpOHCU
+7Xh//uKMTAommAVmmr4umaKT+sc1UMpyN0x5nktXd74
+-> ssh-ed25519 j67FXQ wpxRi34I+bFkP+bkOPsBRpoZXem7EBU0qEEoI7reiFw
+8q54R8NNM4pOybQdijpKgukvzNSKgkHMkmyvkC40aCU
+-> ssh-ed25519 wbGjmA 9W9Zd6IiHTAyDmtdFHICgHNBNmSv69dWIQ5PWrBmbFc
+ypSUUmdRztDAFFMHr9KHPPZhtk9wT+nOI6fU3f/r95A
+-> ssh-ed25519 B9K/XQ z9MyCdvCDmEpoQ6VAc4UL5ykKT2y7dTWkd8uC0TCqWY
+dI48qpfve02o34ThBSuXpR+k/ZS0JdcWWS0lHZEy5Xk
+-> ssh-ed25519 vf+WVg Is1UbqPX+Wg/Z+ofr6pltx1Hd/YU7r0Cw43vYN7U834
+BpsNPysnx0kDPvZNx5kiHBqowGxc/ixcxLbVrEEVNEQ
+-> ssh-ed25519 H162lQ fLD0bnsOAT8YAwRwScQmDY74CCiKz5o502ENBs3HyCk
+4BOHx7fsMEIrKUt1wQ/wZwthMQMtJLcLRt5zrNY7pOI
+-> ssh-ed25519 b6YMqg 87GJmhVV49B3lI74QT4GszBMWIoADwZ6Tr+gn7ai9gk
+oHvVeEduJ0WBl0WmXAKgn6qmC8GRZ3uKQHwaEehKemI
+-> ssh-ed25519 Lqn0Yw 14WT2Odd9MqCJRmFnXYMT+78J5tPAoE3ZN50eY8o3wY
+4RZjgE0MG7DkGBa7msq4cq3sSBQp+AMzghAvMWpEpds
+-> X25519 UWwTiaziKhTE4iW3IPYg3eVtgRp+bnyWxrcW3k66VmA
+Qb0Sj+t22AqS0lgx7uaiDgOn7KMxnDvUKRczTQB9TG0
+-> N6|5#-grease
+
+--- SBETWPCFXoHLlWtd8R+ZSoFVqaE1RThAP1QwkU+f9a4
+™þ£d˜âÐý++ÍéÄxNÅñõùÓa"^¢w ä.—Ì•”#ìÅõ‹¾4=ØñÒ³ï×<l3.ÄŸŠ‡¾ot"<22>Ñæ¤¿Ùò¬sc Ul6=¼6ðÙv9‰<39>3<EFBFBD>Ì»¢[ônÔÔû¿…M9)Ã€k2YÂÜ1Ü¸g<>i¯>NÐ-J†=ÿ¸²àžÖé-
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw r7XhdzWjjBP5HLeX+RwIek+vTZP1wZhhO5sr0LppdwI
-4HH91EuAKYOQ5E37/dH7fgFKShxE1aX7v/njbL4cNMU
-> X25519 itbc3rl6K9BmbhNsMo/FaeOynrtrpZj5Zt0VF3McYmw
-Cc0jPYLqyp5X4+KPfpy821mpCVSDke+z+Al/8Hp7vc0
-> WQA%nPY-grease n&Oc2@ sf 05
-aC3qV0yeKogkc/OdfKhxW2rv4GDlT4mMlPA5FoqMA/2lq6yCoeMjGffwzXVEsauq
-IRyYz3R/53ZrFtfefkBS5P4d4d/OmI6lsA
--- KYxAUYn/NHyfCJO+WqH0JKJKQZMCQYSeMryS/Kw3n8s
-;iˆ7KÁ†,T&{›1^™]WVñÛðÞzL¸K·s	Yóá™é\¤ó|@z`b'„-Žlk·P'aëT¯'À'mZök7¸6êiKøÔ*-tŠ 	1:ŠmÊUIûÖqNÑ‡Þ‰sÎt™ì)#¢ô
+-> ssh-ed25519 Lqn0Yw 6M1t8mb0iZdJSPiz8Nu0nRywlpArnvcxizdxr6u6yGM
+w1PzOCZszgyc8vF5GJPI5l8RtQwFv0CNhpAxJAF6TOw
+-> X25519 +M017bsZwXazaojl9szfKRagMK1lzc+gpbaqKNhRuFU
+fx3Y7OykdZXK1g9ixdhExhAmLqoVrWlNUqvkMPYtc0Q
+-> Lv3@gmCc-grease v5T@.
+BUBGyMXy
+--- PoRgQ9bY+fxY2gJXHUQbEGW/bqa7KwonajSG+ccr6Mo
+ŰŘ	IóëR‡0Ç?>AŘ†l<E280A0>óÁŢ.Ť‰E¤ˇ˙Ę$ĚĺŔCĘß^â!fËg‘ŰŰ†3¸Ęd;i;–y[‚ů<E2809A>;j‘ÝŻľâĚ0ŃýWlĄľ:ţÜq—›
<03>Ýs<C39D>ťëFiÉśMăüt-1+Ýq