nixos/colony: Configure for real hardware

2022-06-17 00:54:28 +01:00
parent 29ffec5de7
commit 36d81cb656
15 changed files with 111 additions and 93 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -177,11 +177,11 @@ rec {
  pubDomain = "nul.ie";
  colony = rec {
-    domain = "test.int.nul.ie";
+    domain = "fra1.int.${pubDomain}";
    start = {
      all = {
        v4 = "10.100.";
-        v6 = "2a0e:97c0:4d0:bbb";
+        v6 = "2a0e:97c0:4d0:ccc";
      };
      base = {
        v4 = "${start.all.v4}0.";
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -33,13 +33,16 @@
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+        boot = {
-
+          kernelModules = [ "kvm-amd" ];
-        boot.kernelParams = [ "intel_iommu=on" ];
+          kernelParams = [ "amd_iommu=on" ];
-        boot.loader.systemd-boot.configurationLimit = 20;
+          initrd = {
            availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
          };
        };
        fileSystems = {
          "/boot" = {
-            device = "/dev/disk/by-uuid/83CA-3BCF";
+            device = "/dev/disk/by-uuid/C1C9-9CBC";
            fsType = "vfat";
          };
          "/nix" = {
@@ -63,14 +66,19 @@
        environment.systemPackages = with pkgs; [
          pciutils
          partclone
          lm_sensors
        ];
        systemd = {
          network = {
            links = {
-              "10-base-ext" = {
+              "10-wan0" = {
-                matchConfig.MACAddress = "52:54:00:81:bd:a1";
+                matchConfig.MACAddress = "d0:50:99:fa:a7:99";
-                linkConfig.Name = "base-ext";
+                linkConfig.Name = "wan0";
              };
              "10-wan1" = {
                matchConfig.MACAddress = "d0:50:99:fa:a7:9a";
                linkConfig.Name = "wan1";
              };
            };
            netdevs = {
@@ -149,7 +157,7 @@
        my = {
          #deploy.generate.system.mode = "boot";
          secrets = {
-            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp5WDdDr/1NS3SJIDOKwcCNZDFOxqPAD7cbZWAP7EkX";
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIijqzAWF6OxKr4aeCa1TAc5xGn4rdIjVTt0wAPU6uY";
          };
          server.enable = true;
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -10,7 +10,7 @@
    inherit (lib) mkIf mkMerge optionals;
    wanBDF =
-      if config.my.build.isDevVM then "00:02.0" else "01:00.0";
+      if config.my.build.isDevVM then "00:02.0" else "27:00.0";
    vmLVM = vm: lv: {
      "${lv}" = {
@@ -27,18 +27,40 @@
        frontend = "virtio-blk";
      };
    };
    installerDisk = {
      installer = {
        backend = {
          driver = "file";
          filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
          read-only = "on";
        };
        format.driver = "raw";
        frontend = "ide-cd";
        frontendOpts = {
          bootindex = 1;
        };
      };
    };
  in
  {
    my = {
      vms = {
        instances = {
          estuary = {
-            uuid = "59f51efb-7e6d-477b-a263-ed9620dbc87b";
+            uuid = "27796a09-c013-4031-9595-44791d6126b9";
            smp = {
              cpus = 2;
              threads = 2;
            };
            memory = 3072;
            networks.base = {
              waitOnline = "no-carrier";
-              mac = "52:54:00:ab:f1:52";
+              mac = "52:54:00:15:1a:53";
            };
-            drives = mkMerge ([ ] ++ (optionals (!config.my.build.isDevVM) [
+            drives = mkMerge ([
              installerDisk
            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "estuary" "esp")
              (vmLVM "estuary" "nix")
              (vmLVM "estuary" "persist")
@@ -48,34 +70,20 @@
          };
          shill = {
-            uuid = "e34569ec-d24e-446b-aca8-a3b27abc1f9b";
+            uuid = "fc02d8c8-6f60-4b69-838a-e7aed6ee7617";
            smp = {
-              cpus = 4;
+              cpus = 12;
              threads = 2;
            };
-            memory = 8192;
+            memory = 65536;
-            networks.vms.mac = "52:54:00:85:b3:b1";
+            networks.vms.mac = "52:54:00:27:3d:5c";
            cleanShutdown.timeout = 120;
            drives = mkMerge ([
-              {
+              installerDisk
                installer = {
                  backend = {
                    driver = "file";
                    filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
                    read-only = "on";
                  };
                  format.driver = "raw";
                  frontend = "ide-cd";
                  frontendOpts = {
                    bootindex = 1;
                  };
                };
              }
            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "shill" "esp")
              (vmLVM "shill" "nix")
              (vmLVM "shill" "persist")
              {
                esp.frontendOpts.bootindex = 0;
@@ -83,8 +91,12 @@
                  backend = {
                    driver = "host_device";
                    filename = "/dev/hdds/media";
                    discard = "unmap";
                  };
                  format = {
                    driver = "raw";
                    discard = "unmap";
                  };
                  format.driver = "raw";
                  frontend = "virtio-blk";
                };
              }
--- a/secrets/cloudflare-credentials.conf.age
+++ b/secrets/cloudflare-credentials.conf.age
--- a/secrets/colony-netdata-powerdns.conf.age
+++ b/secrets/colony-netdata-powerdns.conf.age
--- a/secrets/colony-netdata-powerdns_recursor.conf.age
+++ b/secrets/colony-netdata-powerdns_recursor.conf.age
--- a/secrets/colony-pdns-recursor.conf.age
+++ b/secrets/colony-pdns-recursor.conf.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g
+-> ssh-ed25519 B9K/XQ pDr63Mxy93vvgTOOeGx+P2olj58AszuoW4DMU/2vwTs
-/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE
+q0BfZmSo7PTHbbwX+8BdbJNiOjHflEsRVRyb96CCfJs
-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo
+-> X25519 wclqj46DLlI26z5xVt2FdTzYI5QUrZAu74y3Hgm1j18
-hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk
+WpK4K+hsmxjVKGbt/NuC/Khcw1mSH121AabF0fsYLVw
-> sK$y-grease `L hNh
+-> t]-grease fmXI7F 0vP#;w *
-RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg
+mlRT87J7NtBKsK1lsNBArc9Ofo92Yniki5o3deA
--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78
+--- k5dfRl70t63RfTENRTTgBzgi3lm0D26KFkj73tyHMBo
-<EFBFBD>[<5B><><13>?<3F><>R<EFBFBD>N<EFBFBD><4E>v<EFBFBD><76>O<EFBFBD>5yŬ?+XB<58>;~<7E><><EFBFBD><EFBFBD>!<21>u<EFBFBD><01><><EFBFBD>X<EFBFBD><58>m<EFBFBD>95<0F>?U<>D<EFBFBD>Ī<EFBFBD>u<06>p<EFBFBD><06><>ф_hc<EFBFBD>
+<EFBFBD>j<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Mޚy<EFBFBD>-<2D>?h3k<15>W<EFBFBD><57><EFBFBD><04><><EFBFBD>v{M~P<><50>[aC<61>Cj(<28><>٦e<D9A6>l<EFBFBD>R<EFBFBD>PJ<50><4A>%V&<26><><EFBFBD><EFBFBD>[<5B><EFBFBD>
 62ԣ.<2E>
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/jackflix-wg-privkey.txt.age
+++ b/secrets/jackflix-wg-privkey.txt.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 vf+WVg urUmX8GQaZ9N5s4im5LjHdrqF7G1cUmOhRwJ4C6QiDo
+-> ssh-ed25519 vf+WVg +Ftq3XX892mQ+cB1nPRq6eDP7HPdFogZk/EbIsuxuk0
-rgzuokfwMMjYtbPBCBNa+9Jg4QHbdd4ynqrsVX5LSWM
+i1ihGVigQBA7pquuXO3sBABSXN9x8IIJ64sfiNQ201w
-> X25519 Kr0gKsPYyLt3PFVZlv6m1NlLedJJYxSNKvmKx9canyc
+-> X25519 YB51ze5czSe08S89gtTWQ6zuxoMJZi5+23S2GXCXT1M
-1Ki72qamPIaor+FCYy0SLVSm0GVCVsjFiRteSNv5hCA
+jlLwxefYiijkj4JH4J+sUVJxhBWYfmbGjwi3B57vphU
-> MT&kccY-grease k k>D#= -/DFm:' ufBE\
+-> f3mY-grease w kU}uSw m_ySQ R+
-1HfnD0ef5OnLrhBZL+pyaMVLjCadk+vLszSORTxyarFPKD5wqor5nPn/mMLotY79
+t7aJI+DNE57a0chgz08QlOIPpZyudJ4EjGChyO0ct9rQkrT87AQ
-mpKSMQq8ehwB+Ruv6fjys3q/1A
+--- vugV8UZzBLfeLBlFPBfiLAo1aaU28p1JLNyyGQkztNs
--- J8tifBtzNpEgeFqTxpfq+Md0vdmzU23rizI3C39gkc4
+W4<EFBFBD><EFBFBD>)<29>5-f5c<><06><><1C><>S<EFBFBD><53><EFBFBD>8<EFBFBD>Q]3<>6<>~)J<07>j<EFBFBD><18><><EFBFBD>W{<7B><><EFBFBD>K<>!<21>ϰ!H<>3<EFBFBD>(ڠ<>=<3D>><3E>w<EFBFBD><77>|
 29<EFBFBD>A7<EFBFBD>JȔ،\r=<3D><><EFBFBD>Jw<4A><77>x
 xl<0E>ՕA<D595>dd<64><64>Ԭ<EFBFBD><D4AC>Q<EFBFBD><51><EFBFBD><EFBFBD><EFBFBD><08>#r<>ɚ<EFBFBD>}ay<61>0P<30>l<EFBFBD><6C><EFBFBD><EFBFBD>&<26>
--- a/secrets/nginx-sso.yaml.age
+++ b/secrets/nginx-sso.yaml.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/pdns.conf.age
+++ b/secrets/pdns.conf.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ /kv+tjtTxUS9If5ognIwNC3TmO+18KL0nOEkxy5JGz0
+-> ssh-ed25519 B9K/XQ RPTsuo5LXtXQ0yRf4lix7nOn48nJawJo/fv3mYZJfCs
-LHbhmFnFFMckiK1dRtJxfy4a5ZYUkBB8bpO8IS4WWtA
+FTIAc4/v/TQipi5I4KaOX0GDksh8TzjC7eSAl0tIOBk
-> X25519 cxHRN7s0xsX3ZPJcJ5yaZ4fVwAfcWJx8sx+EqXyKiHw
+-> X25519 pWMx1kfOtpKjB2v0nxlxsxMAgNTUcHlwd/P4+1KxJh4
-kJK3WRVizmL8b8cgfRFs0Em71aks0G8eFBHZeLJGWsw
+hgBRp0O9u9g+E27L+gFwNQQO8U9CTpO4wimbSrw5xGA
-> 8!{=+-grease 7N}9_80% GL[9 }#I`Kx}) mJw
+-> E4fsjus0-grease ?9*Pp +%i8{y
-PFJMFv12BxUgTzf305i+dqevE18VzMjjdUYtaLRc2GW5PDGEhUf58HMWsqKVSTwu
+2RUCSOqmenVa1VlGqIXGuFcs8tbJavzHAqkIeMKVRGhE8akkRwAluTvXMMSD4fXJ
-CSp9e8dSNE0JqEDR7Y9vkHGmEsoTP/4
+MqXGrxz2CpkwsUgq1nV80GHpQP6a
--- zz2KJqzb87axtYxVRiUYyOxhK2vVQ5C5oa++Jp43Q58
+--- TXdOf7GTxBUBkH3NnM+BnXif8xbGDf4xxPgHX/oTyhk
-ɲ<EFBFBD>-<2D><>Ty$<24>z<EFBFBD>u<EFBFBD>e<><65><EFBFBD>P<>[j#<<3C>Hj<48><6A>>=<3D>bi<1E>#DJ;:<3A>dX<64>-<2D>ڴ)<29><>?<3F>)Kv<4B><76>缭<EFBFBD><EFBFBD>D<EFBFBD><EFBFBD><EFBFBD>
+<EFBFBD>Eƾ<EFBFBD>Z<EFBFBD>GT<EFBFBD>%}^h<><68>!.5<EFBFBD><1C><>5u<35><75>xxHR<48><52>ȂV셐bc<62><63>u<EFBFBD><75><EFBFBD>3P𣜫<50><F0A39CAB>kc<6B><63>$N<>I<EFBFBD><EFBFBD><EFBFBD><EFBFBD>$m2<6D><EFBFBD>
--- a/secrets/synapse.yaml.age
+++ b/secrets/synapse.yaml.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@@ -1,23 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 FAIX7A 9lwGzxHbaj59re00D+VBn31xh6lXBdqlocUWbuGl0lk
+-> ssh-ed25519 FAIX7A pl4zTRrmyNifdO8b8doSjet5gSoFpONfiguMwVpOHCU
-WWXUSz//VWPGWwNRNDOY9rNZHEMj74gJDPyPzntmONk
+7Xh//uKMTAommAVmmr4umaKT+sc1UMpyN0x5nktXd74
-> ssh-ed25519 SKXJUw 9espI6g1Y0xAOf8RZaYTnw6Y7YSTN5Wv/9JqHMOe5Wo
+-> ssh-ed25519 j67FXQ wpxRi34I+bFkP+bkOPsBRpoZXem7EBU0qEEoI7reiFw
-ZaujblPPK14BYY67ffHCmRg33xljYwl/4YygG9efKQc
+8q54R8NNM4pOybQdijpKgukvzNSKgkHMkmyvkC40aCU
-> ssh-ed25519 wbGjmA U6GrN0iOmz77kOwa1VQ/0Cn7v/EiAJh1ZUOhJuqloVA
+-> ssh-ed25519 wbGjmA 9W9Zd6IiHTAyDmtdFHICgHNBNmSv69dWIQ5PWrBmbFc
-xB8Uu6+tVXNbAqCSkHYMvBla/oJA0nOHayrHtN4yCGQ
+ypSUUmdRztDAFFMHr9KHPPZhtk9wT+nOI6fU3f/r95A
-> ssh-ed25519 B9K/XQ gMQEYYshD9fFvI0vrUER/2OWZYRICGem5bX7ZIP16kQ
+-> ssh-ed25519 B9K/XQ z9MyCdvCDmEpoQ6VAc4UL5ykKT2y7dTWkd8uC0TCqWY
-9QwTY23a5C8TZ+1wUeqYWLWM4zSQNNzUoaqhkhQLxG4
+dI48qpfve02o34ThBSuXpR+k/ZS0JdcWWS0lHZEy5Xk
-> ssh-ed25519 vf+WVg 3MU9AIwghf/IDoMuAZEX3GuFz1w7vYtSso5I5BDY/hM
+-> ssh-ed25519 vf+WVg Is1UbqPX+Wg/Z+ofr6pltx1Hd/YU7r0Cw43vYN7U834
-b1U0PexxCj4DTQB41bDi6bKktoOiA+xDDMLZYPHCMlA
+BpsNPysnx0kDPvZNx5kiHBqowGxc/ixcxLbVrEEVNEQ
-> ssh-ed25519 H162lQ 99SwlUFFeKMu8VH2264WyjJVugRKYcAFHF2aHtCGyE8
+-> ssh-ed25519 H162lQ fLD0bnsOAT8YAwRwScQmDY74CCiKz5o502ENBs3HyCk
-LL2cJEdKtqrylLZWQVCoZQ9bGkCD6xPeY0K5C+sMrm0
+4BOHx7fsMEIrKUt1wQ/wZwthMQMtJLcLRt5zrNY7pOI
-> ssh-ed25519 b6YMqg ME2+OkaFz7ZkAy4izG26lmYMl47AF5NZFojEhawj0nU
+-> ssh-ed25519 b6YMqg 87GJmhVV49B3lI74QT4GszBMWIoADwZ6Tr+gn7ai9gk
-FsMXB4ymF0e/FyySdEjE3LAJw3q0Ax5BQk9m0Zsu4cg
+oHvVeEduJ0WBl0WmXAKgn6qmC8GRZ3uKQHwaEehKemI
-> ssh-ed25519 Lqn0Yw CwGVxMt//mUhJp2Dv1juO8oWFVNML0Q+zTqsqncEo0U
+-> ssh-ed25519 Lqn0Yw 14WT2Odd9MqCJRmFnXYMT+78J5tPAoE3ZN50eY8o3wY
-/YzScABKV/949EQnf8ztFzNQGzjGOWPj9iXHy2uFDYM
+4RZjgE0MG7DkGBa7msq4cq3sSBQp+AMzghAvMWpEpds
-> X25519 I0lKCScunZXPMiHBpGhFa7nAGFg3NeAslOdutKkyuFo
+-> X25519 UWwTiaziKhTE4iW3IPYg3eVtgRp+bnyWxrcW3k66VmA
-csAlkN1jWUbUxlWRF/mAX1TT95ZU7iTDUa7uGi3Gtjk
+Qb0Sj+t22AqS0lgx7uaiDgOn7KMxnDvUKRczTQB9TG0
-> Q?#-grease @c:
+-> N6|5#-grease
-CXkWEsR63Q4TflQd95UiFCazSFterOzSMmqRaCR/uQBhUEkyPc0
+
--- aOjcucJdwzcZQ2eT5PBsU7P0o1xlCgCMqPDWczEWY28
+--- SBETWPCFXoHLlWtd8R+ZSoFVqaE1RThAP1QwkU+f9a4
-7<EFBFBD><EFBFBD>B<EFBFBD>"<12><>t<EFBFBD><74><EFBFBD>
+<EFBFBD><EFBFBD><15>d<EFBFBD><64><EFBFBD><EFBFBD>++<2B><><EFBFBD>xN<17><><EFBFBD><EFBFBD><EFBFBD>a"^<5E>w<EFBFBD><77>.<12>̕<EFBFBD>#<23><><EFBFBD><EFBFBD><EFBFBD>4=<3D><>ҳ<EFBFBD><D2B3><l3.ğ<><C49F><EFBFBD>ot"<22><>椿<EFBFBD><07><>sc<73>Ul6=<3D>6<EFBFBD><36>v9<76><39>3<EFBFBD>̻<07>[<5B>n<EFBFBD><6E><EFBFBD><EFBFBD><EFBFBD>M<EFBFBD>9)Àk2Y<32><14>1ܸg<>i<EFBFBD>>N<>-J<>=<3D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw r7XhdzWjjBP5HLeX+RwIek+vTZP1wZhhO5sr0LppdwI
+-> ssh-ed25519 Lqn0Yw 6M1t8mb0iZdJSPiz8Nu0nRywlpArnvcxizdxr6u6yGM
-4HH91EuAKYOQ5E37/dH7fgFKShxE1aX7v/njbL4cNMU
+w1PzOCZszgyc8vF5GJPI5l8RtQwFv0CNhpAxJAF6TOw
-> X25519 itbc3rl6K9BmbhNsMo/FaeOynrtrpZj5Zt0VF3McYmw
+-> X25519 +M017bsZwXazaojl9szfKRagMK1lzc+gpbaqKNhRuFU
-Cc0jPYLqyp5X4+KPfpy821mpCVSDke+z+Al/8Hp7vc0
+fx3Y7OykdZXK1g9ixdhExhAmLqoVrWlNUqvkMPYtc0Q
-> WQA%nPY-grease n&Oc2@ sf 05
+-> Lv3@gmCc-grease v5T@.
-aC3qV0yeKogkc/OdfKhxW2rv4GDlT4mMlPA5FoqMA/2lq6yCoeMjGffwzXVEsauq
+BUBGyMXy
-IRyYz3R/53ZrFtfefkBS5P4d4d/OmI6lsA
+--- PoRgQ9bY+fxY2gJXHUQbEGW/bqa7KwonajSG+ccr6Mo
--- KYxAUYn/NHyfCJO+WqH0JKJKQZMCQYSeMryS/Kw3n8s
+<1C><>	I<><49>R<EFBFBD>0<1B>?>A؆l<D886><6C><EFBFBD><EFBFBD>.<18><>E<15><><EFBFBD><EFBFBD>$<24><><EFBFBD>C<EFBFBD><43>^<5E>!f<>g<EFBFBD><67>ۆ3<DB86><33>d;i;<3B>y[<5B><><EFBFBD>;j<>ݯ<EFBFBD><DDAF><EFBFBD>0<EFBFBD><30>Wl<57><6C>:<3A><>q<EFBFBD><71>
 ;i<>7K<18><>,T&{<7B>1^<5E>]WV<57><56><EFBFBD><EFBFBD>zL<7A>K<EFBFBD>s	Y<><59><EFBFBD><EFBFBD>\<5C><>|@z`b'<27>-<2D><>lk<6C>P'a<>T<EFBFBD>'<27>'mZ<6D>k7<01>6<EFBFBD>iK<69><4B>*-t<><74>	1:<3A>m<EFBFBD>UI<55><49>qNчމs<1F>t<EFBFBD><74>)#<23><>