nixos/colony: Configure for real hardware

2022-06-17 00:54:28 +01:00 · 2022-06-17 00:54:28 +01:00 · 36d81cb656
commit 36d81cb656
parent 29ffec5de7
15 changed files with 111 additions and 93 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@ -177,11 +177,11 @@ rec {
  pubDomain = "nul.ie";
  colony = rec {
-    domain = "test.int.nul.ie";
+    domain = "fra1.int.${pubDomain}";
    start = {
      all = {
        v4 = "10.100.";
-        v6 = "2a0e:97c0:4d0:bbb";
+        v6 = "2a0e:97c0:4d0:ccc";
      };
      base = {
        v4 = "${start.all.v4}0.";
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@ -33,13 +33,16 @@
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+        boot = {
-
+          kernelModules = [ "kvm-amd" ];
-        boot.kernelParams = [ "intel_iommu=on" ];
+          kernelParams = [ "amd_iommu=on" ];
-        boot.loader.systemd-boot.configurationLimit = 20;
+          initrd = {
            availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
          };
        };
        fileSystems = {
          "/boot" = {
-            device = "/dev/disk/by-uuid/83CA-3BCF";
+            device = "/dev/disk/by-uuid/C1C9-9CBC";
            fsType = "vfat";
          };
          "/nix" = {
@ -63,14 +66,19 @@
        environment.systemPackages = with pkgs; [
          pciutils
          partclone
          lm_sensors
        ];
        systemd = {
          network = {
            links = {
-              "10-base-ext" = {
+              "10-wan0" = {
-                matchConfig.MACAddress = "52:54:00:81:bd:a1";
+                matchConfig.MACAddress = "d0:50:99:fa:a7:99";
-                linkConfig.Name = "base-ext";
+                linkConfig.Name = "wan0";
              };
              "10-wan1" = {
                matchConfig.MACAddress = "d0:50:99:fa:a7:9a";
                linkConfig.Name = "wan1";
              };
            };
            netdevs = {
@ -149,7 +157,7 @@
        my = {
          #deploy.generate.system.mode = "boot";
          secrets = {
-            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp5WDdDr/1NS3SJIDOKwcCNZDFOxqPAD7cbZWAP7EkX";
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIijqzAWF6OxKr4aeCa1TAc5xGn4rdIjVTt0wAPU6uY";
          };
          server.enable = true;
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@ -10,7 +10,7 @@
    inherit (lib) mkIf mkMerge optionals;
    wanBDF =
-      if config.my.build.isDevVM then "00:02.0" else "01:00.0";
+      if config.my.build.isDevVM then "00:02.0" else "27:00.0";
    vmLVM = vm: lv: {
      "${lv}" = {
@ -27,18 +27,40 @@
        frontend = "virtio-blk";
      };
    };
    installerDisk = {
      installer = {
        backend = {
          driver = "file";
          filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
          read-only = "on";
        };
        format.driver = "raw";
        frontend = "ide-cd";
        frontendOpts = {
          bootindex = 1;
        };
      };
    };
  in
  {
    my = {
      vms = {
        instances = {
          estuary = {
-            uuid = "59f51efb-7e6d-477b-a263-ed9620dbc87b";
+            uuid = "27796a09-c013-4031-9595-44791d6126b9";
            smp = {
              cpus = 2;
              threads = 2;
            };
            memory = 3072;
            networks.base = {
              waitOnline = "no-carrier";
-              mac = "52:54:00:ab:f1:52";
+              mac = "52:54:00:15:1a:53";
            };
-            drives = mkMerge ([ ] ++ (optionals (!config.my.build.isDevVM) [
+            drives = mkMerge ([
              installerDisk
            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "estuary" "esp")
              (vmLVM "estuary" "nix")
              (vmLVM "estuary" "persist")
@ -48,34 +70,20 @@
          };
          shill = {
-            uuid = "e34569ec-d24e-446b-aca8-a3b27abc1f9b";
+            uuid = "fc02d8c8-6f60-4b69-838a-e7aed6ee7617";
            smp = {
-              cpus = 4;
+              cpus = 12;
              threads = 2;
            };
-            memory = 8192;
+            memory = 65536;
-            networks.vms.mac = "52:54:00:85:b3:b1";
+            networks.vms.mac = "52:54:00:27:3d:5c";
            cleanShutdown.timeout = 120;
            drives = mkMerge ([
-              {
+              installerDisk
                installer = {
                  backend = {
                    driver = "file";
                    filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
                    read-only = "on";
                  };
                  format.driver = "raw";
                  frontend = "ide-cd";
                  frontendOpts = {
                    bootindex = 1;
                  };
                };
              }
            ] ++ (optionals (!config.my.build.isDevVM) [
              (vmLVM "shill" "esp")
              (vmLVM "shill" "nix")
              (vmLVM "shill" "persist")
              {
                esp.frontendOpts.bootindex = 0;
@ -83,8 +91,12 @@
                  backend = {
                    driver = "host_device";
                    filename = "/dev/hdds/media";
                    discard = "unmap";
                  };
                  format = {
                    driver = "raw";
                    discard = "unmap";
                  };
                  format.driver = "raw";
                  frontend = "virtio-blk";
                };
              }
--- a/secrets/cloudflare-credentials.conf.age
+++ b/secrets/cloudflare-credentials.conf.age
--- a/secrets/colony-netdata-powerdns.conf.age
+++ b/secrets/colony-netdata-powerdns.conf.age
--- a/secrets/colony-netdata-powerdns_recursor.conf.age
+++ b/secrets/colony-netdata-powerdns_recursor.conf.age
--- a/secrets/colony-pdns-recursor.conf.age
+++ b/secrets/colony-pdns-recursor.conf.age
@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g
+-> ssh-ed25519 B9K/XQ pDr63Mxy93vvgTOOeGx+P2olj58AszuoW4DMU/2vwTs
-/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE
+q0BfZmSo7PTHbbwX+8BdbJNiOjHflEsRVRyb96CCfJs
-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo
+-> X25519 wclqj46DLlI26z5xVt2FdTzYI5QUrZAu74y3Hgm1j18
-hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk
+WpK4K+hsmxjVKGbt/NuC/Khcw1mSH121AabF0fsYLVw
-> sK$y-grease `L hNh
+-> t]-grease fmXI7F 0vP#;w *
-RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg
+mlRT87J7NtBKsK1lsNBArc9Ofo92Yniki5o3deA
--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78
+--- k5dfRl70t63RfTENRTTgBzgi3lm0D26KFkj73tyHMBo
-<EFBFBD>[ðÛÿ?¹‹RßNã•vÉÝO£5yÅ¬?+XBê;~¬ˆ±Ú!–uú‘“ýX»¥mŽ95Š?UáD¨Äª‹u”pÍžÙÑ„_hcò
+¤j<EFBFBD>÷»–MÞšy¡-š?h3kÔWÒîŽåßèv{M~PÁô[aCÚCj(øŽÙ¦e¾l¿R–PJø%V&»è<C2BB>å[†ê
 62Ô£.Ä
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/jackflix-wg-privkey.txt.age
+++ b/secrets/jackflix-wg-privkey.txt.age
@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 vf+WVg urUmX8GQaZ9N5s4im5LjHdrqF7G1cUmOhRwJ4C6QiDo
+-> ssh-ed25519 vf+WVg +Ftq3XX892mQ+cB1nPRq6eDP7HPdFogZk/EbIsuxuk0
-rgzuokfwMMjYtbPBCBNa+9Jg4QHbdd4ynqrsVX5LSWM
+i1ihGVigQBA7pquuXO3sBABSXN9x8IIJ64sfiNQ201w
-> X25519 Kr0gKsPYyLt3PFVZlv6m1NlLedJJYxSNKvmKx9canyc
+-> X25519 YB51ze5czSe08S89gtTWQ6zuxoMJZi5+23S2GXCXT1M
-1Ki72qamPIaor+FCYy0SLVSm0GVCVsjFiRteSNv5hCA
+jlLwxefYiijkj4JH4J+sUVJxhBWYfmbGjwi3B57vphU
-> MT&kccY-grease k k>D#= -/DFm:' ufBE\
+-> f3mY-grease w kU}uSw m_ySQ R+
-1HfnD0ef5OnLrhBZL+pyaMVLjCadk+vLszSORTxyarFPKD5wqor5nPn/mMLotY79
+t7aJI+DNE57a0chgz08QlOIPpZyudJ4EjGChyO0ct9rQkrT87AQ
-mpKSMQq8ehwB+Ruv6fjys3q/1A
+--- vugV8UZzBLfeLBlFPBfiLAo1aaU28p1JLNyyGQkztNs
--- J8tifBtzNpEgeFqTxpfq+Md0vdmzU23rizI3C39gkc4
+W4¤–)¿5-f5cÐÂ”×â<1C>—S¯³ù8ßQ]3±6è~)JÅjÍ¯”ÝW{ƒ<>ÖK“!•Ï°!HÈ3—(Ú ü=«>Šw±Ÿ|
 29ĐA7”JČ”ŘŚ\r=ŚÖÖJwˇęx
xlüŐ•Aädd‰ŹÔ¬ĽÓQ¬ďđŠŰ#rúÉš™}ayť0Pől†’Öö&Ń
 dFą|€-
--- a/secrets/nginx-sso.yaml.age
+++ b/secrets/nginx-sso.yaml.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/pdns.conf.age
+++ b/secrets/pdns.conf.age
@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 B9K/XQ /kv+tjtTxUS9If5ognIwNC3TmO+18KL0nOEkxy5JGz0
+-> ssh-ed25519 B9K/XQ RPTsuo5LXtXQ0yRf4lix7nOn48nJawJo/fv3mYZJfCs
-LHbhmFnFFMckiK1dRtJxfy4a5ZYUkBB8bpO8IS4WWtA
+FTIAc4/v/TQipi5I4KaOX0GDksh8TzjC7eSAl0tIOBk
-> X25519 cxHRN7s0xsX3ZPJcJ5yaZ4fVwAfcWJx8sx+EqXyKiHw
+-> X25519 pWMx1kfOtpKjB2v0nxlxsxMAgNTUcHlwd/P4+1KxJh4
-kJK3WRVizmL8b8cgfRFs0Em71aks0G8eFBHZeLJGWsw
+hgBRp0O9u9g+E27L+gFwNQQO8U9CTpO4wimbSrw5xGA
-> 8!{=+-grease 7N}9_80% GL[9 }#I`Kx}) mJw
+-> E4fsjus0-grease ?9*Pp +%i8{y
-PFJMFv12BxUgTzf305i+dqevE18VzMjjdUYtaLRc2GW5PDGEhUf58HMWsqKVSTwu
+2RUCSOqmenVa1VlGqIXGuFcs8tbJavzHAqkIeMKVRGhE8akkRwAluTvXMMSD4fXJ
-CSp9e8dSNE0JqEDR7Y9vkHGmEsoTP/4
+MqXGrxz2CpkwsUgq1nV80GHpQP6a
--- zz2KJqzb87axtYxVRiUYyOxhK2vVQ5C5oa++Jp43Q58
+--- TXdOf7GTxBUBkH3NnM+BnXif8xbGDf4xxPgHX/oTyhk
-É²Á-ÏßTy$§z‚uÈe³¦àP«[j#<ƒHjûõ>=Žbi<1E>#DJ;:ÊdX“-¶Ú´)ðî?ý)KvŠòç¼…ŠD<C5A0>Íæ
+<EFBFBD>EÆ¾¿ZÏGT<EFBFBD>%}^hŒÅ!.5Ø®¹5uëxxHRÆÕÈ‚Vì…<C3AC>bc‰úu£ï¾3Pð£œ«ŸÂkcìì$N‰I°áŽÎ$m2ûÿ
--- a/secrets/synapse.yaml.age
+++ b/secrets/synapse.yaml.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@ -1,23 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 FAIX7A 9lwGzxHbaj59re00D+VBn31xh6lXBdqlocUWbuGl0lk
+-> ssh-ed25519 FAIX7A pl4zTRrmyNifdO8b8doSjet5gSoFpONfiguMwVpOHCU
-WWXUSz//VWPGWwNRNDOY9rNZHEMj74gJDPyPzntmONk
+7Xh//uKMTAommAVmmr4umaKT+sc1UMpyN0x5nktXd74
-> ssh-ed25519 SKXJUw 9espI6g1Y0xAOf8RZaYTnw6Y7YSTN5Wv/9JqHMOe5Wo
+-> ssh-ed25519 j67FXQ wpxRi34I+bFkP+bkOPsBRpoZXem7EBU0qEEoI7reiFw
-ZaujblPPK14BYY67ffHCmRg33xljYwl/4YygG9efKQc
+8q54R8NNM4pOybQdijpKgukvzNSKgkHMkmyvkC40aCU
-> ssh-ed25519 wbGjmA U6GrN0iOmz77kOwa1VQ/0Cn7v/EiAJh1ZUOhJuqloVA
+-> ssh-ed25519 wbGjmA 9W9Zd6IiHTAyDmtdFHICgHNBNmSv69dWIQ5PWrBmbFc
-xB8Uu6+tVXNbAqCSkHYMvBla/oJA0nOHayrHtN4yCGQ
+ypSUUmdRztDAFFMHr9KHPPZhtk9wT+nOI6fU3f/r95A
-> ssh-ed25519 B9K/XQ gMQEYYshD9fFvI0vrUER/2OWZYRICGem5bX7ZIP16kQ
+-> ssh-ed25519 B9K/XQ z9MyCdvCDmEpoQ6VAc4UL5ykKT2y7dTWkd8uC0TCqWY
-9QwTY23a5C8TZ+1wUeqYWLWM4zSQNNzUoaqhkhQLxG4
+dI48qpfve02o34ThBSuXpR+k/ZS0JdcWWS0lHZEy5Xk
-> ssh-ed25519 vf+WVg 3MU9AIwghf/IDoMuAZEX3GuFz1w7vYtSso5I5BDY/hM
+-> ssh-ed25519 vf+WVg Is1UbqPX+Wg/Z+ofr6pltx1Hd/YU7r0Cw43vYN7U834
-b1U0PexxCj4DTQB41bDi6bKktoOiA+xDDMLZYPHCMlA
+BpsNPysnx0kDPvZNx5kiHBqowGxc/ixcxLbVrEEVNEQ
-> ssh-ed25519 H162lQ 99SwlUFFeKMu8VH2264WyjJVugRKYcAFHF2aHtCGyE8
+-> ssh-ed25519 H162lQ fLD0bnsOAT8YAwRwScQmDY74CCiKz5o502ENBs3HyCk
-LL2cJEdKtqrylLZWQVCoZQ9bGkCD6xPeY0K5C+sMrm0
+4BOHx7fsMEIrKUt1wQ/wZwthMQMtJLcLRt5zrNY7pOI
-> ssh-ed25519 b6YMqg ME2+OkaFz7ZkAy4izG26lmYMl47AF5NZFojEhawj0nU
+-> ssh-ed25519 b6YMqg 87GJmhVV49B3lI74QT4GszBMWIoADwZ6Tr+gn7ai9gk
-FsMXB4ymF0e/FyySdEjE3LAJw3q0Ax5BQk9m0Zsu4cg
+oHvVeEduJ0WBl0WmXAKgn6qmC8GRZ3uKQHwaEehKemI
-> ssh-ed25519 Lqn0Yw CwGVxMt//mUhJp2Dv1juO8oWFVNML0Q+zTqsqncEo0U
+-> ssh-ed25519 Lqn0Yw 14WT2Odd9MqCJRmFnXYMT+78J5tPAoE3ZN50eY8o3wY
-/YzScABKV/949EQnf8ztFzNQGzjGOWPj9iXHy2uFDYM
+4RZjgE0MG7DkGBa7msq4cq3sSBQp+AMzghAvMWpEpds
-> X25519 I0lKCScunZXPMiHBpGhFa7nAGFg3NeAslOdutKkyuFo
+-> X25519 UWwTiaziKhTE4iW3IPYg3eVtgRp+bnyWxrcW3k66VmA
-csAlkN1jWUbUxlWRF/mAX1TT95ZU7iTDUa7uGi3Gtjk
+Qb0Sj+t22AqS0lgx7uaiDgOn7KMxnDvUKRczTQB9TG0
-> Q?#-grease @c:
+-> N6|5#-grease
-CXkWEsR63Q4TflQd95UiFCazSFterOzSMmqRaCR/uQBhUEkyPc0
+
--- aOjcucJdwzcZQ2eT5PBsU7P0o1xlCgCMqPDWczEWY28
+--- SBETWPCFXoHLlWtd8R+ZSoFVqaE1RThAP1QwkU+f9a4
-7ÊÞBä"ËûtŠÅÖ
šG6þÆÑø€ÂB?¢`ŽÌ-ÒraÇ^Jlcl5øg<C3B8>àˆŠ–[÷9M#FŒjÁè&M˜n‰ê]‚S ÈevúÀoÞ¹}¨_<C2A8>nþ5;ðÜºÇ/1„·Ã|º§cêL¯ÂñC¤f<>¾!=ó*A»¶€t{
+™þ£d˜âÐý++ÍéÄxNÅñõùÓa"^¢w ä.—Ì•”#ìÅõ‹¾4=ØñÒ³ï×<l3.ÄŸŠ‡¾ot"<22>Ñæ¤¿Ùò¬sc Ul6=¼6ðÙv9‰<39>3<EFBFBD>Ì»¢[ônÔÔû¿…M9)Ã€k2YÂÜ1Ü¸g<>i¯>NÐ-J†=ÿ¸²àžÖé-
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw r7XhdzWjjBP5HLeX+RwIek+vTZP1wZhhO5sr0LppdwI
+-> ssh-ed25519 Lqn0Yw 6M1t8mb0iZdJSPiz8Nu0nRywlpArnvcxizdxr6u6yGM
-4HH91EuAKYOQ5E37/dH7fgFKShxE1aX7v/njbL4cNMU
+w1PzOCZszgyc8vF5GJPI5l8RtQwFv0CNhpAxJAF6TOw
-> X25519 itbc3rl6K9BmbhNsMo/FaeOynrtrpZj5Zt0VF3McYmw
+-> X25519 +M017bsZwXazaojl9szfKRagMK1lzc+gpbaqKNhRuFU
-Cc0jPYLqyp5X4+KPfpy821mpCVSDke+z+Al/8Hp7vc0
+fx3Y7OykdZXK1g9ixdhExhAmLqoVrWlNUqvkMPYtc0Q
-> WQA%nPY-grease n&Oc2@ sf 05
+-> Lv3@gmCc-grease v5T@.
-aC3qV0yeKogkc/OdfKhxW2rv4GDlT4mMlPA5FoqMA/2lq6yCoeMjGffwzXVEsauq
+BUBGyMXy
-IRyYz3R/53ZrFtfefkBS5P4d4d/OmI6lsA
+--- PoRgQ9bY+fxY2gJXHUQbEGW/bqa7KwonajSG+ccr6Mo
--- KYxAUYn/NHyfCJO+WqH0JKJKQZMCQYSeMryS/Kw3n8s
+ŰŘ	IóëR‡0Ç?>AŘ†l<E280A0>óÁŢ.Ť‰E¤ˇ˙Ę$ĚĺŔCĘß^â!fËg‘ŰŰ†3¸Ęd;i;–y[‚ů<E2809A>;j‘ÝŻľâĚ0ŃýWlĄľ:ţÜq—›
<03>Ýs<C39D>ťëFiÉśMăüt-1+Ýq
 ;iˆ7KÁ†,T&{›1^™]WVñÛðÞzL¸K·s	Yóá™é\¤ó|@z`b'„-Žlk·P'aëT¯'À'mZök7¸6êiKøÔ*-tŠ 	1:ŠmÊUIûÖqNÑ‡Þ‰sÎt™ì)#¢ô