add uranus
parent
0d412cf40c
commit
d504ed886f
10
.sops.yaml
10
.sops.yaml
|
@ -12,6 +12,7 @@ keys:
|
|||
- &data-hoarder-borken age10wj28zkuy3ewmv6hmup7849667qmevgdv4gxa8vyljye7mpu7shsjt4jeh
|
||||
- ¬ice-me-senpai age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
|
||||
- &tram-borzoi age10sedt7xftzu383y8g4pxsj0hazht8tnnxhcngedcsl93s4v9uvvsk99er4
|
||||
- &uranus age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale
|
||||
|
||||
# turmlabor
|
||||
- &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
|
||||
|
@ -204,3 +205,12 @@ creation_rules:
|
|||
- *admin_marenz-2
|
||||
age:
|
||||
- *tram-borzoi
|
||||
- path_regex: secrets/uranus/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_oxa
|
||||
- *admin_revol-xut
|
||||
- *admin_marenz-1
|
||||
- *admin_marenz-2
|
||||
age:
|
||||
- *uranus
|
||||
|
|
12
flake.nix
12
flake.nix
|
@ -310,6 +310,18 @@
|
|||
];
|
||||
};
|
||||
|
||||
uranus = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs self; };
|
||||
modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
microvm.nixosModules.microvm
|
||||
|
||||
./modules/TLMS
|
||||
./hosts/uranus
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
apps."x86_64-linux".mctest = {
|
||||
type = "app";
|
||||
|
|
|
@ -0,0 +1,103 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
mac_addr = "00:de:5b:f9:be:ef";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./stateful-jupyter.nix
|
||||
./stateless-jupyter.nix
|
||||
];
|
||||
|
||||
microvm = {
|
||||
vcpu = 4;
|
||||
mem = 1024 * 6;
|
||||
hypervisor = "cloud-hypervisor";
|
||||
socket = "${config.networking.hostName}.socket";
|
||||
|
||||
interfaces = [{
|
||||
type = "tap";
|
||||
id = "serv-dvb-anus";
|
||||
mac = mac_addr;
|
||||
}];
|
||||
|
||||
shares = [
|
||||
{
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
tag = "store";
|
||||
proto = "virtiofs";
|
||||
socket = "store.socket";
|
||||
}
|
||||
{
|
||||
source = "/var/lib/microvms/uranus/etc";
|
||||
mountPoint = "/etc";
|
||||
tag = "etc";
|
||||
proto = "virtiofs";
|
||||
socket = "etc.socket";
|
||||
}
|
||||
{
|
||||
source = "/var/lib/microvms/uranus/var";
|
||||
mountPoint = "/var";
|
||||
tag = "var";
|
||||
proto = "virtiofs";
|
||||
socket = "var.socket";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.hostName = "uranus";
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
networking.useNetworkd = true;
|
||||
|
||||
|
||||
sops.defaultSopsFile = ../../secrets/uranus/secrets.yaml;
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
sops.secrets.wg-seckey = {
|
||||
owner = config.users.users.systemd-network.name;
|
||||
};
|
||||
deployment-TLMS.net = {
|
||||
iface.uplink = {
|
||||
name = "ens3";
|
||||
mac = mac_addr;
|
||||
matchOn = "mac";
|
||||
useDHCP = false;
|
||||
addr4 = "172.20.73.37/25";
|
||||
dns = [ "172.20.73.8" "9.9.9.9" ];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "172.20.73.1";
|
||||
GatewayOnLink = true;
|
||||
Destination = "0.0.0.0/0";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
wg = {
|
||||
addr4 = "10.13.37.9";
|
||||
prefix4 = 24;
|
||||
privateKeyFile = config.sops.secrets.wg-seckey.path;
|
||||
publicKey = "KwCG5CWPdNmrjEOYJYD2w0yhzoWpYHrjGbstdT5+pFk=";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
users.motd = lib.mkForce (builtins.readFile ./motd.txt);
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
|
||||
}
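Review bot: `sops.age.sshKeyPaths` points at `/etc/ssh/ssh_host_ed25519_key`, and `/etc` in this microVM is the virtiofs share backed by `/var/lib/microvms/uranus/etc` on the hypervisor, so the key that decrypts `wg-seckey` sits in a host directory whose ownership and mode this commit does not set. I would add a comment next to that share entry, e.g. `# holds the SSH host key used by sops-nix; host directory must stay root-owned and not world-readable`, and confirm how the directory is created on the host. Separately, the first three comment lines are the stock configuration.nix header and could be replaced by one line stating what this host is for.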
|
|
@ -0,0 +1,28 @@
|
|||
{ pkgs, packages, ... }:
|
||||
let
|
||||
miniconda-alpine-dockerhub = pkgs.dockerTools.pullImage {
|
||||
imageName = "continuumio/miniconda3";
|
||||
imageDigest = "sha256:a4b665d2075d9bf4b2c5aa896c059439a0baa5538ca67589a673121c31b4c35d";
|
||||
sha256 = "sha256-boIAZ8PaPckWLzYYTqrqMEL7HGbyl9grCJrXOpsBMhg=";
|
||||
finalImageTag = "23.3.1-0";
|
||||
finalImageName = "miniconda";
|
||||
|
||||
};
|
||||
in
|
||||
pkgs.dockerTools.buildImage {
|
||||
name = "stateful-jupyterlab";
|
||||
tag = "latest";
|
||||
fromImage = miniconda-alpine-dockerhub;
|
||||
runAsRoot = ''
|
||||
#!${pkgs.runtimeShell}
|
||||
mkdir -p /workdir
|
||||
'';
|
||||
config = {
|
||||
WorkingDir = "/workdir";
|
||||
run = ''
|
||||
/bin/bash conda install ${packages} \
|
||||
jupyterlab
|
||||
'';
|
||||
Cmd = [ "jupyter-lab" "--ip=0.0.0.0" "--port=8080" "--no-browser" "--allow-root" ];
|
||||
};
|
||||
}
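Review bot: The `Cmd` line starts `jupyter-lab` with `--allow-root` and `--ip=0.0.0.0`, so the notebook server, whose kernels amount to a shell for anyone who can log in, runs as root inside the container and listens on every container interface. Consider creating an unprivileged account in `runAsRoot`, setting `User = "jupyter";` in `config` and dropping `--allow-root`; nothing in this file configures a token or password, so access control rests entirely on Jupyter's defaults. Also, `run` is not, as far as I know, a key of the image config that `dockerTools.buildImage` passes through, so the `conda install ${packages} jupyterlab` step likely never executes; please check that the built image actually contains `jupyter-lab`.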
|
|
@ -0,0 +1,16 @@
|
|||
|
||||
""# ""# m"" " m
|
||||
mmm # # mmm mm#mm mmm m m mmmm m m mm#mm mmm m mm
|
||||
" # # # #" "# # # # # #" "# "m m" # #" # #" "
|
||||
m"""# # # # # # # # # # # #m# # #"""" #
|
||||
"mm"# "mm "mm "#m#" # # "mm"# ##m#" "# "mm "#mm" #
|
||||
# # m"
|
||||
"" " ""
|
||||
|
||||
"
|
||||
mmm m mm m m m mm mmm m mm m m mmm
|
||||
# #" # # # #" " " # #" # # # # "
|
||||
# # # # # # m"""# # # # # """m
|
||||
mm#mm # # "mm"# # "mm"# # # "mm"# "mmm"
|
||||
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
# magic from marenz to make it work on ceph
|
||||
storageDriver = "devicemapper";
|
||||
extraOptions = "--storage-opt dm.basesize=40G --storage-opt dm.fs=xfs";
|
||||
};
|
||||
systemd.enableUnifiedCgroupHierarchy = false;
|
||||
|
||||
# user to run the thing
|
||||
# jupyterlab container
|
||||
virtualisation.oci-containers = {
|
||||
backend = "docker";
|
||||
containers."jupyterlab-stateful" = {
|
||||
autoStart = true;
|
||||
ports = [ "8080:8080" ];
|
||||
volumes = [ "/var/lib/jupyter-volume:/workdir" ];
|
||||
imageFile = let
|
||||
package-string = lib.concatStringsSep " " [
|
||||
"numpy"
|
||||
"scipy"
|
||||
"pandas"
|
||||
"matplotlib"
|
||||
];
|
||||
in
|
||||
(import ./jupyter-container.nix { inherit pkgs; packages = package-string; });
|
||||
image = "stateful-jupyterlab";
|
||||
};
|
||||
};
|
||||
|
||||
}
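Review bot: `ports = [ "8080:8080" ]` publishes JupyterLab on every address of the VM, and Docker installs its own forwarding rules for published ports, so the NixOS firewall does not necessarily filter it. If the service is meant to be reached only over WireGuard or through a reverse proxy, bind it explicitly, e.g. `ports = [ "127.0.0.1:8080:8080" ];` or the `wg` address from the host config. The `devicemapper` storage driver and `systemd.enableUnifiedCgroupHierarchy = false` deserve a comment stating why they are required beyond "magic", since devicemapper is deprecated upstream in Docker.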
|
|
@ -0,0 +1,2 @@
|
|||
# The plan is to try out how broken the stateless jupyter lab in nixos
|
||||
{}
|
|
@ -0,0 +1,91 @@
|
|||
wg-seckey: ENC[AES256_GCM,data:mUFBjQpHC0Flpyw82lXUInLVm0TJW1wB51evA7hXiit7JcK4z/HCyD5UGQU=,iv:O2/UP+WjCmasU6kP/58B1zXL0XAmzUOcM/1ONE31+/o=,tag:ObN6viKQm7ghuXKVeUydjg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeE84V0txS3JRYmtoaERl
|
||||
aEY2Ung4MnRwUUc1VkwwZnhiTG1nTGVzSDBNCjJZMDBHWDJWckZJTUlObDlBV2Ey
|
||||
V29PZDZXMG1TSVlHY3pZTzdBVVZhQzgKLS0tIC95WVB5T0l2SnVzNS9HSTIxTUVS
|
||||
YVFMQ3pZYS9oM3RERDg4NHA1OHRoUEkKYIKvmU6cMiWqrDASPeDZAs3jHOn41onU
|
||||
YtnMpjNQncMbvzDjuijjsCusgxL1DOEWvkg5xn8u4yGhguV6hEW4mQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-05-30T13:44:49Z"
|
||||
mac: ENC[AES256_GCM,data:iLT8KrlibgljBzhZAFEdlKs/+c0XjxFkCHchjuO9dQJb576HpFsQj6LD5opWPAizdhRG0IniP1g9lUTrpE9Wb/XmQWIuVAJGpCiIWaFM0ENZ5fEcZDoWkBNJVmELe4M7yffD1N1EYffd0uwjyzHoPgEnFC8GrNMeBZdCuu08tR8=,iv:clpxUJLj8o4FRTW9oBxxnU23MYBvRDhxW9df85n4/AM=,tag:abTl8mvDRRknDHbP+01ZKg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-05-30T14:29:01Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA7zUOKwzpAE7AQ//YPEvsi5RgjUojgVMxUXg7DKmpeot6cXb+QbwvlmLkxeK
|
||||
mn5fQB3AdX9zhSnYZr6fgpt6aSyWupbFiDsQM3gYX7JHOB6loats/YZUwNxr8ir6
|
||||
ceyQPv6hmVOkQ9A8bUn9eK0kSVnr+mBlHU58NQE66yTnjjQNo2ljB2ctZ0yuesPZ
|
||||
WRMTcmmOSuu0KUXxONiBJtuywP+3mKfl1gkr8O4LCHl8eKcohjlzk/b9ByBaOxsk
|
||||
71YlmT7/pMwsLOPHtbBgahFsPTbJnE7+22x+0QLPGDAMn3kX3R0bP83sgojYgsZi
|
||||
mkS3+gkxAuEcwdLMnmH74FwoyzHHbtXAlnXC0uTVilJotIQayyQj2zS6nujkNlyB
|
||||
kx0OghvOpH4ydua8ol9eZOMACKxqIKScYU9jT/hnSEkdXsuSsoOUlnOz+AiYlaST
|
||||
/4f6Q9AhP4Z30AqaEQHXjIQasmPQYWETbgeoBrEATE/dsD9lmdXrIxoPckGyuG9V
|
||||
XtRmF80KUhzv9RK5GEr++zTY2QkzPKc7RUmBF1kwJle9TCDgzk9pgHPakKm09Uzg
|
||||
0x71TOoj8vqudA/R7Tey1syUJxQousROLUo++HIGO2Snmq8k7n0cAuG/PpoBVi6G
|
||||
8cI7YbolkeNzSu3pco15Y5zr0lM95bDCgcotes2FSmrx7EbrtGyy42UHfTLPdg/S
|
||||
UQHhqQLCsinUFP2R63afaQnTPK73Ara4UNa3BZQwyGPRqHA54XEfgV8GplDHfAR1
|
||||
USd/m5qt7/D+7yRlBW2lZoBV2iQ2H+YiZIGJf8ZzbSQ8Ag==
|
||||
=2LaE
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
- created_at: "2023-05-30T14:29:01Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJAQ//baC4RNaj9Rdsr+1ioetydAHxNdyYEV7jn5k+X/SF/E0S
|
||||
pha6PCGzwAFCkB5CAsiPFySCCxTG3UvrKH0lsZT5TTRCJGMc5RwOXqB6SedH18Lg
|
||||
Q7JU4YUf+KiOCkF2xCx9LMlszcoqim9+ghDKTXGDmR+UBkyXLkMhrNmEQBWTNB9w
|
||||
iFcgSR0knpmzuYMmcAAgn7nez4HAvBpqj31fkMWiHUJACdb0A+3G/ZEEQ1WIZsmE
|
||||
qhHS1OdTMKWEvPQe4bNSjIMOnvam/QAHzh7DFl1ie96Jp9Q0zZKRpXN2xHdamQW2
|
||||
DTk4+cpk3AE/HLYSAZVMMD3l1vcs8VpXcK5Omkn5Wtn7UzHFpCwLkv9fz70xMhP1
|
||||
ia+b0GqxesmD0oPS160i+nLMbDoKTlutnSaaetBI2BvyxCktiYh0ebRfd2V7Yc7g
|
||||
baHFrdbA92wXEEew+zB8n0bvMB5Vgddu7HKitk9a3VFotaBwl1gyEbbP2hE3o9Pi
|
||||
kG8lckPNkctYLcL4Fkzsc3ApzjISlBwSCOngEDhtiVkYzDCn4xFjDG1S/6owxH7I
|
||||
BCuQBQYxciZaHzse9GFxqJG6jzmUZQWnNO7K3z1TvBe2Wd5wLIgnrN/NYk3q/HzE
|
||||
uq88r7hnPX1DY6d2/0jBIS42/PyF0PActLQEqc1xrkddWKJ0Kosthcx2ao0ATNjS
|
||||
XgF9947oDqXMA2HvMaIuHc6NbuDM/hIrozxLbowcnXleJ2US3Ugs59Fn1yAB5lis
|
||||
VFl/24R7mF6DQTdjtL2k6MwY3pMkL5eLTQelcLYxMQE6/NE/5z6jah9243J+Y3w=
|
||||
=Wa2k
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-05-30T14:29:01Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA1N/l9+zlMQzAQf+NHtpTxXDoYH+BwO0glYgvcy96g2n6SVyYcBOaOKRpLuV
|
||||
iAR/bx+YmK57/Ql/ef7k+2nJJc4c7Z4nCLU+tzTrFj/FfV7IoqmIpWb5aFYSlYiq
|
||||
5yBEEAkbtDeYvkRwFV3FOiS329H9uwwR6K/R8XqhDlWxuvxXwio+rhxJTbGDvEQj
|
||||
6Zpk7QNo915G/uxfk4Mfe8uTfgTSFeWkytk0zpoRbZure1frzTvfPzjf1wJJYGDv
|
||||
scM7iX1EknM/2aXJe2un9gbtjiLmZKhlB4lHbRekxb9yck0hapbjP8audC07S/Jy
|
||||
vMuMmSMEHgJKlfBs8wxh4Pl9Kbx0wOdUvGEIZseDRdJeAYsdrPAAc2fMPMWjTTIq
|
||||
HpcakoRix4/BhheTqCMaLqO0BZf1JyZoh6ddlmbHZvJl8R4Cqd/Br91NSj76zsCI
|
||||
JJ9J4VHfYojocUMwyk/VtV/45QzpXTp+zYxgO5t6VQ==
|
||||
=piEQ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 069836A578F7939612DB4934F77D0F7E247A1EE4
|
||||
- created_at: "2023-05-30T14:29:01Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA1N/l9+zlMQzAQf+J3x16/phL1UJijUsddpD+xBamK3Zw7D67oof7IVDMFGd
|
||||
rXh/6iVzu5gWQcV/BJhErZaeonWDi/pkSVVaiKpqHv3OQ1aJIVS6pCsrIWcMBawQ
|
||||
ZqkmFIgIEBlY4kLh0qY6FXkS1Kk9YGTE/7B2Jsuq98ZO9DwDgd+s7rXknDnTwfyG
|
||||
op9HYLPIjSrG3mJdkwUerzoOL0VQeiDAUQSEucXd6ZCtC1BM4ybeitaReFHVNB3v
|
||||
DjNOQNpP0l+xQ8aIYwLauFOY9/E6qiwb4Xb8zmCP5yKJMkjrv96hxFtIZ7DDwcOt
|
||||
aqsRZUjNmdAEsoQPrrFc7AlfPpxb7NZICQ98gcY18NJeAS2SNzAib4WsqZuvXyXg
|
||||
RfWT79oyXzr07ftH8qtnd9dOp3L7PxCIb10TodL1TTK+yuYmAviIwNPM8jpUrL+0
|
||||
X8G2/LKcvpa0ulvzJAqSphIEDX8kV57BVuBf2Zz2cQ==
|
||||
=tKC1
|
||||
-----END PGP MESSAGE-----
|
||||
fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|