add uranus

This commit is contained in:
oxapentane - 2023-05-30 16:00:35 +02:00
parent 0d412cf40c
commit d504ed886f
Signed by: oxapentane
GPG Key ID: 91FA5E5BF9AA901C
8 changed files with 294 additions and 0 deletions


@ -12,6 +12,7 @@ keys:
- &data-hoarder-borken age10wj28zkuy3ewmv6hmup7849667qmevgdv4gxa8vyljye7mpu7shsjt4jeh
- &notice-me-senpai age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
- &tram-borzoi age10sedt7xftzu383y8g4pxsj0hazht8tnnxhcngedcsl93s4v9uvvsk99er4
- &uranus age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale
# turmlabor
- &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
@ -204,3 +205,12 @@ creation_rules:
- *admin_marenz-2
age:
- *tram-borzoi
- path_regex: secrets/uranus/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
- *admin_revol-xut
- *admin_marenz-1
- *admin_marenz-2
age:
- *uranus


@ -310,6 +310,18 @@
];
};
uranus = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
microvm.nixosModules.microvm
./modules/TLMS
./hosts/uranus
];
};
};
apps."x86_64-linux".mctest = {
type = "app";

103
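--- /dev/null
+++ b/hosts/uranus/default.nix
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running nixos-help).
+{ config, lib, ... }:
+let
+mac_addr = "00:de:5b:f9:be:ef";
+in
+{
+imports = [
+./stateful-jupyter.nix
+./stateless-jupyter.nix
+];
+microvm = {
+vcpu = 4;
+mem = 1024 * 6;
+hypervisor = "cloud-hypervisor";
+socket = "${config.networking.hostName}.socket";
+interfaces = [{
+type = "tap";
+id = "serv-dvb-anus";
+mac = mac_addr;
+}];
+shares = [
+{
+source = "/nix/store";
+mountPoint = "/nix/.ro-store";
+tag = "store";
+proto = "virtiofs";
+socket = "store.socket";
+}
+{
+source = "/var/lib/microvms/uranus/etc";
+mountPoint = "/etc";
+tag = "etc";
+proto = "virtiofs";
+socket = "etc.socket";
+}
+{
+source = "/var/lib/microvms/uranus/var";
+mountPoint = "/var";
+tag = "var";
+proto = "virtiofs";
+socket = "var.socket";
+}
+];
+};
+networking.hostName = "uranus";
+time.timeZone = "Europe/Berlin";
+networking.useNetworkd = true;
+sops.defaultSopsFile = ../../secrets/uranus/secrets.yaml;
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+sops.secrets.wg-seckey = {
+owner = config.users.users.systemd-network.name;
+};
+deployment-TLMS.net = {
+iface.uplink = {
+name = "ens3";
+mac = mac_addr;
+matchOn = "mac";
+useDHCP = false;
+addr4 = "172.20.73.37/25";
+dns = [ "172.20.73.8" "9.9.9.9" ];
+routes = [
+{
+routeConfig = {
+Gateway = "172.20.73.1";
+GatewayOnLink = true;
+Destination = "0.0.0.0/0";
+};
+}
+];
+};
+wg = {
+addr4 = "10.13.37.9";
+prefix4 = 24;
+privateKeyFile = config.sops.secrets.wg-seckey.path;
+publicKey = "KwCG5CWPdNmrjEOYJYD2w0yhzoWpYHrjGbstdT5+pFk=";
+};
+};
+users.motd = lib.mkForce (builtins.readFile ./motd.txt);
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. Its perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "23.05"; # Did you read the comment?
+}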
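Review bot: The sops identity of this guest is its SSH host key (`sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`), and `/etc` is a virtiofs share of `/var/lib/microvms/uranus/etc` on the hypervisor, so that private key — and with it everything under `secrets/uranus/` — is readable by any host-side principal with access to that directory. That is probably the accepted trade-off for a microvm, but it should be stated next to the `etc` share, e.g. `# holds the guest's ssh host key, which doubles as its sops/age identity — keep the host-side directory root-only`, and the host directory's permissions checked accordingly. The share also exports all of `/etc` rather than just `/etc/ssh`, which is broader than the persistence it appears to need; confirm that is deliberate. Separately, `mac_addr = "00:de:5b:f9:be:ef"` is a hand-picked address with the locally-administered bit clear, so `02:de:5b:f9:be:ef` would avoid colliding with a vendor-assigned OUI.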


@ -0,0 +1,28 @@
{ pkgs, packages, ... }:
let
miniconda-alpine-dockerhub = pkgs.dockerTools.pullImage {
imageName = "continuumio/miniconda3";
imageDigest = "sha256:a4b665d2075d9bf4b2c5aa896c059439a0baa5538ca67589a673121c31b4c35d";
sha256 = "sha256-boIAZ8PaPckWLzYYTqrqMEL7HGbyl9grCJrXOpsBMhg=";
finalImageTag = "23.3.1-0";
finalImageName = "miniconda";
};
in
pkgs.dockerTools.buildImage {
name = "stateful-jupyterlab";
tag = "latest";
fromImage = miniconda-alpine-dockerhub;
runAsRoot = ''
#!${pkgs.runtimeShell}
mkdir -p /workdir
'';
config = {
WorkingDir = "/workdir";
run = ''
/bin/bash conda install ${packages} \
jupyterlab
'';
Cmd = [ "jupyter-lab" "--ip=0.0.0.0" "--port=8080" "--no-browser" "--allow-root" ];
};
}
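Review bot: The `run` attribute inside `config` (`/bin/bash conda install ${packages} jupyterlab`) is not an OCI image-config key, so nothing ever executes it and the `${packages}` passed in are never installed; `/bin/bash conda …` would also try to interpret the conda binary as a shell script. Since the pinned `continuumio/miniconda3` base does not obviously ship `jupyter-lab`, the `Cmd` is likely to fail at container start, and `runAsRoot` cannot host the install either because Nix builds have no network — the install has to land in a fixed-output step or a pre-built image pinned by digest the way the base is. Pinning the base by `imageDigest` and `sha256` is the right call; but `--allow-root` combined with a host bind mount on `/workdir` means notebook code runs as container root writing to host storage, so consider a non-root `User` in `config`.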

16
hosts/uranus/motd.txt Normal file

@ -0,0 +1,16 @@
""# ""# m"" " m
mmm # # mmm mm#mm mmm m m mmmm m m mm#mm mmm m mm
" # # # #" "# # # # # #" "# "m m" # #" # #" "
m"""# # # # # # # # # # # #m# # #"""" #
"mm"# "mm "mm "#m#" # # "mm"# ##m#" "# "mm "#mm" #
# # m"
"" " ""
"
mmm m mm m m m mm mmm m mm m m mmm
# #" # # # #" " " # #" # # # # "
# # # # # # m"""# # # # # """m
mm#mm # # "mm"# # "mm"# # # "mm"# "mmm"


@ -0,0 +1,32 @@
{ pkgs, lib, ... }:
{
virtualisation.docker = {
enable = true;
# magic from marenz to make it work on ceph
storageDriver = "devicemapper";
extraOptions = "--storage-opt dm.basesize=40G --storage-opt dm.fs=xfs";
};
systemd.enableUnifiedCgroupHierarchy = false;
# user to run the thing
# jupyterlab container
virtualisation.oci-containers = {
backend = "docker";
containers."jupyterlab-stateful" = {
autoStart = true;
ports = [ "8080:8080" ];
volumes = [ "/var/lib/jupyter-volume:/workdir" ];
imageFile = let
package-string = lib.concatStringsSep " " [
"numpy"
"scipy"
"pandas"
"matplotlib"
];
in
(import ./jupyter-container.nix { inherit pkgs; packages = package-string; });
image = "stateful-jupyterlab";
};
};
}
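Review bot: `ports = [ "8080:8080" ]` publishes JupyterLab on every guest interface, and in the usual iptables setup Docker's published-port DNAT runs before the NixOS firewall's INPUT rules, so the lab is reachable from anything that can route to the uplink address `172.20.73.37`, not only over WireGuard; with `--allow-root` a reachable notebook is root code execution inside the container. Bind to a specific address instead, e.g. `ports = [ "10.13.37.9:8080:8080" ];` (or `127.0.0.1` behind a reverse proxy), and if you bind to the WireGuard address order the container unit after that interface is up. Nothing here sets a Jupyter token or password, so authentication is whatever the image default happens to be; pin it explicitly. `storageDriver = "devicemapper"` and `systemd.enableUnifiedCgroupHierarchy = false` are both legacy paths, and the `# magic from marenz to make it work on ceph` comment should say what actually fails on ceph without them so the workaround can be retired later.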


@ -0,0 +1,2 @@
# The plan is to try out how broken the stateless jupyter lab in nixos
{}


@ -0,0 +1,91 @@
wg-seckey: ENC[AES256_GCM,data:mUFBjQpHC0Flpyw82lXUInLVm0TJW1wB51evA7hXiit7JcK4z/HCyD5UGQU=,iv:O2/UP+WjCmasU6kP/58B1zXL0XAmzUOcM/1ONE31+/o=,tag:ObN6viKQm7ghuXKVeUydjg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeE84V0txS3JRYmtoaERl
aEY2Ung4MnRwUUc1VkwwZnhiTG1nTGVzSDBNCjJZMDBHWDJWckZJTUlObDlBV2Ey
V29PZDZXMG1TSVlHY3pZTzdBVVZhQzgKLS0tIC95WVB5T0l2SnVzNS9HSTIxTUVS
YVFMQ3pZYS9oM3RERDg4NHA1OHRoUEkKYIKvmU6cMiWqrDASPeDZAs3jHOn41onU
YtnMpjNQncMbvzDjuijjsCusgxL1DOEWvkg5xn8u4yGhguV6hEW4mQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-30T13:44:49Z"
mac: ENC[AES256_GCM,data:iLT8KrlibgljBzhZAFEdlKs/+c0XjxFkCHchjuO9dQJb576HpFsQj6LD5opWPAizdhRG0IniP1g9lUTrpE9Wb/XmQWIuVAJGpCiIWaFM0ENZ5fEcZDoWkBNJVmELe4M7yffD1N1EYffd0uwjyzHoPgEnFC8GrNMeBZdCuu08tR8=,iv:clpxUJLj8o4FRTW9oBxxnU23MYBvRDhxW9df85n4/AM=,tag:abTl8mvDRRknDHbP+01ZKg==,type:str]
pgp:
- created_at: "2023-05-30T14:29:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=2LaE
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-05-30T14:29:01Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=Wa2k
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-05-30T14:29:01Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQf+NHtpTxXDoYH+BwO0glYgvcy96g2n6SVyYcBOaOKRpLuV
iAR/bx+YmK57/Ql/ef7k+2nJJc4c7Z4nCLU+tzTrFj/FfV7IoqmIpWb5aFYSlYiq
5yBEEAkbtDeYvkRwFV3FOiS329H9uwwR6K/R8XqhDlWxuvxXwio+rhxJTbGDvEQj
6Zpk7QNo915G/uxfk4Mfe8uTfgTSFeWkytk0zpoRbZure1frzTvfPzjf1wJJYGDv
scM7iX1EknM/2aXJe2un9gbtjiLmZKhlB4lHbRekxb9yck0hapbjP8audC07S/Jy
vMuMmSMEHgJKlfBs8wxh4Pl9Kbx0wOdUvGEIZseDRdJeAYsdrPAAc2fMPMWjTTIq
HpcakoRix4/BhheTqCMaLqO0BZf1JyZoh6ddlmbHZvJl8R4Cqd/Br91NSj76zsCI
JJ9J4VHfYojocUMwyk/VtV/45QzpXTp+zYxgO5t6VQ==
=piEQ
-----END PGP MESSAGE-----
fp: 069836A578F7939612DB4934F77D0F7E247A1EE4
- created_at: "2023-05-30T14:29:01Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQf+J3x16/phL1UJijUsddpD+xBamK3Zw7D67oof7IVDMFGd
rXh/6iVzu5gWQcV/BJhErZaeonWDi/pkSVVaiKpqHv3OQ1aJIVS6pCsrIWcMBawQ
ZqkmFIgIEBlY4kLh0qY6FXkS1Kk9YGTE/7B2Jsuq98ZO9DwDgd+s7rXknDnTwfyG
op9HYLPIjSrG3mJdkwUerzoOL0VQeiDAUQSEucXd6ZCtC1BM4ybeitaReFHVNB3v
DjNOQNpP0l+xQ8aIYwLauFOY9/E6qiwb4Xb8zmCP5yKJMkjrv96hxFtIZ7DDwcOt
aqsRZUjNmdAEsoQPrrFc7AlfPpxb7NZICQ98gcY18NJeAS2SNzAib4WsqZuvXyXg
RfWT79oyXzr07ftH8qtnd9dOp3L7PxCIb10TodL1TTK+yuYmAviIwNPM8jpUrL+0
X8G2/LKcvpa0ulvzJAqSphIEDX8kV57BVuBf2Zz2cQ==
=tKC1
-----END PGP MESSAGE-----
fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433
unencrypted_suffix: _unencrypted
version: 3.7.3
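Review bot: Two of the four PGP recipients are encrypted to the same key: the PKESK packets that open with `hQEMA1N/l9+zlMQzAQf+` for both `fp: 069836A5…247A1EE4` and `fp: ED06986D…537F97DFB394C433` decode to key ID `537F97DFB394C433`, which is the ID of the key whose fingerprint ends in that value. If those two fingerprints are meant to be independent admin keys (`admin_marenz-1` and `admin_marenz-2` in `.sops.yaml`), one of them is not actually a recipient and its holder cannot decrypt this file unless they also hold `537F97DFB394C433`. More likely both belong to the same person and one fingerprint is an encryption subkey of the other, in which case the second entry adds no redundancy. Worth checking with `gpg --list-keys --with-subkey-fingerprints 069836A5…` and re-running `sops updatekeys` if an entry is wrong.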