From d504ed886fddb4269b51060b02abe423140b3c80 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Tue, 30 May 2023 16:00:35 +0200
Subject: [PATCH] add uranus
---
.sops.yaml | 10 +++
flake.nix | 12 ++++
hosts/uranus/default.nix | 103 +++++++++++++++++++++++++++++
hosts/uranus/jupyter-container.nix | 28 ++++++++
hosts/uranus/motd.txt | 16 +++++
hosts/uranus/stateful-jupyter.nix | 32 +++++++++
hosts/uranus/stateless-jupyter.nix | 2 +
secrets/uranus/secrets.yaml | 91 +++++++++++++++++++++++++
8 files changed, 294 insertions(+)
create mode 100644 hosts/uranus/default.nix
create mode 100644 hosts/uranus/jupyter-container.nix
create mode 100644 hosts/uranus/motd.txt
create mode 100644 hosts/uranus/stateful-jupyter.nix
create mode 100644 hosts/uranus/stateless-jupyter.nix
create mode 100644 secrets/uranus/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 386b9b1..d611d94 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,6 +12,7 @@ keys: - &data-hoarder-borken age10wj28zkuy3ewmv6hmup7849667qmevgdv4gxa8vyljye7mpu7shsjt4jeh - ¬ice-me-senpai age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4 - &tram-borzoi age10sedt7xftzu383y8g4pxsj0hazht8tnnxhcngedcsl93s4v9uvvsk99er4
+ - &uranus age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale
# turmlabor - &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
@@ -204,3 +205,12 @@ creation_rules: - *admin_marenz-2 age: - *tram-borzoi
+ - path_regex: secrets/uranus/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ - *admin_revol-xut
+ - *admin_marenz-1
+ - *admin_marenz-2
+ age:
+ - *uranus
diff --git a/flake.nix b/flake.nix
index c942158..283ce4e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -310,6 +310,18 @@
];
};
+ uranus = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs self; };
+ modules = [
+ sops-nix.nixosModules.sops
+ microvm.nixosModules.microvm
+
+ ./modules/TLMS
+ ./hosts/uranus
+ ];
+ };
+
};
apps."x86_64-linux".mctest = {
type = "app";
diff --git a/hosts/uranus/default.nix b/hosts/uranus/default.nix
new file mode 100644
index 0000000..79e8546
--- /dev/null
+++ b/hosts/uranus/default.nix
@@ -0,0 +1,103 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, ... }:
+let
+ mac_addr = "00:de:5b:f9:be:ef";
+in
+{
+ imports = [
+ ./stateful-jupyter.nix
+ ./stateless-jupyter.nix
+ ];
+
+ microvm = {
+ vcpu = 4;
+ mem = 1024 * 6;
+ hypervisor = "cloud-hypervisor";
+ socket = "${config.networking.hostName}.socket";
+
+ interfaces = [{
+ type = "tap";
+ id = "serv-dvb-anus";
+ mac = mac_addr;
+ }];
+
+ shares = [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }
+ {
+ source = "/var/lib/microvms/uranus/etc";
+ mountPoint = "/etc";
+ tag = "etc";
+ proto = "virtiofs";
+ socket = "etc.socket";
+ }
+ {
+ source = "/var/lib/microvms/uranus/var";
+ mountPoint = "/var";
+ tag = "var";
+ proto = "virtiofs";
+ socket = "var.socket";
+ }
+ ];
+ };
+
+ networking.hostName = "uranus";
+
+ time.timeZone = "Europe/Berlin";
+
+ networking.useNetworkd = true;
+
+
+ sops.defaultSopsFile = ../../secrets/uranus/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets.wg-seckey = {
+ owner = config.users.users.systemd-network.name;
+ };
+ deployment-TLMS.net = {
+ iface.uplink = {
+ name = "ens3";
+ mac = mac_addr;
+ matchOn = "mac";
+ useDHCP = false;
+ addr4 = "172.20.73.37/25";
+ dns = [ "172.20.73.8" "9.9.9.9" ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "172.20.73.1";
+ GatewayOnLink = true;
+ Destination = "0.0.0.0/0";
+ };
+ }
+ ];
+ };
+
+ wg = {
+ addr4 = "10.13.37.9";
+ prefix4 = 24;
+ privateKeyFile = config.sops.secrets.wg-seckey.path;
+ publicKey = "KwCG5CWPdNmrjEOYJYD2w0yhzoWpYHrjGbstdT5+pFk=";
+ };
+
+ };
+
+ users.motd = lib.mkForce (builtins.readFile ./motd.txt);
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/hosts/uranus/jupyter-container.nix b/hosts/uranus/jupyter-container.nix
new file mode 100644
index 0000000..4b875f1
--- /dev/null
+++ b/hosts/uranus/jupyter-container.nix
@@ -0,0 +1,28 @@
+{ pkgs, packages, ... }:
+let
+ miniconda-alpine-dockerhub = pkgs.dockerTools.pullImage {
+ imageName = "continuumio/miniconda3";
+ imageDigest = "sha256:a4b665d2075d9bf4b2c5aa896c059439a0baa5538ca67589a673121c31b4c35d";
+ sha256 = "sha256-boIAZ8PaPckWLzYYTqrqMEL7HGbyl9grCJrXOpsBMhg=";
+ finalImageTag = "23.3.1-0";
+ finalImageName = "miniconda";
+
+ };
+in
+pkgs.dockerTools.buildImage {
+ name = "stateful-jupyterlab";
+ tag = "latest";
+ fromImage = miniconda-alpine-dockerhub;
+ runAsRoot = ''
+ #!${pkgs.runtimeShell}
+ mkdir -p /workdir
+ '';
+ config = {
+ WorkingDir = "/workdir";
+ run = ''
+ /bin/bash conda install ${packages} \
+ jupyterlab
+ '';
+ Cmd = [ "jupyter-lab" "--ip=0.0.0.0" "--port=8080" "--no-browser" "--allow-root" ];
+ };
+}
diff --git a/hosts/uranus/motd.txt b/hosts/uranus/motd.txt
new file mode 100644
index 0000000..c8f4354
--- /dev/null
+++ b/hosts/uranus/motd.txt
@@ -0,0 +1,16 @@
+
+ ""# ""# m"" " m
+ mmm # # mmm mm#mm mmm m m mmmm m m mm#mm mmm m mm
+ " # # # #" "# # # # # #" "# "m m" # #" # #" "
+ m"""# # # # # # # # # # # #m# # #"""" #
+ "mm"# "mm "mm "#m#" # # "mm"# ##m#" "# "mm "#mm" #
+ # # m"
+ "" " ""
+
+ "
+ mmm m mm m m m mm mmm m mm m m mmm
+ # #" # # # #" " " # #" # # # # "
+ # # # # # # m"""# # # # # """m
+ mm#mm # # "mm"# # "mm"# # # "mm"# "mmm"
+
+
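Review bot: The age identity that decrypts secrets.yaml is the guest's SSH host key (`sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`), and the guest's `/etc` is a virtiofs share backed by `/var/lib/microvms/uranus/etc` on the hypervisor, so `wg-seckey` is exactly as confidential as that host directory: whoever can read it on the host can decrypt the secret without touching the VM. That is a defensible design for a microvm, but it should be stated next to the `etc` share, e.g. `# guest /etc is persisted here on the host, including the ssh host key that is the sops age identity; keep this directory root-only`. It also implies the matching host key must already be present in that directory before the first boot, which presumably is the case since the `age1xnaw…` recipient in .sops.yaml was derived from it. Separately, `mac_addr = "00:de:5b:f9:be:ef"` has the locally-administered bit clear; a locally-administered value (constructed example: `02:de:5b:f9:be:ef`) avoids any chance of colliding with a vendor OUI on the `serv-dvb-anus` tap.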
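Review bot: `run` under `config` is not a field of the Docker/OCI image configuration that `dockerTools.buildImage` serialises, so as far as I can see the `conda install ${packages} jupyterlab` step is silently dropped, the `packages` argument has no effect, and the image starts `jupyter-lab` from whatever the pinned miniconda base happens to contain. Even if it were honoured, `/bin/bash conda install …` runs bash with `conda` as a script path rather than invoking conda. The install has to happen where it can actually execute: either at container start (an entrypoint script ahead of `Cmd`) or in a build step that has the packages available — note that `runAsRoot` executes inside the sandboxed Nix build, which normally has no network, so a plain `conda install` there would fail as well. Pinning both `imageDigest` and `sha256` is the right supply-chain hygiene; the `miniconda-alpine-dockerhub` name looks misleading, though, since `continuumio/miniconda3` at that tag is, as far as I know, Debian-based.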
diff --git a/hosts/uranus/stateful-jupyter.nix b/hosts/uranus/stateful-jupyter.nix
new file mode 100644
index 0000000..a90de5c
--- /dev/null
+++ b/hosts/uranus/stateful-jupyter.nix
@@ -0,0 +1,32 @@
+{ pkgs, lib, ... }:
+{
+ virtualisation.docker = {
+ enable = true;
+ # magic from marenz to make it work on ceph
+ storageDriver = "devicemapper";
+ extraOptions = "--storage-opt dm.basesize=40G --storage-opt dm.fs=xfs";
+ };
+ systemd.enableUnifiedCgroupHierarchy = false;
+
+ # user to run the thing
+ # jupyterlab container
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers."jupyterlab-stateful" = {
+ autoStart = true;
+ ports = [ "8080:8080" ];
+ volumes = [ "/var/lib/jupyter-volume:/workdir" ];
+ imageFile = let
+ package-string = lib.concatStringsSep " " [
+ "numpy"
+ "scipy"
+ "pandas"
+ "matplotlib"
+ ];
+ in
+ (import ./jupyter-container.nix { inherit pkgs; packages = package-string; });
+ image = "stateful-jupyterlab";
+ };
+ };
+
+}
diff --git a/hosts/uranus/stateless-jupyter.nix b/hosts/uranus/stateless-jupyter.nix
new file mode 100644
index 0000000..ae1502f
--- /dev/null
+++ b/hosts/uranus/stateless-jupyter.nix
@@ -0,0 +1,2 @@
+# The plan is to try out how broken the stateless jupyter lab in nixos
+{}
diff --git a/secrets/uranus/secrets.yaml b/secrets/uranus/secrets.yaml
new file mode 100644
index 0000000..132af14
--- /dev/null
+++ b/secrets/uranus/secrets.yaml
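Review bot: `ports = [ "8080:8080" ]` publishes the container port on every interface of the VM, which includes the 172.20.73.37/25 uplink configured in hosts/uranus/default.nix, and the image's Cmd runs `jupyter-lab --ip=0.0.0.0 … --allow-root`, so a notebook server that apparently runs as root inside the container, with `/var/lib/jupyter-volume` bind-mounted, is reachable from that network as soon as the unit starts; if only local or proxied access is intended, bind explicitly with `ports = [ "127.0.0.1:8080:8080" ];`, and if network exposure is deliberate, say so in a comment so the next reader does not have to guess. The `# user to run the thing` comment above `virtualisation.oci-containers` has no matching definition and reads like an unfinished task; either drop it or turn it into `# TODO: run the jupyter container as a dedicated uid instead of root`. `systemd.enableUnifiedCgroupHierarchy = false` is presumably part of the same devicemapper workaround as the "magic from marenz" line but sits outside that comment's scope; moving it under the comment would make the dependency explicit.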
@@ -0,0 +1,91 @@ +wg-seckey: ENC[AES256_GCM,data:mUFBjQpHC0Flpyw82lXUInLVm0TJW1wB51evA7hXiit7JcK4z/HCyD5UGQU=,iv:O2/UP+WjCmasU6kP/58B1zXL0XAmzUOcM/1ONE31+/o=,tag:ObN6viKQm7ghuXKVeUydjg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1xnaw8ssrq2hpsntnt8kdu4dlqh4lz3dcq5lzwn490cskz886te6sreuale + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeE84V0txS3JRYmtoaERl + aEY2Ung4MnRwUUc1VkwwZnhiTG1nTGVzSDBNCjJZMDBHWDJWckZJTUlObDlBV2Ey + V29PZDZXMG1TSVlHY3pZTzdBVVZhQzgKLS0tIC95WVB5T0l2SnVzNS9HSTIxTUVS + YVFMQ3pZYS9oM3RERDg4NHA1OHRoUEkKYIKvmU6cMiWqrDASPeDZAs3jHOn41onU + YtnMpjNQncMbvzDjuijjsCusgxL1DOEWvkg5xn8u4yGhguV6hEW4mQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-30T13:44:49Z" + mac: ENC[AES256_GCM,data:iLT8KrlibgljBzhZAFEdlKs/+c0XjxFkCHchjuO9dQJb576HpFsQj6LD5opWPAizdhRG0IniP1g9lUTrpE9Wb/XmQWIuVAJGpCiIWaFM0ENZ5fEcZDoWkBNJVmELe4M7yffD1N1EYffd0uwjyzHoPgEnFC8GrNMeBZdCuu08tR8=,iv:clpxUJLj8o4FRTW9oBxxnU23MYBvRDhxW9df85n4/AM=,tag:abTl8mvDRRknDHbP+01ZKg==,type:str] + pgp: + - created_at: "2023-05-30T14:29:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ//YPEvsi5RgjUojgVMxUXg7DKmpeot6cXb+QbwvlmLkxeK + mn5fQB3AdX9zhSnYZr6fgpt6aSyWupbFiDsQM3gYX7JHOB6loats/YZUwNxr8ir6 + ceyQPv6hmVOkQ9A8bUn9eK0kSVnr+mBlHU58NQE66yTnjjQNo2ljB2ctZ0yuesPZ + WRMTcmmOSuu0KUXxONiBJtuywP+3mKfl1gkr8O4LCHl8eKcohjlzk/b9ByBaOxsk + 71YlmT7/pMwsLOPHtbBgahFsPTbJnE7+22x+0QLPGDAMn3kX3R0bP83sgojYgsZi + mkS3+gkxAuEcwdLMnmH74FwoyzHHbtXAlnXC0uTVilJotIQayyQj2zS6nujkNlyB + kx0OghvOpH4ydua8ol9eZOMACKxqIKScYU9jT/hnSEkdXsuSsoOUlnOz+AiYlaST + /4f6Q9AhP4Z30AqaEQHXjIQasmPQYWETbgeoBrEATE/dsD9lmdXrIxoPckGyuG9V + XtRmF80KUhzv9RK5GEr++zTY2QkzPKc7RUmBF1kwJle9TCDgzk9pgHPakKm09Uzg + 0x71TOoj8vqudA/R7Tey1syUJxQousROLUo++HIGO2Snmq8k7n0cAuG/PpoBVi6G + 8cI7YbolkeNzSu3pco15Y5zr0lM95bDCgcotes2FSmrx7EbrtGyy42UHfTLPdg/S + UQHhqQLCsinUFP2R63afaQnTPK73Ara4UNa3BZQwyGPRqHA54XEfgV8GplDHfAR1 + 
USd/m5qt7/D+7yRlBW2lZoBV2iQ2H+YiZIGJf8ZzbSQ8Ag== + =2LaE + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2023-05-30T14:29:01Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ//baC4RNaj9Rdsr+1ioetydAHxNdyYEV7jn5k+X/SF/E0S + pha6PCGzwAFCkB5CAsiPFySCCxTG3UvrKH0lsZT5TTRCJGMc5RwOXqB6SedH18Lg + Q7JU4YUf+KiOCkF2xCx9LMlszcoqim9+ghDKTXGDmR+UBkyXLkMhrNmEQBWTNB9w + iFcgSR0knpmzuYMmcAAgn7nez4HAvBpqj31fkMWiHUJACdb0A+3G/ZEEQ1WIZsmE + qhHS1OdTMKWEvPQe4bNSjIMOnvam/QAHzh7DFl1ie96Jp9Q0zZKRpXN2xHdamQW2 + DTk4+cpk3AE/HLYSAZVMMD3l1vcs8VpXcK5Omkn5Wtn7UzHFpCwLkv9fz70xMhP1 + ia+b0GqxesmD0oPS160i+nLMbDoKTlutnSaaetBI2BvyxCktiYh0ebRfd2V7Yc7g + baHFrdbA92wXEEew+zB8n0bvMB5Vgddu7HKitk9a3VFotaBwl1gyEbbP2hE3o9Pi + kG8lckPNkctYLcL4Fkzsc3ApzjISlBwSCOngEDhtiVkYzDCn4xFjDG1S/6owxH7I + BCuQBQYxciZaHzse9GFxqJG6jzmUZQWnNO7K3z1TvBe2Wd5wLIgnrN/NYk3q/HzE + uq88r7hnPX1DY6d2/0jBIS42/PyF0PActLQEqc1xrkddWKJ0Kosthcx2ao0ATNjS + XgF9947oDqXMA2HvMaIuHc6NbuDM/hIrozxLbowcnXleJ2US3Ugs59Fn1yAB5lis + VFl/24R7mF6DQTdjtL2k6MwY3pMkL5eLTQelcLYxMQE6/NE/5z6jah9243J+Y3w= + =Wa2k + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2023-05-30T14:29:01Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf+NHtpTxXDoYH+BwO0glYgvcy96g2n6SVyYcBOaOKRpLuV + iAR/bx+YmK57/Ql/ef7k+2nJJc4c7Z4nCLU+tzTrFj/FfV7IoqmIpWb5aFYSlYiq + 5yBEEAkbtDeYvkRwFV3FOiS329H9uwwR6K/R8XqhDlWxuvxXwio+rhxJTbGDvEQj + 6Zpk7QNo915G/uxfk4Mfe8uTfgTSFeWkytk0zpoRbZure1frzTvfPzjf1wJJYGDv + scM7iX1EknM/2aXJe2un9gbtjiLmZKhlB4lHbRekxb9yck0hapbjP8audC07S/Jy + vMuMmSMEHgJKlfBs8wxh4Pl9Kbx0wOdUvGEIZseDRdJeAYsdrPAAc2fMPMWjTTIq + HpcakoRix4/BhheTqCMaLqO0BZf1JyZoh6ddlmbHZvJl8R4Cqd/Br91NSj76zsCI + JJ9J4VHfYojocUMwyk/VtV/45QzpXTp+zYxgO5t6VQ== + =piEQ + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2023-05-30T14:29:01Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf+J3x16/phL1UJijUsddpD+xBamK3Zw7D67oof7IVDMFGd + 
rXh/6iVzu5gWQcV/BJhErZaeonWDi/pkSVVaiKpqHv3OQ1aJIVS6pCsrIWcMBawQ + ZqkmFIgIEBlY4kLh0qY6FXkS1Kk9YGTE/7B2Jsuq98ZO9DwDgd+s7rXknDnTwfyG + op9HYLPIjSrG3mJdkwUerzoOL0VQeiDAUQSEucXd6ZCtC1BM4ybeitaReFHVNB3v + DjNOQNpP0l+xQ8aIYwLauFOY9/E6qiwb4Xb8zmCP5yKJMkjrv96hxFtIZ7DDwcOt + aqsRZUjNmdAEsoQPrrFc7AlfPpxb7NZICQ98gcY18NJeAS2SNzAib4WsqZuvXyXg + RfWT79oyXzr07ftH8qtnd9dOp3L7PxCIb10TodL1TTK+yuYmAviIwNPM8jpUrL+0 + X8G2/LKcvpa0ulvzJAqSphIEDX8kV57BVuBf2Zz2cQ== + =tKC1 + -----END PGP MESSAGE----- + fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.3