diff --git a/clusters/ekman/cluster.nix b/clusters/ekman/cluster.nix
new file mode 100644
index 0000000..7b0207e
--- /dev/null
+++ b/clusters/ekman/cluster.nix
@@ -0,0 +1,269 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let
+ cfg = config.features.host;
+
+ mkSANs = host: [
+ host.name
+ host.address
+ "127.0.0.1"
+ ];
+
+ configuration = {
+ system.autoUpgrade.enable = lib.mkForce false;
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ kernelPackages = pkgs.linuxPackages_5_4;
+ kernelModules = [ "ib_umad" "ib_ipoib" ];
+ kernelParams = [
+ "console=ttyS0,115200"
+ "console=tty0"
+ ];
+ };
+
+
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ extraLocaleSettings = {
+ LC_CTYPE="en_DK.UTF-8";
+ LC_TIME="en_DK.UTF-8";
+ LC_PAPER="en_DK.UTF-8";
+ LC_NAME="en_DK.UTF-8";
+ LC_ADDRESS="en_DK.UTF-8";
+ LC_TELEPHONE="en_DK.UTF-8";
+ LC_MEASUREMENT="en_DK.UTF-8";
+ LC_IDENTIFICATION="en_DK.UTF-8";
+ };
+ };
+
+ time.timeZone = "Europe/Oslo";
+
+ features = {
+ os = {
+ # boot.uefi = true;
+ adminAuthorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas"
+ "ssh-rsa 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 jonas.juselius@juselius.io"
+ "ssh-rsa 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 martin.moe.carstens@itpartner.no"
+ ];
+ docker.enable = false;
+
+ mailRelay = {
+ enable = true;
+ adminEmail = "jonas.juselius@tromso.serit.no";
+ mailDomain = "itpartner.no";
+ mailGateway = "smtpgw.itpartner.no:465";
+ mailAuthUser = "utvikling";
+ };
+ };
+ cachix.enable = false;
+
+ monitoring.nodeExporter.enable = false;
+
+ pki = { ca = ./ca; };
+
+ hpc = {
+ enable = true;
+ slurm = {
+ client = true;
+ mungeKey = ./munge.key;
+ controlMachine = "ekman";
+ nodeName = [
+ "c0-1 Sockets=2 CoresPerSocket=64 ThreadsPerCore=1 RealMemory=256000 TmpDisk=500000 State=UNKNOWN"
+ "ekman Sockets=2 CoresPerSocket=64 ThreadsPerCore=1 RealMemory=256000 TmpDisk=500000 State=UNKNOWN"
+ ];
+ partitionName = [
+ "batch Nodes=c0-1 Default=YES MaxTime=INFINITE State=UP"
+ "frontend Nodes=ekman MaxTime=1:00:00 State=UP"
+ ];
+ };
+ beegfs = {
+ enable = false;
+ beegfs = {
+ bee0-0 = {
+ mgmtdHost = "bee0-0";
+ connAuthFile = "";
+ client = {
+ enable = true;
+ mountPoint = "/work";
+ };
+ };
+ };
+ };
+ };
+
+ k8s = {
+ enable = true;
+ node.enable = true;
+ clusterName = "ekman";
+ initca = ./ca;
+ cidr = "10.100.0.0/16";
+ master = {
+ name = "ekman";
+ address = "10.255.240.200";
+ extraSANs = [ "ekman.local" ];
+ };
+ ingressNodes = [
+ "ekman.local"
+ ];
+ fileserver = "bee0-0";
+ charts = {
+ acme_email = "innovasjon@itpartner.no";
+ grafana_smtp_user = "utvikling";
+ grafana_smtp_password = "S0m3rp0m@de#21!";
+ };
+ };
+ };
+
+ services.kubernetes.kubelet.extraSANs = mkSANs {
+ name = cfg.name;
+ address = cfg.address;
+ };
+
+ networking = {
+ domain = mkDefault "oceanbox.io";
+ defaultGateway = mkDefault "10.1.61.1";
+ nameservers = mkDefault [ "8.8.8.8" ];
+ search = mkDefault [ "local" ];
+ extraHosts = import ./hosts.nix;
+ firewall.extraCommands = ''
+ iptables -I INPUT -s 10.255.240.0/24 -j ACCEPT
+ '';
+ };
+
+ environment.variables = {};
+
+ systemd.services."serial-getty@ttyS0".enable = true;
+
+ nix = {
+ maxJobs = 32;
+ trustedUsers = [ "@wheel" ];
+ # binaryCachePublicKeys = [
+ # "ekman-1:BCgUFnXc6wgpstwG0M09/Ccrrz45MxHpS62JSC9sxW5hWxMqBNNvU1otqs4pWUOyvdxLPKIk6P5WCJWp+AFJig=="
+ # ];
+ };
+ };
+
+ deployment = {
+ deployment.targetHost = cfg.address;
+ };
+
+ # i40efix = {
+ # boot = let kernelExtras = pkgs.callPackage ./kernel.nix {
+ # kernel = pkgs.linuxPackages_5_4.kernel;
+ # }; in {
+ # extraModulePackages = [ kernelExtras.i40e2 ];
+ # kernelModules = [ "ib_umad" "ib_ipoib" "i40e2" ];
+ # };
+ # };
+ i40efix = {
+ boot = {
+ extraModulePackages = [];
+ kernelModules = [ "ib_umad" "ib_ipoib" ];
+ };
+ };
+
+ shosts = {
+ environment.etc."ssh/shosts.equiv" = {
+ mode = "0644";
+ uid = 0;
+ gid = 0;
+ text = ''
+ 10.255.240.200
+ 10.255.240.201
+ '';
+ };
+
+ programs.ssh.knownHosts = {
+ ekman = {
+ hostNames = [
+ "ekman" "ekman.local" "ekman.oceanbox.io" "10.255.240.200"
+ ];
+ publicKeyFile = ./pubkeys/ekman.pub;
+ };
+ c0-1 = { hostNames = [ "c0-1" "c0-1.local" "10.255.240.201" "10.255.241.201" ]; publicKeyFile = ./pubkeys/c0-1.pub; };
+ };
+
+ environment.systemPackages = [ openssh-shosts ];
+
+ security.wrappers = {
+ ssh-keysign = {
+ source = "${openssh-shosts}/libexec/ssh-keysign";
+ owner = "root";
+ group = "root";
+ permissions = "u+rs,g+rx,o+rx";
+ };
+ };
+ };
+
+ openssh-shosts = pkgs.openssh.overrideAttrs (attrs: {
+ buildFlags = [ "SSH_KEYSIGN=/run/wrappers/bin/ssh-keysign" ];
+ });
+
+ myvnc =
+ let
+ myvnc = pkgs.writeScriptBin "myvnc" ''
+ #!${pkgs.runtimeShell}
+
+ uid=`id -u`
+ port=$((9000+$uid))
+ shell=`getent passwd $(id -un) | awk -F : '{print $NF}'`
+ # vnc=${pkgs.tigervnc}/bin/vncserver
+ vnc=/nix/store/czp2b60dwk75widi8y287hr0xx1wgv2a-tigervnc-1.10.1/bin/vncserver
+
+ case $1 in
+ -p|--port) shift; port=$1 ;;
+ kill|stop)
+ display=$($vnc -list | sed -n 's/^\(:[0-9]\+\).*/\1/p'| head -1)
+ $vnc -kill $display
+ exit 0
+ ;;
+ esac
+ ps ax | sed '/grep/d' | grep "Xvnc.*-rfbport $port" >/dev/null 2>&1
+ [ $? = 1 ] && $vnc -rfbport $port
+ echo "Xvnc server is running on port $port."
+ exec $shell -i
+ '';
+
+ buildCommand = ''
+ mkdir -p $out/bin
+ echo $src > $out/bin/myvnc
+ chmod 755 $out/bin/myvnc
+ '';
+ in {
+ environment.systemPackages = [ myvnc ];
+ };
+
+in {
+ options.node = {
+ i40efix = mkEnableOption "Apply fix for i40e driver";
+
+ myvnc = mkEnableOption "Enable myvnc script";
+ };
+
+ config = mkMerge [
+ configuration
+
+ deployment
+
+ shosts
+
+ (mkIf config.node.i40efix i40efix)
+
+ (mkIf config.node.myvnc myvnc)
+ ];
+
+ imports = [
+ ../../modules
+ ../../nixos
+ ./users.nix
+ ];
+}
+
diff --git a/clusters/ekman/default.nix b/clusters/ekman/default.nix
new file mode 100644
index 0000000..cb9143a
--- /dev/null
+++ b/clusters/ekman/default.nix
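Review bot: `grafana_smtp_password` under `k8s.charts` is a literal SMTP password, and the same value appears again as `smtp_auth_password` in the alertmanager block of clusters/ekman/default.nix. A value written into a Nix expression is committed to the repository and is normally copied into the world-readable Nix store on every host that evaluates it, so the credential should be treated as exposed and rotated. Both settings should read the secret from a root-only file provisioned outside the store, in the way the commented-out gitlab-runner block points at `/var/lib/secrets/gitlab-runner-registration`; for alertmanager, where the NixOS release in use provides it, that can be `services.prometheus.alertmanager.environmentFile` with `smtp_auth_password = "$SMTP_PASSWORD";`. The path references `mungeKey = ./munge.key`, `pki = { ca = ./ca; }` and `initca = ./ca` presumably have the same store-copy effect for key material and deserve the same treatment.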
@@ -0,0 +1,343 @@ +let + # Pin the deployment package-set to a specific version of nixpkgs + # pkgs = import (builtins.fetchTarball { + # url = "https://github.com/NixOS/nixpkgs/archive/e6377ff35544226392b49fa2cf05590f9f0c4b43.tar.gz"; + # sha256 = "1fra9wwy5gvj5ibayqkzqpwdf715bggc0qbmrfch4fghwvl5m70l"; + # }) {}; + pkgs = import {}; + + etcdNodes = { + c0-0 = "10.255.240.200"; + c0-1 = "10.255.240.201"; + }; + + etcdCluster = { + enable = true; + existing = false; + nodes = etcdNodes; + }; + + nodes = + with builtins; + let nodes = genList (n: n + 1) 1; in + map (n: ({ name = "c0-${toString n}"; address = "10.255.240.20${toString n}"; })) nodes; + + ekman = { + # deployment.tags = [ "frontend" ]; + node.myvnc = true; + + systemd.targets = { + sleep.enable = false; + suspend.enable = false; + hibernate.enable = false; + hybrid-sleep.enable = false; + }; + + features = { + host = { + address = "10.255.240.200"; + name = "c0-0"; + }; + + os = { + externalInterface = "eno1"; + nfs.enable = true; + nfs.exports = '' + /exports 10.255.240.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) + /exports 10.255.241.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) + ''; + }; + + hpc = { + slurm.server = true; + frontend = true; + }; + + k8s = { + master.enable = true; + node.enable = true; + inherit nodes; + inherit etcdCluster; + }; + + monitoring = { + server = { + enable = false; + scrapeHosts = [ "frontend" "bee0-0" ] ++ (builtins.map (x: x.name) nodes); + defaultAlertReceiver = { + email_configs = [ + { to = "jonas.juselius@oceanbox.io"; } + ]; + }; + pageAlertReceiver = { + webhook_configs = [ + { + url = "https://prometheus-msteams.k2.itpartner.no/ekman"; + http_config = { + tls_config = { insecure_skip_verify = true; }; + }; + } + ]; + }; + }; + webUI.enable = false; + webUI.acmeEmail = "innovasjon@itpartner.no"; + webUI.allow = [ + "10.1.2.0/24" + "172.19.254.0/24" + "172.19.255.0/24" + ]; + infiniband-exporter = { + enable = 
true; + nameMap = '' + 0x0c42a10300ddc4bc "frontend" + 0x0c42a10300dbe7f4 "c0-1" + ''; + }; + slurm-exporter = { + enable = true; + port = 6080; + }; + }; + }; + + networking = { + useDHCP = false; + interfaces.enp33s0f0np0 = { + useDHCP = false; + ipv4.addresses = [ { + address = "10.255.240.200"; + prefixLength = 24; + } ]; + }; + # interfaces.enp33s0f0np1 = { + # useDHCP = false; + # ipv4.addresses = [ { + # address = "10.1.61.100"; + # prefixLength = 24; + # } ]; + # }; + # interfaces.ibp59s0 = { + # useDHCP = false; + # ipv4.addresses = [ { + # address = "10.255.241.200"; + # prefixLength = 24; + # } ]; + }; + defaultGateway = "10.255.240.1"; + firewall.extraCommands = '' + iptables -I INPUT -s 10.255.241.0/24 -j ACCEPT + iptables -t nat -A POSTROUTING -s 10.255.241.0/24 -j MASQUERADE + ''; + }; + + fileSystems ={ + "/exports/home" = { + device = "/home"; + options = [ "bind" ]; + }; + "/frontend" = { + device = "/home"; + options = [ "bind" ]; + }; + # "/opt" = { + # device = "10.255.63.80:/opt"; + # fsType = "nfs"; + # options = [ "soft" "rdma" "defaults" ]; + # }; + # "/data" = { + # device = "10.255.63.80:/data"; + # fsType = "nfs"; + # options = [ "soft" "rdma" "defaults" ]; + # }; + # "/vol/local-storage/vol1" = { + # device = "/vol/vol1"; + # options = [ "bind" ]; + # }; + # "/vol/local-storage/vol2" = { + # device = "/vol/vol2"; + # options = [ "bind" ]; + # }; + }; + + nix.extraOptions = '' + secret-key-files = /etc/nix/ekman.private + ''; + + services.xserver = { + enable = true; + enableCtrlAltBackspace = true; + layout = "us"; + xkbVariant = "altgr-intl"; + xkbOptions = "eurosign:e"; + displayManager = { + gdm.enable = true; + job.logToFile = true; + }; + desktopManager.xfce.enable = true; + }; + + services.prometheus.alertmanager.configuration.global = { + smtp_smarthost = "smtpgw.itpartner.no:465"; + smtp_auth_username = "utvikling"; + smtp_auth_password = "S0m3rp0m@de#21!"; + smtp_hello = "ekman.oceanbox.io"; + smtp_from = 
"noreply@ekman.oceanbox.io"; + }; + + # services.nginx = { + # virtualHosts = { + # "ds.matnoc.regnekraft.io" = { + # forceSSL = true; + # enableACME = true; + # serverAliases = []; + # locations."/" = { + # proxyPass = "http://localhost:9088"; + # proxyWebsockets = false; + # extraConfig = '' + # allow 10.1.2.0/24; + # allow 172.19.254.0/24; + # allow 172.19.255.0/24; + # deny all; + # ''; + # }; + # }; + # }; + # }; + + # services.gitlab-runner = { + # enable = true; + # extraPackages = with pkgs; [ + # singularity + # ]; + # concurrent = 4; + # services = { + # sif = { + # registrationConfigFile = "/var/lib/secrets/gitlab-runner-registration"; + # executor = "shell"; + # tagList = [ "ekman" "sif" ]; + # }; + # }; + # }; + + # security.sudo.extraConfig = '' + # gitlab-runner ALL=(ALL) NOPASSWD: /run/current-system/sw/bin/singularity + # ''; + + security.pam = { + services.sshd.googleAuthenticator.enable = true; + loginLimits = [ + { + domain = "@users"; + item = "rss"; + type = "hard"; + value = 16000000; + } + { + domain = "@users"; + item = "cpu"; + type = "hard"; + value = 180; + } + ]; + }; + + # ssh-rsa is deprecated, but putty/winscp users use it + # services.openssh.extraConfig = '' + # pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 + # ''; + + imports = [ ./cluster.nix ./hw/frontend.nix ]; + }; + + compute = { + # deployment.tags = [ "compute" ]; + + fileSystems = { + "/frontend" = { + device = "10.255.240.200:/home"; + fsType = "nfs"; + options = [ + "soft" + "defaults" + "noauto" + "x-systemd.automount" + ]; + 
}; + # "/opt" = { + # device = "10.1.63.80:/opt"; + # fsType = "nfs"; + # options = [ "soft" "rdma" "defaults" ]; + # }; + # "/data" = { + # device = "10.1.63.80:/data"; + # fsType = "nfs"; + # options = [ "soft" "rdma" "defaults" ]; + # }; + }; + + systemd.automounts = [ + { + where = "/frontend"; + wantedBy = [ "default.target" ]; + } + ]; + }; + + mkCompute = host: + let + ipoib = builtins.replaceStrings [".240."] [".241."] host.address; + hw = ./hw + "/${host.name}.nix"; + in { + "${host.name}" = { + features = { + inherit host; + os.externalInterface = "enp33s0f0np0"; + hpc.compute = true; + k8s = { inherit etcdCluster; }; + }; + + node = { + i40efix = true; + }; + + networking = { + useDHCP = false; + interfaces.enp33s0f0np0 = { + useDHCP = false; + ipv4.addresses = [ { + address = host.address; + prefixLength = 24; + } ]; + # ipv4.routes = [ { + # address = "10.1.62.2"; + # prefixLength = 32; + # via = "10.1.61.100"; + # } ]; + + }; + # interfaces.ibp65s0 = { + # useDHCP = false; + # ipv4.addresses = [ { + # address = ipoib; + # prefixLength = 24; + # } ]; + # }; + }; + imports = [ ./cluster.nix hw ]; + } + // compute; +}; +in { + ## morph + # network = { + # inherit pkgs; + # description = "ekman"; + # ordering = { + # tags = [ "frontend" "compute" ]; + # }; + # }; + + inherit ekman; +} // builtins.foldl' (a: n: a // mkCompute n) {} nodes + diff --git a/clusters/ekman/hosts.nix b/clusters/ekman/hosts.nix new file mode 100644 index 0000000..ccfc6dc --- /dev/null +++ b/clusters/ekman/hosts.nix @@ -0,0 +1,10 @@ +'' + 10.255.240.200 frontend frontend.local c0-0 ekman ekman.oceanbox.io + 10.255.240.201 c0-1 c0-1.local + + # 10.1.61.80 bee0-0 bee0-0.local + + # 10.1.63.101 ib0-1 ib0-1.local + + # 10.1.63.80 ibmds0-0 ibmds0-0.local +'' diff --git a/clusters/ekman/hw/c0-1.nix b/clusters/ekman/hw/c0-1.nix new file mode 100644 index 0000000..e1eceaf --- /dev/null +++ b/clusters/ekman/hw/c0-1.nix 
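Review bot: Both `/exports` lines in `nfs.exports` combine `no_root_squash`, `insecure` and `rw` for a whole /24, so root on any client in 10.255.240.0/24 or 10.255.241.0/24 acts as root on the exported tree (which includes the bind-mounted `/home`), and `insecure` also accepts requests from unprivileged source ports. Unless a compute node needs root access over NFS, drop both options and name the clients instead of the subnets, e.g. `/exports 10.255.240.201(rw,sync,no_subtree_check,crossmnt,fsid=0)`. In the same hunk, the `};` that follows the commented-out `interfaces.ibp59s0` block is itself not commented, so it appears to close `networking` before `defaultGateway` and `firewall.extraCommands` and to leave the braces of `ekman` unbalanced. `insecure_skip_verify = true` on the Teams webhook turns off certificate verification for alert delivery and should be replaced by trusting the issuing CA.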
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/102a2e89-1ffb-4f8b-810e-b742b6f9da98"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/54C4-7983"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/29ba5bab-0777-4ac1-96af-3952e28d570c"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp33s0f0np0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp33s0f1np1.useDHCP = lib.mkDefault true; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/clusters/ekman/hw/frontend.nix b/clusters/ekman/hw/frontend.nix new file mode 100644 index 0000000..08c97b3 --- /dev/null +++ b/clusters/ekman/hw/frontend.nix 
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e19cbe18-e194-47f6-8eb5-c60b5be1bb7a"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/6A07-053A"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/2100e403-0dff-4314-b85a-cad99820aacf"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp33s0f0np0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp33s0f1np1.useDHCP = lib.mkDefault true; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/clusters/ekman/kernel.nix b/clusters/ekman/kernel.nix new file mode 100644 index 0000000..f865667 --- /dev/null +++ b/clusters/ekman/kernel.nix 
@@ -0,0 +1,46 @@ +{pkgs, lib, stdenv, fetchurl, config, kernel ? pkgs.linux, ...}: +let + i40e = + stdenv.mkDerivation rec { + name = "i40e-${version}-${kernel.version}"; + version = "2.13.10"; + + src = pkgs.fetchFromGitHub { + owner = "dmarion"; + repo = "i40e"; + rev = "7228a7c3b362c3170baa2f9a9c6870a900e78dbd"; + sha256 = "087kvq9wrc1iw6vig8cqcx7cb6346wx8qxzb85c3n8638vq1vrxr"; + }; + + hardeningDisable = [ "pic" ]; + + configurePhase = '' + cd src + kernel_version=${kernel.modDirVersion} + sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' Makefile + sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' common.mk + export makeFlags="BUILD_KERNEL=$kernel_version" + ''; + + installPhase = '' + install -v -D -m 644 i40e.ko "$out/lib/modules/$kernel_version/kernel/drivers/net/i40e/i40e2.ko" + ''; + + dontStrip = true; + + enableParallelBuilding = true; + + meta = { + description = "Linux kernel drivers for Intel Ethernet adapters and LOMs (LAN On Motherboard)"; + homepage = https://github.com/dmarion/i40e; + license = lib.licenses.gpl2; + }; + }; +in +{ + i40e2 = i40e; + overlay = self: super: { + linuxPackages_5_4 = super.linuxPackages_5_4 // { inherit i40e; }; + }; +} + diff --git a/clusters/ekman/munge.key b/clusters/ekman/munge.key new file mode 100644 index 0000000..0aeca32 --- /dev/null +++ b/clusters/ekman/munge.key @@ -0,0 +1,2 @@ +/ik/|RER$Qfj5rdС7{99TۛiČ,Ќh8tv:%T +|ȴΕV00w|Ϯ|_Y{3L_!F1Td&F7BR \ No newline at end of file diff --git a/clusters/ekman/pubkeys/c0-1.pub b/clusters/ekman/pubkeys/c0-1.pub new file mode 100644 index 0000000..41e42c2 --- /dev/null +++ b/clusters/ekman/pubkeys/c0-1.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@OBNODE01 diff --git a/clusters/ekman/pubkeys/ekman.pub b/clusters/ekman/pubkeys/ekman.pub new file mode 100644 index 0000000..0a83062 --- /dev/null +++ b/clusters/ekman/pubkeys/ekman.pub 
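Review bot: Nothing in kernel.nix says why an out-of-tree i40e build from the third-party repository `dmarion/i40e` is needed or how `version = "2.13.10"` relates to the pinned `rev`, which is what a maintainer has to know before bumping the kernel. The `rev` plus `sha256` pin fixes the fetched content, so this is a documentation point: add a header comment such as `# i40e 2.13.10 built from dmarion/i40e@7228a7c for <reason>; re-check against the in-kernel driver when kernelPackages changes`. In the files shown, the only reference to this derivation is the commented-out `kernelExtras` block in cluster.nix, so it is currently not built. `homepage` uses an unquoted URL literal, which is deprecated in Nix; write it as a quoted string.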
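Review bot: clusters/ekman/munge.key is the MUNGE shared secret that the Slurm hosts use to authenticate one another and their users, and adding it to the repository hands the key to everyone with read access; `mungeKey = ./munge.key` in cluster.nix then presumably copies it into the Nix store as well. Regenerate the key, remove this file from the tree and its history, and have the module take the path of a root-only file provisioned on each host outside the store. The key is binary but is carried here as a two-line text hunk, so the committed bytes may not match the original; if key material has to be tracked at all, store it encrypted.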
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCySwxKuwdqn+jaEi73BPSFslUoLW2St3FKZ1iojQa7H73SZDWQGCyyR9bwmMpjWUCXt/7aZmljF78MF9t/dE/ZJAQfxYv/rt6QCYDWLZBalyNQ2X3R7U2WNlZPF3KwnxnmOJOPCDKnHrbsGaUG7z6oERaCSgngY8haOVsHJIo55gpjBCkAT/WhvFQ4vcaECuJWVg619lebDVTAVNZDdI7I8KzezMOSX+dH1Z/nr90pq54ZunK5RmaMuYo7tb/PeD3T1/cbK8PUyZsx29iih8PtOwoIkeIaszvrk1BeJmFkhfUyuXZp3/a2BlZ01pIIf2RVpimsqCuk4vYw3OB8MQZDihBniYaNjvogsl7VGoVfGiJHb1az3P8NUYDl0kn7MaNJC5Mboaqj9DCDTAht6mTl3qLkDvpMnIAbxxRCNwqSxhfUvOZJRVe3qKWeKfggOeAWFwxy/Ij3EpiD5eiA/PnuZEA0iuJ+EPEbjJdlcUxy9ZjGgn3t0f5VygMV9E6v9fVF+79ocWqyuugwO/4WTWC/jqq5dfujNfsQ3QZ+wfsyuyZsDiCsqdk0GS3sE7ngy4aDs4G4qdkzB0USFaydv7R/Rbvsy2sLwivB+pLboVrnAVtDIlHuaKtMR1De/K9G4vvjEQ89T4Os3bMwkMY15HnEX5mO5vARnnz+VfGcKCbIIQ== root@OBNODE02
diff --git a/clusters/ekman/users.nix b/clusters/ekman/users.nix
new file mode 100644
index 0000000..e16f322
--- /dev/null
+++ b/clusters/ekman/users.nix
@@ -0,0 +1,154 @@
+{ pkgs, ... }:
+{
+ users.groups = {
+ admin = { gid = 10000; };
+ jonas = { gid = 1000; };
+ olean = { gid = 1001; };
+ frankgaa = { gid = 1002; };
+ bast = { gid = 1003; };
+ stig = { gid = 1004; };
+
+ sif = {
+ gid = 11000;
+ members = [
+ "jonas"
+ "olean"
+ "bast"
+ "frankgaa"
+ "stig"
+ ];
+ };
+ };
+
+ users.users = {
+ admin = {
+ description = "Administrator";
+ home = "/home/admin";
+ group = "admin";
+ extraGroups = [
+ "users"
+ "wheel"
+ "root"
+ "adm"
+ "admin"
+ "cdrom"
+ "fuse"
+ "wireshark"
+ "libvirtd"
+ "networkmanager"
+ "tty"
+ "keys"
+ ];
+ uid = 10000;
+ isNormalUser = true;
+ createHome = false;
+ useDefaultShell = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 jonas.juselius@juselius.io"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
+ ];
+ };
+
+ jonas = {
+ description = "Jonas Juselius";
+ home = "/home/jonas";
+ group = "jonas";
+ extraGroups = [
+ "users"
+ "wheel"
+ "root"
+ "adm"
+ "admin"
+ "cdrom"
+ "fuse"
+ "wireshark"
+ "libvirtd"
+ "networkmanager"
+ "tty"
+ "keys"
+ ];
+ uid = 1000;
+ isNormalUser = true;
+ createHome = false;
+ useDefaultShell = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 jonas.juselius@juselius.io"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
+ ];
+ };
+
+ olean = {
+ description = "Ole Anders Nøst";
+ home = "/home/olean";
+ group = "olean";
+ extraGroups = [
+ "users"
+ ];
+ uid = 1001;
+ isNormalUser = true;
+ createHome = false;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAlfc2r3mNkvmdta+H/5zfdFe6317zmCdhhPYbipaGVFPUZO2cCTgSso28oDvOpCDldo/wl3jUxYNDlwH8LYMqKT3aGaOZr8JbxYzd+L+5GM2KTD+4YRmPtpYS/LWcc3j+fiFXSgX6Mrrgf6ineCRuBxSooDVE+pBakM1U7d5NE25apaAvclzFTmZBg0Sf9e5sgHkR99r9DUeGEQWGNZVUGwti39dFVp+aC9dsA+1/OtNB/HMF5G1MMk9dqvN7n7i9o9Plef2DParn4QU1GhmUKeEiBe4OAmSP+WwD4YvK6iXSKZG6tuTEspw+mR3rK5gBHrEiaNlCtp7O9BnAw4Wjhw== rsa-key-20201218"
+ "ssh-rsa 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 olean@navier"
+ ];
+ };
+
+ frankgaa = {
+ description = "Frank Gaardsted";
+ home = "/home/frankgaa";
+ group = "frankgaa";
+ extraGroups = [
+ "users"
+ ];
+ uid = 1002;
+ isNormalUser = true;
+ createHome = false;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTq/IAtLkvHaPKTsp5U9YnhBj7PLFflS9vWpm5e/bFXQkSShkqUOktff1GITIN+RTpUS8zF9UkJA8fj5K382DhIn4jVb9HvQzmHNBTxU5ClpOuKhfibrts5IKMLAiN1enwZYu0iUIVfDKTYmqgAnjN8B6OyzIAB8bsBUMdN29PEwJT4cCVRRySLRfoWiXiZKow71FzXIACgxMwGhj2fpslKQoat2LGny03XR7EZrv36u1OktT28Gxf4ZrGpT9+3SAyf7aW20xHALU/dHXVsfsuqnoqw1InZ5VhvIVtoIj+5Vc5dkTXkychL0Hb+WxiH5O/3T18YUqes08UPZX5G9kB fga@akvaplan.niva.no"
+ "ssh-rsa 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 frankgaa@frankenstein"
+ ];
+ };
+
+ bast = {
+ description = "Radovan Bast";
+ home = "/home/bast";
+ group = "bast";
+ extraGroups = [
+ "users"
+ "wheel"
+ "root"
+ ];
+ uid = 1003;
+ isNormalUser = true;
+ createHome = false;
+ useDefaultShell = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEg6tHlB5xco85d4XJja71hz1nEe9wFF1+ht8oKULkwh"
+ ];
+ };
+
+ stig = {
+ description = "Stig Rune Jensen";
+ home = "/home/stig";
+ group = "stig";
+ extraGroups = [
+ "users"
+ "wheel"
+ "root"
+ ];
+ uid = 1004;
+ isNormalUser = true;
+ createHome = false;
+ useDefaultShell = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ ];
+ };
+ };
+
+}
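Review bot: `admin`, `jonas`, `bast` and `stig` list `"root"` in `extraGroups` next to `"wheel"`, which puts those accounts in gid 0 and gives them whatever root-group file permissions allow without going through sudo; cluster.nix additionally makes `@wheel` a Nix trusted user, so `wheel` alone is already a broad grant. Unless something depends on gid 0 membership, remove `"root"` from all four lists so that privileged access is obtained through sudo only. `stig` is created in `wheel` with an empty `openssh.authorizedKeys.keys`, so how that account authenticates is not defined by this file; either add the key or keep the account out of `wheel` until it has one, and say which in a comment. `admin` and `jonas` carry the same two keys, which makes the shared `admin` account indistinguishable from the personal one in SSH logs.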