stub setup for new ekman cluster

2022-08-12 11:29:33 +02:00
parent 1932e0acf0
commit 4e30572bde
10 changed files with 904 additions and 0 deletions
--- a/clusters/ekman/default.nix
+++ b/clusters/ekman/default.nix
@@ -0,0 +1,343 @@
+let
+  # Pin the deployment package-set to a specific version of nixpkgs
+  # pkgs = import (builtins.fetchTarball {
+  #   url = "https://github.com/NixOS/nixpkgs/archive/e6377ff35544226392b49fa2cf05590f9f0c4b43.tar.gz";
+  #   sha256 = "1fra9wwy5gvj5ibayqkzqpwdf715bggc0qbmrfch4fghwvl5m70l";
+  # }) {};
+  pkgs = import <nixpkgs> {};
+
+  etcdNodes = {
+    c0-0 = "10.255.240.200";
+    c0-1 = "10.255.240.201";
+  };
+
+  etcdCluster = {
+    enable = true;
+    existing = false;
+    nodes = etcdNodes;
+  };
+
+  nodes =
+    with builtins;
+    let nodes = genList (n: n + 1) 1; in
+    map (n: ({ name = "c0-${toString n}"; address = "10.255.240.20${toString n}"; })) nodes;
+
+  ekman = {
+    # deployment.tags = [ "frontend" ];
+    node.myvnc = true;
+
+    systemd.targets = {
+      sleep.enable = false;
+      suspend.enable = false;
+      hibernate.enable = false;
+      hybrid-sleep.enable = false;
+    };
+
+    features = {
+      host = {
+        address = "10.255.240.200";
+        name = "c0-0";
+      };
+
+      os = {
+        externalInterface = "eno1";
+        nfs.enable = true;
+        nfs.exports = ''
+          /exports 10.255.240.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
+          /exports 10.255.241.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
+        '';
+      };
+
+      hpc = {
+        slurm.server = true;
+        frontend = true;
+      };
+
+      k8s = {
+        master.enable = true;
+        node.enable = true;
+        inherit nodes;
+        inherit etcdCluster;
+      };
+
+      monitoring = {
+        server = {
+          enable = false;
+          scrapeHosts = [ "frontend" "bee0-0" ] ++ (builtins.map (x: x.name) nodes);
+          defaultAlertReceiver = {
+            email_configs = [
+              { to = "jonas.juselius@oceanbox.io"; }
+            ];
+          };
+          pageAlertReceiver = {
+            webhook_configs = [
+              {
+                url = "https://prometheus-msteams.k2.itpartner.no/ekman";
+                http_config = {
+                  tls_config = { insecure_skip_verify = true; };
+                };
+              }
+            ];
+          };
+        };
+        webUI.enable = false;
+        webUI.acmeEmail = "innovasjon@itpartner.no";
+        webUI.allow = [
+            "10.1.2.0/24"
+            "172.19.254.0/24"
+            "172.19.255.0/24"
+        ];
+        infiniband-exporter = {
+          enable = true;
+          nameMap = ''
+            0x0c42a10300ddc4bc "frontend"
+            0x0c42a10300dbe7f4 "c0-1"
+          '';
+        };
+        slurm-exporter = {
+          enable = true;
+          port = 6080;
+        };
+      };
+    };
+
+    networking = {
+      useDHCP = false;
+      interfaces.enp33s0f0np0 = {
+        useDHCP = false;
+        ipv4.addresses = [ {
+          address = "10.255.240.200";
+          prefixLength = 24;
+        } ];
+      };
+      # interfaces.enp33s0f0np1 = {
+      #   useDHCP = false;
+      #   ipv4.addresses = [ {
+      #     address = "10.1.61.100";
+      #     prefixLength = 24;
+      #   } ];
+      # };
+      # interfaces.ibp59s0 = {
+      #   useDHCP = false;
+      #   ipv4.addresses = [ {
+      #     address = "10.255.241.200";
+      #     prefixLength = 24;
+      #   } ];
+      };
+      defaultGateway = "10.255.240.1";
+      firewall.extraCommands = ''
+        iptables -I INPUT -s 10.255.241.0/24 -j ACCEPT
+        iptables -t nat -A POSTROUTING -s 10.255.241.0/24 -j MASQUERADE
+      '';
+    };
+
+    fileSystems ={
+      "/exports/home" = {
+        device = "/home";
+        options = [ "bind" ];
+      };
+      "/frontend" = {
+        device = "/home";
+        options = [ "bind" ];
+      };
+      # "/opt" = {
+      #   device = "10.255.63.80:/opt";
+      #   fsType = "nfs";
+      #   options = [ "soft" "rdma" "defaults" ];
+      # };
+      # "/data" = {
+      #   device = "10.255.63.80:/data";
+      #   fsType = "nfs";
+      #   options = [ "soft" "rdma" "defaults" ];
+      # };
+      # "/vol/local-storage/vol1" = {
+      #   device = "/vol/vol1";
+      #   options = [ "bind" ];
+      # };
+      # "/vol/local-storage/vol2" = {
+      #   device = "/vol/vol2";
+      #   options = [ "bind" ];
+      # };
+    };
+
+    nix.extraOptions = ''
+      secret-key-files = /etc/nix/ekman.private
+    '';
+
+    services.xserver = {
+      enable = true;
+      enableCtrlAltBackspace = true;
+      layout = "us";
+      xkbVariant = "altgr-intl";
+      xkbOptions = "eurosign:e";
+      displayManager = {
+        gdm.enable = true;
+        job.logToFile = true;
+      };
+      desktopManager.xfce.enable = true;
+    };
+
+    services.prometheus.alertmanager.configuration.global = {
+        smtp_smarthost = "smtpgw.itpartner.no:465";
+        smtp_auth_username = "utvikling";
+        smtp_auth_password = "S0m3rp0m@de#21!";
+        smtp_hello = "ekman.oceanbox.io";
+        smtp_from = "noreply@ekman.oceanbox.io";
+    };
+
+    # services.nginx = {
+    #   virtualHosts = {
+    #     "ds.matnoc.regnekraft.io" = {
+    #       forceSSL = true;
+    #       enableACME = true;
+    #       serverAliases = [];
+    #       locations."/" = {
+    #         proxyPass = "http://localhost:9088";
+    #         proxyWebsockets = false;
+    #         extraConfig = ''
+    #           allow 10.1.2.0/24;
+    #           allow 172.19.254.0/24;
+    #           allow 172.19.255.0/24;
+    #           deny all;
+    #         '';
+    #       };
+    #     };
+    #   };
+    # };
+
+    # services.gitlab-runner = {
+    #   enable = true;
+    #   extraPackages = with pkgs; [
+    #     singularity
+    #   ];
+    #   concurrent = 4;
+    #   services = {
+    #     sif = {
+    #       registrationConfigFile = "/var/lib/secrets/gitlab-runner-registration";
+    #       executor = "shell";
+    #       tagList = [ "ekman" "sif" ];
+    #     };
+    #   };
+    # };
+
+    # security.sudo.extraConfig = ''
+    #   gitlab-runner ALL=(ALL) NOPASSWD: /run/current-system/sw/bin/singularity
+    # '';
+
+    security.pam = {
+      services.sshd.googleAuthenticator.enable = true;
+      loginLimits = [
+        {
+          domain = "@users";
+          item = "rss";
+          type = "hard";
+          value = 16000000;
+        }
+        {
+          domain = "@users";
+          item = "cpu";
+          type = "hard";
+          value = 180;
+        }
+      ];
+    };
+
+    # ssh-rsa is deprecated, but putty/winscp users use it
+    # services.openssh.extraConfig = ''
+    #   pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+    # '';
+
+    imports = [ ./cluster.nix ./hw/frontend.nix ];
+  };
+
+  compute = {
+    # deployment.tags = [ "compute" ];
+
+    fileSystems = {
+      "/frontend" = {
+        device = "10.255.240.200:/home";
+        fsType = "nfs";
+        options = [
+          "soft"
+          "defaults"
+          "noauto"
+          "x-systemd.automount"
+        ];
+      };
+      # "/opt" = {
+      #   device = "10.1.63.80:/opt";
+      #   fsType = "nfs";
+      #   options = [ "soft" "rdma" "defaults" ];
+      # };
+      # "/data" = {
+      #   device = "10.1.63.80:/data";
+      #   fsType = "nfs";
+      #   options = [ "soft" "rdma" "defaults" ];
+      # };
+    };
+
+    systemd.automounts = [
+      {
+        where = "/frontend";
+        wantedBy = [ "default.target" ];
+      }
+    ];
+  };
+
+  mkCompute = host:
+  let
+    ipoib = builtins.replaceStrings [".240."] [".241."] host.address;
+    hw = ./hw + "/${host.name}.nix";
+  in {
+    "${host.name}" = {
+      features = {
+        inherit host;
+        os.externalInterface = "enp33s0f0np0";
+        hpc.compute = true;
+        k8s = { inherit etcdCluster; };
+      };
+
+      node = {
+        i40efix = true;
+      };
+
+      networking = {
+        useDHCP = false;
+        interfaces.enp33s0f0np0 = {
+          useDHCP = false;
+          ipv4.addresses = [ {
+            address = host.address;
+            prefixLength = 24;
+          } ];
+          # ipv4.routes = [ {
+          #   address = "10.1.62.2";
+          #   prefixLength = 32;
+          #   via = "10.1.61.100";
+          # } ];
+
+        };
+        # interfaces.ibp65s0 = {
+        #   useDHCP = false;
+        #   ipv4.addresses = [ {
+        #     address = ipoib;
+        #     prefixLength = 24;
+        #   } ];
+        # };
+      };
+      imports = [ ./cluster.nix hw ];
+    }
+    // compute;
+};
+in {
+    ## morph
+    # network =  {
+    #   inherit pkgs;
+    #   description = "ekman";
+    #   ordering = {
+    #     tags = [ "frontend" "compute" ];
+    #   };
+    # };
+
+    inherit ekman;
+} // builtins.foldl' (a: n: a // mkCompute n) {} nodes
+