diff --git a/nixops/nfs0/default.nix b/nixops/nfs0/default.nix
new file mode 100644
index 0000000..e82f25b
--- /dev/null
+++ b/nixops/nfs0/default.nix
@@ -0,0 +1,165 @@
+let
+ # Pin the deployment package-set to a specific version of nixpkgs
+ # pkgs = import (builtins.fetchTarball {
+ # url = "https://github.com/NixOS/nixpkgs/archive/e9148dc1c30e02aae80cc52f68ceb37b772066f3.tar.gz";
+ # sha256 = "1ckzhh24mgz6jd1xhfgx0i9mijk6xjqxwsshnvq789xsavrmsc36";
+ # }) {};
+ pkgs = import {};
+ name = "nfs0";
+ address = "10.255.241.80";
+in {
+ nfs0 = { config, pkgs, ... }: with pkgs; {
+ # deployment.tags = [ "fs" ];
+ deployment.targetHost = address;
+ system.autoUpgrade.enable = lib.mkForce false;
+
+ systemd.targets = {
+ sleep.enable = false;
+ suspend.enable = false;
+ hibernate.enable = false;
+ hybrid-sleep.enable = false;
+ };
+
+ environment.etc = {
+ "minio/rootcredentials" = {
+ text = ''
+ accessKey="admin"
+ secretKey="en to tre fire"
+ '';
+ mode = "600";
+ uid = 280;
+ };
+ };
+
+ cluster = {
+ k8sNode = true;
+ };
+
+ features = {
+ host = {
+ inherit address;
+ inherit name;
+ };
+
+ os = {
+ externalInterface = "enp33s0f3np3";
+ nfs.enable = true;
+ nfs.exports = ''
+ /exports 10.255.241.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
+ /exports 10.255.243.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
+ '';
+ };
+
+ certs = {
+ enable = true;
+ caBundle = ./ca;
+ certs = [
+ {
+ name = name;
+ SANs = [ "${name}.cluster.local" address ];
+ owner = "nginx";
+ group = "nginx";
+ }
+ ];
+ };
+ };
+
+ system.activationScripts = {
+ kernel.text = ''
+ if [ -e /sys/block/md126 ]; then
+ echo "deadline" > /sys/block/md126/queue/scheduler
+ # echo "4096" > /sys/block/md126/queue/nr_requests
+ echo "4096" > /sys/block/md126/queue/read_ahead_kb
+ echo "always" > /sys/kernel/mm/transparent_hugepage/enabled
+ echo "always" > /sys/kernel/mm/transparent_hugepage/defrag
+ fi
+ grep -q rdma /proc/fs/nfsd/portlist
+ [ $? != 0 ] && echo "rdma 20049" > /proc/fs/nfsd/portlist
+ '';
+ };
+
+ boot.kernel.sysctl = {
+ "vm.dirty_background_ratio" = 5;
+ "vm.dirty_ratio" = 10;
+ "vm.vfs_cache_pressure" = 50;
+ "vm.min_free_kbytes" = 262144;
+ };
+
+ services.minio = {
+ enable = true;
+ region = "store1";
+ browser = true;
+ rootCredentialsFile = "/etc/minio/rootcredentials";
+ listenAddress = "0.0.0.0:9000";
+ dataDir = [ "/data/s3" ];
+ };
+
+ networking = {
+ hostName = name;
+ interfaces.enp33s0f3np3 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = address;
+ prefixLength = 24;
+ } ];
+ };
+ interfaces.ibp65s0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = "10.255.243.80";
+ prefixLength = 24;
+ } ];
+ };
+ firewall = {
+ allowedTCPPorts = [ 443 9000 9001 ];
+ allowedUDPPorts = [];
+ extraCommands = ''
+ iptables -I INPUT -s 10.255.243.0/24 -j ACCEPT
+ iptables -t nat -A POSTROUTING -s 10.255.243.0/24 -j MASQUERADE
+ '';
+ };
+ };
+
+ # services.nginx = {
+ # enable = true;
+ # statusPage = true;
+ # virtualHosts = {
+ # "s3ui.oceanbox.io" = {
+ # forceSSL = true;
+ # enableACME = false;
+ # sslTrustedCertificate = "/var/lib/secrets/ca.pem";
+ # sslCertificate = "/var/lib/secrets/s3.pem";
+ # sslCertificateKey = "/var/lib/secrets/s3-key.pem";
+ # serverAliases = [];
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:9001";
+ # extraConfig = ''
+ # allow all;
+ # '';
+ # };
+ # };
+
+ # };
+ # };
+
+ fileSystems = {
+ "/exports/data" = {
+ device = "/data";
+ options = [ "bind" ];
+ };
+ "/exports/opt" = {
+ device = "/opt";
+ options = [ "bind" ];
+ };
+ "/vol/local-storage/vol1" = {
+ device = "/vol/vol1";
+ options = [ "bind" ];
+ };
+ };
+
+ imports = [
+ ../ekman/cluster.nix
+ ./hardware-configuration.nix
+ ];
+ };
+}
diff --git a/nixops/nfs0/hardware-configuration.nix b/nixops/nfs0/hardware-configuration.nix
new file mode 100644
index 0000000..0570a03
--- /dev/null
+++ b/nixops/nfs0/hardware-configuration.nix
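Review bot: The MinIO root credentials are supplied through `environment.etc."minio/rootcredentials".text`, so the secret key is built into a world-readable Nix store path and also lives in the deployment repository; the `mode = "600"` only protects the copy under /etc. With nixops the file should be delivered out of band, e.g. `deployment.keys."minio-rootcredentials".keyFile = ./secrets/minio-rootcredentials;` together with `services.minio.rootCredentialsFile = "/run/keys/minio-rootcredentials";` (with the key's `user`/`permissions` matching the minio service), keeping the secret file itself out of version control. The `iptables -I INPUT ... -j ACCEPT` and MASQUERADE rules in `networking.firewall.extraCommands` have no matching `extraStopCommands`, so they are not removed when the firewall unit stops and will accumulate duplicates across reloads. The `nfs.exports` entries grant `no_root_squash` and `insecure` to both /24s, which lets any host on those subnets act as root on the exported tree; if that is intended for the k8s nodes, a one-line comment saying so would save the next reader a question. `pkgs = import {};` in the `let` is presumably `import <nixpkgs> {}` with the bracketed path lost in rendering, and that binding is in any case shadowed by the module's own `pkgs` argument, so it can likely be dropped.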
@@ -0,0 +1,55 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "megaraid_sas" "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/46dfa481-ccd4-4e4f-b1d7-6875d582f7cd";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F71C-0BD2";
+ fsType = "vfat";
+ };
+
+ fileSystems."/data" =
+ { device = "/dev/disk/by-uuid/126c5d04-5266-43e8-887d-740d5944cb2b";
+ fsType = "xfs";
+ options = [
+ "noatime"
+ "nodiratime"
+ "logbufs=8"
+ "logbsize=256k"
+ "largeio"
+ "inode64"
+ "swalloc"
+ "allocsize=131072k"
+ ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp33s0f0np0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp33s0f1np1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp33s0f2np2.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp33s0f3np3.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}