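# NixOS module for the host "stokes" (see networking.hostName below).
#
# It sets project-level `features.*` / `node.*` options (presumably declared by
# the imported ./nixops/stokes/cluster.nix -- confirm) and a number of plain
# NixOS options: networking, bind mounts, X11, Alertmanager SMTP settings,
# an nginx reverse proxy, PAM limits and sshd key algorithms.
#
# SECURITY: everything written in this file ends up in the world-readable
# /nix/store and in version control. Secrets must be referenced by an
# out-of-store path (as a string, not a Nix path literal), never inlined.
{ pkgs, ...}:
let
  nodes = import ./nixops/stokes/nodes.nix;

  # PLACEHOLDER path -- point this at wherever the deployment provisions
  # secrets (the directory mirrors the /var/lib/secrets location used by the
  # commented-out gitlab-runner block below). The file must exist on the host,
  # be readable by root only, and contain a line of the form
  #   SMTP_AUTH_PASSWORD=<secret>
  # Kept as a string so Nix does not copy the file into the store.
  alertmanagerEnvFile = "/var/lib/secrets/alertmanager.env";
in
{
  # deployment.tags = [ "frontend" ];
  node.myvnc = true;

  # Never let this machine sleep, suspend or hibernate.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  features = {
    host = {
      address = "10.1.62.2";
      name = "c0-0";
    };

    os = {
      externalInterface = "eno1";
      nfs.enable = true;
      # SECURITY(review): `no_root_squash` lets root on any client in these
      # subnets act as root on the exported tree, and `insecure` accepts
      # requests from unprivileged source ports. Both are kept as the author
      # set them; confirm they are required, otherwise drop them so the
      # exports(5) defaults (root_squash, secure) apply.
      nfs.exports = ''
        /exports 10.1.61.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
        /exports 10.1.63.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
      '';
    };

    hpc = {
      slurm.server = true;
      frontend = true;
    };

    k8s = {
      master.enable = true;
      node.enable = true;
      inherit nodes;
    };

    monitoring = {
      server = {
        enable = false;
        # Two fixed hosts plus the name of every entry in nodes.nix.
        scrapeHosts = [ "frontend" "mds0-0" ] ++ (builtins.map (x: x.name) nodes);
        defaultAlertReceiver = {
          email_configs = [
            { to = "jonas.juselius@tromso.serit.no"; }
          ];
        };
        pageAlertReceiver = {
          webhook_configs = [
            {
              url = "https://prometheus-msteams.k2.itpartner.no/stokes";
              http_config = {
                # SECURITY(review): certificate verification is disabled, so
                # the webhook endpoint is not authenticated and alert payloads
                # can be intercepted by anyone able to impersonate that host.
                # Prefer trusting the issuing CA (tls_config.ca_file) and
                # removing this flag.
                tls_config = { insecure_skip_verify = true; };
              };
            }
          ];
        };
      };
      webUI.enable = false;
      webUI.acmeEmail = "innovasjon@itpartner.no";
      webUI.allow = [ "10.1.2.0/24" "172.19.254.0/24" "172.19.255.0/24" ];
      infiniband-exporter = {
        enable = true;
        # Hex identifier -> host name pairs, passed through verbatim.
        nameMap = ''
          0x0c42a10300ddc4bc "frontend"
          0x1c34da0300787798 "mds0-0"
          0x0c42a10300dbe7f4 "c0-1"
          0x0c42a10300dbe7d8 "c0-2"
          0x0c42a10300dbe800 "c0-3"
          0x0c42a10300dbec80 "c0-4"
          0x0c42a10300dbea50 "c0-5"
          0x0c42a10300dbeb2c "c0-6"
          0x0c42a10300dbe7fc "c0-7"
          0x0c42a10300dbe5a0 "c0-8"
        '';
      };
      slurm-exporter = {
        enable = true;
        port = 6080;
      };
    };
  };

  # services.udev.extraRules = ''
  #   KERNEL=="ibp59s0", SUBSYSTEM=="net", ATTR{create_child}:="0x2222"
  # '';

  networking = {
    hostName = "stokes";
    useDHCP = false;
    interfaces.eno1 = {
      useDHCP = false;
      ipv4.addresses = [ {
        address = "10.1.62.2";
        prefixLength = 24;
      } ];
    };
    interfaces.enp175s0f0 = {
      useDHCP = false;
      ipv4.addresses = [ {
        address = "10.1.61.100";
        prefixLength = 24;
      } ];
    };
    interfaces.ibp59s0 = {
      useDHCP = false;
      ipv4.addresses = [ {
        address = "10.1.63.100";
        prefixLength = 24;
      } ];
    };
    defaultGateway = "10.1.62.1";
    # SECURITY(review): the first rule accepts *all* inbound traffic from
    # 10.1.63.0/24, bypassing every other firewall rule for that subnet; the
    # second NATs that subnet's outbound traffic through this host. Narrow the
    # ACCEPT to the ports actually needed if the subnet is not fully trusted.
    firewall.extraCommands = ''
      iptables -I INPUT -s 10.1.63.0/24 -j ACCEPT
      iptables -t nat -A POSTROUTING -s 10.1.63.0/24 -j MASQUERADE
    '';
  };

  # Bind mounts: /home is exposed under /exports/home and /stokes, and the two
  # /vol volumes under /vol/local-storage.
  fileSystems = {
    "/exports/home" = {
      device = "/home";
      options = [ "bind" ];
    };
    "/stokes" = {
      device = "/home";
      options = [ "bind" ];
    };
    "/vol/local-storage/vol1" = {
      device = "/vol/vol1";
      options = [ "bind" ];
    };
    "/vol/local-storage/vol2" = {
      device = "/vol/vol2";
      options = [ "bind" ];
    };
  };

  # Only the *path* of the key is recorded here; the key file itself lives
  # outside the store and should be readable by root only.
  nix.extraOptions = ''
    secret-key-files = /etc/nix/stokes.private
  '';

  services.xserver = {
    enable = true;
    enableCtrlAltBackspace = true;
    layout = "us";
    xkbVariant = "altgr-intl";
    xkbOptions = "eurosign:e";
    displayManager = {
      gdm.enable = true;
      job.logToFile = true;
    };
    desktopManager.xfce.enable = true;
  };

  services.prometheus.alertmanager = {
    # SECURITY: the SMTP password used to be written inline here, which put it
    # in the world-readable Nix store and in the repository history. It is now
    # injected at service start: the NixOS module runs envsubst over the
    # generated config with the variables from `environmentFile`.
    # The previously committed password must be treated as exposed and rotated.
    environmentFile = alertmanagerEnvFile;

    configuration.global = {
      smtp_smarthost = "smtpgw.itpartner.no:465";
      smtp_auth_username = "utvikling";
      # Literal "$SMTP_AUTH_PASSWORD" (no Nix interpolation); replaced by
      # envsubst when the unit starts.
      smtp_auth_password = "$SMTP_AUTH_PASSWORD";
      smtp_hello = "stokes.regnekraft.io";
      smtp_from = "noreply@stokes.regnekraft.io";
    };
  };

  services.nginx = {
    virtualHosts = {
      "ds.matnoc.regnekraft.io" = {
        forceSSL = true;
        enableACME = true;
        serverAliases = [];
        locations."/" = {
          proxyPass = "http://localhost:9088";
          proxyWebsockets = false;
          # Source-address allow-list; everything else is rejected. This is
          # the only access control visible here for the proxied service.
          extraConfig = ''
            allow 10.1.2.0/24;
            allow 172.19.254.0/24;
            allow 172.19.255.0/24;
            deny all;
          '';
        };
      };
    };
  };

  # services.gitlab-runner = {
  #   enable = true;
  #   extraPackages = with pkgs; [
  #     singularity
  #   ];
  #   concurrent = 4;
  #   services = {
  #     sif = {
  #       registrationConfigFile = "/var/lib/secrets/gitlab-runner-registration";
  #       executor = "shell";
  #       tagList = [ "stokes" "sif" ];
  #     };
  #   };
  # };

  # security.sudo.extraConfig = ''
  #   gitlab-runner ALL=(ALL) NOPASSWD: /run/current-system/sw/bin/singularity
  # '';

  security.pam = {
    # Adds the Google Authenticator (TOTP) PAM module to the sshd PAM stack.
    services.sshd.googleAuthenticator.enable = true;
    # Hard per-user limits for members of the "users" group. Per
    # limits.conf(5), `rss` is in KB and `cpu` is in minutes.
    # NOTE(review): limits.conf(5) documents `rss` as ignored by Linux 2.4.30
    # and later, so the first entry likely has no effect -- confirm, and use
    # cgroup/slurm memory limits if a real cap is intended.
    loginLimits = [
      {
        domain = "@users";
        item = "rss";
        type = "hard";
        value = 16000000;
      }
      {
        domain = "@users";
        item = "cpu";
        type = "hard";
        value = 180;
      }
    ];
  };

  # ssh-rsa is deprecated, but putty/winscp users use it
  # SECURITY(review): `ssh-rsa` means RSA signatures over SHA-1. The list
  # already offers rsa-sha2-256/512, which work with the same RSA keys; once
  # the remaining clients are upgraded to releases that support them, remove
  # the leading `ssh-rsa` entry.
  services.openssh.extraConfig = ''
    pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
  '';

  imports = [ ./nixops/stokes/cluster.nix ./hardware-configuration.nix ];
}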