Commit files for public release

nixos-configurations/lindberg/README.md

@@ -0,0 +1,61 @@
+# Host: Lindberg
+
+## Operations {#_operations}
+
+Reboot requires passphrase (see pass `host/lindberg/hdd_luks`)
+
+``` bash
+ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
+```
+
+## Hardware
+
+- [Mainboard Manual](docs/X570Pro4-mainboard-manual.pdf)
+
+
+### Front / Back
+
+#### Front Overview
+
+![](docs/front_full.jpg)
+
+#### Front PCIE
+
+![](docs/front_pcie_overview.jpg)
+![](docs/front_pcie_ssd.jpg)
+
+#### Front Cables
+
+![](docs/front_cables.jpg)
+
+#### Back
+
+![](docs/back_overview.jpg)
+
+### HDDs
+
+![](docs/back_hdds.jpg)
+
+#### HDD (0)
+
+![](docs/hdd_0.jpg)
+
+#### HDD (1)
+
+![](docs/hdd_1.jpg)
+
+#### HDD (3)
+
+![](docs/hdd_3.jpg)
+
+#### zvtaa02h
+
+![](docs/hdd_zvtaa02h.jpg)
+
+#### zvtaeypl
+
+![](docs/hdd_zvtaeypl.jpg)
+
+### SSD left
+
+![](docs/ssd_1_left.jpg)

nixos-configurations/lindberg/applications/default.nix

@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [ ./loadbalancer.nix ];
+}

nixos-configurations/lindberg/applications/loadbalancer.nix

@@ -0,0 +1,10 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  qois.loadbalancer.enable = true;
+}

nixos-configurations/lindberg/backup.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+
+  qois.backup-client.includePaths = [ "/mnt/data" ];
+
+  services.borgbackup.jobs = {
+    data-local = {
+      repo = "/mnt/backup/disks/data";
+      doInit = true;
+      paths = [ "/mnt/data/" ];
+      prune.keep = {
+        within = "14d";
+        weekly = 4;
+        monthly = 6;
+        yearly = -1;
+      };
+      encryption = {
+        mode = "authenticated";
+        passphrase = "";
+      };
+      startAt = "07:15";
+    };
+  };
+}

nixos-configurations/lindberg/default.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./applications
+    ./backup.nix
+    ./disko-config.nix
+    ./filesystems.nix
+    ./networking.nix
+    ./secrets.nix
+    ./virtualisation.nix
+
+    ../../defaults/hardware/asrock.nix
+
+    ../../defaults/base
+    ../../defaults/meta
+  ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}

nixos-configurations/lindberg/disko-config.nix

@@ -0,0 +1,192 @@
+{ pkgs, ... }:
+{
+  disko.devices = {
+    disk = rec {
+      data-1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTAA02H";
+        content = {
+          type = "gpt";
+          partitions = {
+            raid_data = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid_data";
+              };
+            };
+          };
+        };
+      };
+      data-2 = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTAEYPL";
+        content = data-1.content;
+      };
+      backup = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68N32N0_WD-WCC7K5ZUA0VR";
+        content = {
+          type = "gpt";
+          partitions = {
+            backup = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted_backup";
+                settings.allowDiscards = true;
+                askPassword = true;
+                content = {
+                  type = "filesystem";
+                  format = "btrfs";
+                  mountpoint = "/mnt/backup";
+                  mountOptions = [
+                    "defaults"
+                    "noatime"
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+      system-1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NE0NC01017";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot-primary";
+              };
+            };
+            raid_system = {
+              start = "5G";
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid_system";
+              };
+            };
+          };
+        };
+      };
+      system-2 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_2TB_NLK644R000627P2202";
+        content = pkgs.lib.recursiveUpdate system-1.content {
+          partitions.boot.content.mountpoint = "/boot-secondary";
+        };
+      };
+      cache = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S12PNEAD274438F";
+        content = {
+          type = "gpt";
+          partitions = {
+            crypted_cache = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted_cache";
+                settings.allowDiscards = true;
+                askPassword = true;
+                content = {
+                  type = "lvm_pv";
+                  vg = "vg_cache";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+
+    mdadm = {
+      "raid_system" = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "luks";
+          name = "crypted_system";
+          settings = {
+            allowDiscards = true;
+            bypassWorkqueues = true;
+          };
+          askPassword = true;
+          content = {
+            type = "lvm_pv";
+            vg = "vg_system";
+          };
+        };
+      };
+      "raid_data" = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "luks";
+          name = "crypted_data";
+          settings.allowDiscards = true;
+          askPassword = true;
+          content = {
+            type = "lvm_pv";
+            vg = "vg_data";
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      vg_data = {
+        type = "lvm_vg";
+        lvs = {
+          lv_data = {
+            size = "12TB";
+            content = {
+              type = "filesystem";
+              format = "btrfs";
+              mountpoint = "/mnt/data";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+            };
+          };
+        };
+      };
+      vg_system = {
+        type = "lvm_vg";
+        lvs = {
+          hv_lindberg = {
+            size = "100GiB";
+            content = {
+              type = "btrfs";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+              subvolumes = {
+                "/root".mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+      vg_cache = {
+        type = "lvm_vg";
+        lvs = {
+          lv_swap_lindberg = {
+            size = "10GiB";
+            content = {
+              type = "swap";
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos-configurations/lindberg/filesystems.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+{
+
+  # Configurations are set in disko-config.nix!
+
+  # mdadm.conf generated by `mdadm --detail --scan`
+  boot.swraid.enable = true;
+  boot.swraid.mdadmConf = ''
+    MAILADDR root
+    ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93
+    ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000
+    INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2
+  '';
+
+  # TODO: RAID Monitoring
+  # TODO: Set spin-down time of physical disks
+
+  services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    mirroredBoots = [
+      {
+        devices = [ "nodev" ];
+        path = "/boot-primary";
+        efiBootloaderId = "NixOS primary";
+      }
+      #{
+      #  devices = [ "nodev" ];
+      #  path = "/boot-secondary";
+      #  efiBootloaderId = "NixOS secondary";
+      #}
+    ];
+  };
+}

nixos-configurations/lindberg/networking.nix

@@ -0,0 +1,93 @@
+{ config, pkgs, ... }:
+
+let
+  meta = config.qois.meta;
+in
+{
+  networking.hostName = meta.hosts.lindberg.hostName;
+
+  imports = [ ../../defaults/backplane-net ];
+
+  networking.useDHCP = false;
+  networking.interfaces.enp5s0.useDHCP = true;
+
+  # Virtualization
+  networking.interfaces.vms-nat.useDHCP = false;
+  networking.interfaces.vms-nat.ipv4.addresses = [
+    (
+      let
+        netConfig = meta.network.virtual.lindberg-vms-nat;
+      in
+      {
+        address = netConfig.hosts.lindberg.v4.ip;
+        prefixLength = netConfig.v4.prefixLength;
+      }
+    )
+  ];
+
+  networking.bridges.vms-nat.interfaces = [ ];
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "vms-nat" ];
+    internalIPs = with meta.network.virtual.lindberg-vms-nat.v4; [
+      "${id}/${builtins.toString prefixLength}"
+    ];
+    externalInterface = "enp5s0";
+  };
+  services.dnsmasq =
+    let
+      netConfig = meta.network.virtual.lindberg-vms-nat;
+    in
+    {
+      enable = true;
+      resolveLocalQueries = false;
+      settings = {
+        interface = "vms-nat";
+        bind-interfaces = true;
+
+        domain-needed = true;
+
+        domain = netConfig.domain;
+        dhcp-range = [ "10.247.0.2,10.247.0.253" ];
+        dhcp-option = [
+          "option:router,${netConfig.hosts.lindberg.v4.ip}"
+          "option:domain-search,${netConfig.domain}"
+        ];
+        dhcp-authoritative = true;
+      };
+    };
+  systemd.services.dnsmasq.bindsTo = [ "network-addresses-vms-nat.service" ];
+  networking.firewall.interfaces.vms-nat = {
+    allowedUDPPorts = [
+      53
+      67
+    ];
+    allowedTCPPorts = [ 53 ];
+  };
+
+  # Boot
+  boot.initrd.network.udhcpc.enable = true;
+
+  services.qois.luks-ssh = {
+    enable = true;
+    interface = "eth0";
+    sshPort = 2222;
+  };
+
+  # Use this node as vpn exit node
+  qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "server";
+    authKeyFile = config.sops.secrets."tailscale/key".path;
+    extraUpFlags = [
+      "--login-server=https://vpn.qo.is"
+      "--advertise-exit-node"
+      (
+        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
+      )
+      "--advertise-tags=tag:srv"
+    ];
+  };
+}

nixos-configurations/lindberg/secrets.nix

@@ -0,0 +1,19 @@
+{ ... }:
+let
+  backupConfiguration = {
+    restartUnits = [
+      "borgbackup-job-data-fulberg.service"
+      "borgbackup-job-data-tierberg.service"
+    ];
+  };
+in
+
+{
+  sops.secrets = {
+    "tailscale/key" = {
+      restartUnits = [ "tailscale.service" ];
+    };
+    "backup/data/password" = backupConfiguration;
+    "backup/data/ssh-key" = backupConfiguration;
+  };
+}

nixos-configurations/lindberg/virtualisation.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  virtualisation.libvirtd = {
+    enable = true;
+    onShutdown = "shutdown";
+  };
+  environment.systemPackages = [ pkgs.virtiofsd ];
+}