dolomite: bandwagon support

2024-04-16 16:48:56 +08:00 · 2024-04-16 16:48:56 +08:00 · d2013a50d4
commit d2013a50d4
parent af11897dda
5 changed files with 99 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -4,6 +4,7 @@ keys:
  - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
  - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
  - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
+  - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
  - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
 creation_rules:
  - path_regex: machines/calcite/secrets.yaml
@ -31,6 +32,11 @@ creation_rules:
    - age:
      - *xin
      - *host-tok-00
+  - path_regex: machines/dolomite/secrets/la-00.yaml
+    key_groups:
+    - age:
+      - *xin
+      - *host-la-00
  - path_regex: machines/secrets.yaml
    key_groups:
    - age:
@ -39,6 +45,7 @@ creation_rules:
      - *host-raspite
      - *host-sgp-00
      - *host-tok-00
+      - *host-la-00
      - *host-massicot
  - path_regex: home/xin/secrets.yaml
    key_groups:
--- a/machines/dolomite/bandwagon.nix
+++ b/machines/dolomite/bandwagon.nix
@ -0,0 +1,38 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+  cfg = config.isBandwagon;
+in
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+
+  options = {
+    isBandwagon = lib.mkEnableOption "Bandwagon instance";
+  };
+
+  config = lib.mkIf cfg.isBandwagon {
+    boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    fileSystems."/" =
+      { device = "/dev/disk/by-label/NIXROOT";
+        fsType = "xfs";
+      };
+
+    fileSystems."/boot" =
+      { device = "/dev/disk/by-label/NIXBOOT";
+        fsType = "vfat";
+      };
+
+    swapDevices = [ ];
+
+    boot.loader.grub.enable = lib.mkForce true;
+    boot.loader.grub.version = lib.mkForce 2;
+    boot.loader.grub.device = lib.mkForce "/dev/sda";
+    networking.useDHCP = false;
+    networking.interfaces.ens18.useDHCP = true;
+    networking.interfaces.ens19.useDHCP = true;
+  };
+}
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@ -1,12 +1,19 @@
 { inputs, config, pkgs, lib, modulesPath, ... }:
+let
+  awsHosts = [ "sgp-00" "tok-00 "];
+  bwgHosts = [ "la-00" ];
+in
 {
  imports = [
    ../sops.nix
-    "${modulesPath}/virtualisation/amazon-image.nix"
+   ./bandwagon.nix
+   ./lightsail.nix
  ];


  config = {
+    isBandwagon = builtins.elem config.networking.hostName bwgHosts;
+    isLightsail = builtins.elem config.networking.hostName awsHosts;
    sops = {
      secrets = {
        wg_private_key = {
@ -19,7 +26,6 @@
        };
      };
    };
-    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
    boot.kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
@ -39,9 +45,9 @@

    custom.prometheus = {
      enable = false;
-      exporters.enable = true;
+      exporters.enable = false;
      grafana = {
-        enable = true;
+        enable = false;
        password_file = config.sops.secrets.grafana_cloud_api.path;
      };
    };
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@ -0,0 +1,13 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+  cfg = config.isLightsail;
+in
+{
+  imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
+  options = {
+    isLightsail = lib.mkEnableOption "Lightsail instance";
+  };
+  config = lib.mkIf cfg.isLightsail{
+    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+  };
+}
--- a/machines/dolomite/secrets/la-00.yaml
+++ b/machines/dolomite/secrets/la-00.yaml
@ -0,0 +1,31 @@
+wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str]
+wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WjRVY3BKdVU1WERrVzla
+            L1NNYWp2SFZEaW84b0h1clFGRHVmRDhnM3o0CkUrZjZKNHp2TGtrTXpyOHNVckJw
+            VURjOEVaR3VQU1pJY2NaOFBQRjVIdWcKLS0tIFBQRWRnNnk4aWxsQVhhdUdVWWpy
+            aG9Oa3lOY0JjY2tFU3ZTazcyZW5SM0kKRfTrM65aI5LMOHoGsls3PWChrY5pEz91
+            EERpRd552+PxYBKvumI59mtdlD263d5kmlTxIIZXTOJ2fcl1bii2bg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdzk4ajV5ekNpZXNGTHdD
+            aVBLZDlSbzE1aG5LT0cvVVVlVDBNOWtackNVCjVnZDhYZmFoT21DZHNYT2pMVDF6
+            ZW5UY1ZFRFdtbDdPZHZIWUVuWjhJMk0KLS0tIGR4UUYwcjJtZUFYYlJSS2d6Q3hZ
+            WVJYSWhOaTEvNUdYTXV6OThPenJaY0UKv3WK6gacUxO6PFklkW+jDMG5FgIUuEvN
+            RvvI9ZXRD4QwKW1mpVrxbC+fRqlKawyyyyikvHFGJvpts4/88IcgUQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-15T11:37:57Z"
+    mac: ENC[AES256_GCM,data:iCgvJMijsUjdBT9hMQx4owYkbp2nV1jORB5HGtz5IPHgI9A5FXAAPFtaSGgQSI3twSkYMU94NULjumCyyWt3syH5KK9itHgHwONyVFieyXLiWozqpN2Z0SA5G4SnK3E6X273br9gwNAj33I2MdS/3K8b4EOO2yEzilWmrW7f3rk=,iv:UD7uHrtq4O6+EsWFrjegTXHtQUFcnhKsu4J0e0srDtk=,tag:b0eJEeUJPwi4+rDPeBY7oA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1