diff --git a/flake.lock b/flake.lock index 56947c9..4e2ccba 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1754433428, - "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { @@ -48,11 +48,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", "type": "github" }, "original": { @@ -100,11 +100,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1765674936, + "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", "type": "github" }, "original": { @@ -115,11 +115,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1757068644, - "narHash": "sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4=", + "lastModified": 1769018530, + "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9", + "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 13ddfb3..890043d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -55,8 +55,9 @@ NIX_SSHOPTS="-o ForwardAgent=yes -J acidburn.vtluug.org" \ ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch \ - --fast --flake ".#$TARGET_HOST_NAME" \ - --use-remote-sudo \ + --flake ".#$TARGET_HOST_NAME" \ + --no-reexec \ + --sudo \ --target-host "papatux@$TARGET_HOST_ADDRESS" \ --build-host "papatux@$TARGET_HOST_ADDRESS" ''; diff --git a/hosts/bastille/blade-names.nix b/hosts/bastille/blade-names.nix index f656f2d..083cad3 100644 --- a/hosts/bastille/blade-names.nix +++ b/hosts/bastille/blade-names.nix @@ -1,16 +1,18 @@ -# keep-sorted start -[ - "backbiter" - "damocles" - "durendal" - "eyelander" - "excalibur" - "gram" - "gryffindor" - "kusanagi" - "narsil" - "oathbringer" - "riptide" - "sting" -] -# keep-sorted end +{ + # TODO: prospit's a special case and won't remain here forever + "d8:9e:f3:3e:f9:41" = "prospit"; + + "40:f2:e9:c6:65:5f" = "backbiter"; + "40:f2:e9:c6:69:43" = "damocles"; + "40:f2:e9:c6:69:67" = "durendal"; + "40:f2:e9:c6:74:59" = "eyelander"; + "40:f2:e9:c6:75:f1" = "excalibur"; + "40:f2:e9:c6:76:21" = "gram"; + + "unassigned-0" = "gryffindor"; + "unassigned-1" = "kusanagi"; + "unassigned-2" = "narsil"; + "unassigned-3" = "oathbringer"; + "unassigned-4" = "riptide"; + "unassigned-5" = "sting"; +} diff --git a/hosts/bastille/blade.nix b/hosts/bastille/blade.nix new file mode 100644 index 0000000..8ba726e --- /dev/null +++ b/hosts/bastille/blade.nix 
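Review bot: The new `--sudo` and `--no-reexec` flags appear to be the nixos-rebuild-ng spellings of the removed `--use-remote-sudo` and `--fast`, and nothing in the hunk says so; since they only work with the nixpkgs pinned by the flake.lock bump in this same commit, a line such as `# nixos-rebuild-ng flags; require the nixpkgs pinned in flake.lock` above the command would stop a well-meaning revert. The deploy also now depends on `papatux` having passwordless sudo on every target, which this diff does not show, so that assumption belongs next to `--sudo`. The enclosing shell snippet starts before the hunk.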
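Review bot: The `unassigned-N` placeholder keys are a convention that `hosts/vesuvius/netboot.nix` filters with `hasInfix "unassigned"`, but nothing in this file says so; a header comment like `# MAC address -> blade hostname; keys containing "unassigned" are skipped by netboot.nix's dhcp-host list` keeps the two files in step. Dropping the `keep-sorted` markers is fine because attribute sets are unordered, but a duplicate MAC key now fails evaluation rather than silently producing two entries, which is worth a word in the same comment. The `prospit` TODO could state what makes it special so a later reader knows when the entry can go.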
@@ -0,0 +1,43 @@ +{ modulesPath, pkgs, lib, ... }: { + imports = [ + ./eno1-imm-disable.nix + (import ../common/k3s.nix { inherit lib; }) + ../common/nix.nix + ../common/sshd.nix + ../common/users-local.nix + (modulesPath + "/installer/netboot/netboot-minimal.nix") + ]; + + # Get NFS working (not idea why it's not default in NixOS) + boot.initrd = { + supportedFilesystems = [ "nfs" ]; + kernelModules = [ "nfs" ]; + }; + + # Get hostname from DHCP request + networking.hostName = ""; + + # Open kubernetes' ports for flannel and API server + networking.firewall = { + allowedTCPPorts = [ + 6443 + 10250 + ]; + allowedUDPPorts = [ + 8472 + ]; + }; + + + # when making the ISO, the initialHashedPassword is set to "" for some reason + # we already set a hashed password, so null this + users.users.root.initialHashedPassword = lib.mkForce null; + + environment.systemPackages = with pkgs; [ + fastfetch + git + nfs-utils + ]; + + system.stateVersion = "25.11"; +} diff --git a/hosts/bastille/eno1-imm-disable.nix b/hosts/bastille/eno1-imm-disable.nix new file mode 100644 index 0000000..87c8d6c --- /dev/null +++ b/hosts/bastille/eno1-imm-disable.nix @@ -0,0 +1,30 @@ +{ pkgs, lib, ... }: +let + eno1-imm-disable = pkgs.writeShellApplication { + name = "eno1-imm-disable"; + + runtimeInputs = [ + pkgs.iproute2 + ]; + + text = '' + if grep "Lenovo NeXtScale nx360 M5" /sys/devices/virtual/dmi/id/product_name; then + ip link set down eno1 + fi + ''; + }; +in { + systemd.services."eno1-imm-disable" = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + unitConfig = { + Description = "Disable eno1 on Lenovo NeXtScale nodes to avoid issues with using the imm interface"; + }; + + serviceConfig = { + Type = "oneshot"; + ExecStart = "${lib.getExe eno1-imm-disable}"; + }; + }; +} diff --git a/hosts/common/k3s.nix b/hosts/common/k3s.nix new file mode 100644 index 0000000..cfa90ce --- /dev/null +++ b/hosts/common/k3s.nix 
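Review bot: The firewall block repeats what `../common/k3s.nix`, imported a few lines above, already opens (6443/TCP and 8472/UDP), so only 10250 is actually new here; either drop the duplicates or move 10250 into k3s.nix so one place knows the k3s port list. `users.users.root.initialHashedPassword = lib.mkForce null` relies on a hashed password set in a module outside this file (presumably `../common/users-local.nix`), which the comment should name so the override is not removed in isolation. `networking.hostName = ""` deserves a pointer to the `dhcp-host` entries in netboot.nix that supply the name, and `not idea why` should read `no idea why`.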
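Review bot: `grep` without `-q` prints the matching product_name line into the journal on every boot; `if grep -q "Lenovo NeXtScale nx360 M5" /sys/devices/virtual/dmi/id/product_name; then` is quieter and exits identically. The unit is only ordered `after = [ "network.target" ]`, which does not guarantee that whatever configures the netboot interfaces has finished with eno1, so the link may be brought back up after this oneshot runs; if a one-time nudge is all that is intended, a comment saying so would save the next reader the question.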
@@ -0,0 +1,35 @@ +{ + lib, + role ? "agent", + clusterInit ? false, + serverAddr ? "10.98.3.2", + flannelIface ? "enp1s0f1", +}: +{ + networking.firewall.allowedTCPPorts = [ + 6443 + ]; + + networking.firewall.allowedUDPPorts = [ + 8472 + ]; + + services.k3s = { + inherit role clusterInit; + + enable = true; + serverAddr = lib.mkIf (role != "server") "https://${serverAddr}:6443"; + nodeIP = lib.mkIf (role == "server") serverAddr; + + extraFlags = [ + "--token=\"garbage secret\"" + ] + ++ lib.optionals (role == "server") [ + "--flannel-iface=${flannelIface}" + "--advertise-address=${serverAddr}" + "--bind-address=${serverAddr}" + "--write-kubeconfig-mode=0640" + "--write-kubeconfig-group=wheel" + ]; + }; +} diff --git a/hosts/common/nfs.nix b/hosts/common/nfs.nix new file mode 100644 index 0000000..98647c2 --- /dev/null +++ b/hosts/common/nfs.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: +let + mkNfs = {path, options ? [ "vers=4.0" "soft" "nodev" "nosuid" ]}: { + device = "${path}"; + fsType = "nfs"; + inherit options; + }; +in +{ + environment.systemPackages = [ pkgs.nfs-utils ]; + + fileSystems."/nfs/cistern/share" = mkNfs {path = "10.98.0.7:/cistern/nfs/share";}; + fileSystems."/nfs/cistern/files" = mkNfs {path = "10.98.0.7:/cistern/nfs/files";}; + fileSystems."/nfs/cistern/home" = mkNfs { + path = "10.98.0.7:/cistern/nfs/home"; + options = [ "vers=4.0" "soft" "nodev" "nosuid" ]; + }; + fileSystems."/nfs/cistern/libvirt" = mkNfs {path = "10.98.0.7:/cistern/nfs/libvirt";}; + fileSystems."/nfs/cistern/docker/data" = mkNfs {path = "10.98.0.7:/cistern/nfs/docker/data";}; +} \ No newline at end of file diff --git a/hosts/vesuvius/README.md b/hosts/vesuvius/README.md index 66f9fe3..2ab93b2 100644 --- a/hosts/vesuvius/README.md +++ b/hosts/vesuvius/README.md 
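Review bot: `--token="garbage secret"` hard-codes the cluster join token in a committed file that also lands in the world-readable Nix store on every host, so any local account on a blade or on vesuvius can read the credential that admits nodes to the cluster; the rest of this commit already manages secrets with agenix, so `services.k3s.tokenFile = config.age.secrets."k3s-token".path;` plus a `secrets/secrets.nix` entry fits the existing pattern (the returned set would need to become a `{ config, ... }:` module function). The escaped inner quotes are likely passed through literally as part of the token, since list-form `extraFlags` entries are shell-escaped individually — confirm what the server actually sees. The firewall also opens 6443 regardless of `role`, which only the server needs; `networking.firewall.allowedTCPPorts = lib.optionals (role == "server") [ 6443 ];` is the smaller grant.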
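Review bot: The `home` entry repeats the exact `options` list that `mkNfs` already defaults to, so it can be `mkNfs {path = "10.98.0.7:/cistern/nfs/home";}` like its siblings, and `device = "${path}";` is simply `device = path;`. `config` is taken as an argument but never used. The `soft` mount option is a deliberate trade-off that deserves a comment: on a soft mount an NFS timeout surfaces as an I/O error to the writer instead of blocking, so the write-heavy shares (`libvirt`, `docker/data`) can see failed or short writes during a server hiccup. The file is also missing its trailing newline.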
@@ -10,3 +10,13 @@ Giant storage server + future LHCPISCSIPXEIDK thing maybe? ## Storage We currently have one (manually created) RAID-Z2 pool mounted at `/forge` with `8` drives of `12 Tb` each. We have capacity for `48`(!) drives, but still only paper (and tape) caddies. + +``` +# for the nix store +zfs create -o mountpoint=legacy \ + -o compression=zstd \ + -o xattr=sa \ + -o acltype=posixacl \ + -o atime=off \ + forge/nix +``` \ No newline at end of file diff --git a/hosts/vesuvius/caddy.nix b/hosts/vesuvius/caddy.nix new file mode 100644 index 0000000..cb510df --- /dev/null +++ b/hosts/vesuvius/caddy.nix 
@@ -0,0 +1,82 @@ +{ + config, + pkgs, + lib, + ... +}: +let + gandi-key-path = "/secrets/gandi.env"; +in +{ + age.secrets."gandi.env".file = ../../secrets/vesuvius/gandi.env.age; + + containers.caddy-proxy = { + autoStart = true; + ephemeral = true; + macvlans = [ "eno0" ]; + privateNetwork = false; + bindMounts = { + "${gandi-key-path}" = { + hostPath = config.age.secrets."gandi.env".path; + }; + }; + config = + { + config, + lib, + pkgs, + ... + }: + { + networking.interfaces.mv-eno0 = { + useDHCP = true; + ipv4.addresses = [ + { + address = "128.173.89.163"; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = "2607:b400:6:cc80:0:aff:fe62:f"; + prefixLength = 64; + } + ]; + }; + + # Force container to get DNS settings from network + networking.useHostResolvConf = false; + + services.caddy = { + enable = true; + virtualHosts."*.vtluug.org".extraConfig = '' + reverse_proxy svc.bastille.vtluug.org:80 { + header_up Host {labels.2}.svc.bastille.vtluug.org + } + ''; + package = pkgs.caddy.withPlugins { + plugins = [ "github.com/caddy-dns/gandi@v1.1.0" ]; + hash = "sha256-5mjD0CY7f5+sRtV1rXysj8PvId2gQaWiXlIaTg2Lv8A="; + }; + globalConfig = '' + acme_ca https://acme-staging-v02.api.letsencrypt.org/directory + acme_dns gandi {env.GANDI_AUTH_TOKEN} + ''; + }; + systemd.services.caddy.serviceConfig.EnvironmentFile = [ "${gandi-key-path}" ]; + + networking.firewall = { + allowedTCPPorts = [ + 80 + 443 + ]; + allowedUDPPorts = [ + 80 + 443 + ]; + }; + + system.stateVersion = "26.05"; + }; + }; +} diff --git a/hosts/vesuvius/configuration.nix b/hosts/vesuvius/configuration.nix index 482f77b..9af1381 100644 --- a/hosts/vesuvius/configuration.nix +++ b/hosts/vesuvius/configuration.nix 
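Review bot: `acme_ca https://acme-staging-v02.api.letsencrypt.org/directory` pins the proxy to Let's Encrypt's staging CA, whose certificates browsers do not trust; if that is intentional while the Gandi DNS challenge is being tested, `# TODO: drop acme_ca once the gandi DNS challenge is confirmed` next to it keeps it from going live by accident. `macvlans = [ "eno0" ]` together with `privateNetwork = false` looks contradictory — NixOS only creates the macvlan when the container gets its own network namespace, so as written the `mv-eno0` interface settings and the container's own `networking.firewall` would be applied against the shared host namespace, if at all; confirm which mode is intended. `allowedUDPPorts = [ 80 443 ]` opens UDP/80, which nothing listens on, and UDP/443 only matters if HTTP/3 is enabled. A static address next to `useDHCP = true` on the same interface also merits a comment on which is expected to win.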
@@ -1,58 +1,31 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = [ ./hardware-configuration.nix + (import ../common/k3s.nix { inherit lib; role = "server"; clusterInit = true; }) ./nix.nix ./zfs.nix + ./ipa.nix ./netboot.nix + ./nfs-export.nix + (import ./network.nix { inherit config lib pkgs; }) + ./caddy.nix + + ../common/nfs.nix + ../common/tz-locale.nix + ../common/users-local.nix + ../common/sshd.nix ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "vesuvius"; - - networking.networkmanager.enable = true; - networking.networkmanager.unmanaged = [ "interface-name:enp1s0f1" ]; - - time.timeZone = "America/New_York"; - - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; - - users.users.papatux = { - isNormalUser = true; - description = "papatux"; - extraGroups = [ "networkmanager" "wheel" ]; - openssh.authorizedKeys.keys = import ../../papatux-keys.nix; - }; - - security.sudo.wheelNeedsPassword = false; - nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ + git neovim ]; - services.openssh.enable = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "25.05"; # Did you read the comment? } 
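Review bot: `(import ./network.nix { inherit config lib pkgs; })` calls the module by hand, which appears to be a workaround for the `ipv6_allowed_prefix ? …` default argument in network.nix; since the prefix is not overridden here, moving it into a `let` binding in network.nix would let this line become plain `./network.nix` like the neighbouring imports and keep the module-system argument injection. The k3s import is genuinely parameterised (`role`, `clusterInit`), so that one is fine as is, but a short comment distinguishing the two cases would help. The `git` addition and the moves to `../common/*` are straightforward.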
diff --git a/hosts/vesuvius/ipa.nix b/hosts/vesuvius/ipa.nix index fc011e1..3bbd0df 100644 --- a/hosts/vesuvius/ipa.nix +++ b/hosts/vesuvius/ipa.nix @@ -1,10 +1,16 @@ -# TODO: /etc/krb5.keytab missing, maybe agenix { config, pkgs, ... }: { - age.secrets."krb5.keytab".file = ../../secrets/krb5.keytab.age; - + age.secrets."krb5.keytab" = { + file = ../../secrets/keytabs/vesuvius.keytab.age; + path = "/etc/krb5.keytab"; + owner = "root"; + group = "root"; + mode = "0600"; + }; environment.variables.KRB5_KTNAME = config.age.secrets."krb5.keytab".path; + networking.domain = "vtluug.org"; + security.ipa = { enable = true; @@ -19,4 +25,15 @@ sha256 = "16wv6kfvnm0hcyzr0wjrgmymw3asm84m8r1wbfq09qvqrjycfc6s"; }; }; + security.sudo.extraRules = [ + { + groups = [ "admins" ]; + commands = [ + { + command = "ALL"; + options = ["SETENV" "NOPASSWD"]; + } + ]; + } + ]; } diff --git a/hosts/vesuvius/netboot.nix b/hosts/vesuvius/netboot.nix index 9222a1c..bbe5ad3 100644 --- a/hosts/vesuvius/netboot.nix +++ b/hosts/vesuvius/netboot.nix 
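Review bot: `mode = "0600"` is wider than agenix's default of `0400`, and nothing on this host needs to write the keytab, so the override can be dropped along with `owner`/`group`, which already default to root. With `path = "/etc/krb5.keytab"` the secret lands at libkrb5's default keytab location, making `environment.variables.KRB5_KTNAME` redundant; harmless, but a comment such as `# /etc/krb5.keytab is the default; kept explicit for clarity` would explain why it stays.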
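Review bot: The new rule gives every member of the IPA group `admins` root through sudo with `NOPASSWD` and `SETENV`, so the trust boundary for root on this host moves to whoever can edit that group on the IPA server; nothing else in the file makes that visible, so a comment above the rule stating it is warranted. `SETENV` lets the caller carry arbitrary environment variables across the sudo boundary (`sudo VAR=x cmd`), which is rarely needed for an `ALL` grant; if there is no concrete use, `options = [ "NOPASSWD" ];` is the smaller grant. The comment could also record how this relates to the passwordless `wheel` sudo that this commit moves out of configuration.nix (presumably into the common users module), so the two grants are not maintained in ignorance of each other.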
@@ -1,44 +1,54 @@ -{ config, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - dom_ip = "10.98.2.1"; + dom_ip = "10.98.3.2"; + vlan_router_ip = "10.98.3.1"; + dns_server_ip = "10.98.0.1"; dhcp_iface = "enp1s0f1"; - client_range = "10.98.2.2,10.98.2.100"; + client_range = "10.98.3.3,10.98.3.100"; - sub_image = pkgs.nixos { - imports = [ "${pkgs.path}/nixos/modules/installer/netboot/netboot-minimal.nix" ]; + netboot-hostnames = import ../bastille/blade-names.nix; - system.stateVersion = "25.05"; - services.openssh = { - enable = true; - settings.PasswordAuthentication = true; - settings.KbdInteractiveAuthentication = false; - }; + sub_image = lib.nixosSystem { + system = "x86_64-linux"; - users.users.papatux = { - isNormalUser = true; - description = "papatux"; - extraGroups = [ "networkmanager" "wheel" ]; - hashedPassword = "$6$6GnvJWpo8oOWM1tb$GhuldW5iIdS6OuRyq5u1hSSu0VotQCLac7emA.Kui2hWLozR7EIO4Su6PCo5hTRG8iWnAOlGemQVyejIA9l4j/"; - openssh.authorizedKeys.keys = import ../../papatux-keys.nix; - }; + modules = [ + ../bastille/blade.nix + ]; }; - + + blade = sub_image.config.system.build; + ipxe_config = pkgs.writeText "boot.ipxe" '' #!ipxe - kernel http://${dom_ip}:8080/netboot-nixtest/kernel init=/init boot.shell_on_fail - initrd http://${dom_ip}:8080/netboot-nixtest/initrd + kernel http://${dom_ip}:8080/netboot-kernel/bzImage init=${blade.toplevel}/init boot.shell_on_fail + initrd http://${dom_ip}:8080/netboot-initrd/initrd boot ''; webroot = pkgs.linkFarm "netboot" [ - { name = "netboot-nixtest"; path = sub_image.config.system.build.toplevel; } - { name = "boot.ipxe"; path = ipxe_config; } + { + name = "netboot-kernel"; + path = blade.kernel; + } + { + name = "netboot-initrd"; + path = blade.netbootRamdisk; + } + { + name = "boot.ipxe"; + path = ipxe_config; + } ]; # fyi this is cause tftpd in dnsmasq chroots and wouldn't follow external symlinks # like the ones in a linkfarm - tftproot = pkgs.runCommand "tftproot-real" {} '' + tftproot = pkgs.runCommand 
"tftproot-real" { } '' mkdir -p $out cp ${ipxe_config} $out/boot.ipxe cp ${pkgs.ipxe}/ipxe.efi $out/ipxe.efi 
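Review bot: `boot.shell_on_fail` on the iPXE kernel line drops any blade whose stage-1 fails into an unauthenticated root shell, and because the image is served to whatever PXE-boots on the netboot VLAN, every such machine gets the same behaviour; reasonable during bring-up, but it should be marked, e.g. `# boot.shell_on_fail is a debugging aid; remove once the blades boot reliably`. `sub_image = lib.nixosSystem { … }` evaluates the blade image independently of the host, so it does not inherit the host's `nixpkgs.config` or overlays and relies on the `lib` argument being the flake's nixpkgs lib that carries `nixosSystem` — worth a one-line comment if either matters for blade.nix. The hunk ends inside the `let` block; the remaining netboot definitions continue past it.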
@@ -54,27 +64,70 @@ in services.dnsmasq = { enable = true; - settings.enable-tftp = true; - settings.tftp-root = "${tftproot}"; - settings.dhcp-range = "${client_range},12h"; - settings.dhcp-option = [ "option:router,${dom_ip}" ]; - settings.dhcp-userclass = [ "set:ipxe,iPXE" ]; - settings.dhcp-boot = [ - "tag:!ipxe,ipxe.efi" - "http://${dom_ip}:8080/boot.ipxe" - ]; + settings = { + domain = "bastille.vtluug.org"; + domain-needed = true; + interface = "${dhcp_iface}"; + bind-interfaces = true; + server = [ + "198.82.247.98" + "198.82.247.66" + "198.82.247.34" + "2001:468:c80:6101:0:100:0:62" + "2001:468:c80:4101:0:100:0:42" + "2001:468:c80:2101:0:100:0:22" + "/whit.vtluug.org/10.98.0.1" + ]; + enable-tftp = true; + tftp-root = "${tftproot}"; + dhcp-range = "${client_range},12h"; + dhcp-option = [ "option:router,${vlan_router_ip}" ]; + dhcp-userclass = [ "set:ipxe,iPXE" ]; + dhcp-boot = [ + "tag:!ipxe,ipxe.efi" + "http://${dom_ip}:8080/boot.ipxe" + ]; + # Set hostnames via DHCP + dhcp-host = builtins.map (host: "${host.fst},${host.snd}") ( + lib.lists.filter (host: !lib.strings.hasInfix "unassigned" host.fst) ( + lib.lists.zipLists (builtins.attrNames netboot-hostnames) (builtins.attrValues netboot-hostnames) + ) + ); + address = [ + "/bastille.vtluug.org/::" # Filter IPv6 so it doesn't just hang forever when resolving every request to local domain + "/vesuvius.bastille.vtluug.org/${dom_ip}" + "/svc.bastille.vtluug.org/${dom_ip}" + ]; + local = [ + "/svc.bastille.vtluug.org/" + ]; + }; }; services.nginx = { enable = true; virtualHosts."netboot" = { - listen = [{ port = 8080; addr = "0.0.0.0"; }]; + listen = [ + { + port = 8080; + addr = "0.0.0.0"; + } + ]; locations."/".root = "${webroot}"; }; }; networking.firewall = { - allowedTCPPorts = [ 8080 ]; - allowedUDPPorts = [ 67 69 ]; + allowedTCPPorts = [ + 6443 + 8080 + 10250 + ]; + allowedUDPPorts = [ + 53 + 67 + 69 + 8472 + ]; }; -} \ No newline at end of file +} 
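Review bot: nginx listens on `addr = "0.0.0.0"` and the firewall opens 8080 and 53 on every interface, while dnsmasq is already pinned to `${dhcp_iface}` with `bind-interfaces` and the iPXE script fetches from `${dom_ip}`; serving the blade kernel/initrd and answering DNS on vesuvius's public side is exposure nothing here needs. `listen = [ { port = 8080; addr = dom_ip; } ];` together with `networking.firewall.interfaces.${dhcp_iface}.allowedUDPPorts = [ 53 67 69 ];` (and the TCP counterpart for 8080) confines both to the netboot VLAN. The hand-rolled zip in `dhcp-host` reads more simply as `dhcp-host = lib.mapAttrsToList (mac: name: "${mac},${name}") (lib.filterAttrs (mac: _: !lib.hasInfix "unassigned" mac) netboot-hostnames);`. 6443 and 8472 duplicate what `../common/k3s.nix` opens for the server role, and `interface = "${dhcp_iface}"` needs no interpolation.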
diff --git a/hosts/vesuvius/network.nix b/hosts/vesuvius/network.nix new file mode 100644 index 0000000..ccf0508 --- /dev/null +++ b/hosts/vesuvius/network.nix @@ -0,0 +1,53 @@ +{ + config, + lib, + pkgs, + ipv6_allowed_prefix ? "2607:b400:6:cc80::/64", + ... +}: +{ + networking.hostName = "vesuvius"; + + networking.networkmanager.enable = true; + networking.networkmanager.unmanaged = [ "interface-name:enp1s0f1" ]; + + networking.interfaces.enp1s0f1.ipv4.routes = [ + { + address = "10.98.0.0"; + prefixLength = 16; + via = "10.98.3.1"; + } + ]; + + # Open ports for K3s ingress + networking.firewall = { + allowedTCPPorts = [ + 80 + 443 + ]; + allowedUDPPorts = [ + 80 + 443 + ]; + }; + + + networking.nftables = { + enable = true; + ruleset = '' + table ip6 filter { + chain input { + type filter hook input priority 0; policy drop; + + ct state { established, related } accept; + iifname "lo" accept; + + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept; + + ip6 saddr ${ipv6_allowed_prefix} accept comment "Allow IPv6 from LAN"; + ip6 saddr fe80::/64 accept comment "Allow IPv6 from link local"; + } + } + ''; + }; +} diff --git a/hosts/vesuvius/nfs-export.nix b/hosts/vesuvius/nfs-export.nix new file mode 100644 index 0000000..74770ed --- /dev/null +++ b/hosts/vesuvius/nfs-export.nix 
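Review bot: The custom `table ip6 filter` with `policy drop` sits beside the NixOS firewall, which with `nftables.enable = true` installs its own input chain, so IPv6 packets must pass both: anything not from `${ipv6_allowed_prefix}` or link-local is dropped here regardless of the 80/443 opened in the `networking.firewall` block above. If the Caddy container's public IPv6 address is meant to serve `*.vtluug.org` to the Internet, this chain blocks those clients; if the intent really is "IPv6 from the LAN only", a comment saying so above `ruleset` would make the drop deliberate rather than surprising. The ICMPv6 allow-list also omits `nd-router-advert` and `echo-request`, so off-prefix router advertisements and ping6 are dropped — list them explicitly either way. `80` in `allowedUDPPorts` has no listener behind it.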
@@ -0,0 +1,34 @@ +{ + services.nfs.server = { + enable = true; + exports = '' + /forge/nfs 10.98.0.0/16(rw,sync,fsid=root,no_subtree_check,root_squash,sec=sys) 2607:b400:0006:cc80::/64(rw,sync,fsid=root,no_subtree_check,root_squash,sec=sys) + /forge/nfs/kube-volumes 10.98.3.0/24(rw,sync,no_root_squash,insecure,no_subtree_check) + ''; + + # fixed rpc.statd port; for firewall + lockdPort = 4001; + mountdPort = 4002; + statdPort = 4000; + }; + systemd.services."rpc-svcgssd".enable = false; + + networking.firewall = { + enable = true; + # for NFSv3; view with `rpcinfo -p` + allowedTCPPorts = [ + 111 + 2049 + 4000 + 4001 + 4002 + ]; + allowedUDPPorts = [ + 111 + 2049 + 4000 + 4001 + 4002 + ]; + }; +} diff --git a/hosts/vesuvius/zfs.nix b/hosts/vesuvius/zfs.nix index df075c4..dfc4afe 100644 --- a/hosts/vesuvius/zfs.nix +++ b/hosts/vesuvius/zfs.nix @@ -13,5 +13,13 @@ fileSystems."/forge" = { device = "forge"; fsType = "zfs"; + neededForBoot = true; + }; + + fileSystems."/nix" = { + device = "/forge/nix"; + fsType = "none"; + options = [ "bind" ]; + depends = [ "/forge" ]; }; } diff --git a/kube-manifests/config/coredns-config.yaml b/kube-manifests/config/coredns-config.yaml new file mode 100644 index 0000000..efcd492 --- /dev/null +++ b/kube-manifests/config/coredns-config.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns-custom + namespace: kube-system +data: + my-custom.server: | + bastille.vtluug.org:53 { + forward . 10.98.3.2 + } + whit.vtluug.org:53 { + forward . 10.98.0.1 + } diff --git a/kube-manifests/config/forge-nfs-storage.yaml b/kube-manifests/config/forge-nfs-storage.yaml new file mode 100644 index 0000000..f649f9c --- /dev/null +++ b/kube-manifests/config/forge-nfs-storage.yaml 
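Review bot: `/forge/nfs/kube-volumes 10.98.3.0/24(rw,sync,no_root_squash,insecure,…)` grants root-equivalent write access to the whole netboot subnet, where dnsmasq hands `10.98.3.3`–`10.98.3.100` to anything that PXE-boots or plugs into the VLAN, so an address in that range is not a strong identity. netboot.nix already pins the real blades by MAC, so listing their addresses (or a narrower range) instead of the /24 limits the blast radius, and `insecure` — which accepts requests from unprivileged client ports — should carry a comment naming the client that needs it. The firewall comment says `for NFSv3`, yet every client in this commit mounts v4.0 or v4.2, which only needs 2049; 111 and the fixed 400x ports could then be dropped instead of being opened on all interfaces, and `networking.firewall.enable = true` is already the default.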
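Review bot: `/nix` is bind-mounted from the directory `/forge/nix`, but the README in this same commit creates `forge/nix` as a dataset with `mountpoint=legacy`, and legacy datasets are not mounted automatically by ZFS; unless something outside this diff mounts it, the bind picks up an empty directory on the parent `forge` dataset. Mounting the dataset directly removes the ambiguity: `fileSystems."/nix" = { device = "forge/nix"; fsType = "zfs"; neededForBoot = true; };` with no `bind` or `depends`. If the dataset's mountpoint was later changed to `/forge/nix`, a comment stating that would answer the question instead.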
@@ -0,0 +1,18 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: forge-nfs-csi +provisioner: nfs.csi.k8s.io +parameters: + server: vesuvius.bastille.vtluug.org + share: /kube-volumes + # csi.storage.k8s.io/provisioner-secret is only needed for providing mountOptions in DeleteVolume + # csi.storage.k8s.io/provisioner-secret-name: "mount-options" + # csi.storage.k8s.io/provisioner-secret-namespace: "default" +reclaimPolicy: Delete +volumeBindingMode: Immediate +allowVolumeExpansion: true +mountOptions: + - hard + - nfsvers=4.2 + diff --git a/kube-manifests/services/ephemeral.yaml b/kube-manifests/services/ephemeral.yaml new file mode 100644 index 0000000..6218102 --- /dev/null +++ b/kube-manifests/services/ephemeral.yaml @@ -0,0 +1,71 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ephemeral-chat-deployment + labels: + app: ephemeral-chat +spec: + replicas: 1 + selector: + matchLabels: + app: ephemeral-chat + template: + metadata: + labels: + app: ephemeral-chat + spec: + containers: + - name: ephemeral + image: ghcr.io/mikhail729/ephemeral:0.2.2 + ports: + - containerPort: 80 + env: + - name: PORT + value: "80" + resources: + requests: + memory: 64Mi + cpu: 0.5 + limits: + memory: 64Mi + cpu: 0.5 +--- +apiVersion: v1 +kind: Service +metadata: + name: ephemeral-chat-service +spec: + selector: + app: ephemeral-chat + type: LoadBalancer + ports: + - name: http + port: 80 + protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ephemeral-chat-ingress +spec: + rules: + - host: "ephemeral.svc.bastille.vtluug.org" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: ephemeral-chat-service + port: + number: 80 + - host: "ephemeral.vtluug.org" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: ephemeral-chat-service + port: + number: 80 
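Review bot: `reclaimPolicy: Delete` means removing a PVC (such as the search-4get banner claim) deletes its directory under `/forge/nfs/kube-volumes`; for data that should survive a redeploy, `reclaimPolicy: Retain` is the safer choice on a share that is also managed by hand. The commented `provisioner-secret` lines are left over from the upstream example and can go. `server: vesuvius.bastille.vtluug.org` only resolves inside the cluster once the `coredns-custom` forward from this commit is applied, which a comment on the `server:` line should mention.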
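Review bot: `type: LoadBalancer` on port 80 here and again in `kube-manifests/services/search-4get.yaml` competes for host port 80 on every node: k3s's bundled service load balancer (presumably still enabled, since k3s.nix does not disable it) binds one host port per LoadBalancer service, and Traefik's own service already holds 80/443, so these services will likely never receive an external IP. Both are fronted by an Ingress, so `type: ClusterIP` (or omitting `type`) is sufficient and avoids the node-port exposure. The container also has no readiness or liveness probe and no `securityContext`, so a wedged app keeps receiving traffic and runs with the image's defaults; a `readinessProbe` on `/` is a cheap addition, and `targetPort: 80` on the Service makes the mapping explicit.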
diff --git a/kube-manifests/services/search-4get.yaml b/kube-manifests/services/search-4get.yaml new file mode 100644 index 0000000..fead9d1 --- /dev/null +++ b/kube-manifests/services/search-4get.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: search-4get-nfs-pvc + labels: + app: search-4get +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 16Mi + storageClassName: forge-nfs-csi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: search-4get-deployment + labels: + app: search-4get +spec: + replicas: 1 + selector: + matchLabels: + app: search-4get + template: + metadata: + labels: + app: search-4get + spec: + volumes: + - name: search-4get-banner + persistentVolumeClaim: + claimName: search-4get-nfs-pvc + initContainers: + - name: search-4get-banner-loader + image: alpine:3 + command: + - "sh" + - "-c" + - wget -O /banner/go-hokies.jpg https://search.vtluug.org/banner/go-hokies.jpg + volumeMounts: + - name: search-4get-banner + mountPath: /banner + containers: + - name: search-4get + image: luuul/4get:latest + ports: + - containerPort: 80 + env: + - name: FOURGET_PROTO + value: "http" + - name: FOURGET_SERVER_NAME + value: "search-staging.vtluug.org" + - name: FOURGET_SERVER_SHORT_DESCRIPTION + value: "Virginia Tech Linux & Unix User's Group" + - name: FOURGET_SERVER_LONG_DESCRIPTION + value: "Virginia Tech Linux & Unix User's Group" + resources: + requests: + memory: 1Gi + cpu: 2 + limits: + memory: 1Gi + cpu: 2 + volumeMounts: + - name: search-4get-banner + mountPath: /var/www/html/4get/banner + readOnly: false + # make opensearch hallucinate that we're connecting thru https + # otherwise, it'll add the search engine as http://[host], which + # inevitably resolves to http://search.vtluug.org:443, which obviously + # just doesn't work + # lifecycle: + # postStart: + # exec: + # command: + # - "/bin/sh" + # - "-c" + # - sed -i '2i\$_SERVER[\"HTTPS\"] = \"on\";' opensearch.php +--- +apiVersion: v1 +kind: Service +metadata: + name: search-4get-service +spec: + selector: + app: search-4get + type: LoadBalancer + ports: + - name: http + port: 80 + protocol: TCP +--- +apiVersion: 
networking.k8s.io/v1 +kind: Ingress +metadata: + name: search-4get-ingress +spec: + rules: + - host: "search-staging.svc.bastille.vtluug.org" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: search-4get-service + port: + number: 80 diff --git a/secrets/keytabs/vesuvius.keytab.age b/secrets/keytabs/vesuvius.keytab.age new file mode 100644 index 0000000..b20d783 --- /dev/null +++ b/secrets/keytabs/vesuvius.keytab.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 aQG9zQ AwGnHtis2RoMcZHMea4Jbhzm5yYq9uos+1h0WtIVDCM +IAFYorEgHmeGXXfakwa3Fk9UDC5XPJGSkx5PbPRumoo +--- x+eNJlai124x5jAWKQkq2hhDegsZ+GxPlsnoWrd4zv0 +D,|]=V,Aֳ#luy}(bi OFۓwrH_> (zr/)dJ1g3RӂFqx.܃3g*J(oUA dRa߂3@"L-S8_9*V~9yqr_AJЎDR8 4ߩu Ā??Eq \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 177078e..579f7a4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,6 +2,7 @@ let vesuvius = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHI7ziwxkEbJzvpaZulPFpDW7l0vbGJ+ifHcHJ2fHex"; zerocool = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+60yHIqES3Dr1Upp23QGwzvqELQEeH6e4lTKTV9iUY root@zerocool"; in { - "krb5.keytab.age".publicKeys = [ vesuvius ]; + "keytabs/vesuvius.keytab.age".publicKeys = [ vesuvius ]; "zerocool/wg.priv.age".publicKeys = [ zerocool ]; + "vesuvius/gandi.env.age".publicKeys = [ vesuvius ]; } diff --git a/secrets/vesuvius/gandi.env.age b/secrets/vesuvius/gandi.env.age new file mode 100644 index 0000000..41e0ec9 --- /dev/null +++ b/secrets/vesuvius/gandi.env.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 aQG9zQ jw2KC87a5QeOMwU1pqdW1+KFcC5wklRqd83pAogk2FQ +ejYvXVoBtyNFpB+vvSYJh6ZGHyCdG1dOv/f1wQusN64 +--- LgR65OUy1KkB+4mxvWCVh7AdgLjYDJ4dagAr8YS2VZg +#% +=! 1~.JWVhѶpԷ '50J-J暅Y2v0xAxK!ff¨ј3< \ No newline at end of file
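Review bot: `image: luuul/4get:latest` and `image: alpine:3` are mutable tags, so a pod restart may pull an image that was never reviewed; pinning to a version or digest (`luuul/4get:<version>@sha256:<digest>`, placeholder) makes rollbacks and supply-chain review possible. The init container re-downloads the banner over the network on every start and overwrites it on a PVC that persists, which also makes pod startup depend on search.vtluug.org being reachable; a `[ -f /banner/go-hokies.jpg ] || wget …` guard removes that dependency after the first run. `FOURGET_SERVER_NAME` is `search-staging.vtluug.org` while the Ingress host is `search-staging.svc.bastille.vtluug.org`; that lines up with the Caddy `{labels.2}.svc.bastille.vtluug.org` rewrite, but a comment tying the two together would help the next reader. The commented `lifecycle` block should either be deleted or carry a TODO explaining why it is kept.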