diff --git a/.gitignore b/.gitignore index b2be92b..12601f7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ result +/configuration.nix diff --git a/README.md b/README.md index bb1de13..8dd2f24 100644 --- a/README.md +++ b/README.md @@ -1,50 +1,3 @@ -# SNS Cluster Configuration +Princeton SNS Group Cluster Configuration +========================================= -## Machine Specs - -| Cluster | CPU | RAM | HDD | SSD | -|---------|------------------------|------|-------------|---------| -| Adam | 2x8 2.2GHz Intel Xeon | 64GB | 4x2TB (in RAID) | | -| Alpha | 2x4 2.3GHz AMD Opetron | 8GB | 2x1TB | - | -| Beta | 2x4 2.4GHz Intel Xeon | 12GB | 2x1TB | 150GB | -| Gamma | 2x8 2.2GHz Intel Xeon | 64GB | 1TB | 2x240GB | -| SNS57 | 2x4 2.4GHz Intel Xeon | 64GB | 2x1TB | 150GB | - - -### Alpha Cluster -- Old SUN Systems - -1. sns3.cs.princeton.edu -2. sns4.cs.princeton.edu -3. sns6.cs.princeton.edu -4. sns7.cs.princeton.edu -5. sns8.cs.princeton.edu -6. sns9.cs.princeton.edu -7. sns14.cs.princeton.edu -7. sns15.cs.princeton.edu -8. sns17.cs.princeton.edu -9. sns20.cs.princeton.edu -10. sns21.cs.princeton.edu -11. sns24.cs.princeton.edu - -### Beta Cluster -- Remote Workstations - -1. sns26.cs.princeton.edu -2. sns29.cs.princeton.edu -3. sns31.cs.princeton.edu -4. sns32.cs.princeton.edu -5. sns33.cs.princeton.edu -6. sns44.cs.princeton.edu -6. sns45.cs.princeton.edu -8. sns49.cs.princeton.edu -9. sns51.cs.princeton.edu -10. sns52.cs.princeton.edu -11. ~~sns55.cs.princeton.edu~~ (needs manual intervention) -12. ~~sns55.cs.princeton.edu~~ (needs manual intervention) - -## Gamma Cluster -- Temporary Reservations - -1. sns59.cs.princeton.edu - -## One-offs - -1. sns57.cs.princeton.edu diff --git a/default.nix b/default.nix deleted file mode 100644 index 7c437e0..0000000 --- a/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -with builtins; -let - utils = import ./utils; - machines = utils.modulesIn ./machines; - baseSNSMachine = n: (import ./machines/common.nix) { hostname = "sns${n}"; }; - baseMachines = listToAttrs - (map (n: let ns = toString n; in { name = "sns${ns}"; value = baseSNSMachine ns; }) - (genList (n: n + 1) 100)); -in baseMachines // machines diff --git a/default.nix b/default.nix new file mode 120000 index 0000000..022ec28 --- /dev/null +++ b/default.nix @@ -0,0 +1 @@ +./legacy/default.nix \ No newline at end of file diff --git a/legacy/README.md b/legacy/README.md new file mode 100644 index 0000000..bb1de13 --- /dev/null +++ b/legacy/README.md @@ -0,0 +1,50 @@ +# SNS Cluster Configuration + +## Machine Specs + +| Cluster | CPU | RAM | HDD | SSD | +|---------|------------------------|------|-------------|---------| +| Adam | 2x8 2.2GHz Intel Xeon | 64GB | 4x2TB (in RAID) | | +| Alpha | 2x4 2.3GHz AMD Opetron | 8GB | 2x1TB | - | +| Beta | 2x4 2.4GHz Intel Xeon | 12GB | 2x1TB | 150GB | +| Gamma | 2x8 2.2GHz Intel Xeon | 64GB | 1TB | 2x240GB | +| SNS57 | 2x4 2.4GHz Intel Xeon | 64GB | 2x1TB | 150GB | + + +### Alpha Cluster -- Old SUN Systems + +1. sns3.cs.princeton.edu +2. sns4.cs.princeton.edu +3. sns6.cs.princeton.edu +4. sns7.cs.princeton.edu +5. sns8.cs.princeton.edu +6. sns9.cs.princeton.edu +7. sns14.cs.princeton.edu +7. sns15.cs.princeton.edu +8. sns17.cs.princeton.edu +9. sns20.cs.princeton.edu +10. sns21.cs.princeton.edu +11. sns24.cs.princeton.edu + +### Beta Cluster -- Remote Workstations + +1. sns26.cs.princeton.edu +2. sns29.cs.princeton.edu +3. sns31.cs.princeton.edu +4. sns32.cs.princeton.edu +5. sns33.cs.princeton.edu +6. sns44.cs.princeton.edu +6. sns45.cs.princeton.edu +8. sns49.cs.princeton.edu +9. sns51.cs.princeton.edu +10. sns52.cs.princeton.edu +11. ~~sns55.cs.princeton.edu~~ (needs manual intervention) +12. ~~sns55.cs.princeton.edu~~ (needs manual intervention) + +## Gamma Cluster -- Temporary Reservations + +1. sns59.cs.princeton.edu + +## One-offs + +1. sns57.cs.princeton.edu diff --git a/legacy/default.nix b/legacy/default.nix new file mode 100644 index 0000000..7c437e0 --- /dev/null +++ b/legacy/default.nix @@ -0,0 +1,9 @@ +with builtins; +let + utils = import ./utils; + machines = utils.modulesIn ./machines; + baseSNSMachine = n: (import ./machines/common.nix) { hostname = "sns${n}"; }; + baseMachines = listToAttrs + (map (n: let ns = toString n; in { name = "sns${ns}"; value = baseSNSMachine ns; }) + (genList (n: n + 1) 100)); +in baseMachines // machines diff --git a/machines/adam.nix b/legacy/machines/adam.nix similarity index 100% rename from machines/adam.nix rename to legacy/machines/adam.nix diff --git a/machines/collective.nix b/legacy/machines/collective.nix similarity index 100% rename from machines/collective.nix rename to legacy/machines/collective.nix diff --git a/machines/common.nix b/legacy/machines/common.nix similarity index 100% rename from machines/common.nix rename to legacy/machines/common.nix diff --git a/machines/sns17.nix b/legacy/machines/sns17.nix similarity index 100% rename from machines/sns17.nix rename to legacy/machines/sns17.nix diff --git a/machines/sns20.nix b/legacy/machines/sns20.nix similarity index 100% rename from machines/sns20.nix rename to legacy/machines/sns20.nix diff --git a/machines/sns21.nix b/legacy/machines/sns21.nix similarity index 100% rename from machines/sns21.nix rename to legacy/machines/sns21.nix diff --git a/machines/sns24.nix b/legacy/machines/sns24.nix similarity index 100% rename from machines/sns24.nix rename to legacy/machines/sns24.nix diff --git a/legacy/machines/sns26.nix b/legacy/machines/sns26.nix new file mode 100644 index 0000000..655bb58 --- /dev/null +++ b/legacy/machines/sns26.nix @@ -0,0 +1,38 @@ +{ config, pkgs, ... }: + +let + hostname = "sns26"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + ]; + + programs.mosh.enable = true; + + networking.firewall.allowedTCPPorts = [ + # Frida server + 8000 + ]; + + virtualisation.docker.enable = true; + + users.users.npopescu = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "nataliepopescu"; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/legacy/machines/sns29.nix b/legacy/machines/sns29.nix new file mode 100644 index 0000000..d0f20b1 --- /dev/null +++ b/legacy/machines/sns29.nix @@ -0,0 +1,42 @@ +# Configured as a workstation for @alevy, primarily for testing stuff on the +# cluster. If this comment is still here after November 2020, you can take over +# this machine with a PR. + +{ config, pkgs, ... }: + +let + hostname = "sns29"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + ]; + + programs.mosh.enable = true; + + users.mutableUsers = false; + + users.users.alevy = { + isNormalUser = true; + extraGroups = [ "wheel" "snapfaas" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "alevy"; + }; + + users.users.yue = { + isNormalUser = true; + extraGroups = [ "wheel" "snapfaas" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "tan-yue"; + }; + + users.users.kw22 = { + isNormalUser = true; + extraGroups = [ "snapfaas" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "kw1122"; + }; +} diff --git a/legacy/machines/sns31.nix b/legacy/machines/sns31.nix new file mode 100644 index 0000000..c28e8ba --- /dev/null +++ b/legacy/machines/sns31.nix @@ -0,0 +1,39 @@ +# Configured as a workstation for Jianan +# Current project users include Jianan, and Haoyu. + +{ config, pkgs, ... }: + +let + hostname = "sns31"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + ]; + + programs.mosh.enable = true; + + users.users.haoyu = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "Lei-Houjyu"; + }; + + users.users.jiananl= { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "amberlu"; + }; + + users.users.araina= { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "ashwiniraina"; + }; +} diff --git a/legacy/machines/sns32.nix b/legacy/machines/sns32.nix new file mode 100644 index 0000000..c8711bf --- /dev/null +++ b/legacy/machines/sns32.nix @@ -0,0 +1,27 @@ +{ config, pkgs, ... }: + +let + hostname = "sns32"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + ]; + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + users.users.scaspin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "scaspin"; + }; +} diff --git a/legacy/machines/sns33.nix b/legacy/machines/sns33.nix new file mode 100644 index 0000000..5fa5d5f --- /dev/null +++ b/legacy/machines/sns33.nix @@ -0,0 +1,66 @@ +# Configured as a workstation for @lei + +{ config, pkgs, ... }: + +let + hostname = "sns33"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; + kubeMasterIP = "10.1.1.2"; + kubeMasterHostname = "api.kube"; + kubeMasterAPIServerPort = 6443; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; + + services.kubernetes = { + roles = ["master" "node"]; + masterAddress = kubeMasterHostname; + apiserverAddress = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}"; + easyCerts = true; + apiserver = { + securePort = kubeMasterAPIServerPort; + advertiseAddress = kubeMasterIP; + }; + + # use coredns + addons.dns.enable = true; + + # needed if you use swap + kubelet.extraOpts = "--fail-swap-on=false"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git zip unzip + vim tmux wget docker-compose kubectl kompose kubernetes helm + ]; + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + users.mutableUsers = false; + + users.users.lei = { + isNormalUser = true; + extraGroups = [ "wheel" "docker" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "geraldleizhang"; + }; + + users.users.leochanj = { + isNormalUser = true; + extraGroups = [ "wheel" "docker" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "leochanj105"; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/machines/sns4.nix b/legacy/machines/sns4.nix similarity index 100% rename from machines/sns4.nix rename to legacy/machines/sns4.nix diff --git a/legacy/machines/sns44.nix b/legacy/machines/sns44.nix new file mode 100644 index 0000000..3779f47 --- /dev/null +++ b/legacy/machines/sns44.nix @@ -0,0 +1,77 @@ +# @yuetan uses this machine as a testbed for securefaas project + +{ config, pkgs, ... }: + +let + hostname = "sns44"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; + snapfaasSrc = pkgs.fetchFromGitHub { + owner = "princeton-sns"; + repo = "snapfaas"; + rev = "9791be9d108dd45abf50d9a62681d7a0f61613d5"; + sha256 = "sha256-ZJS7GDW7lBILrMKrKXxLAw5gjKunSai27RO3oZvJAn4="; + }; + snapfaas = (import snapfaasSrc { inherit pkgs; release = false; }).snapfaas; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + snapfaas lkl lmdb python39Full e2fsprogs gnumake wget + vim tmux + ]; + + # Expose port for development snapfaas webhook server + networking.firewall.allowedTCPPorts = [ 8080 ]; + + fileSystems."/nfs/home" = { + device = "adam-new.cs.princeton.edu:/home"; + fsType = "nfs4"; + }; + + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + users.users.yuetan = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "tan-yue"; + }; + + users.users.alevy = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "alevy"; + }; + + users.users.cherrypiejam = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" "docker" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "cherrypiejam"; + }; + + users.users.atli = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" "docker" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "ATLi2001"; + }; + + users.users.scaspin = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" "docker" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "scaspin"; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/legacy/machines/sns45.nix b/legacy/machines/sns45.nix new file mode 100644 index 0000000..7c7de1c --- /dev/null +++ b/legacy/machines/sns45.nix @@ -0,0 +1,45 @@ +# Configured as a workstation for @lschuermann + +{ config, pkgs, ... }: + +let + hostname = "sns45"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget vim htop tmux nload iftop dnsutils gitAndTools.gitFull gnupg + gitAndTools.git-annex mtr bc zip unzip nmap nix-prefetch-git pdftk + imagemagick ghostscript rclone + ]; + + programs.mosh.enable = true; + + users.mutableUsers = false; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; + + users.users.jenn = { + isNormalUser = true; + openssh.authorizedKeys.keys = + (utils.githubSSHKeys "jl3953") + ++ [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIeQ6wf0yUvjtkM5S9LMbcvvSjl3iYnxlYHPCgoRvSK JuiceSSH" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVkRUb04W5PGOi22YLMYsn9/Xs+IAsM+dzuiayuQ3fO jl87@princeton.edu" + ]; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOD4XspKe2E5BhBmx+GtRHdRR72+Q7wC7nFHbDj1VVzJ lschuermann/silicon/sns-nixbuild" + ]; +} diff --git a/legacy/machines/sns49.nix b/legacy/machines/sns49.nix new file mode 100644 index 0000000..c374ad9 --- /dev/null +++ b/legacy/machines/sns49.nix @@ -0,0 +1,35 @@ +# Configured as a workstation for @linanqinqin + +{ config, pkgs, ... }: + +let + hostname = "sns49"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + ]; + + programs.mosh.enable = true; + + users.mutableUsers = false; + + users.users.linanqinqin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9XMuiS7A+rQq2Q7/wIwqFCdbBEI0vXEoLU0DCwPl1KAfvdMM1w46y6+WAv66NMgjDa9wcwjdTBugMdMvWfm6UnEV7XIEbYtK9C9NO4/2gYMcIuMU2KHhoMJ86CIKGrwTDvvmvnFuPdrtIrhH66fg2qPMMUPhlQ93KlFsD+bKdQaKIIewLQaPgECuR/wb8a5qmmpAGdGLMGu+RXVJO71kiPdO999V0g1+pBA1FOqkuUUiE7nYQQfZl5PiaiqnI4PeR5qV1HWOkpNESfdzkrMXG/aa9/sOjl/q3DK6kmAIy0iaqm4V7SWWSz7WCQIXAWfFORdbpMaCtDaRPMShzQY6F linanqinqin@linanqinqindeMacBook-Pro.local +" ]; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/legacy/machines/sns51.nix b/legacy/machines/sns51.nix new file mode 100644 index 0000000..940af6d --- /dev/null +++ b/legacy/machines/sns51.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +let + hostname = "sns51"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + ]; + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + # For Leopard caching project + users.users.theano = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "theanoli"; + }; + + users.users.nkaas = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "nickaashoek"; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/legacy/machines/sns52.nix b/legacy/machines/sns52.nix new file mode 100644 index 0000000..664aaf4 --- /dev/null +++ b/legacy/machines/sns52.nix @@ -0,0 +1,47 @@ +# @davidhliu uses this machine as a workstation + +{ config, pkgs, ... }: + +let + hostname = "sns52"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + ]; + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + users.users.davidhliu= { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "LedgeDash"; + }; + + users.users.neilagarwal = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" "docker"]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "neilsagarwal"; + }; + + users.users.ruipan = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" "docker"]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "ruipeterpan"; + }; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; +} diff --git a/legacy/machines/sns57.nix b/legacy/machines/sns57.nix new file mode 100644 index 0000000..968028b --- /dev/null +++ b/legacy/machines/sns57.nix @@ -0,0 +1,31 @@ +# @theanoli using to run simulations that require lots of memory. + +{ config, pkgs, ... }: + +let + hostname = "sns57"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configurat for all machines (locale, SSHd, updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + git + ]; + + programs.mosh.enable = true; + + virtualisation.docker.enable = true; + + services.openssh.forwardX11 = true; + + users.users.theano = { + isNormalUser = true; + extraGroups = [ "wheel" "kvm" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "theanoli"; + }; +} diff --git a/machines/sns59.nix b/legacy/machines/sns59.nix similarity index 100% rename from machines/sns59.nix rename to legacy/machines/sns59.nix diff --git a/machines/sns60.nix b/legacy/machines/sns60.nix similarity index 100% rename from machines/sns60.nix rename to legacy/machines/sns60.nix diff --git a/machines/sns61.nix b/legacy/machines/sns61.nix similarity index 100% rename from machines/sns61.nix rename to legacy/machines/sns61.nix diff --git a/legacy/machines/sns62.nix b/legacy/machines/sns62.nix new file mode 100644 index 0000000..303e9e1 --- /dev/null +++ b/legacy/machines/sns62.nix @@ -0,0 +1,60 @@ +# Configured as a workstation for @lschuermann to execute Vivado +# builds on. +# +# Vivado is installed through a release evaluation of +# https://github.com/lschuermann/tock-litex and adding the resulting +# derivation as a GC root (/nix/var/nix/gcroots/custom/). The actual +# Vivado package needs to be added to the Nix store as documented in +# "Adding files to the store" of https://nixos.wiki/wiki/Cheatsheet. + +{ config, pkgs, lib, ... }: + +let + hostname = "sns62"; + common = (import ./common.nix) { hostname = hostname; }; + utils = import ../utils; +in { + + # Import common configuration for all machines (locale, SSHd, + # updates...) + imports = [ common ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget vim htop tmux nload iftop dnsutils gitAndTools.gitFull gnupg + gitAndTools.git-annex mtr bc zip unzip nmap nix-prefetch-git pdftk + imagemagick ghostscript rclone + ]; + + programs.mosh.enable = true; + + users.mutableUsers = false; + + users.users.leons = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOD4XspKe2E5BhBmx+GtRHdRR72+Q7wC7nFHbDj1VVzJ lschuermann/silicon/sns-nixbuild" + ]; + + users.users.noiseeval = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = ( + lib.flatten ( + builtins.map utils.githubSSHKeys [ + "alevy" + "lschuermann" + "leochanj105" + "scaspin" + ] + ) + ) ++ [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBrOyN+OmWSv0/RYd7jK+TKx4tMO5Fuz8wyaMUR+j6A noise-eval-peer-key" + ]; + }; +} diff --git a/machines/sns9.nix b/legacy/machines/sns9.nix similarity index 100% rename from machines/sns9.nix rename to legacy/machines/sns9.nix diff --git a/test/.gitignore b/legacy/test/.gitignore similarity index 100% rename from test/.gitignore rename to legacy/test/.gitignore diff --git a/test/default.nix b/legacy/test/default.nix similarity index 100% rename from test/default.nix rename to legacy/test/default.nix diff --git a/test/ssh.sh b/legacy/test/ssh.sh similarity index 100% rename from test/ssh.sh rename to legacy/test/ssh.sh diff --git a/test/test.sh b/legacy/test/test.sh similarity index 100% rename from test/test.sh rename to legacy/test/test.sh diff --git a/utils/default.nix b/legacy/utils/default.nix similarity index 100% rename from utils/default.nix rename to legacy/utils/default.nix diff --git a/utils/deplorable.nix b/legacy/utils/deplorable.nix similarity index 100% rename from utils/deplorable.nix rename to legacy/utils/deplorable.nix diff --git a/utils/matrix-slack.nix b/legacy/utils/matrix-slack.nix similarity index 100% rename from utils/matrix-slack.nix rename to legacy/utils/matrix-slack.nix diff --git a/utils/matrix-synapse-localpart.patch b/legacy/utils/matrix-synapse-localpart.patch similarity index 100% rename from utils/matrix-synapse-localpart.patch rename to legacy/utils/matrix-synapse-localpart.patch diff --git a/utils/matrix.nix b/legacy/utils/matrix.nix similarity index 100% rename from utils/matrix.nix rename to legacy/utils/matrix.nix diff --git a/machines/sns26.nix b/machines/sns26.nix index 655bb58..00e5b5d 100644 --- a/machines/sns26.nix +++ b/machines/sns26.nix @@ -1,38 +1,115 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let - hostname = "sns26"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { - - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git + snsHosts = [ + # alpha machines + # beta machines + "sns26" "sns29" "sns30" "sns31" "sns32" "sns33" "sns35" "sns38" "sns40" + "sns41" "sns43" "sns44" "sns45" "sns46" "sns47" "sns49" "sns50" "sns51" + "sns52" "sns54" "sns55" "sns57" "sns58" + # gamma machines + "sns62" ]; - programs.mosh.enable = true; - - networking.firewall.allowedTCPPorts = [ - # Frida server - 8000 +in +{ + imports = [ + ../sns-cluster ]; - virtualisation.docker.enable = true; + networking = { + hostId = "90591947"; + hostName = "sns26"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/ata-WDC_WD1003FBYX-01Y7B0_WD-WCAW30746204"; + partUUID = "6C32-5AFA"; + } { + diskNode = "/dev/disk/by-id/ata-WDC_WD1003FBYX-01Y7B0_WD-WCAW30858349"; + partUUID = "A9E0-4E85"; + } ]; + + swapPartUUIDs = [ + "9463b40d-f607-416c-af0c-d95c9ff1eb6f" + "f73cb467-270f-405a-a406-3d64808b68b8" + ]; + }; + }; + + # ---------- ZFS Backup Server ----------------------------------------------- - users.users.npopescu = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "nataliepopescu"; + fileSystems."/var/lib/syncoid" = { + device = "/var/state/syncoid-home"; + fsType = "none"; + options = [ "bind" ]; }; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + services.syncoid = { + enable = true; + sshKey = "/var/lib/syncoid/.ssh/id_ed25519"; + commands = let + hostCommand = hostname: { + # Created beforehand using: + # zfs create -o mountpoint=none -o compression=lz4 rpool/cluster-backups + target = "rpool/cluster-backups/${hostname}"; + source = "backup-ssh@${hostname}.cs.princeton.edu:rpool/state"; + recursive = true; + extraArgs = [ "--keep-sync-snap" ]; + }; + in + lib.genAttrs snsHosts hostCommand; }; + + systemd.services = builtins.listToAttrs (builtins.map (h: lib.nameValuePair "syncoid-${h}" { + serviceConfig = { + ExecStartPre = lib.mkBefore [ + "-+${pkgs.zfs}/bin/zfs create -o mountpoint=none rpool/cluster-backups/${h}" + ]; + }; + }) snsHosts); + + # ---------- Prometheus Monitoring Server ------------------------------------ + + fileSystems."/var/lib/prometheus" = { + device = "rpool/state/prometheus-state"; + fsType = "zfs"; + }; + + services.prometheus = { + enable = true; + stateDir = "prometheus"; + webExternalUrl = "http://sns26.cs.princeton.edu:${ + toString config.services.prometheus.port}/"; + + scrapeConfigs = [ { + job_name = "cluster_node"; + scheme = "http"; + metrics_path = "/metrics"; + static_configs = [ { + targets = + builtins.map + (hostname: "${hostname}.cs.princeton.edu:9100") + snsHosts; + } ]; + } ]; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns29.nix b/machines/sns29.nix index d0f20b1..16efd35 100644 --- a/machines/sns29.nix +++ b/machines/sns29.nix @@ -1,42 +1,38 @@ -# Configured as a workstation for @alevy, primarily for testing stuff on the -# cluster. If this comment is still here after November 2020, you can take over -# this machine with a PR. +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns29"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { +{ + imports = [ + ../sns-cluster + ]; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + networking = { + hostId = "c053498f"; + hostName = "sns29"; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - programs.mosh.enable = true; + sns-machine = { + enable = true; - users.mutableUsers = false; + family.beta = { + enable = true; - users.users.alevy = { - isNormalUser = true; - extraGroups = [ "wheel" "snapfaas" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "alevy"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2056ef57a"; + partUUID = "419B-AED0"; + } ]; + swapPartUUIDs = [ "fbff7844-2d08-402e-bce4-6fd5da1a9136" ]; + }; }; - users.users.yue = { - isNormalUser = true; - extraGroups = [ "wheel" "snapfaas" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "tan-yue"; - }; - - users.users.kw22 = { - isNormalUser = true; - extraGroups = [ "snapfaas" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "kw1122"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns30.nix b/machines/sns30.nix new file mode 100644 index 0000000..a639a18 --- /dev/null +++ b/machines/sns30.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "9d10b77c"; + hostName = "sns30"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b01fc4d2"; + partUUID = "19B6-4039"; + } ]; + swapPartUUIDs = [ "b18d8c6b-fdba-454b-be97-9b5e65668e6c" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns31.nix b/machines/sns31.nix index c28e8ba..469ecc5 100644 --- a/machines/sns31.nix +++ b/machines/sns31.nix @@ -1,39 +1,38 @@ -# Configured as a workstation for Jianan -# Current project users include Jianan, and Haoyu. +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: +{ + imports = [ + ../sns-cluster + ]; -let - hostname = "sns31"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { + networking = { + hostId = "c722e193"; + hostName = "sns31"; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - ]; + sns-machine = { + enable = true; - programs.mosh.enable = true; + family.beta = { + enable = true; - users.users.haoyu = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "Lei-Houjyu"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee25ac85c0c"; + partUUID = "E885-750C"; + } ]; + swapPartUUIDs = [ "b4349614-2956-49fe-a3a5-9647fdcdacaf" ]; + }; }; - users.users.jiananl= { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "amberlu"; - }; - - users.users.araina= { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "ashwiniraina"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns32.nix b/machines/sns32.nix index c8711bf..1c5b3c2 100644 --- a/machines/sns32.nix +++ b/machines/sns32.nix @@ -1,27 +1,38 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -let - hostname = "sns32"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { +{ + imports = [ + ../sns-cluster + ]; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + networking = { + hostId = "058bec76"; + hostName = "sns32"; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - programs.mosh.enable = true; + sns-machine = { + enable = true; - virtualisation.docker.enable = true; + family.beta = { + enable = true; - users.users.scaspin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "scaspin"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b01fccde"; + partUUID = "FEFD-A14A"; + } ]; + swapPartUUIDs = [ "3e9a6b15-7301-461d-a06a-6e3bdea11137" ]; + }; }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns33.nix b/machines/sns33.nix index 5fa5d5f..d572475 100644 --- a/machines/sns33.nix +++ b/machines/sns33.nix @@ -1,66 +1,38 @@ -# Configured as a workstation for @lei +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns33"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; - kubeMasterIP = "10.1.1.2"; - kubeMasterHostname = "api.kube"; - kubeMasterAPIServerPort = 6443; -in { - - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; +{ + imports = [ + ../sns-cluster + ]; - networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; + networking = { + hostId = "0e5eb4d2"; + hostName = "sns33"; - services.kubernetes = { - roles = ["master" "node"]; - masterAddress = kubeMasterHostname; - apiserverAddress = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}"; - easyCerts = true; - apiserver = { - securePort = kubeMasterAPIServerPort; - advertiseAddress = kubeMasterIP; + interfaces."enp1s0f0" = { + useDHCP = true; }; - - # use coredns - addons.dns.enable = true; - - # needed if you use swap - kubelet.extraOpts = "--fail-swap-on=false"; }; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git zip unzip - vim tmux wget docker-compose kubectl kompose kubernetes helm - ]; - - programs.mosh.enable = true; + sns-machine = { + enable = true; - virtualisation.docker.enable = true; + family.beta = { + enable = true; - users.mutableUsers = false; - - users.users.lei = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "geraldleizhang"; - }; - - users.users.leochanj = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "leochanj105"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b01fe0fe"; + partUUID = "0E6B-35DA"; + } ]; + swapPartUUIDs = [ "777dd6c5-d51e-40c0-b3ff-7e4b312d7185" ]; + }; }; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns35.nix b/machines/sns35.nix new file mode 100644 index 0000000..12790a3 --- /dev/null +++ b/machines/sns35.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "dabd6fbb"; + hostName = "sns35"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee20579d031"; + partUUID = "AA27-F5BD"; + } ]; + swapPartUUIDs = [ "8ef162ee-1137-4cd8-ad5b-b2aefb2dfad6" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns38.nix b/machines/sns38.nix new file mode 100644 index 0000000..ce6eb5c --- /dev/null +++ b/machines/sns38.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "412c25a4"; + hostName = "sns38"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2aff322b2"; + partUUID = "8764-931D"; + } ]; + swapPartUUIDs = [ "1d5c4bcd-5c0d-40f6-8c9d-2bdf172ccd48" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns40.nix b/machines/sns40.nix new file mode 100644 index 0000000..cdfb3d2 --- /dev/null +++ b/machines/sns40.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "9e0b0fef"; + hostName = "sns40"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee25acf0dd3"; + partUUID = "7182-6C12"; + } ]; + swapPartUUIDs = [ "9b73b683-9c96-4d86-9368-f7551acf87a3" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns41.nix b/machines/sns41.nix new file mode 100644 index 0000000..e566097 --- /dev/null +++ b/machines/sns41.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "7eac84cc"; + hostName = "sns41"; + + interfaces."enp1s0f1" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b013dd19"; + partUUID = "009F-1B97"; + } ]; + swapPartUUIDs = [ "e27730be-65f9-4e7d-bf61-3dbe80d2a6dd" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns43.nix b/machines/sns43.nix new file mode 100644 index 0000000..eed72ca --- /dev/null +++ b/machines/sns43.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "428205a1"; + hostName = "sns43"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b024c61f"; + partUUID = "3921-AE59"; + } ]; + swapPartUUIDs = [ "29b106d3-4955-4b14-9bc8-3f7686cae714" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns44.nix b/machines/sns44.nix index 3779f47..399bced 100644 --- a/machines/sns44.nix +++ b/machines/sns44.nix @@ -1,77 +1,38 @@ -# @yuetan uses this machine as a testbed for securefaas project +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns44"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; - snapfaasSrc = pkgs.fetchFromGitHub { - owner = "princeton-sns"; - repo = "snapfaas"; - rev = "9791be9d108dd45abf50d9a62681d7a0f61613d5"; - sha256 = "sha256-ZJS7GDW7lBILrMKrKXxLAw5gjKunSai27RO3oZvJAn4="; - }; - snapfaas = (import snapfaasSrc { inherit pkgs; release = false; }).snapfaas; -in { - - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - snapfaas lkl lmdb python39Full e2fsprogs gnumake wget - vim tmux +{ + imports = [ + ../sns-cluster ]; - # Expose port for development snapfaas webhook server - networking.firewall.allowedTCPPorts = [ 8080 ]; + networking = { + hostId = "fe81c10c"; + hostName = "sns44"; - fileSystems."/nfs/home" = { - device = "adam-new.cs.princeton.edu:/home"; - fsType = "nfs4"; + interfaces."enp1s0f1" = { + useDHCP = true; + }; }; + sns-machine = { + enable = true; - programs.mosh.enable = true; - - virtualisation.docker.enable = true; + family.beta = { + enable = true; - users.users.yuetan = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "tan-yue"; - }; - - users.users.alevy = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "alevy"; - }; - - users.users.cherrypiejam = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" "docker" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "cherrypiejam"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee25acc6d1c"; + partUUID = "D6A2-8C75"; + } ]; + swapPartUUIDs = [ "28b6f349-0383-4e30-a1ed-8e9856743111" ]; + }; }; - users.users.atli = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" "docker" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "ATLi2001"; - }; - - users.users.scaspin = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" "docker" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "scaspin"; - }; - - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns45.nix b/machines/sns45.nix index 7c7de1c..2146329 100644 --- a/machines/sns45.nix +++ b/machines/sns45.nix @@ -1,45 +1,38 @@ -# Configured as a workstation for @lschuermann +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns45"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { - - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - wget vim htop tmux nload iftop dnsutils gitAndTools.gitFull gnupg - gitAndTools.git-annex mtr bc zip unzip nmap nix-prefetch-git pdftk - imagemagick ghostscript rclone +{ + imports = [ + ../sns-cluster ]; - programs.mosh.enable = true; - - users.mutableUsers = false; + networking = { + hostId = "18e30b23"; + hostName = "sns45"; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + interfaces."enp1s0f0" = { + useDHCP = true; + }; }; - users.users.jenn = { - isNormalUser = true; - openssh.authorizedKeys.keys = - (utils.githubSSHKeys "jl3953") - ++ [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIeQ6wf0yUvjtkM5S9LMbcvvSjl3iYnxlYHPCgoRvSK JuiceSSH" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVkRUb04W5PGOi22YLMYsn9/Xs+IAsM+dzuiayuQ3fO jl87@princeton.edu" - ]; + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee25abfe404"; + partUUID = "BFC9-B709"; + } ]; + swapPartUUIDs = [ "43729736-39c3-4895-abc2-bb7f698b0d96" ]; + }; }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOD4XspKe2E5BhBmx+GtRHdRR72+Q7wC7nFHbDj1VVzJ lschuermann/silicon/sns-nixbuild" - ]; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns46.nix b/machines/sns46.nix new file mode 100644 index 0000000..54a4407 --- /dev/null +++ b/machines/sns46.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "326ac1ae"; + hostName = "sns46"; + + interfaces."enp1s0f1" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2057821ec"; + partUUID = "DF1F-1A9A"; + } ]; + swapPartUUIDs = [ "200dc0d3-d620-4803-8749-0f98deb2c20b" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns47.nix b/machines/sns47.nix new file mode 100644 index 0000000..5e45cd7 --- /dev/null +++ b/machines/sns47.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "2c5a3fb2"; + hostName = "sns47"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b024c595"; + partUUID = "DC5B-F786"; + } ]; + swapPartUUIDs = [ "845bded3-b77e-4557-9270-206b09de08f5" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns49.nix b/machines/sns49.nix index c374ad9..967df0b 100644 --- a/machines/sns49.nix +++ b/machines/sns49.nix @@ -1,35 +1,38 @@ -# Configured as a workstation for @linanqinqin +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns49"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { +{ + imports = [ + ../sns-cluster + ]; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + networking = { + hostId = "fa526a52"; + hostName = "sns49"; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - programs.mosh.enable = true; + sns-machine = { + enable = true; - users.mutableUsers = false; + family.beta = { + enable = true; - users.users.linanqinqin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9XMuiS7A+rQq2Q7/wIwqFCdbBEI0vXEoLU0DCwPl1KAfvdMM1w46y6+WAv66NMgjDa9wcwjdTBugMdMvWfm6UnEV7XIEbYtK9C9NO4/2gYMcIuMU2KHhoMJ86CIKGrwTDvvmvnFuPdrtIrhH66fg2qPMMUPhlQ93KlFsD+bKdQaKIIewLQaPgECuR/wb8a5qmmpAGdGLMGu+RXVJO71kiPdO999V0g1+pBA1FOqkuUUiE7nYQQfZl5PiaiqnI4PeR5qV1HWOkpNESfdzkrMXG/aa9/sOjl/q3DK6kmAIy0iaqm4V7SWWSz7WCQIXAWfFORdbpMaCtDaRPMShzQY6F linanqinqin@linanqinqindeMacBook-Pro.local -" ]; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2056e671c"; + partUUID = "1854-B4E0"; + } ]; + swapPartUUIDs = [ "6f60a562-e50e-4751-9384-a739cf107b6c" ]; + }; }; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? } diff --git a/machines/sns50.nix b/machines/sns50.nix new file mode 100644 index 0000000..1c3e524 --- /dev/null +++ b/machines/sns50.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "aefa0501"; + hostName = "sns50"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b0184a5a"; + partUUID = "24C6-D10A"; + } ]; + swapPartUUIDs = [ "4d66a96c-be2b-4164-a631-88a449812e32" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns51.nix b/machines/sns51.nix index 940af6d..c2a5ab8 100644 --- a/machines/sns51.nix +++ b/machines/sns51.nix @@ -1,40 +1,38 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -let - hostname = "sns51"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { - - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git +{ + imports = [ + ../sns-cluster ]; - programs.mosh.enable = true; - - virtualisation.docker.enable = true; + networking = { + hostId = "f30dbdc9"; + hostName = "sns51"; - # For Leopard caching project - users.users.theano = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "theanoli"; + interfaces."enp1s0f0" = { + useDHCP = true; + }; }; - users.users.nkaas = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "nickaashoek"; - }; + sns-machine = { + enable = true; + + family.beta = { + enable = true; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b024b8e4"; + partUUID = "89AB-A4B9"; + } ]; + swapPartUUIDs = [ "c57edc5d-3854-43ec-8722-4891daca0e6f" ]; + }; }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns52.nix b/machines/sns52.nix index 664aaf4..4bb4bbc 100644 --- a/machines/sns52.nix +++ b/machines/sns52.nix @@ -1,47 +1,38 @@ -# @davidhliu uses this machine as a workstation +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns52"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { +{ + imports = [ + ../sns-cluster + ]; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + networking = { + hostId = "9904e2c0"; + hostName = "sns52"; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - programs.mosh.enable = true; + sns-machine = { + enable = true; - virtualisation.docker.enable = true; + family.beta = { + enable = true; - users.users.davidhliu= { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "LedgeDash"; - }; - - users.users.neilagarwal = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" "docker"]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "neilsagarwal"; - }; - - users.users.ruipan = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" "docker"]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "ruipeterpan"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee25ac879f0"; + partUUID = "7861-7897"; + } ]; + swapPartUUIDs = [ "4103ad2d-d8a2-4ff3-bc90-3fded876d32b" ]; + }; }; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; - }; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns54.nix b/machines/sns54.nix new file mode 100644 index 0000000..3ad8acf --- /dev/null +++ b/machines/sns54.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "63fdab54"; + hostName = "sns54"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2056bad25"; + partUUID = "654C-06D0"; + } ]; + swapPartUUIDs = [ "010d994e-7c74-4b56-81bf-358e917ef4d5" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns55.nix b/machines/sns55.nix new file mode 100644 index 0000000..6c4a11c --- /dev/null +++ b/machines/sns55.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "93dc2efa"; + hostName = "sns55"; + + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b01dd732"; + partUUID = "52E5-550F"; + } ]; + swapPartUUIDs = [ "6202fa9c-24b4-4c93-a9f1-67d9f693e156" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns57.nix b/machines/sns57.nix index 968028b..f7af10c 100644 --- a/machines/sns57.nix +++ b/machines/sns57.nix @@ -1,31 +1,38 @@ -# @theanoli using to run simulations that require lots of memory. +{ config, pkgs, lib, ... }: -{ config, pkgs, ... }: - -let - hostname = "sns57"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { +{ + imports = [ + ../sns-cluster + ]; - # Import common configurat for all machines (locale, SSHd, updates...) - imports = [ common ]; + networking = { + hostId = "292ab2b1"; + hostName = "sns57"; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - ]; + interfaces."enp1s0f0" = { + useDHCP = true; + }; + }; - programs.mosh.enable = true; + sns-machine = { + enable = true; - virtualisation.docker.enable = true; - - services.openssh.forwardX11 = true; + family.beta = { + enable = true; - users.users.theano = { - isNormalUser = true; - extraGroups = [ "wheel" "kvm" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "theanoli"; + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee205724b8a"; + partUUID = "3A45-C519"; + } ]; + swapPartUUIDs = [ "1aea070e-bcfa-439c-baeb-b23869be1120" ]; + }; }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/machines/sns58.nix b/machines/sns58.nix new file mode 100644 index 0000000..a7829eb --- /dev/null +++ b/machines/sns58.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "451e68a5"; + hostName = "sns58"; + + interfaces."eno1" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "/dev/disk/by-id/wwn-0x50014ee2b019cff0"; + partUUID = "AD41-DF10"; + } ]; + swapPartUUIDs = [ "05f35901-01ee-4177-bbac-97e895f7d1d1" ]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/machines/sns62.nix b/machines/sns62.nix index 303e9e1..46353c9 100644 --- a/machines/sns62.nix +++ b/machines/sns62.nix @@ -1,60 +1,56 @@ -# Configured as a workstation for @lschuermann to execute Vivado -# builds on. -# -# Vivado is installed through a release evaluation of -# https://github.com/lschuermann/tock-litex and adding the resulting -# derivation as a GC root (/nix/var/nix/gcroots/custom/). The actual -# Vivado package needs to be added to the Nix store as documented in -# "Adding files to the store" of https://nixos.wiki/wiki/Cheatsheet. - { config, pkgs, lib, ... }: -let - hostname = "sns62"; - common = (import ./common.nix) { hostname = hostname; }; - utils = import ../utils; -in { - - # Import common configuration for all machines (locale, SSHd, - # updates...) - imports = [ common ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - wget vim htop tmux nload iftop dnsutils gitAndTools.gitFull gnupg - gitAndTools.git-annex mtr bc zip unzip nmap nix-prefetch-git pdftk - imagemagick ghostscript rclone +{ + imports = [ + ../sns-cluster ]; - programs.mosh.enable = true; + networking = { + hostId = "056f1814"; + hostName = "sns62"; - users.mutableUsers = false; + interfaces.enp4s0f0 = { + useDHCP = true; + }; + }; - users.users.leons = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = utils.githubSSHKeys "lschuermann"; + sns-machine = { + enable = true; + + family.gamma = { + enable = true; + + bootDiskNode = "/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSAD725594H"; + bootPartUUID = "070D-17EA"; + swapPartUUID = "35d57daa-feaf-4c37-92d9-3987791de9c1"; + }; }; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOD4XspKe2E5BhBmx+GtRHdRR72+Q7wC7nFHbDj1VVzJ lschuermann/silicon/sns-nixbuild" + # leons + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9XgOJNVpO00+p04GwoL0viFco4p24PrsPzvsCOiAETJ6ttYiOFjYrpjQvNLsDse0PcW+duhtjyyp+Y7JZaOTeG6FX1Y8j6gDCUML58f4NlKtnWzfMftYkVO8QeYzdjJhG3J2zBXuqMmen7elVgZouvM/H47X620q7BssTTS1YIVnXxNn5jip8UbSJ1073MnUuTjSGrmS9yyLQx4Ka9/u6zzPDASw6OWXyzoXkWVpU5VzAqYk8Ob9C+lFQw5LMERsQBADoNB+kg/m+OoKS7XXu9+WFdTKsqhy7/c6hijRPaNsP/JRfsxEyjF+Y8LyokU2OXq0MWM0xZrt8O3/DsXAKqyIrGCVPQX+eeXvqP8LusFm2CDe8zoUeyLXvBdZX6Xxyy00OHHQRsuIbBYCJOUMbmDwIcEaC4DELjcNFZXJQYhj2hvB2sQvTMjnS58FDkD+IgVTTlTTzkEiDwbIV6lHbSqzA6AvZtZXd1+rQ4wFIT0clQhAGpBWKN+8Cotl51yC+P+nbU9xlCXM17Q3Pev2sjZFx1VU3oa5SEzEv74aWhUDCaATun/ebi/1Scm3ekOsiPVHuUBm9a2GUMYIuAOTL6W9AM2zZJ8xWkJw5Rj1eQnIDwD9izCRR1gJXlkTYwLn6ZnLawX6FS6Vvj5NV8mjjU4xlhnwaWF0b/Jmm3E966w==" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGtanFKH41B3/4piGmhl82gh0AsGACkDV85vUcWHJhrY8AkrVSphnrpL62gY7R6/Rx3AZ+6A+GYoICJa/V4qWUkKryOavZ9xe164JeFtFFN/CrDsIWCLdMyvQ5JO0zc5QmUCRX/UfRzjRzf+y6QdnIoNw5tV2E0zQj9g68I7uNEuuYNmQLg2EyoOE0qtxFTMBEcRzocvVx2QoErDOWD17fDhjc1kR7D7lMVI8jIqRFEQQO3ke6YTXkJAVtjjELqcnSERq58qDKZm9HuYtiUe8cgiBe1UdD8lHTwAGbEE1mSV0IsAOxEoo1BkjBhrYqUxPwfObZwt6TkTF/tbuZkU+m4RU09j2FqliXe66cpDeyAs/C88QObsrqCHb3JJa1GtAp8JSeiELadYYKgiVJibVpb8mBksRxeCruk1Jr9DeAmKVeF/tTect9YALD8qTQNnsyBh0r7HMxyBEze5O6RAV2rnjWHxYIj9oBj8V/q+cykEUXfc4M8rHn/dt72h/LcL3jaYvQwecJjOCW2xW2/sGWkhJ7ittPV7aeOcL9TqG6mggukBjgM/TtPFxsjduxNZ2YSUgVHdmaRsfyDDMfXtdjfCdRcCxslRwQTgl8X2Kb5M0CsQSmWas7vb6JhBLyDPYWWJyxSzb98P3flq9qZjQlVaAiP6asYLDSoKMDYoY7Rw==" + "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLRUBvcGp1IPw+c1dBZhe5tpnrd3SwmAPU5NPz0rlVgKrsY0xF6VPRkxx8RiMicT+1lb/gaAgXpjr2gAWOrykx9ICrWOD46LocF7RmYPclhviRoPrIDQ9lr+tgBXVSRKew==" + "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAAEifRTFU66SfUXr7eSsBQW1/znzR05dSDCy9eA8eJIbE4kIjqR1hFTKxI+dc2R6jGQK/DxPzLmg/aIRzH6fankH6gWNjpczP0MC1jgSRCqLTQe+TpyVnQ1f/1fPYCSOQ==" + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBKIVUBFIc4BI9yp3gmlCWA4MAm/22rgisu6BJivBfaPq/ELEZChxpfTPIAWMM0UUU53UppWRdI7Q3fdlYommOOAAAAAXaWRfeXViaWtleTVfc2tAYmxpbmsuc2g=" + + # alevy + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0UMDPmdytTJ2J1y/FsvReZRFTl7WA2HB0GVMWyUP5R" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBbxJcPHPkhNwCuoa0wJvK4WHT/GVX7g3JjJFTZvXSc6eDgSr6r1oynlNO5jlr68AVAWxbkckfw6TAtdfuCxcrZQe+xMJ0UWmstR5Ed7poAbkU6uSrA8nLI0tl3Swuc87wq/qpX8nkEJR5oAGzNp0ZPTH7kshx3ZE/2n3XXLuyaYme68YhKk3MiVU8jz5J9NUeH4zeTdHKFMnydy4ORg+pVc/8esauQyiITk/SDRXIO56DEnpZQGu96gHVBDwtx8GxbnmEnumKsxiOR3aXbGFVF1FhlDyUKQKqm28GBJyByRiQuDVI06+ZhCLzrq3wiPbtxmctdBcVLP2KpqPYQPWZ" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCReHVoVeXfqK8bbIcotwhUBrt7u2T6IQNKMysmJF42" ]; - users.users.noiseeval = { + users.users.leons = { isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = ( - lib.flatten ( - builtins.map utils.githubSSHKeys [ - "alevy" - "lschuermann" - "leochanj105" - "scaspin" - ] - ) - ) ++ [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBrOyN+OmWSv0/RYd7jK+TKx4tMO5Fuz8wyaMUR+j6A noise-eval-peer-key" - ]; + contactEmail = "leon@is.currently.online"; }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? } + diff --git a/secrets/.gpg-id b/secrets/.gpg-id new file mode 100644 index 0000000..88f2d23 --- /dev/null +++ b/secrets/.gpg-id @@ -0,0 +1,2 @@ +59D593461D9FF82BC1D2A579C7FF8B0BACB5F9DB +234D4159006E8F8FA6F04B2ADCAFEB752B7AE8F9 diff --git a/secrets/ipmi-password.gpg b/secrets/ipmi-password.gpg new file mode 100644 index 0000000..361d7f3 Binary files /dev/null and b/secrets/ipmi-password.gpg differ diff --git a/secrets/root-password.gpg b/secrets/root-password.gpg new file mode 100644 index 0000000..fef74ff Binary files /dev/null and b/secrets/root-password.gpg differ diff --git a/sns-cluster-install.sh b/sns-cluster-install.sh new file mode 100755 index 0000000..dd214f3 --- /dev/null +++ b/sns-cluster-install.sh @@ -0,0 +1,256 @@ +#!/usr/bin/env bash + +set -e + +echo "Princeton SNS Cluster Install Script. Hello World!" +echo "==================================================" +echo + +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run as root!" + exit 1 +fi + +# Make sure we're not booted into an EFI system. For now, only BIOS +# boot is supported. +if [ -d /sys/firmware/efi ]; then + echo "Error: EFI boot is currently supported..." + exit 1 +fi + +SWAP_PART_NODE="" +BOOT_PART_NODE="" + +function boot_setup_single() { + echo "Please enter the /dev/ device node name to partition and create a ZFS pool on." + echo "WARNING: This will destroy all data on the device!" + + read -rp "/dev/" BOOT_DEV_NODE + if [ ! -b "/dev/$BOOT_DEV_NODE" ]; then + echo "/dev/$BOOT_DEV_NODE does not exist." + return + fi + + # Partition the drive: + echo "--> Partitioning drive..." + parted -s -a optimal --script "/dev/$BOOT_DEV_NODE" unit s \ + mklabel gpt \ + disk_set pmbr_boot on \ + mkpart bios_boot 2048 4095 \ + set 1 bios_grub on \ + mkpart boot fat32 4096 2101247 \ + mkpart swap linux-swap 2101248 10489855 \ + mkpart rpool 10489856 "100%" + + # Reload the partition table + partprobe + + # Format the boot & swap partitions: + BOOT_PART_NODE="${BOOT_DEV_NODE}2" + echo "--> Formatting boot partition on /dev/$BOOT_PART_NODE..." + mkfs.vfat "/dev/$BOOT_PART_NODE" + SWAP_PART_NODE="${BOOT_DEV_NODE}3" + echo "--> Formatting swap partition on /dev/$SWAP_PART_NODE..." + mkswap "/dev/${SWAP_PART_NODE}" + + # Create the ZFS root pool + echo "--> Creating ZFS root pool \"rpool\"" + zpool create -f \ + -o ashift=12 \ + -o autotrim=on \ + -O acltype=posixacl \ + -O compression=lz4 \ + -O dnodesize=auto \ + -O normalization=formD \ + -O relatime=on \ + -O xattr=sa \ + -O mountpoint=none \ + rpool "/dev/${BOOT_DEV_NODE}4" +} + +function boot_config_select() { + echo "This system has the following drives attached:" + lsblk + read -rp "Setup a (s)ingle boot drive, (r)AID-1 ZFS pool, (m)anual config or (q)uit? > " BOOT_CONFIG_TYPE + if [ "$BOOT_CONFIG_TYPE" == "s" ]; then + RET=0; boot_setup_single || RET=$? + return $RET + elif [ "$BOOT_CONFIG_TYPE" == "r" ]; then + echo "RAID-1 boot setup is not yet supported." + return 1 + elif [ "$BOOT_CONFIG_TYPE" == "m" ]; then + echo "Manual configuration selected. Interrupt this script with C-z." + echo "Set up the boot partition and root ZFS pool (named rpool)." + echo "When done, bring the script into foreground with fg and press ENTER." + echo "We will then prompt for the boot and (if created) swap part device nodes." + read -rp "> PRESS ENTER WHEN READY" + read -rp "Boot disk device node > /dev/" BOOT_DEV_NODE + read -rp "Boot part device node > /dev/" BOOT_PART_NODE + read -rp "Swap part device node (leave empty if no swap) > /dev/" SWAP_PART_NODE + elif [ "$BOOT_CONFIG_TYPE" == "q" ]; then + exit 0 + else + echo "Unknown command, please try again. Enter \"q\" to quit." + return 1 + fi +} + +BOOT_CONFIG_DONE=0 +while [ $BOOT_CONFIG_DONE -eq 0 ]; do + if boot_config_select; then + if [ ! -b "/dev/$BOOT_PART_NODE" ]; then + echo "Boot partition /dev/$BOOT_PART_NODE does not appear to be a block device." + elif ! zpool list -H rpool > /dev/null; then + echo "ZFS pool \"rpool\" not found." + else + if [ "$(zfs list -H rpool -d1 | wc -l)" -gt 1 ]; then + echo "Warning: ZFS pool \"rpool\" does not seem to be empty." + fi + BOOT_CONFIG_DONE=1 + fi + else + echo "Whoops, that didn't work. Please try again..." + fi +done + +function zfs_create_filesystems() { + # Create the ZFS file systems. This is unified across different boot config types: + zfs create rpool/local + zfs create -o mountpoint=legacy rpool/local/nix + zfs create rpool/local/transient + zfs create -o mountpoint=legacy rpool/local/transient/root + zfs snapshot rpool/local/transient/root@blank + zfs create rpool/state + zfs create -o mountpoint=legacy rpool/state/system + zfs create rpool/state/home +} + +read -rp "About to create ZFS file systems. Continue? (Y/(s)kip/(q)uit)" ZFS_CREATE_FS_INPUT +if [ "$ZFS_CREATE_FS_INPUT" == "q" ]; then + echo "Goodbye!" + exit 0 +elif [ "$ZFS_CREATE_FS_INPUT" == "s" ]; then + echo "Skipping file system creation." +else + echo "Creating ZFS file systems..." + zfs_create_filesystems +fi + +function fs_mount() { + # Mount the root file system, boot partition and state volumes: + mkdir -p /mnt + mount -t zfs rpool/local/transient/root /mnt + mkdir -p /mnt/boot0 /mnt/nix /mnt/etc /mnt/var/state + mount "/dev/$BOOT_PART_NODE" /mnt/boot0 + mount -t zfs rpool/local/nix /mnt/nix + mount -t zfs rpool/state/system /mnt/var/state + mkdir -p /mnt/var/state/nixos + ln -s ../var/state/nixos /mnt/etc/nixos +} + +read -rp "About to mount file systems. Continue? (Y/(s)kip/(q)uit)" FS_MOUNT_INPUT +if [ "$FS_MOUNT_INPUT" == "q" ]; then + echo "Goodbye!" + exit 0 +elif [ "$FS_MOUNT_INPUT" == "s" ]; then + echo "Not mounting file systems." +else + echo "Mounting file systems..." + fs_mount +fi + +HOSTNAME_CORRECT=0 +while [ $HOSTNAME_CORRECT -eq 0 ]; do + read -rp "Enter this machine's hostname: " MACHINE_HOSTNAME + echo "Got the hostname as \"$MACHINE_HOSTNAME\", creating configuration as \"$MACHINE_HOSTNAME.nix\"." + read -rp "Is this correct (y/N)? " HOSTNAME_CORRECT_INPUT + if [ "$HOSTNAME_CORRECT_INPUT" == "y" ]; then + HOSTNAME_CORRECT=1 + fi +done + +echo "--> Cloning the SNS cluster configuration to /mnt/etc/nixos and" +echo " creating a symlink for configuration.nix to machines/$MACHINE_HOSTNAME.nix" +git clone "$(readlink -f .)" /mnt/etc/nixos/ +pushd /mnt/etc/nixos +git remote set-url origin https://github.com/princeton-sns/cluster.git +git config user.name "Anonymous Tiger" +git config user.email "hostmaster@sns.cs.princeton.edu" +popd +ln -s "./machines/$MACHINE_HOSTNAME.nix" /mnt/etc/nixos/configuration.nix + +TEMPLATE_CORRECT=0 +while [ $TEMPLATE_CORRECT -eq 0 ]; do + echo "You can preprovision this machine with a cluster-config template." + echo "Which template would you like to use?" + for TMPL in ./templates/*; do + echo "- $(basename "$TMPL")" + done + read -rp "Enter a template filename or \"quit\" > " TEMPLATE_FILE + if [ "$TEMPLATE_FILE" == "quit" ]; then + echo "Goodbye!" + exit 0 + elif [ -f "./templates/$TEMPLATE_FILE" ]; then + TEMPLATE_CORRECT=1 + else + echo "Could not find template \"$TEMPLATE_FILE\", please try again." + fi +done + +TMPLSTR_NIXOS_VERSION="$(nixos-version | sed 's/^\([[:digit:]]\+\.[[:digit:]]\+\).*$/\1/')" +export TMPLSTR_NIXOS_VERSION + +TMPLSTR_HOST_ID="$(head -c8 < /etc/machine-id)" +export TMPLSTR_HOST_ID +TMPLSTR_HOSTNAME="$MACHINE_HOSTNAME" +export TMPLSTR_HOSTNAME +TMPLSTR_UPLINK_IFACE="$(ip -o route get 8.8.8.8 | sed 's/^.* dev \([[:alnum:]]\+\) .*$/\1/')" +export TMPLSTR_UPLINK_IFACE + +TMPLSTR_BOOT_DISK_NODE="/dev/$BOOT_DEV_NODE" +for NODE in /dev/disk/by-id/*; do + if [ "$(readlink -f "$NODE")" == "/dev/$BOOT_DEV_NODE" ]; then + echo "$NODE matches for bootdev!" + TMPLSTR_BOOT_DISK_NODE="$NODE" + fi +done +if [ "$TMPLSTR_BOOT_DISK_NODE" == "/dev/$BOOT_DEV_NODE" ]; then + echo "Warning: could not resolve the boot device node to a device id." + echo "This will still work, but might be brittle when disk letter assignments change." +fi +export TMPLSTR_BOOT_DISK_NODE + +TMPLSTR_BOOT_PART_UUID="" +for NODE in /dev/disk/by-uuid/*; do + if [ "$(readlink -f "$NODE")" == "/dev/$BOOT_PART_NODE" ]; then + TMPLSTR_BOOT_PART_UUID="$(basename "$NODE")" + fi +done +if [ "$TMPLSTR_BOOT_PART_UUID" == "" ]; then + echo "Failed to resolve boot partition to UUID!" + exit 1 +fi +export TMPLSTR_BOOT_PART_UUID + +TMPLSTR_NULLABLE_SWAP_PART_UUID="" +TMPLSTR_SWAP_PART_UUID_LIST="" +if [ "$SWAP_PART_NODE" != "" ]; then + for NODE in /dev/disk/by-uuid/*; do + if [ "$(readlink -f "$NODE")" == "/dev/$SWAP_PART_NODE" ]; then + TMPLSTR_NULLABLE_SWAP_PART_UUID="\"$(basename "$NODE")\"" + TMPLSTR_SWAP_PART_UUID_LIST="[ \"$(basename "$NODE")\" ]" + fi + done + if [ "$TMPLSTR_NULLABLE_SWAP_PART_UUID" == "" ]; then + echo "Failed to resolve boot partition to UUID!" + exit 1 + fi +else + TMPLSTR_NULLABLE_SWAP_PART_UUID="null" + TMPLSTR_SWAP_PART_UUID_LIST="[ ]" +fi +export TMPLSTR_NULLABLE_SWAP_PART_UUID +export TMPLSTR_SWAP_PART_UUID_LIST + +envsubst < "./templates/$TEMPLATE_FILE" > "/mnt/etc/nixos/machines/$MACHINE_HOSTNAME.nix" +echo "Templated /mnt/etc/nixos/machines/$MACHINE_HOSTNAME.nix. Goodbye!" diff --git a/sns-cluster-installer.nix b/sns-cluster-installer.nix new file mode 100644 index 0000000..f7ceb0c --- /dev/null +++ b/sns-cluster-installer.nix @@ -0,0 +1,169 @@ +{ installerTarget ? "isoImage", kexecRootSSHKey ? null }: + +let + nixpkgs = builtins.fetchGit { + url = "https://github.com/NixOS/nixpkgs"; + ref = "nixos-22.11"; + rev = "7dc71aef32e8faf065cb171700792cf8a65c152d"; + }; + + cleverca22NixTests = builtins.fetchGit { + url = "https://github.com/cleverca22/nix-tests"; + ref = "master"; + rev = "2ba968302208ff0c17d555317c11fd3f06e947e2"; + }; + + pkgs = import nixpkgs {}; + + snsClusterConfigGit = nixosVersion: + pkgs.stdenvNoCC.mkDerivation rec { + name = "sns-cluster-config"; + + src = ./.; + + nativeBuildInputs = with pkgs; [ makeWrapper ]; + buildInputs = with pkgs; [ + coreutils util-linux parted dosfstools zfs mount iproute2 gnused git + envsubst nixosVersion + ]; + + buildPhase = '' + echo "Checking whether there are any uncommitted changes or untracked files." + git update-index --refresh + git diff-index --quiet HEAD -- + test "$(git ls-files --exclude-standard --others | wc -l)" -lt 1 + + # Remove files ignored by git + git clean -dfX + ''; + + installPhase = '' + cp -rf ./ $out + ''; + + postFixup = '' + wrapProgram $out/sns-cluster-install.sh \ + --set PATH ${pkgs.lib.makeBinPath buildInputs} + ''; + }; + + isoImageSystemConfig = { modulesPath, ... }: { + imports = [ + # Add in the standard module for NixOS install media: + (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") + + # Provide an initial copy of the NixOS channel so that the user + # doesn't need to run "nix-channel --update" first. + (modulesPath + "/installer/cd-dvd/channel.nix") + ]; + }; + + netbootSystemConfig = { modulesPath, ... }: { + imports = [ + # Add in the standard module for NixOS install media: + (modulesPath + "/installer/netboot/netboot.nix") + + # Avoid bloating the installer: + (modulesPath + "/profiles/minimal.nix") + ]; + + # For now, we assume that this machine is netbooted through a + # Serial-on-Lan connection, so direct kernel output to the + # serial port. This also spawns a getty on ttyS0. + boot.kernelParams = [ + "console=ttyS0,115200" + ]; + }; + + kexecSystemConfig = { ... }: { + imports = [ + # Import cleverca22's kexec NixOS installer config + "${cleverca22NixTests}/kexec/configuration.nix" + ]; + + # Enable DHCP on all interfaces: + networking.useDHCP = true; + + kexec.autoReboot = false; + + users.users.root.openssh.authorizedKeys.keys = [ + kexecRootSSHKey + ]; + }; + + targetSystem = import "${nixpkgs}/nixos" { + configuration = { config, pkgs, lib, modulesPath, ... }: { + imports = ( + lib.optional + (installerTarget == "isoImage") + isoImageSystemConfig + ) ++ ( + lib.optional + (installerTarget == "netboot") + netbootSystemConfig + ) ++ ( + lib.optional + (installerTarget == "kexec_tarball") + kexecSystemConfig + ); + + # Configuration independent of targetFormat: + + # To ensure that we can actually use ZFS (and other potentially + # required file systems) to perform the installation: + boot.supportedFilesystems = [ + "zfs" "ext4" "vfat" "btrfs" + ]; + + # Required for ZFS: + networking.hostId = "01234567"; + + # Make a few useful utilities accessible: + environment.systemPackages = with pkgs; [ + vim tmux htop nload parted gptfdisk ipmitool + ]; + + boot.kernelParams = [ + "module_blacklist=md_mod" + ]; + + # Keep the "nixos" user generated by the imports of some of the + # installerTarget configurations, but auto-login as root. This + # is an installer, there's no harm in that. + services.getty.autologinUser = lib.mkForce "root"; + + system.activationScripts."symlink-sns-cluster-config-root" = let + nixosVersion = + lib.findSingle + (pkg: pkg.name == "nixos-version") + null null + config.environment.systemPackages; + nixosVersionFoundAssert = + lib.assertMsg + (nixosVersion != null) + "nixos-version not found in the target system's environment.systemPackages!"; + in '' + # DUMMY: ensure the nixos-version assertion is evaluated: + # ${builtins.toString nixosVersionFoundAssert} + ln -s ${snsClusterConfigGit nixosVersion} /root/sns-cluster-config + ''; + }; + }; + +in + if installerTarget == "netboot" then + # Build a top-level derivation which contains symlinks to the + # kernel, initial ramdisk and a special IPXE script which + # instructs the target host on how to load both these files. + (pkgs.linkFarm "nixos-netboot" [ { + name = "initrd"; + path = "${targetSystem.config.system.build.netbootRamdisk}/initrd"; + } { + name = "bzImage"; + path = "${targetSystem.config.system.build.kernel}/bzImage"; + } { + name = "netboot.ipxe"; + path = "${targetSystem.config.system.build.netbootIpxeScript}/netboot.ipxe"; + } ]) + else + targetSystem.config.system.build."${installerTarget}" diff --git a/sns-cluster/default.nix b/sns-cluster/default.nix new file mode 100644 index 0000000..3605ae0 --- /dev/null +++ b/sns-cluster/default.nix @@ -0,0 +1,343 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.sns-machine; + + zfsHomeUsers = + lib.filterAttrs (user: userCfg: + userCfg.snsZFSPersistHome) + config.users.users; + +in +{ + imports = [ + ./family-alpha.nix + ./family-beta.nix + ./family-gamma.nix + ./filesystems.nix + ]; + + # We use a patched version of the filesystems module, to be able to + # dynamically generate mountpoints based on user's home + # directories. For more info on this, see [1]. + # + # [1]: https://github.com/NixOS/nixpkgs/issues/24570. + disabledModules = [ + "tasks/filesystems.nix" + ]; + + options.users.users = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule ({ name, config, ... }: { + options = { + snsZFSPersistHome = lib.mkOption { + type = lib.types.bool; + default = name != "root" && config.isNormalUser; + }; + + # TODO: privacy concerns. Is there some way to protect this, but still + # force everyone to be reachable, and quickly be able to build a list of + # emails for a set of machines? + contactEmail = lib.mkOption { + # We allow null here, but have an assertion for non-null below. This + # allows us to generate a nicer error message. + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + })); + }; + + options.sns-machine = { + enable = lib.mkOption { + type = lib.types.bool; + }; + }; + + config = lib.mkIf cfg.enable ({ + assertions = [ (let + machineFamiliesEnabled = lib.attrNames ( + lib.filterAttrs (family: familyCfg: + familyCfg.enable) cfg.family); + in { + assertion = lib.length machineFamiliesEnabled <= 1; + message = "At most one machine family can be enabled at a time. " + + "Enabled families: ${ + lib.concatStringsSep ", " machineFamiliesEnabled}."; + }) (let + invalidHomeUsers = lib.attrNames ( + lib.filterAttrs (user: userCfg: + userCfg.home != "/home/${user}") + zfsHomeUsers); + in { + assertion = lib.length invalidHomeUsers == 0; + message = "Users with snsZFSPersistHome must have their home directory " + + "set to \"/home/$USER\". Check ${ + lib.concatStringsSep ", " invalidHomeUsers}"; + }) (let + noContactUsers = lib.attrNames ( + lib.filterAttrs (user: userCfg: + userCfg.isNormalUser && userCfg.contactEmail == null) + config.users.users); + in { + assertion = lib.length noContactUsers == 0; + message = "Users must have a valid contactEmail configured and be " + + "reachable at this address. Check ${ + lib.concatStringsSep ", " noContactUsers}."; + }) ]; + + # ---------- Misc System Configuration ------------------------------------- + # + # All services configured on these systems should take into account that + # state outside of dedicated ZFS volumes is not persisted across reboots. + # Store state in a directory in `/var/state` or a dedicated ZFS file system + # under `rpool/state/` (automatically included in backups). + + time.timeZone = "America/New_York"; + + # Provide a selection of generally useful packages by default: + environment.systemPackages = with pkgs; [ + vim wget bc htop iotop tmux gitAndTools.gitFull gitAndTools.git-annex + zip unzip nload mtr nmap sipcalc gnupg rclone pciutils usbutils + nix-prefetch-git ipmitool + + # TODO: move into environment for syncoid command + lzop mbuffer + ]; + + services.openssh = { + enable = true; + passwordAuthentication = false; + hostKeys = [ { + path = "/var/state/openssh-host-keys/ssh_host_ed25519_key"; + type = "ed25519"; + } { + path = "/var/state/openssh-host-keys/ssh_host_rsa_key"; + type = "rsa"; + bits = "4096"; + } ]; + }; + + system.activationScripts."ssh-ensure-host-keys-dir" = '' + mkdir -p /var/state/openssh-host-keys + chmod 700 /var/state/openssh-host-keys + ''; + + # Operator SSH keys: + users.users.root.openssh.authorizedKeys.keys = [ + # alevy + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0UMDPmdytTJ2J1y/FsvReZRFTl7WA2HB0GVMWyUP5R" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBbxJcPHPkhNwCuoa0wJvK4WHT/GVX7g3JjJFTZvXSc6eDgSr6r1oynlNO5jlr68AVAWxbkckfw6TAtdfuCxcrZQe+xMJ0UWmstR5Ed7poAbkU6uSrA8nLI0tl3Swuc87wq/qpX8nkEJR5oAGzNp0ZPTH7kshx3ZE/2n3XXLuyaYme68YhKk3MiVU8jz5J9NUeH4zeTdHKFMnydy4ORg+pVc/8esauQyiITk/SDRXIO56DEnpZQGu96gHVBDwtx8GxbnmEnumKsxiOR3aXbGFVF1FhlDyUKQKqm28GBJyByRiQuDVI06+ZhCLzrq3wiPbtxmctdBcVLP2KpqPYQPWZ" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCReHVoVeXfqK8bbIcotwhUBrt7u2T6IQNKMysmJF42" + + # leons (smartcards only) + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9XgOJNVpO00+p04GwoL0viFco4p24PrsPzvsCOiAETJ6ttYiOFjYrpjQvNLsDse0PcW+duhtjyyp+Y7JZaOTeG6FX1Y8j6gDCUML58f4NlKtnWzfMftYkVO8QeYzdjJhG3J2zBXuqMmen7elVgZouvM/H47X620q7BssTTS1YIVnXxNn5jip8UbSJ1073MnUuTjSGrmS9yyLQx4Ka9/u6zzPDASw6OWXyzoXkWVpU5VzAqYk8Ob9C+lFQw5LMERsQBADoNB+kg/m+OoKS7XXu9+WFdTKsqhy7/c6hijRPaNsP/JRfsxEyjF+Y8LyokU2OXq0MWM0xZrt8O3/DsXAKqyIrGCVPQX+eeXvqP8LusFm2CDe8zoUeyLXvBdZX6Xxyy00OHHQRsuIbBYCJOUMbmDwIcEaC4DELjcNFZXJQYhj2hvB2sQvTMjnS58FDkD+IgVTTlTTzkEiDwbIV6lHbSqzA6AvZtZXd1+rQ4wFIT0clQhAGpBWKN+8Cotl51yC+P+nbU9xlCXM17Q3Pev2sjZFx1VU3oa5SEzEv74aWhUDCaATun/ebi/1Scm3ekOsiPVHuUBm9a2GUMYIuAOTL6W9AM2zZJ8xWkJw5Rj1eQnIDwD9izCRR1gJXlkTYwLn6ZnLawX6FS6Vvj5NV8mjjU4xlhnwaWF0b/Jmm3E966w== cardno:9 040 274" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGtanFKH41B3/4piGmhl82gh0AsGACkDV85vUcWHJhrY8AkrVSphnrpL62gY7R6/Rx3AZ+6A+GYoICJa/V4qWUkKryOavZ9xe164JeFtFFN/CrDsIWCLdMyvQ5JO0zc5QmUCRX/UfRzjRzf+y6QdnIoNw5tV2E0zQj9g68I7uNEuuYNmQLg2EyoOE0qtxFTMBEcRzocvVx2QoErDOWD17fDhjc1kR7D7lMVI8jIqRFEQQO3ke6YTXkJAVtjjELqcnSERq58qDKZm9HuYtiUe8cgiBe1UdD8lHTwAGbEE1mSV0IsAOxEoo1BkjBhrYqUxPwfObZwt6TkTF/tbuZkU+m4RU09j2FqliXe66cpDeyAs/C88QObsrqCHb3JJa1GtAp8JSeiELadYYKgiVJibVpb8mBksRxeCruk1Jr9DeAmKVeF/tTect9YALD8qTQNnsyBh0r7HMxyBEze5O6RAV2rnjWHxYIj9oBj8V/q+cykEUXfc4M8rHn/dt72h/LcL3jaYvQwecJjOCW2xW2/sGWkhJ7ittPV7aeOcL9TqG6mggukBjgM/TtPFxsjduxNZ2YSUgVHdmaRsfyDDMfXtdjfCdRcCxslRwQTgl8X2Kb5M0CsQSmWas7vb6JhBLyDPYWWJyxSzb98P3flq9qZjQlVaAiP6asYLDSoKMDYoY7Rw== cardno:0005 00007D5B" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjLuM7C6emv+xAFYnXA+mSUKmMEmKDM0A6WzZ0HliFb cardno:23 559 180" + ]; + + # Mutable user state is not persisted. + users.mutableUsers = false; + + # --> Either one of the following must be set: + + # Set a hashed root password: + users.users.root.initialHashedPassword = + "$6$zXOHOCP4zSZWJQgY$6vFWG3SOSzZf88aTuOeZ5mz1ep0XB.PFy9Hw66rlm58BIvtr6lLv4Q2rq.72loPJc1f6PCEHUqJ.1ZFX.Fjro1"; + users.users.root.hashedPassword = + config.users.users.root.initialHashedPassword; + + # Don't set a root password requires setting the `allowNoPasswordLogin` + # option. It is named rather unfortunate: it does not mean that a user can + # login to the system without a password, but rather that we allow NixOS to + # build a system configuration where no user has a password set. We use + # password-less SUDO and SSH keys, so this is not an issue in our case. + # users.allowNoPasswordLogin = true; + + # Enable the firewall (OpenSSH is always automatically allowed): + networking.firewall.enable = true; + + # Save energy when system idling: + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + + # ---------- Bootloader Configuration -------------------------------------- + + # Provide an iPXE shell as an "escape" hatch to load a NixOS installer: + boot.loader.grub.ipxe.shell = '' + #!ipxe + shell + ''; + + # Configure iPXE to expose its console on the SOL port: + boot.loader.grub.extraFiles."ipxe.lkrn" = lib.mkForce + "${pkgs.ipxe.overrideAttrs (_: { + preConfigure = '' + sed -i 's|^//\(#define.*CONSOLE_SERIAL\)|\1|g' src/config/console.h + ''; + })}/ipxe.lkrn"; + + # ---------- ZFS Transient Root File System Support ------------------------ + + boot.initrd.postDeviceCommands = '' + # Just to make sure the device is up. TODO: check to see whether there is + # a more reliable way to do this. + sleep 5 + + # Don't allow these commands to fail the boot process. If these fail, + # there's a chance that importing the pool & not rolling back will + # still work in the later stages of the boot process. + zpool import -f rpool || true + zfs rollback rpool/local/transient/root@blank || true + ''; + + # The patched filesystems.nix module no longer populates + # `boot.supportedFilesystems` from `config.fileSystems` due to a circular + # dependency on `users.users`. Set it manually: + boot.supportedFilesystems = [ + "zfs" "vfat" + ]; + + fileSystems = { + "/" = { + device = "rpool/local/transient/root"; + fsType = "zfs"; + }; + + "/nix" = { + device = "rpool/local/nix"; + fsType = "zfs"; + }; + + "/var/state" = { + device = "rpool/state/system"; + fsType = "zfs"; + }; + } // ( + # Automatically generate mount points for user ZFS home directories: + lib.mapAttrs' (user: userCfg: + lib.nameValuePair userCfg.home { + device = "rpool/state/home/${user}"; + fsType = "zfs"; + }) + zfsHomeUsers + ); + + # Export the active ZFS home file systems, such that the backup service can + # read this file and retire homes accordingly. + system.extraSystemBuilderCmds = '' + ln -s ${ + pkgs.writeText "active-zfs-homes.txt" ( + lib.concatStringsSep "\n" ( + builtins.map (user: + "rpool/state/home/${user}") + (lib.attrNames zfsHomeUsers))) + } $out/active-zfs-homes + ''; + + # Create a ZFS home directory automatically, if + # `users.users..snsZFSPersistHome` is set. This will be automatically + # included in backups, and removed by the backup machine once the user is no + # longer present (although still included in backups). + system.activationScripts."zfs-create-homes" = + lib.concatStringsSep "\n\n" ( + builtins.map (user: '' + if ZFS_HOME_CREATE=`${pkgs.zfs}/bin/zfs create -o mountpoint=legacy rpool/state/home/${user} 2>&1`; then + echo 'Created ZFS file system for "${user}" home directory.' + else + if echo "$ZFS_HOME_CREATE" | grep "dataset already exists" 2>&1 >/dev/null; then + echo 'Reusing existing ZFS file system for "${user}" home directory.' + else + echo 'Unknown error occured while creating ZFS file system for "${user}" home directory:' + echo "$ZFS_HOME_CREATE" + fi + fi + '') (lib.attrNames zfsHomeUsers)); + + # Persist the NixOS configuration. + environment.etc.nixos = { + source = "/var/state/nixos"; + }; + + # ---------- Syncoid ZFS Pull-based Backups -------------------------------- + + users.users.backup-ssh = let + # This uses a slightly patched version of the `only` script [1], + # to limit the commands that can be run on this user with the + # backup SSH key. For further documentation on how `only` works, + # see [1]. + # + # The ZFS commands are run in a user context. This requires + # giving this user the appropriate permissions on the allowed + # data sets, for example: + # + # zfs allow backup-ssh bookmark,hold,send,snapshot,mount,destroy rpool/state + # + # [1]: https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ + zpoolPattern = ''[[:alnum:]_\-]\+''; + zfsPattern = ''[[:alnum:]\/_\-]\+''; + snapNamePattern = ''[[:alnum:]_\:\-]\+''; + snapPattern = "'${zfsPattern}\\(@\\|'@'\\)${snapNamePattern}'"; + onlyrules = pkgs.writeText "backup-ssh-onlyrules" '' + \:^echo -n$:{p;q} + \:^cat /run/current-system/active-zfs-homes$:{p;q} + \:^exit$:{p;q} + \:^zpool get -o value -H feature@[[:alnum:]_]\+ '${zpoolPattern}'$:{p;q} + \:^zfs list -o name,origin -t filesystem,volume -Hr '${zfsPattern}'$:{p;q} + \:^zfs get -H syncoid\:sync '${zfsPattern}'$:{p;q} + \:^zfs get -Hpd 1 -t snapshot guid,creation '${zfsPattern}'$:{p;q} + \:^zfs snapshot '${zfsPattern}'@${snapNamePattern}$:{p;q} + \:^zfs send\( -nvP\)\?\( -I ${snapPattern}\)\? ${snapPattern}\( | lzop | mbuffer -q -s 128k -m 16M 2>/dev/null\)\?$:{p;q} + \:^zfs destroy -r 'rpool/state/home/${zfsPattern}'$:{p;q} + ''; + # onlyrules = pkgs.writeText "backup-ssh-onlyrules" (builtins.readFile ./onlyrules.example); + onlyrc = pkgs.writeText "backup-ssh-onlyrc" '' + show_allowed + show_denied + ''; + patchedOnly = + pkgs.writeScript "backup-ssh-only" ( + builtins.replaceStrings + [ "LOGGER=logger" "SED=sed" "WHICH=which" + "RULES=~/.onlyrules" "RCFILE=~/.onlyrc" ] + [ "LOGGER=${pkgs.logger}/bin/logger" "SED=${pkgs.gnused}/bin/sed" + "WHICH=${pkgs.which}/bin/which" "RULES=${onlyrules}" + "RCFILE=${onlyrc}" ] + (builtins.readFile ./only)); + in { + isSystemUser = true; + group = "backup-ssh"; + shell = pkgs.bash; + openssh.authorizedKeys.keys = [ + ("command=\"${patchedOnly} echo cat exit zfs zpool\" " + + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNcB6840dOUw3h8ckWvDarndt14SGO3eCsmAC3zkYUN sns-cluster-zfs-backups") + ]; + }; + + users.groups.backup-ssh = {}; + + system.activationScripts."backup-ssh-zfs-permissions" = { + deps = [ "users" "groups" ]; + text = '' + ${pkgs.zfs}/bin/zfs allow backup-ssh bookmark,hold,send,snapshot,mount,destroy rpool/state + ''; + }; + + # ---------- Monitoring ---------------------------------------------------- + + services.prometheus.exporters.node = { + enable = true; + enabledCollectors = [ + # Disabled by default, this is interesting to diagnose performance + # bottlenecks caused by e.g., network activity: + "interrupts" + ]; + openFirewall = false; + listenAddress = "0.0.0.0"; + }; + + # Add rule to the firewall to give SNS26 access to the node exporter: + networking.firewall.extraCommands = '' + iptables -A INPUT -p tcp -s 128.112.7.126 --dport ${ + toString config.services.prometheus.exporters.node.port} -j ACCEPT + ''; + }); +} diff --git a/sns-cluster/family-alpha.nix b/sns-cluster/family-alpha.nix new file mode 100644 index 0000000..36a2ff7 --- /dev/null +++ b/sns-cluster/family-alpha.nix @@ -0,0 +1,68 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.sns-machine.family.alpha; + +in +{ + options.sns-machine.family.alpha = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + bootDiskNode = lib.mkOption { + type = lib.types.str; + }; + + bootPartUUID = lib.mkOption { + type = lib.types.str; + }; + + swapPartUUID = lib.mkOption { + type = lib.types.str; + }; + }; + + config = lib.mkIf (config.sns-machine.enable && cfg.enable) ({ + hardware = { + enableRedistributableFirmware = true; + # TODO: microcode updates? + }; + + boot = { + loader.grub = { + enable = true; + version = 2; + mirroredBoots = [ { + devices = [ cfg.bootDiskNode ]; + path = "/boot0"; + } ]; + device = cfg.bootDiskNode; + # TODO: SOL serial port & baudrate? + # extraConfig = '' + # serial --unit=0 --speed=115200 + # terminal_input serial console + # terminal_output serial console + # ''; + }; + + initrd.availableKernelModules = [ + "ohci_pci" "ehci_pci" "pata_amd" "sata_nv" "usbhid" "sd_mod" + ]; + kernelModules = [ "kvm-amd" ]; + + # TODO: SOL serial port & baudrate? + # kernelParams = [ "console=ttyS0,115200" ]; + }; + + fileSystems."/boot0" = { + device = "/dev/disk/by-uuid/${cfg.bootPartUUID}"; + fsType = "vfat"; + }; + + swapDevices = [ { + device = "/dev/disk/by-uuid/${cfg.swapPartUUID}"; + } ]; + }); +} diff --git a/sns-cluster/family-beta.nix b/sns-cluster/family-beta.nix new file mode 100644 index 0000000..2a75c06 --- /dev/null +++ b/sns-cluster/family-beta.nix @@ -0,0 +1,77 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.sns-machine.family.beta; + +in +{ + options.sns-machine.family.beta = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + bootDisks = lib.mkOption {}; + + swapPartUUIDs = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + }; + + config = lib.mkIf (config.sns-machine.enable && cfg.enable) (let + + enumeratedBootDisks = + lib.imap0 (i: bootDiskCfg: + bootDiskCfg // { idx = i; mountpoint = "/boot${toString i}"; } + ) (builtins.sort (a: b: + # Ensure that the boot devices have a consistent order, based + # on their UUIDs. We match the disks to mountpoints below, and + # don't want Grub to get confused. + builtins.lessThan a.partUUID b.partUUID) cfg.bootDisks); + + in + { + hardware = { + enableRedistributableFirmware = true; + cpu.intel.updateMicrocode = true; + }; + + boot = { + loader.grub = { + enable = true; + version = 2; + mirroredBoots = + builtins.map (bootDiskCfg: { + devices = [ bootDiskCfg.diskNode ]; + path = bootDiskCfg.mountpoint; + }) enumeratedBootDisks; + extraConfig = '' + serial --unit=0 --speed=115200 + terminal_input serial console + terminal_output serial console + ''; + }; + + initrd.availableKernelModules = [ + "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" + ]; + kernelModules = [ "kvm-intel" ]; + kernelParams = [ "console=ttyS0,115200" ]; + }; + + fileSystems = + builtins.listToAttrs ( + builtins.map (bootDiskCfg: + lib.nameValuePair bootDiskCfg.mountpoint { + device = "/dev/disk/by-uuid/${bootDiskCfg.partUUID}"; + fsType = "vfat"; + } + ) enumeratedBootDisks + ); + + swapDevices = + builtins.map (partUUID: { + device = "/dev/disk/by-uuid/${partUUID}"; }) + cfg.swapPartUUIDs; + }); +} diff --git a/sns-cluster/family-gamma.nix b/sns-cluster/family-gamma.nix new file mode 100644 index 0000000..df93b0c --- /dev/null +++ b/sns-cluster/family-gamma.nix @@ -0,0 +1,59 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.sns-machine.family.gamma; + +in +{ + options.sns-machine.family.gamma = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + bootDiskNode = lib.mkOption { + type = lib.types.str; + }; + + bootPartUUID = lib.mkOption { + type = lib.types.str; + }; + + swapPartUUID = lib.mkOption { + type = lib.types.str; + }; + }; + + config = lib.mkIf (config.sns-machine.enable && cfg.enable) ({ + hardware = { + enableRedistributableFirmware = true; + cpu.intel.updateMicrocode = true; + }; + + boot.loader.grub = { + enable = true; + version = 2; + mirroredBoots = [ { + devices = [ cfg.bootDiskNode ]; + path = "/boot0"; + } ]; + }; + + boot = { + initrd.availableKernelModules = [ + "ehci_pci" "ahci" "isci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" + "sr_mod" + ]; + kernelModules = [ "kvm-intel" ]; + }; + + fileSystems."/boot0" = { + device = "/dev/disk/by-uuid/${cfg.bootPartUUID}"; + fsType = "vfat"; + }; + + swapDevices = [ { + device = "/dev/disk/by-uuid/${cfg.swapPartUUID}"; + } ]; + }); +} diff --git a/sns-cluster/filesystems.nix b/sns-cluster/filesystems.nix new file mode 100644 index 0000000..b353144 --- /dev/null +++ b/sns-cluster/filesystems.nix @@ -0,0 +1,434 @@ +# Vendored from https://github.com/NixOS/nixpkgs/, file +# nixos/modules/tasks/filesystems.nix, revision c021df579277 +# +# Licensed under the MIT license, see +# https://github.com/NixOS/nixpkgs/blob/c021df579277/COPYING + +{ config, lib, pkgs, utils, ... }: + +with lib; +with utils; + +let + + addCheckDesc = desc: elemType: check: types.addCheck elemType check + // { description = "${elemType.description} (with check: ${desc})"; }; + + isNonEmpty = s: (builtins.match "[ \t\n]*" s) == null; + nonEmptyStr = addCheckDesc "non-empty" types.str isNonEmpty; + + fileSystems' = toposort fsBefore (attrValues config.fileSystems); + + fileSystems = if fileSystems' ? result + then # use topologically sorted fileSystems everywhere + fileSystems'.result + else # the assertion below will catch this, + # but we fall back to the original order + # anyway so that other modules could check + # their assertions too + (attrValues config.fileSystems); + + specialFSTypes = [ "proc" "sysfs" "tmpfs" "ramfs" "devtmpfs" "devpts" ]; + + nonEmptyWithoutTrailingSlash = addCheckDesc "non-empty without trailing slash" types.str + (s: isNonEmpty s && (builtins.match ".+/" s) == null); + + coreFileSystemOpts = { name, config, ... }: { + + options = { + mountPoint = mkOption { + example = "/mnt/usb"; + type = nonEmptyWithoutTrailingSlash; + description = lib.mdDoc "Location of the mounted the file system."; + }; + + device = mkOption { + default = null; + example = "/dev/sda"; + type = types.nullOr nonEmptyStr; + description = lib.mdDoc "Location of the device."; + }; + + fsType = mkOption { + default = "auto"; + example = "ext3"; + type = nonEmptyStr; + description = lib.mdDoc "Type of the file system."; + }; + + options = mkOption { + default = [ "defaults" ]; + example = [ "data=journal" ]; + description = lib.mdDoc "Options used to mount the file system."; + type = types.listOf nonEmptyStr; + }; + + depends = mkOption { + default = [ ]; + example = [ "/persist" ]; + type = types.listOf nonEmptyWithoutTrailingSlash; + description = lib.mdDoc '' + List of paths that should be mounted before this one. This filesystem's + {option}`device` and {option}`mountPoint` are always + checked and do not need to be included explicitly. If a path is added + to this list, any other filesystem whose mount point is a parent of + the path will be mounted before this filesystem. The paths do not need + to actually be the {option}`mountPoint` of some other filesystem. + ''; + }; + + }; + + config = { + mountPoint = mkDefault name; + device = mkIf (elem config.fsType specialFSTypes) (mkDefault config.fsType); + }; + + }; + + fileSystemOpts = { config, ... }: { + + options = { + + label = mkOption { + default = null; + example = "root-partition"; + type = types.nullOr nonEmptyStr; + description = lib.mdDoc "Label of the device (if any)."; + }; + + autoFormat = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If the device does not currently contain a filesystem (as + determined by {command}`blkid`, then automatically + format it with the filesystem type specified in + {option}`fsType`. Use with caution. + ''; + }; + + formatOptions = mkOption { + default = ""; + type = types.str; + description = lib.mdDoc '' + If {option}`autoFormat` option is set specifies + extra options passed to mkfs. + ''; + }; + + autoResize = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If set, the filesystem is grown to its maximum size before + being mounted. (This is typically the size of the containing + partition.) This is currently only supported for ext2/3/4 + filesystems that are mounted during early boot. + ''; + }; + + noCheck = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Disable running fsck on this filesystem."; + }; + + }; + + config = let + defaultFormatOptions = + # -F needed to allow bare block device without partitions + if (builtins.substring 0 3 config.fsType) == "ext" then "-F" + # -q needed for non-interactive operations + else if config.fsType == "jfs" then "-q" + # (same here) + else if config.fsType == "reiserfs" then "-q" + else null; + in { + options = mkIf config.autoResize [ "x-nixos.autoresize" ]; + formatOptions = mkIf (defaultFormatOptions != null) (mkDefault defaultFormatOptions); + }; + + }; + + # Makes sequence of `specialMount device mountPoint options fsType` commands. + # `systemMount` should be defined in the sourcing script. + makeSpecialMounts = mounts: + pkgs.writeText "mounts.sh" (concatMapStringsSep "\n" (mount: '' + specialMount "${mount.device}" "${mount.mountPoint}" "${concatStringsSep "," mount.options}" "${mount.fsType}" + '') mounts); + + makeFstabEntries = + let + fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "nfs4" "vboxsf" "glusterfs" "apfs" "9p" "cifs" "prl_fs" "vmhgfs" ]; + isBindMount = fs: builtins.elem "bind" fs.options; + skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck || isBindMount fs; + # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces + escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string; + in fstabFileSystems: { rootPrefix ? "", excludeChecks ? false, extraOpts ? (fs: []) }: concatMapStrings (fs: + (optionalString (isBindMount fs) (escape rootPrefix)) + + (if fs.device != null then escape fs.device + else if fs.label != null then "/dev/disk/by-label/${escape fs.label}" + else throw "No device specified for mount point ‘${fs.mountPoint}’.") + + " " + escape (rootPrefix + fs.mountPoint) + + " " + fs.fsType + + " " + escape (builtins.concatStringsSep "," (fs.options ++ (extraOpts fs))) + + " " + (optionalString (!excludeChecks) + ("0 " + (if skipCheck fs then "0" else if fs.mountPoint == "/" then "1" else "2"))) + + "\n" + ) fstabFileSystems; + + initrdFstab = pkgs.writeText "initrd-fstab" (makeFstabEntries (filter utils.fsNeededForBoot fileSystems) { + rootPrefix = "/sysroot"; + excludeChecks = true; + extraOpts = fs: + (optional fs.autoResize "x-systemd.growfs") + ++ (optional fs.autoFormat "x-systemd.makefs"); + }); + +in + +{ + + ###### interface + + options = { + + fileSystems = mkOption { + default = {}; + example = literalExpression '' + { + "/".device = "/dev/hda1"; + "/data" = { + device = "/dev/hda2"; + fsType = "ext3"; + options = [ "data=journal" ]; + }; + "/bigdisk".label = "bigdisk"; + } + ''; + type = types.attrsOf (types.submodule [coreFileSystemOpts fileSystemOpts]); + description = lib.mdDoc '' + The file systems to be mounted. It must include an entry for + the root directory (`mountPoint = "/"`). Each + entry in the list is an attribute set with the following fields: + `mountPoint`, `device`, + `fsType` (a file system type recognised by + {command}`mount`; defaults to + `"auto"`), and `options` + (the mount options passed to {command}`mount` using the + {option}`-o` flag; defaults to `[ "defaults" ]`). + + Instead of specifying `device`, you can also + specify a volume label (`label`) for file + systems that support it, such as ext2/ext3 (see {command}`mke2fs -L`). + ''; + }; + + system.fsPackages = mkOption { + internal = true; + default = [ ]; + description = lib.mdDoc "Packages supplying file system mounters and checkers."; + }; + + boot.supportedFilesystems = mkOption { + default = [ ]; + example = [ "btrfs" ]; + type = types.listOf types.str; + description = lib.mdDoc "Names of supported filesystem types."; + }; + + boot.specialFileSystems = mkOption { + default = {}; + type = types.attrsOf (types.submodule coreFileSystemOpts); + internal = true; + description = lib.mdDoc '' + Special filesystems that are mounted very early during boot. + ''; + }; + + boot.devSize = mkOption { + default = "5%"; + example = "32m"; + type = types.str; + description = lib.mdDoc '' + Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, + for the accepted syntax. + ''; + }; + + boot.devShmSize = mkOption { + default = "50%"; + example = "256m"; + type = types.str; + description = lib.mdDoc '' + Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, + for the accepted syntax. + ''; + }; + + boot.runSize = mkOption { + default = "25%"; + example = "256m"; + type = types.str; + description = lib.mdDoc '' + Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, + for the accepted syntax. + ''; + }; + }; + + + ###### implementation + + config = { + + assertions = let + ls = sep: concatMapStringsSep sep (x: x.mountPoint); + notAutoResizable = fs: fs.autoResize && !(hasPrefix "ext" fs.fsType || fs.fsType == "f2fs"); + in [ + { assertion = ! (fileSystems' ? cycle); + message = "The ‘fileSystems’ option can't be topologically sorted: mountpoint dependency path ${ls " -> " fileSystems'.cycle} loops to ${ls ", " fileSystems'.loops}"; + } + { assertion = ! (any notAutoResizable fileSystems); + message = let + fs = head (filter notAutoResizable fileSystems); + in + "Mountpoint '${fs.mountPoint}': 'autoResize = true' is not supported for 'fsType = \"${fs.fsType}\"':${if fs.fsType == "auto" then " fsType has to be explicitly set and" else ""} only the ext filesystems and f2fs support it."; + } + ]; + + # Export for use in other modules + system.build.fileSystems = fileSystems; + system.build.earlyMountScript = makeSpecialMounts (toposort fsBefore (attrValues config.boot.specialFileSystems)).result; + + # boot.supportedFilesystems = map (fs: fs.fsType) fileSystems; + + # Add the mount helpers to the system path so that `mount' can find them. + system.fsPackages = [ pkgs.dosfstools ]; + + environment.systemPackages = with pkgs; [ fuse3 fuse ] ++ config.system.fsPackages; + + environment.etc.fstab.text = + let + swapOptions = sw: concatStringsSep "," ( + sw.options + ++ optional (sw.priority != null) "pri=${toString sw.priority}" + ++ optional (sw.discardPolicy != null) "discard${optionalString (sw.discardPolicy != "both") "=${toString sw.discardPolicy}"}" + ); + in '' + # This is a generated file. Do not edit! + # + # To make changes, edit the fileSystems and swapDevices NixOS options + # in your /etc/nixos/configuration.nix file. + # + # + + # Filesystems. + ${makeFstabEntries fileSystems {}} + + # Swap devices. + ${flip concatMapStrings config.swapDevices (sw: + "${sw.realDevice} none swap ${swapOptions sw}\n" + )} + ''; + + boot.initrd.systemd.contents."/etc/fstab".source = initrdFstab; + + # Provide a target that pulls in all filesystems. + systemd.targets.fs = + { description = "All File Systems"; + wants = [ "local-fs.target" "remote-fs.target" ]; + }; + + systemd.services = + + # Emit systemd services to format requested filesystems. + let + formatDevice = fs: + let + mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount"; + device' = escapeSystemdPath fs.device; + device'' = "${device'}.device"; + in nameValuePair "mkfs-${device'}" + { description = "Initialisation of Filesystem ${fs.device}"; + wantedBy = [ mountPoint' ]; + before = [ mountPoint' "systemd-fsck@${device'}.service" ]; + requires = [ device'' ]; + after = [ device'' ]; + path = [ pkgs.util-linux ] ++ config.system.fsPackages; + script = + '' + if ! [ -e "${fs.device}" ]; then exit 1; fi + # FIXME: this is scary. The test could be more robust. + type=$(blkid -p -s TYPE -o value "${fs.device}" || true) + if [ -z "$type" ]; then + echo "creating ${fs.fsType} filesystem on ${fs.device}..." + mkfs.${fs.fsType} ${fs.formatOptions} "${fs.device}" + fi + ''; + unitConfig.RequiresMountsFor = [ "${dirOf fs.device}" ]; + unitConfig.DefaultDependencies = false; # needed to prevent a cycle + serviceConfig.Type = "oneshot"; + }; + in listToAttrs (map formatDevice (filter (fs: fs.autoFormat && !(utils.fsNeededForBoot fs)) fileSystems)) // { + # Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore. + # This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then. + "mount-pstore" = { + serviceConfig = { + Type = "oneshot"; + # skip on kernels without the pstore module + ExecCondition = "${pkgs.kmod}/bin/modprobe -b pstore"; + ExecStart = pkgs.writeShellScript "mount-pstore.sh" '' + set -eu + # if the pstore module is builtin it will have mounted the persistent store automatically. it may also be already mounted for other reasons. + ${pkgs.util-linux}/bin/mountpoint -q /sys/fs/pstore || ${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore + # wait up to 1.5 seconds for the backend to be registered and the files to appear. a systemd path unit cannot detect this happening; and succeeding after a restart would not start dependent units. + TRIES=15 + while [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do + if (( $TRIES )); then + sleep 0.1 + TRIES=$((TRIES-1)) + else + echo "Persistent Storage backend was not registered in time." >&2 + break + fi + done + ''; + RemainAfterExit = true; + }; + unitConfig = { + ConditionVirtualization = "!container"; + DefaultDependencies = false; # needed to prevent a cycle + }; + before = [ "systemd-pstore.service" ]; + wantedBy = [ "systemd-pstore.service" ]; + }; + }; + + systemd.tmpfiles.rules = [ + "d /run/keys 0750 root ${toString config.ids.gids.keys}" + "z /run/keys 0750 root ${toString config.ids.gids.keys}" + ]; + + # Sync mount options with systemd's src/core/mount-setup.c: mount_table. + boot.specialFileSystems = { + "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; }; + "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; }; + "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; }; + "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; }; + "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; }; + + # To hold secrets that shouldn't be written to disk + "/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" ]; }; + } // optionalAttrs (!config.boot.isContainer) { + # systemd-nspawn populates /sys by itself, and remounting it causes all + # kinds of weird issues (most noticeably, waiting for host disk device + # nodes). + "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; }; + }; + + }; + +} diff --git a/sns-cluster/only b/sns-cluster/only new file mode 100644 index 0000000..f122d17 --- /dev/null +++ b/sns-cluster/only @@ -0,0 +1,145 @@ +#!/bin/sh +# leg20170302: CC0, Public Domain +# +# 'only' is a utility to be run via ssh as a 'command' specified for a +# public key in the `authorized_keys` file. It checks if the command +# in SSH_ORIGINAL_COMMAND is listed as one of the parameters specified +# on 'only's commandline and runs it if the command line arguments in +# SSH_ORIGINAL_COMMAND are allowed by the rules found in the rule file +# ~/.onlyrules. 'only' refuses to run commands if the rule file does +# not exist. +# +# You can enable command line substitution by creating a ~/.onlyrc +# file with the token 'enable_command_line_substitution' on a single +# line. This is not encouraged for security reasons. +# +# ~/.onlyrc also allows to enable gradually more verbosity for denied +# commands. Since this leaks information to an attacker it is also +# not recomended. The configuration details are explained in the +# example .onlyrc file. +# +# The following example `authorized_keys` line shows how to allow to +# run the commands ls, who. +# +# command="only ls who",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAA... +# +# A sample ~/.configrules file which locks down the commands to not +# allow any commandline parameters would look like this: +# +# \:^ls$:{p;q} +# \:^who$:{p;q} +# +# If the allowed command is specified with an absolute path, the +# requested command must be specified with exactly the same path. +# +# command="only /bin/ls" +# +# Otherwise, if the requested command is specified with an absolute +# path it is only executed if it is on the users PATH, so we single +# out requests outside of the PATH - which you might restrict to +# something secure. +# +# There is a subtle difference between normal mode and command line +# substitution mode. In normal mode the *original* command is run, so +# if you have e.g. `/bin/cmd` and `/usr/bin/cmd` and your PATH is: +# `/bin:/usr/bin` you can select to run on or the other by specifying +# the absolute path. In substitution mode either the first command on +# the path is run (`/bin/cmd` in our example) or you must specify the +# absolute path in the allowed commands and adapte ~/onlyrules +# accordingly. +# +# Command execution and denial is logged to the auth logging facility. +# +# Requirements: which (1), sed(1) and logger(1) + +LOGGER=logger +SED=sed +WHICH=which +# +RULES=~/.onlyrules +RCFILE=~/.onlyrc + +# check if rule file exit +if [ ! -f $RULES ]; then + $LOGGER -p auth.warn -- no rules file $USER: $SSH_ORIGINAL_COMMAND + exit 1 +fi + +# check if command substitution is allowed +if [ -f $RCFILE ]; then + SUBST="$($SED -ne '/^enable_command_line_substitution$/p' $RCFILE)" +fi + +# Test $SSH_ORIGINAL_COMMAND line against the rules file. If it +# passes run it, else deny. +# The rule is selected via the $1 argument. +try () { + allowed="$1" + # strip off the command itself + set -- $SSH_ORIGINAL_COMMAND + original="$1" + shift + # + CMD=$(echo "$allowed" $@ | $SED -nf $RULES) + [ -z "$CMD" ] && deny + if [ -n "$SUBST" ]; then + set -- $CMD + else + set -- $SSH_ORIGINAL_COMMAND + fi + $LOGGER -p auth.info -- running $USER: $@ + eval "$@" + exit $? +} + +# Deny the requested command more or less verbosely. +deny () { + $LOGGER -p auth.warn -- denied $USER: $SSH_ORIGINAL_COMMAND + if [ -f $RCFILE ]; then + if [ -n "$($SED -ne '/^show_terse_denied/p' $RCFILE)" ]; then + echo denied >&2 + else + if [ -n "$($SED -ne '/^show_denied/p' $RCFILE)" ]; then + echo denied: $SSH_ORIGINAL_COMMAND >&2 + fi + if [ -n "$($SED -ne '/^show_allowed/p' $RCFILE)" ]; then + echo allowed: $ALLOWED_COMMANDS + fi + if [ -n "$($SED -ne '/^help_text/p' $RCFILE)" ]; then + $SED -e '1,/^help_text/d' $RCFILE + fi + fi + fi + exit 1 +} + +# main +ALLOWED_COMMANDS="$@" +set -- $SSH_ORIGINAL_COMMAND +for allowed in $ALLOWED_COMMANDS; do + # If allowed starts with / we want exact match + if [ x"${allowed%%/*}" = x ]; then + if [ x"$allowed" = x"$1" ]; then + try $allowed + else + continue + fi + fi + + # if original command starts with slash, we check if it is + # in the path. + if [ x"${1%%/*}" = x ]; then + if [ x"$($WHICH $allowed)" = x"$1" ]; then + try $allowed + else + continue + fi + fi + # both are relative paths or filenames + if [ x"$allowed" = x"$1" ]; then + try $allowed + fi +done + +deny + diff --git a/templates/alpha.nix b/templates/alpha.nix new file mode 100644 index 0000000..373a183 --- /dev/null +++ b/templates/alpha.nix @@ -0,0 +1,36 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "${TMPLSTR_HOST_ID}"; + hostName = "${TMPLSTR_HOSTNAME}"; + + interfaces."${TMPLSTR_UPLINK_IFACE}" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.alpha = { + enable = true; + + bootDiskNode = "${TMPLSTR_BOOT_DISK_NODE}"; + bootPartUUID = "${TMPLSTR_BOOT_PART_UUID}"; + swapPartUUID = ${TMPLSTR_NULLABLE_SWAP_PART_UUID}; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "${TMPLSTR_NIXOS_VERSION}"; # Did you read the comment? +} diff --git a/templates/beta.nix b/templates/beta.nix new file mode 100644 index 0000000..7220d87 --- /dev/null +++ b/templates/beta.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "${TMPLSTR_HOST_ID}"; + hostName = "${TMPLSTR_HOSTNAME}"; + + interfaces."${TMPLSTR_UPLINK_IFACE}" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.beta = { + enable = true; + + bootDisks = [ { + diskNode = "${TMPLSTR_BOOT_DISK_NODE}"; + partUUID = "${TMPLSTR_BOOT_PART_UUID}"; + } ]; + swapPartUUIDs = ${TMPLSTR_SWAP_PART_UUID_LIST}; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "${TMPLSTR_NIXOS_VERSION}"; # Did you read the comment? +} diff --git a/templates/gamma.nix b/templates/gamma.nix new file mode 100644 index 0000000..e4cef24 --- /dev/null +++ b/templates/gamma.nix @@ -0,0 +1,36 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../sns-cluster + ]; + + networking = { + hostId = "${TMPLSTR_HOST_ID}"; + hostName = "${TMPLSTR_HOSTNAME}"; + + interfaces."${TMPLSTR_UPLINK_IFACE}" = { + useDHCP = true; + }; + }; + + sns-machine = { + enable = true; + + family.gamma = { + enable = true; + + bootDiskNode = "${TMPLSTR_BOOT_DISK_NODE}"; + bootPartUUID = "${TMPLSTR_BOOT_PART_UUID}"; + swapPartUUID = ${TMPLSTR_NULLABLE_SWAP_PART_UUID}; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "${TMPLSTR_NIXOS_VERSION}"; # Did you read the comment? +}