| author | lassulus <lassulus@lassul.us> | 2022-12-28 11:18:54 +0100 | 
|---|---|---|
| committer | lassulus <lassulus@lassul.us> | 2022-12-28 11:29:48 +0100 | 
| commit | adc11cf679970da26f82e5200f2ea2a94c59e8be (patch) | |
| tree | 396454565852784c27c3187c3e9aa9f3f4e5c3a3 /lass | |
| parent | 351667fe85202192fdc442ce22dd5e75aa844598 (diff) | |
l neoprism.r: init
Diffstat (limited to 'lass')
| -rw-r--r-- | lass/1systems/neoprism/config.nix | 25 | ||||
| -rw-r--r-- | lass/1systems/neoprism/disk.nix | 116 | ||||
| -rw-r--r-- | lass/1systems/neoprism/physical.nix | 42 | 
3 files changed, 183 insertions, 0 deletions
|
diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
new file mode 100644
index 000000000..e4f9d2560
--- /dev/null
+++ b/lass/1systems/neoprism/config.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/libvirt.nix>
+    { # TODO make new hfos.nix out of this vv
+      users.users.riot = {
+        uid = pkgs.stockholm.lib.genid_uint31 "riot";
+        isNormalUser = true;
+        extraGroups = [ "libvirtd" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+        ];
+      };
+      # krebs.iptables.tables.filter.FORWARD.rules = [
+      #   { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+      #   { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
+      # ];
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.neoprism;
+}
diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix
new file mode 100644
index 000000000..cf9a8cef4
--- /dev/null
+++ b/lass/1systems/neoprism/disk.nix
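Review bot: `extraGroups = [ "libvirtd" ];` on users.users.riot hands that account control of the system libvirt daemon, which on a stock libvirt install is effectively root-equivalent on the host, and the commit does not say whether riot is meant to be a co-administrator of the hypervisor or only a VM tenant. If tenant-level access is the intent, a session-scoped URI or a libvirt polkit ACL would narrow it; if host-level access is the intent, a comment on the group line such as `# libvirtd membership is root-equivalent on this host; riot is a co-admin` would save the next reader the question. The `# TODO make new hfos.nix out of this vv` marker and the commented-out FORWARD rules for 95.216.1.130 are carried over without a note on whether those rules are still wanted on neoprism, so they read as either dead or pending.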
@@ -0,0 +1,116 @@
+{ lib, ... }:
+{
+  disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: {
+    type = "disk";
+    device = disk;
+    content = {
+      type = "table";
+      format = "gpt";
+      partitions = [
+        {
+          name = "boot";
+          type = "partition";
+          start = "0";
+          end = "1M";
+          part-type = "primary";
+          flags = ["bios_grub"];
+        }
+        {
+          type = "partition";
+          name = "ESP";
+          start = "1M";
+          end = "1GiB";
+          fs-type = "fat32";
+          bootable = true;
+          content = {
+            type = "mdraid";
+            name = "boot";
+          };
+        }
+        {
+          type = "partition";
+          name = "zfs";
+          start = "1GiB";
+          end = "100%";
+          content = {
+            type = "zfs";
+            pool = "zroot";
+          };
+        }
+      ];
+    };
+  })) // {
+    hdd1 = {
+      type = "disk";
+      device = "/dev/sda";
+      content = {
+        type = "zfs";
+        pool = "tank";
+      };
+    };
+  };
+  mdadm = {
+    boot = {
+      type = "mdadm";
+      level = 1;
+      metadata = "1.0";
+      content = {
+        type = "filesystem";
+        format = "vfat";
+        mountpoint = "/boot";
+      };
+    };
+  };
+  zpool = {
+    zroot = {
+      type = "zpool";
+      mode = "mirror";
+      mountpoint = "/";
+      rootFsOptions = {
+      };
+      datasets.reserved = {
+        zfs_type = "filesystem";
+        options.refreservation = "1G";
+      };
+    };
+    tank = {
+      type = "zpool";
+      datasets = {
+        reserved = {
+          zfs_type = "filesystem";
+          options.refreservation = "1G";
+        };
+        containers = {
+          zfs_type = "filesystem";
+          mountpoint = "/var/lib/containers";
+        };
+        home = {
+          zfs_type = "filesystem";
+          mountpoint = "/home";
+        };
+        srv = {
+          zfs_type = "filesystem";
+          mountpoint = "/srv";
+        };
+        libvirt = {
+          zfs_type = "filesystem";
+          mountpoint = "/var/lib/libvirt";
+        };
+        # encrypted = {
+        #   zfs_type = "filesystem";
+        #   options = {
+        #     mountpoint = "none";
+        #     encryption = "aes-256-gcm";
+        #     keyformat = "passphrase";
+        #     keylocation = "prompt";
+        #   };
+        # };
+
+        # "encrypted/download" = {
+        #   zfs_type = "filesystem";
+        #   mountpoint = "/var/download";
+        # };
+      };
+    };
+  };
+}
diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix
new file mode 100644
index 000000000..4ffb749f1
--- /dev/null
+++ b/lass/1systems/neoprism/physical.nix
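Review bot: `device = "/dev/sda";` for hdd1, like the `"/dev/nvme0n1" "/dev/nvme1n1"` list fed to genAttrs, addresses disks that disko will partition and format by kernel enumeration name, which is not stable across reboots or hardware changes, so an added or re-ordered drive would have the layout applied to the wrong device. Pinning each entry to `/dev/disk/by-id/<DISK-ID>` (placeholder; the real ids are not on the page) ties the destructive layout to the physical drive, and a one-line comment saying which drive `tank` is meant to live on would help since nothing else in the file distinguishes it from the mirror pair. Separately, the `encrypted` dataset is left commented out, so `/home`, `/srv` and the container and libvirt stores on `tank` are plaintext at rest; if that is deliberate for this host, a comment to that effect would keep the commented block from reading as unfinished work.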
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  imports = [
+    ./config.nix
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+  ];
+
+  disko.devices = import ./disk.nix;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # networking config
+  boot.kernelParams = [ "net.ifnames=0" ];
+  networking.bridges."ext-br".interfaces = [ "eth0" ];
+  networking = {
+    hostId = "2283aaae";
+    defaultGateway = "95.217.192.1";
+    defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
+    # Use google's public DNS server
+    nameservers = [ "8.8.8.8" ];
+    interfaces.ext-br.ipv4.addresses = [
+      {
+        address = "95.217.192.59";
+        prefixLength = 26;
+      }
+    ];
+    interfaces.ext-br.ipv6.addresses = [
+      {
+        address = "2a01:4f9:4a:4f1a::1";
+        prefixLength = 64;
+      }
+    ];
+  };
+
+}
|
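Review bot: `networking.bridges."ext-br".interfaces = [ "eth0" ];` combined with `boot.kernelParams = [ "net.ifnames=0" ];` binds the public uplink to whichever NIC the kernel enumerates first, so a kernel or firmware change that reorders enumeration leaves the host without a reachable management path (ssh and, presumably, the imported retiolum config both ride on it). Matching the uplink by MAC through a udev link rule, or keeping the predictable name, removes that dependency; the MAC is not on the page, so the rule cannot be proposed here. `boot.loader.grub.version = 2;` is, as far as I recall, a deprecated no-op in current NixOS and may warn or break evaluation on a later channel, so it is worth dropping when the tree moves. The single `8.8.8.8` resolver has no fallback and no IPv6 resolver even though the host is given a v6 address; the comment `# Use google's public DNS server` could note that this is intentional if it is.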
