From 61ac5a0d5eb9d66d6d3a31aa2ef22ee600b33370 Mon Sep 17 00:00:00 2001 From: chn Date: Wed, 8 Jan 2025 08:17:39 +0800 Subject: [PATCH] Revert "devices: xmupc1 xmupc2 -> srv2" This reverts commit cac52c47afd36f9bebe2ce1916b1dbb89cec3214. --- .sops.yaml | 24 ++-- .../node0 => srv1/node2}/secrets/default.yaml | 0 .../node0 => srv1/node2}/secrets/munge.key | 0 devices/srv2/default.nix | 87 --------------- devices/srv2/node0/default.nix | 44 -------- devices/srv2/node1/default.nix | 30 ----- devices/srv2/node1/secrets/munge.key | 24 ---- devices/vps6/default.nix | 2 +- devices/xmupc1/default.nix | 103 ++++++++++++++++++ .../node1 => xmupc1}/secrets/default.yaml | 0 devices/xmupc1/secrets/munge.key | 24 ++++ devices/xmupc2/README.md | 29 +++++ devices/xmupc2/default.nix | 95 ++++++++++++++++ devices/xmupc2/secrets/default.yaml | 54 +++++++++ devices/xmupc2/secrets/munge.key | 24 ++++ flake/nixos.nix | 65 ++++++----- modules/packages/ssh.nix | 23 ++-- modules/user/chn/ssh.nix | 2 +- 18 files changed, 387 insertions(+), 243 deletions(-) rename devices/{srv2/node0 => srv1/node2}/secrets/default.yaml (100%) rename devices/{srv2/node0 => srv1/node2}/secrets/munge.key (100%) delete mode 100644 devices/srv2/default.nix delete mode 100644 devices/srv2/node0/default.nix delete mode 100644 devices/srv2/node1/default.nix delete mode 100644 devices/srv2/node1/secrets/munge.key create mode 100644 devices/xmupc1/default.nix rename devices/{srv2/node1 => xmupc1}/secrets/default.yaml (100%) create mode 100644 devices/xmupc1/secrets/munge.key create mode 100644 devices/xmupc2/README.md create mode 100644 devices/xmupc2/default.nix create mode 100644 devices/xmupc2/secrets/default.yaml create mode 100644 devices/xmupc2/secrets/munge.key diff --git a/.sops.yaml b/.sops.yaml index 3bbaad4b..0808b408 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -4,14 +4,14 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6 - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902 - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3 + - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg + - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633 - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy - &srv1-node3 age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5 - - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw - - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg creation_rules: - path_regex: devices/pc/.*$ key_groups: @@ -33,6 +33,16 @@ creation_rules: - age: - *chn - *nas + - path_regex: devices/xmupc1/.*$ + key_groups: + - age: + - *chn + - *xmupc1 + - path_regex: devices/xmupc2/.*$ + key_groups: + - age: + - *chn + - *xmupc2 - path_regex: devices/pi3b/.*$ key_groups: - age: @@ -63,13 +73,3 @@ creation_rules: - age: - *chn - *srv1-node3 - - path_regex: devices/srv2/node0/.*$ - key_groups: - - age: - - *chn - - *srv2-node0 - - path_regex: devices/srv2/node1/.*$ - key_groups: - - age: - - *chn - - *srv2-node1 diff --git a/devices/srv2/node0/secrets/default.yaml b/devices/srv1/node2/secrets/default.yaml similarity index 100% rename from devices/srv2/node0/secrets/default.yaml rename to devices/srv1/node2/secrets/default.yaml 
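Review bot: The first hunk moves the key behind `&srv2-node0` to `&xmupc2`, but the two files renamed into `devices/srv1/node2/secrets/` right after these hunks are carried over at 100% similarity from `devices/srv2/node0/secrets/`, so they keep whatever recipients they were last encrypted for. Their contents are not shown; if they were encrypted under the old `devices/srv2/node0/` rule, srv1-node2 cannot decrypt them and the xmupc2 host key can. Running `sops updatekeys` on both files and comparing the recipient list with the `&srv1-node2` key would settle it. The creation rule for `devices/srv1/node2/` lies outside the visible hunks.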
diff --git a/devices/srv2/node0/secrets/munge.key b/devices/srv1/node2/secrets/munge.key similarity index 100% rename from devices/srv2/node0/secrets/munge.key rename to devices/srv1/node2/secrets/munge.key diff --git a/devices/srv2/default.nix b/devices/srv2/default.nix deleted file mode 100644 index fb36d9a3..00000000 --- a/devices/srv2/default.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -inputs: -{ - config = - { - nixos = - { - model.type = "server"; - system = - { - fileSystems = - { - mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in - { - vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot"; - btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" = - { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; }; - }; - swap = [ "/nix/swap/swap" ]; - rollingRootfs = {}; - }; - nixpkgs.cuda = - { - enable = true; - capabilities = - [ - # p5000 p400 - "6.1" - # 2080 Ti - "7.5" - # 3090 - "8.6" - # 4090 - "8.9" - ]; - forwardCompat = false; - }; - }; - hardware.gpu.type = "nvidia"; - services = - { - snapper.enable = true; - sshd = { passwordAuthentication = true; groupBanner = true; }; - smartd.enable = true; - slurm = - { - enable = true; - master = "srv2-node0"; - node = - { - srv2-node0 = - { - name = "n0"; address = "192.168.178.1"; - cpu = { sockets = 2; cores = 22; threads = 2; }; - memoryMB = 122880; - gpus."4090" = 1; - }; - srv2-node1 = - { - name = "n1"; address = "192.168.178.2"; - cpu = { cores = 16; threads = 2; }; - memoryMB = 94208; - gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; }; - }; - }; - partitions = - { - all = [ "srv2-node0" "srv2-node1" ]; - n0 = [ "srv2-node0" ]; - n1 = [ "srv2-node1" ]; - }; - defaultPartition = "all"; - tui = - { - cpuQueues = - [ - { name = "n0"; mpiThreads = 8; openmpThreads = 10; } - { name = "n1"; mpiThreads = 3; openmpThreads = 4; } - ]; - gpuIds = [ "4090" "3090" "p5000" ]; - gpuPartition = "all"; - }; - }; - }; - user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ]; - }; - }; -} diff --git a/devices/srv2/node0/default.nix b/devices/srv2/node0/default.nix deleted file mode 100644 index 947f7423..00000000 --- a/devices/srv2/node0/default.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -inputs: -{ - config = - { - nixos = - { - model.cluster.nodeType = "master"; - hardware.cpus = [ "intel" ]; - system = - { - nixpkgs.march = "skylake"; - # TODO: configure network - # networking.static = - # { - # eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; }; - # eno146 = { ip = "192.168.178.1"; mask = 24; }; - # }; - }; - services = - { - xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; }; # TODO: listen on shared port - beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; }; - wireguard = - { - enable = true; - peers = [ "vps6" ]; - publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE="; - wireguardIp = "192.168.83.7"; - }; - xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; }; - samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; }; - nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; }; - groupshare = {}; - hpcstat = {}; - }; - }; - # TODO: these netowrk settings should be changed - # allow other machine access network by this machine - systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both"; - # without this, tproxy does not work - # TODO: why? - networking.firewall.trustedInterfaces = [ "eno146" ]; - }; -} diff --git a/devices/srv2/node1/default.nix b/devices/srv2/node1/default.nix deleted file mode 100644 index 7040461a..00000000 --- a/devices/srv2/node1/default.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -inputs: -{ - config = - { - nixos = - { - model.cluster.nodeType = "worker"; - hardware.cpus = [ "amd" ]; - system = - { - nixpkgs.march = "znver3"; - # TODO: network - # networking.static.eno2 = - # { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; }; - fileSystems.mount.nfs."192.168.178.1:/home" = "/home"; - }; - services.beesd.instances.root = { device = "/"; hashTableSizeMB = 512; }; - }; - services.hardware.bolt.enable = true; - specialisation.no-share-home.configuration = - { - nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null; - system.nixos.tags = [ "no-share-home" ]; - }; - # TODO: network - # boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2"; - # make slurm sub process to be able to communicate with the master - # networking.firewall.trustedInterfaces = [ "eno2" ]; - }; -} diff --git a/devices/srv2/node1/secrets/munge.key b/devices/srv2/node1/secrets/munge.key deleted file mode 100644 index e8f551e4..00000000 --- a/devices/srv2/node1/secrets/munge.key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:YOWJQ16lYMKebzSyCcJ+N8x1iqD9Ml1cm07sTwSe0dE/OHtAyhasJ9qbg8wBhhtm0fjl5S5cNh6KxqGzb/0BSfMPIhii72gBdnPgjSWyVFatKM3Egqn4dUk96RlbUMWvPzWMGmleUGedWu7gUIHP2kgbfl94Whqpe1ozgb7qoxg=,iv:R+TguIqtcXQXiAL/vVgkZAWCCdvAV9rYwaTTszgDqE4=,tag:MlAcThDJjCglpJhK2HIjxg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMnJ4TVkyWGtmeTZvZk1h\ndnZKU1FyM1lsYktKZnRhekR3bm9PMXphV1FvCjhOY21iV3g2SXVTL0FLQUhFa0Ni\nYnJsenZldUk4anRvbStlemZzQUx2RUUKLS0tIGFVanY3QzRzV0REdUYxbnBtS1My\nemtCdG9tMUhuTkFDalRNMzJaVEZHOVUK3sfaYjScNEyJnuwTKtIlzJzNqf4dz6ea\nmgtijiKjFl7LVo08XRKz7Ry0/s5nawrh0yT64MGOoz+zT3Lu5BPRpw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNTVLQTVwUkNucjNVMVht\nQ0wyaWFMc2c5NGlQZHl6REQya2NYM3pXeEFvCm9JWmM0Zkg1V0JzSlJGMUNOdmJ3\nTFBSSVFNSzRMaDFlV082dTAwbEg1eHMKLS0tIG1PL3ZHNFljdXAzNGZVTU5CL2Z0\nSFJmbitSaTZtY05OQ2xmVStubnAyMmMKJKwjJLyQKk0l24vRYuN8Qa8mksOkMrOc\nFUKcJjJ4faucBAPLohHFVrbzfDLu4BhIN3mCXKSydKCaRqXlz57FHw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-01-07T12:12:40Z", - "mac": "ENC[AES256_GCM,data:NDi9LQINjtSO0qJe37WPbAyRlEgaGvxP8jrEwzd/3gQoR1zSvaBa9+IerAxCCZc9pJFVzq6FVQ4Yw8AH+dkigdMep5KL6JCtYLTqLDhohuW9REKfev6BapILfMNr2o6wyrzo+uZsbvtfq356yMVclFUtZKX8xDnGpvdUBQaTm0s=,iv:ffKwGh1zOL7wcJ1W9jbmvubXJQENZmRj58WNFRLiDtc=,tag:A7Tuvu+F1knhLwdkxJfXgQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix index 2b45e93a..84d85a6a 100644 --- a/devices/vps6/default.nix 
+++ b/devices/vps6/default.nix @@ -78,7 +78,7 @@ inputs: wireguard = { enable = true; - peers = [ "pc" "nas" "one" "vps7" "srv2-node0" "pi3b" "srv1-node0" ]; + peers = [ "pc" "nas" "one" "vps7" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ]; publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4="; wireguardIp = "192.168.83.1"; listenIp = "74.211.99.69"; diff --git a/devices/xmupc1/default.nix b/devices/xmupc1/default.nix new file mode 100644 index 00000000..34922049 --- /dev/null +++ b/devices/xmupc1/default.nix 
@@ -0,0 +1,103 @@
+inputs:
+{
+ config =
+ {
+ nixos =
+ {
+ model.type = "server";
+ system =
+ {
+ fileSystems =
+ {
+ mount =
+ {
+ # TODO: reparition
+ vfat."/dev/disk/by-uuid/467C-02E3" = "/boot";
+ btrfs =
+ {
+ "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b"."/nix" = "/nix";
+ "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
+ {
+ "/nix/rootfs" = "/nix/rootfs";
+ "/nix/persistent" = "/nix/persistent";
+ "/nix/nodatacow" = "/nix/nodatacow";
+ "/nix/rootfs/current" = "/";
+ };
+ };
+ };
+ swap = [ "/nix/swap/swap" ];
+ rollingRootfs = {};
+ };
+ nixpkgs =
+ {
+ march = "znver3";
+ cuda =
+ {
+ enable = true;
+ capabilities =
+ [
+ # p5000 p400
+ "6.1"
+ # 2080 Ti
+ "7.5"
+ # 3090
+ "8.6"
+ # 4090
+ "8.9"
+ ];
+ forwardCompat = false;
+ };
+ };
+ nix.remote.slave.enable = true;
+ };
+ hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
+ virtualization.kvmHost = { enable = true; gui = true; };
+ services =
+ {
+ snapper.enable = true;
+ sshd = { passwordAuthentication = true; groupBanner = true; };
+ xray.client.enable = true;
+ smartd.enable = true;
+ beesd.instances =
+ {
+ root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+ nix = { device = "/nix"; hashTableSizeMB = 512; };
+ };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
+ wireguardIp = "192.168.83.6";
+ };
+ slurm =
+ {
+ enable = true;
+ master = "xmupc1";
+ node.xmupc1 =
+ {
+ name = "xmupc1"; address = "127.0.0.1";
+ cpu = { cores = 16; threads = 2; };
+ memoryMB = 94208;
+ gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
+ };
+ partitions.localhost = [ "xmupc1" ];
+ tui = { cpuQueues = [{ mpiThreads = 3; openmpThreads = 4; }]; gpuIds = [ "p5000" "3090" "4090" ]; };
+ };
+ xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
+ samba =
+ {
+ enable = true;
+ hostsAllowed = "";
+ shares = { home.path = "/home"; root.path = "/"; };
+ };
+ groupshare = {};
+ hpcstat = {};
+ docker = {};
+ };
+ bugs = [ "xmunet" "amdpstate" ];
+ user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ];
+ };
+ services.hardware.bolt.enable = true;
+ };
+}
diff --git a/devices/srv2/node1/secrets/default.yaml b/devices/xmupc1/secrets/default.yaml
similarity index 100%
rename from devices/srv2/node1/secrets/default.yaml
rename to devices/xmupc1/secrets/default.yaml
diff --git a/devices/xmupc1/secrets/munge.key b/devices/xmupc1/secrets/munge.key
new file mode 100644
index 00000000..57193d72
--- /dev/null
+++ b/devices/xmupc1/secrets/munge.key
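Review bot: The `samba` block exports `root.path = "/"` with `hostsAllowed = ""`, and `sshd` sets `passwordAuthentication = true` on a host that lists eleven accounts in `user.users`. What an empty `hostsAllowed` means depends on the samba module, which is not shown; if it leaves the share unrestricted, one weak account password is enough to reach the whole filesystem over the network. I would drop the root share, i.e. `shares = { home.path = "/home"; };`, set `hostsAllowed` to a concrete range (the WireGuard peers here sit in `192.168.83.x`), and add a comment on the `sshd` line saying why password logins stay enabled. The same three settings appear in devices/xmupc2/default.nix.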
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-02-26T06:04:53Z", + "mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/devices/xmupc2/README.md b/devices/xmupc2/README.md new file mode 100644 index 00000000..c9e05eb1 --- /dev/null 
+++ b/devices/xmupc2/README.md
@@ -0,0 +1,29 @@
+# 硬件
+
+* CPU:44 核 88 线程。
+* 内存:256 G。
+* 显卡:
+ * 4090:24 G 显存。
+ * ~~P5000:16 G 显存~~暂时拔掉了,否则 4090 供电不够。
+* 硬盘:18 T。
+
+# 支持的连接协议
+
+## SSH
+
+* 地址:xmupc2.chn.moe
+* 端口:6394
+* 用户名:自己名字的拼音首字母
+* 可以用密码登陆,也可以用证书登陆。
+
+## RDP
+
+* 地址:xmupc2.chn.moe:3390
+* 用户名:自己名字的拼音首字母
+* 密码和 ssh 一样(使用同样的验证机制)。
+
+## samba
+
+因端口冲突暂时禁用。
+
+其它内容请阅读 [xmupc1](../xmupc1) 的说明,两台机器的软件大致是一样的。
diff --git a/devices/xmupc2/default.nix b/devices/xmupc2/default.nix
new file mode 100644
index 00000000..a762534c
--- /dev/null
+++ b/devices/xmupc2/default.nix
@@ -0,0 +1,95 @@
+inputs:
+{
+ config =
+ {
+ nixos =
+ {
+ model.type = "server";
+ system =
+ {
+ fileSystems =
+ {
+ mount =
+ {
+ vfat."/dev/disk/by-uuid/23CA-F4C4" = "/boot";
+ btrfs =
+ {
+ "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac" =
+ { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
+ };
+ };
+ swap = [ "/nix/swap/swap" ];
+ rollingRootfs = {};
+ };
+ nixpkgs =
+ {
+ march = "skylake";
+ cuda =
+ {
+ enable = true;
+ capabilities =
+ [
+ # p5000 p400
+ "6.1"
+ # 2080 Ti
+ "7.5"
+ # 3090
+ "8.6"
+ # 4090
+ "8.9"
+ ];
+ forwardCompat = false;
+ };
+ };
+ nix =
+ {
+ marches =
+ [
+ "broadwell" "skylake"
+ # AVX512F CLWB AVX512VL AVX512BW AVX512DQ AVX512CD AVX512VNNI
+ # "cascadelake"
+ ];
+ remote.slave.enable = true;
+ };
+ grub.windowsEntries."8F50-83B8" = "猿神,启动!";
+ };
+ hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
+ virtualization.kvmHost = { enable = true; gui = true; };
+ services =
+ {
+ snapper.enable = true;
+ sshd = { passwordAuthentication = true; groupBanner = true; };
+ xray.client.enable = true;
+ smartd.enable = true;
+ beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
+ wireguardIp = "192.168.83.7";
+ };
+ slurm =
+ {
+ enable = true;
+ master = "xmupc2";
+ node.xmupc2 =
+ {
+ name = "xmupc2"; address = "127.0.0.1";
+ cpu = { sockets = 2; cores = 22; threads = 2; };
+ memoryMB = 253952;
+ gpus."4090" = 1;
+ };
+ partitions.localhost = [ "xmupc2" ];
+ tui = { cpuQueues = [{ mpiThreads = 8; openmpThreads = 10; }]; gpuIds = [ "4090" ]; };
+ };
+ xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
+ samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+ groupshare = {};
+ docker = {};
+ };
+ bugs = [ "xmunet" ];
+ user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ];
+ };
+ };
+}
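Review bot: `samba = { enable = true; ... }` contradicts the README added for this machine in the same commit, whose samba section says the service is temporarily disabled because of a port conflict. If the README is current, the block should read `samba = { enable = false; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };` so the shares are not brought up by accident on the next rebuild; if the config is current, the README needs correcting. It matters which one is true because this block exports `/` with an empty `hostsAllowed` on a host that also allows password logins.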
diff --git a/devices/xmupc2/secrets/default.yaml b/devices/xmupc2/secrets/default.yaml new file mode 100644 index 00000000..455ed099 --- /dev/null +++ b/devices/xmupc2/secrets/default.yaml 
@@ -0,0 +1,54 @@ +acme: + token: ENC[AES256_GCM,data:Wb7Gons3HCMK5WGIZpG4XrrqZ5G6bymjuKMW6IUjLiK0CIXFz/ARNg==,iv:zc4BgHcc+O7SHQbJkff11fBwgsd+TFtvSEGJ/qrzVo4=,tag:K+Nu9kenTtTnin4+hDCdWA==,type:str] +nginx: + maxmind-license: ENC[AES256_GCM,data:FPVSD8otQMNpbESNEHXCfQjB/zi3OVwZoyLijUtnHQlQzec7KVSiGw==,iv:DkkwCqvRmcFHQIXseh2fycCxZboJMYhHPu67GddenY4=,tag:iHEC8r5GcuB1QcZ5Uf8Skw==,type:str] +xray-client: + uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str] +wireguard: + privateKey: ENC[AES256_GCM,data:0Vw9NVs/Kxc52zUlmeAPFeOG8msdL0YopjhzFKRWhv6+kfb+SFObOP8EJ2M=,iv:KgIZIawbnN+1sIcMjNECkdtujPbg7yQktKVc25SXavI=,tag:b79oZP+GZKmM3OVFshvFhg==,type:str] +users: + #ENC[AES256_GCM,data:FP1Mr1TmRI4L,iv:3K4LMbOQPvF1ORWNyaXDoC5MXn3yColR4eKs9sm9y5s=,tag:f3guTegVXw1A6aqolKQnqA==,type:comment] + xll: ENC[AES256_GCM,data:CAEd+usnLKoQZ+0PLEiJfbZpz2pyn+I/edC2KbNXBXZPAgT7IDENMnSQyxme899KqRVL4nLrtHs82aA8+kl/dE+QYSTCFVVuHg==,iv:Hs8rb0Iu5Xw74p9/cL2gWfPLh61VaLzIltKUSjRFZjc=,tag:/u5vI0oTMQbNoCEzhcWqOw==,type:str] + #ENC[AES256_GCM,data:UIns0CnC/QmJ,iv:Gn4XDPcdTyDLXAgGq7qwayrN206Gx7JsJ3V9G+4bTyA=,tag:FITVs8Tgkiq1XoS8joXM1Q==,type:comment] + zem: ENC[AES256_GCM,data:znpGuS8LVxaztnwQlIwu3hykWRBUtQvOsniLaOasXDbw9lHGX8lwwYJuCE+0I14HmiZK/RrrouIwfAfcjZQzPyjJ/SRoOG1Vyg==,iv:YXHX43y99/w9102vhsvFLVOUtJmuRnLVLu+ywfn9URY=,tag:AzsmkXOyX7y/D+ndteuMmA==,type:str] + #ENC[AES256_GCM,data:6vMItERptBsX,iv:G0sDjEfLciheMxTZbeLIbWKlimPD1ANIk/VVdhQifXA=,tag:oR9FEdVx6W+0uDeKfb37iw==,type:comment] + yjq: ENC[AES256_GCM,data:sGPQ0xALULREnhzl9g/V91M5osMglsSps6R4gYn5OZc/4xVC1phF3qajVN3YMOr7kKgkHbF2Rjm6/2vuK0k1iYZnFswUAmFlmw==,iv:5vG1hn7SlX6HCpas2BgxBSwWqLby8OCxcH3EKNvceIc=,tag:TVwFBAuosKnEOZecq1phXw==,type:str] + #ENC[AES256_GCM,data:ALHxkRABA+ll,iv:r1IDiHLFcTdLID3q16zrLTavAwQfddC7bXMKcFZFveI=,tag:4Pd0/Q1BmH4gJjaM4hbqqQ==,type:comment] + gb: 
ENC[AES256_GCM,data:z4CrtdmdLJJ0qZzr7qvihnluJQgjtciX56KdEmtemiRu0llEJk9qz6a23aJ7m40Sfc38elF1/LsvjOuBOC87+BVkKDCj76phag==,iv:WrFVxkr3snmqDXZx5kAYCLp7ixEIzxoT7El3rV7Ovqg=,tag:iExf2Y/HObHQrKMTRvqn7A==,type:str] + #ENC[AES256_GCM,data:XfNExliq7noL,iv:K+rFlZHF1oY5rsTzaO0mgxiE1VlKdtPTifAaesg321k=,tag:Dja8NmPWZdJkf/J/96/wAw==,type:comment] + wp: ENC[AES256_GCM,data:yjMDez28pJUo6riIHypQQgjGFbuLwy87eG4ek/+Li2w8b4Cm5JckRvs26o+S0blfICc8WqIqEJGakT2wVBE5O1jGfniKn3PhTA==,iv:dOA318XRd2EXxmTIlk6GhlAR/FBpbKkbPJJCXTwFCxM=,tag:9MkXNUuAoplAzE+4eJpr0w==,type:str] + #ENC[AES256_GCM,data:YGcTkNCeu3m7,iv:jYmVrfRFwQoX1XxeSzS23wRMAD/AnzYBXQjI76Ke2FE=,tag:WJfSmjdggzPojDcJ6GzP+A==,type:comment] + hjp: ENC[AES256_GCM,data:0R5SfBFKuLGurwINnTj31FOrwwfY9bqVS1rG/a0HqIYd+Ui8/2ffFBx0Et+tYIqcxXEJpGbvse43V0naNKmFKlLanfcy9YV/Hg==,iv:mpAUmcVHWWLoreEsG9ha09jxte8mQCLt/A7nm04iX9Y=,tag:bia9pjL0MAcs9vj1gKCVCQ==,type:str] + #ENC[AES256_GCM,data:Q3TFPjvcDmKh,iv:eZ1NXGQr9HogxWa46T26WL63nvqho2/KSji8Dgse76o=,tag:iSGPRMCMolp7LVFjJGPotg==,type:comment] + lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str] +mariadb: + slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl + emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6 + ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4 + M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP + rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw== + -----END AGE ENCRYPTED 
FILE----- + - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo + a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr + Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM + M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU + LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-26T12:27:03Z" + mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/devices/xmupc2/secrets/munge.key b/devices/xmupc2/secrets/munge.key new file mode 100644 index 00000000..0171b9f2 --- /dev/null +++ b/devices/xmupc2/secrets/munge.key 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:Um00c+kry3QrHEZVdlUws+gGGvtPKh8WzkpT6CHL7uwHRUWc+5E0bvlwXFJTkmPdGOOV2Jx9fGvSKpQb1/MPJhMhpCAw5n69QIRjVVURZcvVVFrl+eNO2sf/h2GTFvKRAtlcNAh7cvjkpiB3r+S7mRYSI914B7w8GLTdRFvtqYo=,iv:gk7S1SiA0iBAfpXLhhPJuexolP6w1XAd8M2H+sqqmoM=,tag:O8Eoa4LjEo14H/+1W5rcgQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWYmNFOFlnbm1FdXdGWUNr\nOGN3THhDUyt4SDVzcHY5dEYrSWsrQm1UOFJvCmhXaWFlcC8wazROaXZzcm9tUnFM\nQlphZ0x6c0RhbzY0aGVFbXdOa1BHbG8KLS0tIHF2YUNTVnZ3Z25FSnFlTEdmdXhE\nb3Z2UEp1c2UrOUp3NEdNcE5HSFptbzAKWGSTwv6xUNs/f+p0Bhpzg8zZ7EVK8kMm\no13fru2Cnqrw8Cj0zfx+7LODpBVzo03fLYKqZ6kbPZGa12ihk+fD4g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRVMrenM2Q1ZheFVPc2Rz\nYVd6UGoxbkpSQlZsNFN1dmIzSkl6SERwaTBRCjlHV3MvTEpxbDY4OHZjeUd5NmRF\nRmc1NzVCMTA0bDhwajNlMWZKTlNKK2cKLS0tIHRZZ0cxY2dwV21iRDlmeE5UZkM4\nK1dKV24yY3FKV2J3U2VzZWt2QnBSTHcKn8mq+1RnJG/nBbH2mAFpSFSTHDWvMqJj\nsziW9lK0cH6bPxhcpDO4oG8K08bdGHUVGtx2Zk81CDqzfamlMzzG2Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-03-09T07:59:38Z", + "mac": "ENC[AES256_GCM,data:zNh6Cioh4+r0+nx04yLqeQShozxl7bLLKSmwodnmHtVQVlOTjj5sDLMEAAmrj1Ym2KrBPJOgdm34Sl6AbsmiBLxzDcBKe6J68Y/LHIeaPkToRKpmoy9I9a177w0KzFXgNaU2ieH71egD+nf8JmGG61hDjpiJRpx1Lwxb16Bn+Xs=,iv:QxiUYymiGuH0EBwEhyg5gDzkSKvGhq0+0wERNEJ71UM=,tag:N1Nn9X9vrghwwJWC3kituA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/flake/nixos.nix b/flake/nixos.nix index f29e35dd..af944eab 100644 --- a/flake/nixos.nix +++ b/flake/nixos.nix 
@@ -1,8 +1,5 @@ { inputs, localLib }: -let - machine = [ "nas" "pc" "pi3b" "vps6" "vps7" "one" ]; - cluster = { srv1 = 4; srv2 = 2; }; -in builtins.listToAttrs +builtins.listToAttrs ( (builtins.map (system: @@ -14,39 +11,41 @@ in builtins.listToAttrs specialArgs = { topInputs = inputs; inherit localLib; }; modules = localLib.mkModules [ - { config = { nixpkgs.overlays = [ inputs.self.overlays.default ]; nixos.model.hostname = system; }; } + { + config = + { + nixpkgs.overlays = [ inputs.self.overlays.default ]; + nixos.model.hostname = system; + }; + } ../modules ../devices/${system} ]; }; }) - machine) - ++ (builtins.concatLists (builtins.map - (cluster: - let nodes = builtins.genList (n: "node${builtins.toString n}") cluster.value; - in builtins.map - (node: - { - name = "${cluster.name}-${node}"; - value = inputs.nixpkgs.lib.nixosSystem + [ "nas" "pc" "pi3b" "vps6" "vps7" "xmupc1" "xmupc2" "one" ]) + ++ (builtins.map + (node: + { + name = "srv1-${node}"; + value = inputs.nixpkgs.lib.nixosSystem + { + system = "x86_64-linux"; + specialArgs = { topInputs = inputs; inherit localLib; }; + modules = localLib.mkModules + [ { - system = "x86_64-linux"; - specialArgs = { topInputs = inputs; inherit localLib; }; - modules = localLib.mkModules - [ - { - config = - { - nixpkgs.overlays = [ inputs.self.overlays.default ]; - nixos.model.cluster = { clusterName = cluster.name; nodeName = node; }; - }; - } - ../modules - ../devices/${cluster.name} - ../devices/${cluster.name}/${node} - ]; - }; - }) - nodes) - (localLib.attrsToList cluster))) + config = + { + nixpkgs.overlays = [ inputs.self.overlays.default ]; + nixos.model.cluster = { clusterName = "srv1"; nodeName = node; }; + }; + } + ../modules + ../devices/srv1 + ../devices/srv1/${node} + ]; + }; + }) + [ "node0" "node1" "node2" "node3" ]) ) diff --git a/modules/packages/ssh.nix b/modules/packages/ssh.nix index c6e1d2b7..b3581697 100644 --- a/modules/packages/ssh.nix +++ b/modules/packages/ssh.nix 
@@ -57,20 +57,20 @@ inputs: ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; hostnames = [ "github.com" ]; }; - srv2-node0 = - { - ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6"; - hostnames = [ "srv2.chn.moe" "wireguard.srv2.chn.moe" ]; - }; - srv2-node1 = + xmupc1 = { ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp"; - hostnames = [ "192.168.178.2" ]; + hostnames = [ "[office.chn.moe]:6007" "[xmupc1.chn.moe]:6007" "wireguard.xmupc1.chn.moe" "192.168.83.6" ]; + }; + xmupc2 = + { + ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6"; + hostnames = [ "[xmupc2.chn.moe]:6394" "wireguard.xmupc2.chn.moe" "192.168.83.7" ]; }; srv1-node0 = { ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; - hostnames = [ "srv1.chn.moe" "wireguard.srv1.chn.moe" ]; + hostnames = [ "srv1.chn.moe" "node0.srv1.chn.moe" "wireguard.node0.srv1.chn.moe" ]; }; srv1-node1 = { @@ -124,7 +124,7 @@ inputs: [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" "wireguard.one" ]) ++ (builtins.map (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; }) - [ "wireguard.pc" "srv1" "wireguard.srv1" "srv2" "wireguard.srv2" ]) + [ "wireguard.pc" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ]) ++ (builtins.map (host: { @@ -140,6 +140,8 @@ inputs: [ "wlin" "hwang" ]) ) // rec { + xmupc1 = { host = "xmupc1"; hostname = "xmupc1.chn.moe"; port = 6007; forwardX11 = true; }; + xmupc2 = { host = "xmupc2"; hostname = "xmupc2.chn.moe"; port = 6394; forwardX11 = true; }; nas = { host = "nas"; hostname = "192.168.1.2"; forwardX11 = true; }; pc = { host = "pc"; hostname = "192.168.1.3"; forwardX11 = true; }; one = { host = "one"; hostname = "192.168.1.4"; forwardX11 = true; }; 
@@ -152,11 +154,10 @@ inputs: forwardAgent = true; extraOptions.AddKeysToAgent = "yes"; }; - "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.srv2"; }; + "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.xmupc1"; }; srv1-node1 = { host = "srv1-node1"; hostname = "192.168.178.2"; proxyJump = "srv1"; }; srv1-node2 = { host = "srv1-node2"; hostname = "192.168.178.3"; proxyJump = "srv1"; }; srv1-node3 = { host = "srv1-node3"; hostname = "192.168.178.4"; proxyJump = "srv1"; }; - srv2-node1 = { host = "srv2-node1"; hostname = "192.168.178.2"; proxyJump = "srv2"; }; }; }; })]; diff --git a/modules/user/chn/ssh.nix b/modules/user/chn/ssh.nix index 10dda40b..cc659b8f 100644 --- a/modules/user/chn/ssh.nix +++ b/modules/user/chn/ssh.nix @@ -19,7 +19,7 @@ inputs: (system: { name = system; value = { forwardAgent = true; extraOptions.AddKeysToAgent = "yes"; }; }) [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas" "pc" - "srv1" "wireguard.srv1" "srv2" "wireguard.srv2" "one" "wireguard.one" + "xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2" "one" "wireguard.one" ])); extraConfig = inputs.lib.mkIf inputs.config.nixos.model.private ''
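Review bot: In modules/user/chn/ssh.nix the list that receives `forwardAgent = true` now includes `"xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2"`, which puts the forwarded agent socket within reach of anyone holding root on those machines, and both are configured as multi-user servers elsewhere in this commit. Where the forwarding only serves to hop to another host, `proxyJump` (already used for `"wireguard.jykang"` in modules/packages/ssh.nix) does that without exposing the agent on the intermediate machine. If forwarding is really needed there, a comment above the list such as `# agent forwarded to shared hosts: needed for <workflow>` would record the decision. The enclosing `builtins.map` expression starts outside the hunk.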