centra
4ab47b1726
Add tenant-scoped PrismNET routing, security-group, port, and service-IP APIs plus a deployer reconciler and Nix module that apply declarative tenant network state. Teach PlasmaVMC to realize PrismNET NICs as a concrete local worker dataplane with Linux bridges, dnsmasq-backed DHCP, tap devices, richer network metadata, stable managed-volume IDs, and file:// image imports. Expand the VM cluster validation around the new path, including the guest webapp demo, restart and cross-node migration checks, IAM listener reservation hardening, and a flake workspace-source-root audit so Nix builds keep path dependencies complete.
257 lines
7.3 KiB
Nix
257 lines
7.3 KiB
Nix
# node01 - Control Plane Primary
|
|
#
|
|
# Services: ChainFire, FlareDB, IAM, PrismNET, FlashDNS, FiberLB, K8SHost
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./common.nix
|
|
../modules/chainfire.nix
|
|
../modules/flaredb.nix
|
|
../modules/iam.nix
|
|
../modules/prismnet.nix
|
|
../modules/plasmacloud-tenant-networking.nix
|
|
../modules/flashdns.nix
|
|
../modules/fiberlb.nix
|
|
../modules/k8shost.nix
|
|
../modules/plasmavmc.nix
|
|
../modules/coronafs.nix
|
|
../modules/lightningstor.nix
|
|
];
|
|
|
|
networking.hostName = "node01";
|
|
|
|
virtualisation = {
|
|
memorySize = 3072;
|
|
diskSize = 61440;
|
|
};
|
|
|
|
networking.interfaces.eth1.ipv4.addresses = [{
|
|
address = "10.100.0.11";
|
|
prefixLength = 24;
|
|
}];
|
|
|
|
services.chainfire = {
|
|
enable = true;
|
|
nodeId = "node01";
|
|
raftAddr = "10.100.0.11:2380";
|
|
apiAddr = "10.100.0.11:2379";
|
|
initialPeers = [
|
|
"node01=10.100.0.11:2380"
|
|
"node02=10.100.0.12:2380"
|
|
"node03=10.100.0.13:2380"
|
|
];
|
|
};
|
|
|
|
services.flaredb = {
|
|
enable = true;
|
|
nodeId = "node01";
|
|
raftAddr = "10.100.0.11:2480";
|
|
apiAddr = "10.100.0.11:2479";
|
|
initialPeers = [
|
|
"node01=10.100.0.11:2479"
|
|
"node02=10.100.0.12:2479"
|
|
"node03=10.100.0.13:2479"
|
|
];
|
|
settings.namespace_modes = {
|
|
default = "strong";
|
|
validation = "eventual";
|
|
plasmavmc = "strong";
|
|
lightningstor = "eventual";
|
|
prismnet = "eventual";
|
|
flashdns = "eventual";
|
|
fiberlb = "eventual";
|
|
creditservice = "strong";
|
|
k8shost = "eventual";
|
|
};
|
|
};
|
|
|
|
services.iam = {
|
|
enable = true;
|
|
port = 50080;
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
allowRandomSigningKey = true;
|
|
allowUnauthenticatedAdmin = true;
|
|
};
|
|
|
|
services.prismnet = {
|
|
enable = true;
|
|
port = 50081;
|
|
iamAddr = "10.100.0.11:50080";
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
};
|
|
|
|
services.flashdns = {
|
|
enable = true;
|
|
iamAddr = "10.100.0.11:50080";
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
};
|
|
|
|
services.fiberlb = {
|
|
enable = true;
|
|
port = 50085;
|
|
iamAddr = "10.100.0.11:50080";
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
};
|
|
|
|
services.plasmavmc = {
|
|
enable = true;
|
|
mode = "server";
|
|
port = 50082;
|
|
httpPort = 8084;
|
|
prismnetAddr = "10.100.0.11:50081";
|
|
iamAddr = "10.100.0.11:50080";
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
lightningstorAddr = "10.100.0.11:50086";
|
|
coronafsControllerEndpoint = "http://127.0.0.1:50088";
|
|
coronafsNodeEndpoint = "http://127.0.0.1:50088";
|
|
};
|
|
|
|
services.coronafs = {
|
|
enable = true;
|
|
metadataBackend = "chainfire";
|
|
chainfireKeyPrefix = "/coronafs/test-cluster/control/volumes";
|
|
port = 50088;
|
|
advertiseHost = "10.100.0.11";
|
|
exportBasePort = 11000;
|
|
exportPortCount = 256;
|
|
exportSharedClients = 64;
|
|
exportCacheMode = "none";
|
|
exportAioMode = "io_uring";
|
|
exportDiscardMode = "unmap";
|
|
exportDetectZeroesMode = "unmap";
|
|
preallocate = true;
|
|
syncOnWrite = false;
|
|
};
|
|
|
|
services.lightningstor = {
|
|
enable = true;
|
|
mode = "all-in-one";
|
|
port = 50086;
|
|
nodePort = 50090;
|
|
s3Port = 9000;
|
|
objectStorageBackend = "distributed";
|
|
distributedRequestTimeoutMs = 300000;
|
|
distributedNodeEndpoints = [
|
|
"http://10.100.0.21:50086"
|
|
"http://10.100.0.22:50086"
|
|
];
|
|
replicaCount = 3;
|
|
readQuorum = 1;
|
|
writeQuorum = 2;
|
|
nodeMetricsPort = 9198;
|
|
chainfireAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
iamAddr = "10.100.0.11:50080";
|
|
flaredbAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
zone = "zone-a";
|
|
region = "test";
|
|
};
|
|
|
|
services.k8shost = {
|
|
enable = true;
|
|
port = 50087;
|
|
iamAddr = "http://10.100.0.11:50080";
|
|
chainfireAddr = "http://${config.photonTestCluster.chainfireControlPlaneAddrs}";
|
|
prismnetAddr = "http://10.100.0.11:50081";
|
|
flaredbPdAddr = config.photonTestCluster.chainfireControlPlaneAddrs;
|
|
flaredbDirectAddr = config.photonTestCluster.flaredbControlPlaneAddrs;
|
|
fiberlbAddr = "http://10.100.0.11:50085";
|
|
flashdnsAddr = "http://10.100.0.11:50084";
|
|
};
|
|
|
|
services.lightningstor.s3AccessKeyId = "photoncloud-test";
|
|
services.lightningstor.s3SecretKey = "photoncloud-test-secret";
|
|
|
|
plasmacloud.tenantNetworking = {
|
|
enable = true;
|
|
endpoint = "http://127.0.0.1:50081";
|
|
iamEndpoint = "http://127.0.0.1:50080";
|
|
controllerPrincipalId = "plasmacloud-reconciler";
|
|
prune = true;
|
|
tenants = [
|
|
{
|
|
org_id = "matrix-tenant-org";
|
|
project_id = "matrix-tenant-project";
|
|
security_groups = [
|
|
{
|
|
name = "vm-default";
|
|
description = "Default tenant SG for matrix VMs";
|
|
rules = [
|
|
{
|
|
direction = "ingress";
|
|
protocol = "tcp";
|
|
port_range_min = 22;
|
|
port_range_max = 22;
|
|
remote_cidr = "10.100.0.0/24";
|
|
description = "Allow SSH from the cluster network";
|
|
}
|
|
{
|
|
direction = "egress";
|
|
protocol = "any";
|
|
remote_cidr = "0.0.0.0/0";
|
|
description = "Allow outbound traffic";
|
|
}
|
|
];
|
|
}
|
|
{
|
|
name = "web";
|
|
description = "HTTP ingress from default tenant members";
|
|
rules = [
|
|
{
|
|
direction = "ingress";
|
|
protocol = "tcp";
|
|
port_range_min = 80;
|
|
port_range_max = 80;
|
|
remote_group = "vm-default";
|
|
description = "Allow HTTP from vm-default members";
|
|
}
|
|
];
|
|
}
|
|
];
|
|
service_ip_pools = [
|
|
{
|
|
name = "cluster-services";
|
|
cidr_block = "10.62.200.0/24";
|
|
description = "ClusterIP allocations for matrix tenant services";
|
|
pool_type = "cluster_ip";
|
|
}
|
|
{
|
|
name = "public-services";
|
|
cidr_block = "10.62.210.0/24";
|
|
description = "Load balancer allocations for matrix tenant services";
|
|
pool_type = "load_balancer";
|
|
}
|
|
];
|
|
vpcs = [
|
|
{
|
|
name = "matrix-vpc";
|
|
cidr_block = "10.62.0.0/16";
|
|
description = "Declarative PrismNET tenant network for VM matrix validation";
|
|
router = {
|
|
name = "matrix-router";
|
|
gateway_cidr = "10.62.0.1/24";
|
|
mac_address = "02:00:00:00:62:01";
|
|
external_ip = "203.0.113.62";
|
|
description = "Tenant edge router";
|
|
};
|
|
subnets = [
|
|
{
|
|
name = "matrix-subnet";
|
|
cidr_block = "10.62.10.0/24";
|
|
gateway_ip = "10.62.10.1";
|
|
description = "Primary VM subnet for matrix validation";
|
|
dhcp_enabled = true;
|
|
}
|
|
];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
};
|
|
}
|