- Replace form_urlencoded with RFC 3986 compliant URI encoding
- Implement aws_uri_encode() matching the AWS SigV4 spec exactly
- Unreserved chars (A-Z, a-z, 0-9, -, _, ., ~) are not encoded
- All other chars are percent-encoded with uppercase hex
- Preserve slashes in paths; encode them in query params
- Normalize empty paths to '/' per the AWS spec
- Fix test expectations (body hash, HMAC values)
- Add comprehensive SigV4 signature determinism test

This fixes the canonicalization mismatch that caused signature validation failures in T047. Auth can now be enabled for production.

Refs: T058.S1
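{ config, pkgs, lib, ... }:

{
  imports = [
    ./netboot-base.nix
    ../modules # Import PlasmaCloud service modules
  ];

  # ============================================================================
  # WORKER NODE PROFILE
  # ============================================================================
  # This profile includes compute-focused services for a worker node:
  # - PlasmaVMC: Virtual machine control plane (for running VMs)
  # - PrismNET: Software-defined networking (for VM networking)
  #
  # Worker nodes are designed for running tenant workloads (VMs, containers)
  # and do not run the core distributed services (Chainfire, FlareDB, IAM).
  #
  # Services are DISABLED by default in the netboot image (lib.mkDefault false
  # below), so the final installed system configuration can turn them on with a
  # plain `enable = true;` without needing lib.mkForce.
  # ============================================================================

  # ============================================================================
  # SERVICE PACKAGE AVAILABILITY
  # ============================================================================
  # Make worker service packages available in the netboot image.
  # NOTE: listing `libvirt` here only puts the client tools on the PATH; it does
  # not start libvirtd (that would be virtualisation.libvirtd.enable, which is
  # not set in this file — it may come from netboot-base.nix, confirm).
  environment.systemPackages = with pkgs; [
    plasmavmc-server
    prismnet-server

    # Additional tools for worker nodes
    qemu # For running VMs
    libvirt # Virtualization management
    bridge-utils # Network bridge configuration
    openvswitch # Software-defined networking
  ];

  # ============================================================================
  # PLASMAVMC CONFIGURATION (DISABLED)
  # ============================================================================
  # `enable` is overridable (mkDefault); `port` is a fixed value and is read
  # back below to open the firewall, so the two cannot drift apart.
  services.plasmavmc = {
    enable = lib.mkDefault false;
    port = 8081;
  };

  # ============================================================================
  # PRISMNET CONFIGURATION (DISABLED)
  # ============================================================================
  services.prismnet = {
    enable = lib.mkDefault false;
    port = 8082;
  };

  # ============================================================================
  # VIRTUALIZATION SUPPORT
  # ============================================================================
  # Enable KVM virtualization. Both vendor modules are listed; the one that does
  # not match the CPU simply fails to load at boot.
  boot.kernelModules = [ "kvm-intel" "kvm-amd" ];

  # Enable nested virtualization.
  # SECURITY: nested=1 lets tenant guests run their own hypervisor, which widens
  # the KVM interface exposed to untrusted guest code. Keep it only if nested
  # VMs are an actual tenant requirement.
  boot.extraModprobeConfig = ''
    options kvm_intel nested=1
    options kvm_amd nested=1
  '';

  # ============================================================================
  # NETWORKING CONFIGURATION
  # ============================================================================
  # Enable Open vSwitch for SDN (no bridges are defined here; PrismNET or the
  # installed configuration is expected to populate this).
  networking.vswitches = lib.mkDefault {};

  # Open firewall ports for worker services.
  # The management ports are only opened when the corresponding service is
  # actually enabled (both default to disabled above), so the netboot image
  # does not expose listeners that are not running. The port numbers are read
  # from the service config rather than repeated here.
  networking.firewall.allowedTCPPorts =
    lib.optionals config.services.plasmavmc.enable [ config.services.plasmavmc.port ]
    ++ lib.optionals config.services.prismnet.enable [ config.services.prismnet.port ]
    ++ [
      # QEMU/LibVirt
      # SECURITY: 16509 is libvirtd's plaintext TCP listener (the TLS listener is
      # 16514). Exposing it on every interface gives anyone who can reach it
      # control over the VMs unless libvirtd is configured with SASL/TLS.
      # Consider restricting both ports to the management interface via
      # networking.firewall.interfaces.<iface>.allowedTCPPorts instead.
      16509 # libvirtd
      # VNC has no transport encryption by default; 5900 only covers display :0,
      # additional VMs typically get 5901, 5902, ... and are not opened here.
      5900 # VNC (for VM console access)
    ];

  networking.firewall.allowedUDPPorts = [
    # VXLAN for overlay networking
    4789
  ];

  # ============================================================================
  # STORAGE CONFIGURATION
  # ============================================================================
  # Enable LVM for flexible storage management
  services.lvm.enable = true;

  # Enable ZFS if needed for VM storage.
  # NOTE(review): NixOS requires networking.hostId to be set when zfs is in
  # supportedFilesystems — presumably provided by netboot-base.nix, confirm.
  boot.supportedFilesystems = [ "ext4" "xfs" "btrfs" "zfs" ];

  # ============================================================================
  # RESOURCE LIMITS
  # ============================================================================
  # Worker nodes should dedicate most resources to tenant workloads.
  # Minimal resource limits for management services. The mkIf guards keep these
  # from creating an empty systemd unit when the service is disabled.
  systemd.services.plasmavmc.serviceConfig = lib.mkIf config.services.plasmavmc.enable {
    MemoryMax = "256M";
    CPUQuota = "25%";
  };

  systemd.services.prismnet.serviceConfig = lib.mkIf config.services.prismnet.enable {
    MemoryMax = "256M";
    CPUQuota = "25%";
  };

  # ============================================================================
  # PERFORMANCE TUNING
  # ============================================================================
  # Optimize for VM workloads
  boot.kernel.sysctl = {
    # Increase max number of open files
    "fs.file-max" = 1000000;

    # Increase network buffer sizes
    "net.core.rmem_max" = 134217728;
    "net.core.wmem_max" = 134217728;

    # Enable IP forwarding for VM networking.
    # SECURITY: this makes the host route between all of its interfaces. The
    # NixOS firewall rules above only filter traffic addressed to the host
    # itself, so tenant-to-tenant and tenant-to-management isolation has to come
    # from the PrismNET/OVS flow rules — confirm those are default-deny.
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;

    # Optimize for high-performance networking
    "net.core.netdev_max_backlog" = 5000;
  };
}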