Merge branch '351.disable-swap' into 'develop'

Secure swap space and have 8 GB of swap consistently on all machines. Closes privatestorageops#351 See merge request privatestorage/PrivateStorageio!103

Merge branch '351.disable-swap' into 'develop'
8565b145 · Jean-Paul Calderone · 89017598 · 5cd53070 · 8565b145 · 8565b145
Commit 8565b145 authored 3 years ago by Jean-Paul Calderone
--- a/morph/grid/production/storage001-hardware.nix
+++ b/morph/grid/production/storage001-hardware.nix
@@ -12,6 +12,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/f72c1f46-6723-45bf-9ef7-92f31cc37589";
@@ -30,9 +31,12 @@
      fsType = "zfs";
    };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f986a811-4912-4e9a-8bc3-01cb6926c4c6"; }
-    ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
+

  nix.maxJobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

--- a/morph/grid/production/storage002-hardware.nix
+++ b/morph/grid/production/storage002-hardware.nix
@@ -12,6 +12,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/0e92ada9-effb-42e2-a26a-9cdb529bcdc7";
@@ -30,9 +31,11 @@
      fsType = "ext4";
    };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f762b5e2-bbdd-4a02-bbd9-0bf6b11e0ab5"; }
-    ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];

  nix.maxJobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

--- a/morph/grid/production/storage003-hardware.nix
+++ b/morph/grid/production/storage003-hardware.nix
@@ -13,6 +13,7 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/240fc1f6-cd55-48a3-ac80-5b3550a32ef5";
@@ -31,7 +32,11 @@
      fsType = "zfs";
    };

-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];

  nix.maxJobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

--- a/morph/grid/production/storage004-hardware.nix
+++ b/morph/grid/production/storage004-hardware.nix
@@ -12,6 +12,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d628122e-05d9-4212-b6a5-4b9516d85dbe";
@@ -25,7 +26,11 @@
      fsType = "zfs";
    };

-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];

  nix.maxJobs = lib.mkDefault 32;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

--- a/morph/grid/production/storage005-hardware.nix
+++ b/morph/grid/production/storage005-hardware.nix
@@ -12,6 +12,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/2653c6bb-396f-4911-b9ff-b68de8f9715d";
@@ -30,7 +31,11 @@
    fsType = "zfs";
  };

-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];

  nix.maxJobs = lib.mkDefault 32;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

--- a/morph/grid/testing/testing001-hardware.nix
+++ b/morph/grid/testing/testing001-hardware.nix
 {
  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
  ec2.hvm = true;
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
+

  boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "10000000";

--- a/morph/lib/hardware-virtual.nix
+++ b/morph/lib/hardware-virtual.nix
@@ -11,6 +11,7 @@

  boot.initrd.availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

@@ -33,4 +34,3 @@
  # We want to push packages with morph without having to sign them
  nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
 }
-
--- a/morph/lib/issuer-aws.nix
+++ b/morph/lib/issuer-aws.nix
-{
+{ lib, ... }: {
  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
+
+  # amazon-image.nix isn't quite aware of nvme-attached storage so give it a
+  # little help configuring grub.
+  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+
  ec2.hvm = true;
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
 }