neoloc/incus_deploy (#241)

feat: deploy incus - manage sysctl based on incus recommendations - manage limits based on incus recommendations - manage zpools and zfs datasets - add incus hiera settings feat: manage repo for zfs - dont use zfs module to manage repo, use profiles:😋:global::repos Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
2025-03-31 23:14:05 +11:00 · 2025-03-31 23:14:05 +11:00 · 95bc2716cf
commit 95bc2716cf
parent 978013f325
1 changed files with 81 additions and 0 deletions
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@ -1,4 +1,8 @@
 ---
+hiera_include:
+  - incus
+  - zfs
+
 profiles::pki::vault::alt_names:
  - incus.service.consul
  - incus.query.consul
@ -31,3 +35,80 @@ profiles::consul::client::node_rules:
  - resource: service
    segment: incus
    disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+  baseos:
+    name: zfs-kmod
+    descr: zfs-kmod repository
+    target: /etc/yum.repos.d/zfs-kmod.repo
+    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+    mirrorlist: absent
+
+
+# zfs settings
+zfs::manage_repo: false
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 4294967296 # 4GB
+zfs::zpools:
+  fastpool:
+    ensure: present
+    disk: /dev/nvme1n1
+    ashift: 12
+zfs::datasets:
+  fastpool:
+    canmount: 'off'
+    acltype: posix
+    atime: 'off'
+    relatime: 'off'
+    compression: 'zstd'
+    xattr: 'sa'
+  fastpool/data:
+    canmount: 'on'
+    mountpoint: '/data'
+
+# manage incus
+incus::cluster::members_lookup: true
+incus::cluster::members_role: roles::infra::incus::node
+incus::cluster::master: prodnxsr0009
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+  - incus-admin
+
+# sysctl recommendations
+sysctl::base::values:
+  fs.aio-max-nr:
+    value: '524288'
+  fs.inotify.max_queued_events:
+    value: '1048576'
+  fs.inotify.max_user_instances:
+    value: '1048576'
+  fs.inotify.max_user_watches:
+    value: '1048576'
+  kernel.dmesg_restrict:
+    value: '1'
+  kernel.keys.maxbytes:
+    value: '2000000'
+  kernel.keys.maxkeys:
+    value: '2000'
+  net.core.bpf_jit_limit:
+    value: '1000000000'
+  net.ipv4.neigh.default.gc_thresh3:
+    value: '8192'
+  net.ipv6.neigh.default.gc_thresh3:
+    value: '8192'
+  vm.max_map_count:
+    value: '262144'
+
+# limits.d recommendations
+limits::entries:
+  '*/nofile':
+    both: 1048576
+  'root/nofile':
+    both: 1048576
+  '*/memlock':
+    both: unlimited
+  'root/memlock':
+    both: unlimited