From bd567f188c207200763932122270c97bb74a0261 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 30 Mar 2025 01:22:26 +1100
Subject: [PATCH 1/2] feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings
---
 hieradata/roles/infra/incus/node.yaml | 69 +++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
index a0c8ecb..15a51d0 100644
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@@ -1,4 +1,8 @@
 ---
+hiera_include:
+ - incus
+ - zfs
+
 profiles::pki::vault::alt_names:
 - incus.service.consul
 - incus.query.consul
@@ -31,3 +35,68 @@ profiles::consul::client::node_rules:
 - resource: service
 segment: incus
 disposition: write
+
+# zfs settings
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 4294967296 # 4GB
+zfs::zpools:
+ fastpool:
+ ensure: present
+ disk: /dev/nvme1n1
+ ashift: 12
+zfs::datasets:
+ fastpool:
+ canmount: 'off'
+ acltype: posix
+ atime: 'off'
+ relatime: 'off'
+ compression: 'zstd'
+ xattr: 'sa'
+ fastpool/data:
+ canmount: 'on'
+ mountpoint: '/data'
+
+# manage incus
+incus::cluster::members_lookup: true
+incus::cluster::members_role: roles::infra::incus::node
+incus::cluster::master: prodnxsr0009
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+ - incus-admin
+
+# sysctl recommendations
+sysctl::base::values:
+ fs.aio-max-nr:
+ value: '524288'
+ fs.inotify.max_queued_events:
+ value: '1048576'
+ fs.inotify.max_user_instances:
+ value: '1048576'
+ fs.inotify.max_user_watches:
+ value: '1048576'
+ kernel.dmesg_restrict:
+ value: '1'
+ kernel.keys.maxbytes:
+ value: '2000000'
+ kernel.keys.maxkeys:
+ value: '2000'
+ net.core.bpf_jit_limit:
+ value: '1000000000'
+ net.ipv4.neigh.default.gc_thresh3:
+ value: '8192'
+ net.ipv6.neigh.default.gc_thresh3:
+ value: '8192'
+ vm.max_map_count:
+ value: '262144'
+
+# limits.d recommendations
+limits::entries:
+ '*/nofile':
+ both: 1048576
+ 'root/nofile':
+ both: 1048576
+ '*/memlock':
+ both: unlimited
+ 'root/memlock':
+ both: unlimited
--
2.47.3

From fb4d5c044dec275533988a268a4721cd6d2bc207 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 31 Mar 2025 23:01:50 +1100
Subject: [PATCH 2/2] feat: manage repo for zfs

- dont use zfs module to manage repo, use profiles::yum::global::repos
---
 hieradata/roles/infra/incus/node.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
index 15a51d0..3ec69b9 100644
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
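Review bot: In the `@@ -31,3 +35,68 @@` hunk of PATCH 1/2, two settings grant host-wide privilege without a comment recording the trust assumption behind them. The `'*/memlock': both: unlimited` and `'*/nofile'` entries under `limits::entries` apply to every account on the node rather than only to the Incus daemon, and membership of `incus-admin` gives full control of the Incus daemon, which is effectively root on the host. If these nodes are dedicated Incus hosts with no untrusted local accounts, record that next to the settings, e.g. `# host-wide limits per Incus recommendations; node must not carry untrusted local users` and `# incus-admin is root-equivalent via the Incus socket; keep membership minimal`. Separately, `disk: /dev/nvme1n1` depends on NVMe enumeration order, which is not guaranteed stable across reboots, so a `/dev/disk/by-id/<device-id>` path would pin `fastpool` to the intended device.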
@@ -36,7 +36,19 @@ profiles::consul::client::node_rules:
 segment: incus
 disposition: write
+# additional repos
+profiles::yum::global::repos:
+ baseos:
+ name: zfs-kmod
+ descr: zfs-kmod repository
+ target: /etc/yum.repos.d/zfs-kmod.repo
+ baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+ mirrorlist: absent
+
+
 # zfs settings
+zfs::manage_repo: false
 zfs::zfs_arc_min: ~
 zfs::zfs_arc_max: 4294967296 # 4GB
 zfs::zpools:
--
2.47.3
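Review bot: The new entry under `profiles::yum::global::repos` is keyed `baseos` although it sets `name: zfs-kmod`, so depending on how that hash is looked up and merged (not visible here) it may override the OS base repository definition instead of adding a repo; the key most likely should be `zfs-kmod:`. The entry also sets `gpgkey` without an explicit `gpgcheck`, so whether signatures are enforced depends on a default outside this hunk, and the key is fetched from the same host and path as the packages, which gives no protection if that mirror is tampered with. Because this repo delivers kernel modules, consider adding `gpgcheck: 1` and distributing the OpenZFS key from a source independent of `packagerepo.service.consul`, such as a file managed by Puppet.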