---
# Hiera data for an Incus cluster node with a ZFS-backed data pool.

# Classes pulled in for this node.
hiera_include:
  - 'incus'
  - 'zfs'

# Additional names handed to the PKI profile.
# Presumably these become SANs on the Vault-issued certificate; confirm
# against the profile.
profiles::pki::vault::alt_names:
  - 'incus.service.consul'
  - 'incus.query.consul'
  - "incus.service.%{facts.country}-%{facts.region}.consul"

# Principals handed to the SSH signing profile; same three names as above.
profiles::ssh::sign::principals:
  - 'incus.service.consul'
  - 'incus.query.consul'
  - "incus.service.%{facts.country}-%{facts.region}.consul"

# configure consul service
consul::services:
  incus:
    service_name: 'incus'
    tags:
      - 'incus'
      - 'container'
      - 'lxd'
    # Advertises the node's primary IP and the Incus HTTPS port in Consul.
    address: "%{facts.networking.ip}"
    port: 8443
    checks:
      - id: 'incus_https_check'
        name: 'incus HTTPS Check'
        http: "https://%{facts.networking.fqdn}:8443"
        method: 'GET'
        # NOTE(review): certificate verification is disabled for this check,
        # so it confirms that something answers HTTPS on 8443, not that the
        # endpoint presents the expected certificate. If the certificate
        # covers the node FQDN and the Consul agent trusts the issuing CA,
        # this can be set to false; confirm before changing.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# Consul node rule: write access limited to the single service name 'incus'.
# Presumably rendered into the node's Consul ACL policy; verify in the
# profile.
profiles::consul::client::node_rules:
  - resource: 'service'
    segment: 'incus'
    disposition: 'write'

# zfs settings
# arc_min is explicitly null (no value supplied from this file).
zfs::zfs_arc_min: null
zfs::zfs_arc_max: 4294967296  # 4 GiB, in bytes

zfs::zpools:
  fastpool:
    ensure: 'present'
    # NOTE(review): kernel NVMe names such as nvme1n1 are assigned at
    # enumeration time; a /dev/disk/by-id path is the usual way to pin a
    # pool to one physical device. Confirm the module accepts such a path.
    disk: '/dev/nvme1n1'
    ashift: 12

zfs::datasets:
  # Pool root dataset: not mounted itself, carries the shared properties.
  fastpool:
    canmount: 'off'
    acltype: 'posix'
    atime: 'off'
    relatime: 'off'
    compression: 'zstd'
    xattr: 'sa'
  # Data dataset, mounted at /data.
  fastpool/data:
    canmount: 'on'
    mountpoint: '/data'

# manage incus
incus::cluster::members_lookup: true
incus::cluster::members_role: 'roles::infra::incus::node'
incus::cluster::master: 'prodnxsr0009'

# add sysadmin to incus-admin group
# Members of incus-admin have full control of the Incus daemon, which is
# effectively root on the host; keep this membership as tightly held as
# sudo access.
profiles::accounts::sysadmin::extra_groups:
  - 'incus-admin'

# sysctl recommendations
# Values are kept as quoted strings, exactly as supplied to the sysctl
# module.
sysctl::base::values:
  fs.aio-max-nr:
    value: '524288'
  fs.inotify.max_queued_events:
    value: '1048576'
  fs.inotify.max_user_instances:
    value: '1048576'
  fs.inotify.max_user_watches:
    value: '1048576'
  # Restricts reading the kernel log to privileged users.
  kernel.dmesg_restrict:
    value: '1'
  kernel.keys.maxbytes:
    value: '2000000'
  kernel.keys.maxkeys:
    value: '2000'
  net.core.bpf_jit_limit:
    value: '1000000000'
  net.ipv4.neigh.default.gc_thresh3:
    value: '8192'
  net.ipv6.neigh.default.gc_thresh3:
    value: '8192'
  vm.max_map_count:
    value: '262144'

# limits.d recommendations
# The '*' entries apply to every account on the host, not only to Incus.
# NOTE(review): unlimited memlock lets any local user pin memory; confirm
# that interactive access to these nodes is limited to administrators.
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576
  '*/memlock':
    both: 'unlimited'
  'root/memlock':
    both: 'unlimited'