From 390cc301734e5fab5808f56e4192fa6cf5ec94f3 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 17 Jan 2024 21:28:15 +0100 Subject: [PATCH 01/10] copy microvm config --- flake.lock | 72 ++++++++++++++++++++++++++++ flake.nix | 8 +++- nixos/machines/default.nix | 49 +++++++++++++++---- nixos/modules/networking/default.nix | 5 ++ 4 files changed, 124 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index d5b79c3..c98670d 100644 --- a/flake.lock +++ b/flake.lock @@ -152,6 +152,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -196,6 +214,28 @@ "type": "github" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1705263072, + "narHash": "sha256-DCqqaNWn9G81U+0Myyr36JrOKitcmS34oBWxqiHjabk=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "088ba565537eaef1041a87be5a44ca0daa4e1908", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1702272962, 
@@ -251,10 +291,27 @@ "disko": "disko", "dns": "dns", "kubenix": "kubenix", + "microvm": "microvm", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable" } }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1703273931, + "narHash": "sha256-CJ1Crdi5fXHkCiemovsp20/RC4vpDaZl1R6V273FecI=", + "ref": "refs/heads/main", + "rev": "97e2f3429ee61dc37664b4d096b2fec48a57b691", + "revCount": 597, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -284,6 +341,21 @@ "type": "indirect" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 62a54d1..0621b5f 100644 --- a/flake.nix +++ b/flake.nix @@ -24,10 +24,15 @@ url = "github:kirelagin/dns.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + microvm = { + url = "github:astro/microvm.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = - { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, ... }: + { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, microvm, ... }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -72,6 +77,7 @@ inherit system; specialArgs = { inherit kubenix dns; }; modules = [ + microvm.nixosModules.host machine.nixosModule disko.nixosModules.disko agenix.nixosModules.default diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix index b0264d0..558d110 100644 --- a/nixos/machines/default.nix +++ b/nixos/machines/default.nix 
@@ -52,18 +52,49 @@ name = "lewis"; hostName = "lewis.hyp"; - nixosModule.lab = { - dataHost.enable = true; + nixosModule = { pkgs, ... }: { + lab = { + dataHost.enable = true; - storage = { - osDisk = "/dev/sda"; - dataPartition = "/dev/nvme0n1p1"; + storage = { + osDisk = "/dev/sda"; + dataPartition = "/dev/nvme0n1p1"; + }; + + ssh = { + useCertificates = true; + hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub; + userCert = builtins.readFile ./lewis_user_ed25519-cert.pub; + }; }; - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub; - userCert = builtins.readFile ./lewis_user_ed25519-cert.pub; + microvm.vms.my-microvm.config = { + services.openssh.enable = true; + networking.firewall.enable = false; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" + ]; + + programs.bash.interactiveShellInit = '' + echo "Hello world from inside a virtual machine!" | ${pkgs.lolcat}/bin/lolcat + ''; + + microvm = { + shares = [{ + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + }]; + + interfaces = [{ + type = "tap"; + id = "vm-my-microvm"; + mac = "48:2D:63:E1:C5:39"; + }]; + }; }; }; }; diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix index eb5d409..de60475 100644 --- a/nixos/modules/networking/default.nix +++ b/nixos/modules/networking/default.nix @@ -153,6 +153,11 @@ in { ++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address; }; }; + + "40-vms" = { + matchConfig.Name = "vm-*"; + networkConfig.Bridge = cfg.dmzBridgeName; + }; }; }; }; From bd1ccce50d6e26e0ba5043e803880acefa803042 Mon Sep 17 00:00:00 2001 
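Review bot: `networking.firewall.enable = false;` in the new `my-microvm` config switches the guest's firewall off, while the `40-vms` unit added in nixos/modules/networking/default.nix in the same commit bridges its `vm-*` tap interface onto `cfg.dmzBridgeName`, so the guest sits on the DMZ segment with no packet filtering of its own. The only service the guest enables is sshd, and `services.openssh.enable = true` already opens port 22 through the NixOS firewall (`openFirewall` defaults to true), so the line can simply be dropped or set to `networking.firewall.enable = true;`. If the guest needs more ports later, `networking.firewall.allowedTCPPorts` keeps the allow-list explicit next to the service that needs it. The `lewis` attrset that this hunk rewrites is closed inside the hunk, but the surrounding machines attrset starts and ends outside it.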
From: Pim Kunis Date: Wed, 17 Jan 2024 23:04:27 +0100 Subject: [PATCH 02/10] fix ipv6 for wireguard --- .../networking/dmz/zones/geokunis2.nl.nix | 17 ++++++++++++++++- nixos/modules/networking/dmz/zones/kun.is.nix | 6 +++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix index 438700b..8a32dc7 100644 --- a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix +++ b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix @@ -7,7 +7,7 @@ in SOA = { nameServer = "ns"; adminEmail = "hostmaster@geokunis2.nl"; - serial = 2024011400; + serial = 2024011401; }; NS = [ @@ -49,5 +49,20 @@ in A = [ publicIPv4 ]; AAAA = [ ]; }; + + wg = { + A = [ publicIPv4 ]; + AAAA = [ "2a0d:6e00:1a77::1" ]; + }; + + wg4 = { + A = [ publicIPv4 ]; + AAAA = [ ]; + }; + + wg6 = { + A = [ ]; + AAAA = [ "2a0d:6e00:1a77::1" ]; + }; }; } diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nixos/modules/networking/dmz/zones/kun.is.nix index 8bc23ff..6c20a49 100644 --- a/nixos/modules/networking/dmz/zones/kun.is.nix +++ b/nixos/modules/networking/dmz/zones/kun.is.nix @@ -9,7 +9,7 @@ in SOA = { nameServer = "ns1"; adminEmail = "webmaster@kun.is"; - serial = 2024011400; + serial = 2024011401; }; NS = [ @@ -46,8 +46,8 @@ in git = { A = [ publicIPv4 ]; AAAA = [ ]; - }; - + }; + # Override because we don't support IPv6 for KMS. kms = { A = [ publicIPv4 ]; From d9bf4d30949b234f2f26c791970dd2b37922c8d1 Mon Sep 17 00:00:00 2001 From: Niels Kunis Date: Sat, 20 Jan 2024 19:01:46 +0100 Subject: [PATCH 03/10] corrected ipv6 address for wg.kun.is --- nixos/modules/networking/dmz/zones/kun.is.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nixos/modules/networking/dmz/zones/kun.is.nix index 6c20a49..80e1730 100644 --- a/nixos/modules/networking/dmz/zones/kun.is.nix +++ b/nixos/modules/networking/dmz/zones/kun.is.nix 
@@ -53,5 +53,12 @@ in A = [ publicIPv4 ]; AAAA = [ ]; }; + + # Override because wg is on opnsense so ipv6 differs from "dmzServicesIPv6" + wg = { + A = [ publicIPv4 ]; + AAAA = [ "2a0d:6e00:1a77::1" ]; + }; + }; } From e57f80df82b5ae7bd05af6271de978596c69179c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 23 Jan 2024 21:36:29 +0100 Subject: [PATCH 04/10] add flake app to reboot vms on servers --- flake.nix | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/flake.nix b/flake.nix index 0621b5f..f7ef537 100644 --- a/flake.nix +++ b/flake.nix @@ -36,6 +36,7 @@ let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; + lib = pkgs.lib; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; machines = import ./nixos/machines; # TODO: Maybe use mergeAttrLists 
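Review bot: The new `wg` record is added to kun.is.nix without touching the zone's SOA serial, which the previous commit bumped from 2024011400 to 2024011401 for the earlier zone change and which sits just above this hunk, outside it. If anything transfers this zone from the primary (a secondary doing AXFR/IXFR), the added AAAA will not be picked up until the serial changes, so bump it together with the record, e.g. `serial = 2024012000;` (example value). The address `2a0d:6e00:1a77::1` is now hard-coded in both geokunis2.nl.nix and kun.is.nix; if it is the same OPNsense WireGuard endpoint as the comment suggests, a shared binding next to `publicIPv4` would keep the two zones from drifting apart.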
@@ -102,5 +103,56 @@ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + + apps.${system} = + let + hostNames = builtins.concatStringsSep " " (builtins.map (host: "\"${host.config.networking.fqdn}\"") (builtins.attrValues self.nixosConfigurations)); + in + { + reboot-all-vms = + let + reboot-all-vms = pkgs.writeScriptBin "reboot-all-vms" '' + hostNames=(${hostNames}) + for hostName in ''${hostNames[@]}; do + units=$(${pkgs.openssh}/bin/ssh root@$hostName systemctl list-units --all) + microvmUnits=$(${pkgs.coreutils}/bin/echo "$units" | ${pkgs.gnugrep}/bin/grep 'microvm@.*\.service' | ${pkgs.gawkInteractive}/bin/awk '{print $1}') + if [ -n "$microvmUnits" ]; then + for microvmUnit in "$microvmUnits"; do + ${pkgs.coreutils}/bin/echo "Restarting $microvmUnit on $hostName" + ${pkgs.openssh}/bin/ssh root@$hostName systemctl restart "$microvmUnit" + done + fi + done + ''; + in + { + type = "app"; + program = "${reboot-all-vms}/bin/reboot-all-vms"; + }; + + reboot-vm = + let + reboot-vm = pkgs.writeScriptBin "reboot-vm" '' + if [ -z "$1" ]; then + ${pkgs.coreutils}/bin/echo "Please provide a VM name!" + exit 1 + fi + + hostNames=(${hostNames}) + unitName="microvm@$1.service" + for hostName in ''${hostNames[@]}; do + units=$(${pkgs.openssh}/bin/ssh root@$hostName systemctl list-units --all) + if [[ "''${units[@]}" =~ "$unitName" ]]; then + ${pkgs.coreutils}/bin/echo "Restarting $unitName on $hostName" + ${pkgs.openssh}/bin/ssh root@$hostName systemctl restart "$unitName" + fi + done + ''; + in + { + type = "app"; + program = "${reboot-vm}/bin/reboot-vm"; + }; + }; }; } From 472175c5a30477795a20a88b9e3567cf96ba1182 Mon Sep 17 00:00:00 2001 
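Review bot: `for microvmUnit in "$microvmUnits"; do` in reboot-all-vms quotes the loop word, so a host running more than one microvm unit gets a single iteration whose value is the whole newline-joined list, and `systemctl restart "$microvmUnit"` is then handed a unit name containing newlines; drop the quotes, `for microvmUnit in $microvmUnits; do`, or read the list with `readarray -t`. Both scripts rely on bash features (arrays, `[[ =~ ]]`) but are built with `pkgs.writeScriptBin`, which writes the text verbatim with no interpreter line; `pkgs.writeShellScriptBin` adds the bash shebang, or add `#!${pkgs.bash}/bin/bash` as the first line of each script. `$hostName` and `$1` are interpolated unquoted into the ssh command lines, and ssh re-joins its arguments into a remote shell command, so quoting them (`"microvm@$1.service"` is already quoted, `root@"$hostName"` is not) keeps a name with shell metacharacters from being re-split on the remote side. The enclosing `outputs` attrset begins outside the hunk.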
From: Pim Kunis Date: Sun, 28 Jan 2024 11:48:13 +0100 Subject: [PATCH 05/10] integrate VM definitions --- flake.nix | 72 +------- nixos/default.nix | 250 +++++++++++++++------------ nixos/machines/default.nix | 54 +++--- nixos/modules/networking/default.nix | 13 +- nixos/modules/storage.nix | 4 +- nixos/vm.nix | 119 +++++++++++++ 6 files changed, 296 insertions(+), 216 deletions(-) create mode 100644 nixos/vm.nix diff --git a/flake.nix b/flake.nix index f7ef537..61bb6b3 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,7 @@ lib = pkgs.lib; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; machines = import ./nixos/machines; + physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; # TODO: Maybe use mergeAttrLists mkNixosSystems = systemDef: nixpkgs.lib.foldlAttrs @@ -47,12 +48,12 @@ "${name}" = nixpkgs.lib.nixosSystem (systemDef machine); }) { } - machines; + physicalMachines; mkDeployNodes = nodeDef: nixpkgs.lib.foldlAttrs (acc: name: machine: acc // { "${name}" = nodeDef machine; }) { } - machines; + physicalMachines; in { devShells.${system}.default = pkgs.mkShell { @@ -76,15 +77,8 @@ nixosConfigurations = mkNixosSystems (machine: { inherit system; - specialArgs = { inherit kubenix dns; }; - modules = [ - microvm.nixosModules.host - machine.nixosModule - disko.nixosModules.disko - agenix.nixosModules.default - ./nixos - { networking.hostName = machine.name; } - ]; + specialArgs = { inherit machines machine kubenix dns microvm disko agenix; }; + modules = [ ./nixos ]; }); deploy = { @@ -92,10 +86,11 @@ user = "root"; nodes = mkDeployNodes (machine: { - hostname = machine.hostName; + # TODO: simply get this from nixos configuration? + hostname = "${machine.hostName}.${machine.domain}"; profiles.system = { path = deploy-rs.lib.${system}.activate.nixos - self.nixosConfigurations.${machine.name}; + self.nixosConfigurations.${machine.hostName}; }; }); }; 
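Review bot: The deploy node lookup `self.nixosConfigurations.${machine.hostName}` in the `@@ -92,10 +86,11 @@` hunk only works because every attribute key of `physicalMachines` happens to equal that machine's `hostName`, since `mkNixosSystems` in the `@@ -47,12 +48,12 @@` hunk still keys its result by the attrset name rather than by `machine.hostName`. The two agree today (`jefke`, `atlas`, `lewis`), but a renamed key would fail at evaluation with a missing-attribute error; keying both sides by the same value removes the coupling, `"${machine.hostName}" = nixpkgs.lib.nixosSystem (systemDef machine);`. The TODO above `hostname = "${machine.hostName}.${machine.domain}";` is right that this duplicates what the NixOS configuration already computes; `self.nixosConfigurations.${machine.hostName}.config.networking.fqdn` would keep one source of truth. The `outputs` function that contains these hunks starts and ends outside them.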
@@ -103,56 +98,5 @@ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; - - apps.${system} = - let - hostNames = builtins.concatStringsSep " " (builtins.map (host: "\"${host.config.networking.fqdn}\"") (builtins.attrValues self.nixosConfigurations)); - in - { - reboot-all-vms = - let - reboot-all-vms = pkgs.writeScriptBin "reboot-all-vms" '' - hostNames=(${hostNames}) - for hostName in ''${hostNames[@]}; do - units=$(${pkgs.openssh}/bin/ssh root@$hostName systemctl list-units --all) - microvmUnits=$(${pkgs.coreutils}/bin/echo "$units" | ${pkgs.gnugrep}/bin/grep 'microvm@.*\.service' | ${pkgs.gawkInteractive}/bin/awk '{print $1}') - if [ -n "$microvmUnits" ]; then - for microvmUnit in "$microvmUnits"; do - ${pkgs.coreutils}/bin/echo "Restarting $microvmUnit on $hostName" - ${pkgs.openssh}/bin/ssh root@$hostName systemctl restart "$microvmUnit" - done - fi - done - ''; - in - { - type = "app"; - program = "${reboot-all-vms}/bin/reboot-all-vms"; - }; - - reboot-vm = - let - reboot-vm = pkgs.writeScriptBin "reboot-vm" '' - if [ -z "$1" ]; then - ${pkgs.coreutils}/bin/echo "Please provide a VM name!" - exit 1 - fi - - hostNames=(${hostNames}) - unitName="microvm@$1.service" - for hostName in ''${hostNames[@]}; do - units=$(${pkgs.openssh}/bin/ssh root@$hostName systemctl list-units --all) - if [[ "''${units[@]}" =~ "$unitName" ]]; then - ${pkgs.coreutils}/bin/echo "Restarting $unitName on $hostName" - ${pkgs.openssh}/bin/ssh root@$hostName systemctl restart "$unitName" - fi - done - ''; - in - { - type = "app"; - program = "${reboot-vm}/bin/reboot-vm"; - }; - }; }; } diff --git a/nixos/default.nix b/nixos/default.nix index 15a8f26..1cef138 100644 --- a/nixos/default.nix +++ b/nixos/default.nix 
@@ -1,142 +1,168 @@ -{ pkgs, config, lib, modulesPath, ... }: { +{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ./modules ./lab.nix + machine.nixosModule + disko.nixosModules.disko + agenix.nixosModules.default + microvm.nixosModules.host ]; - boot = { - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; + config = { + boot = { + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; - initrd = { - availableKernelModules = [ - "ahci" - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - kernelModules = [ ]; - }; + initrd = { + availableKernelModules = [ + "ahci" + "xhci_pci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + kernelModules = [ ]; + }; - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - time.timeZone = "Europe/Amsterdam"; - - i18n = { - defaultLocale = "en_US.UTF-8"; - - extraLocaleSettings = { - LC_ADDRESS = "nl_NL.UTF-8"; - LC_IDENTIFICATION = "nl_NL.UTF-8"; - LC_MEASUREMENT = "nl_NL.UTF-8"; - LC_MONETARY = "nl_NL.UTF-8"; - LC_NAME = "nl_NL.UTF-8"; - LC_NUMERIC = "nl_NL.UTF-8"; - LC_PAPER = "nl_NL.UTF-8"; - LC_TELEPHONE = "nl_NL.UTF-8"; - LC_TIME = "nl_NL.UTF-8"; - }; - }; - - services = { - openssh = { - enable = true; - openFirewall = true; - - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; }; - xserver = { - layout = "us"; - xkbVariant = ""; + time.timeZone = "Europe/Amsterdam"; + + i18n = { + defaultLocale = "en_US.UTF-8"; + + extraLocaleSettings = { + LC_ADDRESS = "nl_NL.UTF-8"; + LC_IDENTIFICATION = "nl_NL.UTF-8"; + LC_MEASUREMENT = "nl_NL.UTF-8"; + LC_MONETARY = "nl_NL.UTF-8"; + LC_NAME = "nl_NL.UTF-8"; + LC_NUMERIC = "nl_NL.UTF-8"; + LC_PAPER = "nl_NL.UTF-8"; + LC_TELEPHONE = "nl_NL.UTF-8"; + LC_TIME = "nl_NL.UTF-8"; + }; 
}; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - ]; + services = { + openssh = { + enable = true; + openFirewall = true; - programs = { - ssh = { - knownHosts = { - dmz = { - hostNames = [ "*.dmz" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; - certAuthority = true; - }; - - hypervisors = { - hostNames = [ "*.hyp" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; - certAuthority = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; }; }; + xserver = { + layout = "us"; + xkbVariant = ""; + }; }; - neovim = { - enable = true; - vimAlias = true; - viAlias = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" + ]; + + programs = { + ssh = { + knownHosts = { + dmz = { + hostNames = [ "*.dmz" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; + certAuthority = true; + }; + + hypervisors = { + hostNames = [ "*.hyp" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; + certAuthority = true; + }; + }; + + }; + + neovim = { + enable = true; + vimAlias = true; + viAlias = true; + }; }; - }; - nixpkgs = { - config.allowUnfree = true; - hostPlatform = "x86_64-linux"; - }; + nixpkgs = { + config.allowUnfree = true; + hostPlatform = "x86_64-linux"; + }; - environment.systemPackages = with pkgs; [ - neofetch - wget - git - btop - htop - ripgrep - dig - tree - file - tcpdump - lsof - parted - radvd - ]; + 
environment.systemPackages = with pkgs; [ + neofetch + wget + git + btop + htop + ripgrep + dig + tree + file + tcpdump + lsof + parted + radvd + ]; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware; - age.identityPaths = [ "/etc/age_ed25519" ]; + age.identityPaths = [ "/etc/age_ed25519" ]; - virtualisation.libvirtd.enable = true; + virtualisation.libvirtd.enable = true; - nix = { - package = pkgs.nixFlakes; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; - system = { - stateVersion = "23.05"; + system = { + stateVersion = "23.05"; - activationScripts.diff = '' - if [[ -e /run/current-system ]]; then - ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig" - fi - ''; + activationScripts.diff = '' + if [[ -e /run/current-system ]]; then + ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig" + fi + ''; + }; + + microvm.vms = + let + vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines); + in + lib.attrsets.mergeAttrsList (map + (vm: + { + "${vm.hostName}" = { + # TODO Simplify? + specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; }; + config = { + imports = [ + ./vm.nix + ]; + }; + }; + } + ) + vmsForHypervisor + ); }; } diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix index 558d110..40c30e4 100644 --- a/nixos/machines/default.nix +++ b/nixos/machines/default.nix @@ -1,7 +1,9 @@ { jefke = { - name = "jefke"; - hostName = "jefke.hyp"; + # TODO: directly set and read this from nixos config. + hostName = "jefke"; + domain = "hyp"; + type = "physical"; nixosModule.lab = { terraformDatabase.enable = true; 
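Review bot: `hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;` near the end of the hunk drops the `lib.mkDefault` the old line had, so a machine module that sets the same boolean would now produce a conflicting-definition error instead of overriding the default; restore it as `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`. The same line is carried over unchanged into nix/physical.nix in the later 'create shared nixos config' commit, which inherits the regression. Separately, the new `microvm.vms` block passes `pkgs` and `lib` through `specialArgs`; special arguments take precedence over the module system's own `pkgs`, so the guest would likely evaluate against the hypervisor's package set and any `nixpkgs.*` setting inside the VM config would be silently ignored — passing only `agenix disko microvm` plus `machine` seems safer, and this too is repeated in physical.nix. `hypervisorConfig` is only read for `system.stateVersion` in vm.nix, so passing that one string rather than the whole host configuration would also make the guest's inputs explicit.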
@@ -20,8 +22,9 @@ }; atlas = { - name = "atlas"; - hostName = "atlas.hyp"; + hostName = "atlas"; + domain = "hyp"; + type = "physical"; nixosModule = { config, ... }: let inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6; in @@ -49,8 +52,9 @@ }; lewis = { - name = "lewis"; - hostName = "lewis.hyp"; + hostName = "lewis"; + domain = "hyp"; + type = "physical"; nixosModule = { pkgs, ... }: { lab = { @@ -67,35 +71,21 @@ userCert = builtins.readFile ./lewis_user_ed25519-cert.pub; }; }; + }; + }; - microvm.vms.my-microvm.config = { - services.openssh.enable = true; - networking.firewall.enable = false; + my-microvm = { + hostName = "my-microvm"; + domain = "dmz"; + type = "virtual"; + hypervisorName = "lewis"; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - ]; + nixosModule = { pkgs, config, ... }: { + programs.bash.interactiveShellInit = '' + echo "Hello world from inside a virtual machine!" | ${pkgs.lolcat}/bin/lolcat + ''; - programs.bash.interactiveShellInit = '' - echo "Hello world from inside a virtual machine!" | ${pkgs.lolcat}/bin/lolcat - ''; - - microvm = { - shares = [{ - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - }]; - - interfaces = [{ - type = "tap"; - id = "vm-my-microvm"; - mac = "48:2D:63:E1:C5:39"; - }]; - }; - }; + lab.vmMacAddress = "BA:DB:EE:F0:00:00"; }; }; } diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix index de60475..0a0e640 100644 --- a/nixos/modules/networking/default.nix +++ b/nixos/modules/networking/default.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, machine, ... }: let cfg = config.lab.networking; in { imports = [ ./dmz ]; 
@@ -89,17 +89,18 @@ in { config = { networking = { - domain = "hyp"; + hostName = machine.hostName; + domain = machine.domain; + nftables.enable = true; + useDHCP = machine.type == "virtual"; + firewall = { enable = true; checkReversePath = false; }; - - nftables.enable = true; - useDHCP = false; }; - systemd.network = { + systemd.network = lib.mkIf (machine.type == "physical") { enable = true; netdevs = { diff --git a/nixos/modules/storage.nix b/nixos/modules/storage.nix index f01b665..3ad1b78 100644 --- a/nixos/modules/storage.nix +++ b/nixos/modules/storage.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, machine, ... }: let cfg = config.lab.storage; in { options.lab.storage = { @@ -25,7 +25,7 @@ in { }; }; - config = { + config = lib.mkIf (machine.type == "physical") { fileSystems.${cfg.dataMountPoint}.device = cfg.dataPartition; # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. diff --git a/nixos/vm.nix b/nixos/vm.nix new file mode 100644 index 0000000..7887b26 --- /dev/null +++ b/nixos/vm.nix 
@@ -0,0 +1,119 @@ +{ pkgs, lib, config, agenix, disko, machine, hypervisorConfig, ... }: { + imports = [ + ./modules + ./lab.nix + machine.nixosModule + disko.nixosModules.disko + agenix.nixosModules.default + ]; + + options.lab.vmMacAddress = lib.mkOption { + type = lib.types.str; + description = '' + The MAC address of the VM's main NIC. + ''; + }; + + # TODO: remove overlap with physical nixos module + # Perhaps a sane defaults module? + config = { + system.stateVersion = hypervisorConfig.system.stateVersion; + time.timeZone = "Europe/Amsterdam"; + + i18n = { + defaultLocale = "en_US.UTF-8"; + + extraLocaleSettings = { + LC_ADDRESS = "nl_NL.UTF-8"; + LC_IDENTIFICATION = "nl_NL.UTF-8"; + LC_MEASUREMENT = "nl_NL.UTF-8"; + LC_MONETARY = "nl_NL.UTF-8"; + LC_NAME = "nl_NL.UTF-8"; + LC_NUMERIC = "nl_NL.UTF-8"; + LC_PAPER = "nl_NL.UTF-8"; + LC_TELEPHONE = "nl_NL.UTF-8"; + LC_TIME = "nl_NL.UTF-8"; + }; + }; + + services = { + openssh = { + enable = true; + openFirewall = true; + + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + }; + + xserver = { + layout = "us"; + xkbVariant = ""; + }; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" + ]; + + programs = { + ssh = { + knownHosts = { + dmz = { + hostNames = [ "*.dmz" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; + certAuthority = true; + }; + + hypervisors = { + hostNames = [ "*.hyp" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; + certAuthority = true; + }; + }; + + }; + + neovim = { + enable = true; + vimAlias = true; + viAlias = true; + }; + }; + + environment.systemPackages = with pkgs; [ + neofetch + wget + git + btop + htop + ripgrep + dig + tree 
+ file + tcpdump + lsof + parted + radvd + ]; + + microvm = { + shares = [{ + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + }]; + + interfaces = [{ + type = "tap"; + id = "vm-${machine.hostName}"; + mac = config.lab.vmMacAddress; + }]; + }; + }; +} From 32154e71632faa750bb8a76b91c50553632777b8 Mon Sep 17 00:00:00 2001 
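Review bot: `options.lab.vmMacAddress` is typed `lib.types.str`, so a typo in a machine's `lab.vmMacAddress` only surfaces when the tap interface is created on the hypervisor; `lib.types.strMatching "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"` would reject it at evaluation time instead. It may also be worth stating in the option description that the address should be locally administered (second-lowest bit of the first octet set, as the `BA:DB:EE:F0:00:00` value used for my-microvm is) so it cannot collide with a vendor-assigned NIC on the DMZ bridge — hedged, since the bridge's other members are not visible here. The rest of the file repeats the SSH, locale and package settings from nixos/default.nix, which the TODO at the top of the hunk already flags.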
From: Pim Kunis Date: Sun, 28 Jan 2024 12:06:30 +0100 Subject: [PATCH 06/10] create shared nixos config between physical and VM rename nixos -> nix --- flake.nix | 4 +- {nixos => nix}/lab.nix | 0 .../machines/atlas_host_ed25519-cert.pub | 0 .../machines/atlas_user_ed25519-cert.pub | 0 {nixos => nix}/machines/default.nix | 1 + .../machines/jefke_host_ed25519-cert.pub | 0 .../machines/jefke_user_ed25519-cert.pub | 0 .../machines/lewis_host_ed25519-cert.pub | 0 .../machines/lewis_user_ed25519-cert.pub | 0 {nixos => nix}/modules/backups.nix | 0 {nixos => nix}/modules/data-sharing.nix | 0 {nixos => nix}/modules/default.nix | 0 {nixos => nix}/modules/k3s/bootstrap.nix | 0 {nixos => nix}/modules/k3s/default.nix | 0 {nixos => nix}/modules/networking/default.nix | 0 .../modules/networking/dmz/default.nix | 0 .../modules/networking/dmz/dnsmasq.nix | 0 .../networking/dmz/zones/geokunis2.nl.nix | 0 .../modules/networking/dmz/zones/kun.is.nix | 0 {nixos => nix}/modules/ssh-certificates.nix | 0 {nixos => nix}/modules/storage.nix | 0 .../modules/terraform-database/default.nix | 0 .../terraform-database/postgresql_server.crt | 0 nix/physical.nix | 81 +++++++++ {nixos => nix}/secrets/README.md | 0 {nixos => nix}/secrets/atlas_host_ed25519.age | Bin {nixos => nix}/secrets/atlas_user_ed25519.age | Bin {nixos => nix}/secrets/borg_passphrase.age | 0 .../secrets/database_passwords.env.age | 0 .../secrets/ec2_borg_server.pem.age | Bin {nixos => nix}/secrets/jefke_host_ed25519.age | Bin {nixos => nix}/secrets/jefke_user_ed25519.age | Bin {nixos => nix}/secrets/lewis_host_ed25519.age | Bin {nixos => nix}/secrets/lewis_user_ed25519.age | Bin .../secrets/postgresql_server.key.age | Bin {nixos => nix}/secrets/secrets.nix | 0 nixos/vm.nix => nix/shared.nix | 27 +-- nix/virtual.nix | 29 +++ nixos/default.nix | 168 ------------------ 39 files changed, 114 insertions(+), 196 deletions(-) rename {nixos => nix}/lab.nix (100%) rename {nixos => nix}/machines/atlas_host_ed25519-cert.pub (100%) rename 
{nixos => nix}/machines/atlas_user_ed25519-cert.pub (100%) rename {nixos => nix}/machines/default.nix (98%) rename {nixos => nix}/machines/jefke_host_ed25519-cert.pub (100%) rename {nixos => nix}/machines/jefke_user_ed25519-cert.pub (100%) rename {nixos => nix}/machines/lewis_host_ed25519-cert.pub (100%) rename {nixos => nix}/machines/lewis_user_ed25519-cert.pub (100%) rename {nixos => nix}/modules/backups.nix (100%) rename {nixos => nix}/modules/data-sharing.nix (100%) rename {nixos => nix}/modules/default.nix (100%) rename {nixos => nix}/modules/k3s/bootstrap.nix (100%) rename {nixos => nix}/modules/k3s/default.nix (100%) rename {nixos => nix}/modules/networking/default.nix (100%) rename {nixos => nix}/modules/networking/dmz/default.nix (100%) rename {nixos => nix}/modules/networking/dmz/dnsmasq.nix (100%) rename {nixos => nix}/modules/networking/dmz/zones/geokunis2.nl.nix (100%) rename {nixos => nix}/modules/networking/dmz/zones/kun.is.nix (100%) rename {nixos => nix}/modules/ssh-certificates.nix (100%) rename {nixos => nix}/modules/storage.nix (100%) rename {nixos => nix}/modules/terraform-database/default.nix (100%) rename {nixos => nix}/modules/terraform-database/postgresql_server.crt (100%) create mode 100644 nix/physical.nix rename {nixos => nix}/secrets/README.md (100%) rename {nixos => nix}/secrets/atlas_host_ed25519.age (100%) rename {nixos => nix}/secrets/atlas_user_ed25519.age (100%) rename {nixos => nix}/secrets/borg_passphrase.age (100%) rename {nixos => nix}/secrets/database_passwords.env.age (100%) rename {nixos => nix}/secrets/ec2_borg_server.pem.age (100%) rename {nixos => nix}/secrets/jefke_host_ed25519.age (100%) rename {nixos => nix}/secrets/jefke_user_ed25519.age (100%) rename {nixos => nix}/secrets/lewis_host_ed25519.age (100%) rename {nixos => nix}/secrets/lewis_user_ed25519.age (100%) rename {nixos => nix}/secrets/postgresql_server.key.age (100%) rename {nixos => nix}/secrets/secrets.nix (100%) rename nixos/vm.nix => nix/shared.nix (75%) 
create mode 100644 nix/virtual.nix delete mode 100644 nixos/default.nix diff --git a/flake.nix b/flake.nix index 61bb6b3..be3e5bd 100644 --- a/flake.nix +++ b/flake.nix @@ -38,7 +38,7 @@ pkgs = nixpkgs.legacyPackages.${system}; lib = pkgs.lib; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; - machines = import ./nixos/machines; + machines = import ./nix/machines; physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; # TODO: Maybe use mergeAttrLists mkNixosSystems = systemDef: @@ -78,7 +78,7 @@ nixosConfigurations = mkNixosSystems (machine: { inherit system; specialArgs = { inherit machines machine kubenix dns microvm disko agenix; }; - modules = [ ./nixos ]; + modules = [ ./nix/physical.nix ]; }); deploy = { diff --git a/nixos/lab.nix b/nix/lab.nix similarity index 100% rename from nixos/lab.nix rename to nix/lab.nix diff --git a/nixos/machines/atlas_host_ed25519-cert.pub b/nix/machines/atlas_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/atlas_host_ed25519-cert.pub rename to nix/machines/atlas_host_ed25519-cert.pub diff --git a/nixos/machines/atlas_user_ed25519-cert.pub b/nix/machines/atlas_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/atlas_user_ed25519-cert.pub rename to nix/machines/atlas_user_ed25519-cert.pub diff --git a/nixos/machines/default.nix b/nix/machines/default.nix similarity index 98% rename from nixos/machines/default.nix rename to nix/machines/default.nix index 40c30e4..c64dd60 100644 --- a/nixos/machines/default.nix +++ b/nix/machines/default.nix @@ -15,6 +15,7 @@ ssh = { useCertificates = true; + # TODO: automatically set this? hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; }; 
diff --git a/nixos/machines/jefke_host_ed25519-cert.pub b/nix/machines/jefke_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/jefke_host_ed25519-cert.pub rename to nix/machines/jefke_host_ed25519-cert.pub diff --git a/nixos/machines/jefke_user_ed25519-cert.pub b/nix/machines/jefke_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/jefke_user_ed25519-cert.pub rename to nix/machines/jefke_user_ed25519-cert.pub diff --git a/nixos/machines/lewis_host_ed25519-cert.pub b/nix/machines/lewis_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/lewis_host_ed25519-cert.pub rename to nix/machines/lewis_host_ed25519-cert.pub diff --git a/nixos/machines/lewis_user_ed25519-cert.pub b/nix/machines/lewis_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/lewis_user_ed25519-cert.pub rename to nix/machines/lewis_user_ed25519-cert.pub diff --git a/nixos/modules/backups.nix b/nix/modules/backups.nix similarity index 100% rename from nixos/modules/backups.nix rename to nix/modules/backups.nix diff --git a/nixos/modules/data-sharing.nix b/nix/modules/data-sharing.nix similarity index 100% rename from nixos/modules/data-sharing.nix rename to nix/modules/data-sharing.nix diff --git a/nixos/modules/default.nix b/nix/modules/default.nix similarity index 100% rename from nixos/modules/default.nix rename to nix/modules/default.nix diff --git a/nixos/modules/k3s/bootstrap.nix b/nix/modules/k3s/bootstrap.nix similarity index 100% rename from nixos/modules/k3s/bootstrap.nix rename to nix/modules/k3s/bootstrap.nix diff --git a/nixos/modules/k3s/default.nix b/nix/modules/k3s/default.nix similarity index 100% rename from nixos/modules/k3s/default.nix rename to nix/modules/k3s/default.nix diff --git a/nixos/modules/networking/default.nix b/nix/modules/networking/default.nix similarity index 100% rename from nixos/modules/networking/default.nix rename to nix/modules/networking/default.nix 
diff --git a/nixos/modules/networking/dmz/default.nix b/nix/modules/networking/dmz/default.nix similarity index 100% rename from nixos/modules/networking/dmz/default.nix rename to nix/modules/networking/dmz/default.nix diff --git a/nixos/modules/networking/dmz/dnsmasq.nix b/nix/modules/networking/dmz/dnsmasq.nix similarity index 100% rename from nixos/modules/networking/dmz/dnsmasq.nix rename to nix/modules/networking/dmz/dnsmasq.nix diff --git a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix b/nix/modules/networking/dmz/zones/geokunis2.nl.nix similarity index 100% rename from nixos/modules/networking/dmz/zones/geokunis2.nl.nix rename to nix/modules/networking/dmz/zones/geokunis2.nl.nix diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nix/modules/networking/dmz/zones/kun.is.nix similarity index 100% rename from nixos/modules/networking/dmz/zones/kun.is.nix rename to nix/modules/networking/dmz/zones/kun.is.nix diff --git a/nixos/modules/ssh-certificates.nix b/nix/modules/ssh-certificates.nix similarity index 100% rename from nixos/modules/ssh-certificates.nix rename to nix/modules/ssh-certificates.nix diff --git a/nixos/modules/storage.nix b/nix/modules/storage.nix similarity index 100% rename from nixos/modules/storage.nix rename to nix/modules/storage.nix diff --git a/nixos/modules/terraform-database/default.nix b/nix/modules/terraform-database/default.nix similarity index 100% rename from nixos/modules/terraform-database/default.nix rename to nix/modules/terraform-database/default.nix diff --git a/nixos/modules/terraform-database/postgresql_server.crt b/nix/modules/terraform-database/postgresql_server.crt similarity index 100% rename from nixos/modules/terraform-database/postgresql_server.crt rename to nix/modules/terraform-database/postgresql_server.crt diff --git a/nix/physical.nix b/nix/physical.nix new file mode 100644 index 0000000..aac1776 --- /dev/null +++ b/nix/physical.nix 
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ microvm.nixosModules.host
+ ./shared.nix
+ ];
+
+ config = {
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ ];
+ kernelModules = [ ];
+ };
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ nixpkgs = {
+ config.allowUnfree = true;
+ hostPlatform = "x86_64-linux";
+ };
+
+ hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ age.identityPaths = [ "/etc/age_ed25519" ];
+
+ virtualisation.libvirtd.enable = true;
+
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ system = {
+ stateVersion = "23.05";
+
+ activationScripts.diff = ''
+ if [[ -e /run/current-system ]]; then
+ ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
+ fi
+ '';
+ };
+
+ microvm.vms =
+ let
+ vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
+ in
+ lib.attrsets.mergeAttrsList (map
+ (vm:
+ {
+ "${vm.hostName}" = {
+ # TODO Simplify?
+ specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
+ config = {
+ imports = [
+ ./virtual.nix
+ ];
+ };
+ };
+ }
+ )
+ vmsForHypervisor
+ );
+ };
+}
diff --git a/nixos/secrets/README.md b/nix/secrets/README.md
similarity index 100%
rename from nixos/secrets/README.md
rename to nix/secrets/README.md
diff --git a/nixos/secrets/atlas_host_ed25519.age b/nix/secrets/atlas_host_ed25519.age
similarity index 100%
rename from nixos/secrets/atlas_host_ed25519.age
rename to nix/secrets/atlas_host_ed25519.age
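Review bot: The `specialArgs` set handed to each guest under `microvm.vms` includes the hypervisor's `pkgs` and `lib`; specialArgs take precedence over `_module.args`, so any `nixpkgs.*` setting a guest makes (overlays, `config.allowUnfree`, a different `hostPlatform`) is silently ignored in favour of the host's package set. Every NixOS evaluation supplies `pkgs` and `lib` itself, so the `# TODO Simplify?` can be resolved by passing only what the guest cannot obtain on its own: `specialArgs = { inherit agenix disko microvm; machine = vm; hypervisorConfig = config; };`. Separately, `virtualisation.libvirtd.enable = true;` runs a second VM stack with its own privileged daemon on every physical host next to the microvm host module, and nothing else in this file uses it; if only one machine needs it, that machine's `nixosModule` is the place for it.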
diff --git a/nixos/secrets/atlas_user_ed25519.age b/nix/secrets/atlas_user_ed25519.age
similarity index 100%
rename from nixos/secrets/atlas_user_ed25519.age
rename to nix/secrets/atlas_user_ed25519.age
diff --git a/nixos/secrets/borg_passphrase.age b/nix/secrets/borg_passphrase.age
similarity index 100%
rename from nixos/secrets/borg_passphrase.age
rename to nix/secrets/borg_passphrase.age
diff --git a/nixos/secrets/database_passwords.env.age b/nix/secrets/database_passwords.env.age
similarity index 100%
rename from nixos/secrets/database_passwords.env.age
rename to nix/secrets/database_passwords.env.age
diff --git a/nixos/secrets/ec2_borg_server.pem.age b/nix/secrets/ec2_borg_server.pem.age
similarity index 100%
rename from nixos/secrets/ec2_borg_server.pem.age
rename to nix/secrets/ec2_borg_server.pem.age
diff --git a/nixos/secrets/jefke_host_ed25519.age b/nix/secrets/jefke_host_ed25519.age
similarity index 100%
rename from nixos/secrets/jefke_host_ed25519.age
rename to nix/secrets/jefke_host_ed25519.age
diff --git a/nixos/secrets/jefke_user_ed25519.age b/nix/secrets/jefke_user_ed25519.age
similarity index 100%
rename from nixos/secrets/jefke_user_ed25519.age
rename to nix/secrets/jefke_user_ed25519.age
diff --git a/nixos/secrets/lewis_host_ed25519.age b/nix/secrets/lewis_host_ed25519.age
similarity index 100%
rename from nixos/secrets/lewis_host_ed25519.age
rename to nix/secrets/lewis_host_ed25519.age
diff --git a/nixos/secrets/lewis_user_ed25519.age b/nix/secrets/lewis_user_ed25519.age
similarity index 100%
rename from nixos/secrets/lewis_user_ed25519.age
rename to nix/secrets/lewis_user_ed25519.age
diff --git a/nixos/secrets/postgresql_server.key.age b/nix/secrets/postgresql_server.key.age
similarity index 100%
rename from nixos/secrets/postgresql_server.key.age
rename to nix/secrets/postgresql_server.key.age
diff --git a/nixos/secrets/secrets.nix b/nix/secrets/secrets.nix
similarity index 100%
rename from nixos/secrets/secrets.nix
rename to nix/secrets/secrets.nix
diff --git a/nixos/vm.nix b/nix/shared.nix
similarity index 75%
rename from nixos/vm.nix
rename to nix/shared.nix
index 7887b26..890f3c9 100644
--- a/nixos/vm.nix
+++ b/nix/shared.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, agenix, disko, machine, hypervisorConfig, ... }: {
+{ pkgs, machine, disko, agenix, ... }: {
 imports = [
 ./modules
 ./lab.nix
@@ -7,17 +7,7 @@
 agenix.nixosModules.default
 ];
-
- options.lab.vmMacAddress = lib.mkOption {
- type = lib.types.str;
- description = ''
- The MAC address of the VM's main NIC.
- '';
- };
-
- # TODO: remove overlap with physical nixos module
- # Perhaps a sane defaults module?
 config = {
- system.stateVersion = hypervisorConfig.system.stateVersion;
 time.timeZone = "Europe/Amsterdam";
 i18n = {
@@ -100,20 +90,5 @@
 parted
 radvd
 ];
-
- microvm = {
- shares = [{
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- tag = "ro-store";
- proto = "virtiofs";
- }];
-
- interfaces = [{
- type = "tap";
- id = "vm-${machine.hostName}";
- mac = config.lab.vmMacAddress;
- }];
- };
 };
}
diff --git a/nix/virtual.nix b/nix/virtual.nix
new file mode 100644
index 0000000..b1203dc
--- /dev/null
+++ b/nix/virtual.nix
@@ -0,0 +1,29 @@
+{ lib, config, machine, hypervisorConfig, ... }: {
+ imports = [ ./shared.nix ];
+
+ options.lab.vmMacAddress = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The MAC address of the VM's main NIC.
+ '';
+ };
+
+ config = {
+ system.stateVersion = hypervisorConfig.system.stateVersion;
+
+ microvm = {
+ shares = [{
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "ro-store";
+ proto = "virtiofs";
+ }];
+
+ interfaces = [{
+ type = "tap";
+ id = "vm-${machine.hostName}";
+ mac = config.lab.vmMacAddress;
+ }];
+ };
+ };
+}
diff --git a/nixos/default.nix b/nixos/default.nix
deleted file mode 100644
index 1cef138..0000000
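Review bot: In the new nix/virtual.nix, `lab.vmMacAddress` is typed `lib.types.str`, so a malformed or multicast address is only rejected when the host creates the tap device at VM start; `type = lib.types.strMatching "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$";` rejects it at evaluation, and the description should state that the value must be a locally administered unicast address (second hex digit 2, 6, A or E) so it cannot collide with a vendor-assigned NIC. Nothing checks that two VMs on one hypervisor use distinct addresses either. `system.stateVersion = hypervisorConfig.system.stateVersion;` ties each guest's stateful defaults to the host's value, so bumping the host's `stateVersion` silently changes every guest's, which is the opposite of what that option exists for; a guest should carry its own literal, e.g. `system.stateVersion = "23.05";`.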
--- a/nixos/default.nix
+++ /dev/null
@@ -1,168 +0,0 @@
-{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ./modules
- ./lab.nix
- machine.nixosModule
- disko.nixosModules.disko
- agenix.nixosModules.default
- microvm.nixosModules.host
- ];
-
- config = {
- boot = {
- kernelModules = [ "kvm-intel" ];
- extraModulePackages = [ ];
-
- initrd = {
- availableKernelModules = [
- "ahci"
- "xhci_pci"
- "nvme"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "sdhci_pci"
- ];
- kernelModules = [ ];
- };
-
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- };
-
- time.timeZone = "Europe/Amsterdam";
-
- i18n = {
- defaultLocale = "en_US.UTF-8";
-
- extraLocaleSettings = {
- LC_ADDRESS = "nl_NL.UTF-8";
- LC_IDENTIFICATION = "nl_NL.UTF-8";
- LC_MEASUREMENT = "nl_NL.UTF-8";
- LC_MONETARY = "nl_NL.UTF-8";
- LC_NAME = "nl_NL.UTF-8";
- LC_NUMERIC = "nl_NL.UTF-8";
- LC_PAPER = "nl_NL.UTF-8";
- LC_TELEPHONE = "nl_NL.UTF-8";
- LC_TIME = "nl_NL.UTF-8";
- };
- };
-
- services = {
- openssh = {
- enable = true;
- openFirewall = true;
-
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- };
- };
-
- xserver = {
- layout = "us";
- xkbVariant = "";
- };
- };
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
- ];
-
- programs = {
- ssh = {
- knownHosts = {
- dmz = {
- hostNames = [ "*.dmz" ];
- publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
- certAuthority = true;
- };
-
- hypervisors = {
- hostNames = [ "*.hyp" ];
- publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
- certAuthority = true;
- };
- };
-
- };
-
- neovim = {
- enable = true;
- vimAlias = true;
- viAlias = true;
- };
- };
-
- nixpkgs = {
- config.allowUnfree = true;
- hostPlatform = "x86_64-linux";
- };
-
- environment.systemPackages = with pkgs; [
- neofetch
- wget
- git
- btop
- htop
- ripgrep
- dig
- tree
- file
- tcpdump
- lsof
- parted
- radvd
- ];
-
- hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
-
- age.identityPaths = [ "/etc/age_ed25519" ];
-
- virtualisation.libvirtd.enable = true;
-
- nix = {
- package = pkgs.nixFlakes;
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
- };
-
- system = {
- stateVersion = "23.05";
-
- activationScripts.diff = ''
- if [[ -e /run/current-system ]]; then
- ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
- fi
- '';
- };
-
- microvm.vms =
- let
- vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
- in
- lib.attrsets.mergeAttrsList (map
- (vm:
- {
- "${vm.hostName}" = {
- # TODO Simplify?
- specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
- config = {
- imports = [
- ./vm.nix
- ];
- };
- };
- }
- )
- vmsForHypervisor
- );
- };
-}
From 371b851ca53393fcbaf74247a5269f0bd414c48e Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 28 Jan 2024 12:30:13 +0100
Subject: [PATCH 07/10] create shared entrypoint nixos config for physical and vm
---
 flake.nix | 4 ++--
 nix/shared.nix => nixos/default.nix | 6 ++++--
 {nix => nixos}/lab.nix | 0
 {nix => nixos}/machines/atlas_host_ed25519-cert.pub | 0
 {nix => nixos}/machines/atlas_user_ed25519-cert.pub | 0
 {nix => nixos}/machines/default.nix | 2 +-
 {nix => nixos}/machines/jefke_host_ed25519-cert.pub | 0
 {nix => nixos}/machines/jefke_user_ed25519-cert.pub | 0
 {nix => nixos}/machines/lewis_host_ed25519-cert.pub | 0
 {nix => nixos}/machines/lewis_user_ed25519-cert.pub | 0
 {nix => nixos}/modules/backups.nix | 0
 {nix => nixos}/modules/data-sharing.nix | 0
 {nix => nixos}/modules/default.nix | 0
 {nix => nixos}/modules/k3s/bootstrap.nix | 0
 {nix => nixos}/modules/k3s/default.nix | 0
 {nix => nixos}/modules/networking/default.nix | 0
 {nix => nixos}/modules/networking/dmz/default.nix | 0
 {nix => nixos}/modules/networking/dmz/dnsmasq.nix | 0
 .../modules/networking/dmz/zones/geokunis2.nl.nix | 0
 .../modules/networking/dmz/zones/kun.is.nix | 0
 {nix => nixos}/modules/ssh-certificates.nix | 0
 {nix => nixos}/modules/storage.nix | 0
 .../modules/terraform-database/default.nix | 0
 .../terraform-database/postgresql_server.crt | 0
 {nix => nixos}/physical.nix | 3 +-
 {nix => nixos}/secrets/README.md | 0
 {nix => nixos}/secrets/atlas_host_ed25519.age | Bin
 {nix => nixos}/secrets/atlas_user_ed25519.age | Bin
 {nix => nixos}/secrets/borg_passphrase.age | 0
 {nix => nixos}/secrets/database_passwords.env.age | 0
 {nix => nixos}/secrets/ec2_borg_server.pem.age | Bin
 {nix => nixos}/secrets/jefke_host_ed25519.age | Bin
 {nix => nixos}/secrets/jefke_user_ed25519.age | Bin
 {nix => nixos}/secrets/lewis_host_ed25519.age | Bin
 {nix => nixos}/secrets/lewis_user_ed25519.age | Bin
 {nix => nixos}/secrets/postgresql_server.key.age | Bin
 {nix => nixos}/secrets/secrets.nix | 0
 {nix => nixos}/virtual.nix | 2 --
 38 files changed, 8 insertions(+), 9 deletions(-)
 rename nix/shared.nix => nixos/default.nix (91%)
 rename {nix => nixos}/lab.nix (100%)
 rename {nix => nixos}/machines/atlas_host_ed25519-cert.pub (100%)
 rename {nix => nixos}/machines/atlas_user_ed25519-cert.pub (100%)
 rename {nix => nixos}/machines/default.nix (96%)
 rename {nix => nixos}/machines/jefke_host_ed25519-cert.pub (100%)
 rename {nix => nixos}/machines/jefke_user_ed25519-cert.pub (100%)
 rename {nix => nixos}/machines/lewis_host_ed25519-cert.pub (100%)
 rename {nix => nixos}/machines/lewis_user_ed25519-cert.pub (100%)
 rename {nix => nixos}/modules/backups.nix (100%)
 rename {nix => nixos}/modules/data-sharing.nix (100%)
 rename {nix => nixos}/modules/default.nix (100%)
 rename {nix => nixos}/modules/k3s/bootstrap.nix (100%)
 rename {nix => nixos}/modules/k3s/default.nix (100%)
 rename {nix => nixos}/modules/networking/default.nix (100%)
 rename {nix => nixos}/modules/networking/dmz/default.nix (100%)
 rename {nix => nixos}/modules/networking/dmz/dnsmasq.nix (100%)
 rename {nix => nixos}/modules/networking/dmz/zones/geokunis2.nl.nix (100%)
 rename {nix => nixos}/modules/networking/dmz/zones/kun.is.nix (100%)
 rename {nix => nixos}/modules/ssh-certificates.nix (100%)
 rename {nix => nixos}/modules/storage.nix (100%)
 rename {nix => nixos}/modules/terraform-database/default.nix (100%)
 rename {nix => nixos}/modules/terraform-database/postgresql_server.crt (100%)
 rename {nix => nixos}/physical.nix (97%)
 rename {nix => nixos}/secrets/README.md (100%)
 rename {nix => nixos}/secrets/atlas_host_ed25519.age (100%)
 rename {nix => nixos}/secrets/atlas_user_ed25519.age (100%)
 rename {nix => nixos}/secrets/borg_passphrase.age (100%)
 rename {nix => nixos}/secrets/database_passwords.env.age (100%)
 rename {nix => nixos}/secrets/ec2_borg_server.pem.age (100%)
 rename {nix => nixos}/secrets/jefke_host_ed25519.age (100%)
 rename {nix => nixos}/secrets/jefke_user_ed25519.age (100%)
 rename {nix => nixos}/secrets/lewis_host_ed25519.age (100%)
 rename {nix => nixos}/secrets/lewis_user_ed25519.age (100%)
 rename {nix => nixos}/secrets/postgresql_server.key.age (100%)
 rename {nix => nixos}/secrets/secrets.nix (100%)
 rename {nix => nixos}/virtual.nix (95%)
diff --git a/flake.nix b/flake.nix
index be3e5bd..61bb6b3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,7 +38,7 @@
 pkgs = nixpkgs.legacyPackages.${system};
 lib = pkgs.lib;
 pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
- machines = import ./nix/machines;
+ machines = import ./nixos/machines;
 physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
 # TODO: Maybe use mergeAttrLists
 mkNixosSystems = systemDef:
@@ -78,7 +78,7 @@
 nixosConfigurations = mkNixosSystems (machine: {
 inherit system;
 specialArgs = { inherit machines machine kubenix dns microvm disko agenix; };
- modules = [ ./nix/physical.nix ];
+ modules = [ ./nixos ];
 });
 deploy = {
diff --git a/nix/shared.nix b/nixos/default.nix
similarity index 91%
rename from nix/shared.nix
rename to nixos/default.nix
index 890f3c9..4b145e3 100644
--- a/nix/shared.nix
+++ b/nixos/default.nix
@@ -1,11 +1,13 @@
-{ pkgs, machine, disko, agenix, ... }: {
+{ pkgs, lib, machine, disko, agenix, ... }: {
 imports = [
 ./modules
 ./lab.nix
 machine.nixosModule
 disko.nixosModules.disko
 agenix.nixosModules.default
- ];
+ ]
+ ++ lib.lists.optional (machine.type == "physical") ./physical.nix
+ ++ lib.lists.optional (machine.type == "virtual") ./virtual.nix;
 config = {
 time.timeZone = "Europe/Amsterdam";
diff --git a/nix/lab.nix b/nixos/lab.nix
similarity index 100%
rename from nix/lab.nix
rename to nixos/lab.nix
diff --git a/nix/machines/atlas_host_ed25519-cert.pub b/nixos/machines/atlas_host_ed25519-cert.pub
similarity index 100%
rename from nix/machines/atlas_host_ed25519-cert.pub
rename to nixos/machines/atlas_host_ed25519-cert.pub
diff --git a/nix/machines/atlas_user_ed25519-cert.pub b/nixos/machines/atlas_user_ed25519-cert.pub
similarity index 100%
rename from nix/machines/atlas_user_ed25519-cert.pub
rename to nixos/machines/atlas_user_ed25519-cert.pub
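Review bot: The two `lib.lists.optional` lines added to nixos/default.nix turn `machine.type` into a silent switch: a value that is neither `"physical"` nor `"virtual"` (a typo in nixos/machines/default.nix) imports neither module and the system still evaluates, just without its boot loader, microvm or hypervisor settings. An attribute lookup fails at evaluation time and names the offending value: `] ++ [ { physical = ./physical.nix; virtual = ./virtual.nix; }.${machine.type} ];`. The same `type` string also drives `useDHCP` in nixos/modules/networking/default.nix, so one validation point here covers both uses.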
diff --git a/nix/machines/default.nix b/nixos/machines/default.nix
similarity index 96%
rename from nix/machines/default.nix
rename to nixos/machines/default.nix
index c64dd60..50cd21a 100644
--- a/nix/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -83,7 +83,7 @@
 nixosModule = { pkgs, config, ... }: {
 programs.bash.interactiveShellInit = ''
- echo "Hello world from inside a virtual machine!" | ${pkgs.lolcat}/bin/lolcat
+ echo "Hello world from inside a virtual machine!!" | ${pkgs.lolcat}/bin/lolcat
 '';
 lab.vmMacAddress = "BA:DB:EE:F0:00:00";
diff --git a/nix/machines/jefke_host_ed25519-cert.pub b/nixos/machines/jefke_host_ed25519-cert.pub
similarity index 100%
rename from nix/machines/jefke_host_ed25519-cert.pub
rename to nixos/machines/jefke_host_ed25519-cert.pub
diff --git a/nix/machines/jefke_user_ed25519-cert.pub b/nixos/machines/jefke_user_ed25519-cert.pub
similarity index 100%
rename from nix/machines/jefke_user_ed25519-cert.pub
rename to nixos/machines/jefke_user_ed25519-cert.pub
diff --git a/nix/machines/lewis_host_ed25519-cert.pub b/nixos/machines/lewis_host_ed25519-cert.pub
similarity index 100%
rename from nix/machines/lewis_host_ed25519-cert.pub
rename to nixos/machines/lewis_host_ed25519-cert.pub
diff --git a/nix/machines/lewis_user_ed25519-cert.pub b/nixos/machines/lewis_user_ed25519-cert.pub
similarity index 100%
rename from nix/machines/lewis_user_ed25519-cert.pub
rename to nixos/machines/lewis_user_ed25519-cert.pub
diff --git a/nix/modules/backups.nix b/nixos/modules/backups.nix
similarity index 100%
rename from nix/modules/backups.nix
rename to nixos/modules/backups.nix
diff --git a/nix/modules/data-sharing.nix b/nixos/modules/data-sharing.nix
similarity index 100%
rename from nix/modules/data-sharing.nix
rename to nixos/modules/data-sharing.nix
diff --git a/nix/modules/default.nix b/nixos/modules/default.nix
similarity index 100%
rename from nix/modules/default.nix
rename to nixos/modules/default.nix
diff --git a/nix/modules/k3s/bootstrap.nix b/nixos/modules/k3s/bootstrap.nix
similarity index 100%
rename from nix/modules/k3s/bootstrap.nix
rename to nixos/modules/k3s/bootstrap.nix
diff --git a/nix/modules/k3s/default.nix b/nixos/modules/k3s/default.nix
similarity index 100%
rename from nix/modules/k3s/default.nix
rename to nixos/modules/k3s/default.nix
diff --git a/nix/modules/networking/default.nix b/nixos/modules/networking/default.nix
similarity index 100%
rename from nix/modules/networking/default.nix
rename to nixos/modules/networking/default.nix
diff --git a/nix/modules/networking/dmz/default.nix b/nixos/modules/networking/dmz/default.nix
similarity index 100%
rename from nix/modules/networking/dmz/default.nix
rename to nixos/modules/networking/dmz/default.nix
diff --git a/nix/modules/networking/dmz/dnsmasq.nix b/nixos/modules/networking/dmz/dnsmasq.nix
similarity index 100%
rename from nix/modules/networking/dmz/dnsmasq.nix
rename to nixos/modules/networking/dmz/dnsmasq.nix
diff --git a/nix/modules/networking/dmz/zones/geokunis2.nl.nix b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
similarity index 100%
rename from nix/modules/networking/dmz/zones/geokunis2.nl.nix
rename to nixos/modules/networking/dmz/zones/geokunis2.nl.nix
diff --git a/nix/modules/networking/dmz/zones/kun.is.nix b/nixos/modules/networking/dmz/zones/kun.is.nix
similarity index 100%
rename from nix/modules/networking/dmz/zones/kun.is.nix
rename to nixos/modules/networking/dmz/zones/kun.is.nix
diff --git a/nix/modules/ssh-certificates.nix b/nixos/modules/ssh-certificates.nix
similarity index 100%
rename from nix/modules/ssh-certificates.nix
rename to nixos/modules/ssh-certificates.nix
diff --git a/nix/modules/storage.nix b/nixos/modules/storage.nix
similarity index 100%
rename from nix/modules/storage.nix
rename to nixos/modules/storage.nix
diff --git a/nix/modules/terraform-database/default.nix b/nixos/modules/terraform-database/default.nix
similarity index 100%
rename from nix/modules/terraform-database/default.nix
rename to nixos/modules/terraform-database/default.nix
diff --git a/nix/modules/terraform-database/postgresql_server.crt b/nixos/modules/terraform-database/postgresql_server.crt
similarity index 100%
rename from nix/modules/terraform-database/postgresql_server.crt
rename to nixos/modules/terraform-database/postgresql_server.crt
diff --git a/nix/physical.nix b/nixos/physical.nix
similarity index 97%
rename from nix/physical.nix
rename to nixos/physical.nix
index aac1776..8ee2bbc 100644
--- a/nix/physical.nix
+++ b/nixos/physical.nix
@@ -2,7 +2,6 @@
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 microvm.nixosModules.host
- ./shared.nix
 ];
 config = {
@@ -69,7 +68,7 @@
 specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
 config = {
 imports = [
- ./virtual.nix
+ ./.
 ];
 };
 };
diff --git a/nix/secrets/README.md b/nixos/secrets/README.md
similarity index 100%
rename from nix/secrets/README.md
rename to nixos/secrets/README.md
diff --git a/nix/secrets/atlas_host_ed25519.age b/nixos/secrets/atlas_host_ed25519.age
similarity index 100%
rename from nix/secrets/atlas_host_ed25519.age
rename to nixos/secrets/atlas_host_ed25519.age
diff --git a/nix/secrets/atlas_user_ed25519.age b/nixos/secrets/atlas_user_ed25519.age
similarity index 100%
rename from nix/secrets/atlas_user_ed25519.age
rename to nixos/secrets/atlas_user_ed25519.age
diff --git a/nix/secrets/borg_passphrase.age b/nixos/secrets/borg_passphrase.age
similarity index 100%
rename from nix/secrets/borg_passphrase.age
rename to nixos/secrets/borg_passphrase.age
diff --git a/nix/secrets/database_passwords.env.age b/nixos/secrets/database_passwords.env.age
similarity index 100%
rename from nix/secrets/database_passwords.env.age
rename to nixos/secrets/database_passwords.env.age
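Review bot: The guest's `imports = [ ./. ];` in the second nixos/physical.nix hunk re-enters nixos/default.nix and only ends up at virtual.nix because `machine = vm` is passed in `specialArgs` on the line above and every entry of `vmsForHypervisor` has `type == "virtual"`; that two-step indirection is not visible from this spot, so a comment on the import would help: `# ./. is nixos/default.nix, which picks ./virtual.nix because machine.type == "virtual" for every VM listed here`. The enclosing `microvm.vms` expression starts outside the hunk.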
diff --git a/nix/secrets/ec2_borg_server.pem.age b/nixos/secrets/ec2_borg_server.pem.age
similarity index 100%
rename from nix/secrets/ec2_borg_server.pem.age
rename to nixos/secrets/ec2_borg_server.pem.age
diff --git a/nix/secrets/jefke_host_ed25519.age b/nixos/secrets/jefke_host_ed25519.age
similarity index 100%
rename from nix/secrets/jefke_host_ed25519.age
rename to nixos/secrets/jefke_host_ed25519.age
diff --git a/nix/secrets/jefke_user_ed25519.age b/nixos/secrets/jefke_user_ed25519.age
similarity index 100%
rename from nix/secrets/jefke_user_ed25519.age
rename to nixos/secrets/jefke_user_ed25519.age
diff --git a/nix/secrets/lewis_host_ed25519.age b/nixos/secrets/lewis_host_ed25519.age
similarity index 100%
rename from nix/secrets/lewis_host_ed25519.age
rename to nixos/secrets/lewis_host_ed25519.age
diff --git a/nix/secrets/lewis_user_ed25519.age b/nixos/secrets/lewis_user_ed25519.age
similarity index 100%
rename from nix/secrets/lewis_user_ed25519.age
rename to nixos/secrets/lewis_user_ed25519.age
diff --git a/nix/secrets/postgresql_server.key.age b/nixos/secrets/postgresql_server.key.age
similarity index 100%
rename from nix/secrets/postgresql_server.key.age
rename to nixos/secrets/postgresql_server.key.age
diff --git a/nix/secrets/secrets.nix b/nixos/secrets/secrets.nix
similarity index 100%
rename from nix/secrets/secrets.nix
rename to nixos/secrets/secrets.nix
diff --git a/nix/virtual.nix b/nixos/virtual.nix
similarity index 95%
rename from nix/virtual.nix
rename to nixos/virtual.nix
index b1203dc..e08ded9 100644
--- a/nix/virtual.nix
+++ b/nixos/virtual.nix
@@ -1,6 +1,4 @@
 { lib, config, machine, hypervisorConfig, ... }: {
- imports = [ ./shared.nix ];
-
 options.lab.vmMacAddress = lib.mkOption {
 type = lib.types.str;
 description = ''
From bd5dc4b8836dea00831f48809408a12b96c3eb5c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 28 Jan 2024 12:55:58 +0100
Subject: [PATCH 08/10] set hostName and domain in nixos config directly
---
 flake.nix | 16 ++++----
 nixos/machines/default.nix | 55 ++++++++++++++++++----------
 nixos/modules/networking/default.nix | 2 -
 nixos/physical.nix | 23 +++++-------
 nixos/virtual.nix | 4 +-
 5 files changed, 55 insertions(+), 45 deletions(-)
diff --git a/flake.nix b/flake.nix
index 61bb6b3..78448b3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,18 +40,19 @@
 pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
 machines = import ./nixos/machines;
 physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
- # TODO: Maybe use mergeAttrLists
+ # TODO: Use mergeAttrLists
 mkNixosSystems = systemDef:
 nixpkgs.lib.foldlAttrs
 (acc: name: machine:
 acc // {
- "${name}" = nixpkgs.lib.nixosSystem (systemDef machine);
+ "${name}" = nixpkgs.lib.nixosSystem (systemDef name machine);
 })
 { }
 physicalMachines;
 mkDeployNodes = nodeDef:
+ # TODO: Use mergeAttrLists
 nixpkgs.lib.foldlAttrs
- (acc: name: machine: acc // { "${name}" = nodeDef machine; })
+ (acc: name: machine: acc // { "${name}" = nodeDef name machine; })
 { }
 physicalMachines;
 in
@@ -75,7 +76,7 @@
 formatter.${system} = pkgs.nixfmt;
- nixosConfigurations = mkNixosSystems (machine: {
+ nixosConfigurations = mkNixosSystems (name: machine: {
 inherit system;
 specialArgs = { inherit machines machine kubenix dns microvm disko agenix; };
 modules = [ ./nixos ];
@@ -85,12 +86,11 @@
 sshUser = "root";
 user = "root";
- nodes = mkDeployNodes (machine: {
- # TODO: simply get this from nixos configuration?
- hostname = "${machine.hostName}.${machine.domain}";
+ nodes = mkDeployNodes (name: machine: {
+ hostname = self.nixosConfigurations.${name}.config.networking.fqdn;
 profiles.system = {
 path = deploy-rs.lib.${system}.activate.nixos
- self.nixosConfigurations.${machine.hostName};
+ self.nixosConfigurations.${name};
 };
 });
 };
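Review bot: `hostname = self.nixosConfigurations.${name}.config.networking.fqdn;` in the last flake.nix hunk makes deploy evaluation depend on `networking.fqdn`, which NixOS defines to throw unless both `networking.hostName` and `networking.domain` are set, so from this commit on a physical machine that omits `domain` breaks `deploy` with that option's message rather than with an error pointing at this line; a one-line comment would spare the next reader the search: `# networking.fqdn throws unless hostName and domain are both set on the target`. As a point of style, the `+ # TODO: Use mergeAttrLists` in the first hunk is placed between `nodeDef:` and its body, whereas the same TODO sits above `mkNixosSystems`; keeping both in the same position reads better.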
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index 50cd21a..b936b53 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -1,35 +1,44 @@
 {
 jefke = {
- # TODO: directly set and read this from nixos config.
- hostName = "jefke";
- domain = "hyp";
+ # TODO: model this in a nixos module?
 type = "physical";
- nixosModule.lab = {
- terraformDatabase.enable = true;
-
- storage = {
- osDisk = "/dev/sda";
- dataPartition = "/dev/nvme0n1p1";
+ nixosModule = {
+ networking = {
+ hostName = "jefke";
+ # TODO: generate this using type?
+ domain = "hyp";
 };
- ssh = {
- useCertificates = true;
- # TODO: automatically set this?
- hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
- userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
+ lab = {
+ terraformDatabase.enable = true;
+
+ storage = {
+ osDisk = "/dev/sda";
+ dataPartition = "/dev/nvme0n1p1";
+ };
+
+ ssh = {
+ useCertificates = true;
+ # TODO: automatically set this?
+ hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
+ userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
+ };
 };
 };
 };
 atlas = {
- hostName = "atlas";
- domain = "hyp";
 type = "physical";
 nixosModule = { config, ... }:
 let
 inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6;
 in {
+ networking = {
+ hostName = "atlas";
+ domain = "hyp";
+ };
+
 lab = {
 networking = {
 # TODO: Ideally, we don't have to set this here.
@@ -53,11 +62,14 @@
 };
 lewis = {
- hostName = "lewis";
- domain = "hyp";
 type = "physical";
 nixosModule = { pkgs, ... }: {
+ networking = {
+ hostName = "lewis";
+ domain = "hyp";
+ };
+
 lab = {
 dataHost.enable = true;
@@ -76,8 +88,6 @@
 };
 my-microvm = {
- hostName = "my-microvm";
- domain = "dmz";
 type = "virtual";
 hypervisorName = "lewis";
@@ -86,6 +96,11 @@
 echo "Hello world from inside a virtual machine!!" | ${pkgs.lolcat}/bin/lolcat
 '';
+ networking = {
+ hostName = "my-microvm";
+ domain = "dmz";
+ };
+
 lab.vmMacAddress = "BA:DB:EE:F0:00:00";
 };
 };
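Review bot: `networking.hostName = "jefke"` (and likewise for atlas, lewis and my-microvm) now repeats the attribute name that keys this set, with nothing checking that the two agree; in this commit's nixos/physical.nix hunk `microvm.vms` is keyed by the attribute name while `hypervisorName` is matched against `networking.hostName`, so a machine whose two names diverge either gets a microvm unit named differently from its hostName or silently hosts no VMs. Passing the attribute name down as a special argument, `specialArgs = { inherit machines machine kubenix dns microvm disko agenix; machineName = name; }` in flake.nix and `machineName = name;` in the `microvm.vms` mapAttrs, and then defaulting `networking.hostName = lib.mkDefault machineName;` in nixos/default.nix would leave one source of truth and let the hypervisor match compare attribute names on both sides. The `# TODO: generate this using type?` comment would then only concern `domain`.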
diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix
index 0a0e640..e1f8b71 100644
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
@@ -89,8 +89,6 @@ in {
 config = {
 networking = {
- hostName = machine.hostName;
- domain = machine.domain;
 nftables.enable = true;
 useDHCP = machine.type == "virtual";
diff --git a/nixos/physical.nix b/nixos/physical.nix
index 8ee2bbc..67b459a 100644
--- a/nixos/physical.nix
+++ b/nixos/physical.nix
@@ -58,23 +58,20 @@
 microvm.vms =
 let
- vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
+ vmsForHypervisor = lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == config.networking.hostName) machines;
 in
- lib.attrsets.mergeAttrsList (map
- (vm:
+ builtins.mapAttrs
+ (name: vm:
 {
- "${vm.hostName}" = {
- # TODO Simplify?
- specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
- config = {
- imports = [
- ./.
- ];
- };
+ # TODO Simplify?
+ specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
+ config = {
+ imports = [
+ ./.
+ ];
 };
 }
 )
- vmsForHypervisor
- );
+ vmsForHypervisor;
 };
}
diff --git a/nixos/virtual.nix b/nixos/virtual.nix
index e08ded9..e206587 100644
--- a/nixos/virtual.nix
+++ b/nixos/virtual.nix
@@ -1,4 +1,4 @@
-{ lib, config, machine, hypervisorConfig, ... }: {
+{ lib, config, hypervisorConfig, ... }: {
 options.lab.vmMacAddress = lib.mkOption {
 type = lib.types.str;
 description = ''
@@ -19,7 +19,7 @@
 interfaces = [{
 type = "tap";
- id = "vm-${machine.hostName}";
+ id = "vm-${config.networking.hostName}";
 mac = config.lab.vmMacAddress;
 }];
 };
From a015290fcf723977e809a20e5e56221e555ddf56 Mon Sep 17 00:00:00 2001
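Review bot: `id = "vm-${config.networking.hostName}";` in the last nixos/virtual.nix hunk names a Linux tap device, and interface names are limited to 15 bytes (IFNAMSIZ minus the terminator), so a guest hostName longer than 12 characters evaluates cleanly and then fails when the host tries to create the interface; `my-microvm` fits, but nothing enforces the limit. An assertion in this module catches it at evaluation time: `assertions = [{ assertion = builtins.stringLength "vm-${config.networking.hostName}" <= 15; message = "microvm tap id vm-${config.networking.hostName} exceeds the 15-byte interface name limit"; }];`. The enclosing `config` block starts outside the hunk.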
From: Pim Kunis
Date: Sun, 28 Jan 2024 13:46:32 +0100
Subject: [PATCH 09/10] derive domain from server type
---
 nixos/machines/default.nix | 21 ++++-----------------
 nixos/modules/networking/default.nix | 1 +
 nixos/physical.nix | 2 +-
 3 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index b936b53..fb4eac4 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -4,11 +4,7 @@
 type = "physical";
 nixosModule = {
- networking = {
- hostName = "jefke";
- # TODO: generate this using type?
- domain = "hyp";
- };
+ networking.hostName = "jefke";
 lab = {
 terraformDatabase.enable = true;
@@ -34,10 +30,7 @@
 nixosModule = { config, ... }:
 let
 inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6;
 in {
- networking = {
- hostName = "atlas";
- domain = "hyp";
- };
+ networking.hostName = "atlas";
 lab = {
 networking = {
@@ -65,10 +58,7 @@
 type = "physical";
 nixosModule = { pkgs, ... }: {
- networking = {
- hostName = "lewis";
- domain = "hyp";
- };
+ networking.hostName = "lewis";
 lab = {
 dataHost.enable = true;
@@ -96,10 +86,7 @@
 echo "Hello world from inside a virtual machine!!" | ${pkgs.lolcat}/bin/lolcat
 '';
- networking = {
- hostName = "my-microvm";
- domain = "dmz";
- };
+ networking.hostName = "my-microvm";
 lab.vmMacAddress = "BA:DB:EE:F0:00:00";
 };
diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix
index e1f8b71..5e7fa18 100644
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
@@ -89,6 +89,7 @@ in {
 config = {
 networking = {
+ domain = if machine.type == "physical" then "hyp" else "dmz";
 nftables.enable = true;
 useDHCP = machine.type == "virtual";
diff --git a/nixos/physical.nix b/nixos/physical.nix
index 67b459a..35858fb 100644
--- a/nixos/physical.nix
+++ b/nixos/physical.nix
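Review bot: `domain = if machine.type == "physical" then "hyp" else "dmz";` in the nixos/modules/networking/default.nix hunk routes every unknown `type` value to `dmz`, so a typo in nixos/machines/default.nix yields a host under the wrong domain instead of an evaluation error; `domain = { physical = "hyp"; virtual = "dmz"; }.${machine.type};` fails loudly on anything but the two known values. The domain is not cosmetic: the `programs.ssh.knownHosts` block seen in the nixos/default.nix removed earlier in this series trusts a different certificate authority for `*.hyp` than for `*.dmz`, so if that block still lives in the shared config, a mistyped machine also changes which CA clients consult for its name. The `useDHCP = machine.type == "virtual";` context line below would benefit from the same explicit mapping.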
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
+{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, ... }: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 microvm.nixosModules.host
From 8e9d566d10a772ef84ebf4015c7c9bd54737ac69 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 28 Jan 2024 13:57:36 +0100
Subject: [PATCH 10/10] simplify flake functions
---
 flake.nix | 17 ++++++-----------
 nixos/machines/default.nix | 12 +++++-------
 2 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/flake.nix b/flake.nix
index 78448b3..8af709c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,20 +40,15 @@
 pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
 machines = import ./nixos/machines;
 physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
- # TODO: Use mergeAttrLists
 mkNixosSystems = systemDef:
- nixpkgs.lib.foldlAttrs
- (acc: name: machine:
- acc // {
- "${name}" = nixpkgs.lib.nixosSystem (systemDef name machine);
- })
- { }
+ builtins.mapAttrs
+ (name: machine:
+ nixpkgs.lib.nixosSystem (systemDef name machine)
+ )
 physicalMachines;
 mkDeployNodes = nodeDef:
- # TODO: Use mergeAttrLists
- nixpkgs.lib.foldlAttrs
- (acc: name: machine: acc // { "${name}" = nodeDef name machine; })
- { }
+ builtins.mapAttrs
+ (name: machine: nodeDef name machine)
 physicalMachines;
 in
 {
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index fb4eac4..649ef3d 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -1,6 +1,5 @@
 {
 jefke = {
- # TODO: model this in a nixos module?
 type = "physical";
 nixosModule = {
@@ -57,7 +56,7 @@
 lewis = {
 type = "physical";
- nixosModule = { pkgs, ... }: {
+ nixosModule = {
 networking.hostName = "lewis";
 lab = {
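Review bot: `mkDeployNodes = nodeDef: builtins.mapAttrs (name: machine: nodeDef name machine) physicalMachines;` in the flake.nix hunk wraps `nodeDef` in a lambda of the same arity, so it reduces to `mkDeployNodes = nodeDef: builtins.mapAttrs nodeDef physicalMachines;`, and `mkNixosSystems` above it fits on one line the same way: `builtins.mapAttrs (name: machine: nixpkgs.lib.nixosSystem (systemDef name machine)) physicalMachines;`. Both helpers only ever see `physicalMachines`, and now that the TODOs are gone nothing says so; a one-line comment on each, e.g. `# one nixosSystem per physical machine; VMs are built by their hypervisor's microvm.vms`, would record that. The enclosing `let` starts outside the hunk.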
@@ -81,14 +80,13 @@
 type = "virtual";
 hypervisorName = "lewis";
- nixosModule = { pkgs, config, ... }: {
+ nixosModule = { pkgs, ... }: {
+ networking.hostName = "my-microvm";
+ lab.vmMacAddress = "BA:DB:EE:F0:00:00";
+
 programs.bash.interactiveShellInit = ''
 echo "Hello world from inside a virtual machine!!" | ${pkgs.lolcat}/bin/lolcat
 '';
-
- networking.hostName = "my-microvm";
-
- lab.vmMacAddress = "BA:DB:EE:F0:00:00";
 };
 };
}