home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'microvm2'

Browse source
This commit is contained in:
Pim Kunis 2024-01-28 13:59:25 +01:00
commit 0fd0713e08
8 changed files with 336 additions and 182 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
flake.lock
View file

@ -152,6 +152,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -196,6 +214,28 @@
"type": "github" "type": "github"
} }
}, },
"microvm": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1705263072,
"narHash": "sha256-DCqqaNWn9G81U+0Myyr36JrOKitcmS34oBWxqiHjabk=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "088ba565537eaef1041a87be5a44ca0daa4e1908",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1702272962, "lastModified": 1702272962,
@ -251,10 +291,27 @@
"disko": "disko", "disko": "disko",
"dns": "dns", "dns": "dns",
"kubenix": "kubenix", "kubenix": "kubenix",
"microvm": "microvm",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
} }
}, },
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1703273931,
"narHash": "sha256-CJ1Crdi5fXHkCiemovsp20/RC4vpDaZl1R6V273FecI=",
"ref": "refs/heads/main",
"rev": "97e2f3429ee61dc37664b4d096b2fec48a57b691",
"revCount": 597,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -284,6 +341,21 @@
"type": "indirect" "type": "indirect"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": { "treefmt": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

47
flake.nix
View file

@ -24,29 +24,32 @@
url = "github:kirelagin/dns.nix"; url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
{ self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, ... }: { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, microvm, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
lib = pkgs.lib;
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
machines = import ./nixos/machines; machines = import ./nixos/machines;
# TODO: Maybe use mergeAttrLists physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
mkNixosSystems = systemDef: mkNixosSystems = systemDef:
nixpkgs.lib.foldlAttrs builtins.mapAttrs
(acc: name: machine: (name: machine:
acc // { nixpkgs.lib.nixosSystem (systemDef name machine)
"${name}" = nixpkgs.lib.nixosSystem (systemDef machine); )
}) physicalMachines;
{ }
machines;
mkDeployNodes = nodeDef: mkDeployNodes = nodeDef:
nixpkgs.lib.foldlAttrs builtins.mapAttrs
(acc: name: machine: acc // { "${name}" = nodeDef machine; }) (name: machine: nodeDef name machine)
{ } physicalMachines;
machines;
in in
{ {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
@ -68,27 +71,21 @@
formatter.${system} = pkgs.nixfmt; formatter.${system} = pkgs.nixfmt;
nixosConfigurations = mkNixosSystems (machine: { nixosConfigurations = mkNixosSystems (name: machine: {
inherit system; inherit system;
specialArgs = { inherit kubenix dns; }; specialArgs = { inherit machines machine kubenix dns microvm disko agenix; };
modules = [ modules = [ ./nixos ];
machine.nixosModule
disko.nixosModules.disko
agenix.nixosModules.default
./nixos
{ networking.hostName = machine.name; }
];
}); });
deploy = { deploy = {
sshUser = "root"; sshUser = "root";
user = "root"; user = "root";
nodes = mkDeployNodes (machine: { nodes = mkDeployNodes (name: machine: {
hostname = machine.hostName; hostname = self.nixosConfigurations.${name}.config.networking.fqdn;
profiles.system = { profiles.system = {
path = deploy-rs.lib.${system}.activate.nixos path = deploy-rs.lib.${system}.activate.nixos
self.nixosConfigurations.${machine.name}; self.nixosConfigurations.${name};
}; };
}); });
}; };

62
nixos/default.nix
View file

@ -1,33 +1,15 @@
{ pkgs, config, lib, modulesPath, ... }: { { pkgs, lib, machine, disko, agenix, ... }: {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./modules ./modules
./lab.nix ./lab.nix
]; machine.nixosModule
disko.nixosModules.disko
boot = { agenix.nixosModules.default
kernelModules = [ "kvm-intel" ]; ]
extraModulePackages = [ ]; ++ lib.lists.optional (machine.type == "physical") ./physical.nix
++ lib.lists.optional (machine.type == "virtual") ./virtual.nix;
initrd = {
availableKernelModules = [
"ahci"
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
config = {
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
i18n = { i18n = {
@ -95,11 +77,6 @@
}; };
}; };
nixpkgs = {
config.allowUnfree = true;
hostPlatform = "x86_64-linux";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
neofetch neofetch
wget wget
@ -115,28 +92,5 @@
parted parted
radvd radvd
]; ];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
virtualisation.libvirtd.enable = true;
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
}; };
} }

38
nixos/machines/default.nix
View file

@ -1,9 +1,11 @@
{ {
jefke = { jefke = {
name = "jefke"; type = "physical";
hostName = "jefke.hyp";
nixosModule.lab = { nixosModule = {
networking.hostName = "jefke";
lab = {
terraformDatabase.enable = true; terraformDatabase.enable = true;
storage = { storage = {
@ -13,19 +15,22 @@
ssh = { ssh = {
useCertificates = true; useCertificates = true;
# TODO: automatically set this?
hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
}; };
}; };
}; };
};
atlas = { atlas = {
name = "atlas"; type = "physical";
hostName = "atlas.hyp";
nixosModule = { config, ... }: nixosModule = { config, ... }:
let inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6; in let inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6; in
{ {
networking.hostName = "atlas";
lab = { lab = {
networking = { networking = {
# TODO: Ideally, we don't have to set this here. # TODO: Ideally, we don't have to set this here.
@ -49,10 +54,12 @@
}; };
lewis = { lewis = {
name = "lewis"; type = "physical";
hostName = "lewis.hyp";
nixosModule.lab = { nixosModule = {
networking.hostName = "lewis";
lab = {
dataHost.enable = true; dataHost.enable = true;
storage = { storage = {
@ -67,4 +74,19 @@
}; };
}; };
}; };
};
my-microvm = {
type = "virtual";
hypervisorName = "lewis";
nixosModule = { pkgs, ... }: {
networking.hostName = "my-microvm";
lab.vmMacAddress = "BA:DB:EE:F0:00:00";
programs.bash.interactiveShellInit = ''
echo "Hello world from inside a virtual machine!!" | ${pkgs.lolcat}/bin/lolcat
'';
};
};
} }

17
nixos/modules/networking/default.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }: { lib, config, machine, ... }:
let cfg = config.lab.networking; let cfg = config.lab.networking;
in { in {
imports = [ ./dmz ]; imports = [ ./dmz ];
@ -89,17 +89,17 @@ in {
config = { config = {
networking = { networking = {
domain = "hyp"; domain = if machine.type == "physical" then "hyp" else "dmz";
nftables.enable = true;
useDHCP = machine.type == "virtual";
firewall = { firewall = {
enable = true; enable = true;
checkReversePath = false; checkReversePath = false;
}; };
nftables.enable = true;
useDHCP = false;
}; };
systemd.network = { systemd.network = lib.mkIf (machine.type == "physical") {
enable = true; enable = true;
netdevs = { netdevs = {
@ -153,6 +153,11 @@ in {
++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address; ++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address;
}; };
}; };
"40-vms" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = cfg.dmzBridgeName;
};
}; };
}; };
}; };

4
nixos/modules/storage.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }: { lib, config, machine, ... }:
let cfg = config.lab.storage; let cfg = config.lab.storage;
in { in {
options.lab.storage = { options.lab.storage = {
@ -25,7 +25,7 @@ in {
}; };
}; };
config = { config = lib.mkIf (machine.type == "physical") {
fileSystems.${cfg.dataMountPoint}.device = cfg.dataPartition; fileSystems.${cfg.dataMountPoint}.device = cfg.dataPartition;
# TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then.

77
nixos/physical.nix Normal file
View file

@ -0,0 +1,77 @@
{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
microvm.nixosModules.host
];
config = {
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"ahci"
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
nixpkgs = {
config.allowUnfree = true;
hostPlatform = "x86_64-linux";
};
hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
virtualisation.libvirtd.enable = true;
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
};
microvm.vms =
let
vmsForHypervisor = lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == config.networking.hostName) machines;
in
builtins.mapAttrs
(name: vm:
{
# TODO Simplify?
specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
config = {
imports = [
./.
];
};
}
)
vmsForHypervisor;
};
}

27
nixos/virtual.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, config, hypervisorConfig, ... }: {
options.lab.vmMacAddress = lib.mkOption {
type = lib.types.str;
description = ''
The MAC address of the VM's main NIC.
'';
};
config = {
system.stateVersion = hypervisorConfig.system.stateVersion;
microvm = {
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}];
interfaces = [{
type = "tap";
id = "vm-${config.networking.hostName}";
mac = config.lab.vmMacAddress;
}];
};
};
}