create shared nixos config between physical and VM

rename nixos -> nix
2024-01-28 12:06:30 +01:00 · 2024-01-28 12:06:30 +01:00 · 32154e7163
commit 32154e7163
parent 472175c5a3
39 changed files with 114 additions and 196 deletions
--- a/flake.nix
+++ b/flake.nix
@ -38,7 +38,7 @@
      pkgs = nixpkgs.legacyPackages.${system};
      lib = pkgs.lib;
      pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
-      machines = import ./nixos/machines;
+      machines = import ./nix/machines;
      physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
      # TODO: Maybe use mergeAttrLists
      mkNixosSystems = systemDef:
@ -78,7 +78,7 @@
      nixosConfigurations = mkNixosSystems (machine: {
        inherit system;
        specialArgs = { inherit machines machine kubenix dns microvm disko agenix; };
-        modules = [ ./nixos ];
+        modules = [ ./nix/physical.nix ];
      });

      deploy = {
--- a/nixos/lab.nix
+++ b/nixos/lab.nix
--- a/nixos/machines/atlas_host_ed25519-cert.pub
+++ b/nixos/machines/atlas_host_ed25519-cert.pub
--- a/nixos/machines/atlas_user_ed25519-cert.pub
+++ b/nixos/machines/atlas_user_ed25519-cert.pub
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@ -15,6 +15,7 @@

      ssh = {
        useCertificates = true;
+        # TODO: automatically set this?
        hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
        userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
      };
--- a/nixos/machines/jefke_host_ed25519-cert.pub
+++ b/nixos/machines/jefke_host_ed25519-cert.pub
--- a/nixos/machines/jefke_user_ed25519-cert.pub
+++ b/nixos/machines/jefke_user_ed25519-cert.pub
--- a/nixos/machines/lewis_host_ed25519-cert.pub
+++ b/nixos/machines/lewis_host_ed25519-cert.pub
--- a/nixos/machines/lewis_user_ed25519-cert.pub
+++ b/nixos/machines/lewis_user_ed25519-cert.pub
--- a/nixos/modules/backups.nix
+++ b/nixos/modules/backups.nix
--- a/nixos/modules/data-sharing.nix
+++ b/nixos/modules/data-sharing.nix
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
--- a/nixos/modules/k3s/bootstrap.nix
+++ b/nixos/modules/k3s/bootstrap.nix
--- a/nixos/modules/k3s/default.nix
+++ b/nixos/modules/k3s/default.nix
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
--- a/nixos/modules/networking/dmz/default.nix
+++ b/nixos/modules/networking/dmz/default.nix
--- a/nixos/modules/networking/dmz/dnsmasq.nix
+++ b/nixos/modules/networking/dmz/dnsmasq.nix
--- a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
+++ b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
--- a/nixos/modules/networking/dmz/zones/kun.is.nix
+++ b/nixos/modules/networking/dmz/zones/kun.is.nix
--- a/nixos/modules/ssh-certificates.nix
+++ b/nixos/modules/ssh-certificates.nix
--- a/nixos/modules/storage.nix
+++ b/nixos/modules/storage.nix
--- a/nixos/modules/terraform-database/default.nix
+++ b/nixos/modules/terraform-database/default.nix
--- a/nixos/modules/terraform-database/postgresql_server.crt
+++ b/nixos/modules/terraform-database/postgresql_server.crt
--- a/nix/physical.nix
+++ b/nix/physical.nix
@ -0,0 +1,81 @@
+{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    microvm.nixosModules.host
+    ./shared.nix
+  ];
+
+  config = {
+    boot = {
+      kernelModules = [ "kvm-intel" ];
+      extraModulePackages = [ ];
+
+      initrd = {
+        availableKernelModules = [
+          "ahci"
+          "xhci_pci"
+          "nvme"
+          "usbhid"
+          "usb_storage"
+          "sd_mod"
+          "sdhci_pci"
+        ];
+        kernelModules = [ ];
+      };
+
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+    };
+
+    nixpkgs = {
+      config.allowUnfree = true;
+      hostPlatform = "x86_64-linux";
+    };
+
+    hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+    age.identityPaths = [ "/etc/age_ed25519" ];
+
+    virtualisation.libvirtd.enable = true;
+
+    nix = {
+      package = pkgs.nixFlakes;
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+    };
+
+    system = {
+      stateVersion = "23.05";
+
+      activationScripts.diff = ''
+        if [[ -e  /run/current-system ]]; then
+          ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
+        fi
+      '';
+    };
+
+    microvm.vms =
+      let
+        vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
+      in
+      lib.attrsets.mergeAttrsList (map
+        (vm:
+          {
+            "${vm.hostName}" = {
+              # TODO Simplify?
+              specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
+              config = {
+                imports = [
+                  ./virtual.nix
+                ];
+              };
+            };
+          }
+        )
+        vmsForHypervisor
+      );
+  };
+}
--- a/nixos/secrets/README.md
+++ b/nixos/secrets/README.md
--- a/nixos/secrets/atlas_host_ed25519.age
+++ b/nixos/secrets/atlas_host_ed25519.age
--- a/nixos/secrets/atlas_user_ed25519.age
+++ b/nixos/secrets/atlas_user_ed25519.age
--- a/nixos/secrets/borg_passphrase.age
+++ b/nixos/secrets/borg_passphrase.age
--- a/nixos/secrets/database_passwords.env.age
+++ b/nixos/secrets/database_passwords.env.age
--- a/nixos/secrets/ec2_borg_server.pem.age
+++ b/nixos/secrets/ec2_borg_server.pem.age
--- a/nixos/secrets/jefke_host_ed25519.age
+++ b/nixos/secrets/jefke_host_ed25519.age
--- a/nixos/secrets/jefke_user_ed25519.age
+++ b/nixos/secrets/jefke_user_ed25519.age
--- a/nixos/secrets/lewis_host_ed25519.age
+++ b/nixos/secrets/lewis_host_ed25519.age
--- a/nixos/secrets/lewis_user_ed25519.age
+++ b/nixos/secrets/lewis_user_ed25519.age
--- a/nixos/secrets/postgresql_server.key.age
+++ b/nixos/secrets/postgresql_server.key.age
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
--- a/nix/shared.nix
+++ b/nix/shared.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, agenix, disko, machine, hypervisorConfig, ... }: {
+{ pkgs, machine, disko, agenix, ... }: {
  imports = [
    ./modules
    ./lab.nix
@ -7,17 +7,7 @@
    agenix.nixosModules.default
  ];

-  options.lab.vmMacAddress = lib.mkOption {
-    type = lib.types.str;
-    description = ''
-      The MAC address of the VM's main NIC.
-    '';
-  };
-
-  # TODO: remove overlap with physical nixos module
-  # Perhaps a sane defaults module?
  config = {
-    system.stateVersion = hypervisorConfig.system.stateVersion;
    time.timeZone = "Europe/Amsterdam";

    i18n = {
@ -100,20 +90,5 @@
      parted
      radvd
    ];
-
-    microvm = {
-      shares = [{
-        source = "/nix/store";
-        mountPoint = "/nix/.ro-store";
-        tag = "ro-store";
-        proto = "virtiofs";
-      }];
-
-      interfaces = [{
-        type = "tap";
-        id = "vm-${machine.hostName}";
-        mac = config.lab.vmMacAddress;
-      }];
-    };
  };
 }
--- a/nix/virtual.nix
+++ b/nix/virtual.nix
@ -0,0 +1,29 @@
+{ lib, config, machine, hypervisorConfig, ... }: {
+  imports = [ ./shared.nix ];
+
+  options.lab.vmMacAddress = lib.mkOption {
+    type = lib.types.str;
+    description = ''
+      The MAC address of the VM's main NIC.
+    '';
+  };
+
+  config = {
+    system.stateVersion = hypervisorConfig.system.stateVersion;
+
+    microvm = {
+      shares = [{
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+        tag = "ro-store";
+        proto = "virtiofs";
+      }];
+
+      interfaces = [{
+        type = "tap";
+        id = "vm-${machine.hostName}";
+        mac = config.lab.vmMacAddress;
+      }];
+    };
+  };
+}
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,168 +0,0 @@
-{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    ./modules
-    ./lab.nix
-    machine.nixosModule
-    disko.nixosModules.disko
-    agenix.nixosModules.default
-    microvm.nixosModules.host
-  ];
-
-  config = {
-    boot = {
-      kernelModules = [ "kvm-intel" ];
-      extraModulePackages = [ ];
-
-      initrd = {
-        availableKernelModules = [
-          "ahci"
-          "xhci_pci"
-          "nvme"
-          "usbhid"
-          "usb_storage"
-          "sd_mod"
-          "sdhci_pci"
-        ];
-        kernelModules = [ ];
-      };
-
-      loader = {
-        systemd-boot.enable = true;
-        efi.canTouchEfiVariables = true;
-      };
-    };
-
-    time.timeZone = "Europe/Amsterdam";
-
-    i18n = {
-      defaultLocale = "en_US.UTF-8";
-
-      extraLocaleSettings = {
-        LC_ADDRESS = "nl_NL.UTF-8";
-        LC_IDENTIFICATION = "nl_NL.UTF-8";
-        LC_MEASUREMENT = "nl_NL.UTF-8";
-        LC_MONETARY = "nl_NL.UTF-8";
-        LC_NAME = "nl_NL.UTF-8";
-        LC_NUMERIC = "nl_NL.UTF-8";
-        LC_PAPER = "nl_NL.UTF-8";
-        LC_TELEPHONE = "nl_NL.UTF-8";
-        LC_TIME = "nl_NL.UTF-8";
-      };
-    };
-
-    services = {
-      openssh = {
-        enable = true;
-        openFirewall = true;
-
-        settings = {
-          PasswordAuthentication = false;
-          KbdInteractiveAuthentication = false;
-        };
-      };
-
-      xserver = {
-        layout = "us";
-        xkbVariant = "";
-      };
-    };
-
-    users.users.root.openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
-    ];
-
-    programs = {
-      ssh = {
-        knownHosts = {
-          dmz = {
-            hostNames = [ "*.dmz" ];
-            publicKey =
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
-            certAuthority = true;
-          };
-
-          hypervisors = {
-            hostNames = [ "*.hyp" ];
-            publicKey =
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
-            certAuthority = true;
-          };
-        };
-
-      };
-
-      neovim = {
-        enable = true;
-        vimAlias = true;
-        viAlias = true;
-      };
-    };
-
-    nixpkgs = {
-      config.allowUnfree = true;
-      hostPlatform = "x86_64-linux";
-    };
-
-    environment.systemPackages = with pkgs; [
-      neofetch
-      wget
-      git
-      btop
-      htop
-      ripgrep
-      dig
-      tree
-      file
-      tcpdump
-      lsof
-      parted
-      radvd
-    ];
-
-    hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
-
-    age.identityPaths = [ "/etc/age_ed25519" ];
-
-    virtualisation.libvirtd.enable = true;
-
-    nix = {
-      package = pkgs.nixFlakes;
-      extraOptions = ''
-        experimental-features = nix-command flakes
-      '';
-    };
-
-    system = {
-      stateVersion = "23.05";
-
-      activationScripts.diff = ''
-        if [[ -e  /run/current-system ]]; then
-          ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
-        fi
-      '';
-    };
-
-    microvm.vms =
-      let
-        vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
-      in
-      lib.attrsets.mergeAttrsList (map
-        (vm:
-          {
-            "${vm.hostName}" = {
-              # TODO Simplify?
-              specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
-              config = {
-                imports = [
-                  ./vm.nix
-                ];
-              };
-            };
-          }
-        )
-        vmsForHypervisor
-      );
-  };
-}