From 32154e71632faa750bb8a76b91c50553632777b8 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sun, 28 Jan 2024 12:06:30 +0100 Subject: [PATCH] create shared nixos config between physical and VM rename nixos -> nix --- flake.nix | 4 +- {nixos => nix}/lab.nix | 0 .../machines/atlas_host_ed25519-cert.pub | 0 .../machines/atlas_user_ed25519-cert.pub | 0 {nixos => nix}/machines/default.nix | 1 + .../machines/jefke_host_ed25519-cert.pub | 0 .../machines/jefke_user_ed25519-cert.pub | 0 .../machines/lewis_host_ed25519-cert.pub | 0 .../machines/lewis_user_ed25519-cert.pub | 0 {nixos => nix}/modules/backups.nix | 0 {nixos => nix}/modules/data-sharing.nix | 0 {nixos => nix}/modules/default.nix | 0 {nixos => nix}/modules/k3s/bootstrap.nix | 0 {nixos => nix}/modules/k3s/default.nix | 0 {nixos => nix}/modules/networking/default.nix | 0 .../modules/networking/dmz/default.nix | 0 .../modules/networking/dmz/dnsmasq.nix | 0 .../networking/dmz/zones/geokunis2.nl.nix | 0 .../modules/networking/dmz/zones/kun.is.nix | 0 {nixos => nix}/modules/ssh-certificates.nix | 0 {nixos => nix}/modules/storage.nix | 0 .../modules/terraform-database/default.nix | 0 .../terraform-database/postgresql_server.crt | 0 nix/physical.nix | 81 +++++++++ {nixos => nix}/secrets/README.md | 0 {nixos => nix}/secrets/atlas_host_ed25519.age | Bin {nixos => nix}/secrets/atlas_user_ed25519.age | Bin {nixos => nix}/secrets/borg_passphrase.age | 0 .../secrets/database_passwords.env.age | 0 .../secrets/ec2_borg_server.pem.age | Bin {nixos => nix}/secrets/jefke_host_ed25519.age | Bin {nixos => nix}/secrets/jefke_user_ed25519.age | Bin {nixos => nix}/secrets/lewis_host_ed25519.age | Bin {nixos => nix}/secrets/lewis_user_ed25519.age | Bin .../secrets/postgresql_server.key.age | Bin {nixos => nix}/secrets/secrets.nix | 0 nixos/vm.nix => nix/shared.nix | 27 +-- nix/virtual.nix | 29 +++ nixos/default.nix | 168 ------------------ 39 files changed, 114 insertions(+), 196 deletions(-) rename {nixos => nix}/lab.nix (100%) rename {nixos => nix}/machines/atlas_host_ed25519-cert.pub (100%) rename {nixos 
=> nix}/machines/atlas_user_ed25519-cert.pub (100%) rename {nixos => nix}/machines/default.nix (98%) rename {nixos => nix}/machines/jefke_host_ed25519-cert.pub (100%) rename {nixos => nix}/machines/jefke_user_ed25519-cert.pub (100%) rename {nixos => nix}/machines/lewis_host_ed25519-cert.pub (100%) rename {nixos => nix}/machines/lewis_user_ed25519-cert.pub (100%) rename {nixos => nix}/modules/backups.nix (100%) rename {nixos => nix}/modules/data-sharing.nix (100%) rename {nixos => nix}/modules/default.nix (100%) rename {nixos => nix}/modules/k3s/bootstrap.nix (100%) rename {nixos => nix}/modules/k3s/default.nix (100%) rename {nixos => nix}/modules/networking/default.nix (100%) rename {nixos => nix}/modules/networking/dmz/default.nix (100%) rename {nixos => nix}/modules/networking/dmz/dnsmasq.nix (100%) rename {nixos => nix}/modules/networking/dmz/zones/geokunis2.nl.nix (100%) rename {nixos => nix}/modules/networking/dmz/zones/kun.is.nix (100%) rename {nixos => nix}/modules/ssh-certificates.nix (100%) rename {nixos => nix}/modules/storage.nix (100%) rename {nixos => nix}/modules/terraform-database/default.nix (100%) rename {nixos => nix}/modules/terraform-database/postgresql_server.crt (100%) create mode 100644 nix/physical.nix rename {nixos => nix}/secrets/README.md (100%) rename {nixos => nix}/secrets/atlas_host_ed25519.age (100%) rename {nixos => nix}/secrets/atlas_user_ed25519.age (100%) rename {nixos => nix}/secrets/borg_passphrase.age (100%) rename {nixos => nix}/secrets/database_passwords.env.age (100%) rename {nixos => nix}/secrets/ec2_borg_server.pem.age (100%) rename {nixos => nix}/secrets/jefke_host_ed25519.age (100%) rename {nixos => nix}/secrets/jefke_user_ed25519.age (100%) rename {nixos => nix}/secrets/lewis_host_ed25519.age (100%) rename {nixos => nix}/secrets/lewis_user_ed25519.age (100%) rename {nixos => nix}/secrets/postgresql_server.key.age (100%) rename {nixos => nix}/secrets/secrets.nix (100%) rename nixos/vm.nix => nix/shared.nix (75%) create 
mode 100644 nix/virtual.nix delete mode 100644 nixos/default.nix diff --git a/flake.nix b/flake.nix index 61bb6b3..be3e5bd 100644 --- a/flake.nix +++ b/flake.nix @@ -38,7 +38,7 @@ pkgs = nixpkgs.legacyPackages.${system}; lib = pkgs.lib; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; - machines = import ./nixos/machines; + machines = import ./nix/machines; physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; # TODO: Maybe use mergeAttrLists mkNixosSystems = systemDef: @@ -78,7 +78,7 @@ nixosConfigurations = mkNixosSystems (machine: { inherit system; specialArgs = { inherit machines machine kubenix dns microvm disko agenix; }; - modules = [ ./nixos ]; + modules = [ ./nix/physical.nix ]; }); deploy = { diff --git a/nixos/lab.nix b/nix/lab.nix similarity index 100% rename from nixos/lab.nix rename to nix/lab.nix diff --git a/nixos/machines/atlas_host_ed25519-cert.pub b/nix/machines/atlas_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/atlas_host_ed25519-cert.pub rename to nix/machines/atlas_host_ed25519-cert.pub diff --git a/nixos/machines/atlas_user_ed25519-cert.pub b/nix/machines/atlas_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/atlas_user_ed25519-cert.pub rename to nix/machines/atlas_user_ed25519-cert.pub diff --git a/nixos/machines/default.nix b/nix/machines/default.nix similarity index 98% rename from nixos/machines/default.nix rename to nix/machines/default.nix index 40c30e4..c64dd60 100644 --- a/nixos/machines/default.nix +++ b/nix/machines/default.nix @@ -15,6 +15,7 @@ ssh = { useCertificates = true; + # TODO: automatically set this? hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; }; diff --git a/nixos/machines/jefke_host_ed25519-cert.pub b/nix/machines/jefke_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/jefke_host_ed25519-cert.pub rename to nix/machines/jefke_host_ed25519-cert.pub 
diff --git a/nixos/machines/jefke_user_ed25519-cert.pub b/nix/machines/jefke_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/jefke_user_ed25519-cert.pub rename to nix/machines/jefke_user_ed25519-cert.pub diff --git a/nixos/machines/lewis_host_ed25519-cert.pub b/nix/machines/lewis_host_ed25519-cert.pub similarity index 100% rename from nixos/machines/lewis_host_ed25519-cert.pub rename to nix/machines/lewis_host_ed25519-cert.pub diff --git a/nixos/machines/lewis_user_ed25519-cert.pub b/nix/machines/lewis_user_ed25519-cert.pub similarity index 100% rename from nixos/machines/lewis_user_ed25519-cert.pub rename to nix/machines/lewis_user_ed25519-cert.pub diff --git a/nixos/modules/backups.nix b/nix/modules/backups.nix similarity index 100% rename from nixos/modules/backups.nix rename to nix/modules/backups.nix diff --git a/nixos/modules/data-sharing.nix b/nix/modules/data-sharing.nix similarity index 100% rename from nixos/modules/data-sharing.nix rename to nix/modules/data-sharing.nix diff --git a/nixos/modules/default.nix b/nix/modules/default.nix similarity index 100% rename from nixos/modules/default.nix rename to nix/modules/default.nix diff --git a/nixos/modules/k3s/bootstrap.nix b/nix/modules/k3s/bootstrap.nix similarity index 100% rename from nixos/modules/k3s/bootstrap.nix rename to nix/modules/k3s/bootstrap.nix diff --git a/nixos/modules/k3s/default.nix b/nix/modules/k3s/default.nix similarity index 100% rename from nixos/modules/k3s/default.nix rename to nix/modules/k3s/default.nix diff --git a/nixos/modules/networking/default.nix b/nix/modules/networking/default.nix similarity index 100% rename from nixos/modules/networking/default.nix rename to nix/modules/networking/default.nix diff --git a/nixos/modules/networking/dmz/default.nix b/nix/modules/networking/dmz/default.nix similarity index 100% rename from nixos/modules/networking/dmz/default.nix rename to nix/modules/networking/dmz/default.nix 
diff --git a/nixos/modules/networking/dmz/dnsmasq.nix b/nix/modules/networking/dmz/dnsmasq.nix similarity index 100% rename from nixos/modules/networking/dmz/dnsmasq.nix rename to nix/modules/networking/dmz/dnsmasq.nix diff --git a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix b/nix/modules/networking/dmz/zones/geokunis2.nl.nix similarity index 100% rename from nixos/modules/networking/dmz/zones/geokunis2.nl.nix rename to nix/modules/networking/dmz/zones/geokunis2.nl.nix diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nix/modules/networking/dmz/zones/kun.is.nix similarity index 100% rename from nixos/modules/networking/dmz/zones/kun.is.nix rename to nix/modules/networking/dmz/zones/kun.is.nix diff --git a/nixos/modules/ssh-certificates.nix b/nix/modules/ssh-certificates.nix similarity index 100% rename from nixos/modules/ssh-certificates.nix rename to nix/modules/ssh-certificates.nix diff --git a/nixos/modules/storage.nix b/nix/modules/storage.nix similarity index 100% rename from nixos/modules/storage.nix rename to nix/modules/storage.nix diff --git a/nixos/modules/terraform-database/default.nix b/nix/modules/terraform-database/default.nix similarity index 100% rename from nixos/modules/terraform-database/default.nix rename to nix/modules/terraform-database/default.nix diff --git a/nixos/modules/terraform-database/postgresql_server.crt b/nix/modules/terraform-database/postgresql_server.crt similarity index 100% rename from nixos/modules/terraform-database/postgresql_server.crt rename to nix/modules/terraform-database/postgresql_server.crt diff --git a/nix/physical.nix b/nix/physical.nix new file mode 100644 index 0000000..aac1776 --- /dev/null +++ b/nix/physical.nix 
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ microvm.nixosModules.host
+ ./shared.nix
+ ];
+
+ config = {
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ ];
+ kernelModules = [ ];
+ };
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ nixpkgs = {
+ config.allowUnfree = true;
+ hostPlatform = "x86_64-linux";
+ };
+
+ hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ age.identityPaths = [ "/etc/age_ed25519" ];
+
+ virtualisation.libvirtd.enable = true;
+
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ system = {
+ stateVersion = "23.05";
+
+ activationScripts.diff = ''
+ if [[ -e /run/current-system ]]; then
+ ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
+ fi
+ '';
+ };
+
+ microvm.vms =
+ let
+ vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
+ in
+ lib.attrsets.mergeAttrsList (map
+ (vm:
+ {
+ "${vm.hostName}" = {
+ # TODO Simplify?
+ specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
+ config = {
+ imports = [
+ ./virtual.nix
+ ];
+ };
+ };
+ }
+ )
+ vmsForHypervisor
+ );
+ };
+}
diff --git a/nixos/secrets/README.md b/nix/secrets/README.md
similarity index 100%
rename from nixos/secrets/README.md
rename to nix/secrets/README.md
diff --git a/nixos/secrets/atlas_host_ed25519.age b/nix/secrets/atlas_host_ed25519.age
similarity index 100%
rename from nixos/secrets/atlas_host_ed25519.age
rename to nix/secrets/atlas_host_ed25519.age
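Review bot: The filter building `vmsForHypervisor` near the end of the nix/physical.nix hunk assumes every entry of type "virtual" in ./machines carries a `hypervisorName`; if one omits it, evaluating this host aborts with a missing-attribute error instead of simply scheduling no VM, so `v.type == "virtual" && (v.hypervisorName or null) == machine.hostName` would make the filter total (or the attribute should be documented as mandatory in ./machines/default.nix, which is not visible here). The new file also has no header comment explaining its role; a line such as `# Entry point for physical hosts: imports shared.nix, enables the microvm host and instantiates, via ./virtual.nix, every machine of type "virtual" whose hypervisorName matches this host.` would make the physical.nix / virtual.nix / shared.nix split explicit. Separately, `activationScripts.diff` invokes `${pkgs.nix}/bin/nix` while `nix.package` is set to `pkgs.nixFlakes`, so the closure diff runs with a different Nix build than the one configured for the system; `${config.nix.package}/bin/nix` keeps the two aligned.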
diff --git a/nixos/secrets/atlas_user_ed25519.age b/nix/secrets/atlas_user_ed25519.age similarity index 100% rename from nixos/secrets/atlas_user_ed25519.age rename to nix/secrets/atlas_user_ed25519.age diff --git a/nixos/secrets/borg_passphrase.age b/nix/secrets/borg_passphrase.age similarity index 100% rename from nixos/secrets/borg_passphrase.age rename to nix/secrets/borg_passphrase.age diff --git a/nixos/secrets/database_passwords.env.age b/nix/secrets/database_passwords.env.age similarity index 100% rename from nixos/secrets/database_passwords.env.age rename to nix/secrets/database_passwords.env.age diff --git a/nixos/secrets/ec2_borg_server.pem.age b/nix/secrets/ec2_borg_server.pem.age similarity index 100% rename from nixos/secrets/ec2_borg_server.pem.age rename to nix/secrets/ec2_borg_server.pem.age diff --git a/nixos/secrets/jefke_host_ed25519.age b/nix/secrets/jefke_host_ed25519.age similarity index 100% rename from nixos/secrets/jefke_host_ed25519.age rename to nix/secrets/jefke_host_ed25519.age diff --git a/nixos/secrets/jefke_user_ed25519.age b/nix/secrets/jefke_user_ed25519.age similarity index 100% rename from nixos/secrets/jefke_user_ed25519.age rename to nix/secrets/jefke_user_ed25519.age diff --git a/nixos/secrets/lewis_host_ed25519.age b/nix/secrets/lewis_host_ed25519.age similarity index 100% rename from nixos/secrets/lewis_host_ed25519.age rename to nix/secrets/lewis_host_ed25519.age diff --git a/nixos/secrets/lewis_user_ed25519.age b/nix/secrets/lewis_user_ed25519.age similarity index 100% rename from nixos/secrets/lewis_user_ed25519.age rename to nix/secrets/lewis_user_ed25519.age diff --git a/nixos/secrets/postgresql_server.key.age b/nix/secrets/postgresql_server.key.age similarity index 100% rename from nixos/secrets/postgresql_server.key.age rename to nix/secrets/postgresql_server.key.age 
diff --git a/nixos/secrets/secrets.nix b/nix/secrets/secrets.nix similarity index 100% rename from nixos/secrets/secrets.nix rename to nix/secrets/secrets.nix diff --git a/nixos/vm.nix b/nix/shared.nix similarity index 75% rename from nixos/vm.nix rename to nix/shared.nix index 7887b26..890f3c9 100644 --- a/nixos/vm.nix +++ b/nix/shared.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, agenix, disko, machine, hypervisorConfig, ... }: { +{ pkgs, machine, disko, agenix, ... }: { imports = [ ./modules ./lab.nix @@ -7,17 +7,7 @@ agenix.nixosModules.default ]; - options.lab.vmMacAddress = lib.mkOption { - type = lib.types.str; - description = '' - The MAC address of the VM's main NIC. - ''; - }; - - # TODO: remove overlap with physical nixos module - # Perhaps a sane defaults module? config = { - system.stateVersion = hypervisorConfig.system.stateVersion; time.timeZone = "Europe/Amsterdam"; i18n = { @@ -100,20 +90,5 @@ parted radvd ]; - - microvm = { - shares = [{ - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - }]; - - interfaces = [{ - type = "tap"; - id = "vm-${machine.hostName}"; - mac = config.lab.vmMacAddress; - }]; - }; }; } diff --git a/nix/virtual.nix b/nix/virtual.nix new file mode 100644 index 0000000..b1203dc --- /dev/null +++ b/nix/virtual.nix @@ -0,0 +1,29 @@ +{ lib, config, machine, hypervisorConfig, ... }: { + imports = [ ./shared.nix ]; + + options.lab.vmMacAddress = lib.mkOption { + type = lib.types.str; + description = '' + The MAC address of the VM's main NIC. + ''; + }; + + config = { + system.stateVersion = hypervisorConfig.system.stateVersion; + + microvm = { + shares = [{ + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + }]; + + interfaces = [{ + type = "tap"; + id = "vm-${machine.hostName}"; + mac = config.lab.vmMacAddress; + }]; + }; + }; +} diff --git a/nixos/default.nix b/nixos/default.nix deleted file mode 100644 index 1cef138..0000000 
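Review bot: The second hunk of nix/shared.nix drops the `# TODO: remove overlap with physical nixos module` comment but adds nothing that states what the file now is, even though this commit turns it into the base imported by both physical.nix and virtual.nix and the header in the first hunk loses `lib`, `config` and `hypervisorConfig`. A top-of-file comment such as `# Settings common to physical hosts (physical.nix) and microvm guests (virtual.nix); keep hypervisor-only and guest-only options out of this file.` would record the contract the split relies on. The header still takes `disko` and `machine`, presumably for import entries on lines 5–6 that fall between the two hunks; the import list and the `config` block both extend beyond the hunk boundaries.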
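Review bot: `system.stateVersion = hypervisorConfig.system.stateVersion;` in nix/virtual.nix ties each guest's stateVersion to whatever the host currently declares, so a later bump on the hypervisor silently changes it for every guest, which is the one thing stateVersion is meant to keep fixed per installation; pinning it per guest, e.g. `system.stateVersion = "23.05";` or a value taken from the machine definition, keeps it stable. The tap interface `id = "vm-${machine.hostName}"` is, as far as I recall from microvm.nix, used as the host-side device name, and Linux caps interface names at 15 characters, so any hostName longer than 12 characters would fail to bring the interface up; worth either documenting that limit on the option or truncating deterministically. `lab.vmMacAddress` is declared as a bare `lib.types.str`; a `lib.types.strMatching` pattern for a MAC address would reject malformed values at evaluation time rather than at VM start.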
--- a/nixos/default.nix
+++ /dev/null
@@ -1,168 +0,0 @@ -{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ./modules - ./lab.nix - machine.nixosModule - disko.nixosModules.disko - agenix.nixosModules.default - microvm.nixosModules.host - ]; - - config = { - boot = { - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - - initrd = { - availableKernelModules = [ - "ahci" - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - kernelModules = [ ]; - }; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - time.timeZone = "Europe/Amsterdam"; - - i18n = { - defaultLocale = "en_US.UTF-8"; - - extraLocaleSettings = { - LC_ADDRESS = "nl_NL.UTF-8"; - LC_IDENTIFICATION = "nl_NL.UTF-8"; - LC_MEASUREMENT = "nl_NL.UTF-8"; - LC_MONETARY = "nl_NL.UTF-8"; - LC_NAME = "nl_NL.UTF-8"; - LC_NUMERIC = "nl_NL.UTF-8"; - LC_PAPER = "nl_NL.UTF-8"; - LC_TELEPHONE = "nl_NL.UTF-8"; - LC_TIME = "nl_NL.UTF-8"; - }; - }; - - services = { - openssh = { - enable = true; - openFirewall = true; - - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - }; - - xserver = { - layout = "us"; - xkbVariant = ""; - }; - }; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - ]; - - programs = { - ssh = { - knownHosts = { - dmz = { - hostNames = [ "*.dmz" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; - certAuthority = true; - }; - - hypervisors = { - hostNames = [ "*.hyp" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; - certAuthority = true; - }; - }; - - }; - - neovim = { - enable = true; - vimAlias = true; - 
viAlias = true; - }; - }; - - nixpkgs = { - config.allowUnfree = true; - hostPlatform = "x86_64-linux"; - }; - - environment.systemPackages = with pkgs; [ - neofetch - wget - git - btop - htop - ripgrep - dig - tree - file - tcpdump - lsof - parted - radvd - ]; - - hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware; - - age.identityPaths = [ "/etc/age_ed25519" ]; - - virtualisation.libvirtd.enable = true; - - nix = { - package = pkgs.nixFlakes; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - system = { - stateVersion = "23.05"; - - activationScripts.diff = '' - if [[ -e /run/current-system ]]; then - ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig" - fi - ''; - }; - - microvm.vms = - let - vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines); - in - lib.attrsets.mergeAttrsList (map - (vm: - { - "${vm.hostName}" = { - # TODO Simplify? - specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; }; - config = { - imports = [ - ./vm.nix - ]; - }; - }; - } - ) - vmsForHypervisor - ); - }; -}