create shared nixos config between physical and VM

rename nixos -> nix
Pim Kunis 2024-01-28 12:06:30 +01:00
parent 472175c5a3
commit 32154e7163
39 changed files with 114 additions and 196 deletions


@ -38,7 +38,7 @@
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
lib = pkgs.lib; lib = pkgs.lib;
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
machines = import ./nixos/machines; machines = import ./nix/machines;
physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines;
# TODO: Maybe use mergeAttrLists # TODO: Maybe use mergeAttrLists
mkNixosSystems = systemDef: mkNixosSystems = systemDef:
@ -78,7 +78,7 @@
nixosConfigurations = mkNixosSystems (machine: { nixosConfigurations = mkNixosSystems (machine: {
inherit system; inherit system;
specialArgs = { inherit machines machine kubenix dns microvm disko agenix; }; specialArgs = { inherit machines machine kubenix dns microvm disko agenix; };
modules = [ ./nixos ]; modules = [ ./nix/physical.nix ];
}); });
deploy = { deploy = {


@ -15,6 +15,7 @@
ssh = { ssh = {
useCertificates = true; useCertificates = true;
# TODO: automatically set this?
hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
}; };
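Review bot: The added `# TODO: automatically set this?` does not say what "this" is or what would set it; it sits directly above `hostCert`, but `userCert` on the next line is hard-coded in the same way. If the intent is to stop naming the certificate files by hand for each machine, the comment should say so, for example `# TODO: derive the hostCert/userCert file names from the machine name instead of hard-coding them`. The enclosing machine definition starts and ends outside the hunk, so the intended scope cannot be confirmed from here.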

81
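--- a/nix/physical.nix
+++ b/nix/physical.nix
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
+imports = [
+(modulesPath + "/installer/scan/not-detected.nix")
+microvm.nixosModules.host
+./shared.nix
+];
+config = {
+boot = {
+kernelModules = [ "kvm-intel" ];
+extraModulePackages = [ ];
+initrd = {
+availableKernelModules = [
+"ahci"
+"xhci_pci"
+"nvme"
+"usbhid"
+"usb_storage"
+"sd_mod"
+"sdhci_pci"
+];
+kernelModules = [ ];
+};
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+};
+nixpkgs = {
+config.allowUnfree = true;
+hostPlatform = "x86_64-linux";
+};
+hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+age.identityPaths = [ "/etc/age_ed25519" ];
+virtualisation.libvirtd.enable = true;
+nix = {
+package = pkgs.nixFlakes;
+extraOptions = ''
+experimental-features = nix-command flakes
+'';
+};
+system = {
+stateVersion = "23.05";
+activationScripts.diff = ''
+if [[ -e /run/current-system ]]; then
+${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
+fi
+'';
+};
+microvm.vms =
+let
+vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
+in
+lib.attrsets.mergeAttrsList (map
+(vm:
+{
+"${vm.hostName}" = {
+# TODO Simplify?
+specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
+config = {
+imports = [
+./virtual.nix
+];
+};
+};
+}
+)
+vmsForHypervisor
+);
+};
+}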
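Review bot: `hypervisorConfig = config` in each VM's `specialArgs` hands the hypervisor's entire evaluated configuration to the guest's modules, while the only use visible in `nix/virtual.nix` is `hypervisorConfig.system.stateVersion`. Passing just that value keeps guest definitions from reading, or quietly coming to depend on, unrelated host options: `specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorStateVersion = config.system.stateVersion; };` with `system.stateVersion = hypervisorStateVersion;` on the guest side. If guest modules not shown on this page also read `hypervisorConfig`, they would need the same narrowing.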


@ -1,4 +1,4 @@
{ pkgs, lib, config, agenix, disko, machine, hypervisorConfig, ... }: { { pkgs, machine, disko, agenix, ... }: {
imports = [ imports = [
./modules ./modules
./lab.nix ./lab.nix
@ -7,17 +7,7 @@
agenix.nixosModules.default agenix.nixosModules.default
]; ];
options.lab.vmMacAddress = lib.mkOption {
type = lib.types.str;
description = ''
The MAC address of the VM's main NIC.
'';
};
# TODO: remove overlap with physical nixos module
# Perhaps a sane defaults module?
config = { config = {
system.stateVersion = hypervisorConfig.system.stateVersion;
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
i18n = { i18n = {
@ -100,20 +90,5 @@
parted parted
radvd radvd
]; ];
microvm = {
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}];
interfaces = [{
type = "tap";
id = "vm-${machine.hostName}";
mac = config.lab.vmMacAddress;
}];
};
}; };
} }

29
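--- a/nix/virtual.nix
+++ b/nix/virtual.nix
@@ -0,0 +1,29 @@
+{ lib, config, machine, hypervisorConfig, ... }: {
+imports = [ ./shared.nix ];
+options.lab.vmMacAddress = lib.mkOption {
+type = lib.types.str;
+description = ''
+The MAC address of the VM's main NIC.
+'';
+};
+config = {
+system.stateVersion = hypervisorConfig.system.stateVersion;
+microvm = {
+shares = [{
+source = "/nix/store";
+mountPoint = "/nix/.ro-store";
+tag = "ro-store";
+proto = "virtiofs";
+}];
+interfaces = [{
+type = "tap";
+id = "vm-${machine.hostName}";
+mac = config.lab.vmMacAddress;
+}];
+};
+};
+}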
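Review bot: `lab.vmMacAddress` is declared as `lib.types.str`, so a malformed MAC in a machine definition is not rejected at evaluation time; `type = lib.types.strMatching "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}";` would catch it before deployment. The tap `id = "vm-${machine.hostName}"` becomes a Linux interface name, which is limited to 15 characters, so an assertion on the host name length would fail early for long names. The `/nix/store` virtiofs share makes every path in the hypervisor's store readable inside each guest; a comment above `shares` such as `# Guests can read the whole host store: secrets must never be placed in it` would record that constraint for future changes.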


@ -1,168 +0,0 @@
{ pkgs, config, lib, modulesPath, machine, microvm, disko, agenix, machines, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./modules
./lab.nix
machine.nixosModule
disko.nixosModules.disko
agenix.nixosModules.default
microvm.nixosModules.host
];
config = {
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"ahci"
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
time.timeZone = "Europe/Amsterdam";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "nl_NL.UTF-8";
LC_IDENTIFICATION = "nl_NL.UTF-8";
LC_MEASUREMENT = "nl_NL.UTF-8";
LC_MONETARY = "nl_NL.UTF-8";
LC_NAME = "nl_NL.UTF-8";
LC_NUMERIC = "nl_NL.UTF-8";
LC_PAPER = "nl_NL.UTF-8";
LC_TELEPHONE = "nl_NL.UTF-8";
LC_TIME = "nl_NL.UTF-8";
};
};
services = {
openssh = {
enable = true;
openFirewall = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
xserver = {
layout = "us";
xkbVariant = "";
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
];
programs = {
ssh = {
knownHosts = {
dmz = {
hostNames = [ "*.dmz" ];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
certAuthority = true;
};
hypervisors = {
hostNames = [ "*.hyp" ];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
certAuthority = true;
};
};
};
neovim = {
enable = true;
vimAlias = true;
viAlias = true;
};
};
nixpkgs = {
config.allowUnfree = true;
hostPlatform = "x86_64-linux";
};
environment.systemPackages = with pkgs; [
neofetch
wget
git
btop
htop
ripgrep
dig
tree
file
tcpdump
lsof
parted
radvd
];
hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
virtualisation.libvirtd.enable = true;
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
};
microvm.vms =
let
vmsForHypervisor = lib.attrValues (lib.filterAttrs (n: v: v.type == "virtual" && v.hypervisorName == machine.hostName) machines);
in
lib.attrsets.mergeAttrsList (map
(vm:
{
"${vm.hostName}" = {
# TODO Simplify?
specialArgs = { inherit agenix disko pkgs lib microvm; machine = vm; hypervisorConfig = config; };
config = {
imports = [
./vm.nix
];
};
};
}
)
vmsForHypervisor
);
};
}