remove hypervisor vlan

remove VM support
This commit is contained in:
Pim Kunis 2024-04-12 23:13:06 +02:00
parent 0c882b7bcb
commit d2f4fb1e86
8 changed files with 12 additions and 342 deletions


@ -5,9 +5,8 @@
machine.nixosModule
disko.nixosModules.disko
agenix.nixosModules.default
]
++ lib.lists.optional machine.isPhysical ./physical.nix
++ lib.lists.optional machine.isVirtual ./virtual;
./physical.nix
];
config = {
time.timeZone = "Europe/Amsterdam";
@ -59,15 +58,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
certAuthority = true;
};
hypervisors = {
hostNames = [ "*.hyp" ];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
certAuthority = true;
};
};
};
neovim = {
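Review bot: The `hypervisors` entry removed in the second hunk was the only visible trust anchor for the `*.hyp` host pattern, and the `hostNames` of the entry that survives above it (`certAuthority = true;`) lies outside the hunk. Since this commit also sets `networking.domain` to `dmz` for every machine, confirm that the surviving entry's pattern matches the former hypervisor hosts under their new names; otherwise SSH host-key verification for those hosts silently drops from CA validation to first-use prompts. The enclosing set (presumably `programs.ssh.knownHosts`) starts before the hunk, so the remaining patterns cannot be checked here.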


@ -1,4 +1,4 @@
{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, microvm, disko, agenix, nixos-hardware, kubenix, ... }:
{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, agenix, nixos-hardware, kubenix, disko, ... }:
let
mkNixosSystems = systemDef:
builtins.mapAttrs
@ -11,7 +11,7 @@ in
nixosConfigurations = mkNixosSystems (name: machine: {
system = machine.arch;
specialArgs = { inherit nixpkgs-unstable machines machine dns microvm disko agenix nixos-hardware kubenix; };
specialArgs = { inherit nixpkgs-unstable machines machine dns agenix nixos-hardware kubenix disko; };
modules = [
../.
{ networking.hostName = name; }


@ -46,7 +46,7 @@ in {
config = {
networking = {
domain = if machine.isPhysical then "hyp" else "dmz";
domain = "dmz";
nftables.enable = true;
useDHCP = false;
@ -59,96 +59,15 @@ in {
systemd.network = {
enable = true;
netdevs = lib.mkIf machine.isHypervisor {
"20-vlandmz" = {
vlanConfig.Id = 30;
netdevConfig = {
Kind = "vlan";
Name = "vlandmz";
};
};
"20-bridgedmz" = {
netdevConfig = {
Kind = "bridge";
Name = cfg.dmz.bridgeName;
};
};
};
networks = lib.attrsets.mergeAttrsList [
(lib.optionalAttrs machine.isHypervisor {
"30-main-nic" = {
matchConfig.Name = "en*";
vlan = [ "vlandmz" ];
networkConfig = {
DHCP = "yes";
};
};
"40-vlandmz" = {
matchConfig.Name = "vlandmz";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
IPv6AcceptRA = false;
LinkLocalAddressing = "no";
Bridge = cfg.dmz.bridgeName;
};
};
"40-bridgedmz" = {
matchConfig.Name = cfg.dmz.bridgeName;
linkConfig.RequiredForOnline = "carrier";
networkConfig = {
IPv6AcceptRA = cfg.dmz.allowConnectivity;
LinkLocalAddressing = if cfg.dmz.allowConnectivity then "ipv6" else "no";
DHCP = "yes";
};
};
"40-vms" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = cfg.dmz.bridgeName;
};
})
(lib.optionalAttrs machine.isVirtual {
"30-main-nic" = {
matchConfig.Name = "en*";
networkConfig = {
IPv6AcceptRA = ! cfg.staticNetworking;
DHCP = lib.mkIf (! cfg.staticNetworking) "yes";
Address = lib.mkIf cfg.staticNetworking [
"${cfg.staticIPv4}/${cfg.dmz.ipv4.prefixLength}"
"${cfg.staticIPv6}/${cfg.dmz.ipv6.prefixLength}"
];
DNS = lib.mkIf cfg.staticNetworking [
cfg.dmz.ipv4.router
cfg.dmz.ipv6.router
];
};
routes = lib.mkIf cfg.staticNetworking [
{
routeConfig = {
Gateway = cfg.dmz.ipv4.router;
Destination = "0.0.0.0/0";
};
}
{
routeConfig = {
Gateway = cfg.dmz.ipv6.router;
Destination = "::/0";
};
}
];
};
})
(lib.optionalAttrs machine.isRaspberryPi {
"30-main-nic" = {


@ -1,8 +1,5 @@
{ pkgs, nixpkgs-unstable, config, lib, microvm, disko, agenix, machine, machines, dns, nixos-hardware, kubenix, ... }: {
imports = [
microvm.nixosModules.host
]
++ lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4;
{ pkgs, config, lib, machine, nixos-hardware, ... }: {
imports = lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4;
config = {
boot = lib.mkIf (machine.isHypervisor) {
@ -54,32 +51,5 @@
fi
'';
};
microvm.vms =
let
vmsForHypervisor = lib.filterAttrs (n: v: v.isVirtual && v.hypervisorName == config.networking.hostName) machines;
in
builtins.mapAttrs
(name: vm:
{
# Do not restart virtual machines to apply configuration changes.
# While conceptually this seems useful, it could result in annoying situations.
# For example, changing the default VM configuration will restart ALL VMs simultaneously, causing a lot of stress on the servers.
# Downside of not restarting, is that we may need to do this manually now to apply changes.
restartIfChanged = false;
specialArgs = {
inherit agenix disko pkgs lib microvm dns nixpkgs-unstable kubenix;
machine = vm;
hypervisorConfig = config;
};
config.imports = [
./.
{ networking.hostName = name; }
];
}
)
vmsForHypervisor;
};
}
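Review bot: `boot = lib.mkIf (machine.isHypervisor) {` at the end of the first hunk still keys on `machine.isHypervisor`, although this commit removes the `microvm.vms` block below it, the `hypervisors` SSH CA and the `hyp` domain, so the hypervisor role appears to no longer exist. If `isHypervisor` is also dropped from the machine definitions (not visible here), evaluating this module fails on the missing attribute; if it is kept, the gate is dead configuration that can never be exercised again. Either remove the `lib.mkIf` wrapper together with the attribute, or document the leftover with `# isHypervisor only gates these boot settings; the VM host role itself was removed.` above that line. The `config = {` set opened in the first hunk closes at the final `};` of the second hunk, and its middle is outside the shown hunks.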


@ -1,94 +0,0 @@
{ pkgs, lib, config, hypervisorConfig, ... }: {
imports = [ ./docker_swarm.nix ];
options.lab.vm = {
# TODO: make global.
baseMACAddress = lib.mkOption {
default = "BA:DB:EE:F0:00:00";
type = lib.types.str;
description = ''
Base MAC address for VMs in the DMZ.
'';
};
id = lib.mkOption {
type = lib.types.int;
description = ''
Unique identifier of this VM from wich the MAC address is derived.
'';
};
shares = lib.mkOption {
default = [ ];
description = ''
Directories mounted on the VM using VirtioFS.
'';
type = lib.types.listOf (lib.types.submodule ({ config, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
description = ''
The name of the directory share.
'';
};
mountPoint = lib.mkOption {
type = lib.types.str;
description = ''
The mount point of the directory share inside the virtual machine.
'';
};
};
}));
};
};
config = {
system.stateVersion = hypervisorConfig.system.stateVersion;
lab.vm.shares = [{
name = "host_keys";
mountPoint = "/etc/ssh/host_keys";
}];
services.openssh =
let
hostKeyPath = "/etc/ssh/host_keys/ssh_host_ed25519_key";
in
{
hostKeys = [{
path = hostKeyPath;
type = "ed25519";
}];
extraConfig = ''
HostKey ${hostKeyPath}
'';
};
microvm = {
# TODO: make this dependent on the host CPU
vcpu = 4;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}] ++ map
(share: {
source = "/var/lib/microvms/${config.networking.hostName}/shares/${share.name}";
mountPoint = share.mountPoint;
tag = share.name;
proto = "virtiofs";
})
config.lab.vm.shares;
interfaces = [{
type = "tap";
id = "vm-${config.networking.hostName}";
mac = pkgs.lib.net.mac.add config.lab.vm.id config.lab.vm.baseMACAddress;
}];
};
};
}


@ -1,39 +0,0 @@
{ pkgs, lib, config, machine, ... }:
let
cfg = config.lab.dockerSwarm;
in
{
options.lab.dockerSwarm.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable Docker Swarm on this host.
'';
};
config = lib.mkIf cfg.enable {
lab.vm.shares = lib.mkIf machine.isVirtual [{
name = "docker";
mountPoint = "/var/lib/docker";
}];
networking = {
nftables.enable = lib.mkForce false;
firewall.enable = lib.mkForce false;
};
virtualisation.docker = {
enable = true;
liveRestore = false;
};
environment.systemPackages = [
(pkgs.python311.withPackages (python-pkgs: with python-pkgs; [
docker
requests
jsondiff
pyyaml
]))
];
};
}