From c2e2ed5ea89ce0592a2801f4d66f731d64729e15 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 26 Feb 2024 23:08:12 +0100 Subject: [PATCH 1/5] WIP raspberry pi support --- flake.nix | 15 ++++---- nixos/machines/default.nix | 14 +++++++ nixos/modules/networking/default.nix | 4 +- nixos/modules/storage.nix | 9 +++-- nixos/physical.nix | 55 +++++++++++++++++----------- 5 files changed, 63 insertions(+), 34 deletions(-) diff --git a/flake.nix b/flake.nix index 635a074..6078051 100644 --- a/flake.nix +++ b/flake.nix @@ -30,10 +30,9 @@ outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, dns, microvm, ... }: let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; + pkgs = nixpkgs.legacyPackages."x86_64-linux"; lib = pkgs.lib; - pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; + pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; machines = import ./nixos/machines; physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; mkNixosSystems = systemDef: @@ -48,7 +47,7 @@ physicalMachines; in { - devShells.${system}.default = pkgs.mkShell { + devShells."x86_64-linux".default = pkgs.mkShell { packages = with pkgs; [ libsecret # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow. @@ -65,10 +64,11 @@ ]; }; - formatter.${system} = pkgs.nixfmt; + formatter."x86_64-linux" = pkgs.nixfmt; nixosConfigurations = mkNixosSystems (name: machine: { - inherit system; + system = machine.arch; + specialArgs = { inherit machines machine dns microvm disko agenix; }; modules = [ ./nixos @@ -83,7 +83,8 @@ nodes = mkDeployNodes (name: machine: { hostname = self.nixosConfigurations.${name}.config.networking.fqdn; profiles.system = { - path = deploy-rs.lib.${system}.activate.nixos + remoteBuild = true; + path = deploy-rs.lib."aarch64-linux".activate.nixos self.nixosConfigurations.${name}; }; }); diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix index a520f90..7cdf2a1 100644 --- a/nixos/machines/default.nix +++ b/nixos/machines/default.nix @@ -1,6 +1,18 @@ { + warwick = { + type = "physical"; + arch = "aarch64-linux"; + + nixosModule.lab = { + storage = { + osDisk = "/dev/sda"; + }; + }; + }; + atlas = { type = "physical"; + arch = "x86_64-linux"; nixosModule.lab = { storage = { @@ -18,6 +30,7 @@ jefke = { type = "physical"; + arch = "x86_64-linux"; nixosModule = { lab = { @@ -37,6 +50,7 @@ lewis = { type = "physical"; + arch = "x86_64-linux"; nixosModule.lab = { backups.enable = true; diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix index 16416f6..577e3e1 100644 --- a/nixos/modules/networking/default.nix +++ b/nixos/modules/networking/default.nix @@ -35,7 +35,7 @@ in { networking = { domain = if machine.type == "physical" then "hyp" else "dmz"; nftables.enable = true; - useDHCP = false; + useDHCP = true; firewall = { enable = true; @@ -43,7 +43,7 @@ in { }; }; - systemd.network = lib.mkIf (machine.type == "physical") { + systemd.network = lib.mkIf (false && machine.type == "physical") { enable = true; netdevs = { diff --git a/nixos/modules/storage.nix b/nixos/modules/storage.nix index 3ad1b78..6611546 100644 --- a/nixos/modules/storage.nix +++ b/nixos/modules/storage.nix @@ -10,7 +10,8 @@ in { }; dataPartition = lib.mkOption { - type = lib.types.str; + default = null; + type = lib.types.nullOr lib.types.str; description = '' Partition to be used for data storage on this machine. ''; @@ -25,8 +26,10 @@ in { }; }; - config = lib.mkIf (machine.type == "physical") { - fileSystems.${cfg.dataMountPoint}.device = cfg.dataPartition; + config = lib.mkIf (false && machine.type == "physical") { + fileSystems.${cfg.dataMountPoint} = lib.mkIf (! isNull cfg.dataPartition) { + device = cfg.dataPartition; + }; # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. disko.devices.disk.vdb = { diff --git a/nixos/physical.nix b/nixos/physical.nix index 1bf9b02..df1e959 100644 --- a/nixos/physical.nix +++ b/nixos/physical.nix @@ -1,39 +1,50 @@ -{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, dns, ... }: { +{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, dns, machine, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") microvm.nixosModules.host ]; config = { - boot = { - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - initrd = { - availableKernelModules = [ - "ahci" - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - kernelModules = [ ]; - }; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; }; }; + boot.loader.grub.device = "/dev/sda"; + # boot = { + # # kernelModules = [ "kvm-intel" ]; + # kernelModules = [ ]; + # extraModulePackages = [ ]; + + # initrd = { + # availableKernelModules = [ + # "ahci" + # "xhci_pci" + # "nvme" + # "usbhid" + # "usb_storage" + # "sd_mod" + # "sdhci_pci" + # ]; + # kernelModules = [ ]; + # }; + + # loader = { + # # systemd-boot.enable = true; + # efi.canTouchEfiVariables = true; + # }; + # }; + nixpkgs = { config.allowUnfree = true; - hostPlatform = "x86_64-linux"; + # hostPlatform = machine.arch; }; - hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware; + # hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware; age.identityPaths = [ "/etc/age_ed25519" ]; -- 2.45.2 From 1683c4caa8adf98cd75ca749563f1c3e95fa84b1 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 27 Feb 2024 20:14:53 +0100 Subject: [PATCH 2/5] deploy-rs works for raspberrypi --- flake.lock | 17 +++++++++++++++++ flake.nix | 5 +++-- nixos/physical.nix | 9 +++++++-- nixos/virtual/default.nix | 14 +++++++------- 4 files changed, 34 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index 4c9d906..5b6d7de 100644 --- a/flake.lock +++ b/flake.lock @@ -198,6 +198,22 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1708594753, + "narHash": "sha256-c/gH7iXS/IYH9NrFOT+aJqTq+iEBkvAkpWuUHGU3+f0=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "3f7d0bca003eac1a1a7f4659bbab9c8f8c2a0958", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1702272962, @@ -253,6 +269,7 @@ "disko": "disko", "dns": "dns", "microvm": "microvm", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable" } diff --git a/flake.nix b/flake.nix index 6078051..f10eb34 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; disko = { url = "github:nix-community/disko"; @@ -28,7 +29,7 @@ }; outputs = - { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, dns, microvm, ... }: + { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, dns, microvm, nixos-hardware, ... }: let pkgs = nixpkgs.legacyPackages."x86_64-linux"; lib = pkgs.lib; @@ -69,7 +70,7 @@ nixosConfigurations = mkNixosSystems (name: machine: { system = machine.arch; - specialArgs = { inherit machines machine dns microvm disko agenix; }; + specialArgs = { inherit machines machine dns microvm disko agenix nixos-hardware; }; modules = [ ./nixos { networking.hostName = name; } diff --git a/nixos/physical.nix b/nixos/physical.nix index df1e959..13251f3 100644 --- a/nixos/physical.nix +++ b/nixos/physical.nix @@ -1,7 +1,8 @@ -{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, dns, machine, ... }: { +{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, dns, machine, nixos-hardware, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") microvm.nixosModules.host + nixos-hardware.nixosModules.raspberry-pi-4 ]; config = { @@ -14,7 +15,11 @@ }; }; - boot.loader.grub.device = "/dev/sda"; + # boot.loader.grub.device = "/dev/sda"; + # boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.grub.device = "nodev"; # boot = { # # kernelModules = [ "kvm-intel" ]; # kernelModules = [ ]; diff --git a/nixos/virtual/default.nix b/nixos/virtual/default.nix index f3bf85b..ad37f90 100644 --- a/nixos/virtual/default.nix +++ b/nixos/virtual/default.nix @@ -74,14 +74,14 @@ }]; services.openssh = { - hostKeys = [{ - path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; - type = "ed25519"; - }]; + # hostKeys = [{ + # path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; + # type = "ed25519"; + # }]; - extraConfig = '' - HostKey /etc/ssh/host_keys/ssh_host_ed25519_key - ''; + # extraConfig = '' + # HostKey /etc/ssh/host_keys/ssh_host_ed25519_key + # ''; }; microvm = { -- 2.45.2 From 25937f535b76cd552703f860af8c36763f78d12d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 27 Feb 2024 23:28:52 +0100 Subject: [PATCH 3/5] integrate settings raspberry pi --- flake.nix | 4 +- nixos/machines/default.nix | 56 ++++++++---- nixos/modules/networking/default.nix | 129 ++++++++++++++++++++------- nixos/modules/storage.nix | 61 +++++++------ nixos/physical.nix | 63 +++++-------- nixos/virtual/default.nix | 92 +++---------------- 6 files changed, 212 insertions(+), 193 deletions(-) diff --git a/flake.nix b/flake.nix index f10eb34..782ff27 100644 --- a/flake.nix +++ b/flake.nix @@ -84,8 +84,8 @@ nodes = mkDeployNodes (name: machine: { hostname = self.nixosConfigurations.${name}.config.networking.fqdn; profiles.system = { - remoteBuild = true; - path = deploy-rs.lib."aarch64-linux".activate.nixos + remoteBuild = machine.arch != "x86_64-linux"; + path = deploy-rs.lib."${machine.arch}".activate.nixos self.nixosConfigurations.${name}; }; }); diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix index 7cdf2a1..0642755 100644 --- a/nixos/machines/default.nix +++ b/nixos/machines/default.nix @@ -1,7 +1,12 @@ +# TODO: Create a nixos module system for this. (mkMerge) +# That way, we don't have to specify isRaspberryPi on every machine... etc. { warwick = { type = "physical"; arch = "aarch64-linux"; + isRaspberryPi = true; + isHypervisor = false; + isVirtualMachine = false; nixosModule.lab = { storage = { @@ -13,6 +18,9 @@ atlas = { type = "physical"; arch = "x86_64-linux"; + isRaspberryPi = false; + isHypervisor = true; + isVirtualMachine = false; nixosModule.lab = { storage = { @@ -31,19 +39,20 @@ jefke = { type = "physical"; arch = "x86_64-linux"; + isRaspberryPi = false; + isHypervisor = true; + isVirtualMachine = false; - nixosModule = { - lab = { - storage = { - osDisk = "/dev/sda"; - dataPartition = "/dev/nvme0n1p1"; - }; + nixosModule.lab = { + storage = { + osDisk = "/dev/sda"; + dataPartition = "/dev/nvme0n1p1"; + }; - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./certificates/jefke/host_ed25519.crt; - userCert = builtins.readFile ./certificates/jefke/user_ed25519.crt; - }; + ssh = { + useCertificates = true; + hostCert = builtins.readFile ./certificates/jefke/host_ed25519.crt; + userCert = builtins.readFile ./certificates/jefke/user_ed25519.crt; }; }; }; @@ -51,6 +60,9 @@ lewis = { type = "physical"; arch = "x86_64-linux"; + isRaspberryPi = false; + isHypervisor = true; + isVirtualMachine = false; nixosModule.lab = { backups.enable = true; @@ -73,18 +85,23 @@ hermes = { type = "virtual"; hypervisorName = "lewis"; + isRaspberryPi = false; + isVirtualMachine = true; + isHypervisor = false; nixosModule = { config, ... }: { lab = { - networking.dmz.services.enable = true; + networking = { + dmz.services.enable = true; + staticNetworking = true; + staticIPv4 = config.lab.networking.dmz.ipv4.services; + staticIPv6 = config.lab.networking.dmz.ipv6.services; + }; vm = { # TODO: would be cool to create a check that a mac address is only ever assigned to one VM. # TODO: idea: what if we generated these IDs by hashing the host name and reducing that to the amount of hosts possible? id = 7; - staticNetworking = true; - staticIPv4 = config.lab.networking.dmz.ipv4.services; - staticIPv6 = config.lab.networking.dmz.ipv6.services; shares = [{ name = "dnsmasq"; @@ -98,6 +115,9 @@ maestro = { type = "virtual"; hypervisorName = "atlas"; + isRaspberryPi = false; + isVirtualMachine = false; + isHypervisor = false; nixosModule = { config, ... }: { microvm.balloonMem = 7680; @@ -115,6 +135,9 @@ bancomart = { type = "virtual"; hypervisorName = "jefke"; + isRaspberryPi = false; + isVirtualMachine = false; + isHypervisor = false; nixosModule = { microvm.balloonMem = 7680; @@ -129,6 +152,9 @@ vpay = { type = "virtual"; hypervisorName = "lewis"; + isRaspberryPi = false; + isVirtualMachine = false; + isHypervisor = false; nixosModule = { microvm.balloonMem = 5120; diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix index 577e3e1..40f6404 100644 --- a/nixos/modules/networking/default.nix +++ b/nixos/modules/networking/default.nix @@ -22,11 +22,26 @@ in { }; }; - mainNicNamePattern = lib.mkOption { - default = "en*"; + staticNetworking = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Whether this machine has static networking configuration applied. + Routing is prepopulated, but IP addresses have to be set. + ''; + }; + + staticIPv4 = lib.mkOption { type = lib.types.str; description = '' - Pattern to match the name of this machine's main NIC. + Static IPv4 address for the machine. + ''; + }; + + staticIPv6 = lib.mkOption { + type = lib.types.str; + description = '' + Static IPv6 address for the machine. ''; }; }; @@ -35,7 +50,7 @@ in { networking = { domain = if machine.type == "physical" then "hyp" else "dmz"; nftables.enable = true; - useDHCP = true; + useDHCP = false; firewall = { enable = true; @@ -43,10 +58,10 @@ in { }; }; - systemd.network = lib.mkIf (false && machine.type == "physical") { + systemd.network = { enable = true; - netdevs = { + netdevs = lib.mkIf machine.isHypervisor { "20-vlandmz" = { vlanConfig.Id = 30; @@ -64,43 +79,89 @@ in { }; }; - networks = { - "30-main-nic" = { - matchConfig.Name = cfg.mainNicNamePattern; - vlan = [ "vlandmz" ]; + networks = lib.attrsets.mergeAttrsList [ + (lib.optionalAttrs machine.isHypervisor { + "30-main-nic" = { + matchConfig.Name = "en*"; + vlan = [ "vlandmz" ]; - networkConfig = { - DHCP = "yes"; + networkConfig = { + DHCP = "yes"; + }; }; - }; - "40-vlandmz" = { - matchConfig.Name = "vlandmz"; - linkConfig.RequiredForOnline = "enslaved"; + "40-vlandmz" = { + matchConfig.Name = "vlandmz"; + linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - IPv6AcceptRA = false; - LinkLocalAddressing = "no"; - Bridge = cfg.dmz.bridgeName; + networkConfig = { + IPv6AcceptRA = false; + LinkLocalAddressing = "no"; + Bridge = cfg.dmz.bridgeName; + }; }; - }; - "40-bridgedmz" = { - matchConfig.Name = cfg.dmz.bridgeName; - linkConfig.RequiredForOnline = "carrier"; + "40-bridgedmz" = { + matchConfig.Name = cfg.dmz.bridgeName; + linkConfig.RequiredForOnline = "carrier"; - networkConfig = { - IPv6AcceptRA = cfg.dmz.allowConnectivity; - LinkLocalAddressing = if cfg.dmz.allowConnectivity then "ipv6" else "no"; - DHCP = "yes"; + networkConfig = { + IPv6AcceptRA = cfg.dmz.allowConnectivity; + LinkLocalAddressing = if cfg.dmz.allowConnectivity then "ipv6" else "no"; + DHCP = "yes"; + }; }; - }; - "40-vms" = { - matchConfig.Name = "vm-*"; - networkConfig.Bridge = cfg.dmz.bridgeName; - }; - }; + "40-vms" = { + matchConfig.Name = "vm-*"; + networkConfig.Bridge = cfg.dmz.bridgeName; + }; + }) + (lib.optionalAttrs machine.isVirtualMachine { + "30-main-nic" = { + matchConfig.Name = "en*"; + + networkConfig = { + IPv6AcceptRA = ! cfg.staticNetworking; + DHCP = lib.mkIf (! cfg.staticNetworking) "yes"; + + Address = lib.mkIf cfg.staticNetworking [ + "${cfg.staticIPv4}/${cfg.dmz.ipv4.prefixLength}" + "${cfg.staticIPv6}/${cfg.dmz.ipv6.prefixLength}" + ]; + + DNS = lib.mkIf cfg.staticNetworking [ + cfg.dmz.ipv4.router + cfg.dmz.ipv6.router + ]; + }; + + routes = lib.mkIf cfg.staticNetworking [ + { + routeConfig = { + Gateway = cfg.dmz.ipv4.router; + Destination = "0.0.0.0/0"; + }; + } + { + routeConfig = { + Gateway = cfg.dmz.ipv6.router; + Destination = "::/0"; + }; + } + ]; + }; + }) + (lib.optionalAttrs machine.isRaspberryPi { + "30-main-nic" = { + matchConfig.Name = "end*"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "yes"; + }; + }; + }) + ]; }; }; } diff --git a/nixos/modules/storage.nix b/nixos/modules/storage.nix index 6611546..94e3365 100644 --- a/nixos/modules/storage.nix +++ b/nixos/modules/storage.nix @@ -26,40 +26,51 @@ in { }; }; - config = lib.mkIf (false && machine.type == "physical") { - fileSystems.${cfg.dataMountPoint} = lib.mkIf (! isNull cfg.dataPartition) { - device = cfg.dataPartition; - }; + config = { + fileSystems = lib.attrsets.mergeAttrsList [ + (lib.optionalAttrs machine.isHypervisor { + "${cfg.dataMountPoint}".device = cfg.dataPartition; + }) + (lib.optionalAttrs machine.isRaspberryPi { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + }) + ]; # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. - disko.devices.disk.vdb = { - device = cfg.osDisk; - type = "disk"; + disko = lib.mkIf machine.isHypervisor { + devices.disk.vdb = { + device = cfg.osDisk; + type = "disk"; - content = { - type = "gpt"; + content = { + type = "gpt"; - partitions = { - swap.size = "100%"; + partitions = { + swap.size = "100%"; - ESP = { - type = "EF00"; - size = "500M"; + ESP = { + type = "EF00"; + size = "500M"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; }; - }; - root = { - end = "-4G"; + root = { + end = "-4G"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; }; }; }; diff --git a/nixos/physical.nix b/nixos/physical.nix index 13251f3..9b6e0af 100644 --- a/nixos/physical.nix +++ b/nixos/physical.nix @@ -1,55 +1,40 @@ -{ pkgs, config, lib, modulesPath, microvm, disko, agenix, machines, dns, machine, nixos-hardware, ... }: { +{ pkgs, config, lib, microvm, disko, agenix, machine, machines, dns, nixos-hardware, ... }: { imports = [ - (modulesPath + "/installer/scan/not-detected.nix") microvm.nixosModules.host - nixos-hardware.nixosModules.raspberry-pi-4 - ]; + ] + ++ lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4; config = { + boot = lib.mkIf (machine.isHypervisor) { + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; - fileSystems = { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - options = [ "noatime" ]; + initrd = { + availableKernelModules = [ + "ahci" + "xhci_pci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + kernelModules = [ ]; + }; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; }; - # boot.loader.grub.device = "/dev/sda"; - # boot.loader.grub.enable = true; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.grub.device = "nodev"; - # boot = { - # # kernelModules = [ "kvm-intel" ]; - # kernelModules = [ ]; - # extraModulePackages = [ ]; - - # initrd = { - # availableKernelModules = [ - # "ahci" - # "xhci_pci" - # "nvme" - # "usbhid" - # "usb_storage" - # "sd_mod" - # "sdhci_pci" - # ]; - # kernelModules = [ ]; - # }; - - # loader = { - # # systemd-boot.enable = true; - # efi.canTouchEfiVariables = true; - # }; - # }; - nixpkgs = { config.allowUnfree = true; + # TODO: do we need this? # hostPlatform = machine.arch; }; - # hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = lib.mkIf (machine.isHypervisor) config.hardware.enableRedistributableFirmware; age.identityPaths = [ "/etc/age_ed25519" ]; diff --git a/nixos/virtual/default.nix b/nixos/virtual/default.nix index ad37f90..089fe41 100644 --- a/nixos/virtual/default.nix +++ b/nixos/virtual/default.nix @@ -2,6 +2,7 @@ imports = [ ./docker_swarm.nix ]; options.lab.vm = { + # TODO: make global. baseMACAddress = lib.mkOption { default = "BA:DB:EE:F0:00:00"; type = lib.types.str; @@ -17,29 +18,6 @@ ''; }; - staticNetworking = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Whether this VM has static networking configuration applied. - Routing is prepopulated, but IP addresses have to be set. - ''; - }; - - staticIPv4 = lib.mkOption { - type = lib.types.str; - description = '' - Static IPv4 address for the VM. - ''; - }; - - staticIPv6 = lib.mkOption { - type = lib.types.str; - description = '' - Static IPv6 address for the VM. - ''; - }; - shares = lib.mkOption { default = [ ]; description = '' @@ -73,16 +51,20 @@ mountPoint = "/etc/ssh/host_keys"; }]; - services.openssh = { - # hostKeys = [{ - # path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; - # type = "ed25519"; - # }]; + services.openssh = + let + hostKeyPath = "/etc/ssh/host_keys/ssh_host_ed25519_key"; + in + { + hostKeys = [{ + path = hostKeyPath; + type = "ed25519"; + }]; - # extraConfig = '' - # HostKey /etc/ssh/host_keys/ssh_host_ed25519_key - # ''; - }; + extraConfig = '' + HostKey ${hostKeyPath} + ''; + }; microvm = { # TODO: make this dependent on the host CPU @@ -108,51 +90,5 @@ mac = pkgs.lib.net.mac.add config.lab.vm.id config.lab.vm.baseMACAddress; }]; }; - - networking.useDHCP = false; - - systemd.network = - let - cfg = config.lab.networking; - in - { - enable = true; - - networks = { - "30-main-nic" = { - matchConfig.Name = "en*"; - - networkConfig = { - IPv6AcceptRA = ! config.lab.vm.staticNetworking; - DHCP = lib.mkIf (! config.lab.vm.staticNetworking) "yes"; - - Address = lib.mkIf config.lab.vm.staticNetworking [ - "${ config.lab.vm.staticIPv4}/${cfg.dmz.ipv4.prefixLength}" - "${config.lab.vm.staticIPv6}/${cfg.dmz.ipv6.prefixLength}" - ]; - - DNS = lib.mkIf config.lab.vm.staticNetworking [ - cfg.dmz.ipv4.router - cfg.dmz.ipv6.router - ]; - }; - - routes = lib.mkIf config.lab.vm.staticNetworking [ - { - routeConfig = { - Gateway = cfg.dmz.ipv4.router; - Destination = "0.0.0.0/0"; - }; - } - { - routeConfig = { - Gateway = cfg.dmz.ipv6.router; - Destination = "::/0"; - }; - } - ]; - }; - }; - }; }; } -- 2.45.2 From 22c235f3800821f66f3ffe0cf44b262eb4fb900c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 27 Feb 2024 23:31:48 +0100 Subject: [PATCH 4/5] add documentation about broken flake checks --- README.md | 3 +++ flake.nix | 2 ++ 2 files changed, 5 insertions(+) diff --git a/README.md b/README.md index 8582b86..a5f4e74 100644 --- a/README.md +++ b/README.md @@ -45,3 +45,6 @@ A workaround is to deploy the share without `deploy-rs`'s rollback feature enabl ``` deploy --targets .#lewis --auto-rollback false --magic-rollback false ``` + +Currently the flake checks fail on Raspberry Pi because it tries to compile the deploy-rs binary in aarch64 format on the controller. +This can be temporarily circumvented by using `--skip-checks`. diff --git a/flake.nix b/flake.nix index 782ff27..ce94d78 100644 --- a/flake.nix +++ b/flake.nix @@ -91,6 +91,8 @@ }); }; + # TODO: Currently flake checks for Raspberry Pi are broken. + # Temporarily use --skip-checks until this is resolved. checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; -- 2.45.2 From 735a8a0ddf725f8e025e29dcb0bf9e21d03d0762 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 28 Feb 2024 21:39:23 +0100 Subject: [PATCH 5/5] skip deploy-rs flake check for architecture different from the deployment machine --- README.md | 3 --- flake.nix | 25 +++++++++++++++++-------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index a5f4e74..8582b86 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,3 @@ A workaround is to deploy the share without `deploy-rs`'s rollback feature enabl ``` deploy --targets .#lewis --auto-rollback false --magic-rollback false ``` - -Currently the flake checks fail on Raspberry Pi because it tries to compile the deploy-rs binary in aarch64 format on the controller. -This can be temporarily circumvented by using `--skip-checks`. diff --git a/flake.nix b/flake.nix index ce94d78..1989ac2 100644 --- a/flake.nix +++ b/flake.nix @@ -31,9 +31,10 @@ outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, dns, microvm, nixos-hardware, ... }: let - pkgs = nixpkgs.legacyPackages."x86_64-linux"; + controllerArch = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${controllerArch}; lib = pkgs.lib; - pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; + pkgs-unstable = nixpkgs-unstable.legacyPackages.${controllerArch}; machines = import ./nixos/machines; physicalMachines = lib.filterAttrs (n: v: v.type == "physical") machines; mkNixosSystems = systemDef: @@ -48,7 +49,7 @@ physicalMachines; in { - devShells."x86_64-linux".default = pkgs.mkShell { + devShells.${controllerArch}.default = pkgs.mkShell { packages = with pkgs; [ libsecret # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow. @@ -65,7 +66,7 @@ ]; }; - formatter."x86_64-linux" = pkgs.nixfmt; + formatter.${controllerArch} = pkgs.nixfmt; nixosConfigurations = mkNixosSystems (name: machine: { system = machine.arch; @@ -84,17 +85,25 @@ nodes = mkDeployNodes (name: machine: { hostname = self.nixosConfigurations.${name}.config.networking.fqdn; profiles.system = { - remoteBuild = machine.arch != "x86_64-linux"; + remoteBuild = machine.arch != controllerArch; path = deploy-rs.lib."${machine.arch}".activate.nixos self.nixosConfigurations.${name}; }; }); }; - # TODO: Currently flake checks for Raspberry Pi are broken. - # Temporarily use --skip-checks until this is resolved. + # Deploy-rs' flake checks seem broken for architectures different from the deployment machine. + # We skip these here. checks = builtins.mapAttrs - (system: deployLib: deployLib.deployChecks self.deploy) + (system: deployLib: + deployLib.deployChecks (self.deploy // { + nodes = (lib.attrsets.filterAttrs + (name: node: + machines.${name}.arch == controllerArch + ) + self.deploy.nodes); + }) + ) deploy-rs.lib; }; } -- 2.45.2