
feat: add declarative microvms

This commit is contained in:
oddlama 2023-05-08 14:48:59 +02:00
parent 1a7472207a
commit 1b9d9fc58a
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 124 additions and 80 deletions

flake.lock generated

@ -116,11 +116,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682856014, "lastModified": 1683508929,
"narHash": "sha256-QkjneK3DH68IsEf2VnTkMesjsyHsVeVlr6TFxp97uIw=", "narHash": "sha256-AqkIrwewCL8+zlkqhNxheF+kOfyakzZDk43SqRTIqRE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "8b43938cf77bbeddec127a5398b5dba3578c4290", "rev": "2a59f5cf641607dbecb0cfec3ae32247e4aeb311",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +207,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682779989, "lastModified": 1683543852,
"narHash": "sha256-H8AjcIBYFYrlRobYJ+n1B+ZJ6TsaaeZpuLn4iRqVvr4=", "narHash": "sha256-aS9qNcg9GwSYFLCWa3Lw+2nVPG11mmQ3B7Oka1hh04M=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3144311f31194b537808ae6848f86f3dbf977d59", "rev": "3f3fa731ad0f99741d4dc98e8e1287b45e30b452",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -257,12 +257,10 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682817142, "lastModified": 1682972682,
"narHash": "sha256-mkKUFwQq8Sgw+p82K5SoWO6lODFeJcr+SpzH3+Utye0=", "narHash": "sha256-IYInF92rLqqVk/dyugT2QVbVeEfYx1rbBJjbUlRD8oE=",
"owner": "astro", "type": "git",
"repo": "microvm.nix", "url": "file:///root/projects/microvm.nix"
"rev": "15fb183b412619d27db227dcbaf959c63bdaba09",
"type": "github"
}, },
"original": { "original": {
"owner": "astro", "owner": "astro",
@ -293,11 +291,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682332772, "lastModified": 1683530131,
"narHash": "sha256-GMoWhChQdeNM2FFqVbEZgBABSdi/+JgSP6v+jUz5b24=", "narHash": "sha256-R0RSqj6JdZfru2x/cM19KJMHsU52OjtyxI5cccd+uFc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "d774aeedc0685e5871be1e1ee0511900deeb21c2", "rev": "10079333313ff62446e6f2b0e7c5231c7431d269",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -308,11 +306,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1682836095, "lastModified": 1683269598,
"narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=", "narHash": "sha256-KNsb+nBbB1Fmxd07dt4E0KXMT4YeKJB7gQaA6Xfk+mo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3", "rev": "51559e691f1493a26f94f1df1aaf516bb507e78b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -344,11 +342,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1682692304, "lastModified": 1683408522,
"narHash": "sha256-9/lyXN2BpHw+1xE+D2ySBSLMCHWqiWu5tPHBMRDib8M=", "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "937a9d1ee7b1351d8c55fff6611a8edf6e7c1c37", "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -69,6 +69,7 @@
colmena, colmena,
nixos-generators, nixos-generators,
nixpkgs, nixpkgs,
microvm,
flake-utils, flake-utils,
agenix-rekey, agenix-rekey,
... ...
@ -96,7 +97,6 @@
ward = { ward = {
type = "nixos"; type = "nixos";
system = "x86_64-linux"; system = "x86_64-linux";
microVmHost = true;
}; };
zackbiene = { zackbiene = {
type = "nixos"; type = "nixos";
@ -105,25 +105,24 @@
}; };
colmena = import ./nix/colmena.nix inputs; colmena = import ./nix/colmena.nix inputs;
colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes; inherit ((colmena.lib.makeHive self.colmena).introspect (x: x)) nodes;
microvmNodes = import ./nix/microvms.nix inputs;
# All nixos based hosts collected together
nodes = self.colmenaNodes // self.microvmNodes;
# Collect installer packages # Collect installer packages
inherit inherit
(recursiveMergeAttrs (recursiveMergeAttrs
(nixpkgs.lib.mapAttrsToList (nixpkgs.lib.mapAttrsToList
(import ./nix/generate-installer.nix inputs) (import ./nix/generate-installer.nix inputs)
self.colmenaNodes)) self.nodes))
packages packages
; ;
} }
// flake-utils.lib.eachDefaultSystem (system: rec { // flake-utils.lib.eachDefaultSystem (system: rec {
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; localSystem = system;
config.allowUnfree = true; config.allowUnfree = true;
overlays = [
microvm.overlay
];
}; };
apps = apps =
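Review bot: The `microvm` input this hunk starts consuming (the new `microvm,` argument and `microvm.overlay` in the per-system pkgs overlays) is pinned in this same commit's flake.lock to `file:///root/projects/microvm.nix` in place of the previous `astro/microvm.nix` github rev, which looks like a local `--override-input` that leaked into the lock; on any other machine the flake fails to fetch, and the input no longer resolves to a reviewable upstream commit with a content hash tied to that repo. The lock's `original` entry still names owner `astro`, so `nix flake lock --update-input microvm` should restore a github-pinned rev before this lands. The overlay is now applied unconditionally to every `eachDefaultSystem` pkgs set alongside `config.allowUnfree = true`; a short comment above `overlays = [` saying why it is needed globally rather than only on microvm hosts would help the next reader. The `eachDefaultSystem` body continues past the end of this hunk.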


@ -16,7 +16,7 @@
; ;
in { in {
networking = { networking = {
hostName = mkDefault nodeName; hostName = nodeName;
useDHCP = mkForce false; useDHCP = mkForce false;
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
@ -80,14 +80,16 @@ in {
}; };
# Rename known network interfaces # Rename known network interfaces
services.udev.packages = let services.udev.packages =
interfaceNamesUdevRules = pkgs.writeTextFile { lib.mkIf ((nodeSecrets.networking.interfaces or {}) != {})
name = "interface-names-udev-rules"; (let
text = concatStringsSep "\n" (mapAttrsToList ( interfaceNamesUdevRules = pkgs.writeTextFile {
interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"'' name = "interface-names-udev-rules";
) text = concatStringsSep "\n" (mapAttrsToList (
nodeSecrets.networking.interfaces); interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"''
destination = "/etc/udev/rules.d/01-interface-names.rules"; )
}; nodeSecrets.networking.interfaces);
in [interfaceNamesUdevRules]; destination = "/etc/udev/rules.d/01-interface-names.rules";
};
in [interfaceNamesUdevRules]);
} }
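Review bot: `hostName = nodeName;` drops the `mkDefault` the previous line had, so any host or microvm module that sets its own `networking.hostName` now fails with a conflicting-definition error instead of overriding the node name. If the intent is that the node name is authoritative, say so, e.g. `# hostName is derived from the node name and is deliberately not overridable per host`; otherwise keep `hostName = mkDefault nodeName;`. The new `lib.mkIf ((nodeSecrets.networking.interfaces or {}) != {})` guard correctly skips the rename rules for nodes that declare no interfaces, but the rule text still splices `attrs.mac` and the interface name into `01-interface-names.rules` unescaped; since these come from the encrypted per-node secrets this is trust in the secrets file rather than in external input, which is worth stating in the comment above the rules. The enclosing module function starts before this hunk.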


@ -1,5 +1,8 @@
{ {
config, config,
inputs,
lib,
microvm,
nixos-hardware, nixos-hardware,
pkgs, pkgs,
... ...
@ -8,6 +11,8 @@
nixos-hardware.common-cpu-intel nixos-hardware.common-cpu-intel
nixos-hardware.common-pc-ssd nixos-hardware.common-pc-ssd
microvm.host
../common/core ../common/core
../common/hardware/intel.nix ../common/hardware/intel.nix
../common/hardware/physical.nix ../common/hardware/physical.nix
@ -23,6 +28,22 @@
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
microvm.vms = {
test = let
node =
(import ../../nix/generate-node.nix inputs)
"ward-microvm-test" {
system = "x86_64-linux";
config = ./microvms/test;
};
in {
inherit (node) pkgs specialArgs;
config = {
inherit (node) imports;
};
};
};
#services.authelia.instances.main = { #services.authelia.instances.main = {
# enable = true; # enable = true;
# settings = { # settings = {
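Review bot: The VM is registered by hand as `microvm.vms.test` with the literal node name `"ward-microvm-test"`, while the secrets loader in this commit discovers microvms by reading `hosts/<node>/microvms/*` and derives the key as `"${nodeName}-microvm-${microvmName}"`; the two only line up as long as both are edited in step, and a mismatch is silent, because `importEncrypted` falls back to `{}` for a missing secrets file and the networking module reads `nodeSecrets.networking.interfaces or {}`, so a misnamed VM simply boots with no secrets and no interface rules. Deriving the VM set from the same directory listing keeps the name in one place and makes an unregistered directory impossible. The `config = ./microvms/test` value is also passed through `generate-node.nix`, whose import expression in this commit I read as appending the node name to that path (see the note there); worth confirming with a `nix eval` of this host before merging. The enclosing host module continues outside this hunk.

```nix
  microvm.vms = let
    # One VM per directory under ./microvms, keyed "<host>-microvm-<dir>"
    # so the node name matches what nix/secrets derives from the same tree.
    vmDirs = lib.attrNames (lib.filterAttrs (_: t: t == "directory") (builtins.readDir ./microvms));
    mkVm = name: let
      node = (import ../../nix/generate-node.nix inputs) "ward-microvm-${name}" {
        system = "x86_64-linux";
        config = ./microvms + "/${name}";
      };
    in {
      inherit (node) pkgs specialArgs;
      config = {inherit (node) imports;};
    };
  in
    lib.genAttrs vmDirs mkVm;
```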


@ -0,0 +1,28 @@
{
config,
inputs,
lib,
microvm,
nixos-hardware,
pkgs,
...
}: {
imports = [
microvm.microvm
../../../common/core
../../../../users/root
];
systemd.network.networks = {
"10-wan" = {
# TODO
matchConfig.Name = "en*";
DHCP = "yes";
networkConfig.IPv6PrivacyExtensions = "kernel";
dhcpV4Config.RouteMetric = 20;
dhcpV6Config.RouteMetric = 20;
};
};
}
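Review bot: `matchConfig.Name = "en*"` with `DHCP = "yes"` under a bare `# TODO` means the guest will request addresses on whatever interface the host attaches, and neither this file nor the `microvm.vms.test` definition in hosts/ward declares which interface that is. Replace the TODO with the concrete intent, e.g. `# TODO: match the microvm tap interface by MAC (matchConfig.MACAddress) once microvm.interfaces is declared on the host`, or narrow the match now so a second NIC added later is not auto-configured. The module also takes `config`, `lib`, `nixos-hardware` and `pkgs` without using them; harmless for a NixOS module, but trimming the argument set to `{ inputs, microvm, ... }` makes the file's real dependencies obvious.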


@ -25,21 +25,15 @@ in
secrets = self.secrets.content; secrets = self.secrets.content;
nodeSecrets = self.secrets.content.nodes.${nodeName}; nodeSecrets = self.secrets.content.nodes.${nodeName};
nixos-hardware = nixos-hardware.nixosModules; nixos-hardware = nixos-hardware.nixosModules;
microvm = microvm.nixosModules;
}; };
imports = imports = [
[ (nodeMeta.config or ../hosts + "/${nodeName}")
(../hosts + "/${nodeName}") agenix.nixosModules.default
agenix.nixosModules.default agenix-rekey.nixosModules.default
agenix-rekey.nixosModules.default disko.nixosModules.disko
disko.nixosModules.disko home-manager.nixosModules.default
home-manager.nixosModules.default impermanence.nixosModules.impermanence
impermanence.nixosModules.impermanence nixos-nftables-firewall.nixosModules.default
nixos-nftables-firewall.nixosModules.default ];
]
++ optionals (nodeMeta.microVmHost or false) [
microvm.nixosModules.host
]
++ optionals (nodeMeta.type == "microvm") [
microvm.nixosModules.microvm
];
} }
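Review bot: `(nodeMeta.config or ../hosts + "/${nodeName}")` does not group the way the parentheses suggest: in Nix the `e.attr or default` selection binds tighter than `+`, so this is `(nodeMeta.config or ../hosts) + "/${nodeName}"`, and for a node that supplies `config` (the `ward-microvm-test` definition in this commit passes `config = ./microvms/test`) the node name is appended to that path, producing a non-existent `.../microvms/test/ward-microvm-test` import. The fallback needs its own parentheses: `(nodeMeta.config or (../hosts + "/${nodeName}"))`. This is my reading of the operator precedence; a `nix eval` of the ward host would confirm it. With the `optionals` gating removed, every node now receives `microvm = microvm.nixosModules` in specialArgs and must import `microvm.host` or `microvm.microvm` itself, which deserves a one-line comment on the `microvm =` line. The enclosing `let … in` and the function header are outside this hunk.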


@ -1,21 +0,0 @@
{
self,
nixpkgs,
...
} @ inputs: let
inherit
(nixpkgs.lib)
filterAttrs
mapAttrs
nixosSystem
;
microvmNodes = filterAttrs (_: x: x.type == "microvm") self.hosts;
nodes = mapAttrs (import ./generate-node.nix inputs) microvmNodes;
generateMicrovmNode = nodeName: _:
nixosSystem {
inherit (nodes.${nodeName}) system pkgs specialArgs;
modules = nodes.${nodeName}.imports;
};
in
mapAttrs generateMicrovmNode nodes


@ -18,7 +18,12 @@
} @ inputs: let } @ inputs: let
inherit inherit
(nixpkgs.lib) (nixpkgs.lib)
attrNames
concatMap
filterAttrs
listToAttrs
mapAttrs mapAttrs
nameValuePair
; ;
# If the given expression is a bare set, it will be wrapped in a function, # If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to # so that the imported file can always be applied to the inputs, similar to
@ -34,8 +39,26 @@
then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
else {} else {}
); );
# Secrets for each physical node
nodeSecrets = mapAttrs (nodeName: _: importEncrypted ../hosts/${nodeName}/secrets/secrets.nix.age inputs) self.hosts;
# A list of all nodes that have microvm directories
nodesWithMicrovms = builtins.filter (nodeName: builtins.pathExists ../hosts/${nodeName}/microvms) (attrNames self.hosts);
# Returns a list of all microvms defined for the given node
microvmsFor = nodeName:
attrNames (filterAttrs
(_: t: t == "directory")
(builtins.readDir ../hosts/${nodeName}/microvms));
# Returns all defined microvms with name and definition for a given node
microvmDefsFor = nodeName:
map
(microvmName: nameValuePair "${nodeName}-microvm-${microvmName}" ../hosts/${nodeName}/microvms/${microvmName})
(microvmsFor nodeName);
# A attrset mapping all microvm nodes to its definition folder
microvms = listToAttrs (concatMap microvmDefsFor nodesWithMicrovms);
# The secrets for each microvm
microvmSecrets = mapAttrs (microvmName: microvmPath: importEncrypted (microvmPath + "/secrets/secrets.nix.age") inputs) microvms;
in in
(importEncrypted ../secrets/secrets.nix.age inputs) (importEncrypted ../secrets/secrets.nix.age inputs)
// { // {nodes = nodeSecrets // microvmSecrets;}
nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
}