diff --git a/outputs.nix b/outputs.nix index 4a4893c..f431122 100644 --- a/outputs.nix +++ b/outputs.nix @@ -14,6 +14,60 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems let pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}"; + + vmMicroVMOverwrites = options: { + microvm = { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; + shares = pkgs.lib.mkForce [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); + }; + + boot.initrd.network.ssh.enable = pkgs.lib.mkForce false; + boot.isContainer = pkgs.lib.mkForce false; + users.users.root.password = ""; + fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ./machines/secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + buildVM = host: networking: sopsDummy: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites { withNetworking = networking; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ + microvm.nixosModules.microvm + ]; + }).config.microvm.declaredRunner; in { devShells.default = 
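Review bot: `vmSopsOverwrites` installs `./machines/secrets/devkey_ed25519` as the VM's SSH host key through `environment.etc`, and a path literal like that is copied into the Nix store, so the `mode = "0600"` protects only the `/etc/devHostKey` copy while the store copy stays world-readable on the host and is exported into every VM through the `ro-store` share declared a few lines above. That is only acceptable if the key is a throwaway development key that is never used on a real machine, and nothing in the hunk says so. I would add a comment above the `environment.etc` block: `# Dev-only host key: it is committed to the repo and lands world-readable in /nix/store, so never reuse it on a real host; every dev VM presents this same key.` Because the empty `users.users.root.password` and this well-known key are kept together with the host's own `interfaces` whenever `withNetworking` is set, the `interfaces` line deserves a second comment saying such a VM must stay on an isolated bridge; the enclosing `let` body continues past the end of this hunk.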
@@ -38,14 +92,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.mdbook microvmpkg.microvm ]; + packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed; shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"''; }; + legacyPackages = { scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); + scripts.run-vm = self.packages.${system}.run-vm; }; + vmBuilder = buildVM; + packages = { docs = pkgs.stdenv.mkDerivation { name = "malobeo-docs"; 
@@ -63,91 +122,44 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems cp -r ./book/* $dest ''; }; - } // - builtins.foldl' - (result: host: - let - inherit (self.nixosConfigurations.${host}) config; - in - result // { - # boot any machine in a microvm - "${host}-vm" = (self.nixosConfigurations.${host}.extendModules { - modules = [{ - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce [{ - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - }]; - }; - boot.isContainer = pkgs.lib.mkForce false; - users.users.root.password = ""; - fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. - ''; - }] ++ pkgs.lib.optionals (! config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; - }) - { } - (builtins.attrNames self.nixosConfigurations) // - - builtins.foldl' - (result: host: - let - inherit (self.nixosConfigurations.${host}) config; - in - result // { - # boot any machine in a microvm - "${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules { - modules = [{ - sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ./machines/secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - }; - boot.isContainer = pkgs.lib.mkForce false; - users.users.root.password = ""; - fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - services.getty.helpLine = '' - Log in as "root" with an empty 
password. - Use "reboot" to shut qemu down. - ''; - }] ++ pkgs.lib.optionals (! config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; - }) - { } - (builtins.attrNames self.nixosConfigurations); + run-vm = pkgs.writeShellScriptBin "run-vm" '' + usage() { + echo "Usage: run-vm [--networking] [--dummy-secrets]" + echo "ATTENTION: This script must be run from the flakes root directory" + echo "--networking setup interfaces. requires root and hostbridge enabled on the host" + echo "--dummy-secrets deploy dummy sops secrets" + exit 1 + } + + # check at least one arg was given + if [ "$#" -lt 1 ]; then + usage + fi + + HOSTNAME=$1 + + # Optionale Argumente + NETWORK=false + DUMMY_SECRETS=false + + # check argws + shift + while [[ "$#" -gt 0 ]]; do + case $1 in + --networking) NETWORK=true ;; + --dummy-secrets) DUMMY_SECRETS=true ;; + *) echo "Unknown argument: $1"; usage ;; + esac + shift + done + echo "starting host $HOSTNAME" + echo "enable networking: $NETWORK" + echo "deploy dummy secrets: $DUMMY_SECRETS" + + ${pkgs.nix}/bin/nix run --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS)" + ''; + }; apps = { docs = { @@ -156,9 +168,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems ${pkgs.mdbook}/bin/mdbook serve --open ./doc ''); }; + + run-vm = { + type = "app"; + program = self.packages.${system}.run-vm; + }; }; - })) // rec { + })) // { nixosConfigurations = import ./machines/configuration.nix (inputs // { inherit inputs; self = self;
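Review bot: `run-vm` interpolates `$HOSTNAME` and `$(pwd)` straight into the `nix run --impure --expr` string, so a first argument containing `"` or `${` is evaluated as Nix instead of being rejected, and `vmBuilder.x86_64-linux` is hard-coded although the script itself is built per `system`, so on any other system the attribute lookup fails. Validate the host name before it is used, e.g. `case "$HOSTNAME" in ""|*[!A-Za-z0-9_.-]*) echo "invalid host name: $HOSTNAME"; usage ;; esac`, and select the builder with `vmBuilder.${system}` (a Nix interpolation, like `${pkgs.nix}` on the same line). Note also that `HOSTNAME=$1` runs before the option loop, so `run-vm --networking foo` silently takes `--networking` as the host name and then fails inside Nix rather than in `usage`. The comments `# Optionale Argumente` and `# check argws` should be English and spelled correctly, e.g. `# optional flags` and `# parse remaining arguments`.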