[gitea] init

Networking still needs to be done but the vm boots using ```nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner```

book.toml

@@ -1,6 +0,0 @@
-[book]
-authors = ["ahtlon"]
-language = "de"
-multilingual = false
-src = "src"
-title = "Malobeo Infrastruktur Dokumentation"

doc/src/SUMMARY.md

@@ -13,4 +13,5 @@
         - [TODO](./todo.md)
     - [How-to]()
         - [Updates](./anleitung/updates.md)
-        - [Rollbacks](./anleitung/rollback.md)
+        - [Rollbacks](./anleitung/rollback.md)
+        - [MicroVM](./anleitung/microvm.md)

doc/src/anleitung/microvm.md

@@ -0,0 +1,39 @@
+### Declaring a MicroVM
+
+The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
+Use durruti as orientation:
+``` nix
+    modules = makeMicroVM "durruti" "10.0.0.5" [
+      ./durruti/configuration.nix
+    ];
+```
+
+"durruti" is the hostname.  
+"10.0.0.5" is the IP assigned to its tap interface.  
+
+### Testing MicroVMs locally
+MicroVMs can be built and run easily on your local host.
+For durruti this is done by:
+``` bash
+sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
+```
+
+It seems to be necessary to run this as root so that the according tap interface can be created.
+To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
+
+### Host Setup
+To provide network access to the VMs a bridge interface needs to be created on your host.
+For that:
+- Add the infrastructure flake as input to your hosts flake  
+- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
+- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
+
+If you want to provide Internet access to the VM it is necessary to create a nat.
+This could be done like this:
+``` nix
+networking.nat = {
+  enable = true;
+  internalInterfaces = [ "microvm" ];
+  externalInterface = "eth0"; #change to your interface name
+};
+```

flake.lock

@@ -21,6 +21,24 @@
         "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -61,6 +79,28 @@
         "type": "github"
       }
     },
+    "microvm": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1731240174,
+        "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "type": "github"
+      }
+    },
     "nixlib": {
       "locked": {
         "lastModified": 1729386149,
@@ -99,11 +139,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1730161780,
-        "narHash": "sha256-z5ILcmwMtiCoHTXS1KsQWqigO7HJO8sbyK7f7wn9F/E=",
+        "lastModified": 1730919458,
+        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "07d15e8990d5d86a631641b4c429bc0a7400cfb8",
+        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
         "type": "github"
       },
       "original": {
@@ -131,11 +171,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1729973466,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
         "type": "github"
       },
       "original": {
@@ -147,11 +187,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1730785428,
+        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
         "type": "github"
       },
       "original": {
@@ -163,11 +203,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1729973466,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+        "lastModified": 1730883749,
+        "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
         "type": "github"
       },
       "original": {
@@ -182,6 +222,7 @@
         "ep3-bs": "ep3-bs",
         "home-manager": "home-manager",
         "mfsync": "mfsync",
+        "microvm": "microvm",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
@@ -199,11 +240,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1729999681,
-        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+        "lastModified": 1731047660,
+        "narHash": "sha256-iyp51lPWEQz4c5VH9bVbAuBcFP4crETU2QJYh5V0NYA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+        "rev": "60e1bce1999f126e3b16ef45f89f72f0c3f8d16f",
         "type": "github"
       },
       "original": {
@@ -212,6 +253,22 @@
         "type": "github"
       }
     },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729945407,
+        "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
+        "ref": "refs/heads/main",
+        "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
+        "revCount": 764,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -257,6 +314,21 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tasklist": {
       "inputs": {
         "nixpkgs": [
@@ -315,7 +387,7 @@
     },
     "utils_3": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1726560853,

flake.nix

@@ -8,6 +8,8 @@
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     mfsync.url = "github:k4lipso/mfsync";
+    microvm.url = "github:astro/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
 
     utils = {
       url = "github:numtide/flake-utils";

machines/configuration.nix

@@ -40,6 +40,34 @@ let
     }
   ];
   defaultModules = baseModules;
+
+  makeMicroVM = hostName: ipv4Addr: modules: [
+    inputs.microvm.nixosModules.microvm
+    {
+      microvm = {
+        hypervisor = "qemu";
+        interfaces = [
+          {
+            type = "tap";
+            id = "vm-${hostName}";
+            mac = "02:00:00:00:00:01";
+          }
+        ];
+      };
+      
+      systemd.network.enable = true;
+      
+      systemd.network.networks."20-lan" = {
+        matchConfig.Type = "ether";
+        networkConfig = {
+          Address = [ "${ipv4Addr}/24" ];
+          Gateway = "10.0.0.1";
+          DNS = ["1.1.1.1"];
+          DHCP = "no";
+        };
+      };
+    }
+  ] ++ defaultModules ++ modules;
 in
 {
   louise = nixosSystem {
@@ -53,7 +81,7 @@ in
   durruti = nixosSystem {
     system = "x86_64-linux";
     specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
+    modules = makeMicroVM "durruti" "10.0.0.5" [
       ./durruti/configuration.nix
     ];
   };
@@ -66,4 +94,12 @@ in
       ./lucia/hardware_configuration.nix
     ];
   };
+
+  gitea = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    modules = makeMicroVM "gitea" "10.0.0.6" [
+      ./gitea/configuration.nix
+    ];
+  };
 }

machines/durruti/configuration.nix

@@ -5,7 +5,6 @@ with lib;
 {
   sops.defaultSopsFile = ./secrets.yaml;
 
-  boot.isContainer = true;
   networking = {
     hostName = mkDefault "durruti";
     useDHCP = false;

machines/durruti/host_config.nix

@@ -44,6 +44,5 @@ in
       enableACME= true;
       locations."/".proxyPass = "http://${cfg.host_ip}:80";
     };
-
   };
 }

machines/gitea/configuration.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  #sops.defaultSopsFile = ./secrets.yaml;
+
+  networking = {
+    hostName = mkDefault "gitea";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  services.gitea = {
+    enable = true;
+    appName = "malobeo git instance";
+
+    settings.server = {
+      DOMAIN = "git.malobeo.org";
+      HTTP_PORT = 3001;
+      SSH_PORT = 22;
+      ROOT_URL = "https://git.malobeo.org/";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3001 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/modules/malobeo/microvm_host.nix

@@ -0,0 +1,52 @@
+{ config, lib, options, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.malobeo.microvm;
+in
+{
+  options = {
+    services.malobeo.microvm = {
+      enableHostBridge = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enableHostBridge
+  { 
+    systemd.network = {
+      enable = true;
+      # create a bride device that all the microvms will be connected to
+      netdevs."10-microvm".netdevConfig = {
+        Kind = "bridge";
+        Name = "microvm";
+      };
+
+      networks."10-microvm" = {
+        matchConfig.Name = "microvm";
+        networkConfig = {
+          DHCPServer = true;
+          IPv6SendRA = true;
+        };
+        addresses = [ {
+          Address = "10.0.0.1/24";
+        } {
+          Address = "fd12:3456:789a::1/64";
+        } ];
+        ipv6Prefixes = [ {
+          Prefix = "fd12:3456:789a::/64";
+        } ];
+      };
+
+      # connect the vms to the bridge
+      networks."11-microvm" = {
+        matchConfig.Name = "vm-*";
+        networkConfig.Bridge = "microvm";
+      };
+    };
+  };
+}

outputs.nix

@@ -41,7 +41,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
     apps = {
       docs = {
         type = "app";
-        program = builtins.toString (pkgs.writeScript "docs" ''
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
           ${pkgs.mdbook}/bin/mdbook serve --open ./doc
         '');
       };
@@ -52,7 +52,10 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
       inherit inputs;
     });
 
-    nixosModules.malobeo = import ./machines/durruti/host_config.nix;
+    nixosModules.malobeo.imports = [
+      ./machines/durruti/host_config.nix
+      ./machines/modules/malobeo/microvm_host.nix
+    ];
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
       let

src/SUMMARY.md

@@ -1,15 +0,0 @@
-# Summary
-
-- [Index](./Index.md)
-    - [Info]()
-        - [Aktuelle Server]()
-            - [Durruti](./server/durruti.md)
-            - [Lucia](./server/lucia.md)
-        - [Hardware]()
-        - [Netzwerk]()
-        - [Seiten]()
-            - [musik](./projekte/musik.md)
-        - [TODO](./todo.md)
-    - [How-to]()
-        - [Updates](./anleitung/updates.md)
-        - [Rollbacks](./anleitung/rollback.md)