From 27c402152f2e95b118e3fdd04b8398946656b806 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 3 Dec 2024 00:14:13 +0100 Subject: [PATCH 01/14] [nixpkgs] 24.05 -> 24.11 --- flake.lock | 52 ++++++++++++++++++++++++++-------------------------- flake.nix | 4 ++-- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/flake.lock b/flake.lock index 4e2cb07..1504a0c 100644 --- a/flake.lock +++ b/flake.lock @@ -67,16 +67,16 @@ ] }, "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", + "lastModified": 1733050161, + "narHash": "sha256-lYnT+EYE47f5yY3KS/Kd4pJ6CO9fhCqumkYYkQ3TK20=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", + "rev": "62d536255879be574ebfe9b87c4ac194febf47c5", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "release-24.11", "repo": "home-manager", "type": "github" } @@ -109,11 +109,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1732122592, - "narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=", + "lastModified": 1733003272, + "narHash": "sha256-ratU5qCcRuOojgPWM90gda4qrxukNqbyFi+kan2Ln04=", "owner": "astro", "repo": "microvm.nix", - "rev": "19650774c23df84d0b8f315d2527274563497cad", + "rev": "e8d5f12b834a59187c7ec147a8952a0567f97939", "type": "github" }, "original": { @@ -124,11 +124,11 @@ }, "nixlib": { "locked": { - "lastModified": 1731805462, - "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", + "lastModified": 1733015484, + "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", + "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "type": "github" }, "original": { 
@@ -145,11 +145,11 @@ ] }, "locked": { - "lastModified": 1732151224, - "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", + "lastModified": 1733101779, + "narHash": "sha256-Qqnfnb/RFxBbD25UYJ/yibvl9kIZNK5WkyLsUcb2byk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", + "rev": "a471acc460d4c238936a5116c8cc48a3c431dd66", "type": "github" }, "original": { @@ -160,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1731797098, - "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=", + "lastModified": 1733139194, + "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6", + "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88", "type": "github" }, "original": { @@ -192,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732014248, - "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", "type": "github" }, "original": { @@ -208,16 +208,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1731797254, - "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", + "lastModified": 1732981179, + "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", + "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } 
@@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1732186149, - "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index ad9eac3..02dd232 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@ inputs = {
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -33,7 +33,7 @@ };
 home-manager= {
- url = "github:nix-community/home-manager/release-24.05";
+ url = "github:nix-community/home-manager/release-24.11";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 };
-- 
2.51.2

From 533b496bde94fc93f22a80f15ce9d5e11cec5e77 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 3 Dec 2024 00:31:54 +0100
Subject: [PATCH 02/14] [machines] remove sound.enable = true;

---
 machines/bakunin/configuration.nix | 1 -
 machines/louise/configuration.nix | 1 -
 machines/lucia/configuration.nix | 4 ----
 3 files changed, 6 deletions(-)

diff --git a/machines/bakunin/configuration.nix b/machines/bakunin/configuration.nix
index 87fdf3e..b57bc31 100644
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -67,7 +67,6 @@ networking.hostName = "bakunin";
 networking.networkmanager.enable = true;
- sound.enable = true;
 hardware.pulseaudio = {
 enable = true;
 zeroconf.discovery.enable = true;
diff --git a/machines/louise/configuration.nix b/machines/louise/configuration.nix
index 81eec8e..146a5fa 100644
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,7 +67,6 @@ networking.hostName = "louise";
 networking.networkmanager.enable = true;
- sound.enable = true;
 hardware.pulseaudio = {
 enable = true;
 zeroconf.discovery.enable = true;
diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix
index 440096a..ecb2965 100644
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -39,12 +39,8 @@ in
 # Set your time zone.
 time.timeZone = "Europe/Berlin";
- # hardware audio support:
- sound.enable = true;
-
 services = {
-
 dokuwiki.sites."wiki.malobeo.org" = {
 enable = true;
 #acl = "* @ALL 8"; # everyone can edit using this config
-- 
2.51.2

From 2a97e2424f40269e32e7c2051a6198b6aa9bbaa2 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 3 Dec 2024 00:45:07 +0100
Subject: [PATCH 03/14] [lucia] rm deprecated boot.loader.raspberryPi needs to be fixed still according to https://github.com/NixOS/nixpkgs/pull/241534
---
 machines/lucia/configuration.nix | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix
index ecb2965..7184763 100644
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -20,14 +20,6 @@ in
 # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
 boot.loader.grub.enable = false;
- boot.loader.raspberryPi.enable = false;
- boot.loader.raspberryPi.version = 3;
- boot.loader.raspberryPi.uboot.enable = true;
- boot.loader.raspberryPi.firmwareConfig = ''
- dtparam=audio=on
- hdmi_ignore_edid_audio=1
- audio_pwm_mode=2
- '';
 # Enables the generation of /boot/extlinux/extlinux.conf
 boot.loader.generic-extlinux-compatible.enable = true;
-- 
2.51.2

From bcfba8daf58c7bb12a8ae6d282d30ea0f2b4e3a0 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 3 Dec 2024 00:50:44 +0100
Subject: [PATCH 04/14] [machines] switch PulseAudio to Pipewire

---
 machines/bakunin/configuration.nix | 15 ++++++---------
 machines/louise/configuration.nix | 15 ++++++---------
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/machines/bakunin/configuration.nix b/machines/bakunin/configuration.nix
index b57bc31..86b4166 100644
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -67,16 +67,13 @@ networking.hostName = "bakunin";
 networking.networkmanager.enable = true;
- hardware.pulseaudio = {
- enable = true;
- zeroconf.discovery.enable = true;
- extraConfig = ''
- load-module module-zeroconf-discover
- '';
- };
-
- services.avahi = {
+ security.rtkit.enable = true;
+ services.pipewire = {
 enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ systemWide = true;
 };
diff --git a/machines/louise/configuration.nix b/machines/louise/configuration.nix
index 146a5fa..913a1af 100644
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,16 +67,13 @@ networking.hostName = "louise";
 networking.networkmanager.enable = true;
- hardware.pulseaudio = {
- enable = true;
- zeroconf.discovery.enable = true;
- extraConfig = ''
- load-module module-zeroconf-discover
- '';
- };
-
- services.avahi = {
+ security.rtkit.enable = true;
+ services.pipewire = {
 enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ systemWide = true;
 };
-- 
2.51.2

From 046c11234fb5937195cae522cd32522520616c0d Mon Sep 17 00:00:00 2001
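Review bot: `systemWide = true;` in the new `services.pipewire` block runs PipeWire as one system-wide daemon instead of a per-user session; the louise hunk of this commit has the same line. PipeWire upstream discourages system-wide mode because every audio-using account then shares a single server running under a dedicated system user, which loses per-session isolation, and on NixOS it additionally means users only get audio once they are in the `pipewire` group. Unless these are headless boxes where one shared daemon is intended, drop the line (per-user is the default) and keep `security.rtkit.enable = true;`, which the user services need for realtime priority. If system-wide mode is deliberate, record why with a comment such as `# system-wide PipeWire: every audio user must be in the pipewire group`.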
From: kalipso
Date: Tue, 10 Dec 2024 17:27:14 +0100
Subject: [PATCH 05/14] [fanny] init

---
 machines/configuration.nix | 11 +++++
 machines/fanny/configuration.nix | 41 +++++++++++++++++++
 machines/fanny/hardware-configuration.nix | 49 +++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 machines/fanny/configuration.nix
 create mode 100644 machines/fanny/hardware-configuration.nix

diff --git a/machines/configuration.nix b/machines/configuration.nix
index bb50a90..daa9454 100644
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -93,6 +93,17 @@ in
 ];
 };
+ fanny = nixosSystem {
+ system = "x86_64-linux";
+ specialArgs.inputs = inputs;
+ modules = defaultModules ++ [
+ ./fanny/configuration.nix
+ inputs.disko.nixosModules.disko
+ ./modules/disko/btrfs-laptop.nix
+ ];
+ };
+
+
 durruti = nixosSystem {
 system = "x86_64-linux";
 specialArgs.inputs = inputs;
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
new file mode 100644
index 0000000..ae2fc70
--- /dev/null
+++ b/machines/fanny/configuration.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ #./hardware-configuration.nix
+ ../modules/malobeo_user.nix
+ ../modules/sshd.nix
+ ../modules/minimal_tools.nix
+ ../modules/autoupdate.nix
+ ];
+
+ malobeo.autoUpdate = {
+ enable = true;
+ url = "https://hydra.dynamicdiscord.de";
+ project = "malobeo";
+ jobset = "infrastructure";
+ cacheurl = "https://cache.dynamicdiscord.de";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+
+ # needed for printing drivers
+ nixpkgs.config.allowUnfree = true;
+
+ services.acpid.enable = true;
+
+ networking.hostName = "fanny";
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "Europe/Berlin";
+ system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+
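Review bot: `system.stateVersion = "23.05";` is copied onto a host that this commit creates from scratch against the 24.11 inputs; stateVersion should be the release a host is first installed with, because it pins stateful defaults (service data layouts, default versions) from that point on, and the `# Do.. Not.. Change..` note only makes sense once that first value is right. The accompanying `machines/fanny/hardware-configuration.nix` is committed but its import on the `#./hardware-configuration.nix` line is commented out, so the LUKS, filesystem and kernel-module settings in it are never evaluated — either import it or drop the file so the disk layout in the repository is the one that is actually built. A one-line comment next to `services.tor` saying what on this host uses the local client proxy would also help the next reader.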
diff --git a/machines/fanny/hardware-configuration.nix b/machines/fanny/hardware-configuration.nix
new file mode 100644
index 0000000..28b4c19
--- /dev/null
+++ b/machines/fanny/hardware-configuration.nix
@@ -0,0 +1,49 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
+};
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/402B-2026";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
-- 
2.51.2
From 7dbbaf08af7435aa9a3c59b2ca3fd415f58244c5 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 11 Dec 2024 11:56:41 +0100 Subject: [PATCH 06/14] [fanny] setup disko drive layout --- machines/configuration.nix | 2 +- machines/fanny/configuration.nix | 3 + machines/modules/disko/btrfs-laptop.nix | 2 +- machines/modules/disko/fanny.nix | 141 ++++++++++++++++++++++++ 4 files changed, 146 insertions(+), 2 deletions(-) create mode 100644 machines/modules/disko/fanny.nix diff --git a/machines/configuration.nix b/machines/configuration.nix index daa9454..7623051 100644 --- a/machines/configuration.nix +++ b/machines/configuration.nix @@ -99,7 +99,7 @@ in modules = defaultModules ++ [ ./fanny/configuration.nix inputs.disko.nixosModules.disko - ./modules/disko/btrfs-laptop.nix + ./modules/disko/fanny.nix ]; }; diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index ae2fc70..a462212 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -33,8 +33,11 @@ services.acpid.enable = true; networking.hostName = "fanny"; + networking.hostId = "1312acab"; networking.networkmanager.enable = true; + virtualisation.vmVariant.virtualisation.graphics = false; + time.timeZone = "Europe/Berlin"; system.stateVersion = "23.05"; # Do.. Not.. Change.. } diff --git a/machines/modules/disko/btrfs-laptop.nix b/machines/modules/disko/btrfs-laptop.nix index aeedcbb..eef6931 100644 --- a/machines/modules/disko/btrfs-laptop.nix +++ b/machines/modules/disko/btrfs-laptop.nix @@ -30,7 +30,7 @@ content = { type = "luks"; name = "crypted"; - passwordFile = "/tmp/secret.key"; # Interactive + passwordFile = /tmp/secret.key; # Interactive content = { type = "btrfs"; extraArgs = [ "-f" ]; diff --git a/machines/modules/disko/fanny.nix b/machines/modules/disko/fanny.nix new file mode 100644 index 0000000..53380c6 --- /dev/null +++ b/machines/modules/disko/fanny.nix 
@@ -0,0 +1,141 @@
+{
+ disko.devices = {
+ disk = {
+ ssd = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1024M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+
+ hdd0 = {
+ type = "disk";
+ device = "/dev/sdb";
+ content = {
+ type = "gpt";
+ partitions = {
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "storage";
+ };
+ };
+ };
+ };
+ };
+
+ hdd1 = {
+ type = "disk";
+ device = "/dev/sdc";
+ content = {
+ type = "gpt";
+ partitions = {
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "storage";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ mode = "";
+ # Workaround: cannot import 'zroot': I/O error in disko tests
+ options.cachefile = "none";
+ rootFsOptions = {
+ compression = "zstd";
+ "com.sun:auto-snapshot" = "false";
+ };
+
+ datasets = {
+ encrypted = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ keylocation = "file:///tmp/root.key";
+ };
+ # use this to read the key during boot
+ postCreateHook = ''
+ zfs set keylocation="prompt" "zroot/$name";
+ '';
+ };
+ "encrypted/root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "encrypted/var" = {
+ type = "zfs_fs";
+ mountpoint = "/var";
+ };
+ "encrypted/etc" = {
+ type = "zfs_fs";
+ mountpoint = "/etc";
+ };
+ "encrypted/home" = {
+ type = "zfs_fs";
+ mountpoint = "/home";
+ };
+ "encrypted/nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ };
+ };
+
+ storage = {
+ type = "zpool";
+ mode = "mirror";
+
+ datasets = {
+ encrypted = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ keylocation = "file:///tmp/storage.key";
+ };
+
+ # use this to 
read the key during boot
+ postCreateHook = ''
+ zfs set keylocation="prompt" "zroot/$name";
+ '';
+ };
+ "encrypted/data" = {
+ type = "zfs_fs";
+ mountpoint = "/data";
+ };
+ };
+ };
+ };
+ };
+}
-- 
2.51.2

From f853a47eb9885eacf1de53bf34638bb2a3f513c3 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Wed, 11 Dec 2024 11:56:55 +0100
Subject: [PATCH 07/14] [docs] add vmWithDisko documentation

---
 doc/src/anleitung/create.md | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/doc/src/anleitung/create.md b/doc/src/anleitung/create.md
index 63d16f9..a1d14bb 100644
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -42,6 +42,25 @@ sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-comm
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
-
-
+```
+
+# Testing Disko
+Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
+```bash
+nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
+```
+
+Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
+```nix
+datasets = {
+ encrypted = {
+ options = {
+ encryption = "aes-256-gcm"; #THIS ONE
+ keyformat = "passphrase"; #THIS ONE
+ keylocation = "file:///tmp/root.key"; #THIS ONE
+ };
+ # use this to read the key during boot
+ postCreateHook = '' #THIS ONE
+ zfs set keylocation="prompt" "zroot/$name"; #THIS ONE
+ ''; #THIS ONE
 ```
-- 
2.51.2

From 37a6a1dffb99ee23152d0f6cd24cc601cb61e985 Mon Sep 17 00:00:00 2001
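Review bot: The `storage` pool's `postCreateHook` runs `zfs set keylocation="prompt" "zroot/$name";`, copied verbatim from the zroot pool; for the dataset it is attached to it has to be `zfs set keylocation="prompt" "storage/$name";`. As written, `storage/encrypted` keeps `keylocation=file:///tmp/storage.key`, a path that will not exist after installation, so the `/data` dataset most likely cannot be unlocked at boot, while the hook pointlessly re-sets the already-prompting `zroot/encrypted`. Both passphrase files under /tmp are only read during the disko run, which is the intended pattern, but a comment above the two `keylocation = "file:///tmp/..."` lines stating that the files must be created before running disko and are not needed afterwards would save the next operator some guessing. This hunk begins in the previous chunk of the page.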
From: kalipso
Date: Tue, 19 Nov 2024 15:43:23 +0100
Subject: [PATCH 08/14] [doc] add basic microvm documentation

---
 doc/src/anleitung/microvm.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc/src/anleitung/microvm.md b/doc/src/anleitung/microvm.md
index 86f13c5..2babba6 100644
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -49,4 +49,3 @@ The following example would init and autostart durruti and gitea:
 ``` nix
 malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
 ```
-
-- 
2.51.2

From d6a615cc358a8cfc53ccbd4696aa5fe7affae4e1 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 10 Dec 2024 13:59:32 +0100
Subject: [PATCH 09/14] [nix] fix devshell

---
 outputs.nix | 24 ++++++++++++++++++++++--
 shell.nix | 24 ------------------------
 2 files changed, 22 insertions(+), 26 deletions(-)
 delete mode 100644 shell.nix

diff --git a/outputs.nix b/outputs.nix
index d4758aa..392401b 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
+, microvm
 , ...
 } @inputs:
@@ -15,8 +16,27 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 pkgs = nixpkgs.legacyPackages."${system}";
 in
 {
- devShells.default = pkgs.callPackage ./shell.nix {
- inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
+ devShells.default =
+ let
+ sops = sops-nix.packages."${pkgs.system}";
+ microvmpkg = microvm.packages."${pkgs.system}";
+ in
+ pkgs.mkShell {
+ sopsPGPKeyDirs = [
+ "./machines/secrets/keys/hosts"
+ "./machines/secrets/keys/users"
+ ];
+
+ nativeBuildInputs = [
+ sops.ssh-to-pgp
+ sops.sops-import-keys-hook
+ sops.sops-init-gpg-key
+ pkgs.sops
+ pkgs.age
+ pkgs.python310Packages.grip
+ pkgs.mdbook
+ microvmpkg.microvm
+ ];
 };
 packages = {
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index 3799ec9..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ mkShell
-, sops-import-keys-hook
-, ssh-to-pgp
-, sops-init-gpg-key
-, sops
-, pkgs
-}:
-
-mkShell {
- sopsPGPKeyDirs = [
- "./machines/secrets/keys/hosts"
- "./machines/secrets/keys/users"
- ];
-
- nativeBuildInputs = [
- ssh-to-pgp
- sops-import-keys-hook
- sops-init-gpg-key
- sops
- pkgs.age
- pkgs.python310Packages.grip
- pkgs.mdbook
- ];
-}
-- 
2.51.2

From a292b013657e6bc0d01023cad55bc9179213518f Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 10 Dec 2024 14:00:14 +0100
Subject: [PATCH 10/14] [microvms] fix #39 Microvms are not persistent
---
 machines/configuration.nix | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/machines/configuration.nix b/machines/configuration.nix
index 7623051..5b69f0a 100644
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -45,12 +45,32 @@ let
 inputs.microvm.nixosModules.microvm
 {
 microvm = {
- hypervisor = "qemu";
- shares = [ {
- tag = "ro-store";
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- } ];
+ hypervisor = "cloud-hypervisor";
+ mem = 2560;
+ shares = [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }
+ {
+ source = "/var/lib/microvms/${hostName}/etc";
+ mountPoint = "/etc";
+ tag = "etc";
+ proto = "virtiofs";
+ socket = "etc.socket";
+ }
+ {
+ source = "/var/lib/microvms/${hostName}/var";
+ mountPoint = "/var";
+ tag = "var";
+ proto = "virtiofs";
+ socket = "var.socket";
+ }
+ ];
+
 interfaces = [
 {
 type = "tap";
-- 
2.51.2

From b2f8b308cbc647c4f271b021374dec82ac5fc50d Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 10 Dec 2024 14:00:34 +0100
Subject: [PATCH 11/14] [nixpkgs] update microvm

---
 flake.lock | 22 +++++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index 1504a0c..7b28974 100644
--- a/flake.lock
+++ b/flake.lock
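Review bot: The new `etc` and `var` shares export `/var/lib/microvms/${hostName}/etc` and `/var/lib/microvms/${hostName}/var` from the host into the guest over virtiofs, but nothing in this hunk creates those directories or fixes their ownership and mode, and the documentation added later in this series says the first start fails until they are made by hand. The guest's `/etc` will contain its shadow file and SSH host keys (the docs point at `/var/lib/microvms/durruti/etc/ssh/` for exactly that), so the host-side directories should be created root-owned with mode `0700` rather than by an ad-hoc mkdir; a `systemd.tmpfiles.rules` entry on the host for each deployed microvm would make this declarative. The enclosing `let` block starts before this hunk, so `hostName` is presumed to be bound there — confirm it matches the name the microvm host module uses under /var/lib/microvms.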
@@ -47,11 +47,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -109,11 +109,19 @@ "spectrum": "spectrum" }, "locked": { +<<<<<<< HEAD "lastModified": 1733003272, "narHash": "sha256-ratU5qCcRuOojgPWM90gda4qrxukNqbyFi+kan2Ln04=", "owner": "astro", "repo": "microvm.nix", "rev": "e8d5f12b834a59187c7ec147a8952a0567f97939", +======= + "lastModified": 1733796600, + "narHash": "sha256-scaQMTs4NnGkd9SZWROr5m0vOZIIhRkk5N7Q+S9zhXQ=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "e08aed6e3a32e47e21e57bd2791326ea3f7647be", +>>>>>>> 72ab98e ([nixpkgs] update microvm) "type": "github" }, "original": { @@ -261,11 +269,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1729945407, - "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=", + "lastModified": 1733308308, + "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=", "ref": "refs/heads/main", - "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa", - "revCount": 764, + "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2", + "revCount": 792, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, -- 2.51.2 From 49435d68ff6e8749a4aee249f1cce25f51aa6a60 Mon Sep 17 00:00:00 2001 
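Review bot: The second flake.lock hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 72ab98e ([nixpkgs] update microvm)`) inside the microvm.nix `locked` entry, so flake.lock is not valid JSON at this revision and every flake command will fail to parse it. [PATCH 14/14] removes the markers again, but this commit is broken on its own, which hurts bisecting and anyone checking it out; resolve the conflict here (the `>>>>>>>` side with rev `e08aed6e` is what the subject line describes) or squash it into the fixing commit. Lock updates are better regenerated with `nix flake update` than merged textually, which avoids this class of error entirely.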
From: kalipso
Date: Wed, 11 Dec 2024 12:36:59 +0100
Subject: [PATCH 12/14] [nix] output vm packages for each host this now runs any host as microvm. it removes shared directories for microvms so no manuall setup is needed (expect you want persistence). i took it from c3d2, thanks guys for the inspiration <3 https://gitea.c3d2.de/c3d2/nix-config/src/branch/master/packages.nix
---
 outputs.nix | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/outputs.nix b/outputs.nix
index 392401b..630be36 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -56,7 +56,46 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 cp -r ./book/* $dest
 '';
 };
- };
+ } //
+
+ builtins.foldl'
+ (result: host:
+ let
+ inherit (self.nixosConfigurations.${host}) config;
+ in
+ result // {
+ # boot any machine in a microvm
+ "${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
+ modules = [{
+ microvm = {
+ mem = pkgs.lib.mkForce 4096;
+ hypervisor = pkgs.lib.mkForce "qemu";
+ socket = pkgs.lib.mkForce null;
+ shares = pkgs.lib.mkForce [{
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }];
+ interfaces = pkgs.lib.mkForce [{
+ type = "user";
+ id = "eth0";
+ mac = "02:23:de:ad:be:ef";
+ }];
+ };
+ boot.isContainer = pkgs.lib.mkForce false;
+ users.users.root.password = "";
+ fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
+ services.getty.helpLine = ''
+ Log in as "root" with an empty password.
+ Use "reboot" to shut qemu down.
+ '';
+ }] ++ pkgs.lib.optionals (! config ? microvm) [
+ microvm.nixosModules.microvm
+ ];
+ }).config.microvm.declaredRunner;
+ })
+ { }
+ (builtins.attrNames self.nixosConfigurations);
 apps = {
 docs = {
-- 
2.51.2

From 4367161e5f2aae046baf7f61f48cde29e274fc2b Mon Sep 17 00:00:00 2001
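Review bot: `users.users.root.password = "";` is applied to every host's `-vm` variant, including hosts that import the sshd module, and unlike the neighbouring overrides it is not wrapped in `pkgs.lib.mkForce`; a host that already defines root via `hashedPassword` or `hashedPasswordFile` will either take precedence over this plain-text `password` or trigger the "multiple password options set" warning, and the getty help line would then promise a login that does not work — confirm against how the hosts define root. Because `interfaces` is forced to `type = "user"` networking there is no inbound path to the guest by default, so the empty password is a contained test convenience, but it deserves a comment on the line, e.g. `# local test VM only: user-mode networking, no inbound access`, and the other root password options should be forced to null in the same module so the override is robust. The `packages = { … } //` expression this `foldl'` is appended to begins outside the hunk.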
From: kalipso
Date: Wed, 11 Dec 2024 12:52:55 +0100
Subject: [PATCH 13/14] [docs] add local persistent microvm usage

---
 doc/src/anleitung/microvm.md | 40 +++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/doc/src/anleitung/microvm.md b/doc/src/anleitung/microvm.md
index 2babba6..1775767 100644
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -12,14 +12,44 @@ Use durruti as orientation: "10.0.0.5" is the IP assigned to its tap interface.
 ### Testing MicroVMs locally
-MicroVMs can be built and run easily on your local host.
-For durruti this is done by:
+MicroVMs can be built and run easily on your local host, but they are not persistent!
+For durruti for example this is done by:
 ``` bash
-sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
+nix run .\#durruti-vm
+```
+
+### Testing persistent microvms
+In order to test persistent microvms locally we need to create them using the ```microvm``` command.
+This is necessary to be able to mount persistent /etc and /var volumes on those hosts.
+Do the following:
+
+```bash
+# go into our repo and start the default dev shell (or us direnv)
+nix develop .#
+
+# create a microvm on your host (on the example of durruti)
+sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
+
+# start the vm
+sudo systemctl start microvm@durruti.serivce
+
+# this may fail, if so we most probably need to create /var /etc manually, then restart
+sudo mkdir /var/lib/microvms/durruti/{var, etc}
+
+# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
+
+# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
+microvm -r durruti
+
+# after u made changes to the microvm update and restart the vm
+microvm -uR durruti
+
+# deleting the vm again:
+sudo systemctl stop microvm@durruti.service
+sudo systemctl stop microvm-virtiofsd@durruti.service
+sudo rm -rf /var/lib/microvms/durruti
 ```
-It seems to be necessary to run this as root so that the according tap interface can be created.
-To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
 ### Host Setup
-- 
2.51.2

From 3734af538858940e20a82c06e65cb04cabcb5337 Mon Sep 17 00:00:00 2001
From: kalipso Date: Tue, 3 Dec 2024 00:14:13 +0100 Subject: [PATCH 14/14] [nixpkgs] 24.05 -> 24.11 --- flake.lock | 56 +++++++++++++++++++++++------------------------------- 1 file changed, 24 insertions(+), 32 deletions(-) diff --git a/flake.lock b/flake.lock index 7b28974..cd46566 100644 --- a/flake.lock +++ b/flake.lock @@ -67,11 +67,11 @@ ] }, "locked": { - "lastModified": 1733050161, - "narHash": "sha256-lYnT+EYE47f5yY3KS/Kd4pJ6CO9fhCqumkYYkQ3TK20=", + "lastModified": 1733951536, + "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", "owner": "nix-community", "repo": "home-manager", - "rev": "62d536255879be574ebfe9b87c4ac194febf47c5", + "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", "type": "github" }, "original": { @@ -109,19 +109,11 @@ "spectrum": "spectrum" }, "locked": { -<<<<<<< HEAD - "lastModified": 1733003272, - "narHash": "sha256-ratU5qCcRuOojgPWM90gda4qrxukNqbyFi+kan2Ln04=", + "lastModified": 1734041466, + "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=", "owner": "astro", "repo": "microvm.nix", - "rev": "e8d5f12b834a59187c7ec147a8952a0567f97939", -======= - "lastModified": 1733796600, - "narHash": "sha256-scaQMTs4NnGkd9SZWROr5m0vOZIIhRkk5N7Q+S9zhXQ=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "e08aed6e3a32e47e21e57bd2791326ea3f7647be", ->>>>>>> 72ab98e ([nixpkgs] update microvm) + "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3", "type": "github" }, "original": { @@ -132,11 +124,11 @@ }, "nixlib": { "locked": { - "lastModified": 1733015484, - "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", + "lastModified": 1733620091, + "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", + "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b", "type": "github" }, "original": { 
@@ -153,11 +145,11 @@ ] }, "locked": { - "lastModified": 1733101779, - "narHash": "sha256-Qqnfnb/RFxBbD25UYJ/yibvl9kIZNK5WkyLsUcb2byk=", + "lastModified": 1733965598, + "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "a471acc460d4c238936a5116c8cc48a3c431dd66", + "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f", "type": "github" }, "original": { @@ -168,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733139194, - "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=", + "lastModified": 1733861262, + "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88", + "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", "type": "github" }, "original": { @@ -200,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1733015953, - "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "lastModified": 1733759999, + "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", "type": "github" }, "original": { @@ -216,11 +208,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1732981179, - "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=", + "lastModified": 1733808091, + "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65", + "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", "type": "github" }, "original": { 
@@ -253,11 +245,11 @@ ] }, "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "type": "github" }, "original": { -- 2.51.2