diff --git a/.gitignore b/.gitignore index a2fa571..8bea5d2 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ result .direnv/ book/ fanny-efi-vars.fd +nix-store-overlay.img diff --git a/flake.lock b/flake.lock index dcad527..9d20960 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1736905611, - "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=", + "lastModified": 1739104176, + "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=", "owner": "astro", "repo": "microvm.nix", - "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b", + "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2", "type": "github" }, "original": { @@ -160,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736978406, - "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b678606690027913f3434dea3864e712b862dde5", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -192,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { 
@@ -208,11 +208,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736916166, - "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", + "lastModified": 1739206421, + "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", + "rev": "44534bc021b85c8d78e465021e21f33b856e2540", "type": "github" }, "original": { @@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1737107480, - "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 560284a..c919312 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml 
@@ -8,10 +8,12 @@ keys: - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp + - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr + - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h + - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf - - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk + - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng creation_rules: diff --git a/machines/configuration.nix b/machines/configuration.nix deleted file mode 100644 index 0e7fd4b..0000000 --- a/machines/configuration.nix +++ /dev/null 
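Review bot: The rotated recipients for `machine_durruti`, `machine_fanny` and `machine_nextcloud` only take effect once each host's secrets file is re-encrypted to the new key; this part of the diff re-wraps `machines/fanny/secrets.yaml` and `machines/nextcloud/secrets.yaml`, but no durruti secrets file appears here, so confirm `sops updatekeys` was run for it (and for whichever files the new `machine_infradocs`/`machine_overwatch` keys are meant to decrypt — the `creation_rules` that bind them start just past the end of this hunk) or those hosts would be unable to decrypt at activation. Re-wrapping with updatekeys keeps the existing data key — the `mac` and `lastmodified` of fanny's secrets.yaml are unchanged in this diff — so if any old key was replaced because it may have been exposed, the secret values themselves need rotating as well, not only the recipient list. The retired recipients also remain able to decrypt every earlier revision in git history. A short comment above the list recording when and why keys are rotated would help future reviewers, e.g. `# rotated <date>: durruti/fanny/nextcloud re-keyed, infradocs/overwatch added; run `sops updatekeys` on every affected secrets.yaml`.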
@@ -1,198 +0,0 @@ -{ self -, nixpkgs-unstable -, nixpkgs -, sops-nix -, inputs -, nixos-hardware -, home-manager -, ... -}: -let - nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; - nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem; - - baseModules = [ - # make flake inputs accessiable in NixOS - { _module.args.inputs = inputs; } - { - imports = [ - ({ pkgs, ... }: { - nix = { - extraOptions = '' - experimental-features = nix-command flakes - ''; - - settings = { - substituters = [ - "https://cache.dynamicdiscord.de" - "https://cache.nixos.org/" - ]; - trusted-public-keys = [ - "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4=" - ]; - trusted-users = [ "root" "@wheel" ]; - }; - }; - }) - - sops-nix.nixosModules.sops - ]; - } - ]; - defaultModules = baseModules; - - makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ - inputs.microvm.nixosModules.microvm - { - microvm = { - hypervisor = "cloud-hypervisor"; - mem = 2560; - shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - socket = "store.socket"; - } - { - source = "/var/lib/microvms/${hostName}/etc"; - mountPoint = "/etc"; - tag = "etc"; - proto = "virtiofs"; - socket = "etc.socket"; - } - { - source = "/var/lib/microvms/${hostName}/var"; - mountPoint = "/var"; - tag = "var"; - proto = "virtiofs"; - socket = "var.socket"; - } - ]; - - interfaces = [ - { - type = "tap"; - id = "vm-${hostName}"; - mac = "${macAddr}"; - } - ]; - }; - - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = [ "${ipv4Addr}/24" ]; - Gateway = "10.0.0.1"; - DNS = ["1.1.1.1"]; - DHCP = "no"; - }; - }; - } - ] ++ defaultModules ++ modules; - - inputsMod = inputs // { malobeo = self; }; -in -{ - louise = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - modules = defaultModules ++ [ - 
./louise/configuration.nix - ]; - }; - - bakunin = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - modules = defaultModules ++ [ - ./bakunin/configuration.nix - inputs.disko.nixosModules.disko - ]; - }; - - lucia = nixosSystem { - system = "aarch64-linux"; - specialArgs.inputs = inputs; - modules = defaultModules ++ [ - ./lucia/configuration.nix - ./lucia/hardware_configuration.nix - ]; - }; - - fanny = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputsMod; - modules = defaultModules ++ [ - self.nixosModules.malobeo.vpn - ./fanny/configuration.nix - ]; - }; - - durruti = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [ - ./durruti/configuration.nix - ]; - }; - - vpn = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [ - self.nixosModules.malobeo.vpn - ./vpn/configuration.nix - ]; - }; - - infradocs = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [ - self.nixosModules.malobeo.vpn - ./infradocs/configuration.nix - ]; - }; - - uptimekuma = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [ - ./uptimekuma/configuration.nix - ]; - }; - - nextcloud = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [ - ./nextcloud/configuration.nix - ]; - }; - - overwatch = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "overwatch" "10.0.0.14" "D0:E5:CA:F0:D7:E0" [ - 
./overwatch/configuration.nix - ]; - }; - - testvm = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = defaultModules ++ [ ./testvm ]; - }; - -} diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 6c19159..075db24 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -13,12 +13,20 @@ in ../modules/sshd.nix ../modules/minimal_tools.nix ../modules/autoupdate.nix + inputs.self.nixosModules.malobeo.vpn inputs.self.nixosModules.malobeo.initssh inputs.self.nixosModules.malobeo.disko inputs.self.nixosModules.malobeo.microvm inputs.self.nixosModules.malobeo.metrics ]; + virtualisation.vmVariantWithDisko = { + virtualisation = { + memorySize = 4096; + cores = 3; + }; + }; + malobeo.metrics = { enable = true; enablePromtail = true; @@ -50,11 +58,17 @@ in disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381"; }; storage = { + enable = true; disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"]; mirror = true; }; }; + systemd.tmpfiles.rules = [ + "L /var/lib/microvms/data - - - - /data/microvms" + "d /data/microvms 0755 root root" #not needed for real host? + ]; + malobeo.initssh = { enable = true; authorizedKeys = sshKeys.admins; @@ -71,6 +85,12 @@ in services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ]; networking = { + nat = { + enable = true; + externalInterface = "enp1s0"; + internalInterfaces = [ "microvm" ]; + }; + firewall = { allowedTCPPorts = [ 80 ]; }; diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index 195e7bc..37dfc12 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
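Review bot: The tmpfiles rule `"d /data/microvms 0755 root root" #not needed for real host?` ships an unresolved question in the second hunk of `machines/fanny/configuration.nix`; the disko change in this same commit creates an `encrypted/data/microvms` dataset with `mountpoint = "/data/microvms"` when `storage.enable = true`, which this file now sets, so on the real host the directory should be provided by the mount and the `d` line presumably only matters for the VM variant where `malobeo.disks` is forced off. Either drop the line or replace the question with a statement, e.g. `# only needed in the VM variant (disko disabled); on the real host /data/microvms is the zfs dataset`. The `L /var/lib/microvms/data - - - - /data/microvms` symlink is only useful once that dataset is mounted, so it is worth confirming the microvm units order after the zfs mount; the surrounding `malobeo.disks` and `networking` blocks continue outside the hunk.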
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh - cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy - WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK - RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL - 2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE + MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1 + MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls + TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE + pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK - U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX - eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS - cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/ - MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp + S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi + QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy + QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP + SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8 - 5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO - 8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN - zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA - cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O - /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24 - 9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict - iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k - UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p - Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N - J+o9dahBHvIF - =GKm4 + hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ + ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3 + RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb + ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht + CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga + yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3 + Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ + HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e + JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6 + 7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz + NJMDln08MWwr + =hhKC -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs - W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF - e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR - GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q - yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM - wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap - FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT - cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul - QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2 - MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB - 5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS - WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw - CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE= - =9FN4 + hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7 + Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt + 2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca + I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd + /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk + hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d + eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk + nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2 + Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq + Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib + uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS + WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1 + /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8= + =Sdch -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted diff --git a/machines/hosts.nix b/machines/hosts.nix new file mode 100644 index 0000000..f780fc3 --- /dev/null +++ b/machines/hosts.nix 
@@ -0,0 +1,75 @@ +{ ... }: + +{ + malobeo = { + hosts = { + louise = { + type = "host"; + }; + + bakunin = { + type = "host"; + }; + + fanny = { + type = "host"; + }; + + lucia = { + type = "rpi"; + }; + + durruti = { + type = "microvm"; + network = { + address = "10.0.0.5"; + mac = "52:DA:0D:F9:EF:F9"; + }; + }; + + vpn = { + type = "microvm"; + network = { + address = "10.0.0.10"; + mac = "D0:E5:CA:F0:D7:E6"; + }; + }; + + infradocs = { + type = "microvm"; + network = { + address = "10.0.0.11"; + mac = "D0:E5:CA:F0:D7:E7"; + }; + }; + + uptimekuma = { + type = "microvm"; + network = { + address = "10.0.0.12"; + mac = "D0:E5:CA:F0:D7:E8"; + }; + }; + + nextcloud = { + type = "microvm"; + network = { + address = "10.0.0.13"; + mac = "D0:E5:CA:F0:D7:E9"; + }; + }; + + overwatch = { + type = "microvm"; + network = { + address = "10.0.0.14"; + mac = "D0:E5:CA:F0:D7:E0"; + }; + }; + + testvm = { + type = "host"; + }; + }; + }; +} diff --git a/machines/infradocs/configuration.nix b/machines/infradocs/configuration.nix index fece076..d1cc2fa 100644 --- a/machines/infradocs/configuration.nix +++ b/machines/infradocs/configuration.nix @@ -9,7 +9,7 @@ with lib; }; imports = [ - self.nixosModules.malobeo.metrics + inputs.malobeo.nixosModules.malobeo.metrics ../durruti/documentation.nix ../modules/malobeo_user.nix ../modules/sshd.nix diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix index 7184763..3688f84 100644 --- a/machines/lucia/configuration.nix +++ b/machines/lucia/configuration.nix @@ -6,6 +6,7 @@ in { imports = [ # Include the results of the hardware scan. + ./hardware_configuration.nix ../modules/malobeo_user.nix ]; diff --git a/machines/modules/disko/btrfs-laptop.nix b/machines/modules/disko/btrfs-laptop.nix deleted file mode 100644 index eef6931..0000000 --- a/machines/modules/disko/btrfs-laptop.nix +++ /dev/null 
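Review bot: `machines/hosts.nix` defines the schema the rest of this commit keys off — in `host_builder.nix`, `type == "rpi"` selects `aarch64-linux`, `type == "microvm"` selects `makeMicroVM`, and `network.address`/`network.mac` are read unconditionally for microvm hosts — but the file carries no comment describing the accepted values or which fields are required. Suggest a header comment on the `malobeo.hosts` attrset: `# type: "host" (x86_64 NixOS), "rpi" (aarch64-linux) or "microvm" (built via makeMicroVM; network.address and network.mac are required)`. The addresses and MACs are copied from the deleted `machines/configuration.nix`, so a one-line note that each `address`/`mac` pair must stay unique across microvm hosts would help prevent a copy-paste collision when the next host is added.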
@@ -1,63 +0,0 @@ -{ config, self, inputs, ... }: - -{ - imports = [ - inputs.disko.nixosModules.disko - ]; - - # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix - disko.devices = { - disk = { - main = { - type = "disk"; - # When using disko-install, we will overwrite this value from the commandline - device = "/dev/disk/by-id/some-disk-id"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - passwordFile = /tmp/secret.key; # Interactive - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "20M"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 2794fff..7911beb 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -102,7 +102,7 @@ in mountOptions = [ "umask=0077" ]; }; }; - encryptedSwap = { + encryptedSwap = lib.mkIf cfg.encryption { size = cfg.root.swap; content = { type = "swap"; @@ -187,6 +187,7 @@ in postCreateHook = lib.mkIf cfg.encryption '' zfs set keylocation="prompt" zroot/encrypted; ''; + }; "encrypted/root" = { type = "zfs_fs"; 
@@ -244,13 +245,16 @@ in }; # use this to read the key during boot postCreateHook = lib.mkIf cfg.encryption '' - zfs set keylocation="prompt" storage/encrypted; + zfs set keylocation="file:///root/secret.key" storage/encrypted; ''; }; "encrypted/data" = { type = "zfs_fs"; mountpoint = "/data"; - options.mountpoint = "legacy"; + }; + "encrypted/data/microvms" = { + type = "zfs_fs"; + mountpoint = "/data/microvms"; }; reserved = { # for cow delete if pool is full @@ -267,7 +271,7 @@ in }; boot.zfs.devNodes = lib.mkDefault cfg.devNodes; - + boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ]; fileSystems."/".neededForBoot = true; fileSystems."/etc".neededForBoot = true; fileSystems."/boot".neededForBoot = true; diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix new file mode 100644 index 0000000..c75f6f0 --- /dev/null +++ b/machines/modules/host_builder.nix 
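Review bot: Switching `storage/encrypted` to `keylocation="file:///root/secret.key"` puts the storage pool's key on disk, and nothing in the hunk documents where that file must live or who provisions it. If `/root` is on `zroot/encrypted`, which the earlier hunk in this file keeps at `keylocation="prompt"`, the key file is at rest under the root passphrase and the pool can unlock once root is open; if `/root` were on an unencrypted dataset the key would be plaintext on disk — I cannot tell from this hunk which applies. Suggest a comment above the hook: `# key file is expected on the passphrase-protected root dataset, root:root 0600; disko does not create it`. Also confirm what the `boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ]` import added in the last hunk does when the key file is absent on first boot, so a missing file degrades to an unmounted pool rather than a failed boot.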
@@ -0,0 +1,250 @@ +{ self +, nixpkgs-unstable +, nixpkgs +, sops-nix +, inputs +, hosts +, ... +}: +let + pkgs = nixpkgs.legacyPackages."x86_64-linux"; +in +rec { + nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; + nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem; + + baseModules = [ + # make flake inputs accessiable in NixOS + { _module.args.inputs = inputs; } + { + imports = [ + ({ pkgs, ... }: { + nix = { + extraOptions = '' + experimental-features = nix-command flakes + ''; + + settings = { + substituters = [ + "https://cache.dynamicdiscord.de" + "https://cache.nixos.org/" + ]; + trusted-public-keys = [ + "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4=" + ]; + trusted-users = [ "root" "@wheel" ]; + }; + }; + }) + + sops-nix.nixosModules.sops + ]; + } + ]; + defaultModules = baseModules; + + makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ + { + microvm = { + hypervisor = "cloud-hypervisor"; + mem = 2560; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "store"; + proto = "virtiofs"; + socket = "store.socket"; + } + { + source = "/var/lib/microvms/${hostName}/etc"; + mountPoint = "/etc"; + tag = "etc"; + proto = "virtiofs"; + socket = "etc.socket"; + } + { + source = "/var/lib/microvms/${hostName}/var"; + mountPoint = "/var"; + tag = "var"; + proto = "virtiofs"; + socket = "var.socket"; + } + { + source = "/var/lib/microvms/data/${hostName}"; + mountPoint = "/data"; + tag = "data"; + proto = "virtiofs"; + socket = "microdata.socket"; + } + ]; + + interfaces = [ + { + type = "tap"; + id = "vm-${hostName}"; + mac = "${macAddr}"; + } + ]; + }; + + systemd.network.enable = true; + + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = [ "${ipv4Addr}/24" ]; + Gateway = "10.0.0.1"; + DNS = ["1.1.1.1"]; + DHCP = "no"; + }; + }; + } + ] ++ defaultModules ++ modules; + + inputsMod = inputs // { malobeo = 
self; }; + + + vmMicroVMOverwrites = hostname: options: { + microvm = rec { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; + + + #needed for hosts that deploy imperative microvms (for example fanny) + writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; + volumes = pkgs.lib.mkIf options.writableStore [ { + image = "nix-store-overlay.img"; + mountPoint = writableStoreOverlay; + size = 2048; + } ]; + + shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + securityModel = "mapped"; + mountPoint = "/var"; + tag = "var"; + } + ]); + + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); + + #if networking is disabled forward port 80 to still have access to webservices + forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ + { from = "host"; host.port = options.fwdPort; guest.port = 80; } + ]); + + }; + + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; + + # prometheus uses a memory mapped file which doesnt seem supported by 9p shares + # therefore we mount a tmpfs inside the datadir + "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { + fsType = pkgs.lib.mkForce "tmpfs"; + }); + }; + + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; + users.users.root.password = ""; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. 
+ ''; + }; + + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ../secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + vmNestedMicroVMOverwrites = host: sopsDummy: { + + services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; + microvm.vms = + let + # Map the values to each hostname to then generate an Attrset using listToAttrs + mapperFunc = name: { inherit name; value = { + specialArgs.inputs = inputsMod; + specialArgs.self = self; + config = { + imports = (makeMicroVM "${name}" + "${hosts.malobeo.hosts.${name}.network.address}" + "${hosts.malobeo.hosts.${name}.network.mac}" [ + ../${name}/configuration.nix + (vmMicroVMOverwrites name { + withNetworking = true; + varPath = ""; + writableStore = false; }) + (if sopsDummy then (vmSopsOverwrites name) else {}) + ]); + }; + }; }; + in + builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); + }; + + buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites host { + withNetworking = networking; + varPath = "${varPath}"; + writableStore = writableStore; + fwdPort = fwdPort; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) + ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ + inputs.microvm.nixosModules.microvm + ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? 
services.malobeo.microvm.deployHosts) [ + (vmNestedMicroVMOverwrites host sopsDummy) + ]; + }); + + buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { + system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; + specialArgs.inputs = inputsMod; + specialArgs.self = self; + modules = (if (settings.type != "microvm") then + defaultModules ++ [ ../${host}/configuration.nix ] + else + makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ + inputs.microvm.nixosModules.microvm + ../${host}/configuration.nix + ]); + }) hosts); +} diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix index 8286084..6a68622 100644 --- a/machines/modules/malobeo/initssh.nix +++ b/machines/modules/malobeo/initssh.nix @@ -30,9 +30,7 @@ in loader.efi.canTouchEfiVariables = true; supportedFilesystems = [ "vfat" "zfs" ]; zfs = { - forceImportAll = true; requestEncryptionCredentials = true; - }; initrd = { availableKernelModules = cfg.ethernetDrivers; diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix index 787cabf..febf4c5 100644 --- a/machines/modules/malobeo/peers.nix +++ b/machines/modules/malobeo/peers.nix @@ -30,6 +30,13 @@ publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y="; }; + "hetzner" = { + role = "client"; + address = [ "10.100.0.6/24" ]; + allowedIPs = [ "10.100.0.6/32" ]; + publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ="; + }; + "fanny" = { role = "client"; address = [ "10.100.0.101/24" ]; diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index 88939dc..a2cacdf 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix 
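Review bot: In `vmMicroVMOverwrites`, `options.fwdPort` is read without a default, but `vmNestedMicroVMOverwrites` calls it with an attrset that carries no `fwdPort`; today that only works because `!options.withNetworking && …` short-circuits on `withNetworking = true`, so any caller passing `withNetworking = false` without `fwdPort` would fail with a missing-attribute error. Use `(options.fwdPort or 0) != 0` in that `mkIf` condition so the guard is robust to the shorter attrset. Relatedly, `users.users.root.password = "";` and the empty-password getty hint apply to every VM variant, including ones built with `withNetworking = true` that keep the tap interface from `makeMicroVM`; if such a VM can be attached to the host's bridge, consider limiting the empty password to the user-mode-networking case, `users.users.root.password = pkgs.lib.mkIf (!options.withNetworking) "";`, or documenting why it is acceptable. Style: `buildVM` takes seven positional arguments (`host networking sopsDummy disableDisko varPath writableStore fwdPort`), which is easy to mis-order at call sites; an attrset with named fields and defaults, as `vmMicroVMOverwrites` already takes, would be clearer. `vmSopsOverwrites` installs the repository-tracked `../secrets/devkey_ed25519` as the SSH host key; a comment stating that this key is a non-secret test key and is only ever wired in when `sopsDummy` is true would keep a future maintainer from reusing it elsewhere.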
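Review bot: The second removed line in the `boot.zfs` block of `machines/modules/malobeo/initssh.nix` is, as far as the collapsed rendering shows, the `};` that closed `zfs = {` after `requestEncryptionCredentials = true;`; removing it would leave `initrd = {` nested under `boot.zfs`, which has no such option. If the file still evaluates after this change the brace must have been closing something else, so please confirm with an evaluation of the hosts that import this module, since the enclosing `boot` block continues outside the hunk. Dropping `forceImportAll = true` is fine on its own and, as I understand the option, stops pools that appear in use by another system from being force-imported at boot.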
@@ -37,6 +37,7 @@ with lib; hostName = "cloud.malobeo.org"; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; #https = true; #disable for testing + datadir = "/data/services/nextcloud/"; database.createLocally = true; config.dbtype = "pgsql"; configureRedis = true; @@ -46,7 +47,7 @@ with lib; }; extraAppsEnable = true; extraApps = { - inherit (config.services.nextcloud.package.packages.apps) contacts calendar; + inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls; collectives = pkgs.fetchNextcloudApp { sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY="; url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz"; @@ -55,6 +56,12 @@ with lib; }; settings = { trusted_domains = ["10.0.0.13"]; + "maintenance_window_start" = "1"; + "default_phone_region" = "DE"; + }; + phpOptions = { + "realpath_cache_size" = "0"; + "opcache.interned_strings_buffer" = "23"; }; }; diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml index 0327a08..01c7c15 100644 --- a/machines/nextcloud/secrets.yaml +++ b/machines/nextcloud/secrets.yaml 
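Review bot: `datadir = "/data/services/nextcloud/"` in the first hunk moves Nextcloud's data onto the `/data` share that `makeMicroVM` in `host_builder.nix` now mounts from the host, but nothing records whether an existing instance's data at the previous location has to be migrated first, or what ownership the share presents to the nextcloud user; a comment such as `# lives on the /data virtiofs share from the host (/var/lib/microvms/data/nextcloud); move existing data here before switching` would capture both. In the third hunk, `"realpath_cache_size" = "0"` and `"opcache.interned_strings_buffer" = "23"` are tuning knobs with no rationale; please add a why-comment, in particular whether disabling the realpath cache is a workaround for the share. The `#https = true; #disable for testing` context line above `datadir` suggests this host is still in a test configuration, so a `TODO` next to it would make the intended production state explicit.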
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp - Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh - SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1 - aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW - WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5 + UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH + bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt + R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W + EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg== -----END AGE ENCRYPTED FILE----- - - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6 - cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt - aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO - WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC - 9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K + TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp + U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F + M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm + FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W - GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl - 8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs - NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV - cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb - CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb - nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj - wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO - TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2 - 46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m - bUOvx3Ho80EC - =oQd6 + hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS + jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu + DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko + gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1 + 92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72 + AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V + bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g + akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA + yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C + w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB + vkt9aLXFepLl + =4LVt -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY - r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn - 59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM - FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat - QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL - qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0 - MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6 - 7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc - oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX - or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3 - BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS - WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj - 8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k= - =s9pl + hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz + zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8 + +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h + bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv + aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA + SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+ + TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj + 0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp + YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO + B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq + AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS + WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN + Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc= + =/V5O -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted 
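Review bot: Swapping the age recipient `age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr` for `age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk` re-wraps the data key but leaves the payload untouched (the `mac:` and `lastmodified:` lines are unchanged context), so anyone holding the old recipient key can still decrypt exactly these values from git history. If the old key was retired because it may have been exposed, re-encryption alone does not revoke access; the underlying secrets (at least the admin password behind `nextcloudAdminPass`, referenced in `machines/nextcloud/configuration.nix`) should also be rotated, which would change the `mac:` line. If this is a routine re-key, a sentence in the commit message saying so would spare the next reader this question.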
diff --git a/machines/testvm/default.nix b/machines/testvm/configuration.nix similarity index 98% rename from machines/testvm/default.nix rename to machines/testvm/configuration.nix index b338fbc..003a017 100644 --- a/machines/testvm/default.nix +++ b/machines/testvm/configuration.nix @@ -24,7 +24,7 @@ in malobeo.disks = { enable = true; - encryption = false; + encryption = true; hostId = "83abc8cb"; devNodes = "/dev/disk/by-path/"; root = { diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix index 82914b4..6caeed1 100644 --- a/machines/vpn/configuration.nix +++ b/machines/vpn/configuration.nix @@ -17,6 +17,7 @@ with lib; }; imports = [ + inputs.self.nixosModules.malobeo.vpn ../modules/malobeo_user.nix ../modules/sshd.nix ../modules/minimal_tools.nix diff --git a/outputs.nix b/outputs.nix index 9cfbf03..c8dac17 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -15,86 +15,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}"; - vmMicroVMOverwrites = hostname: options: { - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce ([ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] ++ pkgs.lib.optionals (options.varPath != "") [ - { - source = "${options.varPath}"; - securityModel = "mapped"; - mountPoint = "/var"; - tag = "var"; - } - ]); - interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]); - }; - - fileSystems = { - "/".fsType = pkgs.lib.mkForce "tmpfs"; - - # prometheus uses a memory mapped file which doesnt seem supported by 9p shares - # therefore we mount a tmpfs inside the datadir - "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { - fsType = pkgs.lib.mkForce "tmpfs"; - }); - }; - - boot.isContainer = pkgs.lib.mkForce false; - services.timesyncd.enable = false; - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. 
- ''; - }; - - vmDiskoOverwrites = { - boot.initrd = { - secrets = pkgs.lib.mkForce {}; - network.ssh.enable = pkgs.lib.mkForce false; - }; - - malobeo.disks.enable = pkgs.lib.mkForce false; - networking.hostId = "a3c3101f"; - }; - - vmSopsOverwrites = host: { - sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ./machines/secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - }; - - buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules { - modules = [ - (vmMicroVMOverwrites host { withNetworking = networking; varPath = "${varPath}"; }) - (if sopsDummy then (vmSopsOverwrites host) else {}) - (if disableDisko then vmDiskoOverwrites else {}) - ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; + hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; }); in { devShells.default = @@ -130,7 +52,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems scripts.run-vm = self.packages.${system}.run-vm; }; - vmBuilder = buildVM; + vmBuilder = utils.buildVM; packages = { docs = pkgs.stdenv.mkDerivation { 
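Review bot: The new `let` binding `utils = import ./machines/modules/host_builder.nix …` shadows the flake-utils input that the enclosing `utils.lib.eachSystem` call in the hunk header refers to, so `utils` means two different things depending on which scope a reader is in; a distinct name such as `hostBuilder` would remove the ambiguity. The same two lines are repeated verbatim in the `@@ -229,11 +98,13 @@` hunk for the non-per-system outputs; hoisting `hosts` and the builder into the file's top-level `let` (which starts outside this hunk) would keep a single definition. `self = self;` can be written `inherit self;`, or folded into the existing `inherit inputs;` as `inherit inputs self;`.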
@@ -150,60 +72,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems ''; }; - run-vm = pkgs.writeShellScriptBin "run-vm" '' - usage() { - echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]" - echo "ATTENTION: This script must be run from the flakes root directory" - echo "--networking setup interfaces. requires root and hostbridge enabled on the host" - echo "--dummy-secrets run vm with dummy sops secrets" - echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny" - echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate" - exit 1 - } - - # check at least one arg was given - if [ "$#" -lt 1 ]; then - usage - fi - - HOSTNAME=$1 - - # Optionale Argumente - NETWORK=false - DUMMY_SECRETS=false - NO_DISKO=false - VAR_PATH="" - - # check argws - shift - while [[ "$#" -gt 0 ]]; do - case $1 in - --networking) NETWORK=true ;; - --dummy-secrets) DUMMY_SECRETS=true ;; - --no-disko) NO_DISKO=true ;; - --var) - if [[ -n "$2" && ! "$2" =~ ^- ]]; then - VAR_PATH="$2" - shift - else - echo "Error: --var requires a non-empty string argument." - usage - fi - ;; - *) echo "Unknown argument: $1"; usage ;; - esac - shift - done - echo "starting host $HOSTNAME" - echo "enable networking: $NETWORK" - echo "deploy dummy secrets: $DUMMY_SECRETS" - echo "disable disko and initrd secrets: $NO_DISKO" - if [ -n "$VAR_PATH" ]; then - echo "sharing var directory: $VAR_PATH" - fi - - ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\")" - ''; + run-vm = pkgs.writeShellScriptBin "run-vm" (builtins.readFile ./scripts/run-vm.sh); }; apps = { 
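Review bot: `run-vm = pkgs.writeShellScriptBin "run-vm" (builtins.readFile ./scripts/run-vm.sh);` loses the `${pkgs.nix}/bin/nix` interpolation the removed inline script had; `builtins.readFile` performs no substitution, so the script in `scripts/run-vm.sh` now runs whatever `nix` is on the caller's PATH. If a pinned nix is wanted, `pkgs.writeShellApplication { name = "run-vm"; runtimeInputs = [ pkgs.nix ]; text = builtins.readFile ./scripts/run-vm.sh; }` puts `pkgs.nix` on PATH, adds `set -o errexit -o nounset -o pipefail`, and runs shellcheck at build time (which may ask for a few quoting fixes in the script). The `packages` attrset this hunk edits starts and ends outside it.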
@@ -229,11 +98,13 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }; }; - })) // { - nixosConfigurations = import ./machines/configuration.nix (inputs // { - inherit inputs; - self = self; - }); + })) // ( + let + hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; }); + in + { + nixosConfigurations = utils.buildHost hosts.malobeo.hosts; nixosModules.malobeo = { host.imports = [ ./machines/durruti/host_config.nix ]; @@ -255,4 +126,4 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations ); -} +}) diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index 07331a8..277f519 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh @@ -37,9 +37,11 @@ trap cleanup EXIT # Create the directory where sshd expects to find the host keys install -d -m755 "$temp/etc/ssh/" +install -d -m755 "$temp/root/" diskKey=$(sops -d machines/$hostname/disk.key) echo "$diskKey" > /tmp/secret.key +echo "$diskKey" > $temp/root/secret.key ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N "" ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N "" diff --git a/scripts/run-vm.sh b/scripts/run-vm.sh new file mode 100644 index 0000000..3968cdd --- /dev/null +++ b/scripts/run-vm.sh 
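Review bot: `echo "$diskKey" > $temp/root/secret.key` creates the disk-encryption key file with the process umask (typically 0644) inside a directory that `install -d -m755 "$temp/root/"` makes world-traversable, so unless `$temp` itself was created 0700 (outside the hunk) the key is readable by other local users until `cleanup` runs. Write it under a restrictive umask, e.g. `(umask 077; echo "$diskKey" > "$temp/root/secret.key")`, or pre-create it with `install -m600 /dev/null "$temp/root/secret.key"`, and give the directory `-m700` as is customary for `/root` if this tree is copied onto the target. `$temp` is also unquoted in the new redirect while the `install -d` line quotes it. The pre-existing copy to `/tmp/secret.key` has the same exposure but is not part of this change.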
@@ -0,0 +1,67 @@
+usage() {
+ echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]"
+ echo "ATTENTION: This script must be run from the flakes root directory"
+ echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
+ echo "--dummy-secrets run vm with dummy sops secrets"
+ echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
+ echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
+ echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+ echo "--fwd-port forwards the given port to port 80 on vm"
+ exit 1
+}
+
+# check at least one arg was given
+if [ "$#" -lt 1 ]; then
+ usage
+fi
+
+HOSTNAME=$1
+
+# Optionale Argumente
+NETWORK=false
+DUMMY_SECRETS=false
+NO_DISKO=false
+RW_STORE=false
+VAR_PATH=""
+FWD_PORT=0
+
+# check argws
+shift
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ --networking) NETWORK=true ;;
+ --dummy-secrets) DUMMY_SECRETS=true ;;
+ --no-disko) NO_DISKO=true ;;
+ --writable-store) RW_STORE=true ;;
+ --var)
+ if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+ VAR_PATH="$2"
+ shift
+ else
+ echo "Error: --var requires a non-empty string argument."
+ usage
+ fi
+ ;;
+ --fwd-port)
+ if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+ FWD_PORT="$2"
+ shift
+ else
+ echo "Error: --var requires a non-empty string argument."
+ usage
+ fi
+ ;;
+ *) echo "Unknown argument: $1"; usage ;;
+ esac
+ shift
+done
+echo "starting host $HOSTNAME"
+echo "enable networking: $NETWORK"
+echo "deploy dummy secrets: $DUMMY_SECRETS"
+echo "disable disko and initrd secrets: $NO_DISKO"
+echo "use writable store: $RW_STORE"
+if [ -n "$VAR_PATH" ]; then
+ echo "sharing var directory: $VAR_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 2c5cea3..347f260 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -23,18 +23,14 @@ echo if [ $# = 1 ] then diskkey=$(sops -d machines/$HOSTNAME/disk.key)
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root elif [ $# = 2 ] then diskkey=$(sops -d machines/$HOSTNAME/disk.key) IP=$2
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
- + else echo echo "Unlock the root disk on a remote host."
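Review bot: The `--fwd-port` error branch prints `Error: --var requires a non-empty string argument.`, a copy of the `--var` message, so a user who omits the port is told about the wrong flag. The accepted value is also only checked for not starting with `-`, yet it is spliced unquoted into the `nix run --expr` string as `$FWD_PORT`, so anything non-numeric surfaces as a Nix evaluation error instead of a usage message; `if [[ "$2" =~ ^[0-9]+$ ]]; then` together with `echo "Error: --fwd-port requires a numeric port argument."` fixes both. The `usage()` synopsis line still lists only `--networking`, `--dummy-secrets` and `--no-disko`, leaving `--writable-store`, `--var` and `--fwd-port` undocumented there. `FWD_PORT` is the one setting not echoed alongside the others before the `nix run` call.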