From 1d62b2065f11773480efda19533ae815f8528a64 Mon Sep 17 00:00:00 2001 From: catvayor Date: Tue, 18 Jun 2024 09:47:57 +0200 Subject: [PATCH] nixos on watcher --- hive.nix | 54 ++++++- machines/kat-r86s/configuration.nix | 34 ++++- machines/kat-watcher/default.nix | 138 ++++++++++++++++++ machines/kat-watcher/disks.nix | 37 +++++ .../kat-watcher/hardware-configuration.nix | 31 ++++ modules/ssh.nix | 2 +- npins/sources.json | 28 +++- 7 files changed, 305 insertions(+), 19 deletions(-) create mode 100644 machines/kat-watcher/default.nix create mode 100644 machines/kat-watcher/disks.nix create mode 100644 machines/kat-watcher/hardware-configuration.nix diff --git a/hive.nix b/hive.nix index ed7bf87..97f28cd 100644 --- a/hive.nix +++ b/hive.nix @@ -10,6 +10,7 @@ in }; defaults = { + nodes, name, pkgs, lib, @@ -34,14 +35,13 @@ in "nixpkgs=${builtins.storePath pkgs.path}" "nixos=${builtins.storePath pkgs.path}" ]; - channel.enable = false; package = pkgs.lix; }; system.build.anywhere = pkgs.writeShellApplication { name = "anywhere-deploy_${name}.sh"; runtimeInputs = [ pkgs.nixos-anywhere ]; text = '' - nixos-anywhere --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost} + nixos-anywhere --kexec ${nodes.kat-kexec.config.system.build.kexecTarball}/${nodes.kat-kexec.config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost} ''; }; }; @@ -121,6 +121,16 @@ in ]; }; + kat-watcher = + { name, nodes, ... }: + { + deployment.targetHost = "watcher.kat"; + imports = [ + ./machines/kat-watcher + (users.root { ssh = true; }) + ]; + }; + kat-iso = { name, @@ -155,4 +165,44 @@ in services.qemuGuest.enable = true; boot.kernelParams = [ "console=ttyS0" ]; }; + + kat-kexec = + { + name, + pkgs, + modulesPath, + lib, + ... + }: + { + deployment = { + allowLocalDeployment = false; + targetHost = null; + }; + + imports = [ + ("${sources.nixos-images}/nix/kexec-installer/module.nix") + (users.root { ssh = true; }) + ]; + + networking = { + networkmanager.enable = false; + wireless.enable = false; + }; + console.keyMap = "fr"; + + environment.systemPackages = with pkgs; [ + perl + git + ]; + programs.zsh.enable = true; + services.openssh.enable = true; + services.qemuGuest.enable = true; + boot.kernelParams = [ "console=ttyS0" ]; + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + boot.supportedFilesystems = { + bcachefs = true; + zfs = lib.mkForce false; + }; + }; } diff --git a/machines/kat-r86s/configuration.nix b/machines/kat-r86s/configuration.nix index 1a2a0b2..9486dce 100644 --- a/machines/kat-r86s/configuration.nix +++ b/machines/kat-r86s/configuration.nix @@ -114,6 +114,10 @@ recommendedProxySettings = true; proxyPass = "http://192.168.122.2/"; }; + "traque.katvayor.net".locations."/" = { + recommendedProxySettings = true; + proxyPass = "http://192.168.122.4/"; + }; }; streamConfig = '' upstream kat-virt { @@ -123,18 +127,32 @@ listen 22000; proxy_pass kat-virt; } + upstream kat-traque { + server 192.168.122.4:22; + } + server { + listen 22001; + proxy_pass kat-virt; + } ''; }; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 22 - 53 - 80 - 443 - 22000 - ]; - networking.firewall.allowedUDPPorts = [ 67 ]; + networking.firewall = { + allowedTCPPorts = [ + 22 + 53 + 80 + 443 + ]; + allowedTCPPortRanges = [ + { + from = 22000; + to = 22100; + } + ]; + allowedUDPPorts = [ 67 ]; + }; # Or disable the firewall altogether. # networking.firewall.enable = false; diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix new file mode 100644 index 0000000..6b68d5d --- /dev/null +++ b/machines/kat-watcher/default.nix @@ -0,0 +1,138 @@ +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + ./hardware-configuration.nix + ./disks.nix + ]; + + boot = { + loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + }; + supportedFilesystems = [ "bcachefs" ]; + kernelPackages = pkgs.linuxPackages_latest; + }; + + time.timeZone = "Europe/Paris"; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network = { + enable = true; + networks."10-ens3" = { + name = "ens3"; + address = [ + "51.83.69.54/32" + "2001:41d0:305:2100::5c52/56" + ]; + routes = [ + { Destination = "51.83.68.1/32"; } + { + Destination = "213.186.33.99/32"; + Gateway = "51.83.68.1"; + } + { Gateway = "51.83.68.1"; } + { Gateway = "2001:41d0:305:2100::1"; } + ]; + dns = [ "213.186.33.99" ]; + }; + }; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "fr"; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "root@katvayor.net"; + }; + services.nginx = { + enable = true; + virtualHosts = { + "degette.katvayor.net" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyPass = "http://100.102.49.84/"; + }; + }; + "traque.katvayor.net" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyPass = "http://100.102.49.84/"; + }; + }; + }; + streamConfig = '' + upstream kat-virt { + server 100.102.49.84:22000; + } + server { + listen 22000; + proxy_pass kat-virt; + } + upstream kat-traque { + server 100.102.49.84:22001; + } + server { + listen 22001; + proxy_pass kat-virt; + } + ''; + }; + + services.dbus.packages = with pkgs; [ dconf ]; + + programs.zsh.enable = true; + + environment.systemPackages = with pkgs; [ + wget + nix-search-cli + git + btop + ranger + screen + ]; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + services.openssh.enable = true; + + services.netbird.enable = true; + networking = { + nftables.enable = true; + firewall = { + allowedTCPPorts = [ + 22 + 80 + 443 + ]; + allowedTCPPortRanges = [ + { + from = 22000; + to = 22100; + } + ]; + }; + }; + + system.stateVersion = "23.11"; +} diff --git a/machines/kat-watcher/disks.nix b/machines/kat-watcher/disks.nix new file mode 100644 index 0000000..6463c76 --- /dev/null +++ b/machines/kat-watcher/disks.nix @@ -0,0 +1,37 @@ +{ + disko.devices = { + disk = { + sda = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + type = "EF02"; + size = "1M"; + priority = 1; + }; + ESP = { + type = "EF00"; + size = "100M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "bcachefs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/machines/kat-watcher/hardware-configuration.nix b/machines/kat-watcher/hardware-configuration.nix new file mode 100644 index 0000000..b3c9ce2 --- /dev/null +++ b/machines/kat-watcher/hardware-configuration.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/ssh.nix b/modules/ssh.nix index 6811f45..2413be1 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix @@ -10,7 +10,7 @@ }; "watcher.kat" = { - user = "ubuntu"; + user = "root"; hostname = "watcher.katvayor.net"; }; "r86s.kat" = { diff --git a/npins/sources.json b/npins/sources.json index 76a22c8..40508a1 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -8,9 +8,9 @@ "repo": "agenix" }, "branch": "main", - "revision": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", - "url": "https://github.com/ryantm/agenix/archive/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9.tar.gz", - "hash": "1lpkwinlax40b7xgzspbkm9rsi4a1x48hxhixnni4irxxwnav0ah" + "revision": "3a56735779db467538fb2e577eda28a9daacaca6", + "url": "https://github.com/ryantm/agenix/archive/3a56735779db467538fb2e577eda28a9daacaca6.tar.gz", + "hash": "1h66zapc6im07k3kcgvhy3lhzahb70vd6m2ijhz4i0v6mn5l3fk9" }, "disko": { "type": "GitRelease", @@ -35,15 +35,27 @@ "repo": "home-manager" }, "branch": "master", - "revision": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9", - "url": "https://github.com/nix-community/home-manager/archive/0eb314b4f0ba337e88123e0b1e57ef58346aafd9.tar.gz", - "hash": "1fwcxx8ilkih855g2dk9n9wvhizkxy1r16x414n3rchqg8knybhw" + "revision": "0a7ffb28e5df5844d0e8039c9833d7075cdee792", + "url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz", + "hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh" + }, + "nixos-images": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "nixos-images" + }, + "branch": "main", + "revision": "42b13bbd6fce3bcf6272a6ed664a23b9417b82c2", + "url": "https://github.com/nix-community/nixos-images/archive/42b13bbd6fce3bcf6272a6ed664a23b9417b82c2.tar.gz", + "hash": "1ap3z694mjbfrwa2ddqlq1sqbwqy6xrq0r68blwr53cn7nx0rn4f" }, "nixpkgs": { "type": "Channel", "name": "nixpkgs-unstable", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre633168.6132b0f6e344/nixexprs.tar.xz", - "hash": "0jli5364mw57krjc9csswc3xh1bvbjcv85hf81l9gx7fcp5qkswa" + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre639552.e6cea36f8349/nixexprs.tar.xz", + "hash": "0pii8c6wlh7wc6wxwhc85nyn3pk00qi3kn3jah2agf87cbmm9qdk" } }, "version": 3