Remove microvm and correct build for nginx

This commit is contained in:
Théo Barnouin 2025-04-04 14:09:58 +02:00
parent 126dd2cf53
commit 64986d2883
3 changed files with 28 additions and 184 deletions

88
flake.lock generated

@ -127,23 +127,6 @@
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -153,9 +136,8 @@
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "id": "flake-utils",
"repo": "flake-utils", "type": "indirect"
"type": "github"
} }
}, },
"home-manager": { "home-manager": {
@ -187,11 +169,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739757849, "lastModified": 1743387206,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", "narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", "rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -201,28 +183,6 @@
"type": "github" "type": "github"
} }
}, },
"microvm": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1741275356,
"narHash": "sha256-VMeqnLv2O6Lg3/pka1tUzzbOjSmEb6RQOp9OuJRcx0A=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "5e1b3dba5b52405dab79412392b9c799d49bd8c0",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1741379970, "lastModified": 1741379970,
@ -241,11 +201,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1741600792, "lastModified": 1743576891,
"narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=", "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ebe2788eafd539477f83775ef93c3c7e244421d3", "rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -260,7 +220,6 @@
"agenix": "agenix", "agenix": "agenix",
"crowdsec": "crowdsec", "crowdsec": "crowdsec",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"microvm": "microvm",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
} }
}, },
@ -285,22 +244,6 @@
"type": "github" "type": "github"
} }
}, },
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main",
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -345,21 +288,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

121
flake.nix

@ -7,10 +7,6 @@
url = "github:nix-community/home-manager/release-24.11"; url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
crowdsec = { crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -22,7 +18,6 @@
self, self,
nixpkgs, nixpkgs,
home-manager, home-manager,
microvm,
agenix, agenix,
crowdsec, crowdsec,
... ...
@ -34,73 +29,36 @@
pkgs = import nixpkgs {inherit system;}; pkgs = import nixpkgs {inherit system;};
in { in {
nixosConfigurations = { nixosConfigurations = {
nixmox-curiosity = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
./hosts/nixmox-curiosity/configuration.nix
{
networking.hostName = "nixmox-curiosity";
}
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix;
}
microvm.nixosModules.host
{
microvm = {
autostart = [];
vms = {};
};
}
];
specialArgs = {
inherit inputs;
inherit username;
inherit proxy_host;
inherit pgsql_host;
inherit system;
};
};
nginx = nixpkgs.lib.nixosSystem { nginx = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
({ pkgs, lib, ... }: { {
nixpkgs.overlays = [crowdsec.overlays.default];
services.crowdsec-firewall-bouncer = { services.crowdsec-firewall-bouncer = {
enable = true; enable = true;
settings = { package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
api_key = "secret_api_key";
api_url = "http://localhost:8080";
}; };
}; }
})
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services" "${inputs.self}/services"
"${inputs.self}/modules" "${inputs.self}/modules"
{ {
networking.hostName = "nginx";
services = { services = {
vm_nginx = { vm_nginx = {
enable = true; enable = true;
}; };
crowdsec-firewall-bouncer = {
enable = true;
};
crowdsec = { crowdsec = {
enable = true; enable = true;
package = pkgs.crowdsec;
autoUpdateService = false; autoUpdateService = false;
settings = { settings = {
general = { general = {
api = { api = {
server = { server = {
enable = false; enable = false;
#listen_uri = "127.0.0.1:8080";
}; };
}; };
prometheus.listen_addr = "0.0.0.0"; prometheus.listen_addr = "0.0.0.0";
@ -126,30 +84,11 @@
type = "syslog"; type = "syslog";
}; };
} }
{
source = "file";
labels = {
type = "syslog";
};
}
]; ];
}; };
}; };
}; };
systemd.services.crowdsec.serviceConfig = { networking.hostName = "nginx";
ExecStartPre = let
script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "my-bouncer"; then
cscli bouncers add "my-bouncer" --key "secret_api_key"
fi
'';
in ["${script}/bin/register-bouncer"];
};
} }
]; ];
}; };
@ -215,21 +154,22 @@
} }
]; ];
}; };
# template = nixpkgs.lib.nixosSystem { template = nixpkgs.lib.nixosSystem {
# inherit system; inherit system;
# modules = [ modules = [
# agenix.nixosModules.default agenix.nixosModules.default
# "${inputs.self}/systems/minimalVMConfig.nix" "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
# { "${inputs.self}/systems/minimalVMConfig.nix"
# networking.hostName = "nixos"; {
# } networking.hostName = "nixos";
# ]; }
# }; ];
};
jellyfin = nixpkgs.lib.nixosSystem { jellyfin = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.microvm "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
"${inputs.self}/systems/minimalVMConfig.nix" "${inputs.self}/systems/minimalVMConfig.nix"
"${inputs.self}/services" "${inputs.self}/services"
{ {
@ -271,31 +211,6 @@
} }
]; ];
}; };
grafana = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
microvm.nixosModules.microvm
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
services.vm_grafana = {
enable = true;
vm_ip = "192.168.1.27";
proxy_ip = proxy_host;
pgsql_ip = pgsql_host;
};
services.micro_vm = {
enable = true;
hostname = "grafana";
vm_ip = "192.168.1.20";
vm_cpu = 1;
vm_mem = 512;
macAddr = "02:00:00:00:00:20";
};
}
];
};
}; };
}; };
} }
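Review bot: In the nginx host (hunk `@ -34,73 +29,36 @@`) the bouncer is now `services.crowdsec-firewall-bouncer = { enable = true; package = …; }` with no `settings`, while the removed side carried `settings.api_key`/`settings.api_url` and the `register-bouncer` ExecStartPre, and `services.crowdsec … server.enable = false` is kept — so the enabled bouncer appears to have neither an API endpoint nor a credential to register with. Dropping the literal `"secret_api_key"` from the flake is the right direction; since `agenix.nixosModules.default` is already in this host's module list, the key should come back as an `age.secrets` entry referenced by path rather than as a string, and the local API should be enabled (or an `api_url` pointed at the host that runs it) if the bouncer is meant to work; I cannot see the module's option set, so the exact option names should be checked against the crowdsec flake. Separately, `package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;` hard-codes the architecture although `system` is in scope for every other use in this file; `package = inputs.crowdsec.packages.${system}.crowdsec-firewall-bouncer;` keeps it consistent with `inherit system;` two lines above. The `template` and `jellyfin` hosts in hunk `@ -215,21 +154,22 @@` are unaffected by this point.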


@ -6,10 +6,11 @@ let
onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice";
postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql"; postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql";
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo";
nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx";
systems = [grafana onlyoffice postgresql forgejo]; systems = [grafana onlyoffice postgresql forgejo];
in { in {
"secrets/initialPassword.age".publicKeys = users ++ systems; "initialPassword.age".publicKeys = users ++ systems;
"services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana];
"services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana];