tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Compare commits

base: tbarnouin:9072f7a76d0a4768a1df904ce1c4f4ac06d98959
Branches Tags
tbarnouin:main
...
compare: tbarnouin:94022737a054f1f6bce14d51944c2a8b7747d850
Branches Tags
tbarnouin:main

13 commits
9072f7a76d ... 94022737a0

Author SHA1 Message Date
Théo Barnouin
94022737a0 Add onlyoffice secret conf
Some checks failed
/ Build Nix targets (push) Failing after 1m53s
Details
2025-01-08 09:21:06 +01:00
Théo Barnouin
470c42f8d0 Rekey secrets 2025-01-08 09:20:22 +01:00
Théo Barnouin
b09aa018d1 Rekey secrets 2025-01-08 09:20:10 +01:00
Théo Barnouin
c2d771a9c6 Add onlyoffice service 2025-01-07 14:19:36 +01:00
Théo Barnouin
0e79faf621 Add onlyoffice service 2025-01-07 14:06:58 +01:00
Théo Barnouin
a802422305 Add onlyoffice service 2025-01-07 14:06:00 +01:00
Théo Barnouin
5f2bbb255c Add onlyoffice service 2025-01-07 13:55:31 +01:00
Théo Barnouin
4bd733777a Changes in flake 2025-01-07 13:38:19 +01:00
Théo Barnouin
8aab61936f Separate minimal configs 2024-12-12 17:19:28 +01:00
Théo Barnouin
d48bfa332c Separate LXC, VM and microvm configs (it's getting ugly, need to tidy things up soon) 2024-12-12 11:54:49 +01:00
Théo Barnouin
44655068b8 Better proxmox LXC declaration 2024-12-12 11:32:58 +01:00
Théo Barnouin
93b85f705f Better proxmox LXC declaration 2024-12-12 11:14:01 +01:00
Théo Barnouin
87d98e8410 Update flake 2024-12-12 11:13:29 +01:00
19 changed files with 619 additions and 164 deletions
Show stats Expand all files Collapse all files

40
flake.lock generated
View file

@ -58,11 +58,11 @@
"systems": "systems_3"
},
"locked": {
"lastModified": 1732215451,
"narHash": "sha256-P2VVlzRGKBNsiHsN1yMZcSMXpwtIx9ysMFZAqKFJ14o=",
"lastModified": 1733851514,
"narHash": "sha256-fQt/HzF+OBC8xLRYeHiYLSEzjrgOLNWhyd102aY2oLU=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "9d9c0a3a94a91cfed654a18239e27cf56970daa4",
"rev": "b059e1d6e7a94bbeabb4e87d47b5f5097fd61823",
"type": "github"
},
"original": {
@ -74,16 +74,16 @@
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1732213300,
"narHash": "sha256-4Pv35cnZGiTxe6j2O0F9L9sHzxVIC1SazeAUD5kWeBs=",
"lastModified": 1733849292,
"narHash": "sha256-gJYgrRxytoGHkjeEsiKY/tl06D8XOnZZ9SDpK1WSyUw=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "527e584699abc93712114b05f70f59c5187caa66",
"rev": "0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.10.4",
"ref": "version/2024.10.5",
"repo": "authentik",
"type": "github"
}
@ -204,11 +204,11 @@
"systems": "systems_4"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -269,11 +269,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1732633513,
"narHash": "sha256-6LmtOmeDpv9iHS8l0GNcppP11dKIJFMZLdFyxQ+qQBM=",
"lastModified": 1733868086,
"narHash": "sha256-CeYsC8J2dNiV2FCQOxK1oZ/jNpOF2io7aCEFHmfi95U=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "093ef734d3c37669860043a87dbf1c09fc6f5b38",
"rev": "870cb181719aa12baf478d7cde6068ec7ed144ae",
"type": "github"
},
"original": {
@ -376,11 +376,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1732749044,
"narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=",
"lastModified": 1733730953,
"narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685",
"rev": "7109b680d161993918b0a126f38bc39763e5a709",
"type": "github"
},
"original": {
@ -454,11 +454,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1729945407,
"narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main",
"rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
"revCount": 764,
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},

52
flake.nix
View file

@ -58,37 +58,53 @@
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "nginx";
services.vm_nginx = {
enable = true;
};
services.lxc = {
}
];
};
onlyoffice = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "onlyoffice";
services.vm_onlyoffice = {
enable = true;
pgsql_ip = pgsql_host;
};
}
];
};
template = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.self}/systems/minimalVMConfig.nix"
{
networking.hostName = "nixos";
}
];
};
jellyfin = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
microvm.nixosModules.microvm
"${inputs.self}/systems"
"${inputs.self}/systems/minimalVMConfig.nix"
"${inputs.self}/services"
{
services.vm_jellyfin = {
enable = true;
};
services.vm = {
enable = true;
hostname = "jellyfin";
vm_ip = "192.168.1.42";
vm_cpu = 4;
vm_mem = 8192;
macAddr = "02:00:00:00:00:42";
};
}
];
};
@ -97,15 +113,13 @@
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "redis";
services.vm_redis = {
enable = true;
};
services.lxc = {
enable = true;
};
}
];
};
@ -114,6 +128,7 @@
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
services.vm_grafana = {
@ -122,9 +137,6 @@
proxy_ip = proxy_host;
pgsql_ip = pgsql_host;
};
services.lxc = {
enable = true;
};
}
];
};
@ -133,7 +145,7 @@
modules = [
agenix.nixosModules.default
microvm.nixosModules.microvm
"${inputs.self}/systems"
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
services.vm_grafana = {
@ -142,7 +154,7 @@
proxy_ip = proxy_host;
pgsql_ip = pgsql_host;
};
services.vm = {
services.micro_vm = {
enable = true;
hostname = "grafana";
vm_ip = "192.168.1.20";
@ -172,7 +184,7 @@
};
}
microvm.nixosModules.microvm
"${inputs.self}/systems"
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
microvm = {
@ -184,7 +196,7 @@
}
];
};
services.vm = {
services.micro_vm = {
enable = true;
hostname = "authentik";
vm_ip = "192.168.1.25";

18
secrets.nix
View file

@ -1,16 +1,18 @@
let
tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
users = [ tbarnouin ];
tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
users = [ tbarnouin ];
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
systems = [ forgejo grafana ];
systems = [ forgejo grafana ];
in
{
"secrets/initialPassword.age".publicKeys = users ++ systems;
"../services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
"../services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
"services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
"services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
"services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ];
"services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];
}

22
secrets/initialPassword.age
View file

@ -1,9 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 OWkVXw Kp9otTIwi3SuVG43UebS2B+bvp6uy81KIIPIeJSW8iE
xXX6N1WrkxNLOC4ClZo9XzUZOdFK6210trH2GS5+N0E
-> ssh-ed25519 MTO1pg 70GcDYGKyG0w0s1ehWvcid1JKNRY3vRPeQhnEfHDWBI
Fcq3ZR6iA0J4CUBuQeVIyRoGMu88bd9oBrwGCJKicBE
-> ssh-ed25519 wnEUpw m7HRrztgLMS90k3cwzqBkMKfbji0Ub8atDwTGJNeq0c
rEPjFTG+hEPHNoLOyhmcY4QMJ4DYIIhBR10GVZqcIuo
--- eXz18+bRHesrblBjD/aqwFkAXUhEL741swR1csHpoXU
Ô|}pÁ#¢ç®,\m:(·¸ª# ëHH¡aÃÒ¸ß_~ª7 ž(5EgÈÏOQY[»r U;e
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL
dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK
OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1
MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS
STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h
dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ
anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH
ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky
TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk
Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e
jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K
-----END AGE ENCRYPTED FILE-----

2
services/default.nix
View file

@ -9,6 +9,6 @@
./grafana
./authentik
./postgresql
./minimalConfig
./onlyoffice
];
}

18
services/grafana/secrets/grafana-db.age
View file

@ -1,8 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 OWkVXw 1n49CouMzxgvdrQ+7gIbilN2oRkG3lfTJehpVwxeLXw
NBB8G9JeEmvbfXk6WdaDPYTaSBsNtDyqdTkJKG3RNtw
-> ssh-ed25519 wnEUpw LepRS+v4Jq+Z4VBtyDRw1BQkGOwOzI5HsjRSFP9SLA4
hRZr5OauNH1VYHip7pifCuVxTTQa3S9VbjwjQEUuK00
--- G3K8IsDtSXZ7Cqp0ehe7eczyzzEsiwwV9xfenlBz0Vo
@²W £0ÊH%
ƒ·Õ8Š4¼Ã\»‚&È©´ I^˜@5©ÂƒÏF
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy
QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx
TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl
RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ
UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV
V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV
+Un8kZobFeAjeLCZ3r/Cb8vUtw==
-----END AGE ENCRYPTED FILE-----

BIN
services/grafana/secrets/kuma-token.age
View file

Binary file not shown.

9
services/minimalConfig/default.nix
View file

@ -1,7 +1,10 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
imports = [ ./lxc.nix ];
imports = [
./lxc.nix
./vm.nix
];
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
@ -24,8 +27,8 @@
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
dates = "daily";
options = "--delete-old";
};
security.sudo.wheelNeedsPassword = false;

7
services/minimalConfig/lxc.nix
View file

@ -7,6 +7,13 @@ in
enable = lib.mkEnableOption "Enable LXC container config";
};
config = lib.mkIf cfg.enable {
boot.isContainer = true;
proxmoxLXC = {
enable = true;
privileged = false;
manageNetwork = false;
manageHostName = false;
};
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"

12
services/minimalConfig/vm.nix Normal file
View file

@ -0,0 +1,12 @@
{lib, config, modulesPath, ...}:
let
cfg = config.services.vm;
in
{
options.services.vm = {
enable = lib.mkEnableOption "Enable LXC container config";
};
config = lib.mkIf cfg.enable {
services.cloud-init.network.enable = true;
};
}

13
services/nginx/default.nix
View file

@ -109,11 +109,11 @@ in
recommendedProxySettings = true;
};
};
"collabora.le43.eu" = {
"office.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.46:9980";
proxyPass = "http://192.168.1.46";
proxyWebsockets = true;
recommendedProxySettings = true;
};
@ -135,15 +135,6 @@ in
proxyWebsockets = true;
};
};
"netbox.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.45";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
"uptime.le43.eu" = {
forceSSL = true;
enableACME = true;

38
services/onlyoffice/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vm_onlyoffice;
in
{
options.services.vm_onlyoffice = {
enable = lib.mkEnableOption "Enable OnlyOffice service";
pgsql_ip = lib.mkOption {
type = lib.types.str;
description = "The PostgreSQL host IP address";
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
office-dbpass = {
file = ./secrets/office-dbpass.age;
owner = "onlyoffice";
};
office-jwtpass = {
file = ./secrets/office-jwtpass.age;
owner = "onlyoffice";
};
};
services = {
onlyoffice = {
enable = true;
hostname = "office.le43.eu";
port = 8000;
postgresName = "onlyoffice";
postgresHost = "${cfg.pgsql_ip}";
postgresUser = "onlyoffice";
postgresPasswordFile = config.age.secrets.office-dbpass.path;
jwtSecretFile = config.age.secrets.office-jwtpass.path;
};
};
networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ];
};
}

11
services/onlyoffice/secrets/office-dbpass.age Normal file
View file

@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS
dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV
b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1
MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM
SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW
awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P
dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt
UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW
r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc=
-----END AGE ENCRYPTED FILE-----

10
services/onlyoffice/secrets/office-jwtpass.age Normal file
View file

@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG
ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1
Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1
MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp
U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq
RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1
b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+
F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg==
-----END AGE ENCRYPTED FILE-----

6
systems/default.nix
View file

@ -1,6 +0,0 @@
{ inputs, ... }:
{
imports = [
./microvm.nix
];
}

78
systems/microvm.nix
View file

@ -1,78 +0,0 @@
{ inputs, lib, config, microvm, ... }:
let
cfg = config.services.vm;
in
{
options.services.vm = {
enable = lib.mkEnableOption "Enable NixOS microvm config";
hostname = lib.mkOption {
type = lib.types.str;
description = "The VM hostname";
};
vm_ip = lib.mkOption {
type = lib.types.str;
description = "The VM IP address";
};
macAddr = lib.mkOption {
type = lib.types.str;
description = "The VM MAC Address";
};
vm_mem = lib.mkOption {
type = lib.types.int;
description = "The VM memory count";
default = 0;
};
vm_cpu = lib.mkOption {
type = lib.types.int;
description = "The VM CPU count";
default = 1;
};
};
config = lib.mkIf cfg.enable {
microvm = {
vcpu = cfg.vm_cpu;
balloonMem = cfg.vm_mem;
volumes = [
{
mountPoint = "/var";
image = "/var/lib/microvms/${cfg.hostname}/var.img";
size = 8192;
}
];
shares = [
{
proto = "virtiofs";
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
proto = "virtiofs";
tag = "${cfg.hostname}-env";
source = "/var/lib/microvms/${cfg.hostname}/env";
mountPoint = "/run/secrets/${cfg.hostname}";
}
];
interfaces = [ {
type = "tap";
id = "vm-${cfg.hostname}";
mac = "${cfg.macAddr}";
} ];
hypervisor = "qemu";
socket = "control.socket";
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = ["${cfg.vm_ip}/24"];
Gateway = "192.168.1.254";
DNS = ["192.168.1.254"];
IPv6AcceptRA = true;
DHCP = "no";
};
};
};
}

132
systems/minimalLXCConfig.nix Normal file
View file

@ -0,0 +1,132 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings.trusted-users = [ "root" "@wheel" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 22 9002 ];
};
};
boot.isContainer = true;
proxmoxLXC = {
enable = true;
privileged = false;
manageNetwork = false;
manageHostName = false;
};
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
time.timeZone = "Europe/Paris";
console.keyMap = "fr";
i18n.defaultLocale = "fr_FR.UTF-8";
environment.sessionVariables = rec {
TERM = "xterm-256color";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-old";
};
security.sudo.wheelNeedsPassword = false;
users = {
users.tbarnouin = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
];
};
users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
];
};
};
programs = {
zsh = {
enable = true;
shellAliases = {
ll = "ls -l";
lla = "ls -lah";
};
ohMyZsh = {
enable = true;
plugins = [ "git" ];
theme = "bira";
};
};
tmux = {
enable = true;
};
};
nixpkgs.config.allowUnfree = true;
environment = {
localBinInPath = true;
systemPackages = with pkgs; [
vim
bash
wget
curl
git
htop
tree
dig
ncdu
nmap
iperf3
netcat-openbsd
];
};
services = {
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
fail2ban = {
enable = true;
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
};
prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
};
system = {
stateVersion = "24.05";
activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
};
}

195
systems/minimalMicrovmConfig.nix Normal file
View file

@ -0,0 +1,195 @@
{ config, pkgs, lib, inputs, modulesPath, microvm, ... }:
let
cfg = config.services.micro_vm;
in
{
options.services.micro_vm = {
enable = lib.mkEnableOption "Enable NixOS microvm config";
hostname = lib.mkOption {
type = lib.types.str;
description = "The VM hostname";
};
vm_ip = lib.mkOption {
type = lib.types.str;
description = "The VM IP address";
};
macAddr = lib.mkOption {
type = lib.types.str;
description = "The VM MAC Address";
};
vm_mem = lib.mkOption {
type = lib.types.int;
description = "The VM memory count";
default = 0;
};
vm_cpu = lib.mkOption {
type = lib.types.int;
description = "The VM CPU count";
default = 1;
};
};
config = lib.mkIf cfg.enable {
microvm = {
vcpu = cfg.vm_cpu;
balloonMem = cfg.vm_mem;
volumes = [
{
mountPoint = "/var";
image = "/var/lib/microvms/${cfg.hostname}/var.img";
size = 8192;
}
];
shares = [
{
proto = "virtiofs";
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
proto = "virtiofs";
tag = "${cfg.hostname}-env";
source = "/var/lib/microvms/${cfg.hostname}/env";
mountPoint = "/run/secrets/${cfg.hostname}";
}
];
interfaces = [ {
type = "tap";
id = "vm-${cfg.hostname}";
mac = "${cfg.macAddr}";
} ];
hypervisor = "qemu";
socket = "control.socket";
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = ["${cfg.vm_ip}/24"];
Gateway = "192.168.1.254";
DNS = ["192.168.1.254"];
IPv6AcceptRA = true;
DHCP = "no";
};
};
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings.trusted-users = [ "root" "@wheel" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 22 9002 ];
};
};
time.timeZone = "Europe/Paris";
console.keyMap = "fr";
i18n.defaultLocale = "fr_FR.UTF-8";
environment.sessionVariables = rec {
TERM = "xterm-256color";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-old";
};
security.sudo.wheelNeedsPassword = false;
users = {
users.tbarnouin = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
];
};
users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
];
};
};
programs = {
zsh = {
enable = true;
shellAliases = {
ll = "ls -l";
lla = "ls -lah";
};
ohMyZsh = {
enable = true;
plugins = [ "git" ];
theme = "bira";
};
};
tmux = {
enable = true;
};
};
nixpkgs.config.allowUnfree = true;
environment = {
localBinInPath = true;
systemPackages = with pkgs; [
vim
bash
wget
curl
git
htop
tree
dig
ncdu
nmap
iperf3
netcat-openbsd
];
};
services = {
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
fail2ban = {
enable = true;
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
};
prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
};
system = {
stateVersion = "24.05";
activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
};
};
}

120
systems/minimalVMConfig.nix Normal file
View file

@ -0,0 +1,120 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings.trusted-users = [ "root" "@wheel" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 22 9002 ];
};
};
time.timeZone = "Europe/Paris";
console.keyMap = "fr";
i18n.defaultLocale = "fr_FR.UTF-8";
environment.sessionVariables = rec {
TERM = "xterm-256color";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-old";
};
security.sudo.wheelNeedsPassword = false;
users = {
users.tbarnouin = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
];
};
users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
];
};
};
programs = {
zsh = {
enable = true;
shellAliases = {
ll = "ls -l";
lla = "ls -lah";
};
ohMyZsh = {
enable = true;
plugins = [ "git" ];
theme = "bira";
};
};
tmux = {
enable = true;
};
};
nixpkgs.config.allowUnfree = true;
environment = {
localBinInPath = true;
systemPackages = with pkgs; [
vim
bash
wget
curl
git
htop
tree
dig
ncdu
nmap
iperf3
netcat-openbsd
];
};
services = {
cloud-init.network.enable = true;
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
fail2ban = {
enable = true;
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
};
prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
};
system = {
stateVersion = "24.05";
activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
};
}