diff --git a/flake.lock b/flake.lock
index e91b1a1..0c8c90f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -58,11 +58,11 @@
 "systems": "systems_3"
 },
 "locked": {
- "lastModified": 1733851514,
- "narHash": "sha256-fQt/HzF+OBC8xLRYeHiYLSEzjrgOLNWhyd102aY2oLU=",
+ "lastModified": 1732215451,
+ "narHash": "sha256-P2VVlzRGKBNsiHsN1yMZcSMXpwtIx9ysMFZAqKFJ14o=",
 "owner": "nix-community",
 "repo": "authentik-nix",
- "rev": "b059e1d6e7a94bbeabb4e87d47b5f5097fd61823",
+ "rev": "9d9c0a3a94a91cfed654a18239e27cf56970daa4",
 "type": "github"
 },
 "original": {
@@ -74,16 +74,16 @@
 "authentik-src": {
 "flake": false,
 "locked": {
- "lastModified": 1733849292,
- "narHash": "sha256-gJYgrRxytoGHkjeEsiKY/tl06D8XOnZZ9SDpK1WSyUw=",
+ "lastModified": 1732213300,
+ "narHash": "sha256-4Pv35cnZGiTxe6j2O0F9L9sHzxVIC1SazeAUD5kWeBs=",
 "owner": "goauthentik",
 "repo": "authentik",
- "rev": "0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956",
+ "rev": "527e584699abc93712114b05f70f59c5187caa66",
 "type": "github"
 },
 "original": {
 "owner": "goauthentik",
- "ref": "version/2024.10.5",
+ "ref": "version/2024.10.4",
 "repo": "authentik",
 "type": "github"
 }
@@ -204,11 +204,11 @@
 "systems": "systems_4"
 },
 "locked": {
- "lastModified": 1731533236,
- "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "lastModified": 1726560853,
+ "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
 "type": "github"
 },
 "original": {
@@ -269,11 +269,11 @@
 "spectrum": "spectrum"
 },
 "locked": {
- "lastModified": 1733868086,
- "narHash": "sha256-CeYsC8J2dNiV2FCQOxK1oZ/jNpOF2io7aCEFHmfi95U=",
+ "lastModified": 1732633513,
+ "narHash": "sha256-6LmtOmeDpv9iHS8l0GNcppP11dKIJFMZLdFyxQ+qQBM=",
 "owner": "astro",
 "repo": "microvm.nix",
- "rev": "870cb181719aa12baf478d7cde6068ec7ed144ae",
+ "rev": "093ef734d3c37669860043a87dbf1c09fc6f5b38",
 "type": "github"
 },
 "original": {
@@ -376,11 +376,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1733730953,
- "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
+ "lastModified": 1732749044,
+ "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7109b680d161993918b0a126f38bc39763e5a709",
+ "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685",
 "type": "github"
 },
 "original": {
@@ -454,11 +454,11 @@
 "spectrum": {
 "flake": false,
 "locked": {
- "lastModified": 1733308308,
- "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+ "lastModified": 1729945407,
+ "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
 "ref": "refs/heads/main",
- "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
- "revCount": 792,
+ "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
+ "revCount": 764,
 "type": "git",
 "url": "https://spectrum-os.org/git/spectrum"
 },
diff --git a/flake.nix b/flake.nix
index f636dcf..c6e9ece 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,53 +58,37 @@
 modules = [
 agenix.nixosModules.default
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
- "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
 {
 networking.hostName = "nginx";
 services.vm_nginx = {
 enable = true;
 };
- }
- ];
- };
- onlyoffice = nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- agenix.nixosModules.default
- "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
- "${inputs.self}/systems/minimalLXCConfig.nix"
- "${inputs.self}/services"
- {
- networking.hostName = "onlyoffice";
- services.vm_onlyoffice = {
+ services.lxc = {
 enable = true;
- pgsql_ip = pgsql_host;
 };
 }
 ];
 };
- template = nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- agenix.nixosModules.default
- "${inputs.self}/systems/minimalVMConfig.nix"
- {
- networking.hostName = "nixos";
- }
- ];
- };
 jellyfin = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
 agenix.nixosModules.default
 microvm.nixosModules.microvm
- "${inputs.self}/systems/minimalVMConfig.nix"
+ "${inputs.self}/systems"
 "${inputs.self}/services"
 {
 services.vm_jellyfin = {
 enable = true;
 };
+ services.vm = {
+ enable = true;
+ hostname = "jellyfin";
+ vm_ip = "192.168.1.42";
+ vm_cpu = 4;
+ vm_mem = 8192;
+ macAddr = "02:00:00:00:00:42";
+ };
 }
 ];
 };
@@ -113,13 +97,15 @@
 modules = [
 agenix.nixosModules.default
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
- "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
 {
 networking.hostName = "redis";
 services.vm_redis = {
 enable = true;
 };
+ services.lxc = {
+ enable = true;
+ };
 }
 ];
 };
@@ -128,7 +114,6 @@
 modules = [
 agenix.nixosModules.default
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
- "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
 {
 services.vm_grafana = {
@@ -137,6 +122,9 @@
 proxy_ip = proxy_host;
 pgsql_ip = pgsql_host;
 };
+ services.lxc = {
+ enable = true;
+ };
 }
 ];
 };
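Review bot: The `nginx`, `redis` and `grafana` LXC entries (this hunk and the next three) drop `systems/minimalLXCConfig.nix` and rely on `"${inputs.self}/services"` for the baseline that file carried — sshd with `PasswordAuthentication = false` and `PermitRootLogin = "prohibit-password"`, fail2ban, the firewall allow-list limited to 22 and 9002, the rsyslog forwarder and the node exporter — but the only replacement visible in this diff is the `nix`, `nix.gc` and `sudo` part of `services/minimalConfig/default.nix`, so please confirm that file already holds the rest; whatever is not re-declared there is silently lost for the containers. A comment at the top of the `nginx` entry such as `# baseline (sshd hardening, fail2ban, firewall, exporters) comes from services/minimalConfig` would make the dependency explicit for the next reader. The attribute set of `nixosSystem` entries these belong to starts above the hunk.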
@@ -145,7 +133,7 @@
 modules = [
 agenix.nixosModules.default
 microvm.nixosModules.microvm
- "${inputs.self}/systems/minimalMicrovmConfig.nix"
+ "${inputs.self}/systems"
 "${inputs.self}/services"
 {
 services.vm_grafana = {
@@ -154,7 +142,7 @@
 proxy_ip = proxy_host;
 pgsql_ip = pgsql_host;
 };
- services.micro_vm = {
+ services.vm = {
 enable = true;
 hostname = "grafana";
 vm_ip = "192.168.1.20";
@@ -184,7 +172,7 @@
 };
 }
 microvm.nixosModules.microvm
- "${inputs.self}/systems/minimalMicrovmConfig.nix"
+ "${inputs.self}/systems"
 "${inputs.self}/services"
 {
 microvm = {
@@ -196,7 +184,7 @@
 }
 ];
 };
- services.micro_vm = {
+ services.vm = {
 enable = true;
 hostname = "authentik";
 vm_ip = "192.168.1.25";
diff --git a/secrets.nix b/secrets.nix
index 50c0927..7ca541d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,18 +1,16 @@ let - tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; - users = [ tbarnouin ]; + tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; + users = [ tbarnouin ]; - forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; - grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; - onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; + forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; - systems = [ forgejo grafana ]; + grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; + + systems = [ forgejo grafana ]; in { "secrets/initialPassword.age".publicKeys = users ++ systems; - "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; - "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; - "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ]; - "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ]; + "../services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; + "../services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; } diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index 7be04a4..beb356e 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
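Review bot: The two grafana rules are renamed to `../services/grafana/secrets/…` while `secrets/initialPassword.age` in the same set keeps its repository-root-relative form, and secrets.nix itself sits at the repository root; agenix matches the attribute name literally against the path given on its command line, so from any single working directory one of the two spellings cannot resolve and a rekey run would likely skip that file. Pick one base: either drop the `../` prefix (`"services/grafana/secrets/grafana-db.age"`), or, if agenix is meant to be run from `secrets/`, rename the first rule to `"initialPassword.age"` as well. Mixing the reindentation of the key lines with the path change also hides the real change; a comment above the set, `# paths are relative to the directory agenix is run from`, would record the convention chosen.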
@@ -1,13 +1,9 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL -dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK -OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1 -MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS -STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h -dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ -anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH -ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky -TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk -Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e -jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K ------END AGE ENCRYPTED FILE----- +age-encryption.org/v1 +-> ssh-ed25519 OWkVXw Kp9otTIwi3SuVG43UebS2B+bvp6uy81KIIPIeJSW8iE +xXX6N1WrkxNLOC4ClZo9XzUZOdFK6210trH2GS5+N0E +-> ssh-ed25519 MTO1pg 70GcDYGKyG0w0s1ehWvcid1JKNRY3vRPeQhnEfHDWBI +Fcq3ZR6iA0J4CUBuQeVIyRoGMu88bd9oBrwGCJKicBE +-> ssh-ed25519 wnEUpw m7HRrztgLMS90k3cwzqBkMKfbji0Ub8atDwTGJNeq0c +rEPjFTG+hEPHNoLOyhmcY4QMJ4DYIIhBR10GVZqcIuo +--- eXz18+bRHesrblBjD/aqwFkAXUhEL741swR1csHpoXU +Ô|}pÁ#¢ç®,\‚m:(·¸ª# ëHH¡aÃÒ¸ß_~ª7 ž(5EgÈÏOQY[»r U;e \ No newline at end of file diff --git a/services/default.nix b/services/default.nix index 0b1e474..227cded 100644 --- a/services/default.nix +++ b/services/default.nix @@ -9,6 +9,6 @@ ./grafana ./authentik ./postgresql - ./onlyoffice + ./minimalConfig ]; } diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index 12da728..c3adad3 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,10 +1,8 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy -QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx -TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl -RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ -UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV -V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV -+Un8kZobFeAjeLCZ3r/Cb8vUtw== ------END AGE ENCRYPTED FILE----- +age-encryption.org/v1 +-> ssh-ed25519 OWkVXw 1n49CouMzxgvdrQ+7gIbilN2oRkG3lfTJehpVwxeLXw +NBB8G9JeEmvbfXk6WdaDPYTaSBsNtDyqdTkJKG3RNtw +-> ssh-ed25519 wnEUpw LepRS+v4Jq+Z4VBtyDRw1BQkGOwOzI5HsjRSFP9SLA4 +hRZr5OauNH1VYHip7pifCuVxTTQa3S9VbjwjQEUuK00 +--- G3K8IsDtSXZ7Cqp0ehe7eczyzzEsiwwV9xfenlBz0Vo +@²W Jƒ–£0ÊH% +ƒ·Õ8Š4¼Ã\»‚&È©´ I^˜@5©ÂƒÏF \ No newline at end of file diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index e63927d..3b9dd76 100644 Binary files a/services/grafana/secrets/kuma-token.age and b/services/grafana/secrets/kuma-token.age differ diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index fd83cb6..5ee889f 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix @@ -1,10 +1,7 @@ { config, pkgs, lib, inputs, modulesPath, ... }: { - imports = [ - ./lxc.nix - ./vm.nix - ]; + imports = [ ./lxc.nix ]; nix = { settings.experimental-features = [ "nix-command" "flakes" ]; @@ -27,8 +24,8 @@ nix.gc = { automatic = true; - dates = "daily"; - options = "--delete-old"; + dates = "weekly"; + options = "--delete-older-than 7d"; }; security.sudo.wheelNeedsPassword = false; diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix index acafe8d..f7ad202 100644 --- a/services/minimalConfig/lxc.nix +++ b/services/minimalConfig/lxc.nix 
@@ -7,13 +7,6 @@ in
 enable = lib.mkEnableOption "Enable LXC container config";
 };
 config = lib.mkIf cfg.enable {
- boot.isContainer = true;
- proxmoxLXC = {
- enable = true;
- privileged = false;
- manageNetwork = false;
- manageHostName = false;
- };
 systemd.suppressedSystemUnits = [
 "dev-mqueue.mount"
 "sys-kernel-debug.mount"
diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix
deleted file mode 100644
index 96c3ff3..0000000
--- a/services/minimalConfig/vm.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{lib, config, modulesPath, ...}:
-let
- cfg = config.services.vm;
-in
-{
- options.services.vm = {
- enable = lib.mkEnableOption "Enable LXC container config";
- };
- config = lib.mkIf cfg.enable {
- services.cloud-init.network.enable = true;
- };
-}
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index 626dfe7..ffebf9f 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@@ -109,11 +109,11 @@ in
 recommendedProxySettings = true;
 };
 };
- "office.le43.eu" = {
+ "collabora.le43.eu" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://192.168.1.46";
+ proxyPass = "http://192.168.1.46:9980";
 proxyWebsockets = true;
 recommendedProxySettings = true;
 };
@@ -135,6 +135,15 @@ in
 proxyWebsockets = true;
 };
 };
+ "netbox.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.45";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
 "uptime.le43.eu" = {
 forceSSL = true;
 enableACME = true;
diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix
deleted file mode 100644
index 5540e48..0000000
--- a/services/onlyoffice/default.nix
+++ /dev/null
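Review bot: Removing `proxmoxLXC.privileged = false` (with `manageNetwork`, `manageHostName` and `boot.isContainer`) from the `services.lxc` config leaves the container mode to whatever the nixpkgs `proxmox-lxc.nix` module, still imported from flake.nix, defaults to; a security-relevant switch like `privileged` is better stated explicitly in the module that owns it, so I would keep `proxmoxLXC.privileged = false;` here even if the upstream default turns out to be the same. If the block was dropped because the upstream module already sets `boot.isContainer` and these defaults, say so in place — `# boot.isContainer and proxmoxLXC defaults come from nixpkgs' proxmox-lxc.nix` — so the next reviewer does not ask the same question. The `config = lib.mkIf cfg.enable { … }` set continues past the hunk.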
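Review bot: The renamed `collabora.le43.eu` vhost (`192.168.1.46:9980`) and the new `netbox.le43.eu` vhost (`192.168.1.45`) point at backends no module in this flake defines — the commit deletes `services/onlyoffice` and adds nothing for collabora or netbox — so a comment on each recording where that host is managed would help, e.g. `# collabora: managed outside this flake, see <doc-link-placeholder>`. Both backends are reached over plain HTTP with `recommendedProxySettings`, consistent with the other vhosts in this file; if Collabora validates the forwarded host/proto headers, confirm its side is configured to trust this proxy, which the hunk cannot show. The enclosing set of vhosts continues beyond the hunk.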
@@ -1,38 +0,0 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.vm_onlyoffice; -in -{ - options.services.vm_onlyoffice = { - enable = lib.mkEnableOption "Enable OnlyOffice service"; - pgsql_ip = lib.mkOption { - type = lib.types.str; - description = "The PostgreSQL host IP address"; - }; - }; - config = lib.mkIf cfg.enable { - age.secrets = { - office-dbpass = { - file = ./secrets/office-dbpass.age; - owner = "onlyoffice"; - }; - office-jwtpass = { - file = ./secrets/office-jwtpass.age; - owner = "onlyoffice"; - }; - }; - services = { - onlyoffice = { - enable = true; - hostname = "office.le43.eu"; - port = 8000; - postgresName = "onlyoffice"; - postgresHost = "${cfg.pgsql_ip}"; - postgresUser = "onlyoffice"; - postgresPasswordFile = config.age.secrets.office-dbpass.path; - jwtSecretFile = config.age.secrets.office-jwtpass.path; - }; - }; - networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ]; - }; -} diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age deleted file mode 100644 index 488bba0..0000000 --- a/services/onlyoffice/secrets/office-dbpass.age +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS -dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV -b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM -SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW -awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P -dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt -UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW -r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc= ------END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age deleted file mode 100644 index 7157924..0000000 
--- a/services/onlyoffice/secrets/office-jwtpass.age +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG -ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1 -Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp -U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq -RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1 -b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+ -F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg== ------END AGE ENCRYPTED FILE----- diff --git a/systems/default.nix b/systems/default.nix new file mode 100644 index 0000000..1c27987 --- /dev/null +++ b/systems/default.nix @@ -0,0 +1,6 @@ +{ inputs, ... }: +{ + imports = [ + ./microvm.nix + ]; +} diff --git a/systems/microvm.nix b/systems/microvm.nix new file mode 100644 index 0000000..d7ef82a --- /dev/null +++ b/systems/microvm.nix 
@@ -0,0 +1,78 @@
+{ inputs, lib, config, microvm, ... }:
+let
+ cfg = config.services.vm;
+in
+{
+ options.services.vm = {
+ enable = lib.mkEnableOption "Enable NixOS microvm config";
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM hostname";
+ };
+ vm_ip = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM IP address";
+ };
+ macAddr = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM MAC Address";
+ };
+ vm_mem = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM memory count";
+ default = 0;
+ };
+ vm_cpu = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM CPU count";
+ default = 1;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ microvm = {
+ vcpu = cfg.vm_cpu;
+ balloonMem = cfg.vm_mem;
+ volumes = [
+ {
+ mountPoint = "/var";
+ image = "/var/lib/microvms/${cfg.hostname}/var.img";
+ size = 8192;
+ }
+ ];
+ shares = [
+ {
+ proto = "virtiofs";
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ {
+ proto = "virtiofs";
+ tag = "${cfg.hostname}-env";
+ source = "/var/lib/microvms/${cfg.hostname}/env";
+ mountPoint = "/run/secrets/${cfg.hostname}";
+ }
+ ];
+ interfaces = [ {
+ type = "tap";
+ id = "vm-${cfg.hostname}";
+ mac = "${cfg.macAddr}";
+ } ];
+
+ hypervisor = "qemu";
+ socket = "control.socket";
+ };
+ systemd.network.enable = true;
+
+ systemd.network.networks."20-lan" = {
+ matchConfig.Type = "ether";
+ networkConfig = {
+ Address = ["${cfg.vm_ip}/24"];
+ Gateway = "192.168.1.254";
+ DNS = ["192.168.1.254"];
+ IPv6AcceptRA = true;
+ DHCP = "no";
+ };
+ };
+ };
+}
diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix
deleted file mode 100644
index cc45864..0000000
--- a/systems/minimalLXCConfig.nix
+++ /dev/null
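Review bot: `lib.mkEnableOption "Enable NixOS microvm config"` renders as "Whether to enable Enable NixOS microvm config." because mkEnableOption supplies the leading phrase itself; use `lib.mkEnableOption "NixOS microvm config"`. The `vm_mem` and `vm_cpu` descriptions should state the unit the underlying `microvm.balloonMem` and `vcpu` options expect and what `vm_mem = 0` means for the balloon, since flake.nix passes `8192` with no unit and a reader cannot tell from here whether that is MiB. `Gateway` and `DNS` are hard-coded to `192.168.1.254` while `vm_ip` is an option, so a VM on another segment cannot reuse this module; promoting them to options with the current values as defaults keeps every existing caller unchanged (sketch below). The `/run/secrets/${cfg.hostname}` virtiofs share is presumably how secrets reach the guest — a comment naming what the host is expected to place in `/var/lib/microvms/<hostname>/env` would save the next reader a search.
```nix
    # … unchanged: enable, hostname, vm_ip, macAddr, vm_mem, vm_cpu options …
    gateway = lib.mkOption {
      type = lib.types.str;
      description = "IPv4 gateway configured inside the VM";
      default = "192.168.1.254";
    };
    dns = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "DNS servers configured inside the VM";
      default = [ "192.168.1.254" ];
    };
  # … unchanged: microvm block, systemd.network.enable …
      networkConfig = {
        Address = ["${cfg.vm_ip}/24"];
        Gateway = cfg.gateway;
        DNS = cfg.dns;
        IPv6AcceptRA = true;
        DHCP = "no";
      };
```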
@@ -1,132 +0,0 @@ -{ config, pkgs, lib, inputs, modulesPath, ... }: -{ - - nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 22 9002 ]; - }; - }; - - boot.isContainer = true; - proxmoxLXC = { - enable = true; - privileged = false; - manageNetwork = false; - manageHostName = false; - }; - systemd.suppressedSystemUnits = [ - "dev-mqueue.mount" - "sys-kernel-debug.mount" - "sys-fs-fuse-connections.mount" - ]; - - time.timeZone = "Europe/Paris"; - console.keyMap = "fr"; - i18n.defaultLocale = "fr_FR.UTF-8"; - environment.sessionVariables = rec { - TERM = "xterm-256color"; - }; - - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-old"; - }; - - security.sudo.wheelNeedsPassword = false; - users = { - users.tbarnouin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - shell = pkgs.zsh; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" - ]; - }; - users.root = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - ]; - }; - }; - - programs = { - zsh = { - enable = true; - shellAliases = { - ll = "ls -l"; - lla = "ls -lah"; - }; - ohMyZsh = { - enable = true; - plugins = [ "git" ]; - theme = "bira"; - }; - }; - tmux = { - enable = true; - }; - }; - - nixpkgs.config.allowUnfree = true; - environment = { - localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; - - services = { - openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - settings.PermitRootLogin = "prohibit-password"; - 
hostKeys = [ - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - fail2ban = { - enable = true; - }; - rsyslogd = { - enable = true; - extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; - }; - prometheus = { - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; - }; - }; - }; - - system = { - stateVersion = "24.05"; - activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; - }; -} diff --git a/systems/minimalMicrovmConfig.nix b/systems/minimalMicrovmConfig.nix deleted file mode 100644 index ce0ab8a..0000000 --- a/systems/minimalMicrovmConfig.nix +++ /dev/null 
@@ -1,195 +0,0 @@ -{ config, pkgs, lib, inputs, modulesPath, microvm, ... }: -let - cfg = config.services.micro_vm; -in -{ - options.services.micro_vm = { - enable = lib.mkEnableOption "Enable NixOS microvm config"; - hostname = lib.mkOption { - type = lib.types.str; - description = "The VM hostname"; - }; - vm_ip = lib.mkOption { - type = lib.types.str; - description = "The VM IP address"; - }; - macAddr = lib.mkOption { - type = lib.types.str; - description = "The VM MAC Address"; - }; - vm_mem = lib.mkOption { - type = lib.types.int; - description = "The VM memory count"; - default = 0; - }; - vm_cpu = lib.mkOption { - type = lib.types.int; - description = "The VM CPU count"; - default = 1; - }; - }; - config = lib.mkIf cfg.enable { - microvm = { - vcpu = cfg.vm_cpu; - balloonMem = cfg.vm_mem; - volumes = [ - { - mountPoint = "/var"; - image = "/var/lib/microvms/${cfg.hostname}/var.img"; - size = 8192; - } - ]; - shares = [ - { - proto = "virtiofs"; - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - { - proto = "virtiofs"; - tag = "${cfg.hostname}-env"; - source = "/var/lib/microvms/${cfg.hostname}/env"; - mountPoint = "/run/secrets/${cfg.hostname}"; - } - ]; - interfaces = [ { - type = "tap"; - id = "vm-${cfg.hostname}"; - mac = "${cfg.macAddr}"; - } ]; - - hypervisor = "qemu"; - socket = "control.socket"; - }; - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = ["${cfg.vm_ip}/24"]; - Gateway = "192.168.1.254"; - DNS = ["192.168.1.254"]; - IPv6AcceptRA = true; - DHCP = "no"; - }; - }; - - nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 22 9002 ]; - }; - }; - - time.timeZone = "Europe/Paris"; - console.keyMap = "fr"; - i18n.defaultLocale = "fr_FR.UTF-8"; - environment.sessionVariables = rec { - TERM 
= "xterm-256color"; - }; - - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-old"; - }; - - security.sudo.wheelNeedsPassword = false; - users = { - users.tbarnouin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - shell = pkgs.zsh; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" - ]; - }; - users.root = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - ]; - }; - }; - - programs = { - zsh = { - enable = true; - shellAliases = { - ll = "ls -l"; - lla = "ls -lah"; - }; - ohMyZsh = { - enable = true; - plugins = [ "git" ]; - theme = "bira"; - }; - }; - tmux = { - enable = true; - }; - }; - - nixpkgs.config.allowUnfree = true; - environment = { - localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; - - services = { - openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - settings.PermitRootLogin = "prohibit-password"; - hostKeys = [ - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - fail2ban = { - enable = true; - }; - rsyslogd = { - enable = true; - extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; - }; - prometheus = { - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; - }; - }; - }; - - system = { - stateVersion = "24.05"; - activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; - }; - }; -} - diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix deleted file mode 100644 index bb06f68..0000000 --- a/systems/minimalVMConfig.nix +++ /dev/null 
@@ -1,120 +0,0 @@ -{ config, pkgs, lib, inputs, modulesPath, ... }: -{ - - nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 22 9002 ]; - }; - }; - - time.timeZone = "Europe/Paris"; - console.keyMap = "fr"; - i18n.defaultLocale = "fr_FR.UTF-8"; - environment.sessionVariables = rec { - TERM = "xterm-256color"; - }; - - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-old"; - }; - - security.sudo.wheelNeedsPassword = false; - users = { - users.tbarnouin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - shell = pkgs.zsh; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" - ]; - }; - users.root = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" - ]; - }; - }; - - programs = { - zsh = { - enable = true; - shellAliases = { - ll = "ls -l"; - lla = "ls -lah"; - }; - ohMyZsh = { - enable = true; - plugins = [ "git" ]; - theme = "bira"; - }; - }; - tmux = { - enable = true; - }; - }; - - nixpkgs.config.allowUnfree = true; - environment = { - localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; - - services = { - cloud-init.network.enable = true; - openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - settings.PermitRootLogin = "prohibit-password"; - hostKeys = [ - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - fail2ban = { - enable = true; - }; - rsyslogd = { - enable = true; - extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; 
- }; - prometheus = { - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; - }; - }; - }; - - system = { - stateVersion = "24.05"; - activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; - }; -}