From 4c0f3a1645a885512c7d91ec74a3e8e762bf2307 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 16 Nov 2023 01:09:35 +0000
Subject: [PATCH] feat: enable better seperation of lxc dependencies
---
 applications/proxmox-lxc.nix | 93 ++++++++++++++++++
 machines/_base.nix | 182 +++++++++++++++++++----------------
 machines/cadie.nix | 2 -
 machines/earth.nix | 2 -
 machines/galatea.nix | 2 -
 machines/gir.nix | 2 -
 machines/glados.nix | 2 -
 machines/hardware/_base.nix | 2 +
 machines/kitt.nix | 2 -
 machines/optimus.nix | 2 -
 machines/skynet.nix | 2 -
 machines/vigil.nix | 2 -
 machines/wheatly.nix | 2 -
 13 files changed, 196 insertions(+), 101 deletions(-)
 create mode 100644 applications/proxmox-lxc.nix
diff --git a/applications/proxmox-lxc.nix b/applications/proxmox-lxc.nix
new file mode 100644
index 0000000..964454e
--- /dev/null
+++ b/applications/proxmox-lxc.nix
@@ -0,0 +1,93 @@
+/*
+Once https://github.com/NixOS/nixpkgs/pull/267764 is merged this can be removed
+*/
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; {
+ options.proxmoxLXC = {
+ enable = mkOption {
+ default = true;
+ type = types.bool;
+ description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
+ };
+ privileged = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to enable privileged mounts
+ '';
+ };
+ manageNetwork = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to manage network interfaces through nix options
+ When false, systemd-networkd is enabled to accept network
+ configuration from proxmox.
+ '';
+ };
+ manageHostName = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to manage hostname through nix options
+ When false, the hostname is picked up from /etc/hostname
+ populated by proxmox.
+ '';
+ };
+ };
+
+ config = let
+ cfg = config.proxmoxLXC;
+ in
+ mkIf cfg.enable {
+ system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
+ storeContents = [
+ {
+ object = config.system.build.toplevel;
+ symlink = "none";
+ }
+ ];
+
+ contents = [
+ {
+ source = config.system.build.toplevel + "/init";
+ target = "/sbin/init";
+ }
+ ];
+
+ extraCommands = "mkdir -p root etc/systemd/network";
+ };
+
+ boot = {
+ isContainer = true;
+ loader.initScript.enable = true;
+ };
+
+ networking = mkIf (!cfg.manageNetwork) {
+ useDHCP = false;
+ useHostResolvConf = false;
+ useNetworkd = true;
+ # pick up hostname from /etc/hostname generated by proxmox
+ hostName = mkIf (!cfg.manageHostName) (mkForce "");
+ };
+
+ services.openssh = {
+ enable = mkDefault true;
+ startWhenNeeded = mkDefault true;
+ };
+
+ systemd.mounts =
+ mkIf (!cfg.privileged)
+ [
+ {
+ where = "/sys/kernel/debug";
+ enable = false;
+ }
+ ];
+ };
+}
diff --git a/machines/_base.nix b/machines/_base.nix
index d26a887..01aaf76 100644
--- a/machines/_base.nix
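Review bot: The `system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {` line keeps a relative path copied from nixpkgs' `nixos/modules/virtualisation/`, where `../../lib` resolves to `nixos/lib`; from `applications/` in this repository it resolves to a `lib/` directory above the repository root, which will not exist unless the checkout happens to sit inside such a tree. As far as I can tell the attribute is only forced when someone builds the tarball, so ordinary deployments evaluate fine and the breakage surfaces later as a missing-file error. Pointing it back at the nixpkgs tree keeps the module self-contained: `system.build.tarball = pkgs.callPackage (pkgs.path + "/nixos/lib/make-system-tarball.nix") {`. It would also help the eventual removal promised in the header comment if that comment recorded which upstream file and revision this is a copy of, so the diff against nixpkgs after PR 267764 lands is a straight comparison.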
+++ b/machines/_base.nix
@@ -4,9 +4,17 @@
 config,
 options,
 inputs,
+ lib,
 ...
-}: {
+}:
+with lib; let
+ cfg = config.skynet;
+in {
 imports = [
+ # custom lxc mocule until the patch gets merged in
+ ../applications/proxmox-lxc.nix
+ # (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ # for the secrets
 inputs.agenix.nixosModules.default
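Review bot: The new import comment `# custom lxc mocule until the patch gets merged in` has a typo (`mocule` → `module`) and does not say which patch it means, so a reader has to open the module file to find out; the module itself names nixpkgs PR 267764. Something like `# local copy of nixpkgs' virtualisation/proxmox-lxc.nix until NixOS/nixpkgs#267764 is merged; then drop it and restore the line below` ties the two together. The function's argument list starts before this hunk and the `imports` list continues after it.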
@@ -23,94 +31,106 @@
 ../applications/restic.nix
 ];
- boot.kernelPackages = pkgs.linuxPackages_latest;
+ options.skynet = {
+ lxc = mkOption {
+ type = types.bool;
+ # most of our servers are lxc so its true by default
+ default = true;
+ description = mdDoc "Is this a Linux Container?";
+ };
+ };
- nix = {
- settings = {
- # flakes are essensial
- experimental-features = ["nix-command" "flakes"];
- trusted-users = [
- "root"
- "@skynet-admins-linux"
+ config = {
+ # if its a lxc enable
+ proxmoxLXC.enable = cfg.lxc;
+
+ nix = {
+ settings = {
+ # flakes are essensial
+ experimental-features = ["nix-command" "flakes"];
+ trusted-users = [
+ "root"
+ "@skynet-admins-linux"
+ ];
+ };
+
+ # https://nixos.wiki/wiki/Storage_optimization
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ extraOptions = ''
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ system.stateVersion = "22.11";
+
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "prohibit-password";
+ };
+
+ users.users.root = {
+ initialHashedPassword = "";
+
+ openssh.authorizedKeys.keys = [
+ # no obligation to have name attached to keys
+
+ # Root account
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+
+ # CI/CD key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+
+ # Brendan Golden
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
 ];
 };
- # https://nixos.wiki/wiki/Storage_optimization
- gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
+ # skynet-admin-linux will always be added, individual servers can override the groups option
+ services.skynet_ldap_client.enable = true;
+
+ networking = {
+ # every sever needs to be accessable over ssh for admin use at least
+ firewall.allowedTCPPorts = [22];
+
+ # explisitly stating this is good
+ defaultGateway = "193.1.99.65";
+
+ # cannot use our own it seems?
+ nameservers = [
+ # ns1
+ "193.1.99.120"
+ # ns2
+ "193.1.99.109"
+ ];
 };
- extraOptions = ''
- min-free = ${toString (100 * 1024 * 1024)}
- max-free = ${toString (1024 * 1024 * 1024)}
- '';
- };
- system.stateVersion = "22.11";
+ # time on vendetta is strangely out of sync
+ networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
+ services.ntp.enable = true;
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = "prohibit-password";
- };
+ # use teh above nameservers as the fallback dns
+ services.resolved.fallbackDns = config.networking.nameservers;
- users.users.root = {
- initialHashedPassword = "";
-
- openssh.authorizedKeys.keys = [
- # no obligation to have name attached to keys
-
- # Root account
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
-
- # CI/CD key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
-
- # Brendan Golden
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
-
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
+ environment.systemPackages = [
+ # for flakes
+ pkgs.git
+ # useful tools
+ pkgs.ncdu_2
+ pkgs.htop
+ pkgs.nano
+ pkgs.nmap
+ pkgs.bind
+ pkgs.zip
+ pkgs.traceroute
+ pkgs.openldap
+ pkgs.screen
 ];
 };
-
- # skynet-admin-linux will always be added, individual servers can override the groups option
- services.skynet_ldap_client.enable = true;
-
- networking = {
- # every sever needs to be accessable over ssh for admin use at least
- firewall.allowedTCPPorts = [22];
-
- # explisitly stating this is good
- defaultGateway = "193.1.99.65";
-
- # cannot use our own it seems?
- nameservers = [
- # ns1
- "193.1.99.120"
- # ns2
- "193.1.99.109"
- ];
- };
-
- # time on vendetta is strangely out of sync
- networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
- services.ntp.enable = true;
-
- # use teh above nameservers as the fallback dns
- services.resolved.fallbackDns = config.networking.nameservers;
-
- environment.systemPackages = [
- # for flakes
- pkgs.git
- # useful tools
- pkgs.ncdu_2
- pkgs.htop
- pkgs.nano
- pkgs.nmap
- pkgs.bind
- pkgs.zip
- pkgs.traceroute
- pkgs.openldap
- pkgs.screen
- ];
 }
diff --git a/machines/cadie.nix b/machines/cadie.nix
index 5efed45..e7c045b 100644
--- a/machines/cadie.nix
+++ b/machines/cadie.nix
@@ -12,7 +12,6 @@ Notes:
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -21,7 +20,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/nextcloud.nix
 ];
diff --git a/machines/earth.nix b/machines/earth.nix
index c844371..e8c2f9d 100644
--- a/machines/earth.nix
+++ b/machines/earth.nix
@@ -13,7 +13,6 @@ Notes:
 lib,
 nodes,
 inputs,
- modulesPath,
 ...
 }: let
 name = "earth";
@@ -21,7 +20,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/skynet.ie.nix
 ];
diff --git a/machines/galatea.nix b/machines/galatea.nix
index 57f5390..f82217c 100644
--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@@ -13,7 +13,6 @@ Notes:
 lib,
 nodes,
 config,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/ulfm.nix
 ];
diff --git a/machines/gir.nix b/machines/gir.nix
index 09141db..ebb17e2 100644
--- a/machines/gir.nix
+++ b/machines/gir.nix
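Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` is removed at the top of this hunk and nothing on the new side re-adds it, while the commit message only speaks of separating lxc dependencies. For containers the kernel comes from the host so the line was inert there, but any host that sets `skynet.lxc = false` (the hardware profile in this commit does) now silently moves from the latest kernel to the nixpkgs default, which changes what gets deployed without anyone having asked for it. If that is intended, say so in the message; if not, keep it for bare-metal hosts inside the new `config` block as `boot.kernelPackages = mkIf (!cfg.lxc) pkgs.linuxPackages_latest;`. The new `skynet.lxc` option would also benefit from a description that states what it drives, e.g. `description = mdDoc "Is this a Linux Container? Drives proxmoxLXC.enable; bare-metal hosts must set it to false.";`. The module function starts before this hunk.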
@@ -12,7 +12,6 @@ Notes:
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
 #hostname = ip_pub;
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/email.nix
 ];
diff --git a/machines/glados.nix b/machines/glados.nix
index 2b1987e..d1e7d2c 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -13,7 +13,6 @@ Notes: Each user has roughly 20gb os storage
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes: Each user has roughly 20gb os storage
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/gitlab.nix
 ];
diff --git a/machines/hardware/_base.nix b/machines/hardware/_base.nix
index ae8b77f..e9b831f 100644
--- a/machines/hardware/_base.nix
+++ b/machines/hardware/_base.nix
@@ -11,6 +11,8 @@ with lib; let
 has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0;
 in {
 config = {
+ skynet.lxc = false;
+
 assertions = [
 {
 assertion = lists.any has_ip interfaces;
diff --git a/machines/kitt.nix b/machines/kitt.nix
index 881d14b..5891571 100644
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@@ -12,7 +12,6 @@ Notes:
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
 #hostname = ip_pub;
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/ldap/server.nix
 ../applications/discord.nix
 ../applications/bitwarden/vaultwarden.nix
diff --git a/machines/optimus.nix b/machines/optimus.nix
index 9cdcfbb..095c55c 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -13,7 +13,6 @@ Notes:
 lib,
 nodes,
 arion,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
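Review bot: In the machines/hardware/_base.nix hunk the new `skynet.lxc = false;` carries no explanation of why the hardware profile flips a default that the rest of the fleet relies on, and since `skynet.lxc` is declared as a plain `types.bool` elsewhere in this commit, a per-host module that also defines it as `true` would, if I read NixOS option merging right, fail with a conflicting-definitions error rather than a readable message. A one-line comment makes the intent visible: `# bare-metal host: never apply the proxmox container profile (boot.isContainer, networkd, init script)`. If the hardware profile is meant to win unconditionally, `skynet.lxc = lib.mkForce false;` makes that explicit; if the loud conflict is preferred, the comment should say so. The enclosing `config = {` block continues beyond the hunk.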
@@ -22,7 +21,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/games.nix
 ];
diff --git a/machines/skynet.nix b/machines/skynet.nix
index bbe5676..250f069 100644
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@@ -13,7 +13,6 @@ Notes: Does not host offical sites
 lib,
 nodes,
 inputs,
- modulesPath,
 ...
 }: let
 name = "skynet";
@@ -23,7 +22,6 @@ Notes: Does not host offical sites
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/skynet_users.nix
 ];
diff --git a/machines/vigil.nix b/machines/vigil.nix
index ba4d464..e3c811c 100644
--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@@ -12,7 +12,6 @@ Notes:
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 name = "vigil";
@@ -20,7 +19,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ];
 deployment = {
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index 16fc41c..02eabce 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -12,7 +12,6 @@ Notes:
 pkgs,
 lib,
 nodes,
- modulesPath,
 ...
 }: let
 # name of the server, sets teh hostname and record for it
@@ -21,7 +20,6 @@ Notes:
 hostname = "${name}.skynet.ie";
 in {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../applications/gitlab_runner.nix
 ];