feat: enable better seperation of lxc dependencies

applications/proxmox-lxc.nix

@@ -0,0 +1,93 @@
+/*
+Once https://github.com/NixOS/nixpkgs/pull/267764 is merged this can be removed
+*/
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  options.proxmoxLXC = {
+    enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
+    };
+    privileged = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to enable privileged mounts
+      '';
+    };
+    manageNetwork = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to manage network interfaces through nix options
+        When false, systemd-networkd is enabled to accept network
+        configuration from proxmox.
+      '';
+    };
+    manageHostName = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to manage hostname through nix options
+        When false, the hostname is picked up from /etc/hostname
+        populated by proxmox.
+      '';
+    };
+  };
+
+  config = let
+    cfg = config.proxmoxLXC;
+  in
+    mkIf cfg.enable {
+      system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
+        storeContents = [
+          {
+            object = config.system.build.toplevel;
+            symlink = "none";
+          }
+        ];
+
+        contents = [
+          {
+            source = config.system.build.toplevel + "/init";
+            target = "/sbin/init";
+          }
+        ];
+
+        extraCommands = "mkdir -p root etc/systemd/network";
+      };
+
+      boot = {
+        isContainer = true;
+        loader.initScript.enable = true;
+      };
+
+      networking = mkIf (!cfg.manageNetwork) {
+        useDHCP = false;
+        useHostResolvConf = false;
+        useNetworkd = true;
+        # pick up hostname from /etc/hostname generated by proxmox
+        hostName = mkIf (!cfg.manageHostName) (mkForce "");
+      };
+
+      services.openssh = {
+        enable = mkDefault true;
+        startWhenNeeded = mkDefault true;
+      };
+
+      systemd.mounts =
+        mkIf (!cfg.privileged)
+        [
+          {
+            where = "/sys/kernel/debug";
+            enable = false;
+          }
+        ];
+    };
+}

machines/_base.nix

@@ -4,9 +4,17 @@
   config,
   options,
   inputs,
+  lib,
   ...
-}: {
+}:
+with lib; let
+  cfg = config.skynet;
+in {
   imports = [
+    # custom lxc mocule until the patch gets merged in
+    ../applications/proxmox-lxc.nix
+    # (modulesPath + "/virtualisation/proxmox-lxc.nix")
+
     # for the secrets
     inputs.agenix.nixosModules.default
 
@@ -23,94 +31,106 @@
     ../applications/restic.nix
   ];
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  options.skynet = {
+    lxc = mkOption {
+      type = types.bool;
+      # most of our servers are lxc so its true by default
+      default = true;
+      description = mdDoc "Is this a Linux Container?";
+    };
+  };
 
-  nix = {
+  config = {
-    settings = {
+    # if its a lxc enable
-      # flakes are essensial
+    proxmoxLXC.enable = cfg.lxc;
-      experimental-features = ["nix-command" "flakes"];
+
-      trusted-users = [
+    nix = {
-        "root"
+      settings = {
-        "@skynet-admins-linux"
+        # flakes are essensial
+        experimental-features = ["nix-command" "flakes"];
+        trusted-users = [
+          "root"
+          "@skynet-admins-linux"
+        ];
+      };
+
+      # https://nixos.wiki/wiki/Storage_optimization
+      gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 30d";
+      };
+      extraOptions = ''
+        min-free = ${toString (100 * 1024 * 1024)}
+        max-free = ${toString (1024 * 1024 * 1024)}
+      '';
+    };
+
+    system.stateVersion = "22.11";
+
+    services.openssh = {
+      enable = true;
+      settings.PermitRootLogin = "prohibit-password";
+    };
+
+    users.users.root = {
+      initialHashedPassword = "";
+
+      openssh.authorizedKeys.keys = [
+        # no obligation to have name attached to keys
+
+        # Root account
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+
+        # CI/CD key
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+
+        # Brendan Golden
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
       ];
     };
 
-    # https://nixos.wiki/wiki/Storage_optimization
+    # skynet-admin-linux will always be added, individual servers can override the groups option
-    gc = {
+    services.skynet_ldap_client.enable = true;
-      automatic = true;
+
-      dates = "weekly";
+    networking = {
-      options = "--delete-older-than 30d";
+      # every sever needs to be accessable over ssh for admin use at least
+      firewall.allowedTCPPorts = [22];
+
+      # explisitly stating this is good
+      defaultGateway = "193.1.99.65";
+
+      # cannot use our own it seems?
+      nameservers = [
+        # ns1
+        "193.1.99.120"
+        # ns2
+        "193.1.99.109"
+      ];
     };
-    extraOptions = ''
-      min-free = ${toString (100 * 1024 * 1024)}
-      max-free = ${toString (1024 * 1024 * 1024)}
-    '';
-  };
 
-  system.stateVersion = "22.11";
+    # time on vendetta is strangely out of sync
+    networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
+    services.ntp.enable = true;
 
-  services.openssh = {
+    # use teh above nameservers as the fallback dns
-    enable = true;
+    services.resolved.fallbackDns = config.networking.nameservers;
-    settings.PermitRootLogin = "prohibit-password";
-  };
 
-  users.users.root = {
+    environment.systemPackages = [
-    initialHashedPassword = "";
+      # for flakes
-
+      pkgs.git
-    openssh.authorizedKeys.keys = [
+      # useful tools
-      # no obligation to have name attached to keys
+      pkgs.ncdu_2
-
+      pkgs.htop
-      # Root account
+      pkgs.nano
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+      pkgs.nmap
-
+      pkgs.bind
-      # CI/CD key
+      pkgs.zip
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+      pkgs.traceroute
-
+      pkgs.openldap
-      # Brendan Golden
+      pkgs.screen
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
-
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
     ];
   };
-
-  # skynet-admin-linux will always be added, individual servers can override the groups option
-  services.skynet_ldap_client.enable = true;
-
-  networking = {
-    # every sever needs to be accessable over ssh for admin use at least
-    firewall.allowedTCPPorts = [22];
-
-    # explisitly stating this is good
-    defaultGateway = "193.1.99.65";
-
-    # cannot use our own it seems?
-    nameservers = [
-      # ns1
-      "193.1.99.120"
-      # ns2
-      "193.1.99.109"
-    ];
-  };
-
-  # time on vendetta is strangely out of sync
-  networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
-  services.ntp.enable = true;
-
-  # use teh above nameservers as the fallback dns
-  services.resolved.fallbackDns = config.networking.nameservers;
-
-  environment.systemPackages = [
-    # for flakes
-    pkgs.git
-    # useful tools
-    pkgs.ncdu_2
-    pkgs.htop
-    pkgs.nano
-    pkgs.nmap
-    pkgs.bind
-    pkgs.zip
-    pkgs.traceroute
-    pkgs.openldap
-    pkgs.screen
-  ];
 }

machines/cadie.nix

@@ -12,7 +12,6 @@ Notes:
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -21,7 +20,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/nextcloud.nix
   ];
 

machines/earth.nix

@@ -13,7 +13,6 @@ Notes:
   lib,
   nodes,
   inputs,
-  modulesPath,
   ...
 }: let
   name = "earth";
@@ -21,7 +20,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/skynet.ie.nix
   ];
 

machines/galatea.nix

@@ -13,7 +13,6 @@ Notes:
   lib,
   nodes,
   config,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/ulfm.nix
   ];
 

machines/gir.nix

@@ -12,7 +12,6 @@ Notes:
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
   #hostname  = ip_pub;
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/email.nix
   ];
 

machines/glados.nix

@@ -13,7 +13,6 @@ Notes:    Each user has roughly 20gb os storage
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:    Each user has roughly 20gb os storage
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/gitlab.nix
   ];
 

machines/hardware/_base.nix

@@ -11,6 +11,8 @@ with lib; let
   has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0;
 in {
   config = {
+    skynet.lxc = false;
+
     assertions = [
       {
         assertion = lists.any has_ip interfaces;

machines/kitt.nix

@@ -12,7 +12,6 @@ Notes:
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
   #hostname  = ip_pub;
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/ldap/server.nix
     ../applications/discord.nix
     ../applications/bitwarden/vaultwarden.nix

machines/optimus.nix

@@ -13,7 +13,6 @@ Notes:
   lib,
   nodes,
   arion,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -22,7 +21,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/games.nix
   ];
 

machines/skynet.nix

@@ -13,7 +13,6 @@ Notes:    Does not host offical sites
   lib,
   nodes,
   inputs,
-  modulesPath,
   ...
 }: let
   name = "skynet";
@@ -23,7 +22,6 @@ Notes:    Does not host offical sites
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/skynet_users.nix
   ];
 

machines/vigil.nix

@@ -12,7 +12,6 @@ Notes:
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   name = "vigil";
@@ -20,7 +19,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
   ];
 
   deployment = {

machines/wheatly.nix

@@ -12,7 +12,6 @@ Notes:
   pkgs,
   lib,
   nodes,
-  modulesPath,
   ...
 }: let
   # name of the server, sets teh hostname and record for it
@@ -21,7 +20,6 @@ Notes:
   hostname = "${name}.skynet.ie";
 in {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
     ../applications/gitlab_runner.nix
   ];