feat: enable better seperation of lxc dependencies

2023-11-16 01:09:35 +00:00 · 2023-11-16 01:09:35 +00:00 · 4c0f3a1645
commit 4c0f3a1645
parent 4a95e48179
13 changed files with 196 additions and 101 deletions
--- a/applications/proxmox-lxc.nix
+++ b/applications/proxmox-lxc.nix
@ -0,0 +1,93 @@
+/*
+Once https://github.com/NixOS/nixpkgs/pull/267764 is merged this can be removed
+*/
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  options.proxmoxLXC = {
+    enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
+    };
+    privileged = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to enable privileged mounts
+      '';
+    };
+    manageNetwork = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to manage network interfaces through nix options
+        When false, systemd-networkd is enabled to accept network
+        configuration from proxmox.
+      '';
+    };
+    manageHostName = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to manage hostname through nix options
+        When false, the hostname is picked up from /etc/hostname
+        populated by proxmox.
+      '';
+    };
+  };
+
+  config = let
+    cfg = config.proxmoxLXC;
+  in
+    mkIf cfg.enable {
+      system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
+        storeContents = [
+          {
+            object = config.system.build.toplevel;
+            symlink = "none";
+          }
+        ];
+
+        contents = [
+          {
+            source = config.system.build.toplevel + "/init";
+            target = "/sbin/init";
+          }
+        ];
+
+        extraCommands = "mkdir -p root etc/systemd/network";
+      };
+
+      boot = {
+        isContainer = true;
+        loader.initScript.enable = true;
+      };
+
+      networking = mkIf (!cfg.manageNetwork) {
+        useDHCP = false;
+        useHostResolvConf = false;
+        useNetworkd = true;
+        # pick up hostname from /etc/hostname generated by proxmox
+        hostName = mkIf (!cfg.manageHostName) (mkForce "");
+      };
+
+      services.openssh = {
+        enable = mkDefault true;
+        startWhenNeeded = mkDefault true;
+      };
+
+      systemd.mounts =
+        mkIf (!cfg.privileged)
+        [
+          {
+            where = "/sys/kernel/debug";
+            enable = false;
+          }
+        ];
+    };
+}
--- a/machines/_base.nix
+++ b/machines/_base.nix
@ -4,9 +4,17 @@
  config,
  options,
  inputs,
+  lib,
  ...
-}: {
+}:
+with lib; let
+  cfg = config.skynet;
+in {
  imports = [
+    # custom lxc mocule until the patch gets merged in
+    ../applications/proxmox-lxc.nix
+    # (modulesPath + "/virtualisation/proxmox-lxc.nix")
+
    # for the secrets
    inputs.agenix.nixosModules.default

@ -23,94 +31,106 @@
    ../applications/restic.nix
  ];

-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  options.skynet = {
+    lxc = mkOption {
+      type = types.bool;
+      # most of our servers are lxc so its true by default
+      default = true;
+      description = mdDoc "Is this a Linux Container?";
+    };
+  };

-  nix = {
-    settings = {
-      # flakes are essensial
-      experimental-features = ["nix-command" "flakes"];
-      trusted-users = [
-        "root"
-        "@skynet-admins-linux"
+  config = {
+    # if its a lxc enable
+    proxmoxLXC.enable = cfg.lxc;
+
+    nix = {
+      settings = {
+        # flakes are essensial
+        experimental-features = ["nix-command" "flakes"];
+        trusted-users = [
+          "root"
+          "@skynet-admins-linux"
+        ];
+      };
+
+      # https://nixos.wiki/wiki/Storage_optimization
+      gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 30d";
+      };
+      extraOptions = ''
+        min-free = ${toString (100 * 1024 * 1024)}
+        max-free = ${toString (1024 * 1024 * 1024)}
+      '';
+    };
+
+    system.stateVersion = "22.11";
+
+    services.openssh = {
+      enable = true;
+      settings.PermitRootLogin = "prohibit-password";
+    };
+
+    users.users.root = {
+      initialHashedPassword = "";
+
+      openssh.authorizedKeys.keys = [
+        # no obligation to have name attached to keys
+
+        # Root account
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+
+        # CI/CD key
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+
+        # Brendan Golden
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
      ];
    };

-    # https://nixos.wiki/wiki/Storage_optimization
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 30d";
+    # skynet-admin-linux will always be added, individual servers can override the groups option
+    services.skynet_ldap_client.enable = true;
+
+    networking = {
+      # every sever needs to be accessable over ssh for admin use at least
+      firewall.allowedTCPPorts = [22];
+
+      # explisitly stating this is good
+      defaultGateway = "193.1.99.65";
+
+      # cannot use our own it seems?
+      nameservers = [
+        # ns1
+        "193.1.99.120"
+        # ns2
+        "193.1.99.109"
+      ];
    };
-    extraOptions = ''
-      min-free = ${toString (100 * 1024 * 1024)}
-      max-free = ${toString (1024 * 1024 * 1024)}
-    '';
-  };

-  system.stateVersion = "22.11";
+    # time on vendetta is strangely out of sync
+    networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
+    services.ntp.enable = true;

-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "prohibit-password";
-  };
+    # use teh above nameservers as the fallback dns
+    services.resolved.fallbackDns = config.networking.nameservers;

-  users.users.root = {
-    initialHashedPassword = "";
-
-    openssh.authorizedKeys.keys = [
-      # no obligation to have name attached to keys
-
-      # Root account
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
-
-      # CI/CD key
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
-
-      # Brendan Golden
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
-
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
+    environment.systemPackages = [
+      # for flakes
+      pkgs.git
+      # useful tools
+      pkgs.ncdu_2
+      pkgs.htop
+      pkgs.nano
+      pkgs.nmap
+      pkgs.bind
+      pkgs.zip
+      pkgs.traceroute
+      pkgs.openldap
+      pkgs.screen
    ];
  };
-
-  # skynet-admin-linux will always be added, individual servers can override the groups option
-  services.skynet_ldap_client.enable = true;
-
-  networking = {
-    # every sever needs to be accessable over ssh for admin use at least
-    firewall.allowedTCPPorts = [22];
-
-    # explisitly stating this is good
-    defaultGateway = "193.1.99.65";
-
-    # cannot use our own it seems?
-    nameservers = [
-      # ns1
-      "193.1.99.120"
-      # ns2
-      "193.1.99.109"
-    ];
-  };
-
-  # time on vendetta is strangely out of sync
-  networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
-  services.ntp.enable = true;
-
-  # use teh above nameservers as the fallback dns
-  services.resolved.fallbackDns = config.networking.nameservers;
-
-  environment.systemPackages = [
-    # for flakes
-    pkgs.git
-    # useful tools
-    pkgs.ncdu_2
-    pkgs.htop
-    pkgs.nano
-    pkgs.nmap
-    pkgs.bind
-    pkgs.zip
-    pkgs.traceroute
-    pkgs.openldap
-    pkgs.screen
-  ];
 }
--- a/machines/cadie.nix
+++ b/machines/cadie.nix
@ -12,7 +12,6 @@ Notes:
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -21,7 +20,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/nextcloud.nix
  ];

--- a/machines/earth.nix
+++ b/machines/earth.nix
@ -13,7 +13,6 @@ Notes:
  lib,
  nodes,
  inputs,
-  modulesPath,
  ...
 }: let
  name = "earth";
@ -21,7 +20,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/skynet.ie.nix
  ];

--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@ -13,7 +13,6 @@ Notes:
  lib,
  nodes,
  config,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -22,7 +21,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/ulfm.nix
  ];

--- a/machines/gir.nix
+++ b/machines/gir.nix
@ -12,7 +12,6 @@ Notes:
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -22,7 +21,6 @@ Notes:
  #hostname  = ip_pub;
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/email.nix
  ];

--- a/machines/glados.nix
+++ b/machines/glados.nix
@ -13,7 +13,6 @@ Notes:    Each user has roughly 20gb os storage
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -22,7 +21,6 @@ Notes:    Each user has roughly 20gb os storage
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/gitlab.nix
  ];

--- a/machines/hardware/_base.nix
+++ b/machines/hardware/_base.nix
@ -11,6 +11,8 @@ with lib; let
  has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0;
 in {
  config = {
+    skynet.lxc = false;
+
    assertions = [
      {
        assertion = lists.any has_ip interfaces;
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@ -12,7 +12,6 @@ Notes:
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -22,7 +21,6 @@ Notes:
  #hostname  = ip_pub;
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/ldap/server.nix
    ../applications/discord.nix
    ../applications/bitwarden/vaultwarden.nix
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@ -13,7 +13,6 @@ Notes:
  lib,
  nodes,
  arion,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -22,7 +21,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/games.nix
  ];

--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@ -13,7 +13,6 @@ Notes:    Does not host offical sites
  lib,
  nodes,
  inputs,
-  modulesPath,
  ...
 }: let
  name = "skynet";
@ -23,7 +22,6 @@ Notes:    Does not host offical sites
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/skynet_users.nix
  ];

--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@ -12,7 +12,6 @@ Notes:
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  name = "vigil";
@ -20,7 +19,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
  ];

  deployment = {
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@ -12,7 +12,6 @@ Notes:
  pkgs,
  lib,
  nodes,
-  modulesPath,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
@ -21,7 +20,6 @@ Notes:
  hostname = "${name}.skynet.ie";
 in {
  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../applications/gitlab_runner.nix
  ];