From 4aa6a6f858fd5c7dbae6ce70438f3613ada59f2c Mon Sep 17 00:00:00 2001 From: James Andariese Date: Fri, 18 Apr 2025 00:54:58 -0500 Subject: [PATCH] interim import --- .gitignore | 1 + Makefile | 5 ++ flake.lock | 149 ++++--------------------------------- flake.nix | 100 ++++++++----------------- hosts/installer.nix | 92 +++++++++++++++++++++++ hosts/xerneas.nix | 20 +++++ hosts/yveltal.nix | 21 ++++++ iface-templates.nix | 28 +++++++ modules/corenet.nix | 45 ++++------- modules/k3s.nix | 65 ++++++++++++++++ modules/luks.nix | 1 - modules/nvidia.nix | 3 + modules/serial-console.nix | 8 ++ modules/server.nix | 2 - modules/users.nix | 23 ++++++ rowlet.nix | 21 ------ snorlax.nix | 20 ----- sobble.nix | 21 ------ types/k3s-server.nix | 10 +++ types/minimal.nix | 11 +++ types/server.nix | 14 ++++ 21 files changed, 360 insertions(+), 300 deletions(-) create mode 100644 Makefile create mode 100644 hosts/installer.nix create mode 100644 hosts/xerneas.nix create mode 100644 hosts/yveltal.nix create mode 100644 iface-templates.nix create mode 100644 modules/k3s.nix create mode 100644 modules/nvidia.nix create mode 100644 modules/serial-console.nix create mode 100644 modules/users.nix delete mode 100644 rowlet.nix delete mode 100644 snorlax.nix delete mode 100644 sobble.nix create mode 100644 types/k3s-server.nix create mode 100644 types/minimal.nix create mode 100644 types/server.nix diff --git a/.gitignore b/.gitignore index e4492bb..86a69c6 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ result .* !.git* *poop* +*.iso diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e50b0ba --- /dev/null +++ b/Makefile @@ -0,0 +1,5 @@ +installer.iso: flake.nix modules hosts/installer.nix + nix build .#nixosConfigurations.installer.config.system.build.isoImage + rm -f installer.iso + cp result/iso/nixos-*.iso installer.iso + diff --git a/flake.lock b/flake.lock index 95f639d..db64767 100644 --- a/flake.lock +++ b/flake.lock 
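Review bot: The prerequisite list `installer.iso: flake.nix modules hosts/installer.nix` names the `modules` directory, whose mtime only changes when entries are added or removed, so editing an existing module (or anything under `types/`, which `hosts/installer.nix` imports) will not trigger a rebuild; list the files instead, e.g. `installer.iso: flake.nix $(wildcard modules/*.nix types/*.nix) hosts/installer.nix`. `cp result/iso/nixos-*.iso installer.iso` also fails if more than one image matches the glob, which the `rm -f` on the line before does not guard against.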
@@ -7,11 +7,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1718194053, - "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", "owner": "serokell", "repo": "deploy-rs", - "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", "type": "github" }, "original": { @@ -54,24 +54,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "interlude": { "inputs": { "flake-utils": "flake-utils", @@ -91,28 +73,13 @@ "url": "https://git.strudelline.net/nix/interlude" } }, - "ipcalc": { - "locked": { - "lastModified": 1720829192, - "narHash": "sha256-uo1vVwyhdbEqzUa27/wxvnIZFIRyiTidIDRXeP59FWg=", - "ref": "refs/heads/main", - "rev": "e7e8242a9918161d8e0b3fb4b725612aef8a03bb", - "revCount": 3, - "type": "git", - "url": "https://git.strudelline.net/nix/ipcalc" - }, - "original": { - "type": "git", - "url": "https://git.strudelline.net/nix/ipcalc" - } - }, "nixlib": { "locked": { - "lastModified": 1723942470, - "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=", + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "type": "github" }, "original": { 
@@ -129,11 +96,11 @@ ] }, "locked": { - "lastModified": 1724028932, - "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=", + "lastModified": 1742568034, + "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "5fd22603892e4ec5ac6085058ed658243143aacd", + "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", "type": "github" }, "original": { @@ -175,11 +142,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1723938990, - "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { 
@@ -188,83 +155,12 @@ "type": "indirect" } }, - "nixpkgs_4": { - "locked": { - "lastModified": 1720691131, - "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1721838734, - "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "numbers": { - "inputs": { - "ipcalc": "ipcalc", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1724036520, - "narHash": "sha256-KJU6W5qghjMTjlTFnK0F2zJVw0qmTfC6nkMBhUNgjow=", - "ref": "refs/heads/main", - "rev": "4550d62254e030c9075343a4897a985fcfda1fd6", - "revCount": 29, - "type": "git", - "url": "https://git.strudelline.net/cascade/numbers" - }, - "original": { - "type": "git", - "url": "https://git.strudelline.net/cascade/numbers" - } - }, - "putex": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1721923974, - "narHash": "sha256-yz3VioYJXUTdl4TU1RZnGbRMj3ng3OTtVDEbGPFXGLE=", - "ref": "refs/heads/main", - "rev": "eed14b5adada7325e916dfc3a89cbd4beef806a8", - "revCount": 7, - "type": "git", - "url": "https://git.strudelline.net/james/putex" - }, - "original": { - "type": "git", - "url": "https://git.strudelline.net/james/putex" - } - }, "root": { "inputs": { "deploy-rs": "deploy-rs", "interlude": "interlude", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_3", - "numbers": "numbers", - "putex": "putex", "unstable": "unstable" } }, 
@@ -298,28 +194,13 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "unstable": { "locked": { - "lastModified": 1723985069, - "narHash": "sha256-MGtXhZHLZGKhtZT/MYXBJEuMkZB5DLYjY679EYNL7Es=", + "lastModified": 1744536153, + "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1", + "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 619c032..5791901 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,79 +2,46 @@ inputs = { nixpkgs.url = "nixpkgs/nixos-24.05"; unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - numbers.url = "git+https://git.strudelline.net/cascade/numbers"; interlude.url = "git+https://git.strudelline.net/nix/interlude"; - putex.url = "git+https://git.strudelline.net/james/putex"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; deploy-rs.url = "github:serokell/deploy-rs"; }; - outputs = { self, nixpkgs, unstable, numbers, interlude, putex, nixos-generators, deploy-rs }@inputs: + outputs = { self, nixpkgs, unstable, interlude, nixos-generators, deploy-rs }@inputs: with builtins; with nixpkgs.lib; with interlude.lib; let - includableModules = - let localModules = "${./.}" + "/modules"; - dirContents = readDir (localModules); - filenames = attrNames (dirContents); - dirs = (filter (n: dirContents."${n}" == "directory" && - readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames); - files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames); - in - foldl recursiveUpdate {} ( - (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}" "${localModules}/${x}"); }) (trace "dirs: ${toJSON dirs}" dirs)) - ++ (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}.nix" "${localModules}/${x}.nix"); }) (trace "files: ${toJSON files}" files)) - ); - buildMachine' = name: mods: cfg: { + buildMachine = name: arch: + { # the evaluated machine - nixosConfigurations."${name}" = + nixosConfigurations."${name}" = + let + pkgs = import nixpkgs { config = { allowUnfree = true; }; system = arch; }; + specialArgs = { basePath = "${toString ./.}"; inherit inputs; }; + in nixosSystem ( + { + inherit pkgs specialArgs; + modules = [ + (import "${./.}/hosts/${name}.nix") + { + system.stateVersion = mkForce "24.05"; + nix.settings.require-sigs = mkForce false; + networking.hostName = name; # Define 
your hostname. + } + self.nixosModules.vmFormats + self.nixosModules.fixFlakeRegistry + ]; + }); + }; + hosts = let - pkgs = import nixpkgs { config = { allowUnfree = true; };}; - specialArgs = { basePath = "${toString ./.}"; inherit inputs numbers; }; - in nixosSystem (cfg // { - inherit pkgs specialArgs; - modules = [ - self.nixosModules.vmFormats - numbers.nixosModules.users - self.nixosModules.session - putex.nixosModules.default - { - # global fixed values. - networking.hostName = mkForce name; - system.stateVersion = mkForce "24.05"; - nix.settings.require-sigs = mkForce false; - } - ] ++ mods; - }); - }; - buildMachine = name: - # the evaluated machine - with numbers.api; - let - modules = [ - self.nixosModules.fixFlakeRegistry - numbers.nixosModules.networking - self.nixosModules.packages - self.nixosModules.luks - self.nixosModules.systemd-efi - numbers.nixosModules.users - ] ++ (map (x: self.nixosModules."${x}") (hostModules name)); - arch = hostSystem name; + hostsPath = "${./.}" + "/hosts"; + dirContents = readDir hostsPath; + filenames = attrNames dirContents; + #dirs = (filter (n: dirContents."${n}" == "directory" && + # readFileType "${hostsPath}/${n}/default.nix" == "regular") filenames); in - (buildMachine' name modules { system = arch; }) - // - { - deploy.nodes."${name}" = { - hostname = "172.16.19.1"; - profiles.system = { - user = "root"; - path = deploy-rs.lib."${arch}".activate.nixos self.nixosConfigurations."${name}"; - }; - }; - - # This is highly advised, and will prevent many possible mistakes - checks = deploy-rs.lib."${arch}".deployChecks self.deploy; - }; + concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames); in foldl recursiveUpdate { nixosModules = { 
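Review bot: `nix.settings.require-sigs = mkForce false;` in the inline module of `buildMachine` now applies to every host enumerated from `hosts/`, including the installer ISO, and because it is `mkForce`d no host module can re-enable it; this disables signature verification of substituted store paths, so it should be scoped to the hosts that need it or replaced by the cache's `nix.settings.trusted-public-keys`, with a comment stating why it is off. The `deploy-rs` input is still declared and bound in `outputs` although the `deploy.nodes` and `checks` that used it are removed here, so it is fetched and locked for nothing. `hosts` picks up every `*.nix` in `hosts/`, which is what makes `installer` a `nixosConfiguration`; a one-line comment on `hostsPath` saying so would save the next reader a search. The `foldl recursiveUpdate {` expression started at the end of this hunk closes outside it.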
@@ -91,9 +58,6 @@ # the sample format from nixos-generators # formatConfigs.my-custom-format = { config, modulesPath, ... }: { - # imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-base.nix" ]; - # formatAttr = "isoImage"; - # fileExtension = ".iso"; # networking.wireless.networks = { # # ... # }; @@ -104,9 +68,7 @@ unstable.flake = inputs.unstable; };}; }; - } ( # lists to recursively merge into the config. - [ includableModules ] - ++ (with numbers.api; map (h: buildMachine h) deployableHosts) - ++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )] + } ( [] # lists to recursively merge into the config. + ++ (map (h: buildMachine h "x86_64-linux") hosts) ); } diff --git a/hosts/installer.nix b/hosts/installer.nix new file mode 100644 index 0000000..e9b4ff6 --- /dev/null +++ b/hosts/installer.nix 
@@ -0,0 +1,92 @@ +{ config, pkgs, lib, modulesPath, ... }: + +let installer = pkgs.writeShellApplication { + name = "cascade-installer"; + runtimeInputs = with pkgs; [ + btrfs-progs + coreutils + cryptsetup + dig + dosfstools + e2fsprogs + git + lvm2 + nix + parted + util-linux + ]; + + text = + let + shq = lib.escapeShellArg; + partedMin = cmd: '' + parted -f -a minimal "$DEVICE" --script ${cmd} + ''; + partedOpt = cmd: '' + parted -f -a optimal "$DEVICE" --script ${cmd} + ''; + in + '' + if [ "$#" -ne 2 ];then + 1>&2 echo "usage: $0 hostname full-disk-device" + exit 1 + fi + HOSTNAME="$1" + DEVICE="$2" + LABEL="$HOSTNAME"-luks0 + LV="$HOSTNAME"-luks + + echo ABOUT TO DESTROY THIS MACHINE + sleep 10 || exit 1 + + wipefs -a "$DEVICE" + + ${partedMin "mklabel gpt"} + ${partedMin "mkpart ESP fat32 0% 1GB"} + ${partedMin "set 1 esp on"} + ${partedOpt "mkpart \"$HOSTNAME\"-luks0 ext4 1GB 100%"} + + sleep 1 + + cryptsetup -q luksFormat --type luks2 /dev/disk/by-partlabel/"$LABEL" -d /dev/zero -l 32 + cryptsetup -q luksOpen /dev/disk/by-partlabel/"$LABEL" "$LABEL" -d /dev/zero -l 32 + + pvcreate /dev/mapper/"$LABEL" + vgcreate "$LV" /dev/mapper/"$LABEL" + lvcreate -L 20G -n "$HOSTNAME"-root "$LV" + + mkfs.fat -F 32 -n BOOT /dev/disk/by-partlabel/ESP + mkfs.ext4 -L "$HOSTNAME"-root /dev/"$LV"/"$HOSTNAME"-root + + sleep 1 + + # note to future self who "fixes" this: + # the -p is to prevent error if the path exists, not to create / which obviously exists. + # this is a scenario that happens when rerunning these commands during debugging. just + # leave the -p, future me. please just leave it. 
+ mkdir -p /mnt + mount /dev/disk/by-label/"$HOSTNAME"-root /mnt + mkdir -p /mnt/boot + mount /dev/disk/by-label/BOOT /mnt/boot + mkdir -p /mnt/root + + TOKEN="$(dig +short lan-auth-token.strudelline.net TXT | tr -d '"')" + umask 0077 + mkdir -p /root + printf 'machine git.strudelline.net\nlogin lan-auth\npassword %s\n' "$TOKEN" > /root/.netrc + printf 'machine git.strudelline.net\nlogin lan-auth\npassword %s\n' "$TOKEN" > /mnt/root/.netrc + + nixos-install --flake git+https://git.strudelline.net/cascade/nixos#"$HOSTNAME" --impure --no-root-password + ''; +}; +in +{ + imports = [ + ../types/minimal.nix + (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") + ]; + + environment.systemPackages = [ + installer + ]; +} diff --git a/hosts/xerneas.nix b/hosts/xerneas.nix new file mode 100644 index 0000000..5932c32 --- /dev/null +++ b/hosts/xerneas.nix @@ -0,0 +1,20 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, inputs, ... }: + +let iface = import ../iface-templates.nix; +in { + imports = + [ # Include the results of the hardware scan. + ../types/server.nix + ]; + config = lib.mkMerge [ + (iface.bridge "lan0" "172.16.1.252/12" "172.16.1.1" "phy0" "d8:9e:f3:1b:7f:8a") + (iface.dhcp "phy1" "98:b7:85:01:39:1a") + (iface.dhcp "phy2" "98:b7:85:01:39:1b") + (iface.dhcp "phy3" "98:b7:85:01:39:1c") + (iface.dhcp "phy4" "98:b7:85:01:39:1d") + ]; +} diff --git a/hosts/yveltal.nix b/hosts/yveltal.nix new file mode 100644 index 0000000..84f3386 --- /dev/null +++ b/hosts/yveltal.nix 
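Review bot: Both `cryptsetup ... luksFormat` and `luksOpen` use `-d /dev/zero -l 32`, i.e. a 32-byte all-zero key file, so the LUKS2 container offers no protection against offline reading of the disk; if unattended unlock is the goal, a TPM-sealed or separately delivered keyslot (plus a comment stating the intent) is the defensible form, and `modules/luks.nix` has to match whatever is chosen. The install credential is pulled from an unauthenticated DNS TXT record (`lan-auth-token.strudelline.net`) and written to `/mnt/root/.netrc`, so it persists in plaintext on every installed host; remove it after `nixos-install` or obtain it over an authenticated channel. `mkdir -p /mnt/root` runs before `umask 0077`, so that directory's mode depends on the inherited umask rather than being 0700 like the files written into it. A comment on the fixed `-L 20G` root LV and on the `sleep 10` destruction window would help whoever re-runs this; the hunk is the whole of `hosts/installer.nix`.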
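Review bot: The comment `# Include the results of the hardware scan.` above `imports` is template text that no longer applies — no `hardware-configuration.nix` is imported, and the disk layout appears to come from `../types/server.nix` via `modules/luks.nix`; replace it with `# host type; disk layout is fixed by modules/luks.nix` or drop it. The same stale comment is in `hosts/yveltal.nix`. The bridge address `172.16.1.252/12` puts the whole 172.16.0.0/12 private range on-link; if that is deliberate, a short comment would stop a reader from assuming a typo for /24.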
@@ -0,0 +1,21 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, inputs, ... }: + +let iface = import ../iface-templates.nix; +in { + imports = + [ # Include the results of the hardware scan. + ../types/server.nix + ]; + config = lib.mkMerge [ + (iface.bridge "lan0" "172.16.1.251/12" "172.16.1.1" "phy0" "50:9a:4c:49:cc:1b") + (iface.dhcp "phy1" "98:b7:85:01:36:ec") + (iface.dhcp "phy2" "98:b7:85:01:36:ed") + (iface.dhcp "phy3" "98:b7:85:01:36:ee") + (iface.dhcp "phy4" "98:b7:85:01:36:ef") + ]; + +} diff --git a/iface-templates.nix b/iface-templates.nix new file mode 100644 index 0000000..b8355b1 --- /dev/null +++ b/iface-templates.nix @@ -0,0 +1,28 @@ +let build = iface: mac: rest: { + systemd.network.enable = true; + systemd.network.links."${iface}" = { + linkConfig.Name = iface; + matchConfig.PermanentMACAddress = mac; + }; + systemd.network.networks."${iface}".enable = true; +} // rest; in +{ + bridge = bridge: ip: gateway: build { + systemd.network.networks."${iface}".bridge = [ bridge ]; + systemd.network.networks."${bridge}" = { + address = [ ip ]; + gateway = [ gateway ]; + }; + systemd.network.netdevs."${bridge}" = { + netdevConfig = { + Name = bridge; + Kind = "bridge"; + }; + }; + }; + dhcp = build { + systemd.network.networks."${iface}" = { + DHCP = "yes"; + }; + }; +} diff --git a/modules/corenet.nix b/modules/corenet.nix index cf1bc30..685164c 100644 --- a/modules/corenet.nix +++ b/modules/corenet.nix 
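Review bot: `bridge` and `dhcp` pass an attribute set as `build`'s first argument (`iface`), yet both sets reference `iface`, which is not bound anywhere in this file, so importing it fails with an undefined-variable error; the call sites in `hosts/xerneas.nix` and `hosts/yveltal.nix` supply `bridge ip gateway iface mac`, so the templates need `iface: mac:` parameters and must call `build iface mac { ... }`. `build` also merges with `//`, which is shallow: `rest` carries its own `systemd` attribute, so the `enable` and `links.<iface>` entries of the base set would be replaced rather than merged. The sketch below takes `lib` so `lib.recursiveUpdate` can do the merge; callers then become `import ../iface-templates.nix { inherit lib; }`.
```nix
{ lib }:
let build = iface: mac: rest: lib.recursiveUpdate {
  systemd.network.enable = true;
  systemd.network.links."${iface}" = {
    linkConfig.Name = iface;
    matchConfig.PermanentMACAddress = mac;
  };
  systemd.network.networks."${iface}".enable = true;
} rest; in
{
  bridge = bridge: ip: gateway: iface: mac: build iface mac {
    # … unchanged: networks.<iface>.bridge, networks.<bridge>, netdevs.<bridge> …
  };
  dhcp = iface: mac: build iface mac {
    # … unchanged: networks.<iface>.DHCP …
  };
}
```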
@@ -8,43 +8,26 @@ strIfHasIface = iface: s: if hasIface iface then s else ""; attrsetIfHasIface = iface: as: if hasIface iface then as else {}; eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else []; -nameservers = filter (x: x != "") [ - "127.0.0.1" - (if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "") - (if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "") - (if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "") - ]; - in { imports = [ - #./pgpool.nix ./udp514.nix ]; services.udp514-journal.enable = true; - services.coredns = { - enable = true; - config = '' - . { - ${strIfHasIface "sxxxxec0" "bind sec0"} - ${strIfHasIface "xxxxlan0" "bind lan0"} - nsid ${config.networking.hostName} - forward . 172.16.1.8 - template IN A server.dns { - answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}" - } - } - ''; - }; services.resolved.enable = false; - #networking.resolvconf.enable = false; - environment.etc."resolv.conf".text = foldl' - (a: s: if s == "" then a else "${a}nameserver ${s}\n") - "" nameservers; - networking.nameservers = nameservers; + environment.etc."resolv.conf".text = '' + nameserver 172.16.1.8 + nameserver 172.16.1.1 + search cascade.strudelline.net + ''; + + networking.nameservers = [ + 172.16.1.8 + 172.16.1.1 + ]; system.activationScripts."corenet-flux" = mkIf true '' 
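Review bot: The new `networking.nameservers = [ 172.16.1.8 172.16.1.1 ];` lists the addresses unquoted; the option is a list of strings and a bare `172.16.1.8` is not a valid string literal in Nix, so this module cannot evaluate — it should read `networking.nameservers = [ "172.16.1.8" "172.16.1.1" ];`. The hand-written `environment.etc."resolv.conf".text` next to it repeats the same two addresses and will drift from `networking.nameservers`; deriving one from the other, as the removed `nameservers` binding did, keeps them consistent. The `corenet-flux` activation script at the end of the hunk continues outside it.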
@@ -55,19 +38,17 @@ in enable = true; tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token"; serverAddr = - mkIf (config.networking.hostName != "snorlax") - "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443"; + "https://${(numbers.apt.hostIface "snorlax" "sec0").ip}:6443"; clusterInit = config.networking.hostName == "snorlax"; extraFlags = ( - #" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+ " --disable=traefik"+ " --disable=local-storage"+ " --cluster-cidr=10.128.0.0/16"+ " --service-cidr=10.129.0.0/16"+ " --flannel-backend=vxlan"+ " --embedded-registry"+ - (strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+ - #(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+ + " --node-ip=172.16.1.254"+ + " --tls-san=k8s.cascade.strudelline.net")+ ""); }; diff --git a/modules/k3s.nix b/modules/k3s.nix new file mode 100644 index 0000000..4dd4984 --- /dev/null +++ b/modules/k3s.nix 
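Review bot: `numbers.apt.hostIface` on the new `serverAddr` line is a typo for `numbers.api`, and the `numbers` flake input that provided it is removed from `flake.nix` in this same commit, so the line cannot evaluate on any host importing the module. Dropping the `mkIf (config.networking.hostName != "snorlax")` guard also makes the cluster-init host point `serverAddr` at itself, which the k3s module may reject on that node, and `--node-ip=172.16.1.254` is now one fixed value shared by every host importing `modules/corenet.nix`, so at most one node can be correct. The `services.k3s` block that ends this hunk starts outside it.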
@@ -0,0 +1,65 @@ +{config, numbers, pkgs, lib, ...}: + +with lib; + +let +hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName); +strIfHasIface = iface: s: if hasIface iface then s else ""; +attrsetIfHasIface = iface: as: if hasIface iface then as else {}; +eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else []; + +in + +{ + networking.nameservers = [ + "172.16.1.53" + "172.16.1.8" + ]; + + system.activationScripts."corenet-flux" = mkIf true '' + ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml + ''; + + services.k3s = { + enable = true; + tokenFile = "/etc/k3s.token"; + serverAddr = + "https://172.16.17.1:6443"; + extraFlags = ( + " --flannel-backend=wireguard-native"+ + " --disable=traefik"+ + " --disable=servicelb"+ + " --disable=local-storage"+ + " --tls-san=k8s.cascade.strudelline.net"+ + " --kubelet-arg=config=/etc/rancher/k3s/kubelet.config}"+ + " --kubelet-arg=allowed-unsafe-sysctls=net.*"+ + " --embedded-registry"+ + " --nonroot-devices"+ + ""); + }; + + environment.etc = { + "rancher/k3s/kubelet.config".text = '' + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + maxPods: 250 + ''; + "rancher/k3s/registries.yaml".text = '' + mirrors: + "*": + ''; + }; + + networking.firewall.allowedUDPPorts = [ + 53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250 + ]; + networking.firewall.allowedUDPPortRanges = [ + { from = 5000; to = 32767; } + ]; + networking.firewall.allowedTCPPorts = [ + 53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250 + ]; + networking.firewall.allowedTCPPortRanges = [ + { from = 5000; to = 32767; } + ]; +} diff --git a/modules/luks.nix b/modules/luks.nix index 1f484f9..1380906 100644 --- a/modules/luks.nix +++ b/modules/luks.nix @@ -18,5 +18,4 @@ device = "/dev/disk/by-label/BOOT"; fsType = "vfat"; }; - } diff --git a/modules/nvidia.nix b/modules/nvidia.nix new file mode 100644 index 0000000..b22f43c --- /dev/null 
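Review bot: `" --kubelet-arg=config=/etc/rancher/k3s/kubelet.config}"` carries a stray `}`, so the kubelet is pointed at a path that does not exist; the file created below is `environment.etc."rancher/k3s/kubelet.config"`, so the flag should read `" --kubelet-arg=config=/etc/rancher/k3s/kubelet.config"+`. The module also destructures `numbers`, which this commit removes from the flake inputs, and the `hasIface` helpers built on it are never used in the body, so they should go. The firewall block opens 2379/2380 (etcd), 6443, 10250 and the entire 5000–32767 range for TCP and UDP on every interface; on hosts whose `phy*` links are DHCP uplinks these are better confined with `networking.firewall.interfaces.<iface>.allowedTCPPorts` to the cluster-facing interface, and `--kubelet-arg=allowed-unsafe-sysctls=net.*` deserves a comment naming the workload that needs it.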
+++ b/modules/nvidia.nix @@ -0,0 +1,3 @@ +{ + hardware.nvidia-container-toolkit.enable = true; +} diff --git a/modules/serial-console.nix b/modules/serial-console.nix new file mode 100644 index 0000000..521887f --- /dev/null +++ b/modules/serial-console.nix @@ -0,0 +1,8 @@ +{ + boot.kernelParams = [ "console=ttyS0,115200n8" ]; + boot.loader.grub.extraConfig = " + serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 + terminal_input serial + terminal_output serial + "; +} diff --git a/modules/server.nix b/modules/server.nix index e4a33b0..fc37abf 100644 --- a/modules/server.nix +++ b/modules/server.nix @@ -22,8 +22,6 @@ }; }; - #hardware.nvidia-container-toolkit.enable = true; - services.openssh.enable = true; networking.firewall.enable = true; diff --git a/modules/users.nix b/modules/users.nix new file mode 100644 index 0000000..9925279 --- /dev/null +++ b/modules/users.nix @@ -0,0 +1,23 @@ +{config, lib, ...}: +with builtins; +with lib; +let adminGroups = + filter (x: hasAttr x config.users.groups) [ "users" "networkmanager" "wheel" "keyd" "tss" "plugdev" "uinput" "tss" "disk" "dialout" "kvm" "docker" "libvirtd" ] + ; +adminUser = name: { hashedPassword, sshKeys ? [], ...}@options: { + users.users."${name}" = { + isNormalUser = true; + description = name; + linger = true; + extraGroups = adminGroups; + hashedPassword = hashedPassword; + openssh.authorizedKeys.keys = if (isList sshKeys) then sshKeys else [ sshKeys ]; + }; +}; +in +{ config = mkMerge [ + (adminUser "james" { + hashedPassword = "$6$rounds=3329299$pm3dw//wbFgSL3vc$9oXIvCyHqvQHpcn0cvn686mlbt5T4Qd4c5vgSdI8oNhVGXb7pteLyzN.b2pJ3w22NsPovWoL9M.ScyJXRTPP10"; + sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2FMpfO9p2xfATWwaqpT3cGwYOtraiTMfmRXDBI7jrR james"; + }) +];} diff --git a/rowlet.nix b/rowlet.nix deleted file mode 100644 index f48bd0b..0000000 --- a/rowlet.nix +++ /dev/null 
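Review bot: `adminUser "james" { hashedPassword = "$6$…"; ... }` commits a password hash to the repository, where it stays in history and can be attacked offline; prefer `users.users.<name>.hashedPasswordFile` pointing at a file delivered out of band, or a secrets module. `adminGroups` lists `"tss"` twice. `disk`, `docker`, `kvm` and `libvirtd` are root-equivalent groups, so a comment stating that `adminUser` deliberately grants full host control would make the intent explicit. Because `types/minimal.nix` imports this module, the account and its SSH key also exist on the installer ISO.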
@@ -1,21 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, lib, flake-inputs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - #./hardware-configuration.nix - ./lib/packages.nix - ./lib/server.nix - ./lib/session.nix - ]; - - networking.hostName = "rowlet"; # Define your hostname. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - - system.stateVersion = "24.05"; -} diff --git a/snorlax.nix b/snorlax.nix deleted file mode 100644 index aebad30..0000000 --- a/snorlax.nix +++ /dev/null @@ -1,20 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, lib, flake-inputs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./lib/packages.nix - ./lib/server.nix - ./lib/session.nix - ]; - - networking.hostName = "snorlax"; # Define your hostname. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - - system.stateVersion = "24.05"; -} diff --git a/sobble.nix b/sobble.nix deleted file mode 100644 index b83df5e..0000000 --- a/sobble.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, lib, inputs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - #./hardware-configuration.nix - ./lib/packages.nix - ./lib/server.nix - ./lib/session.nix - ]; - - networking.hostName = "sobble"; # Define your hostname. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - - system.stateVersion = "24.05"; -} diff --git a/types/k3s-server.nix b/types/k3s-server.nix new file mode 100644 index 0000000..ac57421 --- /dev/null +++ b/types/k3s-server.nix @@ -0,0 +1,10 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ./server.nix + ../modules/k3s.nix + ]; + + system.stateVersion = "24.05"; +} diff --git a/types/minimal.nix b/types/minimal.nix new file mode 100644 index 0000000..f726d03 --- /dev/null +++ b/types/minimal.nix @@ -0,0 +1,11 @@ +{ config, pkgs, lib, flake-inputs, ... }: + +{ + imports = [ + ../modules/session.nix + ../modules/users.nix + ../modules/serial-console.nix + ]; + + system.stateVersion = "24.05"; +} diff --git a/types/server.nix b/types/server.nix new file mode 100644 index 0000000..5b0ed00 --- /dev/null +++ b/types/server.nix @@ -0,0 +1,14 @@ +{ config, pkgs, lib, flake-inputs, ... }: + +{ + imports = [ + ../modules/session.nix + ../modules/server.nix + ../modules/systemd-efi.nix + ../modules/luks.nix + ../modules/users.nix + ../modules/serial-console.nix + ]; + + system.stateVersion = "24.05"; +}
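Review bot: `types/minimal.nix` and `types/server.nix` take a `flake-inputs` argument that nothing provides (the flake passes `inputs` via `specialArgs`) and never use it, so the parameter should be removed or renamed to `inputs`. All three type files set `system.stateVersion = "24.05"` even though `buildMachine` in `flake.nix` forces the same value with `mkForce`, so the per-type setting is dead and one place should own it. `types/k3s-server.nix` is not imported by any host in this commit, and `types/minimal.nix` pulls `modules/users.nix` into the installer ISO, which is worth a comment such as `# admin account and SSH key are intentionally present on the live installer`.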