updates. (from the past :/)

wip
add nics for eths to vms from numbers
2025-02-18 19:09:15 -06:00 · 2024-07-31 00:18:30 -05:00 · 2024-07-26 14:28:55 -05:00 · 2024-07-25 13:24:34 -05:00 · 2024-07-25 13:24:34 -05:00 · 2024-07-25 13:01:06 -05:00
22 changed files with 665 additions and 48 deletions
--- a/deploy.sh
+++ b/deploy.sh
@ -0,0 +1,43 @@
 set -e
 #for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop pgpool ; done
 #for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop postgresql ; done
 deploy() {
    TARGET="$1"
    shift
    nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo "$@"
 }
 spread_token() {
  #PW=$(
  #  ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token /etc/k3s.token | grep . | head -1 | grep . \
  #    || dd if=/dev/random bs=16 count=1 status=none | xxd -ps
  #)
  PW=$(
    ssh snorlax sudo cat /etc/k3s.token | grep . | head -1 | grep . \
      || dd if=/dev/random bs=16 count=1 status=none | xxd -ps
  )
  for f in snorlax sobble rowlet;do
      ssh $f "sudo bash -c 'touch /etc/k3s.token; chmod 600 /etc/k3s.token; dd of=/etc/k3s.token oflag=sync'" <<<"$PW"
  done
 }
 k3s_reset() {
    ssh $1 sudo /nix/store/*k3s*/bin/k3s-killall.sh || true
    ssh $1 sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
 }
 #k3s_reset snorlax
 #k3s_reset sobble
 #k3s_reset rowlet
 #nix run nixpkgs#natscli -- -s 172.16.1.2 kv del kine -f || true
 #nix run nixpkgs#natscli -- -s 172.16.1.2 kv del k0-kine -f || true
 #spread_token
 #deploy snorlax
 #spread_token
 deploy snorlax "$@"
 deploy sobble "$@"
 deploy rowlet "$@"
 #(PW=$(dd if=/dev/random bs=16 count=1 status=none | xxd -ps);for f in 172.16.1.{2,3};do ssh $f "sudo bash -c 'cat > /etc/pool_passwd'" <<<"$PW";done)
 #for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start postgresql ; done
 #for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start pgpool ; done
--- a/flake.lock
+++ b/flake.lock
@ -54,6 +54,24 @@
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "interlude": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -90,11 +108,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1719708727,
+        "lastModified": 1723942470,
-        "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=",
+        "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6",
+        "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
        "type": "github"
      },
      "original": {
@ -111,11 +129,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720859326,
+        "lastModified": 1724028932,
-        "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=",
+        "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7",
+        "rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
        "type": "github"
      },
      "original": {
@ -157,11 +175,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1720954236,
+        "lastModified": 1723938990,
-        "narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=",
+        "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27",
+        "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
        "type": "github"
      },
      "original": {
@ -185,17 +203,33 @@
        "type": "indirect"
      }
    },
    "nixpkgs_5": {
      "locked": {
        "lastModified": 1721838734,
        "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "numbers": {
      "inputs": {
        "ipcalc": "ipcalc",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1721177469,
+        "lastModified": 1724036520,
-        "narHash": "sha256-8puiNyCJy6k1Pl25BgE4wUUpifO7f1hraR7JI9lAqW4=",
+        "narHash": "sha256-KJU6W5qghjMTjlTFnK0F2zJVw0qmTfC6nkMBhUNgjow=",
        "ref": "refs/heads/main",
-        "rev": "27af88462c971572a72a9a05c8608dca74e4a4b7",
+        "rev": "4550d62254e030c9075343a4897a985fcfda1fd6",
-        "revCount": 13,
+        "revCount": 29,
        "type": "git",
        "url": "https://git.strudelline.net/cascade/numbers"
      },
@ -204,6 +238,25 @@
        "url": "https://git.strudelline.net/cascade/numbers"
      }
    },
    "putex": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1721923974,
        "narHash": "sha256-yz3VioYJXUTdl4TU1RZnGbRMj3ng3OTtVDEbGPFXGLE=",
        "ref": "refs/heads/main",
        "rev": "eed14b5adada7325e916dfc3a89cbd4beef806a8",
        "revCount": 7,
        "type": "git",
        "url": "https://git.strudelline.net/james/putex"
      },
      "original": {
        "type": "git",
        "url": "https://git.strudelline.net/james/putex"
      }
    },
    "root": {
      "inputs": {
        "deploy-rs": "deploy-rs",
@ -211,6 +264,7 @@
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs_3",
        "numbers": "numbers",
        "putex": "putex",
        "unstable": "unstable"
      }
    },
@ -244,13 +298,28 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "unstable": {
      "locked": {
-        "lastModified": 1721116560,
+        "lastModified": 1723985069,
-        "narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
+        "narHash": "sha256-MGtXhZHLZGKhtZT/MYXBJEuMkZB5DLYjY679EYNL7Es=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
+        "rev": "ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -4,18 +4,19 @@
    unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    numbers.url = "git+https://git.strudelline.net/cascade/numbers";
    interlude.url = "git+https://git.strudelline.net/nix/interlude";
    putex.url = "git+https://git.strudelline.net/james/putex";
    nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
    deploy-rs.url = "github:serokell/deploy-rs";
  };
-  outputs = { self, nixpkgs, unstable, numbers, interlude, nixos-generators, deploy-rs }@inputs:
+  outputs = { self, nixpkgs, unstable, numbers, interlude, putex, nixos-generators, deploy-rs }@inputs:
  with builtins;
  with nixpkgs.lib;
  with interlude.lib;
  let
    includableModules =
      let localModules = "${./.}" + "/modules";
-          dirContents = readDir (traceVal localModules);
+          dirContents = readDir (localModules);
-          filenames = attrNames (trace "dirContents: ${toJSON dirContents}" dirContents);
+          filenames = attrNames (dirContents);
          dirs = (filter (n: dirContents."${n}" == "directory" &&
                             readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames);
          files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
@ -36,12 +37,13 @@
          self.nixosModules.vmFormats
          numbers.nixosModules.users
          self.nixosModules.session
-          ({...}: {
+          putex.nixosModules.default
-            # fixed values.
+          {
-            networking.hostName = traceVal name;
+            # global fixed values.
-            system.stateVersion = "24.05";
+            networking.hostName = mkForce name;
-            nix.settings.require-sigs = false;
+            system.stateVersion = mkForce "24.05";
-          })
+            nix.settings.require-sigs = mkForce false;
          }
        ] ++ mods;
      });
    };
@ -106,6 +108,5 @@
         [ includableModules ]
      ++ (with numbers.api; map (h: buildMachine h) deployableHosts)
      ++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )]
      #++ [(buildMachine' "cascade-installer" [] {} )]
  );
 }
--- a/k3s_reset.sh
+++ b/k3s_reset.sh
@ -0,0 +1,23 @@
 #!/bin/bash
 for f in snorlax sobble rowlet;do
    ssh $f sudo systemctl stop k3s || true
    ssh $f sudo k3s-killall.sh || true
    ssh $f sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
 done
 deploy() {
    TARGET="$1"
    nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo
 }
 deploy snorlax
 TOKEN="$(ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token)"
 echo "$TOKEN" | ssh sobble "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
 echo "$TOKEN" | ssh rowlet "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
 deploy sobble
 deploy rowlet
 import-k3s-creds.sh sobble k0 172.16.1.2
 flux bootstrap gitea --hostname=git.strudelline.net --owner=cascade --repository=k0 --token-auth
--- a/mklocks.sh
+++ b/mklocks.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 nats() {
    command nix run nixpkgs#natscli -- -s 172.16.1.2 "$@"
 }
 nats stream add locks --defaults --discard-per-subject --subjects='lock.router' --storage=memory --discard=new --max-msgs-per-subject=1
--- a/modules/_tmpl.nix
+++ b/modules/_tmpl.nix
@ -0,0 +1,6 @@
 { config, pkgs, lib, ... }:
 {
  config = {
  };
 }
--- a/modules/cascade-router-host.nix
+++ b/modules/cascade-router-host.nix
@ -0,0 +1,33 @@
 { config, pkgs, lib, ... }:
 {
  config = {
    systemd.services."cascade-router".unitConfig = {
      Wants = [ "sys-subsystem-net-devices-wan0.device" ];
      After = [ "sys-subsystem-net-devices-wan0.device" ];
    };
    services.putex.putexes = {
      sec-router = {
        start = "/run/current-system/sw/bin/systemctl --no-block start cascade-router.service";
        stop = ''
          /run/current-system/sw/bin/systemctl stop -f -s 9 cascade-router.service
        '';
        healthcheck = ''
          set -e
          cd /sys/class/net
          # cat all carrier values we care about,
          # filter out the ones that are 1
          # if there's anything left, exit 1.
          if (for f in wan0 sec0 lan0;do echo "$f $(cat "$f"/carrier)"; done|grep -v 1|grep -q .) ;then
            exit 1
          fi
          exit 0
        '';
      };
    };
    virtualisation.libvirtd.allowedBridges = [ "sec0" "lan0" "wan0" ];
  };
 }
--- a/modules/cascade-router.nix
+++ b/modules/cascade-router.nix
@ -0,0 +1,32 @@
 { config, pkgs, lib, ... }:
 {
  config = {
    #system.activationScripts."arpFilter" = ''
    #PATH=${pkgs.procps}/bin:${pkgs.iptables}/bin:$PATH
    #  sysctl net.ipv4.conf.all.arp_filter=1
    #  sysctl net.ipv4.conf.default.arp_filter=1
    #'';
    environment.systemPackages = with pkgs; [
      tcpdump
    ];
    networking = {
      nat = {
        enable = true;
        externalInterface = "wan0";
        internalInterfaces = [ "lan0" "sec0" ];
      };
      useHostResolvConf = false;
      useNetworkd = true;
      useDHCP = false;
      interfaces."wan0" = {
        useDHCP = true;
        #macAddress = "a0:ce:c8:c6:d2:5f";
      };
    };
    system.stateVersion = "24.05";
  };
 }
--- a/modules/corenet-flux.yaml
+++ b/modules/corenet-flux.yaml
@ -0,0 +1,5 @@
 ---
 kind: Namespace
 apiVersion: v1
 metadata:
  name: test-wow
--- a/modules/corenet.nix
+++ b/modules/corenet.nix
@ -0,0 +1,91 @@
 {config, numbers, pkgs, lib, ...}:
 with lib;
 let
 hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName);
 strIfHasIface = iface: s: if hasIface iface then s else "";
 attrsetIfHasIface = iface: as: if hasIface iface then as else {};
 eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];
 nameservers = filter (x: x != "") [
    "127.0.0.1"
    (if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "")
    (if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "")
    (if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "")
  ];
 in
 {
  imports = [
    #./pgpool.nix
    ./udp514.nix
  ];
  services.udp514-journal.enable = true;
  services.coredns = {
    enable = true;
    config = ''
      . {
        ${strIfHasIface "sxxxxec0" "bind sec0"}
        ${strIfHasIface "xxxxlan0" "bind lan0"}
        nsid ${config.networking.hostName}
        forward . 172.16.1.8
        template IN A server.dns {
          answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}"
        }
      }
    '';
  };
  services.resolved.enable = false;
  #networking.resolvconf.enable = false;
  environment.etc."resolv.conf".text = foldl'
    (a: s: if s == "" then a else "${a}nameserver ${s}\n")
    "" nameservers;
  networking.nameservers = nameservers;
  system.activationScripts."corenet-flux" = mkIf true ''
    ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml
  '';
  services.k3s = {
    enable = true;
    tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token";
    serverAddr =
      mkIf (config.networking.hostName != "snorlax")
        "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
    clusterInit = config.networking.hostName == "snorlax";
    extraFlags = (
    #" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+
    " --disable=traefik"+
    " --disable=local-storage"+
    " --cluster-cidr=10.128.0.0/16"+
    " --service-cidr=10.129.0.0/16"+
    " --flannel-backend=vxlan"+
    " --embedded-registry"+
    (strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+
    #(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+
    "");
  };
  environment.etc."rancher/k3s/registries.yaml".text = ''
    mirrors:
      "*":
  '';
  networking.firewall.allowedUDPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
  ];
  networking.firewall.allowedUDPPortRanges = [
    { from = 5000; to = 32767; }
  ];
  networking.firewall.allowedTCPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
  ];
  networking.firewall.allowedTCPPortRanges = [
    { from = 5000; to = 32767; }
  ];
 }
--- a/modules/packages.nix
+++ b/modules/packages.nix
@ -7,20 +7,20 @@
 {
  environment.systemPackages = with pkgs; [
    seatd
-    emacs-nox
+    #emacs-nox
    inetutils
    unzip
    buildah
    curl
    vim
-    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    neovim
    wget
    sshfs
    dig
    gost
    elinks
-    dislocker
+    #dislocker
-    ntfs3g
+    #ntfs3g
    kubectl
    sops
    git
@ -32,6 +32,7 @@
    brightnessctl
    kubernetes-helm
    ripgrep
    bridge-utils
    nettools
    psmisc
--- a/modules/pgpool.nix
+++ b/modules/pgpool.nix
@ -0,0 +1,101 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.pgpool;
  shq = lib.escapeShellArg;
  configFile = pkgs.writeText "pgpool.conf" cfg.config;
 in
 {
  options = {
    services.pgpool = {
      enable = mkEnableOption "pgpool-II";
      config = mkOption {
        default = ''
          backend_clustering_mode = 'snapshot_isolation'
          backend_hostname0 = '127.0.0.1'
          backend_port0 = 5432
          backend_weight0 = 1
          logging_collector = true
          log_destination = 'syslog,stderr'
          log_min_messages = 'INFO'
        '';
        example = ''
          backend_clustering_mode = 'snapshot_isolation'
          backend_hostname0 = '127.0.0.1'
          backend_port0 = 5432
          backend_weight0 = 1
          logging_collector = true
          log_destination = 'syslog,stderr'
          log_min_messages = 'INFO'
        '';
        description = ''
          Verbatim pgpool.conf to use
        '';
      };
      user = mkOption {
        type = types.str;
        default = "pgpool";
        description = ''
          User account under which pgpool runs.
        '';
      };
      group = mkOption {
        type = types.str;
        default = "pgpool";
        description = ''
          User group under which pgpool runs.
        '';
      };
      package = mkPackageOption pkgs "pgpool" { };
      extraArgs = mkOption {
        default = [];
        example = [ "-dns.port=53" ];
        type = types.listOf types.str;
        description = "Extra arguments to pass to coredns.";
      };
    };
  };
  config = mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      extraGroups = mkIf config.services.postgresql.enable [ "postgres" ];
    };
    users.groups.${cfg.group} = {};
    environment.etc."pgpool.conf" = {
      source = configFile;
    };
    environment.systemPackages = [ cfg.package ];
    systemd.services.pgpool = {
      description = "pgpool-II postgresql load balancer and replication manager";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        PermissionsStartOnly = true;
        LimitNPROC = 512;
        LimitNOFILE = 1048576;
        #CapabilityBoundingSet = "cap_net_bind_service";
        #AmbientCapabilities = "cap_net_bind_service";
        NoNewPrivileges = true;
        User = cfg.user;
        Group = cfg.group;
        PIDFile = "/run/pgpool/pgpool.pid";
        RuntimeDirectory = "pgpool";
        ExecStart = "${getBin cfg.package}/bin/pgpool ${lib.escapeShellArgs cfg.extraArgs}";
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
        Restart = "no";
        Type = "forking";
      };
    };
  };
 }
--- a/modules/server.nix
+++ b/modules/server.nix
@ -9,23 +9,6 @@
  virtualisation = {
    kvmgt.enable = true;
    libvirtd = {
      enable = true;
      qemu = {
        runAsRoot = true;
        verbatimConfig = ''
          cgroup_device_acl = ["/dev/kvmfr0", "/dev/kvm"]
        '';
 	swtpm = {
 	  enable = true;
 	};
      };
    };
    docker = {
      enable = true;
      enableNvidia = false;
    };
    containers = {
      enable = true;
      policy = {
@ -39,6 +22,8 @@
    };
  };
  #hardware.nvidia-container-toolkit.enable = true;
  services.openssh.enable = true;
  networking.firewall.enable = true;
@ -50,4 +35,14 @@
  systemd.network.wait-online.enable = lib.mkDefault false;
  networking.useDHCP = false;
  #services.tcsd.enable = true;
  security.sudo = {
    enable = true;
    extraRules = [
      { users = [ "%wheel" ];
        commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
      }
    ];
  };
 }
--- a/modules/stateless-vm.nix
+++ b/modules/stateless-vm.nix
@ -0,0 +1,4 @@
 {
  imports = [ ./vm.nix ];
  config.virtualisation.diskImage = null;
 }
--- a/modules/tank-nvme-luks.nix
+++ b/modules/tank-nvme-luks.nix
@ -0,0 +1,33 @@
 {config,...}:
 # to use this, you must have created the lvm devices for the host
 # in this example, my hostname is sobble and the disk is /dev/sda:
 # 
 #     fdisk /dev/sda
 #     n  # new partition, assuming this is a blank disk.
 #        #     (enter for all defauls until you're back at the prompt)
 #     t  # set type
 #     1  # first partition, again assuming this was a blank disk
 #     8e # lvm
 #     w  # write and quit
 #     
 #     either make the lv inside an existing vg like the root luks one
 #     ----------
 #     lvcreate -L50G -n sobble-tank-nvme sobble-luks
 #     --- or ---
 #     pvcreate /dev/nvme0n2p15
 #     vgcreate sobble-tank-nvme /dev/nvme0n2p15
 #     lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme
 #     -- then --
 #     mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
 let
 m = "${config.networking.hostName}-luks";
 n = "${config.networking.hostName}-tank-nvme";
 in
 {
  fileSystems."/tank/nvme" = {
    device = "/dev/${m}/${n}";
    fsType = "ext4";
  };
 }
--- a/modules/tank-nvme.nix
+++ b/modules/tank-nvme.nix
@ -0,0 +1,26 @@
 {config,...}:
 # to use this, you must have created the lvm devices for the host
 # in this example, my hostname is sobble and the disk is /dev/sda:
 # 
 #     fdisk /dev/sda
 #     n  # new partition, assuming this is a blank disk.
 #        #     (enter for all defauls until you're back at the prompt)
 #     t  # set type
 #     1  # first partition, again assuming this was a blank disk
 #     8e # lvm
 #     w  # write and quit
 #     
 #     pvcreate /dev/nvme5n7p9
 #     vgcreate sobble-tank-nvme /dev/nvme5n7p9
 #     lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme 
 #     mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
 let n = "${config.networking.hostName}-tank-nvme";
 in
 {
  fileSystems."/tank/nvme" = {
    device = "/dev/${n}/${n}";
    fsType = "ext4";
  };
 }
--- a/modules/tank-ssd-luks.nix
+++ b/modules/tank-ssd-luks.nix
@ -0,0 +1,28 @@
 {config,...}:
 # to use this, you must have created the lvm devices for the host
 # in this example, my hostname is sobble and the disk is /dev/sda:
 # 
 #     fdisk /dev/sda
 #     n  # new partition, assuming this is a blank disk.
 #        #     (enter for all defauls until you're back at the prompt)
 #     t  # set type
 #     1  # first partition, again assuming this was a blank disk
 #     8e # lvm
 #     w  # write and quit
 #     
 #     pvcreate /dev/sda1
 #     vgcreate sobble-tank-ssd /dev/sda1
 #     lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd 
 #     mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
 let
 m = "${config.networking.hostName}-luks";
 n = "${config.networking.hostName}-tank-ssd";
 in
 {
  fileSystems."/tank/ssd" = {
    device = "/dev/${m}/${n}";
    fsType = "ext4";
  };
 }
--- a/modules/tank-ssd.nix
+++ b/modules/tank-ssd.nix
@ -0,0 +1,26 @@
 {config,...}:
 # to use this, you must have created the lvm devices for the host
 # in this example, my hostname is sobble and the disk is /dev/sda:
 # 
 #     fdisk /dev/sda
 #     n  # new partition, assuming this is a blank disk.
 #        #     (enter for all defauls until you're back at the prompt)
 #     t  # set type
 #     1  # first partition, again assuming this was a blank disk
 #     8e # lvm
 #     w  # write and quit
 #     
 #     pvcreate /dev/sda1
 #     vgcreate sobble-tank-ssd /dev/sda1
 #     lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd 
 #     mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
 let n = "${config.networking.hostName}-tank-ssd";
 in
 {
  fileSystems."/tank/ssd" = {
    device = "/dev/${n}/${n}";
    fsType = "ext4";
  };
 }
--- a/modules/udp514-pkg.nix
+++ b/modules/udp514-pkg.nix
@ -0,0 +1,19 @@
 { pkgs ? import <nixpkgs> {}, ... }:
 with pkgs;
 stdenv.mkDerivation {
  name = "udp514-journal";
  src = fetchFromGitHub {
    owner = "eworm-de"; repo = "udp514-journal"; rev = "main";
    hash = "sha256-lk2Uz3OemhXd4MMR2zFi54XCQiGjibgvT1iz0a7R1j4=";
  };
  buildInputs = [ systemd ];
  nativeBuildInputs = [ pkg-config multimarkdown ];
  buildPhase = ''
    make udp514-journal
  '';
  installPhase = ''
    mkdir -p $out/bin
    cp udp514-journal $out/bin/udp514-journal
  '';
 }
--- a/modules/udp514.nix
+++ b/modules/udp514.nix
@ -0,0 +1,48 @@
 { config, lib, pkgs, ... }:
 with lib;
 let udp514-journal = import ./udp514-pkg.nix { inherit pkgs; };
    cfg = config.services.udp514-journal;
    port = 514;
    # not configurable yet.
    # cfg.port;
 in
 {
  options = {
    services.udp514-journal = {
      enable = mkEnableOption "udp514-journal";
      openFirewall = mkOption {
        default = true;
        type = types.bool;
        description = "Whether to open the firewall for the specified port.";
      };
      # this is apparently not configurable yet.
      #port = mkOption {
      #  default = 514;
      #  type = types.port;
      #  description = "udp514-journal syslog ingest port";
      #};
    };
  };
  config = mkIf cfg.enable {
    systemd.services."udp514-journal" = {
      description = "udp514-journal syslog to journald adapter";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        DynamicUser = true;
        ProtectSystem = "full";
        CapabilityBoundingSet = "cap_net_bind_service";
        AmbientCapabilities = "cap_net_bind_service";
        Type = "notify";
        Restart = "always";
        ExecStart = "${udp514-journal}/bin/udp514-journal";
        ProtectHome = true;
        PrivateDevices = true;
      };
    };
    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ port ];
  };
 }
--- a/modules/vm.nix
+++ b/modules/vm.nix
@ -0,0 +1,27 @@
 { config, lib, modulesPath, numbers, ... }:
 with lib;
 let
  makeNic = { matchMac, iface, media, ... }:
    # because of the bridge logic, br=iface _and_ internal-iface=iface
    if media != "eth" then [] else [ "-nic bridge,id=${iface},br=${iface},model=virtio,mac=${matchMac}" ];
  makeNicFromHostIface = host: iface: makeNic (numbers.api.hostIface host iface);
  makeNics = host: concatMap (makeNicFromHostIface host) (numbers.api.hostIfaces host);
  makeQemuNetworkingOptions = host:
    (makeNics host) ++ [
    #  "-net nic,netdev=user.0,model=virtio"
    #  "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
    ];
 in
 {
  imports = [
    "${modulesPath}/virtualisation/qemu-vm.nix"
    ./server.nix
  ];
  config = {
    virtualisation.graphics = false;
    virtualisation.qemu.networkingOptions = makeQemuNetworkingOptions config.networking.hostName;
  };
 }
--- a/snorlax.nix
+++ b/snorlax.nix
@ -7,7 +7,6 @@
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ./lib/packages.nix
      ./lib/server.nix
      ./lib/session.nix
Author	SHA1	Message	Date
James Andariese	dede80153f	updates. (from the past :/)	2025-02-18 19:09:15 -06:00
James Andariese	ec44cba36d	wip	2024-07-31 00:18:30 -05:00
James Andariese	97a0c9035f	add nics for eths to vms from numbers	2024-07-26 14:28:55 -05:00
James Andariese	e8b4512af3	router is now a full virtual host	2024-07-25 13:24:34 -05:00
James Andariese	a08f6e85bb	make coredns do something useful instead of harmful	2024-07-25 13:24:34 -05:00
James Andariese	f981bea56a	update global defaults	2024-07-25 13:01:06 -05:00
James Andariese	a3e0114083	add corenet module and basic coredns + Corefile	2024-07-24 18:45:01 -05:00