authorMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
committerMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
commit40790797e111cec5ff682806998d50c38ed7bca9 (patch)
tree6db95b93f0797a62637845ea4bda5a3eedbc9306 /modules
parentmove nixinate to own flake (diff)
cleanup modules
Diffstat (limited to '')
-rw-r--r--modules/common/default.nix37
-rw-r--r--modules/common/networking.nix15
-rw-r--r--modules/common/nix-settings.nix (renamed from modules/nix-settings.nix)0
-rw-r--r--modules/default.nix60
-rw-r--r--modules/hetzner/default.nix13
-rw-r--r--modules/image/default.nix5
-rw-r--r--modules/kubernetes/cri-o.nix38
-rw-r--r--modules/kubernetes/default.nix39
-rw-r--r--modules/vultr/default.nix33
-rw-r--r--modules/wireguard/default.nix118
-rw-r--r--modules/wireguard/options.nix16
11 files changed, 191 insertions, 183 deletions
diff --git a/modules/common/default.nix b/modules/common/default.nix
new file mode 100644
index 0000000..f338823
--- /dev/null
+++ b/modules/common/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [ ./nix-settings.nix ./networking.nix ];
+
+ # Time and Locale
+ time.timeZone = "UTC";
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
+ # Default Packages Set
+ environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ];
+
+ # Security
+ networking.firewall.enable = false;
+ security.sudo.wheelNeedsPassword = false;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # CPU
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+ hardware.cpu.amd.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ # System state version
+ system.stateVersion = lib.mkDefault "23.05";
+}
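Review bot: Under the `# Security` header, `networking.firewall.enable = false;` (L49) and `security.sudo.wheelNeedsPassword = false;` (L50) now apply to every host that imports the common module, with no comment explaining why the host firewall is off; the wireguard module in this same commit manages its own nft table in postSetup (L432-L437), so the firewall may be disabled to avoid clashing with that, but that is inferred. A why-comment would keep the next maintainer from re-enabling it blindly or, conversely, from assuming the host is firewalled: `# NixOS firewall intentionally off: packet filtering/NAT is managed directly via nftables by the wireguard module — TODO confirm no host relies on the default firewall`. For the sudo line, a note that every SSH key in a wheel user's authorizedKeys is effectively a root credential (SSH is key-only, L54) would document the trust boundary this setting creates. Both settings are moved verbatim from modules/default.nix, so this is pre-existing rather than introduced here.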
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
new file mode 100644
index 0000000..0f9aaca
--- /dev/null
+++ b/modules/common/networking.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking = {
+ usePredictableInterfaceNames = false;
+ enableIPv6 = true;
+ tempAddresses = "disabled";
+ interfaces.eth0.useDHCP = true;
+ nameservers = [ "1.1.1.1" "8.8.8.8" ];
+
+ dhcpcd.extraConfig = ''
+ nohook resolv.conf
+ '';
+ };
+}
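Review bot: The `dhcpcd.extraConfig = '' nohook resolv.conf ''` at L85-L87 and the static `nameservers` list at L83 only work together, and nothing in the file says so; `nohook resolv.conf` disables dhcpcd's resolv.conf hook, so the DHCP-supplied resolvers are ignored in favour of the two pinned public ones. A comment above the nameservers line such as `# Pinned resolvers; dhcpcd's resolv.conf hook is disabled below so DHCP-provided DNS is not used` would make the dependency explicit. The module also hardwires `eth0` (L82) by turning off predictable interface names (L79), which matches the wireguard `natInterface` default of "eth0" (L503) but is worth a one-line note for hosts with a different NIC layout.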
diff --git a/modules/nix-settings.nix b/modules/common/nix-settings.nix
index 9e2eeb9..9e2eeb9 100644
--- a/modules/nix-settings.nix
+++ b/modules/common/nix-settings.nix
diff --git a/modules/default.nix b/modules/default.nix
index f94ece5..9c986a7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,52 +1,12 @@
-{ config, nixpkgs, pkgs, lib, ... }:
-
{
- imports = [
- ./users
- ./crypto
- ./wireguard
- ./nix-settings.nix
- ];
-
- # Time and Locale
- time.timeZone = "UTC";
- i18n.defaultLocale = "en_US.UTF-8";
- console = {
- font = "Lat2-Terminus16";
- keyMap = "us";
- };
-
- # Default Packages Set
- environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ];
-
- # Wireguard
- wireguard = {
- enable = lib.mkDefault false;
- v4 = { network = lib.mkDefault "10.10.0.0"; };
- v6 = {
- ula = lib.mkDefault "fd15:3d8c:d429:beef";
- gua = lib.mkDefault "2a0f:9400:8020:beef";
- };
- };
-
- # Security
- networking.firewall.enable = false;
- security.sudo.wheelNeedsPassword = false;
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "no";
- };
- };
-
- # CPU
- powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
- hardware.cpu.amd.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
- hardware.cpu.intel.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
-
- # System state version
- system.stateVersion = lib.mkDefault "23.05";
+ common = import ./common;
+ crypto = import ./crypto;
+ hetzner = import ./hetzner;
+ image = import ./image;
+ kubernetes = import ./kubernetes;
+ matrix = import ./matrix;
+ users = import ./users;
+ vultr = import ./vultr;
+ wireguard = import ./wireguard;
+ zfs = import ./zfs;
}
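Review bot: modules/default.nix is no longer a NixOS module but a plain attribute set mapping names to imported modules (L150-L159), so any configuration that still lists `./modules` in its `imports` will now get an attrset whose keys are not module options and fail to evaluate; the new shape deserves a header comment, e.g. `# Registry of the NixOS modules provided by this repository (one attribute per module, for use as e.g. flake nixosModules); this file is not itself a module.` The entries `./matrix` and `./zfs` are not touched by this diff, so I assume those directories already exist and are plain modules.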
diff --git a/modules/hetzner/default.nix b/modules/hetzner/default.nix
index 692ee20..d24908d 100644
--- a/modules/hetzner/default.nix
+++ b/modules/hetzner/default.nix
@@ -8,17 +8,4 @@
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
-
- networking = {
- domain = "vapor.systems";
- usePredictableInterfaceNames = false;
- enableIPv6 = true;
- tempAddresses = "disabled";
- interfaces.eth0.useDHCP = true;
- nameservers = [ "1.1.1.1" "8.8.8.8" ];
-
- dhcpcd.extraConfig = ''
- nohook resolv.conf
- '';
- };
}
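Review bot: Removing the `networking` block here also drops `domain = "vapor.systems"` (L170), and the common networking module this commit introduces does not set `networking.domain`, so Hetzner hosts lose their domain unless it is declared elsewhere; the vultr module loses `ns.vapor.systems` the same way (L331). If that is intended, a one-line comment after the fileSystems line such as `# generic networking comes from modules/common/networking.nix; networking.domain is set per host` would make the split explicit. The enclosing attrset opens before the hunk.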
diff --git a/modules/image/default.nix b/modules/image/default.nix
index 5903db3..f98afd9 100644
--- a/modules/image/default.nix
+++ b/modules/image/default.nix
@@ -2,6 +2,11 @@
{
config = {
+ networking = {
+ domain = "vapor.systems";
+ hostName = "image";
+ };
+
system.build.image = import <nixpkgs/nixos/lib/make-disk-image.nix> {
name = "vapor-systems-image";
format = "raw";
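Review bot: `hostName = "image";` and `domain = "vapor.systems";` at L190-L191 are set at normal priority, so a host that imports the image module and also sets its own `networking.hostName` gets a conflicting-definition error rather than an override; and in this same commit the wireguard module derives the private-key path from `config.networking.hostName` (L402-L403), so a leaked "image" name would also select the wrong key file. Using `hostName = lib.mkDefault "image";` (and likewise `domain`) keeps these as fallbacks only. That requires `lib` among the module arguments on line 1, which is outside the hunk.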
diff --git a/modules/kubernetes/cri-o.nix b/modules/kubernetes/cri-o.nix
new file mode 100644
index 0000000..cc32b26
--- /dev/null
+++ b/modules/kubernetes/cri-o.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+
+{
+ virtualisation.cri-o = {
+ enable = true;
+ settings = {
+ crio = {
+ network.plugin_dir = "/opt/cni/bin";
+ default_runtime = "crun";
+ runtime = {
+ allowed_devices = [ "/dev/fuse" ];
+ default_sysctls = [
+ "net.ipv4.ping_group_range=0 2147483647"
+ ];
+ workloads = {
+ gitlab = {
+ activation_annotation = "io.kubernetes.cri-o.workload/gitlab";
+ allowed_annotations = [
+ "io.kubernetes.cri-o.userns-mode"
+ "io.kubernetes.cri-o.Devices"
+ "io.kubernetes.cri-o.ShmSize"
+ ];
+ };
+ };
+ runtimes.crun = {
+ runtime_type = "oci";
+ runtime_root = "/run/crun";
+ allowed_annotations = [
+ "io.kubernetes.cri-o.userns-mode"
+ "io.kubernetes.cri-o.Devices"
+ "io.kubernetes.cri-o.ShmSize"
+ ];
+ };
+ };
+ };
+ };
+ };
+}
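Review bot: `runtimes.crun.allowed_annotations` (L230-L234) grants the `io.kubernetes.cri-o.Devices`, `userns-mode` and `ShmSize` annotations to every pod that runs under the default runtime, not only to the gitlab workload that the `workloads.gitlab` block (L217-L225) already scopes by activation annotation; as far as I recall CRI-O honors these per pod, so the runtime-level copy widens what any pod spec author on the cluster can request from the host (additional device nodes in particular). If the cluster-wide grant is deliberate, a comment naming the workloads that depend on it would help, e.g. `# NOTE: these annotations are honored for ALL pods on crun, not only gitlab — TODO confirm this is intended`; otherwise dropping the list from `runtimes.crun` and keeping only the workload-scoped one narrows it. The block is moved verbatim from kubernetes/default.nix, so this is pre-existing rather than introduced here.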
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 1cf1f09..20b766f 100644
--- a/modules/kubernetes/default.nix
+++ b/modules/kubernetes/default.nix
@@ -21,6 +21,10 @@ let
v6 = "${config.wireguard.v6.ula}::${config.wireguard.v6.address}";
};
in {
+ imports = [
+ ./cri-o.nix
+ ];
+
options = {
kubernetes = {
role = mkOption {
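Review bot: The `imports = [ ./cri-o.nix ];` added at L249-L251 is unconditional (Nix module imports cannot be gated by options), and cri-o.nix sets `virtualisation.cri-o.enable = true` with no `mkIf`, so CRI-O is now enabled on every host importing the kubernetes module regardless of `kubernetes.role`; the removed block lived under this module's `config` attribute, whose enclosing condition, if any, is outside the hunk, so this may be a behavior change. If the old block was gated, wrapping cri-o.nix as `config = lib.mkIf <same condition> { virtualisation.cri-o = { … }; };` restores that. The `let` block and the start of `options` precede the hunk.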
@@ -109,40 +113,5 @@ in {
configPath = "/etc/k3s/config.yaml";
disableAgent = cfg.role == "agent";
};
-
- virtualisation.cri-o = {
- enable = true;
- settings = {
- crio = {
- network.plugin_dir = "/opt/cni/bin";
- default_runtime = "crun";
- runtime = {
- allowed_devices = [ "/dev/fuse" ];
- default_sysctls = [
- "net.ipv4.ping_group_range=0 2147483647"
- ];
- workloads = {
- gitlab = {
- activation_annotation = "io.kubernetes.cri-o.workload/gitlab";
- allowed_annotations = [
- "io.kubernetes.cri-o.userns-mode"
- "io.kubernetes.cri-o.Devices"
- "io.kubernetes.cri-o.ShmSize"
- ];
- };
- };
- runtimes.crun = {
- runtime_type = "oci";
- runtime_root = "/run/crun";
- allowed_annotations = [
- "io.kubernetes.cri-o.userns-mode"
- "io.kubernetes.cri-o.Devices"
- "io.kubernetes.cri-o.ShmSize"
- ];
- };
- };
- };
- };
- };
};
}
diff --git a/modules/vultr/default.nix b/modules/vultr/default.nix
index 765c03d..3104e0f 100644
--- a/modules/vultr/default.nix
+++ b/modules/vultr/default.nix
@@ -1,17 +1,10 @@
{ config, lib, pkgs, modulesPath, ... }:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- users.users."root".initialHashedPassword = "$6$R6JH.y368Bn6V$q710R4zQDK8vH7.L8JRAmFZwQW2H.3A00DPtKXFJb0nem87JlgYmD6UJbJ4vhP.f9UmvmqAgur8qMWEsBsErI/";
- users.users."root".hashedPassword = config.users.users."root".initialHashedPassword;
-
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules =
+ [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.loader.grub.devices = [ "/dev/vda" ];
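Review bot: With the inline `users.users."root".hashedPassword` gone (L308-L309), this module declares no root credential at all, so if Vultr console recovery depended on it the replacement belongs in the users module via a deployed secret (e.g. `hashedPasswordFile`) rather than a hash in the repository; given the common module's `PermitRootLogin = "no"` and key-only SSH, this affects console access only. The hash that was here remains in git history, so treating that password as disclosed and rotating it is the safe assumption. The fileSystems and grub stanzas continue outside the hunk.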
@@ -22,24 +15,4 @@
fsType = "ext4";
};
};
-
- # kubernetes = {
- # role = "agent";
- # taints = {
- # role = "ns:NoSchedule";
- # };
- # };
-
- networking = {
- domain = "ns.vapor.systems";
- usePredictableInterfaceNames = false;
- enableIPv6 = true;
- tempAddresses = "disabled";
- interfaces.eth0.useDHCP = true;
- nameservers = [ "1.1.1.1" "8.8.8.8" ];
-
- dhcpcd.extraConfig = ''
- nohook resolv.conf
- '';
- };
}
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index c9fc063..345af3e 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -3,65 +3,73 @@
with lib; {
imports = [ ./options.nix ./roaming.nix ];
- config = mkIf config.wireguard.enable (let
- cfg = config.wireguard;
+ config = mkIf config.wireguard.enable (
+ let
+ cfg = config.wireguard;
- peers = let
- attrPeers = mapAttrs (n: node:
- let peer = node.config.wireguard;
- in {
- endpoint =
- "${node.config.deployment.targetHost}:${toString peer.port}";
- publicKey = peer.publicKey;
- persistentKeepalive = 25;
- allowedIPs = [
- "${peer.v4.address}/32"
- "${peer.v6.ula}::${peer.v6.address}/128"
- "${peer.v6.gua}::${peer.v6.address}/128"
- ] ++ peer.allowedIPs;
- }) (filterAttrs (n: node: node.config.wireguard.enable) nodes);
- peers = attrValues attrPeers;
- in peers;
- in {
- secrets = mkIf config.wireguard.enable {
- wireguard = {
- source = ../../secrets
- + ("/" + "${config.networking.hostName}.privkey");
- dest = "/root/wireguard/privkey";
+ peers =
+ let
+ attrPeers = mapAttrs
+ (n: node:
+ let peer = node.config.wireguard;
+ in
+ {
+ endpoint =
+ "${node.config.deployment.targetHost}:${toString peer.port}";
+ publicKey = peer.publicKey;
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "${peer.v4.address}/32"
+ "${peer.v6.ula}::${peer.v6.address}/128"
+ "${peer.v6.gua}::${peer.v6.address}/128"
+ ] ++ peer.allowedIPs;
+ })
+ (filterAttrs (n: node: node.config.wireguard.enable) nodes);
+ peers = attrValues attrPeers;
+ in
+ peers;
+ in
+ {
+ secrets = mkIf config.wireguard.enable {
+ wireguard = {
+ source = ../../secrets
+ + ("/" + "${config.networking.hostName}.privkey");
+ dest = "/root/wireguard/privkey";
+ };
};
- };
- networking.wireguard.interfaces = mkIf config.wireguard.enable {
- wg0 = with { ifname = "wg0"; }; {
- ips = [
- "${cfg.v4.address}/${toString cfg.v4.prefixLength}"
- "${cfg.v6.ula}::${cfg.v6.address}/128"
- "${cfg.v6.gua}::${cfg.v6.address}/128"
- ];
- listenPort = cfg.port;
- postSetup = ''
- ${pkgs.nftables}/bin/nft add table ${ifname}
- ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }'
- ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }'
- ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${
- toString cfg.v4.prefixLength
- } oif ${cfg.natInterface} masquerade
+ networking.wireguard.interfaces = mkIf config.wireguard.enable {
+ wg0 = with { ifname = "wg0"; }; {
+ ips = [
+ "${cfg.v4.address}/${toString cfg.v4.prefixLength}"
+ "${cfg.v6.ula}::${cfg.v6.address}/128"
+ "${cfg.v6.gua}::${cfg.v6.address}/128"
+ ];
+ listenPort = cfg.port;
+ postSetup = ''
+ ${pkgs.nftables}/bin/nft add table ${ifname}
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }'
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }'
+ ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${
+ toString cfg.v4.prefixLength
+ } oif ${cfg.natInterface} masquerade
- ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on
- '';
- postShutdown = ''
- ${pkgs.nftables}/bin/nft flush table ${ifname}
- ${pkgs.nftables}/bin/nft delete table ${ifname}
- '';
- privateKeyFile = "/root/wireguard/privkey";
- peers = peers;
+ ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on
+ '';
+ postShutdown = ''
+ ${pkgs.nftables}/bin/nft flush table ${ifname}
+ ${pkgs.nftables}/bin/nft delete table ${ifname}
+ '';
+ privateKeyFile = "/root/wireguard/privkey";
+ peers = peers;
+ };
};
- };
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = lib.mkDefault true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.netfilter.nf_conntrack_tcp_be_liberal" = true;
- };
- });
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.netfilter.nf_conntrack_tcp_be_liberal" = true;
+ };
+ }
+ );
}
diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix
index 903716e..69013d0 100644
--- a/modules/wireguard/options.nix
+++ b/modules/wireguard/options.nix
@@ -5,62 +5,78 @@ with lib; {
wireguard = {
enable = mkOption {
type = types.bool;
+ default = false;
description = "Enable wireguard";
};
+
roaming = mkOption {
type = types.bool;
description = "Deploy roaming peers to this host";
default = false;
};
+
port = mkOption {
type = types.int;
description = "Port of the wireguard interface (51820)";
default = 51820;
};
+
publicKey = mkOption {
type = types.str;
description = "Public key of the wireguard interface";
};
+
natInterface = mkOption {
type = types.str;
description = "Interface to use for outgoing NAT connections";
default = "eth0";
};
+
v4 = {
address = mkOption {
type = types.str;
description = "IP of the wireguard interface (10.10.0.1)";
};
+
network = mkOption {
type = types.str;
description = "The Network CIDR of the wireguard network (10.10.0.0)";
+ default = "10.10.0.0";
};
+
prefixLength = mkOption {
type = types.int;
description = "Prefix Length of the wireguard interface IP (24)";
default = 24;
};
};
+
v6 = {
address = mkOption {
type = types.str;
description = "IP of the wireguard interface ()";
};
+
prefixLength = mkOption {
type = types.int;
description = "Prefix Length of the wireguard interface IP (24)";
default = 64;
};
+
ula = mkOption {
type = types.str;
description = "Unique Local Alloctation for IPv6 net";
+ default = "fd15:3d8c:d429:beef";
};
+
gua = mkOption {
type = types.str;
description =
"Global Unique Allocation for IPv6 net, used as base for hosts";
+ default = "2a0f:9400:8020:beef";
};
};
+
allowedIPs = mkOption {
type = types.listOf types.str;
description = "Extra allowedIPs";
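Review bot: The option descriptions no longer match their defaults: `v6.prefixLength` still says "(24)" at L533 while its default is 64 (L534), `v6.address` has an empty example "()" at L528, and the three options that now carry defaults moved out of modules/default.nix (`v4.network` L515, `ula` L540, `gua` L547) could state them. Suggested wording: `description = "Prefix Length of the wireguard interface IPv6 address (64)";` and `description = "Unique Local Allocation for IPv6 net (default fd15:3d8c:d429:beef)";`, the latter also fixing the "Alloctation" typo at L539. The `allowedIPs` option and the closing of the `wireguard` attrset continue past the end of the hunk.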