From 40790797e111cec5ff682806998d50c38ed7bca9 Mon Sep 17 00:00:00 2001 From: Max Audron Date: Fri, 11 Aug 2023 16:51:35 +0200 Subject: cleanup modules --- flake.nix | 29 +++------- machines/ettves/default.nix | 3 - machines/nixos-test/default.nix | 7 +++ machines/phaenn/default.nix | 4 -- modules/common/default.nix | 37 +++++++++++++ modules/common/networking.nix | 15 +++++ modules/common/nix-settings.nix | 38 +++++++++++++ modules/default.nix | 60 ++++---------------- modules/hetzner/default.nix | 13 ----- modules/image/default.nix | 5 ++ modules/kubernetes/cri-o.nix | 38 +++++++++++++ modules/kubernetes/default.nix | 39 ++----------- modules/nix-settings.nix | 38 ------------- modules/vultr/default.nix | 33 +---------- modules/wireguard/default.nix | 118 +++++++++++++++++++++------------------- modules/wireguard/options.nix | 16 ++++++ 16 files changed, 245 insertions(+), 248 deletions(-) create mode 100644 modules/common/default.nix create mode 100644 modules/common/networking.nix create mode 100644 modules/common/nix-settings.nix create mode 100644 modules/kubernetes/cri-o.nix delete mode 100644 modules/nix-settings.nix diff --git a/flake.nix b/flake.nix index 3418c82..9836895 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,28 +11,17 @@ flake = let system = "x86_64-linux"; - specialArgs = inputs // { inherit system; }; + specialArgs = inputs; + mkSystem = modules: nixpkgs.lib.nixosSystem { + inherit specialArgs system; + modules = modules; + }; in { - nixosConfigurations = { - nixos-test = nixpkgs.lib.nixosSystem { - inherit specialArgs system; - modules = [ - (import ./machines/nixos-test) - - (import ./modules) - (import ./modules/users) - { - _module.args.nixinate = { - host = "10.49.212.3"; - sshUser = "audron"; - buildOn = "remote"; - substituteOnTarget = true; - hermetic = false; - }; - } - ]; - }; + nixosModules = import ./modules; + nixosConfigurations = with self.nixosModules; { + vultr-image = mkSystem [ common users image vultr ]; + nixos-test = mkSystem [ (import ./machines/nixos-test) common users ]; }; }; systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; diff --git a/machines/ettves/default.nix b/machines/ettves/default.nix index b02155d..c614afb 100644 --- a/machines/ettves/default.nix +++ b/machines/ettves/default.nix @@ -23,8 +23,6 @@ domain = "vapor.systems"; hostId = "14e28906"; dhcpcd.enable = false; - usePredictableInterfaceNames = false; - enableIPv6 = true; interfaces.eth0.ipv4.addresses = [ { address = "195.201.245.25"; @@ -106,6 +104,5 @@ address = "fe80::1"; interface = "eth0"; }; - nameservers = [ "1.1.1.1" "8.8.8.8" ]; }; } diff --git a/machines/nixos-test/default.nix b/machines/nixos-test/default.nix index ce1d9d9..651ae82 100644 --- a/machines/nixos-test/default.nix +++ b/machines/nixos-test/default.nix @@ -13,4 +13,11 @@ users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2eIUtbt7RM75ThjKfUjm24QkzkzCSj7hs+GLaaxMeH cardno:12_767_512'' ]; + + _module.args.nixinate = { + host = "10.49.212.3"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; } diff --git a/machines/phaenn/default.nix b/machines/phaenn/default.nix index d4b4d6c..4f25a5c 100644 
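Review bot: `specialArgs = inputs;` drops `system` from the arguments handed to modules, where the old `inputs // { inherit system; }` provided it, so any module that lists `system` in its argument set will stop evaluating; the commit message does not mention the removal. None of the modules visible in this patch take `system`, so this may well be intentional, but it is worth confirming against the modules not shown here. As a style point, `modules = modules;` inside `mkSystem` can be written `inherit modules;`, matching the `inherit specialArgs system;` line directly above it.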
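Review bot: The nixinate block moved here from flake.nix no longer carries `sshUser = "audron";`, so nixinate falls back to its default deploy user (root, if I recall its defaults correctly), and the shared `common` module sets `PermitRootLogin = "no"`, so that user cannot log in. The root key in `users.users.root.openssh.authorizedKeys.keys` just above is unusable for the same reason, so either restore `sshUser = "audron";` in the new block or have this host override `services.openssh.settings.PermitRootLogin`. Since `_module.args.nixinate` is the deployment contract for this machine, a one-line comment naming which user nixinate connects as would help the next reader.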
--- a/machines/phaenn/default.nix +++ b/machines/phaenn/default.nix @@ -20,9 +20,6 @@ networking = { domain = "vapor.systems"; hostId = "f9274217"; - dhcpcd.enable = false; - usePredictableInterfaceNames = false; - enableIPv6 = true; interfaces.eth0.ipv4.addresses = [{ address = "142.132.159.202"; prefixLength = 26; @@ -36,6 +33,5 @@ address = "fe80::1"; interface = "eth0"; }; - nameservers = [ "1.1.1.1" "8.8.8.8" ]; }; } diff --git a/modules/common/default.nix b/modules/common/default.nix new file mode 100644 index 0000000..f338823 --- /dev/null +++ b/modules/common/default.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ ./nix-settings.nix ./networking.nix ]; + + # Time and Locale + time.timeZone = "UTC"; + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # Default Packages Set + environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ]; + + # Security + networking.firewall.enable = false; + security.sudo.wheelNeedsPassword = false; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + # CPU + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; + + # System state version + system.stateVersion = lib.mkDefault "23.05"; +} diff --git a/modules/common/networking.nix b/modules/common/networking.nix new file mode 100644 index 0000000..0f9aaca --- /dev/null +++ b/modules/common/networking.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: + +{ + networking = { + usePredictableInterfaceNames = false; + enableIPv6 = true; + tempAddresses = "disabled"; + interfaces.eth0.useDHCP = true; + nameservers = [ "1.1.1.1" "8.8.8.8" ]; + + dhcpcd.extraConfig = '' + nohook resolv.conf + ''; + }; +} 
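Review bot: The `# Security` block now applies to every configuration that imports `common`, including the `vultr-image` build, and it hard-sets `networking.firewall.enable = false` and `security.sudo.wheelNeedsPassword = false` without `lib.mkDefault`, so a host cannot re-enable the firewall or require a sudo password without resorting to `lib.mkForce`. The CPU governor and `system.stateVersion` lines in the same file already use `lib.mkDefault`, so the two security lines should follow: `networking.firewall.enable = lib.mkDefault false;` and `security.sudo.wheelNeedsPassword = lib.mkDefault false;`. A comment stating why the firewall is disabled on every host would also document the trade-off, since the heading `# Security` currently labels a block that relaxes protections.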
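Review bot: `interfaces.eth0.useDHCP = true;` is now applied to every host importing `common`, which the removals in this commit suggest includes the static-address machines ettves and phaenn; both keep explicit `interfaces.eth0.ipv4.addresses`, and phaenn additionally loses its `dhcpcd.enable = false;` line in this commit while ettves keeps it, so phaenn would run DHCP on an interface that also carries a static address. Either keep the DHCP setting in the image/hetzner/vultr modules that need it, or make it overridable with `interfaces.eth0.useDHCP = lib.mkDefault true;` and restore phaenn's `dhcpcd.enable = false;`. The hard-coded `eth0` also relies on `usePredictableInterfaceNames = false;` two lines above, which a short comment should say explicitly.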
diff --git a/modules/common/nix-settings.nix b/modules/common/nix-settings.nix new file mode 100644 index 0000000..9e2eeb9 --- /dev/null +++ b/modules/common/nix-settings.nix @@ -0,0 +1,38 @@ +{ config, nixpkgs, lib, pkgs, ... }: + +{ + environment.etc = { + "nix/channels/nixpkgs".source = nixpkgs.outPath; + }; + + nix = { + extraOptions = '' + keep-outputs = true + keep-derivations = true + experimental-features = nix-command flakes + ''; + + registry = { + nixpkgs.flake = nixpkgs; + }; + + nixPath = [ + "nixpkgs=/etc/nix/channels/nixpkgs" + ]; + + settings = { + trusted-users = [ "@wheel" ]; + auto-optimise-store = true; + + substituters = [ + "https://cache.nixos.org/" + "https://nix-community.cachix.org" + ]; + + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index f94ece5..9c986a7 100644 --- a/modules/default.nix +++ b/modules/default.nix 
@@ -1,52 +1,12 @@ -{ config, nixpkgs, pkgs, lib, ... }: - { - imports = [ - ./users - ./crypto - ./wireguard - ./nix-settings.nix - ]; - - # Time and Locale - time.timeZone = "UTC"; - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - - # Default Packages Set - environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ]; - - # Wireguard - wireguard = { - enable = lib.mkDefault false; - v4 = { network = lib.mkDefault "10.10.0.0"; }; - v6 = { - ula = lib.mkDefault "fd15:3d8c:d429:beef"; - gua = lib.mkDefault "2a0f:9400:8020:beef"; - }; - }; - - # Security - networking.firewall.enable = false; - security.sudo.wheelNeedsPassword = false; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - }; - - # CPU - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; - - # System state version - system.stateVersion = lib.mkDefault "23.05"; + common = import ./common; + crypto = import ./crypto; + hetzner = import ./hetzner; + image = import ./image; + kubernetes = import ./kubernetes; + matrix = import ./matrix; + users = import ./users; + vultr = import ./vultr; + wireguard = import ./wireguard; + zfs = import ./zfs; } diff --git a/modules/hetzner/default.nix b/modules/hetzner/default.nix index 692ee20..d24908d 100644 --- a/modules/hetzner/default.nix +++ b/modules/hetzner/default.nix 
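Review bot: `./crypto` and `./wireguard` were imported by the old `modules/default.nix`, but nothing in the new attribute set pulls them in, and the only module lists in this patch (`[ common users image vultr ]` and `[ (import ./machines/nixos-test) common users ]` in flake.nix) omit both; any host that relied on `config.wireguard.*` being declared (the kubernetes module reads `config.wireguard.v6.ula`) or on the `secrets` option the wireguard module sets will now fail to evaluate unless it adds `wireguard`, and whatever declares `secrets` (presumably `crypto`), explicitly. If that is the intent, a short header comment saying this file is an export map consumed through `self.nixosModules` and that nothing is imported implicitly would stop the next reader from expecting the old behaviour, e.g. `# Module catalogue exported as nixosModules; hosts list what they import.`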
@@ -8,17 +8,4 @@ boot.loader.grub.device = "/dev/sda"; fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; - - networking = { - domain = "vapor.systems"; - usePredictableInterfaceNames = false; - enableIPv6 = true; - tempAddresses = "disabled"; - interfaces.eth0.useDHCP = true; - nameservers = [ "1.1.1.1" "8.8.8.8" ]; - - dhcpcd.extraConfig = '' - nohook resolv.conf - ''; - }; } diff --git a/modules/image/default.nix b/modules/image/default.nix index 5903db3..f98afd9 100644 --- a/modules/image/default.nix +++ b/modules/image/default.nix @@ -2,6 +2,11 @@ { config = { + networking = { + domain = "vapor.systems"; + hostName = "image"; + }; + system.build.image = import { name = "vapor-systems-image"; format = "raw"; diff --git a/modules/kubernetes/cri-o.nix b/modules/kubernetes/cri-o.nix new file mode 100644 index 0000000..cc32b26 --- /dev/null +++ b/modules/kubernetes/cri-o.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +{ + virtualisation.cri-o = { + enable = true; + settings = { + crio = { + network.plugin_dir = "/opt/cni/bin"; + default_runtime = "crun"; + runtime = { + allowed_devices = [ "/dev/fuse" ]; + default_sysctls = [ + "net.ipv4.ping_group_range=0 2147483647" + ]; + workloads = { + gitlab = { + activation_annotation = "io.kubernetes.cri-o.workload/gitlab"; + allowed_annotations = [ + "io.kubernetes.cri-o.userns-mode" + "io.kubernetes.cri-o.Devices" + "io.kubernetes.cri-o.ShmSize" + ]; + }; + }; + runtimes.crun = { + runtime_type = "oci"; + runtime_root = "/run/crun"; + allowed_annotations = [ + "io.kubernetes.cri-o.userns-mode" + "io.kubernetes.cri-o.Devices" + "io.kubernetes.cri-o.ShmSize" + ]; + }; + }; + }; + }; + }; +} diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix index 1cf1f09..20b766f 100644 --- a/modules/kubernetes/default.nix +++ b/modules/kubernetes/default.nix 
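Review bot: `hostName = "image";` is set without `lib.mkDefault`, so a configuration that imports `image` and sets its own `networking.hostName` gets a definition conflict instead of an override; this matters because the wireguard module derives the private-key path from `config.networking.hostName`, so cloned instances need a per-host name. Suggest `hostName = lib.mkDefault "image";` and likewise `domain = lib.mkDefault "vapor.systems";`, assuming `lib` is in this module's argument set (the header is outside the hunk). The enclosing `config = {` block also starts and ends outside the hunk.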
@@ -21,6 +21,10 @@ let v6 = "${config.wireguard.v6.ula}::${config.wireguard.v6.address}"; }; in { + imports = [ + ./cri-o.nix + ]; + options = { kubernetes = { role = mkOption { @@ -109,40 +113,5 @@ in { configPath = "/etc/k3s/config.yaml"; disableAgent = cfg.role == "agent"; }; - - virtualisation.cri-o = { - enable = true; - settings = { - crio = { - network.plugin_dir = "/opt/cni/bin"; - default_runtime = "crun"; - runtime = { - allowed_devices = [ "/dev/fuse" ]; - default_sysctls = [ - "net.ipv4.ping_group_range=0 2147483647" - ]; - workloads = { - gitlab = { - activation_annotation = "io.kubernetes.cri-o.workload/gitlab"; - allowed_annotations = [ - "io.kubernetes.cri-o.userns-mode" - "io.kubernetes.cri-o.Devices" - "io.kubernetes.cri-o.ShmSize" - ]; - }; - }; - runtimes.crun = { - runtime_type = "oci"; - runtime_root = "/run/crun"; - allowed_annotations = [ - "io.kubernetes.cri-o.userns-mode" - "io.kubernetes.cri-o.Devices" - "io.kubernetes.cri-o.ShmSize" - ]; - }; - }; - }; - }; - }; }; } diff --git a/modules/nix-settings.nix b/modules/nix-settings.nix deleted file mode 100644 index 9e2eeb9..0000000 --- a/modules/nix-settings.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, nixpkgs, lib, pkgs, ... }: - -{ - environment.etc = { - "nix/channels/nixpkgs".source = nixpkgs.outPath; - }; - - nix = { - extraOptions = '' - keep-outputs = true - keep-derivations = true - experimental-features = nix-command flakes - ''; - - registry = { - nixpkgs.flake = nixpkgs; - }; - - nixPath = [ - "nixpkgs=/etc/nix/channels/nixpkgs" - ]; - - settings = { - trusted-users = [ "@wheel" ]; - auto-optimise-store = true; - - substituters = [ - "https://cache.nixos.org/" - "https://nix-community.cachix.org" - ]; - - trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - }; - }; -} 
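Review bot: Moving the `virtualisation.cri-o` block out into `./cri-o.nix` takes it out of this module's `config` set; if that set is guarded by a `mkIf` (the `config =` line is outside both hunks, so I cannot tell), CRI-O is now enabled unconditionally on every host that imports `kubernetes`, where before it followed the guard. If the gate matters, wrap the body of cri-o.nix in the same condition this module uses rather than setting `enable = true` at top level. A one-line comment next to the new `imports` entry, `# container runtime (CRI-O + crun) configuration`, would make the split visible to readers of this file.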
diff --git a/modules/vultr/default.nix b/modules/vultr/default.nix index 765c03d..3104e0f 100644 --- a/modules/vultr/default.nix +++ b/modules/vultr/default.nix @@ -1,17 +1,10 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - users.users."root".initialHashedPassword = "$6$R6JH.y368Bn6V$q710R4zQDK8vH7.L8JRAmFZwQW2H.3A00DPtKXFJb0nem87JlgYmD6UJbJ4vhP.f9UmvmqAgur8qMWEsBsErI/"; - users.users."root".hashedPassword = config.users.users."root".initialHashedPassword; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = + [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.loader.grub.devices = [ "/dev/vda" ]; @@ -22,24 +15,4 @@ fsType = "ext4"; }; }; - - # kubernetes = { - # role = "agent"; - # taints = { - # role = "ns:NoSchedule"; - # }; - # }; - - networking = { - domain = "ns.vapor.systems"; - usePredictableInterfaceNames = false; - enableIPv6 = true; - tempAddresses = "disabled"; - interfaces.eth0.useDHCP = true; - nameservers = [ "1.1.1.1" "8.8.8.8" ]; - - dhcpcd.extraConfig = '' - nohook resolv.conf - ''; - }; } diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix index c9fc063..345af3e 100644 --- a/modules/wireguard/default.nix +++ b/modules/wireguard/default.nix 
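Review bot: The removed `networking` block carried `domain = "ns.vapor.systems"`, and nothing left in this module sets a domain; in the flake the `vultr-image` configuration now gets `vapor.systems` from the `image` module, so the domain of Vultr hosts changes from `ns.vapor.systems` to `vapor.systems` in this commit, which the message does not mention. Dropping the hashed root password literal from the repository is welcome, but with `PermitRootLogin = "no"` in `common` and no password, access to a freshly provisioned image depends entirely on what the `users` module installs, which is not visible here; confirm it provides a login method. If the domain change is intended, a comment at the remaining `imports` line, `# domain and hostName come from the image module`, would record it.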
@@ -3,65 +3,73 @@ with lib; { imports = [ ./options.nix ./roaming.nix ]; - config = mkIf config.wireguard.enable (let - cfg = config.wireguard; + config = mkIf config.wireguard.enable ( + let + cfg = config.wireguard; - peers = let - attrPeers = mapAttrs (n: node: - let peer = node.config.wireguard; - in { - endpoint = - "${node.config.deployment.targetHost}:${toString peer.port}"; - publicKey = peer.publicKey; - persistentKeepalive = 25; - allowedIPs = [ - "${peer.v4.address}/32" - "${peer.v6.ula}::${peer.v6.address}/128" - "${peer.v6.gua}::${peer.v6.address}/128" - ] ++ peer.allowedIPs; - }) (filterAttrs (n: node: node.config.wireguard.enable) nodes); - peers = attrValues attrPeers; - in peers; - in { - secrets = mkIf config.wireguard.enable { - wireguard = { - source = ../../secrets - + ("/" + "${config.networking.hostName}.privkey"); - dest = "/root/wireguard/privkey"; + peers = + let + attrPeers = mapAttrs + (n: node: + let peer = node.config.wireguard; + in + { + endpoint = + "${node.config.deployment.targetHost}:${toString peer.port}"; + publicKey = peer.publicKey; + persistentKeepalive = 25; + allowedIPs = [ + "${peer.v4.address}/32" + "${peer.v6.ula}::${peer.v6.address}/128" + "${peer.v6.gua}::${peer.v6.address}/128" + ] ++ peer.allowedIPs; + }) + (filterAttrs (n: node: node.config.wireguard.enable) nodes); + peers = attrValues attrPeers; + in + peers; + in + { + secrets = mkIf config.wireguard.enable { + wireguard = { + source = ../../secrets + + ("/" + "${config.networking.hostName}.privkey"); + dest = "/root/wireguard/privkey"; + }; }; - }; - networking.wireguard.interfaces = mkIf config.wireguard.enable { - wg0 = with { ifname = "wg0"; }; { - ips = [ - "${cfg.v4.address}/${toString cfg.v4.prefixLength}" - "${cfg.v6.ula}::${cfg.v6.address}/128" - "${cfg.v6.gua}::${cfg.v6.address}/128" - ]; - listenPort = cfg.port; - postSetup = '' - ${pkgs.nftables}/bin/nft add table ${ifname} - ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook 
prerouting priority 0 ; }' - ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }' - ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${ - toString cfg.v4.prefixLength - } oif ${cfg.natInterface} masquerade + networking.wireguard.interfaces = mkIf config.wireguard.enable { + wg0 = with { ifname = "wg0"; }; { + ips = [ + "${cfg.v4.address}/${toString cfg.v4.prefixLength}" + "${cfg.v6.ula}::${cfg.v6.address}/128" + "${cfg.v6.gua}::${cfg.v6.address}/128" + ]; + listenPort = cfg.port; + postSetup = '' + ${pkgs.nftables}/bin/nft add table ${ifname} + ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }' + ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }' + ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${ + toString cfg.v4.prefixLength + } oif ${cfg.natInterface} masquerade - ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on - ''; - postShutdown = '' - ${pkgs.nftables}/bin/nft flush table ${ifname} - ${pkgs.nftables}/bin/nft delete table ${ifname} - ''; - privateKeyFile = "/root/wireguard/privkey"; - peers = peers; + ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on + ''; + postShutdown = '' + ${pkgs.nftables}/bin/nft flush table ${ifname} + ${pkgs.nftables}/bin/nft delete table ${ifname} + ''; + privateKeyFile = "/root/wireguard/privkey"; + peers = peers; + }; }; - }; - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = lib.mkDefault true; - "net.ipv6.conf.all.forwarding" = true; - "net.netfilter.nf_conntrack_tcp_be_liberal" = true; - }; - }); + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = lib.mkDefault true; + "net.ipv6.conf.all.forwarding" = true; + "net.netfilter.nf_conntrack_tcp_be_liberal" = true; + }; + } + ); } diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix index 903716e..69013d0 100644 
--- a/modules/wireguard/options.nix +++ b/modules/wireguard/options.nix @@ -5,62 +5,78 @@ with lib; { wireguard = { enable = mkOption { type = types.bool; + default = false; description = "Enable wireguard"; }; + roaming = mkOption { type = types.bool; description = "Deploy roaming peers to this host"; default = false; }; + port = mkOption { type = types.int; description = "Port of the wireguard interface (51820)"; default = 51820; }; + publicKey = mkOption { type = types.str; description = "Public key of the wireguard interface"; }; + natInterface = mkOption { type = types.str; description = "Interface to use for outgoing NAT connections"; default = "eth0"; }; + v4 = { address = mkOption { type = types.str; description = "IP of the wireguard interface (10.10.0.1)"; }; + network = mkOption { type = types.str; description = "The Network CIDR of the wireguard network (10.10.0.0)"; + default = "10.10.0.0"; }; + prefixLength = mkOption { type = types.int; description = "Prefix Length of the wireguard interface IP (24)"; default = 24; }; }; + v6 = { address = mkOption { type = types.str; description = "IP of the wireguard interface ()"; }; + prefixLength = mkOption { type = types.int; description = "Prefix Length of the wireguard interface IP (24)"; default = 64; }; + ula = mkOption { type = types.str; description = "Unique Local Alloctation for IPv6 net"; + default = "fd15:3d8c:d429:beef"; }; + gua = mkOption { type = types.str; description = "Global Unique Allocation for IPv6 net, used as base for hosts"; + default = "2a0f:9400:8020:beef"; }; }; + allowedIPs = mkOption { type = types.listOf types.str; description = "Extra allowedIPs"; -- cgit v1.2.3
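Review bot: The new defaults `ula = "fd15:3d8c:d429:beef"` and `gua = "2a0f:9400:8020:beef"` bake one deployment's address allocation into a reusable option declaration, so any host importing the module silently gets that prefix unless it overrides it; `v4.network`'s new default has the same property but at least stays in private space. A ULA default is defensible, but for `gua` consider omitting the default so a host with the wrong prefix fails at evaluation instead of announcing a foreign global prefix. While touching this file: the `ula` description has a typo and should read `Unique Local Allocation for IPv6 net`, and `v6.prefixLength`'s description says `(24)` while its default is 64, so `Prefix Length of the wireguard interface IP (64)`. The enclosing `wireguard = {` option set continues past the end of the hunk.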