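{ lib, ... }:
let
  inherit (builtins) mapAttrs;
  inherit (lib.my) net;
  inherit (lib.my.c.colony) domain prefixes;
in
{
  # whale2: the container ("OCI") host VM of the colony box. It runs podman
  # behind a routed (non-NAT, see `ipMasq = false` below) bridge named `oci`;
  # every container that needs a stable address gets a host number inside
  # `prefixes.oci.*` via `extraAssignments`.
  nixos.systems.whale2 = {
    system = "x86_64-linux";
    nixpkgs = "mine";

    assignments = {
      # Address used for routing on the `vms` link (host 3 of the VM prefix).
      routing = {
        name = "whale-vm-routing";
        inherit domain;
        ipv4.address = net.cidr.host 3 prefixes.vms.v4;
      };

      # Primary identity of the VM. The v4 side is a /32 VIP (no gateway, no
      # PTR record); the v6 side lives in the VM prefix.
      internal = {
        name = "whale-vm";
        altNames = [ "oci" ];
        inherit domain;
        ipv4 = {
          address = net.cidr.host 2 prefixes.vip1;
          mask = 32;
          gateway = null;
          genPTR = false;
        };
        ipv6 = {
          iid = "::3";
          address = net.cidr.host 3 prefixes.vms.v6;
        };
      };

      # The VM's own address on the container bridge. Host 1 is also the
      # gateway handed out by the CNI IPAM config further down, so the two
      # must stay in sync.
      oci = {
        name = "whale-vm-oci";
        inherit domain;
        ipv4 = {
          address = net.cidr.host 1 prefixes.oci.v4;
          gateway = null;
        };
        ipv6.address = net.cidr.host 1 prefixes.oci.v6;
      };
    };

    # Static addresses for individual containers: name -> host number inside
    # the oci prefixes (same number for v4 and v6). Host 1 is the VM itself
    # (see `oci` above), so entries start at 2 and must stay unique.
    extraAssignments = mapAttrs (n: i: {
      internal = {
        name = n;
        inherit domain;
        ipv4.address = net.cidr.host i prefixes.oci.v4;
        ipv6.address = net.cidr.host i prefixes.oci.v6;
      };
    }) {
      valheim-oci = 2;
      simpcraft-oci = 3;
      simpcraft-staging-oci = 4;
    };

    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
    let
      inherit (builtins) toJSON;
      inherit (lib) mkMerge mkForce;
      inherit (lib.my) networkdAssignment;
    in
    {
      imports = [
        "${modulesPath}/profiles/qemu-guest.nix"
        ./valheim.nix
        ./minecraft
      ];

      config = mkMerge [
        {
          boot = {
            # Serial console for the VM (matches how the hypervisor exposes it).
            kernelParams = [ "console=ttyS0,115200n8" ];
          };

          # Disks are addressed by filesystem label rather than device path so
          # the layout survives the hypervisor reordering virtio disks.
          fileSystems = {
            "/boot" = {
              device = "/dev/disk/by-label/ESP";
              fsType = "vfat";
            };
            "/nix" = {
              device = "/dev/disk/by-label/nix";
              fsType = "ext4";
            };
            "/persist" = {
              device = "/dev/disk/by-label/persist";
              fsType = "ext4";
              neededForBoot = true;
            };
            # Container storage on its own XFS volume with project quotas
            # (`pquota`); presumably so podman can apply per-container storage
            # size limits — confirm against the storage options in use.
            "/var/lib/containers" = {
              device = "/dev/disk/by-label/oci";
              fsType = "xfs";
              options = [ "pquota" ];
            };
          };

          services = {
            fstrim = lib.my.c.colony.fstrimConfig;
            netdata.enable = true;
          };

          virtualisation = {
            podman = {
              enable = true;
            };
            oci-containers = {
              backend = "podman";
            };
            # NixOS has switched to using netavark, which is native to podman. It's currently missing an option to
            # disable iptables rules generation, which is very annoying.
            # NOTE(review): newer containers.conf versions expose
            # `[network] firewall_driver = "none"` for netavark, and the CNI
            # backend is deprecated upstream — verify against the pinned podman
            # before keeping this override.
            containers.containersConf.settings.network.network_backend = mkForce "cni";
          };

          environment = {
            etc = {
              # CNI network used by the containers on this VM. The bridge is
              # routed, not masqueraded, so the rest of the colony presumably
              # routes `prefixes.oci.*` to this VM — traffic to/from containers
              # therefore carries their real addresses end to end.
              "cni/net.d/90-colony.conflist".text = toJSON {
                cniVersion = "0.4.0";
                name = "colony";
                plugins = [
                  {
                    type = "bridge";
                    bridge = "oci";
                    isGateway = true;
                    ipMasq = false;
                    hairpinMode = true;
                    ipam = {
                      type = "host-local";
                      # Containers get a default route in both families via
                      # the gateway below.
                      routes = [
                        { dst = "0.0.0.0/0"; }
                        { dst = "::/0"; }
                      ];
                      ranges = [
                        [
                          {
                            subnet = prefixes.oci.v4;
                            # Must match `assignments.oci.ipv4.address` (host 1).
                            gateway = net.cidr.host 1 prefixes.oci.v4;
                          }
                        ]
                        [
                          {
                            subnet = prefixes.oci.v6;
                            # Must match `assignments.oci.ipv6.address` (host 1).
                            gateway = net.cidr.host 1 prefixes.oci.v6;
                          }
                        ]
                      ];
                    };
                    # Lets the runtime request specific addresses for a
                    # container; presumably what `extraAssignments` relies on.
                    capabilities.ips = true;
                  }
                ];
              };
            };
          };

          systemd.network = {
            links = {
              # Pin the uplink's name to `vms` by MAC so the firewall and
              # network units below can refer to it by a stable name.
              "10-vms" = {
                matchConfig.MACAddress = "52:54:00:d5:d9:c6";
                linkConfig.Name = "vms";
              };
            };
            networks = {
              # Both the routing address and the VIP identity are configured on
              # the same `vms` link.
              "80-vms" = mkMerge [
                (networkdAssignment "vms" assignments.routing)
                (networkdAssignment "vms" assignments.internal)
              ];
            };
          };

          my = {
            # Public half of this host's key; presumably what the secrets for
            # this host are encrypted to — confirm against the secrets module.
            secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBTIj1jVdknXLNNroMJfgy7S2cSUC/qgFdnaUopEUzZ";
            server.enable = true;
            firewall = {
              # netdata dashboard. NOTE(review): netdata serves this
              # unauthenticated by default and nothing here scopes the rule to
              # an interface — confirm the outer firewall does not forward
              # 19999 from outside, or bind netdata to the internal address
              # (services.netdata.config.web."bind to").
              tcp.allowed = [ 19999 ];
              # NOTE(review): assuming this mirrors NixOS's
              # networking.firewall.trustedInterfaces (input from the
              # interface unfiltered), every container reaches every host
              # service. The game-server containers imported above are
              # presumably internet-facing, so a compromised one gets the same
              # reach — worth narrowing if the module allows it.
              trustedInterfaces = [ "oci" ];
              # Forwarding from the uplink into the container bridge is
              # accepted wholesale; filtering of inbound container traffic is
              # delegated entirely to the colony router. Only the vms -> oci
              # direction is listed here; return / container-originated
              # traffic is presumably covered by the module's own rules —
              # confirm.
              extraRules = ''
                table inet filter {
                  chain forward {
                    # Trust that the outer firewall has done the filtering!
                    iifname vms oifname oci accept
                  }
                }
              '';
            };
          };
        }
      ];
    };
  };
}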