Add OCI container VM

This commit is contained in:
Jack O'Sullivan 2022-08-01 17:44:08 +01:00
parent 12aef1e47b
commit 9750bc5052
25 changed files with 267 additions and 55 deletions


@ -217,6 +217,10 @@ rec {
v4 = "${start.all.v4}2.";
v6 = "${start.all.v6}2::";
};
oci = {
v4 = "${start.all.v4}3.";
v6 = "${start.all.v6}3::";
};
};
prefixes = {
all = {
@ -232,6 +236,10 @@ rec {
v4 = "${start.ctrs.v4}0/24";
v6 = "${start.ctrs.v6}/64";
};
oci = {
v4 = "${start.oci.v4}0/24";
v6 = "${start.oci.v6}/64";
};
};
};
sshKeyFiles = {


@ -100,6 +100,7 @@
lm_sensors
linuxPackages.cpupower
smartmontools
xfsprogs
];
systemd = {
@ -179,6 +180,15 @@
Gateway = allAssignments.shill.internal.ipv6.address;
Destination = lib.my.colony.prefixes.ctrs.v6;
}
{
Gateway = allAssignments.whale2.internal.ipv4.address;
Destination = lib.my.colony.prefixes.oci.v4;
}
{
Gateway = allAssignments.whale2.internal.ipv6.address;
Destination = lib.my.colony.prefixes.oci.v6;
}
];
}
];


@ -2,6 +2,7 @@
imports = [
./estuary
./shill
./whale2
];
nixos.systems.colony.configuration = { lib, pkgs, config, systems, ... }:
@ -28,7 +29,8 @@
name = "installer";
backend = {
driver = "file";
filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
#filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
read-only = "on";
};
format.driver = "raw";
@ -164,6 +166,36 @@
}
]);
};
whale2 = {
uuid = "6d31b672-1f32-4e2b-a39f-78a5b5e949a0";
cpu = "host,topoext";
smp = {
cpus = 8;
threads = 2;
};
memory = 16384;
networks.vms.mac = "52:54:00:d5:d9:c6";
cleanShutdown.timeout = 120;
drives = [ ] ++ (optionals (!config.my.build.isDevVM) [
(mkMerge [ (vmLVM "whale2" "esp") { frontendOpts.bootindex = 0; } ])
(vmLVM "whale2" "nix")
(vmLVM "whale2" "persist")
{
name = "oci";
backend = {
driver = "host_device";
filename = "/dev/ssds/oci";
discard = "unmap";
};
format = {
driver = "raw";
discard = "unmap";
};
frontend = "virtio-blk";
}
]);
};
};
};
};
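Review bot: The installer drive now reads `/persist/home/dev/nixos-installer-devplayer0.iso`, a file outside the Nix store that nothing in this configuration produces, while the previous derivation-based `filename` line is left behind as a comment; if the switch is deliberate, replace the dead line with a comment giving the reason, e.g. `# Installer ISO is placed under /persist out of band: <reason>`, otherwise drop it. In the new `whale2` entry the MAC `52:54:00:d5:d9:c6` is also hard-coded a second time in the whale2 system's `10-vms` link match, so the VM definition and the guest's link rename can drift silently; taking it from one place (the `networks.vms.mac` value or an assignment) would keep them in step. The enclosing `colony` attribute set starts outside the hunk.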


@ -35,7 +35,7 @@
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (lib) mkIf mkMerge mkForce;
inherit (lib) flatten mkIf mkMerge mkForce;
inherit (lib.my) networkdAssignment;
in
{
@ -150,25 +150,18 @@
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
}
];
routes = map (r: { routeConfig = r; }) [
{
Gateway = allAssignments.colony.internal.ipv4.address;
Destination = lib.my.colony.prefixes.vms.v4;
}
{
Gateway = allAssignments.colony.internal.ipv6.address;
Destination = lib.my.colony.prefixes.vms.v6;
}
{
Gateway = allAssignments.colony.internal.ipv4.address;
Destination = lib.my.colony.prefixes.ctrs.v4;
}
{
Gateway = allAssignments.colony.internal.ipv6.address;
Destination = lib.my.colony.prefixes.ctrs.v6;
}
];
routes = map (r: { routeConfig = r; }) (flatten
([ ] ++
(map (pName: [
{
Gateway = allAssignments.colony.internal.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4;
}
{
Gateway = allAssignments.colony.internal.ipv6.address;
Destination = lib.my.colony.prefixes."${pName}".v6;
}
]) [ "vms" "ctrs" "oci" ])));
}
];
};
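Review bot: The rewritten `routes` expression carries two pieces of noise: the leading `[ ] ++` is a no-op, and `prefixes."${pName}"` can be written as the plain dynamic attribute `prefixes.${pName}`. The two outer lines would then read `routes = map (r: { routeConfig = r; }) (flatten (map (pName: [` and `]) [ "vms" "ctrs" "oci" ]));`, with `Destination = lib.my.colony.prefixes.${pName}.v4;` inside. The list of prefix names is now the only thing that says which networks are routed via colony, so a short comment above it naming that intent (`# every routed prefix hosted behind colony`) would help the next person who adds one. The `networks` attribute this sits in starts before the hunk.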


@ -89,7 +89,7 @@ in
let
hosts = [
"vm"
"fw" "ctr"
"fw" "ctr" "oci"
"http" "jackflix-ctr" "chatterbox-ctr" "colony-psql-ctr"
];
matchHosts = concatStringsSep "|" hosts;


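--- /dev/null
+++ b/<new-file-path-not-shown-on-page>
+{ lib, ... }: {
+nixos.systems.whale2 = {
+system = "x86_64-linux";
+nixpkgs = "mine";
+assignments = {
+internal = {
+name = "whale-vm";
+altNames = [ "oci" ];
+domain = lib.my.colony.domain;
+ipv4.address = "${lib.my.colony.start.vms.v4}3";
+ipv6 = {
+iid = "::3";
+address = "${lib.my.colony.start.vms.v6}3";
+};
+};
+oci = {
+name = "whale-vm-oci";
+domain = lib.my.colony.domain;
+ipv4 = {
+address = "${lib.my.colony.start.oci.v4}1";
+gateway = null;
+};
+ipv6.address = "${lib.my.colony.start.oci.v6}1";
+};
+};
+configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+let
+inherit (builtins) mapAttrs toJSON;
+inherit (lib) mkIf mkMerge mkForce;
+inherit (lib.my) networkdAssignment;
+in
+{
+imports = [
+"${modulesPath}/profiles/qemu-guest.nix"
+];
+config = mkMerge [
+{
+boot = {
+kernelParams = [ "console=ttyS0,115200n8" ];
+};
+fileSystems = {
+"/boot" = {
+device = "/dev/disk/by-label/ESP";
+fsType = "vfat";
+};
+"/nix" = {
+device = "/dev/disk/by-label/nix";
+fsType = "ext4";
+};
+"/persist" = {
+device = "/dev/disk/by-label/persist";
+fsType = "ext4";
+neededForBoot = true;
+};
+"/var/lib/containers" = {
+device = "/dev/disk/by-label/oci";
+fsType = "xfs";
+options = [ "pquota" ];
+};
+};
+services = {
+fstrim.enable = true;
+netdata.enable = true;
+};
+virtualisation = {
+podman = {
+enable = true;
+};
+};
+environment = {
+etc = {
+"cni/net.d/90-colony.conflist".text = toJSON {
+cniVersion = "0.4.0";
+name = "colony";
+plugins = [
+{
+type = "bridge";
+bridge = "oci";
+isGateway = true;
+ipMasq = false;
+hairpinMode = true;
+ipam = {
+type = "host-local";
+routes = [
+{ dst = "0.0.0.0/0"; }
+{ dst = "::/0"; }
+];
+ranges = [
+[
+{
+subnet = lib.my.colony.prefixes.oci.v4;
+gateway = lib.my.colony.start.oci.v4 + "1";
+}
+]
+[
+{
+subnet = lib.my.colony.prefixes.oci.v6;
+gateway = lib.my.colony.start.oci.v6 + "1";
+}
+]
+];
+};
+capabilities.ips = true;
+}
+];
+};
+};
+};
+systemd.network = {
+links = {
+"10-vms" = {
+matchConfig.MACAddress = "52:54:00:d5:d9:c6";
+linkConfig.Name = "vms";
+};
+};
+networks = {
+"80-vms" = networkdAssignment "vms" assignments.internal;
+};
+};
+my = {
+secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBTIj1jVdknXLNNroMJfgy7S2cSUC/qgFdnaUopEUzZ";
+server.enable = true;
+firewall = {
+tcp.allowed = [ 19999 ];
+trustedInterfaces = [ "oci" ];
+extraRules = ''
+table inet filter {
+chain forward {
+# Trust that the outer firewall has done the filtering!
+iifname vms oifname oci accept
+}
+}
+'';
+};
+};
+}
+];
+};
+};
+}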
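Review bot: `trustedInterfaces = [ "oci" ]` in the `my.firewall` block accepts all inbound traffic from the container bridge into this VM, which is much broader than the `tcp.allowed = [ 19999 ]` line next to it suggests and gives every workload on the bridge unfiltered access to the host's own listeners; if `my.firewall.trustedInterfaces` carries the same meaning as `networking.firewall.trustedInterfaces`, an explicit per-port allow scoped to `oci` would be the least-privilege form, and either way the decision deserves a comment such as `# Containers on the oci bridge are treated as trusted by this VM's input chain; revisit if untrusted workloads are scheduled here`. The `extraRules` forward rule accepts only `vms` -> `oci`; the reverse direction presumably relies on conntrack or on rules elsewhere in the firewall module, which is worth confirming given the `# Trust that the outer firewall has done the filtering!` comment. `mapAttrs`, `mkIf` and `mkForce` are inherited in the `let` block but not used anywhere in the file as shown.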


@ -129,6 +129,8 @@ in
"/root/.nix-defexpr"
"/var/lib/logrotate.status"
"/etc/cni/net.d/cni.lock"
];
persistence.config = {
# In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@ -326,6 +328,15 @@ in
}
];
})
(mkIf config.virtualisation.podman.enable {
my.tmproot.persistence.config.directories = [
{
directory = "/var/cache/containers";
mode = "750";
}
"/var/lib/cni"
];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM
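Review bot: The new `mkIf config.virtualisation.podman.enable` block persists `/var/cache/containers` and `/var/lib/cni` but not `/var/lib/containers`, which is a dedicated XFS mount on whale2 but on any other host that merely enables podman would presumably sit on the ephemeral root and lose image and volume storage at reboot; a comment stating that assumption, e.g. `# /var/lib/containers is expected to be its own mount (as on whale2); add it here if a podman host without one appears`, would make it explicit. `/var/lib/cni` is also listed without a `mode`, unlike the entry directly above it, and since it presumably holds the host-local IPAM allocations that difference should be a deliberate choice rather than an omission. The `/etc/cni/net.d/cni.lock` addition in the first hunk goes into a list whose purpose starts outside the hunk.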


@ -1,9 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 ZB3e6Q sQJFhvr8FRUhNhBMue77730wcbg28fTFnsszgerwEBo
7VzmwSkllK2wbSyFSCClvjY4X6sT6vLLPBAcXSbmnRU
-> X25519 DufjAOGVQtGU2oiDCymV7rv9bdw5Llk3KjbOj5wJxxs
9sOvYKIfp+fUKcW6zbhAU3kwaUrF9PCBlu56qmGhOss
-> m-grease s$ A ,2 =sKpm
lLRsEhRI4PsWw9K6uygWxFznKZSJUXesteKQ7hZ/wWJXkRHq
--- XYl7iGPy1+YfKOWNoZoiYvfFjctfqhWWzR4hMCWmXYU
”5à0K¥Öïš2Rp)wÓ.(rh¡U~w|%jÍ<C38D>°¨‡ ®Ç 9Ïæ¡V<C2A1>žÃÒ 0d€{µì×î<C397>ê<EFBFBD>ìñEµ\Vag~"T -”À3\­)N®­ßS"I
-> ssh-ed25519 ZB3e6Q iCLxItNihRG7KUDgcUm4vrtWQblN5hdYwvAegw0m5DQ
nQSrxGdOaWjtjYssejOg1DoNRnIYNznRzDJUEcWCUgA
-> X25519 eE1k40fJ67VXFqUJ8pB2Ll8/s1K0kD3YkfMQnOqKiTw
nH9+nHG8pAVLn5krLSNGc18FEMcp6o5NKkf/ciuFPY8
-> U|8z(Y7-grease n 6
DNyQQUnKJ9kGTrZY0pj67eeuEMpyn69awH4v0+RZiS9GaVRNPz9dv6VfzI178NDv
wb2gQLYc/5QFlvKo1pYx12AxxF3LvrwhNm8w9nvVjXUzFqn7SvoFxszxtw
--- bQBm6Njo6zu9+Xwao1BlMfBUXYL8TbytByW27Hde/Tg
ÁÑv€÷ò\ˆ'îì_½<>­ÍHýºûž(=a°ÈJf¤³¼+ïïšRëè»íš,(ã’+¤<>Wù{?˜ZnßQûæ~Ña´>—º)º¹…gF<67>‰X³rM4•ºy‰<79>



@ -1,9 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 n8CpUw ACIVtxzORRq2ptG0/MNlBt83MQZJu3Pc3R/5QRpgi2A
NSO8o2fL/EDLXegZ/kkzMW4/Za79q/6QfMQ1t0Sk9BM
-> X25519 nHYed6I+w6lIxgQNPUdeO35HlHmd0tKATpvnbtB5WzU
IWRKvT2csHQplib3ms1akiqdzGS37xQ2ev45yGW5d+w
-> %YW{-grease
4/tMk8Gzztby5x5ojQXj3853G0V8t7AoZA
--- 6vzp2wJk0Eh0O33xXCLrQiNbqeV7oMgvvqrgyRMK9Mg
2ŹŐ×ȬGh°¸élđâ)NËşźĚűÁ[N˝ Čß pŁ„…<E2809E>çŚěŁ|3ő>ům'N I?î)Ł =6łý·`ĚŐ`‚šŻ
-> ssh-ed25519 n8CpUw gSOLNKBwaCiP9TqcaIBrRF7HnQrXziYl13GzjVS1ryk
kgXnpg8IMVfNnb9meGPbAYGbgkeiWF5USDd7KlJGJmA
-> X25519 oL6s/UbRmFIcZ62H7766Q0Bu4KoFwzICgGPB/ogTvj0
FTWqAvm3Eq2AzhC+5xAUGMuZYbVtrPt+c1QBtXMdv/A
-> 54{PX{A-grease CyetKe> >}$Pn iQ)-0sK r
68Ze/tRYRoVy0x619dD1ibTGYaAGoljMxE2Ll5Sx+V9jRzi/DHtq/xyQTgvJfv3z
JM7E+KJZetXLLlvpOGKw3GBm
--- TWJdBHQyXz0rCxKloRqmXut0GODBw32Lwjnj9gFJAFI
±Ű!= «Óý<>I0rŕÁ°Jżvůé#(č2š¶R´8 [-VI<56>}pç,}v±jţHŮ# qJ?‹¦ď!δv~Pź™



@ -1,10 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 hkbtvg IrwZ+4sEJvFpB/zrFR/8Lu4GgpPppm84IYOAP7QWH0o
Px7RM+aKmjRQKdr0Ta/v+s9M+rRvRTNs9YYaZnNeORk
-> X25519 lSIE40xvHLkKFMCgsKjVhbxYfv7ddDJ3xyMlcDdxgxU
sc+2ibxqyLtlcpFUPCab+x4imPjuedQadA4b1Qg63a4
-> [J"78S~E-grease S||B(wq} suB8~I ~?E@d}
/3IplD0a0o3phrEIX85CAVkFRvLcCh3ncK/0Reur0bvKsqOjg37KH+Az5dDh2h9D
63kpJpGxwNKlRntnWQWxeYN2PN3cZrggH25/EJuJT3td2Q
--- a+cb3+9Z7WWk6vGGaiXz11G2fKUqLbYuUPyzturVFXY
ç—îúCEBÏ(c#€ƒY$Jñè4g*t„~Ïãƒ)ð£ü:“Hñ`ûÙÝ·Ýa' ó ìÉ<øAråk½+“ÓDºw§cLK3<4B>ŸmĽäÿ‹
-> ssh-ed25519 hkbtvg G/+xT6RqgxbeZc6fafYkqFs7FyWL58+PhUIrN4g7lVA
h/lSiNjqSnoBv+nuSyRuQegzIrpyDJ/JmH2z0+WjxJc
-> X25519 S/BUrpWmbVbEzRWzLLtLctqR+aiir7slufy+o2Wq+Vs
Hf3NrG88+kISvWbRGTjkNRTNLnpjRY/W/Ukg4N133lg
-> 9KLY0A-grease b%;W R dR$
ijMZxH1fad+vLWdei7kZsMYO9u92jjVlx7lPgMbIMFqkFy3xqoGL8jpi96Oz7+nS
BPbCv6bJQyfo+fUgg6U8Indc3XdbCbcqVPNzguCohQoYxUAC+j+DRQVz3ePadXKY
fZo
--- vWyTykBiq5nFO1UxCC8r1eXZiRxdRzVaj02zi3iCLKc
G€OÞä<12>¡t¬ÒPƒÝÜþ)«E7àÈó<C388>R¾;ž»¶Ý»Ò ¯·ÜJ sÜ5i=lSÈúNïš(.b@Õ]ÂVÆ“üƒ„
øð™xûÛ&\ƒXFFÊÛCD~ ·#êh



@ -1,9 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 HJ/J7A SyRXLRxv1tu111Xne8u3JUIz0qy8C6HYD7X4uD4pGUI
QuTY1ZZqLjE8gC3Df7pBT1lWcRPL3EIxHA7dGjp+NEg
-> X25519 N5sWlzsAMGknj5na/nbY00pT5CWedf2S0j1iCKCTFSU
vM70N7ymKgC3J9OrOAj6CFU/smAz2lLGX4inh1usTzc
-> 'cQcC'-grease Cq7J w# .Tc
2ScwMdP22ccCa7g3Xbhw2kT4qjW9Cg
--- wwRUIFVC5mOE9w8NRr2Ld7GjeK0sFlsDnvEFke9Rzc0
Őĺ(ÜÇą|ufK§Ń á¨;xE-ÝśBĂi[ÖáYY&‹‰¶ś}÷= \Ňýď·öcŐ»ĄŤüÄ~­bOl`xÖy=ÖĺŮ/ęV`>ą÷­1Ü"u°4űákÂ<§U:§MuËŕÍÍV“ ů»PńZͦ"gLXő{łCFđzÖ'ňŃ&Đ(l
-> ssh-ed25519 HJ/J7A A4ybdNG0bDSIBDnjktzi1DpmGrkvNt0SE+YqCHNokEg
gwL+6yhXPM3oFkq3S/4PlWzi1h43yBRW1atvYbg2Ax4
-> X25519 R8AIKLRKCLCUmJB3A/z+9iQOfwbqNRm7GgZQX1PgHXM
nP+UagGakkcI4c59CHSldzGvJLzDXJE16u+LggSLUcM
-> iS[]-grease
NLqKdqlhdrhVyfNihGFsQC+jvA9wu60
--- KDffMrsRX2L2uqdu0ReWQnIcqkYjWfNh4s7KgXTYpDA
ÿ-»”)ö¯h<C2AF>èiŽ@X"Ä€eëõ¯Æ©ñq}J<>a&rJ â!IÅÛÖ:™7;~çv¼ÕìÏ-µÃãýâ*=úeóN¿ðšKbÔWp#ñBÍÈmÇuxï´q™¡ÓXnñ+«âBÇGðaLÈÝDer¢O1•<31>^¸t]c"<22>dšRRû¬ø°G|Q