diff --git a/lib/default.nix b/lib/default.nix index 0fd5451..c1f455a 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -217,6 +217,10 @@ rec { v4 = "${start.all.v4}2."; v6 = "${start.all.v6}2::"; }; + oci = { + v4 = "${start.all.v4}3."; + v6 = "${start.all.v6}3::"; + }; }; prefixes = { all = { @@ -232,6 +236,10 @@ rec { v4 = "${start.ctrs.v4}0/24"; v6 = "${start.ctrs.v6}/64"; }; + oci = { + v4 = "${start.oci.v4}0/24"; + v6 = "${start.oci.v6}/64"; + }; }; }; sshKeyFiles = { diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix index 2427510..ac14881 100644 --- a/nixos/boxes/colony/default.nix +++ b/nixos/boxes/colony/default.nix @@ -100,6 +100,7 @@ lm_sensors linuxPackages.cpupower smartmontools + xfsprogs ]; systemd = { @@ -179,6 +180,15 @@ Gateway = allAssignments.shill.internal.ipv6.address; Destination = lib.my.colony.prefixes.ctrs.v6; } + + { + Gateway = allAssignments.whale2.internal.ipv4.address; + Destination = lib.my.colony.prefixes.oci.v4; + } + { + Gateway = allAssignments.whale2.internal.ipv6.address; + Destination = lib.my.colony.prefixes.oci.v6; + } ]; } ]; diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix index bef27e6..46dd901 100644 --- a/nixos/boxes/colony/vms/default.nix +++ b/nixos/boxes/colony/vms/default.nix @@ -2,6 +2,7 @@ imports = [ ./estuary ./shill + ./whale2 ]; nixos.systems.colony.configuration = { lib, pkgs, config, systems, ... }: @@ -28,7 +29,8 @@ name = "installer"; backend = { driver = "file"; - filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso"; + #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso"; + filename = "/persist/home/dev/nixos-installer-devplayer0.iso"; read-only = "on"; }; format.driver = "raw"; 
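Review bot: The installer drive now reads `/persist/home/dev/nixos-installer-devplayer0.iso`, a mutable file under a user home outside the Nix store, while the previous store-path expression is left behind as a commented-out line directly above it. The image the VM boots is therefore no longer pinned by the configuration (nothing records which build it was), and it is writable by whoever owns that home directory. If this is a deliberate shortcut to avoid building `systems.installer` on every evaluation, say so and drop the dead line, e.g. `# TEMP: boot a pre-built ISO instead of building systems.installer (restore the store-path expression when done)`.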
@@ -164,6 +166,36 @@ } ]); }; + + whale2 = { + uuid = "6d31b672-1f32-4e2b-a39f-78a5b5e949a0"; + cpu = "host,topoext"; + smp = { + cpus = 8; + threads = 2; + }; + memory = 16384; + networks.vms.mac = "52:54:00:d5:d9:c6"; + cleanShutdown.timeout = 120; + drives = [ ] ++ (optionals (!config.my.build.isDevVM) [ + (mkMerge [ (vmLVM "whale2" "esp") { frontendOpts.bootindex = 0; } ]) + (vmLVM "whale2" "nix") + (vmLVM "whale2" "persist") + { + name = "oci"; + backend = { + driver = "host_device"; + filename = "/dev/ssds/oci"; + discard = "unmap"; + }; + format = { + driver = "raw"; + discard = "unmap"; + }; + frontend = "virtio-blk"; + } + ]); + }; }; }; }; diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index e860afd..e98a3e1 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -35,7 +35,7 @@ configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: let - inherit (lib) mkIf mkMerge mkForce; + inherit (lib) flatten mkIf mkMerge mkForce; inherit (lib.my) networkdAssignment; in { 
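Review bot: The guest MAC `52:54:00:d5:d9:c6` in `networks.vms.mac` is repeated verbatim in the new nixos/boxes/colony/vms/whale2/default.nix (`matchConfig.MACAddress` of the `10-vms` link), so the two copies can silently diverge; define it once and reference it from both places. `drives = [ ] ++ (optionals (!config.my.build.isDevVM) [ … ])` carries a redundant empty list — `drives = optionals (!config.my.build.isDevVM) [ … ];` is equivalent. The `oci` drive passes `/dev/ssds/oci` through raw with `discard = "unmap"` on both backend and format, which is fine, but a one-line comment tying it to its purpose would help the next reader, e.g. `# Dedicated LV for podman storage (mounted at /var/lib/containers in the guest)`.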
@@ -150,25 +150,18 @@ ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6; } ]; - routes = map (r: { routeConfig = r; }) [ - { - Gateway = allAssignments.colony.internal.ipv4.address; - Destination = lib.my.colony.prefixes.vms.v4; - } - { - Gateway = allAssignments.colony.internal.ipv6.address; - Destination = lib.my.colony.prefixes.vms.v6; - } - - { - Gateway = allAssignments.colony.internal.ipv4.address; - Destination = lib.my.colony.prefixes.ctrs.v4; - } - { - Gateway = allAssignments.colony.internal.ipv6.address; - Destination = lib.my.colony.prefixes.ctrs.v6; - } - ]; + routes = map (r: { routeConfig = r; }) (flatten + ([ ] ++ + (map (pName: [ + { + Gateway = allAssignments.colony.internal.ipv4.address; + Destination = lib.my.colony.prefixes."${pName}".v4; + } + { + Gateway = allAssignments.colony.internal.ipv6.address; + Destination = lib.my.colony.prefixes."${pName}".v6; + } + ]) [ "vms" "ctrs" "oci" ]))); } ]; }; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix index 1c99ea5..915333e 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix @@ -89,7 +89,7 @@ in let hosts = [ "vm" - "fw" "ctr" + "fw" "ctr" "oci" "http" "jackflix-ctr" "chatterbox-ctr" "colony-psql-ctr" ]; matchHosts = concatStringsSep "|" hosts; diff --git a/nixos/boxes/colony/vms/whale2/default.nix b/nixos/boxes/colony/vms/whale2/default.nix new file mode 100644 index 0000000..526bca9 --- /dev/null +++ b/nixos/boxes/colony/vms/whale2/default.nix 
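Review bot: `flatten ([ ] ++ (map (pName: [ … ]) [ "vms" "ctrs" "oci" ]))` is a roundabout spelling of `concatMap`, and the leading `[ ] ++` adds nothing: `routes = map (r: { routeConfig = r; }) (concatMap (pName: [ … ]) [ "vms" "ctrs" "oci" ]);` reads directly, with `concatMap` taking the place of `flatten` in the `inherit (lib) …` line changed by the earlier hunk of this file. The quoted attribute path `lib.my.colony.prefixes."${pName}".v4` can likewise be written `lib.my.colony.prefixes.${pName}.v4`. The hand-written gateway/destination pairs added to nixos/boxes/colony/default.nix for the oci prefix in this same commit could follow the same mapped form for consistency. The enclosing network definition starts outside the hunk.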
@@ -0,0 +1,154 @@ +{ lib, ... }: { + nixos.systems.whale2 = { + system = "x86_64-linux"; + nixpkgs = "mine"; + + assignments = { + internal = { + name = "whale-vm"; + altNames = [ "oci" ]; + domain = lib.my.colony.domain; + ipv4.address = "${lib.my.colony.start.vms.v4}3"; + ipv6 = { + iid = "::3"; + address = "${lib.my.colony.start.vms.v6}3"; + }; + }; + oci = { + name = "whale-vm-oci"; + domain = lib.my.colony.domain; + ipv4 = { + address = "${lib.my.colony.start.oci.v4}1"; + gateway = null; + }; + ipv6.address = "${lib.my.colony.start.oci.v6}1"; + }; + }; + + configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: + let + inherit (builtins) mapAttrs toJSON; + inherit (lib) mkIf mkMerge mkForce; + inherit (lib.my) networkdAssignment; + in + { + imports = [ + "${modulesPath}/profiles/qemu-guest.nix" + + + ]; + + config = mkMerge [ + { + boot = { + kernelParams = [ "console=ttyS0,115200n8" ]; + }; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + "/nix" = { + device = "/dev/disk/by-label/nix"; + fsType = "ext4"; + }; + "/persist" = { + device = "/dev/disk/by-label/persist"; + fsType = "ext4"; + neededForBoot = true; + }; + + "/var/lib/containers" = { + device = "/dev/disk/by-label/oci"; + fsType = "xfs"; + options = [ "pquota" ]; + }; + }; + + services = { + fstrim.enable = true; + netdata.enable = true; + }; + + virtualisation = { + podman = { + enable = true; + }; + }; + + environment = { + etc = { + "cni/net.d/90-colony.conflist".text = toJSON { + cniVersion = "0.4.0"; + name = "colony"; + plugins = [ + { + type = "bridge"; + bridge = "oci"; + isGateway = true; + ipMasq = false; + hairpinMode = true; + ipam = { + type = "host-local"; + routes = [ + { dst = "0.0.0.0/0"; } + { dst = "::/0"; } + ]; + ranges = [ + [ + { + subnet = lib.my.colony.prefixes.oci.v4; + gateway = lib.my.colony.start.oci.v4 + "1"; + } + ] + [ + { + subnet = lib.my.colony.prefixes.oci.v6; + gateway = 
lib.my.colony.start.oci.v6 + "1"; + } + ] + ]; + }; + capabilities.ips = true; + } + ]; + }; + }; + }; + + systemd.network = { + links = { + "10-vms" = { + matchConfig.MACAddress = "52:54:00:d5:d9:c6"; + linkConfig.Name = "vms"; + }; + }; + + networks = { + "80-vms" = networkdAssignment "vms" assignments.internal; + }; + }; + + my = { + secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBTIj1jVdknXLNNroMJfgy7S2cSUC/qgFdnaUopEUzZ"; + server.enable = true; + + firewall = { + tcp.allowed = [ 19999 ]; + trustedInterfaces = [ "oci" ]; + extraRules = '' + table inet filter { + chain forward { + # Trust that the outer firewall has done the filtering! + iifname vms oifname oci accept + } + } + ''; + }; + }; + } + ]; + }; + }; +} diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index 04710f3..ee133c4 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -129,6 +129,8 @@ in "/root/.nix-defexpr" "/var/lib/logrotate.status" + + "/etc/cni/net.d/cni.lock" ]; persistence.config = { # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the @@ -326,6 +328,15 @@ in } ]; }) + (mkIf config.virtualisation.podman.enable { + my.tmproot.persistence.config.directories = [ + { + directory = "/var/cache/containers"; + mode = "750"; + } + "/var/lib/cni" + ]; + }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM diff --git a/secrets/chatterbox/nul.ie.signing.key.age b/secrets/chatterbox/nul.ie.signing.key.age index 3251231..7ee8a48 100644 --- a/secrets/chatterbox/nul.ie.signing.key.age +++ b/secrets/chatterbox/nul.ie.signing.key.age 
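Review bot: `trustedInterfaces = [ "oci" ]` presumably behaves like NixOS's `networking.firewall.trustedInterfaces`, in which case every container on the bridge can reach any service listening on whale2 rather than only the ports in `tcp.allowed`; if the containers are meant to be a trust boundary, leave `oci` untrusted and open only what they need. The forward rule `iifname vms oifname oci accept` relies, as its comment says, on the outer firewall, while the oci→vms direction is left to whatever default forward policy `my.firewall` applies — worth stating next to it, e.g. `# oci -> vms falls through to the default forward policy`. The CNI gateways `lib.my.colony.start.oci.v4 + "1"` and `lib.my.colony.start.oci.v6 + "1"` restate `assignments.oci.ipv4.address` / `assignments.oci.ipv6.address` defined at the top of this file; referencing the assignment keeps the two from drifting. `mapAttrs`, `mkIf` and `mkForce` are inherited but never used here, and `imports` carries two stray blank lines.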
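Review bot: The `/etc/cni/net.d/cni.lock` entry in the first tmproot hunk is added unconditionally, whereas the podman persistence directories in the second hunk are wrapped in `mkIf config.virtualisation.podman.enable`; if that list accepts merged definitions, the lock-file entry belongs inside the same `mkIf` so podman-only state stays together. The `/var/cache/containers` entry sets `mode = "750"` without a user/group, so it takes the module's default owner — a short comment on why 750 is wanted here would help, e.g. `# image cache: keep it out of reach of other local users`. `/var/lib/containers` itself is not persisted by this block, which appears consistent with whale2 mounting it from a dedicated disk, but any other host that enables podman under tmproot without such a mount would lose its container storage on reboot.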
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 ZB3e6Q sQJFhvr8FRUhNhBMue77730wcbg28fTFnsszgerwEBo -7VzmwSkllK2wbSyFSCClvjY4X6sT6vLLPBAcXSbmnRU --> X25519 DufjAOGVQtGU2oiDCymV7rv9bdw5Llk3KjbOj5wJxxs -9sOvYKIfp+fUKcW6zbhAU3kwaUrF9PCBlu56qmGhOss --> m-grease s$ A ,2 =sKpm -lLRsEhRI4PsWw9K6uygWxFznKZSJUXesteKQ7hZ/wWJXkRHq ---- XYl7iGPy1+YfKOWNoZoiYvfFjctfqhWWzR4hMCWmXYU -𞄲K诛2Rp)w.(rh~w|%j蛡彴▏  9湘灻 0d{奠最濌愳馝礬Vag~"T -斃3\)N逽"I \ No newline at end of file +-> ssh-ed25519 ZB3e6Q iCLxItNihRG7KUDgcUm4vrtWQblN5hdYwvAegw0m5DQ +nQSrxGdOaWjtjYssejOg1DoNRnIYNznRzDJUEcWCUgA +-> X25519 eE1k40fJ67VXFqUJ8pB2Ll8/s1K0kD3YkfMQnOqKiTw +nH9+nHG8pAVLn5krLSNGc18FEMcp6o5NKkf/ciuFPY8 +-> U|8z(Y7-grease n 6 +DNyQQUnKJ9kGTrZY0pj67eeuEMpyn69awH4v0+RZiS9GaVRNPz9dv6VfzI178NDv +wb2gQLYc/5QFlvKo1pYx12AxxF3LvrwhNm8w9nvVjXUzFqn7SvoFxszxtw +--- bQBm6Njo6zu9+Xwao1BlMfBUXYL8TbytByW27Hde/Tg +裂v黩\'铎_綇H麨(=a叭Jfこ+镲歊杌須,(銙+W鵾?榋n逹~補>椇)汗単F悏X硆M4暫y墠 \ No newline at end of file diff --git a/secrets/chatterbox/synapse.yaml.age b/secrets/chatterbox/synapse.yaml.age index 2bea90c..647123e 100644 Binary files a/secrets/chatterbox/synapse.yaml.age and b/secrets/chatterbox/synapse.yaml.age differ diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index a182ab9..2aee7aa 100644 Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ diff --git a/secrets/estuary/netdata/powerdns.conf.age b/secrets/estuary/netdata/powerdns.conf.age index f4df152..dd1fb02 100644 Binary files a/secrets/estuary/netdata/powerdns.conf.age and b/secrets/estuary/netdata/powerdns.conf.age differ diff --git a/secrets/estuary/netdata/powerdns_recursor.conf.age b/secrets/estuary/netdata/powerdns_recursor.conf.age index 5168537..26a371a 100644 Binary files a/secrets/estuary/netdata/powerdns_recursor.conf.age and b/secrets/estuary/netdata/powerdns_recursor.conf.age differ diff --git a/secrets/estuary/pdns/auth.conf.age b/secrets/estuary/pdns/auth.conf.age index 1d36fd0..acda45b 100644 
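Review bot: Every file under secrets/ is rewritten in this commit, including ones with no relation to the new whale2 VM (hercules AWS credentials, the jackflix mullvad private key, vaultwarden.env, user-passwd.txt), which suggests the new host's key was added to a repository-wide recipient set. If so, each host key can decrypt every secret, and a compromise of whale2 (a VM whose purpose is to run containers) would expose credentials it never deploys. Scoping recipients per host to the secrets that host actually uses would keep such a rekey limited to whale2's own secrets and make the diff reviewable.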
--- a/secrets/estuary/pdns/auth.conf.age +++ b/secrets/estuary/pdns/auth.conf.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 n8CpUw ACIVtxzORRq2ptG0/MNlBt83MQZJu3Pc3R/5QRpgi2A -NSO8o2fL/EDLXegZ/kkzMW4/Za79q/6QfMQ1t0Sk9BM --> X25519 nHYed6I+w6lIxgQNPUdeO35HlHmd0tKATpvnbtB5WzU -IWRKvT2csHQplib3ms1akiqdzGS37xQ2ev45yGW5d+w --> %YW{-grease -4/tMk8Gzztby5x5ojQXj3853G0V8t7AoZA ---- 6vzp2wJk0Eh0O33xXCLrQiNbqeV7oMgvvqrgyRMK9Mg -2徴兹珿h搁l疴)N撕熖[N 冗 俻枺剠愮岇3>鵰'N I?) =6除穈陶`毌 \ No newline at end of file +-> ssh-ed25519 n8CpUw gSOLNKBwaCiP9TqcaIBrRF7HnQrXziYl13GzjVS1ryk +kgXnpg8IMVfNnb9meGPbAYGbgkeiWF5USDd7KlJGJmA +-> X25519 oL6s/UbRmFIcZ62H7766Q0Bu4KoFwzICgGPB/ogTvj0 +FTWqAvm3Eq2AzhC+5xAUGMuZYbVtrPt+c1QBtXMdv/A +-> 54{PX{A-grease CyetKe> >}$Pn iQ)-0sK r +68Ze/tRYRoVy0x619dD1ibTGYaAGoljMxE2Ll5Sx+V9jRzi/DHtq/xyQTgvJfv3z +JM7E+KJZetXLLlvpOGKw3GBm +--- TWJdBHQyXz0rCxKloRqmXut0GODBw32Lwjnj9gFJAFI +臂!= 齼I0r嗔癑縱#(2毝R8 [-俈I恾p,}v眏H#爍J?嫤!磛~P煓 \ No newline at end of file diff --git a/secrets/estuary/pdns/recursor.conf.age b/secrets/estuary/pdns/recursor.conf.age index 5b9f9dc..2cade17 100644 Binary files a/secrets/estuary/pdns/recursor.conf.age and b/secrets/estuary/pdns/recursor.conf.age differ diff --git a/secrets/hercules/aws-credentials.ini.age b/secrets/hercules/aws-credentials.ini.age index ac5208d..0db4f4f 100644 Binary files a/secrets/hercules/aws-credentials.ini.age and b/secrets/hercules/aws-credentials.ini.age differ diff --git a/secrets/hercules/binary-caches.json.age b/secrets/hercules/binary-caches.json.age index 752fe02..3a5ca76 100644 Binary files a/secrets/hercules/binary-caches.json.age and b/secrets/hercules/binary-caches.json.age differ diff --git a/secrets/hercules/cluster-join-token.key.age b/secrets/hercules/cluster-join-token.key.age index c9296a9..b5a571b 100644 Binary files a/secrets/hercules/cluster-join-token.key.age and b/secrets/hercules/cluster-join-token.key.age differ 
diff --git a/secrets/jackflix/mullvad-privkey.age b/secrets/jackflix/mullvad-privkey.age index 6c8856f..6d0ab1e 100644 Binary files a/secrets/jackflix/mullvad-privkey.age and b/secrets/jackflix/mullvad-privkey.age differ diff --git a/secrets/middleman/cloudflare-credentials.conf.age b/secrets/middleman/cloudflare-credentials.conf.age index 550d4a9..733d147 100644 Binary files a/secrets/middleman/cloudflare-credentials.conf.age and b/secrets/middleman/cloudflare-credentials.conf.age differ diff --git a/secrets/middleman/nginx-sso.yaml.age b/secrets/middleman/nginx-sso.yaml.age index 9b6f53a..986c643 100644 Binary files a/secrets/middleman/nginx-sso.yaml.age and b/secrets/middleman/nginx-sso.yaml.age differ diff --git a/secrets/minio.env.age b/secrets/minio.env.age index c941d28..0b819fc 100644 --- a/secrets/minio.env.age +++ b/secrets/minio.env.age @@ -1,10 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 hkbtvg IrwZ+4sEJvFpB/zrFR/8Lu4GgpPppm84IYOAP7QWH0o -Px7RM+aKmjRQKdr0Ta/v+s9M+rRvRTNs9YYaZnNeORk --> X25519 lSIE40xvHLkKFMCgsKjVhbxYfv7ddDJ3xyMlcDdxgxU -sc+2ibxqyLtlcpFUPCab+x4imPjuedQadA4b1Qg63a4 --> [J"78S~E-grease S||B(wq} suB8~I ~?E@d} -/3IplD0a0o3phrEIX85CAVkFRvLcCh3ncK/0Reur0bvKsqOjg37KH+Az5dDh2h9D -63kpJpGxwNKlRntnWQWxeYN2PN3cZrggH25/EJuJT3td2Q ---- a+cb3+9Z7WWk6vGGaiXz11G2fKUqLbYuUPyzturVFXY -鐥鶦EB(c#僘$J耔4g*t剘香)穑h:揌馺莘a' 焐<鳤俽錵+撚D浐w慙K3彑憁慕 \ No newline at end of file +-> ssh-ed25519 hkbtvg G/+xT6RqgxbeZc6fafYkqFs7FyWL58+PhUIrN4g7lVA +h/lSiNjqSnoBv+nuSyRuQegzIrpyDJ/JmH2z0+WjxJc +-> X25519 S/BUrpWmbVbEzRWzLLtLctqR+aiir7slufy+o2Wq+Vs +Hf3NrG88+kISvWbRGTjkNRTNLnpjRY/W/Ukg4N133lg +-> 9KLY0A-grease b%;W R dR$ +ijMZxH1fad+vLWdei7kZsMYO9u92jjVlx7lPgMbIMFqkFy3xqoGL8jpi96Oz7+nS +BPbCv6bJQyfo+fUgg6U8Indc3XdbCbcqVPNzguCohQoYxUAC+j+DRQVz3ePadXKY +fZo +--- vWyTykBiq5nFO1UxCC8r1eXZiRxdRzVaj02zi3iCLKc +GO掬仭tP蒈)獷7嗳髰R;灮遁灰 躂爏5i=lS鳃N(.b@誡耉茡鼉 +檟&\僗FF售朇D~ #阧 \ No newline at end of file 
diff --git a/secrets/nix-cache-gc.ini.age b/secrets/nix-cache-gc.ini.age index 88efe99..0b60d07 100644 Binary files a/secrets/nix-cache-gc.ini.age and b/secrets/nix-cache-gc.ini.age differ diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age index ed4f193..215e75c 100644 Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age index 256ca16..b59ddf6 100644 Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index ca5d5f6..8189b1d 100644 --- a/secrets/vaultwarden.env.age +++ b/secrets/vaultwarden.env.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 HJ/J7A SyRXLRxv1tu111Xne8u3JUIz0qy8C6HYD7X4uD4pGUI -QuTY1ZZqLjE8gC3Df7pBT1lWcRPL3EIxHA7dGjp+NEg --> X25519 N5sWlzsAMGknj5na/nbY00pT5CWedf2S0j1iCKCTFSU -vM70N7ymKgC3J9OrOAj6CFU/smAz2lLGX4inh1usTzc --> 'cQcC'-grease Cq7J w# .Tc -2ScwMdP22ccCa7g3Xbhw2kT4qjW9Cg ---- wwRUIFVC5mOE9w8NRr2Ld7GjeK0sFlsDnvEFke9Rzc0 -斟(芮箌u媐Kа 屺;xE-轀B胕[轴YY&媺稖}= \翌唴扶c互嶞~璪Ol`x謞=皱/闢`>鳝1"u4k<:u肃蚔 P馴挺"gLX鮷矯Fz'蜓&(l \ No newline at end of file +-> ssh-ed25519 HJ/J7A A4ybdNG0bDSIBDnjktzi1DpmGrkvNt0SE+YqCHNokEg +gwL+6yhXPM3oFkq3S/4PlWzi1h43yBRW1atvYbg2Ax4 +-> X25519 R8AIKLRKCLCUmJB3A/z+9iQOfwbqNRm7GgZQX1PgHXM +nP+UagGakkcI4c59CHSldzGvJLzDXJE16u+LggSLUcM +-> iS[]-grease +NLqKdqlhdrhVyfNihGFsQC+jvA9wu60 +--- KDffMrsRX2L2uqdu0ReWQnIcqkYjWfNh4s7KgXTYpDA +-粩)霪h忚i嶡X"膧e膈q}J乤&rJ !I袍:7;~鐅颊煜-得泯*=鷈驨筐欿bWp#栺B腿mux锎q櫋覺n+B荊餫L葌軩er慜1晲^竧]c"dI歊RG|Q \ No newline at end of file