Add OCI container VM
		@@ -100,6 +100,7 @@
 | 
			
		||||
          lm_sensors
 | 
			
		||||
          linuxPackages.cpupower
 | 
			
		||||
          smartmontools
 | 
			
		||||
          xfsprogs
 | 
			
		||||
        ];
 | 
			
		||||
 | 
			
		||||
        systemd = {
 | 
			
		||||
@@ -179,6 +180,15 @@
 | 
			
		||||
                      Gateway = allAssignments.shill.internal.ipv6.address;
 | 
			
		||||
                      Destination = lib.my.colony.prefixes.ctrs.v6;
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    {
 | 
			
		||||
                      Gateway = allAssignments.whale2.internal.ipv4.address;
 | 
			
		||||
                      Destination = lib.my.colony.prefixes.oci.v4;
 | 
			
		||||
                    }
 | 
			
		||||
                    {
 | 
			
		||||
                      Gateway = allAssignments.whale2.internal.ipv6.address;
 | 
			
		||||
                      Destination = lib.my.colony.prefixes.oci.v6;
 | 
			
		||||
                    }
 | 
			
		||||
                  ];
 | 
			
		||||
                }
 | 
			
		||||
              ];
 | 
			
		||||
 
 | 
			
		||||
@@ -2,6 +2,7 @@
 | 
			
		||||
  imports = [
 | 
			
		||||
    ./estuary
 | 
			
		||||
    ./shill
 | 
			
		||||
    ./whale2
 | 
			
		||||
  ];
 | 
			
		||||
 | 
			
		||||
  nixos.systems.colony.configuration = { lib, pkgs, config, systems, ... }:
 | 
			
		||||
@@ -28,7 +29,8 @@
 | 
			
		||||
      name = "installer";
 | 
			
		||||
      backend = {
 | 
			
		||||
        driver = "file";
 | 
			
		||||
        filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
 | 
			
		||||
        #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
 | 
			
		||||
        filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
 | 
			
		||||
        read-only = "on";
 | 
			
		||||
      };
 | 
			
		||||
      format.driver = "raw";
 | 
			
		||||
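Review bot: The installer drive now points at `/persist/home/dev/nixos-installer-devplayer0.iso` instead of the ISO produced by `systems.installer.configuration`, so the VM boots whatever file happens to be at that path rather than an image whose contents are fixed by the Nix evaluation; the old expression survives only as a commented-out line with no reason given. If this is a deliberate shortcut for iterating on the installer, record that on the line instead of leaving dead code, e.g. `# TODO: boots a hand-copied ISO from /persist while iterating; switch back to the buildAs.iso path once done`. The `backend` attrset this sits in starts and ends outside the hunk.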
@@ -164,6 +166,36 @@
 | 
			
		||||
              }
 | 
			
		||||
            ]);
 | 
			
		||||
          };
 | 
			
		||||
 | 
			
		||||
          whale2 = {
 | 
			
		||||
            uuid = "6d31b672-1f32-4e2b-a39f-78a5b5e949a0";
 | 
			
		||||
            cpu = "host,topoext";
 | 
			
		||||
            smp = {
 | 
			
		||||
              cpus = 8;
 | 
			
		||||
              threads = 2;
 | 
			
		||||
            };
 | 
			
		||||
            memory = 16384;
 | 
			
		||||
            networks.vms.mac = "52:54:00:d5:d9:c6";
 | 
			
		||||
            cleanShutdown.timeout = 120;
 | 
			
		||||
            drives = [ ] ++ (optionals (!config.my.build.isDevVM) [
 | 
			
		||||
              (mkMerge [ (vmLVM "whale2" "esp") { frontendOpts.bootindex = 0; } ])
 | 
			
		||||
              (vmLVM "whale2" "nix")
 | 
			
		||||
              (vmLVM "whale2" "persist")
 | 
			
		||||
              {
 | 
			
		||||
                name = "oci";
 | 
			
		||||
                backend = {
 | 
			
		||||
                  driver = "host_device";
 | 
			
		||||
                  filename = "/dev/ssds/oci";
 | 
			
		||||
                  discard = "unmap";
 | 
			
		||||
                };
 | 
			
		||||
                format = {
 | 
			
		||||
                  driver = "raw";
 | 
			
		||||
                  discard = "unmap";
 | 
			
		||||
                };
 | 
			
		||||
                frontend = "virtio-blk";
 | 
			
		||||
              }
 | 
			
		||||
            ]);
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
 
 | 
			
		||||
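Review bot: `drives = [ ] ++ (optionals (!config.my.build.isDevVM) [` carries a leading `[ ] ++` that does nothing; `drives = optionals (!config.my.build.isDevVM) [` reads the same and evaluates identically. The same shape appears in the routes rewrite later in this commit (`([  ] ++ (map (pName: [` in hunk `@@ -150,25 +150,18 @@`), which also has a stray double space inside the brackets. The `oci` drive hands `/dev/ssds/oci` to the guest raw; a one-line comment such as `# raw passthrough; whale2 formats this as XFS with project quotas for /var/lib/containers` would tie the two files of this commit together for the next reader. The enclosing VM attrset starts outside the hunk.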
@@ -35,7 +35,7 @@
 | 
			
		||||
 | 
			
		||||
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
 | 
			
		||||
      let
 | 
			
		||||
        inherit (lib) mkIf mkMerge mkForce;
 | 
			
		||||
        inherit (lib) flatten mkIf mkMerge mkForce;
 | 
			
		||||
        inherit (lib.my) networkdAssignment;
 | 
			
		||||
      in
 | 
			
		||||
      {
 | 
			
		||||
@@ -150,25 +150,18 @@
 | 
			
		||||
                        ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
 | 
			
		||||
                      }
 | 
			
		||||
                    ];
 | 
			
		||||
                    routes = map (r: { routeConfig = r; }) [
 | 
			
		||||
                      {
 | 
			
		||||
                        Gateway = allAssignments.colony.internal.ipv4.address;
 | 
			
		||||
                        Destination = lib.my.colony.prefixes.vms.v4;
 | 
			
		||||
                      }
 | 
			
		||||
                      {
 | 
			
		||||
                        Gateway = allAssignments.colony.internal.ipv6.address;
 | 
			
		||||
                        Destination = lib.my.colony.prefixes.vms.v6;
 | 
			
		||||
                      }
 | 
			
		||||
 | 
			
		||||
                      {
 | 
			
		||||
                        Gateway = allAssignments.colony.internal.ipv4.address;
 | 
			
		||||
                        Destination = lib.my.colony.prefixes.ctrs.v4;
 | 
			
		||||
                      }
 | 
			
		||||
                      {
 | 
			
		||||
                        Gateway = allAssignments.colony.internal.ipv6.address;
 | 
			
		||||
                        Destination = lib.my.colony.prefixes.ctrs.v6;
 | 
			
		||||
                      }
 | 
			
		||||
                    ];
 | 
			
		||||
                    routes = map (r: { routeConfig = r; }) (flatten
 | 
			
		||||
                      ([  ] ++
 | 
			
		||||
                      (map (pName: [
 | 
			
		||||
                        {
 | 
			
		||||
                          Gateway = allAssignments.colony.internal.ipv4.address;
 | 
			
		||||
                          Destination = lib.my.colony.prefixes."${pName}".v4;
 | 
			
		||||
                        }
 | 
			
		||||
                        {
 | 
			
		||||
                          Gateway = allAssignments.colony.internal.ipv6.address;
 | 
			
		||||
                          Destination = lib.my.colony.prefixes."${pName}".v6;
 | 
			
		||||
                        }
 | 
			
		||||
                      ]) [ "vms" "ctrs" "oci" ])));
 | 
			
		||||
                  }
 | 
			
		||||
                ];
 | 
			
		||||
              };
 | 
			
		||||
 
 | 
			
		||||
@@ -89,7 +89,7 @@ in
 | 
			
		||||
      let
 | 
			
		||||
        hosts = [
 | 
			
		||||
          "vm"
 | 
			
		||||
          "fw" "ctr"
 | 
			
		||||
          "fw" "ctr" "oci"
 | 
			
		||||
          "http" "jackflix-ctr" "chatterbox-ctr" "colony-psql-ctr"
 | 
			
		||||
        ];
 | 
			
		||||
        matchHosts = concatStringsSep "|" hosts;
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
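--- /dev/null
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -0,0 +1,154 @@
+{ lib, ... }: {
+  nixos.systems.whale2 = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "whale-vm";
+        altNames = [ "oci" ];
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.vms.v4}3";
+        ipv6 = {
+          iid = "::3";
+          address = "${lib.my.colony.start.vms.v6}3";
+        };
+      };
+      oci = {
+        name = "whale-vm-oci";
+        domain = lib.my.colony.domain;
+        ipv4 = {
+          address = "${lib.my.colony.start.oci.v4}1";
+          gateway = null;
+        };
+        ipv6.address = "${lib.my.colony.start.oci.v6}1";
+      };
+    };
+
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+      let
+        inherit (builtins) mapAttrs toJSON;
+        inherit (lib) mkIf mkMerge mkForce;
+        inherit (lib.my) networkdAssignment;
+      in
+      {
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+
+
+        ];
+
+        config = mkMerge [
+          {
+            boot = {
+              kernelParams = [ "console=ttyS0,115200n8" ];
+            };
+
+            fileSystems = {
+              "/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+              "/nix" = {
+                device = "/dev/disk/by-label/nix";
+                fsType = "ext4";
+              };
+              "/persist" = {
+                device = "/dev/disk/by-label/persist";
+                fsType = "ext4";
+                neededForBoot = true;
+              };
+
+              "/var/lib/containers" = {
+                device = "/dev/disk/by-label/oci";
+                fsType = "xfs";
+                options = [ "pquota" ];
+              };
+            };
+
+            services = {
+              fstrim.enable = true;
+              netdata.enable = true;
+            };
+
+            virtualisation = {
+              podman = {
+                enable = true;
+              };
+            };
+
+            environment = {
+              etc = {
+                "cni/net.d/90-colony.conflist".text = toJSON {
+                  cniVersion = "0.4.0";
+                  name = "colony";
+                  plugins = [
+                    {
+                      type = "bridge";
+                      bridge = "oci";
+                      isGateway = true;
+                      ipMasq = false;
+                      hairpinMode = true;
+                      ipam = {
+                        type = "host-local";
+                        routes = [
+                          { dst = "0.0.0.0/0"; }
+                          { dst = "::/0"; }
+                        ];
+                        ranges = [
+                          [
+                            {
+                              subnet = lib.my.colony.prefixes.oci.v4;
+                              gateway = lib.my.colony.start.oci.v4 + "1";
+                            }
+                          ]
+                          [
+                            {
+                              subnet = lib.my.colony.prefixes.oci.v6;
+                              gateway = lib.my.colony.start.oci.v6 + "1";
+                            }
+                          ]
+                        ];
+                      };
+                      capabilities.ips = true;
+                    }
+                  ];
+                };
+              };
+            };
+
+            systemd.network = {
+              links = {
+                "10-vms" = {
+                  matchConfig.MACAddress = "52:54:00:d5:d9:c6";
+                  linkConfig.Name = "vms";
+                };
+              };
+
+              networks = {
+                "80-vms" = networkdAssignment "vms" assignments.internal;
+              };
+            };
+
+            my = {
+              secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBTIj1jVdknXLNNroMJfgy7S2cSUC/qgFdnaUopEUzZ";
+              server.enable = true;
+
+              firewall = {
+                tcp.allowed = [ 19999 ];
+                trustedInterfaces = [ "oci" ];
+                extraRules = ''
+                  table inet filter {
+                    chain forward {
+                      # Trust that the outer firewall has done the filtering!
+                      iifname vms oifname oci accept
+                    }
+                  }
+                '';
+              };
+            };
+          }
+        ];
+      };
+  };
+}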
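Review bot: `tcp.allowed = [ 19999 ]` opens the netdata dashboard port on every interface the `my.firewall` module does not list as trusted, and netdata's web UI has no built-in authentication, so whoever can reach the `vms` address of this guest gets the full metrics view; if the outer colony firewall is what is meant to gate this, say so next to the line, e.g. `# netdata dashboard; only reachable via the vms network, external access is filtered by the colony firewall`, or bind netdata to the internal address instead. How `tcp.allowed` maps onto interfaces is defined by the module, not this file. Separately, the CNI `ipam.ranges` gateways `lib.my.colony.start.oci.v4 + "1"` and `lib.my.colony.start.oci.v6 + "1"` restate the `assignments.oci` addresses built a few lines earlier as `"${lib.my.colony.start.oci.v4}1"`; `gateway = assignments.oci.ipv4.address;` and `gateway = assignments.oci.ipv6.address;` keep the bridge gateway and the host's own address from drifting apart. `mapAttrs` and `allAssignments` are brought into scope but unused, and the `imports` list carries two blank lines.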
@@ -129,6 +129,8 @@ in
 | 
			
		||||
          "/root/.nix-defexpr"
 | 
			
		||||
 | 
			
		||||
          "/var/lib/logrotate.status"
 | 
			
		||||
 | 
			
		||||
          "/etc/cni/net.d/cni.lock"
 | 
			
		||||
        ];
 | 
			
		||||
        persistence.config = {
 | 
			
		||||
          # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
 | 
			
		||||
@@ -326,6 +328,15 @@ in
 | 
			
		||||
          }
 | 
			
		||||
        ];
 | 
			
		||||
      })
 | 
			
		||||
      (mkIf config.virtualisation.podman.enable {
 | 
			
		||||
        my.tmproot.persistence.config.directories = [
 | 
			
		||||
          {
 | 
			
		||||
            directory = "/var/cache/containers";
 | 
			
		||||
            mode = "750";
 | 
			
		||||
          }
 | 
			
		||||
          "/var/lib/cni"
 | 
			
		||||
        ];
 | 
			
		||||
      })
 | 
			
		||||
      (mkIf config.my.build.isDevVM {
 | 
			
		||||
        fileSystems = mkVMOverride {
 | 
			
		||||
          # Hijack the "root" device for persistence in the VM
 | 
			
		||||
 
 | 
			
		||||
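Review bot: `"/var/lib/cni"` is persisted as a bare path while the sibling `/var/cache/containers` entry sets `mode = "750"`; if a bare entry defaults to a wider mode (the module's default is not visible here), the CNI state directory ends up more readable than the container cache, so either give it the same `{ directory = "/var/lib/cni"; mode = "750"; }` form or note why it does not need one. The earlier hunk `@@ -129,6 +129,8 @@` adds `/etc/cni/net.d/cni.lock` to a file list that, as far as that hunk shows, is not gated on `config.virtualisation.podman.enable`, unlike this block; moving it under the same `mkIf` keeps hosts without podman from persisting a CNI lock file. The enclosing `mkMerge` list starts and ends outside the hunk.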