From 799c41ec586590f3298a9e3f6526796911d5220b Mon Sep 17 00:00:00 2001 From: Victor Date: Sat, 30 Jul 2022 13:12:10 +0200 Subject: [PATCH 1/8] switched single host to colmena --- flake.nix | 36 ++++++++++++++++++++++--- hosts.nix | 1 - nixos/common/default.nix | 7 +---- nixos/hosts/bastion/configuration.nix | 2 +- nixos/hosts/minecraft/configuration.nix | 2 +- 5 files changed, 36 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index 095cf3f..105f09c 100644 --- a/flake.nix +++ b/flake.nix @@ -26,7 +26,7 @@ }; outputs = - { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, ... }@inputs: + { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, minecraft-servers, ... }@inputs: let inherit (nixpkgs) lib; inherit (builtins) filter mapAttrs; @@ -83,8 +83,37 @@ in { # Make the config and deploy sets - nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; - deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts; + # nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; + # deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts; + + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = [ + (import ./nixos/pkgs) + minecraft-servers.overlays.default + ]; + specialArgs = { + inherit hosts; + }; + }; + }; + + minecraft = { + imports = [ + vault-secrets.nixosModules.vault-secrets + ./nixos/common + "${./.}/nixos/hosts/minecraft/configuration.nix" + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./nixos/common/generic-lxc.nix + ]; + deployment = { + targetHost = "10.42.42.21"; + targetUser = "victor"; + }; + }; + }; apps.${system} = rec { @@ -114,6 +143,7 @@ # This only support bash so just execute zsh in bash as a workaround :/ shellHook = "zsh; exit $?"; buildInputs = with pkgs; [ + colmena deploy-rs.packages.${system}.deploy-rs fluxcd k9s diff --git a/hosts.nix b/hosts.nix index 02fb68f..4b3a9a5 100644 --- a/hosts.nix 
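Review bot: Commenting out `nixosConfigurations` and `deploy.nodes` in the `@@ -83` hunk removes every host except minecraft from the flake's outputs, so the other entries in `nixHosts` can no longer be built or deployed from this commit even though only one host was moved to colmena. Keeping `nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;` next to the new `colmena` attribute would let the two deployment paths coexist during the migration; if the removal is deliberate, the two lines should be deleted rather than kept as commented-out code. The `minecraft` node also hard-codes `targetHost = "10.42.42.21"` and `targetUser = "victor"` while the same address already lives in hosts.nix, which invites the two to drift apart. The `outputs` function starts and ends outside the hunk.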
+++ b/hosts.nix @@ -97,7 +97,6 @@ hostname = "minecraft"; ip = "10.42.42.21"; mac = "EA:30:73:E4:B6:69"; - nix = false; } { hostname = "gitea"; diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 7ce3305..a17e5fd 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -1,8 +1,7 @@ -{ config, inputs, pkgs, ... }: +{ config, pkgs, ... }: { imports = [ - inputs.vault-secrets.nixosModules.vault-secrets # User account definitions ./users ./services @@ -37,10 +36,6 @@ }; nixpkgs.config.allowUnfree = true; - nixpkgs.overlays = [ - (import ../pkgs) - inputs.minecraft-servers.overlays.default - ]; # Limit the systemd journal to 100 MB of disk or the # last 7 days of logs, whichever happens first. diff --git a/nixos/hosts/bastion/configuration.nix b/nixos/hosts/bastion/configuration.nix index c26cc8f..8a2309f 100644 --- a/nixos/hosts/bastion/configuration.nix +++ b/nixos/hosts/bastion/configuration.nix @@ -45,7 +45,7 @@ in { # Additional packages environment.systemPackages = with pkgs; [ binutils - checkov + colmena fix-vscode fluxcd k9s diff --git a/nixos/hosts/minecraft/configuration.nix b/nixos/hosts/minecraft/configuration.nix index 1b0bba5..3b5fcf6 100644 --- a/nixos/hosts/minecraft/configuration.nix +++ b/nixos/hosts/minecraft/configuration.nix @@ -24,7 +24,7 @@ networking.firewall.allowedTCPPorts = [ ]; services.minecraft-server = { - enable = true; + enable = false; package = pkgs.minecraftServers.purpur_1_18; jvmOpts = "--add-modules=jdk.incubator.vector -Xmx2048M -Xms2048M"; From ee9a017c467036778b32882cd2441e5d65d9f8a2 Mon Sep 17 00:00:00 2001 From: Victor Date: Sat, 30 Jul 2022 16:42:46 +0200 Subject: [PATCH 2/8] remove deploy-rs --- flake.lock | 86 +++++++++++++++++++++++------------------- flake.nix | 108 ++++++++++++++++------------------------------------- 2 files changed, 80 insertions(+), 114 deletions(-) diff --git a/flake.lock b/flake.lock index 20c5d67..dd5b9e2 100644 --- a/flake.lock +++ b/flake.lock 
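Review bot: The bastion hunk replaces `checkov` with `colmena` in `environment.systemPackages`, which silently drops the IaC scanner from the host in a commit described as switching one host to colmena. If dropping checkov is intended it deserves a mention in the commit message; otherwise keep `checkov` and add `colmena` on its own line so the unrelated removal does not ride along. The `environment.systemPackages` list continues outside the hunk.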
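Review bot: `enable = false;` in the minecraft hunk switches the server off with no explanation, and as far as the series is visible it is never switched back on, so a reader of the new colmena node will find a host that deploys but runs nothing. A short why-comment would avoid that, e.g. `enable = false; # temporarily disabled while this host is migrated to colmena` — assuming that is the reason. The enclosing `services.minecraft-server` block continues outside the hunk.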
@@ -26,23 +26,20 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat_2", - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils_2" + "nixpkgs": "nixpkgs_2", + "utils": "utils_3" }, "locked": { - "lastModified": 1653594315, - "narHash": "sha256-kJ0ENmnQJ4qL2FeYKZba9kvv1KmIuB3NVpBwMeI7AJQ=", + "lastModified": 1648475189, + "narHash": "sha256-gAGAS6IagwoUr1B0ohE3iR6sZ8hP4LSqzYLC8Mq3WGU=", "owner": "serokell", "repo": "deploy-rs", - "rev": "184349d8149436748986d1bdba087e4149e9c160", + "rev": "83e0c78291cd08cb827ba0d553ad9158ae5a95c3", "type": "github" }, "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" + "id": "deploy-rs", + "type": "indirect" } }, "flake-compat": { @@ -203,7 +200,7 @@ "nixpkgs": [ "nixpkgs" ], - "utils": "utils_3" + "utils": "utils_2" }, "locked": { "lastModified": 1659144434, @@ -222,7 +219,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1633098935, @@ -240,7 +237,7 @@ "nix_2": { "inputs": { "lowdown-src": "lowdown-src_2", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1633098935, @@ -273,17 +270,18 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1632864508, - "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", + "lastModified": 1648219316, + "narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", + "rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-21.05-small", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs_3": { 
@@ -301,10 +299,24 @@ "type": "indirect" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1632864508, + "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05-small", + "type": "indirect" + } + }, "root": { "inputs": { "colmena": "colmena", - "deploy-rs": "deploy-rs", "minecraft-servers": "minecraft-servers", "nixpkgs": "nixpkgs", "serokell-nix": "serokell-nix", @@ -313,9 +325,7 @@ }, "serokell-nix": { "inputs": { - "deploy-rs": [ - "deploy-rs" - ], + "deploy-rs": "deploy-rs", "flake-compat": "flake-compat_3", "flake-utils": "flake-utils_2", "gitignore-nix": "gitignore-nix", @@ -370,21 +380,6 @@ } }, "utils_2": { - "locked": { - "lastModified": 1648297722, - "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_3": { "inputs": { "flake-utils": "flake-utils" }, @@ -402,6 +397,21 @@ "type": "github" } }, + "utils_3": { + "locked": { + "lastModified": 1648297722, + "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "vault-secrets": { "inputs": { "flake-compat": "flake-compat_4", diff --git a/flake.nix b/flake.nix index 105f09c..215c76c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,15 +8,11 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - deploy-rs.url = "github:serokell/deploy-rs"; - deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; - colmena.url = "github:zhaofengli/colmena"; colmena.inputs.nixpkgs.follows = "nixpkgs"; serokell-nix.url = "github:serokell/serokell.nix"; serokell-nix.inputs.nixpkgs.follows = "nixpkgs"; - serokell-nix.inputs.deploy-rs.follows = "deploy-rs"; vault-secrets.url = "github:serokell/vault-secrets"; vault-secrets.inputs.nixpkgs.follows = "nixpkgs"; @@ -26,13 +22,14 @@ }; outputs = - { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, minecraft-servers, ... }@inputs: + { self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, ... }@inputs: let inherit (nixpkgs) lib; inherit (builtins) filter mapAttrs; system = "x86_64-linux"; hosts = import ./hosts.nix; + # TODO: consolidate with mkColmenaHost # Create a nixosConfiguration based on a foldername (nixname) and if the host is an LXC container or a VM. mkConfig = { hostname, profile ? hostname, lxc ? true, ... }: { "${profile}" = lib.nixosSystem { 
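Review bot: Dropping `serokell-nix.inputs.deploy-rs.follows = "deploy-rs"` in the `@@ -8` hunk without a replacement lets serokell-nix resolve its own deploy-rs, and the accompanying flake.lock change shows this pulls in a second, older nixpkgs (`nixpkgs_2`, `nixpkgs-unstable` at rev 30d3d79) next to the root one. Two nixpkgs trees in the lock mean two sets of package pins to keep current, and every evaluation of the dev shell or `nix flake check` fetches both. If serokell-nix still needs deploy-rs, the usual remedy is a nested follows, e.g. `serokell-nix.inputs.deploy-rs.inputs.nixpkgs.follows = "nixpkgs";`, so the extra tree collapses onto the root nixpkgs; whether serokell-nix exposes that input path should be confirmed against its flake.nix.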
@@ -49,79 +46,53 @@ }; }; - # Same as above, but for the nodes part of deploy. - mkDeploy = { ip, hostname, profile ? hostname, ... }: { + # Import all nixos host definitions that are actual nix machines + nixHosts = filter ({ nix ? true, ... }: nix) hosts; + + mkColmenaHost = { ip, hostname, profile ? hostname, lxc ? true, ... }: { "${hostname}" = { - hostname = ip; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${profile}; + imports = [ + vault-secrets.nixosModules.vault-secrets + ./nixos/common + "${./.}/nixos/hosts/${profile}/configuration.nix" + ] ++ (if lxc then [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./nixos/common/generic-lxc.nix + ] else [ ./nixos/common/generic-vm.nix ]); + + deployment = { + targetHost = ip; + targetUser = null; # Defaults to $USER }; }; }; - # Generates hosts.auto.tfvars.json for Terraform - genTFVars = - let - hostToVar = z@{ hostname, mac, ... }: { - "${hostname}" = { inherit mac; }; - }; - hostSet = lib.foldr (el: acc: acc // hostToVar el) { } hosts; - json = builtins.toJSON { hosts = hostSet; }; - in - pkgs.writeScriptBin "gen-tf-vars" '' - echo '${json}' | ${pkgs.jq}/bin/jq > terraform/hosts.auto.tfvars.json; - echo "Generated Terraform Variables"; - ''; - - # Import all nixos host definitions that are actual nix machines - nixHosts = filter ({ nix ? true, ... 
}: nix) hosts; - pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; in { # Make the config and deploy sets - # nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; - # deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts; + nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; - colmena = { - meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - overlays = [ - (import ./nixos/pkgs) - minecraft-servers.overlays.default - ]; + colmena = lib.foldr (el: acc: acc // mkColmenaHost el) + { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = [ + (import ./nixos/pkgs) + vault-secrets.overlay + minecraft-servers.overlays.default + ]; + }; specialArgs = { inherit hosts; }; }; - }; - - minecraft = { - imports = [ - vault-secrets.nixosModules.vault-secrets - ./nixos/common - "${./.}/nixos/hosts/minecraft/configuration.nix" - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./nixos/common/generic-lxc.nix - ]; - deployment = { - targetHost = "10.42.42.21"; - targetUser = "victor"; - }; - }; - }; - + } + nixHosts; apps.${system} = rec { - default = deploy; - deploy = { - type = "app"; - program = "${deploy-rs.packages.${system}.deploy-rs}/bin/deploy"; - }; vault-push-approles = { type = "app"; program = "${pkgs.vault-push-approles self}/bin/vault-push-approles"; @@ -131,10 +102,6 @@ program = "${pkgs.vault-push-approle-envs self}/bin/vault-push-approle-envs"; }; - tfvars = { - type = "app"; - program = "${genTFVars}/bin/gen-tf-vars"; - }; }; # Use by running `nix develop` @@ -144,7 +111,6 @@ shellHook = "zsh; exit $?"; buildInputs = with pkgs; [ colmena - deploy-rs.packages.${system}.deploy-rs fluxcd k9s kubectl 
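Review bot: The restored `nixosConfigurations` in this hunk evaluates each host through `mkConfig`, whose `lib.nixosSystem` call (in the preceding hunk) passes no overlays, while the `./nixos/pkgs` and `minecraft-servers` overlays now live only under `colmena.meta.nixpkgs` after being removed from nixos/common/default.nix earlier in the series. A host configuration that references something from those overlays, such as the minecraft host's `pkgs.minecraftServers.purpur_1_18`, will therefore evaluate under `colmena` but fail under `nixosConfigurations.<name>`. One way to keep both paths in step is a single `overlays = [ ... ];` binding in the `let` block, used by `colmena.meta.nixpkgs` and added to `mkConfig`'s `modules` as the inline module `{ nixpkgs.overlays = overlays; }`. `mkColmenaHost` sets `targetUser = null`, which the comment says falls back to the invoking user, so each node then depends on that user's privilege-escalation rights on the target; that assumption is worth stating in the comment. The `outputs` function starts and ends outside the hunk.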
@@ -153,17 +119,7 @@ nixfmt nixUnstable vault - # (vault-push-approles self { }) - # (vault-push-approle-envs self { }) - genTFVars ]; }; - - # Filter out non-system checks: https://github.com/NixOS/nixpkgs/issues/175875#issuecomment-1152996862 - checks = lib.filterAttrs - (a: _: a == system) - (builtins.mapAttrs - (system: deployLib: deployLib.deployChecks self.deploy) - deploy-rs.lib); }; } From 5f5cfcb8d18634feb376e9763b4b07f8b3b4c1ea Mon Sep 17 00:00:00 2001 From: Victor Date: Sat, 30 Jul 2022 17:15:58 +0200 Subject: [PATCH 3/8] most of colmena done --- flake.nix | 59 +++++++++++++++++++++++-------------------------------- 1 file changed, 25 insertions(+), 34 deletions(-) diff --git a/flake.nix b/flake.nix index 215c76c..efa8789 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,38 +28,32 @@ inherit (builtins) filter mapAttrs; system = "x86_64-linux"; hosts = import ./hosts.nix; + specialArgs = { inherit hosts inputs; }; + # Filter all nixos host definitions that are actual nix machines + nixHosts = filter ({ nix ? true, ... }: nix) hosts; + + resolveImports = { hostname, profile ? hostname, lxc ? true, ... }: [ + vault-secrets.nixosModules.vault-secrets + ./nixos/common + "${./.}/nixos/hosts/${profile}/configuration.nix" + ] ++ (if lxc then [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./nixos/common/generic-lxc.nix + ] + else [ ./nixos/common/generic-vm.nix ]); - # TODO: consolidate with mkColmenaHost # Create a nixosConfiguration based on a foldername (nixname) and if the host is an LXC container or a VM. - mkConfig = { hostname, profile ? hostname, lxc ? true, ... }: { + mkConfig = { hostname, profile ? hostname, lxc ? true, ... }@host: { "${profile}" = lib.nixosSystem { inherit system; - modules = [ - ./nixos/common - "${./.}/nixos/hosts/${profile}/configuration.nix" - ] ++ (if lxc then [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./nixos/common/generic-lxc.nix - ] else - [ ./nixos/common/generic-vm.nix ]); - specialArgs = { inherit hosts inputs; }; + inherit specialArgs; + modules = resolveImports host; }; }; - # Import all nixos host definitions that are actual nix machines - nixHosts = filter ({ nix ? true, ... }: nix) hosts; - - mkColmenaHost = { ip, hostname, profile ? hostname, lxc ? true, ... }: { + mkColmenaHost = { ip, hostname, profile ? hostname, lxc ? true, ... }@host: { "${hostname}" = { - imports = [ - vault-secrets.nixosModules.vault-secrets - ./nixos/common - "${./.}/nixos/hosts/${profile}/configuration.nix" - ] ++ (if lxc then [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ./nixos/common/generic-lxc.nix - ] else [ ./nixos/common/generic-vm.nix ]); - + imports = resolveImports host; deployment = { targetHost = ip; targetUser = null; # Defaults to $USER 
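Review bot: `mkConfig` in this hunk still destructures `profile ? hostname` and `lxc ? true` although both now flow only through `host` into `resolveImports`, so the names are unused bindings that hint at logic that is no longer there; `mkConfig = { hostname, profile ? hostname, ... }@host: {` is all it needs, and the same applies to `mkColmenaHost`, which now uses only `ip` and `hostname`. `specialArgs` gains `inputs`, so every module can reach every flake input; that is convenient but makes the module interface implicit, and a comment saying which inputs modules are expected to use would help the next reader.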
@@ -67,8 +61,7 @@ }; }; - pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; - + legacyPackages = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; in { # Make the config and deploy sets @@ -78,16 +71,14 @@ { meta = { nixpkgs = import nixpkgs { - system = "x86_64-linux"; + inherit system; overlays = [ (import ./nixos/pkgs) vault-secrets.overlay minecraft-servers.overlays.default ]; }; - specialArgs = { - inherit hosts; - }; + inherit specialArgs; }; } nixHosts; @@ -95,21 +86,21 @@ apps.${system} = rec { vault-push-approles = { type = "app"; - program = "${pkgs.vault-push-approles self}/bin/vault-push-approles"; + program = "${legacyPackages.vault-push-approles self}/bin/vault-push-approles"; }; vault-push-approle-envs = { type = "app"; program = - "${pkgs.vault-push-approle-envs self}/bin/vault-push-approle-envs"; + "${legacyPackages.vault-push-approle-envs self}/bin/vault-push-approle-envs"; }; }; # Use by running `nix develop` - devShells.${system}.default = pkgs.mkShell { + devShells.${system}.default = legacyPackages.mkShell { VAULT_ADDR = "http://vault.olympus:8200/"; # This only support bash so just execute zsh in bash as a workaround :/ shellHook = "zsh; exit $?"; - buildInputs = with pkgs; [ + buildInputs = with legacyPackages; [ colmena fluxcd k9s From 34dd2d59846fd6d1354c83975251ef8ec55c431e Mon Sep 17 00:00:00 2001 From: Victor Date: Sat, 30 Jul 2022 18:02:40 +0200 Subject: [PATCH 4/8] colmena last touches --- flake.nix | 38 +++++++++------------------ nixos/common/default.nix | 14 +++++++++- nixos/common/users/default.nix | 2 +- nixos/hosts/bastion/configuration.nix | 1 - 4 files changed, 26 insertions(+), 29 deletions(-) diff --git a/flake.nix b/flake.nix index efa8789..8d99ab8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -22,7 +22,7 @@ }; outputs = - { self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, ... }@inputs: + { self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, colmena, ... }@inputs: let inherit (nixpkgs) lib; inherit (builtins) filter mapAttrs; @@ -32,8 +32,8 @@ # Filter all nixos host definitions that are actual nix machines nixHosts = filter ({ nix ? true, ... }: nix) hosts; + # Resolve imports based on a foldername (nixname) and if the host is an LXC container or a VM. resolveImports = { hostname, profile ? hostname, lxc ? true, ... }: [ - vault-secrets.nixosModules.vault-secrets ./nixos/common "${./.}/nixos/hosts/${profile}/configuration.nix" ] ++ (if lxc then [ @@ -42,16 +42,14 @@ ] else [ ./nixos/common/generic-vm.nix ]); - # Create a nixosConfiguration based on a foldername (nixname) and if the host is an LXC container or a VM. - mkConfig = { hostname, profile ? hostname, lxc ? true, ... }@host: { - "${profile}" = lib.nixosSystem { - inherit system; - inherit specialArgs; - modules = resolveImports host; + mkConfig = { hostname, ... }@host: { + "${hostname}" = lib.nixosSystem { + inherit system specialArgs; + modules = resolveImports host; }; }; - mkColmenaHost = { ip, hostname, profile ? hostname, lxc ? true, ... }@host: { + mkColmenaHost = { ip, hostname, ... }@host: { "${hostname}" = { imports = resolveImports host; deployment = { @@ -61,7 +59,7 @@ }; }; - legacyPackages = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; + pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; in { # Make the config and deploy sets @@ -74,7 +72,6 @@ inherit system; overlays = [ (import ./nixos/pkgs) - vault-secrets.overlay minecraft-servers.overlays.default ]; }; 
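Review bot: `colmena` is added to the `outputs` argument set in the `@@ -22` hunk, but within the visible hunks of this commit it is not referenced, while the same commit removes `colmena` from the dev shell's `buildInputs` and from bastion's `environment.systemPackages`. Unless the input is consumed elsewhere in the file, the result is that no colmena binary is on the path from which `colmena apply` is meant to run; if the intent is to use the pinned input rather than the nixpkgs package, something like `colmena.packages.${system}.colmena` in `buildInputs` would do, otherwise the destructured name is dead. This is hedged, since the rest of flake.nix is outside the hunk.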
@@ -83,25 +80,12 @@ } nixHosts; - apps.${system} = rec { - vault-push-approles = { - type = "app"; - program = "${legacyPackages.vault-push-approles self}/bin/vault-push-approles"; - }; - vault-push-approle-envs = { - type = "app"; - program = - "${legacyPackages.vault-push-approle-envs self}/bin/vault-push-approle-envs"; - }; - }; - # Use by running `nix develop` - devShells.${system}.default = legacyPackages.mkShell { + devShells.${system}.default = pkgs.mkShell { VAULT_ADDR = "http://vault.olympus:8200/"; # This only support bash so just execute zsh in bash as a workaround :/ shellHook = "zsh; exit $?"; - buildInputs = with legacyPackages; [ - colmena + buildInputs = with pkgs; [ fluxcd k9s kubectl @@ -110,6 +94,8 @@ nixfmt nixUnstable vault + (vault-push-approle-envs self) + (vault-push-approle-approles self) ]; }; }; diff --git a/nixos/common/default.nix b/nixos/common/default.nix index a17e5fd..9c0ef6e 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -1,7 +1,8 @@ -{ config, pkgs, ... }: +{ config, pkgs, inputs, ... }: { imports = [ + inputs.vault-secrets.nixosModules.vault-secrets # User account definitions ./users ./services @@ -23,13 +24,24 @@ "https://cachix.cachix.org" "https://nix-community.cachix.org" "https://nixpkgs-review-bot.cachix.org" + "https://colmena.cachix.org" ]; trusted-public-keys = [ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" + "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" ]; }; + gc = { + dates = "weekly"; + automatic = true; + randomizedDelaySec = "45min"; + }; + optimise = { + automatic = true; + dates = "weekly"; + }; extraOptions = '' experimental-features = nix-command flakes ''; diff --git a/nixos/common/users/default.nix b/nixos/common/users/default.nix index 96ae9ce..5cb68df 100644 
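Review bot: `(vault-push-approle-approles self)` in the `@@ -110` hunk looks like a typo: the two apps removed in the previous hunk were `vault-push-approles` and `vault-push-approle-envs`, and `pkgs` is the same serokell-nix `pkgsWith` set, so this name will most likely fail evaluation of the dev shell with an undefined-variable error. The line should read `(vault-push-approles self)`. Because `nix develop` is the only consumer, the breakage would surface only when someone next enters the shell.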
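Review bot: The `@@ -23` hunk of nixos/common/default.nix adds `colmena.cachix.org` and its public key to the common module, which makes every managed host trust signed store paths from that cache, although only the machine that runs `colmena apply` needs to fetch colmena itself. Substituter trust is a per-host trust decision, so scoping it to the deploying host (or to the dev shell via the flake's `nixConfig`) leaves the other hosts' trust set unchanged; if it is deliberately global, a comment such as `# only the deploying host needs this cache; kept in common for simplicity` records the trade-off. The enclosing `nix.settings` block starts outside the hunk.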
--- a/nixos/common/users/default.nix +++ b/nixos/common/users/default.nix @@ -48,7 +48,7 @@ ]; # Make me admin - extraGroups = [ "wheel" ]; + extraGroups = [ "systemd-journal" "wheel" ]; }; # Configure the root account diff --git a/nixos/hosts/bastion/configuration.nix b/nixos/hosts/bastion/configuration.nix index 8a2309f..5d9adbb 100644 --- a/nixos/hosts/bastion/configuration.nix +++ b/nixos/hosts/bastion/configuration.nix @@ -45,7 +45,6 @@ in { # Additional packages environment.systemPackages = with pkgs; [ binutils - colmena fix-vscode fluxcd k9s From 1f937300ff57a423524e5c55de5c4c2e2b1fab0c Mon Sep 17 00:00:00 2001 
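Review bot: The comment above `extraGroups` still says `# Make me admin`, but the list now also grants `systemd-journal`, which is read access to the journal rather than an admin right; `# Make me admin and allow reading the journal without sudo` would describe both entries. The enclosing user definition starts outside the hunk.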
From: Victor Date: Sat, 30 Jul 2022 22:16:44 +0200 Subject: [PATCH 5/8] start set up for multi-location nixos flake --- flake.nix | 19 ++++++++++++------- nixos/common/default.nix | 3 ++- nixos/hosts/default.nix | 4 ++++ .../{ => olympus}/_template/configuration.nix | 0 .../{ => olympus}/bastion/configuration.nix | 0 .../bastion/hardware-configuration.nix | 0 .../{ => olympus}/database/configuration.nix | 0 hosts.nix => nixos/hosts/olympus/default.nix | 1 + .../{ => olympus}/dhcp/configuration.nix | 3 ++- .../hosts/{ => olympus}/dns/configuration.nix | 8 +++++--- .../{ => olympus}/gitea/configuration.nix | 0 .../{ => olympus}/hedgedoc/configuration.nix | 0 .../hosts/{ => olympus}/k3s/configuration.nix | 0 .../k3s/hardware-configuration.nix | 0 .../{ => olympus}/minecraft/configuration.nix | 0 .../{ => olympus}/minio/configuration.nix | 0 .../{ => olympus}/mosquitto/configuration.nix | 0 .../{ => olympus}/nginx/configuration.nix | 0 .../{ => olympus}/synapse/configuration.nix | 0 .../{ => olympus}/unifi/configuration.nix | 0 .../{ => olympus}/vault/configuration.nix | 0 .../victoriametrics/configuration.nix | 0 .../{ => olympus}/wireguard/configuration.nix | 0 23 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 nixos/hosts/default.nix rename nixos/hosts/{ => olympus}/_template/configuration.nix (100%) rename nixos/hosts/{ => olympus}/bastion/configuration.nix (100%) rename nixos/hosts/{ => olympus}/bastion/hardware-configuration.nix (100%) rename nixos/hosts/{ => olympus}/database/configuration.nix (100%) rename hosts.nix => nixos/hosts/olympus/default.nix (99%) rename nixos/hosts/{ => olympus}/dhcp/configuration.nix (96%) rename nixos/hosts/{ => olympus}/dns/configuration.nix (88%) rename nixos/hosts/{ => olympus}/gitea/configuration.nix (100%) rename nixos/hosts/{ => olympus}/hedgedoc/configuration.nix (100%) rename nixos/hosts/{ => olympus}/k3s/configuration.nix (100%) rename nixos/hosts/{ => olympus}/k3s/hardware-configuration.nix (100%) 
rename nixos/hosts/{ => olympus}/minecraft/configuration.nix (100%) rename nixos/hosts/{ => olympus}/minio/configuration.nix (100%) rename nixos/hosts/{ => olympus}/mosquitto/configuration.nix (100%) rename nixos/hosts/{ => olympus}/nginx/configuration.nix (100%) rename nixos/hosts/{ => olympus}/synapse/configuration.nix (100%) rename nixos/hosts/{ => olympus}/unifi/configuration.nix (100%) rename nixos/hosts/{ => olympus}/vault/configuration.nix (100%) rename nixos/hosts/{ => olympus}/victoriametrics/configuration.nix (100%) rename nixos/hosts/{ => olympus}/wireguard/configuration.nix (100%) diff --git a/flake.nix b/flake.nix index 8d99ab8..3cb3feb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -25,17 +25,21 @@ { self, nixpkgs, vault-secrets, serokell-nix, minecraft-servers, colmena, ... }@inputs: let inherit (nixpkgs) lib; - inherit (builtins) filter mapAttrs; + inherit (builtins) filter mapAttrs attrValues concatLists; system = "x86_64-linux"; - hosts = import ./hosts.nix; - specialArgs = { inherit hosts inputs; }; + # import and add location qualifier to all hosts + hosts = mapAttrs (location: lhosts: map ({ tags ? [ ], ... }@x: x // { tags = [ location ] ++ tags; inherit location; }) lhosts) (import ./nixos/hosts); + # flatten hosts to single list + flat_hosts = concatLists (attrValues hosts); # Filter all nixos host definitions that are actual nix machines - nixHosts = filter ({ nix ? true, ... }: nix) hosts; + nixHosts = filter ({ nix ? true, ... }: nix) flat_hosts; + # Define args each module gets access to (access to hosts is useful for DNS/DHCP) + specialArgs = { inherit hosts flat_hosts inputs; }; # Resolve imports based on a foldername (nixname) and if the host is an LXC container or a VM. - resolveImports = { hostname, profile ? hostname, lxc ? true, ... }: [ + resolveImports = { hostname, location, profile ? hostname, lxc ? true, ... }: [ ./nixos/common - "${./.}/nixos/hosts/${profile}/configuration.nix" + "${./.}/nixos/hosts/${location}/${profile}/configuration.nix" ] ++ (if lxc then [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./nixos/common/generic-lxc.nix @@ -49,10 +53,11 @@ }; }; - mkColmenaHost = { ip, hostname, ... }@host: { + mkColmenaHost = { ip, hostname, tags, ... }@host: { "${hostname}" = { imports = resolveImports host; deployment = { + inherit tags; targetHost = ip; targetUser = null; # Defaults to $USER }; diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 9c0ef6e..bc1478b 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix 
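Review bot: The `hosts` binding in the `@@ -25` hunk packs the import, the per-location `map`, the tag prefixing and the `location` injection into one line, which is hard to read and to diff later. Splitting the per-host step out keeps the behaviour and names the intent, e.g. `qualify = location: { tags ? [ ], ... }@host: host // { inherit location; tags = [ location ] ++ tags; };` followed by `hosts = mapAttrs (location: map (qualify location)) (import ./nixos/hosts);`. `flat_hosts` also breaks the file's camelCase convention (`nixHosts`, `specialArgs`); `flatHosts` would match, though the name is now part of `specialArgs`, so any module using it would need the same rename. `mkColmenaHost` in the `@@ -49` hunk takes `tags` with no default, which works only because every host passes through the tagging map first; a one-line comment stating that dependency would help.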
@@ -40,7 +40,7 @@ }; optimise = { automatic = true; - dates = "weekly"; + dates = [ "weekly" ]; }; extraOptions = '' experimental-features = nix-command flakes @@ -63,6 +63,7 @@ permitRootLogin = "no"; }; + # TODO: Location dependent vault-secrets = { vaultPrefix = "secrets/nixos"; vaultAddress = "http://vault.olympus:8200/"; diff --git a/nixos/hosts/default.nix b/nixos/hosts/default.nix new file mode 100644 index 0000000..b325b5b --- /dev/null +++ b/nixos/hosts/default.nix @@ -0,0 +1,4 @@ +{ + olympus = import ./olympus; + hades = []; +} diff --git a/nixos/hosts/_template/configuration.nix b/nixos/hosts/olympus/_template/configuration.nix similarity index 100% rename from nixos/hosts/_template/configuration.nix rename to nixos/hosts/olympus/_template/configuration.nix diff --git a/nixos/hosts/bastion/configuration.nix b/nixos/hosts/olympus/bastion/configuration.nix similarity index 100% rename from nixos/hosts/bastion/configuration.nix rename to nixos/hosts/olympus/bastion/configuration.nix diff --git a/nixos/hosts/bastion/hardware-configuration.nix b/nixos/hosts/olympus/bastion/hardware-configuration.nix similarity index 100% rename from nixos/hosts/bastion/hardware-configuration.nix rename to nixos/hosts/olympus/bastion/hardware-configuration.nix diff --git a/nixos/hosts/database/configuration.nix b/nixos/hosts/olympus/database/configuration.nix similarity index 100% rename from nixos/hosts/database/configuration.nix rename to nixos/hosts/olympus/database/configuration.nix diff --git a/hosts.nix b/nixos/hosts/olympus/default.nix similarity index 99% rename from hosts.nix rename to nixos/hosts/olympus/default.nix index 4b3a9a5..95bac89 100644 --- a/hosts.nix +++ b/nixos/hosts/olympus/default.nix @@ -46,6 +46,7 @@ ip = "10.42.42.9"; ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6"; mac = "6A:C2:89:85:CF:A6"; + tags = [ "web" ]; } { hostname = "k3s-node1"; 
diff --git a/nixos/hosts/dhcp/configuration.nix b/nixos/hosts/olympus/dhcp/configuration.nix similarity index 96% rename from nixos/hosts/dhcp/configuration.nix rename to nixos/hosts/olympus/dhcp/configuration.nix index 1451139..339f731 100644 --- a/nixos/hosts/dhcp/configuration.nix +++ b/nixos/hosts/olympus/dhcp/configuration.nix @@ -5,6 +5,7 @@ let hostName = hostname; ipAddress = ip; }; + hosts' = hosts.olympus; in { imports = [ ]; @@ -47,6 +48,6 @@ in { range 10.42.43.1 10.42.43.254; } ''; - machines = map hostToDhcp hosts; + machines = map hostToDhcp hosts'; }; } diff --git a/nixos/hosts/dns/configuration.nix b/nixos/hosts/olympus/dns/configuration.nix similarity index 88% rename from nixos/hosts/dns/configuration.nix rename to nixos/hosts/olympus/dns/configuration.nix index d4535f4..2dd32df 100644 --- a/nixos/hosts/dns/configuration.nix +++ b/nixos/hosts/olympus/dns/configuration.nix @@ -2,7 +2,9 @@ let inherit (builtins) filter hasAttr; localdomain = "olympus"; - ipv6Hosts = filter (hasAttr "ip6") hosts; + # TODO: use location attr in hosts + hosts' = hosts.${localdomain}; + ipv6Hosts = filter (hasAttr "ip6") hosts'; localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"''; local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"''; @@ -38,8 +40,8 @@ in { interface = [ "0.0.0.0" "::0" ]; local-zone = ''"${localdomain}." transparent''; - local-data = (map localData hosts) ++ (map local6Data ipv6Hosts); - local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts); + local-data = (map localData hosts') ++ (map local6Data ipv6Hosts); + local-data-ptr = (map ptrData hosts') ++ (map ptr6Data ipv6Hosts); access-control = [ "127.0.0.1/32 allow_snoop" diff --git a/nixos/hosts/gitea/configuration.nix b/nixos/hosts/olympus/gitea/configuration.nix similarity index 100% rename from nixos/hosts/gitea/configuration.nix rename to nixos/hosts/olympus/gitea/configuration.nix 
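Review bot: `hosts' = hosts.olympus;` in the dhcp hunk hard-codes the location, and unlike the dns change in the same commit it carries no TODO noting that the location should come from the host's own `location` attribute. Mirroring the dns file — a `localdomain` binding plus `hosts' = hosts.${localdomain};` with the same `# TODO: use location attr in hosts` comment — keeps the two network-service configs consistent until the location is passed through. The `let` block starts outside the hunk.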
diff --git a/nixos/hosts/hedgedoc/configuration.nix b/nixos/hosts/olympus/hedgedoc/configuration.nix similarity index 100% rename from nixos/hosts/hedgedoc/configuration.nix rename to nixos/hosts/olympus/hedgedoc/configuration.nix diff --git a/nixos/hosts/k3s/configuration.nix b/nixos/hosts/olympus/k3s/configuration.nix similarity index 100% rename from nixos/hosts/k3s/configuration.nix rename to nixos/hosts/olympus/k3s/configuration.nix diff --git a/nixos/hosts/k3s/hardware-configuration.nix b/nixos/hosts/olympus/k3s/hardware-configuration.nix similarity index 100% rename from nixos/hosts/k3s/hardware-configuration.nix rename to nixos/hosts/olympus/k3s/hardware-configuration.nix diff --git a/nixos/hosts/minecraft/configuration.nix b/nixos/hosts/olympus/minecraft/configuration.nix similarity index 100% rename from nixos/hosts/minecraft/configuration.nix rename to nixos/hosts/olympus/minecraft/configuration.nix diff --git a/nixos/hosts/minio/configuration.nix b/nixos/hosts/olympus/minio/configuration.nix similarity index 100% rename from nixos/hosts/minio/configuration.nix rename to nixos/hosts/olympus/minio/configuration.nix diff --git a/nixos/hosts/mosquitto/configuration.nix b/nixos/hosts/olympus/mosquitto/configuration.nix similarity index 100% rename from nixos/hosts/mosquitto/configuration.nix rename to nixos/hosts/olympus/mosquitto/configuration.nix diff --git a/nixos/hosts/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix similarity index 100% rename from nixos/hosts/nginx/configuration.nix rename to nixos/hosts/olympus/nginx/configuration.nix diff --git a/nixos/hosts/synapse/configuration.nix b/nixos/hosts/olympus/synapse/configuration.nix similarity index 100% rename from nixos/hosts/synapse/configuration.nix rename to nixos/hosts/olympus/synapse/configuration.nix 
diff --git a/nixos/hosts/unifi/configuration.nix b/nixos/hosts/olympus/unifi/configuration.nix similarity index 100% rename from nixos/hosts/unifi/configuration.nix rename to nixos/hosts/olympus/unifi/configuration.nix diff --git a/nixos/hosts/vault/configuration.nix b/nixos/hosts/olympus/vault/configuration.nix similarity index 100% rename from nixos/hosts/vault/configuration.nix rename to nixos/hosts/olympus/vault/configuration.nix diff --git a/nixos/hosts/victoriametrics/configuration.nix b/nixos/hosts/olympus/victoriametrics/configuration.nix similarity index 100% rename from nixos/hosts/victoriametrics/configuration.nix rename to nixos/hosts/olympus/victoriametrics/configuration.nix diff --git a/nixos/hosts/wireguard/configuration.nix b/nixos/hosts/olympus/wireguard/configuration.nix similarity index 100% rename from nixos/hosts/wireguard/configuration.nix rename to nixos/hosts/olympus/wireguard/configuration.nix From 378e3831e4bf3450436a3e0877ca5ec630404626 Mon Sep 17 00:00:00 2001 
From: Victor Date: Sat, 30 Jul 2022 22:57:42 +0200 Subject: [PATCH 6/8] set hostname toplevel --- flake.nix | 6 +++++- nixos/hosts/olympus/bastion/configuration.nix | 2 -- nixos/hosts/olympus/database/configuration.nix | 2 -- nixos/hosts/olympus/dhcp/configuration.nix | 1 - nixos/hosts/olympus/dns/configuration.nix | 2 -- nixos/hosts/olympus/gitea/configuration.nix | 2 -- nixos/hosts/olympus/hedgedoc/configuration.nix | 2 -- nixos/hosts/olympus/k3s/configuration.nix | 2 -- nixos/hosts/olympus/minecraft/configuration.nix | 2 -- nixos/hosts/olympus/minio/configuration.nix | 2 -- nixos/hosts/olympus/mosquitto/configuration.nix | 2 -- nixos/hosts/olympus/nginx/configuration.nix | 2 -- nixos/hosts/olympus/synapse/configuration.nix | 2 -- nixos/hosts/olympus/unifi/configuration.nix | 2 -- nixos/hosts/olympus/vault/configuration.nix | 2 -- nixos/hosts/olympus/victoriametrics/configuration.nix | 2 -- nixos/hosts/olympus/wireguard/configuration.nix | 2 -- 17 files changed, 5 insertions(+), 32 deletions(-) diff --git a/flake.nix b/flake.nix index 3cb3feb..e9983bc 100644 --- a/flake.nix +++ b/flake.nix @@ -53,9 +53,13 @@ }; }; - mkColmenaHost = { ip, hostname, tags, ... }@host: { + mkColmenaHost = { ip, hostname, tags, location, ... }@host: { "${hostname}" = { imports = resolveImports host; + networking = { + hostName = hostname; + domain = location; + }; deployment = { inherit tags; targetHost = ip; diff --git a/nixos/hosts/olympus/bastion/configuration.nix b/nixos/hosts/olympus/bastion/configuration.nix index 5d9adbb..c79003f 100644 --- a/nixos/hosts/olympus/bastion/configuration.nix +++ b/nixos/hosts/olympus/bastion/configuration.nix @@ -28,8 +28,6 @@ in { boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; - networking.hostName = "bastion"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave 
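Review bot: `networking.hostName` and `networking.domain` are now set only inside `mkColmenaHost`, while this commit deletes the per-host `networking.hostName` lines from every configuration.nix, so the `nixosConfigurations.<name>` path built by `mkConfig` (outside this hunk) no longer sets a hostname and falls back to the NixOS default. Since both paths share `resolveImports`, the setting belongs there as an inline module so the two cannot diverge, e.g. appending `{ networking = { hostName = hostname; domain = location; }; }` to the list `resolveImports` returns and dropping the block from `mkColmenaHost`. Setting `networking.domain` to the location also changes each host's FQDN (e.g. `bastion.olympus`), which dns/configuration.nix already assumes via `localdomain`; worth confirming that is intended for the `hades` location as well.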
diff --git a/nixos/hosts/olympus/database/configuration.nix b/nixos/hosts/olympus/database/configuration.nix index 5e3f68f..7fb8861 100644 --- a/nixos/hosts/olympus/database/configuration.nix +++ b/nixos/hosts/olympus/database/configuration.nix @@ -9,8 +9,6 @@ in { imports = [ ]; - networking.hostName = "database"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/dhcp/configuration.nix b/nixos/hosts/olympus/dhcp/configuration.nix index 339f731..9c7db31 100644 --- a/nixos/hosts/olympus/dhcp/configuration.nix +++ b/nixos/hosts/olympus/dhcp/configuration.nix @@ -10,7 +10,6 @@ in { imports = [ ]; networking = { - hostName = "dhcp"; defaultGateway = "10.42.42.1"; nameservers = [ "10.42.42.15" "10.42.42.16" ]; interfaces.eth0 = { diff --git a/nixos/hosts/olympus/dns/configuration.nix b/nixos/hosts/olympus/dns/configuration.nix index 2dd32df..21b81a5 100644 --- a/nixos/hosts/olympus/dns/configuration.nix +++ b/nixos/hosts/olympus/dns/configuration.nix @@ -13,8 +13,6 @@ let in { imports = [ ]; - networking.hostName = "dns"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/gitea/configuration.nix b/nixos/hosts/olympus/gitea/configuration.nix index 848982f..f0cc409 100644 --- a/nixos/hosts/olympus/gitea/configuration.nix +++ b/nixos/hosts/olympus/gitea/configuration.nix @@ -6,8 +6,6 @@ { imports = [ ]; - networking.hostName = "gitea"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave 
diff --git a/nixos/hosts/olympus/hedgedoc/configuration.nix b/nixos/hosts/olympus/hedgedoc/configuration.nix index dbb8dd3..1f06d8d 100644 --- a/nixos/hosts/olympus/hedgedoc/configuration.nix +++ b/nixos/hosts/olympus/hedgedoc/configuration.nix @@ -11,8 +11,6 @@ in { imports = [ ]; - networking.hostName = "hedgedoc"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/k3s/configuration.nix b/nixos/hosts/olympus/k3s/configuration.nix index 8cba9eb..a6d715a 100644 --- a/nixos/hosts/olympus/k3s/configuration.nix +++ b/nixos/hosts/olympus/k3s/configuration.nix @@ -14,8 +14,6 @@ boot.kernel.sysctl."fs.inotify.max_user_instances" = 2147483647; # INT_MAX, dynamically limited based on available memory boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576; - networking.hostName = "k3s-node1"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/minecraft/configuration.nix b/nixos/hosts/olympus/minecraft/configuration.nix index 3b5fcf6..35a5844 100644 --- a/nixos/hosts/olympus/minecraft/configuration.nix +++ b/nixos/hosts/olympus/minecraft/configuration.nix @@ -6,8 +6,6 @@ { imports = [ ]; - networking.hostName = "minecraft"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/minio/configuration.nix b/nixos/hosts/olympus/minio/configuration.nix index ad3b26d..a73bf0b 100644 --- a/nixos/hosts/olympus/minio/configuration.nix +++ b/nixos/hosts/olympus/minio/configuration.nix 
@@ -10,8 +10,6 @@ let in { imports = [ ]; - networking.hostName = "minio"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/mosquitto/configuration.nix b/nixos/hosts/olympus/mosquitto/configuration.nix index 1fbe8b3..a30040e 100644 --- a/nixos/hosts/olympus/mosquitto/configuration.nix +++ b/nixos/hosts/olympus/mosquitto/configuration.nix @@ -8,8 +8,6 @@ in { imports = [ ]; - networking.hostName = "mosquitto"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix index d8c5afe..a9ccc83 100644 --- a/nixos/hosts/olympus/nginx/configuration.nix +++ b/nixos/hosts/olympus/nginx/configuration.nix @@ -24,8 +24,6 @@ let ''; in { - networking.hostName = "nginx"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/synapse/configuration.nix b/nixos/hosts/olympus/synapse/configuration.nix index 84d2e72..088fd81 100644 --- a/nixos/hosts/olympus/synapse/configuration.nix +++ b/nixos/hosts/olympus/synapse/configuration.nix @@ -11,8 +11,6 @@ in { imports = [ ]; - networking.hostName = "synapse"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/unifi/configuration.nix b/nixos/hosts/olympus/unifi/configuration.nix index c2e6d5d..b7cb490 100644 
--- a/nixos/hosts/olympus/unifi/configuration.nix +++ b/nixos/hosts/olympus/unifi/configuration.nix @@ -7,8 +7,6 @@ { imports = [ ]; - networking.hostName = "unifi"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/vault/configuration.nix b/nixos/hosts/olympus/vault/configuration.nix index 9553941..23e416a 100644 --- a/nixos/hosts/olympus/vault/configuration.nix +++ b/nixos/hosts/olympus/vault/configuration.nix @@ -5,8 +5,6 @@ { config, pkgs, ... }: let port = 8200; in { - networking.hostName = "vault"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/victoriametrics/configuration.nix b/nixos/hosts/olympus/victoriametrics/configuration.nix index 2a5372f..57331a9 100644 --- a/nixos/hosts/olympus/victoriametrics/configuration.nix +++ b/nixos/hosts/olympus/victoriametrics/configuration.nix @@ -10,8 +10,6 @@ in { imports = [ ]; - networking.hostName = "victoriametrics"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/wireguard/configuration.nix b/nixos/hosts/olympus/wireguard/configuration.nix index 27236a2..16ffd62 100644 --- a/nixos/hosts/olympus/wireguard/configuration.nix +++ b/nixos/hosts/olympus/wireguard/configuration.nix 
@@ -7,8 +7,6 @@ let vs = config.vault-secrets.secrets; in { imports = [ ]; - networking.hostName = "wireguard"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave From 1e3192f8659c7c98e2b2a491ebb4d0caed1b1019 Mon Sep 17 00:00:00 2001 From: Victor Date: Sat, 30 Jul 2022 23:17:06 +0200 Subject: [PATCH 7/8] make dns multi-location aware --- flake.nix | 5 +++-- nixos/hosts/olympus/dns/configuration.nix | 21 +++++++++++---------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index e9983bc..a2f0d1f 100644 --- a/flake.nix +++ b/flake.nix @@ -95,6 +95,7 @@ # This only support bash so just execute zsh in bash as a workaround :/ shellHook = "zsh; exit $?"; buildInputs = with pkgs; [ + colmena.packages.x86_64-linux.colmena fluxcd k9s kubectl @@ -103,8 +104,8 @@ nixfmt nixUnstable vault - (vault-push-approle-envs self) - (vault-push-approle-approles self) + # (vault-push-approle-envs self) + # (vault-push-approle-approles self) ]; }; }; diff --git a/nixos/hosts/olympus/dns/configuration.nix b/nixos/hosts/olympus/dns/configuration.nix index 21b81a5..7173acc 100644 --- a/nixos/hosts/olympus/dns/configuration.nix +++ b/nixos/hosts/olympus/dns/configuration.nix 
@@ -1,15 +1,15 @@ -{ config, pkgs, hosts, ... }: +{ config, pkgs, hosts, flat_hosts, ... }: let - inherit (builtins) filter hasAttr; - localdomain = "olympus"; - # TODO: use location attr in hosts - hosts' = hosts.${localdomain}; + inherit (builtins) filter hasAttr attrNames; + hosts' = flat_hosts; + domains = attrNames hosts; + ipv6Hosts = filter (hasAttr "ip6") hosts'; - localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"''; - local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"''; - ptrData = { hostname, ip, ... }: ''"${ip} ${hostname}.${localdomain}"''; - ptr6Data = { hostname, ip6, ... }: ''"${ip6} ${hostname}.${localdomain}"''; + localData = { hostname, location, ip, ... }: ''"${hostname}.${location}. A ${ip}"''; + local6Data = { hostname, location, ip6, ... }: ''"${hostname}.${location}. AAAA ${ip6}"''; + ptrData = { hostname, location, ip, ... }: ''"${ip} ${hostname}.${location}"''; + ptr6Data = { hostname, location, ip6, ... }: ''"${ip6} ${hostname}.${location}"''; in { imports = [ ]; @@ -37,7 +37,7 @@ in { interface-automatic = "yes"; interface = [ "0.0.0.0" "::0" ]; - local-zone = ''"${localdomain}." transparent''; + local-zone = map (localdomain: ''"${localdomain}}." transparent'') domains; local-data = (map localData hosts') ++ (map local6Data ipv6Hosts); local-data-ptr = (map ptrData hosts') ++ (map ptr6Data ipv6Hosts); @@ -46,6 +46,7 @@ in { "::1 allow_snoop" "10.42.0.0/16 allow" "127.0.0.0/8 allow" + "192.168.0.0/23 allow" "192.168.2.0/24 allow" "::1/128 allow" ]; From ecfc36e0174c0c9597e5a7b124956e420db3e7a7 Mon Sep 17 00:00:00 2001 
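Review bot: The module now takes a `flat_hosts` argument (`{ config, pkgs, hosts, flat_hosts, ... }:` and `hosts' = flat_hosts;`), but none of the flake.nix hunks in this series adds `flat_hosts` to the colmena `specialArgs`, so unless it is supplied elsewhere evaluation fails with an undefined-argument error. If it is passed from the flake, a line at the top would save the next reader the search, e.g. `# flat_hosts: every host across all locations (flake.nix specialArgs); hosts: per-location attrset`. The record helpers also now destructure `location` (`{ hostname, location, ip, ... }`), so a host record without that attribute fails inside `map localData hosts'` — the same requirement raised on the mkColmenaHost hunk.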
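Review bot: The rewritten `local-zone` line has a stray brace in the interpolation — `''"${localdomain}}." transparent''` renders as `"olympus}." transparent`, so the zone declared transparent is `olympus}.` rather than `olympus.`; it should read `local-zone = map (localdomain: ''"${localdomain}." transparent'') domains;`. As far as I recall unbound implicitly creates a transparent zone for `local-data` that falls under no declared zone, which is why resolution would keep working and the typo would go unnoticed until someone reads the generated config.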
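Review bot: The added `"192.168.0.0/23 allow"` widens the resolver's `access-control` to a second RFC 1918 range with nothing recording which site it belongs to, unlike the 10.42.0.0/16 entry that matches the olympus addresses used elsewhere in this series. A trailing comment, e.g. `"192.168.0.0/23 allow" # <location> LAN — name the site that uses this range`, keeps the ACL auditable, and it is worth confirming that a /23 (192.168.0.0–192.168.1.255) is intended rather than a /24, given the neighbouring `"192.168.2.0/24 allow"` entry.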
From: Victor Date: Sat, 30 Jul 2022 23:35:52 +0200 Subject: [PATCH 8/8] final changes for tonight --- flake.nix | 7 ++++--- nixos/common/default.nix | 11 +++-------- nixos/common/users/default.nix | 2 +- nixos/hosts/default.nix | 2 +- nixos/hosts/hades/default.nix | 1 + nixos/hosts/olympus/_template/configuration.nix | 2 -- nixos/hosts/olympus/dhcp/configuration.nix | 7 ++++--- 7 files changed, 14 insertions(+), 18 deletions(-) create mode 100644 nixos/hosts/hades/default.nix diff --git a/flake.nix b/flake.nix index a2f0d1f..90a08b1 100644 --- a/flake.nix +++ b/flake.nix @@ -71,9 +71,10 @@ pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; in { - # Make the config and deploy sets + # Make the nixosConfigurations, mostly for vault-secrets nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; + # Make the coleman configuration colmena = lib.foldr (el: acc: acc // mkColmenaHost el) { meta = { @@ -104,8 +105,8 @@ nixfmt nixUnstable vault - # (vault-push-approle-envs self) - # (vault-push-approle-approles self) + (vault-push-approle-envs self) + (vault-push-approle-approles self) ]; }; }; diff --git a/nixos/common/default.nix b/nixos/common/default.nix index bc1478b..215ad9b 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, inputs, ... }: +{ config, lib, pkgs, inputs, ... }: { imports = [ @@ -32,11 +32,7 @@ "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" ]; - }; - gc = { - dates = "weekly"; - automatic = true; - randomizedDelaySec = "45min"; + # Also use zsh for root; }; optimise = { automatic = true; 
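Review bot: The added comment `# Make the coleman configuration` misspells the tool; it should read `# Make the colmena configuration`. The other added comment, `# Make the nixosConfigurations, mostly for vault-secrets`, would be more useful if it said what vault-secrets needs them for — presumably the approle push apps re-enabled further down in this patch, though the mkConfig body is outside the hunk so that is inferred.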
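Review bot: The hunk in nixos/common/default.nix drops the whole `gc = { dates = "weekly"; automatic = true; randomizedDelaySec = "45min"; };` block from the `nix` settings and puts `# Also use zsh for root;` in its place — a comment that belongs to the root-user block in users/default.nix and means nothing here, so this looks like an accidental edit rather than a deliberate change, and the commit message does not mention garbage collection. If disabling automatic GC is intended, replace the stray comment with one saying why and where store cleanup now happens; otherwise restore the four removed lines. Without periodic GC, old generations and build results accumulate on the deployed hosts until the store fills the disk, which is an availability concern for the containers this flake manages.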
@@ -63,8 +59,7 @@ permitRootLogin = "no"; }; - # TODO: Location dependent - vault-secrets = { + vault-secrets = lib.mkIf (config.networking.domain == "olympus") { vaultPrefix = "secrets/nixos"; vaultAddress = "http://vault.olympus:8200/"; approlePrefix = "olympus-${config.networking.hostName}"; diff --git a/nixos/common/users/default.nix b/nixos/common/users/default.nix index 5cb68df..3036bae 100644 --- a/nixos/common/users/default.nix +++ b/nixos/common/users/default.nix @@ -54,7 +54,7 @@ # Configure the root account users.extraUsers.root = { # Allow my SSH keys for logging in as root. - openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys; + openssh.authorizedKeys.keys = config.users.extraUsers.victor.openssh.authorizedKeys.keys; # Also use zsh for root shell = pkgs.zsh; }; diff --git a/nixos/hosts/default.nix b/nixos/hosts/default.nix index b325b5b..a09236d 100644 --- a/nixos/hosts/default.nix +++ b/nixos/hosts/default.nix @@ -1,4 +1,4 @@ { + hades = import ./hades; olympus = import ./olympus; - hades = []; } diff --git a/nixos/hosts/hades/default.nix b/nixos/hosts/hades/default.nix new file mode 100644 index 0000000..fe51488 --- /dev/null +++ b/nixos/hosts/hades/default.nix @@ -0,0 +1 @@ +[] diff --git a/nixos/hosts/olympus/_template/configuration.nix b/nixos/hosts/olympus/_template/configuration.nix index b33d3f0..e660f64 100644 --- a/nixos/hosts/olympus/_template/configuration.nix +++ b/nixos/hosts/olympus/_template/configuration.nix @@ -7,8 +7,6 @@ { imports = [ ]; - networking.hostName = "template"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/hosts/olympus/dhcp/configuration.nix b/nixos/hosts/olympus/dhcp/configuration.nix index 9c7db31..afd5cf9 100644 --- a/nixos/hosts/olympus/dhcp/configuration.nix 
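Review bot: `vault-secrets = lib.mkIf (config.networking.domain == "olympus") {` gates the block on a literal that is repeated in `vaultAddress` and `approlePrefix` a few lines later; now that `networking.domain` is set per host from its location, the location could drive those values as well (`approlePrefix = "${config.networking.domain}-${config.networking.hostName}";`) so only the `mkIf` carries the list of locations that have a vault. Note that `networking.domain` defaults to null, so any evaluation path that does not go through mkColmenaHost — for instance the `nixosConfigurations` this patch keeps "mostly for vault-secrets", if mkConfig does not set the domain — silently ends up with no vault-secrets configuration instead of an error; a comment on the `mkIf` line recording that the condition relies on mkColmenaHost setting the domain would help. The unchanged `vaultAddress = "http://vault.olympus:8200/"` means approle logins and the returned token travel in cleartext on the LAN; if the vault listener supports TLS, pointing this at `https://` is the cheap fix.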
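Review bot: Reading the root keys from `config.users.extraUsers.victor` instead of `config.users.users.victor` changes nothing at runtime — `users.extraUsers` is an alias for `users.users` in NixOS — so the edit is only about consistency, and the conventional spelling to standardise on is `users.users`, both here and for the `users.extraUsers.root = {` definition itself. Separately, this block keeps granting victor's keys to root while the sshd settings shown earlier in this patch have `permitRootLogin = "no"`, so the root `authorizedKeys` are inert for SSH as configured; a comment such as `# inert for sshd while permitRootLogin = "no"; kept for <stated reason>` would tell the next reader whether the keys can simply be dropped.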
+++ b/nixos/hosts/olympus/dhcp/configuration.nix @@ -5,7 +5,8 @@ let hostName = hostname; ipAddress = ip; }; - hosts' = hosts.olympus; + localDomain = config.networking.domain; + hosts' = hosts.${localDomain}; in { imports = [ ]; @@ -41,8 +42,8 @@ in { option broadcast-address 10.42.43.255; option routers 10.42.42.1; option domain-name-servers 10.42.42.15, 10.42.42.16; - option domain-name "olympus"; - option domain-search "olympus"; + option domain-name "${localDomain}"; + option domain-search "${localDomain}"; subnet 10.42.42.0 netmask 255.255.254.0 { range 10.42.43.1 10.42.43.254; }
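Review bot: `hosts' = hosts.${localDomain};` with `localDomain = config.networking.domain;` dereferences null when the domain is unset (`networking.domain` defaults to null), and the interpolations `option domain-name "${localDomain}";` and `option domain-search "${localDomain}";` in the second hunk fail the same way, with an error that does not name the cause; since only mkColmenaHost sets the domain in this series, any other evaluation path breaks here. A guarded binding makes the failure explicit: `localDomain = if config.networking.domain == null then throw "dhcp: networking.domain must be set (it selects the hosts.<location> set)" else config.networking.domain;`. The `let` block this binding belongs to starts before the hunk.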