From 7279ea13e9942842fac7180199fdb58073498cf1 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 11 Nov 2022 16:39:48 +0100 Subject: [PATCH] more test vm config --- .gitignore | 2 + .sops.yaml | 4 +- flake.nix | 6 +- hosts/quitte-vm/configuration.nix | 71 ++++++++++++++++++++++ hosts/quitte-vm/hardware-configuration.nix | 31 ++++++++++ hosts/quitte/configuration.nix | 66 +------------------- modules/base.nix | 2 +- modules/vm.nix | 6 +- 8 files changed, 116 insertions(+), 72 deletions(-) create mode 100644 .gitignore create mode 100644 hosts/quitte-vm/configuration.nix create mode 100644 hosts/quitte-vm/hardware-configuration.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8cb727e --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.qcow2 +result diff --git a/.sops.yaml b/.sops.yaml index 8cd66ef..61e4baa 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,7 +7,7 @@ keys: # private key stored in repo, used for test VM - &test age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh creation_rules: - - path_regex: secrets/durian\.yaml$ + - path_regex: secrets/quitte\.yaml$ key_groups: - pgp: - *bennofs @@ -15,7 +15,7 @@ creation_rules: - *felix age: - *durian - - path_regex: secrets\.test\.yaml$ + - path_regex: secrets/test\.yaml$ key_groups: - pgp: - *bennofs diff --git a/flake.nix b/flake.nix index c6934a6..087bed7 100755 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ let in { #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; - packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.vm; + packages."x86_64-linux".quitte = self.nixosConfigurations.quitte-vm.config.system.build.vm; packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; nixosConfigurations = { 
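Review bot: The pattern `.qcow2` matches only a file literally named `.qcow2`, so the VM disk image the qemu-vm module writes next to the run script (by default `nixos.qcow2`, if I recall correctly) is not covered and would still be swept up by `git add .`; the line should read `*.qcow2`. That image is the VM's writable root filesystem and accumulates whatever state the VM produces at runtime, so keeping it out of history matters more than the `result` symlink does.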
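Review bot: The first creation rule is re-pointed to `secrets/quitte\.yaml$`, but its age recipient is still `*durian` (visible in the context of the second hunk); if quitte's host key is a different age identity than durian's, sops-nix on quitte will not be able to decrypt that file, so this should be checked against the key definitions above the hunk. With the flake's VM block at @-84 no longer referencing `secrets/durian.yaml` either, any remaining `durian.yaml` in the repository looks orphaned and should be removed or re-encrypted under the new rule with `sops updatekeys`.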
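Review bot: The `secrets/test\.yaml$` rule is keyed to `*test`, which the comment above describes as a private key stored in the repository, so everything encrypted under this rule is readable by anyone with read access to the repo; that property is easy to forget once the rule looks like the others, and deserves a comment on the rule itself, e.g. `# decryptable with the committed test key: dummy values only, never real credentials`. The regex change from `secrets\.test\.yaml$` to `secrets/test\.yaml$` is consistent with the `./secrets/test.yaml` path now used in flake.nix and modules/vm.nix.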
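Review bot: `self.nixosConfigurations.quitte-vm` is referenced here, but no hunk in this patch adds a `quitte-vm` entry under `nixosConfigurations`, and the VM-related hunk at @-73 imports `./hosts/quitte/configuration.nix` rather than the new `./hosts/quitte-vm/configuration.nix`. If the entry is renamed in context that is not visible here this is fine; otherwise `nix build` of the default package fails on a missing attribute and the new host file is never imported by anything. Whichever configuration is meant, the module list at @-73 should name the host file that matches it, so the hostname and network values written for the VM are the ones it actually gets.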
@@ -73,8 +73,8 @@ system = "x86_64-linux"; modules = [ inputs.sops-nix.nixosModules.sops + ./hosts/quitte/configuration.nix ./modules/base.nix - ./modules/sops.nix ./modules/keycloak.nix ./modules/nginx.nix ./modules/hedgedoc.nix @@ -84,7 +84,7 @@ "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" { _module.args.buildVM = true; - sops.defaultSopsFile = ./secrets/durian.yaml; + sops.defaultSopsFile = ./secrets/test.yaml; } ]; }; diff --git a/hosts/quitte-vm/configuration.nix b/hosts/quitte-vm/configuration.nix new file mode 100644 index 0000000..8413fb3 --- /dev/null +++ b/hosts/quitte-vm/configuration.nix 
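Review bot: Importing `./hosts/quitte/configuration.nix` into the VM build pulls the production host's settings into the test VM, including `services.openssh.permitRootLogin = "yes"` (visible in the @-28 hunk of that file), while modules/vm.nix gives root an empty password; that combination is only safe as long as the VM stays behind qemu user networking with its default gateway forced to null, and that dependency should be written down where the import happens, e.g. `# reuses the production config; vm.nix must stay in this list to keep root unreachable`. `./modules/sops.nix` is dropped from the list, but its contents are not visible here, so I cannot tell whether anything it set (key paths, additional sops files) is now lost for the VM. The module list this hunk edits begins and ends outside the hunk.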
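Review bot: `sops.defaultSopsFile = ./secrets/test.yaml;` is set here without `mkForce`, while modules/vm.nix sets the same option to the same file with `lib.mkForce`; if vm.nix is part of this module list (not visible in the hunk) this line is redundant, and if it is not, the VM still relies on whatever age/SSH key paths the host defaults provide rather than the committed test key. Defining the sops file in exactly one place avoids the two drifting apart again, as `quitte-vm.yaml` and `durian.yaml` had before this patch.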
@@ -0,0 +1,71 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, inputs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # setup NIX_PATH for flakes + nix.nixPath = [ + "nixpkgs=${inputs.nixpkgs}" + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + networking.hostName = "espresso"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens3 = { + useDHCP = false; + ipv4.addresses = [ + { + address = "141.30.30.150"; + prefixLength = 25; + } + ]; + }; + + # enp65s0f0np0^C + networking.defaultGateway = "141.30.30.129"; + networking.nameservers = [ "9.9.9.9" ]; + + # allow building for aarch64 (pi) target + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. 
It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? + +} + diff --git a/hosts/quitte-vm/hardware-configuration.nix b/hosts/quitte-vm/hardware-configuration.nix new file mode 100644 index 0000000..aaf2678 --- /dev/null +++ b/hosts/quitte-vm/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/6d8f4b96-4ccb-4a94-a9b1-bab4a28fc940"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/58C2-5A6A"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + +} diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix index 34416b0..b8ba887 100644 --- a/hosts/quitte/configuration.nix +++ b/hosts/quitte/configuration.nix @@ -1,13 +1,8 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ]; 
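Review bot: `networking.hostName = "espresso"` in the new hosts/quitte-vm/configuration.nix matches neither the directory nor the `quitte-vm` attribute flake.nix refers to, and the static `141.30.30.150/25` with gateway `141.30.30.129` sits on the same subnet the production quitte config uses; if this VM is ever bridged onto that network instead of qemu user networking, it would contend for an address there. modules/vm.nix forces `networking.useDHCP = false` and `networking.defaultGateway = null`, so when vm.nix is imported this whole interface block is overridden and is dead configuration; either way a comment stating which case is intended would help, e.g. `# static address only for a bridged VM; vm.nix nulls the gateway for the default user-mode setup`. The `# enp65s0f0np0^C` line looks like a terminal paste artifact and should be removed. `boot.loader.grub.device = "/dev/sda"` with a vfat `/boot` on a virtio disk in the generated hardware config may indicate an EFI layout rather than BIOS GRUB, which is worth confirming by actually booting the image.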
@@ -28,80 +23,23 @@ } ]; }; + networking.defaultGateway = "141.30.30.129"; networking.nameservers = [ "141.30.1.1" ]; networking.hostName = "quitte"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. # Set your time zone. time.timeZone = "Europe/Berlin"; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkbOptions in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = { - # "eurosign:e"; - # "caps:escape" # map caps to escape. - # }; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.jane = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # packages = with pkgs; [ - # firefox - # thunderbird - # ]; - # }; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + vim wget git ]; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. 
- # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.permitRootLogin = "yes"; diff --git a/modules/base.nix b/modules/base.nix index 56df325..9f10ac3 100755 --- a/modules/base.nix +++ b/modules/base.nix @@ -38,7 +38,7 @@ ../keys/ssh/jannusch-arch ../keys/ssh/tassilo ../keys/ssh/jonasga - ../keys/shh/helene + ../keys/ssh/helene ]; }; diff --git a/modules/vm.nix b/modules/vm.nix index 41de9d3..e668821 100644 --- a/modules/vm.nix +++ b/modules/vm.nix @@ -6,6 +6,7 @@ ]; users.users.root.hashedPassword = ""; + users.users.root.initialPassword = ""; users.mutableUsers = false; networking.useDHCP = lib.mkForce false; @@ -14,12 +15,13 @@ }; networking.defaultGateway = lib.mkForce null; - sops.defaultSopsFile = lib.mkForce ../secrets/quitte-vm.yaml; + sops.defaultSopsFile = lib.mkForce ../secrets/test.yaml; sops.age.sshKeyPaths = lib.mkForce [ ]; sops.gnupg.sshKeyPaths = lib.mkForce [ ]; - sops.age.keyFile = lib.mkForce "${../keys/gpg/test.age}"; + sops.age.keyFile = lib.mkForce "${../keys/test.age}"; sops.age.generateKey = lib.mkForce false; + # don't use production endpoint for test vm, to avoid rate limiting security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
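Review bot: `services.openssh.permitRootLogin = "yes"` at the end of this hunk is unchanged context, but it permits password authentication for root on the production host, and the key list in modules/base.nix suggests access is meant to be key-based; `services.openssh.permitRootLogin = "prohibit-password";` keeps key login and removes password guessing against root. Because flake.nix now imports this file into the VM build as well (@-73), the setting also reaches the test VM, where modules/vm.nix sets an empty root password; sshd's default `PermitEmptyPasswords no` blocks that today, but it is a thin margin to rely on. The added `networking.defaultGateway = "141.30.30.129";` duplicates the value in hosts/quitte-vm/configuration.nix. The enclosing attribute set begins before this hunk.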
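Review bot: `users.users.root.initialPassword = ""` is added next to the existing `users.users.root.hashedPassword = ""`; as far as I recall, NixOS gives `hashedPassword` precedence over `initialPassword` when both are set, so the new line has no effect and the empty hashed password already grants passwordless console login — confirm against the option documentation and drop the redundant one. With `users.mutableUsers = false` the empty password is re-applied on every activation, so if a passwordless test VM is the intent, state it where the option is set, e.g. `# test VM only: root has no password; never import this module into a host config`. The enclosing attribute set begins before this hunk.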
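Review bot: `"${../keys/test.age}"` interpolates the age private key into the Nix store, where it is world-readable on every machine that evaluates this configuration; that is acceptable only because .sops.yaml already describes this key as committed to the repository, and the assumption should sit next to the line, e.g. `# throwaway key, committed on purpose; it must only ever encrypt secrets/test.yaml`. `sops.defaultSopsFile` is set to the same file in flake.nix's VM block (@-84) without `mkForce`, so one of the two definitions is redundant and they can drift apart again. The comment explaining the ACME staging endpoint is a good addition. The enclosing attribute set begins before this hunk.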