add lots of rules for vmVariant

2024-12-26 01:18:01 +01:00 · 2024-12-26 01:18:01 +01:00 · f143b3b5eb
commit f143b3b5eb
parent 6a66681dec
23 changed files with 112 additions and 26 deletions
--- a/.envrc
+++ b/.envrc
@ -26,3 +26,5 @@ fi
 if rg 'TODO' -q ; then
  echo "There are $(rg 'TODO' | wc -l ) 'TODO'"
 fi
+
+export QEMU_NET_OPTS="hostfwd=tcp::10022-:22,hostfwd=tcp::10080-:80,hostfwd=tcp::10443-:443"
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,4 @@ results-*
 _*
 /logs
 mprocs.log
+*.qcow2
--- a/base.nix
+++ b/base.nix
@ -11,6 +11,17 @@
    # nice to have if i just dump this flake into /etc/nixos on a clean install
    (ifExists ./configuration.nix )
    (ifExists ./hardware-configuration.nix )
+
+    # TODO: move somewhere smart
+    {
+      options.virtualisation.isVmVariant = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+      };
+      config.virtualisation.vmVariant = {
+        virtualisation.isVmVariant = true;
+      };
+    }
  ];

  nixpkgs.overlays = [
@ -95,11 +106,24 @@

  # no acme in VM mode:
  virtualisation.vmVariant = {
-    /* users.users.root.initialPassword = "root"; */
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
  };

+  # set VM root password in VM mode
+  virtualisation.vmVariant = {
+    users.users.root.initialPassword = "root";
+  };
+
+  # fix VM networking, disable static IPs
+  virtualisation.vmVariant = {
+    networking.interfaces = lib.mkForce {};
+    networking.defaultGateway = lib.mkForce null;
+    networking.nameservers = lib.mkForce [];
+    networking.networkmanager.enable = lib.mkForce false;
+    networking.useDHCP = lib.mkForce true;
+  };
+
  # System fonts
  # Nice to have when X-forwading on headless machines
  fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
--- a/4
+++ b/4
@ -39,6 +39,10 @@ build-no-remote-builders hostname="":
 build-vm hostname=`just _a_host`:
  nixos-rebuild build-vm --accept-flake-config --show-trace --flake .#"{{hostname}}"

+build-vm-and-run $hostname=`just _a_host`:
+  @just build-vm "$hostname"
+  ./result/bin/run-"$hostname"-vm
+
 test:
  sudo nixos-rebuild test --accept-flake-config --show-trace --flake .

--- a/profiles/autossh-reverse-tunnels/default.nix
+++ b/profiles/autossh-reverse-tunnels/default.nix
@ -1,4 +1,7 @@
 { config, pkgs, lib, ... }:
+
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # AutoSSH reverse tunnels

--- a/profiles/domeneshop-dyndns.nix
+++ b/profiles/domeneshop-dyndns.nix
@ -13,8 +13,8 @@ in
      example = [ config.networking.fqdn ];
    };
  };
-
-  config = lib.mkIf (cfg.targets != []) {
+  # don't run if local VM
+  config = lib.mkIf (cfg.targets != [] && !config.virtualisation.isVmVariant) {

    users.users.domeneshop.isSystemUser = true;
    users.users.domeneshop.group = "domeneshop";
--- a/profiles/http/docs/pdoc.nix
+++ b/profiles/http/docs/pdoc.nix
@ -250,7 +250,12 @@ let
    '';
  };

-in {
+in
+
+# don't build if local vm
+lib.mkIf (!config.virtualisation.isVmVariant)
+
+{

  # Pdoc
  # Auto-generate API documentation for Python projects.
--- a/profiles/http/services/flexget.nix
+++ b/profiles/http/services/flexget.nix
@ -2,6 +2,10 @@
 let
  cfg = config.services.flexget;
 in
+
+# TODO: run in VM mode if we run transmission in the same VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {

  # Flexget
--- a/profiles/http/services/garage/gunktrunk.nix
+++ b/profiles/http/services/garage/gunktrunk.nix
@ -4,6 +4,9 @@ let
  cfg = config.services.garage;
 in

+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {

  # gunktrunk
--- a/profiles/http/services/jellyfin.nix
+++ b/profiles/http/services/jellyfin.nix
@ -1,4 +1,8 @@
 { config, pkgs, lib, inputs, mkDomain, ... }:
+
+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # Jellyfin

--- a/profiles/http/services/navidrome.nix
+++ b/profiles/http/services/navidrome.nix
@ -1,4 +1,8 @@
 { config, pkgs, lib, mkDomain, ... }:
+
+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # Navidrome
  # Music Server and Streamer compatible with Subsonic/Airsonic
--- a/profiles/http/services/plex.nix
+++ b/profiles/http/services/plex.nix
@ -1,4 +1,8 @@
 { config, pkgs, lib, inputs, mkDomain, ... }:
+
+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # Plex

--- a/profiles/http/services/polaris.nix
+++ b/profiles/http/services/polaris.nix
@ -17,7 +17,7 @@
      settings.album_art_pattern =
        "([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)";
        #"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)";
-      mount_dirs = [
+      mount_dirs = lib.mkIf (!config.virtualisation.isVmVariant) [
        { name = "Albums";    source = "/mnt/reidun/Music/Albums"; }
        { name = "dojin.co";  source = "/mnt/reidun/Music/dojin.co"; }
        { name = "Vocaloid";  source = "/mnt/reidun/Music/Vocaloid"; }
--- a/profiles/http/services/resilio.nix
+++ b/profiles/http/services/resilio.nix
@ -1,4 +1,8 @@
 { config, pkgs, lib, mkDomain, ... }:
+
+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # Resilio Sync
  # Automatically sync files via secure, distributed technology
--- a/profiles/mounts/freon-nfs.nix
+++ b/profiles/mounts/freon-nfs.nix
@ -2,6 +2,9 @@

 # TODO: use tailscale if enabled

+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # TODO: wireguard
  #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];
--- a/profiles/mounts/fridge-nfs.nix
+++ b/profiles/mounts/fridge-nfs.nix
@ -1,4 +1,8 @@
 { config, pkgs, lib, ... }:
+
+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];

--- a/profiles/mounts/meconium-zfs.nix
+++ b/profiles/mounts/meconium-zfs.nix
@ -4,7 +4,11 @@

  imports = [ ./common-zfs.nix ];

-  # non legacy-mount
-  systemd.services.zfs-mount.enable = true; # default
-  boot.zfs.extraPools = [ "Meconium" ]; # import on boot
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {
+
+    # non legacy-mount
+    systemd.services.zfs-mount.enable = true;
+    boot.zfs.extraPools = [ "Meconium" ]; # import on boot
+
+  };
 }
--- a/profiles/mounts/panorama-zfs.nix
+++ b/profiles/mounts/panorama-zfs.nix
@ -4,15 +4,19 @@

  imports = [ ./common-zfs.nix ];

-  # non legacy-mount
-  systemd.services.zfs-mount.enable = true; # default
-  boot.zfs.extraPools = [ "Panorama" ]; # import on boot
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {

-  # todo: tailscale nfs mount
+    # non legacy-mount
+    systemd.services.zfs-mount.enable = true;
+    boot.zfs.extraPools = [ "Panorama" ]; # import on boot

-  # TODO: zrepl pull
-  # https://search.nixos.org/options?channel=unstable&query=services.zrepl
-  # https://github.com/NixOS/infra/blob/8be4953d68ce81455787cd60e82086022855a3c2/build/haumea/zrepl.nix#L20
+    # todo: tailscale nfs mount
+
+    # TODO: zrepl pull
+    # https://search.nixos.org/options?channel=unstable&query=services.zrepl
+    # https://github.com/NixOS/infra/blob/8be4953d68ce81455787cd60e82086022855a3c2/build/haumea/zrepl.nix#L20
+
+    # TODO: rsync pull + snapshot?
+  };

-  # TODO: rsync pull + snapshot?
 }
--- a/profiles/mounts/reidun-nfs.nix
+++ b/profiles/mounts/reidun-nfs.nix
@ -2,6 +2,9 @@

 # TODO: use tailscale if enabled

+# don't mount if local VM
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  # TODO: wireguard
  #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];
--- a/profiles/tailscale-inner.nix
+++ b/profiles/tailscale-inner.nix
@ -1,4 +1,6 @@
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf (!config.virtualisation.isVmVariant)

 # DERP is a relay system that Tailscale uses when a direct connection cannot be established.
 # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
--- a/profiles/tailscale-outer.nix
+++ b/profiles/tailscale-outer.nix
@ -1,4 +1,6 @@
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf (!config.virtualisation.isVmVariant)

 # DERP is a relay system that Tailscale uses when a direct connection cannot be established.
 # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
--- a/profiles/vpn-pbsds/tailscale.nix
+++ b/profiles/vpn-pbsds/tailscale.nix
@ -1,8 +1,14 @@
 { config, pkgs, lib, ...}:
+
+# THIS IS NOT USED
+# see tailscale-{inner,outer}.nix instead
+
 let
  cfg = config.services.tailscale;
-  inherit (lib) mkIf getExe;
 in
+
+lib.mkIf (!config.virtualisation.isVmVariant)
+
 {
  services.tailscale.enable = true;
  networking.firewall.checkReversePath = "loose";
@ -10,7 +16,7 @@ in
  networking.firewall.allowedUDPPorts = [ cfg.port ];

  /** /
-  systemd.services."tailscale-autoconnect" = mkIf cfg.enable {
+  systemd.services."tailscale-autoconnect" = lib.mkIf cfg.enable {
    serviceConfig.Type = "oneshot";
    after = [ "network-pre.target" "tailscale.service" ];
    wants = [ "network-pre.target" "tailscale.service" ];
@ -18,12 +24,12 @@ in
    script = ''
      sleep 60 # Wait for tailscaled to settle

-      status="$(${getExe cfg.package} status -json | ${getExe pkgs.jq} -r .BackendState)"
+      status="$(${lib.getExe cfg.package} status -json | ${lib.getExe pkgs.jq} -r .BackendState)"
      if [ $status = "Running" ]; then
        exit 0 # already authenticated
      fi

-      #${getExe cfg.package} up -authkey tskey-examplekeyhere
+      #${lib.getExe cfg.package} up -authkey tskey-examplekeyhere
    '';
  };
  /**/
--- a/users/pbsds/default.nix
+++ b/users/pbsds/default.nix
@ -85,8 +85,4 @@
    ];
  };

-  #virtualisation.vmVariant = {
-  #  users.users."pbsds".initialHashedPassword = "TODO";
-  #}
-
 }