add lots of rules for vmVariant

This commit is contained in:
Peder Bergebakken Sundt 2024-12-26 01:18:01 +01:00
parent 6a66681dec
commit f143b3b5eb
23 changed files with 112 additions and 26 deletions

2
.envrc

@ -26,3 +26,5 @@ fi
if rg 'TODO' -q ; then if rg 'TODO' -q ; then
echo "There are $(rg 'TODO' | wc -l ) 'TODO'" echo "There are $(rg 'TODO' | wc -l ) 'TODO'"
fi fi
export QEMU_NET_OPTS="hostfwd=tcp::10022-:22,hostfwd=tcp::10080-:80,hostfwd=tcp::10443-:443"
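Review bot: The new `QEMU_NET_OPTS` line binds every `hostfwd` rule to all host interfaces, because the host-address field between `tcp:` and `:10022` is left empty, so 10022/10080/10443 are reachable from the LAN and not only from this machine. The same commit gives the VM variant a known root password, so the forwards should be pinned to loopback: `export QEMU_NET_OPTS="hostfwd=tcp:127.0.0.1:10022-:22,hostfwd=tcp:127.0.0.1:10080-:80,hostfwd=tcp:127.0.0.1:10443-:443"`. The hunk header counts two added lines but only this one is visible, so a second (probably blank) line seems to have been lost in rendering.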

1
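--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ results-*
 _*
 /logs
 mprocs.log
+*.qcow2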


@ -11,6 +11,17 @@
# nice to have if i just dump this flake into /etc/nixos on a clean install # nice to have if i just dump this flake into /etc/nixos on a clean install
(ifExists ./configuration.nix ) (ifExists ./configuration.nix )
(ifExists ./hardware-configuration.nix ) (ifExists ./hardware-configuration.nix )
# TODO: move somewhere smart
{
options.virtualisation.isVmVariant = lib.mkOption {
type = lib.types.bool;
default = false;
};
config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true;
};
}
]; ];
nixpkgs.overlays = [ nixpkgs.overlays = [
@ -95,11 +106,24 @@
# no acme in VM mode: # no acme in VM mode:
virtualisation.vmVariant = { virtualisation.vmVariant = {
/* users.users.root.initialPassword = "root"; */
security.acme.defaults.server = "https://127.0.0.1"; security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true; security.acme.preliminarySelfsigned = true;
}; };
# set VM root password in VM mode
virtualisation.vmVariant = {
users.users.root.initialPassword = "root";
};
# fix VM networking, disable static IPs
virtualisation.vmVariant = {
networking.interfaces = lib.mkForce {};
networking.defaultGateway = lib.mkForce null;
networking.nameservers = lib.mkForce [];
networking.networkmanager.enable = lib.mkForce false;
networking.useDHCP = lib.mkForce true;
};
# System fonts # System fonts
# Nice to have when X-forwading on headless machines # Nice to have when X-forwading on headless machines
fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
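Review bot: The `virtualisation.isVmVariant` option declared in the first hunk has no `description`, so it is undocumented in option listings and nothing records that it is only ever set through `virtualisation.vmVariant`; add `description = "True when evaluating the nixos-rebuild build-vm variant; used to skip mounts and services that need real hardware or public networking.";` next to `default = false;`. In the second hunk `virtualisation.vmVariant = { … }` is now assigned three times in what looks like the same attribute set; if they really are siblings Nix rejects the repeated attribute path, so confirm this evaluates or fold the two new blocks into the existing one. `users.users.root.initialPassword = "root"` is acceptable for a throwaway local VM only while the QEMU port forwards stay bound to loopback, since the value is stored in the world-readable Nix store and `.envrc` in this commit forwards the VM's port 22 to the host.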


@ -39,6 +39,10 @@ build-no-remote-builders hostname="":
build-vm hostname=`just _a_host`: build-vm hostname=`just _a_host`:
nixos-rebuild build-vm --accept-flake-config --show-trace --flake .#"{{hostname}}" nixos-rebuild build-vm --accept-flake-config --show-trace --flake .#"{{hostname}}"
build-vm-and-run $hostname=`just _a_host`:
@just build-vm "$hostname"
./result/bin/run-"$hostname"-vm
test: test:
sudo nixos-rebuild test --accept-flake-config --show-trace --flake . sudo nixos-rebuild test --accept-flake-config --show-trace --flake .


@ -1,4 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# AutoSSH reverse tunnels # AutoSSH reverse tunnels


@ -13,8 +13,8 @@ in
example = [ config.networking.fqdn ]; example = [ config.networking.fqdn ];
}; };
}; };
# don't run if local VM
config = lib.mkIf (cfg.targets != []) { config = lib.mkIf (cfg.targets != [] && !config.virtualisation.isVmVariant) {
users.users.domeneshop.isSystemUser = true; users.users.domeneshop.isSystemUser = true;
users.users.domeneshop.group = "domeneshop"; users.users.domeneshop.group = "domeneshop";


@ -250,7 +250,12 @@ let
''; '';
}; };
in { in
# don't build if local vm
lib.mkIf (!config.virtualisation.isVmVariant)
{
# Pdoc # Pdoc
# Auto-generate API documentation for Python projects. # Auto-generate API documentation for Python projects.


@ -2,6 +2,10 @@
let let
cfg = config.services.flexget; cfg = config.services.flexget;
in in
# TODO: run in VM mode if we run transmission in the same VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# Flexget # Flexget


@ -4,6 +4,9 @@ let
cfg = config.services.garage; cfg = config.services.garage;
in in
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# gunktrunk # gunktrunk


@ -1,4 +1,8 @@
{ config, pkgs, lib, inputs, mkDomain, ... }: { config, pkgs, lib, inputs, mkDomain, ... }:
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# Jellyfin # Jellyfin


@ -1,4 +1,8 @@
{ config, pkgs, lib, mkDomain, ... }: { config, pkgs, lib, mkDomain, ... }:
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# Navidrome # Navidrome
# Music Server and Streamer compatible with Subsonic/Airsonic # Music Server and Streamer compatible with Subsonic/Airsonic


@ -1,4 +1,8 @@
{ config, pkgs, lib, inputs, mkDomain, ... }: { config, pkgs, lib, inputs, mkDomain, ... }:
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# Plex # Plex


@ -17,7 +17,7 @@
settings.album_art_pattern = settings.album_art_pattern =
"([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)"; "([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)";
#"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)"; #"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)";
mount_dirs = [ mount_dirs = lib.mkIf (!config.virtualisation.isVmVariant) [
{ name = "Albums"; source = "/mnt/reidun/Music/Albums"; } { name = "Albums"; source = "/mnt/reidun/Music/Albums"; }
{ name = "dojin.co"; source = "/mnt/reidun/Music/dojin.co"; } { name = "dojin.co"; source = "/mnt/reidun/Music/dojin.co"; }
{ name = "Vocaloid"; source = "/mnt/reidun/Music/Vocaloid"; } { name = "Vocaloid"; source = "/mnt/reidun/Music/Vocaloid"; }
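Review bot: `mount_dirs = lib.mkIf (!config.virtualisation.isVmVariant) [ … ]` leaves the option with no definition at all in the VM variant rather than an empty list; if `mount_dirs` is a declared option without a default, the VM build fails at evaluation with an undefined-option error, whereas if `settings` is a freeform attribute set the key is simply dropped. If an empty list is what the service should see in the VM, `lib.optionals (!config.virtualisation.isVmVariant) [ … ]` states that explicitly. The enclosing `settings` block opens and closes outside the hunk.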


@ -1,4 +1,8 @@
{ config, pkgs, lib, mkDomain, ... }: { config, pkgs, lib, mkDomain, ... }:
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# Resilio Sync # Resilio Sync
# Automatically sync files via secure, distributed technology # Automatically sync files via secure, distributed technology


@ -2,6 +2,9 @@
# TODO: use tailscale if enabled # TODO: use tailscale if enabled
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# TODO: wireguard # TODO: wireguard
#boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];


@ -1,4 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
#boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];


@ -4,7 +4,11 @@
imports = [ ./common-zfs.nix ]; imports = [ ./common-zfs.nix ];
# non legacy-mount config = lib.mkIf (!config.virtualisation.isVmVariant) {
systemd.services.zfs-mount.enable = true; # default
boot.zfs.extraPools = [ "Meconium" ]; # import on boot # non legacy-mount
systemd.services.zfs-mount.enable = true;
boot.zfs.extraPools = [ "Meconium" ]; # import on boot
};
} }


@ -4,15 +4,19 @@
imports = [ ./common-zfs.nix ]; imports = [ ./common-zfs.nix ];
# non legacy-mount config = lib.mkIf (!config.virtualisation.isVmVariant) {
systemd.services.zfs-mount.enable = true; # default
boot.zfs.extraPools = [ "Panorama" ]; # import on boot
# todo: tailscale nfs mount # non legacy-mount
systemd.services.zfs-mount.enable = true;
boot.zfs.extraPools = [ "Panorama" ]; # import on boot
# TODO: zrepl pull # todo: tailscale nfs mount
# https://search.nixos.org/options?channel=unstable&query=services.zrepl
# https://github.com/NixOS/infra/blob/8be4953d68ce81455787cd60e82086022855a3c2/build/haumea/zrepl.nix#L20 # TODO: zrepl pull
# https://search.nixos.org/options?channel=unstable&query=services.zrepl
# https://github.com/NixOS/infra/blob/8be4953d68ce81455787cd60e82086022855a3c2/build/haumea/zrepl.nix#L20
# TODO: rsync pull + snapshot?
};
# TODO: rsync pull + snapshot?
} }


@ -2,6 +2,9 @@
# TODO: use tailscale if enabled # TODO: use tailscale if enabled
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
# TODO: wireguard # TODO: wireguard
#boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; #boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];


@ -1,4 +1,6 @@
{ config, ... }: { config, lib, ... }:
lib.mkIf (!config.virtualisation.isVmVariant)
# DERP is a relay system that Tailscale uses when a direct connection cannot be established. # DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp


@ -1,4 +1,6 @@
{ config, ... }: { config, lib, ... }:
lib.mkIf (!config.virtualisation.isVmVariant)
# DERP is a relay system that Tailscale uses when a direct connection cannot be established. # DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp


@ -1,8 +1,14 @@
{ config, pkgs, lib, ...}: { config, pkgs, lib, ...}:
# THIS IS NOT USED
# see tailscale-{inner,outer}.nix instead
let let
cfg = config.services.tailscale; cfg = config.services.tailscale;
inherit (lib) mkIf getExe;
in in
lib.mkIf (!config.virtualisation.isVmVariant)
{ {
services.tailscale.enable = true; services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose"; networking.firewall.checkReversePath = "loose";
@ -10,7 +16,7 @@ in
networking.firewall.allowedUDPPorts = [ cfg.port ]; networking.firewall.allowedUDPPorts = [ cfg.port ];
/** / /** /
systemd.services."tailscale-autoconnect" = mkIf cfg.enable { systemd.services."tailscale-autoconnect" = lib.mkIf cfg.enable {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
after = [ "network-pre.target" "tailscale.service" ]; after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ]; wants = [ "network-pre.target" "tailscale.service" ];
@ -18,12 +24,12 @@ in
script = '' script = ''
sleep 60 # Wait for tailscaled to settle sleep 60 # Wait for tailscaled to settle
status="$(${getExe cfg.package} status -json | ${getExe pkgs.jq} -r .BackendState)" status="$(${lib.getExe cfg.package} status -json | ${lib.getExe pkgs.jq} -r .BackendState)"
if [ $status = "Running" ]; then if [ $status = "Running" ]; then
exit 0 # already authenticated exit 0 # already authenticated
fi fi
#${getExe cfg.package} up -authkey tskey-examplekeyhere #${lib.getExe cfg.package} up -authkey tskey-examplekeyhere
''; '';
}; };
/**/ /**/
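Review bot: The header added in the first hunk says this file is not used, yet the second and third hunks keep editing it, and those edits sit inside the `/** / … /**/` block comment (the `/** /` opener is not closed until `/**/`), so swapping `mkIf`/`getExe` for `lib.mkIf`/`lib.getExe` there changes nothing. If the file is dead, deleting it is cleaner than maintaining two copies of the tailscale logic; if it is ever re-enabled, the commented `up -authkey tskey-examplekeyhere` line would embed the auth key in the world-readable Nix store, so it should come from a file outside the store (the `services.tailscale.authKeyFile` option exists for exactly this). The `in { … }` body opened by the first hunk closes outside the hunk.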


@ -85,8 +85,4 @@
]; ];
}; };
#virtualisation.vmVariant = {
# users.users."pbsds".initialHashedPassword = "TODO";
#}
} }