From a49d802954a0befe50f50d87d347546147153065 Mon Sep 17 00:00:00 2001
From: Tine
Date: Sun, 25 Aug 2024 17:47:41 +0200
Subject: [PATCH] feat: cloudinit nix cofig

---
 flake.nix | 48 -------------
 justfile | 11 ++-
 proxmox/configuration.nix | 37 ++++++++++
 flake.lock => proxmox/flake.lock | 8 +-
 proxmox/flake.nix | 70 +++++++++++++++++++
 .../configuration.nix | 41 ++--------
 terraform/node.tf | 39 +++++------
 7 files changed, 142 insertions(+), 112 deletions(-)
 delete mode 100644 flake.nix
 create mode 100644 proxmox/configuration.nix
 rename flake.lock => proxmox/flake.lock (92%)
 create mode 100644 proxmox/flake.nix
 rename configuration.nix => terraform/configuration.nix (75%)

diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index 0d0780b..0000000
--- a/flake.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
- nixos-generators = {
- url = "github:nix-community/nixos-generators";
- inputs.nixpkgs.follows = "nixpkgs";
- };
- xc = {
- url = "github:joerdav/xc";
- inputs.nixpkgs.follows = "nixpkgs";
- };
- };
-
- outputs = { nixpkgs, nixos-generators, xc, ... }:
- let
- pkgsForSystem = system: import nixpkgs {
- inherit system;
- overlays = [
- (final: prev: { xc = xc.packages.${system}.xc; })
- ];
- };
- allVMs = [ "x86_64-linux" "aarch64-linux" ];
- forAllVMs = f: nixpkgs.lib.genAttrs allVMs (system: f {
- inherit system;
- pkgs = pkgsForSystem system;
- });
- in
- {
- packages = forAllVMs ({ system, pkgs }: {
- vm = nixos-generators.nixosGenerate {
- format = "qcow-efi";
- system = system;
-
- specialArgs = {
- pkgs = pkgs;
- };
-
- modules = [
- # Pin nixpkgs to the flake input, so that the packages installed
- # come from the flake inputs.nixpkgs.url.
- ({ ... }: { nix.registry.nixpkgs.flake = nixpkgs; })
- # Apply the rest of the config.
- ./configuration.nix
- ];
- };
- });
- };
-}
diff --git a/justfile b/justfile
index 43abb89..97ac00c 100644
--- a/justfile
+++ b/justfile
@@ -13,11 +13,11 @@ lint:
 @tflint --recursive
 
 build:
- @nix build .#vm
+ @nix build ./proxmox#vm
 
 push:
 #!/usr/bin/env sh
- export NIXOS_IMAGE=$(nix path-info --quiet .#vm)/nixos.qcow2
+ export NIXOS_IMAGE=$(nix path-info --quiet ./proxmox#vm)/nixos.qcow2
 export VERSION=$(echo $NIXOS_IMAGE | cut -d'/' -f4 | cut -d'-' -f1)
 
 echo "Uploading $NIXOS_IMAGE to code.tjo.space"
@@ -30,7 +30,7 @@ push:
 
 deploy: build
 #!/usr/bin/env sh
- export NIXOS_IMAGE=$(nix path-info --quiet .#vm)/nixos.qcow2
+ export NIXOS_IMAGE=$(nix path-info --quiet ./proxmox#vm)/nixos.qcow2
 export TF_VAR_image_path=$NIXOS_IMAGE
 
 echo "Deploying $NIXOS_IMAGE"
@@ -38,3 +38,8 @@ deploy: build
 cd {{justfile_directory()}}/terraform
 tofu init
 tofu apply
+
+destroy:
+ #!/usr/bin/env sh
+ cd {{justfile_directory()}}/terraform
+ tofu destroy
diff --git a/proxmox/configuration.nix b/proxmox/configuration.nix
new file mode 100644
index 0000000..73a8890
--- /dev/null
+++ b/proxmox/configuration.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, ... }:
+{
+ system.stateVersion = "24.05";
+
+ boot.loader.systemd-boot.enable = true;
+
+ services.qemuGuest.enable = true;
+
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = lib.mkOptionDefault {
+ datasource = {
+ NoCloud = { };
+ ConfigDrive = { };
+ };
+ };
+ };
+
+ # Needed due to cloud-init.network.enable = true
+ networking.useNetworkd = true;
+
+ # Create default user
+ security.sudo.wheelNeedsPassword = false;
+ nix.settings.trusted-users = [ "nixos" ];
+ users.users.nixos = {
+ isNormalUser = true;
+ password = "hunter2";
+ extraGroups = [ "wheel" ];
+ };
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ environment.systemPackages = [ pkgs.nginx ];
+}
diff --git a/flake.lock b/proxmox/flake.lock
similarity index 92%
rename from flake.lock
rename to proxmox/flake.lock
index aaca5fc..a3c6069 100644
--- a/flake.lock
+++ b/proxmox/flake.lock
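Review bot: In the new `destroy` recipe the `cd {{justfile_directory()}}/terraform` is not checked, so if it fails `tofu destroy` runs against whatever state exists in the caller's current directory; the `deploy` recipe visible as context above has the same shape. Add `set -eu` directly after the shebang so a failed `cd` (or any other failed command) aborts the recipe instead of continuing: `#!/usr/bin/env sh`, `set -eu`, `cd {{justfile_directory()}}/terraform`. The `push` and `deploy` recipes touched by the two hunks above would benefit from the same line.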
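Review bot: The base image bakes in a fixed plaintext password (`password = "hunter2";`) for the `nixos` user, and the same file grants that user passwordless sudo (`security.sudo.wheelNeedsPassword = false;`) and `nix.settings.trusted-users`, which is root-equivalent through the Nix daemon; every instance booted from this image therefore starts with a well-known credential for a root-capable account. Since cloud-init is enabled here with the NoCloud and ConfigDrive datasources, per-instance credentials can be injected instead (terraform/configuration.nix already sets `openssh.authorizedKeys.keys` from cloud-init-delivered data), so drop the `password` line and leave `# No static password: instance credentials are delivered through cloud-init (ssh keys)` in its place. If a console login is genuinely needed for recovery, `hashedPassword` with a per-deployment secret is preferable to a literal committed to the repository. The same literal remains as unchanged context in terraform/configuration.nix (the `@@ -63,6 +34,7 @@` hunk), so it also survives the post-boot `nixos-rebuild switch`; whether sshd accepts password logins cannot be seen from these hunks.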
@@ -53,16 +53,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1720535198,
- "narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=",
+ "lastModified": 1724316499,
+ "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5",
+ "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.11",
+ "ref": "nixos-24.05",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/proxmox/flake.nix b/proxmox/flake.nix
new file mode 100644
index 0000000..56f33ae
--- /dev/null
+++ b/proxmox/flake.nix
@@ -0,0 +1,70 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ xc = {
+ url = "github:joerdav/xc";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ {
+ nixpkgs,
+ nixos-generators,
+ xc,
+ ...
+ }:
+ let
+ pkgsForSystem =
+ system:
+ import nixpkgs {
+ inherit system;
+ overlays = [ (final: prev: { xc = xc.packages.${system}.xc; }) ];
+ };
+ allVMs = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ forAllVMs =
+ f:
+ nixpkgs.lib.genAttrs allVMs (
+ system:
+ f {
+ inherit system;
+ pkgs = pkgsForSystem system;
+ }
+ );
+ in
+ {
+ packages = forAllVMs (
+ { system, pkgs }:
+ {
+ vm = nixos-generators.nixosGenerate {
+ format = "qcow-efi";
+ system = system;
+
+ specialArgs = {
+ pkgs = pkgs;
+ };
+
+ modules = [
+ # Pin nixpkgs to the flake input, so that the packages installed
+ # come from the flake inputs.nixpkgs.url.
+ (
+ { ... }:
+ {
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+ )
+ # Apply the rest of the config.
+ ./configuration.nix
+ ];
+ };
+ }
+ );
+ };
+}
diff --git a/configuration.nix b/terraform/configuration.nix
similarity index 75%
rename from configuration.nix
rename to terraform/configuration.nix
index b53fb49..d1f57de 100644
--- a/configuration.nix
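Review bot: The `xc` flake input and its overlay (`overlays = [ (final: prev: { xc = xc.packages.${system}.xc; }) ];`) are carried over into proxmox/flake.nix, but nothing visible in proxmox/configuration.nix references `pkgs.xc` (only `pkgs.nginx` is installed); if it is indeed unused, removing the input and the overlay takes one third-party flake out of the image's lockfile and out of what has to be reviewed on every update. A smaller point of style: `system = system;` inside `nixosGenerate` can be written `inherit system;`, matching the `inherit system;` already used in `pkgsForSystem` and in `forAllVMs`.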
+++ b/terraform/configuration.nix
@@ -19,42 +19,13 @@ let
 '';
 fixupPhase = "";
 };
+ instance = builtins.fromJSON (builtins.readFile "/etc/ingress.tjo.cloud.json");
 in
 {
- system.stateVersion = "23.11";
+ system.stateVersion = "24.05";
 
- # BOOT
- boot.loader.systemd-boot.enable = true;
-
- # PROXMOX
- services.qemuGuest.enable = true;
- services.cloud-init = {
- enable = true;
- network.enable = true;
- settings = lib.mkOptionDefault {
- datasource = {
- NoCloud = { };
- ConfigDrive = { };
- };
- cloud_init_modules = [
- [
- "write-files"
- "always"
- ]
- ];
- cloud_config_modules = [
- [
- "runcmd"
- "always"
- ]
- ];
- system_info = {
- default_user = {
- name = "nixos";
- };
- };
- };
- };
+ networking.hostName = instance.name;
+ networking.domain = instance.domain;
 
 # USER MANAGEMENT
 security.sudo.wheelNeedsPassword = false;
@@ -63,6 +34,7 @@ in
 isNormalUser = true;
 password = "hunter2";
 extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = instance.ssh_keys;
 };
 
 # SSH
@@ -86,7 +58,6 @@ in
 systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ];
 
 # FIREWALL
- networking.useNetworkd = true;
 networking.firewall = {
 enable = true;
 
@@ -123,6 +94,4 @@ in
 };
 };
 };
-
- environment.systemPackages = [ pkgs.nginx ];
 }
diff --git a/terraform/node.tf b/terraform/node.tf
index 428a2c6..c31a174 100644
--- a/terraform/node.tf
+++ b/terraform/node.tf
@@ -1,9 +1,12 @@
 locals {
+ domain = "ingress.tjo.cloud"
+
 nodes = {
 for k, v in var.nodes : k => merge(v, {
 id = 700 + index(keys(var.nodes), k)
 hash = sha1(v.name)
 mac_address = "AA:BB:07:00:${format("%v:%v", substr(sha1(v.name), 0, 2), substr(sha1(v.name), 2, 2))}"
+ domain = local.domain
 })
 }
 
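Review bot: The new binding `instance = builtins.fromJSON (builtins.readFile "/etc/ingress.tjo.cloud.json");` is evaluated unconditionally, so any `nixos-rebuild` run while that file is absent (before cloud-init's write_files has delivered it, or after it is deleted) aborts the whole evaluation with a raw read error rather than a message that says what is missing. Make the failure explicit, e.g. `instance = let p = "/etc/ingress.tjo.cloud.json"; in if builtins.pathExists p then builtins.fromJSON (builtins.readFile p) else throw "${p} is missing; it is written by cloud-init from the Terraform userdata";`. Also worth confirming, since the first 18 lines of this file are outside the hunk: this hunk and the `@@ -86,7 +58,6 @@` hunk remove the boot loader, qemu guest agent, cloud-init and `networking.useNetworkd` settings in favour of proxmox/configuration.nix, so unless terraform/configuration.nix imports that module, the post-boot `nixos-rebuild switch` drops them from the running system.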
@@ -27,6 +30,8 @@ locals {
 public_ipv6 = local.ipv6_addresses[k]["ens18"][0]
 internal_ipv4 = local.ipv4_addresses[k]["tailscale0"][0]
 internal_ipv6 = local.ipv6_addresses[k]["tailscale0"][0]
+ #internal_ipv4 = data.tailscale_device.ingress[k].addresses[0]
+ #internal_ipv6 = data.tailscale_device.ingress[k].addresses[1]
 })
 }
 }
@@ -36,7 +41,7 @@ resource "tailscale_tailnet_key" "ingress" {
 ephemeral = true
 preauthorized = true
 tags = ["tag:ingress-tjo-cloud"]
- description = "tailscale key for ingress-tjo-cloud nodes"
+ description = "tailscale key for ingress-tjo-cloud instances"
 }
 
 resource "proxmox_virtual_environment_file" "ingress" {
@@ -60,26 +65,20 @@ resource "proxmox_virtual_environment_file" "userdata" {
 source_raw {
 data = <<-EOF
 #cloud-config
- ssh_authorized_keys:
- %{for key in var.ssh_keys~}
- - ${key}
- %{endfor}
 write_files:
+ - path: /etc/ingress.tjo.cloud.json
+ encoding: base64
+ content: ${base64encode(jsonencode({ name : each.value.name, domain : each.value.domain, ssh_keys : var.ssh_keys }))}
 - path: /run/secrets/tailscale.com/authkey
+ permissions: '0600'
 content: ${var.tailscale_apikey}
- permissions: '0400'
- owner: root:root
 - path: /etc/nixos/configuration.nix
- content: |
- { config, pkgs, ... }:
- {
- system.stateVersion = "23.11";
- networking.hostName = "${each.value.name}";
- networking.domain = "ingress.tjo.cloud";
- }
+ encoding: base64
+ content: ${base64encode(file("${path.module}/configuration.nix"))}
 runcmd:
- - systemctl start tailscaled-autoconnect.service
- - nixos-rebuild switch
+ - source /etc/profile && nixos-rebuild switch
+ power_state:
+ mode: reboot
 EOF
 file_name = "${each.value.name}.ingress.tjo.cloud.userconfig.yaml"
 }
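Review bot: The two `#internal_ipv4 = data.tailscale_device.ingress[k].addresses[0]` / `#internal_ipv6 = ...` lines added to `locals` are commented-out code; a reader cannot tell whether they are the intended replacement for the `local.ipv4_addresses` lookups above them or an abandoned attempt, and they will silently drift from the data source they name (not visible in this diff). Either delete them or replace both with a single `# TODO(owner): switch internal_ipv4/6 to data.tailscale_device once <reason>` comment that states why the Tailscale API addresses are not used yet.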
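Review bot: `power_state: mode: reboot` is unconditional, so when `source /etc/profile && nixos-rebuild switch` fails the instance still reboots into the base image — with the image's default user and none of the firewall, SSH-key or Tailscale settings from terraform/configuration.nix — and nothing distinguishes that from a successful provision. cloud-init's `power_state` takes a `condition`, so record the outcome and gate the reboot on it: change the runcmd entry to `- source /etc/profile && nixos-rebuild switch && touch /run/nixos-rebuild.ok` and add `condition: test -f /run/nixos-rebuild.ok` under `power_state:`. Separately, the unchanged `content: ${var.tailscale_apikey}` line embeds the Tailscale key in plaintext in the userdata snippet that `proxmox_virtual_environment_file` stores on the Proxmox node, readable by anyone with access to that storage; if `var.tailscale_apikey` is a long-lived API key rather than the ephemeral, pre-authorized key created by `tailscale_tailnet_key.ingress` in the hunk above, the latter's output with a short `expiry` is the smaller exposure, and either way a comment should state that the snippet holds a secret.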
@@ -89,13 +88,11 @@ resource "proxmox_virtual_environment_vm" "nodes" {
 for_each = local.nodes
 
 vm_id = each.value.id
- name = "${each.value.name}.ingress.tjo.cloud"
+ name = "${each.value.name}.${each.value.domain}"
 node_name = each.value.host
 
- description = "Node ${each.value.name} for ingress.tjo.cloud."
- tags = concat(
- ["ingress-tjo-cloud"],
- )
+ description = "Node ${each.value.name} for ${each.value.domain}."
+ tags = [each.value.domain]
 
 stop_on_destroy = true
 timeout_start_vm = 60