feat: cloudinit nix cofig

This commit is contained in:
Tine 2024-08-25 17:47:41 +02:00
parent 207d47ab5e
commit a49d802954
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
7 changed files with 142 additions and 112 deletions


@ -1,48 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
xc = {
url = "github:joerdav/xc";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { nixpkgs, nixos-generators, xc, ... }:
let
pkgsForSystem = system: import nixpkgs {
inherit system;
overlays = [
(final: prev: { xc = xc.packages.${system}.xc; })
];
};
allVMs = [ "x86_64-linux" "aarch64-linux" ];
forAllVMs = f: nixpkgs.lib.genAttrs allVMs (system: f {
inherit system;
pkgs = pkgsForSystem system;
});
in
{
packages = forAllVMs ({ system, pkgs }: {
vm = nixos-generators.nixosGenerate {
format = "qcow-efi";
system = system;
specialArgs = {
pkgs = pkgs;
};
modules = [
# Pin nixpkgs to the flake input, so that the packages installed
# come from the flake inputs.nixpkgs.url.
({ ... }: { nix.registry.nixpkgs.flake = nixpkgs; })
# Apply the rest of the config.
./configuration.nix
];
};
});
};
}


@ -13,11 +13,11 @@ lint:
@tflint --recursive @tflint --recursive
build: build:
@nix build .#vm @nix build ./proxmox#vm
push: push:
#!/usr/bin/env sh #!/usr/bin/env sh
export NIXOS_IMAGE=$(nix path-info --quiet .#vm)/nixos.qcow2 export NIXOS_IMAGE=$(nix path-info --quiet ./proxmox#vm)/nixos.qcow2
export VERSION=$(echo $NIXOS_IMAGE | cut -d'/' -f4 | cut -d'-' -f1) export VERSION=$(echo $NIXOS_IMAGE | cut -d'/' -f4 | cut -d'-' -f1)
echo "Uploading $NIXOS_IMAGE to code.tjo.space" echo "Uploading $NIXOS_IMAGE to code.tjo.space"
@ -30,7 +30,7 @@ push:
deploy: build deploy: build
#!/usr/bin/env sh #!/usr/bin/env sh
export NIXOS_IMAGE=$(nix path-info --quiet .#vm)/nixos.qcow2 export NIXOS_IMAGE=$(nix path-info --quiet ./proxmox#vm)/nixos.qcow2
export TF_VAR_image_path=$NIXOS_IMAGE export TF_VAR_image_path=$NIXOS_IMAGE
echo "Deploying $NIXOS_IMAGE" echo "Deploying $NIXOS_IMAGE"
@ -38,3 +38,8 @@ deploy: build
cd {{justfile_directory()}}/terraform cd {{justfile_directory()}}/terraform
tofu init tofu init
tofu apply tofu apply
destroy:
#!/usr/bin/env sh
cd {{justfile_directory()}}/terraform
tofu destroy
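Review bot: The new `destroy` recipe has no `set -e` after its shebang, so if the `cd` into the terraform directory fails, `tofu destroy` still runs from whatever directory `just` was invoked in; `deploy` has the same pattern, but it predates this commit. A `set -eu` line right after `#!/usr/bin/env sh` closes that gap. Unlike `deploy`, the recipe also skips `tofu init`, so on a fresh checkout without a `.terraform` directory it fails before reaching the destroy step; either add the `init` call or document that `deploy` must have run first.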

37
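--- /dev/null
+++ b/proxmox/configuration.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, ... }:
+{
+system.stateVersion = "24.05";
+boot.loader.systemd-boot.enable = true;
+services.qemuGuest.enable = true;
+services.cloud-init = {
+enable = true;
+network.enable = true;
+settings = lib.mkOptionDefault {
+datasource = {
+NoCloud = { };
+ConfigDrive = { };
+};
+};
+};
+# Needed due to cloud-init.network.enable = true
+networking.useNetworkd = true;
+# Create default user
+security.sudo.wheelNeedsPassword = false;
+nix.settings.trusted-users = [ "nixos" ];
+users.users.nixos = {
+isNormalUser = true;
+password = "hunter2";
+extraGroups = [ "wheel" ];
+};
+nix.settings.experimental-features = [
+"nix-command"
+"flakes"
+];
+environment.systemPackages = [ pkgs.nginx ];
+}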
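Review bot: `users.users.nixos` is created with a plaintext `password = "hunter2";` while the same account gets passwordless sudo (`security.sudo.wheelNeedsPassword = false;`) and sits in `nix.settings.trusted-users`, so every VM built from this image ships a well-known, root-equivalent credential that persists until some later configuration overrides it. Since cloud-init is enabled in this same file and the userdata added elsewhere in this commit already delivers `ssh_authorized_keys`, the password line can be dropped entirely; if a console fallback is really wanted, use `hashedPassword = "<mkpasswd hash placeholder>";` instead of a plaintext value and set `services.openssh.settings.PasswordAuthentication = false;` so the account is key-only over the network. A short comment on the `# Create default user` block stating that this user is expected to be reconfigured by the instance-specific config at first boot would also make the intent clear.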


@ -53,16 +53,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720535198, "lastModified": 1724316499,
"narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=", "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5", "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-23.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }

70
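--- /dev/null
+++ b/proxmox/flake.nix
@@ -0,0 +1,70 @@
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+nixos-generators = {
+url = "github:nix-community/nixos-generators";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+xc = {
+url = "github:joerdav/xc";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+outputs =
+{
+nixpkgs,
+nixos-generators,
+xc,
+...
+}:
+let
+pkgsForSystem =
+system:
+import nixpkgs {
+inherit system;
+overlays = [ (final: prev: { xc = xc.packages.${system}.xc; }) ];
+};
+allVMs = [
+"x86_64-linux"
+"aarch64-linux"
+];
+forAllVMs =
+f:
+nixpkgs.lib.genAttrs allVMs (
+system:
+f {
+inherit system;
+pkgs = pkgsForSystem system;
+}
+);
+in
+{
+packages = forAllVMs (
+{ system, pkgs }:
+{
+vm = nixos-generators.nixosGenerate {
+format = "qcow-efi";
+system = system;
+specialArgs = {
+pkgs = pkgs;
+};
+modules = [
+# Pin nixpkgs to the flake input, so that the packages installed
+# come from the flake inputs.nixpkgs.url.
+(
+{ ... }:
+{
+nix.registry.nixpkgs.flake = nixpkgs;
+}
+)
+# Apply the rest of the config.
+./configuration.nix
+];
+};
+}
+);
+};
+}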


@ -19,42 +19,13 @@ let
''; '';
fixupPhase = ""; fixupPhase = "";
}; };
instance = builtins.fromJSON (builtins.readFile "/etc/ingress.tjo.cloud.json");
in in
{ {
system.stateVersion = "23.11"; system.stateVersion = "24.05";
# BOOT networking.hostName = instance.name;
boot.loader.systemd-boot.enable = true; networking.domain = instance.domain;
# PROXMOX
services.qemuGuest.enable = true;
services.cloud-init = {
enable = true;
network.enable = true;
settings = lib.mkOptionDefault {
datasource = {
NoCloud = { };
ConfigDrive = { };
};
cloud_init_modules = [
[
"write-files"
"always"
]
];
cloud_config_modules = [
[
"runcmd"
"always"
]
];
system_info = {
default_user = {
name = "nixos";
};
};
};
};
# USER MANAGEMENT # USER MANAGEMENT
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
@ -63,6 +34,7 @@ in
isNormalUser = true; isNormalUser = true;
password = "hunter2"; password = "hunter2";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = instance.ssh_keys;
}; };
# SSH # SSH
@ -86,7 +58,6 @@ in
systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ]; systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ];
# FIREWALL # FIREWALL
networking.useNetworkd = true;
networking.firewall = { networking.firewall = {
enable = true; enable = true;
@ -123,6 +94,4 @@ in
}; };
}; };
}; };
environment.systemPackages = [ pkgs.nginx ];
} }
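Review bot: `instance = builtins.fromJSON (builtins.readFile "/etc/ingress.tjo.cloud.json");` aborts evaluation with a bare read error whenever that file is missing or malformed — any `nixos-rebuild` run before cloud-init's `write_files` has completed, or a manual rebuild after the file is removed — and because `networking.hostName`, `networking.domain` and `openssh.authorizedKeys.keys` all derive from it there is no degraded configuration to fall back to. A guard that fails with an explicit message makes the cause obvious: `instance = let p = "/etc/ingress.tjo.cloud.json"; in if builtins.pathExists p then builtins.fromJSON (builtins.readFile p) else throw "missing ${p}: cloud-init write_files has not run yet";`. Separately, this hunk removes `boot.loader.systemd-boot`, `services.qemuGuest`, `services.cloud-init` and `networking.useNetworkd` from this file; since the first boot applies this file alone via `nixos-rebuild switch`, those settings survive only if the part of the file above the hunk imports the base image configuration, which I cannot see from here — please confirm. The `let` block that `instance` belongs to starts above the hunk.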


@ -1,9 +1,12 @@
locals { locals {
domain = "ingress.tjo.cloud"
nodes = { nodes = {
for k, v in var.nodes : k => merge(v, { for k, v in var.nodes : k => merge(v, {
id = 700 + index(keys(var.nodes), k) id = 700 + index(keys(var.nodes), k)
hash = sha1(v.name) hash = sha1(v.name)
mac_address = "AA:BB:07:00:${format("%v:%v", substr(sha1(v.name), 0, 2), substr(sha1(v.name), 2, 2))}" mac_address = "AA:BB:07:00:${format("%v:%v", substr(sha1(v.name), 0, 2), substr(sha1(v.name), 2, 2))}"
domain = local.domain
}) })
} }
@ -27,6 +30,8 @@ locals {
public_ipv6 = local.ipv6_addresses[k]["ens18"][0] public_ipv6 = local.ipv6_addresses[k]["ens18"][0]
internal_ipv4 = local.ipv4_addresses[k]["tailscale0"][0] internal_ipv4 = local.ipv4_addresses[k]["tailscale0"][0]
internal_ipv6 = local.ipv6_addresses[k]["tailscale0"][0] internal_ipv6 = local.ipv6_addresses[k]["tailscale0"][0]
#internal_ipv4 = data.tailscale_device.ingress[k].addresses[0]
#internal_ipv6 = data.tailscale_device.ingress[k].addresses[1]
}) })
} }
} }
@ -36,7 +41,7 @@ resource "tailscale_tailnet_key" "ingress" {
ephemeral = true ephemeral = true
preauthorized = true preauthorized = true
tags = ["tag:ingress-tjo-cloud"] tags = ["tag:ingress-tjo-cloud"]
description = "tailscale key for ingress-tjo-cloud nodes" description = "tailscale key for ingress-tjo-cloud instances"
} }
resource "proxmox_virtual_environment_file" "ingress" { resource "proxmox_virtual_environment_file" "ingress" {
@ -60,26 +65,20 @@ resource "proxmox_virtual_environment_file" "userdata" {
source_raw { source_raw {
data = <<-EOF data = <<-EOF
#cloud-config #cloud-config
ssh_authorized_keys:
%{for key in var.ssh_keys~}
- ${key}
%{endfor}
write_files: write_files:
- path: /etc/ingress.tjo.cloud.json
encoding: base64
content: ${base64encode(jsonencode({ name : each.value.name, domain : each.value.domain, ssh_keys : var.ssh_keys }))}
- path: /run/secrets/tailscale.com/authkey - path: /run/secrets/tailscale.com/authkey
permissions: '0600'
content: ${var.tailscale_apikey} content: ${var.tailscale_apikey}
permissions: '0400'
owner: root:root
- path: /etc/nixos/configuration.nix - path: /etc/nixos/configuration.nix
content: | encoding: base64
{ config, pkgs, ... }: content: ${base64encode(file("${path.module}/configuration.nix"))}
{
system.stateVersion = "23.11";
networking.hostName = "${each.value.name}";
networking.domain = "ingress.tjo.cloud";
}
runcmd: runcmd:
- systemctl start tailscaled-autoconnect.service - source /etc/profile && nixos-rebuild switch
- nixos-rebuild switch power_state:
mode: reboot
EOF EOF
file_name = "${each.value.name}.ingress.tjo.cloud.userconfig.yaml" file_name = "${each.value.name}.ingress.tjo.cloud.userconfig.yaml"
} }
@ -89,13 +88,11 @@ resource "proxmox_virtual_environment_vm" "nodes" {
for_each = local.nodes for_each = local.nodes
vm_id = each.value.id vm_id = each.value.id
name = "${each.value.name}.ingress.tjo.cloud" name = "${each.value.name}.${each.value.domain}"
node_name = each.value.host node_name = each.value.host
description = "Node ${each.value.name} for ingress.tjo.cloud." description = "Node ${each.value.name} for ${each.value.domain}."
tags = concat( tags = [each.value.domain]
["ingress-tjo-cloud"],
)
stop_on_destroy = true stop_on_destroy = true
timeout_start_vm = 60 timeout_start_vm = 60
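Review bot: In the userdata hunk, `power_state: mode: reboot` fires regardless of whether `- source /etc/profile && nixos-rebuild switch` succeeded: as far as I know cloud-init does not abort `power_state` on a failing `runcmd` entry, and `runcmd` runs once per instance, so a failed rebuild leaves the node rebooted into the unconfigured base image (generic default user, no hostname, no instance SSH keys) with nothing retrying. Gating the reboot on a success marker makes the failure visible instead of silent: `- source /etc/profile && nixos-rebuild switch && touch /run/cloud-init/nixos-rebuild.ok` in `runcmd` and `condition: test -e /run/cloud-init/nixos-rebuild.ok` under `power_state` (marker path is illustrative). The `proxmox_virtual_environment_file "userdata"` resource this heredoc belongs to begins above the hunk.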