From db0d376595c966b5005bbf4c75ead088df92005a Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Fri, 11 Feb 2022 14:07:03 +0300
Subject: [PATCH] lxc config
---
 flake.lock | 66 ++++++++++----------
 flake.nix | 29 ++++-----
 machines/NixOS-CT/default.nix | 31 +++++++++
 machines/NixOS-CT/hardware-configuration.nix | 3 +
 machines/NixOS-CT/system | 1 +
 modules/devices.nix | 5 ++
 profiles/boot.nix | 1 +
 profiles/nix/default.nix | 2 +-
 profiles/overlay.nix | 2 +-
 profiles/security.nix | 3 +-
 profiles/workspace/gpg.nix | 4 +-
 profiles/workspace/ssh.nix | 18 +++---
 roles/container.nix | 24 +++++++
 roles/default.nix | 1 +
 14 files changed, 128 insertions(+), 62 deletions(-)
 create mode 100644 machines/NixOS-CT/default.nix
 create mode 100644 machines/NixOS-CT/hardware-configuration.nix
 create mode 100644 machines/NixOS-CT/system
 create mode 100644 roles/container.nix
diff --git a/flake.lock b/flake.lock
index c64abd8..a8be46e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -99,11 +99,11 @@
 },
 "flake-utils_2": {
 "locked": {
- "lastModified": 1642700792,
- "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
+ "lastModified": 1644229661,
+ "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
+ "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
 "type": "github"
 },
 "original": {
@@ -134,11 +134,11 @@
 ]
 },
 "locked": {
- "lastModified": 1643307345,
- "narHash": "sha256-xiu7i6Q3Dqu4lLfDNaAL/f2DVewBxL+ysMuAyJiGv+4=",
+ "lastModified": 1644534280,
+ "narHash": "sha256-Gzf/Jq/F1vvTp6XkzPU+pBCj3OSAFLiR7f0ptwRseiI=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "4e92ec84f93a293042a64c3ed56ac8aee62fb6e1",
+ "rev": "6d9d9294d09b5e88df65f8c6651efb8a4d7d2476",
 "type": "github"
 },
 "original": {
@@ -224,11 +224,11 @@
 "nixpkgs-regression": "nixpkgs-regression"
 },
 "locked": {
- "lastModified": 1643379043,
- "narHash": "sha256-TCOGKEuHBLgqfCUkMmEWsC/fCynmrPn4xXhZHKSa+0g=",
+ "lastModified": 1644524107,
+ "narHash": "sha256-X/4pRZ4RkG2AhurEER8DQecqB1FaX34jFc7bTpkd4PU=",
 "owner": "nixos",
 "repo": "nix",
- "rev": "4bf6af7b555033de5c1d6851edb60a91940d43c3",
+ "rev": "5b809f9e0e0fe84304c2ae0f5f7b2d4db02565ad",
 "type": "github"
 },
 "original": {
@@ -306,11 +306,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1643403894,
- "narHash": "sha256-5j30wrw5HN/xhEChv+wfCRzTmJeJuB/mMGLlfw/PofY=",
+ "lastModified": 1644572214,
+ "narHash": "sha256-ATafeAQayQX4QQLYuicwJUghS46OXe/xOi04SR3+AvI=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e87db3c8c332cfed455f39a7784f473bab886c2d",
+ "rev": "e1e76842a1d5303a4b0d2af0087a4be112f12369",
 "type": "github"
 },
 "original": {
@@ -323,11 +323,11 @@
 "nixpkgs-mozilla": {
 "flake": false,
 "locked": {
- "lastModified": 1638887313,
- "narHash": "sha256-FMYV6rVtvSIfthgC1sK1xugh3y7muoQcvduMdriz4ag=",
+ "lastModified": 1643634764,
+ "narHash": "sha256-EcFlgzZnZSHwZixELYV1pa267t+u5mCeLhSNBeAA/+c=",
 "owner": "mozilla",
 "repo": "nixpkgs-mozilla",
- "rev": "7c1e8b1dd6ed0043fb4ee0b12b815256b0b9de6f",
+ "rev": "f233fdc4ff6ba2ffeb1e3e3cd6d63bb1297d6996",
 "type": "github"
 },
 "original": {
@@ -369,11 +369,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1643247693,
- "narHash": "sha256-rmShxIuNjYBz4l83J0J++sug+MURUY1koPCzX4F8hfo=",
+ "lastModified": 1644472683,
+ "narHash": "sha256-sP6iM4NksOYO6NFfTJ96cg+ClPnq6cdY30xKA1iYtyU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6c4b9f1a2fd761e2d384ef86cff0d208ca27fdca",
+ "rev": "7adc9c14ec74b27358a8df9b973087e351425a79",
 "type": "github"
 },
 "original": {
@@ -391,11 +391,11 @@
 ]
 },
 "locked": {
- "lastModified": 1643400116,
- "narHash": "sha256-q8BH3R1FlsFJqKKPCCPPFUuRy0TdUd5PUzrlVH3NZ3Q=",
+ "lastModified": 1644572525,
+ "narHash": "sha256-x/ITjqXCJATZ9vRrK45aVzb5beYMvA1SlZvZ6IS4EuI=",
 "owner": "nix-community",
 "repo": "nixpkgs-wayland",
- "rev": "ea3913eda1ed45951e6f47e43b26e3bc8f9f756d",
+ "rev": "a3cd4ebb1c8332477ee5009b01823878dca5fd5b",
 "type": "github"
 },
 "original": {
@@ -421,11 +421,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1643650039,
- "narHash": "sha256-/CNYphB5xu/1eoDSPozkXXU+L+qtpRVF2QyGtt1xKTw=",
+ "lastModified": 1644572214,
+ "narHash": "sha256-ATafeAQayQX4QQLYuicwJUghS46OXe/xOi04SR3+AvI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a0ba069da39a5dc38ff3009423b2700c2fb5447d",
+ "rev": "e1e76842a1d5303a4b0d2af0087a4be112f12369",
 "type": "github"
 },
 "original": {
@@ -436,11 +436,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1643169865,
- "narHash": "sha256-+KIpNRazbc8Gac9jdWCKQkFv9bjceaLaLhlwqUEYu8c=",
+ "lastModified": 1644420267,
+ "narHash": "sha256-rFJuctggkjM412OC6OGPdXogFp7czGDW05ueWqpJbj8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "945ec499041db73043f745fad3b2a3a01e826081",
+ "rev": "98bb5b77c8c6666824a4c13d23befa1e07210ef1",
 "type": "github"
 },
 "original": {
@@ -485,11 +485,11 @@
 "qbittorrent-ee": {
 "flake": false,
 "locked": {
- "lastModified": 1643267137,
- "narHash": "sha256-FHX0FYCpVqg8UmerQiq3vWKSbmsxO4FG4rxxEsIMOLE=",
+ "lastModified": 1644253080,
+ "narHash": "sha256-0tzLqWo/apr5iDV2q4gLDtJnccJF+VdkE1Tp7T1IYww=",
 "owner": "c0re100",
 "repo": "qBittorrent-Enhanced-Edition",
- "rev": "21c1ca4e495923a2cddfbd8cd09523bc332957d8",
+ "rev": "f3fd3cef350362187cad17a23fee010be193630f",
 "type": "github"
 },
 "original": {
@@ -526,11 +526,11 @@
 "rycee": {
 "flake": false,
 "locked": {
- "lastModified": 1643342537,
- "narHash": "sha256-pm37P9/AJbFILqxZzcS0dqdXkftJssyHs3Jk7pRY0gs=",
+ "lastModified": 1644552128,
+ "narHash": "sha256-lEr3ly9l+M/GL44m4krFUk5x7Xddc1WYwbUFUKLUBGk=",
 "owner": "rycee",
 "repo": "nur-expressions",
- "rev": "2ce49ac394974b2fffcdaefc835042d111a3b836",
+ "rev": "b0bc3ed37a683a6a5beb569a13c927a71510643d",
 "type": "gitlab"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 0297df5..4de342a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 base16.url = "github:alukardbf/base16-nix";
+ # base16.url = "/home/alukard/projects/base16-nix";
 base16-horizon-scheme = {
 url = "github:michael-ball/base16-horizon-scheme";
 flake = false;
@@ -77,7 +78,7 @@
 };
 };
- outputs = { nixpkgs, nix, self, ... }@inputs:
+ outputs = { self, nixpkgs, nixpkgs-stable, ... }@inputs:
 let
 rebuild = (pkgs: pkgs.writeShellScriptBin "rebuild" ''
 if [[ -z $1 ]]; then
@@ -113,30 +114,26 @@
 nixosConfigurations = with nixpkgs.lib;
 let
 hosts = builtins.attrNames (builtins.readDir ./machines);
- mkHost = name:
- let
+ mkHost = name: nixosSystem {
 system = builtins.readFile (./machines + "/${name}/system");
- in nixosSystem {
- system = system;
- modules = [ (import (./machines + "/${name}")) { device = name; } ];
- specialArgs = { inherit inputs; };
- };
- in genAttrs hosts mkHost;
+ modules = [ (import (./machines + "/${name}")) { device = name; } ];
+ specialArgs = { inherit inputs; };
+ };
+ in (genAttrs hosts mkHost) // {
+ NixOS-CT = nixpkgs-stable.lib.nixosSystem {
+ system = builtins.readFile (./machines + "/${name}/system");
+ modules = [ (import (./machines + "/${name}")) { device = name; } ];
+ specialArgs = { inherit inputs; };
+ };
+ };
 legacyPackages.x86_64-linux =
 (builtins.head (builtins.attrValues self.nixosConfigurations)).pkgs;
- legacyPackages.aarch64-linux =
- (builtins.head (builtins.attrValues self.nixosConfigurations)).pkgs;
 devShell.x86_64-linux = let
 pkgs = self.legacyPackages.x86_64-linux;
 in pkgs.mkShell {
 nativeBuildInputs = [ (rebuild pkgs) ];
 };
- devShell.aarch64-linux = let
- pkgs = self.legacyPackages.aarch64-linux;
- in pkgs.mkShell {
- nativeBuildInputs = [ (rebuild pkgs) ];
- };
 };
 }
diff --git a/machines/NixOS-CT/default.nix b/machines/NixOS-CT/default.nix
new file mode 100644
index 0000000..2707d4f
--- /dev/null
+++ b/machines/NixOS-CT/default.nix
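Review bot: `name` is unbound in the `NixOS-CT` attribute appended with `//` — it is mkHost's parameter and is not in scope after `in`, so evaluating `nixosConfigurations.NixOS-CT` fails on `system = builtins.readFile (./machines + "/${name}/system")`. Because `machines/NixOS-CT` is created in this same commit, `genAttrs hosts mkHost` already yields a nixpkgs-based `NixOS-CT` that the override silently replaces; letting mkHost take the flake whose `lib.nixosSystem` to use removes the duplicated body and the unbound name at once. Separately, `legacyPackages.x86_64-linux` still takes `builtins.head (builtins.attrValues self.nixosConfigurations)`, and attribute values come out sorted by name, so if the other machine names sort after `NixOS-CT` the dev shell quietly switches to `nixpkgs-stable`'s pkgs — picking a named host there would be more robust.
```nix
mkHost = flake: name: flake.lib.nixosSystem {
  system = builtins.readFile (./machines + "/${name}/system");
  modules = [ (import (./machines + "/${name}")) { device = name; } ];
  specialArgs = { inherit inputs; };
};
in (genAttrs hosts (mkHost nixpkgs)) // {
  NixOS-CT = mkHost nixpkgs-stable "NixOS-CT";
};
# … unchanged: legacyPackages / devShell …
```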
@@ -0,0 +1,31 @@
+{ inputs, lib, ... }: {
+ imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
+ ./hardware-configuration.nix
+ inputs.self.nixosRoles.container
+ ];
+
+ deviceSpecific.devInfo = {
+ cpu = {
+ vendor = "intel";
+ clock = 2300;
+ cores = 2;
+ };
+ drive = {
+ type = "hdd";
+ speed = 100;
+ size = 10;
+ };
+ gpu = {
+ vendor = "other";
+ };
+ bigScreen = false;
+ ram = 1;
+ };
+ deviceSpecific.enableVirtualisation = true;
+ deviceSpecific.wireguard.enable = false;
+ deviceSpecific.isServer = lib.mkForce true;
+
+ systemd.suppressedSystemUnits = [
+ "sys-kernel-debug.mount"
+ ];
+}
diff --git a/machines/NixOS-CT/hardware-configuration.nix b/machines/NixOS-CT/hardware-configuration.nix
new file mode 100644
index 0000000..e45002c
--- /dev/null
+++ b/machines/NixOS-CT/hardware-configuration.nix
@@ -0,0 +1,3 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+ imports = [ (modulesPath + "/virtualisation/lxc-container.nix") ];
+}
diff --git a/machines/NixOS-CT/system b/machines/NixOS-CT/system
new file mode 100644
index 0000000..9bdfd5f
--- /dev/null
+++ b/machines/NixOS-CT/system
@@ -0,0 +1 @@
+x86_64-linux
\ No newline at end of file
diff --git a/modules/devices.nix b/modules/devices.nix
index 261b51d..93b9c95 100644
--- a/modules/devices.nix
+++ b/modules/devices.nix
@@ -41,6 +41,11 @@ with types; {
 default =
 !isNull (builtins.match ".*(Cloud|Server)" config.networking.hostName);
 };
+ isContainer = mkOption {
+ type = bool;
+ default =
+ !isNull (builtins.match ".*(CT|Container)" config.networking.hostName);
+ };
 isISO = mkOption {
 type = bool;
 default =
diff --git a/profiles/boot.nix b/profiles/boot.nix
index 28a103d..218a431 100644
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
@@ -19,6 +19,7 @@ with config.deviceSpecific; {
 "rd.udev.log_priority=3"
 "pti=off"
 "spectre_v2=off"
+ "kvm.ignore_msrs=1"
 ];
 kernelPackages = pkgs.linuxPackages_zen;
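Review bot: `deviceSpecific.isServer = lib.mkForce true;` uses `mkForce` where a plain `= true` already overrides the option's hostname-derived default (the `mkOption` defaults are visible in the `modules/devices.nix` hunk of this commit); `mkForce` additionally wins silently over any later profile that sets `isServer`, so a real conflict would never be reported. The `isContainer` option this commit introduces matches `NixOS-CT` by default, so container-only behaviour can be gated on it rather than by forcing `isServer`, keeping "server" and "container" distinct. The two `with inputs.self.nixosModules; with inputs.self.nixosProfiles;` scopes on `imports` are unused here, since both entries are explicit paths.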
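Review bot: the new `isContainer` option is defined but nothing in this commit reads it — `machines/NixOS-CT/default.nix` forces `isServer` instead, so the container inherits every server-gated decision rather than having its own. The default mirrors the `isServer` pattern above it (`builtins.match` anchors the whole hostname, so only names ending in `CT`/`Container` qualify, case-sensitively); a one-line comment such as `# hostnames ending in CT/Container (e.g. NixOS-CT) are LXC guests` would record that naming convention where the next machine is added. The enclosing `with types; {` option set starts before the hunk.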
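Review bot: `"kvm.ignore_msrs=1"` lands in the shared `kernelParams` list next to `pti=off`/`spectre_v2=off` with no comment, so every host built from `profiles/boot.nix` gets it. The flag tells KVM to ignore guest accesses to MSRs it does not emulate instead of injecting #GP, which hides misbehaving guests and is normally wanted only on the VM host that needs it for a specific guest OS; it is inert inside the new LXC guest, which runs the hypervisor's kernel. Since the file is already under `with config.deviceSpecific;`, scoping it as `] ++ lib.optional enableVirtualisation "kvm.ignore_msrs=1";` (if `lib` is among the module's arguments and that option means what its name suggests) and adding `# kvm.ignore_msrs=1: ignore unhandled guest MSR accesses instead of faulting — needed for <GUEST-NAME>` would keep the other hosts unaffected and the reason recorded. The enclosing list starts before the hunk.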
diff --git a/profiles/nix/default.nix b/profiles/nix/default.nix
index e28b0d7..0f7407d 100644
--- a/profiles/nix/default.nix
+++ b/profiles/nix/default.nix
@@ -25,7 +25,7 @@
 inputs.nix.defaultPackage.${pkgs.system}.overrideAttrs (oa: {
 patches = [ ./nix.patch ] ++ oa.patches or [ ];
 })
- else pkgs.nixStable;
+ else pkgs.nixFlakes;
 extraOptions = ''
 experimental-features = nix-command flakes
diff --git a/profiles/overlay.nix b/profiles/overlay.nix
index 897cdf2..d2a6785 100644
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@@ -32,7 +32,7 @@ with lib; {
 vscode-fhs = master.vscode-fhs;
 xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { };
 youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
- vivaldi = stable.vivaldi;
+ vivaldi = master.vivaldi;
 wine = super.wineWowPackages.staging;
 pass-secret-service = super.pass-secret-service.overrideAttrs (_: { installCheckPhase = null; });
 qbittorrent = super.qbittorrent.overrideAttrs (old: rec {
diff --git a/profiles/security.nix b/profiles/security.nix
index e455ed2..7695821 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -46,7 +46,7 @@ with config.deviceSpecific; {
 ];
 };
 home-manager.users.alukard = {
- systemd.user.services.polkit-agent = {
+ systemd.user.services.polkit-agent = lib.mkIf (!isServer) {
 Unit = {
 Description = "Run polkit authentication agent";
 X-RestartIfChanged = true;
@@ -55,7 +55,6 @@ with config.deviceSpecific; {
 Service = { ExecStart = "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"; };
 };
 };
- home-manager.useUserPackages = true;
 systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
 services.getty.autologinUser = "alukard";
 }
diff --git a/profiles/workspace/gpg.nix b/profiles/workspace/gpg.nix
index 23aa03f..58fca1c 100644
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
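Review bot: `home-manager.useUserPackages = true;` is dropped from the shared security profile and re-added only in the new `roles/container.nix`, so unless `roles/base.nix` or `roles/desktop.nix` (not in this diff) set it, every non-container host silently goes back to per-user profiles for home-manager packages; if the intent is to hoist it next to `useGlobalPkgs` for all roles, it belongs in a profile every role imports. In the same hunk `services.getty.autologinUser = "alukard";` stays unconditional while `polkit-agent` in the hunk above is now gated with `lib.mkIf (!isServer)`, and this profile is what the container role imports, so the container's and the servers' consoles log a session in without any authentication. Gating it the same way, `services.getty.autologinUser = lib.mkIf (!isServer) "alukard";`, keeps the convenience on the workstation only (the option is nullable, so the guard falls back to no autologin).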
@@ -1,5 +1,5 @@
 { config, ... }:
-{
+with config.deviceSpecific; {
 home-manager.users.alukard = {
 programs.gpg = {
 enable = true;
@@ -8,7 +8,7 @@
 services.gpg-agent = {
 enable = true;
 enableSshSupport = true;
- pinentryFlavor = "gnome3";
+ pinentryFlavor = if !isServer then "gnome3" else "curses";
 sshKeys = [
 "7A7130ABF128CC2C32B3D6AD27515056B0193CE1"
 "E6A6377C3D0827C36428A290199FDB3B91414AFE"
diff --git a/profiles/workspace/ssh.nix b/profiles/workspace/ssh.nix
index 66d7b41..ef7b60a 100644
--- a/profiles/workspace/ssh.nix
+++ b/profiles/workspace/ssh.nix
@@ -1,10 +1,10 @@
-{ pkgs, lib, config, ... }: {
-
+{ pkgs, lib, config, ... }:
+with config.deviceSpecific; {
 services.openssh = {
 enable = true;
 passwordAuthentication = false;
 permitRootLogin = "no";
- forwardX11 = true;
+ forwardX11 = !isServer;
 extraConfig = "StreamLocalBindUnlink yes";
 ports = [ 22 ];
 };
@@ -20,12 +20,16 @@
 "*" = {
 compression = false;
 };
- "oracle-cloud" = {
- hostname = "ataraxia.1337.cx";
+ "proxmox.pve" = {
+ hostname = "192.168.0.10";
+ user = "root";
+ };
+ "matrix.pve" = {
+ hostname = "192.168.0.11";
 user = "alukard";
 };
- "oracle-arm" = {
- hostname = "ataraxiadev.1337.cx";
+ "nixos.pve" = {
+ hostname = "192.168.0.12";
 user = "alukard";
 };
 };
diff --git a/roles/container.nix b/roles/container.nix
new file mode 100644
index 0000000..4a01fb1
--- /dev/null
+++ b/roles/container.nix
@@ -0,0 +1,24 @@
+{ inputs, pkgs, ... }: {
+ imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
+ inputs.home-manager.nixosModules.home-manager {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+
+ devices
+ git
+ gpg
+ locale
+ misc
+ network
+ nix
+ overlay
+ secrets
+ secrets-envsubst
+ security
+ ssh
+ zsh
+ ];
+
+ environment.systemPackages = [ pkgs.kitty ];
+}
\ No newline at end of file
diff --git a/roles/default.nix b/roles/default.nix
index 8672710..9b311b3 100644
--- a/roles/default.nix
+++ b/roles/default.nix
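Review bot: the `"proxmox.pve"` entry logs in with `user = "root"`, so the keys the gpg-agent holds for SSH (`enableSshSupport` and the `sshKeys` list in the gpg.nix hunk above) become a direct root credential for the hypervisor from every host that carries this profile, including the new container. If the Proxmox side allows it, a PAM user with sudo keeps per-person accountability on the hypervisor and limits what a compromised workstation key gives away. The `.pve` aliases are resolved through the explicit `hostname` addresses, so a one-line comment such as `# *.pve are ssh aliases for the local Proxmox hosts, not DNS names` would save a reader from looking for a zone. The `matchBlocks` set this hunk edits starts before the hunk.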
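Review bot: the new file ends without a trailing newline (`\ No newline at end of file`), which the next formatter run will turn into an unrelated diff line; add it now. `environment.systemPackages = [ pkgs.kitty ];` pulls the full GUI terminal and its graphics closure into an LXC guest that has no display — if the point is terminfo for kitty clients connecting over SSH, `pkgs.kitty.terminfo` is the much smaller package. The role also imports the `security` profile, whose unconditional `services.getty.autologinUser = "alukard"` (visible in the security.nix hunk on this page) applies to the container console as well; a short comment on the `imports` list stating which profiles were audited for container use, e.g. `# desktop-only bits (polkit agent, pinentry) are gated on isServer inside these profiles`, would make that review repeatable.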
@@ -3,4 +3,5 @@
 desktop = ./desktop.nix;
 base = ./base.nix;
 workstation = ./workstation.nix;
+ container = ./container.nix;
 }