From 91388362734929f5ca93bc8fb2b323e49ca6c5d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bruno=20Adel=C3=A9?=
Date: Sun, 24 Nov 2024 09:41:46 +0100
Subject: [PATCH] feat: add hypervisor(hype16) host
---
 hosts/hype16/default.nix | 233 ++++++++++++++++++++++++
 hosts/hype16/disks.nix | 73 ++++++++
 hosts/hype16/hardware-configuration.nix | 13 ++
 hosts/hype16/secrets.yml | 34 ++++
 hosts/hype16/ssh-to-age.txt | 1 +
 hosts/hype16/ssh_host_ed25519_key.pub | 1 +
 hosts/hype16/ssh_host_rsa_key.pub | 1 +
 users/badele/hype16.nix | 120 ++++++++++++
 users/root/hype16.nix | 21 +++
 9 files changed, 497 insertions(+)
 create mode 100644 hosts/hype16/default.nix
 create mode 100644 hosts/hype16/disks.nix
 create mode 100644 hosts/hype16/hardware-configuration.nix
 create mode 100644 hosts/hype16/secrets.yml
 create mode 100644 hosts/hype16/ssh-to-age.txt
 create mode 100644 hosts/hype16/ssh_host_ed25519_key.pub
 create mode 100644 hosts/hype16/ssh_host_rsa_key.pub
 create mode 100644 users/badele/hype16.nix
 create mode 100644 users/root/hype16.nix
diff --git a/hosts/hype16/default.nix b/hosts/hype16/default.nix
new file mode 100644
index 0000000..aae6140
--- /dev/null
+++ b/hosts/hype16/default.nix
@@ -0,0 +1,233 @@
+# #########################################################
+# NIXOS (hosts)
+##########################################################
+{ inputs, config, pkgs, lib, ... }: {
+ imports = [
+ # Host and hardware configuration
+ ./hardware-configuration.nix
+ ./disks.nix
+ ../../nix/modules/nixos/host.nix
+
+ # Users
+ ../root.nix
+ ../badele.nix
+
+ # Commons
+ ../../nix/nixos/features/commons
+ ../../nix/nixos/features/homelab
+ ../../nix/nixos/features/system/containers.nix
+
+ # Roles
+ ../../nix/nixos/roles # Automatically load service from sectionn from `homelab.json` file
+ ];
+
+ ####################################
+ # Boot
+ ####################################
+
+ boot = {
+ kernelParams = [ "mem_sleep_default=deep" ];
+ blacklistedKernelModules = [ ];
+ kernelModules = [ "kvm-intel" ];
+ supportedFilesystems = [ "btrfs" ];
+
+ # Grub EFI boot loader
+ loader = {
+ grub = {
+ enable = true;
+ devices = [ "nodev" ];
+ efiInstallAsRemovable = true;
+ efiSupport = true;
+ useOSProber = true;
+ };
+ };
+
+ # Network
+ kernel = {
+ sysctl = {
+ # Forward on all ipv4 interfaces.
+ "net.ipv4.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ # xorg
+ # videoDrivers = [ "intel" "i965" "nvidia" ];
+
+ ####################################
+ # host profile
+ ####################################
+ hostprofile = { nproc = 8; };
+
+ virtualisation.docker.storageDriver = "btrfs";
+
+ ####################################
+ # Hardware
+ ####################################
+
+ # Pulseaudio
+ hardware.pulseaudio = {
+ enable = true;
+ support32Bit =
+ true; # # If compatibility with 32-bit applications is desired
+ #extraConfig = "load-module module-combine-sink";
+ };
+
+ ####################################
+ # Networking
+ ####################################
+
+ networking = {
+ enableIPv6 = false;
+ hostName = "hype16";
+ useDHCP = false;
+
+ # Define VLANs
+ vlans = {
+ vlandmz = {
+ id = 32;
+ interface = "enp1s0"; # tagged
+ };
+ vlanadm = {
+ id = 240;
+ interface = "enp1s0"; # tagged
+ };
+ };
+
+ # Create interfaces
+ interfaces = {
+ brlan = {
+ ipv4.addresses = [{
+ address = "192.168.254.16";
+ prefixLength = 24;
+ }];
+ };
+
+ bradm = {
+ ipv4.addresses = [{
+ address = "192.168.240.16";
+ prefixLength = 24;
+ }];
+ };
+
+ brdmz = {
+ ipv4.addresses = [{
+ address = "192.168.32.16";
+ prefixLength = 24;
+ }];
+ };
+ };
+
+ # Create bridges
+ bridges = {
+ # untagged
+ "brlan" = { interfaces = [ "enp1s0" ]; };
+ "bradm" = { interfaces = [ "vlanadm" ]; };
+ "brdmz" = { interfaces = [ "vlandmz" ]; };
+ };
+
+ # Define default gateway and nameservers
+ defaultGateway = "192.168.254.254";
+ nameservers = [ "89.2.0.1" "89.2.0.2" ];
+ };
+
+ ####################################
+ # Incus hypervisor
+ ####################################
+
+ networking.nftables.enable = true;
+
+ networking.firewall = {
+ # logReversePathDrops = true;
+ # logRefusedPackets = true;
+ # logRefusedConnections = true;
+ # logRefusedUnicastsOnly = true;
+
+ interfaces = {
+ brdmz = {
+ allowedTCPPorts = [ 53 67 ];
+ allowedUDPPorts = [ 53 67 ];
+ };
+
+ };
+
+ # 
Forward
+ # filterForward = true;
+ # extraForwardRules = "iifname brdmz oifname brdmz accept";
+ extraInputRules = "iifname brdmz accept";
+ # "iifname brdmz ip saddr 192.168.254.0/24 ip daddr 192.168.253.0/24 accept";
+ };
+
+ virtualisation.incus = {
+ enable = true;
+ ui.enable = true;
+ preseed = {
+ profiles = [
+ {
+ name = "default";
+ description = "Default profile";
+ devices = {
+ eth0 = {
+ name = "eth0";
+ type = "nic";
+ nictype = "bridged";
+ parent = "brlan";
+ };
+ root = {
+ path = "/";
+ pool = "default";
+ size = "35GiB";
+ type = "disk";
+ };
+ };
+ }
+ {
+ name = "lan";
+ description = "LAN profile";
+ devices = {
+ eth0 = {
+ name = "eth0";
+ type = "nic";
+ nictype = "bridged";
+ parent = "brlan";
+ };
+ };
+ }
+ {
+ name = "dmz";
+ description = "DMZ profile";
+ devices = {
+ eth1 = {
+ name = "eth1";
+ type = "nic";
+ nictype = "bridged";
+ parent = "brdmz";
+ };
+ };
+ }
+ ];
+ storage_pools = [{
+ config = { source = "/var/lib/incus/storage-pools/default"; };
+ driver = "dir";
+ name = "default";
+ }];
+ };
+ };
+
+ ####################################
+ # Storage
+ ####################################
+ systemd.tmpfiles.rules = [
+ # trilium app
+ "d /data/incus/trilium/var_lib_trilium 0750 root root -"
+ ];
+
+ ####################################
+ # Programs
+ ####################################
+ powerManagement.powertop.enable = true;
+ programs = { };
+
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/hype16/disks.nix b/hosts/hype16/disks.nix
new file mode 100644
index 0000000..17e1f92
--- /dev/null
+++ b/hosts/hype16/disks.nix
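Review bot: `extraInputRules = "iifname brdmz accept";` in the `networking.firewall` block accepts every packet arriving on the DMZ bridge into the hypervisor's input chain, so the `allowedTCPPorts`/`allowedUDPPorts = [ 53 67 ];` allow-lists on `interfaces.brdmz` just above it never restrict anything and a DMZ guest can reach any service listening on the host itself (ssh, the Incus API/UI if bound to an address, docker-published ports). The commented-out `# "iifname brdmz ip saddr 192.168.254.0/24 ip daddr 192.168.253.0/24 accept";` line shows the intent was narrower; drop the blanket accept and keep only the per-interface port lists. Relatedly, `"net.ipv4.conf.all.forwarding" = true;` in the sysctl block together with `# filterForward = true;` left disabled appears to leave the nftables forward chain unfiltered, so a DMZ guest using 192.168.32.16 as its gateway could reach 192.168.254.0/24 and 192.168.240.0/24 through the host; setting `networking.firewall.filterForward = true;` and listing the permitted flows in `extraForwardRules` would enforce the segmentation the VLAN/bridge layout implies.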
@@ -0,0 +1,73 @@
+{ inputs, lib, ... }: {
+
+ imports = [ inputs.disko.nixosModules.disko ];
+
+ disko.devices = {
+ disk = {
+ disk1 = {
+ type = "disk";
+ device = lib.mkDefault
+ "/dev/disk/by-id/ata-CYX-SSD-S1000_230324000201S5121504";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "1024M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ # Subvolumes must set a mountpoint in order to be mounted,
+ # unless their parent is mounted
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = { mountpoint = "/"; };
+ # Subvolume name is the same as the mountpoint
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
+ "/home/user" = { };
+ # Parent is not mounted so the mountpoint must be set
+ "/nix" = {
+ mountOptions = [ "compress=zstd" "noatime" ];
+ mountpoint = "/nix";
+ };
+ # This subvolume will be created but not mounted
+ "/test" = { };
+ # Subvolume for the swapfile
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap = {
+ swapfile.size = "1024M";
+ swapfile2.size = "1024M";
+ swapfile2.path = "rel-path";
+ };
+ };
+ };
+
+ mountpoint = "/partition-root";
+ swap = {
+ swapfile = { size = "20M"; };
+ swapfile1 = { size = "20M"; };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/hype16/hardware-configuration.nix b/hosts/hype16/hardware-configuration.nix
new file mode 100644
index 0000000..d59f93d
--- /dev/null
+++ b/hosts/hype16/hardware-configuration.nix
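Review bot: The btrfs `subvolumes` section reads as the disko btrfs example left in place rather than a layout chosen for this host: `"/test" = { };` is created and never mounted, `"/home/user" = { };` has no role here, the whole filesystem is mounted a second time via `mountpoint = "/partition-root";` (exposing every subvolume, including `/.swapvol`, under that path), and three toy swapfiles (`swapfile.size = "1024M"` plus `swapfile2.path = "rel-path"` in `/swap`, and the 20M `swapfile`/`swapfile1` pair at partition level) sit side by side. Keep only what hype16 needs (`/rootfs`, `/home`, `/nix`, one swap definition) and remove the `/partition-root` mount unless it is intentional. Also note `extraArgs = [ "-f" ];` reformats whatever is on the target and `device` is only `lib.mkDefault`, so an override pointing at the wrong by-id path would wipe a different disk; it is worth confirming the by-id string on the machine before the first disko run.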
@@ -0,0 +1,13 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/hype16/secrets.yml b/hosts/hype16/secrets.yml
new file mode 100644
index 0000000..ddb1c10
--- /dev/null
+++ b/hosts/hype16/secrets.yml
@@ -0,0 +1,34 @@
+system:
+ user:
+ root-hash: ENC[AES256_GCM,data:PScvPSDvRaHUXTr5dMBcUoZ2GaJcbb44030WMTvQ2cooKrL/eevf5a5apbRpFSRXu0HsOKpOwrXqauKD3coMY2HTyiYDGEgidrJlij9CjMOKVvHJl4P7hD1aszTuvEgBkwEj8BGAAtG+CA==,iv:AuM7cdeIXuptmRbcS0HcP5ZB7+VcbQuDlECQppCR8lo=,tag:4Te9jkG8yHijyICZlEKiuw==,type:str]
+ badele-hash: ENC[AES256_GCM,data:vsQy1euMz0qiHiN1Mm4Ab3+y1bvuAJ4QBh60jzLU9RN9JNkpXcsZMVyZ4K5aMFYPVDQ1146T6j+S9UlE9oR3QvenmcrjFWEORXZg+M3ZigHtubKOdbL66FR3lyXGsUgtLFiF7MXuCriubw==,iv:SZChyIKjR2P3/pU2dVxch/7IH86XnPFJGye3x4WKQNQ=,tag:WaEI+35ilONoBEibfpSNkg==,type:str]
+ test: ENC[AES256_GCM,data:UdDXow==,iv:jlKL5OkN/hS2iNpWIm989kHswyJcBikpWCvUpXNnAgs=,tag:z+gQyR4NnQjEKWBjv4O/Ow==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15js628ku59g94njn0vup20r4xx34guesgsj5dqsken5hma2zqg2szjed66
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaEJ0S0FXZ2hXNkw3dW9V
+ UzI4eVQrb3dmZ0ZXaElnRjZwUmFsSzBmeVdNCnNrTmlwOUt5cE5MNnJtMU9NVktp
+ NTdnSkZqZXJabU1UNDE1STdLQ2NVMm8KLS0tIG9tL01SMTJNYWFsVVJmSGlUWHVk
+ c1VGT1RCc1RYZVNIMEZ3cCs1NU0wOTgKeru9fVg8LbfA6FpM4ko7hFO7ydo6lJfP
+ 4C+BJzVBEacPJPUENa71iM5SPF1vD6DzX7Pw7afrph6HpaPXygiNDg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1atc7mzjz8k58l7wh5na8d9k5y5fl5qf75m5dtl53l6wvwmrr7pvqxchgtf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VlNTYVZzWFc3TXB5UTUz
+ cXVoS0twaE93NGk3UlYxZ1d4aElqd21VREc4Cis1TUJNZUZyRE9rR2haT1NRWFc5
+ dFZoSTgrTVZZQnBJcEtvdWFwUEFvZm8KLS0tIGdwQ0Vwd1Urb3FsajY3c2phVExD
+ N0dtbTFRUk1lUGluTEtoWEpZSUNjVzAKpmtEkpZ9cw/uKSxObA7FIqG6wKWX7kK4
+ Vy9yYRYSaJfCW46//3qwuYLqzGqa2+xGjyvPqRPohvFOhVn3pp7FFw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-27T07:35:19Z"
+ mac: 
ENC[AES256_GCM,data:QJ3WSWPmBAazKz2YJS10mP4BAw5Il+L0FgPVRGHy1wOpv6zpdvj+jHy239d0QuZ3kKVjHeSgaYf2wdzkOLNDCtKKUklBIgKHeRsgbhBOkMouFfnBwWlU65INM72eqW5rDxJ5xL2ieV5UOicomDYnM75SgMHibTBviXW5mLpLMEY=,iv:ch7wdE5bfeK5+VSk8bif6uErhneD3f97UIhnD6/aDNI=,tag:4O8LfwdBbVn3hSTSSd1FOQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/hosts/hype16/ssh-to-age.txt b/hosts/hype16/ssh-to-age.txt
new file mode 100644
index 0000000..48ac4ad
--- /dev/null
+++ b/hosts/hype16/ssh-to-age.txt
@@ -0,0 +1 @@
+age1atc7mzjz8k58l7wh5na8d9k5y5fl5qf75m5dtl53l6wvwmrr7pvqxchgtf
diff --git a/hosts/hype16/ssh_host_ed25519_key.pub b/hosts/hype16/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..ff2fe69
--- /dev/null
+++ b/hosts/hype16/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZhjzZnBhiMUFi8l9MwyIo4dq0/7u9vaVWpsZDGQU64 badele@badxps
diff --git a/hosts/hype16/ssh_host_rsa_key.pub b/hosts/hype16/ssh_host_rsa_key.pub
new file mode 100644
index 0000000..c0a3d07
--- /dev/null
+++ b/hosts/hype16/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa 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 badele@badxps
diff --git a/users/badele/hype16.nix b/users/badele/hype16.nix
new file mode 100644
index 0000000..c55f715
--- /dev/null
+++ b/users/badele/hype16.nix
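Review bot: The `test:` entry under `system.user` reads as a sops scaffolding placeholder rather than a secret this host consumes; remove it through `sops hosts/hype16/secrets.yml` so the `mac` is recomputed, rather than by editing the YAML directly. The second `age` recipient `age1atc7mzjz8k…` is the same value committed in `hosts/hype16/ssh-to-age.txt`, so decryption on hype16 hinges on that recipient really being derived from the host's ed25519 key; confirming it with `ssh-to-age < hosts/hype16/ssh_host_ed25519_key.pub` before the first deploy avoids a boot with no usable secrets.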
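Review bot: The `badele@badxps` comment on this host public key indicates the pair was generated on the workstation rather than by sshd on hype16 (keys generated in place typically carry `root@<hostname>`). If so, the private half has lived on `badxps`: it should reach `/etc/ssh/ssh_host_ed25519_key` on the host only through the provisioning channel, be deleted from the workstation afterwards, and the running sshd should be checked to present exactly this key (`ssh-keyscan` output compared with `ssh-keygen -lf` on this file). The same applies to `ssh_host_rsa_key.pub` in the next hunk; if no client needs an RSA host key, not provisioning one is one fewer private key to protect.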
@@ -0,0 +1,120 @@
+##########################################################
+# HOME-MANAGER (user)
+##########################################################
+{ config
+, inputs
+, pkgs
+, lib
+, ...
+}:
+let
+ feh = "${pkgs.feh}/bin/feh";
+ theme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
+ wallpaper = pkgs.runCommand "image.png" { } ''
+ COLOR=$(${pkgs.yq}/bin/yq -r .base00 ${theme})
+ COLOR="#"$COLOR
+ ${pkgs.imagemagick}/bin/magick convert -size 1920x1080 xc:$COLOR $out
+ '';
+in
+{
+ imports = [
+ # homelab Modules
+ ../../nix/modules/home-manager/font.nix
+ ../../nix/modules/home-manager/userconf.nix
+
+ # Common tools and packages for all badele user hosts
+ ./commons.nix
+
+ # Editor
+ # INFO: I use my independant neovim configuration => https://github.com/badele/vides
+ # ../../nix/home-manager/features/term/editor/lazyvim.nix
+
+ # Term
+ ../../nix/home-manager/features/term/base.nix
+ ../../nix/home-manager/features/term/security
+ ];
+
+
+ ###############################################################################
+ # Packages
+ ###############################################################################
+ home.packages = with pkgs; [
+ ];
+
+
+ programs = {
+ ####################################
+ # Monitors configuration
+ # autorandr --fingerprints
+ # autorandr --config
+ ####################################
+ autorandr = {
+ enable = true;
+
+ profiles = {
+ "home-up" = {
+ fingerprint = {
+ eDP1 = "00ffffffffffff004d109a1400000000041c0104a52213780ede50a3544c99260f505400000001010101010101010101010101010101ac3780a070383e403020350058c210000018000000000000000000000000000000000000000000fe00544b365237804c513135364d31000000000002410328001200000a010a2020002b";
+ DP3 = "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";
+ };
+ config = {
+ eDP1 = {
+ enable = true;
+ primary = true;
+ crtc = 0;
+ position = "1680x0";
+ mode = "1920x1080";
+ rate = "60.00";
+ };
+ DP3 = {
+ enable = true;
+ crtc = 1;
+ position = "0x0";
+ 
mode = "1680x1050";
+ rate = "60.00";
+ };
+ };
+ hooks.postswitch = ''
+ ${pkgs.i3}/bin/i3-msg restart
+ ${feh} --bg-scale '${config.stylix.image}'
+ '';
+ };
+ };
+ };
+ };
+
+ # You can preview the palette at ~/.config/stylix/palette.html
+ stylix.enable = true;
+ stylix.autoEnable = true;
+
+ stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-medium.yaml";
+ stylix.image = pkgs.fetchurl {
+ url = "https://w.wallhaven.cc/full/0w/wallhaven-0w3pdr.jpg";
+ sha256 = "sha256-xrLfcRkr6TjTW464GYf9XNFHRe5HlLtjpB0LQAh/l6M=";
+ };
+
+ # Disable neovim, it managed by https://github.com/badele/vide
+ stylix.targets.neovim.enable = false;
+
+ stylix.fonts = {
+ serif = {
+ package = pkgs.dejavu_fonts;
+ name = "DejaVu Serif";
+ };
+
+ sansSerif = {
+ package = pkgs.dejavu_fonts;
+ name = "DejaVu Sans";
+ };
+
+ monospace = {
+ package = pkgs.dejavu_fonts;
+ name = "DejaVu Sans Mono";
+ };
+
+ emoji = {
+ package = pkgs.noto-fonts-emoji;
+ name = "Noto Color Emoji";
+ };
+ };
+}
diff --git a/users/root/hype16.nix b/users/root/hype16.nix
new file mode 100644
index 0000000..ae3e4e2
--- /dev/null
+++ b/users/root/hype16.nix
@@ -0,0 +1,21 @@
+##########################################################
+# HOME-MANAGER (user)
+##########################################################
+{ config
+, inputs
+, pkgs
+, lib
+, ...
+}:
+{
+ imports = [
+ # Common tools and packages for all root user hosts
+ ./commons.nix
+ ];
+
+ home = {
+ username = lib.mkDefault "root";
+ homeDirectory = lib.mkDefault "/root/";
+ stateVersion = lib.mkDefault "24.05";
+ };
+}
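Review bot: The `wallpaper` binding in the `let` block is never referenced: `stylix.image` is set to the `pkgs.fetchurl` result further down and `hooks.postswitch` reads `config.stylix.image`, so the `runCommand` that shells out to `yq` and `magick` is dead code (laziness keeps it from being built, but it still misleads the next reader); either point `stylix.image` at it or delete it together with `theme`. More broadly this user file looks like a desktop profile copied onto a hypervisor: `autorandr` with laptop EDID fingerprints, an `i3-msg restart` hook and `feh` have nothing to drive on a headless host, and the empty `home.packages = with pkgs; [ ];` suggests the file was not trimmed. Keeping the `commons.nix` and terminal imports and dropping the `programs.autorandr` and stylix font/wallpaper sections would shrink the closure pulled onto hype16 unless it really has a screen attached.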
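Review bot: `homeDirectory = lib.mkDefault "/root/";` carries a trailing slash while `username` and the default used elsewhere by home-manager are slash-free; paths are presumably built as `${homeDirectory}/…`, which would yield `/root//.config`-style strings that work but differ from `$HOME` in string comparisons. `homeDirectory = lib.mkDefault "/root";` avoids the ambiguity.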