Compare commits
5 Commits
63ba2ebaba
...
291a86f71b
Author | SHA1 | Date |
---|---|---|
Sam | 291a86f71b | |
Sam | 822a710ff5 | |
Sam | d8672d109a | |
Sam | 7be100bfd2 | |
Sam | fe42a0b448 |
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
imports = [
|
||||
./lxd-preseed.nix
|
||||
./lxd-networking.nix
|
||||
];
|
||||
|
||||
virtualisation = {
|
||||
lxd = {
|
||||
enable = true;
|
||||
|
||||
recommendedSysctlSettings = true;
|
||||
};
|
||||
|
||||
lxc = {
|
||||
lxcfs.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
|
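Review bot: Enabling `virtualisation.lxd` (the `enable = true;` line) hands root-equivalent control of the host to anyone who can reach the LXD socket, and this module says nothing about who that is meant to be; a comment next to it would keep the next maintainer from widening access casually, e.g. `# NOTE: anyone who can drive the LXD socket (lxd group) can start privileged containers and is effectively root here`. `lxcfs.enable` and `recommendedSysctlSettings` are sensible defaults and need no change. A one-line header saying this is the LXD entry module that wires in the preseed and networking submodules would also help a reader coming from the host config.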
@ -0,0 +1,21 @@
|
|||
{ ... }:
|
||||
let
|
||||
lxd_profiles = {
|
||||
"default" = (import ./profiles/default.nix);
|
||||
};
|
||||
in
|
||||
{
|
||||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
"net.ipv4.conf.default.forwarding" = true;
|
||||
};
|
||||
};
|
||||
|
||||
# allow static ipv4 for containers
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -a input -i ${lxd_profiles.default.network.name} -m comment --comment "lxd rule for ${lxd_profiles.default.network.name}" -j accept
|
||||
'';
|
||||
}
|
|
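Review bot: The iptables rule in `extraCommands` is written in lower case, `-a input … -j accept`, but iptables options, chain names and targets are case-sensitive (`-A INPUT … -j ACCEPT`), so as written the command is rejected, and since NixOS runs `extraCommands` inside the firewall start script I would expect the firewall unit to fail on activation — please confirm on a test host. Independently of the typo, an unconditional ACCEPT on the bridge exposes every listening service on the host to every container, whereas LXD's own managed rules only admit DHCP and DNS, so consider narrowing to those ports. The simplest correct and properly cleaned-up form is to drop `extraCommands` and use `networking.firewall.trustedInterfaces = [ lxd_profiles.default.network.name ];`, which the NixOS firewall keeps in its own chain and removes on reload. If the raw rule is kept, fix the case, `iptables -A INPUT -i ${lxd_profiles.default.network.name} -m comment --comment "lxd rule for ${lxd_profiles.default.network.name}" -j ACCEPT`, and add a matching delete in `extraStopCommands` so repeated reloads do not accumulate duplicate rules in INPUT.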
@ -0,0 +1,26 @@
|
|||
{ ... }:
|
||||
|
||||
let
|
||||
lxd_profiles = {
|
||||
"default" = (import ./profiles/default.nix);
|
||||
};
|
||||
in
|
||||
{
|
||||
virtualisation = {
|
||||
lxd = {
|
||||
preseed = {
|
||||
networks = [
|
||||
lxd_profiles.default.network
|
||||
];
|
||||
|
||||
profiles = [
|
||||
lxd_profiles.default.profile
|
||||
];
|
||||
|
||||
storage_pools = [
|
||||
lxd_profiles.default.storage_pool
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
network = {
|
||||
name = "lxdBrDefault";
|
||||
type = "bridge";
|
||||
|
||||
config = {
|
||||
"ipv4.address" = "10.100.1.1/8";
|
||||
"ipv4.nat" = "true";
|
||||
};
|
||||
};
|
||||
|
||||
storage_pool = {
|
||||
name = "test";
|
||||
driver = "zfs";
|
||||
config.source = "zspeed/test";
|
||||
};
|
||||
|
||||
profile = {
|
||||
name = "default";
|
||||
devices = {
|
||||
"eth0" = {
|
||||
name = "eth0";
|
||||
nictype = "bridged";
|
||||
parent = "lxdBrDefault";
|
||||
type = "nic";
|
||||
};
|
||||
"root" = {
|
||||
path = "/";
|
||||
pool = "default";
|
||||
size = "8GiB";
|
||||
type = "disk";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
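Review bot: The profile's `root` device points at `pool = "default"` while the only storage pool this file defines is named `"test"` (zfs, source `zspeed/test`), so unless a pool called `default` already exists on the host I would expect the preseed to fail when it creates the profile; either rename the pool or reference the one defined here, e.g. `pool = "test";`. The same drift risk applies to `parent = "lxdBrDefault"`, which repeats the literal in `network.name` — binding both to one `let` name keeps them in step. The bridge address `10.100.1.1/8` claims the whole 10.0.0.0/8 for the container bridge and will collide with any other RFC 1918 route on the host (VPNs, office LANs); a `/24` such as `10.100.1.1/24` is almost certainly what was intended, please confirm. A short header comment noting that this attrset is consumed by both the preseed and the networking module would help.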
@ -1,5 +1,6 @@
|
|||
{ pkgs, inputs, config, lib, ... }:
|
||||
let
|
||||
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
|
||||
username = "admin";
|
||||
pubKeys = lib.filesystem.listFilesRecursive (../keys);
|
||||
hostname = config.networking.hostName;
|
||||
|
@ -7,7 +8,7 @@ let
|
|||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
|
||||
in
|
||||
in
|
||||
{
|
||||
users.users.${username} = {
|
||||
isNormalUser = true;
|
||||
|
@ -15,7 +16,13 @@ in
|
|||
hashedPasswordFile = sopsHashedPasswordFile;
|
||||
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
|
||||
|
||||
extraGroups = ["wheel"];
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
] ++ ifTheyExist [
|
||||
"docker"
|
||||
"lxc"
|
||||
"git"
|
||||
];
|
||||
|
||||
packages = with pkgs; [
|
||||
];
|
||||
|
@ -30,7 +37,7 @@ in
|
|||
path = "/home/${username}/.ssh/id_ed25519";
|
||||
mode = "0600";
|
||||
owner = "${username}";
|
||||
};
|
||||
};
|
||||
"ssh_keys/${username}/id_ed25519.pub" = {
|
||||
path = "/home/${username}/.ssh/id_ed25519.pub";
|
||||
mode = "0644";
|
||||
|
|
|
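Review bot: `ifTheyExist` silently adds the admin user to whichever of `docker`, `lxc` and `git` happen to exist, and at least `docker` is root-equivalent (write access to the Docker socket), as is the `lxd` group; given the user is already in `wheel` this may be intended, but a comment saying so stops the pattern being copied to less privileged accounts, e.g. `# docker/lxd membership is root-equivalent; acceptable only because this is the admin account`. I believe the group NixOS's `virtualisation.lxd` module creates is `lxd`, not `lxc`, so if the goal is running `lxc` commands without sudo, `"lxc"` should probably be `"lxd"` — as written the filter will most likely just drop it, failing silently rather than loudly. The `users.users.${username}` attrset continues outside the hunk.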
@ -1,11 +1,10 @@
|
|||
{ inputs, config, lib, pkgs, outputs, ... }:
|
||||
{ inputs, ... }:
|
||||
let
|
||||
# Disko setup
|
||||
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
|
||||
dev = "/dev/sda"; # depends on target hardware
|
||||
encrypted = false; # currrently only applies to btrfs
|
||||
impermanence = false; # currrently only applies to btrfs
|
||||
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
||||
user = "admin";
|
||||
in
|
||||
{
|
||||
|
@ -24,7 +23,7 @@ in
|
|||
|
||||
# Import optional options
|
||||
../common/optional/openssh.nix
|
||||
|
||||
../common/optional/lxd
|
||||
|
||||
];
|
||||
|
||||
|
|
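Review bot: The new argument set `{ inputs, ... }:` drops `config`, `lib`, `pkgs` and `outputs`; with `...` present this is harmless for the caller, but any reference to those names further down the file (the attrset body runs past this hunk) now becomes an undefined-variable error at evaluation time, so please confirm nothing below still uses them, or keep the ones that are used. Importing `../common/optional/lxd` also pulls in IPv4 forwarding and a firewall accept rule for the LXD bridge from that module, which deserves a one-line comment next to the import, e.g. `# enables LXD, IPv4 forwarding and a firewall rule admitting traffic from the LXD bridge`. The `encrypted = false` and `impermanence = false` bindings are unchanged context, but now that this host runs containers, leaving the root filesystem unencrypted should be a conscious, documented decision.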