
5 Commits

Author SHA1 Message Date
Sam 291a86f71b lxd module 2024-06-29 14:40:10 +01:00
Sam 822a710ff5 Added extra admin groups 2024-06-29 14:39:16 +01:00
Sam d8672d109a Initial setup of lxd on nebula 2024-06-29 11:03:07 +01:00
Sam 7be100bfd2 Removed unnecessary imports 2024-06-29 11:02:15 +01:00
Sam fe42a0b448 Removed unnecessary declaration for btrfs device name. 2024-06-29 10:59:45 +01:00
6 changed files with 112 additions and 6 deletions


@ -0,0 +1,18 @@
{
imports = [
./lxd-preseed.nix
./lxd-networking.nix
];
virtualisation = {
lxd = {
enable = true;
recommendedSysctlSettings = true;
};
lxc = {
lxcfs.enable = true;
};
};
}


@ -0,0 +1,21 @@
{ ... }:
let
lxd_profiles = {
"default" = (import ./profiles/default.nix);
};
in
{
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
};
};
# allow static ipv4 for containers
networking.firewall.extraCommands = ''
iptables -a input -i ${lxd_profiles.default.network.name} -m comment --comment "lxd rule for ${lxd_profiles.default.network.name}" -j accept
'';
}
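Review bot: The firewall rule in `networking.firewall.extraCommands` is written as `iptables -a input ... -j accept`, but iptables option names, chain names and targets are case-sensitive: `-a` is not the append flag, and neither a chain `input` nor a target `accept` exists, so this line errors when the firewall start script runs and the intended rule is never installed (whether the whole firewall unit fails or only this rule is skipped depends on the generated script; worth checking `systemctl status firewall` after a rebuild). It should read `iptables -A INPUT -i ${lxd_profiles.default.network.name} -m comment --comment "lxd rule for ${lxd_profiles.default.network.name}" -j ACCEPT`. The comment `# allow static ipv4 for containers` also undersells what the rule does: it accepts all inbound traffic arriving from the container bridge, so if only DHCP/DNS to the host is needed, adding `-p udp --dport 53`/`--dport 67` style matches would be narrower — I would at least rewrite the comment to `# accept all traffic from containers on the LXD bridge (no port restriction)`. Separately, the `lxd_profiles` let-binding is duplicated verbatim in the next file (the preseed module) and uses snake_case while the rest of this tree uses camelCase (`ifTheyExist`, `pubKeys`, `btrfsMountDevice`); consider `lxdProfiles` and importing `./profiles/default.nix` once.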


@ -0,0 +1,26 @@
{ ... }:
let
lxd_profiles = {
"default" = (import ./profiles/default.nix);
};
in
{
virtualisation = {
lxd = {
preseed = {
networks = [
lxd_profiles.default.network
];
profiles = [
lxd_profiles.default.profile
];
storage_pools = [
lxd_profiles.default.storage_pool
];
};
};
};
}


@ -0,0 +1,35 @@
{
network = {
name = "lxdBrDefault";
type = "bridge";
config = {
"ipv4.address" = "10.100.1.1/8";
"ipv4.nat" = "true";
};
};
storage_pool = {
name = "test";
driver = "zfs";
config.source = "zspeed/test";
};
profile = {
name = "default";
devices = {
"eth0" = {
name = "eth0";
nictype = "bridged";
parent = "lxdBrDefault";
type = "nic";
};
"root" = {
path = "/";
pool = "default";
size = "8GiB";
type = "disk";
};
};
};
}
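Review bot: The storage pool is declared as `name = "test";` but the profile's root disk points at `pool = "default";`, which nothing in this preseed defines, so I would expect LXD to reject the profile (it validates that a disk device's pool exists) and the preseed to fail on first apply; either change the device to `pool = "test";` or rename the pool to `"default"` so the two agree. The bridge address `"ipv4.address" = "10.100.1.1/8"` gives the bridge the entire 10.0.0.0/8 range, which routes all 10.x traffic from the host into the bridge and NATs it; if a single container subnet is intended, `"ipv4.address" = "10.100.1.1/24"` is the usual shape. `parent = "lxdBrDefault"` repeats `network.name` by hand; a `let bridgeName = "lxdBrDefault"; in` at the top used in both places would keep them from drifting apart. A short header comment such as `# LXD default profile consumed by lxd-preseed.nix and lxd-networking.nix` would also help, since this file is imported from two modules.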


@ -1,5 +1,6 @@
{ pkgs, inputs, config, lib, ... }:
let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
username = "admin";
pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName;
@ -7,7 +8,7 @@ let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in
in
{
users.users.${username} = {
isNormalUser = true;
@ -15,7 +16,13 @@ in
hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = ["wheel"];
extraGroups = [
"wheel"
] ++ ifTheyExist [
"docker"
"lxc"
"git"
];
packages = with pkgs; [
];
@ -30,7 +37,7 @@ in
path = "/home/${username}/.ssh/id_ed25519";
mode = "0600";
owner = "${username}";
};
};
"ssh_keys/${username}/id_ed25519.pub" = {
path = "/home/${username}/.ssh/id_ed25519.pub";
mode = "0644";
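Review bot: `ifTheyExist [ "docker" "lxc" "git" ]` silently drops any name that is not in `config.users.groups` at evaluation time, so a misspelled or wrong group yields an admin without the intended access and no warning; if the goal is access to the LXD daemon socket, the group the NixOS lxd module creates is, as far as I know, `lxd` rather than `lxc` — please confirm which group actually exists on the host before relying on this. Because membership in `docker` and `lxd` is documented upstream as equivalent to root on the host (the daemon socket lets a member mount the host filesystem into a container), this list is effectively a second sudoers entry and deserves a comment above it, e.g. `# NOTE: docker/lxd group membership is root-equivalent; keep this list to accounts already trusted with wheel.`. A debug-time `lib.warnIf` on the dropped names, or simply listing the groups explicitly per host, would make the silent filtering visible. The enclosing `users.users.${username}` attribute set starts in the previous hunk and ends outside this one.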


@ -1,11 +1,10 @@
{ inputs, config, lib, pkgs, outputs, ... }:
{ inputs, ... }:
let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
impermanence = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
user = "admin";
in
{
@ -24,7 +23,7 @@ in
# Import optional options
../common/optional/openssh.nix
../common/optional/lxd
];