Revive microvm-default to reduce the mess

Sandro - 2023-05-20 02:45:32 +02:00
parent f0b1019bd5
commit 87dc4f22b2
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
3 changed files with 52 additions and 45 deletions


@ -772,10 +772,12 @@
cluster-network = ./modules/cluster/network.nix;
cluster-options.imports = [
deployment.nixosModules.deployment-options
self.nixosModules.microvm
microvm.nixosModules.microvm
./modules/microvm-defaults.nix
];
microvm.imports = [
microvm.nixosModules.microvm
./modules/microvm-defaults.nix
./modules/microvm.nix
];
microvm-host.imports = [


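--- /dev/null
+++ b/modules/microvm-defaults.nix
@@ -0,0 +1,48 @@
+# No MicroVM settings but some defaults that enable evaulating NixOS
+# configurations that are destined to be used on Skyflake
+{ config, lib, ... }:
+{
+# autoupdates do not make sense inside MicroVMs with read-only /nix/store
+c3d2.autoUpdate = false;
+boot = {
+loader.grub.enable = false;
+kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
+# table overflow causing packets from nginx to the service to drop
+# nf_conntrack: nf_conntrack: table full, dropping packet
+"net.netfilter.nf_conntrack_max" = "65536";
+};
+kernelParams = [
+"preempt=none"
+# No server/router runs any untrusted user code
+"mitigations=off"
+];
+};
+fileSystems."/" = lib.mkDefault {
+fsType = "tmpfs";
+};
+hardware.enableRedistributableFirmware = false;
+# required that sysctl contains net.netfilter.nf_conntrack_max on boot
+networking.firewall.autoLoadConntrackHelpers = true;
+# nix store is mounted read only
+nix.gc.automatic = false;
+systemd.tmpfiles.rules = [
+"d /home/root 0700 root root -" # createHome does not create it
+];
+users = {
+mutableUsers = false;
+# store root users files persistent, especially .bash_history
+users."root" = {
+createHome = true;
+home = lib.mkForce "/home/root";
+};
+};
+}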
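Review bot: `networking.firewall.autoLoadConntrackHelpers = true;` is used here only for its side effect of loading `nf_conntrack` so that the `net.netfilter.nf_conntrack_max` sysctl exists at boot, but what the option actually enables is automatic conntrack helper assignment (`net.netfilter.nf_conntrack_helper = 1`), which lets any connection hitting a helper port (FTP, SIP, …) open "related" conntrack entries through the firewall — the behaviour upstream deprecated as unsafe, and newer kernels dropped that sysctl entirely, so the side effect this relies on may not survive a kernel bump. Loading the module explicitly gives the same sysctl without widening the firewall: replace the line with `boot.kernelModules = [ "nf_conntrack" ];` and keep the comment explaining why the module must be present before the sysctl is applied. Separately, the justification for `mitigations=off` ("no server/router runs any untrusted user code") stops holding the moment a network-facing service in the VM is compromised — that attacker is then untrusted code on the guest and can use the unmitigated side channels against the guest kernel — so at minimum make it overridable per VM with `kernelParams = lib.mkDefault [ … ];` and spell out the trade-off in the comment. Nit: `evaulating` → `evaluating` in the header comment.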


@ -69,30 +69,6 @@ in
};
config = {
boot.loader.grub.enable = false;
# autoupdates do not make sense inside MicroVMs with read-only /nix/store
c3d2.autoUpdate = false;
boot = {
kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
# table overflow causing packets from nginx to the service to drop
# nf_conntrack: nf_conntrack: table full, dropping packet
"net.netfilter.nf_conntrack_max" = "65536";
};
kernelParams = [
"preempt=none"
# No server/router runs any untrusted user code
"mitigations=off"
];
};
fileSystems."/" = lib.mkDefault {
fsType = "tmpfs";
};
hardware.enableRedistributableFirmware = false;
microvm = {
hypervisor = lib.mkDefault "cloud-hypervisor";
mem = lib.mkDefault 512;
@ -127,18 +103,12 @@ in
}) config.c3d2.deployment.mounts;
};
networking = {
# required that sysctl contains net.netfilter.nf_conntrack_max on boot
firewall.autoLoadConntrackHelpers = true;
} // lib.optionalAttrs config.c3d2.deployment.autoNetSetup {
networking = lib.mkIf config.c3d2.deployment.autoNetSetup {
useDHCP = false;
dhcpcd.enable = false;
useNetworkd = true;
};
# nix store is mounted read only
nix.gc.automatic = false;
systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup {
links = builtins.foldl' (links: net: links // {
"30-${net}" = {
@ -192,18 +162,5 @@ in
ssh root@${serverFQDN} -- $@
'';
};
systemd.tmpfiles.rules = [
"d /home/root 0700 root root -" # createHome does not create it
];
users = {
mutableUsers = false;
# store root users files persistent, especially .bash_history
users."root" = {
createHome = true;
home = lib.mkForce "/home/root";
};
};
};
}
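Review bot: `boot.loader.grub.enable = false;` at the top of the first hunk is now also set by `modules/microvm-defaults.nix`, which flake.nix imports next to this module in `microvm.imports`, so the line here is redundant and could move out for the same reason the other defaults did; both assignments are `false`, so this is duplication rather than a conflict. The `networking = lib.mkIf config.c3d2.deployment.autoNetSetup { … }` rewrite in the second hunk is clearer than the former `//` merge and matches the `systemd.network = lib.mkIf …` form right below it. The enclosing `config = { … }` attrset spans all three hunks and the file's `let … in` scope begins outside SOURCE.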