Revive microvm-default to reduce the mess
parent
f0b1019bd5
commit
87dc4f22b2
|
@ -772,10 +772,12 @@
|
||||||
cluster-network = ./modules/cluster/network.nix;
|
cluster-network = ./modules/cluster/network.nix;
|
||||||
cluster-options.imports = [
|
cluster-options.imports = [
|
||||||
deployment.nixosModules.deployment-options
|
deployment.nixosModules.deployment-options
|
||||||
self.nixosModules.microvm
|
microvm.nixosModules.microvm
|
||||||
|
./modules/microvm-defaults.nix
|
||||||
];
|
];
|
||||||
microvm.imports = [
|
microvm.imports = [
|
||||||
microvm.nixosModules.microvm
|
microvm.nixosModules.microvm
|
||||||
|
./modules/microvm-defaults.nix
|
||||||
./modules/microvm.nix
|
./modules/microvm.nix
|
||||||
];
|
];
|
||||||
microvm-host.imports = [
|
microvm-host.imports = [
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
# No MicroVM settings but some defaults that enable evaulating NixOS
|
||||||
|
# configurations that are destined to be used on Skyflake
|
||||||
|
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
# autoupdates do not make sense inside MicroVMs with read-only /nix/store
|
||||||
|
c3d2.autoUpdate = false;
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
loader.grub.enable = false;
|
||||||
|
kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
|
||||||
|
# table overflow causing packets from nginx to the service to drop
|
||||||
|
# nf_conntrack: nf_conntrack: table full, dropping packet
|
||||||
|
"net.netfilter.nf_conntrack_max" = "65536";
|
||||||
|
};
|
||||||
|
kernelParams = [
|
||||||
|
"preempt=none"
|
||||||
|
# No server/router runs any untrusted user code
|
||||||
|
"mitigations=off"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/" = lib.mkDefault {
|
||||||
|
fsType = "tmpfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
hardware.enableRedistributableFirmware = false;
|
||||||
|
|
||||||
|
# required that sysctl contains net.netfilter.nf_conntrack_max on boot
|
||||||
|
networking.firewall.autoLoadConntrackHelpers = true;
|
||||||
|
|
||||||
|
# nix store is mounted read only
|
||||||
|
nix.gc.automatic = false;
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /home/root 0700 root root -" # createHome does not create it
|
||||||
|
];
|
||||||
|
|
||||||
|
users = {
|
||||||
|
mutableUsers = false;
|
||||||
|
# store root users files persistent, especially .bash_history
|
||||||
|
users."root" = {
|
||||||
|
createHome = true;
|
||||||
|
home = lib.mkForce "/home/root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
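Review bot: `"mitigations=off"` is added as a plain entry of `boot.kernelParams`, so a guest that later ends up handling untrusted input cannot drop it without `lib.mkForce`, and the comment's "no untrusted user code" justification is a threat-model assumption rather than something the module enforces — the nf_conntrack comment in the same file shows these guests terminating nginx-to-service traffic, and the flake hunk above also pulls this module into `cluster-options`, so it may reach more evaluation contexts than MicroVMs. I would make the trade-off explicit and overridable: `kernelParams = lib.mkDefault [ "preempt=none" "mitigations=off" ];` with the comment expanded to `# Assumes no untrusted code runs inside the guest; set boot.kernelParams per host to restore CPU mitigations`. Separately, `networking.firewall.autoLoadConntrackHelpers = true` does more than its comment describes: besides loading nf_conntrack it turns on automatic conntrack helper assignment, which NixOS leaves off by default; if the only goal is that the sysctl target exists at boot, `boot.kernelModules = [ "nf_conntrack" ];` is the narrower setting. Minor: `evaulating` in the header comment.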
@ -69,30 +69,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
boot.loader.grub.enable = false;
|
|
||||||
|
|
||||||
# autoupdates do not make sense inside MicroVMs with read-only /nix/store
|
|
||||||
c3d2.autoUpdate = false;
|
|
||||||
|
|
||||||
boot = {
|
|
||||||
kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
|
|
||||||
# table overflow causing packets from nginx to the service to drop
|
|
||||||
# nf_conntrack: nf_conntrack: table full, dropping packet
|
|
||||||
"net.netfilter.nf_conntrack_max" = "65536";
|
|
||||||
};
|
|
||||||
kernelParams = [
|
|
||||||
"preempt=none"
|
|
||||||
# No server/router runs any untrusted user code
|
|
||||||
"mitigations=off"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/" = lib.mkDefault {
|
|
||||||
fsType = "tmpfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
hardware.enableRedistributableFirmware = false;
|
|
||||||
|
|
||||||
microvm = {
|
microvm = {
|
||||||
hypervisor = lib.mkDefault "cloud-hypervisor";
|
hypervisor = lib.mkDefault "cloud-hypervisor";
|
||||||
mem = lib.mkDefault 512;
|
mem = lib.mkDefault 512;
|
||||||
|
@ -127,18 +103,12 @@ in
|
||||||
}) config.c3d2.deployment.mounts;
|
}) config.c3d2.deployment.mounts;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = lib.mkIf config.c3d2.deployment.autoNetSetup {
|
||||||
# required that sysctl contains net.netfilter.nf_conntrack_max on boot
|
|
||||||
firewall.autoLoadConntrackHelpers = true;
|
|
||||||
} // lib.optionalAttrs config.c3d2.deployment.autoNetSetup {
|
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
dhcpcd.enable = false;
|
dhcpcd.enable = false;
|
||||||
useNetworkd = true;
|
useNetworkd = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# nix store is mounted read only
|
|
||||||
nix.gc.automatic = false;
|
|
||||||
|
|
||||||
systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup {
|
systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup {
|
||||||
links = builtins.foldl' (links: net: links // {
|
links = builtins.foldl' (links: net: links // {
|
||||||
"30-${net}" = {
|
"30-${net}" = {
|
||||||
|
@ -192,18 +162,5 @@ in
|
||||||
ssh root@${serverFQDN} -- $@
|
ssh root@${serverFQDN} -- $@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d /home/root 0700 root root -" # createHome does not create it
|
|
||||||
];
|
|
||||||
|
|
||||||
users = {
|
|
||||||
mutableUsers = false;
|
|
||||||
# store root users files persistent, especially .bash_history
|
|
||||||
users."root" = {
|
|
||||||
createHome = true;
|
|
||||||
home = lib.mkForce "/home/root";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|