From a0dc08e97bc55864a5b9855a632840b8242400d7 Mon Sep 17 00:00:00 2001
From: Astro
Date: Mon, 5 Sep 2022 22:17:11 +0200
Subject: [PATCH] hosts/leoncloud: init
---
 flake.nix | 7 +++
 hosts/leon/default.nix | 2 +-
 hosts/leoncloud/default.nix | 105 ++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 hosts/leoncloud/default.nix
diff --git a/flake.nix b/flake.nix
index e5ff8eee..68b8b3ed 100644
--- a/flake.nix
+++ b/flake.nix
@@ -737,6 +737,13 @@
 ];
 };
 
+ leoncloud = nixosSystem' {
+ modules = [
+ self.nixosModules.microvm
+ ./hosts/leoncloud
+ ];
+ };
+
 nfsroot = nixosSystem' {
 modules = [
 self.nixosModules.microvm
diff --git a/hosts/leon/default.nix b/hosts/leon/default.nix
index 58f5bed1..d4ef0a7c 100644
--- a/hosts/leon/default.nix
+++ b/hosts/leon/default.nix
@@ -80,7 +80,7 @@ in
 # try harder disabling global ipv6
 networkConfig.LinkLocalAddressing = "no";
 addresses = [ {
- addressConfig.Address = "${config.c3d2.hosts.leon.ip4}/${toString zentralwerk.lib.config.site.net.serv.subnet4Len}";
+ addressConfig.Address = "${config.c3d2.hosts.${config.networking.hostName}.ip4}/${toString zentralwerk.lib.config.site.net.serv.subnet4Len}";
 } ];
 routes = [ {
 routeConfig = {
diff --git a/hosts/leoncloud/default.nix b/hosts/leoncloud/default.nix
new file mode 100644
index 00000000..1227d092
--- /dev/null
+++ b/hosts/leoncloud/default.nix
@@ -0,0 +1,105 @@
+{ zentralwerk, config, pkgs, ... }:
+let
+ netConfig = zentralwerk.lib.config.site.net.serv;
+
+ mac = {
+ serv = "e2:e9:bb:f4:4a:fe";
+ pub = "e2:e9:bb:f4:4a:ff";
+ };
+
+in
+{
+ microvm = {
+ mem = 1024;
+ };
+
+ c3d2.deployment = {
+ server = "server9";
+ mounts = [ "etc" "home" "var"];
+ autoNetSetup = false;
+ };
+ microvm.interfaces = [ {
+ type = "tap";
+ id = "pub-leoncloud";
+ mac = mac.pub;
+ } {
+ type = "tap";
+ id = "serv-leoncloud";
+ mac = mac.serv;
+ } ];
+
+ networking = {
+ hostName = "leoncloud";
+ firewall.enable = true;
+ };
+ systemd.network = {
+ enable = true;
+
+ # On the serv network I have a static IPv4 and only a route to the
+ # rest of the network so that I am reachable by
+ # public-access-proxy.
+
+ links."00-serv" = {
+ matchConfig.MACAddress = mac.serv;
+ linkConfig.Name = "serv";
+ };
+
+ networks."00-serv" = {
+ matchConfig.MACAddress = mac.serv;
+ networkConfig.IPv6AcceptRA = false;
+ # try harder disabling global ipv6
+ networkConfig.LinkLocalAddressing = "no";
+ addresses = [ {
+ addressConfig.Address = "${config.c3d2.hosts.${config.networking.hostName}.ip4}/${toString zentralwerk.lib.config.site.net.serv.subnet4Len}";
+ } ];
+ routes = [ {
+ routeConfig = {
+ Destination = "172.20.0.0/14";
+ Gateway = config.c3d2.hosts.serv-gw.ip4;
+ };
+ } ];
+ };
+
+ # On the pub network I am a normal client.
+
+ links."00-pub" = {
+ matchConfig.MACAddress = mac.pub;
+ linkConfig.Name = "pub";
+ };
+
+ networks."01-pub" = {
+ matchConfig.MACAddress = mac.pub;
+ networkConfig.DHCP = "ipv4";
+ networkConfig.IPv6AcceptRA = true;
+ };
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ c3d2.hq.statistics.enable = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ wget vim python3Full nmap htop wireguard-tools
+ ];
+
+ users.users.leon = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ createHome = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2zpmWA3Z9zshWaU8k1SWyJnbAyasOu9pV+9BvTY0XE leon@¯\_(ツ)_/¯"
+ ];
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ ];
+ };
+
+ system.stateVersion = "22.05";
+}
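Review bot: `wheelNeedsPassword = false` under `security.sudo`, combined with `extraGroups = [ "wheel" ]` on `users.users.leon`, turns the single authorized SSH key into unconditional passwordless root on this VM, and the commit gives no reason for overriding the default; I would delete that line, or if a deployment tool needs it, keep it with `# passwordless sudo: required by <tool>; the only login path is the key below` beside it. `networking.firewall` opens TCP 80 and 443 while nothing in this file defines a service listening on them; if the proxy named in the serv-network comment forwards to a web server configured elsewhere, a comment saying so would help, otherwise leave the ports closed until that service exists, and `allowedUDPPorts = [ ]` is already the default. The `netConfig` binding in the `let` is never used — the address line repeats `zentralwerk.lib.config.site.net.serv.subnet4Len` in full — so either write `${toString netConfig.subnet4Len}` there or drop the binding. The `networks."00-serv"` / `networks."01-pub"` prefixes also disagree with the two `links."00-…"` units; one numbering scheme would make the intended ordering readable.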