add microvm for monitoring

This commit is contained in:
Tassilo - 2022-12-07 20:06:46 +01:00
parent 04688487ba
commit 6e7ec5f982
Signed by: revol-xut
GPG Key ID: 4F56FF7759627D07
5 changed files with 105 additions and 0 deletions


@ -6,6 +6,7 @@ keys:
# - &admin_astro
- &data-hoarder age1djp5hk6vpm5glzqy9h2e2cgam5xydx888glgs85kvs57spaf8v0sfm0pa2
- &data-hoarder-staging age1m4g4y5ga2m8xdvs7rarda3tyk4gtkyta6pfyq2n3xmy47z20kfxq73m8r8
- &watch-me-senpai age18q907v2706qxmjewqan7xng2su3z6zyz9a2q444jew22apd46y7q8wjjku
# turmlabor
- &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
# zw
@ -57,6 +58,15 @@ creation_rules:
age:
- *data-hoarder
- *data-hoarder-staging
- path_regex: secrets/watch-me-senpai/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
- *admin_revol-xut
- *admin_marenz-1
- *admin_marenz-2
age:
- *watch-me-senpai
- path_regex: secrets/traffic-stop-box/[^/]+\.yaml$
key_groups:
- pgp:


@ -171,6 +171,14 @@
] ++ data-hoarder-modules;
};
};
watch-me-senpai = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs;
modules = [
./hosts/watch-me-senpai
microvm.nixosModules.microvm
];
};
hydraJobs = (lib.mapAttrs (_name: value: { ${value.config.system.build.toplevel.system} = value.config.system.build.toplevel; }) self.nixosConfigurations) // {
sops-binaries."x86_64-linux" = sops-nix.packages."x86_64-linux".sops-install-secrets;
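Review bot: The new `watch-me-senpai` entry lists only `./hosts/watch-me-senpai` and `microvm.nixosModules.microvm`, yet the host config in this commit sets `sops.defaultSopsFile` and uses the `deployment-dvb.net` option set, both of which need their NixOS modules in the closure. The other hosts appear to get shared modules via a list such as `data-hoarder-modules` (line above the hunk), while this entry appends nothing. Unless `./hosts/watch-me-senpai` imports them itself, add e.g. `sops-nix.nixosModules.sops` (sops-nix is already a flake input, see the `sops-binaries` line) and the deployment-dvb module to `modules`, or reuse the shared list the other systems use.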


@ -0,0 +1,44 @@
{ self, ... }: {
microvm = {
hypervisor = "cloud-hypervisor";
mem = 4096;
vcpu = 2;
interfaces = [{
type = "tap";
id = "serv-dvb-prod";
mac = mac_addr;
}];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
{
source = "/var/lib/microvms/watch-me-senpai/etc";
mountPoint = "/etc";
tag = "etc";
proto = "virtiofs";
socket = "etc.socket";
}
{
source = "/var/lib/microvms/watch-me-senpai/var";
mountPoint = "/var";
tag = "var";
proto = "virtiofs";
socket = "var.socket";
}
];
};
networking.hostName = "watch-me-senpai"; # Define your hostname.
# Set your time zone.
time.timeZone = "Europe/Berlin";
sops.defaultSopsFile = self + /secrets/watch-me-senpai/secrets.yaml;
system.stateVersion = "22.05";
}
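Review bot: `mac = mac_addr;` in the tap interface refers to an identifier that is not bound anywhere in this file — the argument pattern is `{ self, ... }` and there is no `let`, so Nix evaluation will fail with an undefined-variable error; the same unbound `mac_addr` appears in the `iface.uplink` block of `wireguard_server.nix`. Either bind it in a shared `let` (or a small module option) and use that one binding in both places, or write the literal address; whatever is chosen, both files should read the same value since the uplink interface is matched on MAC (`matchOn = "mac"`). The `# Define your hostname.` and `# Set your time zone.` comments are `nixos-generate-config` template residue and can be dropped.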


@ -0,0 +1,6 @@
{
imports = [
./configuration.nix
./wireguard_server.nix
];
}


@ -0,0 +1,37 @@
{ config, ... }:
let
port = 51820;
in
{
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.firewall.allowedUDPPorts = [ port ];
deployment-dvb.net = {
iface.uplink = {
name = "ens3";
mac = mac_addr;
matchOn = "mac";
useDHCP = false;
addr4 = "172.20.73.70/25";
dns = [ "172.20.73.8" "9.9.9.9" ];
routes = [
{
routeConfig = {
Gateway = "172.20.73.1";
GatewayOnLink = true;
Destination = "0.0.0.0/0";
};
}
];
};
wg = {
addr4 = "10.13.37.6";
prefix4 = 24;
privateKeyFile = config.sops.secrets.wg-seckey.path;
publicKey = "zaMM8Fa/PK0Fq4pYl0KAyOYkOjHBrZ4RVgfqqFIzq3I=";
};
};
}
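Review bot: `privateKeyFile = config.sops.secrets.wg-seckey.path;` reads a secret that this commit never declares — there is no `sops.secrets.wg-seckey` entry in any of the added files, and sops-nix only decrypts secrets listed under `sops.secrets`, so unless another module declares it evaluation fails with a missing attribute. Add `sops.secrets.wg-seckey = { };` next to this use (with `owner`/`mode` if the WireGuard service runs unprivileged) so the decryption rule lives beside the consumer. The `port` binding is only used for `allowedUDPPorts`; if `deployment-dvb.net.wg` exposes a listen-port option, pass the same binding there so the firewall and the listener cannot drift apart.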