From b7bcb353f7180c310ddc3fcf38e6afed801c4129 Mon Sep 17 00:00:00 2001 From: Evan Reichard Date: Sat, 5 Apr 2025 12:56:54 -0400 Subject: [PATCH] wip rke2 --- flake.nix | 7 + modules/nixos/hardware/opengl/default.nix | 8 +- modules/nixos/nix/default.nix | 12 +- modules/nixos/security/sops/default.nix | 2 +- modules/nixos/services/cloud-init/default.nix | 26 ++++ modules/nixos/services/openiscsi/default.nix | 34 +++++ modules/nixos/services/openssh/default.nix | 4 +- modules/nixos/services/rke2/default.nix | 20 +++ modules/nixos/system/boot/default.nix | 4 +- systems/x86_64-vmware/rke2-node/default.nix | 131 +++++------------- 10 files changed, 134 insertions(+), 114 deletions(-) create mode 100644 modules/nixos/services/cloud-init/default.nix create mode 100644 modules/nixos/services/openiscsi/default.nix create mode 100644 modules/nixos/services/rke2/default.nix diff --git a/flake.nix b/flake.nix index 1cd599a..bcdc1aa 100755 --- a/flake.nix +++ b/flake.nix @@ -43,6 +43,13 @@ }; }; + channels-config = { + allowUnfree = true; + permittedInsecurePackages = [ + "intel-ocl-5.0-63503" + ]; + }; + homes.modules = with inputs; [ sops-nix.homeManagerModules.sops ]; diff --git a/modules/nixos/hardware/opengl/default.nix b/modules/nixos/hardware/opengl/default.nix index 7735192..068ffef 100644 --- a/modules/nixos/hardware/opengl/default.nix +++ b/modules/nixos/hardware/opengl/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf; + inherit (lib) mkIf mkForce; inherit (lib.${namespace}) mkBoolOpt; cfg = config.${namespace}.hardware.opengl; @@ -8,7 +8,7 @@ in { options.${namespace}.hardware.opengl = { enable = lib.mkEnableOption "support for opengl"; - enable32Bit = mkBoolOpt false "enabel 32-bit"; + enable32Bit = mkBoolOpt false "enable 32-bit"; enableIntel = mkBoolOpt false "support for intel"; enableNvidia = mkBoolOpt false "support for nvidia"; }; 
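Review bot: `permittedInsecurePackages = [ "intel-ocl-5.0-63503" ]` in the new `channels-config` block allowlists a package that nixpkgs marks insecure for every system built from this flake, and nothing records why it is needed or when it can be dropped. The removed rke2-node lines show `intel-ocl` was wanted only for the Intel Arc driver set, so if the exception can be scoped to the host that needs it that is preferable; failing that, add a comment next to it such as `# intel-ocl is marked insecure in nixpkgs; kept only for the Intel Arc compute stack — re-check on each nixpkgs bump`. The same reasoning applies to `allowUnfree = true`, which this commit moves from the single host that set `nixpkgs.config.allowUnfree` to the whole flake.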
@@ -19,8 +19,12 @@ in vdpauinfo ] ++ lib.optionals cfg.enableNvidia [ nvtopPackages.full + ] ++ lib.optionals cfg.enableIntel [ + intel-gpu-tools ]; + # Add Intel Arc / Nvidia Drivers + hardware.enableRedistributableFirmware = cfg.enableIntel; hardware.graphics = { enable = true; enable32Bit = cfg.enable32Bit; diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 87af8bb..0ef9838 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, namespace, host, ... }: let + inherit (lib) types mkIf; inherit (lib.${namespace}) mkBoolOpt mkOpt; cfg = config.${namespace}.nix; @@ -7,10 +8,10 @@ in { options.${namespace}.nix = { enable = mkBoolOpt true "Whether or not to manage nix configuration."; - package = mkOpt lib.types.package pkgs.nixVersions.latest "Which nix package to use."; + package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use."; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { nix = let users = [ @@ -23,11 +24,10 @@ in { inherit (cfg) package; - buildMachines = lib.optional (host != "nixos-builder") { + buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") { hostName = "10.0.50.130"; systems = [ "x86_64-linux" ]; sshUser = "evanreichard"; - speedFactor = 1; protocol = "ssh"; sshKey = config.sops.secrets.builder_ssh_key.path; supportedFeatures = [ @@ -46,10 +46,6 @@ in options = "--delete-older-than 7d"; }; - # This will additionally add your inputs to the system's legacy channels - # # Making legacy nix commands consistent as well - nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry; - optimise.automatic = true; settings = { diff --git a/modules/nixos/security/sops/default.nix b/modules/nixos/security/sops/default.nix index 7efad11..adfcfe5 100644 --- a/modules/nixos/security/sops/default.nix +++ b/modules/nixos/security/sops/default.nix 
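Review bot: The comment `# Add Intel Arc / Nvidia Drivers` above `hardware.enableRedistributableFirmware = cfg.enableIntel;` does not match the expression, which follows only the Intel flag; either include the Nvidia case in the condition or narrow the comment to `# Intel Arc needs the redistributable firmware blobs`. The first hunk of this file adds `mkForce` to the `inherit (lib)` list, but no visible line in either hunk uses it; if it is not used further down the file (which I cannot see), the import should be dropped rather than left as an unused name.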
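Review bot: The `buildMachines` entry in the third hunk of modules/nixos/nix/default.nix trusts the remote builder at `hostName = "10.0.50.130"` on the strength of the sops-provided `sshKey` alone; nothing pins the builder's SSH host key, so unless known_hosts is managed elsewhere the first connection accepts whatever key answers at that address, and a remote builder can return arbitrary outputs for the paths it builds. Add `publicHostKey = "<base64 host key placeholder>";` to the entry (or manage the host in `programs.ssh.knownHosts`) so the builder identity is fixed in the configuration. Gating on `config.${namespace}.security.sops.enable` avoids evaluating `config.sops.secrets.builder_ssh_key.path` on hosts without sops, but it does not guarantee that secret is declared on hosts that do enable sops; presumably it is declared elsewhere in this file, and if not, evaluation fails there with a missing-attribute error.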
@@ -9,7 +9,7 @@ in enable = lib.mkEnableOption "sops"; defaultSopsFile = mkOpt lib.types.path null "Default sops file."; sshKeyPaths = mkOpt (with lib.types; listOf path) [ - "/etc/ssh/ssh_host_ed25519_key" + # "/etc/ssh/ssh_host_ed25519_key" ] "SSH Key paths to use."; }; diff --git a/modules/nixos/services/cloud-init/default.nix b/modules/nixos/services/cloud-init/default.nix new file mode 100644 index 0000000..48834b2 --- /dev/null +++ b/modules/nixos/services/cloud-init/default.nix @@ -0,0 +1,26 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) mkIf; + + cfg = config.${namespace}.services.cloud-init; +in +{ + options.${namespace}.services.cloud-init = { + enable = lib.mkEnableOption "Enable Cloud-Init"; + }; + + config = mkIf cfg.enable { + services.cloud-init = { + enable = true; + network.enable = true; + settings = { + datasource_list = [ "NoCloud" ]; + preserve_hostname = false; + system_info = { + distro = "nixos"; + network.renderers = [ "networkd" ]; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/openiscsi/default.nix b/modules/nixos/services/openiscsi/default.nix new file mode 100644 index 0000000..a85f63f --- /dev/null +++ b/modules/nixos/services/openiscsi/default.nix 
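Review bot: Commenting out `"/etc/ssh/ssh_host_ed25519_key"` leaves `sshKeyPaths` defaulting to an empty list for every host that enables this module, with no replacement key source visible in the diff; unless an age key file is configured elsewhere, secret decryption at activation would fail on those hosts. If the intent is that the new cloud-init provisioned nodes have no stable host key to derive an identity from, keep the default here and clear it per host with `reichard.security.sops.sshKeyPaths = [ ];` in that host's configuration. A commented-out list element is also not self-explaining; if the default really should be empty, replace the line with a comment stating why.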
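Review bot: `lib.mkEnableOption "Enable Cloud-Init"` renders as "Whether to enable Enable Cloud-Init." because mkEnableOption already prepends "Whether to enable", so the argument should be just `"cloud-init"`. The new modules/nixos/services/rke2/default.nix has the same problem plus a typo, `mkEnableOption "Enabel RKE2"`, which should read `mkEnableOption "RKE2"`. Restricting `datasource_list` to `NoCloud` is a sound choice for these nodes, since it stops cloud-init probing other metadata sources at boot; a one-line comment above `settings` saying where the NoCloud seed is expected to come from would help the next reader.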
@@ -0,0 +1,34 @@ +{ config, pkgs, lib, namespace, host, ... }: +let + inherit (lib) types mkIf; + inherit (lib.${namespace}) mkOpt; + + cfg = config.${namespace}.services.openiscsi; +in +{ + options.${namespace}.services.openiscsi = { + enable = lib.mkEnableOption "Open iSCSI support"; + name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name"; + symlink = mkOpt types.bool false "Create a symlink to the iSCSI binaries"; + }; + + config = mkIf cfg.enable { + boot.kernelModules = [ "iscsi_tcp" "libiscsi" "scsi_transport_iscsi" ]; + + services.openiscsi = { + enable = true; + name = cfg.name; + }; + + environment.systemPackages = with pkgs; [ + openiscsi + ]; + + # Predominately used for RKE2 & Democratic CSI + system.activationScripts.iscsi-symlink = mkIf cfg.symlink '' + mkdir -p /usr/bin + ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm + ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid + ''; + }; +} diff --git a/modules/nixos/services/openssh/default.nix b/modules/nixos/services/openssh/default.nix index 3c22359..7b5f061 100644 --- a/modules/nixos/services/openssh/default.nix +++ b/modules/nixos/services/openssh/default.nix @@ -1,4 +1,4 @@ -{ config, format, lib, namespace, ... }: +{ config, lib, namespace, ... }: let inherit (lib) types @@ -40,7 +40,7 @@ in AuthenticationMethods = "publickey"; ChallengeResponseAuthentication = "no"; PasswordAuthentication = false; - PermitRootLogin = if format == "install-iso" then "yes" else "no"; + PermitRootLogin = "prohibit-password"; PubkeyAuthentication = "yes"; StreamLocalBindUnlink = "yes"; UseDns = false; diff --git a/modules/nixos/services/rke2/default.nix b/modules/nixos/services/rke2/default.nix new file mode 100644 index 0000000..d65e2ae --- /dev/null +++ b/modules/nixos/services/rke2/default.nix 
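Review bot: The default `name = "iqn.2025.reichard.io:${host}"` bakes the build-time host name into the initiator IQN, while the rke2-node configuration forces `networking.hostName` to "" and leaves naming to cloud-init at runtime; every node built from that image would therefore present the same initiator name to the target, which the removed rke2-node line (`# Overridden @ Runtime`) suggests used to be handled differently. Either document in this module how the name is overridden on the node, or make the option mandatory with no default so each host sets its own. The value also does not follow the `iqn.yyyy-mm.reversed-domain:id` form, e.g. `iqn.2025-04.io.reichard:${host}`; some targets validate this. The activation script creates `/usr/bin/iscsiadm` and `/usr/bin/iscsid` symlinks but nothing removes them when `symlink` is later set back to false, so a link to a garbage-collected store path can linger.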
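Review bot: `PermitRootLogin = "prohibit-password"` replaces a value that was "no" on every non-ISO host, so this module now allows key-based root logins everywhere it is enabled, widening exposure on hosts that never needed root SSH; the rke2-node host this serves previously carried that setting itself (removed in the rke2-node hunks). Keep "no" as the module default and expose the choice as an option, e.g. `permitRootLogin = mkOpt types.str "no" "Value for sshd PermitRootLogin.";` in `options` (mkOpt from lib.${namespace}, as the other modules use) and `PermitRootLogin = cfg.permitRootLogin;` here, with rke2-node setting `"prohibit-password"`. Dropping `format` from the argument list also changes the install ISO from "yes" to "prohibit-password"; that may be intended, but it deserves a sentence in the commit message. The enclosing `settings` block continues outside the hunk.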
@@ -0,0 +1,20 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) types mkIf; + inherit (lib.${namespace}) mkOpt; + + cfg = config.${namespace}.services.rke2; +in +{ + options.${namespace}.services.rke2 = with types; { + enable = lib.mkEnableOption "Enabel RKE2"; + disable = mkOpt (listOf str) [ ] "Disable services"; + }; + + config = mkIf cfg.enable { + services.rke2 = { + enable = true; + disable = cfg.disable; + }; + }; +} diff --git a/modules/nixos/system/boot/default.nix b/modules/nixos/system/boot/default.nix index ebb0e13..cfe2b95 100644 --- a/modules/nixos/system/boot/default.nix +++ b/modules/nixos/system/boot/default.nix @@ -43,11 +43,9 @@ in }; initrd = mkIf cfg.xenGuest { - availableKernelModules = [ "xen_blkfront" "xen_netfront" ]; kernelModules = [ "xen_netfront" "xen_blkfront" ]; - supportedFilesystems = [ "ext4" "xenfs" ]; + supportedFilesystems = [ "xenfs" ]; }; - kernelModules = mkIf cfg.xenGuest [ "xen_netfront" "xen_blkfront" "xenfs" ]; }; }; diff --git a/systems/x86_64-vmware/rke2-node/default.nix b/systems/x86_64-vmware/rke2-node/default.nix index 9c28331..c87b5a5 100755 --- a/systems/x86_64-vmware/rke2-node/default.nix +++ b/systems/x86_64-vmware/rke2-node/default.nix @@ -1,16 +1,46 @@ -{ pkgs, lib, modulesPath, ... }: +{ pkgs, namespace, lib, modulesPath, ... }: +let + inherit (lib.${namespace}) enabled; +in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + config = { reichard = { - nix.enable = false; + nix = enabled; + + system = { + boot = { + enable = true; + xenGuest = true; + }; + }; + + services = { + openssh = enabled; + cloud-init = enabled; + rke2 = { + enable = true; + disable = [ "rke2-ingress-nginx" ]; + }; + openiscsi = { + enable = true; + symlink = true; + }; + }; + + hardware = { + opengl = { + enable = true; + enableIntel = true; + }; + }; }; # Basic System system.stateVersion = "24.11"; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; time.timeZone = "UTC"; fileSystems."/" = { 
@@ -19,41 +49,6 @@ autoResize = true; }; - boot = { - initrd = { - availableKernelModules = [ - # Xen - "xen_blkfront" - "xen_netfront" - ]; - kernelModules = [ "xen_netfront" "xen_blkfront" ]; - supportedFilesystems = [ "ext4" "xenfs" ]; - }; - kernelModules = [ - # Xen VM Requirements - "xen_netfront" - "xen_blkfront" - "xenfs" - - # iSCSI - "iscsi_tcp" - ]; - }; - - # Add Intel Arc A310 GPU Drivers - nixpkgs.config.allowUnfree = true; - hardware.enableRedistributableFirmware = true; - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - libvdpau-va-gl - intel-vaapi-driver - intel-media-driver - intel-compute-runtime - intel-ocl - ]; - }; - # Network Configuration networking = { hostName = lib.mkForce ""; @@ -88,44 +83,6 @@ }; }; - services = { - # Enable Xen Guest Utilities - xe-guest-utilities.enable = true; - - # Enable iSCSI - openiscsi = { - enable = true; - name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime - }; - - # Cloud Init - cloud-init = { - enable = true; - network.enable = true; - settings = { - datasource_list = [ "NoCloud" ]; - preserve_hostname = false; - system_info.distro = "nixos"; - system_info.network.renderers = [ "networkd" ]; - }; - }; - - # Enable SSH - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - - # Enable RKE2 - rke2 = { - enable = true; - disable = [ "rke2-ingress-nginx" ]; - }; - }; - systemd.services = { # RKE2 - Wait Cloud Init rke2-server = { 
@@ -155,33 +112,11 @@ }; }; - # User Authorized Keys - users.users.root = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard" - ]; - hashedPassword = null; - }; - - # Add Symlinks Expected by Democratic - system.activationScripts = { - iscsi-initiator = '' - mkdir -p /usr/bin - ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm - ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid - ''; - }; - # System Packages environment = { systemPackages = with pkgs; [ htop - intel-gpu-tools - k9s - kubectl - kubernetes-helm nfs-utils - openiscsi tmux vim ];
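Review bot: Removing `users.users.root.openssh.authorizedKeys.keys` leaves no authorized key for root in the image, while the shared openssh module now sets `PermitRootLogin = "prohibit-password"`, so administrative access to these nodes depends entirely on what cloud-init delivers at first boot; nothing in the diff shows that, and the file no longer says so. Add a comment where the block was, e.g. `# Root SSH keys are provisioned at boot by cloud-init; none are baked into the image`, so the next reader neither assumes the node is unreachable nor re-adds a static key. The `iscsi-initiator` activation script and the `openiscsi` package move into the new openiscsi module, which this host enables with `symlink = true`; that part is consistent.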