nixos-config/modules/services/dmz/microvm.nix


{ config, microvm, nixpkgs, user, agenix, impermanence, ... }:
let
  # Name of the guest; reused for the autostart list, the hostname,
  # the tap interface id and the host-side persistence directory.
  name = "gitea-runner";
in
{
  microvm = {
    # Start this guest together with the host.
    autostart = [ name ];

    vms.${name} = {
      # Guest package set: plain nixpkgs, unfree packages permitted.
      pkgs = import nixpkgs {
        system = "x86_64-linux";
        config.allowUnfree = true;
      };

      config = {
        # Secrets (agenix), ephemeral root handling (impermanence) and the
        # runner-specific module that lives next to this file.
        imports = [
          agenix.nixosModules.default
          impermanence.nixosModules.impermanence
          ./gitea_runner.nix
        ];

        networking = {
          hostName = name;
          # Firewall on, no extra ports opened here. NOTE(review): whatever
          # sshd opens is controlled by services.openssh.openFirewall (not set
          # in this file) — confirm that is the intended exposure.
          firewall = {
            enable = true;
            allowedTCPPorts = [ ];
            allowedUDPPorts = [ ];
          };
        };

        # Address every interface via DHCP and accept IPv6 router advertisements.
        systemd.network = {
          enable = true;
          networks."10-lan" = {
            matchConfig.Name = "*";
            networkConfig = {
              DHCP = "yes";
              IPv6AcceptRA = true;
            };
          };
        };

        # Interactive system user (wheel member, fixed uid).
        # NOTE(review): initialPassword is a plaintext, well-known value on a
        # wheel member. SSH password logins are disabled below, but the value
        # still applies at account creation and for console/sudo use; an
        # agenix-managed hashedPasswordFile/passwordFile would avoid storing
        # it in the repository.
        users.users.${user} = {
          isNormalUser = true;
          uid = 2000;
          extraGroups = [ "wheel" ];
          initialPassword = "runnertest";
          openssh.authorizedKeys.keys = [
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
          ];
        };

        # Key-only SSH; host keys are kept under /persist so they survive the
        # ephemeral root and the guest's SSH identity stays stable.
        services.openssh = {
          enable = true;
          settings.PasswordAuthentication = false;
          hostKeys = [
            { path = "/persist/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
            { path = "/persist/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
          ];
        };

        # /persist is a virtiofs share (see microvm.shares below); it must be
        # mounted before impermanence binds state out of it.
        fileSystems."/persist".neededForBoot = nixpkgs.lib.mkForce true;
        environment.persistence."/persist" = {
          directories = [
            "/var/lib/nixos"
            "/var/log"
            "/var/lib/gitea-runner"
          ];
          files = [ "/etc/machine-id" ];
        };

        microvm = {
          hypervisor = "cloud-hypervisor";
          vcpu = 4;
          mem = 4096;
          # Bridged macvtap on the host NIC, so the guest gets its own address
          # from the LAN's DHCP server.
          # NOTE(review): 04:00:00:00:00:01 does not carry the locally
          # administered bit (0x02 in the first octet), so it sits in
          # globally assigned OUI space; presumably hand-picked — a 02:
          # prefix would avoid a vendor collision, at the cost of a new
          # DHCP lease.
          interfaces = [
            {
              type = "macvtap";
              id = "vm-${name}";
              mac = "04:00:00:00:00:01";
              macvtap = {
                link = "enp6s18";
                mode = "bridge";
              };
            }
          ];
          # Host store read-only, plus a per-VM persistence directory on the host.
          shares = [
            {
              source = "/nix/store";
              mountPoint = "/nix/.ro-store";
              tag = "ro-store";
              proto = "virtiofs";
            }
            {
              source = "/etc/vm-persist/${name}";
              mountPoint = "/persist";
              tag = "persist";
              proto = "virtiofs";
            }
          ];
          #writableStoreOverlay = "/nix/.rw-store";
          #storeOnDisk = true;
        };

        system.stateVersion = "23.05";
      };
    };
  };
}