diff --git a/Taskfile b/Taskfile
index b88cf30..3a212c5 100755
--- a/Taskfile
+++ b/Taskfile
@@ -12,7 +12,11 @@ build() {
 dump() {
 build "$@"
- sudo cp -f result/vzdump* /mnt/share/proxmox/dump/
+ if [ -a "vm-$1.nix" ]; then
+ sudo cp -f result/vzdump* /mnt/share/proxmox/dump/
+ elif [ -a "lxc-$1.nix" ]; then
+ sudo cp -f result/tarball/nixos-system-x86_64-linux.tar.xz "/mnt/share/proxmox/dump/$1.tar.xz"
+ fi
 }
 get-ip() {
@@ -20,8 +24,10 @@ get-ip() {
 if [[ "$file" = "proxmox" ]]; then
 echo 192.168.0.3
 return
- elif [[ "$file" != *.nix ]]; then
+ elif [[ "$file" != *.nix && -a "vm-$1.nix" ]]; then
 file="vm-$1.nix"
+ elif [[ "$file" != *.nix && -a "lxc-$1.nix" ]]; then
+ file="lxc-$1.nix"
 fi
 grep ip4 "$file" | grep -Po "[0-9]+(\.[0-9]+){3}"
 }
diff --git a/flake.lock b/flake.lock
index 6bf780d..9ed5c8f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
 "flake-compat": {
 "flake": false,
 "locked": {
- "lastModified": 1733328505,
- "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+ "lastModified": 1747046372,
+ "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
 "type": "github"
 },
 "original": {
@@ -41,11 +41,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1748051893,
- "narHash": "sha256-KV6bgVHPzb9ymVk9WDRX1lkkeoZETMbS/MyPpIOUWVo=",
+ "lastModified": 1755914134,
+ "narHash": "sha256-RZNriojTbxeuCcytq/RlXQ7xJIDZPzGScPxWRft2fbM=",
 "owner": "Infinidoge",
 "repo": "nix-minecraft",
- "rev": "a600d058c19e1668db6ba759ecc4cfd154079ab5",
+ "rev": "f4f58df48f0ebd1c898a043790cd58dd95bc272c",
 "type": "github"
 },
 "original": {
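Review bot: `dump()` now silently does nothing after `build "$@"` when neither `vm-$1.nix` nor `lxc-$1.nix` exists, and both new branches (as well as the two `elif` arms in the `get-ip` hunk below) use the `-a` file test, which is a bash-only synonym for `-e` and means binary AND in POSIX `[`, so `-e` is the unambiguous spelling. Suggest `-e` in all four tests plus a terminating arm in `dump()`, e.g. `else echo "no vm-$1.nix or lxc-$1.nix" >&2; return 1`, so a mistyped name fails loudly instead of building and copying nothing. In `get-ip` the same fall-through leaves `file` as the bare argument and the closing `grep ip4 "$file"` then fails on a missing file; a final `else return 1` would make that explicit there too. `dump()` is fully inside its hunk; `get-ip()` opens before the second hunk starts.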
@@ -56,11 +56,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1742889210,
- "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
+ "lastModified": 1748929857,
+ "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
+ "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
 "type": "github"
 },
 "original": {
@@ -72,16 +72,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1747862697,
- "narHash": "sha256-U4HaNZ1W26cbOVm0Eb5OdGSnfQVWQKbLSPrSSa78KC0=",
+ "lastModified": 1755704039,
+ "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2baa12ff69913392faf0ace833bc54bba297ea95",
+ "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-24.11",
+ "ref": "nixos-25.05",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 55a1e9a..3726b2f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,13 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
 nix-minecraft.url = "github:Infinidoge/nix-minecraft";
 };
 outputs = { self, nixpkgs, ... }@inputs:
 let
 system = "x86_64-linux";
- nixos = path: nixpkgs.lib.nixosSystem {
+ nixos-vma = path: nixpkgs.lib.nixosSystem {
 specialArgs = { inherit system inputs; };
 modules = [
 "${nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
@@ -15,16 +15,27 @@ outputs = { self, nixpkgs, ... }@inputs:
 path
 ];
 };
+ nixos-lxc = path: nixpkgs.lib.nixosSystem {
+ specialArgs = { inherit system inputs; };
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ { nixpkgs.hostPlatform = "${system}"; }
+ path
+ ];
+ };
 image = name: self.nixosConfigurations.${name}.config.system.build.VMA;
+ lxc = name: self.nixosConfigurations.${name}.config.system.build.tarball;
 in {
 nixosConfigurations = {
- majcraft = nixos ./vm-majcraft.nix;
- homelab = nixos ./vm-homelab.nix;
+ majcraft = nixos-vma ./vm-majcraft.nix;
+ homelab = nixos-vma ./vm-homelab.nix;
+ metrics = nixos-lxc ./lxc-metrics.nix;
 };
 packages.${system} = {
 majcraft = image "majcraft";
 homelab = image "homelab";
+ metrics = lxc "metrics";
 };
 };
 }
diff --git a/lxc-base.nix b/lxc-base.nix
new file mode 100644
index 0000000..7dfb446
--- /dev/null
+++ b/lxc-base.nix
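Review bot: `nixos-lxc` is a copy of `nixos-vma` that differs only in the virtualisation module path, and its `{ nixpkgs.hostPlatform = "${system}"; }` interpolates a value that is already a string (`nixpkgs.hostPlatform = system;` is equivalent). One builder parameterised by the module name removes the duplication; the middle line of `nixos-vma`'s module list (old line 14) sits between the two hunks and is not visible here, so confirm it matches the LXC variant before folding. The `proxmox-lxc.nix` module that `nixos-lxc` adds is imported a second time inside lxc-base.nix, so one of the two imports is redundant.
```nix
mkSystem = virt: path: nixpkgs.lib.nixosSystem {
  specialArgs = { inherit system inputs; };
  modules = [
    "${nixpkgs}/nixos/modules/virtualisation/${virt}.nix"
    { nixpkgs.hostPlatform = system; }
    path
  ];
};
nixos-vma = mkSystem "proxmox-image";
nixos-lxc = mkSystem "proxmox-lxc";
# … unchanged: image / lxc helpers and the nixosConfigurations / packages sets …
```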
@@ -0,0 +1,116 @@
+{ config, pkgs, modulesPath, lib, ... }:
+
+{
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ];
+
+ options.my.vm = {
+ name = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "hello01";
+ description = "Used for vm name and hostname";
+ };
+
+ iface = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "ens18";
+ example = "ens18";
+ description = "Interface on which static IP is bound";
+ };
+
+ ip4 = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "192.168.0.42";
+ description = "Static IP for this VM";
+ };
+ };
+
+ config = let cfg = config.my.vm; in {
+ proxmoxLXC = {
+ enable = true;
+ };
+
+ # Allow remote updates with flakes and non-root users
+ nix.settings.trusted-users = [ "root" "@wheel" ];
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # Enable mDNS for `hostname.local` addresses
+ services.avahi.enable = true;
+ services.avahi.nssmdns4 = true;
+ services.avahi.publish = {
+ enable = true;
+ addresses = true;
+ };
+
+ # Some sane packages we need on every system
+ environment.systemPackages = with pkgs; [
+ vim
+ git # for pulling nix flakes
+ ];
+
+ # doing it here opens udp port _and_ installs package
+ programs.mosh.enable = true;
+
+ # Don't ask for passwords
+ security.sudo.wheelNeedsPassword = false;
+
+ # Don't use cloud-init
+ services.cloud-init.network.enable = lib.mkForce false;
+ networking = {
+ hostName = cfg.name;
+ nameservers = ["192.168.0.1"];
+ interfaces.${cfg.iface} = {
+ ipv4.addresses = [{
+ address = cfg.ip4;
+ prefixLength = 24;
+ }];
+ };
+ defaultGateway = {
+ address = "192.168.0.1";
+ interface = "${cfg.iface}";
+ };
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "${cfg.iface}";
+ };
+ };
+
+ # Enable ssh
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
+ programs.ssh.startAgent = true;
+
+ # Enable prometheus metrics export
+ networking.firewall.allowedTCPPorts = [ 9100 ];
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9100;
+ enabledCollectors = ["systemd"];
+ };
+
+ # Add an admin user
+ users.users.admin = {
+ isNormalUser = true;
+ description = "Robert Perce";
+ extraGroups = [ "wheel" ];
+ };
+
+ users.users.admin.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFTDd1G3ufe8lCEWMbMN+q83WrrS92+qrI2tOaMtit+q robert@aether"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdReqMvpgCuez7dTeSaMnHU/7gDal6/HH7c8m17M1hb rob@ereshkigal"
+ ];
+
+ # Default filesystem
+ fileSystems."/" = lib.mkDefault {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+
+ system.stateVersion = lib.mkDefault "24.11";
+ };
+}
diff --git a/lxc-metrics.nix b/lxc-metrics.nix
new file mode 100644
index 0000000..1735011
--- /dev/null
+++ b/lxc-metrics.nix
@@ -0,0 +1,61 @@
+{ config, inputs, pkgs, ... }:
+
+{
+ imports = [
+ ./lxc-base.nix
+ ];
+
+ config = {
+ my.vm = {
+ name = "metrics01";
+ ip4 = "192.168.0.6";
+ };
+
+ # environment.systemPackages = with pkgs; [
+
+ # ]
+ networking.extraHosts = ''
+ 192.168.0.2 xalicas
+ 192.168.0.3 proxmox
+ 192.168.0.4 craft01
+ 192.168.0.5 lab01
+ 192.168.0.6 metrics01
+ 192.168.0.100 unifi
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_addr = "0.0.0.0";
+ http_port = 3000;
+
+ enable_gzip = true;
+ enforce_domain = false;
+ domain = "metrics.rperce.net";
+ };
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [
+ { job_name = "nodes";
+ static_configs = [{
+ targets = [
+ "xalicas:9100"
+ "proxmox:9100"
+ "craft01:9100"
+ "lab01:9100"
+ "127.0.0.1:9100"
+ "unifi:9100"
+ ];
+ }];
+ }
+ ];
+ };
+ };
+}
diff --git a/recipes/proxmox-nag.bash b/recipes/proxmox-nag.bash
new file mode 100644
index 0000000..9556763
--- /dev/null
+++ b/recipes/proxmox-nag.bash
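Review bot: The static address under `networking.interfaces.${cfg.iface}` (default `ens18`) may never be applied inside the container: `proxmoxLXC` is enabled with only `enable = true`, and unless the module's `manageNetwork` option is switched on Proxmox supplies the guest's network configuration itself (the same applies to `hostName = cfg.name` versus `manageHostName`); `ens18` is also the virtio name inherited from the VM base, while an LXC guest typically sees `eth0`, so confirm against the proxmox-lxc module before relying on `get-ip` reading `ip4` out of this file. Either set `proxmoxLXC.manageNetwork = true;` and default `iface` to `"eth0"`, or drop the `networking.interfaces`/`defaultGateway*` block and keep `ip4` only as the address Proxmox is told to assign. The `imports` entry re-adds `proxmox-lxc.nix`, which `nixos-lxc` in flake.nix already places on the module list, so one of the two is redundant. `nix.settings.trusted-users = [ "root" "@wheel" ]` makes every wheel member root-equivalent towards the Nix daemon, which is consistent with `wheelNeedsPassword = false` but deserves saying in the comment, e.g. `# wheel is root-equivalent here: passwordless sudo and Nix trusted-user`. The `options.my.vm` descriptions (`Used for vm name and hostname`, `Static IP for this VM`) still describe a VM although this base builds LXC guests.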
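Review bot: Grafana is bound to `0.0.0.0:3000`, opened in the firewall here and fronted by Caddy (vm-homelab.nix hunk), yet no `security.admin_password` or `security.secret_key` is set, so the instance starts with Grafana's built-in defaults for both. Set them from files kept out of the store, e.g. `settings.security.admin_password = "$__file{<PATH-TO-ADMIN-PASSWORD-FILE>}";` and `settings.security.secret_key = "$__file{<PATH-TO-SECRET-KEY-FILE>}";`, since literal values would land world-readable in /nix/store. `server.root_url` is not set either, so Grafana's links and redirects fall back to `http://metrics.rperce.net:3000/`; behind the reverse proxy it should be the externally served URL, e.g. `server.root_url = "https://metrics.rperce.net/";` (scheme per what Caddy serves). As far as this hunk shows, Prometheus on `127.0.0.1:9001` is not provisioned as a Grafana datasource, so that wiring remains a manual step worth a comment. The commented-out `environment.systemPackages` stanza (which also lacks its `;`) is dead text and can go.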
@@ -0,0 +1,8 @@
+echo '$ run ssh proxmox'
+echo '$ su # with "proxmox root" pw'
+echo '$ vi /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js'
+echo '/No valid'
+echo '?!== .active'
+echo 'x'
+echo ':wq'
+echo 'systemctl restart pveproxy'
diff --git a/vm-homelab.nix b/vm-homelab.nix
index 0c469cb..5ebd4a1 100644
--- a/vm-homelab.nix
+++ b/vm-homelab.nix
@@ -36,7 +36,7 @@
 reverse_proxy http://192.168.0.2:2283
 '';
 "metrics.rperce.net".extraConfig = ''
- reverse_proxy http://192.168.0.2:3000
+ reverse_proxy http://192.168.0.6:3000
 '';
 "jellyfin.rperce.net".extraConfig = ''
 reverse_proxy http://192.168.0.2:8096
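Review bot: The new recipe has no shebang and no header comment saying what the echoed steps accomplish, so a reader sees only a sequence of vi keystrokes against `proxmoxlib.js`; a top line such as `# Runbook: hand-edit proxmoxlib.js on the Proxmox host; re-apply after every pve-manager upgrade` would record both the purpose and the fact that the file is package-managed and overwritten on upgrade. The `?!== .active` followed by `x` deletes one character blind, so the comment should also name which character is expected at the match, otherwise there is no way to tell whether the search landed where intended. The widget-toolkit path is hard-coded and should be noted as version-dependent.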
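Review bot: The Grafana upstream `192.168.0.6` is now a second copy of the address declared as `my.vm.ip4` in lxc-metrics.nix with nothing tying the two together; if the homelab VM can resolve `metrics01` (the metrics host does via its own `extraHosts`, but that is not shared here), `reverse_proxy http://metrics01:3000` keeps a single source of truth, otherwise a comment `# must match my.vm.ip4 in lxc-metrics.nix` at least flags the coupling. The Caddy virtual-host block continues outside the hunk.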