Prepare for imperative microvms

Ramblurr · Feb 24, 2025 · 16d7e28 · 16d7e28
1 parent 7007231
commit 16d7e28
Show file tree

Hide file tree

Showing 18 changed files with 347 additions and 36 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -12,6 +12,7 @@ keys:
       - &witt age1dzr2v5py0vwj3wujdmfgcfjqc26vz07u7vl0j8la345y97f0au2smk79jd
       - &addams age1t70vans0qsnru7j06fwtj7wq7hpfj59cxreu9a20rrxuahff9fmqsa2wjd
       - &hello-world age14vg23yfklu7ld6flwnycx4lmfhkkuncejsju7tus2hj5qrryvgxsvvqtng
+      - &linkding age1uh5u7zcz28dskcskpyznxkyg2y4xj0wkaf4usmrjhkmfhzr6gg8qynk3hq
 creation_rules:
   - path_regex: terraform/secrets.sops.ya?ml$
     key_groups:
@@ -87,3 +88,10 @@ creation_rules:
           - *hello-world
           - *disaster-recovery
           - *ramblurr-tmp
+
+  - path_regex: guests/linkding/.*.sops.*$
+    key_groups:
+      - age:
+          - *linkding
+          - *disaster-recovery
+          - *ramblurr-tmp
diff --git a/config/common-server.nix b/config/common-server.nix
@@ -55,6 +55,7 @@
       bmon
       curl
       nvd
+      ncdu
       dig
       ethtool
       fd

diff --git a/config/guests.nix b/config/guests.nix
@@ -1,6 +1,7 @@
-{ inputs, ... }:
+{ inputs, config, ... }:
 {
   imports = [
+    inputs.home-manager.nixosModules.home-manager
     inputs.microvm.nixosModules.microvm
     inputs.impermanence.nixosModules.impermanence
     inputs.sops-nix.nixosModules.sops
@@ -14,4 +15,15 @@
     ../modules/sops.nix
     ../modules/impermanence/default.nix
   ];
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    sharedModules = [
+      {
+        home.stateVersion = config.system.stateVersion;
+      }
+      inputs.quadlet-nix.homeManagerModules.quadlet
+    ];
+  };
 }
diff --git a/config/site.nix b/config/site.nix
@@ -55,6 +55,7 @@ in
     domainName = "prim.${domain}";
     mtu = 1500;
     subnet4 = "10.9.4.0/22";
+    #subnets6 = { };
     subnets6.main = "${prefix6}:4::/64";
     hosts4 = {
       addams = [
@@ -65,6 +66,7 @@ in
       dewey = [ "10.9.4.17" ];
       mali = [ "10.9.4.10" ];
     };
+    hosts6 = { };
     hosts6.main = {
       addams = [ "${prefix6}:4::1" ];
     };
@@ -210,15 +212,17 @@ in
     subnets6.main = "${prefix6}:5::/64";
     hosts4 = {
       addams = [ "172.20.20.1" ];
-      hello-world = [ "172.20.20.2" ];
-      quine = [ "172.20.20.3" ];
+      quine = [ "172.20.20.2" ];
+      dewey = [ "172.20.20.3" ];
+      debord = [ "172.20.20.4" ];
+      linkding = [ "172.20.20.20" ];
     };
     hosts6.local = {
       addams = [ "${prefix6}:5::1" ];
     };
     dhcp = {
       enable = true;
-      start = "172.20.20.10";
+      start = "172.20.20.200";
       end = "172.20.20.254";
       router = "addams";
     };
@@ -313,6 +317,10 @@ in
           parent = "lan0";
           gw4 = true;
         };
+        svc = {
+          type = "bridge";
+          parent = "lan0";
+        };
       };
     };
     quine = {
@@ -321,6 +329,7 @@ in
         lan0.type = "phys";
         prim.type = "bridge";
         svc.type = "bridge";
+        vpn.type = "bridge";
       };
     };
     mali = {

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -14,7 +14,8 @@
 
     nixfmt.url = "github:serokell/nixfmt";
 
-    microvm.url = "github:astro/microvm.nix";
+    #microvm.url = "github:astro/microvm.nix";
+    microvm.url = "path:/home/ramblurr/src/microvm.nix";
     microvm.inputs.nixpkgs.follows = "nixpkgs";
 
     cadquery.url = "github:vinszent/cq-flake/main";

diff --git a/guests/linkding/default.nix b/guests/linkding/default.nix
@@ -0,0 +1,109 @@
+{
+  lib,
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.users.users.linkding) uid name;
+  inherit (config.repo.secrets.global) domain;
+  homeDir = "/home/linkding";
+in
+{
+  system.stateVersion = "24.11";
+  repo.secretFiles.home-ops = ../../secrets/home-ops.nix;
+  modules.microvm-guest = {
+    host = "dewey";
+    hostFQDN = "bookmarks.${domain}";
+    homeManager = {
+      enable = true;
+      username = "linkding";
+      uid = config.repo.secrets.home-ops.users.linkding.uid;
+      gid = config.repo.secrets.home-ops.groups.linkding.gid;
+    };
+    quadlet.enable = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/linkding 0750 ${name} ${name}"
+  ];
+
+  microvm.hypervisor = "qemu";
+  microvm.credentialFiles = {
+    "SOPS_AGE_KEY" = "/run/secrets/linkding_sops_age_key";
+  };
+  systemd.services.sshd = {
+    serviceConfig = {
+      ImportCredential = "SOPS_AGE_KEY";
+    };
+    preStart = ''
+      # Make sure we don't write to stdout, since in case of
+      # socket activation, it goes to the remote side (#19589).
+      exec >&2
+      mkdir -p /etc/ssh
+      cat $CREDENTIALS_DIRECTORY/SOPS_AGE_KEY > /etc/ssh/ssh_host_ed25519_key
+      chmod 0600 /etc/ssh/ssh_host_ed25519_key
+    '';
+  };
+  ##microvm.qemu.machine = "q35";
+  #microvm.qemu.extraArgs = [
+  #  # only works with  microvm.qemu.machine = "q35";
+  #  #"-smbios" "type=11,value=io.systemd.credential:mycred=supersecret"
+
+  #  #WORKS
+  #  "-fw_cfg"
+  #  "name=opt/io.systemd.credentials/mycred,string=supersecret"
+  #];
+  #microvm.cloud-hypervisor.platformOEMStrings = [
+  #  "io.systemd.credential:APIKEY=supersecret"
+  #];
+  microvm.shares =
+    let
+      dir = "/var/lib/linkding";
+      tag = builtins.replaceStrings [ "/" ] [ "_" ] dir;
+    in
+    [
+      {
+        inherit tag;
+        source = "/var/lib/linkding";
+        mountPoint = dir;
+        proto = "virtiofs";
+      }
+    ];
+
+  home-manager.users.linkding =
+    { pkgs, config, ... }:
+    {
+      #virtualisation.quadlet.containers.linkding = {
+      #  autoStart = false;
+      #  serviceConfig = {
+      #    RestartSec = "10";
+      #    Restart = "always";
+      #  };
+      #  containerConfig = {
+      #    # renovate: docker-image
+      #    image = "docker.io/sissbruecker/linkding:1.38.0";
+      #    autoUpdate = "registry";
+      #    userns = "keep-id";
+      #    publishPorts = [ "8080:9090" ];
+      #    environments = {
+      #      LD_AUTH_PROXY_USERNAME_HEADER = "HTTP_X_AUTHENTIK_USERNAME";
+      #      LD_ENABLE_AUTH_PROXY = "True";
+      #      LD_SUPERUSER_NAME = "casey";
+      #      LD_DB_ENGINE = "postgres";
+      #      LD_DB_HOST = "/run/postgresql";
+      #      LD_DB_PORT = "";
+      #      LD_DB_DATABASE = "linkding";
+      #      LD_DB_USER = "linkding";
+      #      LD_DB_PASSWORD = "";
+      #    };
+      #    podmanArgs = [ ];
+      #    volumes = [
+      #      "/var/lib/linkding:/etc/linkding/data:rw"
+      #      "/run/postgresql:/run/postgresql:ro"
+      #    ];
+      #  };
+      #};
+    };
+}
diff --git a/guests/linkding/secrets.sops.yaml b/guests/linkding/secrets.sops.yaml
@@ -0,0 +1,42 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:oImvdjWrBC6LaDT8YRvH3th83Fjf/PN6+6fIVdaj1PlnR9bYdP2IxHk7QNj/L4fG7BHvs/5Yh9YqAWl6285JLkNq2gSkl6I5i0kfxUooul5aJ0XDkJqvvuvOlXq7aWim9aA3wH3/GtEZAeF/ak7p/tx2+cHMZNSZ5onUnqhWfvWwHhM8k/AQAu6NDMYiYw7WE+WjBQmiW204LKEAWIHSEFCaklKbnIVjBJGn/qxmAsOR33Ux0HRvpPofdto8zGekACpChO0r6tZJStnBQFd5T2Fl2Iip/2n4Txh+Iy2ghdsK6ExRt0SnsPuJYTbKXO/T2bs2Dx2Cdmv4xAiVLK4HNFwczguaVYl+0BGNoXzLV03ihr9QHjyZH7L8pDstRdw9WbK099loUwGAbHqbG/qiww24GnO2+lYVCQ7XpYReejY/rChgdVp110RU0jFrNIUncEShtcXghkjwa/4Gg2euFz3QSaSKOHbaUDh6/En6zSu2jlGPIIA60DfMgN0yuSLiR+EXwWl+Jy+QJsvwPBM/,iv:nym+wL8JnfA0d9YoecpXJS6o5dNUQL5+QxE4d7Xu0CE=,tag:LciQESy7KmS1w3H0ff6JMA==,type:str]
+ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:6v4wnXaGFSR2yuPGkNTGagZBQz4RX3nn5i0DFCJnehPSSlNRrex8/9wLO9iJbOwURxW1eHku8oaLbxa21u9LqWeyTq+dVtx25ussgtLuMcPl9pVYbErnVZw=,iv:eJ4xHXwXSbOjQ6DpjI7RsjPhSdHX/Icp2Kx4n0E5SBQ=,tag:09xh1RX97wiriGRgZ8A2eA==,type:str]
+age_key_pub: ENC[AES256_GCM,data:DzGc3LXqBpiPj/5Ig796AMKVa0abzgmGvgHdh28QqC5MWF4GcFPVqDHdb7N3SL5sfACUrYESBZNGZTV03+M=,iv:IYbl56HzusNPlc2/aXOsl4Jg+G7e+f9pnULaDnX3g9I=,tag:gThJFbqSwsFoIYFeAfKqpA==,type:str]
+machine_id: ENC[AES256_GCM,data:jbOYgynDeAi5eYeOR0qIqvUvPRjDA1F+sz7W9CZ9CRc=,iv:Cf/mjHcgkCiVYI2gT8yW7FQWD4r6ahd0J943qnss9+0=,tag:2+8/XWFDS/44n9negtdbdg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uh5u7zcz28dskcskpyznxkyg2y4xj0wkaf4usmrjhkmfhzr6gg8qynk3hq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eHBZS3ZHWG55cy9iWjRl
+            bUhGNlU0bHAwS0hJQnVPN3hwTE9YbVI5YjA0ClVKTlFHWm1FQnhiUHd4d0RsNFZV
+            dnBkK2J6ZVZEbGxEQnJ2OCtsbTZKZ2cKLS0tIHZraWNUMGV1d1plcDlzRGUvVmFk
+            QjRjRHRyckNIdngyMFJJd3Vyb2laN0UKOBvIYdHn0DOqWNbokzhTuPlD00y6WoGD
+            Pj+NlAmCvKdKSMIGRPBrsocfgDPRGqAwIE5N/sS9jW0tW/vi1Hu9Ig==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15j42dspmmwprjau6l48xp05d97s8ml5s3tjxrfwvm37tvuynssuqtsevkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM1VJczFvZGtRVDdtQU43
+            VStlc25Dc0c0M0RIWk51dXQ5Q05Ud1ZVSVdVCitFem94Nko0VDVzMU9LMkh3V0xC
+            UDM3M0wvaFZLK0I1eHBqYnRLeVNheFkKLS0tIHdXNzgyamFNaWhFN3gwMDlTYlkx
+            N0d0ZGlSdjNQZXhrQjJ1VlZCQ0pJeHMKziyOHm028ul7GQxq7qpQixAB2i01Brl9
+            b/NiU7i93Waaec5xXeluAwTzOEKoiRzeVWiuAmbI0iyg07voJmFULA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1urrpmqc2erg2tg5ene0tyr6cfne925zggtlqn40xwp5wqlqrp5tst8f808
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWWdGOERIalVHRUpRd1JT
+            cDcyOFRuVnZMK2t2YVhUUWFENTNBQjJzdVJ3CjJvMStSVENhdzVSNmcyQ0FSazc4
+            RitYUzY2T3NwY3ZHbHZvV0ZDWkZSQUEKLS0tIHFYL1RZVVFicG9XQjNmdnA0aUJ2
+            MW1pWFlscmV4TXQ4Mk9Hd2ZmNmtOYUUK64eFpt4KJSBVgtwMcryjo+hL1uPZK6BR
+            DHMS4ThjAnr1gCvijeG9svvz078glzRHPcXY/AEkN+PS3dKmyGVg7A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-17T15:47:20Z"
+    mac: ENC[AES256_GCM,data:RzIe0xGkwdOiUMZq0TKm8W46jyaJS77ROm2XSQs6vMdacgLsCTRrC8Tv07VKBlYxYcWw3bIrvr1b7UBjNKiM6SJ8qgHM1u4A3T8bR87ykQ8vz2KZnbsqY4e53kC3ByN51Dlm6rmtFIpXB9uTq/MCgN0ym9nuFwjZr3D9tDW1ff0=,iv:TJqZhCnGNum1b5++zigYm9cV1ER2icFIe8psMhzjB1k=,tag:BPTBm+dPxiNo05bIIcRpUg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
diff --git a/hosts/dewey/default.nix b/hosts/dewey/default.nix
@@ -24,6 +24,10 @@ in
   sops.defaultSopsFile = ./secrets.sops.yaml;
 
   modules.vpn.tailscale.enable = true;
+  modules.microvm-host = {
+    enable = true;
+    baseZfsDataset = "rpool/encrypted/safe/microvms";
+  };
   home-ops = {
     enable = true;
     ingress.enable = true;
@@ -46,7 +50,7 @@ in
       calibre.enable = true;
       calibre-web.enable = true;
       archivebox.enable = false;
-      linkding.enable = true;
+      #linkding.enable = true;
       matrix-synapse.enable = true;
       influxdb.enable = true;
       git-archive.enable = true;

diff --git a/modules/distributed-config.nix b/modules/distributed-config.nix
@@ -87,7 +87,8 @@ in
       getConfig =
         path: otherNode:
         let
-          cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
+          otherNode2 = lib.traceVal otherNode;
+          cfg = nodes.${otherNode2}.config.nodes.${nodeName} or null;
         in
         optionals (cfg != null) (getAttrFromPath path cfg);
       mergeConfigFromOthers = path: mkMerge (concatMap (getConfig path) (attrNames nodes));

diff --git a/modules/microvm-guest/common.nix b/modules/microvm-guest/common.nix
@@ -22,12 +22,6 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    modules.microvm-guest.mounts = [
-      "etc"
-      "home"
-      "var"
-    ];
-
     # make mounts like /etc /home /var available early so that they can be used in system.activationScripts
     fileSystems =
       {
@@ -41,14 +35,16 @@ in
     microvm = {
       hypervisor = lib.mkDefault "cloud-hypervisor";
       deflateOnOOM = false;
-      mem = lib.mkDefault 512;
+      mem = lib.mkDefault 1024;
       vcpu = lib.mkDefault 4;
 
       interfaces = lib.mkIf cfg.autoNetSetup (
         map (net: {
-          type = "tap";
+          type = "macvtap";
           id = builtins.substring 0 15 "${net}-${hostName}";
           mac = generateMacAddress net;
+          macvtap.link = "vlan-svc";
+          macvtap.mode = "bridge";
         }) nets
       );
 
@@ -98,6 +94,7 @@ in
     };
 
     systemd.network = lib.mkIf cfg.autoNetSetup {
+      enable = true;
       links = builtins.foldl' (
         links: net:
         links
@@ -181,23 +178,27 @@ in
     hardware.enableRedistributableFirmware = false;
 
     # nix store is mounted read only
-    nix = {
-      enable = lib.mkDefault false;
-      gc.automatic = false;
-      optimise.automatic = false;
-    };
+    #nix = {
+    #  enable = lib.mkDefault false;
+    #  gc.automatic = false;
+    #  optimise.automatic = false;
+    #};
 
     system.build.installBootLoader = "${pkgs.coreutils}/bin/true";
 
     systemd.tmpfiles.rules = [
       "d /home/root 0700 root root -" # createHome does not create it
     ];
 
+    systemd.user.extraConfig = ''
+      DefaultEnvironment="PATH=/run/current-system/sw/bin:/run/wrappers/bin:${lib.makeBinPath [ pkgs.bash ]}"
+    '';
+
     users = {
       mutableUsers = false;
       users."root" = {
         createHome = true;
-        #home = lib.mkForce "/home/root";
+        home = lib.mkForce "/home/root";
       };
     };
   };
-Original file line number
+Diff line change
@@ Expand Up / @@ -55,6 +55,7 @@ @@
           bmon
           curl
           nvd
+          ncdu
           dig
           ethtool
           fd
@@ Expand Down @@