diff --git a/flake.nix b/flake.nix
index 918d312..ee38e58 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,15 +74,6 @@
 ./hosts/ns1
 ];
 };
- ns2 = nixpkgs.lib.nixosSystem {
- inherit system;
- specialArgs = {
- inherit inputs self;
- };
- modules = commonModules ++ [
- ./hosts/ns2
- ];
- };
 ha1 = nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = {
@@ -92,15 +83,6 @@
 ./hosts/ha1
 ];
 };
- template1 = nixpkgs.lib.nixosSystem {
- inherit system;
- specialArgs = {
- inherit inputs self;
- };
- modules = commonModules ++ [
- ./hosts/template
- ];
- };
 template2 = nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = {
@@ -200,6 +182,15 @@
 ./hosts/testvm03
 ];
 };
+ ns2 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self;
+ };
+ modules = commonModules ++ [
+ ./hosts/ns2
+ ];
+ };
 };
 packages = forAllSystems (
 { pkgs }:
diff --git a/hosts/ha1/configuration.nix b/hosts/ha1/configuration.nix
index ce43676..181e3b7 100644
--- a/hosts/ha1/configuration.nix
+++ b/hosts/ha1/configuration.nix
@@ -7,7 +7,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/template/hardware-configuration.nix b/hosts/ha1/hardware-configuration.nix
similarity index 100%
rename from hosts/template/hardware-configuration.nix
rename to hosts/ha1/hardware-configuration.nix
diff --git a/hosts/http-proxy/configuration.nix b/hosts/http-proxy/configuration.nix
index 8524075..7cf9971 100644
--- a/hosts/http-proxy/configuration.nix
+++ b/hosts/http-proxy/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/http-proxy/hardware-configuration.nix b/hosts/http-proxy/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/http-proxy/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/jelly01/configuration.nix b/hosts/jelly01/configuration.nix
index 289a577..048ae1c 100644
--- a/hosts/jelly01/configuration.nix
+++ b/hosts/jelly01/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/jelly01/hardware-configuration.nix b/hosts/jelly01/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/jelly01/hardware-configuration.nix
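Review bot: This new hardware-configuration.nix is byte-identical to the ones added for jelly01, monitoring01, nats1, nix-cache01 and pgdb1 (every one of them carries the same blob id 48bf109), so six copies of the same qemu-guest profile, module lists and by-label root/swap entries now have to be kept in sync by hand. Unless these hosts are expected to diverge, the shared part belongs in one module (common/vm is already imported by each of these hosts' configuration.nix) with a per-host file kept only for genuine differences. Since root and swap are found by filesystem label rather than by UUID, a short comment next to `fileSystems."/"` such as `# root/swap are located by label; keep labels unique per VM disk set` would record the assumption the new layout depends on.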
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/jump/configuration.nix b/hosts/jump/configuration.nix
index 0979c9d..3f9a775 100644
--- a/hosts/jump/configuration.nix
+++ b/hosts/jump/configuration.nix
@@ -3,7 +3,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ];
diff --git a/hosts/monitoring01/configuration.nix b/hosts/monitoring01/configuration.nix
index b014900..32c8f48 100644
--- a/hosts/monitoring01/configuration.nix
+++ b/hosts/monitoring01/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/monitoring01/hardware-configuration.nix b/hosts/monitoring01/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/monitoring01/hardware-configuration.nix
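Review bot: The jump hunk repoints the import at `./hardware-configuration.nix`, but this patch adds no hosts/jump/hardware-configuration.nix — ha1 receives the renamed template file and http-proxy, jelly01, monitoring01, nats1, nix-cache01 and pgdb1 receive new ones, while jump and ns1 (the ns1 hunk further down) get only the path change. If those two files are not already present in the tree, both host evaluations fail on the missing import; if they are, a line in the commit description saying that jump and ns1 already carried their own hardware files would save the next reader the same check. Either way the rename of the template file to ha1 means the old shared `../template/hardware-configuration.nix` path no longer exists for anything still referencing it.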
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/nats1/configuration.nix b/hosts/nats1/configuration.nix
index 09bc874..aab3a48 100644
--- a/hosts/nats1/configuration.nix
+++ b/hosts/nats1/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/nats1/hardware-configuration.nix b/hosts/nats1/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/nats1/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/nix-cache01/configuration.nix b/hosts/nix-cache01/configuration.nix
index 46dcff1..1b96659 100644
--- a/hosts/nix-cache01/configuration.nix
+++ b/hosts/nix-cache01/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/nix-cache01/hardware-configuration.nix b/hosts/nix-cache01/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/nix-cache01/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/ns1/configuration.nix b/hosts/ns1/configuration.nix
index aef3c38..dd504d4 100644
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@@ -7,7 +7,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../services/ns/master-authorative.nix
diff --git a/hosts/ns2/configuration.nix b/hosts/ns2/configuration.nix
index c1baca7..562a04d 100644
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@@ -7,23 +7,38 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ../template2/hardware-configuration.nix
 ../../system
+ ../../common/vm
+
+ # DNS services
 ../../services/ns/secondary-authorative.nix
 ../../services/ns/resolver.nix
- ../../common/vm
 ];
+ # Host metadata
+ homelab.host = {
+ tier = "prod";
+ role = "dns";
+ labels.dns_role = "secondary";
+ };
+
+ # Enable Vault integration
+ vault.enable = true;
+
+ # Enable remote deployment via NATS
+ homelab.deploy.enable = true;
+
 nixpkgs.config.allowUnfree = true;
- # Use the systemd-boot EFI boot loader.
 boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.device = "/dev/vda";
 networking.hostName = "ns2";
 networking.domain = "home.2rjus.net";
 networking.useNetworkd = true;
 networking.useDHCP = false;
+ # Disable resolved - conflicts with Unbound resolver
 services.resolved.enable = false;
 networking.nameservers = [
 "10.69.13.5"
@@ -47,14 +62,7 @@
 "nix-command"
 "flakes"
 ];
- vault.enable = true;
- homelab.deploy.enable = true;
-
- homelab.host = {
- role = "dns";
- labels.dns_role = "secondary";
- };
-
+ nix.settings.tarball-ttl = 0;
 environment.systemPackages = with pkgs; [
 vim
 wget
@@ -67,5 +75,5 @@
 # Or disable the firewall altogether.
 networking.firewall.enable = false;
- system.stateVersion = "23.11"; # Did you read the comment?
-}
+ system.stateVersion = "25.11"; # Did you read the comment?
+}
\ No newline at end of file
diff --git a/hosts/ns2/default.nix b/hosts/ns2/default.nix
index 4cd684a..57ed4b4 100644
--- a/hosts/ns2/default.nix
+++ b/hosts/ns2/default.nix
@@ -2,4 +2,4 @@
 imports = [
 ./configuration.nix
 ];
-}
+}
\ No newline at end of file
diff --git a/hosts/ns2/hardware-configuration.nix b/hosts/ns2/hardware-configuration.nix
deleted file mode 100644
index 881ea3c..0000000
--- a/hosts/ns2/hardware-configuration.nix
+++ /dev/null
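Review bot: ns2 is the one host in this commit left with a cross-host import, `../template2/hardware-configuration.nix`, while every other host was switched to a local `./hardware-configuration.nix` and ns2's own file (the by-uuid root, /boot and swap layout deleted later in this patch) is removed rather than replaced. Any future edit to template2's disk layout silently becomes ns2's, and deleting template2 the way this commit deletes template would break the ns2 build; copying the file into hosts/ns2 as `./hardware-configuration.nix` keeps ns2 consistent with the rest of the tree. Given that the same commit adds an ns2 VM entry in terraform/vms.tf, this looks like a rebuild onto a new VM, so it is also the place to confirm that the new `boot.loader.grub.device = "/dev/vda"` matches the disk that template2's hardware file mounts, which is not visible in this diff.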
@@ -1,36 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- # boot.kernelModules = [ ];
- # boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
- fsType = "xfs";
- };
-
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/BC07-3B7A";
- fsType = "vfat";
- };
-
- swapDevices =
- [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/pgdb1/configuration.nix b/hosts/pgdb1/configuration.nix
index 9b5c1ec..31299ba 100644
--- a/hosts/pgdb1/configuration.nix
+++ b/hosts/pgdb1/configuration.nix
@@ -5,7 +5,7 @@
 {
 imports = [
- ../template/hardware-configuration.nix
+ ./hardware-configuration.nix
 ../../system
 ../../common/vm
diff --git a/hosts/pgdb1/hardware-configuration.nix b/hosts/pgdb1/hardware-configuration.nix
new file mode 100644
index 0000000..48bf109
--- /dev/null
+++ b/hosts/pgdb1/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [
+ "ptp_kvm"
+ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/template/configuration.nix b/hosts/template/configuration.nix
deleted file mode 100644
index e974a49..0000000
--- a/hosts/template/configuration.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- imports =
- [
- ./hardware-configuration.nix
-
- ../../system
- ];
-
- # Template host - exclude from DNS zone generation
- homelab.dns.enable = false;
-
- homelab.host = {
- tier = "test";
- priority = "low";
- };
-
-
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/sda";
- networking.hostName = "nixos-template";
- networking.domain = "home.2rjus.net";
- networking.useNetworkd = true;
- networking.useDHCP = false;
- services.resolved.enable = true;
- networking.nameservers = [
- "10.69.13.5"
- "10.69.13.6"
- ];
-
- systemd.network.enable = true;
- systemd.network.networks."ens18" = {
- matchConfig.Name = "ens18";
- address = [
- "10.69.8.250/24"
- ];
- routes = [
- { Gateway = "10.69.8.1"; }
- ];
- linkConfig.RequiredForOnline = "routable";
- };
- time.timeZone = "Europe/Oslo";
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
- nix.settings.tarball-ttl = 0;
- environment.systemPackages = with pkgs; [
- age
- vim
- wget
- git
- ];
-
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
-
- system.stateVersion = "23.11"; # Did you read the comment?
-}
-
diff --git a/hosts/template/default.nix b/hosts/template/default.nix
deleted file mode 100644
index 81db6c0..0000000
--- a/hosts/template/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }: {
- imports = [
- ./hardware-configuration.nix
- ./configuration.nix
- ./scripts.nix
- ];
-}
diff --git a/hosts/template/scripts.nix b/hosts/template/scripts.nix
deleted file mode 100644
index a423008..0000000
--- a/hosts/template/scripts.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ pkgs, ... }:
-let
- prepare-host-script = pkgs.writeShellApplication {
- name = "prepare-host.sh";
- text = ''
- echo "Removing machine-id"
- rm -f /etc/machine-id || true
-
- echo "Removing SSH host keys"
- rm -f /etc/ssh/ssh_host_* || true
-
- echo "Restarting SSH"
- systemctl restart sshd
-
- echo "Removing temporary files"
- rm -rf /tmp/* || true
-
- echo "Removing logs"
- journalctl --rotate || true
- journalctl --vacuum-time=1s || true
-
- echo "Removing cache"
- rm -rf /var/cache/* || true
- '';
- };
-in
-{
- environment.systemPackages = [ prepare-host-script ];
- users.motd = "Prepare host by running 'prepare-host.sh'.";
-}
diff --git a/scripts/create-host/validators.py b/scripts/create-host/validators.py
index d97699b..31a0317 100644
--- a/scripts/create-host/validators.py
+++ b/scripts/create-host/validators.py
@@ -140,20 +140,22 @@ def validate_ip_unique(ip: Optional[str], repo_root: Path) -> None:
 ip_part = ip.split("/")[0]
 # Check all hosts/*/configuration.nix files
+ # Search for IP with CIDR notation to match static IP assignments
+ # (e.g., "10.69.13.5/24") but not DNS resolver entries (e.g., "10.69.13.5")
 hosts_dir = repo_root / "hosts"
 if hosts_dir.exists():
 for config_file in hosts_dir.glob("*/configuration.nix"):
 content = config_file.read_text()
- if ip_part in content:
+ if ip in content:
 raise ValueError(
 f"IP address {ip_part} already in use in {config_file}"
 )
- # Check terraform/vms.tf
+ # Check terraform/vms.tf - search for full IP with CIDR
 terraform_file = repo_root / "terraform" / "vms.tf"
 if terraform_file.exists():
 content = terraform_file.read_text()
- if ip_part in content:
+ if ip in content:
 raise ValueError(
 f"IP address {ip_part} already in use in {terraform_file}"
 )
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 721a88d..39b15b3 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
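Review bot: Switching both membership tests from `ip_part` to `ip` makes the uniqueness check depend on the prefix length being spelled identically: an existing assignment of the same address with another prefix (`10.69.13.6/16`) is no longer detected, and if a caller passes `ip` without a CIDR suffix the test degrades to the old behaviour and matches the resolver entries the new comment says it avoids. Matching the address followed by a slash covers both cases without a substring false positive on a longer address: `pattern = re.compile(rf"(?<![\d.]){re.escape(ip_part)}/\d+")` once after `ip_part` is computed, then `if pattern.search(content):` in both places, with `import re` added at the top of the module. The remainder of validate_ip_unique, including whatever handles a None ip before `ip.split("/")`, starts before this hunk.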
@@ -80,13 +80,6 @@ locals {
 ]
 }
- "ns2" = {
- paths = [
- "secret/data/hosts/ns2/*",
- "secret/data/shared/dns/*",
- ]
- }
-
 # Wave 4: http-proxy
 "http-proxy" = {
 paths = [
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index 72def73..6a45d20 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -20,6 +20,12 @@ locals {
 "secret/data/hosts/testvm03/*",
 ]
 }
+ "ns2" = {
+ paths = [
+ "secret/data/hosts/ns2/*",
+ "secret/data/shared/dns/*",
+ ]
+ }
 }
diff --git a/terraform/vms.tf b/terraform/vms.tf
index f1fe1c8..e7a10fd 100644
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -58,6 +58,13 @@ locals {
 memory = 2048
 disk_size = "20G"
 }
+ "ns2" = {
+ ip = "10.69.13.6/24"
+ cpu_cores = 2
+ memory = 2048
+ disk_size = "20G"
+ vault_wrapped_token = "s.3nran1e1Uim4B1OomIWCoS4T"
+ }
 }
 # Compute VM configurations with defaults applied
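Review bot: The new ns2 entry in terraform/vms.tf commits a literal `vault_wrapped_token` value into the repository, and therefore into git history for as long as the repository exists, whatever its TTL. A response-wrapping token is single-use and short-lived, so the exposure is bounded, but the value still belongs in a `variable` declared with `sensitive = true` (supplied from the environment or a tfvars file that git ignores) rather than in this locals block, which would also keep every VM entry here free of credential literals. If the token has already been unwrapped by the first boot of ns2, a comment on the line such as `# one-shot wrapping token, consumed at provisioning; re-issue before re-running` would record why a literal was accepted, but it does not remove the value from history, so rotating it and moving future tokens out of the file is the durable fix.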