From f2fddc100117f7d448089a8cd0b99d31cedc7889 Mon Sep 17 00:00:00 2001 
From: arcnmx Date: Sat, 23 Mar 2024 21:13:01 -0700 Subject: [PATCH] refactor(access): network interface config --- modules/nixos/access.nix | 26 +++++ modules/nixos/home-assistant.nix | 6 +- modules/nixos/network/namespace.nix | 7 +- modules/nixos/nginx/local.nix | 17 +-- modules/nixos/postgres.nix | 6 +- modules/system/proxmox/container.nix | 15 +++ modules/system/proxmox/network.nix | 155 +++++++++++++++++++++++++++ modules/system/proxmox/vm.nix | 22 ++++ nixos/access/ldap.nix | 8 +- nixos/kyuuto/opl.nix | 6 +- nixos/kyuuto/samba.nix | 9 +- nixos/nfs.nix | 6 +- nixos/reisen-ct/internal.nix | 48 --------- nixos/reisen-ct/proxmox.nix | 21 +++- systems/aya/default.nix | 3 + systems/aya/nixos.nix | 20 ---- systems/aya/proxmox.nix | 20 ++++ systems/freeipa/default.nix | 15 +++ systems/freepbx/default.nix | 11 ++ systems/hakurei/default.nix | 3 + systems/hakurei/nixos.nix | 11 -- systems/hakurei/proxmox.nix | 16 +++ systems/keycloak/default.nix | 3 + systems/keycloak/nixos.nix | 11 -- systems/keycloak/proxmox.nix | 16 +++ systems/kuwubernetes/default.nix | 15 +++ systems/litterbox/default.nix | 3 + systems/litterbox/nixos.nix | 9 -- systems/litterbox/proxmox.nix | 17 +++ systems/mediabox/default.nix | 3 + systems/mediabox/nixos.nix | 16 --- systems/mediabox/proxmox.nix | 17 +++ systems/reimu/default.nix | 3 + systems/reimu/nixos.nix | 13 --- systems/reimu/proxmox.nix | 17 +++ systems/tei/default.nix | 3 + systems/tei/nixos.nix | 11 -- systems/tei/proxmox.nix | 16 +++ systems/utsuho/default.nix | 3 + systems/utsuho/nixos.nix | 11 -- systems/utsuho/proxmox.nix | 16 +++ tree.nix | 1 + 42 files changed, 466 insertions(+), 189 deletions(-) create mode 100644 modules/system/proxmox/container.nix create mode 100644 modules/system/proxmox/network.nix create mode 100644 modules/system/proxmox/vm.nix delete mode 100644 nixos/reisen-ct/internal.nix create mode 100644 systems/aya/proxmox.nix create mode 100644 systems/freeipa/default.nix create mode 100644 
systems/hakurei/proxmox.nix create mode 100644 systems/keycloak/proxmox.nix create mode 100644 systems/litterbox/proxmox.nix create mode 100644 systems/mediabox/proxmox.nix create mode 100644 systems/reimu/proxmox.nix create mode 100644 systems/tei/proxmox.nix create mode 100644 systems/utsuho/proxmox.nix diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix index 94580951..3408e57a 100644 --- a/modules/nixos/access.nix +++ b/modules/nixos/access.nix @@ -77,6 +77,14 @@ in { "fe80::/64" ]; }; + int = { + v4 = [ + "10.9.1.0/24" + ]; + v6 = [ + "fd0c::/64" + ]; + }; tail = mkIf tailscale.enable { v4 = [ "100.64.0.0/10" @@ -86,6 +94,24 @@ in { "fd7a:115c:a1e0:ab12::/64" ]; }; + allLan = { + v4 = cfg.cidrForNetwork.loopback.v4 + ++ cfg.cidrForNetwork.local.v4 + ++ cfg.cidrForNetwork.int.v4; + v6 = cfg.cidrForNetwork.loopback.v6 + ++ cfg.cidrForNetwork.local.v6 + ++ cfg.cidrForNetwork.int.v6; + }; + allLocal = { + v4 = mkMerge [ + cfg.cidrForNetwork.allLan.v4 + (mkIf tailscale.enable cfg.cidrForNetwork.tail.v4) + ]; + v6 = mkMerge [ + cfg.cidrForNetwork.allLan.v6 + (mkIf tailscale.enable cfg.cidrForNetwork.tail.v6) + ]; + }; }; localaddrs = { nftablesInclude = mkBefore ('' diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix index 9d9c47ba..36a6874f 100644 --- a/modules/nixos/home-assistant.nix +++ b/modules/nixos/home-assistant.nix @@ -7,7 +7,7 @@ cfg = config.services.home-assistant; inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault; inherit (lib.options) mkOption mkEnableOption; - inherit (lib.lists) optional optionals elem unique; + inherit (lib.lists) optional elem unique; inherit (lib.strings) toLower; in { options.services.home-assistant = with lib.types; { 
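Review bot: The new `allLan`/`allLocal` sets fold the `int` ranges (`10.9.1.0/24`, `fd0c::/64`) into what was previously loopback + local (+ tail), so every consumer switched to them in this commit starts trusting the inter-guest network at LAN level without saying so: home-assistant `trusted_proxies` and the namespace `extraOutput` rules (L4), the nginx `allow` list in nginx/local.nix (L5) and access/ldap.nix (L10), samba `hosts allow` in kyuuto/opl.nix and kyuuto/samba.nix (L10-L11), and the NFS `localClients` via `allLan` (L11). That may well be intended, but the widening is invisible at each call site, so the definition is the place to document it. Suggest above `int = {`: `# int: the vmbr9 inter-guest network; part of allLan/allLocal, so it is trusted wherever the LAN is`. Unlike `tail`, `int` is also unconditional, so hosts with no internal interface still advertise those ranges as local.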
@@ -118,9 +118,7 @@ in { trusted_proxies = let inherit (config.networking.access) cidrForNetwork; in - cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all + cidrForNetwork.allLocal.all ++ [ "200::/7" ]; diff --git a/modules/nixos/network/namespace.nix b/modules/nixos/network/namespace.nix index e446158c..a37adc73 100644 --- a/modules/nixos/network/namespace.nix +++ b/modules/nixos/network/namespace.nix @@ -9,11 +9,10 @@ inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault; inherit (lib.attrsets) mapAttrs' mapAttrsToList listToAttrs nameValuePair attrValues; - inherit (lib.lists) singleton optional optionals filter concatMap; + inherit (lib.lists) singleton optional filter concatMap; inherit (lib.strings) concatStringsSep escapeShellArg; inherit (utils) escapeSystemdExecArg; inherit (inputs.self.lib.lib) unmerged; - inherit (config.services) tailscale; inherit (config) networking; inherit (networking) access; enabledNamespaces = filter (ns: ns.enable) (attrValues networking.namespaces); @@ -324,8 +323,8 @@ '' ]; extraOutput = let - addrs4 = access.cidrForNetwork.local.v4 ++ optionals tailscale.enable access.cidrForNetwork.tail.v4; - addrs6 = access.cidrForNetwork.local.v6 ++ optionals tailscale.enable access.cidrForNetwork.tail.v6; + addrs4 = access.cidrForNetwork.allLocal.v4; + addrs6 = access.cidrForNetwork.allLocal.v6; daddr4 = ''{ ${concatStringsSep ", " addrs4} }''; daddr6 = ''{ ${concatStringsSep ", " addrs6} }''; in diff --git a/modules/nixos/nginx/local.nix b/modules/nixos/nginx/local.nix index 6e745713..3d344634 100644 --- a/modules/nixos/nginx/local.nix +++ b/modules/nixos/nginx/local.nix 
@@ -6,7 +6,6 @@ inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault; inherit (lib.strings) concatMapStringsSep optionalString; - inherit (lib.lists) optionals; inherit (config.services) tailscale; inherit (config.networking.access) cidrForNetwork localaddrs; mkAddrVar = remoteAddr: varPrefix: '' @@ -29,6 +28,13 @@ if (${remoteAddr} ~ "^fe80::") { set ${varPrefix}lan 1; } + set ${varPrefix}int 0; + if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") { + set ${varPrefix}lan 1; + } + if (${remoteAddr} ~ "^fd0c::") { + set ${varPrefix}int 1; + } set ${varPrefix}localhost 0; if (${remoteAddr} = "::1") { set ${varPrefix}localhost 1; @@ -43,6 +49,9 @@ if (${varPrefix}lan) { set ${varPrefix}client 1; } + if (${varPrefix}int) { + set ${varPrefix}client 1; + } if (${varPrefix}localhost) { set ${varPrefix}client 1; } @@ -79,12 +88,8 @@ config = { extraConfig = let mkAllow = cidr: "allow ${cidr};"; - allowAddresses = - cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ optionals tailscale.enable cidrForNetwork.tail.all; allows = - concatMapStringsSep "\n" mkAllow allowAddresses + concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all + optionalString localaddrs.enable '' include ${localaddrs.stateDir}/*.nginx.conf; ''; diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix index 7ece0c3e..6a1f8607 100644 --- a/modules/nixos/postgres.nix +++ b/modules/nixos/postgres.nix @@ -39,6 +39,9 @@ tailscale = { allow = mkEnableOption "tailscale TCP connections"; }; + int = { + allow = mkEnableOption "internal TCP connections"; + }; local = { allow = mkEnableOption "local TCP connections"; }; 
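Review bot: In the `mkAddrVar` hunk the IPv4 branch for `^10\.9\.1\.[0-9]+` sets `${varPrefix}lan 1` while its IPv6 counterpart sets `${varPrefix}int 1`, so IPv4 peers on the internal network are classified as LAN and the freshly added `int` flag is only ever raised for `fd0c::` peers; the line should read `set ${varPrefix}int 1;`. The two literals also duplicate `cidrForNetwork.int` from access.nix, as the existing lan checks do, so a comment such as `# keep in sync with networking.access.cidrForNetwork.int` would help the next edit. `mkAddrVar` starts outside the hunk.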
@@ -55,7 +58,8 @@ in mkMerge [ (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all) - (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all)) + (mkIf config.authentication.int.allow cidrForNetwork.int.all) + (mkIf config.authentication.local.allow cidrForNetwork.local.all) ]; authentication = mkMerge (map (host: '' host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method} diff --git a/modules/system/proxmox/container.nix b/modules/system/proxmox/container.nix new file mode 100644 index 00000000..94f4984f --- /dev/null +++ b/modules/system/proxmox/container.nix @@ -0,0 +1,15 @@ +{config, lib, ...}: let + inherit (lib.options) mkOption mkEnableOption; + cfg = config.proxmox.container; +in { + options.proxmox.container = with lib.types; { + enable = mkEnableOption "LXC container"; + privileged = mkEnableOption "root"; + lxc = { + configJsonFile = mkOption { + type = nullOr path; + default = null; + }; + }; + }; +} diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix new file mode 100644 index 00000000..8b61c442 --- /dev/null +++ b/modules/system/proxmox/network.nix 
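Review bot: `local.allow` no longer includes `cidrForNetwork.loopback.all`; the removed line granted loopback + local together and the new one grants `local.all` only, while nothing in the hunk picks loopback up elsewhere. If loopback TCP clients relied on that entry they lose the `host` line, and if the drop is deliberate a comment on the `local.allow` option (`# LAN ranges only; loopback is not implied`) would make the narrowing visible. I can only see the `mkMerge` fragment here, so whether another rule covers 127.0.0.1/::1 is not visible from this hunk.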
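Review bot: `privileged = mkEnableOption "root"` renders as "Whether to enable root.", which does not tell a reader that this flips the container to an unconfined (privileged) LXC; `mkEnableOption "privileged LXC container (unconfined root)"` states the consequence. The option is consumed by `proxmoxLXC.privileged` in nixos/reisen-ct/proxmox.nix later in this patch, which is worth naming in the description so the link is discoverable.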
@@ -0,0 +1,155 @@ +{config, lib, inputs, ...}: let + inherit (inputs.self.lib.lib) unmerged eui64; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkMerge mkOptionDefault mkOverride; + inherit (lib.attrsets) attrValues; + inherit (lib.lists) elem findSingle; + inherit (lib.strings) hasPrefix removePrefix replaceStrings; + inherit (lib.trivial) toHexString mapNullable; + mkAlmostOptionDefault = mkOverride 1250; + cfg = config.proxmox.network; + internalOffset = 32; + networkInterfaceModule = { config, name, system, ... }: { + options = with lib.types; { + enable = mkEnableOption "network interface" // { + default = true; + }; + bridge = mkOption { + type = str; + default = "vmbr0"; + }; + id = mkOption { + type = str; + default = name; + }; + name = mkOption { + type = str; + }; + macAddress = mkOption { + type = nullOr str; + default = null; + }; + address4 = mkOption { + type = nullOr (either (enum [ "auto" ]) str); + default = null; + }; + gateway4 = mkOption { + type = nullOr str; + default = null; + }; + address6 = mkOption { + type = nullOr (either (enum [ "auto" "dhcp" ]) str); + default = null; + }; + gateway6 = mkOption { + type = nullOr str; + default = null; + }; + firewall.enable = mkEnableOption "firewall"; + vm.model = mkOption { + type = enum [ "virtio" "e1000" "rtl8139" "vmxnet3" ]; + default = "virtio"; + }; + mdns = { + enable = mkEnableOption "mDNS" // { + default = system.proxmox.node.name == "reisen" && config.id == "net0"; + }; + }; + slaac = { + postfix = mkOption { + type = nullOr str; + }; + }; + internal = { + enable = mkEnableOption "internal network interface"; + }; + networkd = { + enable = mkEnableOption "systemd.network" // { + default = true; + }; + networkSettings = mkOption { + type = unmerged.types.attrs; + }; + }; + }; + config = let + conf = { + name = mkMerge [ + (mkIf (hasPrefix "net" config.id && system.proxmox.container.enable) (mkOptionDefault ("eth" + removePrefix "net" config.id))) + # VMs 
have names like `ens18` for net0... + ]; + slaac.postfix = mkOptionDefault (mapNullable eui64 config.macAddress); + gateway4 = mkMerge [ + (mkIf (system.proxmox.node.name == "reisen" && config.bridge == "vmbr0" && config.address4 != null && config.address4 != "auto") (mkAlmostOptionDefault "10.1.1.1")) + ]; + networkd.networkSettings = { + name = mkAlmostOptionDefault config.name; + matchConfig = { + MACAddress = mkIf (config.macAddress != null) (mkOptionDefault config.macAddress); + Type = mkOptionDefault "ether"; + }; + linkConfig = mkMerge [ + (mkIf config.mdns.enable { Multicast = mkOptionDefault true; }) + ]; + networkConfig = mkMerge [ + (mkIf (config.address6 == "auto") { + IPv6AcceptRA = true; + }) + (mkIf config.mdns.enable { + MulticastDNS = true; + }) + ]; + address = mkMerge [ + (mkIf (! elem config.address4 [ null "auto" ]) [ config.address4 ]) + (mkIf (! elem config.address6 [ null "auto" "dhcp" ]) [ config.address6 ]) + ]; + gateway = mkMerge [ + (mkIf (config.gateway4 != null) [ config.gateway4 ]) + (mkIf (config.gateway6 != null) [ config.gateway6 ]) + ]; + DHCP = mkAlmostOptionDefault ( + if config.address4 == "auto" && config.address6 == "dhcp" then "yes" + else if config.address6 == "dhcp" then "ipv6" + else if config.address4 == "dhcp" then "ipv4" + else "no" + ); + }; + }; + confInternal = { + name = mkAlmostOptionDefault "eth9"; + bridge = mkAlmostOptionDefault "vmbr9"; + address4 = mkAlmostOptionDefault "10.9.1.${toString (system.proxmox.vm.id - internalOffset)}/24"; + address6 = mkAlmostOptionDefault "fd0c::${toHexString (system.proxmox.vm.id - internalOffset)}/64"; + macAddress = mkIf (system.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" system.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault ( + replaceStrings [ "BC:24:11:" ] [ "BC:24:19:" ] system.proxmox.network.interfaces.net0.macAddress + )); + networkd.networkSettings.linkConfig.RequiredForOnline = false; + }; + in mkMerge [ + 
conf + (mkIf config.internal.enable confInternal) + ]; + }; +in { + options.proxmox.network = with lib.types; { + interfaces = mkOption { + type = attrsOf (submoduleWith { + modules = [ networkInterfaceModule ]; + specialArgs = { + system = config; + }; + }); + default = { }; + }; + internal = { + interface = mkOption { + type = nullOr unspecified; + }; + }; + }; + config.proxmox.network = { + internal = { + interface = mkOptionDefault (findSingle (interface: interface.internal.enable) null (throw "expected only one internal network interface") (attrValues cfg.interfaces)); + }; + }; +} diff --git a/modules/system/proxmox/vm.nix b/modules/system/proxmox/vm.nix new file mode 100644 index 00000000..40da72a1 --- /dev/null +++ b/modules/system/proxmox/vm.nix @@ -0,0 +1,22 @@ +{config, lib, ...}: let + inherit (lib.options) mkOption mkEnableOption; + cfg = config.proxmox; +in { + options.proxmox = with lib.types; { + enabled = mkOption { + type = bool; + default = cfg.vm.enable || cfg.container.enable; + readOnly = true; + }; + vm = { + enable = mkEnableOption "QEMU VM"; + id = mkOption { + type = int; + }; + }; + node.name = mkOption { + type = str; + default = "reisen"; + }; + }; +} diff --git a/nixos/access/ldap.nix b/nixos/access/ldap.nix index 239872c3..14f82bf3 100644 --- a/nixos/access/ldap.nix +++ b/nixos/access/ldap.nix @@ -7,8 +7,6 @@ let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge; inherit (lib.strings) concatMapStringsSep optionalString; - inherit (lib.lists) optionals; - inherit (config.services) tailscale; inherit (config.services.nginx) virtualHosts; inherit (config.networking.access) cidrForNetwork localaddrs; access = config.services.nginx.access.ldap; 
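Review bot: The `DHCP` expression in `conf.networkd.networkSettings` treats `address4 = "auto"` as DHCP only when `address6 == "dhcp"`, so a guest with `address4 = "auto"; address6 = "auto";` (systems/litterbox/proxmox.nix, which replaces a config that set `DHCP = "yes"`) evaluates to `DHCP = "no"`, while the `address4 == "dhcp"` branch cannot be the IPv4 DHCP case because `"dhcp"` is not excluded from the `address` list above it and the `address4` enum only names `"auto"`. Deriving two booleans first makes the four outcomes explicit and restores at least IPv4 DHCP for litterbox. Separately, `confInternal` derives the host part from `system.proxmox.vm.id - internalOffset` with no check that it lands in 1..254, so an id below 33 silently produces an invalid `10.9.1.<n>/24`; a `throw` on an out-of-range result would fail at eval time instead. The deleted nixos/reisen-ct/internal.nix pinned `mdns.enable = false` on eth9, whereas `confInternal` now relies on the net0-only default, so `mdns.enable = mkAlmostOptionDefault false;` there would keep that explicit.
```nix
DHCP = mkAlmostOptionDefault (
  let
    dhcp4 = config.address4 == "auto";
    dhcp6 = config.address6 == "dhcp";
  in if dhcp4 && dhcp6 then "yes"
  else if dhcp6 then "ipv6"
  else if dhcp4 then "ipv4"
  else "no"
);
# … unchanged: rest of networkd.networkSettings …
```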
@@ -16,11 +14,7 @@ let portSsl = 636; allows = let mkAllow = cidr: "allow ${cidr};"; - allowAddresses = - cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ optionals tailscale.enable cidrForNetwork.tail.all; - allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable '' + allows = concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all + optionalString localaddrs.enable '' include ${localaddrs.stateDir}/*.nginx.conf; ''; in '' diff --git a/nixos/kyuuto/opl.nix b/nixos/kyuuto/opl.nix index 5628676b..413466d6 100644 --- a/nixos/kyuuto/opl.nix +++ b/nixos/kyuuto/opl.nix @@ -42,10 +42,6 @@ in { }; shares.opl = let inherit (config.networking.access) cidrForNetwork; - localAddrs = - cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all; in mkIf cfg.enable { comment = "Kyuuto Media OPL"; @@ -58,7 +54,7 @@ in { "@kyuuto-peeps" ]; "strict sync" = false; - "hosts allow" = localAddrs; + "hosts allow" = cidrForNetwork.allLocal.all; }; }; services.tmpfiles = let diff --git a/nixos/kyuuto/samba.nix b/nixos/kyuuto/samba.nix index bd3018d7..965b99cf 100644 --- a/nixos/kyuuto/samba.nix +++ b/nixos/kyuuto/samba.nix @@ -4,14 +4,9 @@ ... }: let inherit (lib.modules) mkIf mkMerge mkDefault; - inherit (lib.lists) optionals; inherit (config.networking.access) cidrForNetwork; inherit (config) kyuuto; cfg = config.services.samba; - localAddrs = - cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all; guestUsers = mkIf cfg.guest.enable [cfg.guest.user]; kyuuto-media = { "create mask" = "0664"; @@ -41,7 +36,7 @@ in { ["@peeps"] ]; #"guest only" = true; - "hosts allow" = localAddrs; + "hosts allow" = cidrForNetwork.allLocal.all; "acl group control" = true; "create mask" = "0664"; "force directory mode" = "3000"; 
@@ -61,7 +56,7 @@ in { ]; "read list" = guestUsers; "write list" = ["@kyuuto-peeps"]; - "hosts allow" = localAddrs; + "hosts allow" = cidrForNetwork.allLocal.all; } ]; kyuuto-library-net = mkMerge [ diff --git a/nixos/nfs.nix b/nixos/nfs.nix index ef692103..aa7fb5e5 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix @@ -23,9 +23,7 @@ in { mountdPort = mkDefault 4002; }; export = { - flagSets = let - localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all; - in { + flagSets = { common = [ "no_subtree_check" "anonuid=${toString config.users.users.guest.uid}" @@ -57,7 +55,7 @@ in { "@trusted" ]; tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all; - localClients = localAddrs ++ flagSets.tailClients; + localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients; allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients; }; root = { diff --git a/nixos/reisen-ct/internal.nix b/nixos/reisen-ct/internal.nix deleted file mode 100644 index ea69fdae..00000000 --- a/nixos/reisen-ct/internal.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - config, - lib, - ... -}: let - inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; - inherit (lib.trivial) toHexString; - cfg = config.access.internal; - offset = 32; -in { - options.access = with lib.types; { - internal = { - enable = mkEnableOption "eth9"; - macAddress = mkOption { - type = nullOr str; - default = null; - }; - vmid = mkOption { - type = int; - }; - address4 = mkOption { - type = str; - }; - address6 = mkOption { - type = str; - }; - }; - }; - config.access.internal = { - address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}"; - address6 = mkOptionDefault "fd0c::${toHexString (cfg.vmid - offset)}"; - }; - config.systemd.network.networks.eth9 = mkIf cfg.enable { - mdns.enable = false; - name = mkDefault "eth9"; - matchConfig = { - MACAddress = mkIf (cfg.macAddress != null) (mkOptionDefault cfg.macAddress); - Type = mkOptionDefault "ether"; - }; - linkConfig.RequiredForOnline = mkOptionDefault false; - address = mkMerge [ - ["${cfg.address4}/24"] - (mkIf config.networking.enableIPv6 [ "${cfg.address6}/64" ]) - ]; - DHCP = "no"; - }; -} diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/reisen-ct/proxmox.nix index 80da26e3..bfe8c7dc 100644 --- a/nixos/reisen-ct/proxmox.nix +++ b/nixos/reisen-ct/proxmox.nix @@ -1,9 +1,14 @@ { lib, + inputs, modulesPath, + system, ... }: let - inherit (lib.modules) mkDefault; + inherit (inputs.self.lib.lib) unmerged; + inherit (lib.modules) mkIf mkMerge mkDefault; + inherit (lib.attrsets) mapAttrsToList; + inherit (system) proxmox; in { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") 
@@ -16,4 +21,18 @@ in { # nix default is way too big GC_INITIAL_HEAP_SIZE = mkDefault "8M"; }; + + proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true; + + systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) { + networks.${interface.name} = unmerged.mergeAttrs interface.networkd.networkSettings; + }) proxmox.network.interfaces)); + + networking.firewall.interfaces.int = let + inherit (proxmox.network.internal) interface; + in mkIf (interface != null) { + nftables.conditions = [ + "iifname ${interface.name}" + ]; + }; } diff --git a/systems/aya/default.nix b/systems/aya/default.nix index 78928c62..cfd2f0c3 100644 --- a/systems/aya/default.nix +++ b/systems/aya/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/aya/nixos.nix b/systems/aya/nixos.nix index 4b15fd8f..0f365450 100644 --- a/systems/aya/nixos.nix +++ b/systems/aya/nixos.nix @@ -31,26 +31,6 @@ }; interfaces.eth1 = {}; }; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:A9"; - Type = "ether"; - }; - address = ["10.1.1.47/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - systemd.network.networks.eth1 = { - name = "eth1"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:AA"; - Type = "ether"; - }; - DHCP = "no"; - slaac.enable = false; - mdns.enable = false; - }; sops.defaultSopsFile = ./secrets.yaml; diff --git a/systems/aya/proxmox.nix b/systems/aya/proxmox.nix new file mode 100644 index 00000000..288c6c9b --- /dev/null +++ b/systems/aya/proxmox.nix 
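Review bot: `networking.firewall.interfaces.int` defines the new zone purely by `iifname ${interface.name}` with no comment on what it represents, and since the same commit folds the internal ranges into `allLan`/`allLocal`, a reader cannot tell from here whether `int` is meant to be a distinct trust level or just a label. Suggest above the `let`: `# "int" zone: traffic that arrived on the internal inter-guest interface (bridge vmbr9 by default), matched by ingress interface name only`. The `systemd.network` block keys units by `interface.name`, so two enabled interfaces resolving to the same name would be merged into one network unit rather than rejected; a comment noting that names are expected to be unique would do.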
@@ -0,0 +1,20 @@ +_: { + proxmox = { + vm.id = 105; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:C4:66:A9"; + address4 = "10.1.1.47/24"; + address6 = "auto"; + }; + net1 = { + macAddress = "BC:24:11:C4:66:AA"; + networkd.networkSettings.linkConfig.RequiredForOnline = false; + }; + }; + }; +} diff --git a/systems/freeipa/default.nix b/systems/freeipa/default.nix new file mode 100644 index 00000000..7b34b950 --- /dev/null +++ b/systems/freeipa/default.nix @@ -0,0 +1,15 @@ +_: { + type = null; + proxmox = { + vm = { + id = 202; + enable = true; + }; + network.interfaces = { + net0 = { + name = "ens18"; + macAddress = "BC:24:11:3D:39:91"; + }; + }; + }; +} diff --git a/systems/freepbx/default.nix b/systems/freepbx/default.nix index 60e5f5c2..b7138b6c 100644 --- a/systems/freepbx/default.nix +++ b/systems/freepbx/default.nix @@ -1,3 +1,14 @@ _: { type = null; + proxmox = { + vm = { + id = 203; + enable = true; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:33:19:04"; + }; + }; + }; } diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix index dc0ea17c..f0dc61a4 100644 --- a/systems/hakurei/default.nix +++ b/systems/hakurei/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index 83bb8c96..84074150 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -292,17 +292,6 @@ in { services.samba.openFirewall = true; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:A7"; - Type = "ether"; - }; - address = ["10.1.1.41/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "23.11"; diff --git a/systems/hakurei/proxmox.nix b/systems/hakurei/proxmox.nix new file mode 100644 index 00000000..7ee2644d 
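Review bot: The removed `systemd.network.networks.eth1` in systems/aya/nixos.nix set `slaac.enable = false` and `mdns.enable = false`, but the replacement `net1` entry only sets `linkConfig.RequiredForOnline = false`; mDNS is covered by the net0-only default in modules/system/proxmox/network.nix, while nothing in the new module reproduces `slaac.enable = false`. If the project's `slaac.enable` defaults to true, eth1 now configures SLAAC where it was explicitly disabled; `networkd.networkSettings.slaac.enable = false;` on `net1` would preserve the prior behaviour, or a comment should state that the change is intentional.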
--- /dev/null +++ b/systems/hakurei/proxmox.nix @@ -0,0 +1,16 @@ +_: { + proxmox = { + vm.id = 103; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:C4:66:A7"; + address4 = "10.1.1.41/24"; + address6 = "auto"; + }; + }; + }; +} diff --git a/systems/keycloak/default.nix b/systems/keycloak/default.nix index 78928c62..cfd2f0c3 100644 --- a/systems/keycloak/default.nix +++ b/systems/keycloak/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix index 089606e3..7953619f 100644 --- a/systems/keycloak/nixos.nix +++ b/systems/keycloak/nixos.nix @@ -38,16 +38,5 @@ sops.defaultSopsFile = ./secrets.yaml; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:AC"; - Type = "ether"; - }; - address = ["10.1.1.48/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - system.stateVersion = "23.11"; } diff --git a/systems/keycloak/proxmox.nix b/systems/keycloak/proxmox.nix new file mode 100644 index 00000000..e845fc47 --- /dev/null +++ b/systems/keycloak/proxmox.nix @@ -0,0 +1,16 @@ +_: { + proxmox = { + vm.id = 107; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:C4:66:AC"; + address4 = "10.1.1.48/24"; + address6 = "auto"; + }; + }; + }; +} diff --git a/systems/kuwubernetes/default.nix b/systems/kuwubernetes/default.nix index ea396fa3..40558a4b 100644 --- a/systems/kuwubernetes/default.nix +++ b/systems/kuwubernetes/default.nix @@ -4,4 +4,19 @@ _: { modules = [ ./nixos.nix ]; + proxmox = { + vm = { + id = 201; + enable = true; + }; + network.interfaces = { + net0 = { + mdns.enable = false; + name = "ens18"; + macAddress = "BC:24:11:49:FE:DC"; + address4 = "10.1.1.42/24"; + address6 = "auto"; + }; + }; + }; } 
diff --git a/systems/litterbox/default.nix b/systems/litterbox/default.nix index 78928c62..cfd2f0c3 100644 --- a/systems/litterbox/default.nix +++ b/systems/litterbox/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/litterbox/nixos.nix b/systems/litterbox/nixos.nix index 965d383e..e4fe4eef 100644 --- a/systems/litterbox/nixos.nix +++ b/systems/litterbox/nixos.nix @@ -11,14 +11,5 @@ sops.defaultSopsFile = ./secrets.yaml; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:AB"; - Type = "ether"; - }; - DHCP = "yes"; - }; - system.stateVersion = "23.11"; } diff --git a/systems/litterbox/proxmox.nix b/systems/litterbox/proxmox.nix new file mode 100644 index 00000000..91906789 --- /dev/null +++ b/systems/litterbox/proxmox.nix @@ -0,0 +1,17 @@ +_: { + proxmox = { + vm.id = 106; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + mdns.enable = true; + macAddress = "BC:24:11:C4:66:AB"; + address4 = "auto"; + address6 = "auto"; + }; + }; + }; +} diff --git a/systems/mediabox/default.nix b/systems/mediabox/default.nix index ea396fa3..ab61cf26 100644 --- a/systems/mediabox/default.nix +++ b/systems/mediabox/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix index 172c6ce3..510bf507 100644 --- a/systems/mediabox/nixos.nix +++ b/systems/mediabox/nixos.nix 
@@ -106,22 +106,6 @@ in { unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary; }; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:34:F4:A8"; - Type = "ether"; - }; - address = ["10.1.1.44/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - access.internal = { - enable = true; - macAddress = "BC:24:19:34:F4:A8"; - vmid = 102; - }; - sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "21.05"; diff --git a/systems/mediabox/proxmox.nix b/systems/mediabox/proxmox.nix new file mode 100644 index 00000000..4baac34d --- /dev/null +++ b/systems/mediabox/proxmox.nix @@ -0,0 +1,17 @@ +_: { + proxmox = { + vm.id = 102; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:34:F4:A8"; + address4 = "10.1.1.44/24"; + address6 = "auto"; + }; + net1.internal.enable = true; + }; + }; +} diff --git a/systems/reimu/default.nix b/systems/reimu/default.nix index 78928c62..cfd2f0c3 100644 --- a/systems/reimu/default.nix +++ b/systems/reimu/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix index 8d88e388..92165e40 100644 --- a/systems/reimu/nixos.nix +++ b/systems/reimu/nixos.nix @@ -19,19 +19,6 @@ beatsaber.enable = false; }; - proxmoxLXC.privileged = true; - - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:A8"; - Type = "ether"; - }; - address = ["10.1.1.45/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "23.11"; diff --git a/systems/reimu/proxmox.nix b/systems/reimu/proxmox.nix new file mode 100644 index 00000000..c4779d96 --- /dev/null +++ b/systems/reimu/proxmox.nix 
@@ -0,0 +1,17 @@ +_: { + proxmox = { + vm.id = 104; + container = { + enable = true; + privileged = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:C4:66:A8"; + address4 = "10.1.1.45/24"; + address6 = "auto"; + }; + }; + }; +} diff --git a/systems/tei/default.nix b/systems/tei/default.nix index 78928c62..cfd2f0c3 100644 --- a/systems/tei/default.nix +++ b/systems/tei/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix index 7e56b686..2ed197a3 100644 --- a/systems/tei/nixos.nix +++ b/systems/tei/nixos.nix @@ -51,16 +51,5 @@ in { ]; }; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:CC:66:57"; - Type = "ether"; - }; - address = ["10.1.1.39/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - system.stateVersion = "23.11"; } diff --git a/systems/tei/proxmox.nix b/systems/tei/proxmox.nix new file mode 100644 index 00000000..84c083d4 --- /dev/null +++ b/systems/tei/proxmox.nix @@ -0,0 +1,16 @@ +_: { + proxmox = { + vm.id = 101; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:CC:66:57"; + address4 = "10.1.1.39/24"; + address6 = "auto"; + }; + }; + }; +} diff --git a/systems/utsuho/default.nix b/systems/utsuho/default.nix index ea396fa3..ab61cf26 100644 --- a/systems/utsuho/default.nix +++ b/systems/utsuho/default.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ./proxmox.nix + ]; arch = "x86_64"; type = "NixOS"; modules = [ diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix index 34e18d7e..144ba833 100644 --- a/systems/utsuho/nixos.nix +++ b/systems/utsuho/nixos.nix 
@@ -43,16 +43,5 @@ in { sops.defaultSopsFile = ./secrets.yaml; - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:A6"; - Type = "ether"; - }; - address = ["10.1.1.38/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - system.stateVersion = "23.11"; } diff --git a/systems/utsuho/proxmox.nix b/systems/utsuho/proxmox.nix new file mode 100644 index 00000000..9f5b2acd --- /dev/null +++ b/systems/utsuho/proxmox.nix @@ -0,0 +1,16 @@ +_: { + proxmox = { + vm.id = 108; + container = { + enable = true; + lxc.configJsonFile = ./lxc.json; + }; + network.interfaces = { + net0 = { + macAddress = "BC:24:11:C4:66:A6"; + address4 = "10.1.1.38/24"; + address6 = "auto"; + }; + }; + }; +} diff --git a/tree.nix b/tree.nix index 66939dff..5e902185 100644 --- a/tree.nix +++ b/tree.nix @@ -60,6 +60,7 @@ "modules/nixos/steam".functor.enable = true; "modules/meta".functor.enable = true; "modules/system".functor.enable = true; + "modules/system/proxmox".functor.enable = true; "modules/home".functor.enable = true; "modules/type".functor.enable = true; "nixos/*".functor = {