From 75e9e63e5184fa3430248ea4ee7aa54a27ab6854 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band" 
Date: Sun, 22 Feb 2026 13:04:59 +0100
Subject: [PATCH] restructure

---
 hosts/common.nix | 87 ++++++++++++++++++++++++------
 hosts/control-plane-01/default.nix | 11 ++++
 hosts/control-plane-02/default.nix | 11 ++++
 hosts/control-plane-03/default.nix | 11 ++++
 hosts/kaede/base.nix | 67 -----------------------
 hosts/kaede/default.nix | 85 ++++++++++++++++++++++++++---
 hosts/kaede/networking.nix | 29 ----------
 hosts/kaede/programs.nix | 31 -----------
 hosts/kaede/services.nix | 25 ---------
 hosts/kaede/users.nix | 23 --------
 hosts/vm.nix | 29 ++++++++++
 hosts/worker-01/default.nix | 11 ++++
 hosts/worker-02/default.nix | 11 ++++
 hosts/worker-03/default.nix | 11 ++++
 hosts/worker-04/default.nix | 11 ++++
 hosts/worker-05/default.nix | 11 ++++
 lib/randomHour.nix | 9 ++++
 services/openssh.nix | 16 ++++++
 18 files changed, 292 insertions(+), 197 deletions(-)
 create mode 100644 hosts/control-plane-01/default.nix
 create mode 100644 hosts/control-plane-02/default.nix
 create mode 100644 hosts/control-plane-03/default.nix
 delete mode 100644 hosts/kaede/base.nix
 delete mode 100644 hosts/kaede/networking.nix
 delete mode 100644 hosts/kaede/programs.nix
 delete mode 100644 hosts/kaede/services.nix
 delete mode 100644 hosts/kaede/users.nix
 create mode 100644 hosts/vm.nix
 create mode 100644 hosts/worker-01/default.nix
 create mode 100644 hosts/worker-02/default.nix
 create mode 100644 hosts/worker-03/default.nix
 create mode 100644 hosts/worker-04/default.nix
 create mode 100644 hosts/worker-05/default.nix
 create mode 100644 lib/randomHour.nix
 create mode 100644 services/openssh.nix

diff --git a/hosts/common.nix b/hosts/common.nix
index 895a2ef..81c429b 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -1,9 +1,25 @@ { config, lib, pkgs, ... }: +let + randomHour = import ../lib/randomHour.nix { inherit lib; }; +in { + nix = { + optimise = { + automatic = true; + dates = [ "${toString randomHour config.networking.hostName}:00" ]; + }; + settings = { + auto-optimise-store = true; + experimental-features = [ "nix-command" "flakes" ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 7d"; + }; + }; + boot = { - initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - kernelModules = [ "kvm-intel" ]; loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; @@ -11,23 +27,34 @@ kernelPackages = pkgs.linuxPackages_latest; }; - fileSystems = { - "/" = { - device = "/dev/disk/by-label/ROOT"; - fsType = "ext4"; - options = [ "discard" "noatime" ]; - }; - "/boot" = { - device = "/dev/disk/by-label/BOOT"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" "discard" "noatime" ]; - }; + networking = { + search = [ "xengi.de" ]; + useNetworkd = true; + nftables.enable = true; + dhcpcd.enable = false; + useDHCP = false; + nameservers = [ + "2606:4700:4700::1111#one.one.one.one" + "2620:fe::fe#dns.quad9.net" + ]; + firewall.enable = true; }; - swapDevices = []; + services.resolved = { + enable = true; + fallbackDns = [ + "1.1.1.1#one.one.one.one" + "9.9.9.9#dns.quad9.net" + ]; + llmnr = "false"; + extraConfig = '' + MulticastDNS=false + ''; + dnssec = "allow-downgrade"; + dnsovertls = "true"; #"opportunistic"; + }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; time.timeZone = "Europe/Berlin"; 
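Review bot: `dates = [ "${toString randomHour config.networking.hostName}:00" ]` never calls randomHour with the hostname: Nix function application is left-associative, so this parses as `(toString randomHour) config.networking.hostName`, and `toString` applied to a function fails at evaluation ("cannot coerce a function to a string"). The call needs parentheses, `dates = [ "${toString (randomHour config.networking.hostName)}:00" ];`. Note also that `gc` gets `automatic = true` but no `dates`, so garbage collection keeps the NixOS default schedule while only store optimisation is staggered per host; if both are meant to be staggered, give `gc` the same expression.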
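Review bot: `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` is removed from common.nix in this hunk, and the new hosts/kaede/default.nix in the same patch does not re-add it (the deleted base.nix carried a copy), so the bare-metal libvirt host stops receiving CPU microcode updates — and with them the firmware half of the Spectre/MDS-class mitigations — after this restructure. The VM guests don't need it, but leaving it here under `lib.mkDefault` is harmless for them; alternatively move the line into kaede's config next to `kernelModules = [ "kvm-intel" ];`. A one-line comment on `dnssec = "allow-downgrade"` recording why strict validation wasn't chosen would also help, since that value lets resolved silently disable DNSSEC when the upstream stops returning validated answers.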
@@ -37,9 +64,37 @@
 };
 
 environment.systemPackages = with pkgs; [
+ vim
 git
 ];
 
- system.stateVersion = "25.11";
+ programs = {
+ vim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ mtr.enable = true;
+ htop = {
+ enable = true;
+ settings = {
+ highlight_base_name = true;
+ show_cpu_frequency = true;
+ show_cpu_temperature = true;
+ update_process_names = true;
+ color_scheme = "6";
+ };
+ };
+ tmux = {
+ enable = true;
+ terminal = "screen-256color";
+ shortcut = "a";
+ plugins = with pkgs.tmuxPlugins; [ sensible ];
+ newSession = true;
+ historyLimit = 10000;
+ clock24 = true;
+ };
+ };
+
+ security.sudo.execWheelOnly = true;
 }
 
diff --git a/hosts/control-plane-01/default.nix b/hosts/control-plane-01/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/control-plane-01/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/control-plane-02/default.nix b/hosts/control-plane-02/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/control-plane-02/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/control-plane-03/default.nix b/hosts/control-plane-03/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/control-plane-03/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/kaede/base.nix b/hosts/kaede/base.nix
deleted file mode 100644
index b9d1b50..0000000
--- a/hosts/kaede/base.nix
+++ /dev/null
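Review bot: `security.sudo.execWheelOnly = true;` lands in a tree that, as of this patch, has no member of `wheel`: hosts/kaede/users.nix — the only place the `xengi` user, its `wheel`/`libvirtd` groups and its seven authorized keys were declared — is deleted, and none of the 18 touched files re-declares a user or a key. Together with services/openssh.nix turning password and keyboard-interactive auth off, that leaves no remote login and no sudo path on any host, unless users are declared in a file outside this patch (the flake, for instance). If they are, a comment here such as `# users and authorized keys are declared per host in the flake` would make the split obvious; if not, a shared users module imported by every host is the missing piece. Minor: `vim` is listed in `environment.systemPackages` while `programs.vim.enable = true` below already installs it.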
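Review bot: This file is byte-identical to the five worker files (every one of the nine new host files shares blob `dc3466c`) and neither it nor hosts/vm.nix sets `networking.hostName`, so each guest boots with NixOS's default hostname and `randomHour config.networking.hostName` in common.nix produces the same hour for all of them — the per-host staggering it exists for collapses, and nothing distinguishes a control-plane node from a worker at the NixOS level. Adding `networking.hostName = "control-plane-01";` here, and the matching name in each sibling, fixes both; if the hostnames are instead injected by the flake, a comment saying so would help. `../../services/etcd.nix` is not part of this patch, so evaluation presumably relies on it already existing in the repository.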
@@ -1,67 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- boot = {
- initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
- kernelModules = [ "kvm-intel" ];
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- kernelPackages = pkgs.linuxPackages_latest;
- swraid = {
- enable = true;
- mdadmConf = ''
- ARRAY /dev/md/ROOT metadata=1.2 UUID=acd8260f-e30f-2f3f-74f7-e51ee905a498
- MAILADDR root@localhost
- '';
- };
- };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/e44cfa13-868e-4d26-b3de-5a8ae92bb055";
- fsType = "ext4";
- options = [ "discard" "noatime" ];
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/AD5C-950B";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" "discard" "noatime" ];
- };
- };
-
- swapDevices = [
- { device = "/dev/disk/by-uuid/e8825b01-f91e-4c4f-8916-bffeb6fac0cd"; }
- { device = "/dev/disk/by-uuid/5b53c0b9-ab57-4992-8e81-957e19c7b685"; }
- ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
- time.timeZone = "Europe/Berlin";
-
- console = {
- font = "Lat2-Terminus16";
- useXkbConfig= true;
- };
-
- environment.systemPackages = with pkgs; [
- git
- ];
-
- virtualisation = {
- #useEFIBoot = true;
- libvirtd = {
- enable = true;
- nss.enableGuest = true;
- startDelay = 1;
- onShutdown = "shutdown";
- };
- };
- #rootDevice = "/dev/disk/by-label/nixos";
- #mountHostNixStore = true;
-
- system.stateVersion = "25.11";
-}
-
diff --git a/hosts/kaede/default.nix b/hosts/kaede/default.nix
index 6bbc37d..392d917 100644
--- a/hosts/kaede/default.nix
+++ b/hosts/kaede/default.nix
@@ -1,12 +1,85 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
 
 {
 imports = [
- ./base.nix
- ./networking.nix
- ./users.nix
- ./programs.nix
- ./services.nix
+ ../common.nix
+ ../../services/openssh.nix
 ];
+
+ boot = {
+ initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ kernelModules = [ "kvm-intel" ];
+ swraid = {
+ enable = true;
+ mdadmConf = ''
+ ARRAY /dev/md/ROOT metadata=1.2 UUID=acd8260f-e30f-2f3f-74f7-e51ee905a498
+ MAILADDR root@localhost
+ '';
+ };
+ #kernel.sysctl = {
+ # "net.ipv4.ip_forward" = true;
+ # "net.ipv4.conf.all.forwarding" = true;
+ #};
+ };
+
+ networking = {
+ hostName = "kaede";
+ domain = "xengi.de";
+ search = [ "xengi.de" ];
+ defaultGateway6 = {
+ address = "2a00:1328:e100:1::6c";
+ interface = "eno3";
+ };
+ defaultGateway = {
+ address = "217.115.0.182";
+ interface = "eno3";
+ };
+ interfaces.eno3 = {
+ ipv6.addresses = [{ address = "2a00:1328:e100:1::6d"; prefixLength = 127; }];
+ ipv4.addresses = [{ address = "217.115.0.183"; prefixLength = 31; }];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/e44cfa13-868e-4d26-b3de-5a8ae92bb055";
+ fsType = "ext4";
+ options = [ "discard" "noatime" ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/AD5C-950B";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" "discard" "noatime" ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/e8825b01-f91e-4c4f-8916-bffeb6fac0cd"; }
+ { device = "/dev/disk/by-uuid/5b53c0b9-ab57-4992-8e81-957e19c7b685"; }
+ ];
+
+ virtualisation = {
+ useEFIBoot = true;
+ libvirtd = {
+ enable = true;
+ nss.enableGuest = true;
+ startDelay = 1;
+ onShutdown = "shutdown";
+ };
+ };
+ #rootDevice = "/dev/disk/by-label/nixos";
+ #mountHostNixStore = true;
+
+ services.openssh.banner = ''
+ __ __ __
+ /'__`\ /\ \ /'_ `\
+ ___ /\_\L\ \\ \ \/'\ /\ \L\ \ ____
+ /'___\/_/_\_<_\ \ , < \/_> _ <_ /',__\
+ /\ \__/ /\ \L\ \\ \ \\`\ /\ \L\ \/\__, `\
+ \ \____\\ \____/ \ \_\ \_\ \____/\/\____/
+ \/____/ \/___/ \/_/\/_/\/___/ \/___/
+ '';
+
+ system.stateVersion = "25.11";
 }
 
diff --git a/hosts/kaede/networking.nix b/hosts/kaede/networking.nix
deleted file mode 100644
index c88d7bd..0000000
--- a/hosts/kaede/networking.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ ... }:
-
-{
- networking = {
- hostName = "kaede";
- domain = "xengi.de";
- search = [ "xengi.de" ];
- useNetworkd = true;
- dhcpcd.enable = false;
- nftables.enable = true;
- useDHCP = false;
- nameservers = [
- "2606:4700:4700::1111#one.one.one.one"
- "2620:fe::fe#dns.quad9.net"
- "1.1.1.1#one.one.one.one"
- "9.9.9.9#dns.quad9.net"
- ];
- defaultGateway = {
- address = "217.115.0.182";
- interface = "eno3";
- };
- interfaces.eno3 = {
- ipv6.addresses = [{ address = "2a00:1328:e100:1::6d"; prefixLength = 127; }];
- ipv4.addresses = [{ address = "217.115.0.183"; prefixLength = 31; }];
- };
- firewall.enable = true;
- };
-}
-
diff --git a/hosts/kaede/programs.nix b/hosts/kaede/programs.nix
deleted file mode 100644
index 184c46d..0000000
--- a/hosts/kaede/programs.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ pkgs, ... }:
-
-{
- programs = {
- fish.enable = true;
- vim = {
- enable = true;
- defaultEditor = true;
- };
- htop = {
- enable = true;
- settings = {
- highlight_base_name = true;
- show_cpu_frequency = true;
- show_cpu_temperature = true;
- update_process_names = true;
- color_scheme = "6";
- };
- };
- tmux = {
- enable = true;
- terminal = "screen-256color";
- shortcut = "a";
- plugins = with pkgs.tmuxPlugins; [ sensible ];
- newSession = true;
- historyLimit = 10000;
- clock24 = true;
- };
- };
-}
-
diff --git a/hosts/kaede/services.nix b/hosts/kaede/services.nix
deleted file mode 100644
index 7722ce9..0000000
--- a/hosts/kaede/services.nix
+++ /dev/null
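Review bot: `useEFIBoot = true;` under `virtualisation` was commented out in the deleted base.nix and is live here, but `virtualisation.useEFIBoot` belongs to NixOS's qemu-vm (test/VM-image) module, not to the libvirtd module, so on a real host configuration this is expected to fail evaluation with an undefined-option error unless that module is imported somewhere outside this patch; the `#rootDevice`/`#mountHostNixStore` comments right below it come from the same module and suggest the line was meant to stay commented. Since this host's EFI boot is already handled by `boot.loader.systemd-boot` from common.nix, dropping the line (or restoring `#useEFIBoot = true;`) is the safe fix. The `#kernel.sysctl` forwarding block is left commented; if the libvirt guests rely on routed or NAT networking through this host, a note on why forwarding is off would save the next reader a debugging session.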
@@ -1,25 +0,0 @@
-{ ... }:
-
-{
- services = {
- openssh = {
- enable = true;
- ports = [ 10022 ];
- openFirewall = true;
- banner = ''
- __ __ __
- /'__`\ /\ \ /'_ `\
- ___ /\_\L\ \\ \ \/'\ /\ \L\ \ ____
- /'___\/_/_\_<_\ \ , < \/_> _ <_ /',__\
- /\ \__/ /\ \L\ \\ \ \\`\ /\ \L\ \/\__, `\
- \ \____\\ \____/ \ \_\ \_\ \____/\/\____/
- \/____/ \/___/ \/_/\/_/\/___/ \/___/
- '';
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- };
- };
- };
-}
-
diff --git a/hosts/kaede/users.nix b/hosts/kaede/users.nix
deleted file mode 100644
index 573efaa..0000000
--- a/hosts/kaede/users.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ pkgs, ... }:
-
-{
- users.users.xengi = {
- isNormalUser = true;
- extraGroups = [ "wheel" "libvirtd" ];
- shell = pkgs.fish;
- packages = with pkgs; [
- fastfetch
- kitty # for terminfo
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwYcSxbP6Hon//kZFIZJSHdqvsJ6AyCwH4JP9/t4q46 xengi@yuka_2020-12-16"
- ];
- };
-}
-
diff --git a/hosts/vm.nix b/hosts/vm.nix
new file mode 100644
index 0000000..2c42748
--- /dev/null
+++ b/hosts/vm.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ boot = {}; # TODO: add kernel modules
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/ROOT";
+ fsType = "ext4";
+ options = [ "discard" "noatime" ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" "discard" "noatime" ];
+ };
+ };
+
+ #swapDevices = [{ device = "/dev/disk/by-label/SWAP"; }];
+
+ networking = {
+ domain = "k8s.xengi.de";
+ defaultGateway6 = {
+ address = "2a00:1328:e101:1300::1"; # TODO: use host network
+ interface = "ens3"; # TODO: use correct interface name
+ };
+ };
+}
+
diff --git a/hosts/worker-01/default.nix b/hosts/worker-01/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/worker-01/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/worker-02/default.nix b/hosts/worker-02/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/worker-02/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/worker-03/default.nix b/hosts/worker-03/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/worker-03/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/worker-04/default.nix b/hosts/worker-04/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/worker-04/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/hosts/worker-05/default.nix b/hosts/worker-05/default.nix
new file mode 100644
index 0000000..dc3466c
--- /dev/null
+++ b/hosts/worker-05/default.nix
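Review bot: With common.nix setting `useDHCP = false` and `dhcpcd.enable = false`, this file gives each guest a `defaultGateway6` on `ens3` but no `interfaces.ens3.ipv6.addresses`/`ipv4.addresses` and no IPv4 gateway, so a guest built from it has a default route with no address to source from and no IPv4 connectivity at all; the two `# TODO` markers on the gateway confirm both values are placeholders, and `boot = {}; # TODO: add kernel modules` is a no-op for the same reason. If these hosts are intentionally not deployable yet, say so at the top of the file, e.g. `# WIP: network addresses, gateway and initrd modules are placeholders; do not deploy.`, so nobody builds and ships a guest with a broken network by accident. The static IPv6 prefix `2a00:1328:e101:1300::1` here differs from the host prefix `2a00:1328:e100:1::` in hosts/kaede/default.nix, which matches the "use host network" TODO but is worth confirming before the TODO is closed.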
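Review bot: This worker imports `../../services/etcd.nix` exactly as the three control-plane hosts do; if that module starts an etcd member, the cluster datastore — which holds every Secret in a Kubernetes cluster — would run on all eight VMs, including the ones that will host workloads, and its quorum would be eight-way instead of three. If `etcd.nix` is meant for control-plane members only, drop the import here and in worker-02..05; if it is a client-side snippet (certificates, endpoints), a comment in this file such as `# etcd.nix: client configuration only, this node is not a member` would prevent the misreading. etcd.nix is not part of this patch, so this is inferred from the import alone.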
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../vm.nix
+ ../../services/openssh.nix
+ ../../services/etcd.nix
+ ];
+}
+
diff --git a/lib/randomHour.nix b/lib/randomHour.nix
new file mode 100644
index 0000000..628f8c9
--- /dev/null
+++ b/lib/randomHour.nix
@@ -0,0 +1,9 @@
+{ lib }:
+hostname:
+
+let
+ hash = builtins.hashString "sha256" hostname;
+ n = lib.strings.toIntBase 16 (builtins.substring 0 8 hash);
+in
+ n % 24
+
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..18fee9f
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ services = {
+ openssh = {
+ enable = true;
+ ports = [ 10022 ];
+ openFirewall = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+ };
+}
+
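Review bot: `lib.strings.toIntBase 16` is not a helper I know of in nixpkgs' `lib.strings` (it provides `toInt` and `toIntBase10`; hex parsing lives in `lib.fromHexString`), so this is expected to fail evaluation with an undefined-attribute error unless the pinned nixpkgs happens to provide it — please verify, or use `n = lib.fromHexString (builtins.substring 0 8 hash);`. The function is deterministic rather than random (the same hostname always yields the same hour), which is the right property for a reproducible schedule but not what the name suggests; a header comment such as `# Derive a stable hour (0-23) from a hostname so per-host maintenance jobs are staggered but reproducible.` would keep readers from expecting randomness.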
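Review bot: `settings` turns off password and keyboard-interactive authentication but leaves `PermitRootLogin` at the NixOS default (`prohibit-password`); since every host in this patch imports this module and none of the touched files gives root an authorized key, pinning `PermitRootLogin = "no";` costs nothing and removes the root account as an SSH target entirely. Moving sshd to port 10022 with `openFirewall = true` buys a little less log noise but is not a control, so if these hosts are Internet-facing consider `MaxAuthTries` in `settings` or a fail2ban-style rate limit alongside it. A one-line header comment stating the contract, e.g. `# Key-only SSH on a non-default port; users and authorized keys are declared per host.`, would also tell readers where to look for the accounts this module expects.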