Add Tailscale exit node profile (#21)

* Add Tailscale exit node profile * Format files
ethnt · Dec 26, 2023 · c54109b · c54109b
1 parent d0a3b14
commit c54109b
Show file tree

Hide file tree

Showing 9 changed files with 181 additions and 15 deletions.
diff --git a/Justfile b/Justfile
@@ -26,3 +26,5 @@ repl:
 
 format:
     nix fmt
+
+alias fmt := format
diff --git a/deploy/.terraform.lock.hcl b/deploy/.terraform.lock.hcl
diff --git a/deploy/configuration.tf b/deploy/configuration.tf
@@ -12,21 +12,21 @@ provider "aws" {
 
 provider "proxmox" {
   alias               = "anise"
-  pm_api_url          = "https://192.168.10.10:8006/api2/json"
+  pm_api_url          = "https://anise:8006/api2/json"
   pm_api_token_id     = data.sops_file.secrets.data["ANISE_PM_API_TOKEN_ID"]
   pm_api_token_secret = data.sops_file.secrets.data["ANISE_PM_API_TOKEN_SECRET"]
 }
 
 provider "proxmox" {
   alias               = "basil"
-  pm_api_url          = "https://192.168.10.20:8006/api2/json"
+  pm_api_url          = "https://basil:8006/api2/json"
   pm_api_token_id     = data.sops_file.secrets.data["BASIL_PM_API_TOKEN_ID"]
   pm_api_token_secret = data.sops_file.secrets.data["BASIL_PM_API_TOKEN_SECRET"]
 }
 
 provider "proxmox" {
   alias               = "cardamom"
-  pm_api_url          = "https://192.168.10.30:8006/api2/json"
+  pm_api_url          = "https://cardamom:8006/api2/json"
   pm_api_token_id     = data.sops_file.secrets.data["CARDAMOM_PM_API_TOKEN_ID"]
   pm_api_token_secret = data.sops_file.secrets.data["CARDAMOM_PM_API_TOKEN_SECRET"]
 }
diff --git a/deploy/vms.tf b/deploy/vms.tf
@@ -54,7 +54,7 @@ resource "proxmox_vm_qemu" "htpc" {
   iso         = "local:iso/latest-nixos-minimal-x86_64-linux.iso"
   vmid        = 101
   cpu         = "host,flags=+pcid"
-  memory      = 65536
+  memory      = 32768
   balloon     = 0
   sockets     = 1
   cores       = 16
@@ -67,7 +67,6 @@ resource "proxmox_vm_qemu" "htpc" {
 
   bios = "seabios"
 
-
   network {
     model     = "virtio"
     bridge    = "vmbr0"
@@ -92,6 +91,41 @@ resource "proxmox_vm_qemu" "htpc" {
   }
 }
 
+resource "proxmox_vm_qemu" "builder" {
+  provider = proxmox.basil
+
+  name        = "builder"
+  target_node = "basil"
+  iso         = "omnibus:iso/latest-nixos-minimal-x86_64-linux.iso"
+  vmid        = 102
+  cpu         = "host"
+  memory      = 32768
+  balloon     = 0
+  sockets     = 1
+  cores       = 8
+  qemu_os     = "other"
+  scsihw      = "virtio-scsi-single"
+  # boot        = "order=scsi0"
+
+  onboot = true
+  agent  = 1
+
+  bios = "seabios"
+
+  network {
+    model  = "virtio"
+    bridge = "vmbr0"
+  }
+
+  disk {
+    type    = "scsi"
+    size    = "128G"
+    storage = "local-zfs"
+    discard = "on"
+    format  = "raw"
+  }
+}
+
 resource "proxmox_vm_qemu" "matrix" {
   provider = proxmox.cardamom
 

diff --git a/hosts/builder/disk-config.nix b/hosts/builder/disk-config.nix
@@ -0,0 +1,97 @@
+_:
+let disks = { scsi = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; };
+in {
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = disks.scsi;
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02";
+            };
+
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    zpool = {
+      zroot = {
+        type = "zpool";
+
+        options = {
+          ashift = "12";
+          autotrim = "on";
+        };
+
+        rootFsOptions = {
+          acltype = "posixacl";
+          compression = "lz4";
+          dnodesize = "auto";
+          normalization = "formD";
+          relatime = "on";
+          xattr = "sa";
+          mountpoint = "none";
+        };
+
+        postCreateHook = ''
+          zfs snapshot zroot/root@empty
+          zfs mount
+        '';
+
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+          };
+
+          "nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+          };
+
+          "var" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/var";
+          };
+
+          "persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+          };
+
+          "home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/builder/hardware-configuration.nix b/hosts/builder/hardware-configuration.nix
@@ -0,0 +1,18 @@
+{
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "ehci_pci"
+    "nvme"
+    "sd_mod"
+    "sr_mod"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+  ];
+
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  swapDevices = [ ];
+}
diff --git a/hosts/controller/configuration.nix b/hosts/controller/configuration.nix
@@ -1,18 +1,19 @@
 { suites, profiles, ... }: {
   imports = with suites;
     core ++ [
-      profiles.power.server.apc
-      profiles.networking.unifi
-      profiles.networking.blocky
+      profiles.databases.postgresql.blocky
+      profiles.databases.postgresql.default
+      profiles.databases.redis.blocky
       profiles.filesystems.hybrid-boot
       profiles.filesystems.zfs
-      profiles.hardware.intel
       profiles.hardware.hidpi
+      profiles.hardware.intel
       profiles.hardware.ssd
       profiles.hardware.thermald
-      profiles.databases.redis.blocky
-      profiles.databases.postgresql.default
-      profiles.databases.postgresql.blocky
+      profiles.networking.blocky
+      profiles.networking.tailscale.exit-node
+      profiles.networking.unifi
+      profiles.power.server.apc
       profiles.telemetry.prometheus-nut-exporter
       profiles.telemetry.prometheus-smokeping-exporter
     ] ++ [ ./disk-config.nix ./hardware-configuration.nix ];

diff --git a/hosts/omnibus/configuration.nix b/hosts/omnibus/configuration.nix
@@ -63,9 +63,7 @@
   };
 
   programs.fish.shellAliases.iotop = ''
-    bash -c "sudo sysctl kernel.task_delayacct=1 && sudo ${
-      pkgs.lib.getExe pkgs.iotop
-    } ; sudo sysctl kernel.task_delayacct=0"
+    bash -c "sudo sysctl kernel.task_delayacct=1 && sudo ${pkgs.iotop}/bin/iotop ; sudo sysctl kernel.task_delayacct=0"
   '';
 
   system.stateVersion = "23.11";

diff --git a/modules/profiles/networking/tailscale/exit-node.nix b/modules/profiles/networking/tailscale/exit-node.nix
@@ -0,0 +1,9 @@
+{ lib, ... }: {
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+
+  services.tailscale.extraUpFlags =
+    lib.mkAfter [ "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" ];
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,3 +26,5 @@ repl:

		format:
		nix fmt

		alias fmt := format