From c54109b0674b148bf8df655a1d73bb8ea61267a7 Mon Sep 17 00:00:00 2001 From: Ethan Turkeltaub Date: Mon, 25 Dec 2023 20:03:22 -0500 Subject: [PATCH] Add Tailscale exit node profile (#21) * Add Tailscale exit node profile * Format files --- Justfile | 2 + deploy/.terraform.lock.hcl | 7 ++ deploy/configuration.tf | 6 +- deploy/vms.tf | 38 +++++++- hosts/builder/disk-config.nix | 97 +++++++++++++++++++ hosts/builder/hardware-configuration.nix | 18 ++++ hosts/controller/configuration.nix | 15 +-- hosts/omnibus/configuration.nix | 4 +- .../networking/tailscale/exit-node.nix | 9 ++ 9 files changed, 181 insertions(+), 15 deletions(-) create mode 100644 hosts/builder/disk-config.nix create mode 100644 hosts/builder/hardware-configuration.nix create mode 100644 modules/profiles/networking/tailscale/exit-node.nix diff --git a/Justfile b/Justfile index 2ffcefc..b76d056 100644 --- a/Justfile +++ b/Justfile @@ -26,3 +26,5 @@ repl: format: nix fmt + +alias fmt := format diff --git a/deploy/.terraform.lock.hcl b/deploy/.terraform.lock.hcl index a8e08d5..9156bc2 100644 --- a/deploy/.terraform.lock.hcl +++ b/deploy/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/carlpett/sops" { constraints = "0.7.2" hashes = [ "h1:+A1/RJ3eNVQHDFHjol70EfC5Yh9e78WMXxh1uoxlAYQ=", + "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=", "h1:vVGdyTEh1393CXc/Dt7/INj0pG9V2kA9dZ02laGj5+c=", "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82", "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190", @@ -22,6 +23,7 @@ provider "registry.terraform.io/hashicorp/aws" { constraints = "~> 5.0" hashes = [ "h1:C2XSEyqWul0FwJjRqz0o1es91fm5PLlQY1jAopatkR4=", + "h1:TjctPnxYpg1RZaU1dGW8BSvdmf0t0jsNGU1rEmNIXns=", "h1:f3SxpLlSueYKYXz5zpzP90MUN3cJ+omnTHXV9vUtOvM=", "zh:032424d4686ce2ff7c5a4a738491635616afbf6e06b3e7e6a754baa031d1265d", "zh:1e530b4020544ec94e1fe7b1e4296640eb12cf1bf4f79cd6429ff2c4e6fffaf3", 
@@ -46,6 +48,7 @@ provider "registry.terraform.io/hashicorp/external" { hashes = [ "h1:/4FnL0cF4qhQ1ASUYUZG/MZB2d+DvK34tKXI3DQQipY=", "h1:9rJggijNdRdFk//ViQPGZdK0xu9XU/9qBDijNsZJMg0=", + "h1:gznGscVJ0USxy4CdihpjRKPsKvyGr/zqPvBoFLJTQDc=", "zh:001e2886dc81fc98cf17cf34c0d53cb2dae1e869464792576e11b0f34ee92f54", "zh:2eeac58dd75b1abdf91945ac4284c9ccb2bfb17fa9bdb5f5d408148ff553b3ee", "zh:2fc39079ba61411a737df2908942e6970cb67ed2f4fb19090cd44ce2082903dd", @@ -65,6 +68,7 @@ provider "registry.terraform.io/hashicorp/local" { version = "2.4.0" hashes = [ "h1:Bs7LAkV/iQTLv72j+cTMrvx2U3KyXrcVHaGbdns1NcE=", + "h1:ZUEYUmm2t4vxwzxy1BvN1wL6SDWrDxfH7pxtzX8c6d0=", "h1:iPUE8YWbDWCNRq8+ArRdpbZV95TWYDvidXJin8e/ymA=", "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", @@ -84,6 +88,7 @@ provider "registry.terraform.io/hashicorp/local" { provider "registry.terraform.io/hashicorp/tls" { version = "4.0.4" hashes = [ + "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", "h1:O6ouLbudQhS4tj++kn7j9NRtg/tZ3ek7HSWcyPiUR4s=", "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", @@ -105,6 +110,7 @@ provider "registry.terraform.io/tailscale/tailscale" { version = "0.13.7" constraints = "0.13.7" hashes = [ + "h1:IRg5A6z9R59yDRJuXjPrbyEy3gLgVun+blPTl3eT2CM=", "h1:IzKYGNqenFIq5OmDPaCD4ylGAIxG2drVPzurMIA7wjg=", "h1:TGMP6qlcWe9koqh0+akztZYWPjGUM35XN8xzqcXCV/U=", "zh:0f1655340771851db36d2994bf04481444a873bb555b3eef20a769c3c884aff4", @@ -129,6 +135,7 @@ provider "registry.terraform.io/telmate/proxmox" { constraints = "2.9.14" hashes = [ "h1:KWPlH228/+BiH8OOY754MTTaUkLJLN/1krSSzqiyNsE=", + "h1:asZa5VKbWeCpLNv1JAutt5CdD27HaGFjxxcr6mvn8Ps=", "zh:0d049d33f705e5b814d30028770c084151218439424e99684ce31d7e26a720b5", "zh:20b1c64ed56d81de95f3f37b82b45b4654c0de26670c0e87a474c5cce13cd015", "zh:2946058abd1d8e50e475b9ec39781eb02576b40dbd80f4653fade4493a4514c6", 
diff --git a/deploy/configuration.tf b/deploy/configuration.tf
index 61a19e6..297f1a2 100644
--- a/deploy/configuration.tf
+++ b/deploy/configuration.tf
@@ -12,21 +12,21 @@ provider "aws" {
 provider "proxmox" {
 alias = "anise"
- pm_api_url = "https://192.168.10.10:8006/api2/json"
+ pm_api_url = "https://anise:8006/api2/json"
 pm_api_token_id = data.sops_file.secrets.data["ANISE_PM_API_TOKEN_ID"]
 pm_api_token_secret = data.sops_file.secrets.data["ANISE_PM_API_TOKEN_SECRET"]
 }
 provider "proxmox" {
 alias = "basil"
- pm_api_url = "https://192.168.10.20:8006/api2/json"
+ pm_api_url = "https://basil:8006/api2/json"
 pm_api_token_id = data.sops_file.secrets.data["BASIL_PM_API_TOKEN_ID"]
 pm_api_token_secret = data.sops_file.secrets.data["BASIL_PM_API_TOKEN_SECRET"]
 }
 provider "proxmox" {
 alias = "cardamom"
- pm_api_url = "https://192.168.10.30:8006/api2/json"
+ pm_api_url = "https://cardamom:8006/api2/json"
 pm_api_token_id = data.sops_file.secrets.data["CARDAMOM_PM_API_TOKEN_ID"]
 pm_api_token_secret = data.sops_file.secrets.data["CARDAMOM_PM_API_TOKEN_SECRET"]
 }
diff --git a/deploy/vms.tf b/deploy/vms.tf
index 174384e..6b10ee3 100644
--- a/deploy/vms.tf
+++ b/deploy/vms.tf
@@ -54,7 +54,7 @@ resource "proxmox_vm_qemu" "htpc" {
 iso = "local:iso/latest-nixos-minimal-x86_64-linux.iso"
 vmid = 101
 cpu = "host,flags=+pcid"
- memory = 65536
+ memory = 32768
 balloon = 0
 sockets = 1
 cores = 16
@@ -67,7 +67,6 @@ resource "proxmox_vm_qemu" "htpc" {
 bios = "seabios"
-
 network {
 model = "virtio"
 bridge = "vmbr0"
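Review bot: The three `pm_api_url` values now use single-label hostnames (`anise`, `basil`, `cardamom`), so the provider's TLS verification depends on each Proxmox API certificate carrying that name as a SAN; if it does not, the change only works with `pm_tls_insecure = true`, and this hunk does not show the TLS setting either way. A one-line comment above the first `provider "proxmox"` block recording how the names resolve and that the certificates include them would let a reader confirm the API connection is still verified, e.g. `# Hostnames resolve via LAN DNS; each node's API certificate lists its hostname as a SAN.` The `provider "aws"` block named in the hunk header lies outside the hunk.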
@@ -92,6 +91,41 @@ resource "proxmox_vm_qemu" "htpc" {
 }
 }
+resource "proxmox_vm_qemu" "builder" {
+ provider = proxmox.basil
+
+ name = "builder"
+ target_node = "basil"
+ iso = "omnibus:iso/latest-nixos-minimal-x86_64-linux.iso"
+ vmid = 102
+ cpu = "host"
+ memory = 32768
+ balloon = 0
+ sockets = 1
+ cores = 8
+ qemu_os = "other"
+ scsihw = "virtio-scsi-single"
+ # boot = "order=scsi0"
+
+ onboot = true
+ agent = 1
+
+ bios = "seabios"
+
+ network {
+ model = "virtio"
+ bridge = "vmbr0"
+ }
+
+ disk {
+ type = "scsi"
+ size = "128G"
+ storage = "local-zfs"
+ discard = "on"
+ format = "raw"
+ }
+}
+
 resource "proxmox_vm_qemu" "matrix" {
 provider = proxmox.cardamom
diff --git a/hosts/builder/disk-config.nix b/hosts/builder/disk-config.nix
new file mode 100644
index 0000000..7c3808e
--- /dev/null
+++ b/hosts/builder/disk-config.nix
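Review bot: `# boot = "order=scsi0"` in the new `builder` resource is left commented out with no explanation, so a reader cannot tell whether the VM is meant to keep booting the installer ISO or whether the line was disabled to work around something in the provider. Either drop the line or annotate it, e.g. `# boot order left at the Proxmox default on purpose: <reason>`, so a later edit does not silently re-enable it. The resource also pulls its ISO from `omnibus:iso/...` while `htpc` uses `local:iso/...`; a short comment on why the image comes from a different storage would help the next maintainer.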
@@ -0,0 +1,97 @@
+_:
+let disks = { scsi = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; };
+in {
+ disko.devices = {
+ disk = {
+ root = {
+ type = "disk";
+ device = disks.scsi;
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+
+ options = {
+ ashift = "12";
+ autotrim = "on";
+ };
+
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "lz4";
+ dnodesize = "auto";
+ normalization = "formD";
+ relatime = "on";
+ xattr = "sa";
+ mountpoint = "none";
+ };
+
+ postCreateHook = ''
+ zfs snapshot zroot/root@empty
+ zfs mount
+ '';
+
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/";
+ };
+
+ "nix" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/nix";
+ };
+
+ "var" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/var";
+ };
+
+ "persist" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/persist";
+ };
+
+ "home" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/home";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/builder/hardware-configuration.nix b/hosts/builder/hardware-configuration.nix
new file mode 100644
index 0000000..172395d
--- /dev/null
+++ b/hosts/builder/hardware-configuration.nix
@@ -0,0 +1,18 @@
+{
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "ehci_pci"
+ "nvme"
+ "sd_mod"
+ "sr_mod"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ ];
+
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+}
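Review bot: The ESP entry (`ESP = { ... mountpoint = "/boot"; }`) sets no `mountOptions`, so the vfat filesystem is mounted with its default permissions and the kernels and initrds written there are readable by every local user. Adding `mountOptions = [ "umask=0077" ];` beside `mountpoint = "/boot";` limits that to root; recent nixos-generate-config output sets `fmask=0077`/`dmask=0077` on vfat `/boot` for the same reason, as far as I recall. The `postCreateHook` snapshot `zroot/root@empty` is referenced nowhere else in this file, so a one-line comment on what consumes it (presumably a root-reset at boot; confirm) would save the next reader a search.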
diff --git a/hosts/controller/configuration.nix b/hosts/controller/configuration.nix
index d5497e9..09e0083 100644
--- a/hosts/controller/configuration.nix
+++ b/hosts/controller/configuration.nix
@@ -1,18 +1,19 @@
 { suites, profiles, ... }: { imports = with suites; core ++ [
- profiles.power.server.apc
- profiles.networking.unifi
- profiles.networking.blocky
+ profiles.databases.postgresql.blocky
+ profiles.databases.postgresql.default
+ profiles.databases.redis.blocky
 profiles.filesystems.hybrid-boot
 profiles.filesystems.zfs
- profiles.hardware.intel
 profiles.hardware.hidpi
+ profiles.hardware.intel
 profiles.hardware.ssd
 profiles.hardware.thermald
- profiles.databases.redis.blocky
- profiles.databases.postgresql.default
- profiles.databases.postgresql.blocky
+ profiles.networking.blocky
+ profiles.networking.tailscale.exit-node
+ profiles.networking.unifi
+ profiles.power.server.apc
 profiles.telemetry.prometheus-nut-exporter
 profiles.telemetry.prometheus-smokeping-exporter
 ] ++ [ ./disk-config.nix ./hardware-configuration.nix ];
diff --git a/hosts/omnibus/configuration.nix b/hosts/omnibus/configuration.nix
index 0dd6e32..7f910aa 100644
--- a/hosts/omnibus/configuration.nix
+++ b/hosts/omnibus/configuration.nix
@@ -63,9 +63,7 @@
 };
 programs.fish.shellAliases.iotop = ''
- bash -c "sudo sysctl kernel.task_delayacct=1 && sudo ${
- pkgs.lib.getExe pkgs.iotop
- } ; sudo sysctl kernel.task_delayacct=0"
+ bash -c "sudo sysctl kernel.task_delayacct=1 && sudo ${pkgs.iotop}/bin/iotop ; sudo sysctl kernel.task_delayacct=0"
 '';
 system.stateVersion = "23.11";
diff --git a/modules/profiles/networking/tailscale/exit-node.nix b/modules/profiles/networking/tailscale/exit-node.nix
new file mode 100644
index 0000000..5f977e7
--- /dev/null
+++ b/modules/profiles/networking/tailscale/exit-node.nix
@@ -0,0 +1,9 @@
+{ lib, ... }: {
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ services.tailscale.extraUpFlags =
+ lib.mkAfter [ "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" ];
+}
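Review bot: The advertised prefix `192.168.0.0/24` in `--advertise-routes` does not match the management addresses this same patch removes from deploy/configuration.tf (`192.168.10.10`, `.20`, `.30`), so the subnet route may point at a different network than the Proxmox hosts; worth confirming the intended prefix before the controller (which imports this profile in hosts/controller/configuration.nix) advertises it to the tailnet. With IP forwarding on and both an exit node and a subnet route advertised, every tailnet device the tailnet ACL permits can reach that LAN and egress through this host, so a header comment naming the intended clients and the ACL that scopes them would document the exposure, e.g. `# Exit node + subnet router for the LAN; access is limited by the tailnet ACL, not by this host.` If the pinned nixpkgs provides it, `services.tailscale.useRoutingFeatures = "server";` sets the same forwarding sysctls together with the reverse-path-filter relaxation that subnet routing needs, which the hand-written sysctls here do not cover.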