diff --git a/aliases.nix b/aliases.nix index ae45876..d1181ab 100644 --- a/aliases.nix +++ b/aliases.nix @@ -12,13 +12,16 @@ all = "sudo chmod -R a+rwx ./*"; ng = "cd /etc/nginx/ && sudo nvim ."; copy = "xclip -sel clip"; - pubkey = "cat ~/.ssh/id_ed25519.pub | copy"; + pubkey = "cat ~/.ssh/id_ed25519.pub | ${pkgs.osc}/bin/osc copy"; up = "docker compose up -d"; down = "docker compose down -t 0"; inspect = "nix edit nixpkgs#$1"; fe = "nix develop"; fed = "nvim flake.nix"; cdn = "cd /etc/nixos"; + snorre = "ssh bot@spoodythe.one"; + kube-vm = + "ssh -o 'UserKnownHostsFile=/dev/null' -o 'StrictHostKeyChecking=no' -p 2222 root@localhost"; cpu = "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'"; r = "nix run"; diff --git a/configuration.nix b/configuration.nix index cdb706c..59abf9d 100755 --- a/configuration.nix +++ b/configuration.nix @@ -11,7 +11,8 @@ ./aliases.nix ./modules/drivers/nvidia.nix ./docker.nix - ./modules/k8s.nix + # ./modules/k8s.nix + ./modules/oscd.nix ./modules/python.nix ./programs.nix @@ -24,6 +25,8 @@ ./networking/caddy.nix ./modules/buildCache.nix + ./vms/kube-vm + # ./modules/de.nix ./modules/displayOff.nix ]; @@ -43,7 +46,7 @@ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Enable networking - networking.networkmanager.enable = true; + # networking.networkmanager.enable = true; # Set your time zone. time.timeZone = "Europe/Copenhagen"; diff --git a/docker.nix b/docker.nix index 0774ced..0516c7a 100644 --- a/docker.nix +++ b/docker.nix @@ -1,5 +1,16 @@ -{pkgs, ...} : { +{ pkgs, ... }: { virtualisation.docker.enable = true; hardware.nvidia-container-toolkit.enable = true; + + systemd.user.services.force-start-docker-containers = { + description = "docker stupid, so this starts the docker composes"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "/home/botserver/scripts/docker/up.sh"; + Type = "oneshot"; + }; + }; } 
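Review bot: The new `kube-vm` alias turns off host-key verification (`UserKnownHostsFile=/dev/null` plus `StrictHostKeyChecking=no`), so any process that manages to listen on localhost:2222 before the VM does is accepted silently. A dedicated known-hosts file does what the alias needs without giving up the check, e.g. `-o 'UserKnownHostsFile=~/.ssh/known_hosts.kube-vm' -o 'StrictHostKeyChecking=accept-new'`: the first connection records the VM's key and a later change is refused, which is the protection wanted if the disk image is ever recreated. The `snorre` alias opens a session on a remote host; a short comment saying what `bot@spoodythe.one` is would help the next reader.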
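Review bot: The commented-out `# ./modules/k8s.nix` in the first configuration.nix hunk points at a path this same commit renames to `vms/kube-vm/kubernetes.nix`, so it is dead text rather than a quick way to re-enable the module; drop it or reference the new path. The same applies to `# networking.networkmanager.enable = true;` in the third hunk: with systemd-networkd now configured in networking/networkSetup.nix, a comment such as `# networking is handled by systemd-networkd, see networking/networkSetup.nix` explains the change better than a disabled line.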
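Review bot: `systemd.user.services.force-start-docker-containers` is a per-user unit, and user managers have no `multi-user.target`; user units are pulled in by `default.target`, so with `wantedBy = [ "multi-user.target" ]` this unit will most likely never start on its own. If the intent is to run the compose stacks as `botserver` at boot, without waiting for a login session, a system unit with `User` set and ordered after `docker.service` is the simpler shape. Because `ExecStart` points into a home directory, whoever can write `/home/botserver/scripts/docker/up.sh` decides what runs at every boot; wrapping the script with `pkgs.writeShellScript` would pin it to the configuration instead.
```nix
  systemd.services.force-start-docker-containers = {
    description = "docker stupid, so this starts the docker composes";
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      User = "botserver";
      ExecStart = "/home/botserver/scripts/docker/up.sh";
    };
  };
```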
diff --git a/flake.lock b/flake.lock index 9823463..599b06f 100755 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,27 @@ "type": "github" } }, + "microvm": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1768682386, + "narHash": "sha256-mKrMf7eG9TM2AM3pTuhIiCGmZ/JwDegCQH3ThVqcTuc=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "f469c1dfede623bbbf1ac605f6359316fd4002ef", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -59,9 +80,26 @@ "root": { "inputs": { "home-manager": "home-manager", + "microvm": "microvm", "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs" } + }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1759482047, + "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", + "ref": "refs/heads/main", + "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", + "revCount": 996, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index eac3f41..e003459 100755 --- a/flake.nix +++ b/flake.nix 
@@ -13,16 +13,23 @@ url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + microvm = { + url = "github:astro/microvm.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, ... }@inputs: { + outputs = { self, nixpkgs, microvm, ... }@inputs: { # configuration name matches hostname, so this system is chosen by default - nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { + nixosConfigurations.botkube = nixpkgs.lib.nixosSystem { # pass along all the inputs and stuff to the system function specialArgs = { inherit inputs; }; modules = [ # import configuration ./configuration.nix + inputs.microvm.nixosModules.host + # home manager part 2 inputs.home-manager.nixosModules.default diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 8ef0a82..797c12b 100755 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -53,6 +53,13 @@ options = [ "nofail" "x-systemd.automount" ]; }; + # fileSystems."/mnt/benjaSteal" = { + # device = "mediaslave@deprived.dev:/"; + # fsType = "sshfs"; + # options = + # [ "nodev" "noatime" "allow_other" "IdentityFile=/root/.ssh/id_ed25519" ]; + # }; + # fileSystems."/mnt/disk5" = { # device = "/dev/disk/by-partuuid/3610155d-6d3d-4be1-9e50-7a638ccbf98c"; # fsType = "ext4"; diff --git a/modules/buildCache.nix b/modules/buildCache.nix index 587f407..2b0af00 100644 --- a/modules/buildCache.nix +++ b/modules/buildCache.nix @@ -8,6 +8,8 @@ }; }; + nix.settings.trusted-users = [ "root" "botserver" ]; + imports = [ ./../networking/networkSetup.nix ]; services.caddy = { diff --git a/modules/getNvim.nix b/modules/getNvim.nix new file mode 100644 index 0000000..79392a7 --- /dev/null +++ b/modules/getNvim.nix 
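Review bot: The comment above `nixosConfigurations.botkube` still says the configuration name matches the hostname, but this hunk only renames the attribute; unless `networking.hostName = "botkube"` is set in configuration.nix (not visible here), `nixos-rebuild` will no longer select this system by default and will need `--flake .#botkube`. Either set the hostname alongside the rename or update the comment. `microvm` is now destructured in the `outputs` arguments while the body uses `inputs.microvm.nixosModules.host`, so the new binding is unused; dropping it keeps the signature honest.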
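Review bot: `nix.settings.trusted-users = [ "root" "botserver" ];` in modules/buildCache.nix is a larger grant than the file name suggests: a trusted user can pass arbitrary `substituters`, `trusted-public-keys` and other daemon settings per invocation, which amounts to root-equivalent control over `/nix/store`. If the goal is only letting `botserver` use the cache configured in this file, adding it to the system-wide `nix.settings.substituters` and `trusted-public-keys` avoids trusting any user at all. If the grant is deliberate, a comment above the line such as `# botserver may override daemon settings; needed for <REASON_PLACEHOLDER>` records why.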
@@ -0,0 +1,24 @@
+{ pkgs, ... }: {
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "get-nvim" ''
+ set -e
+
+ # 1. Define Variables
+ NVIM_CONFIG_DIR="$HOME/.config/nvim"
+ REPO_URL="https://github.com/MagicBOTAlex/NVimConfigs"
+
+ # 2. Delete Existing Config
+ if [ -d "$NVIM_CONFIG_DIR" ]; then
+ echo "🗑️ Deleting existing Neovim configuration at $NVIM_CONFIG_DIR..."
+ rm -rf "$NVIM_CONFIG_DIR"
+ fi
+
+ # 3. Clone Fresh
+ echo "⚙️ Cloning new Neovim Configs..."
+ git clone "$REPO_URL" "$NVIM_CONFIG_DIR"
+
+ echo "✅ Done!"
+ '')
+ ];
+}
+
diff --git a/modules/oscd.nix b/modules/oscd.nix
new file mode 100644
index 0000000..7d18ce8
--- /dev/null
+++ b/modules/oscd.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+let
+ oscd = pkgs.rustPlatform.buildRustPackage rec {
+ pname = "oscd";
+ version = "0.1.10";
+
+ src = pkgs.fetchCrate {
+ inherit pname version;
+ hash = "sha256-PMn7PB7Mt+YrpV0bohTIAVvBOZMigV7WdJjwNEGpbgs=";
+ };
+
+ cargoHash = "sha256-K6eyRyBdab3/7024LNTh5SETH1gMZjB9viFzzWLdYBc=";
+
+ meta = with lib; {
+ description = "OSC debugger (CLI)";
+ homepage = "https://crates.io/crates/oscd";
+ license = licenses.mit;
+ maintainers = with maintainers; [ ];
+ platforms = platforms.all;
+ };
+ };
+in
+{ environment.systemPackages = with pkgs; [ oscd ]; }
+
diff --git a/networking/caddy.nix b/networking/caddy.nix
index 122b050..f18737c 100644
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
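Review bot: The `get-nvim` script removes `$NVIM_CONFIG_DIR` before it knows the clone will succeed, so a network failure leaves the user with no Neovim config at all, and `set -e` without `-u` means an unset `HOME` turns the path into `/.config/nvim` before `rm -rf` runs. Cloning into a temporary sibling directory and swapping it in only after `git clone` returns keeps the old config on failure, and `set -eu` catches the unset variable. The clone also tracks whatever the repository's default branch holds at that moment, and a Neovim config executes on startup, so pinning a tag or branch with `--branch` (or checking a known commit after cloning) is worth considering for a machine-wide tool. Since `writeShellScriptBin` embeds this in a Nix `''` string, any `${` in the rewritten shell has to be written `''${`.
```bash
set -eu

NVIM_CONFIG_DIR="$HOME/.config/nvim"
REPO_URL="https://github.com/MagicBOTAlex/NVimConfigs"

# clone beside the target first so a failed clone leaves the old config intact
mkdir -p "$(dirname "$NVIM_CONFIG_DIR")"
TMP_DIR="$(mktemp -d "$NVIM_CONFIG_DIR.tmp.XXXXXX")"
echo "⚙️ Cloning new Neovim Configs..."
git clone "$REPO_URL" "$TMP_DIR"

if [ -d "$NVIM_CONFIG_DIR" ]; then
  echo "🗑️ Deleting existing Neovim configuration at $NVIM_CONFIG_DIR..."
  rm -rf "$NVIM_CONFIG_DIR"
fi
mv "$TMP_DIR" "$NVIM_CONFIG_DIR"

echo "✅ Done!"
```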
@@ -13,9 +13,26 @@ ''; }; - services.caddy.virtualHosts."argocd.deprived.dev" = { + # services.caddy.virtualHosts."argocd.deprived.dev" = { + # extraConfig = '' + # reverse_proxy https://127.0.0.1:4325 { + # header_up Host {host} + # transport http { + # tls_insecure_skip_verify + # } + # } + # ''; + # }; + + services.caddy.virtualHosts."webui.deprived.dev" = { extraConfig = '' - reverse_proxy 127.0.0.1:4325 + reverse_proxy * 127.0.0.1:3000 + ''; + }; + + services.caddy.virtualHosts."yaaumma.com" = { + extraConfig = '' + redir https://www.yaaumma.com{uri} permanent ''; }; @@ -181,7 +198,7 @@ @protected not method OPTIONS basicauth @protected { - alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG + alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG } reverse_proxy 127.0.0.1:8800 
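Review bot: `webui.deprived.dev` is proxied straight to `127.0.0.1:3000` with no `basicauth`, unlike the protected hosts further down this file; if that port serves an admin or chat UI rather than a public site, it is now reachable by anyone who resolves the name, so either add the same `basicauth @protected` block or note in a comment that the upstream handles its own login. The commented-out `argocd.deprived.dev` block, including its `tls_insecure_skip_verify`, is dead text now that the ArgoCD forward lives inside the VM; if it is kept for later, a one-line comment saying why reads better than ten disabled lines.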
@@ -196,12 +213,82 @@ ''; }; + services.caddy.virtualHosts."spotify.api.deprived.dev" = { + extraConfig = '' + encode zstd gzip + + # 1. CORS Headers + # We switched "*" to "{header.Origin}" and added "Credentials: true" + # This allows the browser to send the Authorization header safely. + header { + Access-Control-Allow-Origin "{header.Origin}" + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + Access-Control-Allow-Credentials "true" + Vary "Origin" + } + + # 2. Handle Preflight (OPTIONS) + # Must be defined before Basic Auth + @options { + method OPTIONS + } + respond @options 204 + + # 3. Protect everything EXCEPT Options + # (Fix: Ensure this is on a new line) + @protected { + not method OPTIONS + } + + basicauth @protected { + alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG + } + + # 4. Proxy + reverse_proxy 127.0.0.1:4142 { + header_down -Access-Control-Allow-Origin + } + ''; + }; + services.caddy.virtualHosts."lyrics.deprived.dev" = { extraConfig = '' + header { + Access-Control-Allow-Origin "*" + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } + + @options { + method OPTIONS + } + respond @options 204 + reverse_proxy * 127.0.0.1:7444 ''; }; + # Github MaintainerCD hook + services.caddy.virtualHosts."lyrics.hook.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:7576 + ''; + }; + + services.caddy.virtualHosts."docker.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:5000 + ''; + }; + + services.caddy.virtualHosts."docker.ui.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:6842 + + ''; + }; + services.caddy.virtualHosts."zhenss.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:8388 
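Review bot: In the `spotify.api.deprived.dev` block, `Access-Control-Allow-Origin "{header.Origin}"` combined with `Access-Control-Allow-Credentials "true"` reflects every caller's origin, which is the credentialed-wildcard combination browsers refuse for a literal `*`: once a browser holds Basic credentials for this host, any page can make authenticated cross-origin requests to it and read the responses. Gate the headers on the origins that actually need them, e.g. `@trusted header Origin <FRONTEND_ORIGIN_PLACEHOLDER>` followed by `header @trusted { ... }`, or write the allowed origin literally instead of reflecting it. The same bcrypt hash for `alex` now appears here and in the `@@ -181,7 +198,7 @@` hunk; a Caddy snippet `(auth) { basicauth @protected { alex ... } }` imported by both hosts makes a rotation a single edit. `docker.deprived.dev` forwards to `127.0.0.1:5000` with no auth at all; if that port is a container registry, anyone can push to it, which deserves either a `basicauth` block or a comment explaining why it is open.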
diff --git a/networking/networkSetup.nix b/networking/networkSetup.nix index 03eeedc..131f29a 100644 --- a/networking/networkSetup.nix +++ b/networking/networkSetup.nix @@ -1,8 +1,17 @@ -{pkgs, ... } : { - services.caddy.enable = true; +{ pkgs, ... }: { + services.caddy = { enable = true; }; security.acme.acceptTerms = true; security.acme.defaults.email = "zhen@deprived.dev"; networking.firewall.enable = false; + networking.useNetworkd = true; + networking.useDHCP = false; + + systemd.network.enable = true; + systemd.network.networks."10-enp8s0" = { + matchConfig.Name = "enp8s0"; + networkConfig.DHCP = "ipv4"; + dhcpV4Config.UseRoutes = true; + }; } diff --git a/programs.nix b/programs.nix index ff5dd7e..95fe452 100644 --- a/programs.nix +++ b/programs.nix @@ -14,6 +14,8 @@ ffmpeg-full borgbackup openssl + wireguard-tools + apacheHttpd p7zip vtk immich-cli diff --git a/vms/kube-vm/default.nix b/vms/kube-vm/default.nix new file mode 100644 index 0000000..8b644b6 --- /dev/null +++ b/vms/kube-vm/default.nix @@ -0,0 +1,6 @@ +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ virtiofsd ]; + microvm.autostart = [ "kube-vm" ]; + microvm.vms."kube-vm" = { config = ./kube-vm.nix; }; + +} diff --git a/vms/kube-vm/kube-vm.nix b/vms/kube-vm/kube-vm.nix new file mode 100644 index 0000000..ee9ee39 --- /dev/null +++ b/vms/kube-vm/kube-vm.nix 
@@ -0,0 +1,70 @@
+{ pkgs, ... }: {
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhiPhFbCi64NduuV794omgS8mctBLXtqxbaEJyUo6lg botalex@DESKTOPSKTOP-ENDVV0V"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxUPAsPkri0B+xkO3sCHJZfKgAbgPcepP8J4WW4yyLj u0_a167@localhost"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfQLOKUnOARUAs8X1EL1GRHoCQ0oMun0vzL7Z78yOsM nixos@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJw1ckvXz78ITeqANrWSkJl6PJo2AMA4myNrRMBAB7xW zhentao2004@gmail.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxUPAsPkri0B+xkO3sCHJZfKgAbgPcepP8J4WW4yyLj u0_a167@localhost"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLSUXsao6rjC3FDtRHhh7z6wqMtA/mqL50e1Dj9a2wE botserver@botserver"
+ ];
+ };
+ services.openssh = { enable = true; };
+ imports = [ ./../../modules/getNvim.nix ];
+ environment.systemPackages = with pkgs; [
+ neovim
+ git
+ wget
+ curl
+ busybox
+ gcc
+ tree-sitter
+ busybox
+ nodejs_22
+ screen
+ fastfetch
+ btop
+ openssh
+ ripgrep
+ ];
+
+ # --- MicroVM Specific Settings ---
+ microvm = {
+ # Choose your hypervisor: "qemu", "firecracker", "cloud-hypervisor", etc.
+ hypervisor = "qemu";
+
+ # Create a tap interface or user networking
+ interfaces = [{
+ type = "user"; # 'user' networking is easiest for testing (slirp)
+ id = "eth0";
+ mac = "02:00:00:00:00:01";
+ }];
+
+ forwardPorts = [{
+ from = "host";
+ host.port = 2222;
+ guest.port = 22;
+ }];
+
+ # Mount the host's /nix/store explicitly (read-only)
+ # This makes the VM start instantly as it shares the host store.
+ shares = [{
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }];
+
+ # Writable disk allocation
+ volumes = [{
+ image = "/var/lib/microvms/kube-vm/kube-vm.img";
+ mountPoint = "/";
+ size = 512 * 4; # Size in MB
+ }];
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/modules/k8s.nix b/vms/kube-vm/kubernetes.nix
similarity index 78%
rename from modules/k8s.nix
rename to vms/kube-vm/kubernetes.nix
index b334f36..c6f0ff6 100644
--- a/modules/k8s.nix
+++ b/vms/kube-vm/kubernetes.nix
@@ -23,16 +23,26 @@ in { ]; virtualisation.containerd.enable = true; - environment.systemPackages = with pkgs; [ kompose kubectl kubernetes argocd ]; + environment.systemPackages = with pkgs; [ + kompose + kubectl + kubernetes + argocd + openiscsi + nfs-utils + ]; networking.useNetworkd = true; - networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; + networking.extraHosts = '' + ${kubeMasterIP} ${kubeMasterHostname} + 192.168.50.82 botkube''; services.kubernetes = let api = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}"; in { roles = [ "node" ]; masterAddress = kubeMasterHostname; easyCerts = true; + apiserver.allowPrivileged = true; # point kubelet and other services to kube-apiserver kubelet.kubeconfig.server = api;
@@ -42,7 +52,8 @@ in { addons.dns.enable = true; # needed if you use swap - kubelet.extraOpts = "--fail-swap-on=false"; + kubelet.extraOpts = + "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf"; }; systemd.services."forward-argocd" = {
@@ -54,7 +65,7 @@ in { wantedBy = [ "multi-user.target" ]; script = '' - ${pkgs.kubernetes}/bin/kubectl port-forward svc/argocd-server -n argocd 4325:80 || true + ${pkgs.kubernetes}/bin/kubectl port-forward svc/argocd-server -n argocd --address 0.0.0.0 4325:80 ''; serviceConfig = { User = "botserver"; }; };
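Review bot: The root `authorizedKeys.keys` list in kube-vm.nix has a duplicate entry (the `u0_a167@localhost` key appears twice) and `busybox` is listed twice in `environment.systemPackages`; both are harmless, but they suggest the lists were pasted rather than reviewed, and every key in the first list is root on the VM. With `forwardPorts` mapping guest port 22 to host port 2222 and the host firewall disabled in networking/networkSetup.nix, the forward listens on every host address unless it is narrowed; if microvm.nix's `forwardPorts` accepts `host.address` the way the NixOS qemu-vm option does, `host.address = "127.0.0.1";` keeps the VM's root SSH off the LAN. `services.openssh = { enable = true; }` leans on NixOS's default `PermitRootLogin = "prohibit-password"`; spelling out `settings.PermitRootLogin = "prohibit-password";` makes that intent visible next to the key list.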
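Review bot: `apiserver.allowPrivileged = true;` in the first kubernetes.nix hunk is a cluster-wide relaxation that lets any workload request a privileged container; it sits in a module with `roles = [ "node" ]`, so it only takes effect where the apiserver actually runs, and a comment naming the workload that needs it (presumably the iSCSI/NFS tooling added alongside it) would make the trade-off reviewable: `# privileged pods are required by <WORKLOAD_PLACEHOLDER>`. The new `networking.extraHosts` entry hard-codes `192.168.50.82 botkube`; given the VM uses user-mode networking, that address is presumably the host's LAN address, and a comment saying so would save the next reader the guess.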
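Review bot: Dropping `|| true` and adding `--address 0.0.0.0` in `forward-argocd` changes two things at once: the unit now fails when `kubectl port-forward` exits, and the ArgoCD forward is bound on every VM interface instead of loopback. `kubectl port-forward` exits whenever the backing pod restarts, so without `Restart = "on-failure"` and a `RestartSec` in the `serviceConfig = { User = "botserver"; }` line the forward stays dead until someone notices. On the exposure side, under user-mode networking the host only reaches the guest through `forwardPorts`, so `0.0.0.0` buys nothing unless a forward for 4325 is added, and the host-side `argocd.deprived.dev` vhost that used to put TLS and a hostname in front of it is commented out in this same commit; if the binding is kept, it is a plain-HTTP ArgoCD login page on whatever interface the VM ends up with.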