kubernetes vm building

aliases.nix

@@ -12,13 +12,16 @@
       all = "sudo chmod -R a+rwx ./*";
       ng = "cd /etc/nginx/ && sudo nvim .";
       copy = "xclip -sel clip";
-      pubkey = "cat ~/.ssh/id_ed25519.pub | copy";
+      pubkey = "cat ~/.ssh/id_ed25519.pub | ${pkgs.osc}/bin/osc copy";
       up = "docker compose up -d";
       down = "docker compose down -t 0";
       inspect = "nix edit nixpkgs#$1";
       fe = "nix develop";
       fed = "nvim flake.nix";
       cdn = "cd /etc/nixos";
+      snorre = "ssh bot@spoodythe.one";
+      kube-vm =
+        "ssh -o 'UserKnownHostsFile=/dev/null' -o 'StrictHostKeyChecking=no' -p 2222 root@localhost";
       cpu =
         "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'";
       r = "nix run";

configuration.nix

@@ -11,7 +11,8 @@
     ./aliases.nix
     ./modules/drivers/nvidia.nix
     ./docker.nix
-    ./modules/k8s.nix
+    # ./modules/k8s.nix
+    ./modules/oscd.nix
 
     ./modules/python.nix
     ./programs.nix
@@ -24,6 +25,8 @@
     ./networking/caddy.nix
     ./modules/buildCache.nix
 
+    ./vms/kube-vm
+
     # ./modules/de.nix
     ./modules/displayOff.nix
   ];
@@ -43,7 +46,7 @@
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
   # Enable networking
-  networking.networkmanager.enable = true;
+  # networking.networkmanager.enable = true;
 
   # Set your time zone.
   time.timeZone = "Europe/Copenhagen";

docker.nix

@@ -2,4 +2,15 @@
   virtualisation.docker.enable = true;
 
   hardware.nvidia-container-toolkit.enable = true;
+
+  systemd.user.services.force-start-docker-containers = {
+    description = "docker stupid, so this starts the docker composes";
+
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      ExecStart = "/home/botserver/scripts/docker/up.sh";
+      Type = "oneshot";
+    };
+  };
 }

flake.lock

@@ -20,6 +20,27 @@
         "type": "github"
       }
     },
+    "microvm": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1768682386,
+        "narHash": "sha256-mKrMf7eG9TM2AM3pTuhIiCGmZ/JwDegCQH3ThVqcTuc=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "f469c1dfede623bbbf1ac605f6359316fd4002ef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -59,9 +80,26 @@
     "root": {
       "inputs": {
         "home-manager": "home-manager",
+        "microvm": "microvm",
         "nix-index-database": "nix-index-database",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1759482047,
+        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
+        "ref": "refs/heads/main",
+        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
+        "revCount": 996,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -13,16 +13,23 @@
       url = "github:nix-community/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    microvm = {
+      url = "github:astro/microvm.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
-  outputs = { self, nixpkgs, ... }@inputs: {
+  };
+  outputs = { self, nixpkgs, microvm, ... }@inputs: {
     # configuration name matches hostname, so this system is chosen by default
-    nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.botkube = nixpkgs.lib.nixosSystem {
       # pass along all the inputs and stuff to the system function
       specialArgs = { inherit inputs; };
       modules = [
         # import configuration
         ./configuration.nix
 
+        inputs.microvm.nixosModules.host
+
         # home manager part 2
         inputs.home-manager.nixosModules.default
 

hardware-configuration.nix

@@ -53,6 +53,13 @@
     options = [ "nofail" "x-systemd.automount" ];
   };
 
+  # fileSystems."/mnt/benjaSteal" = {
+  #   device = "mediaslave@deprived.dev:/";
+  #   fsType = "sshfs";
+  #   options =
+  #     [ "nodev" "noatime" "allow_other" "IdentityFile=/root/.ssh/id_ed25519" ];
+  # };
+
   # fileSystems."/mnt/disk5" = {
   #   device = "/dev/disk/by-partuuid/3610155d-6d3d-4be1-9e50-7a638ccbf98c";
   #   fsType = "ext4";

modules/buildCache.nix

@@ -8,6 +8,8 @@
     };
   };
 
+  nix.settings.trusted-users = [ "root" "botserver" ];
+
   imports = [ ./../networking/networkSetup.nix ];
 
   services.caddy = {

modules/getNvim.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }: {
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "get-nvim" ''
+      set -e
+
+      # 1. Define Variables
+      NVIM_CONFIG_DIR="$HOME/.config/nvim"
+      REPO_URL="https://github.com/MagicBOTAlex/NVimConfigs"
+
+      # 2. Delete Existing Config
+      if [ -d "$NVIM_CONFIG_DIR" ]; then
+        echo "🗑️  Deleting existing Neovim configuration at $NVIM_CONFIG_DIR..."
+        rm -rf "$NVIM_CONFIG_DIR"
+      fi
+
+      # 3. Clone Fresh
+      echo "⚙️  Cloning new Neovim Configs..."
+      git clone "$REPO_URL" "$NVIM_CONFIG_DIR"
+
+      echo "✅ Done!"
+    '')
+  ];
+}
+

modules/oscd.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+let
+  oscd = pkgs.rustPlatform.buildRustPackage rec {
+    pname = "oscd";
+    version = "0.1.10";
+
+    src = pkgs.fetchCrate {
+      inherit pname version;
+      hash = "sha256-PMn7PB7Mt+YrpV0bohTIAVvBOZMigV7WdJjwNEGpbgs=";
+    };
+
+    cargoHash = "sha256-K6eyRyBdab3/7024LNTh5SETH1gMZjB9viFzzWLdYBc=";
+
+    meta = with lib; {
+      description = "OSC debugger (CLI)";
+      homepage = "https://crates.io/crates/oscd";
+      license = licenses.mit;
+      maintainers = with maintainers; [ ];
+      platforms = platforms.all;
+    };
+  };
+in
+{ environment.systemPackages = with pkgs; [ oscd ]; }
+

networking/caddy.nix

@@ -13,9 +13,26 @@
     '';
   };
 
-  services.caddy.virtualHosts."argocd.deprived.dev" = {
+  # services.caddy.virtualHosts."argocd.deprived.dev" = {
+  #   extraConfig = ''
+  #     reverse_proxy https://127.0.0.1:4325 {
+  #       header_up Host {host}
+  #       transport http {
+  #         tls_insecure_skip_verify
+  #       }
+  #     }
+  #   '';
+  # };
+
+  services.caddy.virtualHosts."webui.deprived.dev" = {
     extraConfig = ''
-      reverse_proxy 127.0.0.1:4325
+      reverse_proxy * 127.0.0.1:3000
+    '';
+  };
+
+  services.caddy.virtualHosts."yaaumma.com" = {
+    extraConfig = ''
+      redir https://www.yaaumma.com{uri} permanent
     '';
   };
 
@@ -181,7 +198,7 @@
 
       @protected not method OPTIONS
       basicauth @protected {
-        alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
+        alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
       }
 
       reverse_proxy 127.0.0.1:8800
@@ -196,12 +213,82 @@
     '';
   };
 
+  services.caddy.virtualHosts."spotify.api.deprived.dev" = {
+    extraConfig = ''
+      encode zstd gzip
+
+      # 1. CORS Headers
+      # We switched "*" to "{header.Origin}" and added "Credentials: true"
+      # This allows the browser to send the Authorization header safely.
+      header {
+          Access-Control-Allow-Origin "{header.Origin}"
+          Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+          Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+          Access-Control-Allow-Credentials "true"
+          Vary "Origin"
+      }
+
+      # 2. Handle Preflight (OPTIONS)
+      # Must be defined before Basic Auth
+      @options {
+          method OPTIONS
+      }
+      respond @options 204
+
+      # 3. Protect everything EXCEPT Options
+      # (Fix: Ensure this is on a new line)
+      @protected {
+          not method OPTIONS
+      }
+
+      basicauth @protected {
+          alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
+      }
+
+      # 4. Proxy
+      reverse_proxy 127.0.0.1:4142 {
+          header_down -Access-Control-Allow-Origin
+      }
+    '';
+  };
+
   services.caddy.virtualHosts."lyrics.deprived.dev" = {
     extraConfig = ''
+      header {
+          Access-Control-Allow-Origin "*"
+          Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+          Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+      }
+
+      @options {
+          method OPTIONS
+      }
+      respond @options 204
+
       reverse_proxy * 127.0.0.1:7444
     '';
   };
 
+  # Github MaintainerCD hook
+  services.caddy.virtualHosts."lyrics.hook.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:7576
+    '';
+  };
+
+  services.caddy.virtualHosts."docker.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:5000
+    '';
+  };
+
+  services.caddy.virtualHosts."docker.ui.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:6842
+
+    '';
+  };
+
   services.caddy.virtualHosts."zhenss.deprived.dev" = {
     extraConfig = ''
       reverse_proxy * 127.0.0.1:8388

networking/networkSetup.nix

@@ -1,8 +1,17 @@
 { pkgs, ... }: {
-  services.caddy.enable = true;
+  services.caddy = { enable = true; };
 
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "zhen@deprived.dev";
   networking.firewall.enable = false;
 
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+
+  systemd.network.enable = true;
+  systemd.network.networks."10-enp8s0" = {
+    matchConfig.Name = "enp8s0";
+    networkConfig.DHCP = "ipv4";
+    dhcpV4Config.UseRoutes = true;
+  };
 }

programs.nix

@@ -14,6 +14,8 @@
     ffmpeg-full
     borgbackup
     openssl
+    wireguard-tools
+    apacheHttpd
     p7zip
     vtk
     immich-cli

vms/kube-vm/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [ virtiofsd ];
+  microvm.autostart = [ "kube-vm" ];
+  microvm.vms."kube-vm" = { config = ./kube-vm.nix; };
+
+}

vms/kube-vm/kube-vm.nix

@@ -0,0 +1,70 @@
+{ pkgs, ... }: {
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhiPhFbCi64NduuV794omgS8mctBLXtqxbaEJyUo6lg botalex@DESKTOPSKTOP-ENDVV0V"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxUPAsPkri0B+xkO3sCHJZfKgAbgPcepP8J4WW4yyLj u0_a167@localhost"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfQLOKUnOARUAs8X1EL1GRHoCQ0oMun0vzL7Z78yOsM nixos@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJw1ckvXz78ITeqANrWSkJl6PJo2AMA4myNrRMBAB7xW zhentao2004@gmail.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxUPAsPkri0B+xkO3sCHJZfKgAbgPcepP8J4WW4yyLj u0_a167@localhost"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLSUXsao6rjC3FDtRHhh7z6wqMtA/mqL50e1Dj9a2wE botserver@botserver"
+    ];
+  };
+  services.openssh = { enable = true; };
+  imports = [ ./../../modules/getNvim.nix ];
+  environment.systemPackages = with pkgs; [
+    neovim
+    git
+    wget
+    curl
+    busybox
+    gcc
+    tree-sitter
+    busybox
+    nodejs_22
+    screen
+    fastfetch
+    btop
+    openssh
+    ripgrep
+  ];
+
+  # --- MicroVM Specific Settings ---
+  microvm = {
+    # Choose your hypervisor: "qemu", "firecracker", "cloud-hypervisor", etc.
+    hypervisor = "qemu";
+
+    # Create a tap interface or user networking
+    interfaces = [{
+      type = "user"; # 'user' networking is easiest for testing (slirp)
+      id = "eth0";
+      mac = "02:00:00:00:00:01";
+    }];
+
+    forwardPorts = [{
+      from = "host";
+      host.port = 2222;
+      guest.port = 22;
+    }];
+
+    # Mount the host's /nix/store explicitly (read-only)
+    # This makes the VM start instantly as it shares the host store.
+    shares = [{
+      tag = "ro-store";
+      source = "/nix/store";
+      mountPoint = "/nix/.ro-store";
+    }];
+
+    # Writable disk allocation
+    volumes = [{
+      image = "/var/lib/microvms/kube-vm/kube-vm.img";
+      mountPoint = "/";
+      size = 512 * 4; # Size in MB
+    }];
+  };
+
+  system.stateVersion = "24.11";
+}

vms/kube-vm/kubernetes.nix

@@ -23,16 +23,26 @@ in {
   ];
 
   virtualisation.containerd.enable = true;
-  environment.systemPackages = with pkgs; [ kompose kubectl kubernetes argocd ];
+  environment.systemPackages = with pkgs; [
+    kompose
+    kubectl
+    kubernetes
+    argocd
+    openiscsi
+    nfs-utils
+  ];
 
   networking.useNetworkd = true;
-  networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+  networking.extraHosts = ''
+    ${kubeMasterIP} ${kubeMasterHostname} 
+      192.168.50.82  botkube'';
   services.kubernetes = let
     api = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}";
   in {
     roles = [ "node" ];
     masterAddress = kubeMasterHostname;
     easyCerts = true;
+    apiserver.allowPrivileged = true;
 
     # point kubelet and other services to kube-apiserver
     kubelet.kubeconfig.server = api;
@@ -42,7 +52,8 @@ in {
     addons.dns.enable = true;
 
     # needed if you use swap
-    kubelet.extraOpts = "--fail-swap-on=false";
+    kubelet.extraOpts =
+      "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf";
   };
 
   systemd.services."forward-argocd" = {
@@ -54,7 +65,7 @@ in {
     wantedBy = [ "multi-user.target" ];
 
     script = ''
-      ${pkgs.kubernetes}/bin/kubectl port-forward svc/argocd-server -n argocd 4325:80 || true
+      ${pkgs.kubernetes}/bin/kubectl port-forward svc/argocd-server -n argocd --address 0.0.0.0 4325:80 
     '';
     serviceConfig = { User = "botserver"; };
   };