sync

2026-05-06 18:12:30 +02:00 · 2026-04-01 22:53:54 +02:00 · 2026-04-01 22:53:54 +02:00 · f2bb1de7d8
commit f2bb1de7d8
parent 38d26110e1
15 changed files with 505 additions and 87 deletions
--- a/vms/kube-daddy/kube-daddy.nix
+++ b/vms/kube-daddy/kube-daddy.nix
@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ lib, pkgs, ... }:
+
+{
  users.users.root = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhiPhFbCi64NduuV794omgS8mctBLXtqxbaEJyUo6lg botalex@DESKTOPSKTOP-ENDVV0V"
@ -13,8 +15,7 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLSUXsao6rjC3FDtRHhh7z6wqMtA/mqL50e1Dj9a2wE botserver@botserver"
    ];

-    hashedPassword =
-      "$6$HpwhjoEuhRZuFhJF$jEV3SxbcGKVlRRgbDx6YpySyTHKUIOnmUD0Rd4PLXsXhbnrgeBVCPfkK.cBCUmxUeQjNTzj4CDpP4XBxLz0EV0";
+    hashedPassword = "$6$HpwhjoEuhRZuFhJF$jEV3SxbcGKVlRRgbDx6YpySyTHKUIOnmUD0Rd4PLXsXhbnrgeBVCPfkK.cBCUmxUeQjNTzj4CDpP4XBxLz0EV0";

    shell = pkgs.fish;

@ -22,8 +23,14 @@

  environment.variables.EDITOR = "nvim";

-  services.openssh = { enable = true; };
-  imports = [ ./../../modules/getNvim.nix ./kubernetes.nix ];
+  services.openssh = {
+    enable = true;
+  };
+  imports = [
+    ./../../modules/getNvim.nix
+    ./kubernetes.nix
+    # ./wg-snorre.nix
+  ];
  environment.systemPackages = with pkgs; [
    neovim
    git
@ -42,6 +49,9 @@
    openssl
    dig
    argocd
+    gnutar
+    wireguard-tools
+    python312
  ];

  programs.fish = {
@ -59,11 +69,13 @@
    vcpu = 8;

    # Create a tap interface or user networking
-    interfaces = [{
-      type = "tap";
-      id = "microvm-tap1"; # Matches the host's first tap
-      mac = "02:00:00:00:00:01";
-    }];
+    interfaces = [
+      {
+        type = "tap";
+        id = "microvm-tap1"; # Matches the host's first tap
+        mac = "02:00:00:00:00:01";
+      }
+    ];

    # forwardPorts = [
    #   {
@ -91,42 +103,120 @@

    # Mount the host's /nix/store explicitly (read-only)
    # This makes the VM start instantly as it shares the host store.
-    shares = [{
-      tag = "ro-store";
-      source = "/nix/store";
-      mountPoint = "/nix/.ro-store";
-    }];
+    shares = [
+      {
+        tag = "ro-store";
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+      }
+      {
+        proto = "9p";
+        tag = "docking-mount";
+        # Source path can be absolute or relative
+        # to /var/lib/microvms/$hostName
+        source = "../shared/docking";
+        mountPoint = "/root/docking";
+      }
+      {
+        proto = "9p";
+        tag = "kube-wireguard";
+        # Source path can be absolute or relative
+        # to /var/lib/microvms/$hostName
+        source = "../shared/wg";
+        mountPoint = "/root/wg";
+      }
+      # {
+      #   proto = "9p";
+      #   tag = "kube-mount";
+      #   source = "../shared/kube";
+      #   mountPoint = "/var/lib/kubernetes";
+      # }
+      # {
+      #   proto = "9p";
+      #   tag = "config";
+      #   source = "../shared/.config";
+      #   mountPoint = "/root/.config";
+      # }
+      # {
+      #   proto = "9p";
+      #   tag = "local";
+      #   source = "../shared/.local";
+      #   mountPoint = "/root/.local";
+      # }
+    ];

    # Writable disk allocation
-    volumes = [{
-      image = "/var/lib/microvms/kube-daddy/kube-daddy.img";
-      mountPoint = "/";
-      size = 32768; # Size in MB
-    }];
+    volumes = [
+      {
+        image = "/var/lib/microvms/kube-daddy/kube-daddy.img";
+        mountPoint = "/";
+        size = 32768; # Size in MB
+      }
+    ];
  };

+  services.resolved.enable = true;
  networking = {
    hostName = "kube-daddy";
    useNetworkd = true;
-    firewall.enable =
-      false; # Keep disabled for easier testing, or allow port 22
+    firewall.enable = false;
+    nameservers = [
+      "10.0.0.1"
+      "8.8.8.8"
+    ];
+  };

-    interfaces.enp0s4.ipv4.addresses = [{
-      address = "10.0.0.2";
-      prefixLength = 24;
-    }];
-
-    defaultGateway = {
-      address = "10.0.0.1";
-      interface = "enp0s4";
+  systemd.network = {
+    # 1. Define the Bridge Device
+    netdevs."20-br0" = {
+      netdevConfig = {
+        Kind = "bridge";
+        Name = "br0";
+      };
+    };
+
+    networks = {
+      # 2. Configure the Bridge (IP & Gateway go here now)
+      "30-br0" = {
+        matchConfig.Name = "br0";
+        networkConfig = {
+          Address = "10.0.0.2/24";
+          Gateway = "10.0.0.1";
+          DNS = [
+            "10.0.0.1"
+            "8.8.8.8"
+          ];
+        };
+        linkConfig.RequiredForOnline = "routable";
+      };
+
+      # 3. Catch the changing interface and attach it to the bridge
+      "40-uplink" = {
+        # This wildcard matches enp0s7, enp1s0, etc.
+        matchConfig.Name = "en*";
+        networkConfig.Bridge = "br0";
+      };
    };
-    nameservers = [ "1.1.1.1" ];
  };

  # Allow passwordless root login for testing (Do not use in production!)
  services.getty.autologinUser = "root";
  users.users.root.password = "";

+  systemd.services."load-br_netfilter" = {
+    enable = true;
+    description = "Modprobe br_netfilter";
+    before = [ "flannel.service" ];
+    wantedBy = [
+      "multi-user.target"
+      "flannel.service"
+    ];
+
+    script = ''
+      ${pkgs.kmod}/bin/modprobe br_netfilter
+    '';
+  };
+
  systemd.network.enable = true;
  systemd.network.networks."11-microvm" = {
    matchConfig.Name = "vm-*";
@ -135,5 +225,11 @@
  };

  system.stateVersion = "24.11";
-}

+  systemd.tmpfiles.rules = [
+    "d  /root/.kube       0755  root  root  -"
+    "d  /root/.config       0755  root  root  -"
+    "d  /root/.local       0755  root  root  -"
+    "L+ /root/.kube/config -     -     -      -    /etc/kubernetes/cluster-admin.kubeconfig"
+  ];
+}