update: system update & refactor

# Breaking Changes - sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix" - flake devices declaration changes - whole flake update
2025-10-14 16:49:03 +08:00 · 2025-10-14 16:49:03 +08:00 · 6a71b601f5
commit 6a71b601f5
parent 321f740af0
116 changed files with 2576 additions and 3634 deletions
--- a/system/dev/dn-pre7780/expr/default.nix
+++ b/system/dev/dn-pre7780/expr/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./netbird.nix
+  ];
+}
--- a/system/dev/dn-pre7780/expr/netbird.nix
+++ b/system/dev/dn-pre7780/expr/netbird.nix
@ -0,0 +1,66 @@
+{
+  domain,
+  idpSecret,
+  dataStoreEncryptionKey,
+  coturnPassFile,
+  ...
+}:
+let
+  port = 51820;
+in
+{
+
+  services.netbird = {
+    server = {
+      enable = true;
+      domain = "netbird.${domain}";
+      enableNginx = true;
+      management = {
+        oidcConfigEndpoint = "https://keycloak.net.dn/realms/master/.well-known/openid-configuration";
+        settings = {
+          DataStoreEncryptionKey = {
+            _secret = dataStoreEncryptionKey;
+          };
+          TURNConfig = {
+            Secret = {
+              _secret = idpSecret;
+            };
+          };
+          IdpManagerConfig = {
+            ClientConfig = {
+              ClientID = "netbird-backend";
+              ClientSecret = {
+                _secret = idpSecret;
+              };
+            };
+          };
+        };
+      };
+      coturn = {
+        user = "netbird";
+        passwordFile = coturnPassFile;
+        enable = true;
+      };
+      dashboard.settings = {
+        USE_AUTH0 = false;
+        AUTH_AUTHORITY = "https://keycloak.net.dn/realms/master";
+        AUTH_CLIENT_ID = "netbird";
+        AUTH_AUDIENCE = "netbird";
+        AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
+      };
+    };
+    clients.default = {
+      inherit port;
+      openFirewall = true;
+      name = "netbird";
+      interface = "wt0";
+      hardened = true;
+      dns-resolver.address = "10.0.0.1";
+    };
+  };
+
+  services.nginx.virtualHosts."netbird.${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+}
--- a/system/dev/dn-pre7780/expr/vm-settings.nix
+++ b/system/dev/dn-pre7780/expr/vm-settings.nix
@ -0,0 +1,169 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  system,
+}:
+let
+  vmList =
+    let
+      kubeMasterIP = "192.168.0.6";
+      kubeMasterHostname = "api.kube";
+      kubeMasterAPIServerPort = 6443;
+      kubeApi = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}";
+    in
+    {
+      # master
+      vm-1 = {
+        ip = "192.168.0.6";
+        mac = "02:00:00:00:00:01";
+        extraConfig = {
+          networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+          environment.systemPackages = with pkgs; [
+            kompose
+            kubectl
+            kubernetes
+          ];
+
+          services.kubernetes = {
+            roles = [
+              "master"
+              "node"
+            ];
+
+            masterAddress = kubeMasterHostname;
+            apiserverAddress = kubeApi;
+            easyCerts = true;
+            apiserver = {
+              securePort = kubeMasterAPIServerPort;
+              advertiseAddress = kubeMasterIP;
+            };
+
+            addons.dns.enable = true;
+          };
+
+          systemd.services.link-kube-config = {
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig = {
+              Type = "oneshot";
+              ExecStart = "${pkgs.writeShellScript "link-kube-config.sh" ''
+                target="/etc/kubernetes/cluster-admin.kubeconfig"
+                if [ -e "$target" ]; then
+                  [ ! -d "/root/.kube" ] && mkdir -p "/root/.kube"
+                  ln -sf $target /root/.kube/config
+                fi
+              ''}";
+            };
+          };
+        };
+      };
+      # Node
+      vm-2 = {
+        ip = "192.168.0.7";
+        mac = "02:00:00:00:00:02";
+        extraConfig = {
+          networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+
+          environment.systemPackages = with pkgs; [
+            kompose
+            kubectl
+            kubernetes
+          ];
+
+          services.kubernetes = {
+            roles = [ "node" ];
+            masterAddress = kubeMasterHostname;
+            easyCerts = true;
+
+            kubelet.kubeconfig.server = kubeApi;
+            apiserverAddress = kubeApi;
+            addons.dns.enable = true;
+          };
+        };
+      };
+    };
+
+  mkMicrovm = name: value: {
+    hypervisor = "qemu";
+    vcpu = 4;
+    mem = 8192;
+    interfaces = [
+      {
+        type = "tap";
+        id = "${name}";
+        mac = value.mac;
+      }
+    ];
+    shares = [
+      {
+        tag = "ro-store";
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+      }
+    ];
+  };
+in
+lib.mapAttrs' (
+  name: value:
+  lib.nameValuePair name (
+    lib.nixosSystem {
+      inherit system;
+      modules = [
+        inputs.microvm.nixosModules.microvm
+        value.extraConfig
+        {
+          microvm = mkMicrovm name value;
+          system.stateVersion = lib.trivial.release;
+          networking.hostName = name;
+          networking.domain = "kube";
+          networking.firewall.enable = false;
+          users.users.root.password = "";
+          services.getty.autologinUser = "root";
+
+          programs.fish.enable = true;
+          programs.bash = {
+            shellInit = ''
+              if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+              then
+                shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+                exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+              fi
+            '';
+          };
+
+          systemd.network.enable = true;
+          systemd.network.networks."20-lan" = {
+            matchConfig.Type = "ether";
+            networkConfig = {
+              Address = [ "${value.ip}/24" ];
+              Gateway = "192.168.0.1";
+              DNS = [ "192.168.0.1" ];
+              DHCP = "no";
+            };
+          };
+
+          systemd.services.br-netfilter = {
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig = {
+              ExecStart = "/run/current-system/sw/bin/modprobe br_netfilter";
+            };
+          };
+
+          environment.systemPackages = with pkgs; [
+            dig.dnsutils
+            openssl
+
+            fishPlugins.done
+            fishPlugins.fzf-fish
+            fishPlugins.forgit
+            fishPlugins.hydro
+            fzf
+            fishPlugins.grc
+            grc
+            git
+          ];
+        }
+      ];
+    }
+  )
+) vmList
--- a/system/dev/dn-pre7780/expr/vm.nix
+++ b/system/dev/dn-pre7780/expr/vm.nix
@ -0,0 +1,44 @@
+self: {
+  networking.useNetworkd = true;
+  systemd.network.enable = true;
+  systemd.network.networks."10-lan" = {
+    matchConfig.Name = [
+      "enp0s31f6"
+      "vm-*"
+    ];
+    networkConfig = {
+      Bridge = "br0";
+    };
+  };
+
+  systemd.network.netdevs."br0" = {
+    netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+    };
+  };
+
+  systemd.network.networks."10-lan-bridge" = {
+    matchConfig.Name = "br0";
+    networkConfig = {
+      Address = [ "192.168.0.5/24" ];
+      Gateway = "192.168.0.1";
+      DNS = [ "192.168.0.1" ];
+    };
+
+    linkConfig.RequiredForOnline = "routable";
+  };
+
+  microvm.vms = {
+    vm-1 = {
+      flake = self;
+      updateFlake = "git+file:///etc/nixos";
+      autostart = false;
+    };
+    vm-2 = {
+      flake = self;
+      updateFlake = "git+file:///etc/nixos";
+      autostart = false;
+    };
+  };
+}