feat: add hypervisor(hype16) host (#5)

Author: badele

hosts/hype16/default.nix

@@ -0,0 +1,233 @@
+# #########################################################
+# NIXOS (hosts)
+##########################################################
+{ inputs, config, pkgs, lib, ... }: {
+  imports = [
+    # Host and hardware configuration
+    ./hardware-configuration.nix
+    ./disks.nix
+    ../../nix/modules/nixos/host.nix
+
+    # Users
+    ../root.nix
+    ../badele.nix
+
+    # Commons
+    ../../nix/nixos/features/commons
+    ../../nix/nixos/features/homelab
+    ../../nix/nixos/features/system/containers.nix
+
+    # Roles
+    ../../nix/nixos/roles # Automatically load service from <host.modules> sectionn from `homelab.json` file
+  ];
+
+  ####################################
+  # Boot
+  ####################################
+
+  boot = {
+    kernelParams = [ "mem_sleep_default=deep" ];
+    blacklistedKernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    supportedFilesystems = [ "btrfs" ];
+
+    # Grub EFI boot loader
+    loader = {
+      grub = {
+        enable = true;
+        devices = [ "nodev" ];
+        efiInstallAsRemovable = true;
+        efiSupport = true;
+        useOSProber = true;
+      };
+    };
+
+    # Network
+    kernel = {
+      sysctl = {
+        # Forward on all ipv4 interfaces.
+        "net.ipv4.conf.all.forwarding" = true;
+      };
+    };
+  };
+
+  # xorg
+  # videoDrivers = [ "intel" "i965" "nvidia" ];
+
+  ####################################
+  # host profile
+  ####################################
+  hostprofile = { nproc = 8; };
+
+  virtualisation.docker.storageDriver = "btrfs";
+
+  ####################################
+  # Hardware
+  ####################################
+
+  # Pulseaudio
+  hardware.pulseaudio = {
+    enable = true;
+    support32Bit =
+      true; # # If compatibility with 32-bit applications is desired
+    #extraConfig = "load-module module-combine-sink";
+  };
+
+  ####################################
+  # Networking
+  ####################################
+
+  networking = {
+    enableIPv6 = false;
+    hostName = "hype16";
+    useDHCP = false;
+
+    # Define VLANs
+    vlans = {
+      vlandmz = {
+        id = 32;
+        interface = "enp1s0"; # tagged
+      };
+      vlanadm = {
+        id = 240;
+        interface = "enp1s0"; # tagged
+      };
+    };
+
+    # Create interfaces
+    interfaces = {
+      brlan = {
+        ipv4.addresses = [{
+          address = "192.168.254.16";
+          prefixLength = 24;
+        }];
+      };
+
+      bradm = {
+        ipv4.addresses = [{
+          address = "192.168.240.16";
+          prefixLength = 24;
+        }];
+      };
+
+      brdmz = {
+        ipv4.addresses = [{
+          address = "192.168.32.16";
+          prefixLength = 24;
+        }];
+      };
+    };
+
+    # Create bridges
+    bridges = {
+      # untagged
+      "brlan" = { interfaces = [ "enp1s0" ]; };
+      "bradm" = { interfaces = [ "vlanadm" ]; };
+      "brdmz" = { interfaces = [ "vlandmz" ]; };
+    };
+
+    # Define default gateway and nameservers
+    defaultGateway = "192.168.254.254";
+    nameservers = [ "89.2.0.1" "89.2.0.2" ];
+  };
+
+  ####################################
+  # Incus hypervisor
+  ####################################
+
+  networking.nftables.enable = true;
+
+  networking.firewall = {
+    # logReversePathDrops = true;
+    # logRefusedPackets = true;
+    # logRefusedConnections = true;
+    # logRefusedUnicastsOnly = true;
+
+    interfaces = {
+      brdmz = {
+        allowedTCPPorts = [ 53 67 ];
+        allowedUDPPorts = [ 53 67 ];
+      };
+
+    };
+
+    # Forward
+    # filterForward = true;
+    # extraForwardRules = "iifname brdmz oifname brdmz accept";
+    extraInputRules = "iifname brdmz accept";
+    # "iifname brdmz ip saddr 192.168.254.0/24 ip daddr 192.168.253.0/24 accept";
+  };
+
+  virtualisation.incus = {
+    enable = true;
+    ui.enable = true;
+    preseed = {
+      profiles = [
+        {
+          name = "default";
+          description = "Default profile";
+          devices = {
+            eth0 = {
+              name = "eth0";
+              type = "nic";
+              nictype = "bridged";
+              parent = "brlan";
+            };
+            root = {
+              path = "/";
+              pool = "default";
+              size = "35GiB";
+              type = "disk";
+            };
+          };
+        }
+        {
+          name = "lan";
+          description = "LAN profile";
+          devices = {
+            eth0 = {
+              name = "eth0";
+              type = "nic";
+              nictype = "bridged";
+              parent = "brlan";
+            };
+          };
+        }
+        {
+          name = "dmz";
+          description = "DMZ profile";
+          devices = {
+            eth1 = {
+              name = "eth1";
+              type = "nic";
+              nictype = "bridged";
+              parent = "brdmz";
+            };
+          };
+        }
+      ];
+      storage_pools = [{
+        config = { source = "/var/lib/incus/storage-pools/default"; };
+        driver = "dir";
+        name = "default";
+      }];
+    };
+  };
+
+  ####################################
+  # Storage
+  ####################################
+  systemd.tmpfiles.rules = [
+    # trilium app
+    "d /data/incus/trilium/var_lib_trilium 0750 root root -"
+  ];
+
+  ####################################
+  # Programs
+  ####################################
+  powerManagement.powertop.enable = true;
+  programs = { };
+
+  nixpkgs.hostPlatform.system = "x86_64-linux";
+  system.stateVersion = "24.05";
+}

hosts/hype16/disks.nix

@@ -0,0 +1,73 @@
+{ inputs, lib, ... }: {
+
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  disko.devices = {
+    disk = {
+      disk1 = {
+        type = "disk";
+        device = lib.mkDefault
+          "/dev/disk/by-id/ata-CYX-SSD-S1000_230324000201S5121504";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "1024M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/rootfs" = { mountpoint = "/"; };
+                  # Subvolume name is the same as the mountpoint
+                  "/home" = {
+                    mountOptions = [ "compress=zstd" ];
+                    mountpoint = "/home";
+                  };
+                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
+                  "/home/user" = { };
+                  # Parent is not mounted so the mountpoint must be set
+                  "/nix" = {
+                    mountOptions = [ "compress=zstd" "noatime" ];
+                    mountpoint = "/nix";
+                  };
+                  # This subvolume will be created but not mounted
+                  "/test" = { };
+                  # Subvolume for the swapfile
+                  "/swap" = {
+                    mountpoint = "/.swapvol";
+                    swap = {
+                      swapfile.size = "1024M";
+                      swapfile2.size = "1024M";
+                      swapfile2.path = "rel-path";
+                    };
+                  };
+                };
+
+                mountpoint = "/partition-root";
+                swap = {
+                  swapfile = { size = "20M"; };
+                  swapfile1 = { size = "20M"; };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/hype16/hardware-configuration.nix

@@ -0,0 +1,13 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/hype16/secrets.yml

@@ -0,0 +1,34 @@
+system:
+    user:
+        root-hash: ENC[AES256_GCM,data:PScvPSDvRaHUXTr5dMBcUoZ2GaJcbb44030WMTvQ2cooKrL/eevf5a5apbRpFSRXu0HsOKpOwrXqauKD3coMY2HTyiYDGEgidrJlij9CjMOKVvHJl4P7hD1aszTuvEgBkwEj8BGAAtG+CA==,iv:AuM7cdeIXuptmRbcS0HcP5ZB7+VcbQuDlECQppCR8lo=,tag:4Te9jkG8yHijyICZlEKiuw==,type:str]
+        badele-hash: ENC[AES256_GCM,data:vsQy1euMz0qiHiN1Mm4Ab3+y1bvuAJ4QBh60jzLU9RN9JNkpXcsZMVyZ4K5aMFYPVDQ1146T6j+S9UlE9oR3QvenmcrjFWEORXZg+M3ZigHtubKOdbL66FR3lyXGsUgtLFiF7MXuCriubw==,iv:SZChyIKjR2P3/pU2dVxch/7IH86XnPFJGye3x4WKQNQ=,tag:WaEI+35ilONoBEibfpSNkg==,type:str]
+        test: ENC[AES256_GCM,data:UdDXow==,iv:jlKL5OkN/hS2iNpWIm989kHswyJcBikpWCvUpXNnAgs=,tag:z+gQyR4NnQjEKWBjv4O/Ow==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15js628ku59g94njn0vup20r4xx34guesgsj5dqsken5hma2zqg2szjed66
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaEJ0S0FXZ2hXNkw3dW9V
+            UzI4eVQrb3dmZ0ZXaElnRjZwUmFsSzBmeVdNCnNrTmlwOUt5cE5MNnJtMU9NVktp
+            NTdnSkZqZXJabU1UNDE1STdLQ2NVMm8KLS0tIG9tL01SMTJNYWFsVVJmSGlUWHVk
+            c1VGT1RCc1RYZVNIMEZ3cCs1NU0wOTgKeru9fVg8LbfA6FpM4ko7hFO7ydo6lJfP
+            4C+BJzVBEacPJPUENa71iM5SPF1vD6DzX7Pw7afrph6HpaPXygiNDg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1atc7mzjz8k58l7wh5na8d9k5y5fl5qf75m5dtl53l6wvwmrr7pvqxchgtf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VlNTYVZzWFc3TXB5UTUz
+            cXVoS0twaE93NGk3UlYxZ1d4aElqd21VREc4Cis1TUJNZUZyRE9rR2haT1NRWFc5
+            dFZoSTgrTVZZQnBJcEtvdWFwUEFvZm8KLS0tIGdwQ0Vwd1Urb3FsajY3c2phVExD
+            N0dtbTFRUk1lUGluTEtoWEpZSUNjVzAKpmtEkpZ9cw/uKSxObA7FIqG6wKWX7kK4
+            Vy9yYRYSaJfCW46//3qwuYLqzGqa2+xGjyvPqRPohvFOhVn3pp7FFw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-27T07:35:19Z"
+    mac: ENC[AES256_GCM,data:QJ3WSWPmBAazKz2YJS10mP4BAw5Il+L0FgPVRGHy1wOpv6zpdvj+jHy239d0QuZ3kKVjHeSgaYf2wdzkOLNDCtKKUklBIgKHeRsgbhBOkMouFfnBwWlU65INM72eqW5rDxJ5xL2ieV5UOicomDYnM75SgMHibTBviXW5mLpLMEY=,iv:ch7wdE5bfeK5+VSk8bif6uErhneD3f97UIhnD6/aDNI=,tag:4O8LfwdBbVn3hSTSSd1FOQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

hosts/hype16/ssh-to-age.txt

@@ -0,0 +1 @@
+age1atc7mzjz8k58l7wh5na8d9k5y5fl5qf75m5dtl53l6wvwmrr7pvqxchgtf

hosts/hype16/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZhjzZnBhiMUFi8l9MwyIo4dq0/7u9vaVWpsZDGQU64 badele@badxps

hosts/hype16/ssh_host_rsa_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgKR1Dk3NUCh4hKwSQK9vn2VUZqCvrQCZ61PTAhXXA1kBPX/FiQ4YuqUTGBPz99ygBOv8KCDuACySOZWgKBxlVeyhO8tmiChOrC95YBwHh1Ee8LFgCe1nsg6pZMYXADpk/HnvJlJg88SA3LsvYM6EyJ16fSowX/e4XDnrTWNBaNt4uxufIexVDr7DwgB1FdQdmxpssIyKWoKYQtNGsVPoghQgnBkb8Qh0nmfe6J+jE/JRUV0NTceIUxVpI5/p2OIvEAN4U6EcL7kvJdWzgpc1KtyinB8Aea8xN5oPQsRe2fVNe1uEDkFORXXIspA5qSZkU7o7ni9Vk3FIythWGVVZAUMaBA9RLlgitVDg4tBlb1MwDzL6cmYf05doOXIAL3Qwyb4ZbpLDYEGFHYHi+kgL7yZqo4BmtvTLZ7jqc7XMTZmvLXU8oPX99pre4EuldAtAvWyGYnnMk7EyBT+dE2UA3YiwtxOElAZpUTm7gkdrehZNT9VZw87Txz0xloeQa0qC7XWzFPPru0D1aAp/WEC7qAT3QGUokKzIpzclCs3jDzveV3tV72ouYva3TgCO/5r+qUGp6ebMU1IINPdb60bnFkUl98fPuKISzNAZDrRz7iBTVtPUlFIEZ8hYpXL9gIOF9NhH1hGo3qAyHs8ONY8GtFQ3x96SvI3T+iv8odoXxAw== badele@badxps