flake: Make openstack-image EFI

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/78
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>

flake.lock

@@ -63,7 +63,7 @@
       "inputs": {
         "fix-python": "fix-python",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
@@ -156,6 +156,42 @@
         "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
       }
     },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1725757153,
+        "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726102718,
+        "narHash": "sha256-u89QyfjtXryLHrO3Wre4kuWK5KDKiXe8lgRi6+cUOEw=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "5ae384b83b91080f0fead6bc1add1cff8277cb3f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1725198597,
@@ -250,6 +286,7 @@
         "matrix-next": "matrix-next",
         "minecraft-data": "minecraft-data",
         "nix-gitea-themes": "nix-gitea-themes",
+        "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",

flake.nix

@@ -24,14 +24,17 @@
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
     minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, nixos-generators, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -126,7 +129,6 @@
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" { };
     };
 
     nixosModules = {
@@ -150,6 +152,40 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
+        openstack-image = nixos-generators.nixosGenerate {
+          system = "x86_64-linux";
+          format = "openstack";
+
+          modules = [
+            ({config, lib, pkgs, modulesPath, ... }: {
+              system.build.openstackImage = lib.mkForce (import "${modulesPath}/../lib/make-disk-image.nix" {
+                inherit config lib pkgs;
+                additionalSpace = "1024M";
+                copyChannel = true;
+                diskSize = "auto";
+                format = "raw";
+                partitionTableType = "efi";
+                configFile = pkgs.writeText "configuration.nix"
+                  ''
+                    {
+                      imports = [ <nixpkgs/nixos/modules/virtualisation/openstack-config.nix> ];
+                    }
+                  '';
+              });
+              boot.loader.grub = lib.mkForce {
+                device = "nodev";
+                efiSupport = true;
+                efiInstallAsRemovable = true;
+              };
+
+              fileSystems."/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+            })
+          ];
+        };
+
       } //
       (nixlib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })

hosts/bekkalokk/services/bluemap/default.nix

@@ -14,6 +14,7 @@ in {
   services.bluemap = {
     enable = true;
     eula = true;
+    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
 
     host = "minecraft.pvv.ntnu.no";
 

hosts/bekkalokk/services/gitea/default.nix

@@ -55,6 +55,11 @@ in {
         USER = "gitea@pvv.ntnu.no";
         SUBJECT_PREFIX = "[pvv-git]";
       };
+      metrics = {
+        ENABLED = true;
+        ENABLED_ISSUE_BY_LABEL = true;
+        ENABLED_ISSUE_BY_REPOSITORY = true;
+      };
       indexer.REPO_INDEXER_ENABLED = true;
       service = {
         DISABLE_REGISTRATION = true;
@@ -109,11 +114,20 @@ in {
     forceSSL = true;
     enableACME = true;
     kTLS = true;
-    locations."/" = {
-      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      extraConfig = ''
-        client_max_body_size 512M;
-      '';
+    locations = {
+      "/" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+      };
+      "/metrics" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          allow ${values.hosts.ildkule.ipv4}/32;
+          deny all;
+        '';
+      };
     };
   };
 

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -202,6 +202,12 @@ in
           rewrite ^/simplesaml/(.*)$ /$1 redirect;
           return 404;
         '';
+        "/robots.txt" = {
+          root = pkgs.writeTextDir "robots.txt" ''
+            User-agent: *
+            Disallow: /
+          '';
+        };
       };
     };
   };

hosts/bicep/acmeCert.nix

@@ -1,24 +0,0 @@
-{ values, ... }:
-{
-  users.groups.acme.members = [ "nginx" ];
-
-  security.acme.certs."postgres.pvv.ntnu.no" = {
-    group = "acme";
-    extraDomainNames = [
-      # "postgres.pvv.org"
-      "bicep.pvv.ntnu.no"
-      # "bicep.pvv.org"
-      # values.hosts.bicep.ipv4
-      # values.hosts.bicep.ipv6
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."postgres.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      # useACMEHost = "postgres.pvv.ntnu.no";
-    };
-  };
-}

hosts/bicep/configuration.nix

@@ -7,8 +7,6 @@
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
-    ./acmeCert.nix
-
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
@@ -36,6 +34,9 @@
     anyInterface = true;
   };
 
+  # There are no smart devices
+  services.smartd.enable = false;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bicep/services/matrix/synapse.nix

@@ -182,8 +182,6 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
-          allow ${values.hosts.ildkule.ipv4_global};
-          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       })
@@ -195,8 +193,6 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
-        allow ${values.hosts.ildkule.ipv4_global};
-        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/buskerud/configuration.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base
-    ../../misc/metrics-exporters.nix
-
-    ./services/libvirt.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sdb";
-
-  networking.hostName = "buskerud";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-
-  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp3s0f0";
-    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

hosts/buskerud/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/buskerud/services/libvirt.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  boot.kernelModules = [ "kvm-intel" ];
-
-  # On a gui-enabled machine, connect with:
-  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
-}
-

hosts/ildkule/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
@@ -19,33 +19,37 @@
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
-  networking.hostName = "ildkule"; # Define your hostname.
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
+  systemd.network.enable = lib.mkForce false;
+  networking = let
+    hostConf = values.hosts.ildkule;
+  in {
+    hostName = "ildkule";
+    tempAddresses = "disabled";
+    useDHCP = lib.mkForce true;
 
-  # Main connection, using the global/floatig IP, for communications with the world
-  systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
-    matchConfig.Name = "ens4";
+    search = values.defaultNetworkConfig.domains;
+    nameservers = values.defaultNetworkConfig.dns;
+    defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    # Add the global addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
-    ];
-  };
-
-  # Secondary connection only for use within the university network
-  systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
-    matchConfig.Name = "ens3";
-    # Add the ntnu-internal addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
-    ];
+    interfaces."ens4" = {
+      ipv4.addresses = [
+        { address = hostConf.ipv4;          prefixLength = 32; }
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
+      ];
+      ipv6.addresses = [
+        { address = hostConf.ipv6;          prefixLength = 64; }
+      ];
+    };
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
+  # No devices with SMART
+  services.smartd.enable = false;
+
   system.stateVersion = "23.11"; # Did you read the comment?
 
 }

hosts/ildkule/services/monitoring/grafana.nix

@@ -75,6 +75,12 @@ in {
           url = "https://grafana.com/api/dashboards/240/revisions/3/download";
           options.path = dashboards/go-processes.json;
         }
+        {
+          name = "Gitea Dashbaord";
+          type = "file";
+          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
+          options.path = dashboards/gitea-dashbaord.json;
+        }
       ];
 
     };

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -1,11 +1,11 @@
 { config, ... }: {
   imports = [
-    ./gogs.nix
+    ./gitea.nix
     ./matrix-synapse.nix
     # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
     # ./mysqld.nix
-    ./node.nix
     ./postgres.nix
+    ./machines.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/gitea.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.prometheus.scrapeConfigs = [{
+    job_name = "gitea";
+    scrape_interval = "60s";
+    scheme = "https";
+
+    static_configs = [
+      {
+        targets = [
+          "git.pvv.ntnu.no:443"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/gogs.nix

@@ -1,16 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "git-gogs";
-    scheme = "https";
-    metrics_path = "/-/metrics";
-    static_configs = [
-      {
-        targets = [
-          "essendrop.pvv.ntnu.no:443"
-        ];
-      }
-    ];
-  }];
-}

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -0,0 +1,54 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "base_info";
+    static_configs = [
+      { labels.hostname = "ildkule";
+        targets = [
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
+        ];
+      }
+      { labels.hostname = "bekkalokk";
+        targets = [
+          "bekkalokk.pvv.ntnu.no:9100"
+          "bekkalokk.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "bicep";
+        targets = [
+          "bicep.pvv.ntnu.no:9100"
+          "bicep.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "brzeczyszczykiewicz";
+        targets = [
+          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
+          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "georg";
+        targets = [
+          "georg.pvv.ntnu.no:9100"
+          "georg.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname =  "hildring";
+        targets = [
+          "hildring.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "isvegg";
+        targets = [
+          "isvegg.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "microbel";
+        targets = [
+          "microbel.pvv.ntnu.no:9100"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/node.nix

@@ -1,22 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "node";
-    static_configs = [
-      {
-        targets = [
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-          "microbel.pvv.ntnu.no:9100"
-          "isvegg.pvv.ntnu.no:9100"
-          "knakelibrak.pvv.ntnu.no:9100"
-          "hildring.pvv.ntnu.no:9100"
-          "bicep.pvv.ntnu.no:9100"
-          "essendrop.pvv.ntnu.no:9100"
-          "andresbu.pvv.ntnu.no:9100"
-          "bekkalokk.pvv.ntnu.no:9100"
-        ];
-      }
-    ];
-  }];
-}

justfile

@@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
   nix eval .#inputs --apply builtins.attrNames --json \
     | jq '.[]' -r \
     | gum choose --no-limit --height=15 \
-    | xargs nix flake update --commit-lock-file
+    | xargs -L 1 nix flake lock --update-input
 
 
 _a_machine:

misc/metrics-exporters.nix

@@ -14,13 +14,31 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 
 
-  networking.firewall.allowedTCPPorts = [ 9100 ];
+  services.prometheus.exporters.systemd = {
+    enable = true;
+    port = 9101;
+    extraFlags = [
+      "--systemd.collector.enable-restart-count"
+      "--systemd.collector.enable-ip-accounting"
+    ];
+  };
+
+  systemd.services.prometheus-systemd-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+  
+
+  networking.firewall.allowedTCPPorts = [ 9100 9101 ];
 
   services.promtail = {
     enable = true;

values.nix

@@ -30,11 +30,10 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.153.213";
+      ipv4_internal = "192.168.12.209";
+      ipv4_internal_gw = "192.168.12.1";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -59,39 +58,14 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    buskerud = {
-      ipv4 = pvv-ipv4 231;
-      ipv6 = pvv-ipv6 231;
-    };
   };
 
   defaultNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    gateway = [ hosts.gateway ];
-    dns = [ "129.241.0.200" "129.241.0.201" ];
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
     domains = [ "pvv.ntnu.no" "pvv.org" ];
+    gateway = [ hosts.gateway ];
+
+    networkConfig.IPv6AcceptRA = "no";
     DHCP = "no";
   };
-
-  openstackGlobalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "yes";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-  };
-
-  openstackLocalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-
-    # Only use this network for link-local networking, not global/default routes
-    dhcpV4Config.UseRoutes = "no";
-    routes = [
-      { routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
-    ];
-
-    linkConfig.RequiredForOnline = "no";
-  };
 }