A lib/util.nix => lib/util.nix +14 -0
@@ 0,0 1,14 @@
+{...}: let
+ hostNameToIPv4 = {
+ "dns" = "10.1.2.3";
+ "metrics" = "10.1.2.5";
+ "proxy" = "10.1.2.10";
+ "auth" = "10.1.2.12";
+ "cloud" = "10.1.2.15";
+ "alderaan" = "10.1.2.16";
+ "social" = "10.1.2.17";
+ };
+ getIPv4 = hostName: hostNameToIPv4.${hostName};
+in {
+ getIPv4 = getIPv4;
+}
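Review bot: `getIPv4` indexes `hostNameToIPv4` directly, so a host missing from the table fails evaluation with a bare `attribute 'x' missing` error that points into this file rather than at the host that asked for it. An explicit fallback makes the failure self-describing: `getIPv4 = hostName: hostNameToIPv4.${hostName} or (throw "util.getIPv4: no IPv4 address assigned for host '${hostName}'");`. The export `getIPv4 = getIPv4;` can be written `inherit getIPv4;`. Consider also exporting the table itself, since anything that needs the full host/address set (a zone file, firewall rules) would otherwise have to duplicate it.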
M roles/default.nix => roles/default.nix +1 -0
@@ 13,6 13,7 @@
./kitty.nix
./nix.nix
./plasma.nix
+ ./prometheus.nix
./qutebrowser.nix
./tailscale.nix
./zellij.nix
A roles/prometheus.nix => roles/prometheus.nix +24 -0
@@ 0,0 1,24 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.roles.prometheus;
+in {
+ options.roles.prometheus = {
+ exporters = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Wheter to open firewall ports for enabled exporters";
+ };
+ node.enable = lib.mkEnableOption "node exporter";
+ systemd.enable = lib.mkEnableOption "systemd exporter";
+ };
+ };
+ default = {};
+ };
+ };
+}
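Review bot: `cfg = config.roles.prometheus;` is bound but never read, and the module declares `exporters.openFirewall`, `node.enable` and `systemd.enable` without a `config` block acting on them, so setting these options currently has no effect; either add the `config = { … }` half (presumably wiring them to the NixOS `services.prometheus.exporters.*` options) or drop the unused binding until it exists. The description has a typo: `description = "Whether to open firewall ports for enabled exporters";`. Defaulting `openFirewall` to `false` is the right choice for exporter ports; whatever `config` is added should gate each exporter's firewall opening on this option rather than opening ports unconditionally.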
M systems/hosts/default.nix => systems/hosts/default.nix +8 -0
@@ 1,6 1,7 @@
{
desktop,
laptop,
+ lxc,
...
}: {
alice = {
@@ 13,4 14,11 @@
profile = laptop;
modules = [];
};
+
+ # LXCs
+ dns = {
+ system = "x86_64-linux";
+ profile = lxc;
+ moduels = [];
+ };
}
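Review bot: The new `dns` host entry spells the attribute `moduels = [];`, so whatever reads `modules` from each host (outside this diff) will not find it; whether that is silently ignored or an evaluation error depends on that consumer, but either way the line should read `modules = [];`. The existing entries in the first hunk (`modules = [];` under the laptop host) show the intended key. The hunk only shows the tail of the hosts attribute set, so I cannot confirm no other entry has the same misspelling.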
M systems/profiles/default.nix => systems/profiles/default.nix +1 -0
@@ 1,4 1,5 @@
inputs: {
desktop = import ./desktop inputs;
laptop = import ./laptop inputs;
+ lxc = import ./lxc inputs;
}
A systems/profiles/lxc/default.nix => systems/profiles/lxc/default.nix +14 -0
@@ 0,0 1,14 @@
+inputs @ {sops-nix, ...}: {
+ modules = [
+ sops-nix.nixosModules.sops
+
+ ../../../modules
+ ../../../roles
+
+ ./lxc.nix
+ ];
+ specialArgs = {
+ inherit inputs;
+ artautil = import ../../../lib/util.nix {};
+ };
+}
A systems/profiles/lxc/lxc.nix => systems/profiles/lxc/lxc.nix +59 -0
@@ 0,0 1,59 @@
+{
+ artautil,
+ config,
+ lib,
+ ...
+}: {
+ boot.isContainer = true;
+
+ # Install new init script
+ system.activationScripts.installInitScript = lib.mkForce ''
+ mkdir -p /sbin
+ ln -fs $systemConfig/init /sbin/init
+ '';
+
+ networking.defaultGateway = {
+ address = "10.1.2.1";
+ interface = "eth0";
+ };
+ networking.nameservers = ["10.1.2.3"];
+ networking.interfaces."eth0".ipv4.addresses = [
+ {
+ address = artautil.getIPv4 config.networking.hostName;
+ prefixLength = 24;
+ }
+ ];
+
+ nix.settings.trusted-users = ["root"];
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAlif3ABIk0YSx++A+sEeRYPNMMZWLcDuoTKhmcCL6K jonni@liljamo.com"
+ ];
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ };
+
+ systemd.suppressedSystemUnits = [
+ "console-getty.service"
+ "getty@.service"
+ "systemd-udev-trigger.service"
+ "systemd-udevd.service"
+ "sys-fs-fuse-connections.mount"
+ "sys-kernel-debug.mount"
+ "dev-mqueue.mount"
+ ];
+ services = {
+ journald.extraConfig = "SystemMaxUse=4G";
+ cron.systemCronJobs = [
+ "0 22 * * * root journalctl --vacuum-time=7d"
+ ];
+ };
+}
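Review bot: `networking.nameservers = ["10.1.2.3"];` hard-codes the address that `lib/util.nix` maps to `"dns"`, so renumbering the DNS host would have to be done in two places; `artautil` is already a module argument here, so `networking.nameservers = [(artautil.getIPv4 "dns")];` keeps one source of truth. The `services` attribute is defined twice, once as `services.openssh = { … }` and again as `services = { journald…; cron…; };`, which recent Nix accepts by merging but reads as two half-configurations; folding `openssh` into the single `services` set is clearer. The sshd settings (`PasswordAuthentication` and `KbdInteractiveAuthentication` forced off, `PermitRootLogin = "prohibit-password"`) are consistent with the key-only root login set up in `users.users.root`. `artautil.getIPv4 config.networking.hostName` fails evaluation for any host built with this profile that is absent from the util.nix table, which looks intended but deserves a comment on that line such as `# every LXC host must have an entry in lib/util.nix hostNameToIPv4`.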