From afc9af0084394a92361a6d10da38cb8830ffecee Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Sun, 4 Aug 2024 18:53:53 +0300
Subject: [PATCH] wip: lxc stuff

---
 lib/util.nix | 14 ++++++++
 roles/default.nix | 1 +
 roles/prometheus.nix | 24 +++++++++++++
 systems/hosts/default.nix | 8 +++++
 systems/profiles/default.nix | 1 +
 systems/profiles/lxc/default.nix | 14 ++++++++
 systems/profiles/lxc/lxc.nix | 59 ++++++++++++++++++++++++++++++++
 7 files changed, 121 insertions(+)
 create mode 100644 lib/util.nix
 create mode 100644 roles/prometheus.nix
 create mode 100644 systems/profiles/lxc/default.nix
 create mode 100644 systems/profiles/lxc/lxc.nix

diff --git a/lib/util.nix b/lib/util.nix
new file mode 100644
index 0000000..b885844
--- /dev/null
+++ b/lib/util.nix
@@ -0,0 +1,14 @@
+{...}: let
+ hostNameToIPv4 = {
+ "dns" = "10.1.2.3";
+ "metrics" = "10.1.2.5";
+ "proxy" = "10.1.2.10";
+ "auth" = "10.1.2.12";
+ "cloud" = "10.1.2.15";
+ "alderaan" = "10.1.2.16";
+ "social" = "10.1.2.17";
+ };
+ getIPv4 = hostName: hostNameToIPv4.${hostName};
+in {
+ getIPv4 = getIPv4;
+}
diff --git a/roles/default.nix b/roles/default.nix
index 6f5044c..1698599 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -13,6 +13,7 @@
 ./kitty.nix
 ./nix.nix
 ./plasma.nix
+ ./prometheus.nix
 ./qutebrowser.nix
 ./tailscale.nix
 ./zellij.nix
diff --git a/roles/prometheus.nix b/roles/prometheus.nix
new file mode 100644
index 0000000..a2c4797
--- /dev/null
+++ b/roles/prometheus.nix
@@ -0,0 +1,24 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.roles.prometheus;
+in {
+ options.roles.prometheus = {
+ exporters = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Wheter to open firewall ports for enabled exporters";
+ };
+ node.enable = lib.mkEnableOption "node exporter";
+ systemd.enable = lib.mkEnableOption "systemd exporter";
+ };
+ };
+ default = {};
+ };
+ };
+}
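Review bot: `getIPv4 = hostName: hostNameToIPv4.${hostName};` fails with a bare attribute-missing error when a host has no entry in the map, which is easy to hit from lxc.nix where the argument is `config.networking.hostName` taken from the host table; `getIPv4 = hostName: hostNameToIPv4.${hostName} or (throw "getIPv4: no IPv4 address registered for host '${hostName}'");` names the actual cause at evaluation time. The export `getIPv4 = getIPv4;` is the idiomatic `inherit getIPv4;`. A one-line header comment stating that this map is the single source of truth for the LXC addresses would help, since lxc.nix repeats `10.1.2.3` as a literal nameserver.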
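Review bot: `cfg = config.roles.prometheus;` is bound but never used, because the module only declares `options.roles.prometheus` and has no `config` section, so enabling `node` or `systemd` exporters has no effect yet; presumably the wiring is pending (the subject says wip), and a `# TODO: add config section that enables services.prometheus.exporters.* from cfg.exporters` at the `in {` line would make that explicit. The `openFirewall` description has a typo: `description = "Whether to open firewall ports for enabled exporters";`.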
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index fd7c6fa..99d81f2 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -1,6 +1,7 @@
 {
 desktop,
 laptop,
+ lxc,
 ...
 }: {
 alice = {
@@ -13,4 +14,11 @@
 profile = laptop;
 modules = [];
 };
+
+ # LXCs
+ dns = {
+ system = "x86_64-linux";
+ profile = lxc;
+ moduels = [];
+ };
 }
diff --git a/systems/profiles/default.nix b/systems/profiles/default.nix
index d6bb3f8..84416a3 100644
--- a/systems/profiles/default.nix
+++ b/systems/profiles/default.nix
@@ -1,4 +1,5 @@
 inputs: {
 desktop = import ./desktop inputs;
 laptop = import ./laptop inputs;
+ lxc = import ./lxc inputs;
 }
diff --git a/systems/profiles/lxc/default.nix b/systems/profiles/lxc/default.nix
new file mode 100644
index 0000000..e5fb0f5
--- /dev/null
+++ b/systems/profiles/lxc/default.nix
@@ -0,0 +1,14 @@
+inputs @ {sops-nix, ...}: {
+ modules = [
+ sops-nix.nixosModules.sops
+
+ ../../../modules
+ ../../../roles
+
+ ./lxc.nix
+ ];
+ specialArgs = {
+ inherit inputs;
+ artautil = import ../../../lib/util.nix {};
+ };
+}
diff --git a/systems/profiles/lxc/lxc.nix b/systems/profiles/lxc/lxc.nix
new file mode 100644
index 0000000..d222e63
--- /dev/null
+++ b/systems/profiles/lxc/lxc.nix
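Review bot: `moduels = [];` in the new `dns` entry is misspelled; the sibling entries in this file use `modules = []`, so whatever consumes this table (outside the hunk) will presumably look for `modules` and either fail on the missing attribute or silently ignore the list. Change it to `modules = [];`.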
@@ -0,0 +1,59 @@
+{
+ artautil,
+ config,
+ lib,
+ ...
+}: {
+ boot.isContainer = true;
+
+ # Install new init script
+ system.activationScripts.installInitScript = lib.mkForce ''
+ mkdir -p /sbin
+ ln -fs $systemConfig/init /sbin/init
+ '';
+
+ networking.defaultGateway = {
+ address = "10.1.2.1";
+ interface = "eth0";
+ };
+ networking.nameservers = ["10.1.2.3"];
+ networking.interfaces."eth0".ipv4.addresses = [
+ {
+ address = artautil.getIPv4 config.networking.hostName;
+ prefixLength = 24;
+ }
+ ];
+
+ nix.settings.trusted-users = ["root"];
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAlif3ABIk0YSx++A+sEeRYPNMMZWLcDuoTKhmcCL6K jonni@liljamo.com"
+ ];
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ };
+
+ systemd.suppressedSystemUnits = [
+ "console-getty.service"
+ "getty@.service"
+ "systemd-udev-trigger.service"
+ "systemd-udevd.service"
+ "sys-fs-fuse-connections.mount"
+ "sys-kernel-debug.mount"
+ "dev-mqueue.mount"
+ ];
+ services = {
+ journald.extraConfig = "SystemMaxUse=4G";
+ cron.systemCronJobs = [
+ "0 22 * * * root journalctl --vacuum-time=7d"
+ ];
+ };
+}
-- 
2.44.1
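Review bot: `networking.nameservers = ["10.1.2.3"];` hard-codes the address that lib/util.nix already registers for the `dns` host, so the two can drift apart; `networking.nameservers = [(artautil.getIPv4 "dns")];` keeps one source of truth (the gateway `10.1.2.1` has no entry in that map, so it stays literal). `services.openssh = {…}` and the later `services = { journald …; cron … }` define the same top-level attribute twice; whether the evaluator merges the two literals or rejects the second depends on the Nix version, and folding journald and cron into the one `services` block next to openssh avoids the question. With `console-getty.service` and `getty@.service` suppressed and root limited to `prohibit-password`, the listed SSH key is the only interactive login path this configuration provides, which deserves a comment at `users.users.root` such as `# Sole interactive login path: gettys are suppressed below and root password auth is disabled.`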