diff --git a/systems/jeeves/networking.nix b/systems/jeeves/networking.nix index 0b81723..eedac6a 100644 --- a/systems/jeeves/networking.nix +++ b/systems/jeeves/networking.nix @@ -2,31 +2,71 @@ networking = { hostName = "jeeves"; hostId = "0e15ce35"; - firewall.enable = true; + firewall = { + enable = true; + interfaces.br-nix-builder = { + allowedTCPPorts = [ ]; + allowedUDPPorts = [ ]; + }; + }; useNetworkd = true; }; systemd.network = { enable = true; + wait-online = { + enable = false; + anyInterface = true; + }; + netdevs = { + "20-br-nix-builder" = { + netdevConfig = { + Kind = "bridge"; + Name = "br-nix-builder"; + }; + }; + "30-internet-vlan" = { + netdevConfig = { + Kind = "vlan"; + Name = "internet-vlan"; + }; + vlanConfig.Id = 100; + }; + }; networks = { "10-1GB_Primary" = { - matchConfig.Name = "enp98s0f0"; + matchConfig.Name = "enp97s0f1"; address = [ "192.168.99.14/24" ]; routes = [ { Gateway = "192.168.99.1"; } ]; + vlan = [ "internet-vlan" ]; linkConfig.RequiredForOnline = "routable"; }; - "10-1GB_Secondary" = { - matchConfig.Name = "enp98s0f1"; - DHCP = "yes"; + "50-internet-vlan" = { + matchConfig.Name = "internet-vlan"; + bridge = [ "br-nix-builder" ]; + linkConfig.RequiredForOnline = "no"; }; - "10-10GB_Primary" = { - matchConfig.Name = "enp97s0f0np0"; - DHCP = "yes"; - linkConfig.RequiredForOnline = "routable"; - }; - "10-10GB_Secondary" = { - matchConfig.Name = "enp97s0f1np1"; - DHCP = "yes"; + "60-br-nix-builder" = { + matchConfig.Name = "br-nix-builder"; + bridgeConfig = { }; + address = [ "192.168.3.10/24" ]; + routingPolicyRules = [ + { + From = "192.168.3.0/24"; + Table = 100; + Priority = 100; + } + ]; + routes = [ + { + Gateway = "192.168.3.1"; + Table = 100; + GatewayOnLink = false; + Metric = 2048; + PreferredSource = "192.168.3.10"; + } + ]; + linkConfig.RequiredForOnline = "no"; }; }; }; diff --git a/systems/jeeves/runners/nix_builder.nix b/systems/jeeves/runners/nix_builder.nix index c4fc905..615d834 100644 
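Review bot: The interface-scoped `allowedTCPPorts = [ ]` / `allowedUDPPorts = [ ]` on `br-nix-builder` are the defaults and so change nothing, yet that bridge is where the untrusted runner containers now sit next to the host's new `192.168.3.10/24` address and, through `internet-vlan`, VLAN 100. As far as this hunk shows, the NixOS firewall only filters traffic addressed to the host, so any port opened globally (`networking.firewall.allowedTCPPorts` or a service's `openFirewall`, not visible here) stays reachable from the runners, and container-to-container or container-to-VLAN traffic crosses the bridge at layer 2 without meeting these rules at all. If the intent is to isolate the runners, say so and enforce it, e.g. a comment `# br-nix-builder carries untrusted CI containers; nothing on the host may accept connections from it` plus an explicit rule such as `networking.firewall.extraCommands = "iptables -I nixos-fw -i br-nix-builder -m conntrack --ctstate NEW -j nixos-fw-refuse";` (or the nftables equivalent, with forward filtering if bridged traffic must also be controlled). The attribute set this hunk edits opens on line 1, outside the hunk.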
--- a/systems/jeeves/runners/nix_builder.nix +++ b/systems/jeeves/runners/nix_builder.nix 
@@ -9,108 +9,126 @@ with lib; let vars = import ../vars.nix; + cfg = config.services.nix_builder; in { - options.services.nix_builder.containers = mkOption { - type = types.attrsOf ( - types.submodule ( - { name, ... }: - { - options.enable = mkEnableOption "GitHub runner container"; - } - ) - ); - default = { }; - description = "GitHub runner container configurations"; + options.services.nix_builder = { + bridgeName = mkOption { + type = types.str; + default = "br-nix-builder"; + description = "Bridge name for the builder containers."; + }; + + containers = mkOption { + type = types.attrsOf ( + types.submodule ( + { name, ... }: + { + options.enable = mkEnableOption "GitHub runner container"; + } + ) + ); + default = { }; + description = "GitHub runner container configurations"; + }; }; - config.containers = mapAttrs ( - name: cfg: - mkIf cfg.enable { - autoStart = true; - privateNetwork = true; - ephemeral = true; - bindMounts = { - storage = { - mountPoint = "/zfs/media/github-runners/${name}"; - isReadOnly = false; - }; - host-nix = { - mountPoint = "/host-nix/var/nix/daemon-socket"; - hostPath = "/nix/var/nix/daemon-socket"; - isReadOnly = false; - }; - secrets = { - mountPoint = "${vars.secrets}/services/github-runners/${name}"; - isReadOnly = true; - }; - }; - config = - { - config, - pkgs, - lib, - ... 
- }: - { - nix.settings = { - trusted-substituters = [ - "https://cache.nixos.org" - "https://cache.tmmworkshop.com" - "https://nix-community.cachix.org" - ]; - substituters = [ - "https://cache.nixos.org/?priority=2&want-mass-query=true" - "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true" - "https://nix-community.cachix.org/?priority=10&want-mass-query=true" - ]; - trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - experimental-features = [ - "flakes" - "nix-command" - ]; - sandbox = true; - allowed-users = [ "github-runners" ]; - trusted-users = [ - "root" - "github-runners" - ]; + config = { + containers = mapAttrs ( + name: containerCfg: + mkIf containerCfg.enable { + autoStart = true; + privateNetwork = true; + hostBridge = cfg.bridgeName; + ephemeral = true; + bindMounts = { + storage = { + hostPath = "/zfs/media/github-runners/${name}"; + mountPoint = "/zfs/media/github-runners/${name}"; + isReadOnly = false; }; - nixpkgs = { - overlays = builtins.attrValues outputs.overlays; - config.allowUnfree = true; + host-nix = { + mountPoint = "/host-nix/var/nix/daemon-socket"; + hostPath = "/nix/var/nix/daemon-socket"; + isReadOnly = false; }; - services.github-runners.${name} = { - enable = true; - replace = true; - workDir = "/zfs/media/github-runners/${name}"; - url = "https://github.com/RichieCahill/dotfiles"; - extraLabels = [ "nixos" ]; - tokenFile = "${vars.secrets}/services/github-runners/${name}"; - user = "github-runners"; - group = "github-runners"; - extraPackages = with pkgs; [ - nixfmt-rfc-style - nixos-rebuild - treefmt - my_python - ]; + secrets = { + hostPath = "${vars.secrets}/services/github-runners/${name}"; + mountPoint = "${vars.secrets}/services/github-runners/${name}"; + isReadOnly = true; }; - users = { - users.github-runners = { - shell 
= pkgs.bash; - isSystemUser = true; - group = "github-runners"; - uid = 601; + }; + config = + { + config, + pkgs, + lib, + ... + }: + { + networking = { + useDHCP = lib.mkDefault true; + interfaces.eth0.useDHCP = true; }; - groups.github-runners.gid = 601; + nix.settings = { + trusted-substituters = [ + "https://cache.nixos.org" + "https://cache.tmmworkshop.com" + "https://nix-community.cachix.org" + ]; + substituters = [ + "https://cache.nixos.org/?priority=2&want-mass-query=true" + "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true" + "https://nix-community.cachix.org/?priority=10&want-mass-query=true" + ]; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + experimental-features = [ + "flakes" + "nix-command" + ]; + sandbox = true; + allowed-users = [ "github-runners" ]; + trusted-users = [ + "root" + "github-runners" + ]; + }; + nixpkgs = { + overlays = builtins.attrValues outputs.overlays; + config.allowUnfree = true; + }; + services.github-runners.${name} = { + enable = true; + replace = true; + workDir = "/zfs/media/github-runners/${name}"; + url = "https://github.com/RichieCahill/dotfiles"; + extraLabels = [ "nixos" ]; + tokenFile = "${vars.secrets}/services/github-runners/${name}"; + user = "github-runners"; + group = "github-runners"; + extraPackages = with pkgs; [ + nixfmt-rfc-style + nixos-rebuild + treefmt + my_python + ]; + }; + users = { + users.github-runners = { + shell = pkgs.bash; + isSystemUser = true; + group = "github-runners"; + uid = 601; + }; + groups.github-runners.gid = 601; + }; + system.stateVersion = "24.11"; }; - system.stateVersion = "24.11"; - }; - } - ) config.services.nix_builder.containers; + } + ) cfg.containers; + }; }
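Review bot: The `host-nix` bind mount hands every runner container the host nix-daemon socket read-write while `nix.settings.trusted-users` inside the container lists `github-runners` (uid 601); nixos-containers share the host's UID space unless user namespacing is requested, so if uid 601 is also a trusted user on the host (outside this hunk) a job running untrusted workflow code could reach the host daemon with `--option sandbox false` or an arbitrary substituter. The `allowed-users`/`trusted-users` pair only governs the container's own daemon, and the hunk does not show the runner being pointed at either socket, so the trust grant looks wider than the design needs. Either drop `"github-runners"` from `trusted-users` here or pin the intent with a comment such as `# host-nix exposes the host daemon: uid 601 must not be in the host's trusted-users, or a PR can disable the sandbox`. The module function wrapping this `let` starts before line 9, outside the hunk.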