Richie/dotfiles
1
0
Fork 0
mirror of https://github.com/RichieCahill/dotfiles.git synced 2026-04-17 04:58:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

setup a isolated vlan for the runners

Browse Source
This commit is contained in:
Richie Cahill
2025-12-23 22:48:49 -05:00
parent a9a6e1f932
commit 409f376166
2 changed files with 166 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
systems/jeeves/networking.nix
View File

@@ -2,31 +2,71 @@
networking = { networking = {
hostName = "jeeves"; hostName = "jeeves";
hostId = "0e15ce35"; hostId = "0e15ce35";
firewall.enable = true; firewall = {
enable = true;
interfaces.br-nix-builder = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
};
useNetworkd = true; useNetworkd = true;
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online = {
enable = false;
anyInterface = true;
};
netdevs = {
"20-br-nix-builder" = {
netdevConfig = {
Kind = "bridge";
Name = "br-nix-builder";
};
};
"30-internet-vlan" = {
netdevConfig = {
Kind = "vlan";
Name = "internet-vlan";
};
vlanConfig.Id = 100;
};
};
networks = { networks = {
"10-1GB_Primary" = { "10-1GB_Primary" = {
matchConfig.Name = "enp98s0f0"; matchConfig.Name = "enp97s0f1";
address = [ "192.168.99.14/24" ]; address = [ "192.168.99.14/24" ];
routes = [ { Gateway = "192.168.99.1"; } ]; routes = [ { Gateway = "192.168.99.1"; } ];
vlan = [ "internet-vlan" ];
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
"10-1GB_Secondary" = { "50-internet-vlan" = {
matchConfig.Name = "enp98s0f1"; matchConfig.Name = "internet-vlan";
DHCP = "yes"; bridge = [ "br-nix-builder" ];
linkConfig.RequiredForOnline = "no";
}; };
"10-10GB_Primary" = { "60-br-nix-builder" = {
matchConfig.Name = "enp97s0f0np0"; matchConfig.Name = "br-nix-builder";
DHCP = "yes"; bridgeConfig = { };
linkConfig.RequiredForOnline = "routable"; address = [ "192.168.3.10/24" ];
}; routingPolicyRules = [
"10-10GB_Secondary" = { {
matchConfig.Name = "enp97s0f1np1"; From = "192.168.3.0/24";
DHCP = "yes"; Table = 100;
Priority = 100;
}
];
routes = [
{
Gateway = "192.168.3.1";
Table = 100;
GatewayOnLink = false;
Metric = 2048;
PreferredSource = "192.168.3.10";
}
];
linkConfig.RequiredForOnline = "no";
}; };
}; };
}; };

28
systems/jeeves/runners/nix_builder.nix
View File

@@ -9,9 +9,17 @@ with lib;
let let
vars = import ../vars.nix; vars = import ../vars.nix;
cfg = config.services.nix_builder;
in in
{ {
options.services.nix_builder.containers = mkOption { options.services.nix_builder = {
bridgeName = mkOption {
type = types.str;
default = "br-nix-builder";
description = "Bridge name for the builder containers.";
};
containers = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule ( types.submodule (
{ name, ... }: { name, ... }:
@@ -23,15 +31,19 @@ in
default = { }; default = { };
description = "GitHub runner container configurations"; description = "GitHub runner container configurations";
}; };
};
config.containers = mapAttrs ( config = {
name: cfg: containers = mapAttrs (
mkIf cfg.enable { name: containerCfg:
mkIf containerCfg.enable {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = cfg.bridgeName;
ephemeral = true; ephemeral = true;
bindMounts = { bindMounts = {
storage = { storage = {
hostPath = "/zfs/media/github-runners/${name}";
mountPoint = "/zfs/media/github-runners/${name}"; mountPoint = "/zfs/media/github-runners/${name}";
isReadOnly = false; isReadOnly = false;
}; };
@@ -41,6 +53,7 @@ in
isReadOnly = false; isReadOnly = false;
}; };
secrets = { secrets = {
hostPath = "${vars.secrets}/services/github-runners/${name}";
mountPoint = "${vars.secrets}/services/github-runners/${name}"; mountPoint = "${vars.secrets}/services/github-runners/${name}";
isReadOnly = true; isReadOnly = true;
}; };
@@ -53,6 +66,10 @@ in
... ...
}: }:
{ {
networking = {
useDHCP = lib.mkDefault true;
interfaces.eth0.useDHCP = true;
};
nix.settings = { nix.settings = {
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
@@ -112,5 +129,6 @@ in
system.stateVersion = "24.11"; system.stateVersion = "24.11";
}; };
} }
) config.services.nix_builder.containers; ) cfg.containers;
};
} }