
feat(infra): initial NixOS migration

Khue Doan b530f389 443aac58

+251 -9
+34
infra/production/hetzner/helsinki/compute/.terraform.lock.hcl
··· 1 1 # This file is maintained automatically by "tofu init". 2 2 # Manual edits may be lost in future updates. 3 3 4 + provider "registry.opentofu.org/hashicorp/external" { 5 + version = "2.3.5" 6 + hashes = [ 7 + "h1:jcVmeuuz74tdRt2kj0MpUG9AORdlAlRRQ3k61y0r5Vc=", 8 + "zh:1fb9aca1f068374a09d438dba84c9d8ba5915d24934a72b6ef66ef6818329151", 9 + "zh:3eab30e4fcc76369deffb185b4d225999fc82d2eaaa6484d3b3164a4ed0f7c49", 10 + "zh:4f8b7a4832a68080f0bf4f155b56a691832d8a91ce8096dac0f13a90081abc50", 11 + "zh:5ff1935612db62e48e4fe6cfb83dfac401b506a5b7b38342217616fbcab70ce0", 12 + "zh:993192234d327ec86726041eb6d1efb001e41f32e4518ad8b9b162130b65ee9a", 13 + "zh:ce445e68282a2c4b2d1f994a2730406df4ea47914c0932fb4a7eb040a7ec7061", 14 + "zh:e305e17216840c54194141fb852839c2cedd6b41abd70cf8d606d6e88ed40e64", 15 + "zh:edba65fb241d663c09aa2cbf75026c840e963d5195f27000f216829e49811437", 16 + "zh:f306cc6f6ec9beaf75bdcefaadb7b77af320b1f9b56d8f50df5ebd2189a93148", 17 + "zh:fb2ff9e1f86796fda87e1f122d40568912a904da51d477461b850d81a0105f3d", 18 + ] 19 + } 20 + 21 + provider "registry.opentofu.org/hashicorp/null" { 22 + version = "3.2.4" 23 + hashes = [ 24 + "h1:jsKjBiLb+v3OIC3xuDiY4sR0r1OHUMSWPYKult9MhT0=", 25 + "zh:1769783386610bed8bb1e861a119fe25058be41895e3996d9216dd6bb8a7aee3", 26 + "zh:32c62a9387ad0b861b5262b41c5e9ed6e940eda729c2a0e58100e6629af27ddb", 27 + "zh:339bf8c2f9733fce068eb6d5612701144c752425cebeafab36563a16be460fb2", 28 + "zh:36731f23343aee12a7e078067a98644c0126714c4fe9ac930eecb0f2361788c4", 29 + "zh:3d106c7e32a929e2843f732625a582e562ff09120021e510a51a6f5d01175b8d", 30 + "zh:74bcb3567708171ad83b234b92c9d63ab441ef882b770b0210c2b14fdbe3b1b6", 31 + "zh:90b55bdbffa35df9204282251059e62c178b0ac7035958b93a647839643c0072", 32 + "zh:ae24c0e5adc692b8f94cb23a000f91a316070fdc19418578dcf2134ff57cf447", 33 + "zh:b5c10d4ad860c4c21273203d1de6d2f0286845edf1c64319fa2362df526b5f58", 34 + "zh:e05bbd88e82e1d6234988c85db62fd66f11502645838fff594a2ec25352ecd80", 35 + ] 36 + } 37 + 4 38 provider 
"registry.opentofu.org/hetznercloud/hcloud" { 5 39 version = "1.52.0" 6 40 constraints = "~> 1.45"
+118
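--- a/infra/production/hetzner/helsinki/compute/configuration.nix
+++ b/infra/production/hetzner/helsinki/compute/configuration.nix
@@ -0,0 +1,118 @@
+{ pkgs, ... }:
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        # TODO don't hard code device?
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  boot = {
+    loader = {
+      systemd-boot = {
+        enable = true;
+      };
+      efi = {
+        canTouchEfiVariables = true;
+      };
+    };
+  };
+
+  networking = {
+    networkmanager = {
+      enable = true;
+    };
+    firewall = {
+      # https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-server-nodes
+      allowedTCPPorts = [
+        6443
+        10250
+      ];
+      allowedTCPPortRanges = [
+        { from = 2379; to = 2380; }
+      ];
+    };
+  };
+
+  nix = {
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+    optimise.automatic = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+  };
+
+  services = {
+    openssh.enable = true;
+    k3s = {
+      enable = true;
+      role = "server";
+      extraFlags = toString [
+        "--disable-helm-controller"
+        "--disable-network-policy"
+        "--disable=traefik"
+        "--secrets-encryption=true"
+        "--snapshotter=stargz"
+
+        # TODO better ipv6 ipam
+        "--cluster-cidr=2001:cafe:42::/56"
+        "--service-cidr=2001:cafe:43::/112"
+      ];
+    };
+  };
+
+  users.users.admin = {
+    isNormalUser = true;
+    description = "Admin";
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+    packages = with pkgs; [
+      neovim
+      git
+      gnumake
+      tmux
+    ];
+  };
+
+  system.stateVersion = "25.05";
+}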
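Review bot: Neither `users.users.admin` nor root receives any SSH authorized key or password in this file, and `services.openssh.enable = true` leaves sshd on its defaults, so once nixos-anywhere has wiped the Debian bootstrap image there is presumably no login path to the host (and no way for `sudo` via `wheel` to authenticate) unless keys are injected elsewhere, e.g. through the commented-out `extra_files_script` in main.tf. Add `users.users.admin.openssh.authorizedKeys.keys = [ "<admin-ssh-public-key>" ];` (and the same for whichever user the nixos-anywhere module deploys as — root by default, if I read the module right), and make the policy explicit with `services.openssh.settings.PasswordAuthentication = false;`. The firewall block also opens 10250 (kubelet) and 2379-2380 (etcd) on every interface although both workers are commented out in terragrunt.hcl; those ports only need to be reachable from other cluster nodes, so either drop them until workers exist or restrict them to the node network with `networking.firewall.extraCommands` or a per-interface `networking.firewall.interfaces.<name>` rule. A one-line comment above `"--disable-network-policy"` stating that pod-to-pod isolation is intentionally off would save the next reader from wondering whether it was forgotten.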
+48
infra/production/hetzner/helsinki/compute/flake.lock
··· 1 + { 2 + "nodes": { 3 + "disko": { 4 + "inputs": { 5 + "nixpkgs": [ 6 + "nixpkgs" 7 + ] 8 + }, 9 + "locked": { 10 + "lastModified": 1755519972, 11 + "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=", 12 + "owner": "nix-community", 13 + "repo": "disko", 14 + "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d", 15 + "type": "github" 16 + }, 17 + "original": { 18 + "owner": "nix-community", 19 + "repo": "disko", 20 + "type": "github" 21 + } 22 + }, 23 + "nixpkgs": { 24 + "locked": { 25 + "lastModified": 1755593991, 26 + "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=", 27 + "owner": "NixOS", 28 + "repo": "nixpkgs", 29 + "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03", 30 + "type": "github" 31 + }, 32 + "original": { 33 + "owner": "NixOS", 34 + "ref": "nixos-25.05", 35 + "repo": "nixpkgs", 36 + "type": "github" 37 + } 38 + }, 39 + "root": { 40 + "inputs": { 41 + "disko": "disko", 42 + "nixpkgs": "nixpkgs" 43 + } 44 + } 45 + }, 46 + "root": "root", 47 + "version": 7 48 + }
+21
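--- a/infra/production/hetzner/helsinki/compute/flake.nix
+++ b/infra/production/hetzner/helsinki/compute/flake.nix
@@ -0,0 +1,21 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, disko }: {
+    nixosConfigurations = {
+      master = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux"; # TODO support multiple systems
+        modules = [
+          disko.nixosModules.disko
+          ./configuration.nix
+        ];
+      };
+    };
+  };
+}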
+19 -3
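--- a/infra/production/hetzner/helsinki/compute/main.tf
+++ b/infra/production/hetzner/helsinki/compute/main.tf
@@ -10,13 +10,29 @@
   name = each.key
   server_type = "cax11"
   public_net {
-    ipv4_enabled = false
+    ipv4_enabled = true
     ipv6_enabled = true
   }
-  # TODO NixOS
-  image = "debian-13"
+  image = "debian-13" # Only used to bootstrap nixos-anywhere
   location = each.value.location
   ssh_keys = [
     hcloud_ssh_key.main.id
   ]
 }
+
+module "nixos" {
+  for_each = hcloud_server.nodes
+
+  source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
+  nixos_system_attr = "${var.flake}#nixosConfigurations.master.config.system.build.toplevel"
+  nixos_partitioner_attr = "${var.flake}#nixosConfigurations.master.config.system.build.diskoScript"
+  target_host = each.value.ipv6_address
+  instance_id = each.value.name
+  build_on_remote = true
+  # extra_files_script = "${path.module}/decrypt-ssh-secrets.sh"
+  # disk_encryption_key_scripts = [{
+  #   path = "/tmp/secret.key"
+  #   # script is below
+  #   script = "${path.module}/decrypt-zfs-key.sh"
+  # }]
+}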
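Review bot: `source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"` carries no `?ref=`, so every `tofu init` pulls whatever the upstream default branch holds at that moment, and this module is the code that gets root on the node and chooses what to install — it deserves the same pinning the providers get in .terraform.lock.hcl, e.g. `source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one?ref=<pinned-tag-or-commit>"`. Both `nixos_system_attr` and `nixos_partitioner_attr` hard-code `nixosConfigurations.master` while `for_each` walks all of `hcloud_server.nodes`, so re-enabling the workers in terragrunt.hcl would install the master configuration (including the k3s server role) on them; deriving the attribute from `each.key` would avoid that. `build_on_remote = true` means the target builds its own closure; a comment stating why (presumably no local aarch64 builder) would help the next reader. The enclosing `resource "hcloud_server" "nodes"` block starts above the hunk.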
+7 -6
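--- a/infra/production/hetzner/helsinki/compute/terragrunt.hcl
+++ b/infra/production/hetzner/helsinki/compute/terragrunt.hcl
@@ -8,11 +8,12 @@
     "master-1" = {
       location = "hel1"
     }
-    "worker-1" = {
-      location = "nbg1"
-    }
-    "worker-2" = {
-      location = "fsn1"
-    }
+    # "worker-1" = {
+    #   location = "nbg1"
+    # }
+    # "worker-2" = {
+    #   location = "fsn1"
+    # }
   }
+  flake = get_terragrunt_dir()
 }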
+4
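--- a/infra/production/hetzner/helsinki/compute/variables.tf
+++ b/infra/production/hetzner/helsinki/compute/variables.tf
@@ -3,3 +3,7 @@
     location = string
   }))
 }
+
+variable "flake" {
+
+}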
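Review bot: `variable "flake" { }` declares neither `type` nor `description`, so any value type is accepted and the caller in terragrunt.hcl gets no hint of what is expected; main.tf interpolates it straight into `nixos_system_attr`, which nixos-anywhere evaluates on the node. Declare it as `type = string` with `description = "Flake reference whose nixosConfigurations are installed by the nixos-anywhere module"`, matching the typed `object` style used for the variable above it.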