treewide: deployment instructions; qemu

2025-05-12 21:30:36 +01:00 · 2024-09-03 17:25:42 +03:00 · 2024-09-03 17:25:42 +03:00 · c2f4fdbcb3
commit c2f4fdbcb3
parent 7599920aad
5 changed files with 96 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,76 @@
+# hyprland-infra
+
+<!--
+    TODO: proper readme.
+    Things we want:
+      - Onboarding
+      - Adding new services
+      - Easier deployment (?)
+-->
+
+Hyprland Nix infrastructure. Contains non-critical services, which include but
+is not limited to:
+
+- Typhon (Nix build service)
+
+## Networking setup
+
+### Creating a bridge on the host
+
+A bridge is needed to preserve bidirectional connectivity between the host and
+the guest.
+
+Get the current connection's link name. We'll use `<eth0>` throughout this file.
+
+```bash
+$ nmcli con show
+```
+
+```bash
+$ nmcli con add ifname br0 type bridge con-name br0
+$ nmcli con add type bridge-slave ifname <eth0> master br0
+```
+
+If using DHCP:
+
+```bash
+$ nmcli con mod br0 ipv4.method auto
+```
+
+If using static IPs:
+
+```bash
+$ nmcli con mod br0 ipv4.method manual
+$ nmcli con mod br0 ipv4.addresses 10.1.1.16/24
+$ nmcli con mod br0 ipv4.gateway 10.1.1.1
+$ nmcli con mod br0 ipv4.dns '10.1.1.1,1.1.1.1'
+```
+
+We do not need Spanning Tree Protocol, disable it:
+
+```bash
+$ nmcli con mod br0 bridge.stp no
+```
+
+Turn up the bridge:
+
+```bash
+$ nmcli con down <eth0>
+$ nmcli con up br0
+```
+
+To disable `<eth0>` autoconnect and let the bridge do the connection instead:
+
+```bash
+$ nmcli con mod <eth0> connection.autoconnect no
+```
+
+<!--
+    TODO(fufexan): research and add systemd-networkd sample code
+    - raf: The host does not run systemd-networkd. Good to have
+    but definitely not a priority.
+-->
+
+### Setting up QEMU to allow bridges
+
+In `/etc/qemu/bridge.conf` write `allow br0`.
--- a/hosts/caesar/virt.nix
+++ b/hosts/caesar/virt.nix
@ -25,10 +25,11 @@
      vm0.vlan = 1;
    };

+    # mac addr can be anything, especially the last 3 bytes
+    # the OUI is specific to QEMU
    qemu.networkingOptions = [
-      "-net nic,netdev=user.0,model=virtio"
-      "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
-      "hostfwd=tcp::2222-:2222"
+      "-device virtio-net-pci,netdev=user0,mac=52:54:00:00:00:00"
+      "-netdev bridge,id=user0,br=br0"
    ];
  };
 }
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -27,6 +27,7 @@

  sharedModules = [
    inputs.agenix.nixosModules.default
+    ../modules/users.nix
  ];
 in {
  flake.nixosConfigurations = {
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@ -4,12 +4,19 @@ in {
  services.openssh = {
    enable = true;

-    # since this is a VM, use a separate port than the host's
+    # since this is a VM, use a different port than the host's
    ports = [2222];

    settings = {
      PasswordAuthentication = mkForce false;
-      KexAlgorithms = mkForce ["sntrup761x25519-sha512@openssh.com"];
+      KexAlgorithms = mkForce [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "diffie-hellman-group-exchange-sha256"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
      KbdInteractiveAuthentication = mkForce false;
    };
  };
--- a/modules/users.nix
+++ b/modules/users.nix
@ -0,0 +1,6 @@
+{self, ...}: {
+  imports = [
+    "${self}/users/mihai.nix"
+    "${self}/users/raf.nix"
+  ];
+}