Splunk added as Service running in a Kubernetes VM

computer/pc-demo1/default.nix

@@ -5,10 +5,11 @@
 
   beancloud = {
     software = {
-      desktop = true;
-      nextcloud.server.enable = true;
-      gitlab = true;
-      forgejo = true;
+      desktop = false;
+      nextcloud.server.enable = false;
+      gitlab = false;
+      forgejo = false;
+      splunk = true;
     };
     disk.device.name = "vda";
     hardware.virtualmachine.type = "kvm";

flake.nix

@@ -41,6 +41,7 @@
               };
             }
             disko.nixosModules.disko
+            microvm.nixosModules.host
             impermanence.nixosModules.impermanence
             home-manager.nixosModules.home-manager
             ./computer/pc-demo1/default.nix
@@ -80,6 +81,21 @@
             }
           ];
         };
+        k8s = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            {
+              config._module.args = {
+                flake = self;
+              };
+            }
+            microvm.nixosModules.microvm
+            ./virtualmachines/k8s/default.nix
+            ./options.nix
+            ./users/default.nix
+          ];
+        };
+
       };
     };
 }

options.nix

@@ -212,6 +212,11 @@
       default = false;
       description = "beancloud.software.virtualisation to activate the libvirtd daemon and virt-manager";
     };
+    beancloud.software.splunk = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "beancloud.software.splunk to deploy Splunk in a Kubernetes single node instances in the k8s microvm";
+    };
     beancloud.os.kernel.latest = lib.mkOption {
       type = lib.types.bool;
       example = true;

os/default.nix

@@ -11,7 +11,7 @@
     ./locale.nix
     ./network
     ./update.nix
-    ./virtualization.nix
+    ./virtualization
   ];
 
   time.timeZone = "Europe/Berlin";

os/kubernetes.nix

@@ -0,0 +1,21 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  services.k3s = {
+    enable = true;
+    manifests.splunkd = {
+      source = ../software/kubernetes/manifests/splunkd.yaml;
+    };
+  };
+
+  environment.variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+  networking.firewall.allowedTCPPorts = [ 6443 10248 10250 10251 10252 ];
+  
+  environment.systemPackages = with pkgs; [
+    kubectl
+    kubernetes-helm
+  ];
+}

os/network/nat.nix

@@ -3,7 +3,7 @@
 {
   config = lib.mkIf (config.beancloud.network.nat) {
     networking.nat = {
-      enable = config.beancloud.software.gitlab;
+      enable = true;
       internalInterfaces = [ "ve-+" ];
       externalInterface = "${config.beancloud.network.interface.lan}";
       enableIPv6 = false;

os/persistence.nix

@@ -17,125 +17,132 @@
       ];
       files = [
         "/etc/machine-id"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
       ];
     };
   };
-  
-  boot.initrd.preLVMCommands = lib.mkIf (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs") ''
-      WAIT_TIME=5
-      MAX_RETRIES=6
-      ROOT_DEV="/dev/disk/by-label/root"
-      ROOT_DIR=/rootmnt"
 
-      mountPartition() {
-        echo "mount the root / partition"
+  boot.initrd.preLVMCommands =
+    lib.mkIf
+      (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs")
+      ''
+        WAIT_TIME=5
+        MAX_RETRIES=6
+        ROOT_DEV="/dev/disk/by-label/root"
+        ROOT_DIR=/rootmnt"
 
-        echo "create the $ROOT_DIR folder"
-        mkdir -p "$ROOT_DIR"
+        mountPartition() {
+          echo "mount the root / partition"
 
-        COUNTER=1
-        while [ ! -e "$ROOT_DEV" ] || [ ! -e "$ROOT_DIR" ]; do
-          echo "the root partition or the mount folder are not yet available"
-          sleep $WAIT_TIME
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "device check failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
+          echo "create the $ROOT_DIR folder"
+          mkdir -p "$ROOT_DIR"
 
-        COUNTER=1
-        until mount "$ROOT_DEV" $ROOT_DIR; do
-          echo "the root partition has not yet been mounted"
-          sleep "$WAIT_TIME"
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "mount failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
-        echo "mount done"
-      }
+          COUNTER=1
+          while [ ! -e "$ROOT_DEV" ] || [ ! -e "$ROOT_DIR" ]; do
+            echo "the root partition or the mount folder are not yet available"
+            sleep $WAIT_TIME
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "device check failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
 
-      wipePartition() {
-        echo "wipe the content from the / partition"
+          COUNTER=1
+          until mount "$ROOT_DEV" $ROOT_DIR; do
+            echo "the root partition has not yet been mounted"
+            sleep "$WAIT_TIME"
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "mount failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
+          echo "mount done"
+        }
 
-        COUNTER=1
-        until rm -rf "$ROOT_DIR/*"; do
-          echo "the wipe has been failed"
-          sleep 5
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "wipe failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
-        echo "wipe done"
-      }
+        wipePartition() {
+          echo "wipe the content from the / partition"
 
-      umountPartition() {
-        echo "umount the root / partition"
+          COUNTER=1
+          until rm -rf "$ROOT_DIR/*"; do
+            echo "the wipe has been failed"
+            sleep 5
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "wipe failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
+          echo "wipe done"
+        }
 
-        COUNTER=1
-        until umount "$ROOT_DIR"; do
-          echo "umount failed"
-          sleep 5
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+        umountPartition() {
+          echo "umount the root / partition"
+
+          COUNTER=1
+          until umount "$ROOT_DIR"; do
             echo "umount failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
-        echo "umount done"
-      }
+            sleep 5
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "umount failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
+          echo "umount done"
+        }
 
-      loadModules() {
-        echo "load the ext4 module"
+        loadModules() {
+          echo "load the ext4 module"
 
-        COUNTER=1
-        until modprobe ext4; do
-          echo "modprobe ext4 failed"
-          sleep 5
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "modprobe failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
-        echo "modprobe done"
-      }
+          COUNTER=1
+          until modprobe ext4; do
+            echo "modprobe ext4 failed"
+            sleep 5
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "modprobe failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
+          echo "modprobe done"
+        }
 
-      fixPermissions() {
-        echo "fix /var/empty permissions"
+        fixPermissions() {
+          echo "fix /var/empty permissions"
 
-        COUNTER=1
-        until chattr -i -a "$ROOT_DIR/var/empty"; do
-          echo "chattr /var/empty failed"
-          sleep 5
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "chattr failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
+          COUNTER=1
+          until chattr -i -a "$ROOT_DIR/var/empty"; do
+            echo "chattr /var/empty failed"
+            sleep 5
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "chattr failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
 
-        COUNTER=1
-        until chmod 755 "$ROOT_DIR/var/empty"; do
-          echo "chmod /var/empty failed"
-          sleep 5
-          if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
-            echo "chmod failed"
-            exit 1
-          fi
-          COUNTER="$((COUNTER + 1))"
-        done
-        echo "permissions fix done"
-      }
+          COUNTER=1
+          until chmod 755 "$ROOT_DIR/var/empty"; do
+            echo "chmod /var/empty failed"
+            sleep 5
+            if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
+              echo "chmod failed"
+              exit 1
+            fi
+            COUNTER="$((COUNTER + 1))"
+          done
+          echo "permissions fix done"
+        }
 
-      loadModules
-      mountPartition
-      fixPermissions
-      wipePartition
-      umountPartition
-  '';
-}
+        loadModules
+        mountPartition
+        fixPermissions
+        wipePartition
+        umountPartition
+      '';
+}

os/virtualization/default.nix

@@ -31,4 +31,8 @@
       config.beancloud.software.virtualisation || config.beancloud.software.virt-manager
     ) virt-manager)
   ];
+
+    imports = [
+    ./microvm
+  ];
 }

os/virtualization/microvm/default.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  flake,
+  lib,
+  ...
+}:
+
+{
+  config = lib.mkIf (config.beancloud.software.splunk) {
+    microvm = {
+      vms = {
+        k8s = {
+          flake = flake;
+          updateFlake = "git+https://code.beancloud.de/public/nixos-demo.git?ref=${config.beancloud.tier}";
+          restartIfChanged = true;
+        };
+      };
+      autostart = [
+        "k8s"
+      ];
+    };
+
+    environment.persistence = {
+      persistence = {
+        directories = [
+          "/var/lib/microvms/"
+        ];
+      };
+    };
+
+    systemd.network = {
+      networks."${config.beancloud.network.interface.lan}-k8s" = {
+        enable = lib.mkDefault true;
+        matchConfig.Name = [ "${config.beancloud.network.interface.lan}-k8s" ];
+        linkConfig.RequiredForOnline = lib.mkDefault "routable";
+        address = [
+          "192.168.101.1/32"
+        ];
+        routes = [
+          {
+            Destination = "192.168.101.10/32";
+          }
+        ];
+        networkConfig = {
+          IPv4Forwarding = true;
+        };
+      };
+    };
+
+    beancloud.network.nat = true;
+    networking.nat = {
+      internalInterfaces = [ "${config.beancloud.network.interface.lan}-k8s" ];
+      internalIPs = [ "192.168.101.0/24" ];
+      forwardPorts = [
+        {
+          proto = "tcp";
+          sourcePort = 10023;
+          destination = "192.168.101.10:22";
+        }
+        {
+          proto = "tcp";
+          sourcePort = 8000;
+          destination = "192.168.101.10:8000";
+        }
+        {
+          proto = "tcp";
+          sourcePort = 8089;
+          destination = "192.168.101.10:8089";
+        }
+      ];
+    };
+  };
+}

software/default.nix

@@ -15,6 +15,7 @@
     fzf
     git
     htop
+    kubectl
     (lib.mkIf config.beancloud.hardware.macbook inxi)
     jq
     less

software/kubernetes/manifests/splunkd.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: license
+  labels:
+    app: splunk
+    role: splunk_license_master
+    tier: management
+spec:
+  serviceName: license
+  replicas: 1
+  selector:
+    matchLabels:
+      app: splunk
+      role: splunk_license_master
+      tier: management
+  template:
+    metadata:
+      labels:
+        app: splunk
+        role: splunk_license_master
+        tier: management
+    spec:
+      dnsPolicy: ClusterFirst
+      containers:
+        - name: license
+          image: splunk/splunk:9.4.1
+          envFrom:
+            - configMapRef:
+                name: splunk-config
+          env:
+            - name: SPLUNK_ROLE
+              value: splunk_license_master
+          ports:
+            - name: web
+              containerPort: 8000
+            - name: mgmt
+              containerPort: 8089
+          volumeMounts:
+            - name: splunk-license-data
+              mountPath: /opt/splunk/var
+            - name: splunk-license-config
+              mountPath: /opt/splunk/etc
+      volumes:
+        - name: splunk-license
+          configMap:
+            name: splunk-license            
+  volumeClaimTemplates:
+    - metadata:
+        name: splunk-license-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 512M
+    - metadata:
+        name: splunk-license-config
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 512M
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: license
+spec:
+  selector:
+    app: splunk
+  type: LoadBalancer
+  ports:
+    - name: web
+      protocol: TCP
+      port: 8000
+      targetPort: web
+    - name: mgmt
+      protocol: TCP
+      port: 8089
+      targetPort: mgmt
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: splunk-config
+data:
+    SPLUNK_START_ARGS: "--accept-license"
+    SPLUNK_PASSWORD: demo1234
+    SPLUNK_ROLE: splunk_indexer
+    SPLUNK_CLUSTER_MASTER_URL: master
+    SPLUNK_INDEXER_URL: indexer-0,indexer-1,indexer-2
+    SPLUNK_SEARCH_HEAD_URL: search-0,search-1
+    SPLUNK_DEPLOYER_URL: deployer
+    SPLUNK_SEARCH_HEAD_CAPTAIN_URL: captain-0
+    SPLUNK_IDXC_SECRET: demoidx1234
+    SPLUNK_SHC_SECRET: demoshc1234
+    SPLUNK_LICENSE_MASTER_URL: license-master

users/demo/default.nix

@@ -28,17 +28,15 @@
       };
     };
   };
-  
-  environment.persistence = {
-    persistence = {
-      directories = [
-        {
-          directory = "/home/demo";
-          user = "demo";
-          group = "users";
-          mode = "u=rwx,g=,o=";
-        }
-      ];
-    };
+
+  environment.persistence.persistence = {
+    directories = [
+      {
+        directory = "/home/demo";
+        user = "demo";
+        group = "users";
+        mode = "u=rwx,g=,o=";
+      }
+    ];
   };
 }

users/demo/home/gnome.nix

@@ -3,119 +3,122 @@
 {
   # https://nix-community.github.io/home-manager/options.xhtml#opt-dconf.settings
   # https://github.com/nix-community/dconf2nix
-  dconf.settings =
-    let
-      inherit (lib.hm.gvariant) mkUint32;
-    in
-    {
-      "system/locale" = {
-        region = "de_DE.UTF-8";
-      };
+  config = lib.mkIf (osConfig.beancloud.software.desktop) {
+    dconf.settings =
+      let
+        inherit (lib.hm.gvariant) mkUint32;
+      in
+      {
+        "system/locale" = {
+          region = "de_DE.UTF-8";
+        };
 
-      "org/gnome/software" = {
-        download-updates = false;
-        download-updates-notify = false;
-      };
+        "org/gnome/software" = {
+          download-updates = false;
+          download-updates-notify = false;
+        };
 
-      "org/gnome/desktop/calendar" = {
-        show-weekdate = true;
-      };
+        "org/gnome/desktop/calendar" = {
+          show-weekdate = true;
+        };
 
-      "org/gnome/desktop/datetime" = {
-        automatic-timezone = true;
-      };
+        "org/gnome/desktop/datetime" = {
+          automatic-timezone = true;
+        };
 
-      "org/gnome/desktop/interface" = {
-        clock-show-weekday = true;
-        enable-hot-corners = true;
-        color-scheme = "prefer-dark";
-      };
+        "org/gnome/desktop/interface" = {
+          clock-show-weekday = true;
+          enable-hot-corners = true;
+          color-scheme = "prefer-dark";
+        };
 
-      "org/gnome/desktop/session" = {
-        idle-delay = mkUint32 300;
-      };
+        "org/gnome/desktop/session" = {
+          idle-delay = mkUint32 300;
+        };
 
-      "org/gnome/desktop/screensaver" = {
-        lock-enabled = osConfig.beancloud.os.screensaver.lock;
-      };
+        "org/gnome/desktop/screensaver" = {
+          lock-enabled = osConfig.beancloud.os.screensaver.lock;
+        };
 
-      "org/gnome/desktop/peripherals/keyboard" = {
-        numlock-state = true;
-      };
+        "org/gnome/desktop/peripherals/keyboard" = {
+          numlock-state = true;
+        };
 
-      "org/gnome/desktop/peripherals/mouse" = {
-        natural-scroll = true;
-      };
+        "org/gnome/desktop/peripherals/mouse" = {
+          natural-scroll = true;
+        };
 
-      "org/gnome/Console" = {
-        custom-font = "UbuntuMono Nerd Font Mono 13";
-        last-window-maximised = true;
-        use-system-font = true;
-      };
+        "org/gnome/Console" = {
+          custom-font = "UbuntuMono Nerd Font Mono 13";
+          last-window-maximised = true;
+          use-system-font = true;
+        };
 
-      "org/gnome/shell" = {
-        enabled-extensions = [
-          "openbar@neuromorph"
-          "dash-to-dock@micxgx.gmail.com"
-        ];
-        favorite-apps = [
-          "firefox.desktop"
-          "org.gnome.Geary.desktop"
-          "org.gnome.Calendar.desktop"
-          "org.gnome.Music.desktop"
-          "org.gnome.Nautilus.desktop"
-        ];
-      };
+        "org/gnome/shell" = {
+          disable-user-extensions = false;
+          enabled-extensions = [
+            "openbar@neuromorph"
+            "dash-to-dock@micxgx.gmail.com"
+          ];
+          favorite-apps = [
+            "firefox.desktop"
+            "org.gnome.Geary.desktop"
+            "org.gnome.Calendar.desktop"
+            "org.gnome.Music.desktop"
+            "org.gnome.Nautilus.desktop"
+          ];
+        };
 
-      "org/gnome/shell/extensions/dash-to-dock" = {
-        background-opacity = 0.80000000000000004;
-        dash-max-icon-size = 48;
-        dock-position = "RIGHT";
-        extend-height = false;
-        height-fraction = 0.90000000000000002;
-        intellihide-mode = "FOCUS_APPLICATION_WINDOWS";
-        preferred-monitor = -2;
-        preferred-monitor-by-connector = "DP-1";
-      };
+        "org/gnome/shell/extensions/dash-to-dock" = {
+          background-opacity = 0.80000000000000004;
+          dash-max-icon-size = 48;
+          dock-position = "RIGHT";
+          extend-height = false;
+          height-fraction = 0.90000000000000002;
+          intellihide-mode = "FOCUS_APPLICATION_WINDOWS";
+          preferred-monitor = -2;
+          preferred-monitor-by-connector = "DP-1";
+        };
 
-      "org/gnome/shell/extensions/gtk4-ding" = {
-        icon-size = "small";
-      };
+        "org/gnome/shell/extensions/gtk4-ding" = {
+          icon-size = "small";
+        };
 
-      "org/gnome/shell/extensions/openbar" = {
-        bg-change = true;
-        default-font = "UbuntuMono Nerd Font Mono 12";
-        neon-wmax = false;
-        pause-reload = false;
-        reloadstyle = true;
-        trigger-reload = true;
-        shadow = false;
-        wmaxbar = true;
-        autohg-bar = true;
-        autohg-menu = true;
-        trigger-autotheme = true;
-        autotheme-dark = "Dark";
-        autotheme-font = true;
-        autotheme-light = "Pastel";
-        bartype = "Trilands";
-      };
+        "org/gnome/shell/extensions/openbar" = {
+          bg-change = true;
+          default-font = "UbuntuMono Nerd Font Mono 12";
+          neon-wmax = false;
+          pause-reload = false;
+          reloadstyle = true;
+          trigger-reload = true;
+          shadow = false;
+          wmaxbar = true;
+          autohg-bar = true;
+          autohg-menu = true;
+          trigger-autotheme = true;
+          autotheme-dark = "Dark";
+          autotheme-font = true;
+          autotheme-light = "Pastel";
+          bartype = "Trilands";
+        };
 
-      "org/gnome/nautilus/list-view" = {
-        default-zoom-level = "small";
-      };
+        "org/gnome/nautilus/list-view" = {
+          default-zoom-level = "small";
+        };
 
-      "org/gnome/nautilus/preferences" = {
-        default-folder-viewer = "list-view";
-        search-filter-time-type = "last_modified";
-      };
+        "org/gnome/nautilus/preferences" = {
+          default-folder-viewer = "list-view";
+          search-filter-time-type = "last_modified";
+        };
 
-      "org/gnome/settings-daemon/plugins/power" = {
-        power-button-action = "interactive";
-        sleep-inactive-ac-type = "nothing";
-      };
+        "org/gnome/settings-daemon/plugins/power" = {
+          power-button-action = "interactive";
+          sleep-inactive-ac-type = "nothing";
+        };
 
-      "org/gnome/mutter" = {
-        experimental-features = [ "scale-monitor-framebuffer" ];
+        "org/gnome/mutter" = {
+          experimental-features = [ "scale-monitor-framebuffer" ];
+        };
       };
-    };
+  };
 }

users/demo/home/ssh.nix

@@ -1,4 +1,4 @@
-{  ... }:
+{  lib, osConfig, ... }:
 
 {
   programs = {
@@ -12,6 +12,11 @@
           user = "gitea";
           port = 22;
         };
+        k8s = lib.mkIf osConfig.beancloud.software.splunk {
+          hostname = "pc-demo1";
+          user = "demo";
+          port = 10023;
+        };
       };
     };
   };

users/root/default.nix

@@ -1,6 +1,6 @@
 { ... }:
 
-{ 
+{
   users = {
     users = {
       root = {
@@ -16,17 +16,15 @@
       };
     };
   };
-  
-  environment.persistence = {
-    persistence = {
-      directories = [
-        {
-          directory = "/root";
-          user = "root";
-          group = "root";
-          mode = "u=rwx,g=,o=";
-        }
-      ];
-    };
+
+  environment.persistence.persistence = {
+    directories = [
+      {
+        directory = "/root";
+        user = "root";
+        group = "root";
+        mode = "u=rwx,g=,o=";
+      }
+    ];
   };
 }

virtualmachines/k8s/default.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../network.nix
+    ../../os/network/firewall.nix
+    ../../users
+    ../../os/kubernetes.nix
+    ../../software/openssh.nix
+  ];
+
+  microvm = {
+    guest.enable = true;
+    hypervisor = "cloud-hypervisor";
+    mem = 16384;
+    vcpu = 4;
+    interfaces = [
+      {
+        type = "tap";
+        id = "${config.beancloud.network.interface.lan}-${config.networking.hostName}";
+        mac = "1E:62:1E:FF:58:D0";
+      }
+    ];
+    volumes = [
+      {
+        mountPoint = "/";
+        autoCreate = true;
+        fsType = "ext4";
+        label = "root";
+        size = 12288;
+        image = "root.img";
+      }
+    ];
+    shares = [
+      {
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+        tag = "ro-store";
+        proto = "virtiofs";
+      }
+    ];
+  };
+
+  networking.hostName = "k8s";
+  beancloud.network.address = "192.168.101.10";
+  services.k3s.serverAddr = "https://${config.beancloud.network.address}:6443";
+  system.stateVersion = "25.05";
+
+  users = {
+    users = {
+      root = {
+        password = "rootpw";
+      };
+      demo = {
+        password = "demo";
+        uid = 1000;
+        createHome = true;
+        home = "/home/demo";
+        shell = pkgs.bashInteractive;
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+        ];
+      };
+    };
+  };
+
+  services.k3s = {
+    manifests.splunkd = {
+      enable = true;
+    };
+  };
+}

virtualmachines/network.nix

@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+{
+  networking.usePredictableInterfaceNames = false;
+  systemd.network.networks."10-lan" = {
+    enable = lib.mkDefault true;
+    address = [ "${config.beancloud.network.address}/32" ];
+    routes = [
+      {
+        # A route to the host
+        Destination = "192.168.101.1/32";
+        GatewayOnLink = true;
+      }
+      {
+        # Default route
+        Destination = "0.0.0.0/0";
+        Gateway = "192.168.101.1";
+        GatewayOnLink = true;
+      }
+    ];
+    matchConfig.Name = [ "${config.beancloud.network.interface.lan}" ];
+    linkConfig.RequiredForOnline = lib.mkDefault "routable";
+    networkConfig = {
+      DHCP = "no";
+      IPv6AcceptRA = false;
+      DNS = [
+        "9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features
+        "2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features
+      ];
+    };
+  };
+}