Splunk added as Service running in a Kubernetes VM

computer/pc-demo1/default.nix

@@ -5,10 +5,11 @@
 
   beancloud = {
     software = {
-      desktop = true;
+      desktop = false;
-      nextcloud.server.enable = true;
+      nextcloud.server.enable = false;
-      gitlab = true;
+      gitlab = false;
-      forgejo = true;
+      forgejo = false;
+      splunk = true;
     };
     disk.device.name = "vda";
     hardware.virtualmachine.type = "kvm";

flake.nix

@@ -41,6 +41,7 @@
               };
             }
             disko.nixosModules.disko
+            microvm.nixosModules.host
             impermanence.nixosModules.impermanence
             home-manager.nixosModules.home-manager
             ./computer/pc-demo1/default.nix
@@ -80,6 +81,21 @@
             }
           ];
         };
+        k8s = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            {
+              config._module.args = {
+                flake = self;
+              };
+            }
+            microvm.nixosModules.microvm
+            ./virtualmachines/k8s/default.nix
+            ./options.nix
+            ./users/default.nix
+          ];
+        };
+
       };
     };
 }

options.nix

@@ -212,6 +212,11 @@
       default = false;
       description = "beancloud.software.virtualisation to activate the libvirtd daemon and virt-manager";
     };
+    beancloud.software.splunk = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "beancloud.software.splunk to deploy Splunk in a Kubernetes single node instances in the k8s microvm";
+    };
     beancloud.os.kernel.latest = lib.mkOption {
       type = lib.types.bool;
       example = true;

os/default.nix

@@ -11,7 +11,7 @@
     ./locale.nix
     ./network
     ./update.nix
-    ./virtualization.nix
+    ./virtualization
   ];
 
   time.timeZone = "Europe/Berlin";

os/kubernetes.nix

@@ -0,0 +1,21 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  services.k3s = {
+    enable = true;
+    manifests.splunkd = {
+      source = ../software/kubernetes/manifests/splunkd.yaml;
+    };
+  };
+
+  environment.variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+  networking.firewall.allowedTCPPorts = [ 6443 10248 10250 10251 10252 ];
+  
+  environment.systemPackages = with pkgs; [
+    kubectl
+    kubernetes-helm
+  ];
+}

os/network/nat.nix

@@ -3,7 +3,7 @@
 {
   config = lib.mkIf (config.beancloud.network.nat) {
     networking.nat = {
-      enable = config.beancloud.software.gitlab;
+      enable = true;
       internalInterfaces = [ "ve-+" ];
       externalInterface = "${config.beancloud.network.interface.lan}";
       enableIPv6 = false;

os/persistence.nix

@@ -17,11 +17,18 @@
       ];
       files = [
         "/etc/machine-id"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
       ];
     };
   };
 
-  boot.initrd.preLVMCommands = lib.mkIf (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs") ''
+  boot.initrd.preLVMCommands =
+    lib.mkIf
+      (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs")
+      ''
         WAIT_TIME=5
         MAX_RETRIES=6
         ROOT_DEV="/dev/disk/by-label/root"

os/virtualization/default.nix

@@ -31,4 +31,8 @@
       config.beancloud.software.virtualisation || config.beancloud.software.virt-manager
     ) virt-manager)
   ];
+
+    imports = [
+    ./microvm
+  ];
 }

os/virtualization/microvm/default.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  flake,
+  lib,
+  ...
+}:
+
+{
+  config = lib.mkIf (config.beancloud.software.splunk) {
+    microvm = {
+      vms = {
+        k8s = {
+          flake = flake;
+          updateFlake = "git+https://code.beancloud.de/public/nixos-demo.git?ref=${config.beancloud.tier}";
+          restartIfChanged = true;
+        };
+      };
+      autostart = [
+        "k8s"
+      ];
+    };
+
+    environment.persistence = {
+      persistence = {
+        directories = [
+          "/var/lib/microvms/"
+        ];
+      };
+    };
+
+    systemd.network = {
+      networks."${config.beancloud.network.interface.lan}-k8s" = {
+        enable = lib.mkDefault true;
+        matchConfig.Name = [ "${config.beancloud.network.interface.lan}-k8s" ];
+        linkConfig.RequiredForOnline = lib.mkDefault "routable";
+        address = [
+          "192.168.101.1/32"
+        ];
+        routes = [
+          {
+            Destination = "192.168.101.10/32";
+          }
+        ];
+        networkConfig = {
+          IPv4Forwarding = true;
+        };
+      };
+    };
+
+    beancloud.network.nat = true;
+    networking.nat = {
+      internalInterfaces = [ "${config.beancloud.network.interface.lan}-k8s" ];
+      internalIPs = [ "192.168.101.0/24" ];
+      forwardPorts = [
+        {
+          proto = "tcp";
+          sourcePort = 10023;
+          destination = "192.168.101.10:22";
+        }
+        {
+          proto = "tcp";
+          sourcePort = 8000;
+          destination = "192.168.101.10:8000";
+        }
+        {
+          proto = "tcp";
+          sourcePort = 8089;
+          destination = "192.168.101.10:8089";
+        }
+      ];
+    };
+  };
+}

software/default.nix

@@ -15,6 +15,7 @@
     fzf
     git
     htop
+    kubectl
     (lib.mkIf config.beancloud.hardware.macbook inxi)
     jq
     less

software/kubernetes/manifests/splunkd.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: license
+  labels:
+    app: splunk
+    role: splunk_license_master
+    tier: management
+spec:
+  serviceName: license
+  replicas: 1
+  selector:
+    matchLabels:
+      app: splunk
+      role: splunk_license_master
+      tier: management
+  template:
+    metadata:
+      labels:
+        app: splunk
+        role: splunk_license_master
+        tier: management
+    spec:
+      dnsPolicy: ClusterFirst
+      containers:
+        - name: license
+          image: splunk/splunk:9.4.1
+          envFrom:
+            - configMapRef:
+                name: splunk-config
+          env:
+            - name: SPLUNK_ROLE
+              value: splunk_license_master
+          ports:
+            - name: web
+              containerPort: 8000
+            - name: mgmt
+              containerPort: 8089
+          volumeMounts:
+            - name: splunk-license-data
+              mountPath: /opt/splunk/var
+            - name: splunk-license-config
+              mountPath: /opt/splunk/etc
+      volumes:
+        - name: splunk-license
+          configMap:
+            name: splunk-license            
+  volumeClaimTemplates:
+    - metadata:
+        name: splunk-license-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 512M
+    - metadata:
+        name: splunk-license-config
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 512M
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: license
+spec:
+  selector:
+    app: splunk
+  type: LoadBalancer
+  ports:
+    - name: web
+      protocol: TCP
+      port: 8000
+      targetPort: web
+    - name: mgmt
+      protocol: TCP
+      port: 8089
+      targetPort: mgmt
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: splunk-config
+data:
+    SPLUNK_START_ARGS: "--accept-license"
+    SPLUNK_PASSWORD: demo1234
+    SPLUNK_ROLE: splunk_indexer
+    SPLUNK_CLUSTER_MASTER_URL: master
+    SPLUNK_INDEXER_URL: indexer-0,indexer-1,indexer-2
+    SPLUNK_SEARCH_HEAD_URL: search-0,search-1
+    SPLUNK_DEPLOYER_URL: deployer
+    SPLUNK_SEARCH_HEAD_CAPTAIN_URL: captain-0
+    SPLUNK_IDXC_SECRET: demoidx1234
+    SPLUNK_SHC_SECRET: demoshc1234
+    SPLUNK_LICENSE_MASTER_URL: license-master

users/demo/default.nix

@@ -29,8 +29,7 @@
     };
   };
 
-  environment.persistence = {
+  environment.persistence.persistence = {
-    persistence = {
     directories = [
       {
         directory = "/home/demo";
@@ -40,5 +39,4 @@
       }
     ];
   };
-  };
 }

users/demo/home/gnome.nix

@@ -3,6 +3,7 @@
 {
   # https://nix-community.github.io/home-manager/options.xhtml#opt-dconf.settings
   # https://github.com/nix-community/dconf2nix
+  config = lib.mkIf (osConfig.beancloud.software.desktop) {
     dconf.settings =
       let
         inherit (lib.hm.gvariant) mkUint32;
@@ -54,6 +55,7 @@
         };
 
         "org/gnome/shell" = {
+          disable-user-extensions = false;
           enabled-extensions = [
             "openbar@neuromorph"
             "dash-to-dock@micxgx.gmail.com"
@@ -118,4 +120,5 @@
           experimental-features = [ "scale-monitor-framebuffer" ];
         };
       };
+  };
 }

users/demo/home/ssh.nix

@@ -1,4 +1,4 @@
-{  ... }:
+{  lib, osConfig, ... }:
 
 {
   programs = {
@@ -12,6 +12,11 @@
           user = "gitea";
           port = 22;
         };
+        k8s = lib.mkIf osConfig.beancloud.software.splunk {
+          hostname = "pc-demo1";
+          user = "demo";
+          port = 10023;
+        };
       };
     };
   };

users/root/default.nix

@@ -17,8 +17,7 @@
     };
   };
 
-  environment.persistence = {
+  environment.persistence.persistence = {
-    persistence = {
     directories = [
       {
         directory = "/root";
@@ -28,5 +27,4 @@
       }
     ];
   };
-  };
 }

virtualmachines/k8s/default.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../network.nix
+    ../../os/network/firewall.nix
+    ../../users
+    ../../os/kubernetes.nix
+    ../../software/openssh.nix
+  ];
+
+  microvm = {
+    guest.enable = true;
+    hypervisor = "cloud-hypervisor";
+    mem = 16384;
+    vcpu = 4;
+    interfaces = [
+      {
+        type = "tap";
+        id = "${config.beancloud.network.interface.lan}-${config.networking.hostName}";
+        mac = "1E:62:1E:FF:58:D0";
+      }
+    ];
+    volumes = [
+      {
+        mountPoint = "/";
+        autoCreate = true;
+        fsType = "ext4";
+        label = "root";
+        size = 12288;
+        image = "root.img";
+      }
+    ];
+    shares = [
+      {
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+        tag = "ro-store";
+        proto = "virtiofs";
+      }
+    ];
+  };
+
+  networking.hostName = "k8s";
+  beancloud.network.address = "192.168.101.10";
+  services.k3s.serverAddr = "https://${config.beancloud.network.address}:6443";
+  system.stateVersion = "25.05";
+
+  users = {
+    users = {
+      root = {
+        password = "rootpw";
+      };
+      demo = {
+        password = "demo";
+        uid = 1000;
+        createHome = true;
+        home = "/home/demo";
+        shell = pkgs.bashInteractive;
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+        ];
+      };
+    };
+  };
+
+  services.k3s = {
+    manifests.splunkd = {
+      enable = true;
+    };
+  };
+}

virtualmachines/network.nix

@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+{
+  networking.usePredictableInterfaceNames = false;
+  systemd.network.networks."10-lan" = {
+    enable = lib.mkDefault true;
+    address = [ "${config.beancloud.network.address}/32" ];
+    routes = [
+      {
+        # A route to the host
+        Destination = "192.168.101.1/32";
+        GatewayOnLink = true;
+      }
+      {
+        # Default route
+        Destination = "0.0.0.0/0";
+        Gateway = "192.168.101.1";
+        GatewayOnLink = true;
+      }
+    ];
+    matchConfig.Name = [ "${config.beancloud.network.interface.lan}" ];
+    linkConfig.RequiredForOnline = lib.mkDefault "routable";
+    networkConfig = {
+      DHCP = "no";
+      IPv6AcceptRA = false;
+      DNS = [
+        "9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features
+        "2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features
+      ];
+    };
+  };
+}