Splunk added as Service running in a Kubernetes VM

This commit is contained in:
Birk Bohne 2025-07-16 17:24:57 +02:00
parent 02e5ddb00f
commit 5841960b1d
No known key found for this signature in database
17 changed files with 571 additions and 233 deletions


@ -5,10 +5,11 @@
beancloud = { beancloud = {
software = { software = {
desktop = true; desktop = false;
nextcloud.server.enable = true; nextcloud.server.enable = false;
gitlab = true; gitlab = false;
forgejo = true; forgejo = false;
splunk = true;
}; };
disk.device.name = "vda"; disk.device.name = "vda";
hardware.virtualmachine.type = "kvm"; hardware.virtualmachine.type = "kvm";


@ -41,6 +41,7 @@
}; };
} }
disko.nixosModules.disko disko.nixosModules.disko
microvm.nixosModules.host
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
./computer/pc-demo1/default.nix ./computer/pc-demo1/default.nix
@ -80,6 +81,21 @@
} }
]; ];
}; };
k8s = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
{
config._module.args = {
flake = self;
};
}
microvm.nixosModules.microvm
./virtualmachines/k8s/default.nix
./options.nix
./users/default.nix
];
};
}; };
}; };
} }


@ -212,6 +212,11 @@
default = false; default = false;
description = "beancloud.software.virtualisation to activate the libvirtd daemon and virt-manager"; description = "beancloud.software.virtualisation to activate the libvirtd daemon and virt-manager";
}; };
beancloud.software.splunk = lib.mkOption {
type = lib.types.bool;
default = false;
description = "beancloud.software.splunk to deploy Splunk in a Kubernetes single node instances in the k8s microvm";
};
beancloud.os.kernel.latest = lib.mkOption { beancloud.os.kernel.latest = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
example = true; example = true;


@ -11,7 +11,7 @@
./locale.nix ./locale.nix
./network ./network
./update.nix ./update.nix
./virtualization.nix ./virtualization
]; ];
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";

21
os/kubernetes.nix Normal file

@ -0,0 +1,21 @@
{
pkgs,
...
}:
{
services.k3s = {
enable = true;
manifests.splunkd = {
source = ../software/kubernetes/manifests/splunkd.yaml;
};
};
environment.variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
networking.firewall.allowedTCPPorts = [ 6443 10248 10250 10251 10252 ];
environment.systemPackages = with pkgs; [
kubectl
kubernetes-helm
];
}
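Review bot: `networking.firewall.allowedTCPPorts` opens 10250 (the kubelet API) and 10248/10251/10252 on the guest's only interface, but on a single-node k3s server nothing outside the node needs those ports — kubelet and the control-plane components talk to each other locally, and as far as I know 10251/10252 are the old insecure scheduler/controller-manager ports that current Kubernetes no longer serves. Only 6443 is needed for remote kubectl access, so `networking.firewall.allowedTCPPorts = [ 6443 ];` is the least-privilege setting; if a component turns out to need another port, add it back with a comment naming the component. `environment.variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"` points every login shell at the cluster-admin kubeconfig, which k3s writes root-only by default, so non-root users will simply get a permission error — that is fine, but a comment such as `# cluster-admin kubeconfig, root-only on purpose; do not loosen k3s's kubeconfig mode for convenience` would stop someone from "fixing" it the wrong way.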


@ -3,7 +3,7 @@
{ {
config = lib.mkIf (config.beancloud.network.nat) { config = lib.mkIf (config.beancloud.network.nat) {
networking.nat = { networking.nat = {
enable = config.beancloud.software.gitlab; enable = true;
internalInterfaces = [ "ve-+" ]; internalInterfaces = [ "ve-+" ];
externalInterface = "${config.beancloud.network.interface.lan}"; externalInterface = "${config.beancloud.network.interface.lan}";
enableIPv6 = false; enableIPv6 = false;


@ -17,125 +17,132 @@
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
]; ];
}; };
}; };
boot.initrd.preLVMCommands = lib.mkIf (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs") '' boot.initrd.preLVMCommands =
WAIT_TIME=5 lib.mkIf
MAX_RETRIES=6 (config.beancloud.persistence.type != "preservation" && config.beancloud.persistence.root == "fs")
ROOT_DEV="/dev/disk/by-label/root" ''
ROOT_DIR=/rootmnt" WAIT_TIME=5
MAX_RETRIES=6
ROOT_DEV="/dev/disk/by-label/root"
ROOT_DIR=/rootmnt"
mountPartition() { mountPartition() {
echo "mount the root / partition" echo "mount the root / partition"
echo "create the $ROOT_DIR folder" echo "create the $ROOT_DIR folder"
mkdir -p "$ROOT_DIR" mkdir -p "$ROOT_DIR"
COUNTER=1 COUNTER=1
while [ ! -e "$ROOT_DEV" ] || [ ! -e "$ROOT_DIR" ]; do while [ ! -e "$ROOT_DEV" ] || [ ! -e "$ROOT_DIR" ]; do
echo "the root partition or the mount folder are not yet available" echo "the root partition or the mount folder are not yet available"
sleep $WAIT_TIME sleep $WAIT_TIME
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "device check failed" echo "device check failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
COUNTER=1 COUNTER=1
until mount "$ROOT_DEV" $ROOT_DIR; do until mount "$ROOT_DEV" $ROOT_DIR; do
echo "the root partition has not yet been mounted" echo "the root partition has not yet been mounted"
sleep "$WAIT_TIME" sleep "$WAIT_TIME"
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "mount failed" echo "mount failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
echo "mount done" echo "mount done"
} }
wipePartition() { wipePartition() {
echo "wipe the content from the / partition" echo "wipe the content from the / partition"
COUNTER=1 COUNTER=1
until rm -rf "$ROOT_DIR/*"; do until rm -rf "$ROOT_DIR/*"; do
echo "the wipe has been failed" echo "the wipe has been failed"
sleep 5 sleep 5
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "wipe failed" echo "wipe failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
echo "wipe done" echo "wipe done"
} }
umountPartition() { umountPartition() {
echo "umount the root / partition" echo "umount the root / partition"
COUNTER=1 COUNTER=1
until umount "$ROOT_DIR"; do until umount "$ROOT_DIR"; do
echo "umount failed"
sleep 5
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "umount failed" echo "umount failed"
exit 1 sleep 5
fi if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
COUNTER="$((COUNTER + 1))" echo "umount failed"
done exit 1
echo "umount done" fi
} COUNTER="$((COUNTER + 1))"
done
echo "umount done"
}
loadModules() { loadModules() {
echo "load the ext4 module" echo "load the ext4 module"
COUNTER=1 COUNTER=1
until modprobe ext4; do until modprobe ext4; do
echo "modprobe ext4 failed" echo "modprobe ext4 failed"
sleep 5 sleep 5
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "modprobe failed" echo "modprobe failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
echo "modprobe done" echo "modprobe done"
} }
fixPermissions() { fixPermissions() {
echo "fix /var/empty permissions" echo "fix /var/empty permissions"
COUNTER=1 COUNTER=1
until chattr -i -a "$ROOT_DIR/var/empty"; do until chattr -i -a "$ROOT_DIR/var/empty"; do
echo "chattr /var/empty failed" echo "chattr /var/empty failed"
sleep 5 sleep 5
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "chattr failed" echo "chattr failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
COUNTER=1 COUNTER=1
until chmod 755 "$ROOT_DIR/var/empty"; do until chmod 755 "$ROOT_DIR/var/empty"; do
echo "chmod /var/empty failed" echo "chmod /var/empty failed"
sleep 5 sleep 5
if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then if [ "$COUNTER" -eq "$MAX_RETRIES" ]; then
echo "chmod failed" echo "chmod failed"
exit 1 exit 1
fi fi
COUNTER="$((COUNTER + 1))" COUNTER="$((COUNTER + 1))"
done done
echo "permissions fix done" echo "permissions fix done"
} }
loadModules loadModules
mountPartition mountPartition
fixPermissions fixPermissions
wipePartition wipePartition
umountPartition umountPartition
''; '';
} }
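Review bot: Two pre-existing shell defects survive the reformat of `boot.initrd.preLVMCommands`: `ROOT_DIR=/rootmnt"` has an unbalanced double quote that the shell carries into the following lines, and `rm -rf "$ROOT_DIR/*"` quotes the glob, so it only tries to remove a file literally named `*` and reports success without wiping anything — the opposite of what an impermanence root wipe is meant to guarantee. Change them to `ROOT_DIR=/rootmnt` and `until rm -rf "$ROOT_DIR"/*; do`. Because the `lib.mkIf` excludes the `preservation` type, this script may never have run on the author's machines, which would explain why it went unnoticed. Persisting the four SSH host key files is the right call, since regenerating them on every boot would invalidate every client's known_hosts entry. The file's beginning lies outside the hunk.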


@ -31,4 +31,8 @@
config.beancloud.software.virtualisation || config.beancloud.software.virt-manager config.beancloud.software.virtualisation || config.beancloud.software.virt-manager
) virt-manager) ) virt-manager)
]; ];
imports = [
./microvm
];
} }


@ -0,0 +1,73 @@
{
config,
flake,
lib,
...
}:
{
config = lib.mkIf (config.beancloud.software.splunk) {
microvm = {
vms = {
k8s = {
flake = flake;
updateFlake = "git+https://code.beancloud.de/public/nixos-demo.git?ref=${config.beancloud.tier}";
restartIfChanged = true;
};
};
autostart = [
"k8s"
];
};
environment.persistence = {
persistence = {
directories = [
"/var/lib/microvms/"
];
};
};
systemd.network = {
networks."${config.beancloud.network.interface.lan}-k8s" = {
enable = lib.mkDefault true;
matchConfig.Name = [ "${config.beancloud.network.interface.lan}-k8s" ];
linkConfig.RequiredForOnline = lib.mkDefault "routable";
address = [
"192.168.101.1/32"
];
routes = [
{
Destination = "192.168.101.10/32";
}
];
networkConfig = {
IPv4Forwarding = true;
};
};
};
beancloud.network.nat = true;
networking.nat = {
internalInterfaces = [ "${config.beancloud.network.interface.lan}-k8s" ];
internalIPs = [ "192.168.101.0/24" ];
forwardPorts = [
{
proto = "tcp";
sourcePort = 10023;
destination = "192.168.101.10:22";
}
{
proto = "tcp";
sourcePort = 8000;
destination = "192.168.101.10:8000";
}
{
proto = "tcp";
sourcePort = 8089;
destination = "192.168.101.10:8089";
}
];
};
};
}
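Review bot: The `networking.nat.forwardPorts` entries publish the guest's Splunk management/REST port 8089 and its SSH port (as 10023) on the host's `externalInterface`, i.e. the LAN, not just to the host itself; together with the demo credentials in the Splunk manifest and the plaintext user passwords in the VM definition, that makes the guest's administrative surfaces reachable by anyone on that network. Unless remote management is required, drop the 8089 entry and keep only 8000 (the web UI), or add a comment above `forwardPorts` stating why each port must be LAN-reachable. `updateFlake` follows the branch named by `config.beancloud.tier`, so whatever lands on that branch is what this VM will run after an update; a comment such as `# the ${config.beancloud.tier} branch is the trust boundary for this VM's updates` would make that explicit.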


@ -15,6 +15,7 @@
fzf fzf
git git
htop htop
kubectl
(lib.mkIf config.beancloud.hardware.macbook inxi) (lib.mkIf config.beancloud.hardware.macbook inxi)
jq jq
less less


@ -0,0 +1,97 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: license
labels:
app: splunk
role: splunk_license_master
tier: management
spec:
serviceName: license
replicas: 1
selector:
matchLabels:
app: splunk
role: splunk_license_master
tier: management
template:
metadata:
labels:
app: splunk
role: splunk_license_master
tier: management
spec:
dnsPolicy: ClusterFirst
containers:
- name: license
image: splunk/splunk:9.4.1
envFrom:
- configMapRef:
name: splunk-config
env:
- name: SPLUNK_ROLE
value: splunk_license_master
ports:
- name: web
containerPort: 8000
- name: mgmt
containerPort: 8089
volumeMounts:
- name: splunk-license-data
mountPath: /opt/splunk/var
- name: splunk-license-config
mountPath: /opt/splunk/etc
volumes:
- name: splunk-license
configMap:
name: splunk-license
volumeClaimTemplates:
- metadata:
name: splunk-license-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 512M
- metadata:
name: splunk-license-config
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 512M
---
apiVersion: v1
kind: Service
metadata:
name: license
spec:
selector:
app: splunk
type: LoadBalancer
ports:
- name: web
protocol: TCP
port: 8000
targetPort: web
- name: mgmt
protocol: TCP
port: 8089
targetPort: mgmt
---
apiVersion: v1
kind: ConfigMap
metadata:
name: splunk-config
data:
SPLUNK_START_ARGS: "--accept-license"
SPLUNK_PASSWORD: demo1234
SPLUNK_ROLE: splunk_indexer
SPLUNK_CLUSTER_MASTER_URL: master
SPLUNK_INDEXER_URL: indexer-0,indexer-1,indexer-2
SPLUNK_SEARCH_HEAD_URL: search-0,search-1
SPLUNK_DEPLOYER_URL: deployer
SPLUNK_SEARCH_HEAD_CAPTAIN_URL: captain-0
SPLUNK_IDXC_SECRET: demoidx1234
SPLUNK_SHC_SECRET: demoshc1234
SPLUNK_LICENSE_MASTER_URL: license-master
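Review bot: The `splunk-config` ConfigMap carries the admin password (`SPLUNK_PASSWORD`) and the indexer/search-head cluster secrets (`SPLUNK_IDXC_SECRET`, `SPLUNK_SHC_SECRET`) as plain data committed to the repository and readable by anything that can read ConfigMaps in the namespace; these belong in a `Secret` pulled in via `secretRef`, with the values supplied at deploy time rather than from git. Separately, the pod declares a `splunk-license` volume backed by a ConfigMap that no container mounts and that this manifest never creates — the kubelet still sets up every declared volume, so I would expect the pod to sit in ContainerCreating with a "configmap not found" error until that block is removed or marked `optional: true`. The `license` Service selects on `app: splunk` alone, so any future pod with that label (indexers, search heads) would be pooled behind it; add `role: splunk_license_master` to the selector. Note also that `SPLUNK_LICENSE_MASTER_URL` is `license-master` while the Service is named `license`, which may or may not matter for a single license-master pod.
```yaml
# … unchanged: StatefulSet metadata and spec down to the container's envFrom …
        envFrom:
          - configMapRef:
              name: splunk-config
          - secretRef:
              name: splunk-secrets
# … unchanged: env, ports, volumeMounts, volumeClaimTemplates; the unmounted `splunk-license` volume block is removed …
---
apiVersion: v1
kind: Secret
metadata:
  name: splunk-secrets
type: Opaque
stringData:
  SPLUNK_PASSWORD: <set-at-deploy-time>
  SPLUNK_IDXC_SECRET: <set-at-deploy-time>
  SPLUNK_SHC_SECRET: <set-at-deploy-time>
---
# … unchanged: Service (selector extended with role: splunk_license_master) and ConfigMap with the three secret keys removed …
```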


@ -29,16 +29,14 @@
}; };
}; };
environment.persistence = { environment.persistence.persistence = {
persistence = { directories = [
directories = [ {
{ directory = "/home/demo";
directory = "/home/demo"; user = "demo";
user = "demo"; group = "users";
group = "users"; mode = "u=rwx,g=,o=";
mode = "u=rwx,g=,o="; }
} ];
];
};
}; };
} }


@ -3,119 +3,122 @@
{ {
# https://nix-community.github.io/home-manager/options.xhtml#opt-dconf.settings # https://nix-community.github.io/home-manager/options.xhtml#opt-dconf.settings
# https://github.com/nix-community/dconf2nix # https://github.com/nix-community/dconf2nix
dconf.settings = config = lib.mkIf (osConfig.beancloud.software.desktop) {
let dconf.settings =
inherit (lib.hm.gvariant) mkUint32; let
in inherit (lib.hm.gvariant) mkUint32;
{ in
"system/locale" = { {
region = "de_DE.UTF-8"; "system/locale" = {
}; region = "de_DE.UTF-8";
};
"org/gnome/software" = { "org/gnome/software" = {
download-updates = false; download-updates = false;
download-updates-notify = false; download-updates-notify = false;
}; };
"org/gnome/desktop/calendar" = { "org/gnome/desktop/calendar" = {
show-weekdate = true; show-weekdate = true;
}; };
"org/gnome/desktop/datetime" = { "org/gnome/desktop/datetime" = {
automatic-timezone = true; automatic-timezone = true;
}; };
"org/gnome/desktop/interface" = { "org/gnome/desktop/interface" = {
clock-show-weekday = true; clock-show-weekday = true;
enable-hot-corners = true; enable-hot-corners = true;
color-scheme = "prefer-dark"; color-scheme = "prefer-dark";
}; };
"org/gnome/desktop/session" = { "org/gnome/desktop/session" = {
idle-delay = mkUint32 300; idle-delay = mkUint32 300;
}; };
"org/gnome/desktop/screensaver" = { "org/gnome/desktop/screensaver" = {
lock-enabled = osConfig.beancloud.os.screensaver.lock; lock-enabled = osConfig.beancloud.os.screensaver.lock;
}; };
"org/gnome/desktop/peripherals/keyboard" = { "org/gnome/desktop/peripherals/keyboard" = {
numlock-state = true; numlock-state = true;
}; };
"org/gnome/desktop/peripherals/mouse" = { "org/gnome/desktop/peripherals/mouse" = {
natural-scroll = true; natural-scroll = true;
}; };
"org/gnome/Console" = { "org/gnome/Console" = {
custom-font = "UbuntuMono Nerd Font Mono 13"; custom-font = "UbuntuMono Nerd Font Mono 13";
last-window-maximised = true; last-window-maximised = true;
use-system-font = true; use-system-font = true;
}; };
"org/gnome/shell" = { "org/gnome/shell" = {
enabled-extensions = [ disable-user-extensions = false;
"openbar@neuromorph" enabled-extensions = [
"dash-to-dock@micxgx.gmail.com" "openbar@neuromorph"
]; "dash-to-dock@micxgx.gmail.com"
favorite-apps = [ ];
"firefox.desktop" favorite-apps = [
"org.gnome.Geary.desktop" "firefox.desktop"
"org.gnome.Calendar.desktop" "org.gnome.Geary.desktop"
"org.gnome.Music.desktop" "org.gnome.Calendar.desktop"
"org.gnome.Nautilus.desktop" "org.gnome.Music.desktop"
]; "org.gnome.Nautilus.desktop"
}; ];
};
"org/gnome/shell/extensions/dash-to-dock" = { "org/gnome/shell/extensions/dash-to-dock" = {
background-opacity = 0.80000000000000004; background-opacity = 0.80000000000000004;
dash-max-icon-size = 48; dash-max-icon-size = 48;
dock-position = "RIGHT"; dock-position = "RIGHT";
extend-height = false; extend-height = false;
height-fraction = 0.90000000000000002; height-fraction = 0.90000000000000002;
intellihide-mode = "FOCUS_APPLICATION_WINDOWS"; intellihide-mode = "FOCUS_APPLICATION_WINDOWS";
preferred-monitor = -2; preferred-monitor = -2;
preferred-monitor-by-connector = "DP-1"; preferred-monitor-by-connector = "DP-1";
}; };
"org/gnome/shell/extensions/gtk4-ding" = { "org/gnome/shell/extensions/gtk4-ding" = {
icon-size = "small"; icon-size = "small";
}; };
"org/gnome/shell/extensions/openbar" = { "org/gnome/shell/extensions/openbar" = {
bg-change = true; bg-change = true;
default-font = "UbuntuMono Nerd Font Mono 12"; default-font = "UbuntuMono Nerd Font Mono 12";
neon-wmax = false; neon-wmax = false;
pause-reload = false; pause-reload = false;
reloadstyle = true; reloadstyle = true;
trigger-reload = true; trigger-reload = true;
shadow = false; shadow = false;
wmaxbar = true; wmaxbar = true;
autohg-bar = true; autohg-bar = true;
autohg-menu = true; autohg-menu = true;
trigger-autotheme = true; trigger-autotheme = true;
autotheme-dark = "Dark"; autotheme-dark = "Dark";
autotheme-font = true; autotheme-font = true;
autotheme-light = "Pastel"; autotheme-light = "Pastel";
bartype = "Trilands"; bartype = "Trilands";
}; };
"org/gnome/nautilus/list-view" = { "org/gnome/nautilus/list-view" = {
default-zoom-level = "small"; default-zoom-level = "small";
}; };
"org/gnome/nautilus/preferences" = { "org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view"; default-folder-viewer = "list-view";
search-filter-time-type = "last_modified"; search-filter-time-type = "last_modified";
}; };
"org/gnome/settings-daemon/plugins/power" = { "org/gnome/settings-daemon/plugins/power" = {
power-button-action = "interactive"; power-button-action = "interactive";
sleep-inactive-ac-type = "nothing"; sleep-inactive-ac-type = "nothing";
}; };
"org/gnome/mutter" = { "org/gnome/mutter" = {
experimental-features = [ "scale-monitor-framebuffer" ]; experimental-features = [ "scale-monitor-framebuffer" ];
};
}; };
}; };
} }


@ -1,4 +1,4 @@
{ ... }: { lib, osConfig, ... }:
{ {
programs = { programs = {
@ -12,6 +12,11 @@
user = "gitea"; user = "gitea";
port = 22; port = 22;
}; };
k8s = lib.mkIf osConfig.beancloud.software.splunk {
hostname = "pc-demo1";
user = "demo";
port = 10023;
};
}; };
}; };
}; };


@ -17,16 +17,14 @@
}; };
}; };
environment.persistence = { environment.persistence.persistence = {
persistence = { directories = [
directories = [ {
{ directory = "/root";
directory = "/root"; user = "root";
user = "root"; group = "root";
group = "root"; mode = "u=rwx,g=,o=";
mode = "u=rwx,g=,o="; }
} ];
];
};
}; };
} }


@ -0,0 +1,77 @@
{
config,
pkgs,
...
}:
{
imports = [
../network.nix
../../os/network/firewall.nix
../../users
../../os/kubernetes.nix
../../software/openssh.nix
];
microvm = {
guest.enable = true;
hypervisor = "cloud-hypervisor";
mem = 16384;
vcpu = 4;
interfaces = [
{
type = "tap";
id = "${config.beancloud.network.interface.lan}-${config.networking.hostName}";
mac = "1E:62:1E:FF:58:D0";
}
];
volumes = [
{
mountPoint = "/";
autoCreate = true;
fsType = "ext4";
label = "root";
size = 12288;
image = "root.img";
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
networking.hostName = "k8s";
beancloud.network.address = "192.168.101.10";
services.k3s.serverAddr = "https://${config.beancloud.network.address}:6443";
system.stateVersion = "25.05";
users = {
users = {
root = {
password = "rootpw";
};
demo = {
password = "demo";
uid = 1000;
createHome = true;
home = "/home/demo";
shell = pkgs.bashInteractive;
isNormalUser = true;
extraGroups = [
"wheel"
];
};
};
};
services.k3s = {
manifests.splunkd = {
enable = true;
};
};
}
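Review bot: `users.users.root.password = "rootpw"` and `users.users.demo.password = "demo"` set plaintext passwords through the `password` option, which ends up in the world-readable Nix store of the guest (and of the host, whose store is shared into the VM through the `ro-store` virtiofs share), while the guest's SSH port is forwarded to the host's LAN by the microvm host module and `demo` is in `wheel`. Prefer `hashedPassword` (or `hashedPasswordFile` pointing at a file kept outside the store) — e.g. `demo.hashedPassword = "<mkpasswd-output>";` — and consider whether root needs a password at all. Separately, `services.k3s.serverAddr` passes `--server` to k3s, which as far as I know instructs a server node to join an existing cluster at that address; on this single-node server it points at itself and may leave k3s waiting for a cluster that never appears — worth confirming and probably dropping.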


@ -0,0 +1,32 @@
{ config, lib, ... }:
{
networking.usePredictableInterfaceNames = false;
systemd.network.networks."10-lan" = {
enable = lib.mkDefault true;
address = [ "${config.beancloud.network.address}/32" ];
routes = [
{
# A route to the host
Destination = "192.168.101.1/32";
GatewayOnLink = true;
}
{
# Default route
Destination = "0.0.0.0/0";
Gateway = "192.168.101.1";
GatewayOnLink = true;
}
];
matchConfig.Name = [ "${config.beancloud.network.interface.lan}" ];
linkConfig.RequiredForOnline = lib.mkDefault "routable";
networkConfig = {
DHCP = "no";
IPv6AcceptRA = false;
DNS = [
"9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features
"2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features
];
};
};
}
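Review bot: The `DNS` list names Quad9's IPv6 resolver `2620:fe::fe`, but this network configures only a `/32` IPv4 address, no IPv6 address, and `IPv6AcceptRA = false`, so that resolver is unreachable from the guest and can only add failed attempts when the resolver rotates to it. Either drop it and keep `9.9.9.9`, or add an IPv6 address and route if IPv6 is actually intended. A short comment on why `networking.usePredictableInterfaceNames = false` is needed in the guest (presumably so `interface.lan` matches the tap device's name — I cannot see that option's value from here) would help the next reader.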