diff options
author | makefu <github@syntax-fehler.de> | 2023-01-30 23:43:04 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-01-30 23:43:04 +0100 |
commit | 369fa6b7eb3f0fa3e1034bcad438eeda017949f8 (patch) | |
tree | 22f7891595fba32a7e66b755617e0d49b91993f3 /lass/1systems | |
parent | dbc3870841223051e4f617b4c06065c168c69c10 (diff) | |
parent | c7417c8bc1b50d466dae493ac3619d9f324f34f8 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/1systems')
-rw-r--r-- | lass/1systems/aergia/config.nix | 76 | ||||
-rw-r--r-- | lass/1systems/aergia/disk.nix | 64 | ||||
-rw-r--r-- | lass/1systems/aergia/install.sh | 3 | ||||
-rw-r--r-- | lass/1systems/aergia/physical.nix | 86 | ||||
-rw-r--r-- | lass/1systems/aergia/source.nix | 21 | ||||
-rw-r--r-- | lass/1systems/green/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/hilum/disk.nix | 53 | ||||
-rwxr-xr-x | lass/1systems/hilum/flash-stick.sh | 37 | ||||
-rw-r--r-- | lass/1systems/hilum/physical.nix | 43 | ||||
-rw-r--r-- | lass/1systems/neoprism/config.nix | 6 | ||||
-rw-r--r-- | lass/1systems/orange/config.nix | 21 | ||||
-rw-r--r-- | lass/1systems/orange/physical.nix | 7 | ||||
-rw-r--r-- | lass/1systems/radio/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/ubik/config.nix | 33 | ||||
-rw-r--r-- | lass/1systems/ubik/physical.nix | 7 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 11 |
16 files changed, 455 insertions, 17 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix new file mode 100644 index 000000000..ed5bbcf12 --- /dev/null +++ b/lass/1systems/aergia/config.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/exim-retiolum.nix> + <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/pipewire.nix> + <stockholm/lass/2configs/browsers.nix> + <stockholm/lass/2configs/programs.nix> + <stockholm/lass/2configs/network-manager.nix> + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> + <stockholm/lass/2configs/games.nix> + <stockholm/lass/2configs/steam.nix> + <stockholm/lass/2configs/wine.nix> + <stockholm/lass/2configs/fetchWallpaper.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> + <stockholm/lass/2configs/pass.nix> + <stockholm/lass/2configs/mail.nix> + <stockholm/lass/2configs/bitcoin.nix> + # <stockholm/lass/2configs/xonsh.nix> + <stockholm/lass/2configs/review.nix> + <stockholm/lass/2configs/dunst.nix> + <stockholm/lass/2configs/print.nix> + <stockholm/lass/2configs/br.nix> + ]; + + system.stateVersion = "22.11"; + + krebs.build.host = config.krebs.hosts.aergia; + + environment.systemPackages = with pkgs; [ + brain + bank + l-gen-secrets + generate-secrets + ]; + + programs.adb.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + hardware.pulseaudio.package = pkgs.pulseaudioFull; + + lass.browser.config = { + fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; }; + qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; }; + }; + + nix.trustedUsers = [ "root" "lass" ]; + + # nix.extraOptions = '' + # extra-experimental-features = nix-command flakes + # ''; + + services.tor = { + enable = true; + client.enable = true; + }; + + documentation.nixos.enable = true; + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; + + boot.cleanTmpDir = true; + + # vbox + virtualisation.virtualbox.host.enable = true; + users.users.mainUser.extraGroups = [ "vboxusers" ]; +} diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix new file mode 100644 index 000000000..0ae0892ee --- /dev/null +++ b/lass/1systems/aergia/disk.nix @@ -0,0 +1,64 @@ +{ lib, ... }: +{ + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "1GiB"; + fs-type = "fat32"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + type = "partition"; + start = "1GiB"; + end = "100%"; + content = { + type = "luks"; + name = "aergia1"; + content = { + type = "btrfs"; + extraArgs = "-f"; # Override existing partition + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + # Mountpoints inferred from subvolume name + "/home" = { + mountOptions = []; + }; + "/nix" = { + mountOptions = []; + }; + }; + }; + }; + } + ]; + }; + }; + }; +} + diff --git a/lass/1systems/aergia/install.sh b/lass/1systems/aergia/install.sh new file mode 100644 index 000000000..0e4f0ab4c --- /dev/null +++ b/lass/1systems/aergia/install.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +target=$1 diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix new file mode 100644 index 000000000..de5f7540e --- /dev/null +++ b/lass/1systems/aergia/physical.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = [ + ./config.nix + (modulesPath + "/installer/scan/not-detected.nix") + ]; + disko.devices = import ./disk.nix; + + networking.hostId = "deadbeef"; + # boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub = { + enable = true; + device = "/dev/nvme0n1"; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + boot.kernelPackages = pkgs.linuxPackages_latest; + + boot.kernelParams = [ + # Enable energy savings during sleep + "mem_sleep_default=deep" + "initcall_blacklist=acpi_cpufreq_init" + + # for ryzenadj -i + "iomem=relaxed" + ]; + + # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html + # On recent AMD CPUs this can be more energy efficient. + boot.kernelModules = [ "amd-pstate" "kvm-amd" ]; + + # hardware.cpu.amd.updateMicrocode = true; + + services.xserver.videoDrivers = [ + "amdgpu" + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + + environment.systemPackages = [ + pkgs.vulkan-tools + pkgs.ryzenadj + (pkgs.writers.writeDashBin "set_tdp" '' + set -efux + watt=$1 + value=$(( $watt * 1000 )) + ${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value" + '') + ]; + + # textsize + services.xserver.dpi = 200; + hardware.video.hidpi.enable = lib.mkDefault true; + + # corectrl + programs.corectrl.enable = true; + users.users.mainUser.extraGroups = [ "corectrl" ]; + + # use newer ryzenadj + nixpkgs.config.packageOverrides = super: { + ryzenadj = super.ryzenadj.overrideAttrs (old: { + version = "unstable-2023-01-15"; + src = pkgs.fetchFromGitHub { + owner = "FlyGoat"; + repo = "RyzenAdj"; + rev = "1052fb52b2c0e23ac4cd868c4e74d4a9510be57c"; # unstable on 2023-01-15 + sha256 = "sha256-/IxkbQ1XrBrBVrsR4EdV6cbrFr1m+lGwz+rYBqxYG1k="; + }; + }); + }; + + # keyboard quirks + services.xserver.displayManager.sessionCommands = '' + xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert + ''; + services.udev.extraHwdb = /* sh */ '' + # disable back buttons + evdev:input:b0003v2F24p0135* # /dev/input/event2 + KEYBOARD_KEY_70026=reserved + KEYBOARD_KEY_70027=reserved + ''; + + # ignore power key + services.logind.extraConfig = "HandlePowerKey=ignore"; +} diff --git a/lass/1systems/aergia/source.nix b/lass/1systems/aergia/source.nix new file mode 100644 index 000000000..abbf26c75 --- /dev/null +++ b/lass/1systems/aergia/source.nix @@ -0,0 +1,21 @@ +{ lib, pkgs, test, ... }: let + npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; +in { + nixpkgs = (if test then lib.mkForce ({ derivation = let + rev = npkgs.rev; + sha256 = npkgs.sha256; + in '' + with import (builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; + sha256 = "${sha256}"; + }) {}; + pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs"; + rev = "${rev}"; + sha256 = "${sha256}"; + } + ''; }) else { + git.ref = lib.mkForce npkgs.rev; + }); +} diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index cd38c3585..077f7b3fa 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -27,7 +27,7 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.green; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y"; }; diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix new file mode 100644 index 000000000..926401648 --- /dev/null +++ b/lass/1systems/hilum/disk.nix @@ -0,0 +1,53 @@ +{ lib, disk, keyFile, ... }: +{ + disk = { + main = { + type = "disk"; + device = disk; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "50%"; + fs-type = "fat32"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + type = "partition"; + start = "50%"; + end = "100%"; + content = { + type = "luks"; + name = "hilum_luks"; + keyFile = keyFile; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/"; + }; + }; + } + ]; + }; + }; + }; +} + diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh new file mode 100755 index 000000000..17a5fc580 --- /dev/null +++ b/lass/1systems/hilum/flash-stick.sh @@ -0,0 +1,37 @@ +#!/bin/sh +set -efux + +disk=$1 + +export NIXPKGS_ALLOW_UNFREE=1 +(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks) +trap 'rm -f /tmp/hilum.luks' EXIT +stockholm_root=$(git rev-parse --show-toplevel) +ssh root@localhost -t -- $(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + -I stockholm="$stockholm_root" \ + -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ + -E "with import <nixpkgs> {}; (pkgs.nixos [ + { + luksPassFile = \"/tmp/hilum.luks\"; + mainDisk = \"$disk\"; + disko.rootMountPoint = \"/mnt/hilum\"; + } + ./physical.nix + ]).disko" +) +rm -f /tmp/hilum.luks +$(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + "$stockholm_root"/lass/krops.nix -A populate \ + --argstr name hilum \ + --argstr target "root@localhost/mnt/hilum/var/src" \ + --arg force true +) +ssh root@localhost << SSH +NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src +nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader +umount -Rv /mnt/hilum +SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index f8bab57d6..6f160062d 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -1,11 +1,38 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: { imports = [ ./config.nix <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + { + # nice hack to carry around state passed impurely at the beginning + options.mainDisk = let + tryFile = path: default: + if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then + builtins.readFile path + else + default + ; + in lib.mkOption { + type = lib.types.str; + default = tryFile "/etc/hilum-disk" "/dev/sdz"; + }; + config.environment.etc.hilum-disk.text = config.mainDisk; + } + { + options.luksPassFile = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + } ]; + disko.devices = import ./disk.nix { + inherit lib; + disk = config.mainDisk; + keyFile = config.luksPassFile; + }; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; @@ -13,21 +40,9 @@ boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0"; + boot.loader.grub.device = config.mainDisk; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = - { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4"; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2B9E-5131"; - fsType = "vfat"; - }; - swapDevices = [ ]; nix.maxJobs = lib.mkDefault 4; diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 8e5a60c36..7f6be782e 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -9,10 +9,16 @@ <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/yellow-host.nix> <stockholm/lass/2configs/radio/container-host.nix> + <stockholm/lass/2configs/ubik-host.nix> # other containers <stockholm/lass/2configs/riot.nix> ]; krebs.build.host = config.krebs.hosts.neoprism; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx.enable = true; + security.acme.acceptTerms = true; + security.acme.defaults.email = "acme@lassul.us"; } diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix new file mode 100644 index 000000000..3bc20878e --- /dev/null +++ b/lass/1systems/orange/config.nix @@ -0,0 +1,21 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.orange; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + krebs.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l"; + }; +} diff --git a/lass/1systems/orange/physical.nix b/lass/1systems/orange/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/orange/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix index 2fd23a448..5e34335d3 100644 --- a/lass/1systems/radio/config.nix +++ b/lass/1systems/radio/config.nix @@ -17,7 +17,7 @@ with import <stockholm/lib>; defaults.email = "acme@lassul.us"; }; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; }; diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix new file mode 100644 index 000000000..1d836d4ec --- /dev/null +++ b/lass/1systems/ubik/config.nix @@ -0,0 +1,33 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.ubik; + + krebs.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM"; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + services.nextcloud = { + enable = true; + hostName = "c.apanowicz.de"; + package = pkgs.nextcloud25; + config.adminpassFile = "/run/nextcloud.pw"; + https = true; + }; + systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [ + "+${pkgs.writeDash "copy-pw" '' + ${pkgs.rsync}/bin/rsync \ + --chown nextcloud:nextcloud \ + --chmod 0700 \ + /var/src/secrets/nextcloud.pw /run/nextcloud.pw + ''}" + ]; +} diff --git a/lass/1systems/ubik/physical.nix b/lass/1systems/ubik/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/ubik/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 06561e9cf..ff8189e24 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,7 +9,7 @@ in { krebs.build.host = config.krebs.hosts.yellow; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; }; @@ -40,6 +40,7 @@ in { security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -152,6 +153,14 @@ in { proxy_set_header Accept-Encoding ""; ''; }; + virtualHosts."transmission.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:9091/; + proxy_set_header Accept-Encoding ""; + ''; + }; virtualHosts."radar.r" = { enableACME = true; addSSL = true; |