summaryrefslogtreecommitdiffstats
path: root/lass/1systems
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2023-01-30 23:43:04 +0100
committermakefu <github@syntax-fehler.de>2023-01-30 23:43:04 +0100
commit369fa6b7eb3f0fa3e1034bcad438eeda017949f8 (patch)
tree22f7891595fba32a7e66b755617e0d49b91993f3 /lass/1systems
parentdbc3870841223051e4f617b4c06065c168c69c10 (diff)
parentc7417c8bc1b50d466dae493ac3619d9f324f34f8 (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/1systems')
-rw-r--r--lass/1systems/aergia/config.nix76
-rw-r--r--lass/1systems/aergia/disk.nix64
-rw-r--r--lass/1systems/aergia/install.sh3
-rw-r--r--lass/1systems/aergia/physical.nix86
-rw-r--r--lass/1systems/aergia/source.nix21
-rw-r--r--lass/1systems/green/config.nix2
-rw-r--r--lass/1systems/hilum/disk.nix53
-rwxr-xr-xlass/1systems/hilum/flash-stick.sh37
-rw-r--r--lass/1systems/hilum/physical.nix43
-rw-r--r--lass/1systems/neoprism/config.nix6
-rw-r--r--lass/1systems/orange/config.nix21
-rw-r--r--lass/1systems/orange/physical.nix7
-rw-r--r--lass/1systems/radio/config.nix2
-rw-r--r--lass/1systems/ubik/config.nix33
-rw-r--r--lass/1systems/ubik/physical.nix7
-rw-r--r--lass/1systems/yellow/config.nix11
16 files changed, 455 insertions, 17 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix
new file mode 100644
index 000000000..ed5bbcf12
--- /dev/null
+++ b/lass/1systems/aergia/config.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/lass>
+
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/exim-retiolum.nix>
+ <stockholm/lass/2configs/baseX.nix>
+ <stockholm/lass/2configs/pipewire.nix>
+ <stockholm/lass/2configs/browsers.nix>
+ <stockholm/lass/2configs/programs.nix>
+ <stockholm/lass/2configs/network-manager.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/sync/sync.nix>
+ <stockholm/lass/2configs/games.nix>
+ <stockholm/lass/2configs/steam.nix>
+ <stockholm/lass/2configs/wine.nix>
+ <stockholm/lass/2configs/fetchWallpaper.nix>
+ <stockholm/lass/2configs/yellow-mounts/samba.nix>
+ <stockholm/lass/2configs/pass.nix>
+ <stockholm/lass/2configs/mail.nix>
+ <stockholm/lass/2configs/bitcoin.nix>
+ # <stockholm/lass/2configs/xonsh.nix>
+ <stockholm/lass/2configs/review.nix>
+ <stockholm/lass/2configs/dunst.nix>
+ <stockholm/lass/2configs/print.nix>
+ <stockholm/lass/2configs/br.nix>
+ ];
+
+ system.stateVersion = "22.11";
+
+ krebs.build.host = config.krebs.hosts.aergia;
+
+ environment.systemPackages = with pkgs; [
+ brain
+ bank
+ l-gen-secrets
+ generate-secrets
+ ];
+
+ programs.adb.enable = true;
+
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ hardware.pulseaudio.package = pkgs.pulseaudioFull;
+
+ lass.browser.config = {
+ fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; };
+ qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; };
+ };
+
+ nix.trustedUsers = [ "root" "lass" ];
+
+ # nix.extraOptions = ''
+ # extra-experimental-features = nix-command flakes
+ # '';
+
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+
+ documentation.nixos.enable = true;
+ boot.binfmt.emulatedSystems = [
+ "aarch64-linux"
+ ];
+
+ boot.cleanTmpDir = true;
+
+ # vbox
+ virtualisation.virtualbox.host.enable = true;
+ users.users.mainUser.extraGroups = [ "vboxusers" ];
+}
diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix
new file mode 100644
index 000000000..0ae0892ee
--- /dev/null
+++ b/lass/1systems/aergia/disk.nix
@@ -0,0 +1,64 @@
+{ lib, ... }:
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ type = "partition";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = ["bios_grub"];
+ }
+ {
+ type = "partition";
+ name = "ESP";
+ start = "1MiB";
+ end = "1GiB";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ type = "partition";
+ start = "1GiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "aergia1";
+ content = {
+ type = "btrfs";
+ extraArgs = "-f"; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ # Mountpoints inferred from subvolume name
+ "/home" = {
+ mountOptions = [];
+ };
+ "/nix" = {
+ mountOptions = [];
+ };
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+}
+
diff --git a/lass/1systems/aergia/install.sh b/lass/1systems/aergia/install.sh
new file mode 100644
index 000000000..0e4f0ab4c
--- /dev/null
+++ b/lass/1systems/aergia/install.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+target=$1
diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix
new file mode 100644
index 000000000..de5f7540e
--- /dev/null
+++ b/lass/1systems/aergia/physical.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports = [
+ ./config.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+ disko.devices = import ./disk.nix;
+
+ networking.hostId = "deadbeef";
+ # boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/nvme0n1";
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ boot.kernelParams = [
+ # Enable energy savings during sleep
+ "mem_sleep_default=deep"
+ "initcall_blacklist=acpi_cpufreq_init"
+
+ # for ryzenadj -i
+ "iomem=relaxed"
+ ];
+
+ # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html
+ # On recent AMD CPUs this can be more energy efficient.
+ boot.kernelModules = [ "amd-pstate" "kvm-amd" ];
+
+ # hardware.cpu.amd.updateMicrocode = true;
+
+ services.xserver.videoDrivers = [
+ "amdgpu"
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+
+ environment.systemPackages = [
+ pkgs.vulkan-tools
+ pkgs.ryzenadj
+ (pkgs.writers.writeDashBin "set_tdp" ''
+ set -efux
+ watt=$1
+ value=$(( $watt * 1000 ))
+ ${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value"
+ '')
+ ];
+
+ # textsize
+ services.xserver.dpi = 200;
+ hardware.video.hidpi.enable = lib.mkDefault true;
+
+ # corectrl
+ programs.corectrl.enable = true;
+ users.users.mainUser.extraGroups = [ "corectrl" ];
+
+ # use newer ryzenadj
+ nixpkgs.config.packageOverrides = super: {
+ ryzenadj = super.ryzenadj.overrideAttrs (old: {
+ version = "unstable-2023-01-15";
+ src = pkgs.fetchFromGitHub {
+ owner = "FlyGoat";
+ repo = "RyzenAdj";
+ rev = "1052fb52b2c0e23ac4cd868c4e74d4a9510be57c"; # unstable on 2023-01-15
+ sha256 = "sha256-/IxkbQ1XrBrBVrsR4EdV6cbrFr1m+lGwz+rYBqxYG1k=";
+ };
+ });
+ };
+
+ # keyboard quirks
+ services.xserver.displayManager.sessionCommands = ''
+ xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
+ '';
+ services.udev.extraHwdb = /* sh */ ''
+ # disable back buttons
+ evdev:input:b0003v2F24p0135* # /dev/input/event2
+ KEYBOARD_KEY_70026=reserved
+ KEYBOARD_KEY_70027=reserved
+ '';
+
+ # ignore power key
+ services.logind.extraConfig = "HandlePowerKey=ignore";
+}
diff --git a/lass/1systems/aergia/source.nix b/lass/1systems/aergia/source.nix
new file mode 100644
index 000000000..abbf26c75
--- /dev/null
+++ b/lass/1systems/aergia/source.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, test, ... }: let
+ npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
+in {
+ nixpkgs = (if test then lib.mkForce ({ derivation = let
+ rev = npkgs.rev;
+ sha256 = npkgs.sha256;
+ in ''
+ with import (builtins.fetchTarball {
+ url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
+ sha256 = "${sha256}";
+ }) {};
+ pkgs.fetchFromGitHub {
+ owner = "nixos";
+ repo = "nixpkgs";
+ rev = "${rev}";
+ sha256 = "${sha256}";
+ }
+ ''; }) else {
+ git.ref = lib.mkForce npkgs.rev;
+ });
+}
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index cd38c3585..077f7b3fa 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -27,7 +27,7 @@ with import <stockholm/lib>;
krebs.build.host = config.krebs.hosts.green;
- lass.sync-containers3.inContainer = {
+ krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix
new file mode 100644
index 000000000..926401648
--- /dev/null
+++ b/lass/1systems/hilum/disk.nix
@@ -0,0 +1,53 @@
+{ lib, disk, keyFile, ... }:
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = disk;
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ type = "partition";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = ["bios_grub"];
+ }
+ {
+ type = "partition";
+ name = "ESP";
+ start = "1MiB";
+ end = "50%";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ type = "partition";
+ start = "50%";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "hilum_luks";
+ keyFile = keyFile;
+ content = {
+ type = "filesystem";
+ format = "xfs";
+ mountpoint = "/";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+}
+
diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh
new file mode 100755
index 000000000..17a5fc580
--- /dev/null
+++ b/lass/1systems/hilum/flash-stick.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -efux
+
+disk=$1
+
+export NIXPKGS_ALLOW_UNFREE=1
+(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks)
+trap 'rm -f /tmp/hilum.luks' EXIT
+stockholm_root=$(git rev-parse --show-toplevel)
+ssh root@localhost -t -- $(nix-build \
+ --no-out-link \
+ -I nixpkgs=/var/src/nixpkgs \
+ -I stockholm="$stockholm_root" \
+ -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
+ -E "with import <nixpkgs> {}; (pkgs.nixos [
+ {
+ luksPassFile = \"/tmp/hilum.luks\";
+ mainDisk = \"$disk\";
+ disko.rootMountPoint = \"/mnt/hilum\";
+ }
+ ./physical.nix
+ ]).disko"
+)
+rm -f /tmp/hilum.luks
+$(nix-build \
+ --no-out-link \
+ -I nixpkgs=/var/src/nixpkgs \
+ "$stockholm_root"/lass/krops.nix -A populate \
+ --argstr name hilum \
+ --argstr target "root@localhost/mnt/hilum/var/src" \
+ --arg force true
+)
+ssh root@localhost << SSH
+NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src
+nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
+umount -Rv /mnt/hilum
+SSH
diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix
index f8bab57d6..6f160062d 100644
--- a/lass/1systems/hilum/physical.nix
+++ b/lass/1systems/hilum/physical.nix
@@ -1,11 +1,38 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+ {
+ # nice hack to carry around state passed impurely at the beginning
+ options.mainDisk = let
+ tryFile = path: default:
+ if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then
+ builtins.readFile path
+ else
+ default
+ ;
+ in lib.mkOption {
+ type = lib.types.str;
+ default = tryFile "/etc/hilum-disk" "/dev/sdz";
+ };
+ config.environment.etc.hilum-disk.text = config.mainDisk;
+ }
+ {
+ options.luksPassFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ }
];
+ disko.devices = import ./disk.nix {
+ inherit lib;
+ disk = config.mainDisk;
+ keyFile = config.luksPassFile;
+ };
+
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
@@ -13,21 +40,9 @@
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
- boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0";
+ boot.loader.grub.device = config.mainDisk;
boot.loader.grub.efiInstallAsRemovable = true;
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2";
- fsType = "ext4";
- };
-
- boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4";
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/2B9E-5131";
- fsType = "vfat";
- };
-
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
index 8e5a60c36..7f6be782e 100644
--- a/lass/1systems/neoprism/config.nix
+++ b/lass/1systems/neoprism/config.nix
@@ -9,10 +9,16 @@
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/yellow-host.nix>
<stockholm/lass/2configs/radio/container-host.nix>
+ <stockholm/lass/2configs/ubik-host.nix>
# other containers
<stockholm/lass/2configs/riot.nix>
];
krebs.build.host = config.krebs.hosts.neoprism;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx.enable = true;
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "acme@lassul.us";
}
diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix
new file mode 100644
index 000000000..3bc20878e
--- /dev/null
+++ b/lass/1systems/orange/config.nix
@@ -0,0 +1,21 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs>
+ <stockholm/lass/2configs/retiolum.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.orange;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@lassul.us";
+ };
+
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l";
+ };
+}
diff --git a/lass/1systems/orange/physical.nix b/lass/1systems/orange/physical.nix
new file mode 100644
index 000000000..8577daf34
--- /dev/null
+++ b/lass/1systems/orange/physical.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = true;
+}
diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix
index 2fd23a448..5e34335d3 100644
--- a/lass/1systems/radio/config.nix
+++ b/lass/1systems/radio/config.nix
@@ -17,7 +17,7 @@ with import <stockholm/lib>;
defaults.email = "acme@lassul.us";
};
- lass.sync-containers3.inContainer = {
+ krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt";
};
diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix
new file mode 100644
index 000000000..1d836d4ec
--- /dev/null
+++ b/lass/1systems/ubik/config.nix
@@ -0,0 +1,33 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs>
+ <stockholm/lass/2configs/retiolum.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.ubik;
+
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.nextcloud = {
+ enable = true;
+ hostName = "c.apanowicz.de";
+ package = pkgs.nextcloud25;
+ config.adminpassFile = "/run/nextcloud.pw";
+ https = true;
+ };
+ systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [
+ "+${pkgs.writeDash "copy-pw" ''
+ ${pkgs.rsync}/bin/rsync \
+ --chown nextcloud:nextcloud \
+ --chmod 0700 \
+ /var/src/secrets/nextcloud.pw /run/nextcloud.pw
+ ''}"
+ ];
+}
diff --git a/lass/1systems/ubik/physical.nix b/lass/1systems/ubik/physical.nix
new file mode 100644
index 000000000..8577daf34
--- /dev/null
+++ b/lass/1systems/ubik/physical.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = true;
+}
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 06561e9cf..ff8189e24 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -9,7 +9,7 @@ in {
krebs.build.host = config.krebs.hosts.yellow;
- lass.sync-containers3.inContainer = {
+ krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
};
@@ -40,6 +40,7 @@ in {
security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
+ security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
package = pkgs.nginx.override {
@@ -152,6 +153,14 @@ in {
proxy_set_header Accept-Encoding "";
'';
};
+ virtualHosts."transmission.r" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:9091/;
+ proxy_set_header Accept-Encoding "";
+ '';
+ };
virtualHosts."radar.r" = {
enableACME = true;
addSSL = true;