palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

working on orbi

Browse source
This commit is contained in:
Ingolf Wagner 2024-02-16 22:21:05 +01:00
parent 4d79e88566
commit c97adde5f4
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
8 changed files with 159 additions and 175 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
flake.lock
View file

@ -1039,6 +1039,22 @@
"type": "github"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1707929101,
"narHash": "sha256-mF639zYYhQ6+LZgIP33weVdOmLbY7GHAhK+XsIFEEqU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4dec2a6e52b5d910b428468680707f7f73a1219f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nose": {
"flake": false,
"locked": {
@ -1285,6 +1301,11 @@
"secrets": "secrets",
"smoke": "smoke",
"sops-nix": "sops-nix",
"srvos": "srvos",
"srvos_nixpkgs": [
"srvos",
"nixpkgs"
],
"stylix": "stylix",
"taskshell": "taskshell"
}
@ -1397,6 +1418,24 @@
"type": "github"
}
},
"srvos": {
"inputs": {
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1708003942,
"narHash": "sha256-M0d1ouJUVCDiorvuAXifrR03geHGAf+3ELD7kuayWfI=",
"owner": "nix-community",
"repo": "srvos",
"rev": "e19a0dc562b1df371772d90613f91c2a6b1839b3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "srvos",
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",

31
flake.nix
View file

@ -51,6 +51,8 @@
url = "github:Mic92/retiolum";
#url = "git+file:///home/palo/dev/nixos/retiolum";
};
srvos.url = "github:nix-community/srvos";
srvos_nixpkgs.follows = "srvos/nixpkgs";
landingpage = {
#url = "git+file:///home/palo/dev/landingpage";
url = "github:mrVanDalo/landingpage";
@ -110,6 +112,8 @@
, private_assets
, retiolum
, secrets
, srvos
, srvos_nixpkgs
, smoke
, sops-nix
, stylix
@ -122,9 +126,9 @@
inherit (nixpkgs) lib;
meta = rec {
meta = {nixpackages ? nixpkgs}: rec {
system = "x86_64-linux";
pkgs = import nixpkgs {
pkgs = import nixpackages {
inherit system;
config.allowUnfree = true;
config.permittedInsecurePackages = [
@ -179,9 +183,10 @@
{ name
, host ? "${name}.private"
, modules
, nixpackages ? nixpkgs
}:
nixosSystem {
inherit (meta) system specialArgs pkgs;
inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs;
modules = modules ++ defaultModules ++ [
{
_module.args.nixinate = {
@ -355,6 +360,21 @@
}
];
};
orbi = nixosConfigurationSetup {
name = "orbi";
host = "95.216.66.212";
modules = [
homeManagerModules
srvos.nixosModules.hardware-hetzner-online-intel
srvos.nixosModules.server
srvos.nixosModules.mixins-terminfo
{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
robi = nixosConfigurationSetup {
name = "robi";
modules = [
@ -370,8 +390,3 @@
};
}

2
nixos/components/mainUser.nix
View file

@ -59,7 +59,7 @@ in
users = {
mutableUsers = true;
mutableUsers = lib.mkDefault true;
defaultUserShell = pkgs.zsh;

113
nixos/machines/orbi/configuration.nix
View file

@ -1,110 +1,87 @@
{ lib, config, pkgs, ... }: {
imports = [
../../system/all/nginx.nix
#../../system/all/nginx.nix
../../system/all/borg-jobs.nix
../../system/all/defaults.nix
../../system/server/packages.nix
../../components
../../modules
./disko-config.nix
./hetzner.nix
# services
./borg.nix
./codimd.nix
./gitea.nix
./nextcloud.nix
./packages.nix
./taskserver.nix
./vaultwarden.nix
./nginx.nix
./nginx-wkd.nix
#./borg.nix
#./codimd.nix
#./gitea.nix
#./nextcloud.nix
#./packages.nix
#./taskserver.nix
#./vaultwarden.nix
#./nginx.nix
#./nginx-wkd.nix
./network-tinc.nix
./network-wireguard.nix
#./network-tinc.nix
#./network-wireguard.nix
./media-share.nix
./media-jellyfin.nix
./media-syncthing.nix
./media-transmission.nix
./media-transmission2.nix
./media-arr.nix
#./media-tdarr.nix
#./media-unmanic.nix
#./media-share.nix
#./media-jellyfin.nix
#./media-syncthing.nix
#./media-transmission.nix
#./media-transmission2.nix
#./media-arr.nix
./sync-opentracker.nix
./sync-torrent.nix
#./sync-opentracker.nix
#./sync-torrent.nix
#./social-jitsi.nix
# matrix
./terranix-dendrite.nix
# ------
#./terranix-dendrite.nix
# logging
./loki.nix
./loki-promtail.nix
./prometheus.nix
./grafana.nix
#./loki.nix
#./loki-promtail.nix
##./prometheus.nix
#./grafana.nix
./telegraf.nix
./cache.nix
#./cache.nix
];
components.terminal.enable = true;
components.mainUser.enable = true;
components.gui.enable = false;
components.network.enable = true;
components.network.wifi.enable = false;
# 2 hours = 2 * 60 * 60 = 7200 seconds
#services.netdata.config.global.history = 7200;
# 4 hours = 4 * 60 * 60 = 14440 seconds
services.netdata.config.global.history = 14440;
# 24 hours = 24 * 60 * 60 = 86400 seconds
#services.netdata.config.global.history = 86400;
services.sshguard.enable = true;
# Shell configuration
# -------------------
#programs.custom. zsh.enable = true;
users.users.root.shell = pkgs.zsh;
security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de";
sops.defaultSopsFile = ../../secrets/robi.yaml;
# virtualisation.docker.enable = false;
services.printing.enable = false;
services.smartd.enable = true;
# chungus rsync
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ];
fileSystems."/var/lib/nextcloud" =
{
device = "/dev/vg/nextcloud";
fsType = "ext4";
};
fileSystems."/var/lib/borgbackup" =
{
device = "/dev/vg/borg";
fsType = "ext4";
};
fileSystems."/media" =
{
device = "/dev/vg/media";
fsType = "ext4";
};
# usually part of the wifi.nix module
# because Networkd-wait-online is just failing.
#systemd.services.systemd-networkd-wait-online.enable = false;
systemd.services.NetworkManager-wait-online.enable = false;
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
};
boot.loader.grub.mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/sda" ]; }
{ path = "/boot-2"; devices = [ "/dev/sdb" ]; }
];
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
boot.supportedFilesystems = [ "zfs" ];
# head -c4 /dev/urandom | od -A none -t x4
networking.hostId = "5bb982a6";
}

33
nixos/machines/orbi/disko-config.nix
View file

@ -39,14 +39,15 @@ in
{
name = "zfs";
start = "500MiB";
size = "500GB";
end = "500GiB";
content = {
type = "luks";
name = "root_${disk}";
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
# for example use `echo -n "password" > /run/secret.key`
# or use nixos-anywhere --disk-encryption-keys /run/secret.key <local-path>
keyFile = "/run/secret.key";
allowDiscards = true;
};
content = {
@ -57,13 +58,14 @@ in
}
{
name = "zfs";
size = "100%";
start = "500GiB";
end = "100%";
content = {
type = "luks";
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
# for example use `echo -n "password" > /run/secret.key`
keyFile = "/run/secret.key";
allowDiscards = true;
};
name = "media_${disk}";
@ -75,8 +77,7 @@ in
}
];
};
}
);
} );
zpool = {
@ -123,22 +124,22 @@ in
options = {
mountpoint = "legacy";
compression = "lz4";
"com.sun:auto-snapshot:daily" = false;
"com.sun:auto-snapshot:weekly" = false;
"com.sun:auto-snapshot:monthly" = false;
#"com.sun:auto-snapshot:daily" = false;
#"com.sun:auto-snapshot:weekly" = false;
#"com.sun:auto-snapshot:monthly" = false;
};
};
# todo make sure this disk has some minimum space
"nextcloud" = {
type = "zfs_fs";
mountpoint = "/var/lib/nextcloud/";
mountpoint = "/var/lib/nextcloud";
options = {
mountpoint = "legacy";
compression = "lz4";
"com.sun:auto-snapshot:hourly" = true;
"com.sun:auto-snapshot:daily" = true;
"com.sun:auto-snapshot:weekly" = false;
"com.sun:auto-snapshot:monthly" = false;
"com.sun:auto-snapshot:hourly" = toString true;
"com.sun:auto-snapshot:daily" = toString true;
#"com.sun:auto-snapshot:weekly" = false;
#"com.sun:auto-snapshot:monthly" = false;
};
};
};

26
nixos/machines/orbi/hardware-configuration.nix
View file

@ -4,35 +4,11 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/d6a794d2-1da4-4457-9a9a-a39bf9521ae4";
fsType = "ext4";
};
fileSystems."/boot-1" =
{
device = "/dev/disk/by-uuid/519D-F289";
fsType = "vfat";
};
fileSystems."/boot-2" =
{
device = "/dev/disk/by-uuid/519E-6EF1";
fsType = "vfat";
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

88
nixos/machines/orbi/hetzner.nix
View file

@ -2,7 +2,7 @@
let
hostName = "robi";
hostName = "orbi";
# apt install -y lshw
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
@ -13,13 +13,13 @@ let
# From the Hetzner control panel
ipv4 = {
address = "144.76.13.147"; # the ip address
gateway = "144.76.13.129"; # the gateway ip address
netmask = "255.255.255.224"; # the netmask -- might not be the same for you!
prefixLength = 27; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
address = "95.216.66.212"; # the ip address
gateway = "95.216.66.193"; # the gateway ip address
netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
};
ipv6 = {
address = "2a01:4f8:190:9147::1"; # the ipv6 addres
address = "2a01:4f9:2b:326::2"; # the ipv6 addres
gateway = "fe80::1"; # the ipv6 gateway
prefixLength = 64; # shown in the control panel
};
@ -30,59 +30,32 @@ in
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
# ./hardware-configuration.nix
];
# needed lvm for raid
boot.initrd.kernelModules = [
"dm-snapshot"
"dm_mirror"
"dm_raid"
"dm_region_hash"
];
#boot.initrd.kernelModules = [ ];
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
};
# This will mirror all UEFI files, kernels, grub menus and
# things needed to boot to the other drive.
boot.loader.grub.mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/sda" ]; }
{ path = "/boot-2"; devices = [ "/dev/sdb" ]; }
];
# We want to still be able to boot without one of these
fileSystems."/boot-1".options = [ "nofail" ];
fileSystems."/boot-2".options = [ "nofail" ];
boot.initrd.luks.reusePassphrases = true;
boot.initrd.luks.devices = {
a_encrypted = {
device = "/dev/sda3";
preLVM = true;
};
b_encrypted = {
device = "/dev/sdb3";
preLVM = true;
};
};
#boot.loader.systemd-boot.enable = false;
#boot.loader.grub = {
# enable = true;
# efiSupport = false;
#};
networking.hostName = hostName;
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces.${networkInterface} = {
ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
};
networking.defaultGateway = ipv4.gateway;
networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
networking.nameservers = [ "8.8.8.8" ];
#networking.useDHCP = false;
#networking.interfaces.${networkInterface} = {
# ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
# ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
#};
#networking.defaultGateway = ipv4.gateway;
#networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
#networking.nameservers = [ "8.8.8.8" "1.1.1.1" ];
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
# Initial empty root password for easy login:
users.users.root.initialHashedPassword = "";
@ -96,18 +69,21 @@ in
];
services.openssh.enable = true;
services.sshguard.enable = true;
system.stateVersion = "21.05";
system.stateVersion = "23.11";
# enable ssh on init
# ------------------
boot.kernelParams = [
# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
# The server ip refers to the NFS server -- we don't need it.
"ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
];
#boot.kernelParams = [
# # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
# # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
# # The server ip refers to the NFS server -- we don't need it.
# "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
#];
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.availableKernelModules = [ networkInterfaceModule ];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {

2
nixos/system/all/defaults.nix
View file

@ -12,7 +12,7 @@
# some system stuff
# -----------------
time.timeZone = lib.mkDefault "Europe/Berlin";
time.timeZone = "Europe/Berlin";
#time.timeZone = lib.mkDefault "Pacific/Auckland";
#time.timeZone = lib.mkDefault "Asia/Singapore";
#time.timeZone = lib.mkDefault "Asia/Makassar";