From c97adde5f44cbfa1446476ff0b7f7483acd7ecc3 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Fri, 16 Feb 2024 22:21:05 +0100 Subject: [PATCH] working on orbi --- flake.lock | 39 ++++++ flake.nix | 31 +++-- nixos/components/mainUser.nix | 2 +- nixos/machines/orbi/configuration.nix | 113 +++++++----------- nixos/machines/orbi/disko-config.nix | 33 ++--- .../machines/orbi/hardware-configuration.nix | 26 +--- nixos/machines/orbi/hetzner.nix | 88 +++++--------- nixos/system/all/defaults.nix | 2 +- 8 files changed, 159 insertions(+), 175 deletions(-)
diff --git a/flake.lock b/flake.lock
index e478452..ac73972 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1039,6 +1039,22 @@
 "type": "github"
 }
 },
+ "nixpkgs_8": {
+ "locked": {
+ "lastModified": 1707929101,
+ "narHash": "sha256-mF639zYYhQ6+LZgIP33weVdOmLbY7GHAhK+XsIFEEqU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4dec2a6e52b5d910b428468680707f7f73a1219f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nose": {
 "flake": false,
 "locked": {
@@ -1285,6 +1301,11 @@
 "secrets": "secrets",
 "smoke": "smoke",
 "sops-nix": "sops-nix",
+ "srvos": "srvos",
+ "srvos_nixpkgs": [
+ "srvos",
+ "nixpkgs"
+ ],
 "stylix": "stylix",
 "taskshell": "taskshell"
 }
@@ -1397,6 +1418,24 @@
 "type": "github"
 }
 },
+ "srvos": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_8"
+ },
+ "locked": {
+ "lastModified": 1708003942,
+ "narHash": "sha256-M0d1ouJUVCDiorvuAXifrR03geHGAf+3ELD7kuayWfI=",
+ "owner": "nix-community",
+ "repo": "srvos",
+ "rev": "e19a0dc562b1df371772d90613f91c2a6b1839b3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "srvos",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
diff --git a/flake.nix b/flake.nix
index d848fc4..4cdb83b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,6 +51,8 @@ url = "github:Mic92/retiolum"; #url = "git+file:///home/palo/dev/nixos/retiolum"; }; + srvos.url = "github:nix-community/srvos"; + srvos_nixpkgs.follows = "srvos/nixpkgs"; landingpage = { #url = "git+file:///home/palo/dev/landingpage"; url = "github:mrVanDalo/landingpage"; @@ -110,6 +112,8 @@ , private_assets , retiolum , secrets + , srvos + , srvos_nixpkgs , smoke , sops-nix , stylix @@ -122,9 +126,9 @@ inherit (nixpkgs) lib; - meta = rec { + meta = {nixpackages ? nixpkgs}: rec { system = "x86_64-linux"; - pkgs = import nixpkgs { + pkgs = import nixpackages { inherit system; config.allowUnfree = true; config.permittedInsecurePackages = [ @@ -179,9 +183,10 @@ { name , host ? "${name}.private" , modules + , nixpackages ? nixpkgs }: nixosSystem { - inherit (meta) system specialArgs pkgs; + inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs; modules = modules ++ defaultModules ++ [ { _module.args.nixinate = { @@ -355,6 +360,21 @@ } ]; }; + orbi = nixosConfigurationSetup { + name = "orbi"; + host = "95.216.66.212"; + modules = [ + homeManagerModules + srvos.nixosModules.hardware-hetzner-online-intel + srvos.nixosModules.server + srvos.nixosModules.mixins-terminfo + { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; robi = nixosConfigurationSetup { name = "robi"; modules = [ @@ -370,8 +390,3 @@ }; } - - - - - diff --git a/nixos/components/mainUser.nix b/nixos/components/mainUser.nix index 21b4d29..4805d9e 100644 --- a/nixos/components/mainUser.nix +++ b/nixos/components/mainUser.nix @@ -59,7 +59,7 @@ in users = { - mutableUsers = true; + mutableUsers = lib.mkDefault true; defaultUserShell = pkgs.zsh; diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix index 9b4a38e..9b64665 100644 --- a/nixos/machines/orbi/configuration.nix 
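Review bot: The new `nixpackages` parameter is never passed for `orbi`, so as far as the hunk shows the host is still evaluated against the repo's own `nixpkgs` even though a separate `srvos_nixpkgs` input (locked as `nixpkgs_8`, nixos-unstable-small) was added for exactly this purpose; adding `nixpackages = srvos_nixpkgs;` to the `orbi` block, or dropping the unused input, would close that gap. The call `inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs;` reads more naturally as `inherit (meta { inherit nixpackages; }) system specialArgs pkgs;`. `host = "95.216.66.212"` deploys over the public address rather than the `${name}.private` default the other hosts use, and since this is a fresh install nothing in the patch pins the new SSH host key, so the first deploy is trust-on-first-use — a `programs.ssh.knownHosts` entry on the deploying machine, or a comment stating that TOFU is intended, would make that explicit. The `nixosConfigurationSetup` body continues outside the hunk.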
+++ b/nixos/machines/orbi/configuration.nix 
@@ -1,110 +1,87 @@ { lib, config, pkgs, ... }: { imports = [ - ../../system/all/nginx.nix + #../../system/all/nginx.nix ../../system/all/borg-jobs.nix ../../system/all/defaults.nix ../../system/server/packages.nix ../../components - ../../modules + ./disko-config.nix ./hetzner.nix # services - ./borg.nix - ./codimd.nix - ./gitea.nix - ./nextcloud.nix - ./packages.nix - ./taskserver.nix - ./vaultwarden.nix - ./nginx.nix - ./nginx-wkd.nix + #./borg.nix + #./codimd.nix + #./gitea.nix + #./nextcloud.nix + #./packages.nix + #./taskserver.nix + #./vaultwarden.nix + #./nginx.nix + #./nginx-wkd.nix - ./network-tinc.nix - ./network-wireguard.nix + #./network-tinc.nix + #./network-wireguard.nix - ./media-share.nix - ./media-jellyfin.nix - ./media-syncthing.nix - ./media-transmission.nix - ./media-transmission2.nix - ./media-arr.nix - #./media-tdarr.nix - #./media-unmanic.nix + #./media-share.nix + #./media-jellyfin.nix + #./media-syncthing.nix + #./media-transmission.nix + #./media-transmission2.nix + #./media-arr.nix - ./sync-opentracker.nix - ./sync-torrent.nix + #./sync-opentracker.nix + #./sync-torrent.nix #./social-jitsi.nix # matrix - ./terranix-dendrite.nix + # ------ + #./terranix-dendrite.nix # logging - ./loki.nix - ./loki-promtail.nix - ./prometheus.nix - ./grafana.nix + #./loki.nix + #./loki-promtail.nix + ##./prometheus.nix + #./grafana.nix ./telegraf.nix - ./cache.nix + #./cache.nix ]; + components.terminal.enable = true; components.mainUser.enable = true; components.gui.enable = false; - components.network.enable = true; components.network.wifi.enable = false; - # 2 hours = 2 * 60 * 60 = 7200 seconds - #services.netdata.config.global.history = 7200; - # 4 hours = 4 * 60 * 60 = 14440 seconds - services.netdata.config.global.history = 14440; - # 24 hours = 24 * 60 * 60 = 86400 seconds - #services.netdata.config.global.history = 86400; - - services.sshguard.enable = true; - - # Shell configuration - # ------------------- - #programs.custom. 
zsh.enable = true; users.users.root.shell = pkgs.zsh; security.acme.acceptTerms = true; security.acme.defaults.email = "contact@ingolf-wagner.de"; sops.defaultSopsFile = ../../secrets/robi.yaml; - # virtualisation.docker.enable = false; - services.printing.enable = false; + services.smartd.enable = true; - # chungus rsync - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ]; - fileSystems."/var/lib/nextcloud" = - { - device = "/dev/vg/nextcloud"; - fsType = "ext4"; - }; - - fileSystems."/var/lib/borgbackup" = - { - device = "/dev/vg/borg"; - fsType = "ext4"; - }; - - fileSystems."/media" = - { - device = "/dev/vg/media"; - fsType = "ext4"; - }; - - # usually part of the wifi.nix module - # because Networkd-wait-online is just failing. - #systemd.services.systemd-networkd-wait-online.enable = false; - systemd.services.NetworkManager-wait-online.enable = false; + # Use GRUB2 as the boot loader. + # We don't use systemd-boot because Hetzner uses BIOS legacy boot. + boot.loader.systemd-boot.enable = false; + boot.loader.grub = { + enable = true; + efiSupport = false; + }; + boot.loader.grub.mirroredBoots = [ + { path = "/boot-1"; devices = [ "/dev/sda" ]; } + { path = "/boot-2"; devices = [ "/dev/sdb" ]; } + ]; + boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!) + boot.supportedFilesystems = [ "zfs" ]; + # head -c4 /dev/urandom | od -A none -t x4 + networking.hostId = "5bb982a6"; } diff --git a/nixos/machines/orbi/disko-config.nix b/nixos/machines/orbi/disko-config.nix index 1d489ad..a3c5aec 100644 --- a/nixos/machines/orbi/disko-config.nix +++ b/nixos/machines/orbi/disko-config.nix 
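Review bot: `sops.defaultSopsFile = ../../secrets/robi.yaml;` is carried over unchanged into the new `orbi` host, so its secrets are the ones encrypted for robi; unless orbi's age recipient (derived from its fresh host key) is added to that file activation cannot decrypt anything, and if it is added the two hosts end up sharing one secret set — a separate `sops.defaultSopsFile = ../../secrets/orbi.yaml;` is the usual split. `boot.loader.grub.mirroredBoots` names its targets `/dev/sda` and `/dev/sdb`; those names follow enumeration order and can swap after a disk replacement, so if the disko config declares its disks by `/dev/disk/by-id/...` the same stable paths should be used here so GRUB lands on the intended drives. The `# head -c4 /dev/urandom | od -A none -t x4` comment on `networking.hostId` is useful, but it should add that the id must never be regenerated once the ZFS pool exists, e.g. `# generated once with: head -c4 /dev/urandom | od -A none -t x4 -- do not change, the pool import depends on it`.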
@@ -39,14 +39,15 @@ in { name = "zfs"; start = "500MiB"; - size = "500GB"; + end = "500GiB"; content = { type = "luks"; name = "root_${disk}"; settings = { # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - keyFile = "/tmp/secret.key"; + # for example use `echo -n "password" > /run/secret.key` + # or use nixos-anywhere --disk-encryption-keys /run/secret.key + keyFile = "/run/secret.key"; allowDiscards = true; }; content = { @@ -57,13 +58,14 @@ in } { name = "zfs"; - size = "100%"; + start = "500GiB"; + end = "100%"; content = { type = "luks"; settings = { # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - keyFile = "/tmp/secret.key"; + # for example use `echo -n "password" > /run/secret.key` + keyFile = "/run/secret.key"; allowDiscards = true; }; name = "media_${disk}"; @@ -75,8 +77,7 @@ in } ]; }; - } - ); + } ); zpool = { @@ -123,22 +124,22 @@ in options = { mountpoint = "legacy"; compression = "lz4"; - "com.sun:auto-snapshot:daily" = false; - "com.sun:auto-snapshot:weekly" = false; - "com.sun:auto-snapshot:monthly" = false; + #"com.sun:auto-snapshot:daily" = false; + #"com.sun:auto-snapshot:weekly" = false; + #"com.sun:auto-snapshot:monthly" = false; }; }; # todo make sure this disk has some minimum space "nextcloud" = { type = "zfs_fs"; - mountpoint = "/var/lib/nextcloud/"; + mountpoint = "/var/lib/nextcloud"; options = { mountpoint = "legacy"; compression = "lz4"; - "com.sun:auto-snapshot:hourly" = true; - "com.sun:auto-snapshot:daily" = true; - "com.sun:auto-snapshot:weekly" = false; - "com.sun:auto-snapshot:monthly" = false; + "com.sun:auto-snapshot:hourly" = toString true; + "com.sun:auto-snapshot:daily" = toString true; + #"com.sun:auto-snapshot:weekly" = false; + #"com.sun:auto-snapshot:monthly" = false; }; }; }; 
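Review bot: `"com.sun:auto-snapshot:hourly" = toString true;` evaluates to the string `"1"` (Nix's `toString true` is `"1"` and `toString false` is `""`), which is not the `true`/`false` value the zfs-auto-snapshot tooling matches on, so as I read it the hourly and daily snapshots of the `nextcloud` dataset will silently never be taken; write the literal instead, `"com.sun:auto-snapshot:hourly" = "true";` and `"com.sun:auto-snapshot:daily" = "true";`, and the commented-out weekly/monthly lines can come back as `"false"`. Moving `keyFile` from `/tmp/secret.key` to `/run/secret.key` keeps the LUKS passphrase on a tmpfs instead of a possibly disk-backed path, which is the right direction. The comment could add that `nixos-anywhere --disk-encryption-keys` takes the remote path followed by the local path, so the reader knows the key is supplied from the deploying machine and never has to be written on the target by hand.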
diff --git a/nixos/machines/orbi/hardware-configuration.nix b/nixos/machines/orbi/hardware-configuration.nix index 31cbc51..3a99b1b 100644 --- a/nixos/machines/orbi/hardware-configuration.nix +++ b/nixos/machines/orbi/hardware-configuration.nix @@ -4,35 +4,11 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/d6a794d2-1da4-4457-9a9a-a39bf9521ae4"; - fsType = "ext4"; - }; - - fileSystems."/boot-1" = - { - device = "/dev/disk/by-uuid/519D-F289"; - fsType = "vfat"; - }; - - fileSystems."/boot-2" = - { - device = "/dev/disk/by-uuid/519E-6EF1"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/nixos/machines/orbi/hetzner.nix b/nixos/machines/orbi/hetzner.nix index 0adbb30..3acab2b 100644 --- a/nixos/machines/orbi/hetzner.nix +++ b/nixos/machines/orbi/hetzner.nix @@ -2,7 +2,7 @@ let - hostName = "robi"; + hostName = "orbi"; # apt install -y lshw # lshw -C network | grep -Poh 'driver=[[:alnum:]]+' 
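Review bot: This file is no longer imported anywhere visible in the patch — the `./hardware-configuration.nix` import in `hetzner.nix` is commented out in the same commit — so the settings that survive here (`boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ];`, `dm-snapshot`, `kvm-intel`) are dead unless the srvos Hetzner hardware module supplies equivalents. Either delete the file or restore the import; a half-pruned hardware scan left in the tree invites the assumption that its modules are still applied. The removal of the `fileSystems` and `swapDevices` entries is consistent with disko taking over the layout.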
@@ -13,13 +13,13 @@ let # From the Hetzner control panel ipv4 = { - address = "144.76.13.147"; # the ip address - gateway = "144.76.13.129"; # the gateway ip address - netmask = "255.255.255.224"; # the netmask -- might not be the same for you! - prefixLength = 27; # must match the netmask, see + address = "95.216.66.212"; # the ip address + gateway = "95.216.66.193"; # the gateway ip address + netmask = "255.255.255.192"; # the netmask -- might not be the same for you! + prefixLength = 26; # must match the netmask, see }; ipv6 = { - address = "2a01:4f8:190:9147::1"; # the ipv6 addres + address = "2a01:4f9:2b:326::2"; # the ipv6 addres gateway = "fe80::1"; # the ipv6 gateway prefixLength = 64; # shown in the control panel }; 
@@ -30,59 +30,32 @@ in imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + # ./hardware-configuration.nix ]; # needed lvm for raid - boot.initrd.kernelModules = [ - "dm-snapshot" - "dm_mirror" - "dm_raid" - "dm_region_hash" - ]; + #boot.initrd.kernelModules = [ ]; # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. - boot.loader.systemd-boot.enable = false; - boot.loader.grub = { - enable = true; - efiSupport = false; - }; - - # This will mirror all UEFI files, kernels, grub menus and - # things needed to boot to the other drive. - boot.loader.grub.mirroredBoots = [ - { path = "/boot-1"; devices = [ "/dev/sda" ]; } - { path = "/boot-2"; devices = [ "/dev/sdb" ]; } - ]; - - # We want to still be able to boot without one of these - fileSystems."/boot-1".options = [ "nofail" ]; - fileSystems."/boot-2".options = [ "nofail" ]; - - boot.initrd.luks.reusePassphrases = true; - boot.initrd.luks.devices = { - a_encrypted = { - device = "/dev/sda3"; - preLVM = true; - }; - b_encrypted = { - device = "/dev/sdb3"; - preLVM = true; - }; - }; + #boot.loader.systemd-boot.enable = false; + #boot.loader.grub = { + # enable = true; + # efiSupport = false; + #}; networking.hostName = hostName; # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here) - networking.useDHCP = false; - networking.interfaces.${networkInterface} = { - ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; }; - ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; }; - }; - networking.defaultGateway = ipv4.gateway; - networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; }; - networking.nameservers = [ "8.8.8.8" ]; + #networking.useDHCP = false; + #networking.interfaces.${networkInterface} = { + # ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; }; + # ipv6 = { 
addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; }; + #}; + #networking.defaultGateway = ipv4.gateway; + #networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; }; + #networking.nameservers = [ "8.8.8.8" "1.1.1.1" ]; + systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address; # Initial empty root password for easy login: users.users.root.initialHashedPassword = ""; @@ -96,18 +69,21 @@ in ]; services.openssh.enable = true; + services.sshguard.enable = true; - system.stateVersion = "21.05"; + system.stateVersion = "23.11"; # enable ssh on init # ------------------ - boot.kernelParams = [ - # See for docs on this - # ip=::::::::: - # The server ip refers to the NFS server -- we don't need it. - "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8" - ]; + #boot.kernelParams = [ + # # See for docs on this + # # ip=::::::::: + # # The server ip refers to the NFS server -- we don't need it. + # "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8" + #]; + + boot.kernelParams = [ "ip=dhcp" ]; boot.initrd.availableKernelModules = [ networkInterfaceModule ]; boot.initrd.network.enable = true; boot.initrd.network.ssh = { diff --git a/nixos/system/all/defaults.nix b/nixos/system/all/defaults.nix index 78db4cc..6fcac20 100644 --- a/nixos/system/all/defaults.nix +++ b/nixos/system/all/defaults.nix @@ -12,7 +12,7 @@ # some system stuff # ----------------- - time.timeZone = lib.mkDefault "Europe/Berlin"; + time.timeZone = "Europe/Berlin"; #time.timeZone = lib.mkDefault "Pacific/Auckland"; #time.timeZone = lib.mkDefault "Asia/Singapore"; #time.timeZone = lib.mkDefault "Asia/Makassar";
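Review bot: `boot.kernelParams = [ "ip=dhcp" ];` makes the initrd SSH used for the remote LUKS unlock depend on a DHCP answer for the primary address instead of the static `ipv4` block, which the previous hunk still updates but which is now consumed nowhere; if DHCP is the intended path for this host, the `ipv4` values and the commented `networking.*` block should go, otherwise the static `ip=…` parameter should stay as the fallback so the machine remains reachable for unlocking. `systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;` presumably relies on a `10-uplink` network declared by `srvos.nixosModules.hardware-hetzner-online-intel`; a comment naming that dependency, e.g. `# "10-uplink" comes from the srvos Hetzner hardware module`, would save the next reader a search. The large commented-out blocks (`#boot.initrd.kernelModules`, `#boot.loader.*`, `#networking.*`, `#boot.kernelParams`) are history the VCS already keeps and are better removed. `boot.initrd.network.ssh = {` continues outside the hunk.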
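Review bot: Dropping `lib.mkDefault` from `time.timeZone = "Europe/Berlin";` raises the definition to normal priority, so any host that sets `time.timeZone` without a priority modifier will now fail with a conflicting-definition error instead of overriding the default. If the intent is to win over a competing `mkDefault` from an imported module (srvos presumably sets its own default), `time.timeZone = lib.mkOverride 900 "Europe/Berlin";` keeps per-host overrides working while still beating module defaults. The commented alternatives below still carry `mkDefault`, so they would not behave the same way if uncommented.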