working on orbi

This commit is contained in:
Ingolf Wagner 2024-02-16 22:21:05 +01:00
parent 4d79e88566
commit c97adde5f4
Signed by: palo
GPG key ID: 76BF5F1928B9618B
8 changed files with 159 additions and 175 deletions


@ -1039,6 +1039,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_8": {
"locked": {
"lastModified": 1707929101,
"narHash": "sha256-mF639zYYhQ6+LZgIP33weVdOmLbY7GHAhK+XsIFEEqU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4dec2a6e52b5d910b428468680707f7f73a1219f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nose": { "nose": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1285,6 +1301,11 @@
"secrets": "secrets", "secrets": "secrets",
"smoke": "smoke", "smoke": "smoke",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"srvos": "srvos",
"srvos_nixpkgs": [
"srvos",
"nixpkgs"
],
"stylix": "stylix", "stylix": "stylix",
"taskshell": "taskshell" "taskshell": "taskshell"
} }
@ -1397,6 +1418,24 @@
"type": "github" "type": "github"
} }
}, },
"srvos": {
"inputs": {
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1708003942,
"narHash": "sha256-M0d1ouJUVCDiorvuAXifrR03geHGAf+3ELD7kuayWfI=",
"owner": "nix-community",
"repo": "srvos",
"rev": "e19a0dc562b1df371772d90613f91c2a6b1839b3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "srvos",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",


@ -51,6 +51,8 @@
url = "github:Mic92/retiolum"; url = "github:Mic92/retiolum";
#url = "git+file:///home/palo/dev/nixos/retiolum"; #url = "git+file:///home/palo/dev/nixos/retiolum";
}; };
srvos.url = "github:nix-community/srvos";
srvos_nixpkgs.follows = "srvos/nixpkgs";
landingpage = { landingpage = {
#url = "git+file:///home/palo/dev/landingpage"; #url = "git+file:///home/palo/dev/landingpage";
url = "github:mrVanDalo/landingpage"; url = "github:mrVanDalo/landingpage";
@ -110,6 +112,8 @@
, private_assets , private_assets
, retiolum , retiolum
, secrets , secrets
, srvos
, srvos_nixpkgs
, smoke , smoke
, sops-nix , sops-nix
, stylix , stylix
@ -122,9 +126,9 @@
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
meta = rec { meta = {nixpackages ? nixpkgs}: rec {
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpackages {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
config.permittedInsecurePackages = [ config.permittedInsecurePackages = [
@ -179,9 +183,10 @@
{ name { name
, host ? "${name}.private" , host ? "${name}.private"
, modules , modules
, nixpackages ? nixpkgs
}: }:
nixosSystem { nixosSystem {
inherit (meta) system specialArgs pkgs; inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs;
modules = modules ++ defaultModules ++ [ modules = modules ++ defaultModules ++ [
{ {
_module.args.nixinate = { _module.args.nixinate = {
@ -355,6 +360,21 @@
} }
]; ];
}; };
orbi = nixosConfigurationSetup {
name = "orbi";
host = "95.216.66.212";
modules = [
homeManagerModules
srvos.nixosModules.hardware-hetzner-online-intel
srvos.nixosModules.server
srvos.nixosModules.mixins-terminfo
{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
robi = nixosConfigurationSetup { robi = nixosConfigurationSetup {
name = "robi"; name = "robi";
modules = [ modules = [
@ -370,8 +390,3 @@
}; };
} }
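Review bot: `meta` turns from an attribute set into a function in the `@ -122` hunk, so any other `inherit (meta) …` or `meta.…` consumer outside these hunks now fails at evaluation (a function has no attributes) unless it is rewritten like the one call site updated in `@ -179`; only that one caller is visible here, so the rest need checking. The new `orbi` entry in `@ -355` pulls in the `srvos` modules but does not pass `nixpackages`, so despite the new `srvos_nixpkgs` input it still evaluates against the repo's own `nixpkgs`; if the srvos pin was the reason for the parameter, add `nixpackages = srvos_nixpkgs;` to that entry. Minor style: `meta { nixpackages = nixpackages; }` reads more idiomatically as `meta { inherit nixpackages; }`. The enclosing `outputs` function starts and ends outside the hunks shown.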


@ -59,7 +59,7 @@ in
users = { users = {
mutableUsers = true; mutableUsers = lib.mkDefault true;
defaultUserShell = pkgs.zsh; defaultUserShell = pkgs.zsh;
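Review bot: The switch to `lib.mkDefault true` carries no comment, so a reader cannot tell which host or module is expected to override it, and a host that flips it to `false` locks out every user whose password or SSH keys are not declared in its configuration. Suggest a comment on the changed line such as `# mkDefault so individual hosts (presumably the srvos-based server) can set mutableUsers = false` — adjust to whatever actually overrides it, which is outside this hunk. The enclosing `users` attribute set continues past the hunk.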


@ -1,110 +1,87 @@
{ lib, config, pkgs, ... }: { { lib, config, pkgs, ... }: {
imports = [ imports = [
../../system/all/nginx.nix #../../system/all/nginx.nix
../../system/all/borg-jobs.nix ../../system/all/borg-jobs.nix
../../system/all/defaults.nix ../../system/all/defaults.nix
../../system/server/packages.nix ../../system/server/packages.nix
../../components ../../components
../../modules ../../modules
./disko-config.nix
./hetzner.nix ./hetzner.nix
# services # services
./borg.nix #./borg.nix
./codimd.nix #./codimd.nix
./gitea.nix #./gitea.nix
./nextcloud.nix #./nextcloud.nix
./packages.nix #./packages.nix
./taskserver.nix #./taskserver.nix
./vaultwarden.nix #./vaultwarden.nix
./nginx.nix #./nginx.nix
./nginx-wkd.nix #./nginx-wkd.nix
./network-tinc.nix #./network-tinc.nix
./network-wireguard.nix #./network-wireguard.nix
./media-share.nix #./media-share.nix
./media-jellyfin.nix #./media-jellyfin.nix
./media-syncthing.nix #./media-syncthing.nix
./media-transmission.nix #./media-transmission.nix
./media-transmission2.nix #./media-transmission2.nix
./media-arr.nix #./media-arr.nix
#./media-tdarr.nix
#./media-unmanic.nix
./sync-opentracker.nix #./sync-opentracker.nix
./sync-torrent.nix #./sync-torrent.nix
#./social-jitsi.nix #./social-jitsi.nix
# matrix # matrix
./terranix-dendrite.nix # ------
#./terranix-dendrite.nix
# logging # logging
./loki.nix #./loki.nix
./loki-promtail.nix #./loki-promtail.nix
./prometheus.nix ##./prometheus.nix
./grafana.nix #./grafana.nix
./telegraf.nix ./telegraf.nix
./cache.nix #./cache.nix
]; ];
components.terminal.enable = true; components.terminal.enable = true;
components.mainUser.enable = true; components.mainUser.enable = true;
components.gui.enable = false; components.gui.enable = false;
components.network.enable = true; components.network.enable = true;
components.network.wifi.enable = false; components.network.wifi.enable = false;
# 2 hours = 2 * 60 * 60 = 7200 seconds
#services.netdata.config.global.history = 7200;
# 4 hours = 4 * 60 * 60 = 14440 seconds
services.netdata.config.global.history = 14440;
# 24 hours = 24 * 60 * 60 = 86400 seconds
#services.netdata.config.global.history = 86400;
services.sshguard.enable = true;
# Shell configuration
# -------------------
#programs.custom. zsh.enable = true;
users.users.root.shell = pkgs.zsh; users.users.root.shell = pkgs.zsh;
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de"; security.acme.defaults.email = "contact@ingolf-wagner.de";
sops.defaultSopsFile = ../../secrets/robi.yaml; sops.defaultSopsFile = ../../secrets/robi.yaml;
# virtualisation.docker.enable = false;
services.printing.enable = false;
services.smartd.enable = true; services.smartd.enable = true;
# chungus rsync # Use GRUB2 as the boot loader.
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ]; # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
fileSystems."/var/lib/nextcloud" = boot.loader.systemd-boot.enable = false;
{ boot.loader.grub = {
device = "/dev/vg/nextcloud"; enable = true;
fsType = "ext4"; efiSupport = false;
}; };
boot.loader.grub.mirroredBoots = [
fileSystems."/var/lib/borgbackup" = { path = "/boot-1"; devices = [ "/dev/sda" ]; }
{ { path = "/boot-2"; devices = [ "/dev/sdb" ]; }
device = "/dev/vg/borg"; ];
fsType = "ext4";
};
fileSystems."/media" =
{
device = "/dev/vg/media";
fsType = "ext4";
};
# usually part of the wifi.nix module
# because Networkd-wait-online is just failing.
#systemd.services.systemd-networkd-wait-online.enable = false;
systemd.services.NetworkManager-wait-online.enable = false;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
boot.supportedFilesystems = [ "zfs" ];
# head -c4 /dev/urandom | od -A none -t x4
networking.hostId = "5bb982a6";
} }
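Review bot: `sops.defaultSopsFile = ../../secrets/robi.yaml;` is carried over unchanged for a host this commit renames to `orbi` (hetzner.nix now sets `hostName = "orbi"`), so the new machine decrypts robi's whole secret bundle; if sops-nix recipients are derived from each host's SSH host key, orbi's key must be added to that file's recipients before activation or every secret fails to decrypt, and if secrets are meant to be per host this hands orbi more than it needs. Either create a dedicated `secrets/orbi.yaml` or add a comment stating that sharing robi's file is deliberate. The `boot.loader.grub.mirroredBoots` block names `/dev/sda` and `/dev/sdb` directly while disko-config.nix addresses the same disks through its own `disk` variable; if disko is also left to manage the bootloader devices this may double up, which I cannot confirm from here. `boot.supportedFilesystems = [ "zfs" ]` and `networking.hostId` deserve a one-line comment that both are prerequisites for the ZFS pool disko creates.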


@ -39,14 +39,15 @@ in
{ {
name = "zfs"; name = "zfs";
start = "500MiB"; start = "500MiB";
size = "500GB"; end = "500GiB";
content = { content = {
type = "luks"; type = "luks";
name = "root_${disk}"; name = "root_${disk}";
settings = { settings = {
# if you want to use the key for interactive login be sure there is no trailing newline # if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key` # for example use `echo -n "password" > /run/secret.key`
keyFile = "/tmp/secret.key"; # or use nixos-anywhere --disk-encryption-keys /run/secret.key <local-path>
keyFile = "/run/secret.key";
allowDiscards = true; allowDiscards = true;
}; };
content = { content = {
@ -57,13 +58,14 @@ in
} }
{ {
name = "zfs"; name = "zfs";
size = "100%"; start = "500GiB";
end = "100%";
content = { content = {
type = "luks"; type = "luks";
settings = { settings = {
# if you want to use the key for interactive login be sure there is no trailing newline # if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key` # for example use `echo -n "password" > /run/secret.key`
keyFile = "/tmp/secret.key"; keyFile = "/run/secret.key";
allowDiscards = true; allowDiscards = true;
}; };
name = "media_${disk}"; name = "media_${disk}";
@ -75,8 +77,7 @@ in
} }
]; ];
}; };
} } );
);
zpool = { zpool = {
@ -123,22 +124,22 @@ in
options = { options = {
mountpoint = "legacy"; mountpoint = "legacy";
compression = "lz4"; compression = "lz4";
"com.sun:auto-snapshot:daily" = false; #"com.sun:auto-snapshot:daily" = false;
"com.sun:auto-snapshot:weekly" = false; #"com.sun:auto-snapshot:weekly" = false;
"com.sun:auto-snapshot:monthly" = false; #"com.sun:auto-snapshot:monthly" = false;
}; };
}; };
# todo make sure this disk has some minimum space # todo make sure this disk has some minimum space
"nextcloud" = { "nextcloud" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/var/lib/nextcloud/"; mountpoint = "/var/lib/nextcloud";
options = { options = {
mountpoint = "legacy"; mountpoint = "legacy";
compression = "lz4"; compression = "lz4";
"com.sun:auto-snapshot:hourly" = true; "com.sun:auto-snapshot:hourly" = toString true;
"com.sun:auto-snapshot:daily" = true; "com.sun:auto-snapshot:daily" = toString true;
"com.sun:auto-snapshot:weekly" = false; #"com.sun:auto-snapshot:weekly" = false;
"com.sun:auto-snapshot:monthly" = false; #"com.sun:auto-snapshot:monthly" = false;
}; };
}; };
}; };
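Review bot: `"com.sun:auto-snapshot:hourly" = toString true;` evaluates to the string `"1"`, not `"true"`, because Nix's `toString true` is `"1"` (and `toString false` is `""`, which is presumably why the `false` entries had to be commented out instead of converted). ZFS user properties are plain strings, so the unambiguous fix is the literal, `"com.sun:auto-snapshot:hourly" = "true";` and `"com.sun:auto-snapshot:weekly" = "false";` for the lines that are now commented out; whether the snapshot tooling treats `1` as true I cannot tell from here, and the literal avoids the question. The same applies to the `daily` line and to the commented-out properties of the first dataset in the `@ -123` hunk. Moving the LUKS key file from `/tmp` to `/run` is an improvement since `/run` is tmpfs, but the `echo -n "password" >` example in the comment still leaves the passphrase in shell history, so the `nixos-anywhere --disk-encryption-keys` route mentioned on the next line should be the primary suggestion.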


@ -4,35 +4,11 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/d6a794d2-1da4-4457-9a9a-a39bf9521ae4";
fsType = "ext4";
};
fileSystems."/boot-1" =
{
device = "/dev/disk/by-uuid/519D-F289";
fsType = "vfat";
};
fileSystems."/boot-2" =
{
device = "/dev/disk/by-uuid/519E-6EF1";
fsType = "vfat";
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }
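Review bot: With hetzner.nix now commenting out `./hardware-configuration.nix` (its `@ -30` hunk), the settings that survive here — `boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ]`, `boot.initrd.kernelModules = [ "dm-snapshot" ]` and `boot.kernelModules = [ "kvm-intel" ]` — are not imported anywhere visible in this commit, unless another file pulls this one in. Either restore the import in hetzner.nix or delete this file outright; the srvos `hardware-hetzner-online-intel` module added to the orbi entry in flake.nix presumably covers the same ground, and a half-emptied file that nothing imports is the worst of both. If the file stays, a header comment such as `# Remaining hardware bits not covered by disko-config.nix or srvos` would make its role clear.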


@ -2,7 +2,7 @@
let let
hostName = "robi"; hostName = "orbi";
# apt install -y lshw # apt install -y lshw
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+' # lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
@ -13,13 +13,13 @@ let
# From the Hetzner control panel # From the Hetzner control panel
ipv4 = { ipv4 = {
address = "144.76.13.147"; # the ip address address = "95.216.66.212"; # the ip address
gateway = "144.76.13.129"; # the gateway ip address gateway = "95.216.66.193"; # the gateway ip address
netmask = "255.255.255.224"; # the netmask -- might not be the same for you! netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
prefixLength = 27; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php> prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
}; };
ipv6 = { ipv6 = {
address = "2a01:4f8:190:9147::1"; # the ipv6 addres address = "2a01:4f9:2b:326::2"; # the ipv6 addres
gateway = "fe80::1"; # the ipv6 gateway gateway = "fe80::1"; # the ipv6 gateway
prefixLength = 64; # shown in the control panel prefixLength = 64; # shown in the control panel
}; };
@ -30,59 +30,32 @@ in
imports = imports =
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix # ./hardware-configuration.nix
]; ];
# needed lvm for raid # needed lvm for raid
boot.initrd.kernelModules = [ #boot.initrd.kernelModules = [ ];
"dm-snapshot"
"dm_mirror"
"dm_raid"
"dm_region_hash"
];
# Use GRUB2 as the boot loader. # Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot. # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false; #boot.loader.systemd-boot.enable = false;
boot.loader.grub = { #boot.loader.grub = {
enable = true; # enable = true;
efiSupport = false; # efiSupport = false;
}; #};
# This will mirror all UEFI files, kernels, grub menus and
# things needed to boot to the other drive.
boot.loader.grub.mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/sda" ]; }
{ path = "/boot-2"; devices = [ "/dev/sdb" ]; }
];
# We want to still be able to boot without one of these
fileSystems."/boot-1".options = [ "nofail" ];
fileSystems."/boot-2".options = [ "nofail" ];
boot.initrd.luks.reusePassphrases = true;
boot.initrd.luks.devices = {
a_encrypted = {
device = "/dev/sda3";
preLVM = true;
};
b_encrypted = {
device = "/dev/sdb3";
preLVM = true;
};
};
networking.hostName = hostName; networking.hostName = hostName;
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here) # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false; #networking.useDHCP = false;
networking.interfaces.${networkInterface} = { #networking.interfaces.${networkInterface} = {
ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; }; # ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; }; # ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
}; #};
networking.defaultGateway = ipv4.gateway; #networking.defaultGateway = ipv4.gateway;
networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; }; #networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
networking.nameservers = [ "8.8.8.8" ]; #networking.nameservers = [ "8.8.8.8" "1.1.1.1" ];
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
# Initial empty root password for easy login: # Initial empty root password for easy login:
users.users.root.initialHashedPassword = ""; users.users.root.initialHashedPassword = "";
@ -96,18 +69,21 @@ in
]; ];
services.openssh.enable = true; services.openssh.enable = true;
services.sshguard.enable = true;
system.stateVersion = "21.05"; system.stateVersion = "23.11";
# enable ssh on init # enable ssh on init
# ------------------ # ------------------
boot.kernelParams = [ #boot.kernelParams = [
# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this # # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip> # # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
# The server ip refers to the NFS server -- we don't need it. # # The server ip refers to the NFS server -- we don't need it.
"ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8" # "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
]; #];
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.availableKernelModules = [ networkInterfaceModule ]; boot.initrd.availableKernelModules = [ networkInterfaceModule ];
boot.initrd.network.enable = true; boot.initrd.network.enable = true;
boot.initrd.network.ssh = { boot.initrd.network.ssh = {
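Review bot: The retained comment `# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)` now sits above a fully commented-out static block while the new `boot.kernelParams = [ "ip=dhcp" ];` does the opposite, so it is stale; rewrite it to say where addressing now comes from, e.g. `# IPv4 via DHCP (initrd: ip=dhcp; runtime: srvos hetzner-online module); only the IPv6 address is set manually on 10-uplink` — adjust to what the srvos module actually does, which is outside this diff. With the static block disabled, the `ipv4` attribute set in the `let` block (`address`, `gateway`, `netmask`, `prefixLength`) is referenced only from commented-out lines, so it is dead data that will drift from the real Hetzner assignment; either drop it or mark it as documentation only. `users.users.root.initialHashedPassword = "";` is carried over as context onto a publicly addressed host that now enables `sshguard`; it is worth confirming before go-live that password-less root login is blocked at the SSH layer and that the empty password is only meant for the initial console session. The `let` block and the module body both extend beyond the hunks shown.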


@ -12,7 +12,7 @@
# some system stuff # some system stuff
# ----------------- # -----------------
time.timeZone = lib.mkDefault "Europe/Berlin"; time.timeZone = "Europe/Berlin";
#time.timeZone = lib.mkDefault "Pacific/Auckland"; #time.timeZone = lib.mkDefault "Pacific/Auckland";
#time.timeZone = lib.mkDefault "Asia/Singapore"; #time.timeZone = lib.mkDefault "Asia/Singapore";
#time.timeZone = lib.mkDefault "Asia/Makassar"; #time.timeZone = lib.mkDefault "Asia/Makassar";
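Review bot: Dropping `lib.mkDefault` turns `time.timeZone = "Europe/Berlin"` into a normal-priority definition, so any host module that also sets `time.timeZone` without `mkForce` now fails with a conflicting-definition error, whereas before the host value simply won. If the motive is that srvos also sets the time zone with `mkDefault` (two equal-priority `mkDefault`s with different values clash, and a plain assignment wins over both), say so on the line: `time.timeZone = "Europe/Berlin"; # plain assignment on purpose: srvos also sets it via mkDefault` — I am inferring the motive, so adjust if it is something else. The commented-out alternatives below still use `lib.mkDefault`, which will mislead the next person who uncomments one of them.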