nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added limina

This commit is contained in:
Root 2021-04-05 15:44:45 -07:00
parent 4da2c85fb1
commit 555fcd869e
4 changed files with 172 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
config/hardware/limina.nix Normal file
View File

@ -0,0 +1,112 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot = {
initrd = {
availableKernelModules =
[ "ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = pkgs.linuxPackages_latest;
};
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
"/" = {
device = "zroot/transient/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/transient/nix";
fsType = "zfs";
};
"/var/log" = {
device = "zroot/transient/logs";
fsType = "zfs";
neededForBoot = true;
};
"/home" = {
device = "zroot/persistent/home";
fsType = "zfs";
};
"/state" = {
device = "zroot/persistent/state";
fsType = "zfs";
};
};
services.zfs.autoScrub.enable = true;
swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
nix.maxJobs = lib.mkDefault 4;
hardware.bluetooth.enable = false;
networking = {
hostId = substring 0 8 (fileContents /state/etc/machine-id);
macvlans = {
extif0 = {
interface = "enp1s0";
mode = "bridge";
};
intif0 = {
interface = "enp2s0";
mode = "bridge";
};
intif1 = {
interface = "enp3s0";
mode = "bridge";
};
intif2 = {
interface = "enp4s0";
mode = "bridge";
};
};
interfaces = {
enp1s0.useDHCP = false;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
# output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
extif0 = {
macAddress = "02:fd:79:94:a2:a8";
useDHCP = true;
};
intif0 = {
macAddress = "02:dc:59:b4:a7:8c";
};
intif1 = {
macAddress = "02:df:43:1d:8a:63";
};
intif2 = {
macAddress = "02:55:d9:05:23:36";
};
};
};
}

56
config/hosts/limina.nix Normal file
View File

@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
with lib; {
config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
};
system.stateVersion = "20.09";
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
}

4
config/networks/sea.fudo.org.nix
View File

@ -67,6 +67,10 @@ in {
};
hosts = {
limina = {
ip-address = "10.0.0.6";
mac-address = "02:fd:79:94:a2:a8";
};
nostromo = {
ip-address = "10.0.0.1";
mac-address = "46:54:76:06:f1:10";

6
config/profiles/server.nix
View File

@ -4,10 +4,6 @@ with lib;
let
serverPackages = with pkgs; [
emacs-nox
ldns
ldns.examples
jdk14_headless
racket-minimal
reboot-if-necessary
test-config
];
@ -55,8 +51,6 @@ in {
config = {
environment = {
systemPackages = serverPackages;
# noXlibs = lib.mkForce true;
};
system.autoUpgrade.enable = false;