Various changes, and added a live-disk config.

2021-07-16 12:57:36 -07:00 · 2021-07-16 12:57:36 -07:00 · 7b889633d8
commit 7b889633d8
parent df7761b11b
14 changed files with 190 additions and 57 deletions
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@ -1,8 +1,13 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+let
+
+in {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];

+  system.stateVersion = "21.05";
+
  boot = {
    initrd = {
      availableKernelModules = [
@ -19,34 +24,62 @@
    };

    kernelModules = [ "kvm-amd" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages.zfs;
+    supportedFilesystems = [ "zfs" ];

    loader.grub = {
      enable = true;
      version = 2;
-      device = "/dev/disk/by-label/nixos-root";
+      device = "/dev/disk/by-label/lambda-root";
    };
  };

  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/nixos-root";
-      fsType = "btrfs";
+    "/boot" = {
+      device = "/dev/disk/by-label/lambda-boot";
+      fsType = "ext4";
    };

-    "/boot" = {
-      device = "/dev/disk/by-label/nixos-boot";
-      fsType = "ext4";
+    "/" = {
+      device = "lambda/transient/root";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "lambda/transient/nix";
+      fsType = "zfs";
+    };
+
+    "/var/log" = {
+      device = "lambda/transient/logs";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+
+    "/home" = {
+      device = "lambda/persistent/home";
+      fsType = "zfs";
+    };
+
+    "/state" = {
+      device = "lambda/persistent/state";
+      fsType = "zfs";
    };
  };

-  swapDevices = [{ device = "/dev/disk/by-label/nixos-swap"; }];
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    ${pkgs.zfs}/bin/zfs rollback -r lambda/transient/root@blank
+  '';
+
+  swapDevices = [{ device = "/dev/disk/by-label/lambda-swap"; }];

  nix.maxJobs = lib.mkDefault 12;

  hardware.bluetooth.enable = false;

  networking = {
+    hostId = substring 0 8 (fileContents /etc/machine-id);
+
    macvlans = {
      intif0 = {
        interface = "enp3s0f1";
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:

-with lib;
-{
+with lib; {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];

  boot = {
@ -18,7 +17,7 @@ with lib;
    };

    supportedFilesystems = [ "zfs" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages.zfs;
  };

  fileSystems = {
--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@ -5,13 +5,6 @@ let
  shinobi-od-port = "7082";

 in {
-  # TODO: remove?
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssh-with-gssapi-8.4p1" # CVE-2021-28041
-  ];
-
-  fudo.slynk.enable = true;
-
  networking = {
    interfaces = {
      enp3s0f0.useDHCP = false;
@ -23,19 +16,34 @@ in {
    };
  };

-  fudo.secrets.host-secrets.lambda = {
-    host-keytab = {
-      source-file = /state/secrets/kerberos/lambda.keytab;
-      target-file = "/etc/krb5.keytab";
-      user = "root";
+  fudo.secrets = {
+    host-secrets.lambda = {
+      host-keytab = {
+        source-file = /state/secrets/kerberos/lambda.keytab;
+        target-file = "/etc/krb5.keytab";
+        user = "root";
+      };
    };
+
+    secret-group = "fudo-secrets";
+    secret-users = [ "niten" ];
+    secret-paths = [ "/state/secrets" ];
  };

-  fudo.ipfs = {
-    enable = true;
-    users = [ "niten" ];
-    api-address = "/ip4/0.0.0.0/tcp/5001";
-  };
+  systemd.tmpfiles.rules = [
+    "L /root/.gnupg - - - - /state/root/gnupg"
+    # "L /root/.emacs.d - - - - /state/root/emacs.d"
+    "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
+    "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
+    "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
+    "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
+    "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
+  ];
+
+  security.sudo.extraConfig = ''
+    # Due to rollback, sudo will lecture after every reboot
+    Defaults lecture = never
+  '';

  virtualisation = {
    docker = {
@ -50,10 +58,10 @@ in {
          image = "shinobisystems/shinobi:latest";
          ports = [ "${shinobi-port}:8080" ];
          volumes = [
-            "/srv/shinobi/plugins:/home/Shinobi/plugins"
-            "/srv/shinobi/config:/home/Shinobi/config"
-            "/srv/shinobi/videos:/home/Shinobi/videos"
-            "/srv/shinobi/db-data:/var/lib/mysql"
+            "/state/shinobi/plugins:/home/Shinobi/plugins"
+            "/state/shinobi/config:/home/Shinobi/config"
+            "/state/shinobi/videos:/home/Shinobi/videos"
+            "/state/shinobi/db-data:/var/lib/mysql"
            "/etc/localtime:/etc/localtime:ro"
          ];
        };
--- a/config/host-config/nostromo.nix
+++ b/config/host-config/nostromo.nix
@ -37,6 +37,12 @@ in {
  #   };
  # };

+  fudo.ipfs = {
+    enable = true;
+    users = [ "niten" ];
+    api-address = "/ip4/0.0.0.0/tcp/5001";
+  };
+
  virtualisation = {
    libvirtd = {
      enable = true;
--- a/config/profile-config/common-ui.nix
+++ b/config/profile-config/common-ui.nix
@ -25,7 +25,7 @@ in {
    xserver = mkIf enable-gui {
      enable = true;

-      desktopManager.gnome3.enable = true;
+      desktopManager.gnome.enable = true;

      displayManager.gdm = {
        enable = true;
@ -68,7 +68,7 @@ in {
  console.font =
    lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";

-  services.gnome3 = mkIf enable-gui {
+  services.gnome = mkIf enable-gui {
    evolution-data-server.enable = mkForce false;
    gnome-user-share.enable = mkForce false;
  };
@ -76,7 +76,7 @@ in {
  programs.steam.enable = enable-gui;

  fonts = mkIf enable-gui {
-    enableFontDir = true;
+    fontDir.enable = true;
    fontconfig.enable = true;
    #fontconfig.antialias = true;
    #fontconfig.penultimate.enable = true;
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@ -28,6 +28,7 @@ in {
  # TODO: remove?
  nixpkgs.config.permittedInsecurePackages = [
    "openssh-with-gssapi-8.4p1" # CVE-2021-28041
+    "zfs-kernel"
  ];

  nixpkgs.config.allowUnfree = true;
@ -135,6 +136,4 @@ in {
      };
    };
  };
-
-  services.dbus.socketActivated = true;
 }
--- a/config/profile-config/server.nix
+++ b/config/profile-config/server.nix
@ -50,8 +50,6 @@ in {

    system.autoUpgrade.enable = false;

-    security = { hideProcessInformation = true; };
-
    networking.networkmanager.enable = mkForce false;

    services = {
--- a/home-manager/niten.nix
+++ b/home-manager/niten.nix
@ -14,6 +14,7 @@ let
    exodus
    firefox
    jq
+    nyxt
    openttd
    redshift
    signal-desktop
@ -22,6 +23,7 @@ let
  ];

  common-packages = with pkgs; [
+    ant
    asdf
    atop
    binutils
@ -31,12 +33,14 @@ let
    cdrtools
    cargo
    clojure
+    cmake
    curl
    doomEmacsInit
    enca
    file
    fortune
    git
+    gnome.gnome-tweaks
    gnutls
    gnupg
    google-chrome
@ -50,6 +54,7 @@ let
    lispPackages.quicklisp
    lsof
    lshw
+    minecraft
    mkpasswd
    mtr
    nixfmt
@ -58,11 +63,14 @@ let
    nix-prefetch-git
    nyxt
    nmap
+    opencv-java
    openldap
    openssl
    pciutils
+    pipewire
    pv
    pwgen
+    python
    ruby
    rustc
    sbcl
--- a/live-disk.nix
+++ b/live-disk.nix
@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  nixos-version = "21.05";
+
+  home-manager-package = builtins.fetchGit {
+    url = "https://github.com/nix-community/home-manager.git";
+    ref = "release-${nixos-version}";
+  };
+
+in {
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
+    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+    "${home-manager-package}/nixos"
+    ./packages
+  ];
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+    btrfs-progs
+    doomEmacsInit
+    emacs
+    git
+    gparted
+    nix-prefetch-scripts
+    wget
+  ];
+
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    permitRootLogin = mkDefault "prohibit-password";
+  };
+
+  users = {
+    users = {
+      niten = {
+        isNormalUser = true;
+        createHome = true;
+        hashedPassword =
+          "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
+        extraGroups = [ "wheel" ];
+      };
+    };
+
+    # groups = { wheel = { members = [ "niten" ]; }; };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+
+    users = {
+      niten = {
+        home = {
+          file = {
+            ".doom.d" = {
+              source = pkgs.doom-emacs-config;
+              recursive = true;
+              onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixops/seattle.nix
+++ b/nixops/seattle.nix
@ -12,7 +12,7 @@ in {
  };

  limina = define-host "10.0.0.1" "limina";
-  lambda = define-host "10.0.0.11" "lambda";
+  # lambda = define-host "10.0.0.11" "lambda";
  nostromo = define-host "10.0.0.10" "nostromo";
  plato = define-host "10.0.0.21" "plato";
  spark = define-host "10.0.0.108" "spark";
--- a/packages/archiva.nix
+++ b/packages/archiva.nix
@ -1,8 +1,9 @@
-{ pkgs, fetchurl, ... }:
+{ pkgs, lib, fetchurl, ... }:

 let
  version = "2.2.5";
-  url = "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz";
+  url =
+    "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz";
  sha256 = "01119af2d9950eacbcce0b7f8db5067b166ad26c1e1701bef829105441bb6e29";

 in pkgs.stdenv.mkDerivation {
@ -13,7 +14,7 @@ in pkgs.stdenv.mkDerivation {
    sha256 = sha256;
  };

-  phases = ["installPhase"];
+  phases = [ "installPhase" ];

  buildInputs = with pkgs; [ stdenv procps makeWrapper ];

@ -22,6 +23,8 @@ in pkgs.stdenv.mkDerivation {
    tar -xzf $src
    cd apache-archiva-${version}
    mv {LICENSE,NOTICE,apps,bin,conf,contexts,lib,logs,temp} $out
-    makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${pkgs.stdenv.lib.makeBinPath [ pkgs.procps ]}
+    makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${
+      lib.makeBinPath [ pkgs.procps ]
+    }
  '';
 }
--- a/packages/default.nix
+++ b/packages/default.nix
@ -66,10 +66,16 @@ in {
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
    });

+    opencv-java = pkgs.opencv.overrideAttrs (oldAttrs: rec {
+      # buildInputs = oldAttrs.buildInputs ++ [ pkgs.ant ];
+      nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jdk11 pkgs.ant ];
+      # cmakeFlags = oldAttrs.cmakeFlags ++ [ "-DWITH_JAVA=ON" ];
+    });
+
    hll2380dw-cups = import ./hll2380dw-cups.nix {
      inherit (pkgs)
        stdenv fetchurl makeWrapper cups dpkg a2ps ghostscript gnugrep gnused
-        coreutils file perl which;
+        coreutils file perl which lib;
    };

    hll2380dw-lpr = import ./hll2380dw-lp.nix {
--- a/packages/hll2380dw-cups.nix
+++ b/packages/hll2380dw-cups.nix
@ -1,4 +1,5 @@
-{ stdenv, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep, gnused, coreutils, file, perl, which }:
+{ stdenv, lib, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep
+, gnused, coreutils, file, perl, which }:

 stdenv.mkDerivation rec {
  pname = "hll2380dw-cups";
@ -6,7 +7,8 @@ stdenv.mkDerivation rec {
  platform = "i386";

  src = fetchurl {
-    url = "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb";
+    url =
+      "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb";
    sha256 = "08g3kx5lgwzb3f9ypj8knmpkkj0h3kv1i4gd20rzjxrx6vx1wbpl";
  };

@ -18,9 +20,9 @@ stdenv.mkDerivation rec {
  installPhase = ''
    dpkg-deb -x $src $out
      wrapProgram $out/opt/brother/Printers/HLL2380DW/cupswrapper/paperconfigml1 \
-        --prefix PATH : ${stdenv.lib.makeBinPath [
-          coreutils ghostscript gnugrep gnused
-        ]}
+        --prefix PATH : ${
+          lib.makeBinPath [ coreutils ghostscript gnugrep gnused ]
+        }
    mkdir -p $out/lib/cups/filter/
    ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380DW \
        $out/lib/cups/filter/brother_lpdwrapper_HLL2380DW
@ -31,11 +33,12 @@ stdenv.mkDerivation rec {
    touch $out/HI
  '';

-  meta = with stdenv.lib; {
-    homepage = http://www.brother.com/;
+  meta = with lib; {
+    homepage = "http://www.brother.com/";
    description = "Brother HL-L2380DW combined print driver";
    license = licenses.unfree;
    platforms = [ "x86_64-linux" ];
-    downloadPage = http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128;
+    downloadPage =
+      "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128";
  };
 }
--- a/packages/hll2380dw-lp.nix
+++ b/packages/hll2380dw-lp.nix
@ -27,7 +27,7 @@ in stdenv.mkDerivation rec {
      --replace "PRINTER =~" "PRINTER = \"${model}\"; #"
    wrapProgram $dir/lpd/filter_${model} \
      --prefix PATH : ${
-        stdenv.lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ]
+        lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ]
      }
    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
      $dir/lpd/${model}filter
@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
  meta = {
    homepage = "http://www.brother.com/";
    description = "Brother ${lib.toUpper model} LPR print driver";
-    license = stdenv.lib.licenses.unfree;
+    license = lib.licenses.unfree;
    platforms = [ "i386" "x86_64-linux" ];
    downloadPage =
      "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128";