diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix index 97a4d2a..fcc3e56 100644 --- a/config/hardware/lambda.nix +++ b/config/hardware/lambda.nix @@ -1,8 +1,13 @@ { config, lib, pkgs, ... }: -{ +with lib; +let + +in { imports = [ ]; + system.stateVersion = "21.05"; + boot = { initrd = { availableKernelModules = [ @@ -19,34 +24,62 @@ }; kernelModules = [ "kvm-amd" ]; - kernelPackages = pkgs.linuxPackages_latest; + kernelPackages = pkgs.linuxPackages.zfs; + supportedFilesystems = [ "zfs" ]; loader.grub = { enable = true; version = 2; - device = "/dev/disk/by-label/nixos-root"; + device = "/dev/disk/by-label/lambda-root"; }; }; fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos-root"; - fsType = "btrfs"; + "/boot" = { + device = "/dev/disk/by-label/lambda-boot"; + fsType = "ext4"; }; - "/boot" = { - device = "/dev/disk/by-label/nixos-boot"; - fsType = "ext4"; + "/" = { + device = "lambda/transient/root"; + fsType = "zfs"; + }; + + "/nix" = { + device = "lambda/transient/nix"; + fsType = "zfs"; + }; + + "/var/log" = { + device = "lambda/transient/logs"; + fsType = "zfs"; + neededForBoot = true; + }; + + "/home" = { + device = "lambda/persistent/home"; + fsType = "zfs"; + }; + + "/state" = { + device = "lambda/persistent/state"; + fsType = "zfs"; }; }; - swapDevices = [{ device = "/dev/disk/by-label/nixos-swap"; }]; + boot.initrd.postDeviceCommands = lib.mkAfter '' + ${pkgs.zfs}/bin/zfs rollback -r lambda/transient/root@blank + ''; + + swapDevices = [{ device = "/dev/disk/by-label/lambda-swap"; }]; nix.maxJobs = lib.mkDefault 12; hardware.bluetooth.enable = false; networking = { + hostId = substring 0 8 (fileContents /etc/machine-id); + macvlans = { intif0 = { interface = "enp3s0f1"; diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix index 1fa1150..9c5d32b 100644 --- a/config/hardware/plato.nix +++ b/config/hardware/plato.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: -with lib; -{ +with lib; { imports = [ ]; boot = { 
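Review bot: `networking.hostId = substring 0 8 (fileContents /etc/machine-id);` in the second lambda.nix hunk reads the machine-id of whichever host evaluates the configuration, at evaluation time, so it only yields lambda's own id while the build happens on lambda (consistent with its nixops entry being commented out in this commit) and silently changes if the host is ever built from another machine; under pure evaluation an absolute-path `fileContents` is rejected outright. ZFS writes the hostId into the pool label and declines a non-forced import when it differs — the root pool may still come up because the NixOS initrd import is forced by default, but any other pool on the box will not — and since the same hunk rolls `/` back to `@blank` on every boot, `/etc/machine-id` itself is regenerated unless it is persisted, so the derived value is not stable across rebuilds either. Pin it to the literal eight hex digits the pools were created under, `hostId = "<8 hex chars>"; # must stay stable: ZFS pool label`, rather than deriving it.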
@@ -18,7 +17,7 @@ with lib; }; supportedFilesystems = [ "zfs" ]; - kernelPackages = pkgs.linuxPackages_latest; + kernelPackages = pkgs.linuxPackages.zfs; }; fileSystems = { diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix index 83ae093..69f6445 100644 --- a/config/host-config/lambda.nix +++ b/config/host-config/lambda.nix @@ -5,13 +5,6 @@ let shinobi-od-port = "7082"; in { - # TODO: remove? - nixpkgs.config.permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" # CVE-2021-28041 - ]; - - fudo.slynk.enable = true; - networking = { interfaces = { enp3s0f0.useDHCP = false; @@ -23,19 +16,34 @@ in { }; }; - fudo.secrets.host-secrets.lambda = { - host-keytab = { - source-file = /state/secrets/kerberos/lambda.keytab; - target-file = "/etc/krb5.keytab"; - user = "root"; + fudo.secrets = { + host-secrets.lambda = { + host-keytab = { + source-file = /state/secrets/kerberos/lambda.keytab; + target-file = "/etc/krb5.keytab"; + user = "root"; + }; }; + + secret-group = "fudo-secrets"; + secret-users = [ "niten" ]; + secret-paths = [ "/state/secrets" ]; }; - fudo.ipfs = { - enable = true; - users = [ "niten" ]; - api-address = "/ip4/0.0.0.0/tcp/5001"; - }; + systemd.tmpfiles.rules = [ + "L /root/.gnupg - - - - /state/root/gnupg" + # "L /root/.emacs.d - - - - /state/root/emacs.d" + "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" + "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" + "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" + "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" + "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" + ]; + + security.sudo.extraConfig = '' + # Due to rollback, sudo will lecture after every reboot + Defaults lecture = never + ''; virtualisation = { docker = { 
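Review bot: The tmpfiles `L` rules in the lambda host-config hunk point `/etc/ssh/ssh_host_*_key` and `/root/.ssh/id_rsa` at files under `/state`, but nothing here creates those targets or fixes their modes; sshd and the ssh client stat through the symlink and refuse a private key that is group- or world-readable, and if `/state/ssh/ssh_host_ed25519_key` does not exist yet the NixOS sshd preStart sees a dangling link — whether `ssh-keygen` then writes through it into `/state` or fails should be tested once. Add a mode rule for the targets, e.g. `"z /state/ssh/ssh_host_ed25519_key 0600 root root - -"`, or document that `/state/ssh` and `/state/root/ssh` must be provisioned at 0700 before first boot. Since the `# Due to rollback` comment confirms `/` is reset every boot, `/etc/machine-id` belongs in the same persisted list (`"L /etc/machine-id - - - - /state/etc/machine-id"`), otherwise journald and anything keyed on the machine-id gets a new identity each boot; `/root/.ssh/authorized_keys` is not listed either, which is fine only if root's keys come from the NixOS configuration.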
@@ -50,10 +58,10 @@ in { image = "shinobisystems/shinobi:latest"; ports = [ "${shinobi-port}:8080" ]; volumes = [ - "/srv/shinobi/plugins:/home/Shinobi/plugins" - "/srv/shinobi/config:/home/Shinobi/config" - "/srv/shinobi/videos:/home/Shinobi/videos" - "/srv/shinobi/db-data:/var/lib/mysql" + "/state/shinobi/plugins:/home/Shinobi/plugins" + "/state/shinobi/config:/home/Shinobi/config" + "/state/shinobi/videos:/home/Shinobi/videos" + "/state/shinobi/db-data:/var/lib/mysql" "/etc/localtime:/etc/localtime:ro" ]; }; diff --git a/config/host-config/nostromo.nix b/config/host-config/nostromo.nix index c4c0d5f..adcf11c 100644 --- a/config/host-config/nostromo.nix +++ b/config/host-config/nostromo.nix @@ -37,6 +37,12 @@ in { # }; # }; + fudo.ipfs = { + enable = true; + users = [ "niten" ]; + api-address = "/ip4/0.0.0.0/tcp/5001"; + }; + virtualisation = { libvirtd = { enable = true; diff --git a/config/profile-config/common-ui.nix b/config/profile-config/common-ui.nix index 8506b4c..19f7eb8 100644 --- a/config/profile-config/common-ui.nix +++ b/config/profile-config/common-ui.nix @@ -25,7 +25,7 @@ in { xserver = mkIf enable-gui { enable = true; - desktopManager.gnome3.enable = true; + desktopManager.gnome.enable = true; displayManager.gdm = { enable = true; @@ -68,7 +68,7 @@ in { console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz"; - services.gnome3 = mkIf enable-gui { + services.gnome = mkIf enable-gui { evolution-data-server.enable = mkForce false; gnome-user-share.enable = mkForce false; }; @@ -76,7 +76,7 @@ in { programs.steam.enable = enable-gui; fonts = mkIf enable-gui { - enableFontDir = true; + fontDir.enable = true; fontconfig.enable = true; #fontconfig.antialias = true; #fontconfig.penultimate.enable = true; diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index 741bcdb..d82892f 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix 
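Review bot: `api-address = "/ip4/0.0.0.0/tcp/5001"` in the nostromo.nix hunk binds the IPFS RPC API to every interface; that API is unauthenticated and administrative (add/pin content, rewrite config, read keys), which is why go-ipfs defaults it to loopback. The block is carried over verbatim from lambda's host-config, removed in this same commit, so the exposure is inherited rather than new, but the context lines show nostromo also runs libvirtd guests, so every bridged VM would reach it too. Assuming the project's `fudo.ipfs` module passes this value straight to `Addresses.API`, bind to loopback or the internal address, `api-address = "/ip4/127.0.0.1/tcp/5001";`, and if remote access is really needed put it behind the host firewall or an authenticating reverse proxy.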
@@ -28,6 +28,7 @@ in { # TODO: remove? nixpkgs.config.permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + "zfs-kernel" ]; nixpkgs.config.allowUnfree = true; @@ -135,6 +136,4 @@ in { }; }; }; - - services.dbus.socketActivated = true; } diff --git a/config/profile-config/server.nix b/config/profile-config/server.nix index d2de911..368fe7f 100644 --- a/config/profile-config/server.nix +++ b/config/profile-config/server.nix @@ -50,8 +50,6 @@ in { system.autoUpgrade.enable = false; - security = { hideProcessInformation = true; }; - networking.networkmanager.enable = mkForce false; services = { diff --git a/home-manager/niten.nix b/home-manager/niten.nix index 7ca7fb5..126bcdd 100644 --- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -14,6 +14,7 @@ let exodus firefox jq + nyxt openttd redshift signal-desktop @@ -22,6 +23,7 @@ let ]; common-packages = with pkgs; [ + ant asdf atop binutils @@ -31,12 +33,14 @@ let cdrtools cargo clojure + cmake curl doomEmacsInit enca file fortune git + gnome.gnome-tweaks gnutls gnupg google-chrome @@ -50,6 +54,7 @@ let lispPackages.quicklisp lsof lshw + minecraft mkpasswd mtr nixfmt @@ -58,11 +63,14 @@ let nix-prefetch-git nyxt nmap + opencv-java openldap openssl pciutils + pipewire pv pwgen + python ruby rustc sbcl diff --git a/live-disk.nix b/live-disk.nix new file mode 100644 index 0000000..002f190 --- /dev/null +++ b/live-disk.nix 
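Review bot: `"zfs-kernel"` is added to `permittedInsecurePackages` in the common profile, so the insecurity marker nixpkgs places on that package is silenced for every host importing common.nix, not just the two ZFS hosts, and unlike the neighbouring `openssh-with-gssapi-8.4p1` entry it carries neither a version nor a reason. The existing entry already has a `# TODO: remove?` and a CVE reference; give the new one the same treatment, e.g. `"zfs-kernel" # <reason from nixpkgs knownVulnerabilities; re-check on next channel bump>`, and confirm the bare name actually matches the allow predicate — the sibling entry is name-with-version, and if the predicate compares the full name the bare string is a no-op, whereas if it compares pname it blanket-allows every future version. Scoping it to the ZFS hosts' hardware configs next to `kernelPackages = pkgs.linuxPackages.zfs` would limit the blast radius either way.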
@@ -0,0 +1,70 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + nixos-version = "21.05"; + + home-manager-package = builtins.fetchGit { + url = "https://github.com/nix-community/home-manager.git"; + ref = "release-${nixos-version}"; + }; + +in { + imports = [ + + + "${home-manager-package}/nixos" + ./packages + ]; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + btrfs-progs + doomEmacsInit + emacs + git + gparted + nix-prefetch-scripts + wget + ]; + + services.openssh = { + enable = true; + startWhenNeeded = true; + permitRootLogin = mkDefault "prohibit-password"; + }; + + users = { + users = { + niten = { + isNormalUser = true; + createHome = true; + hashedPassword = + "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; + extraGroups = [ "wheel" ]; + }; + }; + + # groups = { wheel = { members = [ "niten" ]; }; }; + }; + + home-manager = { + useGlobalPkgs = true; + + users = { + niten = { + home = { + file = { + ".doom.d" = { + source = pkgs.doom-emacs-config; + recursive = true; + onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh"; + }; + }; + }; + }; + }; + }; +} diff --git a/nixops/seattle.nix b/nixops/seattle.nix index 46c647d..359ad70 100644 --- a/nixops/seattle.nix +++ b/nixops/seattle.nix @@ -12,7 +12,7 @@ in { }; limina = define-host "10.0.0.1" "limina"; - lambda = define-host "10.0.0.11" "lambda"; + # lambda = define-host "10.0.0.11" "lambda"; nostromo = define-host "10.0.0.10" "nostromo"; plato = define-host "10.0.0.21" "plato"; spark = define-host "10.0.0.108" "spark"; diff --git a/packages/archiva.nix b/packages/archiva.nix index 054cc8d..7545d44 100644 --- a/packages/archiva.nix +++ b/packages/archiva.nix 
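Review bot: `builtins.fetchGit` for home-manager in live-disk.nix gives a `ref` but no `rev`, so the live image is built from whatever `release-21.05` points to at build time with no content pin, making the build unreproducible and turning an upstream branch into an unpinned supply-chain input; add `rev = "<commit sha>";` next to the `ref` (the sha is the pin, pick it from the commit you tested against). Second, the `hashedPassword` for `niten` — a `wheel` member — is committed to the repository; a SHA-512-crypt hash is crackable offline if this repo is ever shared, and with `services.openssh` enabled and 21.05's default of password authentication on, that same password is the remote login credential on the live system. Prefer `passwordFile` pointing outside the repo, or keys only via `openssh.authorizedKeys.keys = [ ... ];` plus `services.openssh.passwordAuthentication = false;`. The blank lines inside `imports` and the commented-out `groups` block are leftover noise and should go.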
@@ -1,8 +1,9 @@ -{ pkgs, fetchurl, ... }: +{ pkgs, lib, fetchurl, ... }: let version = "2.2.5"; - url = "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz"; + url = + "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz"; sha256 = "01119af2d9950eacbcce0b7f8db5067b166ad26c1e1701bef829105441bb6e29"; in pkgs.stdenv.mkDerivation { @@ -13,7 +14,7 @@ in pkgs.stdenv.mkDerivation { sha256 = sha256; }; - phases = ["installPhase"]; + phases = [ "installPhase" ]; buildInputs = with pkgs; [ stdenv procps makeWrapper ]; @@ -22,6 +23,8 @@ in pkgs.stdenv.mkDerivation { tar -xzf $src cd apache-archiva-${version} mv {LICENSE,NOTICE,apps,bin,conf,contexts,lib,logs,temp} $out - makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${pkgs.stdenv.lib.makeBinPath [ pkgs.procps ]} + makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${ + lib.makeBinPath [ pkgs.procps ] + } ''; } diff --git a/packages/default.nix b/packages/default.nix index 5d48cbb..8e4c23f 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -66,10 +66,16 @@ in { buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; }); + opencv-java = pkgs.opencv.overrideAttrs (oldAttrs: rec { + # buildInputs = oldAttrs.buildInputs ++ [ pkgs.ant ]; + nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jdk11 pkgs.ant ]; + # cmakeFlags = oldAttrs.cmakeFlags ++ [ "-DWITH_JAVA=ON" ]; + }); + hll2380dw-cups = import ./hll2380dw-cups.nix { inherit (pkgs) stdenv fetchurl makeWrapper cups dpkg a2ps ghostscript gnugrep gnused - coreutils file perl which; + coreutils file perl which lib; }; hll2380dw-lpr = import ./hll2380dw-lp.nix { diff --git a/packages/hll2380dw-cups.nix b/packages/hll2380dw-cups.nix index 4e9059c..0a73dd9 100644 --- a/packages/hll2380dw-cups.nix +++ b/packages/hll2380dw-cups.nix 
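Review bot: The `opencv-java` override in packages/default.nix adds `jdk11` and `ant` to `nativeBuildInputs` but leaves `-DWITH_JAVA=ON` commented out, so whether the Java bindings are built depends on opencv's cmake autodetecting the JDK, and the attribute may amount to a full opencv rebuild with no Java output; either re-enable it as `cmakeFlags = (oldAttrs.cmakeFlags or []) ++ [ "-DWITH_JAVA=ON" ];` (guarded, since the original attrs may not define `cmakeFlags`) or record in a comment that autodetection is relied upon and has been verified. `rec` on the override set binds nothing and the commented `buildInputs` line is dead code; drop both so the intent is readable.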
@@ -1,4 +1,5 @@ -{ stdenv, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep, gnused, coreutils, file, perl, which }: +{ stdenv, lib, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep +, gnused, coreutils, file, perl, which }: stdenv.mkDerivation rec { pname = "hll2380dw-cups"; @@ -6,7 +7,8 @@ stdenv.mkDerivation rec { platform = "i386"; src = fetchurl { - url = "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb"; + url = + "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb"; sha256 = "08g3kx5lgwzb3f9ypj8knmpkkj0h3kv1i4gd20rzjxrx6vx1wbpl"; }; @@ -18,9 +20,9 @@ stdenv.mkDerivation rec { installPhase = '' dpkg-deb -x $src $out wrapProgram $out/opt/brother/Printers/HLL2380DW/cupswrapper/paperconfigml1 \ - --prefix PATH : ${stdenv.lib.makeBinPath [ - coreutils ghostscript gnugrep gnused - ]} + --prefix PATH : ${ + lib.makeBinPath [ coreutils ghostscript gnugrep gnused ] + } mkdir -p $out/lib/cups/filter/ ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380DW \ $out/lib/cups/filter/brother_lpdwrapper_HLL2380DW @@ -31,11 +33,12 @@ stdenv.mkDerivation rec { touch $out/HI ''; - meta = with stdenv.lib; { - homepage = http://www.brother.com/; + meta = with lib; { + homepage = "http://www.brother.com/"; description = "Brother HL-L2380DW combined print driver"; license = licenses.unfree; platforms = [ "x86_64-linux" ]; - downloadPage = http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128; + downloadPage = + "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128"; }; } diff --git a/packages/hll2380dw-lp.nix b/packages/hll2380dw-lp.nix index 7e82041..06e4fce 100644 --- a/packages/hll2380dw-lp.nix +++ b/packages/hll2380dw-lp.nix 
@@ -27,7 +27,7 @@ in stdenv.mkDerivation rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - stdenv.lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ] + lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ] } patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $dir/lpd/${model}filter @@ -36,7 +36,7 @@ in stdenv.mkDerivation rec { meta = { homepage = "http://www.brother.com/"; description = "Brother ${lib.toUpper model} LPR print driver"; - license = stdenv.lib.licenses.unfree; + license = lib.licenses.unfree; platforms = [ "i386" "x86_64-linux" ]; downloadPage = "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128";