From d69ae43b1a0c66eae3af4bc125a9b78ba8ea2ab6 Mon Sep 17 00:00:00 2001 From: Root Date: Tue, 20 Jul 2021 18:28:12 -0700 Subject: [PATCH] Changes for lambda, with tmpfs root --- config/hardware/lambda.nix | 24 ++--- config/host-config/lambda.nix | 175 ++++++++++++++++++++-------------- config/hosts/lambda.nix | 3 +- config/sites.nix | 2 +- configuration.nix | 1 + home-manager/niten.nix | 30 ++++-- initialize.nix | 4 +- lib/fudo/secrets.nix | 8 +- lib/fudo/users.nix | 15 --- live-disk.nix | 6 ++ 10 files changed, 154 insertions(+), 114 deletions(-) diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix index fcc3e56..63a72c2 100644 --- a/config/hardware/lambda.nix +++ b/config/hardware/lambda.nix @@ -23,14 +23,13 @@ in { kernelModules = [ ]; }; - kernelModules = [ "kvm-amd" ]; - kernelPackages = pkgs.linuxPackages.zfs; + kernelModules = [ "kvm-intel" ]; supportedFilesystems = [ "zfs" ]; loader.grub = { enable = true; version = 2; - device = "/dev/disk/by-label/lambda-root"; + device = "/dev/disk/by-id/wwn-0x600508b1001cecf6b880f591f9b18b29"; }; }; @@ -38,11 +37,13 @@ in { "/boot" = { device = "/dev/disk/by-label/lambda-boot"; fsType = "ext4"; + options = [ "noexec" ]; }; "/" = { - device = "lambda/transient/root"; - fsType = "zfs"; + device = "none"; + fsType = "tmpfs"; + options = [ "noexec" ]; }; "/nix" = { @@ -54,29 +55,20 @@ in { device = "lambda/transient/logs"; fsType = "zfs"; neededForBoot = true; - }; - - "/home" = { - device = "lambda/persistent/home"; - fsType = "zfs"; + options = [ "noexec" ]; }; "/state" = { device = "lambda/persistent/state"; fsType = "zfs"; + options = [ "noexec" ]; }; }; - boot.initrd.postDeviceCommands = lib.mkAfter '' - ${pkgs.zfs}/bin/zfs rollback -r lambda/transient/root@blank - ''; - swapDevices = [{ device = "/dev/disk/by-label/lambda-swap"; }]; nix.maxJobs = lib.mkDefault 12; - hardware.bluetooth.enable = false; - networking = { hostId = substring 0 8 (fileContents /etc/machine-id); 
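Review bot: The new tmpfs `/` entry in the second hunk carries only `noexec`, and tmpfs defaults to mode 1777 and a size of half of RAM, so the root directory comes up world-writable (sticky) with no bound on the memory it can consume. Set the mode explicitly and cap the size, e.g. `options = [ "noexec" "nosuid" "nodev" "mode=755" "size=2G" ];` (the `2G` figure is illustrative). With `/` on noexec nothing under `/tmp` or `/root` can be executed either, which is presumably intended but deserves a comment next to the entry.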
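Review bot: Dropping the `/home` mount in the third hunk while `/` becomes tmpfs leaves home directories on the volatile root unless something outside this file mounts them, and the `lambda/persistent/home` dataset is no longer mounted anywhere here. If that is intended, a one-line comment on the `fileSystems` block (`# /home deliberately stays on the tmpfs root; persistent data lives under /state`) would stop the next reader from re-adding it; if not, the entry should come back. The `noexec` added to the log and `/state` mounts is consistent with the root change.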
diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix index 69f6445..e7e655b 100644 --- a/config/host-config/lambda.nix +++ b/config/host-config/lambda.nix @@ -3,8 +3,11 @@ let shinobi-port = "7080"; shinobi-od-port = "7082"; + state-dir = /state; in { + boot.loader.grub.copyKernels = true; + networking = { interfaces = { enp3s0f0.useDHCP = false; @@ -12,7 +15,7 @@ in { enp4s0f0.useDHCP = false; enp4s0f1.useDHCP = false; - intif0 = { useDHCP = true; }; + intif0.useDHCP = true; }; }; 
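Review bot: `state-dir = /state;` is a Nix path literal, and every later `"${state-dir}/..."` interpolation coerces a path to a string by copying it into the Nix store, so evaluating this configuration on a machine where `/state` exists would, unless evaluation is restricted, copy the whole directory — SSH host keys and anything under `/state/secrets` included — into the world-readable store, and the generated links and `environment.etc` sources would then point at that store copy rather than at `/state`. Make it a string: `state-dir = "/state";`. The same applies to every use in the `systemd.tmpfiles.rules` and `environment.etc` hunk that follows (`@@ -33,89 +36,115 @@`).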
@@ -33,89 +36,115 @@ in { systemd.tmpfiles.rules = [ "L /root/.gnupg - - - - /state/root/gnupg" # "L /root/.emacs.d - - - - /state/root/emacs.d" - "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" - "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" - "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" - "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" - "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" + "L /root/.ssh/id_rsa - - - - ${state-dir}/root/ssh/id_rsa" + "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/state/root/ssh/id_rsa.pub" + "L /root/.ssh/known_hosts - - - - ${state-dir}/root/ssh/known_hosts" ]; + environment.etc = { + "ssh/ssh_host_rsa_key" = { + source = "${state-dir}/ssh/ssh_host_rsa_key"; + user = "root"; + group = "root"; + mode = "0400"; + }; + "ssh/ssh_host_rsa_key.pub" = { + source = "${state-dir}/ssh/ssh_host_rsa_key.pub"; + user = "root"; + group = "root"; + mode = "0444"; + }; + "ssh/ssh_host_ed25519_key" = { + source = "${state-dir}/ssh/ssh_host_ed25519_key"; + user = "root"; + group = "root"; + mode = "0400"; + }; + "ssh/ssh_host_ed25519_key.pub" = { + source = "${state-dir}/ssh/ssh_host_ed25519_key.pub"; + user = "root"; + group = "root"; + mode = "0444"; + }; + "machine-id".source = "${state-dir}/host/machine-id"; + }; + security.sudo.extraConfig = '' # Due to rollback, sudo will lecture after every reboot Defaults lecture = never ''; - virtualisation = { - docker = { - enable = true; - enableOnBoot = true; - autoPrune = { enable = true; }; - }; + # virtualisation = { + # docker = { + # enable = true; + # enableOnBoot = true; + # autoPrune = { enable = true; }; + # }; - oci-containers = { - containers = { - shinobi = { - image = "shinobisystems/shinobi:latest"; - ports = [ "${shinobi-port}:8080" ]; - volumes = [ - "/state/shinobi/plugins:/home/Shinobi/plugins" - "/state/shinobi/config:/home/Shinobi/config" - "/state/shinobi/videos:/home/Shinobi/videos" - 
"/state/shinobi/db-data:/var/lib/mysql" - "/etc/localtime:/etc/localtime:ro" - ]; - }; + # oci-containers = { + # containers = { + # shinobi = { + # image = "shinobisystems/shinobi:latest"; + # ports = [ "${shinobi-port}:8080" ]; + # volumes = [ + # "/state/shinobi/plugins:/home/Shinobi/plugins" + # "/state/shinobi/config:/home/Shinobi/config" + # "/state/shinobi/videos:/home/Shinobi/videos" + # "/state/shinobi/db-data:/var/lib/mysql" + # "/etc/localtime:/etc/localtime:ro" + # ]; + # }; - # shinobi-od = { - # image = "shinobisystems/shinobi-tensorflow:latest"; - # volumes = - # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; - # ports = [ "${shinobi-od-port}:8082" ]; - # environment = { - # PLUGIN_HOST = "panopticon.sea.fudo.org"; - # PLUGIN_PORT = shinobi-port; - # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; - # }; - # }; + # # shinobi-od = { + # # image = "shinobisystems/shinobi-tensorflow:latest"; + # # volumes = + # # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; + # # ports = [ "${shinobi-od-port}:8082" ]; + # # environment = { + # # PLUGIN_HOST = "panopticon.sea.fudo.org"; + # # PLUGIN_PORT = shinobi-port; + # # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; + # # }; + # # }; - # photoprism = { image = "photoprism/photoprism"; }; - }; - }; - }; + # # photoprism = { image = "photoprism/photoprism"; }; + # }; + # }; + # }; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; + # services.nginx = { + # enable = true; + # recommendedGzipSettings = true; + # recommendedOptimisation = true; + # recommendedProxySettings = true; - virtualHosts = { - "panopticon.sea.fudo.org" = { - locations."/" = { - proxyPass = "http://localhost:${shinobi-port}"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; + # virtualHosts = { + # "panopticon.sea.fudo.org" = { + # 
locations."/" = { + # proxyPass = "http://localhost:${shinobi-port}"; + # extraConfig = '' + # proxy_http_version 1.1; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - }; - # "panopticon-od.sea.fudo.org" = { - # locations."/" = { - # proxyPass = "http://localhost:${shinobi-od-port}"; - # extraConfig = '' - # proxy_http_version 1.1; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "Upgrade"; - # ''; - # }; - # }; - }; - }; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-By $server_addr:$server_port; + # proxy_set_header X-Forwarded-For $remote_addr; + # proxy_set_header X-Forwarded-Proto $scheme; + # ''; + # }; + # }; + # # "panopticon-od.sea.fudo.org" = { + # # locations."/" = { + # # proxyPass = "http://localhost:${shinobi-od-port}"; + # # extraConfig = '' + # # proxy_http_version 1.1; + # # proxy_set_header Upgrade $http_upgrade; + # # proxy_set_header Connection "Upgrade"; + # # ''; + # # }; + # # }; + # }; + # }; } diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix index 7f53fc0..33bee8b 100644 --- a/config/hosts/lambda.nix +++ b/config/hosts/lambda.nix @@ -1,6 +1,6 @@ { description = "sea.fudo.org experiment server."; - docker-server = true; + docker-server = false; ssh-fingerprints = [ "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35" "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88" @@ -14,4 +14,5 @@ profile = "server"; ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvgQsinDcoBZzneroy0QsCJUdiT8KdcI0YKWbSc++w8"; + enable-gui = false; } diff --git a/config/sites.nix b/config/sites.nix index 17e56da..f6e08f3 100644 --- a/config/sites.nix +++ b/config/sites.nix 
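Review bot: The `id_rsa.pub` rule has a doubled component — `${state-dir}/state/root/ssh/id_rsa.pub` resolves to `/state/state/root/ssh/id_rsa.pub`, unlike its two siblings — so that link will dangle; it should read `"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/root/ssh/id_rsa.pub"`. The `.gnupg` rule above it still hardcodes `/state` instead of `${state-dir}` and is worth aligning at the same time. The private-key `environment.etc` entries with `mode = "0400"` are copied into `/etc` at activation rather than symlinked, which works on the tmpfs root, but `services.openssh.hostKeys` pointing at the `/state` files would express the same intent without four hand-written entries; the `machine-id` entry, having no mode, becomes a symlink and presumably needs `/state` mounted before systemd reads it.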
@@ -21,7 +21,7 @@ speed-factor = 2; }; }; - enable-distributed-builds = true; + enable-distributed-builds = false; keytab-directory = "/state/secrets/kerberos"; # FIXME: good idea? # network-mounts = { diff --git a/configuration.nix b/configuration.nix index a9aadbe..e8e6b69 100644 --- a/configuration.nix +++ b/configuration.nix @@ -10,6 +10,7 @@ in { hostname = local.hostname; home-manager-package = ; pkgs = pkgs; + include-secrets = false; }) ]; } diff --git a/home-manager/niten.nix b/home-manager/niten.nix index 126bcdd..1fe42cd 100644 --- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -10,6 +10,23 @@ let enable-gui = host-config.enable-gui; + doom-emacs-minus-deps = pkgs.callPackage (pkgs.fetchgit { + url = "https://github.com/vlaci/nix-doom-emacs.git"; + rev = "3893c50877a9d2d5d4aeee524ba1539f22115f1f"; + sha256 = "1jz8mxh143a4470mq303ng6dh3bxi6mcppqli4z0m13qhqssh4fx"; + }) { + doomPrivateDir = "${pkgs.doom-emacs-config}/"; + }; + + + doom-emacs = doom-emacs-minus-deps.overrideAttrs (old: rec { + nativeBuildInputs = old.nativeBuildInputs ++ [ + pkgs.clang + pkgs.cmake + pkgs.libclang + ]; + }); + gui-packages = with pkgs; [ exodus firefox @@ -35,6 +52,8 @@ let clojure cmake curl + # doom-emacs + doom-emacs-config doomEmacsInit enca file @@ -56,6 +75,7 @@ let lshw minecraft mkpasswd + mplayer mtr nixfmt nix-index @@ -121,15 +141,13 @@ in { if enable-gui then common-packages ++ gui-packages else common-packages; file = { - ".doom.d" = { - source = pkgs.doom-emacs-config; - recursive = true; - onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh"; - }; - ".local/share/openttd/baseset" = mkIf enable-gui { source = "${pkgs.openttd-data}/data"; }; + ".emacs.d/init.el".text = '' + (load "default.el") + ''; + # ".xsessions" = { # mode = "0554"; # text = '' diff --git a/initialize.nix b/initialize.nix index 5f6366f..d9e2cbc 100644 --- a/initialize.nix +++ b/initialize.nix 
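Review bot: In the first `home-manager/niten.nix` hunk, `rec` on the attribute set returned from the `overrideAttrs` function is unnecessary — nothing inside it refers to its own attributes — and both `doom-emacs-minus-deps` and `doom-emacs` appear unused, since `doom-emacs` is commented out in the package list further down, so the pinned checkout is dead code in this revision. Either drop the two bindings until they are wired in, or add a comment stating why they are kept (`# not yet in common-packages; kept for the pending native-deps fix`). Pinning `rev` together with `sha256` is the right way to fetch it once it is used.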
@@ -1,4 +1,4 @@ -{ hostname, home-manager-package, pkgs, ... }: +{ hostname, home-manager-package, pkgs, include-secrets ? true, ... }: let host-config = import (./. + "/config/hosts/${hostname}.nix"); @@ -20,5 +20,7 @@ in { config = { instance = { hostname = hostname; }; + + fudo.secrets.enable = include-secrets; }; } diff --git a/lib/fudo/secrets.nix b/lib/fudo/secrets.nix index 78571b6..befc479 100644 --- a/lib/fudo/secrets.nix +++ b/lib/fudo/secrets.nix @@ -91,6 +91,12 @@ let in { options.fudo.secrets = with types; { + enable = mkOption { + type = bool; + description = "Include secrets in the build (disable when secrets are unavailable)"; + default = true; + }; + host-secrets = mkOption { type = attrsOf (attrsOf (submodule secretOpts)); description = "Map of hosts to host secrets"; @@ -117,7 +123,7 @@ in { }; }; - config = { + config = mkIf cfg.enable { users.groups = { ${cfg.secret-group} = { members = cfg.secret-users ++ nix-build-users; }; }; diff --git a/lib/fudo/users.nix b/lib/fudo/users.nix index c450305..d8eff14 100644 --- a/lib/fudo/users.nix +++ b/lib/fudo/users.nix @@ -214,21 +214,6 @@ in { filterAttrs (username: userOpts: userOpts.home-manager-config != null) sys.local-users; in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users; - - # users = let - # home-manager-users = - # filterAttrs (username: userOpts: userOpts.home-manager-config != null) - # local-users; - # common-user-config = username: { - # home.file.".k5login" = { - # source = pkgs.writeText "${username}-k5login" '' - # ${concatStringsSep "\n" config.fudo.users.${username}.k5login} - # ''; - # }; - # }; - # in mapAttrs (username: userOpts: - # userOpts.home-manager-config // (common-user-config username)) - # home-manager-users; }; }; } diff --git a/live-disk.nix b/live-disk.nix index 002f190..7a57e42 100644 --- a/live-disk.nix +++ b/live-disk.nix 
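Review bot: In the `lib/fudo/secrets.nix` hunks, the new `enable` option gates the module's whole `config` attribute with `mkIf cfg.enable`, which also drops the `${cfg.secret-group}` group and its members when secrets are disabled; other modules that reference that group or the secret paths may need their own guard, and the option description does not say so. Extend it to something like `description = "Include secrets in the build. When false no secret files, group or users are defined, so consumers must be gated as well.";`. The `config` set continues past the end of the hunk.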
@@ -45,6 +45,12 @@ in { "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; extraGroups = [ "wheel" ]; }; + + root = { + authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=" + ]; + }; }; # groups = { wheel = { members = [ "niten" ]; }; };
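Review bot: Adding an `authorizedKeys` entry for `root` on the live disk makes root reachable over SSH on whatever network the installer image is booted on, which goes beyond the `wheel` user already defined above. If the intent is remote installation, pair it with an explicit `services.openssh.permitRootLogin = "prohibit-password";` so password login for root stays off, and consider scoping the key with a `from=` clause. The enclosing `users.users` block continues outside the hunk.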