nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changes for lambda, with tmpfs root

This commit is contained in:
Root 2021-07-20 18:28:12 -07:00
parent 7b889633d8
commit d69ae43b1a
10 changed files with 154 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
config/hardware/lambda.nix
View File

@ -23,14 +23,13 @@ in {
kernelModules = [ ];
};
kernelModules = [ "kvm-amd" ];
kernelPackages = pkgs.linuxPackages.zfs;
kernelModules = [ "kvm-intel" ];
supportedFilesystems = [ "zfs" ];
loader.grub = {
enable = true;
version = 2;
device = "/dev/disk/by-label/lambda-root";
device = "/dev/disk/by-id/wwn-0x600508b1001cecf6b880f591f9b18b29";
};
};
@ -38,11 +37,13 @@ in {
"/boot" = {
device = "/dev/disk/by-label/lambda-boot";
fsType = "ext4";
options = [ "noexec" ];
};
"/" = {
device = "lambda/transient/root";
fsType = "zfs";
device = "none";
fsType = "tmpfs";
options = [ "noexec" ];
};
"/nix" = {
@ -54,29 +55,20 @@ in {
device = "lambda/transient/logs";
fsType = "zfs";
neededForBoot = true;
};
"/home" = {
device = "lambda/persistent/home";
fsType = "zfs";
options = [ "noexec" ];
};
"/state" = {
device = "lambda/persistent/state";
fsType = "zfs";
options = [ "noexec" ];
};
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r lambda/transient/root@blank
'';
swapDevices = [{ device = "/dev/disk/by-label/lambda-swap"; }];
nix.maxJobs = lib.mkDefault 12;
hardware.bluetooth.enable = false;
networking = {
hostId = substring 0 8 (fileContents /etc/machine-id);

159
config/host-config/lambda.nix
View File

@ -3,8 +3,11 @@
let
shinobi-port = "7080";
shinobi-od-port = "7082";
state-dir = /state;
in {
boot.loader.grub.copyKernels = true;
networking = {
interfaces = {
enp3s0f0.useDHCP = false;
@ -12,7 +15,7 @@ in {
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
intif0 = { useDHCP = true; };
intif0.useDHCP = true;
};
};
@ -33,89 +36,115 @@ in {
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
# "L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
"L /root/.ssh/id_rsa - - - - ${state-dir}/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - ${state-dir}/root/ssh/known_hosts"
];
environment.etc = {
"ssh/ssh_host_rsa_key" = {
source = "${state-dir}/ssh/ssh_host_rsa_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_rsa_key.pub" = {
source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
user = "root";
group = "root";
mode = "0444";
};
"ssh/ssh_host_ed25519_key" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_ed25519_key.pub" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
user = "root";
group = "root";
mode = "0444";
};
"machine-id".source = "${state-dir}/host/machine-id";
};
security.sudo.extraConfig = ''
# Due to rollback, sudo will lecture after every reboot
Defaults lecture = never
'';
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune = { enable = true; };
};
# virtualisation = {
# docker = {
# enable = true;
# enableOnBoot = true;
# autoPrune = { enable = true; };
# };
oci-containers = {
containers = {
shinobi = {
image = "shinobisystems/shinobi:latest";
ports = [ "${shinobi-port}:8080" ];
volumes = [
"/state/shinobi/plugins:/home/Shinobi/plugins"
"/state/shinobi/config:/home/Shinobi/config"
"/state/shinobi/videos:/home/Shinobi/videos"
"/state/shinobi/db-data:/var/lib/mysql"
"/etc/localtime:/etc/localtime:ro"
];
};
# oci-containers = {
# containers = {
# shinobi = {
# image = "shinobisystems/shinobi:latest";
# ports = [ "${shinobi-port}:8080" ];
# volumes = [
# "/state/shinobi/plugins:/home/Shinobi/plugins"
# "/state/shinobi/config:/home/Shinobi/config"
# "/state/shinobi/videos:/home/Shinobi/videos"
# "/state/shinobi/db-data:/var/lib/mysql"
# "/etc/localtime:/etc/localtime:ro"
# ];
# };
# shinobi-od = {
# image = "shinobisystems/shinobi-tensorflow:latest";
# volumes =
# [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# ports = [ "${shinobi-od-port}:8082" ];
# environment = {
# PLUGIN_HOST = "panopticon.sea.fudo.org";
# PLUGIN_PORT = shinobi-port;
# PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# # shinobi-od = {
# # image = "shinobisystems/shinobi-tensorflow:latest";
# # volumes =
# # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# # ports = [ "${shinobi-od-port}:8082" ];
# # environment = {
# # PLUGIN_HOST = "panopticon.sea.fudo.org";
# # PLUGIN_PORT = shinobi-port;
# # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# # };
# # };
# # photoprism = { image = "photoprism/photoprism"; };
# };
# };
# };
# photoprism = { image = "photoprism/photoprism"; };
};
};
};
# services.nginx = {
# enable = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts = {
"panopticon.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:${shinobi-port}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
# "panopticon-od.sea.fudo.org" = {
# virtualHosts = {
# "panopticon.sea.fudo.org" = {
# locations."/" = {
# proxyPass = "http://localhost:${shinobi-od-port}";
# proxyPass = "http://localhost:${shinobi-port}";
# extraConfig = ''
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-By $server_addr:$server_port;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# '';
# };
# };
};
};
# # "panopticon-od.sea.fudo.org" = {
# # locations."/" = {
# # proxyPass = "http://localhost:${shinobi-od-port}";
# # extraConfig = ''
# # proxy_http_version 1.1;
# # proxy_set_header Upgrade $http_upgrade;
# # proxy_set_header Connection "Upgrade";
# # '';
# # };
# # };
# };
# };
}

3
config/hosts/lambda.nix
View File

@ -1,6 +1,6 @@
{
description = "sea.fudo.org experiment server.";
docker-server = true;
docker-server = false;
ssh-fingerprints = [
"1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
"1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
@ -14,4 +14,5 @@
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvgQsinDcoBZzneroy0QsCJUdiT8KdcI0YKWbSc++w8";
enable-gui = false;
}

2
config/sites.nix
View File

@ -21,7 +21,7 @@
speed-factor = 2;
};
};
enable-distributed-builds = true;
enable-distributed-builds = false;
keytab-directory = "/state/secrets/kerberos";
# FIXME: good idea?
# network-mounts = {

1
configuration.nix
View File

@ -10,6 +10,7 @@ in {
hostname = local.hostname;
home-manager-package = <home-manager>;
pkgs = pkgs;
include-secrets = false;
})
];
}

30
home-manager/niten.nix
View File

@ -10,6 +10,23 @@ let
enable-gui = host-config.enable-gui;
doom-emacs-minus-deps = pkgs.callPackage (pkgs.fetchgit {
url = "https://github.com/vlaci/nix-doom-emacs.git";
rev = "3893c50877a9d2d5d4aeee524ba1539f22115f1f";
sha256 = "1jz8mxh143a4470mq303ng6dh3bxi6mcppqli4z0m13qhqssh4fx";
}) {
doomPrivateDir = "${pkgs.doom-emacs-config}/";
};
doom-emacs = doom-emacs-minus-deps.overrideAttrs (old: rec {
nativeBuildInputs = old.nativeBuildInputs ++ [
pkgs.clang
pkgs.cmake
pkgs.libclang
];
});
gui-packages = with pkgs; [
exodus
firefox
@ -35,6 +52,8 @@ let
clojure
cmake
curl
# doom-emacs
doom-emacs-config
doomEmacsInit
enca
file
@ -56,6 +75,7 @@ let
lshw
minecraft
mkpasswd
mplayer
mtr
nixfmt
nix-index
@ -121,15 +141,13 @@ in {
if enable-gui then common-packages ++ gui-packages else common-packages;
file = {
".doom.d" = {
source = pkgs.doom-emacs-config;
recursive = true;
onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
};
".local/share/openttd/baseset" =
mkIf enable-gui { source = "${pkgs.openttd-data}/data"; };
".emacs.d/init.el".text = ''
(load "default.el")
'';
# ".xsessions" = {
# mode = "0554";
# text = ''

4
initialize.nix
View File

@ -1,4 +1,4 @@
{ hostname, home-manager-package, pkgs, ... }:
{ hostname, home-manager-package, pkgs, include-secrets ? true, ... }:
let
host-config = import (./. + "/config/hosts/${hostname}.nix");
@ -20,5 +20,7 @@ in {
config = {
instance = { hostname = hostname; };
fudo.secrets.enable = include-secrets;
};
}

8
lib/fudo/secrets.nix
View File

@ -91,6 +91,12 @@ let
in {
options.fudo.secrets = with types; {
enable = mkOption {
type = bool;
description = "Include secrets in the build (disable when secrets are unavailable)";
default = true;
};
host-secrets = mkOption {
type = attrsOf (attrsOf (submodule secretOpts));
description = "Map of hosts to host secrets";
@ -117,7 +123,7 @@ in {
};
};
config = {
config = mkIf cfg.enable {
users.groups = {
${cfg.secret-group} = { members = cfg.secret-users ++ nix-build-users; };
};

15
lib/fudo/users.nix
View File

@ -214,21 +214,6 @@ in {
filterAttrs (username: userOpts: userOpts.home-manager-config != null)
sys.local-users;
in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users;
# users = let
# home-manager-users =
# filterAttrs (username: userOpts: userOpts.home-manager-config != null)
# local-users;
# common-user-config = username: {
# home.file.".k5login" = {
# source = pkgs.writeText "${username}-k5login" ''
# ${concatStringsSep "\n" config.fudo.users.${username}.k5login}
# '';
# };
# };
# in mapAttrs (username: userOpts:
# userOpts.home-manager-config // (common-user-config username))
# home-manager-users;
};
};
}

6
live-disk.nix
View File

@ -45,6 +45,12 @@ in {
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
extraGroups = [ "wheel" ];
};
root = {
authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
];
};
};
# groups = { wheel = { members = [ "niten" ]; }; };