diff --git a/config/common.nix b/config/common.nix
index 6c007e2..c91cbb4 100644
--- a/config/common.nix
+++ b/config/common.nix
@@ -4,15 +4,23 @@ with lib;
 # Config common to all hosts, which don't belong anywhere else
 { config = let
- home-generator = pkgs.callPackage ../nix-home {};
- host-domain = config.fudo.hosts.${config.instance.hostname}.domain;
+ hashed-build-seed = pkgs.stdenv.mkDerivation {
+ name = "build-seed-hash";
+
+ phases = [ "installPhase" ];
+
+ buildInputs = with pkgs; [ coreutils ];
+
+ installPhase = ''
+ echo "${config.instance.build-seed}" | sha1sum | grep -o "^[^ ]*" > $out
+ '';
+ };
 in { nix.nixPath = lib.mkBefore [ "/nix/var/nix/profiles/per-user/$USER/channels" ];
- # home-manager.users.root = home-generator.generate-config {
- # username = "root";
- # home-dir = "/root";
- # user-email = "root@${config.instance.hostname}.${host-domain}";
- # } { };
+ environment.etc = {
+ build-timestamp.text = toString config.instance.build-timestamp;
+ "build-seed.sha1sum".text = "${hashed-build-seed}";
+ };
 };
 }
diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix
index 16b0f02..a76a1b4 100644
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
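Review bot: `"build-seed.sha1sum".text = "${hashed-build-seed}"` interpolates a derivation, and in Nix that yields its store path, so /etc/build-seed.sha1sum will contain `/nix/store/…-build-seed-hash` rather than the digest the installPhase writes to `$out`. The digest can be produced at evaluation time with no derivation at all, which also keeps the raw seed out of a world-readable .drv build script (the `echo "${config.instance.build-seed}"` line embeds it there): `"build-seed.sha1sum".text = builtins.hashString "sha1" (config.instance.build-seed + "\n");` — the appended newline matches what `echo | sha1sum` actually hashes; if the derivation is kept instead, use `"build-seed.sha1sum".source = hashed-build-seed;`. Whether build-seed is meant to be confidential is not visible in this diff; if it is, a SHA-1 of a short seed published in /etc is cheaply brute-forced, and a non-secret identifier should be used here.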
@@ -1,3 +1,107 @@
+{ config, lib, pkgs, ... }:
+
+{
+ config = {
+
+ boot = {
+ initrd = {
+ luks.devices.plato-unlocked = {
+ device = "/dev/plato/plato-locked";
+ preLVM = false;
+ allowDiscards = true;
+ };
+ availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ "r8169"
+ ];
+ kernelModules = [ "dm-snapshot" ];
+ };
+
+ loader = {
+ grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/sda";
+ };
+ };
+
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "plato-root";
+ fsType = "tmpfs";
+ options = [ "mode=755" "size=12G" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/plato-boot";
+ fsType = "ext4";
+ options = [ "noatime" "nodiratime" "noexec" ];
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-label/plato-data";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" "compress=zstd" "noatime" "nodiratime" ];
+ };
+
+ "/var/log" = {
+ device = "/dev/disk/by-label/plato-data";
+ fsType = "btrfs";
+ options = [ "subvol=@log" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ neededForBoot = true;
+ };
+
+ "/state" = {
+ device = "/dev/disk/by-label/plato-data";
+ fsType = "btrfs";
+ options = [ "subvol=@state" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/plato-data";
+ fsType = "btrfs";
+ options = [ "subvol=@home" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ };
+ };
+
+ swapDevices = [{
+ device = "/dev/plato/plato-swap";
+ randomEncryption.enable = true;
+ }];
+
+ networking = {
+ macvlans = {
+ intif0 = {
+ interface = "enp1s0";
+ mode = "bridge";
+ };
+ };
+
+ interfaces = {
+ enp1s0.useDHCP = false;
+ intif0 = {
+ macAddress = "02:25:b7:67:c4:c2";
+ };
+ };
+ };
+ };
+}
+
+
+
+
+
+
+
 { config, lib, pkgs, ... }:
 with lib; {
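Review bot: The 104 added lines form a complete module that closes with `+}`, yet the hunk's trailing context shows the existing `{ config, lib, pkgs, ... }:` / `with lib; {` header still following it, and the next hunk's `-69,8 +173,8` offset is consistent with the whole old body remaining below — so the file would hold two top-level modules back to back, which Nix will not parse; this looks like an accidental paste of the file onto itself. The inserted copy also hardcodes `macAddress = "02:25:b7:67:c4:c2"`, the very value the following hunk replaces with a generated one. Separately, `allowDiscards = true` on the LUKS volume lets TRIM reveal which blocks of the encrypted device are unused, a leak the NixOS option itself documents as usually acceptable; a comment such as `# allowDiscards: TRIM exposes free-space layout of the encrypted volume; accepted for SSD longevity` would record that it is intentional.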
@@ -69,8 +173,8 @@ with lib; {
 interfaces = { enp1s0.useDHCP = false;
 intif0 = {
- # output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
- macAddress = "02:25:b7:67:c4:c2";
+ macAddress =
+ pkgs.lib.network.generate-mac-address config.instance.hostname "intif0";
 };
 };
 };
diff --git a/config/hardware/socrates.nix b/config/hardware/socrates.nix
index debd007..d50aed2 100644
--- a/config/hardware/socrates.nix
+++ b/config/hardware/socrates.nix
@@ -20,20 +20,6 @@
 "r8169" ];
 kernelModules = [ "dm-snapshot" ];
- # network = {
- # enable = true;
- # ssh = {
- # enable = true;
- # port = 22;
- # authorizedKeys = [
- # "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0= niten@plato"
- # ];
- # hostKeys = [
- # "/state/ssh/ssh_host_ed25519_key"
- # "/state/ssh/ssh_host_rsa_key"
- # ];
- # };
- # };
 };
 loader = {
diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix
index 0a763cf..e47e076 100644
--- a/config/host-config/plato.nix
+++ b/config/host-config/plato.nix
@@ -6,19 +6,19 @@ let primary-ip = "10.0.0.21";
 in { config = { networking = {
+ useDHCP = false;
+
 defaultGateway = { address = "10.0.0.1";
 interface = "intif0";
 };
- interfaces = {
- intif0 = {
- useDHCP = false;
- ipv4.addresses = [{
- address = primary-ip;
- prefixLength = 16;
- }];
- };
+ interfaces.intif0 = {
+ useDHCP = false;
+ ipv4.addresses = [{
+ address = primary-ip;
+ prefixLength = 16;
+ }];
 };
 };
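Review bot: The removed `# output of: echo plato-intif0|md5sum|sed …` comment was the only record of how this MAC is derived; `pkgs.lib.network.generate-mac-address` is not visible here, so nothing in the file now states that it must produce a locally-administered unicast address (first octet `02`, as the old scheme did) or that it still yields `02:25:b7:67:c4:c2` for plato, which a DHCP reservation or switch port-security entry may already be bound to. A one-line note such as `# deterministic locally-administered MAC from hostname+ifname; for plato this must remain 02:25:b7:67:c4:c2` would let a changed generator be noticed before the host loses its address. The file opens with `with lib;` while this line reaches for `pkgs.lib`, presumably because the helper lives in an overlay; if so, a comment saying where it comes from would help the next reader.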
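Review bot: `interfaces.intif0.useDHCP = false` is now redundant with the `networking.useDHCP = false` this hunk adds at the top level, which is the default for every interface that does not override it; keeping both is harmless but obscures that the global switch is what governs any interface added later (hardware/plato.nix already declares enp1s0 separately). Either drop the per-interface line or annotate it, e.g. `useDHCP = false; # global default already off; kept explicit for this interface`, so the intent is clear. The enclosing `config = {` block continues past the end of this hunk.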
@@ -28,17 +28,8 @@ in {
 secret-paths = [ "/state/secrets" ];
 };
- # boot.kernelParams = [ "nomodeset" ];
- # console.font = "VGA";
-
 systemd.tmpfiles.rules = [
- "L /root/.gnupg - - - - /state/root/gnupg"
- # "L /root/.emacs.d - - - - /state/root/emacs.d"
- "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
- "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
- "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
- "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
- "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
+ "L /etc/adjtime - - - - /state/etc/adjtime"
 ];
 environment = {
@@ -46,18 +37,11 @@ in {
 nixopsUnstable ];
 etc = {
- nixos.source = "/state/nixos";
- adjtime.source = "/state/etc/adjtime";
 NIXOS.source = "/state/etc/NIXOS";
- "host-config.nix".source = "/state/etc/host-config.nix";
 };
 };
- system.stateVersion = "20.09";
-
- boot.initrd.postDeviceCommands = lib.mkAfter ''
- ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
- '';
+ system.stateVersion = "21.05";
 security.sudo.extraConfig = ''
 # rollback results in sudo lectures after each reboot
diff --git a/config/host-config/socrates.nix b/config/host-config/socrates.nix
index bdb6037..3103a35 100644
--- a/config/host-config/socrates.nix
+++ b/config/host-config/socrates.nix
@@ -28,12 +28,9 @@ in {
 secret-paths = [ "/state/secrets" ];
 };
- # systemd.tmpfiles.rules = [
- # "L /root/.gnupg - - - - /state/root/gnupg"
- # "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
- # "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
- # "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
- # ];
+ systemd.tmpfiles.rules = [
+ "L /etc/adjtime - - - - /state/etc/adjtime"
+ ];
 environment = {
 systemPackages = with pkgs; [
@@ -41,8 +38,6 @@
 ];
 etc = {
- nixos.source = "/state/nixos";
- adjtime.source = "/state/etc/adjtime";
 NIXOS.source = "/state/etc/NIXOS";
 };
 };
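Review bot: Removing the `/etc/ssh/ssh_host_ed25519_key` and `/etc/ssh/ssh_host_rsa_key` links into /state matters on this host because hardware/plato.nix mounts `/` as tmpfs: unless something outside this diff points sshd at persistent keys, a new host key pair is generated on every boot, every client sees a changed-host-key warning, and users learn to click through them, which defeats host authentication. Nothing replacing the links is visible here; the idiomatic replacement is `services.openssh.hostKeys = [ { path = "/state/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ];`, which also avoids tmpfiles racing sshd's key generation. The same concern applies to root's `id_rsa`, `id_rsa.pub` and `known_hosts`, which will be absent after a reboot unless handled elsewhere. The enclosing `config = {` block starts and ends outside this hunk.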
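Review bot: `system.stateVersion` is changed from "20.09" to "21.05" on an existing host; NixOS documents this value as the release the system was first installed with, and raising it silently switches stateful defaults (database data directories, service user and directory layouts) for whatever services this host runs. If plato was reinstalled onto the new tmpfs-root layout the bump is correct, and a comment such as `# reinstalled on tmpfs root; stateVersion reflects that install, do not revert` would stop the next reader from undoing it; otherwise it should stay "20.09". The retained `# rollback results in sudo lectures after each reboot` comment now refers to the ZFS `zfs rollback` line removed here — the tmpfs root has the same effect, so rewording it to say so keeps the sudo config honest.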
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index 664d7ea..b07da96 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -39,11 +39,6 @@ in {
 etc.nixos-live.source = ../../.;
 systemPackages = global-packages;
-
- # shellInit = ''
- # ${pkgs.gnupg}/bin/gpg-connect-agent /bye
- # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
- # '';
 };
 system.autoUpgrade.enable = false;