commit 11f1275cc76f5ebedd9650c3109edcd5b4145fdd
parent 4bd8baa1d70643f3b3008979393e225440deec6e
Author: Vincent Demeester <vincent@sbr.pm>
Date: Wed, 3 Jun 2020 15:35:38 +0200
systems: migrate okinawa and sakhalin 🍶
… and make wakasu track nixos unstable 😸
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
4 files changed, 367 insertions(+), 1 deletion(-)
diff --git a/hardware/gigabyte-brix.nix b/hardware/gigabyte-brix.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ kernelParams = [
+ "kvm_intel.nested=1"
+ "intel_iommu=on"
+ ];
+ loader.efi.canTouchEfiVariables = true;
+ };
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ };
+}
diff --git a/hosts.nix b/hosts.nix
@@ -1,5 +1,7 @@
{
hokkaido = { arch = "x86_64-linux"; type = "unstable"; };
- # wakasu = { arch = "x86_64-linux"; };
+ wakasu = { arch = "x86_64-linux"; type = "unstable"; };
+ okinawa = { arch = "x86_64-linux"; };
+ sakhalin = { arch = "x86_64-linux"; };
# mypi = { arch = "aarch64-linux" };
}
diff --git a/systems/okinawa.nix b/systems/okinawa.nix
@@ -0,0 +1,131 @@
+{ lib, ... }:
+
+with lib;
+let
+ hostname = "okinawa";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/gigabyte-brix.nix
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/f10a12e7-d711-4bec-8246-a063de66589a";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/0cd32a1a-5eab-4cba-8c9c-de310645b8b1";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B89C-E217";
+ fsType = "vfat";
+ };
+ fileSystems."/mnt/naha" = {
+ device = "/dev/disk/by-uuid/9e2c7dda-2469-4f28-8d64-b34a609e3136";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/de4449cb-a158-409f-9e22-32a7b2c98c86"; }];
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ profiles = {
+ avahi.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ # FIXME remove the need for it
+ users.enable = false;
+ };
+
+ services = {
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [ ];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [ ];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ nix-binary-cache = {
+ enable = true;
+ domain = "nix.cache.home";
+ aliases = [ "cache.massimo.home" "nix.okinawa.home" ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ tarsnap = {
+ enable = true;
+ archives = {
+ documents = {
+ directories = [ "/home/vincent/desktop/documents" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.documents.key";
+ };
+ org = {
+ directories = [ "/home/vincent/desktop/org" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.org.key";
+ };
+ sites = {
+ directories = [ "/home/vincent/desktop/sites" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.sites.key";
+ };
+ };
+ };
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ security.pam.enableSSHAgentAuth = true;
+}
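Review bot: `syncthing.guiAddress = "0.0.0.0:8384";` combined with `firewall.enable = false;` earlier in the hunk exposes the Syncthing GUI on every interface, including the br1 bridge and the WireGuard interface that the `services.wireguard` block below sets up; the same pair is added in systems/sakhalin.nix in this commit. If LAN-only reach is the intent, bind to the bridge address, or keep the firewall on with `networking.firewall.allowedTCPPorts = [ 8384 ];`, and replace the `# we are in safe territory :D` comment with one that records the actual assumption, e.g. `# firewall off on purpose: host is only reachable via the home LAN and the wg tunnel; DNS/Syncthing/libvirt rely on that`. `virtualization = { ...; listenTCP = true; }` presumably opens a libvirt TCP listener as well — that profile lives in ../modules, outside this hunk, so it is worth confirming it requires authentication before relying on the disabled firewall. `endpointPort = if secretCondition then ... else 0;` yields a valid-looking but unusable port when the secrets file is missing; if the wireguard profile tolerates it, `null` would make the "no secrets" state fail loudly instead of silently misconfiguring the peer.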
diff --git a/systems/sakhalin.nix b/systems/sakhalin.nix
@@ -0,0 +1,216 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "sakhalin";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/gigabyte-brix.nix
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B226-075A";
+ fsType = "vfat";
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/mnt/gaia" = {
+ device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ fileSystems."/mnt/toshito" = {
+ device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ profiles = {
+ avahi.enable = true;
+ git.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ # FIXME remove the need for it
+ users.enable = false;
+ };
+
+ fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
+ fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
+
+ services = {
+ nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
+ /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
+ /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
+ '';
+ };
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [ ];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [ ];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ # -----------------------------------
+ environment.etc."vrsync".text = ''
+ /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
+ /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
+ /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
+ /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
+ /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
+ '';
+ systemd.services.vrsync = {
+ description = "vrsync - sync folders to NAS";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+
+ path = with pkgs; [ rsync coreutils bash openssh ];
+ script = ''
+ ${pkgs.vrsync}/bin/vrsync
+ '';
+
+ startAt = "hourly";
+ serviceConfig = {
+ Type = "oneshot";
+ OnFailure = "status-email-root@%n.service";
+ };
+ };
+ environment.etc."secrets/srht-token".source = pkgs.mkSecret ../secrets/token_srht;
+ # builds.sr.ht: daily builds
+ systemd.services.builds-srht = {
+ description = "Daily builds.sr.ht";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ script = "${pkgs.my.bus}/bin/bus";
+
+ startAt = "daily";
+ };
+ # ape – sync git mirrors
+ systemd.services.ape = {
+ description = "Ape - sync git mirrors";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git ];
+ script = ''
+ ${pkgs.my.ape}/bin/ape up /home/vincent/var/mirrors
+ '';
+
+ startAt = "hourly";
+ };
+ # mr -i u daily
+ systemd.services.mr = {
+ description = "Update configs daily";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git mr ];
+ script = ''
+ set -e
+ cd /mnt/gaia/src/configs/
+ mr -t run git reset --hard
+ mr -t u
+ '';
+
+ startAt = "daily";
+ };
+}
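Review bot: The `let` block deriving `ip`/`ips`/`endpointIP`/`endpointPort`/`endpointPublicKey` and the entire `services.bind` block are byte-for-byte copies of the ones added to systems/okinawa.nix in this commit; pulling them into a shared module (a helper taking `hostname`, and a DNS profile option) would keep the two hosts from drifting apart. The daily `mr` unit runs `mr -t run git reset --hard` before `mr -t u`, which discards any uncommitted local edits under /mnt/gaia/src/configs/ every day without notice; a comment stating that this is intended, such as `# configs tree is a pure mirror: local edits are deliberately thrown away`, would stop a future reader from treating it as a bug. The `vrsync` and `ape` scripts lack the `set -e` the `mr` script has, so a consistent prologue across the three oneshot units would be cleaner. `security.pam.enableSSHAgentAuth` is enabled on okinawa but not here; if that difference is deliberate, a short comment next to `security.apparmor.enable = true;` would make it clear.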