
commit 11f1275cc76f5ebedd9650c3109edcd5b4145fdd
parent 4bd8baa1d70643f3b3008979393e225440deec6e
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Wed,  3 Jun 2020 15:35:38 +0200

systems: migrate okinawa and sakhalin 🍶

… and make wakasu track nixos unstable 😸

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Ahardware/gigabyte-brix.nix | 17+++++++++++++++++
Mhosts.nix | 4+++-
Asystems/okinawa.nix | 131+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asystems/sakhalin.nix | 216+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 367 insertions(+), 1 deletion(-)

diff --git a/hardware/gigabyte-brix.nix b/hardware/gigabyte-brix.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ kernelParams = [
+ "kvm_intel.nested=1"
+ "intel_iommu=on"
+ ];
+ loader.efi.canTouchEfiVariables = true;
+ };
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ };
+}
diff --git a/hosts.nix b/hosts.nix
@@ -1,5 +1,7 @@
 {
 hokkaido = { arch = "x86_64-linux"; type = "unstable"; };
- # wakasu = { arch = "x86_64-linux"; };
+ wakasu = { arch = "x86_64-linux"; type = "unstable"; };
+ okinawa = { arch = "x86_64-linux"; };
+ sakhalin = { arch = "x86_64-linux"; };
 # mypi = { arch = "aarch64-linux" };
 }
diff --git a/systems/okinawa.nix b/systems/okinawa.nix
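Review bot: The kernel parameters `"kvm_intel.nested=1"` and `"intel_iommu=on"` in the new hardware file carry no comment saying which consumer needs them, and the file is imported by both new hosts, so the link is easy to lose. Both okinawa.nix and sakhalin.nix set `virtualization = { enable = true; nested = true; listenTCP = true; };`, which is presumably the reason; a one-line comment above `kernelParams` such as `# nested KVM + IOMMU for the virtualization profile (nested = true) on the hosts importing this file` would record it. If the IOMMU flag serves something else (device passthrough, for instance), the comment should say that instead.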
@@ -0,0 +1,131 @@
+{ lib, ... }:
+
+with lib;
+let
+ hostname = "okinawa";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/gigabyte-brix.nix
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/f10a12e7-d711-4bec-8246-a063de66589a";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/0cd32a1a-5eab-4cba-8c9c-de310645b8b1";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B89C-E217";
+ fsType = "vfat";
+ };
+ fileSystems."/mnt/naha" = {
+ device = "/dev/disk/by-uuid/9e2c7dda-2469-4f28-8d64-b34a609e3136";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/de4449cb-a158-409f-9e22-32a7b2c98c86"; }];
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ profiles = {
+ avahi.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ # FIXME remove the need for it
+ users.enable = false;
+ };
+
+ services = {
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [ ];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [ ];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ nix-binary-cache = {
+ enable = true;
+ domain = "nix.cache.home";
+ aliases = [ "cache.massimo.home" "nix.okinawa.home" ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ tarsnap = {
+ enable = true;
+ archives = {
+ documents = {
+ directories = [ "/home/vincent/desktop/documents" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.documents.key";
+ };
+ org = {
+ directories = [ "/home/vincent/desktop/org" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.org.key";
+ };
+ sites = {
+ directories = [ "/home/vincent/desktop/sites" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.sites.key";
+ };
+ };
+ };
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ security.pam.enableSSHAgentAuth = true;
+}
diff --git a/systems/sakhalin.nix b/systems/sakhalin.nix
@@ -0,0 +1,216 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "sakhalin";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/gigabyte-brix.nix
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B226-075A";
+ fsType = "vfat";
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/mnt/gaia" = {
+ device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ fileSystems."/mnt/toshito" = {
+ device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ profiles = {
+ avahi.enable = true;
+ git.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ # FIXME remove the need for it
+ users.enable = false;
+ };
+
+ fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
+ fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
+
+ services = {
+ nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
+ /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
+ /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
+ '';
+ };
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [ ];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [ ];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [ ];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ # -----------------------------------
+ environment.etc."vrsync".text = ''
+ /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
+ /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
+ /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
+ /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
+ /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
+ '';
+ systemd.services.vrsync = {
+ description = "vrsync - sync folders to NAS";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+
+ path = with pkgs; [ rsync coreutils bash openssh ];
+ script = ''
+ ${pkgs.vrsync}/bin/vrsync
+ '';
+
+ startAt = "hourly";
+ serviceConfig = {
+ Type = "oneshot";
+ OnFailure = "status-email-root@%n.service";
+ };
+ };
+ environment.etc."secrets/srht-token".source = pkgs.mkSecret ../secrets/token_srht;
+ # builds.sr.ht: daily builds
+ systemd.services.builds-srht = {
+ description = "Daily builds.sr.ht";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ script = "${pkgs.my.bus}/bin/bus";
+
+ startAt = "daily";
+ };
+ # ape – sync git mirrors
+ systemd.services.ape = {
+ description = "Ape - sync git mirrors";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git ];
+ script = ''
+ ${pkgs.my.ape}/bin/ape up /home/vincent/var/mirrors
+ '';
+
+ startAt = "hourly";
+ };
+ # mr -i u daily
+ systemd.services.mr = {
+ description = "Update configs daily";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git mr ];
+ script = ''
+ set -e
+ cd /mnt/gaia/src/configs/
+ mr -t run git reset --hard
+ mr -t u
+ '';
+
+ startAt = "daily";
+ };
+}
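Review bot: The NFS `exports` grant `rw` on /export, /export/gaia and /export/toshito to all of 192.168.1.0/24 and 10.100.0.0/24 with the default AUTH_SYS security, so every host in either range (the second looks like the VPN range, judging by the bind `vpn` zones) is trusted for the UID/GID it asserts, and `firewall.enable = false;` leaves the NFS ports reachable on every interface. If only a few clients need write access, listing them by address, or keeping `ro` for the VPN range, narrows that; a short comment above `exports = ''` naming the intended clients would help either way. All four oneshot units set `OnFailure = "status-email-root@%n.service";` but that template is not defined in this diff; if it comes from ../modules this is fine, otherwise systemd will warn at load and the failure notification never fires. The `mr` unit runs `mr -t run git reset --hard` before `mr -t u` daily as user vincent, which discards any local edits under /mnt/gaia/src/configs/; a comment stating that this is intended would save the next reader a surprise.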