

No commits in common. "master" and "metrics-server" have entirely different histories.

40 changed files with 363 additions and 761 deletions


@ -8,80 +8,71 @@ flakeDir="${FLAKE_DIR}" # Path to the flake file (and op
update=false # Whether to update flake.lock (false by default) update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script) user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
reboot=false reboot=false
remote=false remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() { function usage() {
echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions." echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions."
echo "" echo ""
echo "Running the script with no parameters performs the following operations:" echo "Running the script with no parameters performs the following operations:"
echo " 1. Pull the latest version of the config" echo " 1. Pull the latest version of the config"
echo " 2. Update your flake.lock file" echo " 2. Update your flake.lock file"
echo " 3. Commit any changes back to the repository" echo " 3. Commit any changes back to the repository"
echo " 4. Run 'nixos-rebuild switch'." echo " 4. Run 'nixos-rebuild switch'."
echo "" echo ""
echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]" echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo "Options:" echo "Options:"
echo " -h, --help Show this help screen." echo " -h, --help Show this help screen."
echo " -o, --operation The nixos-rebuild operation to perform." echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)." echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock." echo " -U, --update Update and commit flake.lock."
echo " -R, --build-host <user@host> Attempt build on remote host." echo " -u, --user Which user account to run git commands under."
echo " -r, --reboot Reboots system is there is a kernel or init update" echo ""
echo " -u, --user Which user account to run git commands under." exit 2
echo ""
exit 2
} }
# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
POSITIONAL_ARGS=() POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
--flake | -f) --flake|-f)
flakeDir="$2" flakeDir="$2"
shift shift
shift shift
;; ;;
--operation | -o) --update|--upgrade|-U)
operation="$2" update=true
shift shift
shift ;;
;; --reboot|-r)
--user | -u) reboot=true
user="$2" shift
shift ;;
shift --operation|-o)
;; operation="$2"
--build-host | -R) shift
remote=true shift
host="$2" ;;
shift --user|-u)
shift user="$2"
;; shift
--update | --upgrade | -U) shift
update=true ;;
shift --help|-h)
;; usage
--reboot | -r) exit 0
reboot=true ;;
shift *)
;; POSITIONAL_ARGS+=("$1") # save positional arg
--help | -h) shift
usage ;;
exit 0 esac
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift
;;
esac
done done
remainingArgs=${POSITIONAL_ARGS[@]} remainingArgs=${POSITIONAL_ARGS[@]}
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [ -z "${flakeDir}" ]; then if [ -z "${flakeDir}" ]; then
echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR." echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR."
exit 1 exit 1
fi fi
cd $flakeDir cd $flakeDir
@ -94,22 +85,16 @@ echo "Pulling the latest version of the repository..."
/run/wrappers/bin/sudo -u $user git pull /run/wrappers/bin/sudo -u $user git pull
if [ $update = true ]; then if [ $update = true ]; then
echo "Updating flake.lock..." echo "Updating flake.lock..."
/run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push /run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push
else else
echo "Skipping 'nix flake update'..." echo "Skipping 'nix flake update'..."
fi fi
options="--flake $flakeDir $remainingArgs --use-remote-sudo" options="--flake $flakeDir $remainingArgs --use-remote-sudo"
echo "Running this operation: nixos-rebuild $operation $options" echo "Running this operation: nixos-rebuild $operation $options"
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
if [ $remote = true ]; then
echo "Attempting remote build..."
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
else
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
fi
echo "Checking if reboot is necessary" echo "Checking if reboot is necessary"
reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})) reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))
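Review bot: `cd $flakeDir` at the end of the first hunk is unquoted and its status is never checked, so a path with whitespace or a glob character makes the cd fail and — with no `set -e` visible above the hunk — the following `sudo -u $user git pull` and the root `nixos-rebuild` run against whatever directory the caller happened to be in; use `cd -- "$flakeDir" || { echo "cannot cd to $flakeDir" >&2; exit 1; }`. The second hunk has the same quoting gap on `$user`, `$operation` and `$options`, and `remainingArgs=${POSITIONAL_ARGS[@]}` flattens the array so any pass-through nixos-rebuild argument containing whitespace is re-split; keep the array and expand `"${POSITIONAL_ARGS[@]}"` on the nixos-rebuild line instead of `$options`. A failing `git pull` also falls straight through to the rebuild, so `git pull || exit 1` is worth adding before a half-updated tree is switched to as root. The script header (shebang, any `set` options, the default for `operation`) lies before the first hunk and cannot be reviewed here.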


@ -271,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737043064, "lastModified": 1735882644,
"narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=", "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "94ee657f6032d913fe0ef49adaa743804635b0bb", "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
}, },
"locked": { "locked": {
"lastModified": 1737481937, "lastModified": 1734508046,
"narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=", "narHash": "sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk=",
"owner": "fort-nix", "owner": "fort-nix",
"repo": "nix-bitcoin", "repo": "nix-bitcoin",
"rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287", "rev": "33dbb41d581b86decf421cb3835c426d557e0e9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,16 +501,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736820923, "lastModified": 1736370755,
"narHash": "sha256-SDuKLOWAh8VJRXlNWQn9QE99bjeEUAAbYXqrKGbsiyk=", "narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "944c2b181792ae7ae6b20c0df3f44879c11706c9", "rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "lnl7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@ -539,11 +538,11 @@
}, },
"nix-secrets": { "nix-secrets": {
"locked": { "locked": {
"lastModified": 1737643624, "lastModified": 1737144574,
"narHash": "sha256-RAnbZSi2yagPCpNcm3U3wA6FAzbhGUi9ifvnu6Du3Rs=", "narHash": "sha256-g0B0+UkiRusGm5QkGC6uHa7Ybq6J7RgeF4aa/nrCeLg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "5260822187ce58af680e5aceba8fb01f10415def", "rev": "471fa5ee6f6d12f02c0e06a6fd595b7646139da4",
"revCount": 248, "revCount": 211,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -585,11 +584,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1737370608, "lastModified": 1734126203,
"narHash": "sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE=", "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "300081d0cc72df578b02d914df941b8ec62240e6", "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -601,11 +600,11 @@
}, },
"nixpkgs-unstable_2": { "nixpkgs-unstable_2": {
"locked": { "locked": {
"lastModified": 1737469691, "lastModified": 1736883708,
"narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -633,11 +632,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1737584761, "lastModified": 1737097711,
"narHash": "sha256-xP8UQqo3XSXy92tQ+wFvps46rVHnIc8W7ShQ5CUQALo=", "narHash": "sha256-Zql7TDxEMAOASLSu0wBlfM5SIY+4Pz2R/k17O/asCYc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f7b572b004be8e60c6727b3856a13efe17323212", "rev": "3cbc78cfa611511c04f47c4932509f9dbdf4381a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -649,11 +648,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1737469691, "lastModified": 1736883708,
"narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -678,11 +677,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1737283156, "lastModified": 1736598792,
"narHash": "sha256-FyHmM6vvz+UxCrPZo/poIaZBZejLHVKkAH4cjtUxZDA=", "narHash": "sha256-G6/9vT12RAxkNWQPEX9p8tTx/i8jJcmISpbVDGbEPGc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "abcbd250b8a2c7aab1f4b2b9e01598ee24b42337", "rev": "2004ff4547f11d25da78f393fe797dde2b831ce7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -699,11 +698,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1737602136, "lastModified": 1737107600,
"narHash": "sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk+t4lrJA=", "narHash": "sha256-pBF7pAmSRlmmObXbS71v0YM5sEC4/4HvesFV3oz2xQU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "80b6ff6a51dbebbe0bcc71858ae9a299e1207704", "rev": "b65350213a768bdf4d2da001537a6635edcd562a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -784,11 +783,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737411508, "lastModified": 1737107480,
"narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
"owner": "mic92", "owner": "mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -886,11 +885,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737103437, "lastModified": 1736154270,
"narHash": "sha256-uPNWcYbhY2fjY3HOfRCR5jsfzdzemhfxLSxwjXYXqNc=", "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "d1ed3b385f8130e392870cfb1dbfaff8a63a1899", "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -118,7 +118,7 @@
merlin = nixpkgs.lib.nixosSystem { merlin = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
modules = [ modules = [
./hosts/merlin ./hosts/nebula
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.extraSpecialArgs = specialArgs; home-manager.extraSpecialArgs = specialArgs;
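Review bot: The `merlin` nixosSystem now lists `./hosts/nebula` in `modules`, so the output named merlin is built from nebula's host configuration. If that is intentional the output should be renamed to match (or a comment left explaining the aliasing, e.g. `./hosts/nebula # merlin is being rebuilt from the nebula profile`); otherwise this looks like a wrong path and should remain `./hosts/merlin`. Only this one hunk of flake.nix is visible, so I cannot tell whether a separate `nebula` output exists.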


@ -26,6 +26,7 @@
pkgs.hunspellDicts.en_US pkgs.hunspellDicts.en_US
pkgs.set_wm_class pkgs.set_wm_class
pkgs.xorg.xkill pkgs.xorg.xkill
pkgs.krita
pkgs.R pkgs.R
pkgs.gimp pkgs.gimp
pkgs.gajim pkgs.gajim


@ -1,11 +0,0 @@
{
...
}: {
imports = [
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
}


@ -1,4 +1,4 @@
{ outputs, ... }: { config, pkgs, lib, outputs, ... }:
{ {
home.username = "admin"; home.username = "admin";
@ -7,16 +7,6 @@
imports = [ imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
};
};
};
home.packages = [ home.packages = [
]; ];
@ -27,7 +17,6 @@
]; ];
home.sessionVariables = { home.sessionVariables = {
EDITOR = "nvim";
}; };
programs.home-manager.enable = true; programs.home-manager.enable = true;
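Review bot: The new module signature `{ config, pkgs, lib, outputs, ... }:` binds `config`, `pkgs` and `lib`, but no line visible in these hunks uses them. Unused formal arguments are harmless to evaluation, yet they advertise dependencies the module does not have; keep `{ outputs, ... }:` unless the parts of the file outside these hunks actually reference the extra names.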


@ -11,11 +11,13 @@
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/nvme0n1"; # depends on target hardware dev = "/dev/nvme0n1"; # depends on target hardware
encrypted = true; # currrently only applies to btrfs encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = "/dev/mapper/crypted"; btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
@ -46,11 +48,9 @@ in {
../common/optional/pipewire.nix ../common/optional/pipewire.nix
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/dwm.nix ../common/optional/dwm.nix
../common/optional/nfs-mounts/media.nix
../common/optional/fileserver/nfs-client/media.nix ../common/optional/nfs-mounts/homeshare.nix
../common/optional/fileserver/nfs-client/photos.nix ../common/optional/nfs-mounts/photos.nix
../common/optional/fileserver/nfs-client/personal.nix
../common/optional/printing.nix ../common/optional/printing.nix
../common/optional/backlight.nix ../common/optional/backlight.nix
../common/optional/xmodmap-arrow-remaps.nix ../common/optional/xmodmap-arrow-remaps.nix
@ -58,21 +58,19 @@ in {
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/powersave.nix ../common/optional/powersave.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
# ../../modules/nixos # ../../modules/nixos
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = { boot = {
supportedFilesystems = ["nfs"];
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelModules = ["iwlwifi"]; kernelModules = ["iwlwifi"];
initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"]; initrd.kernelModules = ["thinkpad-acpi" "acpi-call"];
# BUG: Using older linux kernel because of build errors kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
# see https://github.com/NixOS/nixpkgs/issues/375605
# kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
extraModulePackages = [ extraModulePackages = [
config.boot.kernelPackages.acpi_call config.boot.kernelPackages.acpi_call
]; ];
@ -94,7 +92,6 @@ in {
enable = true; enable = true;
persistent = true; persistent = true;
reboot = false; reboot = false;
remote = "remotebuild@${merlinIp}";
pushUpdates = false; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "*-*-* 08:00:00"; onCalendar = "*-*-* 08:00:00";
@ -107,8 +104,15 @@ in {
xkb.options = "caps:swapescape"; xkb.options = "caps:swapescape";
dpi = 196; dpi = 196;
upscaleDefaultCursor = true; upscaleDefaultCursor = true;
# FIXME this doesnt work for some reason
# displayManager.sessionCommands = pkgs.writeShellScriptBin "key-remaps" ''
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
# '';
}; };
# enable oom killer when system ram drops below 5% free # enable oom killer when system ram drops below 5% free
earlyoom = { earlyoom = {
enable = true; enable = true;
@ -161,6 +165,18 @@ in {
powerManagement.finegrained = true; powerManagement.finegrained = true;
open = false; open = false;
nvidiaSettings = true; nvidiaSettings = true;
# # FIXME issue with stable nvidia driver and latest linux kernel
# # use mkDriver to specify newer nvidia driver that is compatible
# # see: https://github.com/NixOS/nixpkgs/issues/341844#issuecomment-2351075413
# # and https://discourse.nixos.org/t/builder-for-nvidia-x11-550-78-6-10-drv-failed-with-exit-code-2/49360/32
# package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "555.58.02";
# sha256_64bit = "sha256-xctt4TPRlOJ6r5S54h5W6PT6/3Zy2R4ASNFPu8TSHKM=";
# sha256_aarch64 = "sha256-wb20isMrRg8PeQBU96lWJzBMkjfySAUaqt4EgZnhyF8=";
# openSha256 = "sha256-8hyRiGB+m2hL3c9MDA/Pon+Xl6E788MZ50WrrAGUVuY=";
# settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
# persistencedSha256 = "sha256-a1D7ZZmcKFWfPjjH1REqPM5j/YLWKnbkP9qfRyIyxAw=";
# };
}; };
# https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix # https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
# https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15 # https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15
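Review bot: Two sizeable commented-out blocks are carried on the new side — the `# FIXME` xmodmap `displayManager.sessionCommands` under `services.xserver` and the nvidia `mkDriver` override with a pinned version and five hashes under `hardware.nvidia`. Dead configuration with stale hashes is easy to uncomment by accident and hides what is actually deployed; drop it in favour of git history, or reduce each to a one-line pointer such as `# nvidia driver/kernel mismatch workaround: see the two linked issues; re-add mkDriver only if the stable driver fails to build`. If `../common/optional/xmodmap-arrow-remaps.nix` (imported above) already provides the same remaps, the xmodmap block is redundant as well.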


@ -1,36 +0,0 @@
{
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = import "${fsModule}";
};
};
};
};
};
};
}


@ -19,6 +19,7 @@
"/swap" = { "/swap" = {
mountOptions = [ "noatime" ]; mountOptions = [ "noatime" ];
mountpoint = "/.swapvol"; mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
}; };
}; };
} }


@ -1,8 +1,11 @@
{ device, fsType, encrypted, impermanence, ... }: { device, fsType, encrypted, impermanence, ... }:
let let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
basic = import ./basic.nix { inherit device; fsModule = fsModule; }; basic = import ./${fsType}/basic.nix { inherit device; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; }; luks = import ./luks.nix { inherit device; fsModule = fsModule; };
in in
if fsType == "btrfs" && encrypted then luks if fsType == "ext4" then basic
else basic else if fsType == "btrfs" && encrypted then luks
else if fsType == "btrfs" then lvm
else null
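Review bot: The new fall-through `else null` on the last line silently yields no disko configuration for an unrecognised `fsType`, so a typo in the caller's `fsType` produces an empty disk layout instead of an evaluation error. Replace it with `else throw "disko: unsupported fsType '${fsType}'"` so the mistake surfaces when the configuration is evaluated rather than when the machine is partitioned.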


@ -1,4 +1,5 @@
{config, ...}: let {config, ...}:
let
openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path; openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
openVpnUser = config.sops.secrets."software/proton/openvpn_user".path; openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
in { in {
@ -7,18 +8,6 @@ in {
"software/proton/openvpn_user" = {}; "software/proton/openvpn_user" = {};
}; };
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
6887
];
allowedUDPPorts = [
6887
];
};
};
virtualisation.arion = { virtualisation.arion = {
backend = "podman-socket"; backend = "podman-socket";
projects.arrstack = { projects.arrstack = {
@ -30,7 +19,7 @@ in {
"6887:6887/udp" # qbittorrent torrenting port "6887:6887/udp" # qbittorrent torrenting port
]; ];
image = "qmcgaw/gluetun"; image = "qmcgaw/gluetun";
capabilities = {NET_ADMIN = true;}; capabilities = { NET_ADMIN = true; };
container_name = "glutun"; container_name = "glutun";
restart = "always"; restart = "always";
volumes = [ volumes = [
@ -42,7 +31,6 @@ in {
VPN_SERVICE_PROVIDER = "protonvpn"; VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "openvpn"; VPN_TYPE = "openvpn";
SERVER_COUNTRIES = "Switzerland"; SERVER_COUNTRIES = "Switzerland";
VPN_PORT_FORWARDING = "on";
}; };
devices = ["/dev/net/tun:/dev/net/tun"]; devices = ["/dev/net/tun:/dev/net/tun"];
}; };
@ -53,17 +41,18 @@ in {
restart = "always"; restart = "always";
volumes = [ volumes = [
"/srv/docker/media-server/arrstack/qbittorrent:/config" "/srv/docker/media-server/arrstack/qbittorrent:/config"
"/media/media/downloads:/downloads" "/media/media:/media"
]; ];
environment = { environment = {
TZ = "Europe/London"; TZ="Europe/London";
WEBUI_PORT = 8076; WEBUI_PORT=8076;
TORRENTING_PORT = 6887; TORRENTING_PORT=6887;
PUID = 1000; PUID=1000;
PGID = 1000; PGID=1000;
}; };
network_mode = "service:gluetun"; network_mode = "service:gluetun";
}; };
}; };
}; };
}; };
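Review bot: In the last hunk the qbittorrent volume becomes `"/media/media:/media"`, which gives the torrent client — running behind gluetun with its torrenting port published — read-write access to the whole media tree rather than just a download directory. Least privilege argues for binding only the subtree the client writes to, e.g. `"/media/media/downloads:/downloads"`, so a misbehaving or compromised container cannot modify the rest of the library. As a style point, `TZ="Europe/London";` and the four lines after it drop the spaces around `=` used everywhere else in this file (`capabilities = { NET_ADMIN = true; };` in the earlier hunk is the same inconsistency in the other direction).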


@ -1,29 +0,0 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.syncthing = {
settings = {
services.syncthing.service = {
ports = [
"8384:8384"
"22000:22000/tcp"
"22000:22000/udp"
"21027:21027/udp"
];
container_name = "syncthing";
image = "lscr.io/linuxserver/syncthing:latest";
restart = "always";
environment = {
PUID = "1000";
GUID = "1000";
};
volumes = [
"/srv/docker/syncthing/appdata/config:/config"
"/srv/docker/syncthing/data:/data"
];
};
};
};
};
}


@ -3,28 +3,29 @@ let
remoteMachineIp = configVars.networking.addresses.remote-builder.ip; remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
in in
{ {
# nix.distributedBuilds = true; nix.distributedBuilds = true;
# nix.settings.builders-use-substitutes = true; nix.settings.builders-use-substitutes = true;
# nix.settings.max-jobs = 0; nix.settings.max-jobs = 0;
# nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"]; nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
# nix.settings.substituters = ["ssh://${remoteMachineIp}"]; nix.settings.substituters = ["ssh://${remoteMachineIp}"];
#
# nix.buildMachines = [
# {
# hostName = "remotebuild@${remoteMachineIp}";
# speedFactor = 1;
# maxJobs = 10;
# sshKey = "/root/.ssh/remotebuild";
# system = pkgs.stdenv.hostPlatform.system;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# }
# ];
programs.ssh.knownHosts = { nix.buildMachines = [
"merlin" = { {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ root@merlin"; hostName = "remotebuild@${remoteMachineIp}";
}; speedFactor = 1;
}; maxJobs = 10;
sshKey = "/root/.ssh/remotebuild";
system = pkgs.stdenv.hostPlatform.system;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
# TODO: set known host here when have static ip on main server
# programs.ssh.knownHosts = {
# "merlin" = {
# publicKey = "server pubkey";
# };
# };
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host ${remoteMachineIp} Host ${remoteMachineIp}
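Review bot: The new side enables `nix.distributedBuilds`, an `ssh://${remoteMachineIp}` substituter and a `buildMachines` entry authenticating with `/root/.ssh/remotebuild`, but the `programs.ssh.knownHosts` entry is left as a `# TODO` comment, so nothing in this module pins the builder's host key. Store paths and build results received over that SSH session are only as trustworthy as the host-key check, so pin it before `max-jobs = 0` routes every build there, e.g. `programs.ssh.knownHosts.remote-builder = { hostNames = [ remoteMachineIp ]; publicKey = "<builder host key placeholder>"; };` (an IP-keyed entry works until a static hostname exists). The `programs.ssh.extraConfig` block starting at `Host ${remoteMachineIp}` continues past the hunk, so I cannot see whether it relaxes `StrictHostKeyChecking` for that host.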


@ -0,0 +1,27 @@
{...}:
{
fileSystems."/exports" = {
device = "/dev/vdb1";
fsType = "ext4";
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/exports *(rw,insecure,all_squash)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}
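Review bot: `exports` grants `/exports *(rw,insecure,all_squash)` — a read-write export to every host that can reach the NFS ports — and the firewall block opens the NFSv3 port set on all interfaces, so reachability alone is the access control. Scope the client list to the network that needs it, e.g. `/exports <client-subnet-placeholder>/24(rw,sync,no_subtree_check,all_squash)`, and drop `insecure` unless a specific client cannot use a privileged source port. If only one interface faces the clients, `networking.firewall.interfaces.<iface>.allowedTCPPorts` limits the exposure further; the hard-coded `device = "/dev/vdb1"` is also worth a comment naming the host it assumes.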


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/media" = {
device = "${fileserverIp}:/srv/export/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/personal" = {
device = "${fileserverIp}:/srv/export/personal";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/photos" = {
device = "${fileserverIp}:/srv/export/photos";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,42 +0,0 @@
{configVars, ...}:
let
homeshareDataLocation = configVars.locations.homeshareDataLocation;
subnetIp = configVars.networking.addresses.subnet.ip;
in {
fileSystems."/srv/export/photos" = {
device = "${homeshareDataLocation}/photos";
options = [ "bind" ];
};
fileSystems."/srv/export/personal" = {
device = "${homeshareDataLocation}/personal";
options = [ "bind" ];
};
fileSystems."/srv/export/media" = {
device = "${homeshareDataLocation}/media";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/export/photos ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/media ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/personal ${subnetIp}/24(rw,sync,no_subtree_check)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}


@ -0,0 +1,9 @@
{
fileSystems."/media/homeshare" = {
device = "10.0.10.30:/mnt/homeshare";
fsType = "nfs";
options = [ "noatime" "_netdev" ];
};
}
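Review bot: The NFS server address `10.0.10.30` is hard-coded here and again in the new `media.nix` and `photos.nix` sections that follow, while the rest of the tree resolves addresses through `configVars.networking.addresses.*` (those two sibling files already take `configVars` for their mount points). Read it from the same place, e.g. `device = "${configVars.networking.addresses.<fileserver-key>.ip}:/mnt/homeshare";`, so the address is maintained once; the other side of this compare uses a `fileserver` key for exactly this purpose, if that key exists on this branch. None of the three mounts set `nfsvers` or `sec=`, so they rely on client defaults — fine on a trusted LAN, but worth a one-line comment stating that assumption.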


@ -0,0 +1,9 @@
{configVars, ...}: let
mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
in {
fileSystems.${mediaDataMountPoint} = {
device = "10.0.10.30:/mnt/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -0,0 +1,9 @@
{configVars, ...}: let
photosDataMountPoint = configVars.locations.photosDataMountPoint;
in {
fileSystems.${photosDataMountPoint} = {
device = "10.0.10.30:/mnt/photos";
fsType = "nfs";
options = ["noatime" "_netdev" "ro"];
};
}


@ -65,16 +65,6 @@ in {
pkgs.apacheHttpd pkgs.apacheHttpd
]; ];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -17,14 +17,6 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
baseddataData
];
};
};
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
@ -295,16 +287,6 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -3,15 +3,14 @@
lib, lib,
inputs, inputs,
configVars, configVars,
config,
outputs,
... ...
}: let }: let
containerName = "docker"; containerName = "docker";
containerIp = configVars.networking.addresses.docker.ip; containerIp = configVars.networking.addresses.docker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
dockerContainerData = configVars.locations.dockerContainerData; dockerContainerData = configVars.locations.dockerContainerData;
homeshareDataLocation = configVars.locations.homeshareDataLocation; mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
photosDataMountPoint = configVars.locations.photosDataMountPoint;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion; arion = inputs.arion;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
@ -25,6 +24,8 @@ in {
paths = [ paths = [
dockerContainerData dockerContainerData
]; ];
exclude = [
];
}; };
}; };
@ -45,14 +46,6 @@ in {
]; ];
extraFlags = ["--private-users-ownership=chown"]; extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [ allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{ {
node = "/dev/fuse"; node = "/dev/fuse";
modifier = "rwm"; modifier = "rwm";
@ -86,11 +79,7 @@ in {
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
bindMounts = { bindMounts = {
"/media/photos" = { "/media/photos" = {
hostPath = "${homeshareDataLocation}/photos"; hostPath = photosDataMountPoint;
isReadOnly = false;
};
"/run/opengl-driver/lib" = {
hostPath = "/run/opengl-driver/lib";
isReadOnly = false; isReadOnly = false;
}; };
"/dev/dri" = { "/dev/dri" = {
@ -98,7 +87,7 @@ in {
isReadOnly = false; isReadOnly = false;
}; };
"/media/media" = { "/media/media" = {
hostPath = "${homeshareDataLocation}/media"; hostPath = mediaDataMountPoint;
isReadOnly = false; isReadOnly = false;
}; };
"/srv/docker" = { "/srv/docker" = {
@ -119,13 +108,7 @@ in {
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in { in {
nixpkgs.overlays = [
outputs.overlays.unstable-packages
];
networking = { networking = {
enableIPv6 = false;
defaultGateway = "${gatewayIp}"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
{ {
@ -141,26 +124,6 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
hardware.graphics = {
enable = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.resolved.enable = true; services.resolved.enable = true;
sops = { sops = {
@ -178,7 +141,6 @@ in {
../arion-containers/arrstack.nix ../arion-containers/arrstack.nix
../arion-containers/jellyfin.nix ../arion-containers/jellyfin.nix
../arion-containers/photoprism.nix ../arion-containers/photoprism.nix
../arion-containers/syncthing.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [
@ -188,13 +150,10 @@ in {
pkgs.dive pkgs.dive
pkgs.podman-tui pkgs.podman-tui
pkgs.podman-compose pkgs.podman-compose
pkgs.unstable.nvidia-container-toolkit
]; ];
virtualisation = { virtualisation = {
containers.cdi.dynamic.nvidia.enable = true;
podman = { podman = {
enableNvidia = true;
enable = true; enable = true;
dockerSocket.enable = true; dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;


@ -6,18 +6,8 @@
}: let }: let
containerName = "metrics-server"; containerName = "metrics-server";
containerIp = configVars.networking.addresses.metrics-server.ip; containerIp = configVars.networking.addresses.metrics-server.ip;
dockerContainerIp = configVars.networking.addresses.docker.ip; dockerContainerIp = configVars.networking.addresses.docker.ip;
smWorkerIp = configVars.networking.addresses.sm-worker.ip; semitaIp = configVars.networking.addresses.semita.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
postres = configVars.networking.addresses.postgres.ip;
backupServer = configVars.networking.addresses.backup-server.ip;
http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
metricsServerContainerData = configVars.locations.metricsServerContainerData; metricsServerContainerData = configVars.locations.metricsServerContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -31,6 +21,8 @@ in {
paths = [ paths = [
metricsServerContainerData metricsServerContainerData
]; ];
exclude = [
];
}; };
}; };
@ -73,7 +65,6 @@ in {
allowedTCPPorts = [ allowedTCPPorts = [
config.services.prometheus.port config.services.prometheus.port
config.services.grafana.port config.services.grafana.port
config.services.prometheus.exporters.blackbox.port
]; ];
}; };
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
@ -99,77 +90,22 @@ in {
{ {
targets = [ targets = [
"${dockerContainerIp}:9100" "${dockerContainerIp}:9100"
"${smWorkerIp}:9100" "${semitaIp}:9100"
"${merlinIp}:9100"
"${bdWorker}:9100"
"${pihole}:9100"
"${bitcoinNode}:9100"
"${postres}:9100"
"${backupServer}:9100"
]; ];
} }
]; ];
} }
{
job_name = "blackbox";
scrape_interval = "30s";
scrape_timeout = "15s";
metrics_path = "/probe";
params.module = ["http_basic"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
}
];
static_configs = [
{targets = http_endpoints;}
];
}
]; ];
}; };
services.grafana = { services.grafana = {
enable = true; enable = true;
settings.server = { port = 2342;
http_port = 2342; addr = "0.0.0.0";
http_addr = "0.0.0.0";
};
}; };
services.prometheus = { services.prometheus = {
exporters = { exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-conf.yaml" ''
modules:
http_basic:
prober: http
timeout: 5s
http:
preferred_ip_protocol: ip4
valid_http_versions: ["HTTP/1.1", "HTTP/2"]
method: GET
fail_if_ssl: false
fail_if_not_ssl: true
tls_config:
insecure_skip_verify: true
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ip4
'';
};
node = { node = {
enable = true; enable = true;
enabledCollectors = ["systemd"]; enabledCollectors = ["systemd"];
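Review bot: The Grafana block on the new side sets `port = 2342;` and `addr = "0.0.0.0";` directly under `services.grafana`, which are the legacy option names; the master column's `settings.server.http_port`/`http_addr` is the form current nixpkgs expects, and depending on the nixpkgs pin the short names either evaluate through a rename alias with a warning or are rejected as removed options. The firewall entry `config.services.prometheus.port`/`config.services.grafana.port` further up the section reads the same legacy option, so both spots need to move together: `settings.server = { http_port = 2342; http_addr = "0.0.0.0"; };` and `config.services.grafana.settings.server.http_port` in `allowedTCPPorts`. Both columns still bind Grafana and Prometheus on all addresses and open their ports to any peer of the container; if the scrape targets and one dashboard client are the only intended consumers, an interface- or source-scoped firewall rule would narrow that, but that predates this change.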


@ -10,7 +10,6 @@
containerIp = configVars.networking.addresses.bitcoin-node.ip; containerIp = configVars.networking.addresses.bitcoin-node.ip;
mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port; mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData; bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
bitcoindData = configVars.locations.bitcoindData;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip; allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -22,7 +21,7 @@ in {
bitcoinNodeContainerData bitcoinNodeContainerData
]; ];
exclude = [ exclude = [
"${bitcoindData}" "${bitcoinNodeContainerData}/bitcoind"
"${bitcoinNodeContainerData}/electrs" "${bitcoinNodeContainerData}/electrs"
]; ];
}; };
@ -49,10 +48,6 @@ in {
hostPath = bitcoinNodeContainerData; hostPath = bitcoinNodeContainerData;
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/bitcoind" = {
hostPath = bitcoindData;
isReadOnly = false;
};
}; };
config = { config = {
@ -186,16 +181,6 @@ in {
lnd.public = true; lnd.public = true;
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -16,6 +16,16 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
piholeContainerData
];
exclude = [
];
};
};
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
@ -68,7 +78,7 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
services.resolved.enable = false; services.resolved.enable = true;
imports = [ imports = [
arion.nixosModules.arion arion.nixosModules.arion
@ -79,8 +89,6 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.lsof
pkgs.podman-compose
]; ];
virtualisation = { virtualisation = {
@ -94,16 +102,6 @@ in {
networking.firewall.interfaces."podman+".allowedUDPPorts = [53]; networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
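Review bot: `services.resolved.enable = true;` on the new side runs systemd-resolved inside the container whose job is to serve DNS, and resolved's stub listener occupies 127.0.0.53:53; a Pi-hole process that binds the wildcard address on port 53 can then fail to start, so confirm the container's DNS service binds a specific address, or add `services.resolved.extraConfig = "DNSStubListener=no";` if resolved is only wanted for the container's own outbound lookups. The new `services.restic.backups.daily` entry backs up `piholeContainerData` with an empty `exclude` list; Pi-hole's persisted directory normally holds the FTL query database, a record of every client's lookups, so either exclude it or make sure the repository is encrypted and access-restricted (the directory layout is inferred from Pi-hole, not visible here). `exclude = [ ];` is also the option's default and can simply be dropped.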


@ -123,16 +123,6 @@ in {
# EOF # EOF
# ''; # '';
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -24,14 +24,6 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
semitamapsData
];
};
};
containers."${containerName}" = { containers."${containerName}" = {
enableTun = true; enableTun = true;
@ -108,7 +100,6 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.podman-compose
pkgs.jdk pkgs.jdk
]; ];
@ -137,16 +128,6 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -4,10 +4,13 @@
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
"/srv"
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
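Review bot: Persisting `"/run/secrets-for-users"` on the new side puts sops-nix's decrypted user secrets (the `passwords/*` files that `hashedPasswordFile` reads elsewhere in this compare) onto the `/persist` volume; sops-nix renders that directory into a RAM-backed mount at every boot precisely so the plaintext never reaches disk, and bind-mounting a persisted directory there either defeats that or conflicts with the mount depending on activation order. Drop the entry: the only thing that must survive a reboot for decryption to work is `/etc/ssh/ssh_host_ed25519_key`, which is already listed under `files` and is what the bootstrap script feeds to `ssh-to-age`. The side of the three single-column lines is inferred from the hunk counts (10 old, 13 new), which admit only "added".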


@ -1,31 +1,31 @@
{ { pkgs, inputs, config, lib, ... }:
pkgs, let
inputs, ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
config,
lib,
...
}: let
username = "admin"; username = "admin";
pubKeys = lib.filesystem.listFilesRecursive ../keys; pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName; hostname = config.networking.hostName;
sopsHashedPasswordFile = config.sops.secrets."passwords/${username}".path; sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in {
in
{
users.users.${username} = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; shell = pkgs.zsh; # default shell
hashedPasswordFile = sopsHashedPasswordFile; hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ extraGroups = [
"wheel" "wheel"
] ++ ifTheyExist [
"docker"
"lxc"
"git"
"podman"
]; ];
};
environment.persistence."/persist" = { packages = with pkgs; [
directories = [
"/home/${username}"
]; ];
}; };
@ -44,16 +44,13 @@ in {
mode = "0644"; mode = "0644";
owner = "${username}"; owner = "${username}";
}; };
"github-access-token" = {
mode = "0655";
};
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
home-manager = { home-manager = {
extraSpecialArgs = {inherit inputs;}; extraSpecialArgs = { inherit inputs; };
users = { users = {
${username} = import ../../../../home/${hostname}.nix; ${username} = import ../../../../home/${hostname}.nix;
}; };
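Review bot: `sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) ...` on the new side degrades to an empty string when the input is missing, so `hashedPasswordFile = "";` is handed to the user activation script and the admin account ends up in whatever state that script gives an unreadable password file, instead of a clear evaluation error. Prefer failing loudly: keep the unconditional `config.sops.secrets."passwords/${username}".path` as on master, or write `hashedPasswordFile = lib.mkIf (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;` so the option stays `null` rather than `""`. The `] ++ ifTheyExist [ "docker" "lxc" "git" "podman" ];` addition deserves a comment such as `# docker (and podman with the docker socket enabled) membership is root-equivalent`, since it silently grants whichever of those groups exist on the host and is not a lesser privilege than `wheel`. Several lines of the first hunk are changed pairs printed side by side, so the old/new split is partly inferred.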


@ -133,7 +133,6 @@ in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ directories = [
"/home/${username}" "/home/${username}"
"/var/lib/tailscale"
]; ];
}; };


@ -1,70 +1,32 @@
{ { inputs, ... }:
inputs, let
configVars, # Disko setup
lib,
config,
outputs,
...
}: let
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f"; dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
encrypted = false; # currrently only applies to btrfs encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2"; impermanence = false;
impermanence = true; user = "admin";
in
{
imports =
[
# Create users for this host
../common/users/${user}
homeshareDataLocation = configVars.locations.homeshareDataLocation; # Root disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
piholeIp = configVars.networking.addresses.pihole.ip; # Import core options
gatewayIp = configVars.networking.addresses.gateway.ip; ./hardware-configuration.nix
merlinIp = configVars.networking.addresses.merlin.ip; ../common/core
in {
imports = [
# Create users for this host
../common/users/admin
# Disk configuration # Import optional options
inputs.disko.nixosModules.disko ../common/optional/openssh.nix
(import ../common/disks { ../common/optional/docker
device = dev; ../common/optional/docker/postgres.nix
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence ];
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/openssh.nix
../common/optional/restic-backup.nix
../common/optional/docker.nix
../common/optional/nix-ld.nix
../common/optional/fileserver/nfs-server/homeshare.nix
# Nixos containers
../common/optional/nixos-containers/docker.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/metrics-server.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
outputs.nixosModules.nixosAutoUpgrade
];
boot = { boot = {
loader = { loader = {
@ -74,102 +36,17 @@ in {
}; };
}; };
fileSystems."/mnt/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
fileSystems."/mnt/btcnode" = {
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
fsType = "btrfs";
};
networking = { networking = {
hostName = "merlin"; hostName = "merlin";
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"]; networkmanager.enable = true;
defaultGateway = "${gatewayIp}";
useDHCP = false;
enableIPv6 = false; enableIPv6 = false;
bridges = {
br0 = {
interfaces = ["eth0"];
};
};
interfaces.br0 = {
ipv4.addresses = [
{
"address" = "${merlinIp}";
"prefixLength" = 24;
}
];
};
}; };
environment.persistence."/persist" = { boot.supportedFilesystems = [ "zfs" ];
directories = [
"/etc/zpool"
"/var/lib/tailscale"
];
};
services.restic.backups = {
daily = {
paths = [
homeshareDataLocation
];
};
};
# Enable OpenGL
hardware.graphics = {
enable = true;
};
# enable tailscale
services.tailscale.useRoutingFeatures = "server";
services.tailscale.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
# Load nvidia driver
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = false;
reboot = true;
pushUpdates = true;
configDir = "/etc/nixos";
onCalendar = "*-*-* 03:00:00";
user = "admin";
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
boot.supportedFilesystems = ["zfs"];
boot.zfs.forceImportRoot = false; boot.zfs.forceImportRoot = false;
networking.hostId = "18aec5d7"; networking.hostId = "18aec5d7";
boot.zfs.extraPools = ["deepzfs" "nvme-zpool"]; boot.zfs.extraPools = [ "zspeed" ];
services.libinput.enable = true; services.libinput.enable = true;
} }


@ -4,6 +4,9 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];


@ -18,7 +18,6 @@
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
semitaIp = configVars.networking.addresses.semita.ip; semitaIp = configVars.networking.addresses.semita.ip;
in { in {
imports = [ imports = [
@ -55,12 +54,31 @@ in {
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix # nfs mounts
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix
../common/optional/nfs-mounts/photos.nix
# nixos-containers
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/docker.nix
# ../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/metrics-server.nix
# # Build nix derivations on remote machine
# ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
services.tailscale.useRoutingFeatures = "server"; fileSystems."/mnt/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
boot = { boot = {
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
@ -84,12 +102,21 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
system.services.nixosAutoUpgrade = { system.services.nixosAutoUpgrade = {
enable = true; enable = true;
persistent = true; persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false; reboot = false;
pushUpdates = false; pushUpdates = true;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00"; onCalendar = "*-*-* 06:00:00";
user = "sam"; user = "sam";
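Review bot: The `services.prometheus.exporters.node` block with `openFirewall = true;` opens the exporter's port on every interface of this workstation, and node_exporter has no authentication of its own, so any peer on the LAN or a VPN route can read process, mount and systemd unit details; the only consumer visible in this compare is the metrics-server module's list of `:9100` scrape targets. Scope it instead: set `listenAddress` to the host address the container reaches, or keep the exporter but replace `openFirewall = true;` with `firewallFilter = "-p tcp -s <metrics-server-ip> --dport 9100";` so only the scraper is admitted. Whether this block is added or removed on the new side is inferred from the hunk's line counts, which do not balance cleanly, so treat that as probable rather than certain.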


@ -44,7 +44,7 @@ in {
# Import optional options # Import optional options
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/persistence.nix ../common/optional/persistence.nix
# ../common/optional/fileserver/media.nix ../common/optional/nfs-mounts/media.nix
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/printing.nix ../common/optional/printing.nix
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade


@ -25,10 +25,6 @@ in
description = "Automatically reboots the system if there is a kernel or systemd update."; description = "Automatically reboots the system if there is a kernel or systemd update.";
default = false; default = false;
}; };
remote = lib.mkOption {
type = lib.types.str;
description = "Attempts build on remote host <user@host>.";
};
onCalendar = lib.mkOption { onCalendar = lib.mkOption {
default = "daily"; default = "daily";
type = lib.types.str; type = lib.types.str;
@ -76,12 +72,11 @@ in
unitConfig.RequiresMountsFor = cfg.configDir; unitConfig.RequiresMountsFor = cfg.configDir;
script = lib.strings.concatStrings [ script = lib.strings.concatStrings [
"${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} " "${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
(if cfg.configDir != "" then "--flake ${cfg.configDir} " else "") (lib.mkIf (cfg.configDir != "") "--flake ${cfg.configDir} ").content
(if cfg.user != "" then "--user ${cfg.user} " else "") (lib.mkIf (cfg.user != "") "--user ${cfg.user} ").content
(if cfg.pushUpdates then "--update " else "") (lib.mkIf (cfg.pushUpdates) "--update ").content
(if cfg.reboot then "--reboot " else "") (lib.mkIf (cfg.reboot) "--reboot ").content
(if cfg.remote != "" then "--build-host ${cfg.remote} " else "") (lib.mkIf (cfg.extraFlags != "") cfg.extraFlags).content
cfg.extraFlags
]; ];
}; };
timers."nixos-upgrade" = { timers."nixos-upgrade" = {
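Review bot: `(lib.mkIf (cfg.pushUpdates) "--update ").content` and the four sibling lines on the new side pass their flag unconditionally: `lib.mkIf` only records the condition for the module system's merge step, and reading `.content` directly returns the string regardless of the condition. As written the root-run timer always executes `auto-update-nixos --update --reboot ...`, so a host with `reboot = false` or `pushUpdates = false` still reboots and pushes lock-file commits, and `--flake ` / `--user ` are emitted with empty arguments when those options are unset. `lib.optionalString` is the tool for this (master's `if ... then ... else ""` form is equivalent):
```nix
script = lib.strings.concatStrings [
  "${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
  (lib.optionalString (cfg.configDir != "") "--flake ${cfg.configDir} ")
  (lib.optionalString (cfg.user != "") "--user ${cfg.user} ")
  (lib.optionalString cfg.pushUpdates "--update ")
  (lib.optionalString cfg.reboot "--reboot ")
  cfg.extraFlags
];
```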


@ -40,48 +40,41 @@ trap cleanup EXIT
# Create the directory for target host keys # Create the directory for target host keys
install -d -m755 "$temp$persist/etc/ssh" install -d -m755 "$temp$persist/etc/ssh"
# Extract ssh keys from secrets # Create ssh keys
echo "Extracting ssh keys" echo "Creating '$hostname' ssh keys"
ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key
ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
# # Extract luks key from secrets # Extract luks key from secrets
# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
# echo "$luks_secret" > /tmp/luks_secret.key echo "$luks_secret" > /tmp/luks_secret.key
# # Create ssh keys # Generate age key from target host and user public ssh key
# echo "Creating '$hostname' ssh keys" echo "Generating age key from target host and user ssh key"
# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n"
# # Generate age key from target host and user public ssh key # Update .sops.yaml with new age key:
# echo "Generating age key from target host and user ssh key" SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") sed -i "{
# echo -e "Host age key:\n$HOST_AGE_KEY\n" # Remove any * and & entries for this host
/[*&]$hostname/ d;
# Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# Inject a new hosts: entry
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" "$SOPS_FILE"
# # Update .sops.yaml with new age key: # Commit and push changes to sops file
# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" just update-sops-secrets && just update-flake-secrets && just update-flake
# sed -i "{
# # Remove any * and & entries for this host
# /[*&]$hostname/ d;
# # Inject a new age: entry
# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# # Inject a new hosts: entry
# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
# }" "$SOPS_FILE"
# # Commit and push changes to sops file
# just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target # Copy current nix config over to target
echo "copying current nix config to host" echo "copying current nix config to host"
cp -pr . "$temp$persist/etc/nixos" cp -pr . "$temp$persist/etc/nixos"
# Install Nixos to target # Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.6.0 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
echo $? [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
echo "Deleting host from known_hosts" echo "Deleting host from known_hosts"
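Review bot: `echo "$luks_secret" > /tmp/luks_secret.key` on the new side writes the LUKS passphrase in plaintext to a fixed, predictable path with the caller's default umask (usually 0644), and nothing in the hunk removes it afterwards; `cleanup` from the `trap cleanup EXIT` context line is defined outside the hunk, so whether it covers this file cannot be seen here. Use a `mktemp` file set to mode 0600, pass it to `--disk-encryption-keys` as the local path (the first argument remains the path on the target), and remove it in `cleanup` so failure paths are covered too. `echo` also appends a newline, which becomes part of the key when the file is consumed as a cryptsetup key file rather than typed as a passphrase, so write it with `printf '%s'` and confirm against the disko LUKS settings which consumption path applies. The `[ $? != 0 ] && echo "Error installing Nixos" && exit 1` line prints its diagnostic to stdout; `if ! nix run ...; then printf '%s\n' "Error installing Nixos" >&2; exit 1; fi` is the usual shape.
```sh
# … unchanged: luks_secret=$(nix-shell -p sops --run "...") …
luks_key_file=$(mktemp) || exit 1
chmod 600 "$luks_key_file"
printf '%s' "$luks_secret" > "$luks_key_file"
# … unchanged: age key generation, .sops.yaml update, config copy …
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key "$luks_key_file" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
rm -f -- "$luks_key_file"
```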


@ -3,22 +3,19 @@
inherit (inputs.nix-secrets) inherit (inputs.nix-secrets)
networking networking
email email
metrics-server
; ;
locations = { locations = {
mediaDataMountPoint = "/media/media"; mediaDataMountPoint = "/media/media";
photosDataMountPoint = "/media/photos"; photosDataMountPoint = "/media/photos";
personalDataMountPoint = "/media/personal";
homeshareDataLocation = "/mnt/main-ssd/homeshare";
metricsServerContainerData = "/mnt/main-ssd/metrics-server"; metricsServerContainerData = "/mnt/main-ssd/metrics-server";
dockerContainerData = "/mnt/main-ssd/docker"; dockerContainerData = "/mnt/main-ssd/docker";
piholeContainerData = "/mnt/main-ssd/docker/pihole"; piholeContainerData = "/mnt/main-ssd/docker/pihole";
baseddataData = "/mnt/main-ssd/baseddata-data";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin"; bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
bitcoindData = "/mnt/btcnode/bitcoind"; backupContainerData = "/mnt/main-ssd/backup";
backupContainerData = "/mnt/deepzfs/backup"; postgresContainerData = "/mnt/main-ssd/postgresql";
postgresContainerData = "/mnt/nvme-zpool/postgresql"; semitamapsData = "/mnt/main-ssd/semitamaps-data";
semitamapsData = "/mnt/nvme-zpool/semitamaps-data"; baseddataData = "/mnt/main-ssd/baseddata-data";
}; };
} }