

82 Commits

Author SHA1 Message Date
Sam cb449a4083 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-24 14:07:10 +00:00
Sam 55dac5b5c8 fix saned subnet ip 2025-01-24 14:07:07 +00:00
Sam 9fbcb97a67 add sane filewall 2025-01-24 14:06:43 +00:00
Sam b70ff19505 small fix sane 2025-01-24 13:52:47 +00:00
Sam cb3d0c53d0 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-24 13:51:11 +00:00
Sam 867de36bf2 enable printing on semita 2025-01-24 13:51:07 +00:00
Sam fad69be936 setup remote scanning 2025-01-24 13:50:26 +00:00
Sam 4b3aa6463e Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-24 12:33:25 +00:00
Sam 04695d4526 print server for merlin 2025-01-24 12:33:21 +00:00
System administrator a8b91ff861 manual declare hw conf for sparky 2025-01-24 11:55:11 +00:00
Sam c5d3d7c7df sparky autoupgrade and change home persistence 2025-01-24 10:58:35 +00:00
Sam 4308e476fb add homeshare nfs client to semita 2025-01-24 10:35:24 +00:00
Sam cc351fda28 modify nixos update script to add remote build 2025-01-24 00:21:13 +00:00
Sam d131fe3cc2 modify nixos update script to add remote build 2025-01-24 00:14:51 +00:00
Sam f1e58a9285 add remote build to update script 2025-01-23 23:40:11 +00:00
Sam ab4d9e6f81 add nvidia support to docker container 2025-01-23 21:20:44 +00:00
Sam 302ce2a84f add blackbox exporter 2025-01-23 15:28:41 +00:00
Sam 7c12cd2dc7 flake.lock: Update
Flake lock file updates:

• Updated input 'nix-bitcoin':
    'github:fort-nix/nix-bitcoin/33dbb41d581b86decf421cb3835c426d557e0e9c?narHash=sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk%3D' (2024-12-18)
  → 'github:fort-nix/nix-bitcoin/dc4d14e07324e43b8773e3eb5eb2a10c6b469287?narHash=sha256-FJ0ATgYWavH3ZeA0ofTEMS%2B22HqYN2Lqu3G6IsqbKIg%3D' (2025-01-21)
• Updated input 'nix-bitcoin/nixpkgs-unstable':
    'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2?narHash=sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU%3D' (2024-12-13)
  → 'github:NixOS/nixpkgs/300081d0cc72df578b02d914df941b8ec62240e6?narHash=sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE%3D' (2025-01-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0d6514cc638f30997676f5be71317c7dc917ef0f?narHash=sha256-w5xL1oUVRZRC6mZ9CcuhfLn3b1vB5SXEMyzBQH8btvc%3D' (2025-01-22)
  → 'github:nixos/nixpkgs/f7b572b004be8e60c6727b3856a13efe17323212?narHash=sha256-xP8UQqo3XSXy92tQ%2BwFvps46rVHnIc8W7ShQ5CUQALo%3D' (2025-01-22)
• Updated input 'nur':
    'github:nix-community/NUR/71551eca173cc56fbf4b3d781ac5d152635e05d9?narHash=sha256-%2BU9pqH8KBC0QrwkqtA8RzmKXyxLTzmUBElR0JBRS11c%3D' (2025-01-22)
  → 'github:nix-community/NUR/80b6ff6a51dbebbe0bcc71858ae9a299e1207704?narHash=sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk%2Bt4lrJA%3D' (2025-01-23)
2025-01-23 03:18:10 +00:00
Sam 19cdd825af remove pihole and bitcoind from restic backup 2025-01-22 23:25:04 +00:00
Sam 41e0737541 Merge branch 'development' 2025-01-22 20:47:01 +00:00
Sam d89fe5e5e7 change qbittorrent data mount dir 2025-01-22 20:46:37 +00:00
Sam 46cc81b5e9 port forwarding in gluetun container 2025-01-22 20:08:13 +00:00
Sam acf5706bf6 change data drive locations and minor backup modifications 2025-01-22 19:15:53 +00:00
Sam daef8c69a5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/eea315cf7d26ae50d3873d56dcf87e8845a23fc5?narHash=sha256-qA5D6Wm9JzrvUvD7zOvK29x5SvemGRyk9oahasLtHXI%3D' (2025-01-21)
  → 'github:nixos/nixpkgs/0d6514cc638f30997676f5be71317c7dc917ef0f?narHash=sha256-w5xL1oUVRZRC6mZ9CcuhfLn3b1vB5SXEMyzBQH8btvc%3D' (2025-01-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c?narHash=sha256-Tbk1MZbtV2s5aG%2BiM99U8FqwxU/YNArMcWAv6clcsBc%3D' (2025-01-16)
  → 'github:nixos/nixpkgs/9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab?narHash=sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk%3D' (2025-01-21)
• Updated input 'nur':
    'github:nix-community/NUR/34215e55d69fe1292c4fee669444983d79cce53f?narHash=sha256-R0z3fxhP6YZXZ7MCAmx3yhqBgOldZyQMHK4eJJY4gS8%3D' (2025-01-21)
  → 'github:nix-community/NUR/71551eca173cc56fbf4b3d781ac5d152635e05d9?narHash=sha256-%2BU9pqH8KBC0QrwkqtA8RzmKXyxLTzmUBElR0JBRS11c%3D' (2025-01-22)
• Updated input 'nur/nixpkgs':
    'github:nixos/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c?narHash=sha256-Tbk1MZbtV2s5aG%2BiM99U8FqwxU/YNArMcWAv6clcsBc%3D' (2025-01-16)
  → 'github:nixos/nixpkgs/9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab?narHash=sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk%3D' (2025-01-21)
2025-01-22 03:22:21 +00:00
Sam b1374413d5 citadel downgrade linux kernel due to build errors 2025-01-21 23:43:44 +00:00
Sam ec85809206 modify distributed builds local machine 2025-01-21 23:36:46 +00:00
Sam 47245c4844 add subnet ip variable to fileserver and update secrets 2025-01-21 23:24:21 +00:00
Sam b0f9e82700 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-21 17:20:01 +00:00
Sam ba170a0ee4 deactivate auto updates on semita 2025-01-21 17:19:55 +00:00
Sam 33275e894f add rest of containers to merlin 2025-01-21 17:18:17 +00:00
Sam 4e57f67e92 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-21 17:17:57 +00:00
Sam 1d5dc592ad remove containers and mounts from semita] 2025-01-21 17:17:27 +00:00
Sam ca31181af0 add containers to merlin 2025-01-21 13:06:21 +00:00
Sam 235cdd4442 minor modification 2025-01-21 11:41:30 +00:00
Sam b79add0811 update flake.lock 2025-01-21 11:37:15 +00:00
Sam 2208bcf968 modify bootstrap script and change btrfsMountDevice in merlin 2025-01-21 11:05:08 +00:00
Sam ef393ba038 flake.lock: Update
Flake lock file updates:

• Updated input 'nur':
    'github:nix-community/NUR/2a1db46a5c59c4e367483fb159ef0ac429c40551?narHash=sha256-I5D1H9ah8ZHZ01VX1H8JGvHe4dqsYKAQhY17IW39uYk%3D' (2025-01-20)
  → 'github:nix-community/NUR/ebc0c383da65e99b2b04a616e9911556d09bbc9b?narHash=sha256-5N2pMCQYz%2B6aBXHh648if/IIqPZtk/mvaBP3dPnFlmM%3D' (2025-01-21)
2025-01-21 06:23:41 +00:00
Sam b0da513526 flake.lock: Update
Flake lock file updates:

• Updated input 'nur':
    'github:nix-community/NUR/f9cf00fbb45d981304918dfddc20fe46521c8e1d?narHash=sha256-KcLYxT0seQnwjOOCI13qHTq1WNb8UIaxNMSu2w3b%2B7c%3D' (2025-01-20)
  → 'github:nix-community/NUR/2a1db46a5c59c4e367483fb159ef0ac429c40551?narHash=sha256-I5D1H9ah8ZHZ01VX1H8JGvHe4dqsYKAQhY17IW39uYk%3D' (2025-01-20)
• Updated input 'sops-nix':
    'github:mic92/sops-nix/4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6?narHash=sha256-GXUE9%2BFgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o%3D' (2025-01-17)
  → 'github:mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20)
2025-01-21 03:05:09 +00:00
Sam 3b1a73bfb4 Merge branch 'development' 2025-01-20 23:28:07 +00:00
Sam c156ef427e added remotebuilder public key 2025-01-20 23:27:51 +00:00
Sam 597cec2099 update flake.lock 2025-01-20 23:16:23 +00:00
Sam 515e653f9e flake update 2025-01-20 21:37:42 +00:00
Sam 4c98876b31 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 21:31:06 +00:00
Sam 224bba965c change autoupdate merlin to 3am 2025-01-20 21:31:01 +00:00
Sam 48bcee3ed6 change semita push autoupdate 2025-01-20 21:29:46 +00:00
Sam 03cd70fc86 update flake secrets and add remote builder to merlin 2025-01-20 21:28:31 +00:00
Sam a76cdbb0c8 add push updates to merlin 2025-01-20 21:16:52 +00:00
Sam bc033a9e57 Add auto updates to merlin, mount btcnode disk and minor refactor 2025-01-20 21:13:01 +00:00
Sam 6b44db92ca Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 16:40:49 +00:00
Sam e87b6ca768 ADD: nvidia x11 drivers 2025-01-20 16:40:44 +00:00
Sam a48f13668e Merge git.bitlab21.com:sam/nixos into development 2025-01-20 16:38:54 +00:00
Sam 6df5c71ea1 ADD: nvidia drivers 2025-01-20 10:26:01 +00:00
Sam 92a5c93e6a ADD: default editor to admin hm session.vars 2025-01-20 10:01:53 +00:00
Sam dd46fb52a8 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 10:00:29 +00:00
Sam b737c360e5 MODIFY: add ssh keys to admin user 2025-01-20 09:58:16 +00:00
Sam a92ed489cb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1a0411805bc16f5a9571683e986aa1e583673b50?narHash=sha256-nN3e6WnE6cP4GLbDnDRY/cO1vB3HmWViht7m17vXgOE%3D' (2025-01-19)
  → 'github:nixos/nixpkgs/890f8d10603772918fbc568506ddd61f2264d3df?narHash=sha256-GlClp1IHdAImlw2xlQX0j74geniodHZhYnHocFwBFuI%3D' (2025-01-19)
• Updated input 'nur':
    'github:nix-community/NUR/de30640a76ddbada94babffe43f5e457282bed08?narHash=sha256-zWmNplzxsbMus2InIAVS9L9O1fscm%2BSG1XNjMUZxwqQ%3D' (2025-01-19)
  → 'github:nix-community/NUR/e7161d719b6e296bb4341f88ece66a89ac7322a9?narHash=sha256-IEp1dmer6FraEFyQEww2%2BH08TlRZbluGW5DMDKytcSk%3D' (2025-01-20)
2025-01-20 06:26:06 +00:00
Sam 27a5149ad2 MODIFY: port forwarding on semita for tailscale router 2025-01-20 00:07:37 +00:00
Sam ecebf8427d MODIFY: root pwd 2025-01-19 20:07:50 +00:00
Sam 59ed91f5de ADD: zpool to merlin persist 2025-01-19 19:52:24 +00:00
Sam d6fb0ed23c FIX: add persistance config for merlin 2025-01-19 19:42:02 +00:00
Sam 9345729ae2 MODIFY: persist admin homedir 2025-01-19 19:40:01 +00:00
Sam 2b67f11eab MODIFY: merlin host setup 2025-01-19 19:18:31 +00:00
Sam 1854ee0f33 MODIFY: merlin host setup 2025-01-19 14:57:00 +00:00
Sam 1187131524 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-19 12:31:03 +00:00
Sam dd3d73f0a3 FIX: persist tailscale dir 2025-01-19 12:30:51 +00:00
Sam ba181205c4 FEATURE: setup nfs-client on citadel 2025-01-19 12:22:50 +00:00
Sam ee98b5cf89 MODIFY: update flake secrets 2025-01-19 12:22:29 +00:00
Sam 6a9add44bd minor fix 2025-01-19 11:33:25 +00:00
Sam 59fb1d7193 MODIFY: remove bind-mounts from semita 2025-01-19 11:33:03 +00:00
Sam d783ee2665 MODIFY: change docker to homeshareDataLocation in configVars 2025-01-19 11:31:56 +00:00
Sam 84d5521949 FEATURE: add nfs-server configuration 2025-01-19 11:31:33 +00:00
Sam 8d69a14fb6 FEATURE: add nfs-clients for new fileserver 2025-01-19 11:30:52 +00:00
Sam 4453af9e45 MODIFY: remove bind-mounts from fileserver 2025-01-19 11:30:04 +00:00
Sam 4534d564f2 MODIFY: update flake.lock secrets 2025-01-19 11:28:47 +00:00
Sam 82b89bd6d0 FEATURE: add bind mounts for homeshare
- mount homeshare directories to media from homeshareDataLocation in configVars
2025-01-19 10:30:46 +00:00
Sam 6e236ff544 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8773174492fc61571b578f34a59953baba46471a?narHash=sha256-9mWmMXCto7e8U9hM8ZFozElv4dgOMTe308SSc7rEEFs%3D' (2025-01-18)
  → 'github:nixos/nixpkgs/eacdab35066b0bb1c9413c96898e326b76398a81?narHash=sha256-r3fxHvh%2BM/mBgCZXOACzRFPsJdix2QSsKazb7VCXXo0%3D' (2025-01-19)
• Updated input 'nur':
    'github:nix-community/NUR/cca606d5ab57ea665046167db8a486155e1cfbb0?narHash=sha256-JgZyCTqBWYo0RKhG6v3I3wS9kcpQhVHP0o5lvPLEvFw%3D' (2025-01-18)
  → 'github:nix-community/NUR/0b2b53ac3bd61384876cf8461d32e698064297ea?narHash=sha256-Ue2TumKTw%2B6VUSKdgHE93gViUTOJDmS2I0HjLbmrHls%3D' (2025-01-19)
2025-01-19 06:23:06 +00:00
Sam 3f0409ce73 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-18 11:48:37 +00:00
Sam 68c7d6d852 BUGFIX: fix conditional script construction in nixosAutoUpgrade.nix module 2025-01-18 11:48:32 +00:00
Sam 7559c51120 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-18 11:16:04 +00:00
Sam d20f09ac39 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e406743d5e0b2e40c53919aad5ece69af4ab54eb?narHash=sha256-ZYuYx2w2m86425CHyAyZLqu9NPE3zVFaQGNuKoTx/hw%3D' (2025-01-17)
  → 'github:nixos/nixpkgs/8773174492fc61571b578f34a59953baba46471a?narHash=sha256-9mWmMXCto7e8U9hM8ZFozElv4dgOMTe308SSc7rEEFs%3D' (2025-01-18)
• Updated input 'nur':
    'github:nix-community/NUR/92679ee687f57ed49dc9af0d4bdc6cbe6127c3da?narHash=sha256-mST0rIiY0ZURqfJUCeS7ziUg2QO5QhUxoGfmDxT2M7M%3D' (2025-01-17)
  → 'github:nix-community/NUR/cca606d5ab57ea665046167db8a486155e1cfbb0?narHash=sha256-JgZyCTqBWYo0RKhG6v3I3wS9kcpQhVHP0o5lvPLEvFw%3D' (2025-01-18)
2025-01-18 06:02:15 +00:00
Sam 1a81ffe2dc update flake.lock 2025-01-18 00:26:01 +00:00
Sam da1b00ac33 import nixosUpgrade module for sparky 2025-01-17 09:40:29 +00:00
44 changed files with 917 additions and 460 deletions


@ -8,6 +8,7 @@ flakeDir="${FLAKE_DIR}" # Path to the flake file (and op
update=false # Whether to update flake.lock (false by default) update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script) user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
reboot=false reboot=false
remote=false
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild) remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() { function usage() {
@ -25,12 +26,13 @@ function usage() {
echo " -o, --operation The nixos-rebuild operation to perform." echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)." echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock." echo " -U, --update Update and commit flake.lock."
echo " -R, --build-host <user@host> Attempt build on remote host."
echo " -r, --reboot Reboots system is there is a kernel or init update"
echo " -u, --user Which user account to run git commands under." echo " -u, --user Which user account to run git commands under."
echo "" echo ""
exit 2 exit 2
} }
# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
POSITIONAL_ARGS=() POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
@ -39,14 +41,6 @@ while [[ $# -gt 0 ]]; do
shift shift
shift shift
;; ;;
--update|--upgrade|-U)
update=true
shift
;;
--reboot|-r)
reboot=true
shift
;;
--operation | -o) --operation | -o)
operation="$2" operation="$2"
shift shift
@ -57,6 +51,20 @@ while [[ $# -gt 0 ]]; do
shift shift
shift shift
;; ;;
--build-host | -R)
remote=true
host="$2"
shift
shift
;;
--update | --upgrade | -U)
update=true
shift
;;
--reboot | -r)
reboot=true
shift
;;
--help | -h) --help | -h)
usage usage
exit 0 exit 0
@ -67,6 +75,7 @@ while [[ $# -gt 0 ]]; do
;; ;;
esac esac
done done
remainingArgs=${POSITIONAL_ARGS[@]} remainingArgs=${POSITIONAL_ARGS[@]}
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
@ -94,7 +103,13 @@ fi
options="--flake $flakeDir $remainingArgs --use-remote-sudo" options="--flake $flakeDir $remainingArgs --use-remote-sudo"
echo "Running this operation: nixos-rebuild $operation $options" echo "Running this operation: nixos-rebuild $operation $options"
if [ $remote = true ]; then
echo "Attempting remote build..."
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
else
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options /run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
fi
echo "Checking if reboot is necessary" echo "Checking if reboot is necessary"
reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})) reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))
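Review bot: In the `@ -57,6 +51,20 @@` hunk, `--build-host | -R` copies `$2` into `host` without checking that a value was supplied, so a trailing `-R` shifts past the end of the argument list and the final command in the last hunk runs with `--build-host ""`; guard it with `[ -n "${2:-}" ] || usage` before `host="$2"`. The last hunk also tests `[ $remote = true ]` unquoted (and expands `$operation $options` unquoted, which is pre-existing), so `[ "$remote" = true ]` is the safer form. The usage line `-r, --reboot Reboots system is there is a kernel or init update` reads `is` where `if` is meant, assuming that line is new rather than moved. Because the remote build is launched under `sudo -u root`, the SSH session to `$host` uses root's ssh config and known_hosts, which is where the builder's host key would have to be pinned; that lives outside this file. The `while`/`case` loop enclosing the option hunks begins and ends outside each of them.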


@ -271,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735882644, "lastModified": 1737043064,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", "narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", "rev": "94ee657f6032d913fe0ef49adaa743804635b0bb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
}, },
"locked": { "locked": {
"lastModified": 1734508046, "lastModified": 1737481937,
"narHash": "sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk=", "narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=",
"owner": "fort-nix", "owner": "fort-nix",
"repo": "nix-bitcoin", "repo": "nix-bitcoin",
"rev": "33dbb41d581b86decf421cb3835c426d557e0e9c", "rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,15 +501,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736370755, "lastModified": 1736820923,
"narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=", "narHash": "sha256-SDuKLOWAh8VJRXlNWQn9QE99bjeEUAAbYXqrKGbsiyk=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "57733bd1dc81900e13438e5b4439239f1b29db0e", "rev": "944c2b181792ae7ae6b20c0df3f44879c11706c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "lnl7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@ -538,11 +539,11 @@
}, },
"nix-secrets": { "nix-secrets": {
"locked": { "locked": {
"lastModified": 1737144574, "lastModified": 1737643624,
"narHash": "sha256-g0B0+UkiRusGm5QkGC6uHa7Ybq6J7RgeF4aa/nrCeLg=", "narHash": "sha256-RAnbZSi2yagPCpNcm3U3wA6FAzbhGUi9ifvnu6Du3Rs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "471fa5ee6f6d12f02c0e06a6fd595b7646139da4", "rev": "5260822187ce58af680e5aceba8fb01f10415def",
"revCount": 211, "revCount": 248,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -584,11 +585,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1734126203, "lastModified": 1737370608,
"narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", "narHash": "sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", "rev": "300081d0cc72df578b02d914df941b8ec62240e6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -600,11 +601,11 @@
}, },
"nixpkgs-unstable_2": { "nixpkgs-unstable_2": {
"locked": { "locked": {
"lastModified": 1736883708, "lastModified": 1737469691,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -632,11 +633,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1737097711, "lastModified": 1737584761,
"narHash": "sha256-Zql7TDxEMAOASLSu0wBlfM5SIY+4Pz2R/k17O/asCYc=", "narHash": "sha256-xP8UQqo3XSXy92tQ+wFvps46rVHnIc8W7ShQ5CUQALo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3cbc78cfa611511c04f47c4932509f9dbdf4381a", "rev": "f7b572b004be8e60c6727b3856a13efe17323212",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -648,11 +649,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1736883708, "lastModified": 1737469691,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -677,11 +678,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1736598792, "lastModified": 1737283156,
"narHash": "sha256-G6/9vT12RAxkNWQPEX9p8tTx/i8jJcmISpbVDGbEPGc=", "narHash": "sha256-FyHmM6vvz+UxCrPZo/poIaZBZejLHVKkAH4cjtUxZDA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "2004ff4547f11d25da78f393fe797dde2b831ce7", "rev": "abcbd250b8a2c7aab1f4b2b9e01598ee24b42337",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -698,11 +699,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1737107600, "lastModified": 1737602136,
"narHash": "sha256-pBF7pAmSRlmmObXbS71v0YM5sEC4/4HvesFV3oz2xQU=", "narHash": "sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk+t4lrJA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "b65350213a768bdf4d2da001537a6635edcd562a", "rev": "80b6ff6a51dbebbe0bcc71858ae9a299e1207704",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -783,11 +784,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737107480, "lastModified": 1737411508,
"narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=", "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
"owner": "mic92", "owner": "mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6", "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -885,11 +886,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736154270, "lastModified": 1737103437,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", "narHash": "sha256-uPNWcYbhY2fjY3HOfRCR5jsfzdzemhfxLSxwjXYXqNc=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", "rev": "d1ed3b385f8130e392870cfb1dbfaff8a63a1899",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -118,7 +118,7 @@
merlin = nixpkgs.lib.nixosSystem { merlin = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
modules = [ modules = [
./hosts/nebula ./hosts/merlin
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.extraSpecialArgs = specialArgs; home-manager.extraSpecialArgs = specialArgs;


@ -26,7 +26,6 @@
pkgs.hunspellDicts.en_US pkgs.hunspellDicts.en_US
pkgs.set_wm_class pkgs.set_wm_class
pkgs.xorg.xkill pkgs.xorg.xkill
pkgs.krita
pkgs.R pkgs.R
pkgs.gimp pkgs.gimp
pkgs.gajim pkgs.gajim

11
home/merlin.nix Normal file

@ -0,0 +1,11 @@
{
...
}: {
imports = [
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
}


@ -1,4 +1,4 @@
{ config, pkgs, lib, outputs, ... }: { outputs, ... }:
{ {
home.username = "admin"; home.username = "admin";
@ -7,6 +7,16 @@
imports = [ imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
};
};
};
home.packages = [ home.packages = [
]; ];
@ -17,6 +27,7 @@
]; ];
home.sessionVariables = { home.sessionVariables = {
EDITOR = "nvim";
}; };
programs.home-manager.enable = true; programs.home-manager.enable = true;
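Review bot: The new `programs.ssh.matchBlocks."git.bitlab21.com"` block in the `@ -7,6 +7,16 @@` hunk points at `~/.ssh/deploy_key-ssh-ed25519`, but nothing in the hunk records how that file reaches the machine or what it is permitted to do, so a reader cannot tell whether the admin home is complete on a fresh install. Add a comment above `identityFile`, e.g. `# deploy key for git.bitlab21.com; provisioned outside home-manager (sops?) — TODO confirm source and scope`. `identitiesOnly = true` is the right companion to a dedicated key, since it stops ssh from offering the agent's other identities to that host.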


@ -11,13 +11,11 @@
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/nvme0n1"; # depends on target hardware dev = "/dev/nvme0n1"; # depends on target hardware
encrypted = true; # currrently only applies to btrfs encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = btrfsMountDevice = "/dev/mapper/crypted";
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
@ -48,29 +46,33 @@ in {
../common/optional/pipewire.nix ../common/optional/pipewire.nix
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/dwm.nix ../common/optional/dwm.nix
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix ../common/optional/fileserver/nfs-client/media.nix
../common/optional/nfs-mounts/photos.nix ../common/optional/fileserver/nfs-client/photos.nix
../common/optional/printing.nix ../common/optional/fileserver/nfs-client/personal.nix
# ../common/optional/printing.nix
../common/optional/backlight.nix ../common/optional/backlight.nix
../common/optional/xmodmap-arrow-remaps.nix ../common/optional/xmodmap-arrow-remaps.nix
../common/optional/nix-ld.nix ../common/optional/nix-ld.nix
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/powersave.nix ../common/optional/powersave.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
# ../../modules/nixos # ../../modules/nixos
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = { boot = {
supportedFilesystems = ["nfs"];
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelModules = ["iwlwifi"]; kernelModules = ["iwlwifi"];
initrd.kernelModules = ["thinkpad-acpi" "acpi-call"]; initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"];
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest; # BUG: Using older linux kernel because of build errors
# see https://github.com/NixOS/nixpkgs/issues/375605
# kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
extraModulePackages = [ extraModulePackages = [
config.boot.kernelPackages.acpi_call config.boot.kernelPackages.acpi_call
]; ];
@ -92,6 +94,7 @@ in {
enable = true; enable = true;
persistent = true; persistent = true;
reboot = false; reboot = false;
remote = "remotebuild@${merlinIp}";
pushUpdates = false; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "*-*-* 08:00:00"; onCalendar = "*-*-* 08:00:00";
@ -104,15 +107,8 @@ in {
xkb.options = "caps:swapescape"; xkb.options = "caps:swapescape";
dpi = 196; dpi = 196;
upscaleDefaultCursor = true; upscaleDefaultCursor = true;
# FIXME this doesnt work for some reason
# displayManager.sessionCommands = pkgs.writeShellScriptBin "key-remaps" ''
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
# '';
}; };
# enable oom killer when system ram drops below 5% free # enable oom killer when system ram drops below 5% free
earlyoom = { earlyoom = {
enable = true; enable = true;
@ -165,18 +161,6 @@ in {
powerManagement.finegrained = true; powerManagement.finegrained = true;
open = false; open = false;
nvidiaSettings = true; nvidiaSettings = true;
# # FIXME issue with stable nvidia driver and latest linux kernel
# # use mkDriver to specify newer nvidia driver that is compatible
# # see: https://github.com/NixOS/nixpkgs/issues/341844#issuecomment-2351075413
# # and https://discourse.nixos.org/t/builder-for-nvidia-x11-550-78-6-10-drv-failed-with-exit-code-2/49360/32
# package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "555.58.02";
# sha256_64bit = "sha256-xctt4TPRlOJ6r5S54h5W6PT6/3Zy2R4ASNFPu8TSHKM=";
# sha256_aarch64 = "sha256-wb20isMrRg8PeQBU96lWJzBMkjfySAUaqt4EgZnhyF8=";
# openSha256 = "sha256-8hyRiGB+m2hL3c9MDA/Pon+Xl6E788MZ50WrrAGUVuY=";
# settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
# persistencedSha256 = "sha256-a1D7ZZmcKFWfPjjH1REqPM5j/YLWKnbkP9qfRyIyxAw=";
# };
}; };
# https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix # https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
# https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15 # https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15
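Review bot: In the `@ -11,13 +11,11 @@` hunk `btrfsMountDevice` becomes the fixed string `"/dev/mapper/crypted"` while `encrypted = true` stays a separate knob on the line above, so flipping `encrypted` to `false` would leave the mount pointing at a LUKS mapper the disk layout no longer creates; either derive it from `encrypted` again or mark the coupling, e.g. `btrfsMountDevice = "/dev/mapper/crypted"; # LUKS mapper from luks.nix; only valid while encrypted = true`. In the `@ -92,6 +94,7 @@` hunk the auto-upgrade gains `remote = "remotebuild@${merlinIp}"`, so root's nixos-rebuild will open an SSH session to that IP address. The builder's host key therefore has to be pinned under that address — a `programs.ssh.knownHosts` entry named `"merlin"` matches the name `merlin` by default, not the IP — or a non-interactive upgrade run will typically stop at host-key verification; worth confirming against the known-hosts module.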


@ -0,0 +1,36 @@
{
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = import "${fsModule}";
};
};
};
};
};
};
}
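Review bot: `fsModule ? "Must specify submodule"` on the third line of the new file defaults the parameter to a plain string instead of raising, unlike `device ? throw ...` just above it, so a caller that omits `fsModule` reaches `import "${fsModule}"` and fails with an unrelated file-not-found error for a path literally named `Must specify submodule`; make it `fsModule ? throw "Must specify submodule"`. `import "${fsModule}"` also stringifies the argument, which for a path value copies that single file into the store before importing it; if the imported module refers to sibling files by relative path that would break, and `import fsModule` avoids the copy (hedged — it depends on what callers pass).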


@ -19,7 +19,6 @@
"/swap" = { "/swap" = {
mountOptions = [ "noatime" ]; mountOptions = [ "noatime" ];
mountpoint = "/.swapvol"; mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
}; };
}; };
} }


@ -1,11 +1,8 @@
{ device, fsType, encrypted, impermanence, ... }: { device, fsType, encrypted, impermanence, ... }:
let let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
basic = import ./${fsType}/basic.nix { inherit device; }; basic = import ./basic.nix { inherit device; fsModule = fsModule; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; }; luks = import ./luks.nix { inherit device; fsModule = fsModule; };
in in
if fsType == "ext4" then basic if fsType == "btrfs" && encrypted then luks
else if fsType == "btrfs" && encrypted then luks else basic
else if fsType == "btrfs" then lvm
else null
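Review bot: The new selector `if fsType == "btrfs" && encrypted then luks else basic` routes every other combination to `basic`, so a host declaring `encrypted = true` with a non-btrfs `fsType` silently gets an unencrypted layout where the old code at least returned `null`; failing loudly is safer: `else if encrypted then throw "encrypted disks are only implemented for btrfs" else basic`. The fact that encryption only applies to btrfs is otherwise recorded only in a host comment (`# currrently only applies to btrfs`), so a one-line comment here stating it would keep the two in step.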


@ -1,5 +1,4 @@
{config, ...}: {config, ...}: let
let
openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path; openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
openVpnUser = config.sops.secrets."software/proton/openvpn_user".path; openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
in { in {
@ -8,6 +7,18 @@ in {
"software/proton/openvpn_user" = {}; "software/proton/openvpn_user" = {};
}; };
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
6887
];
allowedUDPPorts = [
6887
];
};
};
virtualisation.arion = { virtualisation.arion = {
backend = "podman-socket"; backend = "podman-socket";
projects.arrstack = { projects.arrstack = {
@ -31,6 +42,7 @@ in {
VPN_SERVICE_PROVIDER = "protonvpn"; VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "openvpn"; VPN_TYPE = "openvpn";
SERVER_COUNTRIES = "Switzerland"; SERVER_COUNTRIES = "Switzerland";
VPN_PORT_FORWARDING = "on";
}; };
devices = ["/dev/net/tun:/dev/net/tun"]; devices = ["/dev/net/tun:/dev/net/tun"];
}; };
@ -41,7 +53,7 @@ in {
restart = "always"; restart = "always";
volumes = [ volumes = [
"/srv/docker/media-server/arrstack/qbittorrent:/config" "/srv/docker/media-server/arrstack/qbittorrent:/config"
"/media/media:/media" "/media/media/downloads:/downloads"
]; ];
environment = { environment = {
TZ = "Europe/London"; TZ = "Europe/London";
@ -52,7 +64,6 @@ in {
}; };
network_mode = "service:gluetun"; network_mode = "service:gluetun";
}; };
}; };
}; };
}; };
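Review bot: The added `networking.firewall` block opens TCP and UDP 6887 on the host without a comment saying which service that port belongs to. Since qbittorrent runs with `network_mode = "service:gluetun"` and `VPN_PORT_FORWARDING = "on"` is set in the same change, inbound peer traffic arrives through the tunnel inside gluetun's network namespace, so a host-level rule is probably not what makes port forwarding work and mainly exposes a port on the LAN side — confirm what actually listens on 6887 on the host. If it is needed, annotate it: `# 6887: <service> listen port, reachable from the LAN (not via the VPN tunnel)`.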


@ -0,0 +1,29 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.syncthing = {
settings = {
services.syncthing.service = {
ports = [
"8384:8384"
"22000:22000/tcp"
"22000:22000/udp"
"21027:21027/udp"
];
container_name = "syncthing";
image = "lscr.io/linuxserver/syncthing:latest";
restart = "always";
environment = {
PUID = "1000";
GUID = "1000";
};
volumes = [
"/srv/docker/syncthing/appdata/config:/config"
"/srv/docker/syncthing/data:/data"
];
};
};
};
};
}
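Review bot: `GUID = "1000"` in the environment block looks like a typo for `PGID`; the linuxserver images read `PUID`/`PGID`, so only the uid is applied and the group stays at the image default. Separately, `"8384:8384"` publishes the Syncthing web UI on every interface of the container host, and until a GUI user and password are configured it is unauthenticated; binding it to loopback (`"127.0.0.1:8384:8384"`) and reaching it over SSH/Tailscale, or configuring credentials first, is the safer default. `image = "lscr.io/linuxserver/syncthing:latest"` is also unpinned, unlike a version or digest tag that would make the deployment reproducible.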


@ -3,29 +3,28 @@ let
remoteMachineIp = configVars.networking.addresses.remote-builder.ip; remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
in in
{ {
nix.distributedBuilds = true; # nix.distributedBuilds = true;
nix.settings.builders-use-substitutes = true; # nix.settings.builders-use-substitutes = true;
nix.settings.max-jobs = 0; # nix.settings.max-jobs = 0;
nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"]; # nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
nix.settings.substituters = ["ssh://${remoteMachineIp}"]; # nix.settings.substituters = ["ssh://${remoteMachineIp}"];
#
# nix.buildMachines = [
# {
# hostName = "remotebuild@${remoteMachineIp}";
# speedFactor = 1;
# maxJobs = 10;
# sshKey = "/root/.ssh/remotebuild";
# system = pkgs.stdenv.hostPlatform.system;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# }
# ];
nix.buildMachines = [ programs.ssh.knownHosts = {
{ "merlin" = {
hostName = "remotebuild@${remoteMachineIp}"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ root@merlin";
speedFactor = 1; };
maxJobs = 10; };
sshKey = "/root/.ssh/remotebuild";
system = pkgs.stdenv.hostPlatform.system;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
# TODO: set known host here when have static ip on main server
# programs.ssh.knownHosts = {
# "merlin" = {
# publicKey = "server pubkey";
# };
# };
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host ${remoteMachineIp} Host ${remoteMachineIp}
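Review bot: The new `programs.ssh.knownHosts."merlin"` entry pins the host key under the name `merlin`, but this machine connects to the builder by address (`Host ${remoteMachineIp}` below, and `remote = "remotebuild@${merlinIp}"` in the host configurations), so the pinned key is never consulted for that connection and host verification falls back to whatever the extraConfig sets. Add the address to the entry so the key actually matches: `hostNames = [ remoteMachineIp "merlin" ];` inside the `"merlin" = { ... };` block. The old TODO about waiting for a static IP is resolved here, so the entry deserves a short comment stating it is merlin's root host key. The `programs.ssh.extraConfig` block continues past the end of this hunk.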


@ -1,27 +0,0 @@
{...}:
{
fileSystems."/exports" = {
device = "/dev/vdb1";
fsType = "ext4";
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/exports *(rw,insecure,all_squash)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}


@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/media" = {
device = "${fileserverIp}:/srv/export/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}
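Review bot: This file and the two sibling nfs-client modules (personal, photos) are identical except for the share name and mount point, so any change to the mount options has to be made three times. A single parameterised module, e.g. `share: {configVars, pkgs, ...}: { fileSystems."/media/${share}" = { device = "${fileserverIp}:/srv/export/${share}"; fsType = "nfs"; options = ["noatime" "_netdev"]; }; }` imported as `(import <nfs-client module path> "media")`, keeps them in step. A comment on `options` noting that the NFS version is left to negotiation (no `nfsvers=`) would record the expectation for the server side.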


@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/personal" = {
device = "${fileserverIp}:/srv/export/personal";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/photos" = {
device = "${fileserverIp}:/srv/export/photos";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}
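Review bot: The mount this replaces was read-only (`options = ["noatime" "_netdev" "ro"]` in the deleted nfs-mounts/photos.nix), while the new `/media/photos` client mounts read-write, so every host importing this file can now modify or delete the photo archive where it previously could only read it. Unless client writes are intended, restore the flag: `options = ["noatime" "_netdev" "ro"];`. If writes are intended, a comment naming the host that writes and why would stop the next reader from re-adding `ro`.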


@ -0,0 +1,42 @@
{configVars, ...}:
let
homeshareDataLocation = configVars.locations.homeshareDataLocation;
subnetIp = configVars.networking.addresses.subnet.ip;
in {
fileSystems."/srv/export/photos" = {
device = "${homeshareDataLocation}/photos";
options = [ "bind" ];
};
fileSystems."/srv/export/personal" = {
device = "${homeshareDataLocation}/personal";
options = [ "bind" ];
};
fileSystems."/srv/export/media" = {
device = "${homeshareDataLocation}/media";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/export/photos ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/media ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/personal ${subnetIp}/24(rw,sync,no_subtree_check)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}
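Review bot: The exports grant `rw` on all three shares, including `/srv/export/personal`, to the whole `${subnetIp}/24` with plain AUTH_SYS, so any device that obtains an address on that subnet can mount them and its uids are taken at face value. configVars already holds the client addresses, so listing those hosts instead of the /24 (one `exports` line per client) narrows this considerably, and photos can be exported read-only unless a writer is known: `/srv/export/photos ${subnetIp}/24(ro,sync,no_subtree_check)`. A one-line comment above `exports` stating the intended clients would make the trust boundary explicit.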


@ -1,9 +0,0 @@
{
fileSystems."/media/homeshare" = {
device = "10.0.10.30:/mnt/homeshare";
fsType = "nfs";
options = [ "noatime" "_netdev" ];
};
}


@ -1,9 +0,0 @@
{configVars, ...}: let
mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
in {
fileSystems.${mediaDataMountPoint} = {
device = "10.0.10.30:/mnt/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,9 +0,0 @@
{configVars, ...}: let
photosDataMountPoint = configVars.locations.photosDataMountPoint;
in {
fileSystems.${photosDataMountPoint} = {
device = "10.0.10.30:/mnt/photos";
fsType = "nfs";
options = ["noatime" "_netdev" "ro"];
};
}


@ -65,6 +65,16 @@ in {
pkgs.apacheHttpd pkgs.apacheHttpd
]; ];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
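Review bot: The `services.prometheus.exporters.node` block added here is repeated verbatim in six other container and host configurations in this same change; a shared module (e.g. under `../common/optional/`) imported by each would keep the collector list and firewall setting in one place. `openFirewall = true` opens 9100 on every interface of each host and container, and the exporter serves host details to any caller; restricting it to the interface facing the metrics-server with `networking.firewall.interfaces.<if>.allowedTCPPorts` (the pattern pihole already uses for `"podman+"`), or at least commenting that LAN-wide exposure is accepted, would be worth doing in that shared module.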


@ -17,6 +17,14 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
baseddataData
];
};
};
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
@ -287,6 +295,16 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -3,14 +3,15 @@
lib, lib,
inputs, inputs,
configVars, configVars,
config,
outputs,
... ...
}: let }: let
containerName = "docker"; containerName = "docker";
containerIp = configVars.networking.addresses.docker.ip; containerIp = configVars.networking.addresses.docker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
dockerContainerData = configVars.locations.dockerContainerData; dockerContainerData = configVars.locations.dockerContainerData;
mediaDataMountPoint = configVars.locations.mediaDataMountPoint; homeshareDataLocation = configVars.locations.homeshareDataLocation;
photosDataMountPoint = configVars.locations.photosDataMountPoint;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion; arion = inputs.arion;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
@ -24,8 +25,6 @@ in {
paths = [ paths = [
dockerContainerData dockerContainerData
]; ];
exclude = [
];
}; };
}; };
@ -46,6 +45,14 @@ in {
]; ];
extraFlags = ["--private-users-ownership=chown"]; extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [ allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{ {
node = "/dev/fuse"; node = "/dev/fuse";
modifier = "rwm"; modifier = "rwm";
@ -79,7 +86,11 @@ in {
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
bindMounts = { bindMounts = {
"/media/photos" = { "/media/photos" = {
hostPath = photosDataMountPoint; hostPath = "${homeshareDataLocation}/photos";
isReadOnly = false;
};
"/run/opengl-driver/lib" = {
hostPath = "/run/opengl-driver/lib";
isReadOnly = false; isReadOnly = false;
}; };
"/dev/dri" = { "/dev/dri" = {
@ -87,7 +98,7 @@ in {
isReadOnly = false; isReadOnly = false;
}; };
"/media/media" = { "/media/media" = {
hostPath = mediaDataMountPoint; hostPath = "${homeshareDataLocation}/media";
isReadOnly = false; isReadOnly = false;
}; };
"/srv/docker" = { "/srv/docker" = {
@ -108,7 +119,13 @@ in {
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in { in {
nixpkgs.overlays = [
outputs.overlays.unstable-packages
];
networking = { networking = {
enableIPv6 = false;
defaultGateway = "${gatewayIp}"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
{ {
@ -124,6 +141,26 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
hardware.graphics = {
enable = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.resolved.enable = true; services.resolved.enable = true;
sops = { sops = {
@ -141,6 +178,7 @@ in {
../arion-containers/arrstack.nix ../arion-containers/arrstack.nix
../arion-containers/jellyfin.nix ../arion-containers/jellyfin.nix
../arion-containers/photoprism.nix ../arion-containers/photoprism.nix
../arion-containers/syncthing.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [
@ -150,10 +188,13 @@ in {
pkgs.dive pkgs.dive
pkgs.podman-tui pkgs.podman-tui
pkgs.podman-compose pkgs.podman-compose
pkgs.unstable.nvidia-container-toolkit
]; ];
virtualisation = { virtualisation = {
containers.cdi.dynamic.nvidia.enable = true;
podman = { podman = {
enableNvidia = true;
enable = true; enable = true;
dockerSocket.enable = true; dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
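Review bot: The new `"/run/opengl-driver/lib"` bind mount is marked `isReadOnly = false`, but the container only needs to load the host's driver libraries, so it should be `isReadOnly = true;` — otherwise a process in the container can alter libraries the host itself loads. `virtualisation.podman.enableNvidia = true` and `virtualisation.containers.cdi.dynamic.nvidia.enable = true` are both set; in recent nixpkgs both are deprecated in favour of `hardware.nvidia-container-toolkit.enable`, so check the pinned nixpkgs and keep only the supported option. The `allowUnfreePredicate`/`hardware.nvidia` block is also copied verbatim into merlin's configuration in this change; a small shared module would avoid the two drifting.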


@ -6,8 +6,18 @@
}: let }: let
containerName = "metrics-server"; containerName = "metrics-server";
containerIp = configVars.networking.addresses.metrics-server.ip; containerIp = configVars.networking.addresses.metrics-server.ip;
dockerContainerIp = configVars.networking.addresses.docker.ip; dockerContainerIp = configVars.networking.addresses.docker.ip;
semitaIp = configVars.networking.addresses.semita.ip; smWorkerIp = configVars.networking.addresses.sm-worker.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
postres = configVars.networking.addresses.postgres.ip;
backupServer = configVars.networking.addresses.backup-server.ip;
http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
metricsServerContainerData = configVars.locations.metricsServerContainerData; metricsServerContainerData = configVars.locations.metricsServerContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -21,8 +31,6 @@ in {
paths = [ paths = [
metricsServerContainerData metricsServerContainerData
]; ];
exclude = [
];
}; };
}; };
@ -65,6 +73,7 @@ in {
allowedTCPPorts = [ allowedTCPPorts = [
config.services.prometheus.port config.services.prometheus.port
config.services.grafana.port config.services.grafana.port
config.services.prometheus.exporters.blackbox.port
]; ];
}; };
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
@ -90,22 +99,77 @@ in {
{ {
targets = [ targets = [
"${dockerContainerIp}:9100" "${dockerContainerIp}:9100"
"${semitaIp}:9100" "${smWorkerIp}:9100"
"${merlinIp}:9100"
"${bdWorker}:9100"
"${pihole}:9100"
"${bitcoinNode}:9100"
"${postres}:9100"
"${backupServer}:9100"
]; ];
} }
]; ];
} }
{
job_name = "blackbox";
scrape_interval = "30s";
scrape_timeout = "15s";
metrics_path = "/probe";
params.module = ["http_basic"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
}
];
static_configs = [
{targets = http_endpoints;}
];
}
]; ];
}; };
services.grafana = { services.grafana = {
enable = true; enable = true;
port = 2342; settings.server = {
addr = "0.0.0.0"; http_port = 2342;
http_addr = "0.0.0.0";
};
}; };
services.prometheus = { services.prometheus = {
exporters = { exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-conf.yaml" ''
modules:
http_basic:
prober: http
timeout: 5s
http:
preferred_ip_protocol: ip4
valid_http_versions: ["HTTP/1.1", "HTTP/2"]
method: GET
fail_if_ssl: false
fail_if_not_ssl: true
tls_config:
insecure_skip_verify: true
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ip4
'';
};
node = { node = {
enable = true; enable = true;
enabledCollectors = ["systemd"]; enabledCollectors = ["systemd"];
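Review bot: `config.services.prometheus.exporters.blackbox.port` is added to the container's `allowedTCPPorts`, but its only consumer is the Prometheus in the same container (the relabel rule rewrites `__address__` to the exporter's own listenAddress), and blackbox's `/probe` endpoint performs requests to whatever target a caller names, so it should not be reachable from outside the container; drop that line. In the module config, `insecure_skip_verify: true` together with `fail_if_not_ssl: true` means a probe succeeds against any certificate, so an expired or wrong certificate, or the wrong endpoint answering, will not show up as a failure — if the endpoints use an internal CA, set `tls_config.ca_file` to it instead, or comment why verification is off. `postres` is a typo for `postgres` in the let-binding and its target.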


@ -10,6 +10,7 @@
containerIp = configVars.networking.addresses.bitcoin-node.ip; containerIp = configVars.networking.addresses.bitcoin-node.ip;
mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port; mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData; bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
bitcoindData = configVars.locations.bitcoindData;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip; allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -21,7 +22,7 @@ in {
bitcoinNodeContainerData bitcoinNodeContainerData
]; ];
exclude = [ exclude = [
"${bitcoinNodeContainerData}/bitcoind" "${bitcoindData}"
"${bitcoinNodeContainerData}/electrs" "${bitcoinNodeContainerData}/electrs"
]; ];
}; };
@ -48,6 +49,10 @@ in {
hostPath = bitcoinNodeContainerData; hostPath = bitcoinNodeContainerData;
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/bitcoind" = {
hostPath = bitcoindData;
isReadOnly = false;
};
}; };
config = { config = {
@ -181,6 +186,16 @@ in {
lnd.public = true; lnd.public = true;
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -16,16 +16,6 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
piholeContainerData
];
exclude = [
];
};
};
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
@ -78,7 +68,7 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
services.resolved.enable = true; services.resolved.enable = false;
imports = [ imports = [
arion.nixosModules.arion arion.nixosModules.arion
@ -89,6 +79,8 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.lsof
pkgs.podman-compose
]; ];
virtualisation = { virtualisation = {
@ -102,6 +94,16 @@ in {
networking.firewall.interfaces."podman+".allowedUDPPorts = [53]; networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
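Review bot: The `services.restic.backups.daily` entry for `piholeContainerData` is removed, so the pihole container's state is no longer in the daily backup while other containers in this change gain one; if that is intentional (e.g. the state is regenerated from configuration), a comment where the block was, `# pihole state is not backed up: regenerated from config`, would keep the next reader from re-adding it. `services.resolved.enable = false` together with `useHostResolvConf = lib.mkForce false` leaves nothing visible in this hunk that writes the container's `/etc/resolv.conf`; presumably the container resolves through its own pihole on localhost — confirm and note it next to the `resolved` line.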


@ -123,6 +123,16 @@ in {
# EOF # EOF
# ''; # '';
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -24,6 +24,14 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
semitamapsData
];
};
};
containers."${containerName}" = { containers."${containerName}" = {
enableTun = true; enableTun = true;
@ -100,6 +108,7 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.podman-compose
pkgs.jdk pkgs.jdk
]; ];
@ -128,6 +137,16 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;


@ -4,13 +4,10 @@
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
"/srv"
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
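Review bot: Dropping `"/srv"` from the persisted directories means that on impermanence hosts anything written under `/srv` is lost at reboot unless a separate mount covers it, and this same change adds arion volumes under `/srv/docker/syncthing/...` and `/srv/docker/media-server/...`; confirm that every host importing this module has `/srv` (or `/srv/docker`) on persistent storage. Removing `"/run/secrets-for-users"` is sensible since sops-nix recreates it at activation, but a short comment in the list, `# /srv is provided by a dedicated mount on each host`, would record the assumption for the next reader.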


@ -0,0 +1,61 @@
{pkgs, configVars, ...}: let
subnetIp = configVars.networking.addresses.subnet.ip;
in {
networking.firewall = {
allowedTCPPorts = [631];
allowedUDPPorts = [631];
};
services = {
udev.packages = [pkgs.sane-airscan];
ipp-usb.enable = true;
saned = {
enable = true;
extraConfig = "${subnetIp}/24";
};
printing = {
enable = true;
drivers = [pkgs.hplip];
browsing = true;
defaultShared = true;
listenAddresses = ["*:631"];
allowFrom = ["all"];
extraConf = ''
DefaultPaperSize A4
'';
};
avahi = {
enable = true;
nssmdns = true;
openFirewall = true;
publish = {
enable = true;
userServices = true;
};
};
};
hardware = {
sane = {
enable = true;
extraBackends = [pkgs.sane-airscan pkgs.hplipWithPlugin];
openFirewall = true;
};
printers = {
ensurePrinters = [
{
name = "HP_Envy_6000";
location = "Home";
deviceUri = "usb://HP/ENVY%206000%20series?serial=TH0B93F08W&interface=1";
# deviceUri = "usb://Dell/1250c%20Color%20Printer?serial=YNP023240";
model = "HP/hp-deskjet_plus_6000_series.ppd.gz";
ppdOptions = {
PageSize = "A4";
};
}
];
ensureDefaultPrinter = "HP_Envy_6000";
};
};
}
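Review bot: `allowFrom = ["all"]` combined with `listenAddresses = ["*:631"]`, `defaultShared = true` and TCP/UDP 631 opened in the firewall makes the CUPS web interface and admin operations reachable from any address that can route to this host, whereas the scanner side in the same file is already limited to the LAN via `saned.extraConfig = "${subnetIp}/24"`. Use the same subnet for printing: `allowFrom = ["localhost" "${subnetIp}/24"];`. Avahi's `openFirewall = true` and `hardware.sane.openFirewall = true` already open the discovery ports, so the explicit 631 entries could carry a comment stating they are for the IPP print path specifically.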


@ -23,14 +23,15 @@ in {
enable = true; enable = true;
extraBackends = [pkgs.sane-airscan]; extraBackends = [pkgs.sane-airscan];
netConf = "${serverIp}"; netConf = "${serverIp}";
openFirewall = true;
}; };
printers = { printers = {
ensurePrinters = [ ensurePrinters = [
{ {
name = "HP_ENVY_6000"; name = "HP_ENVY_6000";
description = "Network printer hosted on bob"; description = "Network printer hosted on bob";
location = "bob"; location = "home";
deviceUri = "ipp://bob/printers/HP_ENVY_6000_series"; deviceUri = "ipp://${serverIp}/printers/HP_Envy_6000";
model = "everywhere"; model = "everywhere";
ppdOptions = { ppdOptions = {
PageSize = "A4"; PageSize = "A4";


@ -1,31 +1,31 @@
{ pkgs, inputs, config, lib, ... }: {
let pkgs,
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; inputs,
config,
lib,
...
}: let
username = "admin"; username = "admin";
pubKeys = lib.filesystem.listFilesRecursive (../keys); pubKeys = lib.filesystem.listFilesRecursive ../keys;
hostname = config.networking.hostName; hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path; sopsHashedPasswordFile = config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in {
in
{
users.users.${username} = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; # default shell shell = pkgs.zsh;
hashedPasswordFile = sopsHashedPasswordFile; hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ extraGroups = [
"wheel" "wheel"
] ++ ifTheyExist [
"docker"
"lxc"
"git"
"podman"
]; ];
};
packages = with pkgs; [ environment.persistence."/persist" = {
directories = [
"/home/${username}"
]; ];
}; };
@ -44,6 +44,9 @@ in
mode = "0644"; mode = "0644";
owner = "${username}"; owner = "${username}";
}; };
"github-access-token" = {
mode = "0655";
};
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
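Review bot: The new `"github-access-token"` secret is declared with `mode = "0655"`, which leaves the token world-readable (and marks it executable); a credential file should be `0400` or `0440` with an explicit owner, matching the neighbouring secret that sets `owner = "${username}"`: `"github-access-token" = { mode = "0400"; owner = username; };`. Removing the `lib.optionalString (lib.hasAttr "sops-nix" inputs)` guard on `sopsHashedPasswordFile` means this module now fails evaluation on any host without sops-nix, which is presumably intended now that every host imports it; a comment on that line would make the requirement explicit.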


@ -21,7 +21,6 @@ in {
extraGroups = [ extraGroups = [
"scanner" "scanner"
"lp" "lp"
"wheel"
]; ];
packages = with pkgs; [ packages = with pkgs; [
@ -31,22 +30,9 @@ in {
}; };
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true;
users.${username} = {
directories = [ directories = [
"Sync" "/home/${username}"
"Keep"
".ssh"
".config"
".mozilla"
".local"
".zotero"
".var"
".steam"
]; ];
files = [
];
};
}; };
sops.secrets = { sops.secrets = {


@ -133,6 +133,7 @@ in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ directories = [
"/home/${username}" "/home/${username}"
"/var/lib/tailscale"
]; ];
}; };


@ -1,21 +1,42 @@
{ inputs, ... }:
let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
encrypted = false; # currrently only applies to btrfs
impermanence = false;
user = "admin";
in
{ {
imports = inputs,
[ configVars,
# Create users for this host lib,
../common/users/${user} config,
outputs,
...
}: let
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
impermanence = true;
# Root disk configuration homeshareDataLocation = configVars.locations.homeshareDataLocation;
piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
in {
imports = [
# Create users for this host
../common/users/admin
# Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; }) (import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
@ -23,9 +44,27 @@ in
# Import optional options # Import optional options
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/docker ../common/optional/restic-backup.nix
../common/optional/docker/postgres.nix ../common/optional/docker.nix
../common/optional/nix-ld.nix
../common/optional/fileserver/nfs-server/homeshare.nix
../common/optional/print-server.nix
# Nixos containers
../common/optional/nixos-containers/docker.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/metrics-server.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = { boot = {
@ -36,17 +75,102 @@ in
}; };
}; };
fileSystems."/mnt/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
fileSystems."/mnt/btcnode" = {
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
fsType = "btrfs";
};
networking = { networking = {
hostName = "merlin"; hostName = "merlin";
networkmanager.enable = true; nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
defaultGateway = "${gatewayIp}";
useDHCP = false;
enableIPv6 = false; enableIPv6 = false;
bridges = {
br0 = {
interfaces = ["eth0"];
};
};
interfaces.br0 = {
ipv4.addresses = [
{
"address" = "${merlinIp}";
"prefixLength" = 24;
}
];
};
};
environment.persistence."/persist" = {
directories = [
"/etc/zpool"
"/var/lib/tailscale"
];
};
services.restic.backups = {
daily = {
paths = [
homeshareDataLocation
];
};
};
# Enable OpenGL
hardware.graphics = {
enable = true;
};
# enable tailscale
services.tailscale.useRoutingFeatures = "server";
services.tailscale.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
# Load nvidia driver
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = false;
reboot = true;
pushUpdates = true;
configDir = "/etc/nixos";
onCalendar = "*-*-* 03:00:00";
user = "admin";
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
}; };
boot.supportedFilesystems = ["zfs"]; boot.supportedFilesystems = ["zfs"];
boot.zfs.forceImportRoot = false; boot.zfs.forceImportRoot = false;
networking.hostId = "18aec5d7"; networking.hostId = "18aec5d7";
boot.zfs.extraPools = [ "zspeed" ]; boot.zfs.extraPools = ["deepzfs" "nvme-zpool"];
services.libinput.enable = true; services.libinput.enable = true;
} }
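Review bot: `../common/optional/nixos-containers/baseddata-worker.nix` appears twice in the new `imports` list; the module system deduplicates path imports so it evaluates, but the duplicate line should go. `system.services.nixosAutoUpgrade` is enabled with `reboot = true` at 03:00 on the machine that now hosts the NFS exports, the remote builder and every container, so an upgrade reboot takes the whole home infrastructure down nightly; a comment acknowledging that, or `reboot = false` with manual reboots, is worth considering. The `allowUnfreePredicate`/`hardware.nvidia` and node-exporter blocks are copied verbatim from the docker container module; a shared module would avoid drift.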


@ -4,9 +4,6 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];


@ -18,6 +18,7 @@
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
semitaIp = configVars.networking.addresses.semita.ip; semitaIp = configVars.networking.addresses.semita.ip;
in { in {
imports = [ imports = [
@ -48,37 +49,22 @@ in {
../common/optional/pipewire.nix ../common/optional/pipewire.nix
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/dwm.nix ../common/optional/dwm.nix
# ../common/optional/printing.nix ../common/optional/printing.nix
../common/optional/docker.nix ../common/optional/docker.nix
../common/optional/nix-ld.nix ../common/optional/nix-ld.nix
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
# nfs mounts ../common/optional/fileserver/nfs-client/media.nix
../common/optional/nfs-mounts/media.nix ../common/optional/fileserver/nfs-client/photos.nix
../common/optional/nfs-mounts/homeshare.nix ../common/optional/fileserver/nfs-client/personal.nix
../common/optional/nfs-mounts/photos.nix
# nixos-containers ../common/optional/distributed-builds/local-machine.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/docker.nix
# ../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/metrics-server.nix
# # Build nix derivations on remote machine
# ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
fileSystems."/mnt/main-ssd" = { services.tailscale.useRoutingFeatures = "server";
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
boot = { boot = {
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
@ -102,21 +88,12 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
system.services.nixosAutoUpgrade = { system.services.nixosAutoUpgrade = {
enable = true; enable = true;
persistent = true; persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false; reboot = false;
pushUpdates = true; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00"; onCalendar = "*-*-* 06:00:00";
user = "sam"; user = "sam";


@ -1,35 +1,19 @@
{ {
inputs,
config,
lib, lib,
configVars, configVars,
outputs, outputs,
pkgs,
... ...
}: let }: let
# Disko setup btrfsMountDevice = "/dev/root_vg/root";
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence merlinIp = configVars.networking.addresses.merlin.ip;
dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
# Create users for this host # Create users for this host
../common/users/media ../common/users/media
./hardware-configuration.nix
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence # Impermanence
(import ../common/disks/btrfs/impermanence.nix { (import ../common/disks/btrfs/impermanence.nix {
@ -44,21 +28,12 @@ in {
# Import optional options # Import optional options
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/persistence.nix ../common/optional/persistence.nix
../common/optional/nfs-mounts/media.nix ../common/optional/fileserver/nfs-client/media.nix
../common/optional/gaming.nix # ../common/optional/printing.nix
../common/optional/printing.nix ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
networking = { networking = {
hostName = "sparky"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
@ -66,30 +41,23 @@ in {
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"]; nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
}; };
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
# Add additional package names here
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.displayManager.defaultSession = "cinnamon"; services.displayManager.defaultSession = "cinnamon";
services.libinput.enable = true; services.libinput.enable = true;
system.services.nixosAutoUpgrade = { system.services.nixosAutoUpgrade = {
enable = true; enable = true;
persistent = true; persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false; reboot = false;
pushUpdates = false; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "*-*-* 07:00:00"; onCalendar = "*-*-* 06:00:00";
user = "media"; user = "root";
}; };
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = ["nvidia"]; videoDrivers = ["modesetting"];
displayManager.lightdm.enable = true; displayManager.lightdm.enable = true;
exportConfiguration = true; exportConfiguration = true;
deviceSection = '' deviceSection = ''
@ -99,19 +67,4 @@ in {
}; };
}; };
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport32Bit = true;
};
# Load nvidia driver
hardware.nvidia = {
# https://nixos.wiki/wiki/Nvidia
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
} }
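Review bot: The new `remote = "remotebuild@${merlinIp}"` together with `user = "root"` and `onCalendar = "*-*-* 06:00:00"` means this host will open a build session to merlin at exactly the same minute as semita, whose section above sets the same remote and the same 06:00:00 calendar; if the builder is a single machine, the two upgrades will contend for it, so one of them should be staggered, e.g. `onCalendar = "*-*-* 06:30:00";` (constructed value). The distributed-builds import on the same hunk presumably provisions root's SSH identity and known_hosts entry for `remotebuild@merlin`; since the remote builder's store paths end up trusted by this host, a one-line comment next to `remote = …` naming where that trust (key and builder entry) is configured would help the next reader. The `./hardware-configuration.nix` row carries no side marker on this page, so whether the disk layout now comes from that file or still from disko is inferred rather than visible here.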


@ -1,24 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config { config, lib, pkgs, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking fileSystems."/" =
# (the default) this is the recommended approach. When using systemd-networkd it's { device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
# still possible to use this option, but it's recommended to use it in conjunction fsType = "btrfs";
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. options = [ "subvol=root" ];
networking.useDHCP = lib.mkDefault true; };
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3DC4-7CCE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 2 * 1024;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Add hardware support for intel gpus as specified here: https://nixos.wiki/wiki/Jellyfin
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
# only available on unstable
unstable.vpl-gpu-rt
intel-media-sdk
];
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
} }
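Review bot: The "Do not modify this file! It was generated by nixos-generate-config" header is dropped, but nothing marks the file as hand-maintained now that it also carries the graphics, packageOverrides and boot-loader settings that used to live in the host configuration; a future `nixos-generate-config` run would silently overwrite all of it. Suggest opening the file with `# Hand-maintained hardware configuration for sparky; not generated, do not regenerate over it.` The `unstable.vpl-gpu-rt` entry inside `with pkgs;` depends on an `unstable` attribute that an overlay must provide and that is not visible in this diff, so the existing `# only available on unstable` comment should say where that attribute comes from, e.g. `# from the unstable overlay in <overlay path>` (placeholder).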


@ -25,6 +25,11 @@ in
description = "Automatically reboots the system if there is a kernel or systemd update."; description = "Automatically reboots the system if there is a kernel or systemd update.";
default = false; default = false;
}; };
remote = lib.mkOption {
type = lib.types.str;
description = "Attempts build on remote host <user@host>.";
default = "";
};
onCalendar = lib.mkOption { onCalendar = lib.mkOption {
default = "daily"; default = "daily";
type = lib.types.str; type = lib.types.str;
@ -72,11 +77,12 @@ in
unitConfig.RequiresMountsFor = cfg.configDir; unitConfig.RequiresMountsFor = cfg.configDir;
script = lib.strings.concatStrings [ script = lib.strings.concatStrings [
"${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} " "${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
(lib.mkIf (cfg.configDir != "") "--flake ${cfg.configDir} ").content (if cfg.configDir != "" then "--flake ${cfg.configDir} " else "")
(lib.mkIf (cfg.user != "") "--user ${cfg.user} ").content (if cfg.user != "" then "--user ${cfg.user} " else "")
(lib.mkIf (cfg.pushUpdates) "--update ").content (if cfg.pushUpdates then "--update " else "")
(lib.mkIf (cfg.reboot) "--reboot ").content (if cfg.reboot then "--reboot " else "")
(lib.mkIf (cfg.extraFlags != "") cfg.extraFlags).content (if cfg.remote != "" then "--build-host ${cfg.remote} " else "")
cfg.extraFlags
]; ];
}; };
timers."nixos-upgrade" = { timers."nixos-upgrade" = {
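Review bot: `cfg.remote` is spliced verbatim into the service's shell script in `"--build-host ${cfg.remote} "`, with no quoting, so any whitespace or shell metacharacter in the option value changes the command line rather than the argument; the same applies to the `configDir` and `user` interpolations rewritten in this hunk. Since the value is operator-controlled the risk is low, but the idiomatic form is `(if cfg.remote != "" then "--build-host ${lib.escapeShellArg cfg.remote} " else "")`, and the same wrapper for `cfg.configDir` and `cfg.user`. The option description could also state the contract: `description = "Build on this remote host (passed verbatim as --build-host <user@host>); empty disables remote builds.";`. The enclosing module body starts and ends outside this hunk.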


@ -40,41 +40,48 @@ trap cleanup EXIT
# Create the directory for target host keys # Create the directory for target host keys
install -d -m755 "$temp$persist/etc/ssh" install -d -m755 "$temp$persist/etc/ssh"
# Create ssh keys # Extract ssh keys from secrets
echo "Creating '$hostname' ssh keys" echo "Extracting ssh keys"
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key
ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
# Extract luks key from secrets # # Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") # luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key # echo "$luks_secret" > /tmp/luks_secret.key
# Generate age key from target host and user public ssh key # # Create ssh keys
echo "Generating age key from target host and user ssh key" # echo "Creating '$hostname' ssh keys"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") # ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # # Generate age key from target host and user public ssh key
SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" # echo "Generating age key from target host and user ssh key"
sed -i "{ # HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
# Remove any * and & entries for this host # echo -e "Host age key:\n$HOST_AGE_KEY\n"
/[*&]$hostname/ d;
# Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# Inject a new hosts: entry
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" "$SOPS_FILE"
# Commit and push changes to sops file # # Update .sops.yaml with new age key:
just update-sops-secrets && just update-flake-secrets && just update-flake # SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
# sed -i "{
# # Remove any * and & entries for this host
# /[*&]$hostname/ d;
# # Inject a new age: entry
# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# # Inject a new hosts: entry
# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
# }" "$SOPS_FILE"
# # Commit and push changes to sops file
# just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target # Copy current nix config over to target
echo "copying current nix config to host" echo "copying current nix config to host"
cp -pr . "$temp$persist/etc/nixos" cp -pr . "$temp$persist/etc/nixos"
# Install Nixos to target # Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.6.0 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 echo $?
## Delete keys from local known_hosts ## Delete keys from local known_hosts
echo "Deleting host from known_hosts" echo "Deleting host from known_hosts"
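Review bot: `echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key` writes the decrypted host private key with whatever mode the caller's umask yields and through an unquoted path, whereas the `ssh-keygen` call it replaces created the file mode 0600; the key is then shipped via `--extra-files`, so the loose mode travels with it. Suggest `(umask 077; printf '%s\n' "$ssh_private_key" > "$temp$persist/etc/ssh/ssh_host_ed25519_key")` and `printf '%s\n' "$ssh_pub_key" > "$temp$persist/etc/ssh/ssh_host_ed25519_key.pub"`. Separately, the `[ $? != 0 ] && echo "Error installing Nixos" && exit 1` check after the nixos-anywhere run became a bare `echo $?`, so a failed install no longer aborts and the script goes on to delete the host from known_hosts; restore the check, `[ $? != 0 ] && echo "Error installing Nixos" && exit 1`. The script's remaining steps continue outside this hunk.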


@ -3,19 +3,22 @@
inherit (inputs.nix-secrets) inherit (inputs.nix-secrets)
networking networking
email email
metrics-server
; ;
locations = { locations = {
mediaDataMountPoint = "/media/media"; mediaDataMountPoint = "/media/media";
photosDataMountPoint = "/media/photos"; photosDataMountPoint = "/media/photos";
personalDataMountPoint = "/media/personal";
homeshareDataLocation = "/mnt/main-ssd/homeshare";
metricsServerContainerData = "/mnt/main-ssd/metrics-server"; metricsServerContainerData = "/mnt/main-ssd/metrics-server";
dockerContainerData = "/mnt/main-ssd/docker"; dockerContainerData = "/mnt/main-ssd/docker";
piholeContainerData = "/mnt/main-ssd/docker/pihole"; piholeContainerData = "/mnt/main-ssd/docker/pihole";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
backupContainerData = "/mnt/main-ssd/backup";
postgresContainerData = "/mnt/main-ssd/postgresql";
semitamapsData = "/mnt/main-ssd/semitamaps-data";
baseddataData = "/mnt/main-ssd/baseddata-data"; baseddataData = "/mnt/main-ssd/baseddata-data";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
bitcoindData = "/mnt/btcnode/bitcoind";
backupContainerData = "/mnt/deepzfs/backup";
postgresContainerData = "/mnt/nvme-zpool/postgresql";
semitamapsData = "/mnt/nvme-zpool/semitamaps-data";
}; };
} }