reo101/rix101
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(jeeves)!: add config

Browse source 
Automatic disk partitioning using `disko`
Automatic secrets management using `agenix`
Automatic deployment using `deploy-rs`
This commit is contained in:
reo101 2023-10-16 21:42:10 +03:00
parent 64950f00f3
commit 8f17e5849a
Signed by: reo101
GPG key ID: 675AA7EF13964ACB
12 changed files with 869 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

122
machines/nixos/x86_64-linux/jeeves/configuration.nix Normal file
View file

@ -0,0 +1,122 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
(import ./disko.nix { inherit inputs outputs; })
inputs.agenix.nixosModules.default
./network.nix
];
nixpkgs = {
hostPlatform = "x86_64-linux";
config = {
allowUnfree = true;
};
overlays = [
];
};
networking.hostName = "jeeves";
boot = {
loader.systemd-boot.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
initrd.availableKernelModules = [
"nvme"
];
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nix = {
registry =
lib.mapAttrs
(_: value: {
flake = value;
})
inputs;
nixPath =
lib.mapAttrsToList
(key: value:
"${key}=${value.to.path}")
config.nix.registry;
settings = {
experimental-features = "nix-command flakes";
auto-optimise-store = true;
};
};
programs.zsh.enable = true;
environment.systemPackages = with pkgs; [
git
neovim
];
# NOTE: made with `mkpasswd -m sha-516`
age.secrets."home/jeeves_password".file = ../../../../secrets/home/jeeves_password.age;
users = {
mutableUsers = true;
users = {
jeeves = {
isNormalUser = true;
shell = pkgs.zsh;
passwordFile = config.age.secrets."home/jeeves_password".path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"
];
extraGroups = [
"wheel"
"networkmanager"
"audio"
"docker"
];
};
};
};
# reo101.jellyfin = {
# enable = true;
# image = "docker.io/jellyfin/jellyfin:latest";
# volumes = [
# "/var/cache/jellyfin/config:/config"
# "/var/cache/jellyfin/cache:/cache"
# "/var/log/jellyfin:/log"
# "/data/media/jellyfin:/media:ro"
# ];
# ports = [
# "8096:8096"
# ];
# };
security.sudo.extraRules= [
{
users = [
"jeeves"
];
commands = [
{
command = "ALL" ;
options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
}
];
}
];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
boot.plymouth = {
enable = true;
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.05";
}

42
machines/nixos/x86_64-linux/jeeves/deploy.nix Normal file
View file

@ -0,0 +1,42 @@
{
# This is the hostname by which you'll refer to this machine using reploy-rs
hostname = "jeeves.reo101.xyz";
# This is the user that deploy-rs will use when connecting.
# This will default to your own username if not specified anywhere
sshUser = "jeeves";
# This is the user that the profile will be deployed to (will use sudo if not the same as above).
# If `sshUser` is specified, this will be the default (though it will _not_ default to your own username)
user = "root";
# Which sudo command to use. Must accept at least two arguments:
# the user name to execute commands as and the rest is the command to execute
# This will default to "sudo -u" if not specified anywhere.
sudo = "sudo -u";
# This is an optional list of arguments that will be passed to SSH.
sshOpts = [ "-p" "727" ];
# Fast connection to the node. If this is true, copy the whole closure instead of letting the node substitute.
# This defaults to `false`
fastConnection = false;
# If the previous profile should be re-activated if activation fails.
# This defaults to `true`
autoRollback = true;
# See the earlier section about Magic Rollback for more information.
# This defaults to `true`
magicRollback = true;
# The path which deploy-rs will use for temporary files, this is currently only used by `magicRollback` to create an inotify watcher in for confirmations
# If not specified, this will default to `/tmp`
# (if `magicRollback` is in use, this _must_ be writable by `user`)
tempPath = "/tmp";
# Build the derivation on the target system
# Will also fetch all external dependencies from the target system's substituters.
# This default to `false`
remoteBuild = true;
}

200
machines/nixos/x86_64-linux/jeeves/disko.nix Normal file
View file

@ -0,0 +1,200 @@
{ inputs, outputs, ... }:
{ lib, pkgs, config, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
environment.systemPackages = with pkgs; [
# `statfs` for btrfs commands
gocryptfs
];
# If on installer
disko.enableConfig = true;
# `head -c 8 /etc/machine-id`
networking.hostId = "1418566e";
# NOTE: needed for mounting `/key` (for LUKS)
boot.initrd.kernelModules = [
"uas"
"ext4"
];
# HACK: for troubleshooting
# see https://github.com/NixOS/nixpkgs/blob/9d6655c6222211adada5eeec4a91cb255b50dcb6/nixos/modules/system/boot/stage-1-init.sh#L45-L49
boot.initrd.preFailCommands = ''
export allowShell=1
'';
# NOTE: doesn't get mounted early enough, see below
# fileSystems."/key" = {
# device = "/dev/disk/by-partlabel/key";
# fsType = "ext4";
# neededForBoot = true;
# };
disko = {
devices = {
disk = {
# NOTE: we could do this to setup a usb for the keys
# but disko overrides it with no option of ignoring when partitioning
# (i.e. tell disko to only use this only for decalartion)
# key = {
# type = "disk";
# device = "/dev/disk/by-id/usb-USB2.0_Flash_Disk_1000000000001D8B-0";
# content = {
# type = "gpt";
# partitions = {
# key = {
# label = "key";
# size = "100%";
# content = {
# type = "filesystem";
# format = "ext4";
# mountpoint = "/key";
# };
# };
# };
# };
# };
ssd1 = {
type = "disk";
device = "/dev/disk/by-id/nvme-eui.e8238fa6bf530001001b448b4ebde3a6";
content = {
type = "gpt";
partitions = {
boot = {
label = "boot_mbr";
size = "1M";
type = "EF02"; # for grub MBR
priority = 1;
};
ESP = {
label = "boot";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
priority = 2;
};
root = {
label = "root";
size = "100%";
content = {
type = "luks";
name = "root";
extraOpenArgs = [ ];
settings = {
keyFile = "/key/root";
# HACK: we need to manually wait for and mount the partition containing the keys
preOpenCommands = ''
# Prepare (kernel modules and directory for mounting)
modprobe uas
modprobe ext4
mkdir -m "0755" -p "/key"
# Loop until mounted (+ initial wait)
sleep 5
until mount -n -t "ext4" -o "ro" "/dev/disk/by-partlabel/key" "/key" 2>&1 1>/dev/null; do
echo 'Could not find a partition with label `key` (at `/dev/disk/by-partlabel/key`), retrying...'
sleep 2
done
'';
};
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
"/root" = {
mountpoint = "/";
};
};
};
};
priority = 3;
};
};
};
};
hdd1 = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYJB5TUM";
content = {
type = "gpt";
partitions = {
mdadm = {
label = "hdd1";
size = "100%";
content = {
type = "mdraid";
name = "tank";
};
};
};
};
};
hdd2 = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYHZTWSM";
content = {
type = "gpt";
partitions = {
mdadm = {
label = "hdd2";
size = "100%";
content = {
type = "mdraid";
name = "tank";
};
};
};
};
};
};
mdadm = {
tank = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "tank";
extraOpenArgs = [ "--allow-discards" ];
settings.keyFile = "/key/tank";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
"/home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/data" = {
mountpoint = "/data";
mountOptions = [
"compress=zstd"
];
};
"/data/media" = { };
"/data/media/jellyfin" = { };
};
};
};
};
};
};
};
}

69
machines/nixos/x86_64-linux/jeeves/home/jeeves.nix Normal file
View file

@ -0,0 +1,69 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
inputs.wired.homeManagerModules.default
];
nixpkgs = {
overlays = builtins.attrValues outputs.overlays;
config.allowUnfree = true;
};
home = {
username = "jeeves";
homeDirectory = "/home/jeeves";
stateVersion = "23.05";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
home.packages = with pkgs; [
## Core
neovim
git
gnupg
pciutils # lspci
usbutils # lsusb
## Shell
# zsh
# starship
# zoxide
ripgrep
## Nix
direnv
## Torrents
tremc
## Rust
rustc
cargo
rust-analyzer
clang
openssl
pkg-config
];
reo101 = {
shell = {
enable = true;
direnv = true;
zoxide = true;
shells = [
"zsh"
"nushell"
];
};
};
home.file = {
".config/nvim" = {
source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/.local/src/reovim";
};
};
}

47
machines/nixos/x86_64-linux/jeeves/network.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
];
# Networking
age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
networking.wireless = {
iwd.enable = true;
environmentFile = config.age.secrets."home/wifi.env".path;
networks = {
home = {
ssid = "@HOME_WIFI_SSID@";
psk = "@HOME_WIFI_PSK@";
};
};
};
systemd.network = {
enable = true;
wait-online = {
enable = false;
anyInterface = true;
ignoredInterfaces = [
"eth0"
];
};
networks."10-eth0" = {
matchConfig.Name = "eth0";
networkConfig.DHCP = "yes";
};
links."10-eth0" = {
matchConfig.PermanentMACAddress = "04:7c:16:80:3c:2c";
linkConfig.Name = "eth0"; # "enp8s0";
};
networks."15-wan0" = {
matchConfig.Name = "wan0";
networkConfig.DHCP = "yes";
};
links."15-wan0" = {
matchConfig.PermanentMACAddress = "bc:f4:d4:40:5c:ed";
linkConfig.Name = "wan0"; # "wlp15s0";
};
};
}