Commit cc310059 authored by Marc 'risson' Schmitt's avatar Marc 'risson' Schmitt

Introduce lama-corp NixOS module

parent ab0bbe5a
Pipeline #156078297 failed with stage
in 74 minutes and 37 seconds
......@@ -5,9 +5,11 @@
/default.nix @risson
/shell.nix @risson
/data/ @risson
/scripts/ @risson
/rfcs/ @risson @diego
/data/ @risson @diego
/hosts/cuckoo/ @risson
/hosts/giraffe/ @risson
/hosts/hedgehog/ @risson
/hosts/kvm-1/ @risson @diego
......@@ -20,13 +22,10 @@
/hosts/web-1/ @risson @ddorn
/hosts/web-2/ @risson @ddorn
/modules/* @risson @ddorn
/modules/nixos/ @risson @ddorn
/modules/risson/ @risson
/modules/diego/ @ddorn
/modules/home/* @risson @ddorn
/modules/home/default/ @risson @ddorn
/modules/home/server/ @risson @ddorn
/modules/home/workstation/ @risson @ddorn
/modules/home/risson/ @risson
/modules/home/diego/ @ddorn
/deploy/bar.nix @risson
/deploy/fsn.nix @risson @ddorn
/deploy/primaries.nix @risson @ddorn
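Review bot: `/data/` appears twice in this section, once as `/data/ @risson` and once as `/data/ @risson @diego`; in CODEOWNERS the last matching pattern wins, so if both lines survive on the new side the earlier one is dead and it is not obvious which owner set is meant to review the SSH keys and addresses kept under `data`. The rendered page does not show which of the two is the added line, so I cannot tell whether this is a leftover or a replacement; keep a single entry with the intended owners, e.g. `/data/ @risson @diego`, and drop the other.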
# dotshabka
Shabka configuration files
Directory layout:
* `data`: static data such as IP addresses, SSH keys, etc.;
* `deploy`: deployments files for `morph`;
* `hosts`: configuration for each host;
* `modules`: custom NixOS/home-manager modules;
* `rfcs`: see [rfcs/README.md];
let
defaultDeployment = { config }: {
secrets = {
"borg/nas-system.ssh.key" = {
source = "../secrets/hosts/${config.networking.hostName}/borg/nas-system.ssh.key";
destination = "/srv/secrets/borg/nas-system.ssh.key";
"borg/system.ssh.key" = {
source = "../secrets/hosts/${config.networking.hostName}/borg/system.ssh.key";
destination = "/srv/secrets/borg/system.ssh.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
......
......@@ -23,9 +23,9 @@ in with import <dotshabka/data/space.lama-corp> {}; {
"giraffe.srv.nbg.lama-corp.space" = with nbg.srv.giraffe; { config, ... }: {
deployment = defaultDeployment { inherit config wg; } // {
secrets = {
"borg/nas-system.ssh.key" = {
source = "../secrets/hosts/${config.networking.hostName}/borg/nas-system.ssh.key";
destination = "/srv/secrets/borg/nas-system.ssh.key";
"borg/system.ssh.key" = {
source = "../secrets/hosts/${config.networking.hostName}/borg/system.ssh.key";
destination = "/srv/secrets/borg/system.ssh.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
......
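Review bot: The `//` in `deployment = defaultDeployment { inherit config wg; } // {` is a shallow update, so the `secrets` set given here replaces the whole `secrets` set that `defaultDeployment` builds (first hunk) instead of extending it; any entry the default adds and this override does not repeat is silently not deployed to giraffe, and the one entry visible here, `borg/system.ssh.key`, is just a copy of the default, which suggests the override exists only to work around that. If host-specific secrets are meant to be added on top of the defaults, merge recursively, e.g. `deployment = lib.recursiveUpdate (defaultDeployment { inherit config wg; }) { secrets = { … }; };`, and drop the duplicated entry; the override continues past the hunk, so I cannot see what else it carries. Separately, if the `defaultDeployment` called here is the one defined at the top of this file, its argument pattern is `{ config }:` while the call passes `wg` as well, which Nix rejects as an unexpected argument — that may be why the pipeline failed; either extend the pattern to `{ config, wg }:` or stop passing `wg`.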
......@@ -4,16 +4,15 @@ with lib;
{
imports = [
<shabka/modules/nixos>
<dotshabka/modules/nixos>
<dotshabka/modules/nixos/server>
./hardware-configuration.nix
./networking.nix
] ++ (optionals (builtins.pathExists "${<dotshabka>}/secrets")
(singleton "${<dotshabka>}/secrets"));
lama-corp.profiles.server.enable = true;
shabka.workstation.sound.enable = true;
hardware.pulseaudio = {
......
......@@ -6,6 +6,7 @@ with import <dotshabka/data/space.lama-corp/bar/srv/cuckoo> { };
networking = {
hostName = "cuckoo"; # Define your hostname.
domain = "srv.bar.lama-corp.space";
hostId = "448ab20b";
bridges = {
"${internal.interface}" = {
......
......@@ -4,18 +4,34 @@ with lib;
{
imports = [
<shabka/modules/nixos>
<dotshabka/modules/nixos>
<dotshabka/modules/nixos/server>
./hardware-configuration.nix
./networking
./monitoring
./backups.nix
] ++ (optionals (builtins.pathExists "${<dotshabka>}/secrets")
(singleton "${<dotshabka>}/secrets"));
lama-corp = {
profiles = {
primary.enable = true;
vm = {
enable = true;
vmType = "hetzner";
};
};
common.backups.startAt = "*-*-* *:33:53 UTC";
luks.enable = true;
unbound.enable = mkForce false;
};
# No users needed as we have a console access to this host
shabka.users.enable = mkForce false;
services.zfs.autoSnapshot.enable = mkForce false;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
......
......@@ -4,40 +4,20 @@ with lib;
let bootHostSshKeyPath = ../../secrets/hosts/giraffe/boot/host-ssh.key;
in {
warnings = (optional (!(builtins.pathExists bootHostSshKeyPath)) "${
/*warnings = (optional (!(builtins.pathExists bootHostSshKeyPath)) "${
toString bootHostSshKeyPath
} does not exists. You will not be able to decrypt the disks through SSH after a reboot.");
} does not exists. You will not be able to decrypt the disks through SSH after a reboot.");*/
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.initrd.availableKernelModules = [
"ata_piix"
"virtio_pci"
"xhci_pci"
"sd_mod"
"sr_mod"
"aes_x86_64"
"aesni_intel"
"cryptd"
imports = [
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [ "elevator=none" ];
boot.initrd.postDeviceCommands = mkAfter ''
zfs rollback -r rpool/local/root@blank
'';
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
enableCryptodisk = true;
zfsSupport = true;
};
boot.initrd.luks.devices = {
......@@ -48,7 +28,7 @@ in {
};
};
boot.initrd.network = mkIf (builtins.pathExists bootHostSshKeyPath) {
/*boot.initrd.network = mkIf (builtins.pathExists bootHostSshKeyPath) {
enable = true;
ssh = {
enable = true;
......@@ -59,12 +39,7 @@ in {
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
services.zfs.autoScrub = {
enable = true;
interval = "*-*-24 05:24:14 UTC";
};
};*/
fileSystems = {
"/" = {
......@@ -97,8 +72,4 @@ in {
[{ device = "/dev/disk/by-uuid/dd184cf2-21db-486b-a810-37991b6586eb"; }];
nix.maxJobs = 1;
powerManagement = mkIf config.shabka.workstation.power.enable {
cpuFreqGovernor = "performance";
};
}
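Review bot: The initrd SSH unlock and its missing-key `warnings` are commented out with `/* … */` rather than removed, while `bootHostSshKeyPath` is still bound in the `let` at the top of the file and `echo 'cryptsetup-askpass' >> /root/.profile` survives inside the dead block; commented-out code is easy to resurrect by accident and the dangling binding makes the removal look half-finished. If remote unlock now comes from the `lama-corp.luks` module that this host's `default.nix` enables, delete both commented blocks and the `let`; if it was dropped on purpose, state that in a comment, because with LUKS still enabled the disks can then only be unlocked after a reboot from the provider console. kvm-1's hardware-configuration in this same commit keeps its `warnings` for the equivalent key, so the two hosts now behave differently for no visible reason. `services.zfs.autoScrub` also disappears from this file — presumably into the module, which I cannot see; if not, scrubbing is silently lost.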
{ ... }:
{
imports = [ ./netdata ./influxdb.nix ./grafana ];
imports = [ ./influxdb.nix ./grafana ];
}
{ config, lib, pkgs, ... }:
with lib;
{
services.netdata.config = {
backend = {
enabled = "yes";
type = "opentsdb";
destination = "giraffe.srv.nbg.lama-corp.space:20042";
};
};
environment.etc = mkIf config.services.netdata.enable {
"netdata/go.d.conf".text = ''
modules:
httpcheck: yes
'';
"netdata/go.d/httpcheck.conf".text =
builtins.readFile ./go.d/httpcheck.conf;
"netdata/go.d/portcheck.conf".text =
builtins.readFile ./go.d/portcheck.conf;
"netdata/go.d/x509check.conf".text =
builtins.readFile ./go.d/x509check.conf;
"netdata/python.d.conf".text = ''
example: no
httpcheck: no
logind: yes
'';
"netdata/health_alarm_notify.conf".text = ''
sendmail="${pkgs.system-sendmail}/bin/sendmail"
curl="${pkgs.curl}/bin/curl"
SEND_EMAIL="YES"
DEFAULT_RECIPIENT_EMAIL="root@lama-corp.ovh"
'';
};
}
......@@ -10,9 +10,7 @@ let
}) {};
in {
imports = [
<shabka/modules/nixos>
<dotshabka/modules/nixos>
<dotshabka/modules/nixos/workstation>
./hardware-configuration.nix
./networking
......@@ -22,13 +20,23 @@ in {
] ++ (optionals (builtins.pathExists "${<dotshabka>}/secrets")
(singleton "${<dotshabka>}/secrets"));
lama-corp = {
common.keyboard.enable = mkForce false;
profiles.workstation = {
enable = true;
isLaptop = true;
primaryUser = "risson";
};
luks.enable = true;
};
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
nix.package = nixpkgs-flakes.nixFlakes;
shabka.keyboard = {
layouts = [ "bepo" "qwerty_intl" ];
layouts = mkForce [ "bepo" "qwerty_intl" ];
enableAtBoot = mkForce false;
};
......@@ -44,9 +52,9 @@ in {
hardware.pulseaudio.zeroconf.discovery.enable = true;
users.users.root = {
hashedPassword =
hashedPassword = mkForce
"$6$qVi/b8BggEoVLgu$V0Mcqu73FWm3djDT4JwflTgK6iMxgxtFBs2m2R.zg1RukAXIcplI.MddMS5SNEhwAThoKCsFQG7D6Q2pXFohr0";
openssh.authorizedKeys.keys = config.shabka.users.users.risson.sshKeys;
openssh.authorizedKeys.keys = mkForce config.shabka.users.users.risson.sshKeys;
};
shabka.users = with import <dotshabka/data/users> { }; {
......
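Review bot: `hashedPassword = mkForce "$6$…"` keeps a root password hash in the repository and now forces it over whatever the new `lama-corp.profiles.workstation` sets for root, and `openssh.authorizedKeys.keys = mkForce config.shabka.users.users.risson.sshKeys` likewise forces direct root SSH login with a user's whole key set; the `mkForce` implies the profile wanted something else for root, so the override deserves a comment saying why root must stay reachable on this laptop. This page is publicly viewable, so the hash is available for offline cracking; the file already wires in a secrets tree conditionally (`optionals (builtins.pathExists "${<dotshabka>}/secrets")`), and the hash belongs there, e.g. `users.users.root.passwordFile = "/srv/secrets/root/password";` with the file delivered the same way the borg keys are. If the hash has ever been committed it should also be rotated, since removing it from a later revision does not remove it from history.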
......@@ -13,25 +13,24 @@ with lib;
"${shabka.external.nixos-hardware.path}/lenovo/thinkpad/t495"
];
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "aes_x86_64" "aesni_amd" "cryptd" ];
boot.initrd.kernelModules = [ ];
boot.initrd.availableKernelModules = [
"nvme"
"ehci_pci"
"xhci_pci"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [ "elevator=none" ];
boot.initrd.postDeviceCommands = mkAfter ''
zfs rollback -r rpool/local/root@blank
'';
boot.loader.grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
zfsSupport = true;
extraInitrd = /boot/initramfs.keys.gz;
};
boot.loader.efi = {
......
......@@ -7,21 +7,14 @@
{
imports = [
<shabka/modules/home>
<dotshabka/modules/home>
<dotshabka/modules/home/workstation>
<dotshabka/modules/home/risson>
<dotshabka/modules/home/risson/workstation>
<dotshabka/modules/risson>
./mail.nix
];
shabka.nixosConfig = nixosConfig;
lama-corp.graphical = true;
/*home.file.".gnupg/scdaemon.conf".text = ''
reader-port Yubico YubiKey
disable-ccid
card-timeout 5
'';*/
shabka.nixosConfig = nixosConfig;
shabka.keyboard.layouts = [ "bepo" "qwerty_intl" ];
home.keyboard.options = [ "grp:alt_caps_toggle" "caps:swapescape" ];
......
......@@ -5,39 +5,16 @@ with lib;
{
services.borgbackup = {
jobs = {
"nas-system" = {
repo = "ssh://borg@nas.srv.bar.lama-corp.space/./backups/system";
compression = "zlib,1";
encryption.mode = "none";
environment.BORG_RSH =
"ssh -i /srv/secrets/root/backups/borg-nas-backups-system.ssh.key";
"system" = {
paths = [
"/srv"
"/var/db"
"/var/lib"
"/var/log"
];
exclude = [
"/srv/http/thefractal.space/imgs/*" # they can get recreated
"/srv/vm/*" # VMs backup themselves
"/var/lib/docker/*" # Don't care
];
startAt = "*-*-* *:44:30 UTC";
prune = {
keep = {
within = "1d";
daily = 7;
weekly = 4;
monthly = 12;
};
};
extraCreateArgs = "--stats --progress --checkpoint-interval 600";
extraPruneArgs = "--stats --save-space --list --progress";
};
"nas-homes" = {
......
......@@ -2,14 +2,9 @@
with lib;
let
shabka = import <shabka> { };
dotshabka = import <dotshabka> { };
in {
{
imports = [
<shabka/modules/nixos>
<dotshabka/modules/nixos>
<dotshabka/modules/nixos/server>
./hardware-configuration.nix
./networking
......@@ -21,6 +16,15 @@ in {
] ++ (optionals (builtins.pathExists "${<dotshabka>}/secrets")
(singleton "${<dotshabka>}/secrets"));
lama-corp = {
profiles = {
primary.enable = true;
};
luks.enable = true;
common.backups.startAt = "*-*-* *:44:30 UTC";
};
shabka.virtualisation.docker.enable = true;
# This value determines the NixOS release with which your system is to be
......
......@@ -8,20 +8,13 @@ in {
toString bootHostSshKeyPath
} does not exists. You will not be able to decrypt the disks through SSH after a reboot.");
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.initrd.availableKernelModules = [ "ahci" "igb" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub = {
enable = true;
version = 2;
copyKernels = true;
efiSupport = false;
enableCryptodisk = true;
devices = [ "/dev/sda" "/dev/sdb" ];
};
......@@ -143,4 +136,5 @@ in {
];
nix.maxJobs = mkDefault 12;
hardware.enableRedistributableFirmware = true;
}
......@@ -7,15 +7,11 @@
{
imports = [
<shabka/modules/home>
<dotshabka/modules/home>
<dotshabka/modules/home/server>
] ++ (optionals (userName == "risson") [
<dotshabka/modules/home/risson>
<dotshabka/modules/home/risson/server>
<dotshabka/modules/risson>
./risson.nix
]) ++ (optionals (userName == "diego") [
<dotshabka/modules/home/diego>
<dotshabka/modules/home/diego/server>
<dotshabka/modules/diego>
./diego.nix
]);
......
{ ... }:
{
imports = [ ./netdata ./logrotate.nix ./smartd.nix ];
imports = [ ./logrotate.nix ./smartd.nix ];
}
{ config, lib, pkgs, ... }:
with lib;
{
environment.etc = mkIf config.services.netdata.enable {
"netdata/go.d/unbound.conf".text = builtins.readFile ./go.d/unbound.conf;
"netdata/python.d.conf".text = ''
example: no
logind: yes
'';
};
}
......@@ -20,6 +20,7 @@ with srv.kvm-1; {
networking = {
hostName = "kvm-1";
domain = "srv.fsn.lama-corp.space";
hostId = "007f0101";
nameservers = with import <dotshabka/data> { };
[ "127.0.0.1" "::1" ] ++ externalNameservers;
......