From 0780cdefc8bbec9561b1390520c55e098c3d3923 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 15 May 2024 11:01:15 +0200
Subject: [PATCH 1/2] fujitsu: init
---
 flake.lock | 6 +--
 flake.nix | 14 ++++++
 hosts/fujitsu/default.nix | 56 ++++++++++++++++++++++++
 hosts/fujitsu/hardware-configuration.nix | 47 ++++++++++++++++++++
 hosts/iso/default.nix | 1 +
 hosts/nuc/hardware-configuration.nix | 56 +++++++++++-------------
 hosts/vm/hardware-configuration.nix | 13 +++---
 shared/systemd.nix | 3 +-
 users/rouven/modules/packages.nix | 3 +-
 9 files changed, 156 insertions(+), 43 deletions(-)
 create mode 100644 hosts/fujitsu/default.nix
 create mode 100644 hosts/fujitsu/hardware-configuration.nix
diff --git a/flake.lock b/flake.lock
index a9c3792..b91ba33 100644
--- a/flake.lock
+++ b/flake.lock
@@ -332,11 +332,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1715447595,
- "narHash": "sha256-VsVAUQOj/cS1LCOmMjAGeRksXIAdPnFIjCQ0XLkCsT0=",
+ "lastModified": 1715534503,
+ "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "062ca2a9370a27a35c524dc82d540e6e9824b652",
+ "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 1a30099..22d4107 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,6 +119,20 @@
 }
 ];
 };
+ fujitsu = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [
+ nix-index-database.nixosModules.nix-index
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ ./hosts/fujitsu
+ ./shared
+ {
+ nixpkgs.overlays = [ self.overlays.default ];
+ }
+ ];
+ };
 falkenstein = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = attrs;
diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix
new file mode 100644
index 0000000..2d9820f
--- /dev/null
+++ b/hosts/fujitsu/default.nix
@@ -0,0 +1,56 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+ services.btrfs.autoScrub.enable = true;
+
+ # TODO move to netwurking
+ networking.hostName = "fujitsu"; # Define your hostname.
+
+ time.timeZone = "Europe/Berlin";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "dvorak";
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop-vim
+ helix
+ lsof
+ btdu
+ tcpdump
+ mtr
+ ];
+ programs.git = {
+ enable = true;
+ config = {
+ user.name = "Rouven Seifert";
+ user.email = "rouven@rfive.de";
+ };
+ };
+
+ services.openssh.enable = true;
+ services.journald.gateway.enable = true;
+ programs.mosh.enable = true;
+
+ users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/";
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../keys/ssh/rouven-thinkpad
+ ../../keys/ssh/root-thinkpad
+ ../../keys/ssh/rouven-pixel
+ ../../keys/ssh/root-falkenstein
+ ];
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
diff --git a/hosts/fujitsu/hardware-configuration.nix b/hosts/fujitsu/hardware-configuration.nix
new file mode 100644
index 0000000..da29632
--- /dev/null
+++ b/hosts/fujitsu/hardware-configuration.nix
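Review bot: The root password hash assigned to `users.users.root.initialHashedPassword` is committed in clear in the repository, so everyone with read access to the repo (or to wherever these host files are published) can run offline guessing against it. The host is built with `agenix.nixosModules.default` in flake.nix, so the hash can be stored as an encrypted secret and referenced through `users.users.root.hashedPasswordFile = config.age.secrets.<secret-name>.path;` (placeholder name; the module already takes `config`). If the hash has to stay in-repo for now, plan to rotate it, and note that `initialHashedPassword` is re-applied whenever `/etc/shadow` is recreated, which the tmpfs-root change later in this series appears to make happen on every boot.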
@@ -0,0 +1,47 @@
+{ config, lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda2";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/sda2";
+ fsType = "btrfs";
+ options = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/var/lib" = {
+ device = "/dev/sda2";
+ fsType = "btrfs";
+ options = [ "subvol=lib" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/var/log" = {
+ device = "/dev/sda2";
+ fsType = "btrfs";
+ options = [ "subvol=log" "compress=zstd" "noatime" ];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/iso/default.nix b/hosts/iso/default.nix
index 7797518..645a8e6 100644
--- a/hosts/iso/default.nix
+++ b/hosts/iso/default.nix
@@ -11,6 +11,7 @@
 programs.git.enable = true;
 environment.systemPackages = with pkgs; [
 helix
+ vim
 ];
 
 # in case we need to rescue a zfs machine
diff --git a/hosts/nuc/hardware-configuration.nix b/hosts/nuc/hardware-configuration.nix
index 2ac61dc..10991c5 100644
--- a/hosts/nuc/hardware-configuration.nix
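Review bot: All four `fileSystems.*.device` entries reference the disk by kernel name, `/dev/sda2`, while `boot.loader.grub.devices` in default.nix lists two disks (`/dev/sda` and `/dev/sdb`); enumeration order between the two is not guaranteed across boots or controller changes, so a swap would make the initrd mount the wrong device or fail. The nuc hardware config in this same patch already uses the stable form, so the same is worth doing here, e.g. `device = "/dev/disk/by-uuid/<ROOT-FS-UUID>";` (placeholder UUID) for each of the four entries. The `/boot` entry that the second patch in this series adds to this file inherits the same `/dev/sda2` reference and would need the same change.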
+++ b/hosts/nuc/hardware-configuration.nix 
@@ -16,42 +16,36 @@
 boot.extraModulePackages = [ ];
 services.fstrim.enable = true;
 
- fileSystems."/" =
- {
- device = "tmpfs";
- fsType = "tmpfs";
- options = [ "mode=755" ];
- };
+ fileSystems."/" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "mode=755" ];
+ };
 
- fileSystems."/var/lib" =
- {
- device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
- fsType = "btrfs";
- options = [ "subvol=lib" "compress=zstd" "discard=async" "noatime" ];
- };
+ fileSystems."/var/lib" = {
+ device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
+ fsType = "btrfs";
+ options = [ "subvol=lib" "compress=zstd" "discard=async" "noatime" ];
+ };
 
- fileSystems."/var/log" =
- {
- device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
- fsType = "btrfs";
- options = [ "subvol=log" "compress=zstd" "discard=async" "noatime" ];
- };
+ fileSystems."/var/log" = {
+ device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
+ fsType = "btrfs";
+ options = [ "subvol=log" "compress=zstd" "discard=async" "noatime" ];
+ };
 
- fileSystems."/nix" =
- {
- device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
- fsType = "btrfs";
- options = [ "subvol=nix" "compress=zstd" "discard=async" "noatime" ];
- };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
+ fsType = "btrfs";
+ options = [ "subvol=nix" "compress=zstd" "discard=async" "noatime" ];
+ };
 
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/0135-7C8C";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/0135-7C8C";
+ fsType = "vfat";
+ };
 
- swapDevices =
- [{ device = "/dev/disk/by-uuid/fdedb47c-a370-4005-ac37-1c186e667de0"; }];
+ swapDevices = [{ device = "/dev/disk/by-uuid/fdedb47c-a370-4005-ac37-1c186e667de0"; }];
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/hosts/vm/hardware-configuration.nix b/hosts/vm/hardware-configuration.nix
index 612cba4..90cb1db 100644
--- a/hosts/vm/hardware-configuration.nix
+++ b/hosts/vm/hardware-configuration.nix
@@ -11,13 +11,12 @@
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
 
- fileSystems."/" =
- {
-
- # Replace with actual config
- device = "/dev/sda";
- fsType = "ext4";
- };
+ # fileSystems."/" =
+ # {
+ # # Replace with actual config
+ # device = "/dev/sda";
+ # fsType = "ext4";
+ # };
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/shared/systemd.nix b/shared/systemd.nix
index cb53f89..bb6a7d5 100644
--- a/shared/systemd.nix
+++ b/shared/systemd.nix
@@ -3,7 +3,8 @@
 {
 systemd = {
- package = lib.mkDefault (nixpkgs-systemd-256.legacyPackages.x86_64-linux.systemd.override { withHomed = false; });
+ # package = lib.mkDefault (nixpkgs-systemd-256.legacyPackages.x86_64-linux.systemd.override { withHomed = false; });
+ package = lib.mkDefault (pkgs.systemd.override { withHomed = false; });
 sleep.extraConfig = ''
 HibernateDelaySec=2h
 '';
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index fe33497..36cdcc6 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -24,6 +24,7 @@
 # internet
 google-chrome
+ liferea
 # messaging
 tdesktop
@@ -35,7 +36,7 @@
 # cryptography
 yubikey-manager
- # python311Packages.pyhanko # broken, TODO fix
+ python311Packages.pyhanko # broken, TODO fix
 bitwarden-cli
 # misc
From 0ef795ca18b229f9c51e4f606f930b8f98fc26d4 Mon Sep 17 00:00:00 2001
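Review bot: The replaced root filesystem block in hosts/vm/hardware-configuration.nix is kept as six commented-out lines instead of being deleted; git history already preserves it, and a commented-out `fileSystems."/"` in a hardware config invites being pasted back verbatim later. Either delete the block, or replace it with a single comment stating where the vm host's root filesystem now comes from, e.g. `# fileSystems."/" is supplied by <the VM runner module> — placeholder`. shared/systemd.nix in this same patch keeps the old `package = lib.mkDefault (nixpkgs-systemd-256…)` line commented out in the same way. I cannot see from this hunk what provides `fileSystems."/"` for the vm host after the change, so confirm the configuration still evaluates.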
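Review bot: With `systemd.package` now derived from `pkgs.systemd`, the `nixpkgs-systemd-256` input that the removed line referenced is no longer used in shared/systemd.nix; if no other module references it, the input can be dropped from flake.nix and its entry from flake.lock so that an extra nixpkgs tree is no longer fetched and pinned. I can only see this one hunk, so whether other files still use it is not visible here. The `withHomed = false` override is carried over unchanged, which keeps the homed surface off as before.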
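Review bot: The re-enabled `python311Packages.pyhanko` entry in the second packages.nix hunk still carries the `# broken, TODO fix` trailing comment, which now contradicts the change: either the package builds again and the line should read `python311Packages.pyhanko`, or it is still broken and should remain commented out. A stale "broken" marker on an active entry is the kind of note a later reader acts on by commenting the line out again.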
From: Rouven Seifert
Date: Wed, 15 May 2024 13:23:05 +0200
Subject: [PATCH 2/2] fujitsu: configure network and impermanence
---
 hosts/fujitsu/default.nix | 21 ++++++----
 hosts/fujitsu/hardware-configuration.nix | 17 ++++----
 hosts/fujitsu/modules/networks/default.nix | 47 ++++++++++++++++++++++
 hosts/thinkpad/modules/networks/uni.nix | 2 +-
 4 files changed, 68 insertions(+), 19 deletions(-)
 create mode 100644 hosts/fujitsu/modules/networks/default.nix
diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix
index 2d9820f..7dc15f2 100644
--- a/hosts/fujitsu/default.nix
+++ b/hosts/fujitsu/default.nix
@@ -1,20 +1,25 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
+{ pkgs, ... }:
 {
 imports = [
 ./hardware-configuration.nix
+ ./modules/networks
 ];
 
 boot.loader.grub.enable = true;
 boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
 services.btrfs.autoScrub.enable = true;
 
- # TODO move to netwurking
- networking.hostName = "fujitsu"; # Define your hostname.
+ environment.persistence."/nix/persist/system" = {
+ directories = [
+ "/etc/ssh"
+ "/root/.borgmatic"
+ "/root/.local/share/zsh"
+ "/root/.config/borg/security"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ };
 
 time.timeZone = "Europe/Berlin";
 console = {
diff --git a/hosts/fujitsu/hardware-configuration.nix b/hosts/fujitsu/hardware-configuration.nix
index da29632..75fc55a 100644
--- a/hosts/fujitsu/hardware-configuration.nix
+++ b/hosts/fujitsu/hardware-configuration.nix
@@ -11,9 +11,15 @@
 boot.extraModulePackages = [ ];
 
 fileSystems."/" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "mode=755" ];
+ };
+
+ fileSystems."/boot" = {
 device = "/dev/sda2";
 fsType = "btrfs";
- options = [ "subvol=root" ];
+ options = [ "subvol=boot" "noatime" ];
 };
 
 fileSystems."/nix" = {
@@ -33,15 +39,6 @@
 fsType = "btrfs";
 options = [ "subvol=log" "compress=zstd" "noatime" ];
 };
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/hosts/fujitsu/modules/networks/default.nix b/hosts/fujitsu/modules/networks/default.nix
new file mode 100644
index 0000000..47e61c2
--- /dev/null
+++ b/hosts/fujitsu/modules/networks/default.nix
@@ -0,0 +1,47 @@
+{ ... }:
+{
+ networking = {
+ hostName = "fujitsu";
+ domain = "rfive.de";
+ useNetworkd = true;
+ enableIPv6 = true;
+ nftables.enable = true;
+ firewall = {
+ extraInputRules = ''
+ ip saddr 192.168.0.0/16 tcp dport 19531 accept comment "Allow journald gateway access from local networks"
+ '';
+ };
+ };
+ services.resolved = {
+ enable = true;
+ fallbackDns = [
+ "9.9.9.9"
+ "149.112.112.112"
+ "2620:fe::fe"
+ "2620:fe::9"
+ ];
+ };
+
+
+ systemd.network = {
+ enable = true;
+ networks."10-loopback" = {
+ matchConfig.Name = "lo";
+ linkConfig.RequiredForOnline = false;
+ };
+ networks."10-wired" = {
+ matchConfig.Name = "enp2s0";
+ address = [ "192.168.42.3/24" ];
+ routes = [{
+ routeConfig.Gateway = "192.168.42.1";
+ }];
+ networkConfig = {
+ DNS = [
+ "192.168.42.1"
+ ];
+ LLDP = true;
+ EmitLLDP = "nearest-bridge";
+ };
+ };
+ };
+}
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index eedc098..08129be 100644
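Review bot: The nftables rule in `networking.firewall.extraInputRules` accepts TCP 19531 from the whole `192.168.0.0/16`, while the only address configured on this host in the same file is `192.168.42.3/24`; the journald gateway that this port belongs to (enabled in default.nix by the first patch) serves the full system journal over plain HTTP without authentication by default, so every device on any 192.168.x.y network that can route to this host can read the logs. Narrow the source to the network or hosts that actually need it, e.g. `ip saddr 192.168.42.0/24 tcp dport 19531 accept comment "Allow journald gateway access from the LAN"`, or keep the gateway on loopback and reach it over the SSH/mosh access the host already has. The two consecutive blank lines before `systemd.network` are harmless but inconsistent with the rest of the file.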
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -23,7 +23,7 @@
 identity="rose159e@tu-dresden.de"
 password="@EDUROAM_AUTH@"
 phase2="auth=PAP"
- bssid_ignore=7c:5a:1c:02:3d:ef
+ bssid_ignore=7c:5a:1c:02:3d:ef,82:5a:1c:02:3d:ef
 '';
 extraConfig = ''
 scan_ssid=1