From 3c5e7179bbfc68fbfc62a89872b6d5cc48ac45cb Mon Sep 17 00:00:00 2001 From: arcnmx Date: Sun, 24 Nov 2024 13:51:35 -0800 Subject: [PATCH] chore(gengetsu): common nixos.hw.c4130 --- modules/extern/nixos/kyuuto.nix | 44 +++++++------- nixos/base/access.nix | 23 ++++---- nixos/base/ssh.nix | 9 ++- nixos/base/system.nix | 7 ++- nixos/hw/c4130.nix | 6 +- nixos/hw/headless.nix | 14 +++++ nixos/hw/metal.nix | 12 +++- nixos/kyuuto/nfs.nix | 60 ++++++++++++++------ nixos/netboot/kyuuto.nix | 34 ++++++----- nixos/nfs.nix | 10 +++- nixos/reisen-ct/proxmox.nix | 12 ++-- systems/gengetsu/default.nix | 10 ++-- systems/gengetsu/hardware-configuration.nix | 47 +++++++++++++++ systems/gengetsu/nixos.nix | 40 +------------ systems/logistics/hardware-configuration.nix | 9 +++ systems/logistics/nixos.nix | 5 -- systems/mugetsu/hardware-configuration.nix | 1 + systems/mugetsu/nixos.nix | 6 +- 18 files changed, 217 insertions(+), 132 deletions(-) create mode 100644 nixos/hw/headless.nix create mode 100644 systems/gengetsu/hardware-configuration.nix diff --git a/modules/extern/nixos/kyuuto.nix b/modules/extern/nixos/kyuuto.nix index 452f7c13..14c770ae 100644 --- a/modules/extern/nixos/kyuuto.nix +++ b/modules/extern/nixos/kyuuto.nix @@ -104,7 +104,8 @@ ]; nfs.fstabOptions = [ "noauto" - "lazytime" "noatime" + "lazytime" + "noatime" #"nfsvers=4" "soft" "nocto" @@ -116,7 +117,8 @@ ]; smb.fstabOptions = [ "noauto" - "lazytime" "noatime" + "lazytime" + "noatime" (mkIf (config.smb.user != null) "user=${config.smb.user}") ]; automount.fstabOptions = [ 
@@ -129,28 +131,30 @@ cfg, nfsSubpath, smbSubpath, - }: mkIf cfg.enable { - device = mkMerge [ - (mkIf config.nfs.enable "nfs.${config.domain}:/srv/fs/${nfsSubpath}") - (mkIf config.smb.enable ''\\smb.${config.domain}\${smbSubpath}'') - ]; - fsType = mkMerge [ - (mkIf config.nfs.enable "nfs4") - (mkIf config.smb.enable "smb3") - ]; - options = mkMerge (setFilesystemOptions - ++ [ - (mkIf cfg.krb5.enable [ - "sec=krb5" - (mkIf config.nfs.enable "nfsvers=4") - ]) - ]); - }; + }: + mkIf cfg.enable { + device = mkMerge [ + (mkIf config.nfs.enable "nfs.${config.domain}:/srv/fs/${nfsSubpath}") + (mkIf config.smb.enable ''\\smb.${config.domain}\${smbSubpath}'') + ]; + fsType = mkMerge [ + (mkIf config.nfs.enable "nfs4") + (mkIf config.smb.enable "smb3") + ]; + options = mkMerge (setFilesystemOptions + ++ [ + (mkIf cfg.krb5.enable [ + "sec=krb5" + (mkIf config.nfs.enable "nfsvers=4") + ]) + ]); + }; in { "/mnt/kyuuto-media" = mkKyuutoFs { cfg = config.media; nfsSubpath = "kyuuto/media"; - smbSubpath = if config.smb.user != null && access.local.enable + smbSubpath = + if config.smb.user != null && access.local.enable then "kyuuto-media" else if config.smb.user != null then "kyuuto-library-net" diff --git a/nixos/base/access.nix b/nixos/base/access.nix index 891da730..e1769424 100644 --- a/nixos/base/access.nix +++ b/nixos/base/access.nix @@ -2,11 +2,20 @@ config, pkgs, meta, + lib, ... -}: { - security.sudo.wheelNeedsPassword = false; +}: let + inherit (lib.modules) mkIf mkDefault; +in { + imports = let + inherit (meta) nixos; + in [ + nixos.users + ]; - security.polkit.extraConfig = '' + security.sudo.wheelNeedsPassword = mkDefault false; + + security.polkit.extraConfig = mkIf (!config.security.sudo.wheelNeedsPassword) '' polkit.addRule(function(action, subject) { if (subject.isInGroup("wheel")) { return polkit.Result.YES; 
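Review bot: The new `mkIf (!config.security.sudo.wheelNeedsPassword)` on `security.polkit.extraConfig` couples the polkit grant to the sudo setting without saying why, and because `security.sudo.wheelNeedsPassword = mkDefault false` every host importing nixos.base now gets passwordless root for the wheel group through both sudo and polkit unless it overrides the sudo option. The rule body returns `polkit.Result.YES` for every action, which is broader than anything sudo covers, so a reader who later tightens one side is likely to miss the other. A short comment above the `mkIf` would make the linkage explicit: `# polkit mirrors sudo: hosts that set wheelNeedsPassword = true fall back to the NixOS default polkit rules (admin auth)`. The rule body and its closing `'';` run past the end of this hunk.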
@@ -14,12 +23,6 @@ }); ''; - imports = let - inherit (meta) nixos; - in [ - nixos.users - ]; - users.motd = '' ${config.networking.hostName}.${config.networking.domain} @@ -27,7 +30,7 @@ users.defaultUserShell = pkgs.zsh; users.users.root = { - hashedPassword = "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1"; + hashedPassword = mkDefault "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1"; openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix index 14b6f6a9..1e78bc50 100644 --- a/nixos/base/ssh.nix +++ b/nixos/base/ssh.nix @@ -1,10 +1,11 @@ { config, lib, - pkgs, ... }: let - inherit (lib.modules) mkDefault; + inherit (lib.modules) mkIf mkDefault; + inherit (lib.lists) head; + cfg = config.services.openssh; publicPort = 62954; in { /* @@ -33,4 +34,8 @@ in { }; programs.mosh.enable = true; + + boot.initrd.network.ssh = mkIf cfg.enable { + port = mkDefault (head cfg.ports); + }; } diff --git a/nixos/base/system.nix b/nixos/base/system.nix index 7966225d..f391af2c 100644 --- a/nixos/base/system.nix +++ b/nixos/base/system.nix @@ -1,9 +1,11 @@ { config, + gensokyo-zone, lib, pkgs, ... }: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.modules) mkDefault; in { hardware.enableRedistributableFirmware = mkDefault true; @@ -23,7 +25,8 @@ in { services.journald.extraConfig = "SystemMaxUse=512M"; users.mutableUsers = mkDefault false; boot.tmp = { - useTmpfs = mkDefault true; - tmpfsSize = mkDefault "80%"; + cleanOnBoot = mkAlmostOptionDefault true; + useTmpfs = mkAlmostOptionDefault true; + tmpfsSize = mkAlmostOptionDefault "80%"; }; } diff --git a/nixos/hw/c4130.nix b/nixos/hw/c4130.nix index 94dbb01b..c8ce0ed8 100644 --- a/nixos/hw/c4130.nix +++ b/nixos/hw/c4130.nix 
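Review bot: `users.users.root.hashedPassword` is one SHA-crypt hash shared by every host that imports nixos.base and committed to the repository; the `mkDefault` added here only makes it overridable, it does not change that anyone with read access to the repo can crack the hash offline and then log in as root on every machine. With `users.mutableUsers = mkDefault false` (nixos/base/system.nix) this is also the only root password those hosts will ever have. Consider `users.users.root.hashedPasswordFile` backed by a sops-managed secret (the `#nixos.sops` import is already stubbed in the gengetsu and mugetsu configs) or at least a per-host hash; if a shared fleet-wide recovery password is intentional, say so next to it: `# NOTE: shared recovery password for console access; override per host or move to sops`. The `openssh.authorizedKeys.keys` expression below is cut off at the hunk edge.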
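Review bot: Defaulting the initrd sshd to the stage-2 port (`port = mkDefault (head cfg.ports)`) means clients reach two different daemons on the same host:port, and unless `boot.initrd.network.ssh.hostKeys` is pointed at the same key files as the main daemon they will see host-key-changed warnings on every boot-time connection, which trains operators to accept key changes — the very signal a MITM would trigger. Nothing in this hunk sets `hostKeys`, and `head cfg.ports` would also fail evaluation on a host that empties `services.openssh.ports` (the NixOS default is `[22]`, so only such a host is affected). Either document the expectation, `# initrd sshd shares the port, so boot.initrd.network.ssh.hostKeys must be the stage-2 host keys`, or default to a distinct port so the two daemons get separate known_hosts entries.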
@@ -4,16 +4,14 @@ lib, ... }: let - inherit (lib.modules) mkIf mkMerge mkDefault; + inherit (lib.modules) mkIf mkMerge; in { imports = [ + ./headless.nix ./metal.nix ]; boot = { - loader = { - systemd-boot.enable = mkDefault true; - }; initrd = { systemd.network = mkIf config.networking.useNetworkd { networks."40-eno1" = { diff --git a/nixos/hw/headless.nix b/nixos/hw/headless.nix new file mode 100644 index 00000000..60287b78 --- /dev/null +++ b/nixos/hw/headless.nix @@ -0,0 +1,14 @@ +{ + config, + lib, + ... +}: let + inherit (lib.modules) mkDefault; +in { + boot = { + initrd.systemd.emergencyAccess = mkDefault true; + consoleLogLevel = mkDefault 5; + }; + services.getty.autologinUser = mkDefault "root"; + documentation.enable = mkDefault false; +} diff --git a/nixos/hw/metal.nix b/nixos/hw/metal.nix index ab87c23e..9bb60c3c 100644 --- a/nixos/hw/metal.nix +++ b/nixos/hw/metal.nix @@ -1,9 +1,19 @@ { pkgs, config, + gensokyo-zone, lib, ... -}: { +}: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; +in { + boot = { + loader = { + systemd-boot.enable = mkAlmostOptionDefault true; + efi.canTouchEfiVariables = mkAlmostOptionDefault true; + }; + }; + environment.systemPackages = [ pkgs.pciutils pkgs.usbutils diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix index 43413909..3c0abbc8 100644 --- a/nixos/kyuuto/nfs.nix +++ b/nixos/kyuuto/nfs.nix @@ -15,7 +15,13 @@ data = "${nfsRoot}/kyuuto/data"; systems = "${nfsRoot}/kyuuto/systems"; }; - mkSystemExport = { name, fsid, machine, flags ? ["async"], machineFlags ? flagSets.metal }: { + mkSystemExport = { + name, + fsid, + machine, + flags ? ["async"], + machineFlags ? flagSets.metal, + }: { flags = flagSets.common ++ ["fsid=${toString fsid}"] ++ flags; clients = { ${name} = { 
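Review bot: `services.getty.autologinUser = mkDefault "root"` together with `initrd.systemd.emergencyAccess = mkDefault true` turns every console of a host importing this module into an unauthenticated root shell, and the module is now pulled in by nixos.hw.c4130 (whose consoles are presumably reachable through the BMC, given the `idrac-${name}` NFS clients in nixos/nfs.nix) and by nixos/reisen-ct/proxmox.nix (container console). That is a reasonable choice if console access is already treated as equivalent to root, but the previous per-host settings at least made it a visible per-machine decision, whereas a shared `hw/headless.nix` makes it the silent default. Suggest stating the assumption in a header comment, e.g. `# Headless hosts: console access (BMC/iDRAC, hypervisor console) is trusted as root, so getty and the initrd emergency shell skip authentication; do not import on hosts whose console is reachable by non-admins`, and noting that `services.getty.autologinUser = null` restores the login prompt where the BMC is shared.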
@@ -28,12 +34,18 @@ }; }; }; - mkSystemExports = name: { machine, fileSystems }: let + mkSystemExports = name: { + machine, + fileSystems, + }: let systemRoot = "${nfsRoot.systems}/${name}"; - mapSystemExport = fsName: fs: nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({ - inherit name machine; - } // fs)); - in mapAttrs' mapSystemExport fileSystems; + mapSystemExport = fsName: fs: + nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({ + inherit name machine; + } + // fs)); + in + mapAttrs' mapSystemExport fileSystems; exportedSystems = { gengetsu = { machine = flagSets.gengetsuClients; @@ -105,21 +117,33 @@ in { "nfs-mountd.service" ]; before = wantedBy; - mkMount = { what, where, ... }@args: { - inherit type options wantedBy before; - } // args; - mkSystemMount = { name, fsName }: let + mkMount = { + what, + where, + ... + } @ args: + { + inherit type options wantedBy before; + } + // args; + mkSystemMount = { + name, + fsName, + }: let systemRoot = "${nfsRoot.systems}/${name}"; - in mkMount { - what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}"; - where = "${systemRoot}/${fsName}"; - }; - mapSystemMounts = name: { fileSystems, ... }: let - mapFileSystem = fsName: fs: mkSystemMount { inherit name fsName; }; - in mapAttrsToList mapFileSystem fileSystems; + in + mkMount { + what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}"; + where = "${systemRoot}/${fsName}"; + }; + mapSystemMounts = name: {fileSystems, ...}: let + mapFileSystem = fsName: fs: mkSystemMount {inherit name fsName;}; + in + mapAttrsToList mapFileSystem fileSystems; systemMounts = let systemMounts = mapAttrsToList mapSystemMounts exportedSystems; - in concatLists systemMounts; + in + concatLists systemMounts; exportMounts = map mkMount [ { what = kyuuto.mountDir; diff --git a/nixos/netboot/kyuuto.nix b/nixos/netboot/kyuuto.nix index 361ccedb..53e38475 100644 --- a/nixos/netboot/kyuuto.nix +++ b/nixos/netboot/kyuuto.nix 
@@ -29,7 +29,8 @@ in { default = [ "nolock" # required in order to mount in initrd when statd daemon isn't running "nocto" - "lazytime" "noatime" + "lazytime" + "noatime" "actimeo=${toString defaultCacheTimeoutMax}" "acregmin=${toString defaultCacheTimeoutMin}" "acdirmin=${toString defaultCacheTimeoutMin}" @@ -47,7 +48,8 @@ in { }; }; availableKernelModules = mkIf nfsEnabled [ - "nfsv4" "nfsv3" + "nfsv4" + "nfsv3" ]; extraUtilsCommands = mkIf (nfsEnabled && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${cfg.nfs.package}/sbin/mount.nfs @@ -60,7 +62,7 @@ in { (mkIf config.boot.initrd.network.enable [ pkgs.iproute2 ]) - [ pkgs.util-linux pkgs.gnugrep ] + [pkgs.util-linux pkgs.gnugrep] ]; network = mkIf config.networking.useNetworkd { enable = mkDefault true; @@ -69,20 +71,24 @@ in { }; loader = { systemd-boot.enable = true; - efi.canTouchEfiVariables = false; + efi.canTouchEfiVariables = mkIf cfg.boot.enable false; }; }; fileSystems = let - nfsUrl = access.proxyUrlFor { - serviceName = "nfs"; - scheme = ""; - defaultPort = 2049; - # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?) - getAddressFor = "getAddress4For"; - } + ":/srv/fs/kyuuto/systems/${systemConfig.name}"; - nfsOpts = [ - "sec=${cfg.nfs.security}" - ] ++ cfg.nfs.flags; + nfsUrl = + access.proxyUrlFor { + serviceName = "nfs"; + scheme = ""; + defaultPort = 2049; + # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?) + getAddressFor = "getAddress4For"; + } + + ":/srv/fs/kyuuto/systems/${systemConfig.name}"; + nfsOpts = + [ + "sec=${cfg.nfs.security}" + ] + ++ cfg.nfs.flags; in { "/" = { device = "${nfsUrl}/root"; diff --git a/nixos/nfs.nix b/nixos/nfs.nix index e9a2b1be..a112543e 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix 
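Review bot: `efi.canTouchEfiVariables` is now only forced to `false` under `cfg.boot.enable`, but `systemd-boot.enable = true` on the line above stays unconditional and without `mkDefault`, so any host importing this module (mugetsu's hardware-configuration now does) still hard-enables systemd-boot even when netboot is off, overriding the `mkAlmostOptionDefault true` that metal.nix provides and blocking a per-host override. Gate both loader options the same way, `systemd-boot.enable = mkIf cfg.boot.enable true;`, or drop the line and rely on metal.nix; I cannot see the definition of `cfg` in this diff, so confirm it is the netboot option set. The `fileSystems` attribute set that follows runs past the end of the hunk.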
@@ -63,9 +63,11 @@ in { optional (local.enable or false && local.address4 != null) "${local.address4}/32" ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128"; allowed = - if addrs != [] then addrs + if addrs != [] + then addrs else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all; - in allowed; + in + allowed; mkC4130Client = name: mkMetalClient name ++ mkMetalClient "idrac-${name}"; in { common = [ @@ -91,7 +93,9 @@ in { "ro" ]; metal = [ - "sec=sys" "no_root_squash" "rw" + "sec=sys" + "no_root_squash" + "rw" ]; # client machines clientGroups = [ diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/reisen-ct/proxmox.nix index 2bf10c27..5938ed52 100644 --- a/nixos/reisen-ct/proxmox.nix +++ b/nixos/reisen-ct/proxmox.nix @@ -3,6 +3,7 @@ gensokyo-zone, lib, modulesPath, + meta, ... }: let inherit (gensokyo-zone.lib) unmerged; @@ -10,17 +11,20 @@ inherit (lib.attrsets) mapAttrsToList; inherit (systemConfig) proxmox; in { - imports = [ + imports = let + inherit (meta) nixos; + in [ + nixos.hw.headless (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; - services.getty.autologinUser = mkDefault "root"; - documentation.enable = mkDefault false; - environment.variables = { # nix default is way too big GC_INITIAL_HEAP_SIZE = mkDefault "8M"; }; + # XXX: this might be okay if the nix daemon's tmp is overridden + # (but still avoid since containers are usually low on provisioned memory) + boot.tmp.useTmpfs = mkDefault false; proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true; diff --git a/systems/gengetsu/default.nix b/systems/gengetsu/default.nix index 025d358a..0707cdaa 100644 --- a/systems/gengetsu/default.nix +++ b/systems/gengetsu/default.nix 
@@ -6,12 +6,10 @@ _: { modules = [ ./nixos.nix ]; - deploy.hostname = "10.1.1.204"; - deploy.sshOpts = []; - #exports = { - #services = { - #}; - #}; + exports = { + services = { + }; + }; network.networks = { local = { macAddress = "54:48:10:f3:fe:aa"; diff --git a/systems/gengetsu/hardware-configuration.nix b/systems/gengetsu/hardware-configuration.nix new file mode 100644 index 00000000..db8e8352 --- /dev/null +++ b/systems/gengetsu/hardware-configuration.nix @@ -0,0 +1,47 @@ +{ + meta, + config, + ... +}: { + imports = let + inherit (meta) nixos; + in [ + nixos.hw.c4130 + #nixos.netboot.kyuuto + ]; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/bf317f5d-ffc2-45fd-9621-b645ff7223fc"; + fsType = "xfs"; + options = ["lazytime" "noatime"]; + }; + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + options = ["fmask=0077" "dmask=0077"]; + }; + }; + + networking.useNetworkd = true; + systemd.network = { + networks."40-eno1" = { + inherit (config.systemd.network.links.eno1) matchConfig; + address = ["10.1.1.61/24"]; + gateway = ["10.1.1.1"]; + DHCP = "no"; + networkConfig = { + IPv6AcceptRA = true; + }; + linkConfig = { + Multicast = true; + }; + }; + links.eno1 = { + matchConfig = { + Type = "ether"; + MACAddress = "54:48:10:f3:fe:aa"; + }; + }; + }; +} diff --git a/systems/gengetsu/nixos.nix b/systems/gengetsu/nixos.nix index 0bcbec41..6582f479 100644 --- a/systems/gengetsu/nixos.nix +++ b/systems/gengetsu/nixos.nix 
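Review bot: The new hardware-configuration.nix mounts `/` from `/dev/disk/by-uuid/bf317f5d-…` (xfs) but declares no `boot.initrd.availableKernelModules`, while this same commit deletes the `["ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]` list from systems/gengetsu/nixos.nix. Unless nixos.hw.c4130 (imported here; only its initrd network section is visible in this diff) supplies the storage modules, the initrd may no longer be able to find the root device on the next reboot. Either move that list into this file alongside the `fileSystems` definition, or make the dependency explicit with `# initrd storage modules (ahci, sd_mod, …) come from nixos.hw.c4130` so the next person does not trim them there.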
@@ -1,47 +1,11 @@ -{ - meta, - config, - lib, - modulesPath, - pkgs, - ... -}: { +{meta, ...}: { imports = let inherit (meta) nixos; in [ + ./hardware-configuration.nix #nixos.sops nixos.base ]; - boot = { - initrd = { - availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; - kernelModules = []; - systemd.emergencyAccess = true; - }; - kernelModules = []; - extraModulePackages = []; - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/bf317f5d-ffc2-45fd-9621-b645ff7223fc"; - fsType = "xfs"; - }; - "/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - options = ["fmask=0077" "dmask=0077"]; - }; - }; - - environment.systemPackages = [ - pkgs.ipmitool - ]; - system.stateVersion = "24.05"; } diff --git a/systems/logistics/hardware-configuration.nix b/systems/logistics/hardware-configuration.nix index 3cbe162e..0fea7c9a 100644 --- a/systems/logistics/hardware-configuration.nix +++ b/systems/logistics/hardware-configuration.nix @@ -2,12 +2,19 @@ config, pkgs, lib, + meta, ... }: let inherit (lib.modules) mkIf; opengl32 = false; opencl = false; in { + imports = let + inherit (meta) nixos; + in [ + nixos.hw.metal + ]; + boot = { initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; kernelModules = ["kvm-intel"]; @@ -41,4 +48,6 @@ in { ]; }; }; + + networking.networkmanager.enable = true; } diff --git a/systems/logistics/nixos.nix b/systems/logistics/nixos.nix index 11bb646b..ae896cc3 100644 --- a/systems/logistics/nixos.nix +++ b/systems/logistics/nixos.nix @@ -21,11 +21,6 @@ in { ./hardware-configuration.nix ]; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.networkmanager.enable = true; - services.xserver = { enable = true; displayManager.lightdm.enable = true; 
diff --git a/systems/mugetsu/hardware-configuration.nix b/systems/mugetsu/hardware-configuration.nix index 259b7038..df890f3f 100644 --- a/systems/mugetsu/hardware-configuration.nix +++ b/systems/mugetsu/hardware-configuration.nix @@ -7,6 +7,7 @@ inherit (meta) nixos; in [ nixos.hw.c4130 + nixos.netboot.kyuuto ]; fileSystems = { diff --git a/systems/mugetsu/nixos.nix b/systems/mugetsu/nixos.nix index c5084b9c..6d444dec 100644 --- a/systems/mugetsu/nixos.nix +++ b/systems/mugetsu/nixos.nix @@ -1,14 +1,10 @@ -{ - meta, - ... -}: { +{meta, ...}: { imports = let inherit (meta) nixos; in [ ./hardware-configuration.nix #nixos.sops nixos.base - nixos.netboot.kyuuto ]; system.stateVersion = "24.11";