Upgrade to NixOS 23.05 and SSD boot

2023-06-08 18:30:16 +02:00
parent 95a024a6e7
commit 110a98c3d4
14 changed files with 107 additions and 117 deletions
--- a/modules/communication.nix
+++ b/modules/communication.nix
@@ -11,17 +11,6 @@ let
    conn_max_lifetime = -1;
  };

-  latest-mautrix-signal = mautrix-signal.overrideAttrs (old: rec {
-    version = "0.4.2";
-    src = fetchFromGitHub {
-      owner = "mautrix";
-      repo = "signal";
-      rev = "refs/tags/v${version}";
-      sha256 = "UbetU1n9zD/mVFaJc9FECDq/Zell1TI/aYPsGXGB8Js=";
-    };
-
-  });
-
 in {
  # Matrix server configuration
  services.dendrite = {
@@ -95,7 +84,7 @@ in {
      signal = {
        port = 8338;
        format = "mautrix-python";
-        package = latest-mautrix-signal;
+        package = mautrix-signal;
        serviceConfig = {
          StateDirectory = [ "matrix-as-signal" "signald" ];
          JoinNamespaceOf = "signald.service";
--- a/modules/containers.nix
+++ b/modules/containers.nix
@@ -54,4 +54,10 @@
      ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
    '';
  };
+
+  # Start services after ZFS mount
+  systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
+    [ "vault.mount" ];
+  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
+    [ "vault.mount" ];
 }
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@@ -97,4 +97,10 @@
    monthly = 12;
  };

+  # Start services after ZFS mount
+  systemd.services.syncthing.unitConfig.RequiresMountsFor =
+    [ "vault-syncthing.mount" ];
+  systemd.services.radicale.unitConfig.RequiresMountsFor =
+    [ "vault-radicale.mount" ];
+
 }
--- a/modules/device.nix
+++ b/modules/device.nix
@@ -18,18 +18,19 @@ with pkgs;
  boot.loader = {
    grub.enable = false;
    generic-extlinux-compatible.enable = lib.mkForce false;
-  };
-  boot.loader.raspberryPi = {
-    enable = true;
-    version = 4;
-    firmwareConfig = ''
-      iomem=relaxed
-      strict-devmem=0
-      dtoverlay=w1-gpio
-    '';
+    raspberryPi = {
+      enable = true;
+      version = 4;
+      firmwareConfig = ''
+        iomem=relaxed
+        strict-devmem=0
+        dtoverlay=w1-gpio
+      '';
+    };
  };

  boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
+
  # Load PWM hardware timers
  hardware.raspberry-pi."4".pwm0.enable = true;

--- a/modules/devops.nix
+++ b/modules/devops.nix
@@ -1,10 +1,7 @@
-{ config, pkgs, pkgs-unstable, lib, ... }: {
+{ config, pkgs, lib, ... }: {
  # Set up Gitea with LFS support
  services.gitea = {
    enable = true;
-    domain = "git.coolneng.duckdns.org";
-    rootUrl = "https://git.coolneng.duckdns.org";
-    package = pkgs-unstable.gitea;
    database = {
      type = "postgres";
      passwordFile = config.age.secrets.gitea.path;
@@ -16,10 +13,17 @@
      contentDir = "${config.services.gitea.repositoryRoot}/data/lfs";
    };
    settings = {
+      server = {
+        DISABLE_SSH = true;
+        DOMAIN = "git.coolneng.duckdns.org";
+        ROOTURL = "https://git.coolneng.duckdns.org";
+      };
      ui.DEFAULT_THEME = "arc-green";
      session.COOKIE_SECURE = true;
-      server.DISABLE_SSH = true;
      actions.ENABLED = true;
    };
  };
+
+  # Start services after ZFS mount
+  systemd.services.gitea.unitConfig.RequiresMountsFor = [ "vault-git.mount" ];
 }
--- a/modules/hardware-configuration.nix
+++ b/modules/hardware-configuration.nix
@@ -6,18 +6,28 @@
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
-    fsType = "ext4";
+    device = "sysion/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/nix" = {
+    device = "sysion/root/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "sysion/home";
+    fsType = "zfs";
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/2178-694E";
+    device = "/dev/disk/by-uuid/06AD-825C";
    fsType = "vfat";
  };

@@ -102,7 +112,8 @@
    options = [ "bind" ];
  };

-  swapDevices = [ ];
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -110,7 +121,7 @@
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -11,12 +11,12 @@ in {
    useNetworkd = true;
    dhcpcd.enable = false;
  };
-  systemd.services."systemd-networkd-wait-online".enable = false;
+  systemd.network.wait-online.enable = false;

  # Assign a static IP
  systemd.network.networks."24-home" = {
-    name = "eth0";
-    matchConfig.Name = "eth0";
+    name = "end0";
+    matchConfig.Name = "end0";
    address = [ "192.168.13.2/24" ];
    gateway = [ "192.168.13.1" ];
    dns = [ "192.168.13.2" ];
@@ -57,7 +57,9 @@ in {
      53 # DNS
    ];
    extraCommands = ''
-      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
    '';
  };

@@ -101,23 +103,22 @@ in {
  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
-    servers = [ "51.158.108.203" "137.220.55.93" ];
-    extraConfig = ''
-      domain-needed
-      bogus-priv
-      no-resolv
+    settings = {
+      domain-needed = true;
+      bogus-priv = true;
+      no-resolv = true;

-      listen-address=127.0.0.1,192.168.13.2,10.8.0.1
-      bind-interfaces
+      listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
+      bind-interfaces = true;
+      server = [ "51.158.108.203" "137.220.55.93" ];

-      cache-size=10000
-      local-ttl=300
+      cache-size = 10000;
+      local-ttl = 300;

-      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+      conf-file = "/var/lib/dnsmasq/dnsmasq.blacklist.txt";

-      address=/coolneng.duckdns.org/192.168.13.2
-    '';
+      address = "/coolneng.duckdns.org/192.168.13.2";
+    };
  };

 }
-
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -14,6 +14,7 @@ in {
  };

  # Fetch hosts-blocklists daily
+  # FIXME Download the list if the file doesn't exist the first time
  systemd.services.download-dns-blocklist = {
    description = "Download hosts-blocklists";
    wantedBy = [ "default.target" ];
@@ -25,16 +26,16 @@ in {
    serviceConfig.Type = "oneshot";
    postStop = ''
      chown -R dnsmasq ${stateDir}
-      systemctl restart dnsmasq
    '';
+    requiredBy = [ "dnsmasq.service" ];
    after = [ "wireguard-wg0.service" ];
    startAt = "02:00:00";
  };

-  # Enable SATA HAT
+  # Enable SATA HAT fans
  systemd.services.sata-hat = {
    description = "Enable software support for SATA Hat";
-    wantedBy = [ "zfs-import.target" ];
+    wantedBy = [ "default.target" ];
    script = ''
      ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
    '';
@@ -45,30 +46,6 @@ in {
        ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
      '';
    };
-    before = [ "zfs-import.target" "zfs-import-vault.service" "umount.target" ];
-    requires = [ "systemd-udev-settle.service" ];
-    after = [ "systemd-udev-settle.service" ];
-    conflicts = [ "umount.target" ];
-    requiredBy = [ "syncthing.service" "radicale.service" "gitea.service" ];
-  };
-
-  # HACK: restart services dependent on ZFS afer mount
-  systemd.services.restart-services-mount = {
-    description = "Restart services after the ZFS dataset is mounted";
-    wantedBy = [ "default.target" ];
-    script = ''
-      sleep 5
-      systemctl restart syncthing
-      systemctl restart radicale
-      systemctl restart gitea
-      systemctl restart podman-openbooks
-      systemctl restart podman-mqtt2prometheus
-      systemctl restart podman-mongodb
-      systemctl restart podman-nightscout
-    '';
-    serviceConfig.Type = "oneshot";
-    requires = [ "sata-hat.service" ];
-    after = [ "vault.mount" ];
  };

  # Idle HDDs when not used
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -8,6 +8,7 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
+    recommendedBrotliSettings = true;
    clientMaxBodySize = "0";
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
@@ -221,5 +222,8 @@
    "dendrite.service"
    "phpfpm-wallabag.service"
    "systemd-tmpfiles-setup.service"
+    "podman-openbooks.service"
+    "podman-mqtt2prometheus.service"
+    "podman-nightscout.service"
  ];
 }