coolneng/zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolneng:b8ae40febd239bdd67e362c604316c4f7077c815
Branches Tags
coolneng:master
...
compare: coolneng:db447ddb8bd0b31bb69eeb097c9325a905680add
Branches Tags
coolneng:master

10 Commits
b8ae40febd ... db447ddb8b

Author SHA1 Message Date
coolneng
db447ddb8b
Refer to main users SSH keys for root 2025-02-28 04:16:14 +01:00
coolneng
45562df6cf
Use DNS-01 for ACME 2025-02-28 04:16:06 +01:00
coolneng
0b3e10fd70
Change CPU architecture of podman containers 2025-02-28 04:14:44 +01:00
coolneng
f2386e8020
Adapt ddclient to upstream changes 2025-02-28 04:14:25 +01:00
coolneng
9504d4c5a1
Disable automatic ZFS encrypted dataset import 2025-02-27 21:05:22 +01:00
coolneng
9335bdeac9
Enabled Aoostar R1 specific tweaks 2025-02-27 21:05:22 +01:00
coolneng
3b471f8e32
Add installation script 2025-02-27 21:05:22 +01:00
coolneng
ccd5019abd
Upgrade to NixOS 24.11 2025-02-27 21:05:22 +01:00
coolneng
a0573d8aab
Adapt LAN configuration 2025-02-27 21:05:22 +01:00
coolneng
a389e1395d
Remove Raspberry Pi 4 specific bits 2025-02-27 18:00:49 +01:00
13 changed files with 395 additions and 305 deletions
Show Stats Expand all files Collapse all files

64
configuration.nix
View File

@ -9,13 +9,41 @@
with pkgs;
{
# Kernel configuration
boot = {
blacklistedKernelModules = [
"btusb"
"bluetooth"
];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"zfs.zfs_arc_min=1073741824"
];
supportedFilesystems = [ "zfs" ];
zfs = {
requestEncryptionCredentials = false;
extraPools = [ "vault" ];
};
};
# Secure boot using lanzaboote
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = false;
configurationLimit = 50;
editor = false;
};
timeout = 3;
};
# Declare system packages
environment.systemPackages = [
libraspberrypi
htop
neovim
git
inputs.agenix.packages.aarch64-linux.default
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
];
# Configure basic SSH access
@ -57,12 +85,6 @@ with pkgs;
time.timeZone = "Europe/Brussels";
services.timesyncd.enable = true;
# Enable ZFS support
boot.supportedFilesystems = [ "zfs" ];
# Don't import encrypted datasets
boot.zfs.requestEncryptionCredentials = false;
# Scrub zpool monthly
services.zfs.autoScrub = {
enable = true;
@ -73,9 +95,9 @@ with pkgs;
nix = {
settings = {
auto-optimise-store = true;
experimental-features = [
"nix-command"
"flakes"
trusted-users = [
"root"
"coolneng"
];
};
gc = {
@ -87,6 +109,7 @@ with pkgs;
keep-outputs = true
keep-derivations = true
gc-keep-outputs = true
experimental-features = nix-command flakes
'';
};
@ -104,9 +127,7 @@ with pkgs;
programs.fish.enable = true;
users.users.root = {
shell = "${fish}/bin/fish";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
];
openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys;
};
# Keep logs for a month
@ -123,7 +144,7 @@ with pkgs;
programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
# NixOS version
system.stateVersion = "22.05";
system.stateVersion = "24.11";
# Specify secrets
age = {
@ -186,6 +207,11 @@ with pkgs;
owner = "matrix-as-signal";
group = "matrix-as-signal";
};
secrets.acme = {
file = secrets/acme.age;
owner = "acme";
group = "nginx";
};
identityPaths = [ "/etc/ssh/id_ed25519" ];
};
@ -199,15 +225,6 @@ with pkgs;
];
};
# Limit the memory and CPU use of Nix
systemd.services.nixos-upgrade.serviceConfig = {
MemoryHigh = [ "500M" ];
MemoryMax = [ "2G" ];
MemorySwapMax = [ "500M" ];
CPUWeight = [ "50" ];
CPUQuota = [ "50%" ];
};
# Configure git for auto-upgrade
programs.git = {
enable = true;
@ -233,7 +250,6 @@ with pkgs;
./modules/periodic.nix
./modules/communication.nix
./modules/information.nix
./modules/device.nix
./modules/containers.nix
];

242
flake.lock generated
View File

@ -23,6 +23,39 @@
"type": "github"
}
},
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -61,6 +94,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1641205782,
@ -76,6 +125,67 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -97,10 +207,37 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-matrix-appservices": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
@ -137,34 +274,51 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1729742320,
"narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
"lastModified": 1740646007,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1733384649,
"narHash": "sha256-K5DJ2LpPqht7K76bsxetI+YHhGGRyVteTPRQaIIKJpw=",
"lastModified": 1740463929,
"narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "190c31a89e5eec80dd6604d7f9e5af3802a58a13",
"rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"ref": "nixos-24.11",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1729880355,
@ -180,15 +334,72 @@
"type": "indirect"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"lanzaboote": "lanzaboote",
"nix-matrix-appservices": "nix-matrix-appservices",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -203,6 +414,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

8
flake.nix
View File

@ -2,13 +2,13 @@
description = "System configuration for zion";
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05";
nixpkgs.url = "nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware.url = "github:NixOS/nixos-hardware";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nix-matrix-appservices = {
url = "gitlab:coffeetables/nix-matrix-appservices";
inputs.nixpkgs.follows = "nixpkgs";
@ -26,7 +26,7 @@
...
}@inputs:
let
system = "aarch64-linux";
system = "x86_64-linux";
pkgs = import pkgs { inherit system; };
@ -41,8 +41,8 @@
modules = [
(import ./configuration.nix)
agenix.nixosModules.age
nixos-hardware.nixosModules.raspberry-pi-4
nix-matrix-appservices.nixosModule
nixos-hardware.nixosModules.aoostar-r1-n100
];
specialArgs = {
inherit inputs;

4
modules/containers.nix
View File

@ -20,7 +20,7 @@
containers = {
# Openbooks configuration
openbooks = {
image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590";
ports = [ "127.0.0.1:9000:80" ];
cmd = [
"--name"
@ -34,7 +34,7 @@
};
# Prometheus MQTT integration
mqtt2prometheus = {
image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714";
ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
};

41
modules/device.nix
View File

@ -1,41 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with pkgs;
{
# A bunch of boot parameters needed for optimal runtime on RPi 4B
boot.kernelPackages = linuxPackages_rpi4;
boot.kernelParams = [
"zfs.zfs_arc_max=134217728"
"console=TTYAMA0,115200"
"console=tty1"
"8250.nr_uarts=1"
"iomem=relaxed"
"strict-devmem=0"
];
# Enable SATA-HAT GPIO features
boot.loader = {
grub.enable = false;
generic-extlinux-compatible.enable = lib.mkForce false;
raspberryPi = {
enable = true;
version = 4;
firmwareConfig = ''
iomem=relaxed
strict-devmem=0
'';
};
};
# Load PWM hardware timers
hardware.raspberry-pi."4".pwm0.enable = true;
# Enable I2C
hardware.raspberry-pi."4".i2c1.enable = true;
}

158
modules/hardware-configuration.nix
View File

@ -1,146 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"usb_storage"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "sysion/root";
fsType = "zfs";
};
fileSystems."/" =
{ device = "sysion/stateful/root";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "sysion/root/nix";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "sysion/ephemeral/nix";
fsType = "zfs";
};
fileSystems."/home" = {
device = "sysion/home";
fsType = "zfs";
};
fileSystems."/tmp" =
{ device = "sysion/ephemeral/tmp";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/EB8C-3C86";
fsType = "vfat";
};
fileSystems."/home/coolneng" =
{ device = "sysion/stateful/home";
fsType = "zfs";
};
fileSystems."/var/lib/prometheus2" = {
device = "vault/state_directories/prometheus";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C332-4650";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/var/lib/grafana" = {
device = "vault/state_directories/grafana";
fsType = "zfs";
};
fileSystems."/var/lib/gitea" = {
device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-facebook" = {
device = "vault/state_directories/matrix-as-facebook";
fsType = "zfs";
};
fileSystems."/var/lib/signald" = {
device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" = {
device = "vault/state_directories/matrix-as-signal";
fsType = "zfs";
};
fileSystems."/vault" = {
device = "vault";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" = {
device = "vault/state_directories/matrix-as-telegram";
fsType = "zfs";
};
fileSystems."/vault/backups" = {
device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/mosquitto" = {
device = "vault/mosquitto";
fsType = "zfs";
};
fileSystems."/vault/radicale" = {
device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/git" = {
device = "vault/git";
fsType = "zfs";
};
fileSystems."/vault/syncthing" = {
device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/vault/backups/zion" = {
device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" = {
device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" = {
device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/var/lib/containers/storage/overlay" = {
device = "/var/lib/containers/storage/overlay";
fsType = "none";
options = [ "bind" ];
};
swapDevices = [ { device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; } ];
swapDevices =
[ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
# networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

18
modules/networking.nix
View File

@ -13,7 +13,7 @@ in
# Enable systemd-networkd
networking = {
hostName = "zion";
hostId = "4e74ea68";
hostId = "760bfad7";
useDHCP = false;
useNetworkd = true;
dhcpcd.enable = false;
@ -22,10 +22,10 @@ in
# Assign a static IP
systemd.network.networks."24-home" = {
name = "end0";
matchConfig.Name = "end0";
address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ];
name = "enp2s0";
matchConfig.Name = "enp2s0";
address = [ "192.168.129.2/23" ];
gateway = [ "192.168.128.1" ];
dns = [
"1.1.1.1"
"9.9.9.9"
@ -37,7 +37,6 @@ in
services.ddclient = {
enable = true;
quiet = true;
use = "web, web=freedns";
interval = "30min";
protocol = "duckdns";
domains = [ "coolneng.duckdns.org" ];
@ -91,8 +90,7 @@ in
matchConfig.Name = "wg0";
networkConfig = {
Address = "10.8.0.1/24";
IPForward = true;
IPMasquerade = "ipv4";
IPv4Forwarding = true;
};
};
@ -106,7 +104,7 @@ in
listen-address = [
"127.0.0.1"
"192.168.13.2"
"192.168.129.2"
"10.8.0.1"
];
bind-interfaces = true;
@ -118,7 +116,7 @@ in
conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
dnssec = false;
address = "/coolneng.duckdns.org/192.168.13.2";
address = "/coolneng.duckdns.org/192.168.129.2";
};
};

16
modules/periodic.nix
View File

@ -35,22 +35,6 @@ in
startAt = "02:00:00";
};
# Enable SATA HAT fans
systemd.services.sata-hat = {
description = "Enable software support for SATA Hat";
wantedBy = [ "default.target" ];
script = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStop = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
'';
};
};
# Push zion changes to git daily
systemd.user.services.zion-push = {
description = "Push zion changes to git";

11
modules/webstack.nix
View File

@ -175,14 +175,13 @@
acceptTerms = true;
defaults = {
email = "akasroua@disroot.org";
dnsResolver = "127.0.0.1:53";
group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
ocspMustStaple = true;
};
certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
name: value: "${name}"
) config.services.nginx.virtualHosts;
certs."coolneng.duckdns.org" = {
domain = "*.coolneng.duckdns.org";
dnsProvider = "duckdns";
environmentFile = config.age.secrets.acme.path;
};
};
# Generate dhparams

71
scripts/SATA-hat.sh
View File

@ -1,71 +0,0 @@
#!/bin/sh
BASE_PATH=/sys/class
GPIO_PATH="$BASE_PATH"/gpio
PWM_PATH="$BASE_PATH"/pwm/pwmchip0
# GPIO pins
CPU_FAN=12
HDD_FAN=13
# Values
LOW=0
HIGH=1
export_pin() {
if [ ! -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/export
fi
}
unexport_pin() {
if [ -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/unexport
fi
}
set_gpio() {
export_pin "$1"
echo "out" >$GPIO_PATH/gpio"$1"/direction
echo "$2" >$GPIO_PATH/gpio"$1"/value
if [ "$3" = "clean" ]; then
unexport_pin "$1"
fi
}
enable_pwm_channel() {
echo "$1" >$PWM_PATH/export
echo 40000 >$PWM_PATH/pwm"$1"/period
echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
echo 1 >$PWM_PATH/pwm"$1"/enable
}
set_pwm() {
if [ "$1" = "clean" ]; then
echo 1 >$PWM_PATH/unexport
else
enable_pwm_channel 1
fi
}
turn_on() {
set_gpio $CPU_FAN $HIGH
set_gpio $HDD_FAN $HIGH
set_pwm
}
turn_off() {
set_gpio $CPU_FAN $LOW clean
set_gpio $HDD_FAN $LOW clean
set_pwm clean
}
trap turn_off INT
if [ "$1" = "on" ]; then
turn_on
else
turn_off
fi
exit 0

66
scripts/install.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/sh
partition_disk() {
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
parted "$DISK" -- mkpart primary 17409MiB 100%
parted "$DISK" -- set 1 boot on
mkfs.fat -F32 -n BOOT "$DISK"p1
mkswap "$DISK"p2
swapon "$DISK"p2
}
zfs_setup() {
zpool import -f vault
zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
-O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
-O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
}
mount_datasets() {
mount -t zfs sysion/stateful/root /mnt
mkdir -p /mnt/boot
mount "$DISK"p1 /mnt/boot
mkdir -p /mnt/home/coolneng
mount -t zfs sysion/stateful/home /mnt/home/coolneng
mkdir -p /mnt/nix
mount -t zfs sysion/ephemeral/nix /mnt/nix
mkdir -p /mnt/tmp
mount -t zfs sysion/ephemeral/tmp /mnt/tmp
}
install_system() {
nixos-generate-config --root /mnt
mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
}
usage() {
echo "Usage: install.sh <disk>"
echo "disk: full path to the disk (e.g. /dev/sda)"
exit 1
}
if [ $# != 1 ]; then
usage
fi
DISK="$1"
POOL_NAME="sysion"
echo "Let's start by partitioning the disk"
partition_disk
echo "Starting up the ZFS machinery"
zfs_setup
echo "Mounting the horse"
mount_datasets
echo "Lift off to the NixOS planet"
install_system
echo "All ready, time to rejoice"

BIN
secrets/acme.age Normal file
View File

Binary file not shown.

1
secrets/secrets.nix
View File

@ -16,4 +16,5 @@ in
"mqtt-receiver.age".publicKeys = [ zion ];
"facebook.age".publicKeys = [ zion ];
"signal.age".publicKeys = [ zion ];
"acme.age".publicKeys = [ zion ];
}