

No commits in common. "db447ddb8bd0b31bb69eeb097c9325a905680add" and "b8ae40febd239bdd67e362c604316c4f7077c815" have entirely different histories.

13 changed files with 305 additions and 395 deletions


@ -9,41 +9,13 @@
with pkgs; with pkgs;
{ {
# Kernel configuration
boot = {
blacklistedKernelModules = [
"btusb"
"bluetooth"
];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"zfs.zfs_arc_min=1073741824"
];
supportedFilesystems = [ "zfs" ];
zfs = {
requestEncryptionCredentials = false;
extraPools = [ "vault" ];
};
};
# Secure boot using lanzaboote
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = false;
configurationLimit = 50;
editor = false;
};
timeout = 3;
};
# Declare system packages # Declare system packages
environment.systemPackages = [ environment.systemPackages = [
libraspberrypi libraspberrypi
htop htop
neovim neovim
git git
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default inputs.agenix.packages.aarch64-linux.default
]; ];
# Configure basic SSH access # Configure basic SSH access
@ -85,6 +57,12 @@ with pkgs;
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
services.timesyncd.enable = true; services.timesyncd.enable = true;
# Enable ZFS support
boot.supportedFilesystems = [ "zfs" ];
# Don't import encrypted datasets
boot.zfs.requestEncryptionCredentials = false;
# Scrub zpool monthly # Scrub zpool monthly
services.zfs.autoScrub = { services.zfs.autoScrub = {
enable = true; enable = true;
@ -95,9 +73,9 @@ with pkgs;
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ experimental-features = [
"root" "nix-command"
"coolneng" "flakes"
]; ];
}; };
gc = { gc = {
@ -109,7 +87,6 @@ with pkgs;
keep-outputs = true keep-outputs = true
keep-derivations = true keep-derivations = true
gc-keep-outputs = true gc-keep-outputs = true
experimental-features = nix-command flakes
''; '';
}; };
@ -127,7 +104,9 @@ with pkgs;
programs.fish.enable = true; programs.fish.enable = true;
users.users.root = { users.users.root = {
shell = "${fish}/bin/fish"; shell = "${fish}/bin/fish";
openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
];
}; };
# Keep logs for a month # Keep logs for a month
@ -144,7 +123,7 @@ with pkgs;
programs.fish.interactiveShellInit = "${./scripts/motd.sh}"; programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
# NixOS version # NixOS version
system.stateVersion = "24.11"; system.stateVersion = "22.05";
# Specify secrets # Specify secrets
age = { age = {
@ -207,11 +186,6 @@ with pkgs;
owner = "matrix-as-signal"; owner = "matrix-as-signal";
group = "matrix-as-signal"; group = "matrix-as-signal";
}; };
secrets.acme = {
file = secrets/acme.age;
owner = "acme";
group = "nginx";
};
identityPaths = [ "/etc/ssh/id_ed25519" ]; identityPaths = [ "/etc/ssh/id_ed25519" ];
}; };
@ -225,6 +199,15 @@ with pkgs;
]; ];
}; };
# Limit the memory and CPU use of Nix
systemd.services.nixos-upgrade.serviceConfig = {
MemoryHigh = [ "500M" ];
MemoryMax = [ "2G" ];
MemorySwapMax = [ "500M" ];
CPUWeight = [ "50" ];
CPUQuota = [ "50%" ];
};
# Configure git for auto-upgrade # Configure git for auto-upgrade
programs.git = { programs.git = {
enable = true; enable = true;
@ -250,6 +233,7 @@ with pkgs;
./modules/periodic.nix ./modules/periodic.nix
./modules/communication.nix ./modules/communication.nix
./modules/information.nix ./modules/information.nix
./modules/device.nix
./modules/containers.nix ./modules/containers.nix
]; ];
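Review bot: The comment on the new `boot.zfs.requestEncryptionCredentials = false;` line says encrypted datasets are not imported, but that option only controls whether ZFS asks for keys while importing the pool; the pool, encrypted datasets included, is still imported and those datasets just stay locked. If an encrypted dataset is ever listed with a legacy mountpoint in hardware-configuration.nix, I believe boot would then fail on the mount rather than skip it, so the comment should describe what actually happens: `# Don't prompt for ZFS encryption keys at boot; encrypted datasets stay locked until unlocked manually`. The enclosing attribute set continues outside the hunk.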

242
flake.lock generated

@ -23,39 +23,6 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -94,22 +61,6 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1641205782, "lastModified": 1641205782,
@ -125,67 +76,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -207,37 +97,10 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-matrix-appservices": { "nix-matrix-appservices": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -274,51 +137,34 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1740646007, "lastModified": 1729742320,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1740463929, "lastModified": 1733384649,
"narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=", "narHash": "sha256-K5DJ2LpPqht7K76bsxetI+YHhGGRyVteTPRQaIIKJpw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b", "rev": "190c31a89e5eec80dd6604d7f9e5af3802a58a13",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1729880355, "lastModified": 1729880355,
@ -334,72 +180,15 @@
"type": "indirect" "type": "indirect"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"lanzaboote": "lanzaboote",
"nix-matrix-appservices": "nix-matrix-appservices", "nix-matrix-appservices": "nix-matrix-appservices",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -414,21 +203,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -2,13 +2,13 @@
description = "System configuration for zion"; description = "System configuration for zion";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.11"; nixpkgs.url = "nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware";
nix-matrix-appservices = { nix-matrix-appservices = {
url = "gitlab:coffeetables/nix-matrix-appservices"; url = "gitlab:coffeetables/nix-matrix-appservices";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -26,7 +26,7 @@
... ...
}@inputs: }@inputs:
let let
system = "x86_64-linux"; system = "aarch64-linux";
pkgs = import pkgs { inherit system; }; pkgs = import pkgs { inherit system; };
@ -41,8 +41,8 @@
modules = [ modules = [
(import ./configuration.nix) (import ./configuration.nix)
agenix.nixosModules.age agenix.nixosModules.age
nixos-hardware.nixosModules.raspberry-pi-4
nix-matrix-appservices.nixosModule nix-matrix-appservices.nixosModule
nixos-hardware.nixosModules.aoostar-r1-n100
]; ];
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;


@ -20,7 +20,7 @@
containers = { containers = {
# Openbooks configuration # Openbooks configuration
openbooks = { openbooks = {
image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590"; image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
ports = [ "127.0.0.1:9000:80" ]; ports = [ "127.0.0.1:9000:80" ];
cmd = [ cmd = [
"--name" "--name"
@ -34,7 +34,7 @@
}; };
# Prometheus MQTT integration # Prometheus MQTT integration
mqtt2prometheus = { mqtt2prometheus = {
image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714"; image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
ports = [ "127.0.0.1:9641:9641" ]; ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ]; volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
}; };

41
modules/device.nix Normal file

@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}:
with pkgs;
{
# A bunch of boot parameters needed for optimal runtime on RPi 4B
boot.kernelPackages = linuxPackages_rpi4;
boot.kernelParams = [
"zfs.zfs_arc_max=134217728"
"console=TTYAMA0,115200"
"console=tty1"
"8250.nr_uarts=1"
"iomem=relaxed"
"strict-devmem=0"
];
# Enable SATA-HAT GPIO features
boot.loader = {
grub.enable = false;
generic-extlinux-compatible.enable = lib.mkForce false;
raspberryPi = {
enable = true;
version = 4;
firmwareConfig = ''
iomem=relaxed
strict-devmem=0
'';
};
};
# Load PWM hardware timers
hardware.raspberry-pi."4".pwm0.enable = true;
# Enable I2C
hardware.raspberry-pi."4".i2c1.enable = true;
}
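Review bot: `iomem=relaxed` and `strict-devmem=0` in `boot.kernelParams` switch off the kernel's /dev/mem restrictions system-wide, so any root process can map arbitrary physical memory (including kernel memory); the SATA-hat script added in this same commit only writes to the sysfs gpio/pwm interfaces, so it is worth confirming something still needs raw /dev/mem access and, if so, saying why with a comment such as `# Relax /dev/mem restrictions: needed by <tool> for direct register access; weakens kernel memory protection`. Two smaller things in the same list: `console=TTYAMA0,115200` looks like a typo for `ttyAMA0` (console device names are case-sensitive, so the serial console would silently not be set up), and repeating the two parameters in `firmwareConfig` puts them into config.txt, which as far as I know the firmware does not treat as kernel command line, so those lines are probably dead weight next to `kernelParams`.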


@ -1,58 +1,146 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [
"xhci_pci"
"usb_storage"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "sysion/stateful/root"; device = "sysion/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "sysion/ephemeral/nix"; device = "sysion/root/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/tmp" = fileSystems."/home" = {
{ device = "sysion/ephemeral/tmp"; device = "sysion/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home/coolneng" = fileSystems."/boot" = {
{ device = "sysion/stateful/home"; device = "/dev/disk/by-uuid/EB8C-3C86";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C332-4650";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = fileSystems."/var/lib/prometheus2" = {
[ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; } device = "vault/state_directories/prometheus";
]; fsType = "zfs";
};
fileSystems."/var/lib/grafana" = {
device = "vault/state_directories/grafana";
fsType = "zfs";
};
fileSystems."/var/lib/gitea" = {
device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-facebook" = {
device = "vault/state_directories/matrix-as-facebook";
fsType = "zfs";
};
fileSystems."/var/lib/signald" = {
device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" = {
device = "vault/state_directories/matrix-as-signal";
fsType = "zfs";
};
fileSystems."/vault" = {
device = "vault";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" = {
device = "vault/state_directories/matrix-as-telegram";
fsType = "zfs";
};
fileSystems."/vault/backups" = {
device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/mosquitto" = {
device = "vault/mosquitto";
fsType = "zfs";
};
fileSystems."/vault/radicale" = {
device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/git" = {
device = "vault/git";
fsType = "zfs";
};
fileSystems."/vault/syncthing" = {
device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/vault/backups/zion" = {
device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" = {
device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" = {
device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/var/lib/containers/storage/overlay" = {
device = "/var/lib/containers/storage/overlay";
fsType = "none";
options = [ "bind" ];
};
swapDevices = [ { device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; # networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
# networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true; # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }


@ -13,7 +13,7 @@ in
# Enable systemd-networkd # Enable systemd-networkd
networking = { networking = {
hostName = "zion"; hostName = "zion";
hostId = "760bfad7"; hostId = "4e74ea68";
useDHCP = false; useDHCP = false;
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
@ -22,10 +22,10 @@ in
# Assign a static IP # Assign a static IP
systemd.network.networks."24-home" = { systemd.network.networks."24-home" = {
name = "enp2s0"; name = "end0";
matchConfig.Name = "enp2s0"; matchConfig.Name = "end0";
address = [ "192.168.129.2/23" ]; address = [ "192.168.13.2/24" ];
gateway = [ "192.168.128.1" ]; gateway = [ "192.168.13.1" ];
dns = [ dns = [
"1.1.1.1" "1.1.1.1"
"9.9.9.9" "9.9.9.9"
@ -37,6 +37,7 @@ in
services.ddclient = { services.ddclient = {
enable = true; enable = true;
quiet = true; quiet = true;
use = "web, web=freedns";
interval = "30min"; interval = "30min";
protocol = "duckdns"; protocol = "duckdns";
domains = [ "coolneng.duckdns.org" ]; domains = [ "coolneng.duckdns.org" ];
@ -90,7 +91,8 @@ in
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
networkConfig = { networkConfig = {
Address = "10.8.0.1/24"; Address = "10.8.0.1/24";
IPv4Forwarding = true; IPForward = true;
IPMasquerade = "ipv4";
}; };
}; };
@ -104,7 +106,7 @@ in
listen-address = [ listen-address = [
"127.0.0.1" "127.0.0.1"
"192.168.129.2" "192.168.13.2"
"10.8.0.1" "10.8.0.1"
]; ];
bind-interfaces = true; bind-interfaces = true;
@ -116,7 +118,7 @@ in
conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf"; conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
dnssec = false; dnssec = false;
address = "/coolneng.duckdns.org/192.168.129.2"; address = "/coolneng.duckdns.org/192.168.13.2";
}; };
}; };
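Review bot: `IPMasquerade = "ipv4"` added next to `IPForward = true` on wg0 turns this host into a NAT router for every WireGuard peer, and nothing in the hunk limits where forwarded traffic may go, so any peer holding a wg0 key gets routed access to all of 192.168.13.0/24 and beyond unless a forward rule elsewhere (not visible here) restricts it. I'd record the intent with `# wg0 peers are NATed through this host; reachability is limited only by the peer list and the forward chain` and, if LAN access is not wanted for peers, add an explicit forward rule (for example via `networking.firewall.extraForwardRules` when the nftables backend is in use). The enclosing `systemd.network.networks` definition for wg0 starts before the hunk.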


@ -35,6 +35,22 @@ in
startAt = "02:00:00"; startAt = "02:00:00";
}; };
# Enable SATA HAT fans
systemd.services.sata-hat = {
description = "Enable software support for SATA Hat";
wantedBy = [ "default.target" ];
script = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStop = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
'';
};
};
# Push zion changes to git daily # Push zion changes to git daily
systemd.user.services.zion-push = { systemd.user.services.zion-push = {
description = "Push zion changes to git"; description = "Push zion changes to git";
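Review bot: The new `sata-hat` system service runs `/home/coolneng/system/scripts/SATA-hat.sh` as root from an unprivileged user's home directory, so anyone who can write that path (the coolneng account, or whatever process pushes the repo there) gets arbitrary code execution as root at every boot and again on stop. The script ships in this very commit as scripts/SATA-hat.sh, so the service can reference the Nix-store copy instead, the same way configuration.nix already does for motd.sh: `script = "${../scripts/SATA-hat.sh} on";` and `ExecStop = "${../scripts/SATA-hat.sh} off";` (the file is marked executable and carries its own shebang, so the `bash -c` wrapper becomes unnecessary). If the home-directory copy is deliberately used so edits take effect without a rebuild, that trade-off deserves a comment on the service.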


@ -175,13 +175,14 @@
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "akasroua@disroot.org"; email = "akasroua@disroot.org";
dnsResolver = "127.0.0.1:53";
group = "nginx"; group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
ocspMustStaple = true;
}; };
certs."coolneng.duckdns.org" = { certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
domain = "*.coolneng.duckdns.org"; name: value: "${name}"
dnsProvider = "duckdns"; ) config.services.nginx.virtualHosts;
environmentFile = config.age.secrets.acme.path;
};
}; };
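Review bot: `ocspMustStaple = true;` requests the OCSP Must-Staple extension, and Let's Encrypt, which is the module's default ACME server unless it is overridden outside this hunk, has announced it is winding down OCSP and no longer issues certificates carrying Must-Staple, so renewals are likely to start failing; unless you point at a CA that still supports it and run nginx with stapling enabled, drop that line. Separately, the `extraDomainNames` list built from every `config.services.nginx.virtualHosts` key will include any internal-only vhost, and a single HTTP-01 webroot challenge for a name that is not reachable from the Internet fails the whole order, so consider filtering to the public names. The enclosing `security.acme` block starts before the hunk.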
# Generate dhparams # Generate dhparams

71
scripts/SATA-hat.sh Executable file

@ -0,0 +1,71 @@
#!/bin/sh
BASE_PATH=/sys/class
GPIO_PATH="$BASE_PATH"/gpio
PWM_PATH="$BASE_PATH"/pwm/pwmchip0
# GPIO pins
CPU_FAN=12
HDD_FAN=13
# Values
LOW=0
HIGH=1
export_pin() {
if [ ! -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/export
fi
}
unexport_pin() {
if [ -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/unexport
fi
}
set_gpio() {
export_pin "$1"
echo "out" >$GPIO_PATH/gpio"$1"/direction
echo "$2" >$GPIO_PATH/gpio"$1"/value
if [ "$3" = "clean" ]; then
unexport_pin "$1"
fi
}
enable_pwm_channel() {
echo "$1" >$PWM_PATH/export
echo 40000 >$PWM_PATH/pwm"$1"/period
echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
echo 1 >$PWM_PATH/pwm"$1"/enable
}
set_pwm() {
if [ "$1" = "clean" ]; then
echo 1 >$PWM_PATH/unexport
else
enable_pwm_channel 1
fi
}
turn_on() {
set_gpio $CPU_FAN $HIGH
set_gpio $HDD_FAN $HIGH
set_pwm
}
turn_off() {
set_gpio $CPU_FAN $LOW clean
set_gpio $HDD_FAN $LOW clean
set_pwm clean
}
trap turn_off INT
if [ "$1" = "on" ]; then
turn_on
else
turn_off
fi
exit 0
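Review bot: The script ends with an unconditional `exit 0` and none of the sysfs writes are checked, so if `pwmchip0` is absent or a gpio export fails the `sata-hat` service still reports success and the fans silently stay off; an argument other than `on` is also treated as `off`. Add `set -eu` after the shebang, dispatch on the argument explicitly so typos are rejected, and drop the final `exit 0` so the exit status reflects what actually happened. With `set -e`, a failing write inside `turn_off` during the INT trap will stop the remaining cleanup, which is acceptable here or can be softened by appending `|| true` to the unexport writes.
```sh
#!/bin/sh
set -eu
# … unchanged: BASE_PATH/GPIO_PATH/PWM_PATH, pin numbers, helper functions …
trap turn_off INT
case "${1:-}" in
  on) turn_on ;;
  off) turn_off ;;
  *) echo "usage: $0 on|off" >&2; exit 2 ;;
esac
```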


@ -1,66 +0,0 @@
#!/bin/sh
partition_disk() {
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
parted "$DISK" -- mkpart primary 17409MiB 100%
parted "$DISK" -- set 1 boot on
mkfs.fat -F32 -n BOOT "$DISK"p1
mkswap "$DISK"p2
swapon "$DISK"p2
}
zfs_setup() {
zpool import -f vault
zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
-O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
-O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
}
mount_datasets() {
mount -t zfs sysion/stateful/root /mnt
mkdir -p /mnt/boot
mount "$DISK"p1 /mnt/boot
mkdir -p /mnt/home/coolneng
mount -t zfs sysion/stateful/home /mnt/home/coolneng
mkdir -p /mnt/nix
mount -t zfs sysion/ephemeral/nix /mnt/nix
mkdir -p /mnt/tmp
mount -t zfs sysion/ephemeral/tmp /mnt/tmp
}
install_system() {
nixos-generate-config --root /mnt
mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
}
usage() {
echo "Usage: install.sh <disk>"
echo "disk: full path to the disk (e.g. /dev/sda)"
exit 1
}
if [ $# != 1 ]; then
usage
fi
DISK="$1"
POOL_NAME="sysion"
echo "Let's start by partitioning the disk"
partition_disk
echo "Starting up the ZFS machinery"
zfs_setup
echo "Mounting the horse"
mount_datasets
echo "Lift off to the NixOS planet"
install_system
echo "All ready, time to rejoice"

Binary file not shown.


@ -16,5 +16,4 @@ in
"mqtt-receiver.age".publicKeys = [ zion ]; "mqtt-receiver.age".publicKeys = [ zion ];
"facebook.age".publicKeys = [ zion ]; "facebook.age".publicKeys = [ zion ];
"signal.age".publicKeys = [ zion ]; "signal.age".publicKeys = [ zion ];
"acme.age".publicKeys = [ zion ];
} }