Fixup heater, prepare for compute rig
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
parent
39e63f2e09
commit
6f18aa5f55
|
@ -12,6 +12,7 @@
|
|||
(lib')
|
||||
flip
|
||||
mapAttrs
|
||||
loadSecrets
|
||||
singleton
|
||||
;
|
||||
|
||||
|
@ -24,7 +25,7 @@ in {
|
|||
specialArgs = {
|
||||
config' = config';
|
||||
inputs' = inputs;
|
||||
secret = lib'.loadSecrets;
|
||||
secret = loadSecrets inputs.secret;
|
||||
};
|
||||
modules =
|
||||
singleton
|
||||
|
@ -34,32 +35,24 @@ in {
|
|||
...
|
||||
}: {
|
||||
imports = [
|
||||
./xserver.nix
|
||||
../../common/steam.nix
|
||||
./grub.nix
|
||||
./networking.nix
|
||||
./filesystems.nix
|
||||
./hardware.nix
|
||||
./users.nix
|
||||
./nixpkgs.nix
|
||||
../../common/sound.nix
|
||||
];
|
||||
./impermenance.nix
|
||||
../../common/remote_access.nix
|
||||
|
||||
_module.args.nixinate = {
|
||||
host = secret.network.ips.heater or "";
|
||||
sshUser = "main";
|
||||
buildOn = "local";
|
||||
substituteOnTarget = true;
|
||||
hermetic = false;
|
||||
nixOptions = [
|
||||
"--override-input secret path://$HOME/dotfiles/secret"
|
||||
inputs.notnft.nixosModules.default
|
||||
inputs.self.nixosModules.notnft
|
||||
inputs.impermenance.nixosModules.impermanence
|
||||
];
|
||||
};
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
system.stateVersion = "20.09";
|
||||
system.stateVersion = "23.11";
|
||||
});
|
||||
};
|
||||
}
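Review bot: `system.stateVersion = "23.11";` replaces `"20.09"` on a host that has existed since that release; stateVersion pins stateful defaults and NixOS documents it as something not to bump on an existing installation. The new disk UUIDs and the `heater-ssd` pool in the filesystems.nix hunk suggest this commit describes a reinstall, in which case the bump is correct, but nothing in the file says so; a one-line comment would spare the next reader the same check, e.g. `system.stateVersion = "23.11"; # fresh install on heater-ssd; never bump this on an in-place upgrade`. The same applies to `home.stateVersion = "23.11";` in the users.nix hunk further down.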
|
||||
|
|
|
@ -1,75 +1,58 @@
|
|||
{secret, ...}: let
|
||||
nfsOptions = [
|
||||
"noauto"
|
||||
"X-mount.mkdir"
|
||||
"x-systemd.device-timeout=10"
|
||||
"timeo=14"
|
||||
"soft"
|
||||
"noatime"
|
||||
"x-systemd.after=wireguard-wg0.target"
|
||||
"x-systemd.wants=wireguard-wg0.target"
|
||||
];
|
||||
|
||||
blowholeAddress = secret.network.ips.blowhole.dns or "";
|
||||
in {
|
||||
systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "heater-zpool/local/root";
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
options = ["defaults" "size=512M" "mode=755" "noexec"];
|
||||
};
|
||||
|
||||
"/tmp" = {
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
options = ["defaults" "size=512M" "mode=755"];
|
||||
};
|
||||
|
||||
"/nix/persist" = {
|
||||
device = "heater-ssd/persist";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
"/nix" = {
|
||||
device = "heater-zpool/local/nix";
|
||||
device = "heater-ssd/local/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
"/home" = {
|
||||
device = "heater-zpool/safe/home";
|
||||
device = "heater-ssd/ephemeral/home";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
"/var/lib/nomad" = {
|
||||
device = "heater-zpool/persist/nomad";
|
||||
"/root" = {
|
||||
device = "heater-ssd/ephemeral/root";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
"/var/lib/syncthing" = {
|
||||
device = "heater-zpool/persist/syncthing";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
"/etc/vault-agent" = {
|
||||
device = "heater-zpool/persist/vault-agent";
|
||||
"/nix/tmp" = {
|
||||
device = "heater-ssd/ephemeral/nix-tmp";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/5e590840-9e62-4231-8ac5-e6a27325254d";
|
||||
device = "/dev/disk/by-uuid/c0a6bfbb-3553-4dc9-a299-b70070b8a52b";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
"/boot/EFI" = {
|
||||
device = "/dev/disk/by-uuid/D381-9D12";
|
||||
device = "/dev/disk/by-uuid/90B0-657C";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
"/mnt/cartman" = {
|
||||
device = "${blowholeAddress}:/mnt/cartman";
|
||||
fsType = "nfs";
|
||||
options = nfsOptions;
|
||||
};
|
||||
|
||||
"/mnt/kyle" = {
|
||||
device = "${blowholeAddress}:/mnt/kyle";
|
||||
fsType = "nfs";
|
||||
options = nfsOptions;
|
||||
};
|
||||
|
||||
"/mnt/stan" = {
|
||||
device = "${blowholeAddress}:/mnt/stan";
|
||||
fsType = "nfs";
|
||||
options = nfsOptions;
|
||||
};
|
||||
};
|
||||
|
||||
swapDevices = [];
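Review bot: The `"/tmp"` entry (`options = ["defaults" "size=512M" "mode=755"];`) mounts a shared scratch directory without `nosuid`, `nodev` or `noexec`, while the tmpfs root directly above it does carry `noexec`; suggest `options = ["defaults" "size=512M" "mode=1777" "nosuid" "nodev" "noexec"];`. `mode=755` also leaves /tmp writable only by root unless systemd-tmpfiles resets it to 1777 at boot, which I cannot confirm from this hunk. Since `systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";` moves build scratch off /tmp, `noexec` there should not interfere with nix builds. On this rendering the old and new side of the doubled `device = …` lines cannot be told apart, so I am reading the tmpfs and `heater-ssd` entries as the new side.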
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
...
|
||||
}: {
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.loader = {
|
||||
systemd-boot.enable = false;
|
||||
efi.canTouchEfiVariables = true;
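Review bot: `boot.initrd.systemd.enable = true;` is added without saying why, and the reason lives in another file: the new `boot.initrd.systemd.services.rollback` unit in impermenance.nix only exists under the systemd stage-1, so disabling this line later would silently drop the ZFS rollback rather than fail the build. A short comment tying the two together would help, e.g. `boot.initrd.systemd.enable = true; # required by the initrd rollback unit in ./impermenance.nix`. The enclosing attribute set starts and ends outside the hunk.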
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
singleton
|
||||
;
|
||||
|
||||
kernelPackages = pkgs.linuxKernel.packages.linux_6_1;
|
||||
kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
|
||||
in {
|
||||
boot = {
|
||||
initrd.availableKernelModules = [
|
||||
|
|
82
nixos/systems/heater/impermenance.nix
Normal file
82
nixos/systems/heater/impermenance.nix
Normal file
|
@ -0,0 +1,82 @@
|
|||
{
|
||||
inputs',
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
rollbackStart = pkgs.writeText "rollback-start" ''
|
||||
${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/home" "10"
|
||||
${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/root" "10"
|
||||
${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/nix-tmp" "10"
|
||||
'';
|
||||
in {
|
||||
nixpkgs.overlays = [
|
||||
inputs'.self.overlays.show-files-to-be-deleted
|
||||
inputs'.self.overlays.rolling_datasets
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.show-files-to-be-deleted
|
||||
];
|
||||
|
||||
environment.persistence."/nix/persist" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = [
|
||||
"/var/log"
|
||||
"/var/lib/nixos"
|
||||
"/var/lib/systemd/coredump"
|
||||
];
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
"/etc/ssh/ssh_host_rsa_key"
|
||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
];
|
||||
};
|
||||
|
||||
boot.initrd.systemd.storePaths = with pkgs; [
|
||||
zfs
|
||||
busybox
|
||||
rolling_datasets
|
||||
rollbackStart
|
||||
];
|
||||
boot.initrd.systemd.services.rollback = {
|
||||
description = "Rollback ZFS datasets to a pristine state";
|
||||
wantedBy = [
|
||||
"initrd.target"
|
||||
];
|
||||
after = [
|
||||
"zfs-import-heater-ssd.service"
|
||||
];
|
||||
before = [
|
||||
"sysroot.mount"
|
||||
];
|
||||
path = with pkgs; [
|
||||
zfs
|
||||
busybox
|
||||
];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.ExecStart = "/bin/sh ${rollbackStart}";
|
||||
};
|
||||
|
||||
systemd.services."mount-old-datasets" = {
|
||||
description = "Mount old versions of datasets";
|
||||
|
||||
wantedBy = ["local-fs.target"];
|
||||
after = ["local-fs.target"];
|
||||
|
||||
script = ''
|
||||
${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/home" "/home/.old"
|
||||
${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/root" "/root/.old"
|
||||
${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/nix-tmp" "/nix/tmp/.old"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
TimeoutStartSec = "5m";
|
||||
};
|
||||
};
|
||||
}
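Review bot: `rollbackStart` runs three `roll_dataset` calls with no `set -e`, so a failure rolling back `heater-ssd/ephemeral/home` or `.../root` does not fail the `rollback` unit (a oneshot reports the status of the last command) and the machine would boot with the previous generation's state as if the rollback had happened; prepend `set -eu` as the script's first line, or invoke it as `serviceConfig.ExecStart = "/bin/sh -e ${rollbackStart}";`. The `mount-old-datasets` unit uses NixOS's `script`, which as far as I recall already runs with `-e`, so the two scripts currently differ in failure behaviour. Separately, `/var/lib/systemd/coredump` in the persisted `directories` list keeps process memory dumps, which can contain credentials, across reboots on an otherwise ephemeral root; if that is intended for debugging, a one-line comment saying so would help, otherwise drop it.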
|
|
@ -10,12 +10,6 @@
|
|||
nixpkgs.overlays =
|
||||
(with config'.flake.overlays; [
|
||||
emacsclient-remote
|
||||
magic-screenshot
|
||||
emacs-rofi
|
||||
tree-sitter-grammars
|
||||
emacs-master-nativecomp
|
||||
ledger-compat
|
||||
thingiverse-downloader
|
||||
])
|
||||
++ (with inputs'.nixng.overlays; [
|
||||
default
|
||||
|
|
|
@ -16,8 +16,8 @@
|
|||
secret = secret;
|
||||
};
|
||||
home-manager.users.main = {
|
||||
imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")];
|
||||
imports = [(inputs'.self + "/home-manager/modules/profiles/server.nix")];
|
||||
|
||||
home.stateVersion = "21.05";
|
||||
home.stateVersion = "23.11";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit
|
||||
(lib)
|
||||
getExe
|
||||
;
|
||||
in {
|
||||
imports = [
|
||||
../../common/xserver.nix
|
||||
];
|
||||
|
||||
services.xserver.videoDrivers = ["nvidia"];
|
||||
}
|
|
@ -124,6 +124,8 @@
|
|||
[(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22 4646 8200])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.toothpick or "")) accept]
|
||||
# TCP 22 altra
|
||||
[(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept]
|
||||
# TCP 22 heater
|
||||
[(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.heater or "")) accept]
|
||||
# ICMP to blowhole, toothpick, altra
|
||||
[(is.eq ip.protocol (f: f.icmp)) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (set [(secret.network.ips.toothpick or "") (secret.network.ips.altra.ip or "") (secret.network.ips.blowhole.ip or "")])) accept]
|
||||
[(is.eq ip.protocol (f: f.tcp)) (is.eq th.dport 8883) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept]
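Review bot: The new `# TCP 22 heater` rule falls back to `""` for both addresses (`secret.network.ips.omen.vpn or ""`, `secret.network.ips.heater or ""`), following the rules above it; for an `accept` rule that fallback points the wrong way, since a missing secret entry should abort evaluation rather than yield an accept with an empty address, whatever notnft ends up emitting for `""`. Dropping the fallback on the new line, `(is.eq ip.daddr secret.network.ips.heater)`, makes the build fail closed; the existing rules have the same shape but are outside this commit's change. If the `or ""` exists so the flake still evaluates without the secret input, a comment stating that on the rule list would save the next reader from removing it. The enclosing rule list starts and ends outside the hunk.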
|
||||
|
|