diff --git a/flake.nix b/flake.nix index e651fe3..a376b61 100644 --- a/flake.nix +++ b/flake.nix @@ -36,15 +36,15 @@ myData = import ./data.nix; in { - nixosConfigurations.vm = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./hosts/vm/configuration.nix - ./modules - ]; + #nixosConfigurations.vm = nixpkgs.lib.nixosSystem { + # system = "x86_64-linux"; + # modules = [ + # ./hosts/vm/configuration.nix + # ./modules + # ]; - specialArgs = {inherit myData;} // inputs; - }; + # specialArgs = {inherit myData;} // inputs; + #}; nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -72,6 +72,24 @@ specialArgs = {inherit myData;} // inputs; }; + nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hosts/vno1-oh2/configuration.nix + + ./modules + + agenix.nixosModules.default + + { + age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; + } + ]; + + specialArgs = {inherit myData;} // inputs; + }; + deploy.nodes.hel1-a = { hostname = "hel1-a.servers.jakst"; profiles = { @@ -84,6 +102,18 @@ }; }; + deploy.nodes.vno1-oh2 = { + hostname = "192.168.189.1"; + profiles = { + system = { + sshUser = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vno1-oh2; + user = "root"; + }; + }; + }; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; } // flake-utils.lib.eachDefaultSystem (system: let diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix new file mode 100644 index 0000000..6fca3cd --- /dev/null +++ b/hosts/vno1-oh2/configuration.nix 
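Review bot: The two `age.secrets.*.file` declarations for vno1-oh2 live in an inline module in flake.nix, while their only consumers (`config.age.secrets.root-passwd-hash.path` and `...motiejus-passwd-hash.path`) sit in `hosts/vno1-oh2/configuration.nix` in the same commit; the declaration and the use of each secret are in different files. Moving the `age.secrets` attrset into `hosts/vno1-oh2/configuration.nix` next to `mj.base.users.passwd` would keep them together, leaving the flake with only `agenix.nixosModules.default` in `modules`. If the split is deliberate (for example because other hosts will share the same secrets block), a one-line comment above the inline module saying so would spare the next reader the search.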
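Review bot: `deploy.nodes.vno1-oh2.hostname` is the bare LAN address `"192.168.189.1"` while the sibling node is addressed by name (`hel1-a.servers.jakst`), and the host's own configuration in this commit sets `hostName = "vno1-oh2"` with `domain = "jakstys.lt"`. If that name resolves from the deploying machine, `hostname = "vno1-oh2.jakstys.lt";` keeps the two nodes consistent and keeps the SSH known_hosts entry for this host tied to the name rather than to an address that may later be reassigned. If the address is intentional (host only reachable on the LAN, name not yet published), a short comment on the `hostname` line stating that would document the choice; `sshUser = "root"` also depends on the host permitting root logins, which is not visible in this diff.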
@@ -0,0 +1,68 @@ +{ + config, + pkgs, + myData, + ... +}: { + zfs-root = { + boot = { + enable = true; + devNodes = "/dev/disk/by-id/"; + bootDevices = ["nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P"]; + immutable = false; + availableKernelModules = ["ahci" "xhci_pci" "nvme" "usbhid" "sdhci_pci" "r8169"]; + removableEfi = true; + kernelParams = [ + "ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp3s0:off" + ]; + sshUnlock = { + enable = true; + authorizedKeys = builtins.attrValues myData.ssh_pubkeys; + }; + }; + }; + + mj = { + stateVersion = "23.05"; + timeZone = "Europe/Vilnius"; + + base = { + users.passwd = { + root.passwordFile = config.age.secrets.root-passwd-hash.path; + motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path; + }; + }; + }; + + services = { + tailscale.enable = true; + + nsd = { + enable = true; + interfaces = ["0.0.0.0" "::"]; + zones = { + "jakstys.lt.".data = myData.jakstysLTZone; + }; + }; + + zfs = { + autoScrub.enable = true; + trim.enable = true; + expandOnBoot = "all"; + }; + }; + + networking = { + hostId = "f9117e1b"; + hostName = "vno1-oh2"; + domain = "jakstys.lt"; + defaultGateway = "192.168.189.4"; + nameservers = ["192.168.189.4"]; + interfaces.enp3s0.ipv4.addresses = [ + { + address = "192.168.189.1"; + prefixLength = 24; + } + ]; + }; +} diff --git a/modules/base/README.md b/modules/base/README.md new file mode 100644 index 0000000..8b527f1 --- /dev/null +++ b/modules/base/README.md @@ -0,0 +1,6 @@ +## From https://github.com/ne9z/dotfiles-flake, branch openzfs-guide + + 857dea48debb4d45021b4005784919e96e63cc4a + + boot/ + fileSystems/ diff --git a/modules/base/boot/default.nix b/modules/base/boot/default.nix new file mode 100644 index 0000000..299fa67 --- /dev/null +++ b/modules/base/boot/default.nix 
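Review bot: `services.nsd.interfaces = ["0.0.0.0" "::"]` binds the authoritative server on every address, including the Tailscale interface enabled a few lines above, yet nothing in this file touches `networking.firewall`, so port 53 is either closed by the default NixOS firewall (making the listener unreachable) or opened somewhere not shown. Since `192.168.189.1` on `enp3s0` is the only address configured here, `interfaces = ["192.168.189.1"];` would limit exposure to the address the zone is meant to be served on; if wider reachability is intended, an explicit `networking.firewall.allowedTCPPorts = [53]; networking.firewall.allowedUDPPorts = [53];` next to the nsd block, with a comment naming which networks are expected to query it, makes the intent reviewable. The `ip=` kernel parameter duplicates the address, gateway and interface set under `networking`; a comment noting that the two must be kept in sync (initrd networking for `sshUnlock` cannot read the `networking.*` options) would help future edits.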
@@ -0,0 +1,171 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.zfs-root.boot; + inherit (lib) mkIf types mkDefault mkOption mkMerge strings; + inherit (builtins) head toString map tail; +in { + options.zfs-root.boot = { + enable = mkOption { + description = "Enable root on ZFS support"; + type = types.bool; + default = false; # TODO: change by @motiejus + }; + devNodes = mkOption { + description = "Specify where to discover ZFS pools"; + type = types.str; + apply = x: + assert (strings.hasSuffix "/" x + || abort "devNodes '${x}' must have trailing slash!"); x; + default = "/dev/disk/by-id/"; + }; + bootDevices = mkOption { + description = "Specify boot devices"; + type = types.nonEmptyListOf types.str; + }; + availableKernelModules = mkOption { + type = types.nonEmptyListOf types.str; + default = ["uas" "nvme" "ahci"]; + }; + kernelParams = mkOption { + type = types.listOf types.str; + default = []; + }; + immutable = mkOption { + description = "Enable root on ZFS immutable root support"; + type = types.bool; + default = false; + }; + removableEfi = mkOption { + description = "install bootloader to fallback location"; + type = types.bool; + default = true; + }; + partitionScheme = mkOption { + default = { + biosBoot = "-part5"; + efiBoot = "-part1"; + swap = "-part4"; + bootPool = "-part2"; + rootPool = "-part3"; + }; + description = "Describe on disk partitions"; + type = types.attrsOf types.str; + }; + sshUnlock = { + enable = mkOption { + type = types.bool; + default = false; + }; + authorizedKeys = mkOption { + type = types.listOf types.str; + default = []; + }; + }; + }; + config = mkIf (cfg.enable) (mkMerge [ + { + zfs-root.fileSystems.datasets = { + "rpool/nixos/home" = mkDefault "/home"; + "rpool/nixos/var/lib" = mkDefault "/var/lib"; + "rpool/nixos/var/log" = mkDefault "/var/log"; + "rpool/nixos/nix" = mkDefault "/nix"; + "bpool/nixos/root" = "/boot"; + }; + } + (mkIf (!cfg.immutable) { + zfs-root.fileSystems.datasets = {"rpool/nixos/root" = 
"/";}; + }) + (mkIf cfg.immutable { + zfs-root.fileSystems = { + datasets = { + "rpool/nixos/empty" = "/"; + "rpool/nixos/root" = "/oldroot"; + }; + bindmounts = { + "/oldroot/nix" = "/nix"; + "/oldroot/etc/nixos" = "/etc/nixos"; + }; + }; + boot.initrd.postDeviceCommands = '' + if ! grep -q zfs_no_rollback /proc/cmdline; then + zpool import -N rpool + zfs rollback -r rpool/nixos/empty@start + zpool export -a + fi + ''; + }) + { + zfs-root.fileSystems = { + efiSystemPartitions = + map (diskName: diskName + cfg.partitionScheme.efiBoot) + cfg.bootDevices; + swapPartitions = + map (diskName: diskName + cfg.partitionScheme.swap) cfg.bootDevices; + }; + boot = { + kernelPackages = + mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages; + initrd.availableKernelModules = cfg.availableKernelModules; + kernelParams = cfg.kernelParams; + supportedFilesystems = ["zfs"]; + zfs = { + devNodes = cfg.devNodes; + forceImportRoot = mkDefault false; + }; + loader = { + efi = { + canTouchEfiVariables = + if cfg.removableEfi + then false + else true; + efiSysMountPoint = + "/boot/efis/" + + (head cfg.bootDevices) + + cfg.partitionScheme.efiBoot; + }; + generationsDir.copyKernels = true; + grub = { + enable = true; + devices = map (diskName: cfg.devNodes + diskName) cfg.bootDevices; + efiInstallAsRemovable = cfg.removableEfi; + copyKernels = true; + efiSupport = true; + zfsSupport = true; + extraInstallCommands = toString (map (diskName: '' + set -x + ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${cfg.partitionScheme.efiBoot} + set +x + '') (tail cfg.bootDevices)); + }; + }; + }; + } + (mkIf cfg.sshUnlock.enable { + boot.initrd = { + network = { + enable = true; + ssh = { + enable = true; + hostKeys = [ + "/var/lib/ssh_unlock_zfs_ed25519_key" + "/var/lib/ssh_unlock_zfs_rsa_key" + ]; + authorizedKeys = cfg.sshUnlock.authorizedKeys; + }; + # FIXME vendored change by motiejus + #postCommands = '' + # tee -a /root/.profile 
>/dev/null <