wip vno1-oh2

This commit is contained in:
Motiejus Jakštys 2023-07-22 16:05:44 +03:00
parent 7ac1264454
commit f4446cb506
6 changed files with 357 additions and 8 deletions

View File

@ -36,15 +36,15 @@
myData = import ./data.nix;
in
{
nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./hosts/vm/configuration.nix
./modules
];
#nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# modules = [
# ./hosts/vm/configuration.nix
# ./modules
# ];
specialArgs = {inherit myData;} // inputs;
};
# specialArgs = {inherit myData;} // inputs;
#};
nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
@ -72,6 +72,24 @@
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./hosts/vno1-oh2/configuration.nix
./modules
agenix.nixosModules.default
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
}
];
specialArgs = {inherit myData;} // inputs;
};
deploy.nodes.hel1-a = {
hostname = "hel1-a.servers.jakst";
profiles = {
@ -84,6 +102,18 @@
};
};
deploy.nodes.vno1-oh2 = {
hostname = "192.168.189.1";
profiles = {
system = {
sshUser = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
};
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
}
// flake-utils.lib.eachDefaultSystem (system: let

View File

@ -0,0 +1,68 @@
{
config,
pkgs,
myData,
...
}: {
zfs-root = {
boot = {
enable = true;
devNodes = "/dev/disk/by-id/";
bootDevices = ["nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P"];
immutable = false;
availableKernelModules = ["ahci" "xhci_pci" "nvme" "usbhid" "sdhci_pci" "r8169"];
removableEfi = true;
kernelParams = [
"ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp3s0:off"
];
sshUnlock = {
enable = true;
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
};
};
};
mj = {
stateVersion = "23.05";
timeZone = "Europe/Vilnius";
base = {
users.passwd = {
root.passwordFile = config.age.secrets.root-passwd-hash.path;
motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path;
};
};
};
services = {
tailscale.enable = true;
nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
};
};
zfs = {
autoScrub.enable = true;
trim.enable = true;
expandOnBoot = "all";
};
};
networking = {
hostId = "f9117e1b";
hostName = "vno1-oh2";
domain = "jakstys.lt";
defaultGateway = "192.168.189.4";
nameservers = ["192.168.189.4"];
interfaces.enp3s0.ipv4.addresses = [
{
address = "192.168.189.1";
prefixLength = 24;
}
];
};
}

6
modules/base/README.md Normal file
View File

@ -0,0 +1,6 @@
## From https://github.com/ne9z/dotfiles-flake, branch openzfs-guide
857dea48debb4d45021b4005784919e96e63cc4a
boot/
fileSystems/

View File

@ -0,0 +1,171 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.zfs-root.boot;
inherit (lib) mkIf types mkDefault mkOption mkMerge strings;
inherit (builtins) head toString map tail;
in {
options.zfs-root.boot = {
enable = mkOption {
description = "Enable root on ZFS support";
type = types.bool;
default = false; # TODO: change by @motiejus
};
devNodes = mkOption {
description = "Specify where to discover ZFS pools";
type = types.str;
apply = x:
assert (strings.hasSuffix "/" x
|| abort "devNodes '${x}' must have trailing slash!"); x;
default = "/dev/disk/by-id/";
};
bootDevices = mkOption {
description = "Specify boot devices";
type = types.nonEmptyListOf types.str;
};
availableKernelModules = mkOption {
type = types.nonEmptyListOf types.str;
default = ["uas" "nvme" "ahci"];
};
kernelParams = mkOption {
type = types.listOf types.str;
default = [];
};
immutable = mkOption {
description = "Enable root on ZFS immutable root support";
type = types.bool;
default = false;
};
removableEfi = mkOption {
description = "install bootloader to fallback location";
type = types.bool;
default = true;
};
partitionScheme = mkOption {
default = {
biosBoot = "-part5";
efiBoot = "-part1";
swap = "-part4";
bootPool = "-part2";
rootPool = "-part3";
};
description = "Describe on disk partitions";
type = types.attrsOf types.str;
};
sshUnlock = {
enable = mkOption {
type = types.bool;
default = false;
};
authorizedKeys = mkOption {
type = types.listOf types.str;
default = [];
};
};
};
config = mkIf (cfg.enable) (mkMerge [
{
zfs-root.fileSystems.datasets = {
"rpool/nixos/home" = mkDefault "/home";
"rpool/nixos/var/lib" = mkDefault "/var/lib";
"rpool/nixos/var/log" = mkDefault "/var/log";
"rpool/nixos/nix" = mkDefault "/nix";
"bpool/nixos/root" = "/boot";
};
}
(mkIf (!cfg.immutable) {
zfs-root.fileSystems.datasets = {"rpool/nixos/root" = "/";};
})
(mkIf cfg.immutable {
zfs-root.fileSystems = {
datasets = {
"rpool/nixos/empty" = "/";
"rpool/nixos/root" = "/oldroot";
};
bindmounts = {
"/oldroot/nix" = "/nix";
"/oldroot/etc/nixos" = "/etc/nixos";
};
};
boot.initrd.postDeviceCommands = ''
if ! grep -q zfs_no_rollback /proc/cmdline; then
zpool import -N rpool
zfs rollback -r rpool/nixos/empty@start
zpool export -a
fi
'';
})
{
zfs-root.fileSystems = {
efiSystemPartitions =
map (diskName: diskName + cfg.partitionScheme.efiBoot)
cfg.bootDevices;
swapPartitions =
map (diskName: diskName + cfg.partitionScheme.swap) cfg.bootDevices;
};
boot = {
kernelPackages =
mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = cfg.availableKernelModules;
kernelParams = cfg.kernelParams;
supportedFilesystems = ["zfs"];
zfs = {
devNodes = cfg.devNodes;
forceImportRoot = mkDefault false;
};
loader = {
efi = {
canTouchEfiVariables =
if cfg.removableEfi
then false
else true;
efiSysMountPoint =
"/boot/efis/"
+ (head cfg.bootDevices)
+ cfg.partitionScheme.efiBoot;
};
generationsDir.copyKernels = true;
grub = {
enable = true;
devices = map (diskName: cfg.devNodes + diskName) cfg.bootDevices;
efiInstallAsRemovable = cfg.removableEfi;
copyKernels = true;
efiSupport = true;
zfsSupport = true;
extraInstallCommands = toString (map (diskName: ''
set -x
${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${cfg.partitionScheme.efiBoot}
set +x
'') (tail cfg.bootDevices));
};
};
};
}
(mkIf cfg.sshUnlock.enable {
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
hostKeys = [
"/var/lib/ssh_unlock_zfs_ed25519_key"
"/var/lib/ssh_unlock_zfs_rsa_key"
];
authorizedKeys = cfg.sshUnlock.authorizedKeys;
};
# FIXME vendored change by motiejus
#postCommands = ''
# tee -a /root/.profile >/dev/null <<EOF
# if zfs load-key rpool/nixos; then
# pkill zfs
# fi
# exit
# EOF'';
};
};
})
]);
}

View File

@ -5,7 +5,9 @@
...
}: {
imports = [
./boot
./initrd
./fileSystems
./snapshot
./sshd
./unitstatus

View File

@ -0,0 +1,72 @@
{
config,
lib,
...
}: let
cfg = config.zfs-root.fileSystems;
inherit (lib) mkIf types mkDefault mkOption mkMerge mapAttrsToList;
in {
options.zfs-root.fileSystems = {
datasets = mkOption {
description = "Set mountpoint for datasets";
type = types.attrsOf types.str;
default = {};
};
bindmounts = mkOption {
description = "Set mountpoint for bindmounts";
type = types.attrsOf types.str;
default = {};
};
efiSystemPartitions = mkOption {
description = "Set mountpoint for efi system partitions";
type = types.listOf types.str;
default = [];
};
swapPartitions = mkOption {
description = "Set swap partitions";
type = types.listOf types.str;
default = [];
};
};
config.fileSystems = mkMerge (mapAttrsToList (dataset: mountpoint: {
"${mountpoint}" = {
device = "${dataset}";
fsType = "zfs";
options = ["X-mount.mkdir" "noatime"];
neededForBoot = true;
};
})
cfg.datasets
++ mapAttrsToList (bindsrc: mountpoint: {
"${mountpoint}" = {
device = "${bindsrc}";
fsType = "none";
options = ["bind" "X-mount.mkdir" "noatime"];
};
})
cfg.bindmounts
++ map (esp: {
"/boot/efis/${esp}" = {
device = "${config.zfs-root.boot.devNodes}${esp}";
fsType = "vfat";
options = [
"x-systemd.idle-timeout=1min"
"x-systemd.automount"
"noauto"
"nofail"
"noatime"
"X-mount.mkdir"
];
};
})
cfg.efiSystemPartitions);
config.swapDevices = mkDefault (map (swap: {
device = "${config.zfs-root.boot.devNodes}${swap}";
discardPolicy = mkDefault "both";
randomEncryption = {
enable = true;
allowDiscards = mkDefault true;
};
})
cfg.swapPartitions);
}