From f47b8d09f80c7dbd7e6851feccf443aa43abeee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Tue, 16 Jul 2024 05:40:40 +0300 Subject: [PATCH] fwminex: reinstall --- flake.nix | 26 +++--- hosts/fwminex/configuration.nix | 142 ++++++++++++-------------------- 2 files changed, 63 insertions(+), 105 deletions(-) diff --git a/flake.nix b/flake.nix index b8b386e..a89bf66 100644 --- a/flake.nix +++ b/flake.nix @@ -205,25 +205,19 @@ modules = [ {nixpkgs.overlays = overlays;} ./hosts/fwminex/configuration.nix - - ./modules - ./modules/profiles/desktop - - nur.nixosModules.nur - agenix.nixosModules.default home-manager.nixosModules.home-manager nixos-hardware.nixosModules.framework-12th-gen-intel - nix-index-database.nixosModules.nix-index - { - age.secrets = { - motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - root-passwd-hash.file = ./secrets/root_passwd_hash.age; - sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; - syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; - syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; - }; - } + #agenix.nixosModules.default + #{ + # age.secrets = { + # motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + # root-passwd-hash.file = ./secrets/root_passwd_hash.age; + # sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + # syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; + # syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; + # }; + #} ]; specialArgs = {inherit myData;} // inputs; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index 2ed5b78..d006e2b 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix 
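Review bot: The commented-out `age.secrets` block is now the only record of which secret files this host used, and the names it keeps (`root-passwd-hash`, `motiejus-passwd-hash`) no longer agree with the names the host configuration's own commented lines expect (`root-work-passwd-hash`, `motiejus-work-passwd-hash` in hosts/fwminex/configuration.nix), so uncommenting both blocks as they stand would fail evaluation on an unknown `config.age.secrets` attribute. Git history already preserves the old wiring, so either delete the block or, if it is meant as the to-do for finishing the reinstall, align the names now and leave one explicit marker, e.g. `# TODO(reinstall): re-enable agenix here and restore hashedPasswordFile for root and motiejus in hosts/fwminex`, so the interim plaintext `initialPassword` in the host config is not forgotten. Removing `agenix.nixosModules.default` also drops `age.secrets` entirely, so any remaining `config.age.*` reference would need to go back together with this line.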
@@ -1,89 +1,84 @@ -{ - pkgs, - config, - myData, - ... -}: { +{myData, ...}: let + nvme = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1"; +in { imports = [ - ../../modules/profiles/autorandr + ../../modules + ../../modules/profiles/btrfs ]; boot = { - initrd.availableKernelModules = ["usb_storage" "sd_mod" "xhci_pci" "thunderbolt" "nvme" "usbhid"]; + kernelModules = ["kvm-intel"]; loader.systemd-boot.enable = true; - supportedFilesystems = ["zfs"]; - zfs = { - forceImportRoot = false; - devNodes = "/dev/disk/by-id/"; + initrd = { + availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"]; + systemd = { + enableTpm2 = true; + emergencyAccess = true; + }; + luks.devices = { + luksroot = { + device = "${nvme}-part3"; + allowDiscards = true; + crypttabExtraOpts = ["tpm2-device=auto"]; + }; + }; }; }; + security.tpm2.enable = true; + + swapDevices = [ + { + device = "${nvme}-part2"; + randomEncryption.enable = true; + } + ]; + fileSystems = { "/" = { - device = "rpool/nixos/root"; - fsType = "zfs"; + device = "/dev/mapper/luksroot"; + fsType = "btrfs"; + options = ["compress=zstd"]; }; "/boot" = { - device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1-part2"; + device = "${nvme}-part1"; fsType = "vfat"; }; - "/home" = { - device = "rpool/nixos/home"; - fsType = "zfs"; - }; - "/nix" = { - device = "rpool/nixos/nix"; - fsType = "zfs"; - }; - "/var/lib" = { - device = "rpool/nixos/var/lib"; - fsType = "zfs"; - }; - "/var/log" = { - device = "rpool/nixos/var/log"; - fsType = "zfs"; - }; }; hardware.cpu.intel.updateMicrocode = true; nixpkgs.hostPlatform = "x86_64-linux"; - boot.binfmt.emulatedSystems = ["aarch64-linux"]; - systemd.services.zfs-mount.enable = false; mj = { - stateVersion = "23.05"; + stateVersion = "24.05"; timeZone = "Europe/Vilnius"; username = "motiejus"; - base = { - zfs.enable = true; - users = { - enable = true; - devTools = true; - root.hashedPasswordFile = 
config.age.secrets.root-passwd-hash.path; - user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path; - }; - - snapshot = { - enable = true; - mountpoints = ["/home" "/var/lib" "/var/log"]; - }; - - unitstatus = { - enable = true; - email = "motiejus+alerts@jakstys.lt"; - }; + base.users = { + enable = true; + user.initialPassword = "live"; + #root.hashedPasswordFile = config.age.secrets.root-work-passwd-hash.path; + #user.hashedPasswordFile = config.age.secrets.motiejus-work-passwd-hash.path; }; services = { sshguard.enable = false; tailscale = { enable = true; - verboseLogs = true; + verboseLogs = false; }; + #remote-builder.client = let + # host = myData.hosts."fra1-a.servers.jakst"; + #in { + # enable = true; + # inherit (host) system supportedFeatures; + # hostName = host.jakstIP; + # sshKey = "/etc/ssh/ssh_host_ed25519_key"; + #}; + node_exporter = { enable = true; extraSubnets = [myData.subnets.vno1.cidr]; @@ -99,46 +94,15 @@ }; }; - postfix = { - enable = true; - saslPasswdPath = config.age.secrets.sasl-passwd.path; - }; - - syncthing = { - enable = true; - dataDir = "/home/motiejus/"; - user = "motiejus"; - group = "users"; - }; - - wifibackup = { - enable = true; - toPath = "/home/${config.mj.username}/M-Active/.wifi"; - toUser = config.mj.username; - }; - - remote-builder.client = let - host = myData.hosts."fra1-a.servers.jakst"; - in { - enable = true; - inherit (host) system supportedFeatures; - hostName = host.jakstIP; - sshKey = "/etc/ssh/ssh_host_ed25519_key"; - }; + #postfix = { + # enable = true; + # saslPasswdPath = config.age.secrets.sasl-passwd.path; + #}; }; }; - programs.mepo.enable = true; - - virtualisation.virtualbox.host.enable = true; - users.extraGroups.vboxusers.members = ["motiejus"]; - - environment.systemPackages = with pkgs; [ - tesseract - ]; - networking = { - hostId = "3a54afcd"; + hostId = "a6b19da0"; hostName = "fwminex"; domain = "motiejus.jakst"; firewall.rejectPackets = true;
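Review bot: `emergencyAccess = true;` under `initrd.systemd`, together with `crypttabExtraOpts = ["tpm2-device=auto"]`, means the initrd unlocks `luksroot` with no user secret and then offers a passwordless root shell whenever boot is diverted to emergency mode; since `loader.systemd-boot.enable = true` is set without `editor = false` (the NixOS default permits editing the kernel command line at the boot menu), anyone holding the laptop can add `systemd.unit=emergency.target` and land in that shell on the decrypted root, unless the enrolled PCR policy measures the command line, which this change does not show (systemd-cryptenroll's default of PCR 7 alone does not). I would set `emergencyAccess = false;` (or a hashed password string, which the option also accepts) and add `loader.systemd-boot.editor = false;` next to the enable line, plus a comment recording which PCRs the TPM enrollment is bound to. Separately, `user.initialPassword = "live";` with both `hashedPasswordFile` lines commented out leaves the primary account behind a public, guessable password on a host that already enables tailscale; if this is only for the reinstall, mark it `# TEMP(reinstall): replace with hashedPasswordFile before first network exposure` so it does not survive. The `services` set opened at the bottom of this hunk continues into the next one.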
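Review bot: The commented-out `saslPasswdPath = config.age.secrets.sasl-passwd.path;` cannot be restored by uncommenting alone, because the first hunk changed the module header to `{myData, ...}:` and `config` is no longer bound (the same holds for the commented `hashedPasswordFile` lines above). Either delete the dead block, since git history keeps it, or make it an explicit to-do naming everything that must return together, e.g. `# TODO(reinstall): re-add config to the module args and agenix in flake.nix before re-enabling postfix`. With postfix gone here and the `unitstatus` e-mail alerting removed in the previous hunk, this host presumably no longer reports failed units anywhere, which is worth confirming is intended for the reinstalled machine.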