commit f47b8d09f80c7dbd7e6851feccf443aa43abeee7 (tree)
parent 3ace3540892b8b67f660d60af902b9140184e3b1
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Tue, 16 Jul 2024 05:40:40 +0300
fwminex: reinstall
Diffstat:
2 files changed, 63 insertions(+), 105 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -205,25 +205,19 @@
modules = [
{nixpkgs.overlays = overlays;}
./hosts/fwminex/configuration.nix
-
- ./modules
- ./modules/profiles/desktop
-
- nur.nixosModules.nur
- agenix.nixosModules.default
home-manager.nixosModules.home-manager
nixos-hardware.nixosModules.framework-12th-gen-intel
- nix-index-database.nixosModules.nix-index
- {
- age.secrets = {
- motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
- root-passwd-hash.file = ./secrets/root_passwd_hash.age;
- sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
- syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
- syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
- };
- }
+ #agenix.nixosModules.default
+ #{
+ # age.secrets = {
+ # motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
+ # root-passwd-hash.file = ./secrets/root_passwd_hash.age;
+ # sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+ # syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
+ # syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
+ # };
+ #}
];
specialArgs = {inherit myData;} // inputs;
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
@@ -1,89 +1,84 @@
-{
- pkgs,
- config,
- myData,
- ...
-}: {
+{myData, ...}: let
+ nvme = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1";
+in {
imports = [
- ../../modules/profiles/autorandr
+ ../../modules
+ ../../modules/profiles/btrfs
];
boot = {
- initrd.availableKernelModules = ["usb_storage" "sd_mod" "xhci_pci" "thunderbolt" "nvme" "usbhid"];
+ kernelModules = ["kvm-intel"];
loader.systemd-boot.enable = true;
- supportedFilesystems = ["zfs"];
- zfs = {
- forceImportRoot = false;
- devNodes = "/dev/disk/by-id/";
+ initrd = {
+ availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"];
+ systemd = {
+ enableTpm2 = true;
+ emergencyAccess = true;
+ };
+ luks.devices = {
+ luksroot = {
+ device = "${nvme}-part3";
+ allowDiscards = true;
+ crypttabExtraOpts = ["tpm2-device=auto"];
+ };
+ };
};
};
+ security.tpm2.enable = true;
+
+ swapDevices = [
+ {
+ device = "${nvme}-part2";
+ randomEncryption.enable = true;
+ }
+ ];
+
fileSystems = {
"/" = {
- device = "rpool/nixos/root";
- fsType = "zfs";
+ device = "/dev/mapper/luksroot";
+ fsType = "btrfs";
+ options = ["compress=zstd"];
};
"/boot" = {
- device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1-part2";
+ device = "${nvme}-part1";
fsType = "vfat";
};
- "/home" = {
- device = "rpool/nixos/home";
- fsType = "zfs";
- };
- "/nix" = {
- device = "rpool/nixos/nix";
- fsType = "zfs";
- };
- "/var/lib" = {
- device = "rpool/nixos/var/lib";
- fsType = "zfs";
- };
- "/var/log" = {
- device = "rpool/nixos/var/log";
- fsType = "zfs";
- };
};
hardware.cpu.intel.updateMicrocode = true;
nixpkgs.hostPlatform = "x86_64-linux";
- boot.binfmt.emulatedSystems = ["aarch64-linux"];
-
systemd.services.zfs-mount.enable = false;
mj = {
- stateVersion = "23.05";
+ stateVersion = "24.05";
timeZone = "Europe/Vilnius";
username = "motiejus";
- base = {
- zfs.enable = true;
- users = {
- enable = true;
- devTools = true;
- root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
- user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
- };
-
- snapshot = {
- enable = true;
- mountpoints = ["/home" "/var/lib" "/var/log"];
- };
-
- unitstatus = {
- enable = true;
- email = "motiejus+alerts@jakstys.lt";
- };
+ base.users = {
+ enable = true;
+ user.initialPassword = "live";
+ #root.hashedPasswordFile = config.age.secrets.root-work-passwd-hash.path;
+ #user.hashedPasswordFile = config.age.secrets.motiejus-work-passwd-hash.path;
};
services = {
sshguard.enable = false;
tailscale = {
enable = true;
- verboseLogs = true;
+ verboseLogs = false;
};
+ #remote-builder.client = let
+ # host = myData.hosts."fra1-a.servers.jakst";
+ #in {
+ # enable = true;
+ # inherit (host) system supportedFeatures;
+ # hostName = host.jakstIP;
+ # sshKey = "/etc/ssh/ssh_host_ed25519_key";
+ #};
+
node_exporter = {
enable = true;
extraSubnets = [myData.subnets.vno1.cidr];
@@ -99,46 +94,15 @@
};
};
- postfix = {
- enable = true;
- saslPasswdPath = config.age.secrets.sasl-passwd.path;
- };
-
- syncthing = {
- enable = true;
- dataDir = "/home/motiejus/";
- user = "motiejus";
- group = "users";
- };
-
- wifibackup = {
- enable = true;
- toPath = "/home/${config.mj.username}/M-Active/.wifi";
- toUser = config.mj.username;
- };
-
- remote-builder.client = let
- host = myData.hosts."fra1-a.servers.jakst";
- in {
- enable = true;
- inherit (host) system supportedFeatures;
- hostName = host.jakstIP;
- sshKey = "/etc/ssh/ssh_host_ed25519_key";
- };
+ #postfix = {
+ # enable = true;
+ # saslPasswdPath = config.age.secrets.sasl-passwd.path;
+ #};
};
};
- programs.mepo.enable = true;
-
- virtualisation.virtualbox.host.enable = true;
- users.extraGroups.vboxusers.members = ["motiejus"];
-
- environment.systemPackages = with pkgs; [
- tesseract
- ];
-
networking = {
- hostId = "3a54afcd";
+ hostId = "a6b19da0";
hostName = "fwminex";
domain = "motiejus.jakst";
firewall.rejectPackets = true;
