Commit 1ac54d22c2ea
Changed files (4)
systems/sakhalin/boot.nix
@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+{
+ boot = {
+ loader.systemd-boot.netbootxyz.enable = true;
+ # initrd.systemd.enable = lib.mkForce false;
+ initrd.availableKernelModules = [
+ "nvme"
+ "rtsx_pci_sdmmc"
+ "thunderbolt"
+ "dm-mod"
+ ];
+ # initrd = {
+ # luks.devices."cryptroot" = {
+ # crypttabExtraOpts = [ "fido2-device=auto" ];
+ # };
+ # systemd = {
+ # fido2.enable = true;
+ # };
+ # };
+
+ blacklistedKernelModules = [
+ "sierra_net" # sierra wireless modules
+ "cdc_mbim" # modem mobile broadband modules
+ "cdc_ncm" # similar
+ ];
+ kernelModules = [
+ "ahci" # sata controller, might not be needed
+ "nvme" # required for nvme disks
+ "thunderbolt" # required for thunderbolt (dock, …)
+ # from thinkpad x1 gen 9
+ "dm-mod"
+ "cryptd" # required for encryption
+ "xhci_pci" # usb controller related
+ "usb_storage" # usb storage related
+ "sd_mod" # block device related
+ "sdhci_pci" # block device related as well
+ "aesni-intel" # advanced encryption for intel
+ "kvm_intel"
+ ];
+
+ kernelParams = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ # "i915.enable_rc6=1"
+ # "i915.enable_fbc=1"
+ # "i915.lvds_use_ssc=0"
+ # "drm.debug=0"
+ # "drm.vblankoffdelay=1"
+ "kvm_intel.nested=1"
+ "intel_iommu=on"
+ ];
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader.efi.canTouchEfiVariables = true;
+ };
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ };
+}
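Review bot: `loader.systemd-boot.netbootxyz.enable = true` adds a network-boot entry to the boot menu while the systemd-boot command-line editor is left at its default, so whoever is at the console can boot a remote image or change kernel parameters before the installed system starts, and nothing in this commit protects the disk at rest (hardware.nix mounts plain ext4 by UUID and the `initrd.luks` block here is commented out); if the netboot entry is only needed occasionally, drop it and add `loader.systemd-boot.editor = false;` next to `loader.efi.canTouchEfiVariables`. The `"cryptd" # required for encryption` comment is misleading as long as no LUKS device is configured — reword it to say it is kept for the planned cryptroot setup, or remove the module until that block is revived. `nvme`, `thunderbolt` and `dm-mod` appear in both `initrd.availableKernelModules` and `kernelModules`; that is harmless, but a one-line comment stating that the second list is for post-initrd loading would stop the next reader from de-duplicating them.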
systems/sakhalin/extra.nix
@@ -0,0 +1,186 @@
+{
+ globals,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [
+ ../common/services/containers.nix
+ ../common/services/docker.nix
+ ../common/services/lxd.nix
+ ../common/desktop/binfmt.nix # TODO: move to something else than desktop
+ ../common/services/prometheus-exporters-node.nix
+ ];
+ services = {
+ atuin = {
+ enable = true;
+ host = "0.0.0.0";
+ openRegistration = false;
+ };
+
+ # services.postgresql.enable = true;
+ # services.postgresql.package = pkgs.postgresql_15;
+ # services.postgresql.dataDir = "/var/lib/postgresql/15";
+ # services.postgresqlBackup.databases = [ "atuin" "homepage_production" "nextcloud" ];
+ # services.postgresqlBackup.enable = true;
+ # services.postgresqlBackup.location = "/var/backup/postgresql";
+ # services.postgresqlBackup.startAt = "*-*-* 02:15:00";
+
+ grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_addr = "0.0.0.0";
+ http_port = 3000;
+ domain = "graphana.sbr.pm";
+ };
+ };
+ };
+ prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [
+ {
+ job_name = "node";
+ static_configs = [
+ {
+ # TODO: make this dynamic
+ targets = [
+ "aion.sbr.pm:9100"
+ "aix.sbr.pm:9000"
+ "aomi.sbr.pm:9000"
+ "athena.sbr.pm:9000"
+ "demeter.sbr.pm:9000"
+ "kerkouane.sbr.pm:9000"
+ "sakhalin.sbr.pm:9000"
+ "shikoku.sbr.pm:9000"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "bind";
+ static_configs = [
+ {
+ targets = [
+ "demeter.sbr.pm:9009"
+ "athena.sbr.pm:9009"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "nginx";
+ static_configs = [
+ {
+ targets = [ "kerkouane.sbr.pm:9001" ];
+ }
+ ];
+ }
+ ];
+ exporters.node = {
+ enable = true;
+ port = 9000;
+ enabledCollectors = [
+ "systemd"
+ "processes"
+ ];
+ extraFlags = [
+ "--collector.ethtool"
+ "--collector.softirqs"
+ "--collector.tcpstat"
+ ];
+ };
+ };
+ tarsnap = {
+ enable = true;
+ archives = {
+ documents = {
+ directories = [ "/home/vincent/desktop/documents" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.documents.key";
+ };
+ org = {
+ directories = [ "/home/vincent/desktop/org" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.org.key";
+ };
+ };
+ };
+ nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
+ /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
+ /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
+ '';
+ };
+ wireguard = {
+ enable = true;
+ ips = globals.fn.wg-ips globals.machines.sakhalin.net.vpn.ips;
+ endpoint = "${globals.net.vpn.endpoint}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
+ };
+ };
+ environment.systemPackages = with pkgs; [ yt-dlp ]; # -----------------------------------
+ environment.etc."vrsync".text = ''
+ /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
+ /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
+ /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
+ /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
+ /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
+ '';
+ systemd.services.vrsync = {
+ description = "vrsync - sync folders to NAS";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+
+ path = with pkgs; [
+ rsync
+ coreutils
+ bash
+ openssh
+ ];
+ script = ''
+ ${pkgs.vrsync}/bin/vrsync
+ '';
+
+ startAt = "hourly";
+ serviceConfig = {
+ Type = "oneshot";
+ OnFailure = "status-email-root@%n.service";
+ };
+ };
+ # mr -i u daily
+ systemd.services.mr = {
+ description = "Update configs daily";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [
+ git
+ mr
+ ];
+ script = ''
+ set -e
+ cd /mnt/gaia/src/configs/
+ mr -t run git reset --hard
+ mr -t u
+ '';
+
+ startAt = "daily";
+ };
+}
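Review bot: Grafana (`http_addr = "0.0.0.0"`, port 3000) and atuin (`host = "0.0.0.0"`) listen on every interface, and hardware.nix in the same commit disables the host firewall, so both are reachable from the bridged LAN with whatever Grafana ships as default credentials; nothing under `settings` sets `security.admin_password` (or points it at a secret file), so either set it or bind `http_addr`/`host` to the loopback or VPN address and put them behind the existing nginx host. `domain = "graphana.sbr.pm"` looks like a typo for `grafana.sbr.pm`; Grafana builds its absolute links and callback URLs from this value, so it should match the real hostname. The `mr` service runs `git reset --hard` and `mr -t u` daily as `vincent` on /mnt/gaia/src/configs, and `-t` trusts every .mrconfig it encounters, so commands pulled from any of those remotes execute as that user — a comment above the unit naming which remotes are considered trusted, or dropping `-t` in favour of an explicit ~/.mrtrust, would make that decision visible. `endpoint = "${globals.net.vpn.endpoint}";` and the `endpointPublicKey` line wrap a plain string in interpolation for no effect; `endpoint = globals.net.vpn.endpoint;` reads the same.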
systems/sakhalin/hardware.nix
@@ -0,0 +1,58 @@
+{
+ ...
+}:
+{
+ imports = [
+ ../common/hardware/acpid.nix
+ ];
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
+ fsType = "ext4";
+ options = [
+ "noatime"
+ "discard"
+ ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B226-075A";
+ fsType = "vfat";
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
+ fsType = "ext4";
+ options = [
+ "noatime"
+ "discard"
+ ];
+ };
+ fileSystems."/mnt/gaia" = {
+ device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ fileSystems."/mnt/toshito" = {
+ device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+
+ fileSystems."/export/gaia" = {
+ device = "/mnt/gaia";
+ options = [ "bind" ];
+ };
+ fileSystems."/export/toshito" = {
+ device = "/mnt/toshito";
+ options = [ "bind" ];
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; } ];
+
+ networking = {
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+}
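Review bot: `firewall.enable = false` leaves the rw NFS exports (192.168.1.0/24 and 10.100.0.0/24), Grafana on 3000, Prometheus on 9001, the node exporter on 9000 and atuin from extra.nix open to anything that reaches `br1`, which this file bridges onto the physical NIC `enp0s31f6` and which presumably also carries the container/lxd traffic that extra.nix imports set up. Keeping the firewall on and listing only the intended services is a small change, roughly `firewall.allowedTCPPorts = [ 2049 3000 9000 9001 ];` (assuming NFSv4 only; atuin's listen port is not shown in this diff and would need adding), with the VPN subnet handled via `trustedInterfaces` if the WireGuard interface name is known. Both `/export/gaia` and `/export/toshito` bind-mount under a `/export` directory that no `fileSystems` entry or tmpfiles rule in this commit creates; if it is absent on first boot the `fsid=0` root export cannot be served, so a `fileSystems."/export"` entry or a `systemd.tmpfiles.rules` line for it would be safer than relying on it existing.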
globals.nix
@@ -286,7 +286,7 @@ in
net = {
ips = [ "192.168.1.70" ];
vpn = {
- # pubkey = "foUoAvJXGyFV4pfEE6ISwivAgXpmYmHwpGq6X+HN+yA=";
+ pubkey = "OAjw1l0z56F8kj++tqoasNHEMIWBEwis6iaWNAh1jlk=";
ips = [ "10.100.0.16" ];
};
names = [