Commit e60b6f5f35b6
Changed files (6)
imperative/nagoya/README.org
@@ -1,6 +1,14 @@
#+TITLE: Nagoya Configuration
#+FILETAGS: imperative debian server nagoya
+#+begin_quote
+⚠️ *DEPRECATED:* This imperative setup is now deprecated in favor of the declarative system-manager configuration at =~/src/home/systems/nagoya/system.nix=.
+
+The imperative scripts are kept as a backup fallback only.
+
+To use system-manager, see the deployment instructions in =CLAUDE.md=.
+#+end_quote
+
Configuration scripts for the Nagoya system, a Debian-based server.
* Overview
systems/nagoya/home.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+{
+ # Syncthing will be configured here via home-manager
+ # For now, just enable the user service
+ services.syncthing = {
+ enable = true;
+ };
+}
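Review bot: Nothing in this commit wires `systems/nagoya/home.nix` in — the `mkSystemManager` call added in flake.nix takes only `hostname` and `system` — so either it is picked up by a convention outside the diff or it is dead; a one-line comment naming the importer would settle that, e.g. `# Imported by libx.mkSystemManager via the systems/<hostname>/ convention` (confirm). On the same line, `services.syncthing.enable = true` with no further settings leaves the GUI/REST listener at the home-manager module's default; since system.nix puts this host on the 10.100.0.0/24 VPN, it is worth pinning the bind address explicitly in this file and saying in the comment whether the GUI is meant to be reachable from peers (the NixOS module calls the option `guiAddress`; check what the home-manager module exposes before using that name).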
systems/nagoya/system.nix
@@ -0,0 +1,97 @@
+{
+ config,
+ lib,
+ pkgs,
+ globals,
+ hostname,
+ ...
+}:
+{
+ config = {
+ # Platform
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ # System packages
+ environment.systemPackages = with pkgs; [
+ docker
+ docker-compose
+ kind
+ wireguard-tools
+ syncthing
+ vim
+ htop
+ curl
+ git
+ ];
+
+ # Docker systemd service
+ systemd.services.docker = {
+ description = "Docker Application Container Engine";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" "containerd.service" ];
+ wantedBy = [ "system-manager.target" ];
+ path = [ pkgs.docker pkgs.kmod pkgs.iptables ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${pkgs.docker}/bin/dockerd";
+ ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
+ TimeoutStartSec = "0";
+ RestartSec = "2";
+ Restart = "always";
+ Delegate = "yes";
+ KillMode = "process";
+ LimitNOFILE = "infinity";
+ LimitNPROC = "infinity";
+ TasksMax = "infinity";
+ };
+ };
+
+ # Containerd systemd service (required by Docker)
+ systemd.services.containerd = {
+ description = "containerd container runtime";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "system-manager.target" ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${pkgs.docker}/bin/containerd";
+ Restart = "always";
+ Delegate = "yes";
+ KillMode = "process";
+ LimitNOFILE = "1048576";
+ TasksMax = "infinity";
+ };
+ };
+
+ # WireGuard wg0 service
+ systemd.services.wireguard-wg0 = {
+ description = "WireGuard VPN (wg0)";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "system-manager.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.wireguard-tools}/bin/wg-quick up wg0";
+ ExecStop = "${pkgs.wireguard-tools}/bin/wg-quick down wg0";
+ };
+ };
+
+ # WireGuard configuration file
+ # NOTE: Private key must be added manually to /etc/wireguard/private.key
+ environment.etc."wireguard/wg0.conf" = {
+ text = ''
+ [Interface]
+ PrivateKey = PLACEHOLDER_REPLACE_MANUALLY
+ Address = 10.100.0.80/24
+
+ [Peer]
+ PublicKey = +H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI=
+ AllowedIPs = 10.100.0.0/24
+ Endpoint = 167.99.17.238:51820
+ PersistentKeepalive = 25
+ '';
+ mode = "0600";
+ };
+ };
+}
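Review bot: The `PrivateKey = PLACEHOLDER_REPLACE_MANUALLY` line in the `[Interface]` section cannot be "added manually" as the comment above it says: `environment.etc` renders `text` into a world-readable Nix store path and then installs it, so a real key put into `text` is exposed regardless of `mode = "0600"`, and a key hand-edited into `/etc/wireguard/wg0.conf` is overwritten with the placeholder on the next activation. Nothing in the hunk reads the `/etc/wireguard/private.key` the comment refers to. Drop the `PrivateKey` line and load the key from that file at interface bring-up instead, `PostUp = wg set %i private-key /etc/wireguard/private.key` (wg-quick substitutes `%i`; this is the same pattern the NixOS wg-quick module uses for `privateKeyFile`, as far as I recall — confirm that wg-quick in this version accepts an `[Interface]` without `PrivateKey`). The comment should then say that `/etc/wireguard/private.key` must exist with mode 0600 before `wireguard-wg0.service` starts, since the unit as written will just fail on a fresh host.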
systems/system-manager.nix
@@ -14,7 +14,9 @@
];
nixpkgs = {
- overlays = [
+ # NOTE: Overlays might cause infinite recursion in system-manager
+ # Only apply them for NixOS systems
+ overlays = lib.optionals (!(config.system-manager.allowAnyDistro or false)) [
# Our own flake exports (from overlays and pkgs dir)
outputs.overlays.additions
outputs.overlays.modifications
@@ -36,9 +38,10 @@
allowUnfree = true;
};
};
- nix = {
+ nix = lib.optionalAttrs (!(config.system-manager.allowAnyDistro or false)) {
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
+ # NOTE: These options only exist in NixOS, not in system-manager
registry = lib.mkForce (lib.mapAttrs (_: value: { flake = value; }) inputs);
# This will additionally add your inputs to the system's legacy channels
@@ -46,7 +49,8 @@
nixPath = lib.mkForce (
lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry
);
-
+ } // lib.optionalAttrs (!(config.system-manager.allowAnyDistro or false)) {
+ # NOTE: optimise only exists in NixOS, not in system-manager
optimise = {
automatic = true;
dates = [
@@ -54,6 +58,7 @@
"12:10"
];
};
+ } // {
settings = {
auto-optimise-store = true;
@@ -96,9 +101,11 @@
keep-derivations = true
builders-use-substitutes = true
'';
-
+ }
+ // lib.optionalAttrs (!(config.system-manager.allowAnyDistro or false)) {
# On laptops at least, make the daemon and builders low priority
# to have a responding system while building
+ # NOTE: These options only exist in NixOS, not in system-manager
daemonIOSchedClass = "idle";
daemonCPUSchedPolicy = "idle";
};
flake.nix
@@ -145,12 +145,15 @@
};
# system-manager configurations
- # FIXME set this up
systemConfigs = {
aion = libx.mkSystemManager {
hostname = "aion";
system = "aarch64-linux";
};
+ nagoya = libx.mkSystemManager {
+ hostname = "nagoya";
+ system = "aarch64-linux";
+ };
};
images = {
secrets.nix
@@ -19,6 +19,7 @@ let
kyushu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd795m+P54GlGJdMaGci9pQ9N942VUz8ri2F14+LWxg"; # ssh-keyscan -q -t ed25519 kyushu.sbr.pm
aion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXDNi2KtoRU83y/V5OWnMbFWmxwBknPmrNWV4RChE7R"; # ssh-keyscan -q -t ed25519 aion.sbr.pm
aix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoUicDySCGETPAgmI0P3UrgZEXXw3zNsyCIylUP0bML"; # ssh-keyscan -q -t ed25519 aix.sbr.pm
+ nagoya = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfep1SkMsAPHggXFLfEJNzZb7eoihtkqDeQruG+TbhF";
# TODO: kobe
desktops = [
kyushu
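Review bot: The added `nagoya` host key has no provenance comment, unlike its neighbours, which each record `# ssh-keyscan -q -t ed25519 <host>`; since the lists below group these keys as recipients, adding an unverified key here is exactly the step where a wrong or substituted fingerprint would grant secret access to the wrong machine. Record how the key was obtained and that it was checked out of band, e.g. `# ssh-keyscan -q -t ed25519 nagoya.sbr.pm — fingerprint matched /etc/ssh/ssh_host_ed25519_key.pub on the console`. The hunk's `let` starts outside the hunk.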
@@ -30,6 +31,7 @@ let
athena
demeter
kerkouane
+ nagoya
rhea
sakhalin
shikoku
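Review bot: Adding `nagoya` to this list grants it whatever secrets are encrypted for the list, whose name and members' secrets are outside the hunk; those files have to be re-encrypted with the new recipient set before nagoya can decrypt anything, and the commit does not include that step (`agenix -r`, if this is agenix — the tooling is not visible here). It is also worth checking that a freshly provisioned Debian box needs everything the other members (athena, demeter, kerkouane, rhea, …) receive rather than a narrower group, since secrets cannot be un-shared once a host key has been a recipient.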