more trimming and tidying

chaos 2024-07-24 14:32:44 +01:00
parent 86d258c77f
commit 77822ebe33
15 changed files with 53 additions and 281 deletions


@ -1,15 +1,17 @@
{ {
self, self,
hostPath,
tree, tree,
inputs, inputs,
pkgs, pkgs,
config, config,
lib,
... ...
}: let }: let
inherit (lib.lists) flatten;
containerName = "jellyfin"; containerName = "jellyfin";
containerAddresses = import "${hostPath}/data/containerAddresses.nix"; containerAddresses = import "../../data/containerAddresses.nix";
hostIP = containerAddresses.host; hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.${containerName}; containerIP = containerAddresses.containers.${containerName};
@ -43,22 +45,22 @@ in {
inherit inputs; inherit inputs;
inherit tree; inherit tree;
inherit self; inherit self;
inherit hostPath;
}; };
config = {...}: { config = {...}: {
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
imports = with tree; imports = flatten (with tree; [
[ presets.nixos.containerBase
presets.nixos.containerBase
./secrets.nix (with hosts.hetzner-arm.containers.jellyfin.profiles; [
]
++ (with hosts.hetzner-arm.containers.jellyfin.profiles; [
mediaMount mediaMount
jellyfin jellyfin
restic restic
]); ])
./secrets.nix
]);
home-manager.users.root.home.stateVersion = "24.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
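Review bot: The new `containerAddresses = import "../../data/containerAddresses.nix";` is a quoted string, not a path literal, and a relative string is not resolved against this file the way `"${hostPath}/data/..."` was (interpolating a path yields an absolute store path). Recent Nix rejects such a string with "doesn't represent an absolute path", and older versions resolve it against the evaluator's working directory, so the container would evaluate only by accident. The unquoted form `containerAddresses = import ../../data/containerAddresses.nix;` is resolved relative to the file that contains it. The same line appears in the storage container section (`containerIP = containerAddresses.containers.storage`). The `let` block and the enclosing module start and end outside the hunk.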


@ -5,10 +5,10 @@
inputs, inputs,
config, config,
pkgs, pkgs,
hostPath,
... ...
}: let }: let
inherit (lib.modules) mkMerge mkForce; inherit (lib.modules) mkMerge mkForce;
inherit (lib.lists) flatten;
ports = [ ports = [
# SMTP # SMTP
@ -44,24 +44,23 @@ in {
inherit inputs; inherit inputs;
inherit tree; inherit tree;
inherit self; inherit self;
inherit hostPath;
}; };
config = {...}: { config = {...}: {
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
imports = with tree; imports = flatten (with tree; [
[ presets.nixos.containerBase
presets.nixos.containerBase
./secrets.nix (with hosts.hetzner-arm.containers.mail; [
]
++ (with hosts.hetzner-arm.containers.mail; [
modules.mailserver modules.mailserver
profiles.mailserver profiles.mailserver
profiles.restic profiles.restic
]); ])
./secrets.nix
]);
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/acme - root root" "d /var/lib/acme - root root"


@ -1,6 +1,5 @@
{ {
self, self,
hostPath,
tree, tree,
lib, lib,
inputs, inputs,
@ -8,8 +7,9 @@
... ...
}: let }: let
inherit (lib.attrsets) attrValues; inherit (lib.attrsets) attrValues;
inherit (lib.lists) flatten;
containerAddresses = import "${hostPath}/data/containerAddresses.nix"; containerAddresses = import "../../data/containerAddresses.nix";
hostIP = containerAddresses.host; hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.storage; containerIP = containerAddresses.containers.storage;
@ -47,26 +47,27 @@ in {
inherit inputs; inherit inputs;
inherit tree; inherit tree;
inherit self; inherit self;
inherit hostPath;
}; };
config = {...}: { config = {...}: {
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
imports = with tree; imports = flatten (with tree; [
[ presets.nixos.containerBase
presets.nixos.containerBase
./secrets.nix (with hosts.hetzner-arm.containers.storage.profiles; [
]
++ (with hosts.hetzner-arm.containers.storage.profiles; [
rcloneConfigs rcloneConfigs
rcloneServe rcloneServe
rcloneSync rcloneSync
users users
]); ])
./secrets.nix
]);
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
rclone rclone
fuse fuse
fuse3 fuse3
]; ];


@ -3,25 +3,24 @@
lib, lib,
... ...
}: let }: let
inherit (lib.lists) forEach; inherit (lib.lists) forEach flatten;
in { in {
imports = with tree; imports = flatten (with tree; [
[ (with tree.presets.nixos; [
presets.nixos.serverBase serverBase
presets.nixos.serverHetzner serverHetzner
presets.nixos.serverEncryptedDrive serverEncryptedDrive
])
profiles.nixos.nginx profiles.nixos.nginx
./hardware.nix (forEach [
./secrets.nix
]
++ (forEach [
"storage" "storage"
"mail" "mail"
"jellyfin" "jellyfin"
] (name: ./containers + "/${name}")) ] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-arm.profiles; [
(with hosts.hetzner-arm.profiles; [
staticSites staticSites
gotosocial gotosocial
forgejo forgejo
@ -29,7 +28,11 @@ in {
radicale radicale
vault vault
restic restic
]); ])
./hardware.nix
./secrets.nix
]);
# TODO: environment.noXlibs = true; # TODO: environment.noXlibs = true;
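Review bot: Inside `imports = flatten (with tree; [`, the inner `(with tree.presets.nixos; [` re-qualifies `tree.` although `tree` is already the scope of the outer `with`; the sibling `(with hosts.hetzner-arm.profiles; [` in the same list does not, so the two lines read as if written by different hands. Dropping the prefix, `(with presets.nixos; [`, keeps both inner lists in the same style. The module attribute set continues past the hunk.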


@ -25,6 +25,7 @@ in {
]) ])
./secrets.nix ./secrets.nix
./hardware.nix
]); ]);
home-manager.users.root.home.stateVersion = "24.05"; home-manager.users.root.home.stateVersion = "24.05";


@ -1,49 +0,0 @@
{
config,
tree,
modulesPath,
lib,
...
}: let
inherit (lib.modules) mkForce;
in {
imports = with tree; [
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
(modulesPath + "/installer/cd-dvd/channel.nix")
users.root
profiles.base
profiles.sshd
profiles.connectivity.iOS
profiles.connectivity.networkManager
];
# disable zfs
nixpkgs.overlays = [
(_final: super: {
zfs = super.zfs.overrideAttrs (_: {
meta.platforms = [];
});
})
];
networking.wireless.enable = mkForce false;
nixpkgs.config.allowBroken = true;
home-manager.users.root = {
imports = with tree; [home.base home.dev];
};
home-manager.users.nixos = {
imports = with tree; [home.base home.dev];
};
isoImage = {
isoBaseName = "nixos-chaos";
compressImage = false;
squashfsCompression = "zstd -Xcompression-level 1";
};
services.openssh.settings.PermitRootLogin = mkForce "yes";
}


@ -38,58 +38,18 @@
]; ];
nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem; nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem;
nixosX86_64LiveWithExtraDepsForMachines = machines:
nixosUnstableSystem {
specialArgs =
defaultSpecialArgs
// {
hostPath = ./nixos-live;
};
system = "x86_64-linux";
modules =
defaultModules
++ [
./nixos-live/nixos-live.nix
({...}: {
system.extraDependencies =
forEach machines (system:
self.nixosConfigurations.${system}.config.system.build.toplevel);
})
];
};
in rec { in rec {
lappy-t495 = nixosUnstableSystem { lappy-t495 = nixosUnstableSystem {
specialArgs = specialArgs =
defaultSpecialArgs defaultSpecialArgs;
// {
hostPath = ./lappy-t495;
};
system = "x86_64-linux"; system = "x86_64-linux";
modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix]; modules = defaultModules ++ [./lappy-t495/lappy-t495.nix];
}; };
hetzner-arm = nixosUnstableSystem { hetzner-arm = nixosUnstableSystem {
specialArgs = specialArgs =
defaultSpecialArgs defaultSpecialArgs;
// {
hostPath = ./hetzner-arm;
};
system = "aarch64-linux"; system = "aarch64-linux";
modules = defaultModules ++ [./hetzner-arm/hetzner-arm.nix]; modules = defaultModules ++ [./hetzner-arm/hetzner-arm.nix];
}; };
# nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
# nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
raspberry = nixosUnstableSystem {
specialArgs =
defaultSpecialArgs
// {
hostPath = ./raspberry;
};
system = "aarch64-linux";
modules = defaultModules ++ [./raspberry/raspberry.nix];
};
} }
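Review bot: Removing `nixosX86_64LiveWithExtraDepsForMachines` also removes the only use of `forEach` visible in this hunk (`system.extraDependencies = forEach machines (...)`); if the `let` above the hunk has no other use, the corresponding `inherit` is now dead and should go with it. The remaining `specialArgs = defaultSpecialArgs;` lines no longer pass `hostPath`, so any module outside the 15 changed files that still declares a `hostPath` argument will fail at evaluation; the three container modules in this commit were updated, but a `nix flake check` before merging would confirm nothing else depended on it. The `let` block begins outside the hunk.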


@ -1,65 +0,0 @@
{
lib,
pkgs,
config,
modulesPath,
...
}: let
inherit (lib.modules) mkForce mkDefault;
inherit (builtins) toFile;
in {
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
];
boot = {
supportedFilesystems = mkForce ["vfat"];
consoleLogLevel = mkDefault 7;
kernelParams = ["console=tty0"];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
};
sdImage = {
compressImage = mkForce false;
populateFirmwareCommands = let
configTxt = toFile "config.txt" ''
[pi3]
kernel=u-boot-rpi3.bin
[pi4]
kernel=u-boot-rpi4.bin
enable_gic=1
armstub=armstub8-gic.bin
# Otherwise the resolution will be weird in most cases, compared to
# what the pi3 firmware does by default.
disable_overscan=1
[all]
# Boot in 64-bit mode.
arm_64bit=1
# U-Boot needs this to work, regardless of whether UART is actually used or not.
# Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
# a requirement in the future.
enable_uart=1
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
# Add the config
cp ${configTxt} firmware/config.txt
# Add pi3 specific files
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
# Add pi4 specific files
cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}


@ -1,19 +0,0 @@
{tree, ...}: {
imports = with tree;
[
presets.nixos.serverBase
./secrets.nix
./boot.nix
]
++ (with hosts.raspberry.profiles; []);
networking.enableIPv6 = true;
networking.useDHCP = true;
networking.hostName = "raspberry";
time.timeZone = "Europe/London";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
}


@ -1,18 +0,0 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "raspberry";
};
requiredVaultPaths = [];
secrets = {
vault_password = {
manual = true;
};
};
};
}


@ -9,7 +9,7 @@ in {
user = "root"; user = "root";
hostname = "${hostname}.servers.genderfucked.monster"; hostname = "${hostname}.servers.genderfucked.monster";
}; };
}) ["hetzner-arm" "hetzner-arm-decrypt" "vault" "vault-decrypt" "raspberry"])) }) ["hetzner-arm" "hetzner-arm-decrypt"]))
{ {
"blahaj" = { "blahaj" = {
user = "chaos"; user = "chaos";
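Review bot: The host list at `}) ["hetzner-arm" "hetzner-arm-decrypt"]))` drops the `vault` and `vault-decrypt` SSH aliases along with `raspberry`, but only the raspberry host is deleted elsewhere in this commit; the removed `scripts/deploy/deploy.sh` still invoked `./scripts/deploy/vault.sh`, and that script is not among the visible changes, while the hetzner-arm host still imports a `vault` profile. If a vault machine is still deployed over SSH, these aliases are still needed; if it is gone, the vault deploy script and profile belong in the same clean-up. The mapping call that builds this list starts outside the hunk.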


@ -19,6 +19,7 @@ in {
}; };
}); });
}; };
config = { config = {
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;


@ -1,9 +0,0 @@
#!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
DEFAULT_HOST="root@raspberry.servers.genderfucked.monster"
TARGET_HOST=${HOST:-${DEFAULT_HOST}}
nixos-rebuild switch --flake .#raspberry --target-host "$TARGET_HOST" --use-substitutes -s "$@"


@ -1,14 +0,0 @@
#!/usr/bin/env bash
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
HOSTNAME=$(hostname)
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@"
[ "${HOSTNAME}" != "hetzner-arm" ] && ./scripts/deploy/hetzner-arm.sh "$@"
[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@"
[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@"


@ -1,21 +0,0 @@
#!/usr/bin/env bash
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
ARCH=${1}
HOSTNAME=${2}
SSH=${3}
CONTAINER=${4}
OPTIONAL_CONTAINER=
if [ -n "$CONTAINER" ]; then
OPTIONAL_CONTAINER="-container-${CONTAINER}"
fi
nix build --system ${ARCH} ".#secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
nix-copy-closure --to ${SSH} --use-substitutes $(readlink result)
ssh ${SSH} "$(readlink result)/bin/secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"