From a9eecc6d9ae5c8dac9c0ab6d0e6bc21c4e1eb867 Mon Sep 17 00:00:00 2001 From: Christoph Cullmann Date: Fri, 9 Jun 2023 18:26:35 +0200 Subject: [PATCH] fixup neko config for tmpfs/btrfs/luks --- common.nix | 133 ++++++-------------------------- neko/configuration.nix | 7 +- neko/hardware-configuration.nix | 50 ++++++++++-- 3 files changed, 71 insertions(+), 119 deletions(-) diff --git a/common.nix b/common.nix index b959dda..8ad9303 100644 --- a/common.nix +++ b/common.nix @@ -19,16 +19,18 @@ in # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave + # on your system were taken. It's perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.11"; # Did you read the comment? + system.stateVersion = "23.05"; # Did you read the comment? + + # use the latest kernel + boot.kernelPackages = pkgs.linuxPackages_latest; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.loader.efi.efiSysMountPoint = "/boot"; # use a high resolution boot.loader.systemd-boot.consoleMode = "max"; 
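Review bot: `system.stateVersion = "23.05";` is bumped inside common.nix, which neko/configuration.nix later in this patch describes as the shared config of all machines, so every host importing it gets the new stateful-data defaults, not only the freshly partitioned neko (new UUIDs and LUKS devices in neko/hardware-configuration.nix). The comment directly above the line says to keep the value from the first install, and for a host that was not reinstalled this silently changes defaults for stateful services. Consider keeping the option per host instead, e.g. `system.stateVersion = "23.05";` in neko/configuration.nix, with older hosts retaining their original value. I cannot tell from this diff whether other hosts share the file, so treat this as a question rather than a defect.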
@@ -39,52 +41,6 @@ in # setup the console stuff early console.earlySetup = true; - # zfs & NTFS for Windows stuff - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.supportedFilesystems = [ "zfs" "ntfs" ]; - services.zfs.autoScrub.enable = true; - services.zfs.trim.enable = true; - - # persistent nix - fileSystems."/nix" = { - device = "zroot/nix"; - fsType = "zfs"; - }; - - # persistent homes - fileSystems."/home" = { - device = "zroot/home"; - fsType = "zfs"; - }; - - # non persistent root - fileSystems."/" = { - device = "none"; - fsType = "tmpfs"; - options = [ "defaults" "size=8G" "mode=755" ]; - }; - - # bind mount persistent nixos config, per host different - fileSystems."/etc/nixos" = { - device = "/home/cullmann/install/nixos/${config.networking.hostName}"; - options = [ "bind" ]; - }; - - # bind mount persistent root home - fileSystems."/root" = { - device = "/home/root"; - options = [ "bind" ]; - }; - - # some stuff is needed to early for environment.persistence - environment.etc = { - # stable host keys - "ssh/ssh_host_rsa_key".source = "/nix/persistent/ssh_host_rsa_key"; - "ssh/ssh_host_rsa_key.pub".source = "/nix/persistent/ssh_host_rsa_key.pub"; - "ssh/ssh_host_ed25519_key".source = "/nix/persistent/ssh_host_ed25519_key"; - "ssh/ssh_host_ed25519_key.pub".source = "/nix/persistent/ssh_host_ed25519_key.pub"; - }; - # keep some stuff persistent environment.persistence."/nix/persistent" = { directories = [ 
@@ -104,41 +60,25 @@ in # ensure firewall is up, allow ssh and http in networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 22 80 ]; + networking.firewall.logRefusedConnections = false; - # secure dns with local resolve via fritz.box - networking = { - nameservers = [ "127.0.0.1" "::1" ]; - dhcpcd.extraConfig = "nohook resolv.conf"; - resolvconf.useLocalResolver = true; - }; - environment.etc = { - forwarding_rules = { - text = '' - fritz.box 192.168.13.1 - ''; - }; - }; - services.dnscrypt-proxy2 = { + # OpenSSH daemon config + services.openssh = { + # enable with public key only auth enable = true; - settings = { - ipv6_servers = true; - require_dnssec = true; - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/nix/persistent/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - forwarding_rules = "/etc/forwarding_rules"; - }; - }; - systemd.services.dnscrypt-proxy2.serviceConfig = { - StateDirectory = "dnscrypt-proxy"; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + + # only ed25519 keys, make them persistent + hostKeys = [{ + path = "/nix/persistent/ssh_host_ed25519_key"; + type = "ed25519"; + }]; }; + # guard the ssh service + services.sshguard.enable = true; + # block some crap, see https://github.com/StevenBlack/hosts#nixos networking.extraHosts = let hostsPath = https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts; 
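Review bot: The comment `# ensure firewall is up, allow ssh and http in` is now stale: `networking.firewall.allowedTCPPorts = [ 22 80 ]` is removed in this hunk, nothing opens port 80 any more (nginx is dropped later in this patch), and port 22 is presumably only opened through the `services.openssh.openFirewall` default; suggest `# ensure firewall is up; only ssh is opened (via services.openssh.openFirewall)`. `networking.firewall.logRefusedConnections = false;` discards the only record of refused inbound connections — sshguard reads sshd's own auth log rather than firewall drops, so it does not depend on these messages, but a comment giving the reason (log noise?) would help, and the port-scan signal is lost. `services.sshguard.enable = true;` with no whitelist can lock the admin out after a few failed logins from the LAN; consider `services.sshguard.whitelist = [ "<lan-prefix>/24" ];`. The host key move to `/nix/persistent/ssh_host_ed25519_key` also drops the previously persisted RSA key, so clients whose known_hosts only holds the RSA key will see a host-key warning on first connect after the rebuild.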
@@ -305,14 +245,6 @@ in # proper lutris gaming for 32-bit stuff hardware.opengl.driSupport32Bit = true; - # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - startWhenNeeded = true; - settings.PasswordAuthentication = false; - settings.PermitRootLogin = "yes"; - }; - # virus scanner, we only want the updater running services.clamav.updater.enable = true; @@ -334,8 +266,8 @@ in from = "noreply@home.local"; host = "babylon2k.com"; port = "587"; - user = builtins.readFile "/home/root/nixos/mailuser"; - password = builtins.readFile "/home/root/nixos/mailpassword"; + user = builtins.readFile "/data/nixos/mailuser.secret"; + password = builtins.readFile "/data/nixos/mailpassword.secret"; }; }; defaults = { @@ -352,20 +284,6 @@ in }; }; - # allow the ZFS service to send mails - services.zfs.zed.settings = { - ZED_DEBUG_LOG = "/tmp/zed.debug.log"; - ZED_EMAIL_ADDR = [ "root" ]; - ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; - ZED_EMAIL_OPTS = "@ADDRESS@"; - - ZED_NOTIFY_INTERVAL_SECS = 3600; - ZED_NOTIFY_VERBOSE = true; - - ZED_USE_ENCLOSURE_LEDS = true; - ZED_SCRUB_AFTER_RESILVER = true; - }; - # use ZSH per default users.defaultUserShell = pkgs.zsh; @@ -397,9 +315,6 @@ in Defaults lecture = never ''; - # use some small web server to have easy file sharing at home - services.nginx.enable = true; - # no need for upower services.upower.enable = pkgs.lib.mkForce false; @@ -422,7 +337,7 @@ in users.users.root = { # init password - hashedPassword = builtins.readFile "/home/root/nixos/passwd"; + hashedPassword = builtins.readFile "/data/nixos/password.secret"; # use same keys as my main user openssh.authorizedKeys.keys = pkgs.lib.splitString "\n" (builtins.readFile "/home/cullmann/.ssh/authorized_keys"); @@ -462,7 +377,7 @@ in extraGroups = [ "wheel" ]; # init password - hashedPassword = builtins.readFile "/home/root/nixos/passwd"; + hashedPassword = builtins.readFile "/data/nixos/password.secret"; }; home-manager.users.cullmann = { pkgs, ... }: { 
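Review bot: `password = builtins.readFile "/data/nixos/mailpassword.secret";` copies the SMTP password into the Nix store at evaluation time, because the generated msmtp configuration is a world-readable store path, so moving the file onto the encrypted `/data` volume does not keep it out of `/nix/store` (encrypted at rest per neko/hardware-configuration.nix, but readable by every local user). msmtp supports `passwordeval`, which reads the secret at send time instead: replace the password line with `passwordeval = "cat /data/nixos/mailpassword.secret";` and make the file readable only by the account that sends mail (`chmod 600`). The `user` line has the same exposure if the login name is considered sensitive. I cannot verify from this hunk which NixOS module renders this block (the `accounts`/`defaults` shape suggests `programs.msmtp`), so check that it passes `passwordeval` through unmodified.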
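Review bot: `hashedPassword = builtins.readFile "/data/nixos/password.secret";` still bakes the hash into the world-readable system closure in /nix/store, which is presumably what moving the file away from /home/root was meant to avoid; NixOS can read it at activation instead with `passwordFile = "/data/nixos/password.secret";` (renamed `hashedPasswordFile` in later releases), which keeps the hash only in /etc/shadow. The same file is reused for the `cullmann` user in the following hunk, so root and the wheel user share one password; since root keeps authorized keys from `/home/cullmann/.ssh/authorized_keys` and the new sshd block no longer sets PermitRootLogin (NixOS's default is prohibit-password, if I recall), root may not need a password at all. Whichever option is used, `/data` must be mounted before activation, which the bind mounts in neko/hardware-configuration.nix appear to ensure.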
diff --git a/neko/configuration.nix b/neko/configuration.nix index fe794fa..7b8f3e8 100644 --- a/neko/configuration.nix +++ b/neko/configuration.nix @@ -1,6 +1,6 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). +# and in the NixOS manual (accessible by running `nixos-help`). { config, pkgs, ... }: @@ -11,10 +11,9 @@ ./hardware-configuration.nix # Shared config of all machines - /home/cullmann/install/nixos/common.nix + /data/nixos/common.nix ]; - # host name & id + # host name networking.hostName = "neko"; - networking.hostId = "eb707291"; } diff --git a/neko/hardware-configuration.nix b/neko/hardware-configuration.nix index 99d8b67..27a1a93 100644 --- a/neko/hardware-configuration.nix +++ b/neko/hardware-configuration.nix 
@@ -9,26 +9,64 @@ ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ "i915" ]; + boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - # Intel ARC - boot.kernelParams = [ "i915.force_probe=56a0" "i915.enable_guc=1" ]; + fileSystems."/" = + { device = "none"; + fsType = "tmpfs"; + }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9CF2-12FF"; + { device = "/dev/disk/by-uuid/D6ED-7B8C"; fsType = "vfat"; }; fileSystems."/boot-fallback" = - { device = "/dev/disk/by-uuid/9CF2-9E07"; + { device = "/dev/disk/by-uuid/D6ED-BC4A"; fsType = "vfat"; }; + boot.initrd.luks.devices."crypt-disk1".device = "/dev/disk/by-uuid/d24c36a7-d39c-4de5-8fc0-33ff0262e964"; + boot.initrd.luks.devices."crypt-disk1".allowDiscards = true; + boot.initrd.luks.devices."crypt-disk1".bypassWorkqueues = true; + boot.initrd.luks.devices."crypt-disk2".device = "/dev/disk/by-uuid/cde8caa0-be38-4ff8-a3b3-aa82bc587550"; + boot.initrd.luks.devices."crypt-disk2".allowDiscards = true; + boot.initrd.luks.devices."crypt-disk2".bypassWorkqueues = true; + + fileSystems."/nix" = + { device = "/dev/mapper/crypt-disk1"; + fsType = "btrfs"; + options = [ "device=/dev/mapper/crypt-disk2" "subvol=nix" "noatime" "compress=zstd" ]; + }; + + fileSystems."/data" = + { device = "/dev/mapper/crypt-disk1"; + fsType = "btrfs"; + options = [ "device=/dev/mapper/crypt-disk2" "subvol=data" "noatime" "compress=zstd" ]; + }; + + fileSystems."/home" = + { device = "/data/home"; + fsType = "none"; + options = [ "bind" ]; + }; + + fileSystems."/root" = + { device = "/data/root"; + fsType = "none"; + options = [ "bind" ]; + }; + + fileSystems."/etc/nixos" = + { device = "/data/nixos/neko"; + fsType = "none"; + options = [ "bind" ]; + }; + swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; 
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; }
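Review bot: `fileSystems."/" = { device = "none"; fsType = "tmpfs"; }` drops the `size=8G` and `mode=755` options the old common.nix root mount had; without `mode=755` the kernel mounts tmpfs with mode 1777, making `/` world-writable (sticky), and without `size=` any user can fill up to half of RAM under the root directory. Restore them: `options = [ "defaults" "size=8G" "mode=755" ];`. `allowDiscards = true` on both LUKS devices leaks which blocks are unused through the encryption layer (the NixOS option text itself points at the LUKS documentation for this); it is a common choice for SSDs, but a one-line comment recording that the trade-off was accepted, e.g. `# TRIM passthrough: leaks free-space layout, accepted for SSD health`, would stop a later reader from "fixing" it either way. The ZFS auto-scrub removed from common.nix has no btrfs counterpart here; `services.btrfs.autoScrub.enable = true;` with `fileSystems = [ "/nix" ]` (the two-device volume both subvolumes live on) would keep the periodic integrity check.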