fixup neko config for tmpfs/btrfs/luks
This commit is contained in:
parent
8c5b984620
commit
a9eecc6d9a
133
common.nix
133
common.nix
|
@ -19,16 +19,18 @@ in
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It's perfectly fine and recommended to leave
|
||||||
# this value at the release version of the first install of this system.
|
# this value at the release version of the first install of this system.
|
||||||
# Before changing this value read the documentation for this option
|
# Before changing this value read the documentation for this option
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
system.stateVersion = "22.11"; # Did you read the comment?
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
# use the latest kernel
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
boot.loader.efi.efiSysMountPoint = "/boot";
|
|
||||||
|
|
||||||
# use a high resolution
|
# use a high resolution
|
||||||
boot.loader.systemd-boot.consoleMode = "max";
|
boot.loader.systemd-boot.consoleMode = "max";
|
||||||
|
@ -39,52 +41,6 @@ in
|
||||||
# setup the console stuff early
|
# setup the console stuff early
|
||||||
console.earlySetup = true;
|
console.earlySetup = true;
|
||||||
|
|
||||||
# zfs & NTFS for Windows stuff
|
|
||||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
|
||||||
boot.supportedFilesystems = [ "zfs" "ntfs" ];
|
|
||||||
services.zfs.autoScrub.enable = true;
|
|
||||||
services.zfs.trim.enable = true;
|
|
||||||
|
|
||||||
# persistent nix
|
|
||||||
fileSystems."/nix" = {
|
|
||||||
device = "zroot/nix";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
# persistent homes
|
|
||||||
fileSystems."/home" = {
|
|
||||||
device = "zroot/home";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
# non persistent root
|
|
||||||
fileSystems."/" = {
|
|
||||||
device = "none";
|
|
||||||
fsType = "tmpfs";
|
|
||||||
options = [ "defaults" "size=8G" "mode=755" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# bind mount persistent nixos config, per host different
|
|
||||||
fileSystems."/etc/nixos" = {
|
|
||||||
device = "/home/cullmann/install/nixos/${config.networking.hostName}";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# bind mount persistent root home
|
|
||||||
fileSystems."/root" = {
|
|
||||||
device = "/home/root";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# some stuff is needed to early for environment.persistence
|
|
||||||
environment.etc = {
|
|
||||||
# stable host keys
|
|
||||||
"ssh/ssh_host_rsa_key".source = "/nix/persistent/ssh_host_rsa_key";
|
|
||||||
"ssh/ssh_host_rsa_key.pub".source = "/nix/persistent/ssh_host_rsa_key.pub";
|
|
||||||
"ssh/ssh_host_ed25519_key".source = "/nix/persistent/ssh_host_ed25519_key";
|
|
||||||
"ssh/ssh_host_ed25519_key.pub".source = "/nix/persistent/ssh_host_ed25519_key.pub";
|
|
||||||
};
|
|
||||||
|
|
||||||
# keep some stuff persistent
|
# keep some stuff persistent
|
||||||
environment.persistence."/nix/persistent" = {
|
environment.persistence."/nix/persistent" = {
|
||||||
directories = [
|
directories = [
|
||||||
|
@ -104,41 +60,25 @@ in
|
||||||
|
|
||||||
# ensure firewall is up, allow ssh and http in
|
# ensure firewall is up, allow ssh and http in
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
networking.firewall.allowedTCPPorts = [ 22 80 ];
|
networking.firewall.logRefusedConnections = false;
|
||||||
|
|
||||||
# secure dns with local resolve via fritz.box
|
# OpenSSH daemon config
|
||||||
networking = {
|
services.openssh = {
|
||||||
nameservers = [ "127.0.0.1" "::1" ];
|
# enable with public key only auth
|
||||||
dhcpcd.extraConfig = "nohook resolv.conf";
|
|
||||||
resolvconf.useLocalResolver = true;
|
|
||||||
};
|
|
||||||
environment.etc = {
|
|
||||||
forwarding_rules = {
|
|
||||||
text = ''
|
|
||||||
fritz.box 192.168.13.1
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.dnscrypt-proxy2 = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings.PasswordAuthentication = false;
|
||||||
ipv6_servers = true;
|
settings.KbdInteractiveAuthentication = false;
|
||||||
require_dnssec = true;
|
|
||||||
sources.public-resolvers = {
|
# only ed25519 keys, make them persistent
|
||||||
urls = [
|
hostKeys = [{
|
||||||
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
|
path = "/nix/persistent/ssh_host_ed25519_key";
|
||||||
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
|
type = "ed25519";
|
||||||
];
|
}];
|
||||||
cache_file = "/nix/persistent/public-resolvers.md";
|
|
||||||
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
|
||||||
};
|
|
||||||
forwarding_rules = "/etc/forwarding_rules";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services.dnscrypt-proxy2.serviceConfig = {
|
|
||||||
StateDirectory = "dnscrypt-proxy";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# guard the ssh service
|
||||||
|
services.sshguard.enable = true;
|
||||||
|
|
||||||
# block some crap, see https://github.com/StevenBlack/hosts#nixos
|
# block some crap, see https://github.com/StevenBlack/hosts#nixos
|
||||||
networking.extraHosts = let
|
networking.extraHosts = let
|
||||||
hostsPath = https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts;
|
hostsPath = https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts;
|
||||||
|
@ -305,14 +245,6 @@ in
|
||||||
# proper lutris gaming for 32-bit stuff
|
# proper lutris gaming for 32-bit stuff
|
||||||
hardware.opengl.driSupport32Bit = true;
|
hardware.opengl.driSupport32Bit = true;
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
startWhenNeeded = true;
|
|
||||||
settings.PasswordAuthentication = false;
|
|
||||||
settings.PermitRootLogin = "yes";
|
|
||||||
};
|
|
||||||
|
|
||||||
# virus scanner, we only want the updater running
|
# virus scanner, we only want the updater running
|
||||||
services.clamav.updater.enable = true;
|
services.clamav.updater.enable = true;
|
||||||
|
|
||||||
|
@ -334,8 +266,8 @@ in
|
||||||
from = "noreply@home.local";
|
from = "noreply@home.local";
|
||||||
host = "babylon2k.com";
|
host = "babylon2k.com";
|
||||||
port = "587";
|
port = "587";
|
||||||
user = builtins.readFile "/home/root/nixos/mailuser";
|
user = builtins.readFile "/data/nixos/mailuser.secret";
|
||||||
password = builtins.readFile "/home/root/nixos/mailpassword";
|
password = builtins.readFile "/data/nixos/mailpassword.secret";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
defaults = {
|
defaults = {
|
||||||
|
@ -352,20 +284,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# allow the ZFS service to send mails
|
|
||||||
services.zfs.zed.settings = {
|
|
||||||
ZED_DEBUG_LOG = "/tmp/zed.debug.log";
|
|
||||||
ZED_EMAIL_ADDR = [ "root" ];
|
|
||||||
ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
|
|
||||||
ZED_EMAIL_OPTS = "@ADDRESS@";
|
|
||||||
|
|
||||||
ZED_NOTIFY_INTERVAL_SECS = 3600;
|
|
||||||
ZED_NOTIFY_VERBOSE = true;
|
|
||||||
|
|
||||||
ZED_USE_ENCLOSURE_LEDS = true;
|
|
||||||
ZED_SCRUB_AFTER_RESILVER = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# use ZSH per default
|
# use ZSH per default
|
||||||
users.defaultUserShell = pkgs.zsh;
|
users.defaultUserShell = pkgs.zsh;
|
||||||
|
|
||||||
|
@ -397,9 +315,6 @@ in
|
||||||
Defaults lecture = never
|
Defaults lecture = never
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# use some small web server to have easy file sharing at home
|
|
||||||
services.nginx.enable = true;
|
|
||||||
|
|
||||||
# no need for upower
|
# no need for upower
|
||||||
services.upower.enable = pkgs.lib.mkForce false;
|
services.upower.enable = pkgs.lib.mkForce false;
|
||||||
|
|
||||||
|
@ -422,7 +337,7 @@ in
|
||||||
|
|
||||||
users.users.root = {
|
users.users.root = {
|
||||||
# init password
|
# init password
|
||||||
hashedPassword = builtins.readFile "/home/root/nixos/passwd";
|
hashedPassword = builtins.readFile "/data/nixos/password.secret";
|
||||||
|
|
||||||
# use same keys as my main user
|
# use same keys as my main user
|
||||||
openssh.authorizedKeys.keys = pkgs.lib.splitString "\n" (builtins.readFile "/home/cullmann/.ssh/authorized_keys");
|
openssh.authorizedKeys.keys = pkgs.lib.splitString "\n" (builtins.readFile "/home/cullmann/.ssh/authorized_keys");
|
||||||
|
@ -462,7 +377,7 @@ in
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
|
|
||||||
# init password
|
# init password
|
||||||
hashedPassword = builtins.readFile "/home/root/nixos/passwd";
|
hashedPassword = builtins.readFile "/data/nixos/password.secret";
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager.users.cullmann = { pkgs, ... }: {
|
home-manager.users.cullmann = { pkgs, ... }: {
|
||||||
|
|
|
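Review bot: `password = builtins.readFile "/data/nixos/mailpassword.secret";` (hunk @ -334) and `hashedPassword = builtins.readFile "/data/nixos/password.secret";` (hunks @ -422 and @ -462) read the secret at evaluation time, so its content is baked into the generated msmtp configuration and the user spec inside the world-readable Nix store; the new `.secret` suffix and the move to `/data` do not change that. For the msmtp account, `passwordeval = "cat /data/nixos/mailpassword.secret";` keeps the secret out of the store, and for the two user blocks `passwordFile = "/data/nixos/password.secret";` (or its successor `hashedPasswordFile` on newer NixOS) does the same; the enclosing `users.users` attrsets start outside their hunks. Separately, `hostKeys = [{ path = "/nix/persistent/ssh_host_ed25519_key"; type = "ed25519"; }]` (hunk @ -104) is the one secret path left on `/nix/persistent` while everything else moved to `/data/nixos`; if that file does not exist on the rebuilt host, the sshd pre-start presumably generates a fresh key and clients will see a host-key change, so a comment such as `# lives on the persistent subvolume; losing it changes the host key` would document the dependency.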
@ -1,6 +1,6 @@
|
||||||
# Edit this configuration file to define what should be installed on
|
# Edit this configuration file to define what should be installed on
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
# your system. Help is available in the configuration.nix(5) man page
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
# and in the NixOS manual (accessible by running `nixos-help`).
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
@ -11,10 +11,9 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
# Shared config of all machines
|
# Shared config of all machines
|
||||||
/home/cullmann/install/nixos/common.nix
|
/data/nixos/common.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# host name & id
|
# host name
|
||||||
networking.hostName = "neko";
|
networking.hostName = "neko";
|
||||||
networking.hostId = "eb707291";
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,26 +9,64 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
boot.initrd.kernelModules = [ "i915" ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
# Intel ARC
|
fileSystems."/" =
|
||||||
boot.kernelParams = [ "i915.force_probe=56a0" "i915.enable_guc=1" ];
|
{ device = "none";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/9CF2-12FF";
|
{ device = "/dev/disk/by-uuid/D6ED-7B8C";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot-fallback" =
|
fileSystems."/boot-fallback" =
|
||||||
{ device = "/dev/disk/by-uuid/9CF2-9E07";
|
{ device = "/dev/disk/by-uuid/D6ED-BC4A";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
boot.initrd.luks.devices."crypt-disk1".device = "/dev/disk/by-uuid/d24c36a7-d39c-4de5-8fc0-33ff0262e964";
|
||||||
|
boot.initrd.luks.devices."crypt-disk1".allowDiscards = true;
|
||||||
|
boot.initrd.luks.devices."crypt-disk1".bypassWorkqueues = true;
|
||||||
|
boot.initrd.luks.devices."crypt-disk2".device = "/dev/disk/by-uuid/cde8caa0-be38-4ff8-a3b3-aa82bc587550";
|
||||||
|
boot.initrd.luks.devices."crypt-disk2".allowDiscards = true;
|
||||||
|
boot.initrd.luks.devices."crypt-disk2".bypassWorkqueues = true;
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/mapper/crypt-disk1";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "device=/dev/mapper/crypt-disk2" "subvol=nix" "noatime" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/data" =
|
||||||
|
{ device = "/dev/mapper/crypt-disk1";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "device=/dev/mapper/crypt-disk2" "subvol=data" "noatime" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/home" =
|
||||||
|
{ device = "/data/home";
|
||||||
|
fsType = "none";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/root" =
|
||||||
|
{ device = "/data/root";
|
||||||
|
fsType = "none";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/etc/nixos" =
|
||||||
|
{ device = "/data/nixos/neko";
|
||||||
|
fsType = "none";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
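Review bot: The new `fileSystems."/"` (hunk @ -9) mounts tmpfs with no `options`, so it gets the kernel's default tmpfs mode `1777` and the root directory becomes world-writable with the sticky bit; the common.nix block deleted by this same commit avoided that with `options = [ "defaults" "size=8G" "mode=755" ];`, and at least `"mode=755"` should be carried over here. Without it any unprivileged account can create arbitrary top-level entries under `/`, which is also the kind of condition permission checks in other services tend to reject. The `allowDiscards = true` lines on both LUKS devices are a deliberate trade-off (TRIM passes through the encryption layer and exposes the free-space layout of the disk); a one-line comment such as `# allowDiscards: TRIM reaches the SSD, reveals free-space layout; accepted` would record that decision next to the setting. The enclosing module body begins before this hunk.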