infra: steal from the best
(Mic92's cluster TUM's infra.)
This commit is contained in:
parent
41aead1a04
commit
107cc6e53f
22 changed files with 951 additions and 0 deletions
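--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake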
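--- a/configurations.nix
+++ b/configurations.nix
@@ -0,0 +1,105 @@
+{ self, ... }:
+let
+inherit
+(self.inputs)
+nixpkgs
+home-manager
+agenix
+nur
+colmena
+flake-registry
+nixos-hardware
+nixpkgs-unstable
+srvos
+disko
+;
+nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+
+colmenaModules = [
+colmena.nixosModules.deploymentOptions
+];
+
+commonModules = [
+{
+_module.args.self = self;
+_module.args.inputs = self.inputs;
+srvos.flake = self;
+}
+# only include admins here for monitoring/backup infrastructure
+./modules/users/admins.nix
+./modules/packages.nix
+./modules/nix-daemon.nix
+./modules/auto-upgrade.nix
+./modules/tor-ssh.nix
+./modules/hosts.nix
+./modules/network.nix
+./modules/zsh.nix
+
+
+disko.nixosModules.disko
+srvos.nixosModules.server
+
+# srvos.nixosModules.mixins-telegraf
+# srvos.nixosModules.mixins-terminfo
+
+agenix.nixosModules.default
+({ pkgs
+, config
+, lib
+, ...
+}: let
+sopsFile = ./. + "/hosts/${config.networking.hostName}.yml";
+in {
+nix.nixPath = [
+"home-manager=${home-manager}"
+"nixpkgs=${pkgs.path}"
+"nur=${nur}"
+];
+# TODO: share nixpkgs for each machine to speed up local evaluation.
+#nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system};
+
+#users.withSops = builtins.pathExists sopsFile;
+#sops.secrets = lib.mkIf (config.users.withSops) {
+# root-password-hash.neededForUsers = true;
+#};
+# sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile;
+
+nix.extraOptions = ''
+flake-registry = ${flake-registry}/flake-registry.json
+'';
+
+nix.registry = {
+home-manager.flake = home-manager;
+nixpkgs.flake = nixpkgs;
+nur.flake = nur;
+};
+time.timeZone = "UTC";
+})
+];
+in
+{
+flake.nixosConfigurations = {
+epyc = nixosSystem {
+system = "x86_64-linux";
+modules =
+commonModules
+++ colmenaModules
+++ [
+./hosts/epyc.nix
+];
+};
+};
+
+flake.colmena = {
+meta.nixpkgs = import nixpkgs {
+system = "x86_64-linux";
+};
+epyc = {
+imports =
+commonModules
+++ [
+./hosts/epyc.nix
+];
+};
+};
+}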
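Review bot: `sopsFile`, the `let` binding inside the inline module, is dead code: every use of it is commented out, and the secrets module actually wired into `commonModules` is `agenix.nixosModules.default`, so the `#users.withSops`/`#sops.*` lines describe a mechanism this configuration does not have. Either drop the binding together with those comments, or replace them with the agenix equivalent, so a reader does not assume a secrets path exists that is never evaluated. The `flake.colmena.epyc.imports` list also repeats the `nixosConfigurations.epyc` module list by hand; a shared `epycModules = commonModules ++ [ ./hosts/epyc.nix ];` in the same `let` would keep the two deployment paths from drifting apart.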
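--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,315 @@
+{
+"nodes": {
+"agenix": {
+"inputs": {
+"darwin": "darwin",
+"home-manager": "home-manager",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1684153753,
+"narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
+"colmena": {
+"inputs": {
+"flake-compat": "flake-compat",
+"flake-utils": "flake-utils",
+"nixpkgs": [
+"nixpkgs"
+],
+"stable": "stable"
+},
+"locked": {
+"lastModified": 1685163780,
+"narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=",
+"owner": "zhaofengli",
+"repo": "colmena",
+"rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf",
+"type": "github"
+},
+"original": {
+"owner": "zhaofengli",
+"repo": "colmena",
+"type": "github"
+}
+},
+"darwin": {
+"inputs": {
+"nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1673295039,
+"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+"owner": "lnl7",
+"repo": "nix-darwin",
+"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+"type": "github"
+},
+"original": {
+"owner": "lnl7",
+"ref": "master",
+"repo": "nix-darwin",
+"type": "github"
+}
+},
+"disko": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1685970051,
+"narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=",
+"owner": "nix-community",
+"repo": "disko",
+"rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "disko",
+"type": "github"
+}
+},
+"flake-compat": {
+"flake": false,
+"locked": {
+"lastModified": 1650374568,
+"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+"owner": "edolstra",
+"repo": "flake-compat",
+"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+"type": "github"
+},
+"original": {
+"owner": "edolstra",
+"repo": "flake-compat",
+"type": "github"
+}
+},
+"flake-parts": {
+"inputs": {
+"nixpkgs-lib": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1685662779,
+"narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
+"type": "github"
+},
+"original": {
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"type": "github"
+}
+},
+"flake-registry": {
+"flake": false,
+"locked": {
+"lastModified": 1682423975,
+"narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=",
+"owner": "NixOS",
+"repo": "flake-registry",
+"rev": "8054bfa00d60437297d670ab3296a117e7059a10",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"repo": "flake-registry",
+"type": "github"
+}
+},
+"flake-utils": {
+"locked": {
+"lastModified": 1659877975,
+"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"home-manager": {
+"inputs": {
+"nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1682203081,
+"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+"owner": "nix-community",
+"repo": "home-manager",
+"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"home-manager_2": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1667907331,
+"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
+"owner": "rycee",
+"repo": "home-manager",
+"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
+"type": "github"
+},
+"original": {
+"owner": "rycee",
+"ref": "release-22.05",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"nixos-hardware": {
+"locked": {
+"lastModified": 1684899633,
+"narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
+"owner": "NixOS",
+"repo": "nixos-hardware",
+"rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"repo": "nixos-hardware",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1685952468,
+"narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "release-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-unstable": {
+"locked": {
+"lastModified": 1685938391,
+"narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nur": {
+"locked": {
+"lastModified": 1685980073,
+"narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=",
+"owner": "nix-community",
+"repo": "NUR",
+"rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "NUR",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"agenix": "agenix",
+"colmena": "colmena",
+"disko": "disko",
+"flake-parts": "flake-parts",
+"flake-registry": "flake-registry",
+"home-manager": "home-manager_2",
+"nixos-hardware": "nixos-hardware",
+"nixpkgs": "nixpkgs",
+"nixpkgs-unstable": "nixpkgs-unstable",
+"nur": "nur",
+"srvos": "srvos"
+}
+},
+"srvos": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1685966850,
+"narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=",
+"owner": "numtide",
+"repo": "srvos",
+"rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "srvos",
+"type": "github"
+}
+},
+"stable": {
+"locked": {
+"lastModified": 1669735802,
+"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "731cc710aeebecbf45a258e977e8b68350549522",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-22.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}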
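--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,108 @@
+{
+description = "NixOS configuration with flakes";
+
+nixConfig.extra-substituters = [
+"https://newtype.cachix.org"
+];
+nixConfig.extra-trusted-public-keys = [
+"newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0="
+];
+
+# To update all inputs:
+# $ nix flake update --recreate-lock-file
+inputs = {
+disko.url = "github:nix-community/disko";
+disko.inputs.nixpkgs.follows = "nixpkgs";
+
+flake-parts.url = "github:hercules-ci/flake-parts";
+flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+
+nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
+nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
+nixos-hardware.url = "github:NixOS/nixos-hardware";
+nur.url = "github:nix-community/NUR";
+
+home-manager.url = "github:rycee/home-manager/release-22.05";
+home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+agenix.url = "github:ryantm/agenix";
+agenix.inputs.nixpkgs.follows = "nixpkgs";
+
+colmena.url = "github:zhaofengli/colmena";
+colmena.inputs.nixpkgs.follows = "nixpkgs";
+
+srvos.url = "github:numtide/srvos";
+# actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
+srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+flake-registry.url = "github:NixOS/flake-registry";
+flake-registry.flake = false;
+};
+
+outputs =
+{ flake-parts
+, ...
+} @ inputs:
+(flake-parts.lib.evalFlakeModule
+{ inherit inputs; }
+({ self, inputs, ... }: {
+systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
+imports = [
+./configurations.nix
+# ./modules/monitoring/flake-module.nix
+# ./pkgs/flake-module.nix
+# ./templates
+];
+perSystem = { self', pkgs, ... }: {
+devShells.default = pkgs.mkShellNoCC {
+buildInputs = [
+pkgs.ipmitool
+pkgs.colmena
+
+pkgs.python3.pkgs.invoke
+#Until nixos-anywhere is packaged
+pkgs.python3.pkgs.deploykit
+pkgs.mypy
+pkgs.pixiecore
+pkgs.dnsmasq
+pkgs.python3.pkgs.netaddr
+pkgs.qemu_kvm
+pkgs.openssh
+pkgs.gitMinimal # for git flakes
+pkgs.rsync
+pkgs.nix
+pkgs.coreutils
+pkgs.curl # when uploading tarballs
+pkgs.gnugrep
+pkgs.findutils
+pkgs.gnused # needed by ssh-copy-id
+# sops dependencies
+pkgs.age
+pkgs.yq-go
+] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd;
+};
+packages = {
+# netboot = pkgs.callPackage ./modules/netboot/netboot.nix {
+# # this nixosSystem is built for x86_64 machines regardless of the host machine
+# pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
+# inherit (inputs.nixpkgs.lib) nixosSystem;
+# extraModules = [
+# self.inputs.nur.nixosModules.nur
+# { _module.args.inputs = self.inputs; }
+# ];
+# };
+
+# netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix {
+# inherit (self'.packages) netboot;
+# };
+};
+};
+flake = {
+hydraJobs = inputs.nixpkgs.lib.mapAttrs' (name: config: inputs.nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.nixosConfigurations // {
+devShells = self.devShells.x86_64-linux.default;
+};
+};
+})).config.flake;
+
+}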
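Review bot: `home-manager.url` pins the `release-22.05` branch while `nixpkgs.url` pins `release-23.05` and home-manager is told to follow that nixpkgs; home-manager checks the nixpkgs release it is evaluated against, so this mismatch is likely to warn on every evaluation, and the lock file shows the input resolving to `home-manager_2` next to the newer `home-manager` that agenix pulls in. `home-manager.url = "github:nix-community/home-manager/release-23.05";` would align the three. Separately, `nixConfig.extra-substituters`/`extra-trusted-public-keys` are only honoured when `accept-flake-config` is set, which `modules/auto-upgrade.nix` passes unconditionally, so whoever can change this flake's `nixConfig` also decides which binary caches every host trusts during its automatic upgrade; a one-line comment above `nixConfig` stating that coupling would help the next maintainer.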
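--- a/hosts/epyc.nix
+++ b/hosts/epyc.nix
@@ -0,0 +1,13 @@
+{
+imports = [
+../modules/ipmi-supermicro.nix
+../modules/hardware/supermicro-H12SSL-i.nix
+];
+
+networking.hostName = "epyc";
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+simd.arch = "znver3";
+system.stateVersion = "23.05";
+}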
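--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }: {
+system.autoUpgrade.enable = true;
+system.autoUpgrade.flake = "git:git.newtype.fr/newtype/newtype-org-configurations";
+system.autoUpgrade.flags = [ "--option" "accept-flake-config" "true" ];
+
+# add a random jitter so not all machines reboot at the same time.
+systemd.timers.auto-reboot.timerConfig.RandomizedDelaySec = 60 * 20;
+
+systemd.services.auto-reboot = {
+path = [ pkgs.systemd pkgs.util-linux ];
+# The last saturday in a month
+startAt = "Sat *-*~07/1";
+script = ''
+booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
+built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+if [ "''${booted}" = "''${built}" ]; then
+echo "No kernel update... skipping reboot"
+else
+# reboot in 24 hours
+msg=$(shutdown -r +${toString (60 * 24)} 2>&1)
+echo "$msg" | wall
+fi
+'';
+};
+}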
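Review bot: `system.autoUpgrade.flake = "git:git.newtype.fr/..."` uses the bare `git` scheme, i.e. the unauthenticated and unencrypted git-daemon transport (and without `//` it may not even parse as a URL; worth checking), so every host would fetch the configuration it then switches to as root over a channel whose origin it cannot verify; `system.autoUpgrade.flake = "git+https://git.newtype.fr/newtype/newtype-org-configurations";` (or `git+ssh://` with a deploy key) makes the fetch authenticated. Because the upgrade also runs with `--option accept-flake-config true`, the fetched flake's `nixConfig` (extra substituters and trusted public keys) is applied without confirmation, which is only acceptable once the transport above is trustworthy; the safer shape is to drop that flag and declare the cache in `nix.settings` explicitly. The reboot script only compares the `initrd`/`kernel`/`kernel-modules` links of the booted and built system, so upgrades that change nothing else never reboot; the comment above `startAt` should say that this is intended.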
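--- a/modules/builder.nix
+++ b/modules/builder.nix
@@ -0,0 +1,11 @@
+{
+users.extraUsers.nix = {
+isNormalUser = true;
+home = "/home/nix";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere"
+];
+uid = 5001;
+};
+nix.settings.trusted-users = [ "nix" ];
+}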
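Review bot: `nix.settings.trusted-users = [ "nix" ]` makes the `nix` account root-equivalent as far as the Nix daemon is concerned (trusted users may override substituters, trusted keys and sandbox settings and import unsigned store paths), so the single `ssh-ed25519 … raito@everywhere` key above it is effectively a root credential for every host, and since this module is imported from `modules/nix-daemon.nix` that means all of them, not only dedicated builders; a comment on the module should say so. For a remote-builder account the key can be confined to the builder protocol with authorized_keys options, e.g. `"restrict,command=\"nix-daemon --stdio\" ssh-ed25519 AAAA… raito@everywhere"`, so a compromised client key cannot open an interactive shell. The key is different from the ones in `modules/users/keys/raito.keys`; a comment naming the machine it lives on would stop it being mistaken for a stale duplicate.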
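--- a/modules/fck-spectr.nix
+++ b/modules/fck-spectr.nix
@@ -0,0 +1,16 @@
+{
+# It may leak your data, but look how FAST it is!1!!
+# https://make-linux-fast-again.com/
+boot.kernelParams = [
+"noibrs"
+"noibpb"
+"nopti"
+"nospectre_v2"
+"nospectre_v1"
+"l1tf=off"
+"nospec_store_bypass_disable"
+"no_stf_barrier"
+"mds=off"
+"mitigations=off"
+];
+}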
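Review bot: Nothing in this commit imports this module (`configurations.nix` and `hosts/epyc.nix` do not reference it), so it is dead configuration that switches off every CPU vulnerability mitigation the moment someone adds it to a host; the header comment should state the only condition under which that is acceptable, namely a host that runs trusted workloads exclusively, which is not the case for a builder (`modules/nix-daemon.nix` advertises `kvm` in `system-features` and the devShell ships `qemu_kvm`). `"mitigations=off"` already implies the individual `nospectre_*`, `nopti`, `l1tf=off`, `mds=off` … switches on current kernels, so the list can shrink to that one entry with a comment naming the kernel series it was checked against.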
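--- a/modules/hardware/supermicro-H12SSL-i.nix
+++ b/modules/hardware/supermicro-H12SSL-i.nix
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.kernelParams = [ "pci=realloc" ];
+boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+
+boot.initrd.systemd.enable = lib.mkForce false;
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/3a81ba8f-f5bb-446c-89a3-ad77e354dae0";
+fsType = "btrfs";
+};
+
+boot.initrd.luks.devices."nixroot" = {
+device = "/dev/disk/by-uuid/c10d2822-cb83-4666-98f8-0aa04be259bc";
+keyFile = "/dev/zero";
+keyFileSize = 1;
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/AFF2-3149";
+fsType = "vfat";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/93e251e1-1bfc-4bd4-8585-ea2eae7795bf"; }
+];
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}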
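Review bot: `boot.initrd.luks.devices."nixroot"` unlocks the root volume with `keyFile = "/dev/zero"; keyFileSize = 1;`, i.e. one constant zero byte as the passphrase, so the LUKS layer provides no confidentiality at rest and anyone holding the disk can open it. If this is deliberate — a placeholder slot so the volume can later be re-keyed, or wiped quickly by destroying the key slot — a comment saying so belongs directly above the block; otherwise the slot should be replaced by a real key (TPM-sealed or delivered to the initrd at boot). The `Do not modify this file!` header is also no longer true: `nixos-generate-config` does not emit `keyFile`/`keyFileSize`, `pci=realloc` or `boot.initrd.systemd.enable = lib.mkForce false`, so the file has been hand-edited and the header should be dropped or rewritten before a future generator run silently discards those lines.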
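--- a/modules/hosts.nix
+++ b/modules/hosts.nix
@@ -0,0 +1,47 @@
+{ lib, config, ... }:
+let
+hostOptions = with lib; {
+ipv4 = mkOption {
+default = null;
+type = types.nullOr types.str;
+description = ''
+own ipv4 address
+'';
+};
+
+ipv6 = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+own ipv6 address
+'';
+};
+};
+in
+{
+options = with lib; {
+networking.newtype.hosts = mkOption {
+type = with types; attrsOf (submodule [{ options = hostOptions; }]);
+description = "A host in our cluster";
+};
+networking.newtype.currentHost = mkOption {
+type = with types; submodule [{ options = hostOptions; }];
+default = config.networking.newtype.hosts.${config.networking.hostName};
+description = "The host that is described by this configuration";
+};
+};
+config = {
+warnings =
+lib.optional (!(config.networking.newtype.hosts ? ${config.networking.hostName}) &&
+config.networking.hostName != "nixos" # we dont care about nixos netboot/installer images
+)
+"Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}";
+
+# usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain
+networking.newtype.hosts = {
+epyc = {
+ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8";
+};
+};
+};
+}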
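Review bot: The `warnings` entry for a host missing from `networking.newtype.hosts` will rarely be seen, because `currentHost` defaults to `config.networking.newtype.hosts.${config.networking.hostName}`, which throws an attribute-missing error as soon as anything reads it (`modules/network.nix` reads `currentHost.ipv6` unconditionally), so evaluation aborts before the warning is printed; `default = config.networking.newtype.hosts.${config.networking.hostName} or { ipv4 = null; ipv6 = null; };` keeps the friendly warning reachable. The comment `usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain` is carried over from the TUM source and does not describe this cluster's `*.infra.newtype.fr` targets; update or drop it. `${./hosts.nix}` inside the warning string copies this file into the store just to print its path; `${toString ./hosts.nix}` prints it without the copy.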
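--- a/modules/ipmi-supermicro.nix
+++ b/modules/ipmi-supermicro.nix
@@ -0,0 +1,7 @@
+{
+# supermicro uses ttyS1 for SOL
+boot.kernelParams = [
+"console=ttyS1,115200n8"
+"console=tty1"
+];
+}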
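--- a/modules/network.nix
+++ b/modules/network.nix
@@ -0,0 +1,49 @@
+{ config
+, lib
+, ...
+}: {
+# use networkd
+networking.dhcpcd.enable = false;
+systemd.network.enable = true;
+
+# add an entry to /etc/hosts for each host
+networking.extraHosts = lib.concatStringsSep "\n" (lib.mapAttrsToList
+(name: host: ''
+${lib.optionalString (host.ipv4 != null) "${host.ipv4} ${name}"}
+${lib.optionalString (host.ipv6 != null) "${host.ipv6} ${name}"}
+'')
+config.networking.newtype.hosts);
+
+# leave container interfaces alone
+systemd.network.networks."05-veth".extraConfig = ''
+[Match]
+Driver = veth
+
+[Link]
+Unmanaged = yes
+'';
+
+systemd.network.networks."10-nat-lan" = {
+matchConfig.Name = "nat-lan";
+linkConfig.RequiredForOnline = true;
+DHCP = "yes";
+};
+
+systemd.network.links."10-nat-lan" = {
+matchConfig.MACAddress = "3c:ec:ef:7e:bd:c8";
+linkConfig.Name = "nat-lan";
+};
+
+systemd.network.networks."10-wan" = {
+matchConfig.Name = "wan";
+linkConfig.RequiredForOnline = true;
+networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
+};
+
+systemd.network.links."10-wan" = {
+matchConfig.MACAddress = "3c:ec:ef:7e:bd:c9";
+linkConfig.Name = "wan";
+};
+
+deployment.targetHost = "${config.networking.hostName}.infra.newtype.fr";
+}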
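Review bot: `networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ]` puts a `nullOr str` option straight into a networkd list, so a host whose entry in `modules/hosts.nix` has no `ipv6` (the option defaults to `null`) fails the module type check instead of simply getting no static address; `networkConfig.Address = lib.optional (config.networking.newtype.currentHost.ipv6 != null) config.networking.newtype.currentHost.ipv6;` keeps the list empty in that case. The `10-wan` address carries no prefix length and the network declares no `Gateway=`, yet `RequiredForOnline = true` is set; if the default route is expected from router advertisements, a comment next to `networkConfig.Address` saying so would spare the next reader that investigation. The `extraHosts` generator also emits an empty line for every host that has only one of the two addresses, which is harmless for `/etc/hosts` but worth a `lib.filter` if the string is ever reused.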
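--- a/modules/nix-daemon.nix
+++ b/modules/nix-daemon.nix
@@ -0,0 +1,60 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+
+let
+gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ]
+++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
+in
+{
+options = {
+simd.arch = lib.mkOption {
+type = with lib.types; nullOr str;
+default = null;
+description = ''
+Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features.
+Can be determined with: gcc -march=native -Q --help=target | grep march
+'';
+};
+};
+
+imports = [ ./builder.nix ];
+
+config = {
+warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ];
+
+nix = {
+gc.automatic = true;
+gc.dates = "03:15";
+gc.options = "--delete-older-than 30d";
+
+# 2.11, 2.12 suffers from a bug with remote builders…
+package = pkgs.nixVersions.nix_2_13;
+
+# should be enough?
+nrBuildUsers = lib.mkDefault 32;
+
+# https://github.com/NixOS/nix/issues/719
+
+settings = {
+keep-outputs = true;
+keep-derivations = true;
+# in zfs we trust
+fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs");
+substituters = [
+"https://nix-community.cachix.org"
+"https://tum-dse.cachix.org"
+];
+system-features = [ "benchmark" "big-parallel" "kvm" "nixos-test" ] ++ gcc-system-features config.simd.arch;
+trusted-public-keys = [
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+"tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM="
+];
+};
+};
+
+nixpkgs.config.allowUnfree = true;
+};
+}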
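Review bot: `fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs")` does not compute the boolean it reads as: in Nix `or` is the attribute-default operator rather than logical or, and `!` binds tighter than `!=`, so the expression parses as `(!(config.boot.isContainer or …)) != "zfs"`, a boolean compared with a string, which is always `true`; the setting is therefore unconditionally `"true"` and the `in zfs we trust` comment is misleading. If the intent is to skip metadata fsync only on a bare-metal zfs root, write `fsync-metadata = lib.boolToString (config.boot.isContainer || config.fileSystems."/".fsType != "zfs");` and confirm the intended condition with whoever wrote the original. `substituters`/`trusted-public-keys` also add `tum-dse.cachix.org` next to `nix-community`: every host will then accept any store path signed with that key, so trusting a cache this organisation does not operate is a supply-chain decision that deserves a comment, or removal if no TUM-built paths are actually needed.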
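--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+# this extends the list from:
+# https://github.com/numtide/srvos/blob/master/server.nix#L10
+environment.systemPackages = with pkgs; [
+socat
+whois
+
+jq
+psmisc
+libarchive
+sipcalc
+iperf
+openssl
+binutils
+file
+wget
+htop
+ripgrep
+lsof
+tcpdump
+rsync
+git
+tig
+lazygit
+python3
+iotop
+man-pages
+netcat
+mtr
+(neovim.override { vimAlias = true; })
+
+pciutils
+ethtool
+usbutils
+
+ipmitool
+# tries to default to soft-float due to out-dated cc-rs
+] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;
+}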
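Review bot: `lib` and `stdenv` in `] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;` are resolved through the preceding `with pkgs;`, whose scope extends over the whole `++` expression, not from the module arguments (the header binds only `pkgs`); that evaluates correctly but hides where the names come from. Either add `lib` to the argument set (`{ pkgs, lib, ... }:`) or write the tail as `pkgs.lib.optional (!pkgs.stdenv.hostPlatform.isRiscV) pkgs.bandwhich` outside the `with`. The header comment could also mention that the base list it extends is installed by `srvos.nixosModules.server`, which `configurations.nix` adds to `commonModules`.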
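--- a/modules/tor-ssh.nix
+++ b/modules/tor-ssh.nix
@@ -0,0 +1,18 @@
+{
+# imports = [ ./sshd ];
+services.tor = {
+enable = true;
+relay.onionServices."ssh".map = [{ port = 22; }];
+
+settings = {
+DnsPort = 9053;
+AutomapHostsOnResolve = true;
+AutomapHostsSuffixes = [ ".exit" ".onion" ];
+EnforceDistinctSubnets = true;
+ExitNodes = "{fr}";
+EntryNodes = "{fr}";
+NewCircuitPeriod = 120;
+DNSPort = 9053;
+};
+};
+}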
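Review bot: `DnsPort = 9053;` and `DNSPort = 9053;` name the same Tor option (tor matches option names case-insensitively), so the settings set emits it twice; keep only `DNSPort = 9053;`, otherwise tor may either reject the duplicate or try to open the listener twice, depending on the version. The module exposes sshd as an onion service (`relay.onionServices."ssh".map = [{ port = 22; }]`) while the hardened sshd import stays commented out (`# imports = [ ./sshd ];`), so the daemon becomes reachable with no network-level filtering in front of it; a comment should state which sshd policy (key-only, no password authentication) is assumed to come from `srvos.nixosModules.server` so that assumption is checked when the srvos pin moves. `ExitNodes`/`EntryNodes = "{fr}"` and the `Automap*` knobs configure the client side and have nothing to do with serving the onion service; pinning both ends of every circuit to one country shrinks the relay pool and deserves a comment explaining why it is wanted on a server.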
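--- a/modules/users/admins.nix
+++ b/modules/users/admins.nix
@@ -0,0 +1,70 @@
+{ config
+, lib
+, ...
+}:
+let
+extraGroups = [ "wheel" "docker" "plugdev" "vboxusers" "adbusers" "input" ];
+in
+{
+config = {
+users.users = {
+# Ryan Lahfa
+raito = {
+isNormalUser = true;
+home = "/home/raito";
+inherit extraGroups;
+shell = "/run/current-system/sw/bin/zsh";
+uid = 1000;
+openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ];
+};
+
+# Julien Malka
+luj = {
+isNormalUser = true;
+home = "/home/luj";
+inherit (config.users.users.raito) extraGroups;
+shell = "/run/current-system/sw/bin/zsh";
+uid = 1001;
+openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];
+};
+
+# Gabriel Doriath Döhler
+gdd = {
+isNormalUser = true;
+home = "/home/gdd";
+inherit (config.users.users.raito) extraGroups;
+shell = "/run/current-system/sw/bin/zsh";
+uid = 1002;
+openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ];
+};
+
+# Samy Lahfa
+akechi = {
+isNormalUser = true;
+home = "/home/akechi";
+inherit (config.users.users.raito) extraGroups;
+shell = "/run/current-system/sw/bin/zsh";
+uid = 1003;
+openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ];
+};
+
+# Tom Hubrecht
+tomate = {
+isNormalUser = true;
+home = "/home/tomate";
+inherit (config.users.users.raito) extraGroups;
+shell = "/run/current-system/sw/bin/zsh";
+uid = 1004;
+openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ];
+};
+
+root = {
+hashedPassword = "$y$j9T$LiCWsEVrg9FlcEwuDGsol.$ghfkPkQGoAt23hI6.vWNLrSdHDnVwxg8EE/2w2pRbT6";
+# passwordFile = lib.mkIf config.users.withSops config.sops.secrets.root-password-hash.path;
+openssh.authorizedKeys.keyFiles = lib.concatMap (user: config.users.users.${user}.openssh.authorizedKeys.keyFiles) [ "raito" "luj" "gdd" "akechi" "tomate" ];
+};
+};
+
+nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" ];
+};
+}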
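Review bot: `users.users.root.hashedPassword` commits the root password hash to the repository, where anyone with read access can run it through an offline guesser and the `auto-upgrade` module copies it onto every host; the commented `passwordFile` line shows the intended design, and since `agenix.nixosModules.default` is already in `commonModules` the hash belongs in an age-encrypted secret referenced as `passwordFile = config.age.secrets.root-password-hash.path;` (and the current password should be rotated, as its hash is now public). `extraGroups` grants `docker`, `vboxusers`, `adbusers`, `plugdev` and `input` to all five admins through a server module: `docker` is root-equivalent on any host that runs the daemon and the others are desktop groups, so `[ "wheel" ]` is enough here, with the rest added per host where the service actually exists. Pooling every admin's keys into `root.openssh.authorizedKeys.keyFiles` is a deliberate choice but deserves a comment saying that root logs in directly, and the admin name list is spelled out twice (`concatMap … [ "raito" … ]` and `trusted-users`); a single `admins = [ … ];` binding in the `let` would remove the duplicate to keep in sync when someone is offboarded.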
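--- a/modules/users/keys/akechi.keys
+++ b/modules/users/keys/akechi.keys
@@ -0,0 +1,2 @@
+ssh-rsa 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
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5vbxUd8I+uF/OY/PpPhSzrLN14Waq82uyQXNPYpHjA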
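--- a/modules/users/keys/gdd.keys
+++ b/modules/users/keys/gdd.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc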
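--- a/modules/users/keys/luj.keys
+++ b/modules/users/keys/luj.keys
@@ -0,0 +1,11 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpGHx430EpJmbtJc8+lF1CpQ1gXeHT9OeZ08O8yzohF
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaCGndojnmS5IoqHVMEPRfKuBZotMyqo7wNkAZJWigp
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22
+ssh-rsa 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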
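--- a/modules/users/keys/raito.keys
+++ b/modules/users/keys/raito.keys
@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU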
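--- a/modules/users/keys/tomate.keys
+++ b/modules/users/keys/tomate.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3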
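--- a/modules/zsh.nix
+++ b/modules/zsh.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+programs.zsh.enable = true;
+programs.zsh.enableCompletion = true;
+programs.zsh.enableGlobalCompInit = false;
+programs.zsh.interactiveShellInit = ''
+source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh
+'';
+}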