From 107cc6e53fe7d4a171bb3e6ea5722503126cd5b6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 5 Jun 2023 17:50:07 +0200 Subject: [PATCH] infra: steal from the best (Mic92's cluster TUM's infra.) --- .envrc | 1 + configurations.nix | 105 ++++++++ flake.lock | 315 +++++++++++++++++++++++ flake.nix | 108 ++++++++ hosts/epyc.nix | 13 + modules/auto-upgrade.nix | 25 ++ modules/builder.nix | 11 + modules/fck-spectr.nix | 16 ++ modules/hardware/supermicro-H12SSL-i.nix | 41 +++ modules/hosts.nix | 47 ++++ modules/ipmi-supermicro.nix | 7 + modules/network.nix | 49 ++++ modules/nix-daemon.nix | 60 +++++ modules/packages.nix | 39 +++ modules/tor-ssh.nix | 18 ++ modules/users/admins.nix | 70 +++++ modules/users/keys/akechi.keys | 2 + modules/users/keys/gdd.keys | 1 + modules/users/keys/luj.keys | 11 + modules/users/keys/raito.keys | 3 + modules/users/keys/tomate.keys | 1 + modules/zsh.nix | 8 + 22 files changed, 951 insertions(+) create mode 100644 .envrc create mode 100644 configurations.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/epyc.nix create mode 100644 modules/auto-upgrade.nix create mode 100644 modules/builder.nix create mode 100644 modules/fck-spectr.nix create mode 100644 modules/hardware/supermicro-H12SSL-i.nix create mode 100644 modules/hosts.nix create mode 100644 modules/ipmi-supermicro.nix create mode 100644 modules/network.nix create mode 100644 modules/nix-daemon.nix create mode 100644 modules/packages.nix create mode 100644 modules/tor-ssh.nix create mode 100644 modules/users/admins.nix create mode 100644 modules/users/keys/akechi.keys create mode 100644 modules/users/keys/gdd.keys create mode 100644 modules/users/keys/luj.keys create mode 100644 modules/users/keys/raito.keys create mode 100644 modules/users/keys/tomate.keys create mode 100644 modules/zsh.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake 
diff --git a/configurations.nix b/configurations.nix new file mode 100644 index 0000000..caaed52 --- /dev/null +++ b/configurations.nix 
@@ -0,0 +1,105 @@ +{ self, ... }: +let + inherit + (self.inputs) + nixpkgs + home-manager + agenix + nur + colmena + flake-registry + nixos-hardware + nixpkgs-unstable + srvos + disko + ; + nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; + + colmenaModules = [ + colmena.nixosModules.deploymentOptions + ]; + + commonModules = [ + { + _module.args.self = self; + _module.args.inputs = self.inputs; + srvos.flake = self; + } + # only include admins here for monitoring/backup infrastructure + ./modules/users/admins.nix + ./modules/packages.nix + ./modules/nix-daemon.nix + ./modules/auto-upgrade.nix + ./modules/tor-ssh.nix + ./modules/hosts.nix + ./modules/network.nix + ./modules/zsh.nix + + + disko.nixosModules.disko + srvos.nixosModules.server + + # srvos.nixosModules.mixins-telegraf + # srvos.nixosModules.mixins-terminfo + + agenix.nixosModules.default + ({ pkgs + , config + , lib + , ... + }: let + sopsFile = ./. + "/hosts/${config.networking.hostName}.yml"; + in { + nix.nixPath = [ + "home-manager=${home-manager}" + "nixpkgs=${pkgs.path}" + "nur=${nur}" + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. 
+ #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; + + #users.withSops = builtins.pathExists sopsFile; + #sops.secrets = lib.mkIf (config.users.withSops) { + # root-password-hash.neededForUsers = true; + #}; + # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile; + + nix.extraOptions = '' + flake-registry = ${flake-registry}/flake-registry.json + ''; + + nix.registry = { + home-manager.flake = home-manager; + nixpkgs.flake = nixpkgs; + nur.flake = nur; + }; + time.timeZone = "UTC"; + }) + ]; +in +{ + flake.nixosConfigurations = { + epyc = nixosSystem { + system = "x86_64-linux"; + modules = + commonModules + ++ colmenaModules + ++ [ + ./hosts/epyc.nix + ]; + }; + }; + + flake.colmena = { + meta.nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + epyc = { + imports = + commonModules + ++ [ + ./hosts/epyc.nix + ]; + }; + }; +} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..1e7db14 --- /dev/null +++ b/flake.lock 
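Review bot: `sopsFile` is bound in the inner module's `let` but every use of it (`users.withSops`, `sops.secrets`, `sops.defaultSopsFile`) is commented out, and the same module takes `lib` without using it, so a reader is led to believe sops is wired up when it is not. Either drop the binding and the commented block, or replace them with one line such as `# secrets are provided by agenix.nixosModules.default (imported below), not sops` so the choice is explicit. The `# only include admins here for monitoring/backup infrastructure` comment above `./modules/users/admins.nix` appears to be carried over from the upstream cluster config and does not match what admins.nix does in this commit (every listed admin gets root SSH and trusted-user status), so it should be rewritten or removed.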
@@ -0,0 +1,315 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684153753, + "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1685163780, + "narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685970051, + "narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=", + "owner": "nix-community", + "repo": "disko", + "rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": 
"b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685662779, + "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-registry": { + "flake": false, + "locked": { + "lastModified": 1682423975, + "narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=", + "owner": "NixOS", + "repo": "flake-registry", + "rev": "8054bfa00d60437297d670ab3296a117e7059a10", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-registry", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1667907331, + "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=", + "owner": "rycee", + "repo": "home-manager", + "rev": "6639e3a837fc5deb6f99554072789724997bc8e5", + "type": 
"github" + }, + "original": { + "owner": "rycee", + "ref": "release-22.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1684899633, + "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1685952468, + "narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1685938391, + "narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1685980073, + "narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=", + "owner": "nix-community", + "repo": "NUR", + "rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "colmena": "colmena", + "disko": "disko", + "flake-parts": "flake-parts", + "flake-registry": "flake-registry", + "home-manager": "home-manager_2", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "nur": "nur", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685966850, + 
"narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=", + "owner": "numtide", + "repo": "srvos", + "rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + }, + "stable": { + "locked": { + "lastModified": 1669735802, + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..13302ee --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,108 @@ +{ + description = "NixOS configuration with flakes"; + + nixConfig.extra-substituters = [ + "https://newtype.cachix.org" + ]; + nixConfig.extra-trusted-public-keys = [ + "newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0=" + ]; + + # To update all inputs: + # $ nix flake update --recreate-lock-file + inputs = { + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + + flake-parts.url = "github:hercules-ci/flake-parts"; + flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; + + nixpkgs.url = "github:NixOS/nixpkgs/release-23.05"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + + nixos-hardware.url = "github:NixOS/nixos-hardware"; + nur.url = "github:nix-community/NUR"; + + home-manager.url = "github:rycee/home-manager/release-22.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + + colmena.url = "github:zhaofengli/colmena"; + colmena.inputs.nixpkgs.follows = "nixpkgs"; + + srvos.url = "github:numtide/srvos"; + # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + flake-registry.url = "github:NixOS/flake-registry"; + flake-registry.flake = false; + }; + + outputs = + { flake-parts + , ... + } @ inputs: + (flake-parts.lib.evalFlakeModule + { inherit inputs; } + ({ self, inputs, ... }: { + systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ]; + imports = [ + ./configurations.nix + # ./modules/monitoring/flake-module.nix + # ./pkgs/flake-module.nix + # ./templates + ]; + perSystem = { self', pkgs, ... 
}: { + devShells.default = pkgs.mkShellNoCC { + buildInputs = [ + pkgs.ipmitool + pkgs.colmena + + pkgs.python3.pkgs.invoke + #Until nixos-anywhere is packaged + pkgs.python3.pkgs.deploykit + pkgs.mypy + pkgs.pixiecore + pkgs.dnsmasq + pkgs.python3.pkgs.netaddr + pkgs.qemu_kvm + pkgs.openssh + pkgs.gitMinimal # for git flakes + pkgs.rsync + pkgs.nix + pkgs.coreutils + pkgs.curl # when uploading tarballs + pkgs.gnugrep + pkgs.findutils + pkgs.gnused # needed by ssh-copy-id + # sops dependencies + pkgs.age + pkgs.yq-go + ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd; + }; + packages = { + # netboot = pkgs.callPackage ./modules/netboot/netboot.nix { + # # this nixosSystem is built for x86_64 machines regardless of the host machine + # pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + # inherit (inputs.nixpkgs.lib) nixosSystem; + # extraModules = [ + # self.inputs.nur.nixosModules.nur + # { _module.args.inputs = self.inputs; } + # ]; + # }; + + # netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix { + # inherit (self'.packages) netboot; + # }; + }; + }; + flake = { + hydraJobs = inputs.nixpkgs.lib.mapAttrs' (name: config: inputs.nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.nixosConfigurations // { + devShells = self.devShells.x86_64-linux.default; + }; + }; + })).config.flake; + +} diff --git a/hosts/epyc.nix b/hosts/epyc.nix new file mode 100644 index 0000000..029b051 --- /dev/null +++ b/hosts/epyc.nix @@ -0,0 +1,13 @@ +{ + imports = [ + ../modules/ipmi-supermicro.nix + ../modules/hardware/supermicro-H12SSL-i.nix + ]; + + networking.hostName = "epyc"; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + simd.arch = "znver3"; + system.stateVersion = "23.05"; +} diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix new file mode 100644 index 0000000..ef3f0db --- /dev/null +++ b/modules/auto-upgrade.nix 
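Review bot: `home-manager.url` pins `release-22.05` while `nixpkgs.url` pins `release-23.05` and `home-manager.inputs.nixpkgs.follows = "nixpkgs"`, so home-manager's modules would be evaluated against a nixpkgs two releases newer than the one they target; if the input is meant to stay (configurations.nix only exposes it through `nix.nixPath` and `nix.registry`), bump it to `home-manager.url = "github:nix-community/home-manager/release-23.05";`, otherwise drop it. The `nixConfig.extra-substituters`/`extra-trusted-public-keys` block only takes effect when the evaluating user accepts the flake's config, which auto-upgrade.nix does unattended via `--option accept-flake-config true`; a comment here noting that this key is therefore trusted automatically by every host would make that coupling visible. `description = "NixOS configuration with flakes"` is generic enough to be unhelpful in `nix flake metadata` output; naming the organisation would help.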
@@ -0,0 +1,25 @@ +{ pkgs, ... }: { + system.autoUpgrade.enable = true; + system.autoUpgrade.flake = "git:git.newtype.fr/newtype/newtype-org-configurations"; + system.autoUpgrade.flags = [ "--option" "accept-flake-config" "true" ]; + + # add a random jitter so not all machines reboot at the same time. + systemd.timers.auto-reboot.timerConfig.RandomizedDelaySec = 60 * 20; + + systemd.services.auto-reboot = { + path = [ pkgs.systemd pkgs.util-linux ]; + # The last saturday in a month + startAt = "Sat *-*~07/1"; + script = '' + booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + if [ "''${booted}" = "''${built}" ]; then + echo "No kernel update... skipping reboot" + else + # reboot in 24 hours + msg=$(shutdown -r +${toString (60 * 24)} 2>&1) + echo "$msg" | wall + fi + ''; + }; +} diff --git a/modules/builder.nix b/modules/builder.nix new file mode 100644 index 0000000..89833b5 --- /dev/null +++ b/modules/builder.nix @@ -0,0 +1,11 @@ +{ + users.extraUsers.nix = { + isNormalUser = true; + home = "/home/nix"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere" + ]; + uid = 5001; + }; + nix.settings.trusted-users = [ "nix" ]; +} diff --git a/modules/fck-spectr.nix b/modules/fck-spectr.nix new file mode 100644 index 0000000..c2351a0 --- /dev/null +++ b/modules/fck-spectr.nix @@ -0,0 +1,16 @@ +{ + # It may leak your data, but look how FAST it is!1!! + # https://make-linux-fast-again.com/ + boot.kernelParams = [ + "noibrs" + "noibpb" + "nopti" + "nospectre_v2" + "nospectre_v1" + "l1tf=off" + "nospec_store_bypass_disable" + "no_stf_barrier" + "mds=off" + "mitigations=off" + ]; +} diff --git a/modules/hardware/supermicro-H12SSL-i.nix b/modules/hardware/supermicro-H12SSL-i.nix new file mode 100644 index 0000000..455f2f4 --- /dev/null +++ b/modules/hardware/supermicro-H12SSL-i.nix 
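Review bot: `system.autoUpgrade.flake = "git:git.newtype.fr/newtype/newtype-org-configurations"` uses a bare `git:` scheme, which as far as I can tell is not one of the flake-ref forms Nix accepts (`git+https://`, `git+ssh://`, `git://`), and a plain `git://` transport would carry no authentication at all; since this flake is fetched and activated as root on every host, confirm the URL parses and that the fetch is over TLS or SSH. `--option accept-flake-config true` additionally makes each host accept whatever `nixConfig` (substituters and trusted public keys) the fetched flake declares, so the repo becomes root-equivalent for the fleet without any prompt; that deserves a comment next to the flag. The flag could be avoided entirely by declaring the newtype cache and key in `nix.settings` in nix-daemon.nix, where the other substituters already live, and leaving `flags` empty. The `startAt = "Sat *-*~07/1"` comment ("The last saturday in a month") is correct but non-obvious; expanding it to say `~07/1` selects the last seven days of the month would save the next reader a trip to systemd.time(7).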
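Review bot: `nix.settings.trusted-users = [ "nix" ]` makes the `nix` account root-equivalent on the daemon (a trusted user can set arbitrary `substituters`, `trusted-public-keys` and sandbox paths), so the only barrier between that single ed25519 key and root is sshd, and nothing in the file says why that trust is needed (presumably so remote builders can push unsigned store paths) or who holds the key. A header along the lines of `# Remote-build account. trusted-users is root-equivalent: keep this key list minimal and documented.` should be added. The key is an inline literal while every other account in this commit reads from `./users/keys/*.keys` via `openssh.authorizedKeys.keyFiles`; moving it to a keys file would keep rotation in one place.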
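Review bot: `mitigations=off` already turns off every optional CPU vulnerability mitigation, so the nine individual parameters before it (`noibrs`, `nopti`, `mds=off`, …) are redundant and only obscure what the module does; keep either the single switch or the explicit list, not both. Nothing in this commit imports the module (neither `commonModules` in configurations.nix nor hosts/epyc.nix), so the header should state that it is opt-in and what it trades away: on a host that runs builds for several `trusted-users`, a Tor daemon and KVM guests (`kvm-amd` is loaded in the hardware module), disabling mitigations removes the kernel's defences against cross-process and guest-to-host data leakage. A header such as `# Opt-in only: disables all CPU side-channel mitigations. Do not enable on hosts that run untrusted builds, containers or VMs.` would be a more useful guide than the current one.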
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.kernelParams = [ "pci=realloc" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.systemd.enable = lib.mkForce false; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/3a81ba8f-f5bb-446c-89a3-ad77e354dae0"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices."nixroot" = { + device = "/dev/disk/by-uuid/c10d2822-cb83-4666-98f8-0aa04be259bc"; + keyFile = "/dev/zero"; + keyFileSize = 1; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AFF2-3149"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/93e251e1-1bfc-4bd4-8585-ea2eae7795bf"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/modules/hosts.nix b/modules/hosts.nix new file mode 100644 index 0000000..9a5bc26 --- /dev/null +++ b/modules/hosts.nix 
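Review bot: `boot.initrd.luks.devices."nixroot"` is unlocked with `keyFile = "/dev/zero"; keyFileSize = 1;`, i.e. a single fixed zero byte, so the LUKS layer provides no confidentiality for anyone who obtains the disk; if this is a deliberate stopgap (to allow enrolling a real keyslot later without reformatting), say so in a comment and track it, and if not, the device needs an actual key before it carries anything sensitive. The `nixos-generate-config` header claims the file must not be edited, yet it already contains hand additions (`pci=realloc`, the LUKS block, `boot.initrd.systemd.enable = lib.mkForce false`), so the header should be replaced by one stating that the file was generated and then edited, otherwise a future regeneration will silently drop those lines. The `mkForce false` on systemd initrd also deserves a one-line reason, since it disables the stage-1 path that srvos and newer NixOS releases are moving towards.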
@@ -0,0 +1,47 @@ +{ lib, config, ... }: +let + hostOptions = with lib; { + ipv4 = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + own ipv4 address + ''; + }; + + ipv6 = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + own ipv6 address + ''; + }; + }; +in +{ + options = with lib; { + networking.newtype.hosts = mkOption { + type = with types; attrsOf (submodule [{ options = hostOptions; }]); + description = "A host in our cluster"; + }; + networking.newtype.currentHost = mkOption { + type = with types; submodule [{ options = hostOptions; }]; + default = config.networking.newtype.hosts.${config.networking.hostName}; + description = "The host that is described by this configuration"; + }; + }; + config = { + warnings = + lib.optional (!(config.networking.newtype.hosts ? ${config.networking.hostName}) && + config.networking.hostName != "nixos" # we dont care about nixos netboot/installer images + ) + "Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}"; + + # usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain + networking.newtype.hosts = { + epyc = { + ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8"; + }; + }; + }; +} diff --git a/modules/ipmi-supermicro.nix b/modules/ipmi-supermicro.nix new file mode 100644 index 0000000..0d93534 --- /dev/null +++ b/modules/ipmi-supermicro.nix @@ -0,0 +1,7 @@ +{ + # supermicro uses ttyS1 for SOL + boot.kernelParams = [ + "console=ttyS1,115200n8" + "console=tty1" + ]; +} diff --git a/modules/network.nix b/modules/network.nix new file mode 100644 index 0000000..f2b1d08 --- /dev/null +++ b/modules/network.nix 
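Review bot: the comment `# usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain` was carried over from the upstream TUM config and does not describe this repository, whose hosts are addressed as `<hostName>.infra.newtype.fr` in network.nix; update or delete it. The `currentHost` default `config.networking.newtype.hosts.${config.networking.hostName}` is a plain attribute lookup, so for a host missing from the map any consumer of `currentHost` (network.nix reads `.ipv6`) will, as I read it, abort evaluation with a missing-attribute error before the `warnings` entry is ever displayed; if the warning is meant to be the user-facing signal (the `hostName != "nixos"` exemption suggests so), the default needs a fallback such as `default = config.networking.newtype.hosts.${config.networking.hostName} or { };` and the consumers need to tolerate `null` addresses. The `epyc` entry sets only `ipv6`, so `ipv4` stays `null` and is skipped by `extraHosts`; a comment saying the host is v6-only on `wan` would confirm that is intended.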
@@ -0,0 +1,49 @@ +{ config +, lib +, ... +}: { + # use networkd + networking.dhcpcd.enable = false; + systemd.network.enable = true; + + # add an entry to /etc/hosts for each host + networking.extraHosts = lib.concatStringsSep "\n" (lib.mapAttrsToList + (name: host: '' + ${lib.optionalString (host.ipv4 != null) "${host.ipv4} ${name}"} + ${lib.optionalString (host.ipv6 != null) "${host.ipv6} ${name}"} + '') + config.networking.newtype.hosts); + + # leave container interfaces alone + systemd.network.networks."05-veth".extraConfig = '' + [Match] + Driver = veth + + [Link] + Unmanaged = yes + ''; + + systemd.network.networks."10-nat-lan" = { + matchConfig.Name = "nat-lan"; + linkConfig.RequiredForOnline = true; + DHCP = "yes"; + }; + + systemd.network.links."10-nat-lan" = { + matchConfig.MACAddress = "3c:ec:ef:7e:bd:c8"; + linkConfig.Name = "nat-lan"; + }; + + systemd.network.networks."10-wan" = { + matchConfig.Name = "wan"; + linkConfig.RequiredForOnline = true; + networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ]; + }; + + systemd.network.links."10-wan" = { + matchConfig.MACAddress = "3c:ec:ef:7e:bd:c9"; + linkConfig.Name = "wan"; + }; + + deployment.targetHost = "${config.networking.hostName}.infra.newtype.fr"; +} diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix new file mode 100644 index 0000000..ffda29f --- /dev/null +++ b/modules/nix-daemon.nix 
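Review bot: `networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ]` passes the address without a prefix length (hosts.nix stores `2001:470:ca5e:dee:587c:7a50:f36c:cae8` bare) and no `Gateway=`/`Route=` is configured for `10-wan`, so unless a host-only /128 with reachability supplied elsewhere (the DHCP lease on `nat-lan`, presumably) is the intent, the `wan` link ends up with no on-link prefix and no route; either store addresses with their prefix in hosts.nix or append it here, `networkConfig.Address = [ "${config.networking.newtype.currentHost.ipv6}/<PREFIX>" ];` with the real prefix substituted. The MAC addresses `3c:ec:ef:7e:bd:c8`/`c9` are specific to epyc yet live in a module every host receives through `commonModules`; they belong in hosts/epyc.nix or in the per-host `networking.newtype.hosts` entry. Both `wan` and `nat-lan` are `RequiredForOnline = true`, so a host lacking either link never reaches network-online.target, which is worth a comment if deliberate.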
@@ -0,0 +1,60 @@ +{ lib +, config +, pkgs +, ... +}: + +let + gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ] + ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch}); +in +{ + options = { + simd.arch = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + description = '' + Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features. + Can be determined with: gcc -march=native -Q --help=target | grep march + ''; + }; + }; + + imports = [ ./builder.nix ]; + + config = { + warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + + nix = { + gc.automatic = true; + gc.dates = "03:15"; + gc.options = "--delete-older-than 30d"; + + # 2.11, 2.12 suffers from a bug with remote builders… + package = pkgs.nixVersions.nix_2_13; + + # should be enough? + nrBuildUsers = lib.mkDefault 32; + + # https://github.com/NixOS/nix/issues/719 + + settings = { + keep-outputs = true; + keep-derivations = true; + # in zfs we trust + fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); + substituters = [ + "https://nix-community.cachix.org" + "https://tum-dse.cachix.org" + ]; + system-features = [ "benchmark" "big-parallel" "kvm" "nixos-test" ] ++ gcc-system-features config.simd.arch; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM=" + ]; + }; + }; + + nixpkgs.config.allowUnfree = true; + }; +} diff --git a/modules/packages.nix b/modules/packages.nix new file mode 100644 index 0000000..c396d63 --- /dev/null +++ b/modules/packages.nix 
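Review bot: `trusted-public-keys` keeps `tum-dse.cachix.org-1:…` together with its `substituters` entry from the upstream TUM config, which means every host in this fleet accepts as root any store path signed by another organisation's cache key; unless newtype intends to keep pulling from that cache, drop both entries and declare the repo's own `https://newtype.cachix.org` substituter and key here instead, which would also remove the need for `accept-flake-config` in auto-upgrade.nix. Separately, `fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs")` does not do what `# in zfs we trust` suggests: in Nix `or` is the attribute-default operator, so this parses as `(!config.boot.isContainer) != "zfs"`, which is always `true`. The boolean form would be `!config.boot.isContainer || config.fileSystems."/".fsType != "zfs"`, or, if fsync should simply be skipped on zfs, `config.fileSystems."/".fsType != "zfs"`. The epyc root is btrfs, so the value is `"true"` for this host either way, but the line should say what it means.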
@@ -0,0 +1,39 @@ +{ pkgs, ... }: { + # this extends the list from: + # https://github.com/numtide/srvos/blob/master/server.nix#L10 + environment.systemPackages = with pkgs; [ + socat + whois + + jq + psmisc + libarchive + sipcalc + iperf + openssl + binutils + file + wget + htop + ripgrep + lsof + tcpdump + rsync + git + tig + lazygit + python3 + iotop + man-pages + netcat + mtr + (neovim.override { vimAlias = true; }) + + pciutils + ethtool + usbutils + + ipmitool + # tries to default to soft-float due to out-dated cc-rs + ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; +} diff --git a/modules/tor-ssh.nix b/modules/tor-ssh.nix new file mode 100644 index 0000000..0b956ed --- /dev/null +++ b/modules/tor-ssh.nix @@ -0,0 +1,18 @@ +{ + # imports = [ ./sshd ]; + services.tor = { + enable = true; + relay.onionServices."ssh".map = [{ port = 22; }]; + + settings = { + DnsPort = 9053; + AutomapHostsOnResolve = true; + AutomapHostsSuffixes = [ ".exit" ".onion" ]; + EnforceDistinctSubnets = true; + ExitNodes = "{fr}"; + EntryNodes = "{fr}"; + NewCircuitPeriod = 120; + DNSPort = 9053; + }; + }; +} diff --git a/modules/users/admins.nix b/modules/users/admins.nix new file mode 100644 index 0000000..2101ef7 --- /dev/null +++ b/modules/users/admins.nix 
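Review bot: `settings` contains both `DnsPort = 9053;` and `DNSPort = 9053;`; Tor matches option names case-insensitively, so the generated torrc ends up with two identical DNSPort directives, and `DnsPort` is not the canonical spelling that the NixOS module declares — keep a single `DNSPort = 9053;`. `ExitNodes = "{fr}"` and `EntryNodes = "{fr}"` pin both ends of every circuit to one country, which shrinks the anonymity set of the SSH onion service and will fail to build circuits when too few French relays are available; if latency is the reason, note it in a comment, otherwise drop them. `EnforceDistinctSubnets = true` is Tor's default and can go, and the dead `# imports = [ ./sshd ];` line should be removed or turned into a pointer to wherever sshd hardening actually lives (the srvos server module, presumably).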
@@ -0,0 +1,70 @@ +{ config +, lib +, ... +}: +let + extraGroups = [ "wheel" "docker" "plugdev" "vboxusers" "adbusers" "input" ]; +in +{ + config = { + users.users = { + # Ryan Lahfa + raito = { + isNormalUser = true; + home = "/home/raito"; + inherit extraGroups; + shell = "/run/current-system/sw/bin/zsh"; + uid = 1000; + openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ]; + }; + + # Julien Malka + luj = { + isNormalUser = true; + home = "/home/luj"; + inherit (config.users.users.raito) extraGroups; + shell = "/run/current-system/sw/bin/zsh"; + uid = 1001; + openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ]; + }; + + # Gabriel Doriath Döhler + gdd = { + isNormalUser = true; + home = "/home/gdd"; + inherit (config.users.users.raito) extraGroups; + shell = "/run/current-system/sw/bin/zsh"; + uid = 1002; + openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ]; + }; + + # Samy Lahfa + akechi = { + isNormalUser = true; + home = "/home/akechi"; + inherit (config.users.users.raito) extraGroups; + shell = "/run/current-system/sw/bin/zsh"; + uid = 1003; + openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ]; + }; + + # Tom Hubrecht + tomate = { + isNormalUser = true; + home = "/home/tomate"; + inherit (config.users.users.raito) extraGroups; + shell = "/run/current-system/sw/bin/zsh"; + uid = 1004; + openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ]; + }; + + root = { + hashedPassword = "$y$j9T$LiCWsEVrg9FlcEwuDGsol.$ghfkPkQGoAt23hI6.vWNLrSdHDnVwxg8EE/2w2pRbT6"; + # passwordFile = lib.mkIf config.users.withSops config.sops.secrets.root-password-hash.path; + openssh.authorizedKeys.keyFiles = lib.concatMap (user: config.users.users.${user}.openssh.authorizedKeys.keyFiles) [ "raito" "luj" "gdd" "akechi" "tomate" ]; + }; + }; + + nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" ]; + }; +} diff --git a/modules/users/keys/akechi.keys b/modules/users/keys/akechi.keys new file mode 100644 index 0000000..af70f5c --- /dev/null 
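Review bot: `root.hashedPassword` commits a yescrypt hash to the repository with the `passwordFile`/sops alternative left as a comment; a hash in git history is offline-crackable for as long as the history exists and cannot be rotated without rewriting it, and since configurations.nix already imports `agenix.nixosModules.default` it should move to a secret, e.g. `passwordFile = config.age.secrets.<SECRET_NAME>.path;` with `<SECRET_NAME>` declared under `age.secrets`. Every admin key file is also appended to `root.openssh.authorizedKeys.keyFiles` and every admin is listed in `nix.settings.trusted-users`, so all five personal key sets are root-equivalent on every host; a comment on the `root` block stating that this is intentional would help, because the `# only include admins here for monitoring/backup infrastructure` note in configurations.nix suggests otherwise. `extraGroups` grants `docker`, `vboxusers` and `adbusers` on what is a server profile: `docker` is itself root-equivalent and the other two refer to services nothing in this commit enables, so trimming the list to `[ "wheel" ]` plus what a host actually runs would be clearer.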
+++ b/modules/users/keys/akechi.keys @@ -0,0 +1,2 @@ +ssh-rsa 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 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5vbxUd8I+uF/OY/PpPhSzrLN14Waq82uyQXNPYpHjA diff --git a/modules/users/keys/gdd.keys b/modules/users/keys/gdd.keys new file mode 100644 index 0000000..f176c04 --- /dev/null +++ b/modules/users/keys/gdd.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc diff --git a/modules/users/keys/luj.keys b/modules/users/keys/luj.keys new file mode 100644 index 0000000..c9c3829 --- /dev/null +++ b/modules/users/keys/luj.keys @@ -0,0 +1,11 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpGHx430EpJmbtJc8+lF1CpQ1gXeHT9OeZ08O8yzohF +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaCGndojnmS5IoqHVMEPRfKuBZotMyqo7wNkAZJWigp +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22 +ssh-rsa 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 diff --git a/modules/users/keys/raito.keys b/modules/users/keys/raito.keys new file mode 100644 index 0000000..7a717dd --- /dev/null +++ b/modules/users/keys/raito.keys 
@@ -0,0 +1,3 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU diff --git a/modules/users/keys/tomate.keys b/modules/users/keys/tomate.keys new file mode 100644 index 0000000..c5428d0 --- /dev/null +++ b/modules/users/keys/tomate.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3 diff --git a/modules/zsh.nix b/modules/zsh.nix new file mode 100644 index 0000000..bba3962 --- /dev/null +++ b/modules/zsh.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: { + programs.zsh.enable = true; + programs.zsh.enableCompletion = true; + programs.zsh.enableGlobalCompInit = false; + programs.zsh.interactiveShellInit = '' + source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh + ''; +}