steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

rename sj-bm-hostkey0 -> hstk0

Browse source
This commit is contained in:
steveej 2024-07-26 13:47:57 +02:00
parent 92be66cbb5
commit b30596b3a6
14 changed files with 348 additions and 577 deletions
Download patch file Download diff file Expand all files Collapse all files

0
nix/os/devices/sj-bm-hostkey0/.gitignore → nix/os/devices/hstk0/.gitignore vendored
View file

0
nix/os/devices/sj-bm-hostkey0/README.md → nix/os/devices/hstk0/README.md
View file

155
nix/os/devices/hstk0/configuration.nix Normal file
View file

@ -0,0 +1,155 @@
{
modulesPath,
repoFlake,
packages',
pkgs,
lib,
config,
nodeFlake,
nodeName,
system,
...
}: {
disabledModules = [
];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
{
roles.nix-remote-builder.schedulerPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"
# TODO: make this a reference to the private key's secret
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
];
}
../../snippets/nix-settings.nix
{
nix.settings.sandbox = lib.mkForce "relaxed";
}
../../snippets/mycelium.nix
# user config
../../profiles/common/user.nix
{
users.commonUsers = {
enable = true;
enableNonRoot = true;
};
}
../../snippets/home-manager-with-zsh.nix
# {
# home-manager.users.steveej = {pkgs, ...}: {
# imports = [
# ../../../home-manager/programs/pass.nix
# ../../../home-manager/programs/openvscode-server.nix
# ];
# };
# }
];
services.openssh = {
enable = true;
openFirewall = true;
settings.PermitRootLogin = "yes";
extraConfig = ''
StreamLocalBindUnlink yes
'';
};
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = true;
nat.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [
5201
];
};
disko.devices = let
disk = id: {
type = "disk";
device = "/dev/${id}";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
in {
disk = {
sda = disk "sda";
sdb = disk "sdb";
};
mdadm = {
raid0 = {
type = "mdadm";
level = 0;
content = {
type = "gpt";
partitions = {
primary = {
size = "100%";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
system.stateVersion = "24.05";
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.includeDefaultModules = true;
boot.initrd.kernelModules = [
"dm-raid"
"dm-integrity"
"xhci_pci_renesas"
];
hardware.enableRedistributableFirmware = true;
virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
}

0
nix/os/devices/sj-bm-hostkey0/default.nix → nix/os/devices/hstk0/default.nix
View file

124
nix/os/devices/hstk0/flake.lock generated Normal file
View file

@ -0,0 +1,124 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719401812,
"narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=",
"owner": "nix-community",
"repo": "disko",
"rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1714237590,
"narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=",
"owner": "ursi",
"repo": "get-flake",
"rev": "a6c57417d1b857b8be53aba4095869a0f438c502",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1718530513,
"narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1719253556,
"narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1719254875,
"narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719189969,
"narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=",
"owner": "numtide",
"repo": "srvos",
"rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

15
nix/os/devices/sj-bm-hostkey0/flake.nix → nix/os/devices/hstk0/flake.nix
View file

@ -12,8 +12,6 @@
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
mycelium.url = "github:threefoldtech/mycelium";
};
# outputs = _: {};
@ -25,7 +23,7 @@
...
} @ attrs: let
system = "x86_64-linux";
nodeName = "sj-bm-hostkey0";
nodeName = "hostkey-0";
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
@ -41,17 +39,6 @@
modules =
[
./configuration.nix
# flake registry
{
nix.registry.nixpkgs.flake = nixpkgs;
}
({lib, ...}: {
nixpkgs.overlays = [
(final: previous: {})
];
})
]
++ extraModules;
}

244
nix/os/devices/sj-bm-hostkey0/configuration.nix
View file

@ -1,244 +0,0 @@
{
modulesPath,
repoFlake,
packages',
pkgs,
lib,
config,
nodeFlake,
nodeName,
system,
...
}: let
pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
disabledModules = [
];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
{
roles.nix-remote-builder.schedulerPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"
# TODO: make this a reference to the private key's secret
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
];
}
../../profiles/common/user.nix
../../snippets/nix-settings.nix
../../snippets/nix-settings-holo-chain.nix
{
nix.settings.sandbox = lib.mkForce "relaxed";
}
../../snippets/holo-zerotier.nix
# TODO
# ./network.nix
# ./monitoring.nix
# user config
../../snippets/home-manager-with-zsh.nix
{
users.commonUsers = {
enable = true;
enableNonRoot = true;
};
home-manager.users.steveej = {pkgs, ...}: {
imports = [
../../../home-manager/programs/pass.nix
];
home.packages = [
pkgs.nil
pkgs.nixd
pkgs.nixpkgs-fmt
pkgs.alejandra
pkgs.nixfmt
repoFlake.packages.${system}.rperf
# TODO: automate linking this
# 1. get the commit with: `codium --version`
# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/*
e.g.:
```
(
set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
)
```
*/
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.88.1";
yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Ts=";});
}))
pkgs.waypipe
];
};
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.pathsToLink = ["/share/zsh"];
}
../../snippets/mycelium.nix
];
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
services.openssh.extraConfig = ''
StreamLocalBindUnlink yes
'';
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = true;
# No local firewall.
nat.enable = true;
firewall.enable = false;
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [
5201
];
};
disko.devices = let
disk = id: {
type = "disk";
device = "/dev/${id}";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
in {
disk = {
sda = disk "sda";
sdb = disk "sdb";
};
mdadm = {
raid0 = {
type = "mdadm";
level = 0;
content = {
type = "gpt";
partitions = {
primary = {
size = "100%";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
system.stateVersion = "23.11";
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.includeDefaultModules = true;
boot.initrd.kernelModules = [
"dm-raid"
"dm-integrity"
"xhci_pci_renesas"
];
hardware.enableRedistributableFirmware = true;
environment.systemPackages = [
pkgs.hdparm
pkgs.fuse
];
programs.fuse.userAllowOther = true;
services.caddy.enable = true;
services.caddy.email = "mail@stefanjunker.de";
services.caddy.globalConfig = ''
auto_https disable_redirects
'';
services.caddy.virtualHosts = let
holochainDomain = "dev.infra.holochain.org";
in {
"${nodeName}.${holochainDomain}" = {
extraConfig = ''
handle_path /s3/* {
reverse_proxy http://127.0.0.1:9000
}
'';
};
};
# home-manager.users.steveej = _: {
# imports = [
# ../../../home-manager/configuration/text-minimal.nix
# ];
# home.sessionVariables = {
# };
# home.packages = with pkgs; [
# ];
# };
virtualisation.libvirtd.enable = true;
virtualisation.docker.enable = true;
virtualisation.podman.enable = true;
virtualisation.podman.autoPrune.enable = true;
# virtualisation.podman.dockerSocket.enable = true;
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
steveej.holo-zerotier = {
enable = true;
autostart = false;
};
}

245
nix/os/devices/sj-bm-hostkey0/flake.lock generated
View file

@ -1,245 +0,0 @@
{
"nodes": {
"crane": {
"inputs": {
"nixpkgs": [
"mycelium",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716745752,
"narHash": "sha256-8K1R9Yg4r08rYk86Yq+lu3E9L3uRUb4xMqYHgl0VGS0=",
"owner": "ipetkov",
"repo": "crane",
"rev": "19ca94ec2d288de334ae932107816b4a97736cd8",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1717415925,
"narHash": "sha256-KhclrqEQFrDr6Z8WqtvCdqtR7Fg35aMyfk7ANtx34Ys=",
"owner": "nix-community",
"repo": "disko",
"rev": "b106b5df3654d83197aff4826e3e34a5a5335b1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"get-flake": {
"locked": {
"lastModified": 1714237590,
"narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=",
"owner": "ursi",
"repo": "get-flake",
"rev": "a6c57417d1b857b8be53aba4095869a0f438c502",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716736833,
"narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"mycelium": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1717421726,
"narHash": "sha256-51B13+DTS+ZzbGPWIMMA9VwxJ34gVpbzQb0YxlzI96s=",
"owner": "threefoldtech",
"repo": "mycelium",
"rev": "c2c1243876382b8ed987f820864c66323ee33cb9",
"type": "github"
},
"original": {
"owner": "threefoldtech",
"repo": "mycelium",
"type": "github"
}
},
"nix-filter": {
"locked": {
"lastModified": 1710156097,
"narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3342559a24e85fc164b295c3444e8a139924675b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1716509168,
"narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1717196966,
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"mycelium": "mycelium",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1717376170,
"narHash": "sha256-603uKDAsg8KKVvMzNxIgTrHvXu6vRYx32NO3tuQCIg4=",
"owner": "numtide",
"repo": "srvos",
"rev": "96998137e26a92debda49fc2a32d4852d754abb4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}