steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

Browse source
This commit is contained in:
steveej 2023-07-05 15:55:04 +02:00
parent 6587a914e4
commit b481126ae2
55 changed files with 877 additions and 452 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nix/os/devices/steveej-t14/boot.nix
View file

@ -8,7 +8,8 @@
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# boot.tmpOnTmpfs = lib.mkForce false;
boot.tmpOnTmpfsSize = "100%";
boot.tmp.tmpfsSize = "100%";
# TODO: make this work
# systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ];
}

1
nix/os/devices/steveej-t14/configuration.nix
View file

@ -10,5 +10,6 @@
./pkg.nix
./user.nix
./boot.nix
./secrets.nix
];
}

11
nix/os/devices/steveej-t14/default.nix
View file

@ -1,12 +1,15 @@
{repoFlake}: let
nodeName = "steveej-t14";
{
nodeName,
repoFlake,
repoFlakeWithSystem,
nodeFlake,
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {

44
nix/os/devices/steveej-t14/hw.nix
View file

@ -20,48 +20,47 @@ in {
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
# CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
# CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
CPU_ENERGY_PERF_POLICY_ON_BAT="power";
SCHED_POWERSAVE_ON_AC="1";
# SCHED_POWERSAVE_ON_AC="1";
SCHED_POWERSAVE_ON_BAT="1";
CPU_BOOST_ON_AC="0";
CPU_BOOST_ON_BAT="0";
RADEON_DPM_PERF_LEVEL_ON_AC="auto";
# RADEON_DPM_PERF_LEVEL_ON_AC="auto";
RADEON_DPM_PERF_LEVEL_ON_BAT="low";
RADEON_DPM_STATE_ON_AC="balanced";
# RADEON_DPM_STATE_ON_AC="balanced";
RADEON_DPM_STATE_ON_BAT="battery";
SOUND_POWER_SAVE_ON_AC="1";
# SOUND_POWER_SAVE_ON_AC="1";
SOUND_POWER_SAVE_ON_BAT="1";
# PLATFORM_PROFILE_ON_AC="low-power";
# PLATFORM_PROFILE_ON_BAT="low-power";
PLATFORM_PROFILE_ON_AC="balanced";
# # PLATFORM_PROFILE_ON_AC="low-power";
# # PLATFORM_PROFILE_ON_BAT="low-power";
# PLATFORM_PROFILE_ON_AC="balanced";
PLATFORM_PROFILE_ON_BAT="low-power";
RUNTIME_PM_ON_AC = "auto";
# RUNTIME_PM_ON_AC = "auto";
RUNTIME_PM_ON_BAT = "auto";
PCIE_ASPM_ON_AC="default";
# PCIE_ASPM_ON_AC="default";
PCIE_ASPM_ON_BAT="powersave";
START_CHARGE_THRESH_BAT0 = "75";
STOP_CHARGE_THRESH_BAT0 = "80";
WOL_DISABLE="Y";
WIFI_PWR_ON_AC="on";
# WIFI_PWR_ON_AC="on";
WIFI_PWR_ON_BAT="on";
DEVICES_TO_DISABLE_ON_STARTUP="wwan";
#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
# #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
};
};
@ -71,12 +70,13 @@ in {
[0 0 55]
[1 55 65]
[1 65 75]
[3 75 78]
[4 78 80]
[5 80 82]
[6 82 84]
[7 84 86]
["level full-speed" 86 999]
[2 75 78]
[3 78 80]
[4 80 82]
[5 82 84]
[6 84 86]
[7 86 88]
["level full-speed" 88 999]
];
};

3
nix/os/devices/steveej-t14/pkg.nix
View file

@ -9,6 +9,9 @@
];
})
];
home.sessionVariables = {
};
};
# TODO: fix the following errors with regreet

7
nix/os/devices/steveej-t14/secrets.nix Normal file
View file

@ -0,0 +1,7 @@
{config, ...}: {
sops.secrets.radicale_htpasswd = {
sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
format = "binary";
owner = config.users.users.steveej.name;
};
}

79
nix/os/devices/steveej-t14/system.nix
View file

@ -3,6 +3,7 @@
lib,
config,
nodeName,
repoFlake,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
@ -10,18 +11,37 @@ in {
nix.settings = {
substituters = [
"https://holochain-ci.cachix.org"
# "https://cache.holo.host/"
"https://cache.holo.host/"
];
trusted-public-keys = [
"holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
# "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
# "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
"cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
"cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
];
extra-experimental-features = ["impure-derivations"];
system-features = ["recursive-nix" "big-parallel"];
};
networking.extraHosts = ''
# qemu box
172.24.40.13 steveej-qemu.infra.holochain.org
172.24.40.13 steveej-qemu.d.dweb.city
# bare metal
192.168.14.117 steveej-hw1.infra.holochain.org
192.168.14.117 steveej-hw1.d.dweb.city
192.168.14.117 steveej-hw2.infra.holochain.org
192.168.14.117 steveej-hw2.d.dweb.city
192.168.14.117 steveej-hw3.infra.holochain.org
192.168.14.117 steveej-hw3.d.dweb.city
192.168.14.117 steveej-hw4.infra.holochain.org
192.168.14.117 steveej-hw4.d.dweb.city
172.24.135.11 emerge3.d.dweb.city
172.24.74.194 emerge4.d.dweb.city
'';
networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [
{
@ -35,7 +55,7 @@ in {
# TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
networking.firewall.interfaces."eth+".allowedTCPPorts = [
22
22
# syncthing
22000
@ -43,9 +63,10 @@ in {
# iperf3
5201
];
networking.firewall.interfaces."eth+".allowedUDPPorts = [
networking.firewall.interfaces."eth+".allowedUDPPorts = [
# syncthing
22000 21027
22000
21027
];
networking.firewall.logRefusedConnections = false;
@ -96,8 +117,50 @@ in {
services.zerotierone = {
enable = true;
joinNetworks = [
"93afae5963c547f1"
passwords.zerotier.dweb2023.networkId
# moved to the service below as it's now secret
];
};
systemd.services.zerotieroneSecretNetworks = {
enable = true;
requiredBy = ["zerotierone.service"];
partOf = ["zerotierone.service"];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = let
secret = config.sops.secrets.zerotieroneNetworks;
in ''
# include the secret's hash to trigger a restart on change
# ${builtins.hashString "sha256" (builtins.toJSON secret)}
${config.systemd.services.zerotierone.preStart}
rm -rf /var/lib/zerotier-one/networks.d/*.conf
for network in `grep -v '#' ${secret.path}`; do
touch /var/lib/zerotier-one/networks.d/''${network}.conf
done
'';
};
sops.secrets.zerotieroneNetworks = {
sopsFile = ../../../../secrets/zerotierone.txt;
format = "binary";
};
sops.secrets.nomad-holochain-agent-ca = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-cert = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-key = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
}

5
nix/os/devices/steveej-t14/user.nix
View file

@ -1,15 +1,16 @@
{
config,
pkgs,
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-steveej.path;
};
nix.settings.trusted-users = ["steveej"];