From 3440111c0f97588a1d81b8a2a945b7b71fc11394 Mon Sep 17 00:00:00 2001 From: Lauren Lagarde Date: Mon, 14 Jul 2025 23:12:12 -0500 Subject: [PATCH] Attempt to update blockhouse to 25.05 flake and break out a few common items --- flake.nix | 23 +++ nixos/features/gpu/nvidia.nix | 3 + nixos/features/openssh-server.nix | 1 + systems/blockhouse/configuration.nix | 231 ++++++++------------------- 4 files changed, 97 insertions(+), 161 deletions(-) diff --git a/flake.nix b/flake.nix index b358299..d4fd693 100644 --- a/flake.nix +++ b/flake.nix @@ -206,6 +206,29 @@ ]; }; + blockhouse = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + { + networking.hostName = "blockhouse"; + networking.hostId = "ed658529"; + + system.stateVersion = "23.11"; + time.timeZone = "America/Chicago"; + + sops.defaultSopsFile = ./secrets.yaml; + } + + ./systems/blockhouse/configuration.nix + + sops-nix.nixosModules.sops + lix-module.nixosModules.default + home-manager.nixosModules.home-manager + disko.nixosModules.default + ]; + specialArgs = { inherit inputs pkgs-unstable; }; + }; + stronghold = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ diff --git a/nixos/features/gpu/nvidia.nix b/nixos/features/gpu/nvidia.nix index 1866605..9723301 100644 --- a/nixos/features/gpu/nvidia.nix +++ b/nixos/features/gpu/nvidia.nix @@ -10,6 +10,9 @@ # Fix stupid UI scaling bug services.xserver.dpi = 96; + # Docker NVIDIA + virtualisation.docker.enableNvidia = true; + hardware.nvidia = { # Modesetting is required. modesetting.enable = true; diff --git a/nixos/features/openssh-server.nix b/nixos/features/openssh-server.nix index 06d8376..9ccf294 100644 --- a/nixos/features/openssh-server.nix +++ b/nixos/features/openssh-server.nix @@ -3,6 +3,7 @@ enable = true; settings = { PermitRootLogin = lib.mkForce "no"; + StreamLocalBindUnlink = "yes"; PasswordAuthentication = false; }; }; 
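Review bot: `virtualisation.docker.enableNvidia = true;` is, as far as I recall, marked deprecated in recent NixOS releases in favour of `hardware.nvidia-container-toolkit.enable`, so on the 25.05 flake this commit targets it is likely to produce an evaluation warning or stop taking effect — worth checking against the 25.05 option docs before relying on it. Placing it in the shared `gpu/nvidia.nix` feature also couples every host that imports the GPU module to the Docker runtime configuration, while the Docker engine itself is enabled by a separate module (`virtualization/docker.nix` in blockhouse's import list). Either move the line next to the Docker feature or document the dependency: `# Expose the GPU to Docker containers; only meaningful on hosts that also import virtualization/docker.nix`.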
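Review bot: `StreamLocalBindUnlink = "yes";` now applies to every host that imports `openssh-server.nix`, not only blockhouse where the setting previously lived, and the hunk gives no reason for it. The keyword lets sshd remove an existing Unix-domain socket file before binding a forwarded one, which is a small but fleet-wide widening of what a forwarded connection may do to socket files the user can delete; presumably it is wanted for forwarding an agent socket, but that is not stated. A one-line comment would keep the intent reviewable: `# Let a forwarded Unix socket replace a stale socket file (presumably for agent forwarding — confirm)`.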
diff --git a/systems/blockhouse/configuration.nix b/systems/blockhouse/configuration.nix index a23c8f8..bd70b8b 100755 --- a/systems/blockhouse/configuration.nix +++ b/systems/blockhouse/configuration.nix 
@@ -1,72 +1,65 @@ { config, lib, pkgs, modulesPath, ... }: { + imports = [ + # Core Features + ../../nixos/features/base.nix + ../../nixos/features/tui-apps.nix + ../../nixos/features/openssh-server.nix - nixpkgs.config.allowUnfree = true; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # Core Tweaks + ../../nixos/tweaks/zram.nix + ../../nixos/tweaks/enable_flakes.nix + ../../nixos/tweaks/disable_nixos_user.nix + ../../nixos/tweaks/systemd-resolved_nonsense.nix + + # Dotspace + ../../secrets/dotspace.nix + ../../secrets/dotspace_shares.nix + ../../nixos/features/stronghold-binary-cache.nix + + # Users + ../../users/lauren_lagarde/lauren_lagarde.nix + ../../users/ashley_funkhouser/ashley_funkhouser.nix + + # Blockhouse Features + ../../nixos/tweaks/aarch64-crosscompile.nix + ../../nixos/features/gpu/nvidia.nix + ../../nixos/features/networking/networkd-br0.nix + ../../nixos/features/virtualization/dockge.nix + ../../nixos/features/virtualization/docker.nix + ../../nixos/features/virtualization/libvirt-host.nix + + # Blockhouse + ../../nixos/tweaks/zfs.nix + ../../nixos/tweaks/disable_firewall.nix + ]; ############################################################################## ############################################################################## ############################################################################## # Bootloader / Kernel - boot.supportedFilesystems = [ "ntfs" ]; boot.loader.efi.canTouchEfiVariables = true; boot.loader.grub = { enable = true; zfsSupport = true; efiSupport = true; - mirroredBoots = [ - { - devices = [ "nodev" ]; - path = "/boot0"; - } - { - devices = [ "nodev" ]; - path = "/boot1"; - } - ]; - }; - - # Activated at 1400 on April 10, 2024 - powerManagement.cpuFreqGovernor = "performance"; - - boot.extraModprobeConfig = '' - # Under low-write conditions, wait up to 30 seconds before committing data to disk - options zfs zfs_txg_timeout=30 - - # Stupid silent data corruption bug 
(https://github.com/openzfs/zfs/issues/15933) - options zfs zfs_bclone_enabled=0 - options zfs zfs_dmu_offset_next_sync=0 - ''; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - - boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true; - - ############################################################################## - ############################################################################## - ############################################################################## - # NVIDIA - - hardware.opengl.enable = true; - hardware.opengl.driSupport32Bit = true; - hardware.nvidia = { - modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; - open = false; - package = config.boot.kernelPackages.nvidiaPackages.stable; - nvidiaSettings = true; - }; - services.xserver.videoDrivers = [ "nvidia" ]; - virtualisation.docker = { - enable = true; - enableNvidia = true; }; ############################################################################## ############################################################################## ############################################################################## - # Filesystems + # Local Filesystems + + boot.loader.grub.mirroredBoots = [ + { + devices = [ "nodev" ]; + path = "/boot0"; + } + { + devices = [ "nodev" ]; + path = "/boot1"; + } + ]; fileSystems = { "/" = { @@ -103,19 +96,15 @@ }; }; - # TODO: Add back dotspace shares - ############################################################################## ############################################################################## ############################################################################## # Services - services.uptimed.enable = true; - services.samba = { enable = true; openFirewall = true; - shares = { + settings = { Parlor = { path = "/exports/Parlor"; comment = "Fast Data Storage"; 
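Review bot: The removed `boot.extraModprobeConfig` block (`zfs_txg_timeout=30` plus the `zfs_bclone_enabled=0` / `zfs_dmu_offset_next_sync=0` workaround that cites openzfs issue 15933) and `powerManagement.cpuFreqGovernor = "performance";` have no replacement visible in this diff; they are presumably meant to come from the newly imported `../../nixos/tweaks/zfs.nix`, but that file is not part of the change, so please confirm it carries them — silently losing the bclone workaround would be a data-integrity regression. The same question applies to `boot.supportedFilesystems = [ "ntfs" ];` dropped here and `services.smartd.enable = true;` dropped in the last hunk, neither of which has a visible new home (`base.nix` may cover smartd). Since the import list is now the only record of what this host enables, a comment on the `# Blockhouse` group naming what `zfs.nix` is expected to provide, e.g. `# zfs.nix: zfs module options incl. the bclone corruption workaround (openzfs#15933)`, would make the next review cheaper. The enclosing attribute set continues past the hunk.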
@@ -181,7 +170,6 @@ ############################################################################## # Users - users.mutableUsers = false; users.users = { # System Users blockhouse = { @@ -194,26 +182,6 @@ shell = pkgs.shadow; # TODO: Secret passwords? }; - - # Human users - lauren_lagarde = { - isNormalUser = true; - description = "Lauren Lagarde"; - extraGroups = [ "wheel" "docker" "libvirtd" ]; - initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 lauren@lagarde.dev" - ]; - }; - ashley_funkhouser = { - isNormalUser = true; - description = "Ashley Funkhouser"; - extraGroups = [ "wheel" "docker" "libvirtd" ]; - initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 ajfunk27@gmail.com" - ]; - }; }; ############################################################################## 
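Review bot: Dropping `users.mutableUsers = false;` returns the host to the NixOS default of mutable users unless one of the newly imported modules (`disable_nixos_user.nix` or the per-user files) sets it, and none of those are visible in this diff, so please confirm. With mutable users, passwords and group memberships can be changed imperatively and drift from the declared state, and `initialHashedPassword` is only applied when an account is first created, which weakens the declarative guarantee the removed line used to give. If users are meant to stay immutable, the line (or `users.mutableUsers = lib.mkDefault false;` in a shared tweak) should come back; if the change is deliberate, a comment saying so would stop the next reader from re-adding it. The `users.users` set continues past the hunk.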
@@ -221,76 +189,42 @@ ############################################################################## # Network - networking = { - hostName = "blockhouse"; - hostId = "ed658529"; + # Disable IPv6? + networking.enableIPv6 = false; + boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true; - enableIPv6 = false; - useNetworkd = true; - firewall.enable = false; - }; - - services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes"; - - systemd.network = { - enable = true; - netdevs = { - "20-br0".netdevConfig = { - Kind = "bridge"; - Name = "br0"; - }; + systemd.network.networks = { + "30-eno1" = { + matchConfig.Name = "eno1"; + networkConfig.Bridge = "br0"; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-enp37s0" = { + matchConfig.Name = "enp37s0"; + networkConfig.Bridge = "br0"; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-enp40s0" = { + matchConfig.Name = "enp40s0"; + networkConfig.Bridge = "br0"; + linkConfig.RequiredForOnline = "enslaved"; }; - networks = { - "30-eno1" = { - matchConfig.Name = "eno1"; - networkConfig.Bridge = "br0"; - linkConfig.RequiredForOnline = "enslaved"; - }; - "30-enp37s0" = { - matchConfig.Name = "enp37s0"; - networkConfig.Bridge = "br0"; - linkConfig.RequiredForOnline = "enslaved"; - }; - "30-enp40s0" = { - matchConfig.Name = "enp40s0"; - networkConfig.Bridge = "br0"; - linkConfig.RequiredForOnline = "enslaved"; - }; - "40-br0" = { - matchConfig.Name = "br0"; - bridgeConfig = {}; - linkConfig = { - RequiredForOnline = "routable"; - }; - networkConfig = { - DHCP = "ipv4"; - IPv6AcceptRA = true; - }; - }; - - "90-tinc" = { - matchConfig.Name = "tinc.mlaga97spa"; - address = [ "10.86.84.104/32" ]; - routes = [ { routeConfig = { Destination = "10.86.84.0/24"; }; } ]; - }; + "90-tinc" = { + matchConfig.Name = "tinc.dotspace"; + address = [ "10.86.84.104/32" ]; + routes = [ { Destination = "10.86.84.0/24"; } ]; }; }; - services.tinc.networks.mlaga97space = { + services.tinc.networks.dotspace = { name = "blockhouse"; 
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv"; chroot = false; - settings = { - ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ]; - }; - # TODO: dotspace.nix + settings.ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ]; }; - # Set your time zone. - time.timeZone = "America/Chicago"; - ############################################################################## ############################################################################## ############################################################################## @@ -299,6 +233,7 @@ services.cron = { enable = true; + mailto = ""; systemCronJobs = [ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/DriveStats" "* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats" @@ -307,30 +242,4 @@ # Collate LongCam ]; }; - - ############################################################################## - ############################################################################## - ############################################################################## - # Other Services - - virtualisation.libvirtd.enable = true; - - services.openssh.enable = true; - services.openssh.settings = { - PermitRootLogin = "no"; - StreamLocalBindUnlink = "yes"; - }; - - services.smartd.enable = true; - - environment.systemPackages = with pkgs; [ - bc git vim btop tmux iotop byobu - cifs-utils samba ffmpeg libvirt tinc_pre restic rclone nixos-generators - ]; - - zramSwap.enable = true; - zramSwap.algorithm = "zstd"; - zramSwap.memoryPercent = 200; - - system.stateVersion = "23.11"; }
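Review bot: In the renamed `services.tinc.networks.dotspace` block the key path still reads `ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";` while the network and its `"90-tinc"` interface were renamed to `dotspace`, so either the file on disk kept its old name or tincd will fail to start; the mismatch is easy to misread later, so the path should be renamed with the network or a comment should say it is intentionally unchanged. That private key also sits outside the sops setup this commit wires in (`sops.defaultSopsFile` in flake.nix); declaring it under `sops.secrets` and pointing `ed25519PrivateKeyFile` at the rendered path would keep host secrets in one managed place. The added `# Disable IPv6?` comment reads as an open question rather than a decision; `# IPv6 is intentionally disabled on this host` would be clearer. The enclosing attribute set continues past the hunk.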
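Review bot: `mailto = "";` silences all cron mail for the host, including error output from the per-minute `DriveStats` / `PublishStats` jobs in this block, so a failing job becomes invisible unless the scripts log elsewhere, and the hunk does not say whether they do. A short comment would record the trade-off: `# No cron mail: job output is expected to be logged by the scripts themselves`. The `services.cron` block continues past the hunk.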