Attempt to update blockhouse to 25.05 flake and break out a few common items

2025-07-14 23:12:12 -05:00 · 2025-07-14 23:12:12 -05:00 · 3440111c0f
commit 3440111c0f
parent ea09a0fac8
4 changed files with 97 additions and 161 deletions
--- a/flake.nix
+++ b/flake.nix
@ -206,6 +206,29 @@
        ];
      };
      blockhouse = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          {
            networking.hostName = "blockhouse";
            networking.hostId = "ed658529";
            system.stateVersion = "23.11";
            time.timeZone = "America/Chicago";
            sops.defaultSopsFile = ./secrets.yaml;
          }
          ./systems/blockhouse/configuration.nix
          sops-nix.nixosModules.sops
          lix-module.nixosModules.default
          home-manager.nixosModules.home-manager
          disko.nixosModules.default
        ];
        specialArgs = { inherit inputs pkgs-unstable; };
      };
      stronghold = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
--- a/nixos/features/gpu/nvidia.nix
+++ b/nixos/features/gpu/nvidia.nix
@ -10,6 +10,9 @@
  # Fix stupid UI scaling bug
  services.xserver.dpi = 96;
  # Docker NVIDIA
  virtualisation.docker.enableNvidia = true;
  hardware.nvidia = {
    # Modesetting is required.
    modesetting.enable = true;
--- a/nixos/features/openssh-server.nix
+++ b/nixos/features/openssh-server.nix
@ -3,6 +3,7 @@
    enable = true;
    settings = {
      PermitRootLogin = lib.mkForce "no";
      StreamLocalBindUnlink = "yes";
      PasswordAuthentication = false;
    };
  };
--- a/systems/blockhouse/configuration.nix
+++ b/systems/blockhouse/configuration.nix
@ -1,72 +1,65 @@
 { config, lib, pkgs, modulesPath, ... }: {
  imports = [
    # Core Features
    ../../nixos/features/base.nix
    ../../nixos/features/tui-apps.nix
    ../../nixos/features/openssh-server.nix
-  nixpkgs.config.allowUnfree = true;
+    # Core Tweaks
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+    ../../nixos/tweaks/zram.nix
    ../../nixos/tweaks/enable_flakes.nix
    ../../nixos/tweaks/disable_nixos_user.nix
    ../../nixos/tweaks/systemd-resolved_nonsense.nix
    # Dotspace
    ../../secrets/dotspace.nix
    ../../secrets/dotspace_shares.nix
    ../../nixos/features/stronghold-binary-cache.nix
    # Users
    ../../users/lauren_lagarde/lauren_lagarde.nix
    ../../users/ashley_funkhouser/ashley_funkhouser.nix
    # Blockhouse Features
    ../../nixos/tweaks/aarch64-crosscompile.nix
    ../../nixos/features/gpu/nvidia.nix
    ../../nixos/features/networking/networkd-br0.nix
    ../../nixos/features/virtualization/dockge.nix
    ../../nixos/features/virtualization/docker.nix
    ../../nixos/features/virtualization/libvirt-host.nix
    # Blockhouse
    ../../nixos/tweaks/zfs.nix
    ../../nixos/tweaks/disable_firewall.nix
  ];
  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Bootloader / Kernel
  boot.supportedFilesystems = [ "ntfs" ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub = {
    enable = true;
    zfsSupport = true;
    efiSupport = true;
    mirroredBoots = [
      {
        devices = [ "nodev" ];
        path = "/boot0";
      }
      {
        devices = [ "nodev" ];
        path = "/boot1";
      }
    ];
  };
  # Activated at 1400 on April 10, 2024
  powerManagement.cpuFreqGovernor = "performance";
  boot.extraModprobeConfig = ''
    # Under low-write conditions, wait up to 30 seconds before committing data to disk
    options zfs zfs_txg_timeout=30
    # Stupid silent data corruption bug (https://github.com/openzfs/zfs/issues/15933)
    options zfs zfs_bclone_enabled=0
    options zfs zfs_dmu_offset_next_sync=0
  '';
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true;
  ##############################################################################
  ##############################################################################
  ##############################################################################
  # NVIDIA
  hardware.opengl.enable = true;
  hardware.opengl.driSupport32Bit = true;
  hardware.nvidia = {
    modesetting.enable = true;
    powerManagement.enable = false;
    powerManagement.finegrained = false;
    open = false;
    package = config.boot.kernelPackages.nvidiaPackages.stable;
    nvidiaSettings = true;
  };
  services.xserver.videoDrivers = [ "nvidia" ];
  virtualisation.docker = {
    enable = true;
    enableNvidia = true;
  };
  ##############################################################################
  ##############################################################################
  ##############################################################################
-  # Filesystems
+  # Local Filesystems
  boot.loader.grub.mirroredBoots = [
    {
      devices = [ "nodev" ];
      path = "/boot0";
    }
    {
      devices = [ "nodev" ];
      path = "/boot1";
    }
  ];
  fileSystems = {
    "/" = {
@ -103,19 +96,15 @@
    };
  };
  # TODO: Add back dotspace shares
  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Services
  services.uptimed.enable = true;
  services.samba = {
    enable = true;
    openFirewall = true;
-    shares = {
+    settings = {
      Parlor = {
        path = "/exports/Parlor";
        comment = "Fast Data Storage";
@ -181,7 +170,6 @@
  ##############################################################################
  # Users
  users.mutableUsers = false;
  users.users = {
    # System Users
    blockhouse = {
@ -194,26 +182,6 @@
      shell = pkgs.shadow;
      # TODO: Secret passwords?
    };
    # Human users
    lauren_lagarde = {
      isNormalUser = true;
      description = "Lauren Lagarde";
      extraGroups = [ "wheel" "docker" "libvirtd" ];
      initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD";
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCl881A1gvgCx+4ECrmJnO2QCTiqjaOLfAegKAAkvWNFKL0rDfsj8tZULUcyn87HYsRrdmqCOQ62GOjQyK803azq7QTxwY4vjczkJxico4LnIToTobcz+JkgF6Rf/h74bs9dHk4ZU853FRBz3wi/14rI10Iwckt37B1ayJacpELuzFobKYip2FjiL1vNH3tiAFR131z+YBByvNX+uJYEhpsI0xry9zbsSUWUq5/YFpmjezblzYRokfsReYiKJeQBeROSeRC/xFBSnikECSylNI4sw5VIpGXFIxL5xhss+s+3dnb+LFQ+zInOYxkVRydYc/In9Wz6Tu7v07K8bjvE7nQwHenoGtRW590Xu0rJApS+k8Cu16sCO2QFj/aI+gCrhU0ymM0aicr0hFAME6Y7j9HcR6PxYxnXZjI7cfqhO5TG8jot25SPzJcvH3EV5oPKtAkw9XA+8+nAI9czFlUgHnuMJAqw1IGOD3qozwqZ5yn1+kG7FZJRpvaPc5pK2HtqaAKJmnRuVaWcFuNALh86gr7Qn8IEp8Q+YyKmDqrMZ4KLJUMnVqn4y0HVS1eB5nVujaJZUGJWA4q3og0FE/2kH74WEp2ZtuJAoEPcgfZ6Ns7BmmXIZU7qu4kQoQ73b3mn6hCi5xlQ/sClzwHYkRPo4tST64ED/UIRPCYe1byNUWSww== lauren@lagarde.dev"
      ];
    };
    ashley_funkhouser = {
      isNormalUser = true;
      description = "Ashley Funkhouser";
      extraGroups = [ "wheel" "docker" "libvirtd" ];
      initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/";
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwgQE831tqVEbb5bhLH9XkhmiIxTJ4YlL0Yjha2MJ0uoXfC7y+twp2fJB0FjmXvrU5li2mAes5DVakq0RqG5MtkbGSFN9/lJPuis+k6OzTTihe3PGTkRqaC6JWAs5Db7yHlaq0a+qLpniXPH/9/W/IqjRB67EPvfPkZ7VefjeEkJ1aPSoobws8DJUGum5PAg1oLTGwgirGMSlpWNOCxt8h3dynjrRLbUG4afU/FvbQDy27J0ODIN5CPDj8ZiTgz1s0KsA702dXz8UiioDp8ES9gOOfLqye50lga3UuK47jNJXelwmIAvCdPj1LKpy4HvmdIH8F4CsCqwkzbF1/s55quWvf/olhcWofayKcjP6Vbs8k3M6cshjcXPKBbr2FnpznHZCPSDq0Htk6a/YfFGh3Jy96x5PJW29deKJ9pjEvTufWDBhU6Uqd/80QGpGg/VBNiMot5qPrcdKM3kN7aPxU1mlbF9ICG/T0E7mSGEQHYqKd2LGfbielvobE/pdPbErjTRzl9KeqYiN9NA8Um5r8KDj8w/E9oF6DMpqulFA9fdMYtMTeEVPXxt6c7S1+VzOkfSbRt/p5Ql5FF294f6lvN01gbbJrGrfAstXmyPKGmJ/OSYrTEX7hhpaDJytW9KgzAebdkP2C5CQnwyJHaTDr1dEDSieoB0JgRFMWuvBNUQ== ajfunk27@gmail.com"
      ];
    };
  };
  ##############################################################################
@ -221,76 +189,42 @@
  ##############################################################################
  # Network
-  networking = {
+  # Disable IPv6?
-    hostName = "blockhouse";
+  networking.enableIPv6 = false;
-    hostId = "ed658529";
+  boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true;
-    enableIPv6 = false;
+  systemd.network.networks = {
-    useNetworkd = true;
+    "30-eno1" = {
-    firewall.enable = false;
+      matchConfig.Name = "eno1";
-  };
+      networkConfig.Bridge = "br0";
-
+      linkConfig.RequiredForOnline = "enslaved";
-  services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes";
+    };
-
+    "30-enp37s0" = {
-  systemd.network = {
+      matchConfig.Name = "enp37s0";
-    enable = true;
+      networkConfig.Bridge = "br0";
-    netdevs = {
+      linkConfig.RequiredForOnline = "enslaved";
-      "20-br0".netdevConfig = {
+    };
-        Kind = "bridge";
+    "30-enp40s0" = {
-        Name = "br0";
+      matchConfig.Name = "enp40s0";
-      };
+      networkConfig.Bridge = "br0";
      linkConfig.RequiredForOnline = "enslaved";
    };
    networks = {
      "30-eno1" = {
        matchConfig.Name = "eno1";
        networkConfig.Bridge = "br0";
        linkConfig.RequiredForOnline = "enslaved";
      };
      "30-enp37s0" = {
        matchConfig.Name = "enp37s0";
        networkConfig.Bridge = "br0";
        linkConfig.RequiredForOnline = "enslaved";
      };
      "30-enp40s0" = {
        matchConfig.Name = "enp40s0";
        networkConfig.Bridge = "br0";
        linkConfig.RequiredForOnline = "enslaved";
      };
-      "40-br0" = {
+    "90-tinc" = {
-        matchConfig.Name = "br0";
+      matchConfig.Name = "tinc.dotspace";
-        bridgeConfig = {};
+      address = [ "10.86.84.104/32" ];
-        linkConfig = {
+      routes = [ { Destination = "10.86.84.0/24"; } ];
          RequiredForOnline = "routable";
        };
        networkConfig = {
          DHCP = "ipv4";
          IPv6AcceptRA = true;
        };
      };
      "90-tinc" = {
        matchConfig.Name = "tinc.mlaga97spa";
        address = [ "10.86.84.104/32" ];
        routes = [ { routeConfig = { Destination = "10.86.84.0/24"; }; } ];
      };
    };
  };
-  services.tinc.networks.mlaga97space = {
+  services.tinc.networks.dotspace = {
    name = "blockhouse";
    ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
    chroot = false;
-    settings = {
+    settings.ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ];
      ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ];
    };
    # TODO: dotspace.nix
  };    
  # Set your time zone.
  time.timeZone = "America/Chicago";
  ##############################################################################
  ##############################################################################
  ##############################################################################
@ -299,6 +233,7 @@
  services.cron = {
    enable = true;
    mailto = "";
    systemCronJobs = [
      "* * * * *	lauren_lagarde		/home/lauren_lagarde/bin/DriveStats"
      "* * * * *	lauren_lagarde		/home/lauren_lagarde/bin/PublishStats"
@ -307,30 +242,4 @@
      # Collate LongCam
    ];
  };
  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Other Services
  virtualisation.libvirtd.enable = true;
  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    StreamLocalBindUnlink = "yes";
  };
  services.smartd.enable = true;
  environment.systemPackages = with pkgs; [
    bc git vim btop tmux iotop byobu
    cifs-utils samba ffmpeg libvirt tinc_pre restic rclone nixos-generators
  ];
  zramSwap.enable = true;
  zramSwap.algorithm = "zstd";
  zramSwap.memoryPercent = 200;
  system.stateVersion = "23.11";
 }