Get bastion back synced up

This commit is contained in:
Lauren Lagarde 2025-07-15 20:36:39 -05:00
parent 204f23cae0
commit f626e4b16c
3 changed files with 109 additions and 130 deletions


@ -181,25 +181,27 @@
};
# Real Systems
bastion-in-training = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./systems/bastion/bastion-in-training.nix
lix-module.nixosModules.default
home-manager.nixosModules.home-manager
disko.nixosModules.default
];
};
bastion = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./systems/bastion/bastion-actual.nix
{
networking.hostName = "bastion";
networking.hostId = "0d13f99b";
system.stateVersion = "24.11";
time.timeZone = "America/Chicago";
sops.defaultSopsFile = ./secrets.yaml;
}
./systems/bastion/configuration.nix
sops-nix.nixosModules.sops
lix-module.nixosModules.default
home-manager.nixosModules.home-manager
disko.nixosModules.default
];
specialArgs = { inherit inputs pkgs-unstable; };
};
blockhouse = nixpkgs.lib.nixosSystem {
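Review bot: `./systems/bastion/bastion-actual.nix` sits in the same `modules` list as the new `./systems/bastion/configuration.nix` entry and the inlined identity block, yet the second file section of this commit deletes a module that declares the very `networking.hostName = "bastion"` and `hostId` now set inline here; the rendered page carries no side markers, so if that entry survives on the new side the flake points at a file that no longer exists and evaluating `bastion` would fail, which is worth confirming against the raw diff. The inlined attribute set also deserves a short comment explaining why `bastion` carries its identity in the flake while `bastion-in-training` keeps everything in its system file, e.g. `# Host identity stays in the flake so configuration.nix remains reusable across bastion builds`. The enclosing attribute set starts outside the hunk.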


@ -1,119 +0,0 @@
{ pkgs, ... }: {
networking.hostName = "bastion";
networking.hostId = "0d13f99b";
# WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
# https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
# https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
imports = [
./bastion_base.nix
../../features/gpu/intel.nix
../../tweaks/powersave.nix
../../features/frigate-mpv-cage.nix
];
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
fileSystems = {
"/boot0" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/boot1" = {
device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/exports/Frigate" = {
device = "bastion-frigate";
fsType = "zfs";
};
"/exports/MyBook" = {
device = "MyBook/root";
fsType = "zfs";
options = [ "nofail" ];
};
};
##############################################################################
##############################################################################
##############################################################################
# Networking
systemd.network.networks = {
"30-eno1" = {
matchConfig.Name = "eno1";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"30-enp0s20f0u8" = {
matchConfig.Name = "enp0s20f0u8";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.105/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
services.tinc.networks.dotspace = {
name = "bastion";
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" "citadel" ];
};
##############################################################################
##############################################################################
##############################################################################
# Services
hardware.coral.pcie.enable = true;
services.apcupsd = {
enable = true;
configText = ''
UPSTYPE usb
NISIP 0.0.0.0
BATTERYLEVEL 5
MINUTES 3
'';
};
# TODO: Put scripts into version control
services.cron = {
enable = true;
mailto = "";
systemCronJobs = [
# Sync Restic from Archive to MyBook daily at 0600
"0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
# Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
"*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
# Grab a still photo from all cameras once per minute
"* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
# TODO: Automatically Collate Camera Images Monthly
];
};
}


@ -1,3 +1,6 @@
# WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
# https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
# https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
{ pkgs, ... }: {
imports = [
# Core Features
@ -30,6 +33,12 @@
# Bastion Tweaks
../../tweaks/zfs.nix
../../tweaks/disable_firewall.nix
# Bastion IRL
../../features/gpu/intel.nix
../../tweaks/powersave.nix
../../features/frigate-mpv-cage.nix
];
##############################################################################
@ -49,11 +58,43 @@
##############################################################################
# Local Filesystems
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
fileSystems = {
"/" = {
device = "bastion-root/root";
fsType = "zfs";
};
"/boot0" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/boot1" = {
device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/exports/Frigate" = {
device = "bastion-frigate";
fsType = "zfs";
};
"/exports/MyBook" = {
device = "MyBook/root";
fsType = "zfs";
options = [ "nofail" ];
};
};
##############################################################################
@ -61,11 +102,34 @@
##############################################################################
# Services
hardware.coral.pcie.enable = true;
services.apcupsd = {
enable = true;
configText = ''
UPSTYPE usb
NISIP 0.0.0.0
BATTERYLEVEL 5
MINUTES 3
'';
};
services.cron = {
enable = true;
mailto = "";
systemCronJobs = [
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null"
# Sync Restic from Archive to MyBook daily at 0600
"0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
# Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
"*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
# Grab a still photo from all cameras once per minute
"* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
# TODO: Automatically Collate Camera Images Monthly
];
};
@ -115,6 +179,38 @@
};
};
##############################################################################
##############################################################################
##############################################################################
# Networking
systemd.network.networks = {
"30-eno1" = {
matchConfig.Name = "eno1";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"30-enp0s20f0u8" = {
matchConfig.Name = "enp0s20f0u8";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.105/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
services.tinc.networks.dotspace = {
name = "bastion";
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" "citadel" ];
};
##############################################################################
##############################################################################
##############################################################################
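Review bot: The root cron entries in the Services hunk run `/home/lauren_lagarde/bin/SyncRestic`, `MaintainFrigate` and `GetAllCameraImages` as root out of an unprivileged user's home directory, so anything that can write to that user's `bin` (the user account itself, or any process running as it, including the per-minute `PublishStats` job) decides what root executes every minute; the `# TODO: Put scripts into version control` note from the deleted module does not appear in this hunk, so that intent looks lost in the move. The fix is to serve the scripts from the Nix store, where they are root-owned and read-only, e.g. `"0 6 * * * root ${pkgs.writeShellScript "SyncRestic" (builtins.readFile ./scripts/SyncRestic)} > /dev/null"` (`./scripts/` is a placeholder for wherever the scripts get checked in; `pkgs` is already a module argument). Separately, `NISIP 0.0.0.0` in the apcupsd `configText` together with the `../../tweaks/disable_firewall.nix` import exposes the apcupsd NIS port on every interface, including `br0` and `tinc.dotspace`; `NISIP 127.0.0.1` is sufficient unless another host is meant to poll this UPS. The module's attribute set starts outside the hunk, and the rendered page may have dropped blank lines, so line positions are approximate.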