diff --git a/flake.nix b/flake.nix
index c899750..0e075cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -181,25 +181,27 @@
 };
 # Real Systems
- bastion-in-training = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./systems/bastion/bastion-in-training.nix
-
- lix-module.nixosModules.default
- home-manager.nixosModules.home-manager
- disko.nixosModules.default
- ];
- };
 bastion = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
- ./systems/bastion/bastion-actual.nix
+ {
+ networking.hostName = "bastion";
+ networking.hostId = "0d13f99b";
+ system.stateVersion = "24.11";
+ time.timeZone = "America/Chicago";
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ }
+
+ ./systems/bastion/configuration.nix
+
+ sops-nix.nixosModules.sops
 lix-module.nixosModules.default
 home-manager.nixosModules.home-manager
 disko.nixosModules.default
 ];
+ specialArgs = { inherit inputs pkgs-unstable; };
 };
 blockhouse = nixpkgs.lib.nixosSystem {
diff --git a/systems/bastion/bastion-actual.nix b/systems/bastion/bastion-actual.nix
deleted file mode 100644
index 20c5f32..0000000
--- a/systems/bastion/bastion-actual.nix
+++ /dev/null
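Review bot: `sops.defaultSopsFile = ./secrets.yaml;` in the new inline module is the only sops wiring visible in this hunk, and nothing here says where the decryption key comes from (`sops.age.keyFile` or `sops.age.sshKeyPaths`) or records that `secrets.yaml` must only ever be committed encrypted; if that lives in `./systems/bastion/configuration.nix`, a one-line comment next to the path such as `# encrypted with sops; the decryption key is configured in configuration.nix` saves the next reader a search. The same inline module pins `system.stateVersion = "24.11"`; if the renamed `configuration.nix` (formerly `bastion_base.nix`) still sets that option, the two definitions must agree or evaluation fails, which cannot be checked from this hunk. `specialArgs` now hands every module the full `inputs` set and `pkgs-unstable`; both must be bound in the enclosing `let` of flake.nix, which is outside this hunk.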
@@ -1,119 +0,0 @@
-{ pkgs, ... }: {
- networking.hostName = "bastion";
- networking.hostId = "0d13f99b";
-
- # WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
- # https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
- # https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
-
- imports = [
- ./bastion_base.nix
-
- ../../features/gpu/intel.nix
- ../../tweaks/powersave.nix
-
- ../../features/frigate-mpv-cage.nix
- ];
-
- boot.loader.grub.mirroredBoots = [
- {
- devices = [ "nodev" ];
- path = "/boot0";
- }
- {
- devices = [ "nodev" ];
- path = "/boot1";
- }
- ];
-
- fileSystems = {
- "/boot0" = {
- device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
- fsType = "vfat";
- options = [ "nofail" ];
- };
- "/boot1" = {
- device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
- fsType = "vfat";
- options = [ "nofail" ];
- };
-
- "/exports/Frigate" = {
- device = "bastion-frigate";
- fsType = "zfs";
- };
- "/exports/MyBook" = {
- device = "MyBook/root";
- fsType = "zfs";
- options = [ "nofail" ];
- };
- };
-
- ##############################################################################
- ##############################################################################
- ##############################################################################
- # Networking
-
- systemd.network.networks = {
- "30-eno1" = {
- matchConfig.Name = "eno1";
- networkConfig.Bridge = "br0";
- linkConfig.RequiredForOnline = "enslaved";
- };
- "30-enp0s20f0u8" = {
- matchConfig.Name = "enp0s20f0u8";
- networkConfig.Bridge = "br0";
- linkConfig.RequiredForOnline = "enslaved";
- };
-
- "90-tinc" = {
- matchConfig.Name = "tinc.dotspace";
- address = [ "10.86.84.105/32" ];
- routes = [ { Destination = "10.86.84.0/24"; } ];
- };
- };
-
- services.tinc.networks.dotspace = {
- name = "bastion";
- ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
-
- chroot = false;
- settings.ConnectTo = [ "fortress" "citadel" ];
- };
-
- ##############################################################################
- ##############################################################################
- ##############################################################################
- # Services
-
- hardware.coral.pcie.enable = true;
-
- services.apcupsd = {
- enable = true;
- configText = ''
- UPSTYPE usb
- NISIP 0.0.0.0
- BATTERYLEVEL 5
- MINUTES 3
- '';
- };
-
- # TODO: Put scripts into version control
- services.cron = {
- enable = true;
- mailto = "";
- systemCronJobs = [
-
- # Sync Restic from Archive to MyBook daily at 0600
- "0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
-
- # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
- "*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
-
- # Grab a still photo from all cameras once per minute
- "* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
-
- # TODO: Automatically Collate Camera Images Monthly
- ];
- };
-}
diff --git a/systems/bastion/bastion_base.nix b/systems/bastion/configuration.nix
similarity index 59%
rename from systems/bastion/bastion_base.nix
rename to systems/bastion/configuration.nix
index 72ffffc..436e470 100644
--- a/systems/bastion/bastion_base.nix
+++ b/systems/bastion/configuration.nix
@@ -1,3 +1,6 @@
+# WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
+# https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
+# https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
 { pkgs, ... }: {
 imports = [
 # Core Features
@@ -30,6 +33,12 @@
 # Bastion Tweaks
 ../../tweaks/zfs.nix
 ../../tweaks/disable_firewall.nix
+
+ # Bastion IRL
+ ../../features/gpu/intel.nix
+ ../../tweaks/powersave.nix
+
+ ../../features/frigate-mpv-cage.nix
 ];
 ##############################################################################
@@ -49,11 +58,43 @@
 ##############################################################################
 # Local Filesystems
+ boot.loader.grub.mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot0";
+ }
+ {
+ devices = [ "nodev" ];
+ path = "/boot1";
+ }
+ ];
+
 fileSystems = {
 "/" = {
 device = "bastion-root/root";
 fsType = "zfs";
 };
+
+ "/boot0" = {
+ device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ "/boot1" = {
+ device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+
+ "/exports/Frigate" = {
+ device = "bastion-frigate";
+ fsType = "zfs";
+ };
+ "/exports/MyBook" = {
+ device = "MyBook/root";
+ fsType = "zfs";
+ options = [ "nofail" ];
+ };
 };
 ##############################################################################
@@ -61,11 +102,34 @@
 ##############################################################################
 # Services
+ hardware.coral.pcie.enable = true;
+
+ services.apcupsd = {
+ enable = true;
+ configText = ''
+ UPSTYPE usb
+ NISIP 0.0.0.0
+ BATTERYLEVEL 5
+ MINUTES 3
+ '';
+ };
+
 services.cron = {
 enable = true;
 mailto = "";
 systemCronJobs = [
 "* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null"
+
+ # Sync Restic from Archive to MyBook daily at 0600
+ "0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
+
+ # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
+ "*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
+
+ # Grab a still photo from all cameras once per minute
+ "* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
+
+ # TODO: Automatically Collate Camera Images Monthly
 ];
 };
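Review bot: `"/exports/Frigate"` is the only entry in the moved `fileSystems` block without `options = [ "nofail" ];`, so a missing or unimportable `bastion-frigate` pool holds up boot while `/boot0`, `/boot1` and `/exports/MyBook` are all tolerated; the inconsistency was carried over verbatim from the deleted `bastion-actual.nix`, so it may well be deliberate. If it is, a comment on that entry such as `# no nofail on purpose: better to stop at boot than run the recorder without its pool` records the decision; if not, add the option. The two `nofail` ESPs under `mirroredBoots` likewise mean a single-disk failure boots without complaint, which is worth one line saying how it is expected to be noticed.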
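Review bot: The three cron entries added to `systemCronJobs` run as `root` yet execute scripts out of `/home/lauren_lagarde/bin/`, so anyone able to write to that user's home directory controls what root runs every minute; the deleted `bastion-actual.nix` carried `# TODO: Put scripts into version control` above this block and that comment did not survive the move. At minimum restore the TODO, and preferably point the jobs at root-owned copies (a derivation in this repo, or a path under `/etc`) rather than a user-writable directory. Separately, `NISIP 0.0.0.0` in `services.apcupsd.configText` makes the apcupsd NIS status port listen on every interface, and this file also imports `../../tweaks/disable_firewall.nix`; unless remote apcupsd clients are expected, `NISIP 127.0.0.1` (or the host's tinc address) keeps it local.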
@@ -115,6 +179,38 @@
 };
 };
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Networking
+
+ systemd.network.networks = {
+ "30-eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "30-enp0s20f0u8" = {
+ matchConfig.Name = "enp0s20f0u8";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+
+ "90-tinc" = {
+ matchConfig.Name = "tinc.dotspace";
+ address = [ "10.86.84.105/32" ];
+ routes = [ { Destination = "10.86.84.0/24"; } ];
+ };
+ };
+
+ services.tinc.networks.dotspace = {
+ name = "bastion";
+ ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
+
+ chroot = false;
+ settings.ConnectTo = [ "fortress" "citadel" ];
+ };
+
 ##############################################################################
 ##############################################################################
 ##############################################################################
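Review bot: `ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";` keeps the tinc host key as an unmanaged plaintext file under `/root` even though this same commit wires `sops-nix` into the bastion system and sets `sops.defaultSopsFile` in flake.nix; declaring the key as a sops secret gives it a managed path, owner and mode, e.g. `sops.secrets.tinc-ed25519-key = {};` and `ed25519PrivateKeyFile = config.sops.secrets.tinc-ed25519-key.path;` (the module header `{ pkgs, ... }:` in the first hunk of this file would then need `config` as well). `chroot = false;` also moves over without any stated reason; a one-line comment on why the tinc daemon has to run unconfined would help the next person who is tempted to remove it.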