From 70282aa41223920fc53e07cb39d55d9ea90e8c4f Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 11 Jan 2025 22:23:52 +0300
Subject: [PATCH] feat(ops/machines): add NixOS configuration for nevsky

This is just a carbon-copy of other machine configurations for now. The plan is to switch this over to sixos, but I have to get a sane NixOS setup first because this still requires a lot of experimentation (and stuff to be built *on* this machine, since it's the fastest one we have).

Change-Id: I2e55e63ed5192eb748855999bb87d43498e706fc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12971
Tested-by: BuildkiteCI
Reviewed-by: sterni
---
 default.nix | 3 +-
 ops/machines/nevsky/default.nix | 160 ++++++++++++++++++++++++++++++++
 ops/nixos.nix | 3 +-
 3 files changed, 164 insertions(+), 2 deletions(-)
 create mode 100644 ops/machines/nevsky/default.nix

diff --git a/default.nix b/default.nix
index 653ea57c2..d7623eeee 100644
--- a/default.nix
+++ b/default.nix
@@ -31,8 +31,9 @@ let
 #
 # 1. User SSH keys are set in //users.
 # 2. Some personal websites or demo projects are served from it.
- [ "ops" "machines" "whitby" ]
 [ "ops" "machines" "bugry" ]
+ [ "ops" "machines" "nevsky" ]
+ [ "ops" "machines" "whitby" ]
 
 # Due to evaluation order this also affects these targets.
 # TODO(tazjin): Can this one be removed somehow?
diff --git a/ops/machines/nevsky/default.nix b/ops/machines/nevsky/default.nix
new file mode 100644
index 000000000..2f3a0f7ae
--- /dev/null
+++ b/ops/machines/nevsky/default.nix
@@ -0,0 +1,160 @@
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+ imports = [
+ (mod "tvl-users.nix")
+ ];
+
+ hardware.cpu.amd.updateMicrocode = true;
+ hardware.enableRedistributableFirmware = true;
+
+ boot = {
+ tmp.useTmpfs = true;
+ kernelModules = [ "kvm-amd" ];
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = [
+ "ip=188.225.81.75::188.225.81.1:255.255.255.0:nevsky:enp1s0f0np0:none"
+ ];
+
+ initrd = {
+ availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "ice" ];
+
+ # initrd SSH for disk unlocking
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys =
+ depot.users.tazjin.keys.all
+ ++ depot.users.lukegb.keys.all
+ ++ depot.users.sterni.keys.all;
+
+ hostKeys = [
+ /etc/secrets/initrd_host_ed25519_key
+ ];
+ };
+
+ # this will launch the zfs password prompt on login and kill the
+ # other prompt
+ postCommands = ''
+ echo "zfs load-key -a && killall zfs" >> /root/.profile
+ '';
+ };
+ };
+
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ zfs.requestEncryptionCredentials = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "tank/root";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/CCB4-8821";
+ fsType = "vfat";
+ };
+
+ "/nix" = {
+ device = "tank/nix";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "tank/home";
+ fsType = "zfs";
+ };
+
+ "/depot" = {
+ device = "tank/depot";
+ fsType = "zfs";
+ };
+ };
+
+ networking = {
+ hostName = "nevsky";
+ domain = "tvl.fyi";
+ hostId = "0117d088";
+ useDHCP = false;
+
+ interfaces.enp1s0f0np0.ipv4.addresses = [{
+ address = "188.225.81.75";
+ prefixLength = 24;
+ }];
+
+ defaultGateway = "188.225.81.1";
+
+ interfaces.enp1s0f0np0.ipv6.addresses = [{
+ address = "2a03:6f00:2:514b:0:feed:edef:beef";
+ prefixLength = 64;
+ }];
+
+ defaultGateway6 = {
+ address = "2a03:6f00:2:514b::1";
+ interface = "enp1s0f0np0";
+ };
+
+ nameservers = [
+ "8.8.8.8"
+ "8.8.4.4"
+ ];
+
+ firewall.allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ # Generate an immutable /etc/resolv.conf from the nameserver settings
+ # above (otherwise DHCP overwrites it):
+ environment.etc."resolv.conf" = with lib; {
+ source = pkgs.writeText "resolv.conf" ''
+ ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+ options edns0
+ '';
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ programs.mtr.enable = true;
+ programs.mosh.enable = true;
+
+ time.timeZone = "UTC";
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ services.fwupd.enable = true;
+
+ # Join TVL Tailscale network at net.tvl.fyi
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ security.sudo.extraRules = [
+ {
+ groups = [ "wheel" ];
+ commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+ }
+ ];
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "24.11";
+}
diff --git a/ops/nixos.nix b/ops/nixos.nix
index 082d8d786..7a744c6b6 100644
--- a/ops/nixos.nix
+++ b/ops/nixos.nix
@@ -63,6 +63,7 @@ in rec {
 whitbySystem = (nixosFor depot.ops.machines.whitby).system;
 sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
 bugrySystem = (nixosFor depot.ops.machines.bugry).system;
+ nevskySystem = (nixosFor depot.ops.machines.nevsky).system;
 nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system;
- meta.ci.targets = [ "sandunySystem" "whitbySystem" "bugrySystem" "nixeryDev01System" ];
+ meta.ci.targets = [ "sandunySystem" "whitbySystem" "bugrySystem" "nevskySystem" "nixeryDev01System" ];
 }
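Review bot: `firewall.allowedTCPPorts = [ 22 80 443 ];` opens 80 and 443 on the public interface although nothing in this module listens on them, so the exposure is granted ahead of any service that would justify it; `firewall.allowedTCPPorts = [ 22 ];` until a web service module is imported keeps the host to what it actually serves. In the same file `useRoutingFeatures = "both";` has the NixOS tailscale module enable the IPv4/IPv6 forwarding sysctls and set `networking.firewall.checkReversePath = "loose"`, which is more than a plain tailnet member needs; `"client"` is the narrower value unless nevsky is meant to advertise subnet routes or act as an exit node. Both are plausibly carried over from the machine this was copied from, as the commit message says, so if they are intentional a one-line comment at each (e.g. `# 80/443: reserved for <service>` and `# routing: <which routes nevsky advertises>`) would record why the wider setting is wanted here.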