maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(ops/machines): add NixOS configuration for nevsky

Browse source 
This is just a carbon-copy of other machine configurations for now. The plan is
to switch this over to sixos, but I have to get a sane NixOS setup first because
this still requires a lot of experimentation (and stuff to be built *on* this
machine, since it's the fastest one we have).

Change-Id: I2e55e63ed5192eb748855999bb87d43498e706fc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12971
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
Vincent Ambo 2025-01-11 22:23:52 +03:00 committed by tazjin
parent dacbde58ea
commit 70282aa412
3 changed files with 164 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

160
ops/machines/nevsky/default.nix Normal file
View file

@ -0,0 +1,160 @@
{ depot, lib, pkgs, ... }: # readTree options
{ config, ... }: # passed by module system
let
mod = name: depot.path.origSrc + ("/ops/modules/" + name);
in
{
imports = [
(mod "tvl-users.nix")
];
hardware.cpu.amd.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
boot = {
tmp.useTmpfs = true;
kernelModules = [ "kvm-amd" ];
supportedFilesystems = [ "zfs" ];
kernelParams = [
"ip=188.225.81.75::188.225.81.1:255.255.255.0:nevsky:enp1s0f0np0:none"
];
initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "ice" ];
# initrd SSH for disk unlocking
network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys =
depot.users.tazjin.keys.all
++ depot.users.lukegb.keys.all
++ depot.users.sterni.keys.all;
hostKeys = [
/etc/secrets/initrd_host_ed25519_key
];
};
# this will launch the zfs password prompt on login and kill the
# other prompt
postCommands = ''
echo "zfs load-key -a && killall zfs" >> /root/.profile
'';
};
};
kernel.sysctl = {
"net.ipv4.tcp_congestion_control" = "bbr";
};
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
zfs.requestEncryptionCredentials = true;
};
fileSystems = {
"/" = {
device = "tank/root";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/CCB4-8821";
fsType = "vfat";
};
"/nix" = {
device = "tank/nix";
fsType = "zfs";
};
"/home" = {
device = "tank/home";
fsType = "zfs";
};
"/depot" = {
device = "tank/depot";
fsType = "zfs";
};
};
networking = {
hostName = "nevsky";
domain = "tvl.fyi";
hostId = "0117d088";
useDHCP = false;
interfaces.enp1s0f0np0.ipv4.addresses = [{
address = "188.225.81.75";
prefixLength = 24;
}];
defaultGateway = "188.225.81.1";
interfaces.enp1s0f0np0.ipv6.addresses = [{
address = "2a03:6f00:2:514b:0:feed:edef:beef";
prefixLength = 64;
}];
defaultGateway6 = {
address = "2a03:6f00:2:514b::1";
interface = "enp1s0f0np0";
};
nameservers = [
"8.8.8.8"
"8.8.4.4"
];
firewall.allowedTCPPorts = [ 22 80 443 ];
};
# Generate an immutable /etc/resolv.conf from the nameserver settings
# above (otherwise DHCP overwrites it):
environment.etc."resolv.conf" = with lib; {
source = pkgs.writeText "resolv.conf" ''
${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
options edns0
'';
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
services.fail2ban.enable = true;
programs.mtr.enable = true;
programs.mosh.enable = true;
time.timeZone = "UTC";
nixpkgs.hostPlatform = "x86_64-linux";
services.fwupd.enable = true;
# Join TVL Tailscale network at net.tvl.fyi
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
security.sudo.extraRules = [
{
groups = [ "wheel" ];
commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
}
];
zramSwap.enable = true;
system.stateVersion = "24.11";
}