feat(ops/machines): add NixOS configuration for nevsky
This is just a carbon-copy of other machine configurations for now. The plan is to switch this over to sixos, but I have to get a sane NixOS setup first because this still requires a lot of experimentation (and stuff to be built *on* this machine, since it's the fastest one we have). Change-Id: I2e55e63ed5192eb748855999bb87d43498e706fc Reviewed-on: https://cl.tvl.fyi/c/depot/+/12971 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
		
							parent
							
								
									dacbde58ea
								
							
						
					
					
						commit
						70282aa412
					
				
					 3 changed files with 164 additions and 2 deletions
				
			
		|  | @ -31,8 +31,9 @@ let | ||||||
|       # |       # | ||||||
|       # 1. User SSH keys are set in //users. |       # 1. User SSH keys are set in //users. | ||||||
|       # 2. Some personal websites or demo projects are served from it. |       # 2. Some personal websites or demo projects are served from it. | ||||||
|       [ "ops" "machines" "whitby" ] |  | ||||||
|       [ "ops" "machines" "bugry" ] |       [ "ops" "machines" "bugry" ] | ||||||
|  |       [ "ops" "machines" "nevsky" ] | ||||||
|  |       [ "ops" "machines" "whitby" ] | ||||||
| 
 | 
 | ||||||
|       # Due to evaluation order this also affects these targets. |       # Due to evaluation order this also affects these targets. | ||||||
|       # TODO(tazjin): Can this one be removed somehow? |       # TODO(tazjin): Can this one be removed somehow? | ||||||
|  |  | ||||||
							
								
								
									
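--- a/ops/machines/nevsky/default.nix
+++ b/ops/machines/nevsky/default.nix
@@ -0,0 +1,160 @@
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+  imports = [
+    (mod "tvl-users.nix")
+  ];
+
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableRedistributableFirmware = true;
+
+  boot = {
+    tmp.useTmpfs = true;
+    kernelModules = [ "kvm-amd" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelParams = [
+      "ip=188.225.81.75::188.225.81.1:255.255.255.0:nevsky:enp1s0f0np0:none"
+    ];
+
+    initrd = {
+      availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "ice" ];
+
+      # initrd SSH for disk unlocking
+      network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          port = 2222;
+          authorizedKeys =
+            depot.users.tazjin.keys.all
+            ++ depot.users.lukegb.keys.all
+            ++ depot.users.sterni.keys.all;
+
+          hostKeys = [
+            /etc/secrets/initrd_host_ed25519_key
+          ];
+        };
+
+        # this will launch the zfs password prompt on login and kill the
+        # other prompt
+        postCommands = ''
+          echo "zfs load-key -a && killall zfs" >> /root/.profile
+        '';
+      };
+    };
+
+    kernel.sysctl = {
+      "net.ipv4.tcp_congestion_control" = "bbr";
+    };
+
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    zfs.requestEncryptionCredentials = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "tank/root";
+      fsType = "zfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/CCB4-8821";
+      fsType = "vfat";
+    };
+
+    "/nix" = {
+      device = "tank/nix";
+      fsType = "zfs";
+    };
+
+    "/home" = {
+      device = "tank/home";
+      fsType = "zfs";
+    };
+
+    "/depot" = {
+      device = "tank/depot";
+      fsType = "zfs";
+    };
+  };
+
+  networking = {
+    hostName = "nevsky";
+    domain = "tvl.fyi";
+    hostId = "0117d088";
+    useDHCP = false;
+
+    interfaces.enp1s0f0np0.ipv4.addresses = [{
+      address = "188.225.81.75";
+      prefixLength = 24;
+    }];
+
+    defaultGateway = "188.225.81.1";
+
+    interfaces.enp1s0f0np0.ipv6.addresses = [{
+      address = "2a03:6f00:2:514b:0:feed:edef:beef";
+      prefixLength = 64;
+    }];
+
+    defaultGateway6 = {
+      address = "2a03:6f00:2:514b::1";
+      interface = "enp1s0f0np0";
+    };
+
+    nameservers = [
+      "8.8.8.8"
+      "8.8.4.4"
+    ];
+
+    firewall.allowedTCPPorts = [ 22 80 443 ];
+  };
+
+  # Generate an immutable /etc/resolv.conf from the nameserver settings
+  # above (otherwise DHCP overwrites it):
+  environment.etc."resolv.conf" = with lib; {
+    source = pkgs.writeText "resolv.conf" ''
+      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+      options edns0
+    '';
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  services.fail2ban.enable = true;
+
+  programs.mtr.enable = true;
+  programs.mosh.enable = true;
+
+  time.timeZone = "UTC";
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  services.fwupd.enable = true;
+
+  # Join TVL Tailscale network at net.tvl.fyi
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "both";
+  };
+
+  security.sudo.extraRules = [
+    {
+      groups = [ "wheel" ];
+      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+    }
+  ];
+
+  zramSwap.enable = true;
+
+  system.stateVersion = "24.11";
+}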
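Review bot: `useRoutingFeatures = "both";` in the `services.tailscale` block near the end of the hunk is, if I read the NixOS tailscale module correctly, what enables `net.ipv4.ip_forward`/`net.ipv6.conf.all.forwarding` and relaxes the firewall's reverse-path check to loose, on a host that sits directly on a public IPv4 and IPv6 address, and nothing in the commit says nevsky advertises subnet routes or acts as an exit node. If it only needs to be a member of the tailnet, `useRoutingFeatures = "client";` (or leaving the option at its default) keeps kernel forwarding off; if routing is intended, the comment above the block should say so, e.g. `# Join TVL Tailscale network at net.tvl.fyi; "both" because nevsky advertises <routes — TODO fill in>`. The `security.sudo.extraRules` entry grants `wheel` passwordless `ALL`, inherited from the other machine configurations as the description says; a one-line comment stating that this is deliberate would keep it from being re-raised on the next copy. Also, the `ip=…` entry in `boot.kernelParams` repeats the address, gateway and interface that `networking.*` declares further down, so a change to one has to be mirrored in the other — a short comment pointing at the pairing would help.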
|  | @ -63,6 +63,7 @@ in rec { | ||||||
|   whitbySystem = (nixosFor depot.ops.machines.whitby).system; |   whitbySystem = (nixosFor depot.ops.machines.whitby).system; | ||||||
|   sandunySystem = (nixosFor depot.ops.machines.sanduny).system; |   sandunySystem = (nixosFor depot.ops.machines.sanduny).system; | ||||||
|   bugrySystem = (nixosFor depot.ops.machines.bugry).system; |   bugrySystem = (nixosFor depot.ops.machines.bugry).system; | ||||||
|  |   nevskySystem = (nixosFor depot.ops.machines.nevsky).system; | ||||||
|   nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system; |   nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system; | ||||||
|   meta.ci.targets = [ "sandunySystem" "whitbySystem" "bugrySystem" "nixeryDev01System" ]; |   meta.ci.targets = [ "sandunySystem" "whitbySystem" "bugrySystem" "nevskySystem" "nixeryDev01System" ]; | ||||||
| } | } | ||||||
|  |  | ||||||