ops/nixos: rework everything to factor common things out
This commit is contained in:
parent
f99775ddf2
commit
1e7fcadc97
9 changed files with 386 additions and 179 deletions
|
@ -1,8 +1,12 @@
|
|||
{ depot, lib, pkgs, rebuilder, ... }:
|
||||
{ config, ... }:
|
||||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
in {
|
||||
imports = [
|
||||
../lib/zfs.nix
|
||||
../lib/bgp.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"xhci_pci"
|
||||
"ahci"
|
||||
|
@ -12,24 +16,7 @@ in {
|
|||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.kernelModules = [ "kvm-intel" "tcp_bbr" ];
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.default.accept_ra" = 0;
|
||||
"net.ipv6.conf.all.accept_ra" = 0;
|
||||
"net.ipv6.conf.default.autoconf" = 0;
|
||||
"net.ipv6.conf.all.autoconf" = 0;
|
||||
};
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.autoSnapshot = {
|
||||
enable = true;
|
||||
monthly = 1;
|
||||
};
|
||||
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
zfs rollback -r zfast/local/root@blank
|
||||
'';
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
||||
|
||||
|
@ -52,11 +39,6 @@ in {
|
|||
};
|
||||
|
||||
nix.maxJobs = lib.mkDefault 12;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
nixpkgs.config = { allowUnfree = true; };
|
||||
|
||||
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
|
||||
|
||||
# Use systemd-boot.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
@ -91,19 +73,10 @@ in {
|
|||
firewall.allowPing = true;
|
||||
};
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
mercurial
|
||||
rxvt_unicode.terminfo
|
||||
rebuilder
|
||||
];
|
||||
|
||||
|
@ -113,13 +86,7 @@ in {
|
|||
# Define a user account.
|
||||
users.mutableUsers = false;
|
||||
users.users = {
|
||||
root.hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" "content" ];
|
||||
hashedPassword = secrets.passwordHashes.root;
|
||||
};
|
||||
lukegb.extraGroups = [ "wheel" "content" ];
|
||||
content = {
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "content" ];
|
||||
|
@ -129,9 +96,6 @@ in {
|
|||
content = {};
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||
|
|
|
@ -1,10 +1,16 @@
|
|||
{ depot, lib, pkgs, ... }@args:
|
||||
let
|
||||
inherit (builtins) foldl' mapAttrs;
|
||||
systemFor = config:
|
||||
(depot.third_party.nixos {
|
||||
configuration = config;
|
||||
}).system;
|
||||
baseModule = name: { ... }: {
|
||||
_module.args = args // {
|
||||
rebuilder = rebuilder name;
|
||||
};
|
||||
};
|
||||
systemFor = systemName: config:
|
||||
(depot.third_party.nixeval {
|
||||
system = builtins.currentSystem;
|
||||
modules = [ (baseModule systemName) (args: { imports = [ lib/common.nix config ]; }) ];
|
||||
}).config.system.build.toplevel;
|
||||
systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" ];
|
||||
rebuilder = system:
|
||||
pkgs.writeShellScriptBin "rebuilder" ''
|
||||
|
@ -18,7 +24,6 @@ let
|
|||
"$system/bin/switch-to-configuration" switch
|
||||
'';
|
||||
systemCfgs = lib.genAttrs systems
|
||||
(name: import (./. + "/${name}") (args // { rebuilder = rebuilder name; }));
|
||||
mapAttrValues = (f: set: mapAttrs (name: f) set);
|
||||
systemDrvs = mapAttrValues (systemCfg: systemFor systemCfg) systemCfgs;
|
||||
(name: import (./. + "/${name}"));
|
||||
systemDrvs = mapAttrs systemFor systemCfgs;
|
||||
in systemDrvs
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{ depot, lib, pkgs, rebuilder, ... }:
|
||||
{ config, ... }:
|
||||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
in {
|
||||
imports = [ ./bird.nix ];
|
||||
imports = [ ../lib/bgp.nix ];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
|
@ -11,13 +10,6 @@ in {
|
|||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.kernelModules = [ "tcp_bbr" ];
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.default.accept_ra" = 0;
|
||||
"net.ipv6.conf.all.accept_ra" = 0;
|
||||
"net.ipv6.conf.default.autoconf" = 0;
|
||||
"net.ipv6.conf.all.autoconf" = 0;
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
|
@ -30,11 +22,6 @@ in {
|
|||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 2;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
nixpkgs.config = { allowUnfree = true; };
|
||||
|
||||
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
|
||||
|
||||
# Use GRUB2.
|
||||
boot.loader.grub.enable = true;
|
||||
|
@ -95,43 +82,100 @@ in {
|
|||
ATTR{address}=="00:50:56:a3:6e:0f", NAME="ens-nlix"
|
||||
'';
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
mercurial
|
||||
rxvt_unicode.terminfo
|
||||
rebuilder
|
||||
];
|
||||
|
||||
programs.mtr.enable = true;
|
||||
services.openssh.enable = true;
|
||||
|
||||
networking.firewall = {
|
||||
allowPing = true;
|
||||
};
|
||||
environment.systemPackages = with pkgs; [];
|
||||
|
||||
# Define a user account.
|
||||
users.mutableUsers = false;
|
||||
users.users = {
|
||||
root.hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" "networkmanager" "bird2" ];
|
||||
hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb.extraGroups = [ "networkmanager" "bird2" ];
|
||||
};
|
||||
|
||||
services.lukegbgp = let local = {
|
||||
asn = 205479;
|
||||
}; in {
|
||||
enable = true;
|
||||
config = {
|
||||
local = {
|
||||
routerID = "141.98.136.124";
|
||||
};
|
||||
peering = {
|
||||
ixvm = {
|
||||
local = local // {
|
||||
v4 = "141.98.136.124";
|
||||
v6 = "2a09:11c0:f1:bc0b::2";
|
||||
};
|
||||
remote = {
|
||||
asn = 209844;
|
||||
export_community = 2000;
|
||||
routers = [{
|
||||
v4 = "141.98.136.97";
|
||||
v6 = "2a09:11c0:f1:bc0b::1";
|
||||
} {
|
||||
v4 = "141.98.136.126";
|
||||
v6 = "2a09:11c0:f1:bc0b::3";
|
||||
}];
|
||||
};
|
||||
};
|
||||
kleyrex = {
|
||||
local = local // {
|
||||
v4 = "193.189.83.41";
|
||||
v6 = "2001:7f8:33::a120:5479:1";
|
||||
};
|
||||
remote = {
|
||||
asn = 31142;
|
||||
export_community = 2001;
|
||||
routers = [{
|
||||
v4 = "193.189.82.251";
|
||||
v6 = "2001:7f8:33::a103:1142:1";
|
||||
} {
|
||||
v4 = "193.189.82.252";
|
||||
v6 = "2001:7f8:33::a103:1142:2";
|
||||
} {
|
||||
v4 = "193.189.82.253";
|
||||
v6 = "2001:7f8:33::a103:1142:3";
|
||||
}];
|
||||
};
|
||||
};
|
||||
locix = {
|
||||
local = local // {
|
||||
v4 = "185.1.166.219";
|
||||
v6 = "2001:7f8:f2:e1::a20:5479:1";
|
||||
};
|
||||
remote = {
|
||||
asn = 202409;
|
||||
export_community = 2002;
|
||||
routers = [{
|
||||
v4 = "185.1.166.100";
|
||||
v6 = "2001:7f8:f2:e1::babe:1";
|
||||
} {
|
||||
v4 = "185.1.166.200";
|
||||
v6 = "2001:7f8:f2:e1::dead:1";
|
||||
} {
|
||||
v4 = "185.1.166.254";
|
||||
v6 = "2001:7f8:f2:e1::be5a";
|
||||
}];
|
||||
};
|
||||
};
|
||||
nlix = {
|
||||
local = local // {
|
||||
v4 = "193.239.118.225";
|
||||
v6 = "2001:7f8:13::a520:5479:1";
|
||||
};
|
||||
remote = {
|
||||
asn = 34307;
|
||||
export_community = 2003;
|
||||
routers = [{
|
||||
v4 = "193.239.116.255";
|
||||
v6 = "2001:7f8:13::a503:4307:1";
|
||||
} {
|
||||
enabled = false;
|
||||
v4 = "193.239.117.0";
|
||||
v6 = "2001:7f8:13::a503:4307:2";
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||
|
||||
system.stateVersion = "20.03";
|
||||
}
|
||||
|
|
180
ops/nixos/lib/bgp.nix
Normal file
180
ops/nixos/lib/bgp.nix
Normal file
|
@ -0,0 +1,180 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
generateSnippet = base: args: lib.concatStringsSep "\n" (lib.mapAttrsToList ( ixName: ix: generateSnippetForIX (args // { ixName = ixName; ix = ix; }) ) base );
|
||||
generateSnippetForIX = { ixName, ix, ... }@args: ''
|
||||
ipv4 table ${ixName}4;
|
||||
ipv6 table ${ixName}6;
|
||||
protocol pipe ${ixName}pipe_4 {
|
||||
table ${ixName}4;
|
||||
peer table master4;
|
||||
import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
|
||||
export all;
|
||||
};
|
||||
protocol pipe ${ixName}pipe_6 {
|
||||
table ${ixName}6;
|
||||
peer table master6;
|
||||
import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
|
||||
export all;
|
||||
};
|
||||
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
|
||||
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
|
||||
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
||||
protocol bgp ${ixName}${toString routerNum}_4 {
|
||||
${enabledSnippet router};
|
||||
local ${ix.local.v4} as ${toString ix.local.asn};
|
||||
neighbor ${router.v4} as ${toString ix.remote.asn};
|
||||
ipv4 {
|
||||
table ${ixName}4;
|
||||
import all;
|
||||
export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
|
||||
};
|
||||
};
|
||||
protocol bgp ${ixName}${toString routerNum}_6 {
|
||||
${enabledSnippet router};
|
||||
local ${ix.local.v6} as ${toString ix.local.asn};
|
||||
neighbor ${router.v6} as ${toString ix.remote.asn};
|
||||
ipv6 {
|
||||
table ${ixName}6;
|
||||
import all;
|
||||
export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
|
||||
};
|
||||
};
|
||||
'';
|
||||
|
||||
inherit (lib) mkOption mkAfter types;
|
||||
in {
|
||||
options.services.lukegbgp = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
config = mkOption { # lukegbgp.config
|
||||
type = with types; submodule {
|
||||
options = {
|
||||
local = mkOption { # lukegbgp.config.local
|
||||
type = submodule {
|
||||
options = {
|
||||
routerID = mkOption { # lukegbgp.config.local.routerID
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
peering = mkOption { # lukegbgp.config.peering
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
local = mkOption { # lukegbgp.config.peering.<foo>.local
|
||||
type = submodule {
|
||||
options = {
|
||||
asn = mkOption { # lukegbgp.config.peering.<foo>.local.asn
|
||||
type = int;
|
||||
};
|
||||
v4 = mkOption { # lukegbgp.config.peering.<foo>.local.v4
|
||||
type = str;
|
||||
};
|
||||
v6 = mkOption { # lukegbgp.config.peering.<foo>.local.v6
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
remote = mkOption { # lukegbgp.config.peering.<foo>.remote
|
||||
type = submodule {
|
||||
options = {
|
||||
asn = mkOption { # lukegbgp.config.peering.<foo>.remote.asn
|
||||
type = int;
|
||||
};
|
||||
export_community = mkOption { # lukegbgp.config.peering.<foo>.remote.export_community
|
||||
type = int;
|
||||
};
|
||||
routers = mkOption { # lukegbgp.config.peering.<foo>.remote.routers
|
||||
type = listOf (submodule {
|
||||
options = {
|
||||
enabled = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.enabled
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
v4 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v4
|
||||
type = str;
|
||||
};
|
||||
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
services.bird2 = lib.mkIf config.services.lukegbgp.enable {
|
||||
enable = true;
|
||||
config = ''
|
||||
router id ${config.services.lukegbgp.config.local.routerID};
|
||||
|
||||
${generateSnippet config.services.lukegbgp.config.peering {}}
|
||||
|
||||
protocol kernel {
|
||||
persist;
|
||||
ipv4 {
|
||||
import none;
|
||||
export all;
|
||||
};
|
||||
};
|
||||
protocol kernel {
|
||||
persist;
|
||||
ipv6 {
|
||||
import none;
|
||||
export all;
|
||||
};
|
||||
};
|
||||
protocol device {
|
||||
};
|
||||
|
||||
protocol static export4 {
|
||||
ipv4 {
|
||||
import filter {
|
||||
bgp_ext_community.add((ro, 205479, 1000));
|
||||
bgp_ext_community.add((ro, 205479, 2000));
|
||||
bgp_ext_community.add((ro, 205479, 2001));
|
||||
bgp_ext_community.add((ro, 205479, 2002));
|
||||
bgp_ext_community.add((ro, 205479, 2003));
|
||||
accept;
|
||||
};
|
||||
};
|
||||
route 92.118.31.0/24 blackhole;
|
||||
};
|
||||
protocol static export6 {
|
||||
ipv6 {
|
||||
import filter {
|
||||
bgp_ext_community.add((ro, 205479, 1000));
|
||||
bgp_ext_community.add((ro, 205479, 2000));
|
||||
bgp_ext_community.add((ro, 205479, 2001));
|
||||
bgp_ext_community.add((ro, 205479, 2002));
|
||||
bgp_ext_community.add((ro, 205479, 2003));
|
||||
accept;
|
||||
};
|
||||
};
|
||||
route 2a09:a440::/48 blackhole;
|
||||
};
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = lib.mkIf config.services.lukegbgp.enable (lib.mkAfter [ 179 ]);
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.default.accept_ra" = 0;
|
||||
"net.ipv6.conf.all.accept_ra" = 0;
|
||||
"net.ipv6.conf.default.autoconf" = 0;
|
||||
"net.ipv6.conf.all.autoconf" = 0;
|
||||
};
|
||||
};
|
||||
}
|
44
ops/nixos/lib/common.nix
Normal file
44
ops/nixos/lib/common.nix
Normal file
|
@ -0,0 +1,44 @@
|
|||
{ pkgs, depot, lib, rebuilder, ... }:
|
||||
let
|
||||
inherit (lib) mkDefault;
|
||||
in
|
||||
{
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
|
||||
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
time.timeZone = mkDefault "Etc/UTC";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim mercurial rxvt_unicode.terminfo rebuilder
|
||||
];
|
||||
|
||||
networking.firewall = {
|
||||
allowPing = true;
|
||||
};
|
||||
|
||||
nixpkgs.config = { allowUnfree = true; };
|
||||
|
||||
users.mutableUsers = false;
|
||||
users.users = let secrets = depot.ops.secrets; in {
|
||||
root.hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPassword = secrets.passwordHashes.lukegb;
|
||||
};
|
||||
};
|
||||
|
||||
programs.mtr.enable = true;
|
||||
services.openssh.enable = true;
|
||||
|
||||
boot = {
|
||||
kernelModules = [ "tcp_bbr" ];
|
||||
kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||
kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||
};
|
||||
}
|
32
ops/nixos/lib/zfs.nix
Normal file
32
ops/nixos/lib/zfs.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) mkOption types mkAfter mkIf;
|
||||
robCfg = config.services.zfs.rollbackOnBoot;
|
||||
in
|
||||
{
|
||||
options.services.zfs.rollbackOnBoot = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
snapshot = mkOption {
|
||||
type = types.str;
|
||||
default = "zpool/local/root@blank";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.autoSnapshot = {
|
||||
enable = true;
|
||||
monthly = 1;
|
||||
};
|
||||
|
||||
boot.initrd.postDeviceCommands = mkIf robCfg.enable
|
||||
mkAfter ''
|
||||
zfs rollback -r ${robCfg.snapshot}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,5 +1,4 @@
|
|||
{ depot, lib, pkgs, rebuilder, ... }:
|
||||
{ config, ... }:
|
||||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]);
|
||||
|
@ -54,23 +53,12 @@ in {
|
|||
ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0"
|
||||
'';
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
mercurial
|
||||
gitAndTools.gitFull
|
||||
nodejs
|
||||
rxvt_unicode.terminfo
|
||||
python37Packages.pygments
|
||||
rebuilder
|
||||
myPhp
|
||||
];
|
||||
environment.etc."php.d/cache.ini".text = ''
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{ depot, lib, pkgs, rebuilder, ... }:
|
||||
{ config, ... }:
|
||||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
nvidia-offload-profile = ''
|
||||
|
@ -13,6 +12,10 @@ let
|
|||
exec -a "$0" "$@"
|
||||
'');
|
||||
in {
|
||||
imports = [
|
||||
../lib/zfs.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"xhci_pci"
|
||||
"ahci"
|
||||
|
@ -22,7 +25,7 @@ in {
|
|||
"sd_mod"
|
||||
"rtsx_pci_sdmmc"
|
||||
];
|
||||
boot.kernelModules = [ "kvm-intel" "tcp_bbr" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
|
||||
fileSystems = let
|
||||
zfs = device: {
|
||||
|
@ -48,27 +51,12 @@ in {
|
|||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
nixpkgs.config = { allowUnfree = true; };
|
||||
|
||||
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# Nuke everything on boot.
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
zfs rollback -r zpool/local/root@blank
|
||||
'';
|
||||
|
||||
# Enable ZFS.
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.autoSnapshot = {
|
||||
enable = true;
|
||||
monthly = 1;
|
||||
};
|
||||
# ZFS!
|
||||
services.zfs.rollbackOnBoot.enable = true;
|
||||
|
||||
# Enable HyperV guesting
|
||||
virtualisation.hypervGuest.enable = true;
|
||||
|
@ -88,21 +76,12 @@ in {
|
|||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/London";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
pciutils
|
||||
nvidia-offload
|
||||
(steam.override { extraProfile = nvidia-offload-profile; })
|
||||
|
@ -135,14 +114,8 @@ in {
|
|||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
sound.enable = true;
|
||||
|
@ -156,47 +129,23 @@ in {
|
|||
services.xserver.videoDrivers = [ "nvidia" ];
|
||||
services.xserver.displayManager.gdm = {
|
||||
enable = true;
|
||||
wayland = true;
|
||||
};
|
||||
|
||||
programs.sway = {
|
||||
enable = true;
|
||||
extraPackages = with pkgs; [
|
||||
swaylock # lockscreen
|
||||
swayidle
|
||||
xwayland # for legacy apps
|
||||
waybar # status bar
|
||||
mako # notification daemon
|
||||
kanshi # autorandr
|
||||
];
|
||||
};
|
||||
programs.waybar.enable = true;
|
||||
|
||||
hardware.opengl.driSupport32Bit = true;
|
||||
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
|
||||
hardware.pulseaudio.support32Bit = true;
|
||||
|
||||
# Define a user account.
|
||||
users.mutableUsers = false;
|
||||
users.users = {
|
||||
root.hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" "networkmanager" ];
|
||||
hashedPassword = secrets.passwordHashes.root;
|
||||
packages = [
|
||||
(pkgs.writeScriptBin "javaws" ''
|
||||
#!/bin/sh
|
||||
exec ${depot.nix.pkgs.javaws-env}/bin/javaws-env "$@"
|
||||
'')
|
||||
];
|
||||
};
|
||||
users.users.lukegb = {
|
||||
extraGroups = [ "wheel" "networkmanager" ];
|
||||
packages = [
|
||||
(pkgs.writeScriptBin "javaws" ''
|
||||
#!/bin/sh
|
||||
exec ${depot.nix.pkgs.javaws-env}/bin/javaws-env "$@"
|
||||
'')
|
||||
];
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||
|
||||
# Things to persist.
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
|
|
1
third_party/default.nix
vendored
1
third_party/default.nix
vendored
|
@ -3,4 +3,5 @@
|
|||
{
|
||||
nixpkgs = import ./nixpkgs { config.allowUnfree = true; };
|
||||
nixos = import ./nixpkgs/nixos;
|
||||
nixeval = import ./nixpkgs/nixos/lib/eval-config.nix;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue