diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix index a71c403ad0..b041c77cb1 100644 --- a/ops/nixos/clouvider-fra01/default.nix +++ b/ops/nixos/clouvider-fra01/default.nix @@ -1,8 +1,12 @@ -{ depot, lib, pkgs, rebuilder, ... }: -{ config, ... }: +{ depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; in { + imports = [ + ../lib/zfs.nix + ../lib/bgp.nix + ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" @@ -12,24 +16,7 @@ in { "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" "tcp_bbr" ]; - boot.kernel.sysctl = { - "net.ipv6.conf.default.accept_ra" = 0; - "net.ipv6.conf.all.accept_ra" = 0; - "net.ipv6.conf.default.autoconf" = 0; - "net.ipv6.conf.all.autoconf" = 0; - }; - boot.supportedFilesystems = [ "zfs" ]; - boot.zfs.devNodes = "/dev/disk/by-partuuid"; - services.zfs.autoScrub.enable = true; - services.zfs.autoSnapshot = { - enable = true; - monthly = 1; - }; - - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r zfast/local/root@blank - ''; + boot.kernelModules = [ "kvm-intel" ]; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; @@ -52,11 +39,6 @@ in { }; nix.maxJobs = lib.mkDefault 12; - hardware.enableRedistributableFirmware = true; - - nixpkgs.config = { allowUnfree = true; }; - - nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; # Use systemd-boot. boot.loader.systemd-boot.enable = true; @@ -91,19 +73,10 @@ in { firewall.allowPing = true; }; - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console.keyMap = "us"; - - # Set your time zone. - time.timeZone = "Etc/UTC"; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim mercurial - rxvt_unicode.terminfo rebuilder ]; @@ -113,13 +86,7 @@ in { # Define a user account. users.mutableUsers = false; users.users = { - root.hashedPassword = secrets.passwordHashes.root; - lukegb = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" "content" ]; - hashedPassword = secrets.passwordHashes.root; - }; + lukegb.extraGroups = [ "wheel" "content" ]; content = { isSystemUser = true; extraGroups = [ "content" ]; @@ -129,9 +96,6 @@ in { content = {}; }; - boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; - boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; - services.openssh.hostKeys = [ { path = "/persist/etc/ssh/ssh_host_ed25519_key"; diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix index aed9ac2e03..1f256363a6 100644 --- a/ops/nixos/default.nix +++ b/ops/nixos/default.nix @@ -1,10 +1,16 @@ { depot, lib, pkgs, ... }@args: let inherit (builtins) foldl' mapAttrs; - systemFor = config: - (depot.third_party.nixos { - configuration = config; - }).system; + baseModule = name: { ... }: { + _module.args = args // { + rebuilder = rebuilder name; + }; + }; + systemFor = systemName: config: + (depot.third_party.nixeval { + system = builtins.currentSystem; + modules = [ (baseModule systemName) (args: { imports = [ lib/common.nix config ]; }) ]; + }).config.system.build.toplevel; systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" ]; rebuilder = system: pkgs.writeShellScriptBin "rebuilder" '' @@ -18,7 +24,6 @@ let "$system/bin/switch-to-configuration" switch ''; systemCfgs = lib.genAttrs systems - (name: import (./. + "/${name}") (args // { rebuilder = rebuilder name; })); - mapAttrValues = (f: set: mapAttrs (name: f) set); - systemDrvs = mapAttrValues (systemCfg: systemFor systemCfg) systemCfgs; + (name: import (./. + "/${name}")); + systemDrvs = mapAttrs systemFor systemCfgs; in systemDrvs diff --git a/ops/nixos/ixvm-fra01/default.nix b/ops/nixos/ixvm-fra01/default.nix index 62dcfd311a..a3bbc576be 100644 --- a/ops/nixos/ixvm-fra01/default.nix +++ b/ops/nixos/ixvm-fra01/default.nix @@ -1,9 +1,8 @@ -{ depot, lib, pkgs, rebuilder, ... }: -{ config, ... }: +{ depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; in { - imports = [ ./bird.nix ]; + imports = [ ../lib/bgp.nix ]; boot.initrd.availableKernelModules = [ "ata_piix" @@ -11,13 +10,6 @@ in { "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "tcp_bbr" ]; - boot.kernel.sysctl = { - "net.ipv6.conf.default.accept_ra" = 0; - "net.ipv6.conf.all.accept_ra" = 0; - "net.ipv6.conf.default.autoconf" = 0; - "net.ipv6.conf.all.autoconf" = 0; - }; fileSystems = { "/" = { @@ -30,11 +22,6 @@ in { ]; nix.maxJobs = lib.mkDefault 2; - hardware.enableRedistributableFirmware = true; - - nixpkgs.config = { allowUnfree = true; }; - - nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; # Use GRUB2. boot.loader.grub.enable = true; @@ -95,43 +82,100 @@ in { ATTR{address}=="00:50:56:a3:6e:0f", NAME="ens-nlix" ''; - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console.keyMap = "us"; - - # Set your time zone. - time.timeZone = "Etc/UTC"; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - mercurial - rxvt_unicode.terminfo - rebuilder - ]; - - programs.mtr.enable = true; - services.openssh.enable = true; - - networking.firewall = { - allowPing = true; - }; + environment.systemPackages = with pkgs; []; # Define a user account. - users.mutableUsers = false; users.users = { - root.hashedPassword = secrets.passwordHashes.root; - lukegb = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" "networkmanager" "bird2" ]; - hashedPassword = secrets.passwordHashes.root; + lukegb.extraGroups = [ "networkmanager" "bird2" ]; + }; + + services.lukegbgp = let local = { + asn = 205479; + }; in { + enable = true; + config = { + local = { + routerID = "141.98.136.124"; + }; + peering = { + ixvm = { + local = local // { + v4 = "141.98.136.124"; + v6 = "2a09:11c0:f1:bc0b::2"; + }; + remote = { + asn = 209844; + export_community = 2000; + routers = [{ + v4 = "141.98.136.97"; + v6 = "2a09:11c0:f1:bc0b::1"; + } { + v4 = "141.98.136.126"; + v6 = "2a09:11c0:f1:bc0b::3"; + }]; + }; + }; + kleyrex = { + local = local // { + v4 = "193.189.83.41"; + v6 = "2001:7f8:33::a120:5479:1"; + }; + remote = { + asn = 31142; + export_community = 2001; + routers = [{ + v4 = "193.189.82.251"; + v6 = "2001:7f8:33::a103:1142:1"; + } { + v4 = "193.189.82.252"; + v6 = "2001:7f8:33::a103:1142:2"; + } { + v4 = "193.189.82.253"; + v6 = "2001:7f8:33::a103:1142:3"; + }]; + }; + }; + locix = { + local = local // { + v4 = "185.1.166.219"; + v6 = "2001:7f8:f2:e1::a20:5479:1"; + }; + remote = { + asn = 202409; + export_community = 2002; + routers = [{ + v4 = "185.1.166.100"; + v6 = "2001:7f8:f2:e1::babe:1"; + } { + v4 = "185.1.166.200"; + v6 = "2001:7f8:f2:e1::dead:1"; + } { + v4 = "185.1.166.254"; + v6 = "2001:7f8:f2:e1::be5a"; + }]; + }; + }; + nlix = { + local = local // { + v4 = "193.239.118.225"; + v6 = "2001:7f8:13::a520:5479:1"; + }; + remote = { + asn = 34307; + export_community = 2003; + routers = [{ + v4 = "193.239.116.255"; + v6 = "2001:7f8:13::a503:4307:1"; + } { + enabled = false; + v4 = "193.239.117.0"; + v6 = "2001:7f8:13::a503:4307:2"; + }]; + }; + }; + }; }; }; - boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; - boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; - system.stateVersion = "20.03"; } diff --git a/ops/nixos/lib/bgp.nix b/ops/nixos/lib/bgp.nix new file mode 100644 index 0000000000..032c30c5aa --- /dev/null +++ b/ops/nixos/lib/bgp.nix @@ -0,0 +1,180 @@ +{ lib, config, ... }: +let + generateSnippet = base: args: lib.concatStringsSep "\n" (lib.mapAttrsToList ( ixName: ix: generateSnippetForIX (args // { ixName = ixName; ix = ix; }) ) base ); + generateSnippetForIX = { ixName, ix, ... }@args: '' + ipv4 table ${ixName}4; + ipv6 table ${ixName}6; + protocol pipe ${ixName}pipe_4 { + table ${ixName}4; + peer table master4; + import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community); + export all; + }; + protocol pipe ${ixName}pipe_6 { + table ${ixName}6; + peer table master6; + import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community); + export all; + }; + '' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers; + enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}"; + generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: '' + protocol bgp ${ixName}${toString routerNum}_4 { + ${enabledSnippet router}; + local ${ix.local.v4} as ${toString ix.local.asn}; + neighbor ${router.v4} as ${toString ix.remote.asn}; + ipv4 { + table ${ixName}4; + import all; + export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community); + }; + }; + protocol bgp ${ixName}${toString routerNum}_6 { + ${enabledSnippet router}; + local ${ix.local.v6} as ${toString ix.local.asn}; + neighbor ${router.v6} as ${toString ix.remote.asn}; + ipv6 { + table ${ixName}6; + import all; + export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community); + }; + }; + ''; + + inherit (lib) mkOption mkAfter types; +in { + options.services.lukegbgp = { + enable = mkOption { + type = types.bool; + default = false; + }; + config = mkOption { # lukegbgp.config + type = with types; submodule { + options = { + local = mkOption { # lukegbgp.config.local + type = submodule { + options = { + routerID = mkOption { # lukegbgp.config.local.routerID + type = str; + }; + }; + }; + }; + peering = mkOption { # lukegbgp.config.peering + type = attrsOf (submodule { + options = { + local = mkOption { # lukegbgp.config.peering..local + type = submodule { + options = { + asn = mkOption { # lukegbgp.config.peering..local.asn + type = int; + }; + v4 = mkOption { # lukegbgp.config.peering..local.v4 + type = str; + }; + v6 = mkOption { # lukegbgp.config.peering..local.v6 + type = str; + }; + }; + }; + }; + remote = mkOption { # lukegbgp.config.peering..remote + type = submodule { + options = { + asn = mkOption { # lukegbgp.config.peering..remote.asn + type = int; + }; + export_community = mkOption { # lukegbgp.config.peering..remote.export_community + type = int; + }; + routers = mkOption { # lukegbgp.config.peering..remote.routers + type = listOf (submodule { + options = { + enabled = mkOption { # lukegbgp.config.peering..remote.routers..enabled + type = bool; + default = true; + }; + v4 = mkOption { # lukegbgp.config.peering..remote.routers..v4 + type = str; + }; + v6 = mkOption { # lukegbgp.config.peering..remote.routers..v6 + type = str; + }; + }; + }); + }; + }; + }; + }; + }; + }); + }; + }; + }; + }; + }; + + config = { + services.bird2 = lib.mkIf config.services.lukegbgp.enable { + enable = true; + config = '' + router id ${config.services.lukegbgp.config.local.routerID}; + + ${generateSnippet config.services.lukegbgp.config.peering {}} + + protocol kernel { + persist; + ipv4 { + import none; + export all; + }; + }; + protocol kernel { + persist; + ipv6 { + import none; + export all; + }; + }; + protocol device { + }; + + protocol static export4 { + ipv4 { + import filter { + bgp_ext_community.add((ro, 205479, 1000)); + bgp_ext_community.add((ro, 205479, 2000)); + bgp_ext_community.add((ro, 205479, 2001)); + bgp_ext_community.add((ro, 205479, 2002)); + bgp_ext_community.add((ro, 205479, 2003)); + accept; + }; + }; + route 92.118.31.0/24 blackhole; + }; + protocol static export6 { + ipv6 { + import filter { + bgp_ext_community.add((ro, 205479, 1000)); + bgp_ext_community.add((ro, 205479, 2000)); + bgp_ext_community.add((ro, 205479, 2001)); + bgp_ext_community.add((ro, 205479, 2002)); + bgp_ext_community.add((ro, 205479, 2003)); + accept; + }; + }; + route 2a09:a440::/48 blackhole; + }; + ''; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf config.services.lukegbgp.enable (lib.mkAfter [ 179 ]); + + boot.kernel.sysctl = { + "net.ipv6.conf.default.accept_ra" = 0; + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv6.conf.default.autoconf" = 0; + "net.ipv6.conf.all.autoconf" = 0; + }; + }; +} diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix new file mode 100644 index 0000000000..3a60cc4a24 --- /dev/null +++ b/ops/nixos/lib/common.nix @@ -0,0 +1,44 @@ +{ pkgs, depot, lib, rebuilder, ... }: +let +inherit (lib) mkDefault; +in +{ + hardware.enableRedistributableFirmware = true; + + nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; + + i18n.defaultLocale = "en_GB.UTF-8"; + console.keyMap = "us"; + + time.timeZone = mkDefault "Etc/UTC"; + + environment.systemPackages = with pkgs; [ + vim mercurial rxvt_unicode.terminfo rebuilder + ]; + + networking.firewall = { + allowPing = true; + }; + + nixpkgs.config = { allowUnfree = true; }; + + users.mutableUsers = false; + users.users = let secrets = depot.ops.secrets; in { + root.hashedPassword = secrets.passwordHashes.root; + lukegb = { + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" ]; + hashedPassword = secrets.passwordHashes.lukegb; + }; + }; + + programs.mtr.enable = true; + services.openssh.enable = true; + + boot = { + kernelModules = [ "tcp_bbr" ]; + kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; + kernel.sysctl."net.core.default_qdisc" = "fq_codel"; + }; +} diff --git a/ops/nixos/lib/zfs.nix b/ops/nixos/lib/zfs.nix new file mode 100644 index 0000000000..78708bf2fa --- /dev/null +++ b/ops/nixos/lib/zfs.nix @@ -0,0 +1,32 @@ +{ lib, config, ... }: +let + inherit (lib) mkOption types mkAfter mkIf; + robCfg = config.services.zfs.rollbackOnBoot; +in +{ + options.services.zfs.rollbackOnBoot = { + enable = mkOption { + type = types.bool; + default = false; + }; + snapshot = mkOption { + type = types.str; + default = "zpool/local/root@blank"; + }; + }; + + config = { + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.devNodes = "/dev/disk/by-partuuid"; + services.zfs.autoScrub.enable = true; + services.zfs.autoSnapshot = { + enable = true; + monthly = 1; + }; + + boot.initrd.postDeviceCommands = mkIf robCfg.enable + mkAfter '' + zfs rollback -r ${robCfg.snapshot} + ''; + }; +} diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix index fa0ef93098..442514f334 100644 --- a/ops/nixos/marukuru/default.nix +++ b/ops/nixos/marukuru/default.nix @@ -1,5 +1,4 @@ -{ depot, lib, pkgs, rebuilder, ... }: -{ config, ... }: +{ depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]); @@ -54,23 +53,12 @@ in { ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0" ''; - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console.keyMap = "us"; - - # Set your time zone. - time.timeZone = "Etc/UTC"; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim - mercurial gitAndTools.gitFull nodejs - rxvt_unicode.terminfo python37Packages.pygments - rebuilder myPhp ]; environment.etc."php.d/cache.ini".text = '' diff --git a/ops/nixos/porcorosso/default.nix b/ops/nixos/porcorosso/default.nix index e76e2ed900..fd08f5a6db 100644 --- a/ops/nixos/porcorosso/default.nix +++ b/ops/nixos/porcorosso/default.nix @@ -1,5 +1,4 @@ -{ depot, lib, pkgs, rebuilder, ... }: -{ config, ... }: +{ depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; nvidia-offload-profile = '' @@ -13,6 +12,10 @@ let exec -a "$0" "$@" ''); in { + imports = [ + ../lib/zfs.nix + ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" @@ -22,7 +25,7 @@ in { "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" "tcp_bbr" ]; + boot.kernelModules = [ "kvm-intel" ]; fileSystems = let zfs = device: { @@ -48,27 +51,12 @@ in { powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.enableRedistributableFirmware = true; - nixpkgs.config = { allowUnfree = true; }; - - nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; - # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # Nuke everything on boot. - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r zpool/local/root@blank - ''; - - # Enable ZFS. - boot.supportedFilesystems = [ "zfs" ]; - boot.zfs.devNodes = "/dev/disk/by-partuuid"; - services.zfs.autoScrub.enable = true; - services.zfs.autoSnapshot = { - enable = true; - monthly = 1; - }; + # ZFS! + services.zfs.rollbackOnBoot.enable = true; # Enable HyperV guesting virtualisation.hypervGuest.enable = true; @@ -88,21 +76,12 @@ in { networking.interfaces.eno1.useDHCP = false; networking.networkmanager.enable = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console.keyMap = "us"; - # Set your time zone. time.timeZone = "Europe/London"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim pciutils nvidia-offload (steam.override { extraProfile = nvidia-offload-profile; }) @@ -135,14 +114,8 @@ in { # Enable the OpenSSH daemon. services.openssh.enable = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - # Enable CUPS to print documents. - # services.printing.enable = true; + services.printing.enable = true; # Enable sound. sound.enable = true; @@ -156,47 +129,23 @@ in { services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.displayManager.gdm = { enable = true; - wayland = true; }; - programs.sway = { - enable = true; - extraPackages = with pkgs; [ - swaylock # lockscreen - swayidle - xwayland # for legacy apps - waybar # status bar - mako # notification daemon - kanshi # autorandr - ]; - }; - programs.waybar.enable = true; - hardware.opengl.driSupport32Bit = true; hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ]; hardware.pulseaudio.support32Bit = true; # Define a user account. - users.mutableUsers = false; - users.users = { - root.hashedPassword = secrets.passwordHashes.root; - lukegb = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" "networkmanager" ]; - hashedPassword = secrets.passwordHashes.root; - packages = [ - (pkgs.writeScriptBin "javaws" '' - #!/bin/sh - exec ${depot.nix.pkgs.javaws-env}/bin/javaws-env "$@" - '') - ]; - }; + users.users.lukegb = { + extraGroups = [ "wheel" "networkmanager" ]; + packages = [ + (pkgs.writeScriptBin "javaws" '' + #!/bin/sh + exec ${depot.nix.pkgs.javaws-env}/bin/javaws-env "$@" + '') + ]; }; - boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; - boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; - # Things to persist. services.openssh.hostKeys = [ { diff --git a/third_party/default.nix b/third_party/default.nix index 0ee5a3edea..574778478e 100644 --- a/third_party/default.nix +++ b/third_party/default.nix @@ -3,4 +3,5 @@ { nixpkgs = import ./nixpkgs { config.allowUnfree = true; }; nixos = import ./nixpkgs/nixos; + nixeval = import ./nixpkgs/nixos/lib/eval-config.nix; }