ops/nixos: rework everything to factor common things out

This commit is contained in:
Luke Granger-Brown 2020-05-08 23:26:21 +01:00
parent f99775ddf2
commit 1e7fcadc97
9 changed files with 386 additions and 179 deletions

View file

@ -1,8 +1,12 @@
{ depot, lib, pkgs, rebuilder, ... }:
{ config, ... }:
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
in {
imports = [
../lib/zfs.nix
../lib/bgp.nix
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
@ -12,24 +16,7 @@ in {
"sd_mod"
"sr_mod"
];
boot.kernelModules = [ "kvm-intel" "tcp_bbr" ];
boot.kernel.sysctl = {
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.autoconf" = 0;
"net.ipv6.conf.all.autoconf" = 0;
};
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/disk/by-partuuid";
services.zfs.autoScrub.enable = true;
services.zfs.autoSnapshot = {
enable = true;
monthly = 1;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r zfast/local/root@blank
'';
boot.kernelModules = [ "kvm-intel" ];
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
@ -52,11 +39,6 @@ in {
};
nix.maxJobs = lib.mkDefault 12;
hardware.enableRedistributableFirmware = true;
nixpkgs.config = { allowUnfree = true; };
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
# Use systemd-boot.
boot.loader.systemd-boot.enable = true;
@ -91,19 +73,10 @@ in {
firewall.allowPing = true;
};
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "us";
# Set your time zone.
time.timeZone = "Etc/UTC";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
mercurial
rxvt_unicode.terminfo
rebuilder
];
@ -113,13 +86,7 @@ in {
# Define a user account.
users.mutableUsers = false;
users.users = {
root.hashedPassword = secrets.passwordHashes.root;
lukegb = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" "content" ];
hashedPassword = secrets.passwordHashes.root;
};
lukegb.extraGroups = [ "wheel" "content" ];
content = {
isSystemUser = true;
extraGroups = [ "content" ];
@ -129,9 +96,6 @@ in {
content = {};
};
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
services.openssh.hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";

View file

@ -1,10 +1,16 @@
{ depot, lib, pkgs, ... }@args:
let
inherit (builtins) foldl' mapAttrs;
systemFor = config:
(depot.third_party.nixos {
configuration = config;
}).system;
baseModule = name: { ... }: {
_module.args = args // {
rebuilder = rebuilder name;
};
};
systemFor = systemName: config:
(depot.third_party.nixeval {
system = builtins.currentSystem;
modules = [ (baseModule systemName) (args: { imports = [ lib/common.nix config ]; }) ];
}).config.system.build.toplevel;
systems = [ "porcorosso" "ixvm-fra01" "marukuru" "clouvider-fra01" ];
rebuilder = system:
pkgs.writeShellScriptBin "rebuilder" ''
@ -18,7 +24,6 @@ let
"$system/bin/switch-to-configuration" switch
'';
systemCfgs = lib.genAttrs systems
(name: import (./. + "/${name}") (args // { rebuilder = rebuilder name; }));
mapAttrValues = (f: set: mapAttrs (name: f) set);
systemDrvs = mapAttrValues (systemCfg: systemFor systemCfg) systemCfgs;
(name: import (./. + "/${name}"));
systemDrvs = mapAttrs systemFor systemCfgs;
in systemDrvs

View file

@ -1,9 +1,8 @@
{ depot, lib, pkgs, rebuilder, ... }:
{ config, ... }:
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
in {
imports = [ ./bird.nix ];
imports = [ ../lib/bgp.nix ];
boot.initrd.availableKernelModules = [
"ata_piix"
@ -11,13 +10,6 @@ in {
"sd_mod"
"sr_mod"
];
boot.kernelModules = [ "tcp_bbr" ];
boot.kernel.sysctl = {
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.autoconf" = 0;
"net.ipv6.conf.all.autoconf" = 0;
};
fileSystems = {
"/" = {
@ -30,11 +22,6 @@ in {
];
nix.maxJobs = lib.mkDefault 2;
hardware.enableRedistributableFirmware = true;
nixpkgs.config = { allowUnfree = true; };
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
# Use GRUB2.
boot.loader.grub.enable = true;
@ -95,43 +82,100 @@ in {
ATTR{address}=="00:50:56:a3:6e:0f", NAME="ens-nlix"
'';
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "us";
# Set your time zone.
time.timeZone = "Etc/UTC";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
mercurial
rxvt_unicode.terminfo
rebuilder
];
programs.mtr.enable = true;
services.openssh.enable = true;
networking.firewall = {
allowPing = true;
};
environment.systemPackages = with pkgs; [];
# Define a user account.
users.mutableUsers = false;
users.users = {
root.hashedPassword = secrets.passwordHashes.root;
lukegb = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" "networkmanager" "bird2" ];
hashedPassword = secrets.passwordHashes.root;
};
lukegb.extraGroups = [ "networkmanager" "bird2" ];
};
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
services.lukegbgp = let local = {
asn = 205479;
}; in {
enable = true;
config = {
local = {
routerID = "141.98.136.124";
};
peering = {
ixvm = {
local = local // {
v4 = "141.98.136.124";
v6 = "2a09:11c0:f1:bc0b::2";
};
remote = {
asn = 209844;
export_community = 2000;
routers = [{
v4 = "141.98.136.97";
v6 = "2a09:11c0:f1:bc0b::1";
} {
v4 = "141.98.136.126";
v6 = "2a09:11c0:f1:bc0b::3";
}];
};
};
kleyrex = {
local = local // {
v4 = "193.189.83.41";
v6 = "2001:7f8:33::a120:5479:1";
};
remote = {
asn = 31142;
export_community = 2001;
routers = [{
v4 = "193.189.82.251";
v6 = "2001:7f8:33::a103:1142:1";
} {
v4 = "193.189.82.252";
v6 = "2001:7f8:33::a103:1142:2";
} {
v4 = "193.189.82.253";
v6 = "2001:7f8:33::a103:1142:3";
}];
};
};
locix = {
local = local // {
v4 = "185.1.166.219";
v6 = "2001:7f8:f2:e1::a20:5479:1";
};
remote = {
asn = 202409;
export_community = 2002;
routers = [{
v4 = "185.1.166.100";
v6 = "2001:7f8:f2:e1::babe:1";
} {
v4 = "185.1.166.200";
v6 = "2001:7f8:f2:e1::dead:1";
} {
v4 = "185.1.166.254";
v6 = "2001:7f8:f2:e1::be5a";
}];
};
};
nlix = {
local = local // {
v4 = "193.239.118.225";
v6 = "2001:7f8:13::a520:5479:1";
};
remote = {
asn = 34307;
export_community = 2003;
routers = [{
v4 = "193.239.116.255";
v6 = "2001:7f8:13::a503:4307:1";
} {
enabled = false;
v4 = "193.239.117.0";
v6 = "2001:7f8:13::a503:4307:2";
}];
};
};
};
};
};
system.stateVersion = "20.03";
}

180
ops/nixos/lib/bgp.nix Normal file
View file

@ -0,0 +1,180 @@
{ lib, config, ... }:
let
generateSnippet = base: args: lib.concatStringsSep "\n" (lib.mapAttrsToList ( ixName: ix: generateSnippetForIX (args // { ixName = ixName; ix = ix; }) ) base );
generateSnippetForIX = { ixName, ix, ... }@args: ''
ipv4 table ${ixName}4;
ipv6 table ${ixName}6;
protocol pipe ${ixName}pipe_4 {
table ${ixName}4;
peer table master4;
import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
export all;
};
protocol pipe ${ixName}pipe_6 {
table ${ixName}6;
peer table master6;
import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
export all;
};
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
protocol bgp ${ixName}${toString routerNum}_4 {
${enabledSnippet router};
local ${ix.local.v4} as ${toString ix.local.asn};
neighbor ${router.v4} as ${toString ix.remote.asn};
ipv4 {
table ${ixName}4;
import all;
export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
};
};
protocol bgp ${ixName}${toString routerNum}_6 {
${enabledSnippet router};
local ${ix.local.v6} as ${toString ix.local.asn};
neighbor ${router.v6} as ${toString ix.remote.asn};
ipv6 {
table ${ixName}6;
import all;
export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
};
};
'';
inherit (lib) mkOption mkAfter types;
in {
options.services.lukegbgp = {
enable = mkOption {
type = types.bool;
default = false;
};
config = mkOption { # lukegbgp.config
type = with types; submodule {
options = {
local = mkOption { # lukegbgp.config.local
type = submodule {
options = {
routerID = mkOption { # lukegbgp.config.local.routerID
type = str;
};
};
};
};
peering = mkOption { # lukegbgp.config.peering
type = attrsOf (submodule {
options = {
local = mkOption { # lukegbgp.config.peering.<foo>.local
type = submodule {
options = {
asn = mkOption { # lukegbgp.config.peering.<foo>.local.asn
type = int;
};
v4 = mkOption { # lukegbgp.config.peering.<foo>.local.v4
type = str;
};
v6 = mkOption { # lukegbgp.config.peering.<foo>.local.v6
type = str;
};
};
};
};
remote = mkOption { # lukegbgp.config.peering.<foo>.remote
type = submodule {
options = {
asn = mkOption { # lukegbgp.config.peering.<foo>.remote.asn
type = int;
};
export_community = mkOption { # lukegbgp.config.peering.<foo>.remote.export_community
type = int;
};
routers = mkOption { # lukegbgp.config.peering.<foo>.remote.routers
type = listOf (submodule {
options = {
enabled = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.enabled
type = bool;
default = true;
};
v4 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v4
type = str;
};
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
type = str;
};
};
});
};
};
};
};
};
});
};
};
};
};
};
config = {
services.bird2 = lib.mkIf config.services.lukegbgp.enable {
enable = true;
config = ''
router id ${config.services.lukegbgp.config.local.routerID};
${generateSnippet config.services.lukegbgp.config.peering {}}
protocol kernel {
persist;
ipv4 {
import none;
export all;
};
};
protocol kernel {
persist;
ipv6 {
import none;
export all;
};
};
protocol device {
};
protocol static export4 {
ipv4 {
import filter {
bgp_ext_community.add((ro, 205479, 1000));
bgp_ext_community.add((ro, 205479, 2000));
bgp_ext_community.add((ro, 205479, 2001));
bgp_ext_community.add((ro, 205479, 2002));
bgp_ext_community.add((ro, 205479, 2003));
accept;
};
};
route 92.118.31.0/24 blackhole;
};
protocol static export6 {
ipv6 {
import filter {
bgp_ext_community.add((ro, 205479, 1000));
bgp_ext_community.add((ro, 205479, 2000));
bgp_ext_community.add((ro, 205479, 2001));
bgp_ext_community.add((ro, 205479, 2002));
bgp_ext_community.add((ro, 205479, 2003));
accept;
};
};
route 2a09:a440::/48 blackhole;
};
'';
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.lukegbgp.enable (lib.mkAfter [ 179 ]);
boot.kernel.sysctl = {
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.autoconf" = 0;
"net.ipv6.conf.all.autoconf" = 0;
};
};
}

44
ops/nixos/lib/common.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, depot, lib, rebuilder, ... }:
let
inherit (lib) mkDefault;
in
{
hardware.enableRedistributableFirmware = true;
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "us";
time.timeZone = mkDefault "Etc/UTC";
environment.systemPackages = with pkgs; [
vim mercurial rxvt_unicode.terminfo rebuilder
];
networking.firewall = {
allowPing = true;
};
nixpkgs.config = { allowUnfree = true; };
users.mutableUsers = false;
users.users = let secrets = depot.ops.secrets; in {
root.hashedPassword = secrets.passwordHashes.root;
lukegb = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" ];
hashedPassword = secrets.passwordHashes.lukegb;
};
};
programs.mtr.enable = true;
services.openssh.enable = true;
boot = {
kernelModules = [ "tcp_bbr" ];
kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
kernel.sysctl."net.core.default_qdisc" = "fq_codel";
};
}

32
ops/nixos/lib/zfs.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib, config, ... }:
let
inherit (lib) mkOption types mkAfter mkIf;
robCfg = config.services.zfs.rollbackOnBoot;
in
{
options.services.zfs.rollbackOnBoot = {
enable = mkOption {
type = types.bool;
default = false;
};
snapshot = mkOption {
type = types.str;
default = "zpool/local/root@blank";
};
};
config = {
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/disk/by-partuuid";
services.zfs.autoScrub.enable = true;
services.zfs.autoSnapshot = {
enable = true;
monthly = 1;
};
boot.initrd.postDeviceCommands = mkIf robCfg.enable
mkAfter ''
zfs rollback -r ${robCfg.snapshot}
'';
};
}

View file

@ -1,5 +1,4 @@
{ depot, lib, pkgs, rebuilder, ... }:
{ config, ... }:
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]);
@ -54,23 +53,12 @@ in {
ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0"
'';
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "us";
# Set your time zone.
time.timeZone = "Etc/UTC";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
mercurial
gitAndTools.gitFull
nodejs
rxvt_unicode.terminfo
python37Packages.pygments
rebuilder
myPhp
];
environment.etc."php.d/cache.ini".text = ''

View file

@ -1,5 +1,4 @@
{ depot, lib, pkgs, rebuilder, ... }:
{ config, ... }:
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
nvidia-offload-profile = ''
@ -13,6 +12,10 @@ let
exec -a "$0" "$@"
'');
in {
imports = [
../lib/zfs.nix
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
@ -22,7 +25,7 @@ in {
"sd_mod"
"rtsx_pci_sdmmc"
];
boot.kernelModules = [ "kvm-intel" "tcp_bbr" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems = let
zfs = device: {
@ -48,27 +51,12 @@ in {
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.enableRedistributableFirmware = true;
nixpkgs.config = { allowUnfree = true; };
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Nuke everything on boot.
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r zpool/local/root@blank
'';
# Enable ZFS.
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/disk/by-partuuid";
services.zfs.autoScrub.enable = true;
services.zfs.autoSnapshot = {
enable = true;
monthly = 1;
};
# ZFS!
services.zfs.rollbackOnBoot.enable = true;
# Enable HyperV guesting
virtualisation.hypervGuest.enable = true;
@ -88,21 +76,12 @@ in {
networking.interfaces.eno1.useDHCP = false;
networking.networkmanager.enable = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "us";
# Set your time zone.
time.timeZone = "Europe/London";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
pciutils
nvidia-offload
(steam.override { extraProfile = nvidia-offload-profile; })
@ -135,14 +114,8 @@ in {
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
services.printing.enable = true;
# Enable sound.
sound.enable = true;
@ -156,35 +129,15 @@ in {
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.displayManager.gdm = {
enable = true;
wayland = true;
};
programs.sway = {
enable = true;
extraPackages = with pkgs; [
swaylock # lockscreen
swayidle
xwayland # for legacy apps
waybar # status bar
mako # notification daemon
kanshi # autorandr
];
};
programs.waybar.enable = true;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
hardware.pulseaudio.support32Bit = true;
# Define a user account.
users.mutableUsers = false;
users.users = {
root.hashedPassword = secrets.passwordHashes.root;
lukegb = {
isNormalUser = true;
uid = 1000;
users.users.lukegb = {
extraGroups = [ "wheel" "networkmanager" ];
hashedPassword = secrets.passwordHashes.root;
packages = [
(pkgs.writeScriptBin "javaws" ''
#!/bin/sh
@ -192,10 +145,6 @@ in {
'')
];
};
};
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
# Things to persist.
services.openssh.hostKeys = [

View file

@ -3,4 +3,5 @@
{
nixpkgs = import ./nixpkgs { config.allowUnfree = true; };
nixos = import ./nixpkgs/nixos;
nixeval = import ./nixpkgs/nixos/lib/eval-config.nix;
}