author | Vincent Ambo <tazjin@google.com> | 2020-02-11T15·41+0000 |
---|---|---|
committer | Vincent Ambo <tazjin@google.com> | 2020-02-11T15·41+0000 |
commit | 3b88611336ad565c2130105411ec152ca20065f5 (patch) | |
tree | ed58e284f2752ab60380b8cd7d06a67466ab3d93 | |
parent | a8792f8372b7bad98af04f2cd1fa204429ad8bd7 (diff) |
feat(ops/nixos): Add initial configuration for host camden r/534
-rw-r--r-- | ops/nixos/camden/default.nix | 90 | ||||
-rw-r--r-- | ops/nixos/default.nix | 7 | ||||
-rw-r--r-- | ops/nixos/nugget/default.nix | 6 |
3 files changed, 96 insertions, 7 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
new file mode 100644
index 000000000000..9a960600db4d
--- /dev/null
+++ b/ops/nixos/camden/default.nix
@@ -0,0 +1,90 @@
+# This file configures camden.tazj.in, my homeserver.
+
+{ pkgs, lib, ... }:
+
+config: let
+nixpkgs = import pkgs.third_party.nixpkgsSrc {
+config.allowUnfree = true;
+};
+in pkgs.lib.fix(self: {
+# camden is intended to boot unattended, despite having an encrypted
+# root partition.
+#
+# The below configuration uses an externally connected USB drive
+# that contains a LUKS key file to unlock the disk automatically at
+# boot.
+#
+# TODO(tazjin): Configure LUKS unlocking via SSH instead.
+boot = {
+initrd = {
+availableKernelModules = [
+"ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
+"rtsx_usb_sdmmc" "r8169"
+];
+
+kernelModules = [ "dm-snapshot" ];
+
+luks.devices.camden-crypt = {
+fallbackToPassword = true;
+device = "/dev/disk/by-label/camden-crypt";
+keyFile = "/dev/sdb";
+keyFileSize = 4096;
+};
+};
+
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+
+cleanTmpDir = true;
+};
+
+fileSystems = {
+"/" = {
+device = "/dev/disk/by-label/camden-root";
+fsType = "ext4";
+};
+
+"/home" = {
+device = "/dev/disk/by-label/camden-home";
+fsType = "ext4";
+};
+
+"/boot" = {
+device = "/dev/disk/by-label/BOOT";
+fsType = "vfat";
+};
+};
+
+
+# TODO(tazjin): audit these (from generated hardware-config)
+nix.maxJobs = lib.mkDefault 4;
+powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+networking = {
+hostName = "camden";
+interfaces.enp1s0.useDHCP = true;
+firewall.allowedTCPPorts = [ 22 8080 80 443 ];
+};
+
+time.timeZone = "UTC";
+
+# System-wide application setup
+programs.fish.enable = true;
+environment.systemPackages = with nixpkgs; [
+curl emacs26-nox git gnupg pass pciutils
+];
+
+# Services setup
+services.openssh.enable = true;
+
+users.users.tazjin = {
+isNormalUser = true;
+uid = 1000;
+extraGroups = [ "wheel" ];
+shell = nixpkgs.fish;
+};
+
+system.stateVersion = "19.09";
+})
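Review bot: The LUKS key at `keyFile = "/dev/sdb"` is addressed by kernel enumeration order, so whichever disk happens to enumerate second at boot has its first `keyFileSize = 4096` bytes tried as the key; a stable `/dev/disk/by-id/` or `/dev/disk/by-uuid/` path for the key drive would make this deterministic, and a comment stating which physical device is expected there would help the next reader. Since the key drive is presumably left plugged in to allow unattended boots, anyone who takes the machine together with the drive gets the root partition in the clear, which is worth saying explicitly in the comment block above `boot =` next to the existing TODO about SSH unlocking. Separately, `services.openssh.enable = true` exposes port 22 while the `tazjin` user declares no `openssh.authorizedKeys.keys` and, as far as I can tell from the NixOS 19.09 defaults, password authentication is left enabled; `services.openssh.passwordAuthentication = false;` together with a declared key would close that. The firewall also admits 8080, 80 and 443 although this configuration defines no service listening on them; a comment naming the intended service, or dropping those ports until it exists, would keep the open-port list honest.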
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix index d4aa9705d6a7..55bc03f90bdf 100644 --- a/ops/nixos/default.nix +++ b/ops/nixos/default.nix @@ -11,8 +11,6 @@ let ); }).system; - nuggetSystem = systemFor [ pkgs.ops.nixos.nugget ]; - rebuilder = pkgs.third_party.writeShellScriptBin "rebuilder" '' set -ue if [[ $EUID -ne 0 ]]; then @@ -35,5 +33,8 @@ let $system/bin/switch-to-configuration switch ''; in { - inherit nuggetSystem rebuilder; + inherit rebuilder; + + nuggetSystem = systemFor [ pkgs.ops.nixos.nugget ]; + camdenSystem = systemFor [ pkgs.ops.nixos.camden ]; } diff --git a/ops/nixos/nugget/default.nix b/ops/nixos/nugget/default.nix index c8ab867fd899..a71fb0b96aaf 100644 --- a/ops/nixos/nugget/default.nix +++ b/ops/nixos/nugget/default.nix @@ -1,10 +1,8 @@ -# This file contains the configuration for my home desktop. +# This file configures nugget, my home desktop machine. -{ pkgs, ... }: +{ pkgs, lib, ... }: config: let - inherit (pkgs) lib; - nixpkgs = import pkgs.third_party.nixpkgsSrc { config.allowUnfree = true; }; |