author | Vincent Ambo <mail@tazj.in> | 2025-01-11T19·23+0300 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2025-01-12T21·50+0000 |
commit | 70282aa41223920fc53e07cb39d55d9ea90e8c4f (patch) | |
tree | 9e0e4bc8a9c8c612f1f9fdccd1130f5c9bd42113 /ops/machines | |
parent | dacbde58ea97891a32ce4d874aba0fc09328c1d5 (diff) |
feat(ops/machines): add NixOS configuration for nevsky r/9082
This is just a carbon-copy of other machine configurations for now. The plan is to switch this over to sixos, but I have to get a sane NixOS setup first because this still requires a lot of experimentation (and stuff to be built *on* this machine, since it's the fastest one we have). Change-Id: I2e55e63ed5192eb748855999bb87d43498e706fc Reviewed-on: https://cl.tvl.fyi/c/depot/+/12971 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
Diffstat (limited to 'ops/machines')
-rw-r--r-- | ops/machines/nevsky/default.nix | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/ops/machines/nevsky/default.nix b/ops/machines/nevsky/default.nix
new file mode 100644
index 000000000000..2f3a0f7ae246
--- /dev/null
+++ b/ops/machines/nevsky/default.nix
@@ -0,0 +1,160 @@
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+ imports = [
+ (mod "tvl-users.nix")
+ ];
+
+ hardware.cpu.amd.updateMicrocode = true;
+ hardware.enableRedistributableFirmware = true;
+
+ boot = {
+ tmp.useTmpfs = true;
+ kernelModules = [ "kvm-amd" ];
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = [
+ "ip=188.225.81.75::188.225.81.1:255.255.255.0:nevsky:enp1s0f0np0:none"
+ ];
+
+ initrd = {
+ availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "ice" ];
+
+ # initrd SSH for disk unlocking
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys =
+ depot.users.tazjin.keys.all
+ ++ depot.users.lukegb.keys.all
+ ++ depot.users.sterni.keys.all;
+
+ hostKeys = [
+ /etc/secrets/initrd_host_ed25519_key
+ ];
+ };
+
+ # this will launch the zfs password prompt on login and kill the
+ # other prompt
+ postCommands = ''
+ echo "zfs load-key -a && killall zfs" >> /root/.profile
+ '';
+ };
+ };
+
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ zfs.requestEncryptionCredentials = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "tank/root";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/CCB4-8821";
+ fsType = "vfat";
+ };
+
+ "/nix" = {
+ device = "tank/nix";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "tank/home";
+ fsType = "zfs";
+ };
+
+ "/depot" = {
+ device = "tank/depot";
+ fsType = "zfs";
+ };
+ };
+
+ networking = {
+ hostName = "nevsky";
+ domain = "tvl.fyi";
+ hostId = "0117d088";
+ useDHCP = false;
+
+ interfaces.enp1s0f0np0.ipv4.addresses = [{
+ address = "188.225.81.75";
+ prefixLength = 24;
+ }];
+
+ defaultGateway = "188.225.81.1";
+
+ interfaces.enp1s0f0np0.ipv6.addresses = [{
+ address = "2a03:6f00:2:514b:0:feed:edef:beef";
+ prefixLength = 64;
+ }];
+
+ defaultGateway6 = {
+ address = "2a03:6f00:2:514b::1";
+ interface = "enp1s0f0np0";
+ };
+
+ nameservers = [
+ "8.8.8.8"
+ "8.8.4.4"
+ ];
+
+ firewall.allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ # Generate an immutable /etc/resolv.conf from the nameserver settings
+ # above (otherwise DHCP overwrites it):
+ environment.etc."resolv.conf" = with lib; {
+ source = pkgs.writeText "resolv.conf" ''
+ ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+ options edns0
+ '';
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ programs.mtr.enable = true;
+ programs.mosh.enable = true;
+
+ time.timeZone = "UTC";
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ services.fwupd.enable = true;
+
+ # Join TVL Tailscale network at net.tvl.fyi
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ security.sudo.extraRules = [
+ {
+ groups = [ "wheel" ];
+ commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+ }
+ ];
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "24.11";
+} |
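Review bot: `firewall.allowedTCPPorts = [ 22 80 443 ];` opens 80 and 443 on a public address although nothing in this module listens on them; ports should be opened by the service that needs them, so `firewall.allowedTCPPorts = [ 22 ];` until a web frontend lands on nevsky. The `security.sudo.extraRules` entry gives every wheel member passwordless root, which makes any single compromised key from `tvl-users.nix` a full root compromise of the fastest builder in the fleet — presumably the depot-wide convention, but a one-line comment on the rule saying so (and why it is acceptable here) would stop the next carbon-copy from inheriting it unexamined. `useRoutingFeatures = "both"` also enables IP forwarding per the NixOS tailscale module; if nevsky is not meant to act as a subnet router or exit node, `useRoutingFeatures = "client";` avoids turning a public-facing build host into a router. Separately, the comment above `environment.etc."resolv.conf"` says DHCP would otherwise overwrite the file, but `useDHCP = false` a few lines up, so the rationale is stale and should name what the immutable file actually guards against (e.g. resolvconf/NetworkManager rewrites) or be dropped.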