From 62dd3fdc3cda84b0eab6e59672ca97db2806e3b7 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 2 Jul 2020 19:19:08 +0100
Subject: feat(nixos/whitby): Hello, World!

This adds NixOS configuration for the machine whitby.tvl.fyi. No interesting services are configured yet, so this configuration is quite plain.

Change-Id: I67b7c75ebd6e298719b52e6b3bd83cc3be3c45d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/843
Tested-by: BuildkiteCI
Reviewed-by: BuildkiteCI
Reviewed-by: isomer
Reviewed-by: lukegb
---
 ci-builds.nix | 1 +
 ops/nixos/default.nix | 13 ++++
 ops/nixos/whitby/default.nix | 148 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 162 insertions(+)
 create mode 100644 ops/nixos/default.nix
 create mode 100644 ops/nixos/whitby/default.nix

diff --git a/ci-builds.nix b/ci-builds.nix
index 6358688769..7038de51a8 100644
--- a/ci-builds.nix
+++ b/ci-builds.nix
@@ -57,6 +57,7 @@ in lib.fix (self: {
 journaldriver
 kontemplate
 mq_cli
+ nixos.whitby
 ];
 
 third_party = with depot.third_party; [
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
new file mode 100644
index 0000000000..a0d7630d00
--- /dev/null
+++ b/ops/nixos/default.nix
@@ -0,0 +1,13 @@
+# Most of the Nix expressions in this folder are NixOS modules, which
+# are not readTree compatible.
+#
+# Some things (such as system configurations) are, and we import them
+# here manually.
+#
+# TODO(tazjin): Find a more elegant solution for the whole module
+# situation.
+{ ... }@args:
+
+{
+ whitby = import ./whitby/default.nix args;
+}
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
new file mode 100644
index 0000000000..8e42d84f24
--- /dev/null
+++ b/ops/nixos/whitby/default.nix
@@ -0,0 +1,148 @@
+{ depot, lib, ... }:
+
+let
+ nixpkgs = import depot.third_party.nixpkgsSrc {};
+
+ systemForConfig = configuration: (depot.third_party.nixos {
+ inherit configuration;
+ }).system;
+in systemForConfig {
+ inherit depot;
+ imports = [
+ "${depot.depotPath}/ops/nixos/depot.nix"
+ ];
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.amd.updateMicrocode = true;
+ };
+
+ boot = {
+ tmpOnTmpfs = true;
+ kernelModules = [ "kvm-amd" ];
+ supportedFilesystems = [ "zfs" ];
+
+ initrd = {
+ availableKernelModules = [
+ "igb" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sr_mod"
+ ];
+
+ # Enable SSH in the initrd so that we can enter disk encryption
+ # passwords remotely.
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = [
+ depot.users.tazjin.keys.frog
+ ];
+
+ hostKeys = [
+ /etc/secrets/initrd_host_ed25519_key
+ ];
+ };
+
+ # this will launch the zfs password prompt on login and kill the
+ # other prompt
+ postCommands = ''
+ echo "zfs load-key -a && killall zfs" >> /root/.profile
+ '';
+ };
+ };
+
+ loader.grub = {
+ enable = true;
+ version = 2;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "/dev/disk/by-id/nvme-SAMSUNG_MZQLB1T9HAJR-00007_S439NA0N201620";
+ };
+
+ zfs.requestEncryptionCredentials = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/073E-7FBD";
+ fsType = "vfat";
+ };
+
+ "/nix" = {
+ device = "zroot/nix";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "zroot/home";
+ fsType = "zfs";
+ };
+ };
+
+ networking = {
+ # Glass is boring, but Luke doesn't like Wapping - the Prospect of
+ # Whitby, however, is quite a pleasant establishment.
+ hostName = "whitby";
+ hostId = "b38ca543";
+ useDHCP = false;
+
+ firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ interfaces.enp196s0.useDHCP = true;
+ interfaces.enp196s0.ipv6.addresses = [
+ {
+ address = "2a01:04f8:0242:5b21::feed:edef:beef";
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ time.timeZone = "UTC";
+
+ nix = {
+ maxJobs = lib.mkDefault 64;
+ };
+
+ programs.mtr.enable = true;
+ services.openssh.enable = true;
+
+ environment.systemPackages = with nixpkgs; [
+ bb
+ curl
+ emacs-nox
+ git
+ htop
+ nano
+ vim
+ zfs
+ zfstools
+ ];
+
+ users = {
+ users.root.openssh.authorizedKeys.keys = [
+ depot.users.tazjin.keys.frog
+ ];
+
+ users.tazjin = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ openssh.authorizedKeys.keys = [
+ depot.users.tazjin.keys.frog
+ ];
+ };
+
+ # Set up a user & group for git shenanigans
+ groups.git = {};
+ users.git = {
+ group = "git";
+ isNormalUser = false;
+ };
+ };
+
+ system.stateVersion = "20.03";
+}
-- cgit 1.4.1
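Review bot: `services.openssh.enable = true;` leaves sshd's NixOS default of password authentication in place, while both accounts given remote access here (root and tazjin) already carry `depot.users.tazjin.keys.frog` and port 22 is opened in `firewall.allowedTCPPorts`; adding `services.openssh.passwordAuthentication = false;` beside it restricts the exposed daemon to key-based logins. The initrd sshd on port 2222 is configured separately under `boot.initrd.network.ssh` and is not covered by that option; it already uses a dedicated key at `/etc/secrets/initrd_host_ed25519_key` rather than the regular host keys, which is presumably deliberate and worth keeping, given that initrd contents are far less protected than the running system. `users.git` sets neither `isSystemUser` nor a `uid`, so its UID allocation is left to the module defaults; if it is meant as a service account, `isSystemUser = true;` would state that explicitly — confirm the intent.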