From 3b88611336ad565c2130105411ec152ca20065f5 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 11 Feb 2020 15:41:00 +0000
Subject: feat(ops/nixos): Add initial configuration for host camden

---
 ops/nixos/camden/default.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++
 ops/nixos/default.nix | 7 ++--
 ops/nixos/nugget/default.nix | 6 +--
 3 files changed, 96 insertions(+), 7 deletions(-)
 create mode 100644 ops/nixos/camden/default.nix

(limited to 'ops/nixos')

diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
new file mode 100644
index 0000000000..9a960600db
--- /dev/null
+++ b/ops/nixos/camden/default.nix
@@ -0,0 +1,90 @@
+# This file configures camden.tazj.in, my homeserver.
+
+{ pkgs, lib, ... }:
+
+config: let
+ nixpkgs = import pkgs.third_party.nixpkgsSrc {
+ config.allowUnfree = true;
+ };
+in pkgs.lib.fix(self: {
+ # camden is intended to boot unattended, despite having an encrypted
+ # root partition.
+ #
+ # The below configuration uses an externally connected USB drive
+ # that contains a LUKS key file to unlock the disk automatically at
+ # boot.
+ #
+ # TODO(tazjin): Configure LUKS unlocking via SSH instead.
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
+ "rtsx_usb_sdmmc" "r8169"
+ ];
+
+ kernelModules = [ "dm-snapshot" ];
+
+ luks.devices.camden-crypt = {
+ fallbackToPassword = true;
+ device = "/dev/disk/by-label/camden-crypt";
+ keyFile = "/dev/sdb";
+ keyFileSize = 4096;
+ };
+ };
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ cleanTmpDir = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/camden-root";
+ fsType = "ext4";
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/camden-home";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ };
+ };
+
+
+ # TODO(tazjin): audit these (from generated hardware-config)
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ networking = {
+ hostName = "camden";
+ interfaces.enp1s0.useDHCP = true;
+ firewall.allowedTCPPorts = [ 22 8080 80 443 ];
+ };
+
+ time.timeZone = "UTC";
+
+ # System-wide application setup
+ programs.fish.enable = true;
+ environment.systemPackages = with nixpkgs; [
+ curl emacs26-nox git gnupg pass pciutils
+ ];
+
+ # Services setup
+ services.openssh.enable = true;
+
+ users.users.tazjin = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [ "wheel" ];
+ shell = nixpkgs.fish;
+ };
+
+ system.stateVersion = "19.09";
+})
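Review bot: `keyFile = "/dev/sdb"` selects the LUKS key drive by kernel enumeration order, so at boot the initrd reads 4096 bytes from whichever block device happens to come up second; another USB stick or a reordered internal disk gets probed instead, and `fallbackToPassword = true` then turns the intended unattended boot into a password prompt. A stable udev path pins the key to the actual drive, e.g. `keyFile = "/dev/disk/by-id/<KEY-DRIVE-ID>";` (placeholder id), consistent with the `by-label` paths already used for the partitions in this file. `firewall.allowedTCPPorts = [ 22 8080 80 443 ]` also exposes three ports that no service in this file listens on; opening them alongside the service that needs them keeps the exposed surface equal to what actually runs. With `services.openssh.enable = true` and a `wheel` member, `services.openssh.passwordAuthentication = false;` limits port 22 to key-based logins.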
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index d4aa9705d6..55bc03f90b 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@@ -11,8 +11,6 @@ let
 );
 }).system;
- nuggetSystem = systemFor [ pkgs.ops.nixos.nugget ];
-
 rebuilder = pkgs.third_party.writeShellScriptBin "rebuilder" ''
 set -ue
 if [[ $EUID -ne 0 ]]; then
@@ -35,5 +33,8 @@ let
 $system/bin/switch-to-configuration switch
 '';
 in {
- inherit nuggetSystem rebuilder;
+ inherit rebuilder;
+
+ nuggetSystem = systemFor [ pkgs.ops.nixos.nugget ];
+ camdenSystem = systemFor [ pkgs.ops.nixos.camden ];
 }
diff --git a/ops/nixos/nugget/default.nix b/ops/nixos/nugget/default.nix
index c8ab867fd8..a71fb0b96a 100644
--- a/ops/nixos/nugget/default.nix
+++ b/ops/nixos/nugget/default.nix
@@ -1,10 +1,8 @@
-# This file contains the configuration for my home desktop.
+# This file configures nugget, my home desktop machine.
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 config: let
- inherit (pkgs) lib;
-
 nixpkgs = import pkgs.third_party.nixpkgsSrc {
 config.allowUnfree = true;
 };
-- 
cgit 1.4.1
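Review bot: Switching from `inherit (pkgs) lib;` to a `{ pkgs, lib, ... }` argument changes which library set this file resolves `lib` against: whatever the importer passes rather than `pkgs.lib`. Whether the call site (`systemFor` in ops/nixos/default.nix, outside this hunk) supplies a `lib` argument, and whether it is the same set as `pkgs.lib`, is not visible here; if it is not supplied, evaluation fails with a missing-argument error. The camden file added in this commit takes the same `lib` argument yet still calls `pkgs.lib.fix`, so a short comment stating which `lib` the host modules expect, or using one source consistently, would help the next reader. The `let` body of this file continues past the hunk.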