monorepo lab stuff, init zen

This commit is contained in:
iofq 2025-12-27 22:26:02 -06:00
parent cfc15bba89
commit 645e09f9dd
54 changed files with 67498 additions and 406 deletions


@ -1,66 +1,7 @@
{
inputs,
pkgs,
host,
lib,
...
}:
{
# Create plugdev group
networking.hostName = host.hostName;
time.timeZone = "America/Chicago";
users = {
groups.plugdev = { };
groups.${host.username} = { };
users.${host.username} = {
isNormalUser = true;
group = "${host.username}";
extraGroups = [
"wheel"
"plugdev"
"video"
"adbusers"
"network"
];
};
};
programs = {
nix-index = {
enableBashIntegration = false;
enableZshIntegration = false;
};
nix-index-database.comma.enable = true;
};
# Enable flakes and unfree packages
nix = {
package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
registry.nixpkgs.flake = inputs.nixpkgs;
settings = {
auto-optimise-store = true;
substituters = [
"https://nix-community.cachix.org"
"https://install.determinate.systems"
"https://nvim-treesitter-main.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
"nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
];
trusted-users = [ host.username ];
experimental-features = [
"nix-command"
"flakes"
];
# lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
};
channel.enable = false;
nixPath = [ "nixpkgs=flake:nixpkgs" ];
gc = {
automatic = true;
dates = "00:00";
options = "--delete-older-than 14d";
};
};
security.sudo-rs.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -16,13 +16,13 @@
passwordFile = config.sops.secrets."b2-immich/password".path;
paths = [
"/srv/immich"
"/rice/immich"
];
timerConfig = {
OnCalendar = "06:00";
};
pruneOpts = [
"--keep-daily 14"
"--keep-daily 31"
"--keep-monthly 6"
"--keep-yearly 1"
];


@ -1,6 +1,6 @@
{
lib,
pkgs,
pkgs-unstable,
config,
...
}:
@ -16,105 +16,57 @@
};
};
};
documentation = {
enable = lib.mkDefault false;
info.enable = lib.mkDefault false;
man.enable = lib.mkDefault false;
nixos.enable = lib.mkDefault false;
};
environment.systemPackages = with pkgs; [
git
vim
docker-compose
tmux
];
system-net.openssh.ports = [2022];
services = {
# zfs.autoScrub.enable = true;
# zfs.autoSnapshot.enable = true;
zfs.autoScrub.enable = true;
zfs.autoSnapshot.enable = true;
fstrim.enable = true;
tailscale.enable = true;
nfs.server = {
enable = true;
exports = ''
/rice 192.168.1.0/24(rw,fsid=0,no_subtree_check) 100.87.58.70(rw,fsid=0,no_subtree_check)
'';
};
k3s = {
enable = true;
role = "server";
extraFlags = toString [
"--disable=traefik"
];
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
};
openssh = {
enable = true;
ports = [ 2022 ];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
"--flannel-iface=tailscale0"
];
};
immich = {
enable = false;
enable = true;
package = pkgs-unstable.immich;
port = 2283;
host = "localhost";
openFirewall = true;
machine-learning.enable = true;
mediaLocation = "/srv/immich";
mediaLocation = "/rice/immich";
accelerationDevices = null;
};
nginx = {
enable = true;
# virtualHosts."img.10110110.xyz" = {
# forceSSL = true;
# useACMEHost = "10110110.xyz";
# locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}";
# proxyWebsockets = true;
# recommendedProxySettings = true;
# extraConfig = ''
# client_max_body_size 50000M;
# proxy_read_timeout 600s;
# proxy_send_timeout 600s;
# send_timeout 600s;
# '';
# };
# };
virtualHosts."fs.10110110.xyz" = {
virtualHosts."img.10110110.xyz" = {
forceSSL = true;
useACMEHost = "10110110.xyz";
root = "/var/www/nginx";
extraConfig = "autoindex on;";
locations."/" = {
proxyPass = "http://localhost:${toString config.services.immich.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 50000M;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
};
};
};
};
@ -122,64 +74,44 @@
kernel.sysctl = {
"vm.swappiness" = 6;
};
tmp.cleanOnBoot = true;
# supportedFilesystems = ["zfs"];
# zfs.forceImportRoot = false;
# zfs.extraPools = ["rice"];
};
networking = {
hostId = "91238132";
hostName = "consensus";
firewall = {
enable = true;
allowedTCPPorts = [
22
80
443
2022
8080
8443
2049 #nfs
8080 #unifi
8443 #unifi
10001
6443
25565
25566
9001
30303
10250
6443 #k8s
25565 #mc
25566 #mc
9001 #eth
30303 #eth
];
allowedUDPPorts = [
9001
30303
];
logRefusedConnections = true;
};
};
zramSwap.enable = false;
swapDevices = [
{
device = "/swapfile";
size = 16 * 1024;
}
];
virtualisation.docker.enable = true;
system-sys = {
zram = false;
swapSize = 16;
};
virtualisation.docker = {
enable = true;
extraOptions = "--dns 1.1.1.1";
};
users.users = {
root = {
openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
];
};
e = {
isNormalUser = true;
extraGroups = [ "wheel" ];
home = "/home/e";
openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
];
};
immich.extraGroups = [ "video" "render" ];
};
security.sudo-rs.wheelNeedsPassword = false;
security.acme = {
acceptTerms = true;
defaults.email = "acme@10110110.xyz";
@ -192,6 +124,11 @@
};
};
};
nix.settings.trusted-users = [ "e" ];
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
];
};
system.stateVersion = "23.11";
}
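Review bot: In the firewall hunk, the k3s API (6443) and kubelet (10250) are opened in the global `allowedTCPPorts` although the cluster is pinned to the tailnet (`--flannel-iface=tailscale0`, and zen joins via `https://consensus:6443`); unless a LAN client outside the tailnet needs the API, which nothing here shows, these belong in `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 6443 10250 ];`. The same list keeps 22 while sshd is moved to 2022 by `system-net.openssh.ports = [2022]`, so 22 is a dead open port, and 2022 itself is already opened by `services.openssh.openFirewall` (default true), so the explicit entry is redundant too. In the immich block, `openFirewall = true` does nothing useful next to `host = "localhost"` and the TLS vhost in front of it, but if `host` is ever widened it would expose port 2283 over plain HTTP beside the nginx proxy — drop it. The NFS export of `/rice` to the whole `192.168.1.0/24` is read-write with default AUTH_SYS, i.e. client-asserted UIDs are the only access control; a comment stating that this is accepted for the home LAN would make the trust boundary explicit.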


@ -12,6 +12,9 @@
"xen_blkfront"
"vmw_pvscsi"
];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
boot.zfs.extraPools = [ "rice" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/mapper/vg-root";


@ -1,6 +1,7 @@
{
inputs,
pkgs,
pkgs-stable,
attrs,
system,
...
@ -11,7 +12,10 @@ let
inputs.sops-nix.nixosModules.sops
inputs.nix-index-database.nixosModules.nix-index
# inputs.determinate.nixosModules.default # https://github.com/serokell/deploy-rs/issues/340
];
] ++ builtins.attrValues
(builtins.mapAttrs
(name: _: ./modules/${name})
(builtins.readDir ./modules));
in
{
t14 = inputs.nixpkgs.lib.nixosSystem {
@ -28,9 +32,10 @@ in
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
];
};
consensus = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs;
consensus = inputs.nixpkgs-stable.lib.nixosSystem {
pkgs = pkgs-stable;
specialArgs = {
pkgs-unstable = pkgs;
inherit inputs system attrs;
host = {
hostName = "consensus";
@ -38,12 +43,24 @@ in
};
};
modules = defaultModules ++ [
inputs.microvm.nixosModules.host
./consensus/configuration.nix
];
};
oracle1 = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs;
zen = inputs.nixpkgs-stable.lib.nixosSystem {
pkgs = pkgs-stable;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "zen";
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./zen/configuration.nix
];
};
oracle1 = inputs.nixpkgs-stable.lib.nixosSystem {
pkgs = pkgs-stable;
specialArgs = {
inherit inputs system attrs;
host = {
@ -51,20 +68,6 @@ in
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./oracle/configuration.nix
./oracle/forgejo.nix
];
};
oracle2 = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "oracle2";
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./oracle/configuration.nix
];
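Review bot: `builtins.readDir ./modules` is mapped straight into the module list with no filter, so any entry in that directory — an editor swap file, a README, a subdirectory — becomes an import and breaks evaluation (or, for a directory, silently imports its `default.nix`). Filter to regular `.nix` files first: `(inputs.nixpkgs.lib.filterAttrs (n: t: t == "regular" && inputs.nixpkgs.lib.hasSuffix ".nix" n) (builtins.readDir ./modules))`. A comment above the expression, e.g. `# every nixos/modules/*.nix is a system-* option module and is enabled by default on all hosts`, would also make clear that the module defaults now apply fleet-wide, which matters for the sudo and openssh defaults those modules carry.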

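--- /dev/null
+++ b/nixos/modules/net.nix
@@ -0,0 +1,105 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-net; in {
+options.system-net = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+dns = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+openssh = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+ports = lib.mkOption {
+type = lib.types.listOf lib.types.int;
+default = [22];
+};
+};
+tailscale = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+nfs = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+config = lib.mkIf cfg.enable {
+services = {
+tailscale.enable = cfg.tailscale;
+resolved = lib.mkIf cfg.dns {
+enable = true;
+fallbackDns = [
+"1.1.1.1"
+"9.9.9.9"
+];
+};
+fail2ban = {
+enable = true;
+maxretry = 5;
+bantime = "1h";
+ignoreIP = [
+"172.16.0.0/12"
+"192.168.0.0/16"
+"10.0.0.0/8"
+"tailc353f.ts.net"
+];
+bantime-increment = {
+enable = true;
+multipliers = "1 2 4 8 16 32 64 128 256";
+maxtime = "24h";
+overalljails = true;
+};
+};
+openssh = {
+enable = cfg.openssh.enable;
+ports = cfg.openssh.ports;
+settings = {
+PasswordAuthentication = false;
+PermitRootLogin = "prohibit-password";
+PermitEmptyPasswords = false;
+PermitTunnel = false;
+UseDns = false;
+KbdInteractiveAuthentication = false;
+X11Forwarding = false;
+MaxAuthTries = 3;
+MaxSessions = 2;
+ClientAliveInterval = 300;
+ClientAliveCountMax = 0;
+TCPKeepAlive = false;
+AllowTcpForwarding = false;
+AllowAgentForwarding = false;
+LogLevel = "VERBOSE";
+};
+hostKeys = [
+{
+path = "/etc/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+];
+};
+};
+systemd = {
+mounts = [{
+type = "nfs";
+mountConfig = {
+Options = "noatime";
+};
+what = "consensus:/rice";
+where = "/mnt/rice";
+}];
+automounts = [{
+wantedBy = [ "multi-user.target" ];
+automountConfig = {
+TimeoutIdleSec = "600";
+};
+where = "/mnt/rice";
+}];
+};
+};
+}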
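Review bot: The `nfs` option is declared (default false) but never read: the `systemd.mounts`/`systemd.automounts` for `consensus:/rice` are unconditional, so every host with `system-net.enable` gets the automount — including consensus mounting itself and the internet-facing oracle1, which has no route to that export. Gate the block with `systemd = lib.mkIf cfg.nfs { ... };` (t14 already sets `system-net.nfs = true`, so nothing else changes). Separately, `ClientAliveCountMax = 0` does not make idle disconnection strict: on OpenSSH 8.2 and later a zero count disables connection termination altogether, so a small value such as `ClientAliveCountMax = 2;` is what the neighbouring `ClientAliveInterval = 300` intends. The `"tailc353f.ts.net"` entry in `fail2ban.ignoreIP` is a tailnet DNS suffix, not a host, and most likely resolves to nothing, so it ignores nothing; if the intent is to exempt tailnet peers, `"100.64.0.0/10"` is the range that covers them.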

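--- /dev/null
+++ b/nixos/modules/nix.nix
@@ -0,0 +1,46 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-nix; in {
+options.system-nix = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+};
+config = lib.mkIf cfg.enable {
+programs = {
+nix-index = {
+enableBashIntegration = false;
+enableZshIntegration = false;
+};
+nix-index-database.comma.enable = true;
+};
+nix = {
+package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
+settings = {
+auto-optimise-store = true;
+substituters = [
+"https://install.determinate.systems"
+"https://nvim-treesitter-main.cachix.org"
+];
+trusted-public-keys = [
+"cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
+"nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
+];
+trusted-users = [ host.username ];
+experimental-features = [
+"nix-command"
+"flakes"
+];
+# lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
+};
+channel.enable = false;
+nixPath = [ "nixpkgs=flake:nixpkgs" ];
+gc = {
+automatic = true;
+dates = "00:00";
+options = "--delete-older-than 14d";
+};
+};
+};
+}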
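Review bot: `substituters`/`trusted-public-keys` now ship `nvim-treesitter-main.cachix.org`, an editor-plugin cache, to every host by default — including the internet-facing oracle1 and both k3s nodes — and each cache/key pair added here is one more party whose signed store paths the daemon on those servers will accept. Since the module is enabled unconditionally and `trusted-users = [ host.username ]` already lets that user pass any substituter at build time, keep this list to what a server actually needs and move the desktop cache into the t14 host config, with a comment such as `# caches trusted fleet-wide: every key here can supply store paths to every host, keep minimal`. The `cache.flakehub.com-3` key name not matching the `install.determinate.systems` URL is fine — Nix matches signatures by key name, not by host — but a one-line comment saying so would spare the next reader the check.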

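--- /dev/null
+++ b/nixos/modules/pkgs.nix
@@ -0,0 +1,17 @@
+{ pkgs, config, lib, ...}:
+let cfg = config.system-pkgs; in {
+options.system-pkgs = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+};
+config = lib.mkIf cfg.enable {
+environment.systemPackages = with pkgs; [
+git
+vim
+tmux
+];
+};
+}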

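--- /dev/null
+++ b/nixos/modules/system.nix
@@ -0,0 +1,78 @@
+{ host, config, lib, ...}:
+let cfg = config.system-sys; in {
+options.system-sys = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+swapSize = lib.mkOption {
+type = lib.types.int;
+default = 4;
+};
+zram = lib.mkOption {
+type = lib.types.bool;
+default = true;
+};
+documentation = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+config = lib.mkIf cfg.enable {
+time.timeZone = "America/Chicago";
+boot.tmp.cleanOnBoot = true;
+zramSwap.enable = cfg.zram;
+security.sudo-rs = {
+enable = true;
+wheelNeedsPassword = false;
+};
+swapDevices = [
+{
+device = "/swapfile";
+size = cfg.swapSize * 1024;
+}
+];
+documentation = lib.mkIf cfg.documentation {
+enable = lib.mkDefault false;
+info.enable = lib.mkDefault false;
+man.enable = lib.mkDefault false;
+nixos.enable = lib.mkDefault false;
+};
+networking = {
+domain = "";
+hostName = host.hostName;
+firewall = {
+enable = true;
+allowedTCPPorts = [
+22
+];
+logRefusedConnections = true;
+};
+};
+users = {
+groups.plugdev = { };
+groups.${host.username} = { };
+users.${host.username} = {
+isNormalUser = true;
+group = "${host.username}";
+home = "/home/e";
+extraGroups = [
+"wheel"
+"plugdev"
+"video"
+"adbusers"
+"network"
+];
+openssh.authorizedKeys.keys = [
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
+];
+};
+};
+users.users.root.openssh.authorizedKeys.keys = [
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+];
+};
+}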
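Review bot: `security.sudo-rs.wheelNeedsPassword = false` becomes the default for all four hosts, so on the internet-facing oracle1 and the cluster nodes any compromise of user `e`'s session — reachable with either listed key, one of them a phone key — is root with no further check; make it an option that defaults to requiring a password and enable the passwordless form only on t14, or at least comment why it is fleet-wide. Two smaller defects in the same block: `home = "/home/e"` is hard-coded while the account is `users.${host.username}`, so `home = "/home/${host.username}";` is what the parameterisation needs, and the `documentation = lib.mkIf cfg.documentation { enable = lib.mkDefault false; … }` block is inverted — the option defaults to false, so by default nothing is set and manuals stay enabled, while setting it to true is what disables them. The rewrite below keeps the option names and fixes both the sudo default and the inversion.
```nix
options.system-sys = {
  # … unchanged: enable, swapSize, zram, documentation …
  sudoNoPassword = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
};
config = lib.mkIf cfg.enable {
  # … unchanged: timeZone, tmp, zram, swapDevices …
  security.sudo-rs = {
    enable = true;
    wheelNeedsPassword = !cfg.sudoNoPassword;
  };
  documentation = {
    enable = lib.mkDefault cfg.documentation;
    info.enable = lib.mkDefault cfg.documentation;
    man.enable = lib.mkDefault cfg.documentation;
    nixos.enable = lib.mkDefault cfg.documentation;
  };
  # … unchanged: networking, users …
};
```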


@ -2,79 +2,23 @@
{
imports = [
./hardware-configuration.nix
./forgejo.nix
];
boot.tmp.cleanOnBoot = true;
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
zramSwap.enable = true;
swapDevices = [
{
device = "/swapfile";
size = 2 * 1024;
}
];
services = {
fail2ban.enable = true;
fail2ban.maxretry = 5;
fail2ban.bantime = "1h";
fail2ban.ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
fail2ban.bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
tailscale.enable = true;
openssh = {
enable = true;
ports = [
22
2022
];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
system-net.openssh.ports = [22 2022];
networking = {
domain = "";
hostId = "81238132";
hostName = host.hostName;
hostId = "00238132";
firewall = {
enable = true;
allowedTCPPorts = [
22
2022
80
443
];
logRefusedConnections = true;
};
};
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
];
system.stateVersion = "23.11";
}
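Review bot: If the `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding = 1` sysctls survive on the new side, they stay on an internet-facing host with nothing in this hunk that needs forwarding; if they exist for a tailscale subnet router or exit node, say so (`# forwarding: tailscale exit node`), otherwise drop them, since routing on a public VM only widens what a compromised service can reach. `system-net.openssh.ports = [22 2022]` together with 22 and 2022 in the firewall keeps two scanner-facing sshd ports where one would do; if 22 is only kept for a transition, a comment with the removal date makes that intent visible. The `hostId` change to `"00238132"` removes the collision with zen's `"81238132"`, which is the right call.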


@ -76,7 +76,7 @@ in
"/var/lib/forgejo"
];
timerConfig = {
OnCalendar = "*-*-* */6:00:00";
OnCalendar = "06:00";
};
pruneOpts = [
"--keep-daily 31"


@ -21,5 +21,4 @@
device = "/dev/sda1";
fsType = "ext4";
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -44,11 +44,8 @@ in
dns = "systemd-resolved";
};
firewall = {
enable = true;
allowedTCPPorts = [ 11111 ];
allowedUDPPorts = [ ];
trustedInterfaces = [ "tailscale0" ];
logRefusedConnections = true;
};
};
@ -86,7 +83,8 @@ in
];
};
};
system-net.nfs = true;
system-sys.zram = false;
hardware = {
graphics = {
enable = true;
@ -100,13 +98,6 @@ in
enableAllFirmware = true;
};
services = {
resolved = {
enable = true;
fallbackDns = [
"1.1.1.1"
];
};
tailscale.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
@ -157,7 +148,6 @@ in
trezord.enable = true;
udisks2.enable = true; # kindle
ollama.enable = true;
};
fonts = {
# Set a sane system-wide default font
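Review bot: With the host-level `networking.firewall` block removed, the defaults of the new modules now apply to the laptop: `system-net.openssh.enable` is true and `system-sys` opens TCP 22 on every interface, so if t14 was not running sshd before (not visible in this hunk) it now accepts key-only SSH on every network it joins, and `trustedInterfaces = [ "tailscale0" ]` plus port 11111 are gone without a word about whether anything relied on them. For a laptop, `system-net.openssh.enable = false;` or, if tailnet SSH is wanted, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` next to the new `system-net.nfs = true;` line makes the choice explicit. A short comment on what 11111 and the trusted interface were for would also tell the next reader whether their removal was deliberate.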


@ -15,6 +15,7 @@
initrd.kernelModules = ["amdgpu"];
kernelModules = ["kvm-amd"];
extraModulePackages = [];
supportedFilesystems = [ "nfs" "btrfs" ];
tmp = {
useTmpfs = true;
};


@ -0,0 +1,54 @@
{ host, config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
sops.secrets = {
"password" = {
sopsFile = ../../secrets/k8s.yaml;
};
forgejo-runner = {
sopsFile = ../../secrets/forgejo-runner.yaml;
};
};
system-sys.zram = false;
networking = {
hostId = "81238132";
firewall = {
allowedTCPPorts = [
22
10250
25565 #mc
25566 #mc
];
};
};
virtualisation.podman.enable = true;
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = host.hostName;
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets.forgejo-runner.path;
labels = [
"ubuntu-latest:docker://node:24-bullseye"
"nix-upstream-latest:docker://nixos/nix:latest"
];
};
};
services.k3s = {
enable = true;
role = "agent";
extraFlags = toString [
"--flannel-iface=tailscale0"
];
tokenFile = config.sops.secrets."password".path;
serverAddr = "https://consensus:6443";
};
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
hardware.enableRedistributableFirmware = true;
hardware.firmware = [ pkgs.linux-firmware ];
system.stateVersion = "23.11";
}
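Review bot: Kubelet port 10250 is opened in the global `allowedTCPPorts` while the node joins the cluster over the tailnet (`--flannel-iface=tailscale0`, `serverAddr = "https://consensus:6443"`); move it to `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 10250 ];` and keep only 22 and the Minecraft ports in the global list. The Forgejo runner on the same node executes workflow jobs from `git.10110110.xyz` in podman containers whose labels pull `node:24-bullseye` and `nixos/nix:latest` by mutable tag, and the k3s join token sits on the same disk at `config.sops.secrets."password".path`; a comment stating which repositories the runner is registered for and whether pull-request workflows from non-members can reach it, plus pinning the images by digest, would bound that exposure. Naming the sops secret `"password"` for a cluster join token also hides what it unlocks — `k3s-token` would read better.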


@ -0,0 +1,14 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/EECE-9ACB"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}