diff --git a/flake.nix b/flake.nix index cb622a5..a6b1177 100644 --- a/flake.nix +++ b/flake.nix @@ -160,7 +160,7 @@ { "durincore" = mkNixosConfig { # T470 Thinkpad Intel i7-6600U - # Nix dev laptop + # Backup Nix dev laptop hostname = "durincore"; system = "x86_64-linux"; hardwareModules = [ @@ -259,6 +259,23 @@ { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; } ]; }; + + "shadowfax" = mkNixosConfig { + # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores + # Workloads server + hostname = "shadowfax"; + system = "x86_64-linux"; + hardwareModules = [ + lix-module.nixosModules.default + ./nixos/profiles/hw-threadripperpro.nix + ]; + profileModules = [ + vscode-server.nixosModules.default + ./nixos/profiles/role-dev.nix + ./nixos/profiles/role-server.nix + { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; } + ]; + }; }; # Convenience output that aggregates the outputs for home, nixos. diff --git a/nixos/hosts/shadowfax/default.nix b/nixos/hosts/shadowfax/default.nix new file mode 100644 index 0000000..362b70d --- /dev/null +++ b/nixos/hosts/shadowfax/default.nix 
@@ -0,0 +1,156 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, inputs, ... }:
+{
+ imports =
+ [
+ inputs.disko.nixosModules.disko
+ (import ../../profiles/disko-nixos.nix { disks = [ "/dev/nvme4n1" ]; })
+ ];
+
+ boot = {
+ initrd = {
+ kernelModules = [ "nfs" ];
+ supportedFilesystems = [ "nfs" ];
+ };
+
+ kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+ extraModulePackages = [ ];
+ kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
+ ];
+
+ # VSCode Compatibility Settings
+ programs.nix-ld.enable = true;
+ services.vscode-server = {
+ enable = true;
+ };
+
+ # Home Manager
+ home-manager.users.jahanson = {
+ # Git settings
+ # TODO: Move to config module.
+ programs.git = {
+ enable = true;
+ userName = "Joseph Hanson";
+ userEmail = "joe@veri.dev";
+
+ extraConfig = {
+ core.autocrlf = "input";
+ init.defaultBranch = "main";
+ pull.rebase = true;
+ rebase.autoStash = true;
+ };
+ };
+ };
+
+ # Network settings
+ networking = {
+ hostName = "gandalf";
+ hostId = "e2fc95cd";
+ useDHCP = false; # needed for bridge
+ networkmanager.enable = true;
+ # TODO: Add ports specifically.
+ firewall.enable = false;
+ interfaces = {
+ "enp130s0f0".useDHCP = true;
+ "enp130s0f1".useDHCP = true;
+ };
+
+ # For VMs
+ # bridges = {
+ # "br0" = {
+ # interfaces = [ "enp130s0f1" ];
+ # };
+ # };
+ };
+
+ swapDevices = [ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ sops = {
+ secrets = {
+ "lego/dnsimple/token" = {
+ mode = "0444";
+ sopsFile = ./secrets.sops.yaml;
+ };
+ "borg/repository/passphrase" = {
+ sopsFile = ./secrets.sops.yaml;
+ };
+ };
+ };
+
+ # no de
+ services = {
+ xserver = {
+ enable = false;
+ displayManager.gdm.enable = false;
+ desktopManager.gnome.enable = false;
+ };
+ };
+
+ # System settings and services.
+ mySystem = {
+ purpose = "Production";
+ system = {
+ motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
+ # Incus
+ incus = {
+ enable = true;
+ };
+ # ZFS
+ zfs.enable = true;
+ zfs.mountPoolsAtBoot = [ "eru" ];
+ # NFS
+ nfs.enable = true;
+ # Samba
+ samba = {
+ enable = true;
+ shares = import ./config/samba-shares.nix { };
+ extraConfig = import ./config/samba-config.nix { };
+ };
+ resticBackup = {
+ local.enable = false;
+ remote.enable = false;
+ local.noWarning = true;
+ remote.noWarning = true;
+ };
+ # Borg
+ # My only borg backup was for the Unifi controller. I've since installed a UDM SE.
+ # borgbackup = {
+ # enable = true;
+ # paths = [ "/eru/containers/volumes/unifi/" ];
+ # exclude = [ ];
+ # repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
+ # repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
+ # };
+ };
+ services = {
+ podman.enable = true;
+ libvirt-qemu.enable = true;
+
+ # Sanoid
+ sanoid = {
+ enable = true;
+ inherit (sanoidConfig.outputs) templates datasets;
+ };
+
+ # Unifi & Lego-Auto
+ # unifi.enable = true;
+ lego-auto = {
+ enable = true;
+ dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
+ domains = "gandalf.jahanson.tech";
+ email = "joe@veri.dev";
+ provider = "dnsimple";
+ };
+ };
+ };
+}
diff --git a/nixos/profiles/hw-threadripperpro.nix b/nixos/profiles/hw-threadripperpro.nix
new file mode 100644
index 0000000..2d26abe
--- /dev/null
+++ b/nixos/profiles/hw-threadripperpro.nix
@@ -0,0 +1,32 @@
+{ lib, ... }: {
+ imports = [ ];
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+
+ mySystem = {
+ services.openssh.enable = true;
+ security.wheelNeedsSudoPassword = false;
+
+ # Restic backups disabled.
+ # TODO: configure storagebox for hetzner backups
+ system.resticBackup = {
+ local.enable = false;
+ local.noWarning = true;
+ remote.enable = false;
+ remote.noWarning = true;
+ };
+ };
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ # not supported
+ services.smartd.enable = false;
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
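Review bot: `inherit (sanoidConfig.outputs) templates datasets;` in the `sanoid` block of nixos/hosts/shadowfax/default.nix uses `sanoidConfig`, which this module never binds — its argument set is `{ config, lib, inputs, ... }` and there is no `let` — so unless it is injected through `specialArgs`/`_module.args` the host fails to evaluate with an undefined-variable error. Several settings look carried over from the gandalf host rather than set for shadowfax: `hostName = "gandalf"` (the flake entry sets `hostname = "shadowfax"`), `hostId = "e2fc95cd"`, `domains = "gandalf.jahanson.tech"`, and `kvm-intel`/`intel_iommu=on`/`hardware.cpu.intel.updateMicrocode` on a machine the flake comment describes as an AMD Threadripper; a `hostId` shared with another ZFS host in particular removes ZFS's refusal to import a pool the other machine still owns, which matters with `zfs.mountPoolsAtBoot = [ "eru" ]`. The DNSimple API token is declared with `mode = "0444"`, so every local account can read it; give it sops-nix `owner`/`group` matching the lego-auto service user and `mode = "0400"` (or `0440` with a group). `firewall.enable = false` leaves whatever listens for NFS, Samba, Incus and libvirt reachable on both interfaces, so the existing "Add ports specifically" TODO should be resolved before this host carries `purpose = "Production"`.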
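Review bot: The last line of nixos/profiles/hw-threadripperpro.nix, `hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`, references `config`, but the module's argument set is `{ lib, ... }`, so the file fails to evaluate with an undefined-variable error; change the header to `{ config, lib, ... }: {`. `services.openssh.enable = true` and `security.wheelNeedsSudoPassword = false` under `mySystem` are access-policy settings in a file named as a hardware profile; if the latter maps to `security.sudo.wheelNeedsPassword` as its name suggests, it grants passwordless root to the whole wheel group on every host that imports this profile, which is easier to audit and scope from the role profiles than from here. `imports = [ ];` is a no-op and can be dropped.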