Add Shadowfax

2024-09-03 20:56:49 -05:00 · 2024-09-03 20:56:49 -05:00 · 0e304182af
commit 0e304182af
parent 2e9baab4d5
3 changed files with 206 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -160,7 +160,7 @@
        {
          "durincore" = mkNixosConfig {
            # T470 Thinkpad Intel i7-6600U
-            # Nix dev laptop
+            # Backup Nix dev laptop
            hostname = "durincore";
            system = "x86_64-linux";
            hardwareModules = [
@ -259,6 +259,23 @@
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
+
+          "shadowfax" = mkNixosConfig {
+            # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
+            # Workloads server
+            hostname = "shadowfax";
+            system = "x86_64-linux";
+            hardwareModules = [
+              lix-module.nixosModules.default
+              ./nixos/profiles/hw-threadripperpro.nix
+            ];
+            profileModules = [
+              vscode-server.nixosModules.default
+              ./nixos/profiles/role-dev.nix
+              ./nixos/profiles/role-server.nix
+              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
+            ];
+          };
        };

      # Convenience output that aggregates the outputs for home, nixos.
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@ -0,0 +1,156 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, inputs, ... }:
+{
+  imports =
+    [
+      inputs.disko.nixosModules.disko
+      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/nvme4n1" ]; })
+    ];
+
+  boot = {
+    initrd = {
+      kernelModules = [ "nfs" ];
+      supportedFilesystems = [ "nfs" ];
+    };
+
+    kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
+  ];
+
+  # VSCode Compatibility Settings
+  programs.nix-ld.enable = true;
+  services.vscode-server = {
+    enable = true;
+  };
+
+  # Home Manager
+  home-manager.users.jahanson = {
+    # Git settings
+    # TODO: Move to config module.
+    programs.git = {
+      enable = true;
+      userName = "Joseph Hanson";
+      userEmail = "joe@veri.dev";
+
+      extraConfig = {
+        core.autocrlf = "input";
+        init.defaultBranch = "main";
+        pull.rebase = true;
+        rebase.autoStash = true;
+      };
+    };
+  };
+
+  # Network settings
+  networking = {
+    hostName = "gandalf";
+    hostId = "e2fc95cd";
+    useDHCP = false; # needed for bridge
+    networkmanager.enable = true;
+    # TODO: Add ports specifically.
+    firewall.enable = false;
+    interfaces = {
+      "enp130s0f0".useDHCP = true;
+      "enp130s0f1".useDHCP = true;
+    };
+
+    # For VMs
+    # bridges = {
+    #   "br0" = {
+    #     interfaces = [ "enp130s0f1" ];
+    #   };
+    # };
+  };
+
+  swapDevices = [ ];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  sops = {
+    secrets = {
+      "lego/dnsimple/token" = {
+        mode = "0444";
+        sopsFile = ./secrets.sops.yaml;
+      };
+      "borg/repository/passphrase" = {
+        sopsFile = ./secrets.sops.yaml;
+      };
+    };
+  };
+
+  # no de
+  services = {
+    xserver = {
+      enable = false;
+      displayManager.gdm.enable = false;
+      desktopManager.gnome.enable = false;
+    };
+  };
+
+  # System settings and services.
+  mySystem = {
+    purpose = "Production";
+    system = {
+      motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
+      # Incus
+      incus = {
+        enable = true;
+      };
+      # ZFS
+      zfs.enable = true;
+      zfs.mountPoolsAtBoot = [ "eru" ];
+      # NFS
+      nfs.enable = true;
+      # Samba
+      samba = {
+        enable = true;
+        shares = import ./config/samba-shares.nix { };
+        extraConfig = import ./config/samba-config.nix { };
+      };
+      resticBackup = {
+        local.enable = false;
+        remote.enable = false;
+        local.noWarning = true;
+        remote.noWarning = true;
+      };
+      # Borg
+      # My only borg backup was for the Unifi controller. I've since installed a UDM SE.
+      # borgbackup = {
+      #   enable = true;
+      #   paths = [ "/eru/containers/volumes/unifi/" ];
+      #   exclude = [ ];
+      #   repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
+      #   repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
+      # };
+    };
+    services = {
+      podman.enable = true;
+      libvirt-qemu.enable = true;
+
+      # Sanoid
+      sanoid = {
+        enable = true;
+        inherit (sanoidConfig.outputs) templates datasets;
+      };
+
+      # Unifi & Lego-Auto
+      # unifi.enable = true;
+      lego-auto = {
+        enable = true;
+        dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
+        domains = "gandalf.jahanson.tech";
+        email = "joe@veri.dev";
+        provider = "dnsimple";
+      };
+    };
+  };
+}
--- a/nixos/profiles/hw-threadripperpro.nix
+++ b/nixos/profiles/hw-threadripperpro.nix
@ -0,0 +1,32 @@
+{ lib, ... }: {
+  imports = [ ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  mySystem = {
+    services.openssh.enable = true;
+    security.wheelNeedsSudoPassword = false;
+
+    # Restic backups disabled.
+    # TODO: configure storagebox for hetzner backups
+    system.resticBackup = {
+      local.enable = false;
+      local.noWarning = true;
+      remote.enable = false;
+      remote.noWarning = true;
+    };
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  # not supported
+  services.smartd.enable = false;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}