🚀 Nixpkgs 24.05 --> 24.11 🚀
All checks were successful
Build / nix-build (native-x86_64, telperion) (push) Successful in 6m42s
Build / nix-build (native-x86_64, gandalf) (push) Successful in 23m34s
Build / nix-build (native-x86_64, shadowfax) (push) Successful in 24m59s

Joseph Hanson 2024-12-03 13:21:04 -06:00
parent 6dd240d563
commit 9a4e4eeff0
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
14 changed files with 111 additions and 238 deletions


@ -134,11 +134,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@ -223,35 +223,20 @@
]
},
"locked": {
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"lastModified": 1733050161,
"narHash": "sha256-lYnT+EYE47f5yY3KS/Kd4pJ6CO9fhCqumkYYkQ3TK20=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"rev": "62d536255879be574ebfe9b87c4ac194febf47c5",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"krewfile": {
"inputs": {
"flake-utils": "flake-utils",
@ -277,15 +262,15 @@
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"lastModified": 1729298361,
"narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
"rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
}
},
"lix-module": {
@ -298,15 +283,15 @@
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"lastModified": 1732605668,
"narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
"rev": "f19bd752910bbe3a861c9cad269bd078689d50fe",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
}
},
"mk-naked-shell": {
@ -456,16 +441,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1733016324,
"narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=",
"lastModified": 1733120037,
"narHash": "sha256-En+gSoVJ3iQKPDU1FHrR6zIxSLXKjzKY+pnh9tt+Yts=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6",
"rev": "f9f0d5c5380be0a599b1fb54641fa99af8281539",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
@ -552,11 +537,11 @@
},
"nur": {
"locked": {
"lastModified": 1733231429,
"narHash": "sha256-2ekVchNHMyTg/YRXLRj3OO3CU5t0HiEQnr27GMUs1uA=",
"lastModified": 1733245290,
"narHash": "sha256-q0vf2tINCUKk7XPDSKMdzp96c+x3pWUxwl0Y10c+UxQ=",
"owner": "nix-community",
"repo": "NUR",
"rev": "5a1c6c849704bbbdfc60289e7107bba4b9995b91",
"rev": "1a776f27abb96c4563f290bc7cffdc8cd7755fdd",
"type": "github"
},
"original": {
@ -653,7 +638,6 @@
"inputs": {
"disko": "disko",
"home-manager": "home-manager",
"impermanence": "impermanence",
"krewfile": "krewfile",
"lix-module": "lix-module",
"nix-index-database": "nix-index-database",


@ -3,20 +3,16 @@
inputs = {
# Nixpkgs and unstable
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth and committed to doing right by its community.
# https://git.lix.systems/lix-project/lix
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# impermanence
# https://github.com/nix-community/impermanence
impermanence.url = "github:nix-community/impermanence";
# Nix User Repository: User contributed nix packages
nur.url = "github:nix-community/NUR";
@ -33,7 +29,7 @@
# home-manager - Manage user configuration with nix
# https://github.com/nix-community/home-manager
home-manager = {
url = "github:nix-community/home-manager/release-24.05";
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -97,7 +93,7 @@
};
outputs =
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs:
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs:
let
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
@ -135,7 +131,6 @@
, baseModules ? [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
impermanence.nixosModules.impermanence
./nixos/profiles/global.nix # all machines get a global profile
./nixos/modules/nixos # all machines get nixos modules
./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
@ -198,6 +193,23 @@
];
};
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
system = "x86_64-linux";
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
];
profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
"gandalf" = mkNixosConfig {
# X9DRi-LN4+/X9DR3-LN4+ - Intel(R) Xeon(R) CPU E5-2650 v2
# NAS
@ -215,22 +227,6 @@
];
};
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
system = "x86_64-linux";
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
];
profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
};
# Convenience output that aggregates the outputs for home, nixos.


@ -1,11 +1,55 @@
{ ... }:
''
workgroup = WORKGROUP
server string = gandalf
netbios name = gandalf
security = user
# note: localhost is the ipv6 localhost ::1
hosts allow = 0.0.0.0/0
guest account = nobody
map to guest = bad user
''
{
global = {
"workgroup" = "WORKGROUP";
"server string" = "gandalf";
"netbios name" = "gandalf";
"security" = "user";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
xen = {
path = "/eru/xen-backups";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "apps";
"force group" = "apps";
};
hansonhive = {
path = "/eru/hansonhive";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "www-data";
"force group" = "www-data";
};
tm_joe = {
path = "/eru/tm_joe";
"valid users" = "jahanson";
public = "no";
writeable = "yes";
"guest ok" = "no";
"force user" = "jahanson";
"fruit:aapl" = "yes";
"fruit:time machine" = "yes";
"vfs objects" = "catia fruit streams_xattr";
};
tm_elisia = {
path = "/eru/tm_elisia";
"valid users" = "emhanson";
public = "no";
writeable = "yes";
"guest ok" = "no";
"force user" = "emhanson";
"fruit:aapl" = "yes";
"fruit:time machine" = "yes";
"vfs objects" = "catia fruit streams_xattr";
};
}
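Review bot: `"hosts allow" = "0.0.0.0/0"` in the `global` block admits every IPv4 client, so it restricts nothing, and the host configuration in this commit also sets `openFirewall = true` for samba, which leaves authentication as the only control on the SMB ports. The comment above it, `# note: localhost is the ipv6 localhost ::1`, describes a `localhost` entry that this value does not contain and should be dropped or rewritten. Every share sets `"guest ok" = "no"`, so `"map to guest" = "bad user"` appears to gain nothing except a guest session for any unknown username; `"map to guest" = "never";` would match the shares' intent. I would narrow the allow list to the networks that actually mount these shares, e.g. `"hosts allow" = "<LAN_CIDR> 127.0.0.1 localhost";` (placeholder CIDR), with a comment naming which clients that covers.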


@ -1,44 +0,0 @@
{ ... }: {
xen = {
path = "/eru/xen-backups";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "apps";
"force group" = "apps";
};
hansonhive = {
path = "/eru/hansonhive";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "www-data";
"force group" = "www-data";
};
tm_joe = {
path = "/eru/tm_joe";
"valid users" = "jahanson";
public = "no";
writeable = "yes";
"guest ok" = "no";
"force user" = "jahanson";
"fruit:aapl" = "yes";
"fruit:time machine" = "yes";
"vfs objects" = "catia fruit streams_xattr";
};
tm_elisia = {
path = "/eru/tm_elisia";
"valid users" = "emhanson";
public = "no";
writeable = "yes";
"guest ok" = "no";
"force user" = "emhanson";
"fruit:aapl" = "yes";
"fruit:time machine" = "yes";
"vfs objects" = "catia fruit streams_xattr";
};
}


@ -129,6 +129,11 @@ in
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
samba = {
enable = true;
settings = import ./config/samba-config.nix { };
openFirewall = true;
};
};
# System settings and services.
@ -150,12 +155,7 @@ in
zfs.mountPoolsAtBoot = [ "eru" ];
# NFS
nfs.enable = true;
# Samba
samba = {
enable = true;
shares = import ./config/samba-shares.nix { };
extraConfig = import ./config/samba-config.nix { };
};
# Restic
resticBackup = {
local.enable = false;
remote.enable = false;


@ -42,9 +42,8 @@ in
hardware = {
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia.open = true;
# TODO: Swap these once I switch to 24.11
# graphics.enable = true;
opengl.enable = true;
graphics.enable = true;
# opengl.enable = true;
nvidia-container-toolkit.enable = true;
};


@ -12,10 +12,6 @@ in
"security/acme/env".restartUnits = [ "lego.service" ];
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ "/var/lib/acme" ];
};
security.acme = {
acceptTerms = true;
defaults.email = "admin@${config.networking.domain}";


@ -34,9 +34,5 @@ in
rm -rf ${config.services.bind.directory}/*.jnl
'';
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = mkIf config.mySystem.system.impermanence.enable {
directories = [ services.bind.directory ];
};
};
}


@ -84,10 +84,10 @@ in
SIGNING_KEY = "default";
};
};
mailerPasswordFile = config.sops.secrets."services/forgejo/smtp/password".path;
# secrets = {
# mailer.PASSWD = config.sops.secrets."services/forgejo/smtp/password".path;
# };
secrets = {
mailer.PASSWD = config.sops.secrets."services/forgejo/smtp/password".path;
};
};
# sops
sops.secrets."services/forgejo/smtp/password" = {
@ -96,8 +96,5 @@ in
mode = "400";
restartUnits = [ "forgejo.service" ];
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ "/var/lib/forgejo" ];
};
};
}


@ -54,9 +54,5 @@ in
];
};
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ cfg.dataDir ];
};
};
}


@ -64,12 +64,6 @@ in
};
};
environment.persistence = mkIf (cfg.local.enable || cfg.remote.enable) {
"${config.mySystem.system.impermanence.persistPath}" = {
directories = [ "/var/lib/containers" ];
};
};
# useful commands:
# view snapshots - zfs list -t snapshot


@ -2,14 +2,12 @@
imports = [
./borg
./fingerprint-reader-on-laptop-lid
./impermanence.nix
./incus
./motd
./nfs
./nix.nix
./openssh.nix
./pushover
./samba
./security.nix
./systempackages.nix
./time.nix


@ -1,55 +0,0 @@
{ lib, config, ... }:
let
cfg = config.mySystem.system.impermanence;
in
with lib;
{
options.mySystem.system.impermanence = {
enable = mkEnableOption "system impermanence";
rootBlankSnapshotName = lib.mkOption {
type = lib.types.str;
default = "blank";
};
rootPoolName = lib.mkOption {
type = lib.types.str;
default = "rpool/local/root";
};
persistPath = lib.mkOption {
type = lib.types.str;
default = "/persist";
};
};
config = lib.mkIf cfg.enable {
# move ssh keys
# bind a initrd command to rollback to blank root after boot
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r ${cfg.rootPoolName}@${cfg.rootBlankSnapshotName}
'';
systemd.tmpfiles.rules = mkIf config.services.openssh.enable [
"d /etc/ 0755 root root -" #The - disables automatic cleanup, so the file wont be removed after a period
"d /etc/ssh/ 0755 root root -" #The - disables automatic cleanup, so the file wont be removed after a period
];
environment.persistence."${cfg.persistPath}" = {
hideMounts = true;
directories =
[
"/var/log" # persist logs between reboots for debugging
"/var/lib/cache" # cache files (restic, nginx, contaienrs)
"/var/lib/nixos" # nixos state
];
files = [
"/etc/machine-id"
"/etc/adjtime" # hardware clock adjustment
# ssh keys
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
};
}


@ -1,28 +0,0 @@
{ lib, config, ... }:
let
cfg = config.mySystem.system.samba;
in
{
options.mySystem.system.samba = {
enable = lib.mkEnableOption "samba";
extraConfig = lib.mkOption {
type = lib.types.str;
default = "";
};
shares = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf lib.types.unspecified);
default = "";
};
};
config = lib.mkIf cfg.enable {
services = {
samba = {
enable = true;
inherit (cfg) extraConfig shares;
openFirewall = true;
};
};
};
}