commit edcdb13c03a1547d884f3556f65393f8a671b3f6
Author: Petru Paler
Date: Fri Jun 30 07:15:01 2023 +0100
c1 config that passes nix flake check
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..98498c6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.swp
+.tmp
diff --git a/c1-hardware.nix b/c1-hardware.nix
new file mode 100644
index 0000000..c748107
--- /dev/null
+++ b/c1-hardware.nix
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/7fa539a0-6c91-49ec-9df2-e81708a07662"; + + fileSystems."/persist" = + { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2"; + fsType = "btrfs"; + options = [ "subvol=persist" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2"; + fsType = "btrfs"; + options = [ "subvol=log" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/D8C2-9216"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}
diff --git a/c1.nix b/c1.nix
new file mode 100644
index 0000000..64c77e2
--- /dev/null
+++ b/c1.nix
@@ -0,0 +1,15 @@
+{ pkgs, inputs, hostname, ... }:
+{
+ imports = [
+ inputs.impermanence.nixosModules.impermanence
+ ./compute-node.nix
+ ./c1-hardware.nix
+ ];
+
+ networking.hostName = hostname;
+
+ swapDevices = pkgs.lib.mkForce [ {
+ device = "/dev/disk/by-id/nvme-eui.002538b981b03d98-part2";
+ randomEncryption.enable = true;
+ }];
+}
diff --git a/compute-node.nix b/compute-node.nix
new file mode 100644
index 0000000..ae9dd41
--- /dev/null
+++ b/compute-node.nix
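Review bot: The `pkgs.lib.mkForce` on `swapDevices` carries no explanation, and since the generated `c1-hardware.nix` in this commit sets `swapDevices = [ ]` and list options merge by concatenation, the force is not what makes this entry win — a reader cannot tell whether it is guarding against a future re-run of the generator detecting a swap partition. A comment would settle it: `# force: c1-hardware.nix is generated and may later detect its own swap entry; only the random-key encrypted partition is wanted`. It is also worth stating next to `randomEncryption.enable = true` that the swap key is regenerated on every boot, which, as far as I know, rules out resume from hibernation on this node.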
@@ -0,0 +1,133 @@
+{ config, pkgs, inputs, ... }:
+{
+ boot.initrd.kernelModules = [ "usb_storage" ];
+ boot.initrd.luks.devices."luksroot" = {
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ keyFileSize = 4096;
+ keyFile = "/dev/sda";
+ };
+
+ fileSystems."/".options = ["compress=zstd" "noatime" ];
+ fileSystems."/nix".options = ["compress=zstd" "noatime" ];
+ fileSystems."/persist".options = ["compress=zstd" "noatime" ];
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/var/log".options = ["compress=zstd" "noatime" ];
+ fileSystems."/var/log".neededForBoot = true;
+
+ # reset / at each boot
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -p /mnt
+
+ # We first mount the btrfs root to /mnt
+ # so we can manipulate btrfs subvolumes.
+ mount -o subvol=/ /dev/mapper/luksroot /mnt
+
+ # While we're tempted to just delete /root and create
+ # a new snapshot from /root-blank, /root is already
+ # populated at this point with a number of subvolumes,
+ # which makes `btrfs subvolume delete` fail.
+ # So, we remove them first.
+ #
+ # /root contains subvolumes:
+ # - /root/var/lib/portables
+ # - /root/var/lib/machines
+ #
+ # I suspect these are related to systemd-nspawn, but
+ # since I don't use it I'm not 100% sure.
+ # Anyhow, deleting these subvolumes hasn't resulted
+ # in any issues so far, except for fairly
+ # benign-looking errors from systemd-tmpfiles.
+ btrfs subvolume list -o /mnt/root |
+ cut -f9 -d' ' |
+ while read subvolume; do
+ echo "deleting /$subvolume subvolume..."
+ btrfs subvolume delete "/mnt/$subvolume"
+ done &&
+ echo "deleting /root subvolume..." &&
+ btrfs subvolume delete /mnt/root
+
+ echo "restoring blank /root subvolume..."
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # Once we're done rolling back to a blank snapshot,
+ # we can unmount /mnt and continue on the boot process.
+ umount /mnt
+ '';
+
+ # configure impermanence
+ environment.persistence."/persist" = {
+ directories = [
+ "/etc/nixos"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+
+ security.sudo = {
+ extraConfig = ''
+ # rollback results in sudo lectures after each reboot
+ Defaults lecture = never
+ '';
+ wheelNeedsPassword = false;
+ };
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "Europe/Lisbon";
+
+ users.mutableUsers = false;
+ users.users.ppetru = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 petru@paler.net" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ ];
+ };
+
+ system.copySystemConfiguration = false; # not supported with flakes
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
+
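Review bot: `keyFile = "/dev/sda"` in the `luksroot` block ties the LUKS key to kernel enumeration order rather than a stable identifier: with `ahci` available and `usb_storage` forced into the initrd (see `c1-hardware.nix` in this commit), whichever disk enumerates first is what the first 4096 bytes are read from, and a different stick or an added SATA disk makes the unlock fail with nothing pointing at the cause. Prefer `keyFile = "/dev/disk/by-id/<USB_KEY_DEVICE_ID>";` (placeholder) and consider `fallbackToPassword = true;` so the node can still be unlocked interactively when the stick is missing. The design also deserves a comment, e.g. `# key = first 4096 raw bytes of the USB stick; possession of the stick is the unlock boundary`, since nothing here says the key is read from a raw device rather than a file. Separately, `wheelNeedsPassword = false` makes the single `ppetru` authorized key the only control on root on this node; if that is deliberate for deploy-rs activation, a comment next to it should say so.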
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..6d4ae43
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,97 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1686747123, + "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "724463b5a94daa810abfc64a4f87faef4e00f984", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1684264534, + "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "89253fb1518063556edd5e54509c30ac3089d5e6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1687829761, + "narHash": "sha256-QRe1Y8SS3M4GeC58F/6ajz6V0ZLUVWX3ZAMgov2N3/g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9790f3242da2152d5aa1976e3e4b8b414f4dd206", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "impermanence": "impermanence", + "nixpkgs": "nixpkgs" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + 
"type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0b547c8 --- /dev/null +++ b/flake.nix @@ -0,0 +1,36 @@ +{ + description = "Alo cluster"; + + inputs = { + deploy-rs.url = "github:serokell/deploy-rs"; + deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + impermanence.url = "github:nix-community/impermanence"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + }; + + outputs = { self, nixpkgs, deploy-rs, ... }@inputs: + let + mkNixos = hostname: modules: nixpkgs.lib.nixosSystem { + inherit modules; + specialArgs = { inherit inputs hostname; }; + }; + in { + nixosConfigurations = { + c1 = mkNixos "c1" [ ./c1.nix ]; + }; + + deploy = { + nodes = { + c1 = { + hostname = "c1"; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.c1; + }; + }; + }; + }; + + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; +}