jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reinstall magnesium

Browse source
This commit is contained in:
Jakob Lechner 2025-04-09 03:26:34 +02:00
parent 464a1847a6
commit dcb50b0970
9 changed files with 194 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -4,7 +4,7 @@ keys:
- &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44 - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
- &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
- &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
- &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 - &host_magnesium age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8
- &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
- &host_copper age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3 - &host_copper age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3
creation_rules: creation_rules:

16
flake.lock generated
View file

@ -238,6 +238,21 @@
"type": "github" "type": "github"
} }
}, },
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"krops": { "krops": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
@ -491,6 +506,7 @@
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"gomod2nix": "gomod2nix", "gomod2nix": "gomod2nix",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence",
"krops": "krops", "krops": "krops",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nix-pre-commit-hooks": "nix-pre-commit-hooks", "nix-pre-commit-hooks": "nix-pre-commit-hooks",

6
flake.nix
View file

@ -12,6 +12,8 @@
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.url = "github:nix-community/home-manager/release-24.11";
impermanence.url = "github:nix-community/impermanence";
krops.inputs.flake-utils.follows = "flake-utils"; krops.inputs.flake-utils.follows = "flake-utils";
krops.inputs.nixpkgs.follows = "nixpkgs"; krops.inputs.nixpkgs.follows = "nixpkgs";
krops.url = "github:Mic92/krops"; krops.url = "github:Mic92/krops";
@ -107,6 +109,7 @@
command = targetPath: '' command = targetPath: ''
nixos-rebuild switch --flake ${targetPath}/config -L --keep-going nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
''; '';
force = true;
} }
) )
self.nixosConfigurations); self.nixosConfigurations);
@ -173,9 +176,10 @@
] ++ [ ] ++ [
{ nixpkgs.overlays = [ nur.overlays.default ]; } { nixpkgs.overlays = [ nur.overlays.default ]; }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote inputs.lanzaboote.nixosModules.lanzaboote
inputs.sops-nix.nixosModules.sops
] ++ extraModules; ] ++ extraModules;
}) })
(import ./hosts inputs); (import ./hosts inputs);

6
hosts/default.nix
View file

@ -4,7 +4,7 @@ let
in in
{ {
aluminium = { aluminium = {
targetHost = "192.168.0.1"; targetHost = "jalr-k.duckdns.org";
system = "x86_64-linux"; system = "x86_64-linux";
}; };
jalr-t520 = { jalr-t520 = {
@ -23,8 +23,8 @@ in
targetHost = "jalr-bw.duckdns.org"; targetHost = "jalr-bw.duckdns.org";
}; };
magnesium = { magnesium = {
system = "aarch64"; system = "x86_64-linux";
targetHost = "162.55.35.199"; targetHost = "magnesium.jalr.de";
}; };
tin = { tin = {
system = "x86_64-linux"; system = "x86_64-linux";

58
hosts/magnesium/configuration.nix
View file

@ -1,58 +1,24 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ../../modules/providers/hetzner-cloud.nix
../../users/jalr
./services ./services
../../users/jalr
./persistence.nix
]; ];
networking.hostName = "magnesium"; networking.hostName = "magnesium";
services.openssh.enable = true;
disko.devices.disk.virt.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_60640534";
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
networking.useDHCP = false; systemd.network.networks."10-wan".address = [
"2a01:4f8:c013:bab7::1/64"
];
systemd.network = { nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
enable = true;
networks."10-wan" = {
matchConfig.Name = "enp1s0";
networkConfig.DHCP = "no";
address = [
"162.55.35.199/32"
"2a01:4f8:c012:21ba::/64"
];
routes = [
{
Destination = "172.31.1.1";
}
{
Gateway = "172.31.1.1";
GatewayOnLink = true;
}
{
Gateway = "fe80::1";
}
];
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
jalr = {
bootloader = "systemd-boot";
uefi.enable = true;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
system.stateVersion = "24.11";
} }

57
hosts/magnesium/hardware-configuration.nix
View file

@ -1,57 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
];
};
"/proc" = {
device = "/proc";
options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
};
"/home" = {
device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
"nodev"
"nosuid"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
"nodev"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/7836-0C48";
fsType = "vfat";
options = [ "nodev" "nosuid" "noexec" ];
};
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

37
hosts/magnesium/persistence.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, lib, ... }:
{
boot.initrd.postDeviceCommands =
let
device = config.disko.devices.disk.virt.content.partitions.linux.device;
in
lib.mkAfter ''
mkdir /mnt
mount -t btrfs "${device}" /mnt
btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume; do
btrfs subvolume delete "/mnt/$subvolume"
done
btrfs subvolume delete /mnt/root
btrfs subvolume snapshot /mnt/root-blank /mnt/root
'';
services.openssh = {
hostKeys = lib.mkForce [{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}];
};
services.forgejo.stateDir = "/persist/var/lib/forgejo";
services.postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/acme"
"/var/lib/hedgedoc"
"/var/lib/nixos"
"/var/lib/private/ntfy-sh"
];
};
}

24
hosts/magnesium/secrets.yaml
View file

@ -9,27 +9,27 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 - recipient: age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNS0svemgzNTVsOEo3cDI5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMW5lbkRNQS9Gc0VUWndk
QVJ1dDVpK0Zyb3UwTUhWR29RalNPTENiQm1rCjdPbkZBd0hwQ3VvUmRTT2hlZEhp VlJiczFVM1dHUGc2QWZnMHVIVGZzdWJKUUJzCngyNGxaR2JFNG9HbG81c1ZNSlQ3
Snk3cC9OTWZFSFhzMFBoSENMTHB4Qk0KLS0tIEltSEpUWkVmclRKdTA5b09RcGpT MlgvMlNYWVduY1diM3g2U3BiL0J3U2sKLS0tIHBscWxMTzVISkE5WW1CZTNYK1ZM
QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q elNwdVlJS2NCWUlXcEZvZWsvZ29FRnMK/qa6Qj1yQc91PWk9tMKSyFkMfYcHIKpQ
bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg== jcPmGWbpi2NPL/F0Xz2X/zQQxWzs9uzlS1VH+y8JRe1EPMYJ78NXZw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-11T15:28:59Z" lastmodified: "2025-01-11T15:28:59Z"
mac: ENC[AES256_GCM,data:1RnyUrbEI2JKpicmA3QV+5ob+vByahMjc4+ZpLbcMyZv/KXn02VP+OQaLm9NgPfpZmSmRgbdPNQAP4f71z/EjcceyANAhnvql3zuYgSXNp5l/IYo5UFZdWgQa14XTGO518969CDLW1zJnlkBtbtLEVlMJiQ/EraV1eNtgCr5UEU=,iv:0fLjboGiejUI9LxHW80ed+/Lf+jlN5UH7tVqfBptq0w=,tag:4Tyrqy9XwQAm0etooVBNZg==,type:str] mac: ENC[AES256_GCM,data:1RnyUrbEI2JKpicmA3QV+5ob+vByahMjc4+ZpLbcMyZv/KXn02VP+OQaLm9NgPfpZmSmRgbdPNQAP4f71z/EjcceyANAhnvql3zuYgSXNp5l/IYo5UFZdWgQa14XTGO518969CDLW1zJnlkBtbtLEVlMJiQ/EraV1eNtgCr5UEU=,iv:0fLjboGiejUI9LxHW80ed+/Lf+jlN5UH7tVqfBptq0w=,tag:4Tyrqy9XwQAm0etooVBNZg==,type:str]
pgp: pgp:
- created_at: "2024-01-31T01:20:03Z" - created_at: "2025-04-08T22:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DY/xpNY5WhB0SAQdAKi5BqRHyG+CaeCKH8KuQWVWS8TbO/Kj38hTzbkBuyF8w hF4DY/xpNY5WhB0SAQdAbrDTh/Nvu8ky1ec34AAkKQcTH1G1nDlUCSfobMQsCmAw
lxCni2VsyI4GDdBwy1jzJpqaqkqCwlzUXh7quHKNjZksHSsb8UTy6aZhDt+sz8Xk XPI7V41rBAY2m6J1P/0oy9cHVfE/LUi4E/yCgNG7YIGdUbb9x29x7A3uoP1NAhE5
0l4BM0Dv37SESplctQ4hj8Go48nu3KaYfiE7pyP+HfsZksGn7KTeOWoqC+ET3HX0 0l4BZQGZ+GGa69KZ2mOnWhbKfjtOVNDoaxcpgNWHxrtO35c/tNSCxJ2Uj2Q2u3Nj
k/w1905xtcxInOalYgCpl2NzowAvKKy1mhzN8+bHW9xJq3ca5nYv0qfT0eFDJE1O +SRaHB3tsF8VL85Tn0FEXSWLzL7SfHj78wvaZ/3AxbqdF7WDJkl1hXEnrf2DjBCC
=pqvJ =Gi/Y
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

108
modules/providers/hetzner-cloud.nix Normal file
View file

@ -0,0 +1,108 @@
{ config
, pkgs
, modulesPath
, ...
}:
let
cfg = config.disko;
in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
config = {
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "enp1s0";
networkConfig.DHCP = "ipv4";
routes = [
{ Gateway = "fe80::1"; }
];
};
};
boot = {
loader = {
grub.enable = pkgs.hostPlatform.system == "x86_64-linux";
systemd-boot = {
enable = pkgs.hostPlatform.system == "aarch64-linux";
configurationLimit = 10;
};
efi = {
efiSysMountPoint = "/boot";
canTouchEfiVariables = true;
};
};
};
disko.devices = {
disk = {
virt = {
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
priority = 1; # Needs to be first partition
};
esp = {
type = "EF00";
size = "1024M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
};
};
linux = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
postCreateHook =
let
device = cfg.devices.disk.virt.content.partitions.linux.device;
in
''
mountpoint="$(mktemp -d)"
mount "${device}" "$mountpoint" -o subvol=/
trap 'umount "$mountpoint"; rmdir "$mountpoint"' EXIT
btrfs subvolume snapshot -r $mountpoint/root $mountpoint/root-blank
'';
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress-force=zstd:1" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" ];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
};
};
};
};
};
};
};
};
};
};
}