From 74b770545e78bd9ff9c4c2da951f04eb98531f80 Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Sun, 15 Sep 2024 01:49:23 +0200 Subject: [PATCH] init elysium (gamle sancturary) --- base.nix | 1 + flake.nix | 2 + hosts/elysium/base.nix | 133 ++++++++++++++++++ hosts/elysium/configuration.nix | 167 +++++++++++++++++++++++ hosts/elysium/hardware-configuration.nix | 42 ++++++ hosts/elysium/nvidia.nix | 52 +++++++ 6 files changed, 397 insertions(+) create mode 100644 hosts/elysium/base.nix create mode 100644 hosts/elysium/configuration.nix create mode 100644 hosts/elysium/hardware-configuration.nix create mode 100644 hosts/elysium/nvidia.nix diff --git a/base.nix b/base.nix index 092cce2..cb1f817 100644 --- a/base.nix +++ b/base.nix @@ -67,6 +67,7 @@ wget kitty.terminfo + foot.terminfo ]; programs.zsh.enable = true; diff --git a/flake.nix b/flake.nix index 929c79d..764dda1 100644 --- a/flake.nix +++ b/flake.nix @@ -108,6 +108,8 @@ ildkule = stableNixosConfig "ildkule" { }; #ildkule-unstable = unstableNixosConfig "ildkule" { }; shark = stableNixosConfig "shark" { }; + + elysium = stableNixosConfig "elysium" { }; brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { modules = [ diff --git a/hosts/elysium/base.nix b/hosts/elysium/base.nix new file mode 100644 index 0000000..94efce9 --- /dev/null +++ b/hosts/elysium/base.nix 
@@ -0,0 +1,133 @@
+{ config, lib, pkgs, inputs, values, ... }:
+
+{
+ imports = [
+ ./modules/snakeoil-certs.nix
+ ];
+
+ networking.domain = "pvv.ntnu.no";
+ networking.useDHCP = false;
+ # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+ # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+ # networking.tempAddresses = lib.mkDefault "disabled";
+ # networking.defaultGateway = values.hosts.gateway;
+
+ systemd.network.enable = true;
+
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+ };
+
+ time.timeZone = "Europe/Oslo";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "no";
+ };
+
+ system.autoUpgrade = {
+ enable = true;
+ flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+ flags = [
+ "--update-input" "nixpkgs"
+ "--update-input" "nixpkgs-unstable"
+ "--no-write-lock-file"
+ ];
+ };
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 2d";
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ /* This makes commandline tools like
+ ** nix run nixpkgs#hello
+ ** and nix-shell -p hello
+ ** use the same channel the system
+ ** was built with
+ */
+ nix.registry = {
+ nixpkgs.flake = inputs.nixpkgs;
+ };
+ nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+
+ environment.systemPackages = with pkgs; [
+ file
+ git
+ gnupg
+ htop
+ nano
+ ripgrep
+ rsync
+ screen
+ tmux
+ vim
+ wget
+
+ kitty.terminfo
+ foot.terminfo
+ ];
+
+ programs.zsh.enable = true;
+
+ users.groups."drift".name = "drift";
+
+ # Trusted users on the nix builder machines
+ users.groups."nix-builder-users".name = "nix-builder-users";
+
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ PubkeyAcceptedAlgorithms=+ssh-rsa
+ '';
+ settings.PermitRootLogin = "yes";
+ };
+
+ # nginx return 444 for all nonexistent virtualhosts
+
+ systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+ environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+ "/etc/certs/nginx" = {
+ owner = "nginx";
+ group = "nginx";
+ };
+ };
+
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ appendConfig = ''
+ pcre_jit on;
+ worker_processes auto;
+ worker_rlimit_nofile 100000;
+ '';
+ eventsConfig = ''
+ worker_connections 2048;
+ use epoll;
+ multi_accept on;
+ '';
+ };
+
+ systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+ LimitNOFILE = 65536;
+ };
+
+ services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+ sslCertificate = "/etc/certs/nginx.crt";
+ sslCertificateKey = "/etc/certs/nginx.key";
+ addSSL = true;
+ extraConfig = "return 444;";
+ };
+
+ networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "drift@pvv.ntnu.no";
+ };
+}
diff --git a/hosts/elysium/configuration.nix b/hosts/elysium/configuration.nix
new file mode 100644
index 0000000..aec3665
--- /dev/null
+++ b/hosts/elysium/configuration.nix
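Review bot: `settings.PermitRootLogin = "yes";` in the `services.openssh` block admits root logins by every authentication method the daemon accepts, so unless password authentication is disabled elsewhere in the configuration this exposes the root account to password guessing; `settings.PermitRootLogin = "prohibit-password";` keeps key-based root access while closing the password path. The `PubkeyAcceptedAlgorithms=+ssh-rsa` line in `extraConfig` re-enables SHA-1-based RSA signatures for client keys; if it is kept for a specific legacy client, a comment naming that client would let it be removed once the client is gone. Separately, `imports = [ ./modules/snakeoil-certs.nix ]` resolves relative to hosts/elysium/, and this commit creates no such file there (the diffstat lists only four new files under hosts/elysium/), so evaluation will presumably fail unless that path already exists or the import is meant to point at the repository-level modules directory, as it would from the top-level base.nix this file appears to be copied from.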
@@ -0,0 +1,167 @@
+{ config, pkgs, values, ... }:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./nvidia.nix
+ ./base.nix
+ ../../misc/metrics-exporters.nix
+ ];
+
+ sops.defaultSopsFile = ../../secrets/elysium/elysium.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "elysium"; # Define your hostname.
+
+ #update this to actual network card.
+ systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+ matchConfig.Name = "ens18";
+ address = with values.hosts.elysium; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ };
+
+ # List packages installed in system profile
+ environment.systemPackages = with pkgs; [
+ zsh
+ bash
+ fish
+ tcsh
+
+ alpine
+ mutt
+ mutt-ics
+ mutt-wizard
+ notmuch
+ mailutils
+ procmail
+
+ irssi
+ weechat
+ weechatScripts.edit
+
+ coreutils-full
+ diffutils
+ findutils
+ ripgrep
+ cvs
+ gawk
+ git
+ gnupg
+ gnused
+ groff
+ less
+ p7zip
+ rcs
+ screen
+ tmux
+ tree
+ unzip
+ zip
+
+ emacs
+ helix
+ joe
+ micro
+ nano
+ neovim
+
+ autossh
+ inetutils
+ lynx
+ mosh
+ rsync
+ w3m
+
+ clang
+ gcc
+ guile
+ lua
+ perl
+ php
+ python3
+ (python3.withPackages (ps: with ps; [
+ numpy
+ sympy
+ scipy
+ requests
+ imageio
+ pillow
+ httpx
+ pycryptodome
+ pandas
+ matplotlib
+ ]))
+ ruby
+ tcl
+
+
+ openscad
+ cura
+ where-is-my-sddm-theme
+ firefox
+
+ ];
+
+
+
+
+ fonts.packages = with pkgs; [
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ liberation_ttf
+ fira-code
+ fira-code-symbols
+ mplus-outline-fonts.githubRelease
+ dina-font
+ proggyfonts
+ nerdfonts
+ ubuntu_font_family
+
+ ];
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ security.polkit.enable = true;
+
+ services.displayManager = {
+ enable = true;
+ sessionPackages = with pkgs; [ sway ];
+ sddm = {
+ enable = true;
+ theme = "${pkgs.where-is-my-sddm-theme}";
+ wayland.enable = true;
+ wayland.compositor = "kwin";
+ autoNumlock = true;
+ enableHidpi = true;
+ };
+ };
+
+ services.desktopManager.plasma6.enable = true;
+ services.desktopManager.plasma6.enableQt5Integration = true;
+
+ qt.platformTheme = "kde";
+
+ # Configure keymap in X11
+ services.xserver.xkb = {
+ layout = "us,no";
+ variant = ",";
+ };
+
+
+ # List services that you want to enable:
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/hosts/elysium/hardware-configuration.nix b/hosts/elysium/hardware-configuration.nix
new file mode 100644
index 0000000..7e8d12c
--- /dev/null
+++ b/hosts/elysium/hardware-configuration.nix
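Review bot: `matchConfig.Name = "ens18";` under `systemd.network.networks."30-ens18"` is still the placeholder that the commit's own `#update this to actual network card.` comment points at, and the hardware scan added in the same commit lists `xhci_pci`/`ahci`/`usbhid` rather than a virtio guest profile, so the interface name may well not match on this machine. Because ./base.nix in this commit sets `networking.useDHCP = false` and `systemd.network.enable = true`, a unit whose match never fires leaves the host with no address at all rather than falling back to DHCP. Confirming the name from the installed system, or matching on a stable identifier such as `matchConfig.MACAddress = "<MAC of the NIC>";`, would let the TODO comment be removed; until then the comment should say explicitly that the host is expected to be unreachable if the name is wrong.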
@@ -0,0 +1,42 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ #imports =
+ # [ (modulesPath + "/profiles/qemu-guest.nix")
+ # ];
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/CC37-F5FE";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/elysium/nvidia.nix b/hosts/elysium/nvidia.nix
new file mode 100644
index 0000000..3d4903e
--- /dev/null
+++ b/hosts/elysium/nvidia.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+{
+ # Enable OpenGL
+ hardware.opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+
+ # Load nvidia driver for Xorg and Wayland
+ services.xserver.videoDrivers = ["nvidia"];
+ #boot with nvidia kernel module
+ boot.initrd.kernelModules = [ "nvidia" ];
+ hardware.nvidia = {
+ # Modesetting is required.
+ modesetting.enable = true;
+ # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+ #powerManagement.enable = true;
+ # Fine-grained power management. Turns off GPU when not in use.
+ # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+ #powerManagement.finegrained = true;
+
+ # Use the NVidia open source kernel module (not to be confused with the
+ # independent third-party "nouveau" open source driver).
+ # Support is limited to the Turing and later architectures. Full list of
+ # supported GPUs is at:
+ # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+ # Only available from driver 515.43.04+
+ # Currently alpha-quality/buggy, so false is currently the recommended setting.
+ open = false;
+
+ # Enable the Nvidia settings menu,
+ # accessible via `nvidia-settings`.
+ nvidiaSettings = true;
+
+ # Optionally, you may need to select the appropriate driver version for your specific GPU.
+ package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+ };
+
+
+ # Enable the CUDA toolkit
+ #install packages
+ environment.systemPackages = with pkgs; [
+ #cudaPackages.cudnn
+ #cudaPackages.cudatoolkit
+
+ nvtopPackages.nvidia
+
+ ];
+
+
+ }
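Review bot: The `# Enable the CUDA toolkit` and `#install packages` comments above `environment.systemPackages` no longer describe the list beneath them — both `cudaPackages.*` entries are commented out and only `nvtopPackages.nvidia` is installed — so they should be replaced by something like `# GPU monitoring only; CUDA packages deliberately left out`. The pin `package = config.boot.kernelPackages.nvidiaPackages.legacy_470;` sits under a generic "you may need to select the appropriate driver version" comment; a one-line note naming the GPU generation that requires the 470 branch would tell a later maintainer when the host can move to a current branch, which matters because a legacy driver branch typically receives fewer fixes than the current one. The closing `}` of the file appears to be indented, unlike the opening `{` and the other three files in this commit, and should sit at column 0.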