mirror of
https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
synced 2026-05-21 05:51:12 +02:00
Compare commits
8 Commits
1024b428ac
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
0d7f05e56d | ||
|
|
4a67eddf52 | ||
|
|
08a23bd380 | ||
|
|
28b67c3578 | ||
|
|
e5804c043a | ||
|
|
9c227f3022 | ||
|
|
69fdf709d7 | ||
|
|
30ec70fa5f |
@@ -39,6 +39,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
|
||||
| bikkje | Virtual | Experimental login box |
|
||||
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
|
||||
| [georg][geo] | Physical | Shared music player |
|
||||
| [gluttony][glu] | Virtual | General purpose compute |
|
||||
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
|
||||
| [kommode][kom] | Virtual | Gitea + Gitea pages |
|
||||
| [lupine][lup] | Physical | Gitea CI/CD runners |
|
||||
@@ -57,6 +58,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
|
||||
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
|
||||
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
|
||||
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
|
||||
[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
|
||||
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
|
||||
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
|
||||
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
|
||||
|
||||
@@ -7,7 +7,13 @@
|
||||
"ax25"
|
||||
"batman-adv"
|
||||
"can"
|
||||
"dccp"
|
||||
"ipx"
|
||||
"llc"
|
||||
"n-hdlc"
|
||||
"netrom"
|
||||
"p8022"
|
||||
"p8023"
|
||||
"psnap"
|
||||
"rds"
|
||||
"rose"
|
||||
@@ -23,7 +29,6 @@
|
||||
"cramfs"
|
||||
"efs"
|
||||
"exofs"
|
||||
"orangefs"
|
||||
"freevxfs"
|
||||
"gfs2"
|
||||
"hfs"
|
||||
@@ -35,10 +40,12 @@
|
||||
"nilfs2"
|
||||
"ntfs"
|
||||
"omfs"
|
||||
"orangefs"
|
||||
"qnx4"
|
||||
"qnx6"
|
||||
"sysv"
|
||||
"ubifs"
|
||||
"udf"
|
||||
"ufs"
|
||||
|
||||
# Legacy hardware
|
||||
|
||||
@@ -1,17 +1,24 @@
|
||||
{ ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
let
|
||||
modulesToBan = [
|
||||
# copy.fail
|
||||
"af_alg"
|
||||
"algif_aead"
|
||||
"algif_hash"
|
||||
"algif_rng"
|
||||
"algif_skcipher"
|
||||
|
||||
# dirtyfrag / Fragnesia
|
||||
"esp4"
|
||||
"esp6"
|
||||
"rxrpc"
|
||||
|
||||
# PinTheft
|
||||
"rds"
|
||||
];
|
||||
in
|
||||
{
|
||||
boot.blacklistedKernelModules = [
|
||||
"rxrpc" # dirtyfrag
|
||||
"esp6" # dirtyfrag
|
||||
"esp4" # dirtyfrag
|
||||
];
|
||||
boot.extraModprobeConfig = ''
|
||||
# dirtyfrag
|
||||
install esp4 /bin/false
|
||||
# dirtyfrag
|
||||
install esp6 /bin/false
|
||||
# dirtyfrag
|
||||
install rxrpc /bin/false
|
||||
'';
|
||||
boot.blacklistedKernelModules = modulesToBan;
|
||||
|
||||
boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
|
||||
}
|
||||
|
||||
132
flake.nix
132
flake.nix
@@ -49,8 +49,14 @@
|
||||
qotd.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
|
||||
let
|
||||
outputs = {
|
||||
self,
|
||||
nixpkgs,
|
||||
nixpkgs-unstable,
|
||||
sops-nix,
|
||||
disko,
|
||||
...
|
||||
} @ inputs: let
|
||||
inherit (nixpkgs) lib;
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
@@ -71,9 +77,11 @@
|
||||
in {
|
||||
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
|
||||
|
||||
pkgs = forAllSystems (system: import nixpkgs {
|
||||
pkgs = forAllSystems (system:
|
||||
import nixpkgs {
|
||||
inherit system;
|
||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
|
||||
config.allowUnfreePredicate = pkg:
|
||||
builtins.elem (lib.getName pkg)
|
||||
[
|
||||
"nvidia-x11"
|
||||
"nvidia-settings"
|
||||
@@ -81,60 +89,70 @@
|
||||
});
|
||||
|
||||
nixosConfigurations = let
|
||||
nixosConfig =
|
||||
nixpkgs:
|
||||
name:
|
||||
configurationPath:
|
||||
extraArgs@{
|
||||
nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
|
||||
localSystem ? "x86_64-linux", # buildPlatform
|
||||
crossSystem ? "x86_64-linux", # hostPlatform
|
||||
specialArgs ? { },
|
||||
modules ? [ ],
|
||||
overlays ? [ ],
|
||||
specialArgs ? {},
|
||||
modules ? [],
|
||||
overlays ? [],
|
||||
enableDefaults ? true,
|
||||
...
|
||||
}:
|
||||
let
|
||||
commonPkgsConfig = {
|
||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
|
||||
}: let
|
||||
commonPkgsConfig =
|
||||
{
|
||||
config.allowUnfreePredicate = pkg:
|
||||
builtins.elem (lib.getName pkg)
|
||||
[
|
||||
"nvidia-x11"
|
||||
"nvidia-settings"
|
||||
];
|
||||
overlays = (lib.optionals enableDefaults [
|
||||
overlays =
|
||||
(lib.optionals enableDefaults [
|
||||
# Global overlays go here
|
||||
inputs.roowho2.overlays.default
|
||||
]) ++ overlays;
|
||||
} // (if localSystem != crossSystem then {
|
||||
])
|
||||
++ overlays;
|
||||
}
|
||||
// (
|
||||
if localSystem != crossSystem
|
||||
then {
|
||||
inherit localSystem crossSystem;
|
||||
} else {
|
||||
}
|
||||
else {
|
||||
system = crossSystem;
|
||||
});
|
||||
}
|
||||
);
|
||||
pkgs = import nixpkgs commonPkgsConfig;
|
||||
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
|
||||
in
|
||||
lib.nixosSystem (lib.recursiveUpdate
|
||||
lib.nixosSystem (
|
||||
lib.recursiveUpdate
|
||||
{
|
||||
system = crossSystem;
|
||||
|
||||
inherit pkgs;
|
||||
|
||||
specialArgs = {
|
||||
specialArgs =
|
||||
{
|
||||
inherit inputs unstablePkgs;
|
||||
values = import ./values.nix;
|
||||
fp = path: ./${path};
|
||||
} // specialArgs;
|
||||
}
|
||||
// specialArgs;
|
||||
|
||||
modules = [
|
||||
modules =
|
||||
[
|
||||
{
|
||||
networking.hostName = lib.mkDefault name;
|
||||
}
|
||||
configurationPath
|
||||
] ++ (lib.optionals enableDefaults [
|
||||
]
|
||||
++ (lib.optionals enableDefaults [
|
||||
sops-nix.nixosModules.sops
|
||||
inputs.roowho2.nixosModules.default
|
||||
self.nixosModules.rsync-pull-targets
|
||||
]) ++ modules;
|
||||
])
|
||||
++ modules;
|
||||
}
|
||||
(builtins.removeAttrs extraArgs [
|
||||
"localSystem"
|
||||
@@ -148,7 +166,8 @@
|
||||
|
||||
stableNixosConfig = name: extraArgs:
|
||||
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
|
||||
in {
|
||||
in
|
||||
{
|
||||
bicep = stableNixosConfig "bicep" {
|
||||
modules = [
|
||||
inputs.matrix-next.nixosModules.default
|
||||
@@ -168,9 +187,9 @@
|
||||
bekkalokk = stableNixosConfig "bekkalokk" {
|
||||
overlays = [
|
||||
(final: prev: {
|
||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
||||
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
||||
bluemap = final.callPackage ./packages/bluemap.nix { };
|
||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
|
||||
simplesamlphp = final.callPackage ./packages/simplesamlphp {};
|
||||
bluemap = final.callPackage ./packages/bluemap.nix {};
|
||||
})
|
||||
inputs.pvv-nettsiden.overlays.default
|
||||
inputs.qotd.overlays.default
|
||||
@@ -194,10 +213,10 @@
|
||||
];
|
||||
overlays = [inputs.dibbler.overlays.default];
|
||||
};
|
||||
shark = stableNixosConfig "shark" { };
|
||||
wenche = stableNixosConfig "wenche" { };
|
||||
temmie = stableNixosConfig "temmie" { };
|
||||
gluttony = stableNixosConfig "gluttony" { };
|
||||
shark = stableNixosConfig "shark" {};
|
||||
wenche = stableNixosConfig "wenche" {};
|
||||
temmie = stableNixosConfig "temmie" {};
|
||||
gluttony = stableNixosConfig "gluttony" {};
|
||||
|
||||
kommode = stableNixosConfig "kommode" {
|
||||
overlays = [
|
||||
@@ -238,13 +257,14 @@
|
||||
];
|
||||
};
|
||||
}
|
||||
//
|
||||
(let
|
||||
// (let
|
||||
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
|
||||
stableLupineNixosConfig = name: extraArgs:
|
||||
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
|
||||
in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
|
||||
modules = [{ networking.hostName = name; }];
|
||||
in
|
||||
lib.genAttrs machineNames (name:
|
||||
stableLupineNixosConfig name {
|
||||
modules = [{networking.hostName = name;}];
|
||||
specialArgs.lupineName = name;
|
||||
}));
|
||||
|
||||
@@ -268,7 +288,8 @@
|
||||
})
|
||||
];
|
||||
};
|
||||
in pkgs.callPackage ./shell.nix { };
|
||||
in
|
||||
pkgs.callPackage ./shell.nix {};
|
||||
cuda = let
|
||||
cuda-pkgs = import nixpkgs-unstable {
|
||||
inherit system;
|
||||
@@ -277,30 +298,34 @@
|
||||
cudaSupport = true;
|
||||
};
|
||||
};
|
||||
in cuda-pkgs.callPackage ./shells/cuda.nix { };
|
||||
in
|
||||
cuda-pkgs.callPackage ./shells/cuda.nix {};
|
||||
});
|
||||
|
||||
packages = {
|
||||
"x86_64-linux" = let
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
in rec {
|
||||
in
|
||||
rec {
|
||||
default = important-machines;
|
||||
important-machines = pkgs.linkFarm "important-machines"
|
||||
important-machines =
|
||||
pkgs.linkFarm "important-machines"
|
||||
(lib.getAttrs importantMachines self.packages.${system});
|
||||
all-machines = pkgs.linkFarm "all-machines"
|
||||
all-machines =
|
||||
pkgs.linkFarm "all-machines"
|
||||
(lib.getAttrs allMachines self.packages.${system});
|
||||
|
||||
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
|
||||
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
|
||||
|
||||
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
|
||||
bluemap = pkgs.callPackage ./packages/bluemap.nix {};
|
||||
|
||||
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
|
||||
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
|
||||
}
|
||||
//
|
||||
# Mediawiki extensions
|
||||
(lib.pipe null [
|
||||
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
|
||||
(_: pkgs.callPackage ./packages/mediawiki-extensions {})
|
||||
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
|
||||
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
|
||||
])
|
||||
@@ -329,7 +354,8 @@
|
||||
modules = [
|
||||
./topology
|
||||
{
|
||||
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
|
||||
nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
|
||||
nixosCfg.extendModules {
|
||||
modules = [
|
||||
inputs.nix-topology.nixosModules.default
|
||||
./topology/service-extractors/greg-ng.nix
|
||||
@@ -337,14 +363,16 @@
|
||||
./topology/service-extractors/mysql.nix
|
||||
./topology/service-extractors/gitea-runners.nix
|
||||
];
|
||||
}) self.nixosConfigurations;
|
||||
})
|
||||
self.nixosConfigurations;
|
||||
}
|
||||
];
|
||||
};
|
||||
in {
|
||||
topology = topology'.config.output;
|
||||
topology-png = pkgs.runCommand "pvv-config-topology-png" {
|
||||
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
|
||||
topology-png =
|
||||
pkgs.runCommand "pvv-config-topology-png" {
|
||||
nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
|
||||
} ''
|
||||
mkdir -p "$out"
|
||||
for file in '${topology'.config.output}'/*.svg; do
|
||||
|
||||
@@ -64,4 +64,11 @@ in
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPortRanges = [
|
||||
{
|
||||
from = cfg.settings.rtc.port_range_start;
|
||||
to = cfg.settings.rtc.port_range_end;
|
||||
}
|
||||
];
|
||||
}
|
||||
|
||||
37
hosts/bicep/services/postgresql/cleanup-timers.nix
Normal file
37
hosts/bicep/services/postgresql/cleanup-timers.nix
Normal file
@@ -0,0 +1,37 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.services.postgresql;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.services = {
|
||||
postgresql-repack = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.target" ];
|
||||
description = "Repack all PostgreSQL databases";
|
||||
startAt = "Mon 06:00:00";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "postgres";
|
||||
Group = "postgres";
|
||||
|
||||
ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
|
||||
};
|
||||
};
|
||||
|
||||
postgresql-vacuum-analyze = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.target" ];
|
||||
description = "Vacuum and analyze all PostgreSQL databases";
|
||||
startAt = "Tue 06:00:00";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "postgres";
|
||||
Group = "postgres";
|
||||
|
||||
ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -3,11 +3,15 @@ let
|
||||
cfg = config.services.postgresql;
|
||||
in
|
||||
{
|
||||
imports = [ ./backup.nix ];
|
||||
imports = [
|
||||
./backup.nix
|
||||
./cleanup-timers.nix
|
||||
];
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_18;
|
||||
extensions = ps: with ps; [ pg_repack ];
|
||||
enableTCPIP = true;
|
||||
|
||||
authentication = ''
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
"sd_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
@@ -31,7 +31,7 @@
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/933A-3005";
|
||||
device = "/dev/disk/by-uuid/BD97-FCA0";
|
||||
fsType = "vfat";
|
||||
options = [
|
||||
"fmask=0077"
|
||||
|
||||
@@ -1,5 +1,11 @@
|
||||
{ config, fp, pkgs, lib, values, ... }:
|
||||
{
|
||||
config,
|
||||
fp,
|
||||
pkgs,
|
||||
lib,
|
||||
values,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./disks.nix
|
||||
@@ -10,8 +16,8 @@
|
||||
./services/journald-remote.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = false;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
zramSwap.enable = true;
|
||||
|
||||
@@ -29,11 +35,20 @@
|
||||
|
||||
interfaces."ens3" = {
|
||||
ipv4.addresses = [
|
||||
{ address = hostConf.ipv4; prefixLength = 32; }
|
||||
{ address = hostConf.ipv4_internal; prefixLength = 24; }
|
||||
{
|
||||
address = hostConf.ipv4;
|
||||
prefixLength = 32;
|
||||
}
|
||||
{
|
||||
address = hostConf.ipv4_internal;
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = hostConf.ipv6; prefixLength = 64; }
|
||||
{
|
||||
address = hostConf.ipv6;
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
14
values.nix
14
values.nix
@@ -86,10 +86,10 @@ in rec {
|
||||
ipv6 = pvv-ipv6 167;
|
||||
};
|
||||
gluttony = {
|
||||
ipv4 = "129.241.100.118";
|
||||
ipv4_internal = "192.168.20.77";
|
||||
ipv4_internal_gw = "192.168.20.1";
|
||||
ipv6 = "2001:700:305:aa07::3b3";
|
||||
ipv4 = "129.241.100.37";
|
||||
ipv4_internal = "192.168.1.219";
|
||||
ipv4_internal_gw = "192.168.1.1";
|
||||
ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
|
||||
};
|
||||
wenche = {
|
||||
ipv4 = pvv-ipv4 240;
|
||||
@@ -118,9 +118,9 @@ in rec {
|
||||
};
|
||||
|
||||
defaultNetworkConfig = {
|
||||
dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
|
||||
domains = [ "pvv.ntnu.no" "pvv.org" ];
|
||||
gateway = [ hosts.gateway hosts.gateway6 ];
|
||||
dns = ["129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201"];
|
||||
domains = ["pvv.ntnu.no" "pvv.org"];
|
||||
gateway = [hosts.gateway hosts.gateway6];
|
||||
|
||||
networkConfig.IPv6AcceptRA = "no";
|
||||
DHCP = "no";
|
||||
|
||||
Reference in New Issue
Block a user