temmie/nfs-mounts: generate systemd units ourselves

2026-02-20 17:07:51 +01:00 · 2026-01-22 17:34:35 +09:00
14 changed files with 85 additions and 170 deletions
--- a/README.md
+++ b/README.md
@@ -43,7 +43,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -60,5 +59,4 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base/default.nix
+++ b/base/default.nix
@@ -81,7 +81,7 @@
    AllowHibernation=no
  '';
-  # users.mutableUsers = lib.mkDefault false;
+  users.mutableUsers = lib.mkDefault false;
  users.groups."drift".name = "drift";
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769362210,
+        "lastModified": 1768138611,
-        "narHash": "sha256-QCQD7Ofin5UYL0i5Sv34gfJ0p5pv1hwZspE/Ufe84L8=",
+        "narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
        "ref": "main",
-        "rev": "1d01e1b2cb8fb2adee96c0b4f065c43c45eae290",
+        "rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
-        "revCount": 229,
+        "revCount": 221,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -69,54 +69,37 @@
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-    pkgs = forAllSystems (system: import nixpkgs {
+    pkgs = forAllSystems (system:
-      inherit system;
+      import nixpkgs {
-      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        inherit system;
-        [
+        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-          "nvidia-x11"
+          [
-          "nvidia-settings"
+            "nvidia-x11"
-        ];
+            "nvidia-settings"
-    });
+          ];
      });
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
        extraArgs@{
-          localSystem ? "x86_64-linux", # buildPlatform
+          system ? "x86_64-linux",
          crossSystem ? "x86_64-linux", # hostPlatform
          specialArgs ? { },
          modules ? [ ],
          overlays ? [ ],
          enableDefaults ? true,
          ...
        }:
        let
          commonPkgsConfig = {
            inherit localSystem crossSystem;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
            overlays = (lib.optionals enableDefaults [
              # Global overlays go here
              inputs.roowho2.overlays.default
            ]) ++ overlays;
          };
          pkgs = import nixpkgs commonPkgsConfig;
          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
        in
        lib.nixosSystem (lib.recursiveUpdate
        {
-          system = crossSystem;
+          inherit system;
          inherit pkgs;
          specialArgs = {
-            inherit inputs unstablePkgs;
+            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
@@ -130,10 +113,22 @@
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
          ]) ++ modules;
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
            overlays = (lib.optionals enableDefaults [
              # Global overlays go here
              inputs.roowho2.overlays.default
            ]) ++ overlays;
          };
        }
        (builtins.removeAttrs extraArgs [
-          "localSystem"
+          "system"
          "crossSystem"
          "modules"
          "overlays"
          "specialArgs"
@@ -168,6 +163,7 @@
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
@@ -226,7 +222,7 @@
        ];
      };
      skrott = stableNixosConfig "skrott" {
-        crossSystem = "aarch64-linux";
+        system = "aarch64-linux";
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -10,16 +10,9 @@
    (fp /base)
  ];
  boot.loader.systemd-boot.enable = false;
  systemd.network.enable = lib.mkForce false;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.loader = {
    systemd-boot.enable = false; # no uefi support on this device
    grub.device = "/dev/sda";
    grub.enable = true;
  };
  boot.tmp.cleanOnBoot = true;
  networking =
    let
      hostConf = values.hosts.gluttony;
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,12 +1,10 @@
-{ config, pkgs, lib, fp, values, ... }: {
+{ config, pkgs, lib, fp, ... }: {
  imports = [
    # ./hardware-configuration.nix
    (fp /base)
  ];
  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
  boot = {
    consoleLogLevel = 0;
    enableContainers = false;
@@ -21,17 +19,11 @@
  services.logrotate.enable = lib.mkForce false;
  services.nginx.enable = lib.mkForce false;
  services.postfix.enable = lib.mkForce false;
  services.smartd.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;
  services.thermald.enable = lib.mkForce false;
  services.promtail.enable = lib.mkForce false;
  boot.supportedFilesystems.zfs = lib.mkForce false;
  documentation.enable = lib.mkForce false;
  # TODO: can we reduce further?
  sops.secrets = {
-    "dibbler/postgresql/password" = {
+    "dibbler/postgresql/url" = {
      owner = "dibbler";
      group = "dibbler";
    };
@@ -41,16 +33,10 @@
  networking = {
    hostName = "skrot";
    defaultGateway = values.hosts.gateway;
    defaultGateway6 = values.hosts.gateway6;
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
-        address = values.hosts.skrott.ipv4;
+        address = "129.241.210.235";
        prefixLength = 25;
      }];
      ipv6.addresses = [{
        address = values.hosts.skrott.ipv6;
        prefixLength = 25;
      }];
    };
@@ -64,15 +50,7 @@
    settings = {
      general.quit_allowed = false;
-      database = {
+      database.url = config.sops.secrets."dibbler/postgresql/url".path;
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
@@ -89,5 +67,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "25.11";
+  system.stateVersion = "25.05";
 }
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -1,21 +1,18 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
-    # Include the results of the hardware scan.
+      # Include the results of the hardware scan.
-    ./hardware-configuration.nix
+      ./hardware-configuration.nix
-    (fp /base)
+      (fp /base)
-    ./services/nfs-mounts.nix
+      ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ];
  ];
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.nginx.enable = false;
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -1,19 +1,14 @@
-{ lib, values, ... }:
+{ lib, ... }:
 let
  # See microbel:/etc/exports
  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
  systemd.targets."pvv-homedirs" = {
    description = "PVV Homedir Partitions";
  };
  systemd.mounts = map (l: {
-    description = "PVV Homedir Partition ${l}";
+    description = "PVV Homedirs Partition ${l}";
    before = [ "remote-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    requiredBy = [ "pvv-homedirs.target" ];
    type = "nfs";
    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
@@ -21,27 +16,10 @@ in
    options = lib.concatStringsSep "," [
      "nfsvers=3"
      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
      "proto=tcp"
-      "addr=${values.hosts.microbel.ipv4}"
+      "auto"
      "mountproto=tcp"
      "mounthost=${values.hosts.microbel.ipv4}"
      "port=2049"
      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
      #       quite sure how to fix it. Living life on dangerous mode for now.
      "nolock"
      # Don't wait on every read/write
      "async"
      # Always keep mounted
      "noauto"
      # We don't want to update access time constantly
      "noatime"
@@ -57,4 +35,17 @@ in
      # "noexec"
    ];
  }) letters;
  systemd.automounts = map (l: {
    description = "PVV Homedirs Partition ${l}";
    wantedBy = [ "multi-user.target" ];
    where = "/run/pvv-home-mounts/${l}";
    automountConfig = {
      # Unmount if not accessed in 5 mins
      TimeoutIdleSec = "5min";
    };
  }) letters;
 }
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -1,29 +0,0 @@
 { ... }:
 {
  services.httpd = {
    enable = true;
    # extraModules = [];
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
    };
  };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    serviceConfig = {
      ProtectHome = "tmpfs";
      BindPaths = let
        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/secrets/skrott/skrott.yaml
+++ b/secrets/skrott/skrott.yaml
@@ -1,6 +1,6 @@
 dibbler:
    postgresql:
-        password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
+        url: ENC[AES256_GCM,data:rHmeviBKp5b33gZ+nRweJ9YSobG4OSOxypMcyGb3/Za5DyVjydEgWBkcugrLuy1fUYIu1UV93JizCRLqOOsNkg7ON2AGhw==,iv:mWgLeAmnVaRNuKI4jIKRtW5ZPjnt2tGqjfDbZkuAIXk=,tag:iHSkFcMmTWEFlIH7lVmN1Q==,type:str]
 sops:
    age:
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
@@ -48,8 +48,8 @@ sops:
            ZE5tMXJOYlFMOVNJU3FEZFB4TlZ1U00KHnunzKMy91oc92ptcaKCE1sfkhFGvf0S
            vRX/nyQnBGqD3X3yfvkt+aQnoLxcjoanpJVM9VeigyPu1mRg0OOxXg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-25T14:03:57Z"
+    lastmodified: "2026-01-11T17:28:43Z"
-    mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
+    mac: ENC[AES256_GCM,data:l43vquKg33LndSXOm0hsPcalQRXjqbb30QvptXuBsmQrcEVVh20Aqp92l+rwgv60P03ZtK4SKxm/udVVoqViFTwCLYtCC5GEn4OqbD94LQKzl+XLe7yLWwv2WF8ueu170YpZ97uFxUrhOoaOaKUgnAV+4CocixG5hfadpqA3yYE=,iv:a6RRILzz4gDUuiSZPVoqjlIMu4NZG+D5Q+brusfh9PU=,tag:Y8nKbnctjka44eH15x8oCA==,type:str]
    pgp:
        - created_at: "2026-01-11T17:12:49Z"
          enc: |-
--- a/topology/default.nix
+++ b/topology/default.nix
@@ -53,7 +53,7 @@ in {
  nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
    interfaceGroups = [ ["wan1"] ["eth1"] ];
    connections.eth1 = mkConnection "knutsen" "em1";
-    interfaces.eth1.network = "ntnu";
+    interfaces.eth1.network = "pvv";
  };
  nodes.knutsen = mkRouter "knutsen" {
@@ -82,8 +82,6 @@ in {
        (mkConnection "buskerud" "eth1")
        # (mkConnection "knutsen" "eth1")
        (mkConnection "powerpuff-cluster" "eth1")
        (mkConnection "powerpuff-cluster" "eth2")
        (mkConnection "powerpuff-cluster" "eth3")
        (mkConnection "lupine-1" "enp0s31f6")
        (mkConnection "lupine-2" "enp0s31f6")
        (mkConnection "lupine-3" "enp0s31f6")
@@ -141,7 +139,7 @@ in {
    hardware.info = "Dell PowerEdge R730 x 3";
-    interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
+    interfaceGroups = [ [ "eth1" ] ];
    services = {
      proxmox = {
@@ -169,13 +167,6 @@ in {
    interfaces.ens18.network = "pvv";
  };
  nodes.temmie = {
    guestType = "proxmox";
    parent = config.nodes.powerpuff-cluster.id;
    interfaces.ens18.network = "pvv";
  };
  nodes.ustetind = {
    guestType = "proxmox LXC";
    parent = config.nodes.powerpuff-cluster.id;
@@ -228,7 +219,7 @@ in {
        (mkConnection "demiurgen" "eno1")
        (mkConnection "sanctuary" "ethernet_0")
        (mkConnection "torskas" "eth0")
-        (mkConnection "skrot" "eth0")
+        (mkConnection "skrott" "eth0")
        (mkConnection "homeassistant" "eth0")
        (mkConnection "orchid" "eth0")
        (mkConnection "principal" "em0")
@@ -258,12 +249,6 @@ in {
    interfaces.ens4.network = "ntnu";
  };
  nodes.gluttony = {
    guestType = "openstack";
    parent = config.nodes.stackit.id;
    interfaces.ens3.network = "ntnu";
  };
  nodes.wenche = {
    guestType = "openstack";
    parent = config.nodes.stackit.id;
--- a/topology/non-nixos-machines.nix
+++ b/topology/non-nixos-machines.nix
@@ -290,6 +290,21 @@ in {
    };
  };
  nodes.skrott = mkDevice "skrott" {
    # TODO: the interface name is likely wrong
    interfaceGroups = [ [ "eth0" ] ];
    interfaces.eth0 = {
      # mac = "";
      addresses = [
        "129.241.210.235"
      ];
      gateways = [
        values.hosts.gateway
        values.hosts.gateway6
      ];
    };
  };
  nodes.torskas = mkDevice "torskas" {
    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
--- a/users/felixalb.nix
+++ b/users/felixalb.nix
@@ -9,9 +9,8 @@
    ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalb@pvv.ntnu.no"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
    ];
  };
 }
--- a/values.nix
+++ b/values.nix
@@ -69,18 +69,10 @@ in rec {
      ipv4 = pvv-ipv4 223;
      ipv6 = pvv-ipv6 223;
    };
    microbel = {
      ipv4 = pvv-ipv4 179;
      ipv6 = pvv-ipv6 "1:2";
    };
    ustetind = {
      ipv4 = pvv-ipv4 234;
      ipv6 = pvv-ipv6 234;
    };
    skrott = {
      ipv4 = pvv-ipv4 235;
      ipv6 = pvv-ipv6 235;
    };
    temmie = {
      ipv4 = pvv-ipv4 167;
      ipv6 = pvv-ipv6 167;