From 1145e7faeea90f15f7f852ad70036245e4d16f49 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@autogeree.net>
Date: Fri, 10 Jan 2020 04:11:07 +0000
Subject: [PATCH] nixops: add mermet

---
 bootstrap/mermet/etc/dropbear/.gitignore      |   1 +
 .../etc/nixos/hardware-configuration.nix      | 143 ----------------
 install/logical.nix                           |  14 +-
 install/logical/friot.nix                     |  35 +---
 install/logical/mermet.nix                    |  15 ++
 .../Makefile.make => install/mermet/Makefile  | 155 ++++++++++--------
 install/mermet/configuration.nix              |   8 +
 install/mermet/hosting.nix                    |   2 +
 install/mermet/hosting/lab.nix                |   8 +
 install/mermet/hosting/ptt.nix                |   8 +
 install/mermet/logical.nix                    |   8 +
 install/mermet/logical/boot.nix               |   5 +
 install/mermet/logical/etc/inputrc            |  67 ++++++++
 install/mermet/logical/networking.nix         |   6 +
 .../mermet/logical/system.nix                 | 111 ++-----------
 install/mermet/logical/zfs.nix                |  94 +++++++++++
 install/mermet/physical.nix                   |   2 +
 .../mermet/physical/apu2e4.nix                | 122 ++++++++++----
 .../mermet/physical}/sfdisk.txt               |   0
 install/mermet/physical/virtualbox.nix        |  35 ++++
 install/options.nix                           |  36 ++++
 .../physical/{nixos.nix => production.nix}    |   8 +-
 .../physical/{virtualbox.nix => staging.nix}  |   0
 shell.nix                                     |  25 ++-
 24 files changed, 516 insertions(+), 392 deletions(-)
 create mode 100644 bootstrap/mermet/etc/dropbear/.gitignore
 delete mode 100644 bootstrap/mermet/etc/nixos/hardware-configuration.nix
 create mode 100644 install/logical/mermet.nix
 rename bootstrap/mermet/Makefile.make => install/mermet/Makefile (55%)
 create mode 100644 install/mermet/configuration.nix
 create mode 100644 install/mermet/hosting.nix
 create mode 100644 install/mermet/hosting/lab.nix
 create mode 100644 install/mermet/hosting/ptt.nix
 create mode 100644 install/mermet/logical.nix
 create mode 100644 install/mermet/logical/boot.nix
 create mode 100644 install/mermet/logical/etc/inputrc
 create mode 100644 install/mermet/logical/networking.nix
 rename bootstrap/mermet/etc/nixos/configuration.nix => install/mermet/logical/system.nix (58%)
 create mode 100644 install/mermet/logical/zfs.nix
 create mode 100644 install/mermet/physical.nix
 rename bootstrap/mermet/etc/nixos/zfs-configuration.nix => install/mermet/physical/apu2e4.nix (50%)
 rename {bootstrap/mermet/etc => install/mermet/physical}/sfdisk.txt (100%)
 create mode 100644 install/mermet/physical/virtualbox.nix
 create mode 100644 install/options.nix
 rename install/physical/{nixos.nix => production.nix} (72%)
 rename install/physical/{virtualbox.nix => staging.nix} (100%)

diff --git a/bootstrap/mermet/etc/dropbear/.gitignore b/bootstrap/mermet/etc/dropbear/.gitignore
new file mode 100644
index 0000000..5e74a2f
--- /dev/null
+++ b/bootstrap/mermet/etc/dropbear/.gitignore
@@ -0,0 +1 @@
+*-key
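Review bot: The pattern `*-key` no longer matches anything this commit writes: the Makefile now installs the dropbear key as `host-ecdsa.key` (dot, not dash) and `physical/apu2e4.nix` reads it from repo-root `.sec/dropbear/mermet-ecdsa.key`, so the private-key paths actually in use are not covered by this rule. Either change it to `*.key` and add a matching ignore for `.sec/`, or drop this directory altogether, since the same commit removes the Makefile step that read `bootstrap/mermet/etc/dropbear`. A private initrd host key committed by accident is hard to purge from history, so the rule should be checked with `git check-ignore` before the key is generated.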
diff --git a/bootstrap/mermet/etc/nixos/hardware-configuration.nix b/bootstrap/mermet/etc/nixos/hardware-configuration.nix
deleted file mode 100644
index 0935ef5..0000000
--- a/bootstrap/mermet/etc/nixos/hardware-configuration.nix
+++ /dev/null
@@ -1,143 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
-  boot.loader = {
-    grub = {
-      enable = true;
-      version = 2;
-      copyKernels = true;
-      # efiSupport = true;
-      devices = [
-        "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
-      ];
-      /*
-      mirroredBoots = [
-        { devices = [ "${disk_id}" ];
-          path    = "/boot${bootnum}";
-        }
-      ];
-      */
-    };
-    /*
-    efi = {
-      canTouchEfiVariables = true;
-      efiSysMountPoint = "/boot/efi";
-      efiInstallAsRemovable = false;
-    };
-    */
-  };
-
-  boot.initrd = {
-    availableKernelModules = [
-      "ehci_pci" "ahci" "uas" "sd_mod"
-      # Made the AES modules available at initrd,
-      # to speedup the deciphering of the root.
-      "aes_x86_64"
-      "aesni_intel"
-      "cryptd"
-    ];
-    kernelModules = [ ];
-  };
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-  boot.kernelParams = [
-    "gfxpayload=text"
-    "console=tty0"
-    "console=ttyS0,115200n8"
-    # DEBUG: "boot.shell_on_fail"
-  ];
-  boot.kernel = {
-    sysctl = {
-      "vm.swappiness" = 10;
-      "vm.vfs_cache_pressure" = 50;
-    };
-  };
-
-  # Clean /tmp automatically on boot.
-  boot.cleanTmpDir = true;
-
-  fileSystems."/" =
-    { device = "rpool/root";
-      fsType = "zfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
-      fsType = "ext2";
-    };
-    /*
-    { device = "bpool/boot";
-      fsType = "zfs";
-    };
-    */
-
-  fileSystems."/boot/efi" =
-    { device = "/dev/disk/by-uuid/62E6-E65F";
-      fsType = "vfat";
-    };
-
-  fileSystems."/home" =
-    { device = "rpool/home";
-      fsType = "zfs";
-    };
-
-  fileSystems."/nix" =
-    { device = "rpool/nix";
-      fsType = "zfs";
-    };
-
-  fileSystems."/nix/var" =
-    { device = "rpool/nix/var";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var" =
-    { device = "rpool/var";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/cache" =
-    { device = "rpool/var/cache";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/log" =
-    { device = "rpool/var/log";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/mail" =
-    { device = "rpool/var/mail";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/tmp" =
-    { device = "rpool/var/tmp";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/www" =
-    { device = "rpool/var/www";
-      fsType = "zfs";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
-        randomEncryption = {
-          enable = true;
-          cipher = "aes-xts-plain64";
-          source = "/dev/urandom";
-        };
-      }
-    ];
-
-  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-}
diff --git a/install/logical.nix b/install/logical.nix
index 780eef5..def0af8 100644
--- a/install/logical.nix
+++ b/install/logical.nix
@@ -1,4 +1,14 @@
 {
-network.description = "Commonsoft Network";
-friot = import logical/friot.nix;
+  network = {
+    description = "Sourcephile";
+    #enableRollback = true;
+  };
+
+  defaults = {
+    imports = [ ];
+  };
+
+  # machines
+  #friot = import logical/friot.nix;
+  mermet = import mermet/configuration.nix;
 }
diff --git a/install/logical/friot.nix b/install/logical/friot.nix
index b6f13f3..e121543 100644
--- a/install/logical/friot.nix
+++ b/install/logical/friot.nix
@@ -7,6 +7,7 @@ let inherit (builtins.extraBuiltins) pass;
 in {
 imports = [
   <nixpkgs-sourcephile/install/modules.nix>
+  ../options.nix
   ../overlays/tools/networking/shorewall/service.nix
   ../overlays/tools/networking/shorewall6/service.nix
   ../overlays/servers/mail/rspamd/service.nix
@@ -24,40 +25,6 @@ imports = [
   friot/openldap.nix
   #friot/discourse.nix
 ];
-options = {
-  enable = lib.mkEnableOption "friot";
-  networking.domainBase = lib.mkOption {
-    type        = types.str;
-    description = "Base network name.";
-    example     = "example";
-  };
-  networking.domainAliases = lib.mkOption {
-    type        = types.listOf types.str;
-    description = "Domain aliases.";
-    example     = [ "example.org" "example.net" ];
-  };
-  networking.zones = lib.mkOption {
-    type = types.attrsOf (types.submodule ({name, options, config, ...}: {
-      options = {
-        iface = lib.mkOption {
-          type        = types.str;
-          description = "Interface name.";
-          example     = "eth0";
-        };
-        ipv4 = lib.mkOption {
-          type        = types.str;
-          description = "Static IPv4 address of the machine.";
-          example     = "1.2.3.4";
-        };
-        ipv6 = lib.mkOption {
-          type        = types.str;
-          description = "Static IPv6 address of the machine.";
-          example     = "fe80::1";
-        };
-      };
-    }));
-  };
-};
 config = {
   nix = {
     extraOptions = ''
diff --git a/install/logical/mermet.nix b/install/logical/mermet.nix
new file mode 100644
index 0000000..6df6654
--- /dev/null
+++ b/install/logical/mermet.nix
@@ -0,0 +1,15 @@
+{pkgs, lib, config, system, ...}:
+let inherit (builtins.extraBuiltins) pass;
+    inherit (lib) types;
+    inherit (config) networking;
+    userPass = name: pass "${networking.domainBase}/${networking.hostName}/login/${name}";
+in {
+imports = [
+  <nixpkgs-sourcephile/install/modules.nix>
+  ../overlays/tools/networking/shorewall/service.nix
+  ../overlays/tools/networking/shorewall6/service.nix
+  ../overlays/servers/mail/rspamd/service.nix
+  ../overlays.nix
+  ../options.nix
+];
+}
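Review bot: `userPass` and `types` are bound in the `let` but never used, and nothing visible imports this file — `install/logical.nix` points `mermet` at `mermet/configuration.nix`, which imports `install/mermet/logical.nix`, a different file — so this looks like a leftover copy of the `friot.nix` header. If it is meant to be the nixops-side entry point, a header comment saying so and what should import it would help; otherwise drop it. `userPass` resolves `pass` entries into plain evaluation-time strings, so an unused copy is better not kept around where it can be picked up by accident.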
diff --git a/bootstrap/mermet/Makefile.make b/install/mermet/Makefile
similarity index 55%
rename from bootstrap/mermet/Makefile.make
rename to install/mermet/Makefile
index 43ccbc6..b9aa950 100644
--- a/bootstrap/mermet/Makefile.make
+++ b/install/mermet/Makefile
@@ -1,11 +1,11 @@
-mermet_mnt         := mermet
-mermet_rpool       := rpool
-mermet_bpool       := bpool
-mermet_disk        := $(shell sed -ne 's/^device: \(.*\)/\1/p' bootstrap/$(mermet_mnt)/etc/sfdisk.txt)
-mermet_cipher :=
+mermet_disk        := $(shell sed -ne 's/^device: \(.*\)/\1/p' physical/sfdisk.txt)
+mermet_cipher      :=
 #mermet_cipher      := aes-128-gcm
 mermet_autotrim    :=
 mermet_reservation := 40G
+#mermet_channel     := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
+MERMET_PHYSICAL    ?= apu2e4
+MERMET_HOSTING     ?= lab
 
 mermet-wipeout: mermet-umount
 	sudo zpool labelclear -f $(mermet_disk)-part3 || true
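Review bot: `mermet_disk` is derived from a `sed` over `physical/sfdisk.txt` (relative to the Makefile's directory) and then handed with `-f` to `zpool labelclear` here and to `sfdisk`/`sgdisk`/`mkfs` below; if the file is missing or has no `device:` line, the variable is empty and every destructive target runs with an empty device argument. A guard costs three lines: `ifeq ($(mermet_disk),)` / `$(error mermet_disk: no "device:" line found in physical/sfdisk.txt)` / `endif`. The `MERMET_PHYSICAL`/`MERMET_HOSTING` defaults would also benefit from a comment listing the valid values (`apu2e4`/`virtualbox`, `lab`/`ptt`), since a typo is only caught as a missing-file error at Nix evaluation time.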
@@ -14,18 +14,18 @@ mermet-wipeout: mermet-umount
 
 mermet-partition:
 	sudo modprobe zfs
-	sudo $$(which sfdisk) $(mermet_disk) <bootstrap/$(mermet_mnt)/etc/sfdisk.txt
+	sudo $$(which sfdisk) $(mermet_disk) <physical/sfdisk.txt
 	sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
 	sudo partprobe
 
 mermet-format:
 	# DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
-	sudo mkdir -p /mnt/$(mermet_mnt)
+	sudo mkdir -p /mnt/mermet
 	blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
 	mkfs.ext2 $(mermet_disk)-part3
 	# bpool
 	## NOTE: enable only ZFS features supported by GRUB
-	#sudo zpool list $(mermet_bpool) 2>/dev/null || \
+	#sudo zpool list bpool 2>/dev/null || \
 	#sudo zpool create -o ashift=12 -d \
 	# -o feature@allocation_classes=enabled \
 	# -o feature@async_destroy=enabled \
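Review bot: `blkid -t TYPE=ext2 $(mermet_disk)-part3` and the `mkfs.ext2` that follows it run without `sudo`, unlike the `sudo blkid`/`sudo mkfs.vfat` pair used for the EFI partition further down; an unprivileged `blkid` may not be able to probe the raw partition (and exits 2 in that case, which this test reads as "not formatted"), and an unprivileged `mkfs.ext2` fails outright. Making the two lines `sudo blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \` and `sudo mkfs.ext2 $(mermet_disk)-part3` keeps the idempotence check meaningful. The `mermet-format` recipe continues past the hunk.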
@@ -50,7 +50,7 @@ mermet-format:
 	# -o feature@skein=disabled \
 	# -o feature@edonr=disabled \
 	# -O normalization=formD \
-	# -R /mnt/$(mermet_mnt) $(mermet_bpool) $(mermet_disk)-part3
+	# -R /mnt/mermet bpool $(mermet_disk)-part3
 	#sudo zfs set \
 	# acltype=posixacl \
 	# canmount=off \
@@ -59,7 +59,7 @@ mermet-format:
 	# relatime=on \
 	# xattr=sa \
 	# mountpoint=/ \
-	# $(mermet_bpool)
+	# bpool
 	
 	# swap
 	# FIXME: configure with a volatile key in configuration.nix
@@ -70,13 +70,13 @@ mermet-format:
 	#sudo mkswap --check --label swap
 	#sudo cryptsetup luksClose $(mermet_disk)-part4 mermet-swap
 	# rpool
-	sudo zpool list $(mermet_rpool) 2>/dev/null || \
+	sudo zpool list rpool 2>/dev/null || \
 	sudo zpool create -o ashift=12 \
 	 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
 	 -O keyformat=passphrase \
 	 -O keylocation=prompt) \
 	 -O normalization=formD \
-	 -R /mnt/$(mermet_mnt) $(mermet_rpool) $(mermet_disk)-part5
+	 -R /mnt/mermet rpool $(mermet_disk)-part5
 	sudo zfs set \
 	 acltype=posixacl \
 	 atime=off \
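Review bot: With `mermet_cipher` empty (its default two hunks up), the `$(if ...)` drops `-O encryption=`, so `rpool` is created unencrypted, while `logical/zfs.nix` sets `boot.zfs.requestEncryptionCredentials = true` and the initrd comments load AES modules "to speedup the deciphering of the root". If an unencrypted root is intended for the lab setup, say so next to the variable; if not, the recipe should refuse to format without a cipher, e.g. `$(if $(mermet_cipher),,$(error mermet_cipher is empty; refusing to create an unencrypted rpool))` as the first line of `mermet-format`. Note also that the `sudo zpool list rpool ||` guard keys on the pool name only, so an install host that already has a pool named `rpool` silently skips creation.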
@@ -88,20 +88,20 @@ mermet-format:
 	 $(if $(mermet_reservation),reservation=$(mermet_reservation)) \
 	 xattr=sa \
 	 mountpoint=/ \
-	 $(mermet_rpool)
+	 rpool
 	# /
 	# NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
-	sudo zfs list $(mermet_rpool)/root 2>/dev/null || \
+	sudo zfs list rpool/root 2>/dev/null || \
 	sudo zfs create \
 	 -o canmount=on \
 	 -o mountpoint=legacy \
-	 $(mermet_rpool)/root
+	 rpool/root
 	# /boot
-	#sudo zfs list $(mermet_bpool)/boot 2>/dev/null || \
+	#sudo zfs list bpool/boot 2>/dev/null || \
 	#sudo zfs create \
 	# -o canmount=on \
 	# -o mountpoint=legacy \
-	# $(mermet_bpool)/boot
+	# bpool/boot
 	# /boot/efi
 	sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
 	sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
@@ -117,51 +117,51 @@ mermet-format:
 	 var/tmp \
 	 var/www \
 	 ; do \
-		sudo zfs list $(mermet_rpool)/"$$p" 2>/dev/null || \
+		sudo zfs list rpool/"$$p" 2>/dev/null || \
 		sudo zfs create \
 		 -o canmount=on \
 		 -o mountpoint=legacy \
-		 $(mermet_rpool)/"$$p" ; \
+		 rpool/"$$p" ; \
 	 done
 	sudo zfs set \
 	 com.sun:auto-snapshot=false \
-	 $(mermet_rpool)/nix
+	 rpool/nix
 	sudo zfs set \
 	 sync=always \
-	 $(mermet_rpool)/nix/var
+	 rpool/nix/var
 	sudo zfs set \
 	 com.sun:auto-snapshot=false \
-	 $(mermet_rpool)/var/cache
+	 rpool/var/cache
 	sudo zfs set \
 	 com.sun:auto-snapshot=false \
 	 sync=disabled \
-	 $(mermet_rpool)/var/tmp
+	 rpool/var/tmp
 
 mermet-mount:
 	# scan needed zpools
-	#sudo zpool list $(mermet_bpool) || \
-	#sudo zpool import -f $(mermet_bpool)
-	sudo zpool list $(mermet_rpool) || \
-	sudo zpool import -f $(mermet_rpool)
+	#sudo zpool list bpool || \
+	#sudo zpool import -f bpool
+	sudo zpool list rpool || \
+	sudo zpool import -f rpool
 	# load encryption key
-	zfs get -H encryption $(mermet_rpool) | \
-	grep -q '^$(mermet_rpool)\s*encryption\s*off' || \
-	zfs get -H keystatus $(mermet_rpool) | \
-	grep -q '^$(mermet_rpool)\s*keystatus\s*available' || \
-	sudo zfs load-key $(mermet_rpool)
+	zfs get -H encryption rpool | \
+	grep -q '^rpool\s*encryption\s*off' || \
+	zfs get -H keystatus rpool | \
+	grep -q '^rpool\s*keystatus\s*available' || \
+	sudo zfs load-key rpool
 	# /
-	sudo mkdir -p /mnt/$(mermet_mnt)
-	sudo mountpoint /mnt/$(mermet_mnt) || \
-	sudo mount -v -t zfs $(mermet_rpool)/root /mnt/$(mermet_mnt)
+	sudo mkdir -p /mnt/mermet
+	sudo mountpoint /mnt/mermet || \
+	sudo mount -v -t zfs rpool/root /mnt/mermet
 	# /boot
-	sudo mkdir -p /mnt/$(mermet_mnt)/boot
-	sudo mountpoint /mnt/$(mermet_mnt)/boot || \
-	sudo mount -v $(mermet_disk)-part3 /mnt/$(mermet_mnt)/boot
-	#sudo mount -v -t zfs $(mermet_bpool)/boot /mnt/$(mermet_mnt)/boot
+	sudo mkdir -p /mnt/mermet/boot
+	sudo mountpoint /mnt/mermet/boot || \
+	sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
+	#sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
 	# /boot/efi
-	sudo mkdir -p /mnt/$(mermet_mnt)/boot/efi
-	sudo mountpoint /mnt/$(mermet_mnt)/boot/efi || \
-	sudo mount -v $(mermet_disk)-part2 /mnt/$(mermet_mnt)/boot/efi
+	sudo mkdir -p /mnt/mermet/boot/efi
+	sudo mountpoint /mnt/mermet/boot/efi || \
+	sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
 	# /*
 	for p in \
 	 home \
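Review bot: `sudo zpool list rpool || sudo zpool import -f rpool` in `mermet-mount` selects the pool by name only, so on an install host that already has a pool named `rpool` the `list` succeeds, the import is skipped, and the following `mount -t zfs rpool/root /mnt/mermet` mounts the host's own datasets into the install root. Restricting the search to the target disk, `sudo zpool import -f -d $(mermet_disk)-part5 rpool`, or importing by pool GUID removes the ambiguity. The `-f` also bypasses the hostid ownership check, which is expected on an installer but deserves a one-line comment so it is not copied into a deployment script.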
@@ -174,35 +174,48 @@ mermet-mount:
 	 var/tmp \
 	 var/www \
 	 ; do \
-		sudo mkdir -p /mnt/$(mermet_mnt)/"$$p"; \
-		sudo mountpoint /mnt/$(mermet_mnt)/"$$p" || \
-		sudo mount -v -t zfs $(mermet_rpool)/"$$p" /mnt/$(mermet_mnt)/"$$p" ; \
+		sudo mkdir -p /mnt/mermet/"$$p"; \
+		sudo mountpoint /mnt/mermet/"$$p" || \
+		sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
 	 done
-	sudo chmod 1777 /mnt/$(mermet_mnt)/var/tmp
+	sudo chmod 1777 /mnt/mermet/var/tmp
 
 mermet-bootstrap: mermet-mount
-	sudo mkdir -p bootstrap/$(mermet_mnt)/etc/nixos
-	sudo rm -rf "/mnt/$(mermet_mnt)/etc/nixos"
-	sudo mkdir -p /mnt/$(mermet_mnt)/etc
-	sudo install -D -o root -g root -m 600 \
-	 bootstrap/$(mermet_mnt)/etc/dropbear/host-ecdsa-key \
-	 /mnt/$(mermet_mnt)/etc/dropbear/host-ecdsa-key
-	sudo cp -vr \
-	 bootstrap/$(mermet_mnt)/etc/nixos \
-	 /mnt/$(mermet_mnt)/etc/
-	#test "$$(sudo grub-probe /mnt/$(mermet_mnt)/boot)" = zfs
+	sudo rm -rf /mnt/mermet/etc/nixos
+	#test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
 	# NOTE: nixos-install will install GRUB following configuration.nix
 	# BIOS
 	#sudo grub-install $(mermet_disk)
 	# UEFI
 	#sudo grub-install \
 	# --target=x86_64-efi \
-	# --efi-directory=/mnt/$(mermet_mnt)/boot/efi \
+	# --efi-directory=/mnt/mermet/boot/efi \
 	# --bootloader-id=nixos \
 	# --recheck \
 	# --no-floppy
-	sudo NIX_PATH="$$NIX_PATH" PATH="$$PATH" $$(which nixos-install) \
-	 --root /mnt/$(mermet_mnt) \
+	
+	pass sourcephile/mermet/dropbear/host-ecdsa.key | \
+	sudo install -D -o root -g root -m 400 /dev/stdin \
+	 /mnt/mermet/etc/dropbear/host-ecdsa.key && \
+	test -s /mnt/mermet/etc/dropbear/host-ecdsa.key
+	
+	#trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
+	sudo \
+	 GNUPGHOME="$$GNUPGHOME" \
+	 GPG_TTY="$$GPG_TTY" \
+	 LANG="$$LANG" \
+	 LC_CTYPE="$$LC_CTYPE" \
+	 MERMET_HOSTING="$(MERMET_HOSTING)" \
+	 MERMET_PHYSICAL="$(MERMET_PHYSICAL)" \
+	 NIXOS_CONFIG="$$(readlink -e ./configuration.nix)" \
+	 NIX_CONF_DIR="$$NIX_CONF_DIR" \
+	 NIX_PATH="$$NIX_PATH" \
+	 PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
+	 PATH="$$PATH" \
+	 SSL_CERT_FILE="$$SSL_CERT_FILE" \
+	 $$(which nixos-install) \
+	 --root /mnt/mermet \
+	 $(if $(mermet_channel),--channel "$(mermet_channel)") \
 	 --no-root-passwd
 
 mermet-umount:
@@ -220,16 +233,16 @@ mermet-umount:
 	 var \
 	 "" \
 	 ; do \
-		! sudo mountpoint /mnt/$(mermet_mnt)/"$$p" || \
-		sudo umount -v /mnt/$(mermet_mnt)/"$$p" ; \
+		! sudo mountpoint /mnt/mermet/"$$p" || \
+		sudo umount -v /mnt/mermet/"$$p" ; \
 	 done
-	! sudo zpool list $(mermet_rpool) 2>/dev/null || \
-	zfs get -H encryption $(mermet_rpool) | \
-	grep -q '^$(mermet_rpool)\s*encryption\s*off' || \
-	zfs get -H keystatus $(mermet_rpool) | \
-	grep -q '^$(mermet_rpool)\s*keystatus\s*unavailable' || \
-	sudo zfs unload-key $(mermet_rpool)
-	#! sudo zpool list $(mermet_bpool) 2>/dev/null || \
-	#sudo zpool export $(mermet_bpool)
-	! sudo zpool list $(mermet_rpool) 2>/dev/null || \
-	sudo zpool export $(mermet_rpool)
+	! sudo zpool list rpool 2>/dev/null || \
+	zfs get -H encryption rpool | \
+	grep -q '^rpool\s*encryption\s*off' || \
+	zfs get -H keystatus rpool | \
+	grep -q '^rpool\s*keystatus\s*unavailable' || \
+	sudo zfs unload-key rpool
+	#! sudo zpool list bpool 2>/dev/null || \
+	#sudo zpool export bpool
+	! sudo zpool list rpool 2>/dev/null || \
+	sudo zpool export rpool
diff --git a/install/mermet/configuration.nix b/install/mermet/configuration.nix
new file mode 100644
index 0000000..1c0b494
--- /dev/null
+++ b/install/mermet/configuration.nix
@@ -0,0 +1,8 @@
+{ pkgs, lib, config, ... }:
+{
+  imports =
+    [ ./physical.nix
+      ./hosting.nix
+      ./logical.nix
+    ];
+}
diff --git a/install/mermet/hosting.nix b/install/mermet/hosting.nix
new file mode 100644
index 0000000..d80cb10
--- /dev/null
+++ b/install/mermet/hosting.nix
@@ -0,0 +1,2 @@
+with builtins;
+import (toPath ./. + "/hosting/" + getEnv "MERMET_HOSTING" + ".nix")
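Review bot: `getEnv "MERMET_HOSTING"` yields `""` when the variable is not exported — e.g. when `install/logical.nix` is evaluated by nixops rather than through the Makefile — so the import resolves to `hosting/.nix` and fails with an unhelpful missing-file error. Failing with a name is cheaper to debug: `let h = builtins.getEnv "MERMET_HOSTING"; in if h == "" then throw "MERMET_HOSTING is unset" else import (./hosting + "/${h}.nix")`. Note also that `hosting/lab.nix` and `hosting/ptt.nix` are byte-identical in this commit (same blob `779b17e`), so the selector currently only changes which error you get.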
diff --git a/install/mermet/hosting/lab.nix b/install/mermet/hosting/lab.nix
new file mode 100644
index 0000000..779b17e
--- /dev/null
+++ b/install/mermet/hosting/lab.nix
@@ -0,0 +1,8 @@
+{ pkgs, lib, config, ... }:
+{
+  networking = {
+    interfaces.enp1s0.useDHCP = true;
+    interfaces.enp2s0.useDHCP = true;
+    interfaces.enp3s0.useDHCP = true;
+  };
+}
diff --git a/install/mermet/hosting/ptt.nix b/install/mermet/hosting/ptt.nix
new file mode 100644
index 0000000..779b17e
--- /dev/null
+++ b/install/mermet/hosting/ptt.nix
@@ -0,0 +1,8 @@
+{ pkgs, lib, config, ... }:
+{
+  networking = {
+    interfaces.enp1s0.useDHCP = true;
+    interfaces.enp2s0.useDHCP = true;
+    interfaces.enp3s0.useDHCP = true;
+  };
+}
diff --git a/install/mermet/logical.nix b/install/mermet/logical.nix
new file mode 100644
index 0000000..9f84450
--- /dev/null
+++ b/install/mermet/logical.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+{
+  imports =
+    [ ./logical/boot.nix
+      ./logical/zfs.nix
+      ./logical/system.nix
+    ];
+}
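Review bot: `./logical/networking.nix` — the file this commit adds to carry `networking.hostName = "mermet"` — is missing from this import list, and the same commit removes `hostName` from `logical/system.nix`, so as far as the visible files go the host name falls back to the NixOS default. That also silently changes the `pass` lookup paths built from `${networking.hostName}` in `install/logical/mermet.nix` and `physical/apu2e4.nix`. Add `./logical/networking.nix` to the list.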
diff --git a/install/mermet/logical/boot.nix b/install/mermet/logical/boot.nix
new file mode 100644
index 0000000..96c205b
--- /dev/null
+++ b/install/mermet/logical/boot.nix
@@ -0,0 +1,5 @@
+{ pkgs, lib, config, ... }:
+{
+  # Clean /tmp automatically on boot.
+  boot.cleanTmpDir = true;
+}
diff --git a/install/mermet/logical/etc/inputrc b/install/mermet/logical/etc/inputrc
new file mode 100644
index 0000000..d3da985
--- /dev/null
+++ b/install/mermet/logical/etc/inputrc
@@ -0,0 +1,67 @@
+# /etc/inputrc - global inputrc for libreadline
+# See readline(3readline) and `info rluserman' for more information.
+
+# Be 8 bit clean.
+set input-meta on
+set output-meta on
+
+# To allow the use of 8bit-characters like the german umlauts, uncomment
+# the line below. However this makes the meta key not work as a meta key,
+# which is annoying to those which don't need to type in 8-bit characters.
+
+# set convert-meta off
+
+# try to enable the application keypad when it is called.  Some systems
+# need this to enable the arrow keys.
+# set enable-keypad on
+
+# see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
+
+# do not bell on tab-completion
+# set bell-style none
+# set bell-style visible
+
+# some defaults / modifications for the emacs mode
+$if mode=emacs
+
+# allow the use of the Home/End keys
+"\e[1~": beginning-of-line
+"\e[4~": end-of-line
+
+# allow the use of the Delete/Insert keys
+"\e[3~": delete-char
+"\e[2~": quoted-insert
+
+# mappings for "page up" and "page down" to step to the beginning/end
+# of the history
+# "\e[5~": beginning-of-history
+# "\e[6~": end-of-history
+
+# alternate mappings for "page up" and "page down" to search the history
+# "\e[5~": history-search-backward
+# "\e[6~": history-search-forward
+
+# mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
+"\e[1;5C": forward-word
+"\e[1;5D": backward-word
+"\e[5C": forward-word
+"\e[5D": backward-word
+"\e\e[C": forward-word
+"\e\e[D": backward-word
+
+$if term=rxvt
+"\e[7~": beginning-of-line
+"\e[8~": end-of-line
+"\eOc": forward-word
+"\eOd": backward-word
+$endif
+
+# for non RH/Debian xterm, can't hurt for RH/Debian xterm
+# "\eOH": beginning-of-line
+# "\eOF": end-of-line
+
+# for freebsd console
+# "\e[H": beginning-of-line
+# "\e[F": end-of-line
+
+$endif
diff --git a/install/mermet/logical/networking.nix b/install/mermet/logical/networking.nix
new file mode 100644
index 0000000..dcf53ce
--- /dev/null
+++ b/install/mermet/logical/networking.nix
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+{
+  networking = {
+    hostName = "mermet";
+  };
+}
diff --git a/bootstrap/mermet/etc/nixos/configuration.nix b/install/mermet/logical/system.nix
similarity index 58%
rename from bootstrap/mermet/etc/nixos/configuration.nix
rename to install/mermet/logical/system.nix
index efb2243..1777211 100644
--- a/bootstrap/mermet/etc/nixos/configuration.nix
+++ b/install/mermet/logical/system.nix
@@ -1,15 +1,5 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, lib, pkgs, ... }:
-
+{ pkgs, lib, config, ... }:
 {
-  imports =
-    [ ./hardware-configuration.nix
-      ./zfs-configuration.nix
-    ];
-
   nix = {
     autoOptimiseStore = true;
     extraOptions = ''
@@ -35,25 +25,6 @@
     };
     #overlays = import ../overlays.nix;
   };
-
-  time = {
-    timeZone = "Europe/Paris";
-  };
-
-  i18n = {
-    consoleFont   = "Lat2-Terminus16";
-    consoleKeyMap = "fr";
-    defaultLocale = "fr_FR.UTF-8";
-  };
-
-  networking = {
-    hostName = "mermet";
-    wireless.enable = false;
-    interfaces.enp1s0.useDHCP = true;
-    interfaces.enp2s0.useDHCP = true;
-    interfaces.enp3s0.useDHCP = true;
-  };
-
   users = {
     mutableUsers = false;
     users = {
@@ -74,6 +45,16 @@
     enable = false; # NOTE: useless on this machine, and CPU intensive.
   };
 
+  time = {
+    timeZone = "Europe/Paris";
+  };
+
+  i18n = {
+    consoleFont   = "Lat2-Terminus16";
+    consoleKeyMap = "fr";
+    defaultLocale = "fr_FR.UTF-8";
+  };
+
   services = {
     openssh = {
       enable = true;
@@ -106,75 +87,7 @@
       zfs
     ];
 
-    etc."inputrc".text = ''
-      # /etc/inputrc - global inputrc for libreadline
-      # See readline(3readline) and `info rluserman' for more information.
-
-      # Be 8 bit clean.
-      set input-meta on
-      set output-meta on
-
-      # To allow the use of 8bit-characters like the german umlauts, uncomment
-      # the line below. However this makes the meta key not work as a meta key,
-      # which is annoying to those which don't need to type in 8-bit characters.
-
-      # set convert-meta off
-
-      # try to enable the application keypad when it is called.  Some systems
-      # need this to enable the arrow keys.
-      # set enable-keypad on
-
-      # see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
-
-      # do not bell on tab-completion
-      # set bell-style none
-      # set bell-style visible
-
-      # some defaults / modifications for the emacs mode
-      $if mode=emacs
-
-      # allow the use of the Home/End keys
-      "\e[1~": beginning-of-line
-      "\e[4~": end-of-line
-
-      # allow the use of the Delete/Insert keys
-      "\e[3~": delete-char
-      "\e[2~": quoted-insert
-
-      # mappings for "page up" and "page down" to step to the beginning/end
-      # of the history
-      # "\e[5~": beginning-of-history
-      # "\e[6~": end-of-history
-
-      # alternate mappings for "page up" and "page down" to search the history
-      # "\e[5~": history-search-backward
-      # "\e[6~": history-search-forward
-
-      # mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
-      "\e[1;5C": forward-word
-      "\e[1;5D": backward-word
-      "\e[5C": forward-word
-      "\e[5D": backward-word
-      "\e\e[C": forward-word
-      "\e\e[D": backward-word
-
-      $if term=rxvt
-      "\e[7~": beginning-of-line
-      "\e[8~": end-of-line
-      "\eOc": forward-word
-      "\eOd": backward-word
-      $endif
-
-      # for non RH/Debian xterm, can't hurt for RH/Debian xterm
-      # "\eOH": beginning-of-line
-      # "\eOF": end-of-line
-
-      # for freebsd console
-      # "\e[H": beginning-of-line
-      # "\e[F": end-of-line
-
-      $endif
-    '';
+    etc."inputrc".text = lib.readFile etc/inputrc;
   };
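Review bot: Style: `etc."inputrc".text = lib.readFile etc/inputrc;` reads the file into the evaluator only to write it back out as a store file; `etc."inputrc".source = ./etc/inputrc;` expresses the same thing directly and uses the conventional `./` path-literal form. The enclosing `environment` attribute set starts outside the hunk.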
 
   programs = {
diff --git a/install/mermet/logical/zfs.nix b/install/mermet/logical/zfs.nix
new file mode 100644
index 0000000..01272d0
--- /dev/null
+++ b/install/mermet/logical/zfs.nix
@@ -0,0 +1,94 @@
+{ pkgs, lib, config, ... }:
+
+{
+  imports = [];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  # The 32-bit host id of the machine, formatted as 8 hexadecimal characters.
+  # You should try to make this id unique among your machines.
+  # Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2
+  networking.hostId = "69c40b03";
+
+  # noop, the recommended elevator with zfs.
+  boot.kernelParams = [
+    "elevator=noop"
+  ];
+
+  # FIXME: Uncomment [on a working system] to ensure extra safeguards are active that zfs uses to protect zfs pools:
+  #boot.zfs.forceImportAll = false;
+  #boot.zfs.forceImportRoot = false;
+
+  boot.zfs.enableUnstable = true;
+  boot.zfs.requestEncryptionCredentials = true;
+
+  # Enables periodic scrubbing of ZFS pools.
+  services.zfs.autoScrub.enable = true;
+
+  /*
+  # Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service.
+  services.zfs.autoSnapshot = {
+    enable   = true;
+    frequent = ;
+    hourly   = ;
+    daily    = ;
+    weekly   = ;
+    monthly  = ;
+  };
+  */
+  /*
+  fileSystems."/boot" =
+    { device = "bpool/boot";
+      fsType = "zfs";
+    };
+  */
+  fileSystems."/" =
+    { device = "rpool/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix/var" =
+    { device = "rpool/nix/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "rpool/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/cache" =
+    { device = "rpool/var/cache";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/log" =
+    { device = "rpool/var/log";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/mail" =
+    { device = "rpool/var/mail";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/tmp" =
+    { device = "rpool/var/tmp";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/www" =
+    { device = "rpool/var/www";
+      fsType = "zfs";
+    };
+
+}
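Review bot: The `FIXME` leaves `boot.zfs.forceImportRoot` and `forceImportAll` at their defaults, which in nixpkgs of this vintage means the root pool is force-imported on every boot, disabling the hostid ownership check that guards against importing a pool still active elsewhere. `networking.hostId` is now pinned here and `mermet-umount` in the Makefile does a clean `zpool export rpool`, so a non-forced import should presumably succeed on first boot; `boot.zfs.forceImportRoot = false;` looks safe to enable, ideally tried on the virtualbox variant first. Two smaller points for a comment: `requestEncryptionCredentials = true` assumes an encrypted `rpool` while the Makefile's `mermet_cipher` defaults to empty, and `elevator=noop` is ignored by multiqueue block kernels.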
diff --git a/install/mermet/physical.nix b/install/mermet/physical.nix
new file mode 100644
index 0000000..acea9dd
--- /dev/null
+++ b/install/mermet/physical.nix
@@ -0,0 +1,2 @@
+with builtins;
+import (toPath ./. + "/physical/" + getEnv "MERMET_PHYSICAL" + ".nix")
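Review bot: Same issue as `hosting.nix`: an unset `MERMET_PHYSICAL` produces an import of `physical/.nix` and a missing-file error that does not mention the variable. `let p = builtins.getEnv "MERMET_PHYSICAL"; in if p == "" then throw "MERMET_PHYSICAL is unset" else import (./physical + "/${p}.nix")` fails with the cause. Since the choice decides which disk ids and bootloader device the system is built for, a comment listing the valid values (`apu2e4`, `virtualbox`) belongs here as well.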
diff --git a/bootstrap/mermet/etc/nixos/zfs-configuration.nix b/install/mermet/physical/apu2e4.nix
similarity index 50%
rename from bootstrap/mermet/etc/nixos/zfs-configuration.nix
rename to install/mermet/physical/apu2e4.nix
index 29a03a6..ea89b0f 100644
--- a/bootstrap/mermet/etc/nixos/zfs-configuration.nix
+++ b/install/mermet/physical/apu2e4.nix
@@ -1,8 +1,69 @@
-{ config, lib, pkgs, ... }:
-
+{ pkgs, lib, config, ... }:
+let inherit (builtins.extraBuiltins) pass pass-to-file;
+    inherit (config) networking;
+    userPass = name: pass "${networking.domainBase}/${networking.hostName}/login/${name}";
+in
 {
-  imports = [];
-  boot.supportedFilesystems = [ "zfs" ];
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.loader = {
+    grub = {
+      enable = true;
+      version = 2;
+      copyKernels = true;
+      # efiSupport = true;
+      devices = [
+        "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
+      ];
+      /*
+      mirroredBoots = [
+        { devices = [ "${disk_id}" ];
+          path    = "/boot${bootnum}";
+        }
+      ];
+      */
+    };
+    /*
+    efi = {
+      canTouchEfiVariables = true;
+      efiSysMountPoint = "/boot/efi";
+      efiInstallAsRemovable = false;
+    };
+    */
+  };
+
+  boot.initrd = {
+    availableKernelModules = [
+      "ahci"
+      "ehci_pci"
+      "sd_mod"
+      "uas"
+      # Made the AES modules available at initrd,
+      # to speedup the deciphering of the root.
+      "aes_x86_64"
+      "aesni_intel"
+      "cryptd"
+    ];
+    kernelModules = [ ];
+  };
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.kernelParams = [
+    "gfxpayload=text"
+    "console=tty0"
+    "console=ttyS0,115200n8"
+    # DEBUG: "boot.shell_on_fail"
+    "zfs.zfs_arc_max=262144000" # 250Mo
+  ];
+  boot.kernel = {
+    sysctl = {
+      "vm.swappiness" = 10;
+      "vm.vfs_cache_pressure" = 50;
+    };
+  };
+
   boot.initrd.network = {
     # This will use udhcp to get an ip address.
     # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`, 
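Review bot: `boot.loader.grub.devices` hard-codes the SSD's by-id path while the Makefile derives the same disk from the `device:` line of `physical/sfdisk.txt`; two sources of truth for the boot disk drift easily (a replaced drive updates one but not the other), so either note in `sfdisk.txt` that its `device:` must match this entry or read the device from one place. The `let` binds `pass`, `pass-to-file` and `userPass`, none of which appears in the visible part of this file; its body continues past the hunk, so they may be used further down — otherwise drop them. The AES initrd-module comment says they speed up "deciphering of the root", which only holds when `mermet_cipher` is set in the Makefile.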
@@ -18,7 +79,8 @@
        # dropbear uses key format different from openssh; can be generated by using:
        # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
        # WARNINg: this key will be in the NixOS store and the initrd and thus maybe on cleartext storage.
-       hostECDSAKey = ../dropbear/host-ecdsa-key;
+       # Unfortunately pass cannot be used here because the key is not a valid Nix string.
+       hostECDSAKey = ../../../.sec/dropbear/mermet-ecdsa.key ;
        # public ssh key used for login
        authorizedKeys = [
          # julm
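Review bot: `hostECDSAKey = ../../../.sec/dropbear/mermet-ecdsa.key` makes a private key a Nix path literal, so besides the initrd on the unencrypted ext2 `/boot` it is copied into the installed system's world-readable `/nix/store`, which the `WARNINg` comment above only half states; the path resolves to repo-root `.sec/`, and the only ignore rule in this commit (`*-key` under `bootstrap/mermet/etc/dropbear`) does not cover it. The `let` header of this file binds `pass-to-file`, which looks like the extra-builtin meant for exactly the "not a valid Nix string" problem the new comment describes — confirm whether it can replace the path literal here. At minimum the comment should read `# NOTE: this path literal is copied into the world-readable /nix/store and into the initrd on the unencrypted /boot; keep .sec/ out of version control.` The enclosing `boot.initrd.network.ssh` block starts and ends outside the hunk.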
@@ -33,38 +95,26 @@
     '';
   };
 
-  # The 32-bit host id of the machine, formatted as 8 hexadecimal characters.
-  # You should try to make this id unique among your machines.
-  # Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2
-  networking.hostId = "69c40b03";
-
-  # noop, the recommended elevator with zfs.
-  # shell_on_fail allows to force import manually in the case of zfs import failure.
-  boot.kernelParams = [
-    "elevator=noop"
-    "zfs.zfs_arc_max=262144000" # 250Mo
-  ];
-
-  # FIXME: Uncomment [on a working system] to ensure extra safeguards are active that zfs uses to protect zfs pools:
-  #boot.zfs.forceImportAll = false;
-  #boot.zfs.forceImportRoot = false;
-
-  boot.zfs.enableUnstable = true;
-  boot.zfs.requestEncryptionCredentials = true;
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
+      fsType = "ext2";
+    };
 
-  # Enables periodic scrubbing of ZFS pools.
-  services.zfs.autoScrub.enable = true;
+  fileSystems."/boot/efi" =
+    { device = "/dev/disk/by-uuid/62E6-E65F";
+      fsType = "vfat";
+    };
 
-  /*
-  # Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service.
-  services.zfs.autoSnapshot = {
-    enable   = true;
-    frequent = ;
-    hourly   = ;
-    daily    = ;
-    weekly   = ;
-    monthly  = ;
-  };
-  */
+  swapDevices =
+    [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
+        randomEncryption = {
+          enable = true;
+          cipher = "aes-xts-plain64";
+          source = "/dev/urandom";
+        };
+      }
+    ];
 
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
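Review bot: `networking.hostId`, the `boot.zfs.forceImport*` safeguards and `services.zfs.autoScrub` are removed from this file with no replacement visible in the hunk; from the diffstat they presumably moved to the new `install/mermet/logical/zfs.nix`, but that should be confirmed, because the NixOS ZFS module asserts that `networking.hostId` is set and a pool will not import with a mismatching id. The new `fileSystems."/boot/efi"` mounts the ESP while `efiSupport` and `boot.loader.efi` stay commented out earlier in the file, so a comment such as `# ESP kept mounted for a later EFI switch; GRUB is currently BIOS-installed` would tell the next reader which boot path is live. The `randomEncryption` swap entry looks right; it also rules out hibernation, which is fine for a server but worth a word in a comment.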
diff --git a/bootstrap/mermet/etc/sfdisk.txt b/install/mermet/physical/sfdisk.txt
similarity index 100%
rename from bootstrap/mermet/etc/sfdisk.txt
rename to install/mermet/physical/sfdisk.txt
diff --git a/install/mermet/physical/virtualbox.nix b/install/mermet/physical/virtualbox.nix
new file mode 100644
index 0000000..4a91669
--- /dev/null
+++ b/install/mermet/physical/virtualbox.nix
@@ -0,0 +1,35 @@
+{ pkgs, lib, config, options, ... }:
+let ipv4 = if options.networking.privateIPv4.isDefined
+           then config.networking.privateIPv4
+           else "X.X.X.X";
+in {
+config = {
+  deployment.targetEnv             = "virtualbox";
+  deployment.virtualbox.headless   = true;
+  deployment.virtualbox.memorySize = 1024;
+  deployment.virtualbox.vcpu       = 2;
+  deployment.virtualbox.disks.disk1.baseImage = ../../../.cache/nixops/virtualbox/nixops.vmdk;
+  #deployment.virtualbox.disks.disk1.size = 6024;
+   # NOTE: resize not yet supported.
+
+  deployment.storeKeysOnMachine = true;
+  networking = {
+    interfaces."enp0s8" = {
+      #macAddress = "00:11:22:33:44:55";
+      #ipv4.addresses = [ { address = ipv4; prefixLength = 32; } ];
+      ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
+    };
+    zones = {
+      net = {
+        iface = "enp0s3";
+        ipv4  = ipv4;
+      };
+      lan = {
+        iface = "enp0s8";
+        ipv4  = ipv4;
+        #ipv6  = "fe80::1";
+      };
+    };
+  };
+};
+}
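Review bot: The `"X.X.X.X"` fallback in the `let` at the top silently becomes the `ipv4` of both zones whenever `networking.privateIPv4` is undefined; since the zone option is typed as a plain string, nothing rejects it and the bogus address only surfaces wherever it is consumed. Either fail at evaluation time, e.g. `else throw "networking.privateIPv4 must be defined for the virtualbox target"`, or leave the zone `ipv4` attributes unset in that case. `deployment.storeKeysOnMachine = true` keeps nixops-managed keys on the VM's disk instead of in memory (as I read the nixops option, to be confirmed), which is acceptable for a throwaway staging VM but deserves a comment saying so, so the line is not copied into the physical production module. The `# NOTE: resize not yet supported.` line is indented one column deeper than the option it explains.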
diff --git a/install/options.nix b/install/options.nix
new file mode 100644
index 0000000..5c6cfb7
--- /dev/null
+++ b/install/options.nix
@@ -0,0 +1,36 @@
+{pkgs, lib, config, system, ...}: {
+options = {
+  enable = lib.mkEnableOption "friot";
+  networking.domainBase = lib.mkOption {
+    type        = types.str;
+    description = "Base network name.";
+    example     = "example";
+  };
+  networking.domainAliases = lib.mkOption {
+    type        = types.listOf types.str;
+    description = "Domain aliases.";
+    example     = [ "example.org" "example.net" ];
+  };
+  networking.zones = lib.mkOption {
+    type = types.attrsOf (types.submodule ({name, options, config, ...}: {
+      options = {
+        iface = lib.mkOption {
+          type        = types.str;
+          description = "Interface name.";
+          example     = "eth0";
+        };
+        ipv4 = lib.mkOption {
+          type        = types.str;
+          description = "Static IPv4 address of the machine.";
+          example     = "1.2.3.4";
+        };
+        ipv6 = lib.mkOption {
+          type        = types.str;
+          description = "Static IPv6 address of the machine.";
+          example     = "fe80::1";
+        };
+      };
+    }));
+  };
+};
+}
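Review bot: `types` is used throughout this module (`types.str`, `types.listOf`, `types.attrsOf`, `types.submodule`) but is never bound: the argument set is `{pkgs, lib, config, system, ...}` and there is no `with lib;`, so evaluating any host that imports this file should fail with an undefined variable. The smallest fix is `{pkgs, lib, config, system, ...}: let inherit (lib) types; in {`, or qualifying every use as `lib.types.…`. Separately, `ipv4` and `ipv6` are unvalidated strings, so a placeholder such as the `X.X.X.X` used by the virtualbox module passes the type check; until a stricter type is chosen, the `description` should say the value is used verbatim by the consuming modules. The top-level `enable = lib.mkEnableOption "friot"` reads as a leftover from the friot-specific module and is not referenced anywhere in this patch.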
diff --git a/install/physical/nixos.nix b/install/physical/production.nix
similarity index 72%
rename from install/physical/nixos.nix
rename to install/physical/production.nix
index d0cd497..68731ab 100644
--- a/install/physical/nixos.nix
+++ b/install/physical/production.nix
@@ -1,5 +1,7 @@
+# Sourcephile physical network
 {
-  friot = {pkgs, config, ...}: {
+  /*
+  friot = {pkgs, lib, config, ...}: {
     deployment.targetHost = "1.2.3.4";
     deployment.autoLuks = {
       # NOTE: not working on virtualbox deployment
@@ -21,4 +23,8 @@
       };
     };
   };
+  */
+  mermet = {pkgs, lib, config, ...}: {
+    deployment.targetHost = "mermet.sourcephile.fr";
+  };
 }
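Review bot: The `friot` host is retained as a `/* … */` comment rather than deleted, so `production.nix` now carries a dead definition that will drift from the real modules; the rename already records the intent, and version history keeps the old block, so removing it is cleaner (the commented block starts in the previous hunk). The new `mermet` entry binds `{pkgs, lib, config, ...}` without using any of them; `mermet = { ... }: {` makes that explicit. A short comment on the entry, e.g. `# targetHost is resolved by DNS at deploy time; verify the host key in known_hosts before the first deploy`, would document how the production host is reached.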
diff --git a/install/physical/virtualbox.nix b/install/physical/staging.nix
similarity index 100%
rename from install/physical/virtualbox.nix
rename to install/physical/staging.nix
diff --git a/shell.nix b/shell.nix
index 950b09b..afb6ea5 100644
--- a/shell.nix
+++ b/shell.nix
@@ -30,10 +30,10 @@ let
         #nix-plugins.nix-with-extra-builtins
       ];
     };
-  nixos-generate-config =
-    (pkgs.nixos {}).nixos-generate-config;
-  nixos-install =
-    (pkgs.nixos {}).nixos-install;
+  nixos = pkgs.nixos {};
+  nixos-generate-config = nixos.nixos-generate-config;
+  nixos-install         = nixos.nixos-install;
+  nixos-enter           = nixos.nixos-enter;
 in
 pkgs.stdenv.mkDerivation {
   name = "sourcephile-nix";
@@ -45,11 +45,12 @@ pkgs.stdenv.mkDerivation {
     nixpkgs
     nixos-generate-config
     nixos-install
+    nixos-enter
     #pkgs.binutils
     pkgs.coreutils
     pkgs.cryptsetup
     pkgs.curl
-    pkgs.direnv
+    #pkgs.direnv
     #pkgs.dnsutils
     #pkgs.dropbear
     pkgs.e2fsprogs
@@ -86,10 +87,13 @@ pkgs.stdenv.mkDerivation {
     pkgs.xdg_utils
     pkgs.zfs
     pkgs.fio
+    pkgs.strace
     #pkgs.zfstools
   ];
   #enableParallelBuilding = true;
   shellHook = ''
+    echo >&2 "nix: running shellHook"
+
     # nix
     export NIX_PATH="nixpkgs=${nixpkgs}:nixpkgs-sourcephile=$PWD/.lib/nixpkgs-sourcephile"
     #NIX_PATH+=":nixpkgs-overlays="$PWD"/install/overlays.nix"
@@ -103,6 +107,14 @@ pkgs.stdenv.mkDerivation {
     export PATH="$PATH_NIXOS:$PATH_FHS_VBOX:$PATH_FHS:$PATH:$PATH_NIX"
     ln -sfn ${sourcephile-nix-build}/bin "$PWD"/.bin
 
+    # nix.conf
+    export NIX_CONF_DIR="$PWD"/.config/nix
+    install -D /dev/stdin "$PWD"/.config/nix/nix.conf <<-EOF
+    auto-optimise-store = true
+    plugin-files        = ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so
+    extra-builtins-file = ${sourcephile-nix-build-modules.nix-plugins.extra-builtins}
+    EOF
+
     # NOTE: sudo needs to be own by root with the setuid bit,
     # but this won't be the case for the sudo provided by Nix outside NixOS,
     # hence the addition of $PATH_FHS in shellHook
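Review bot: The generated `nix.conf` enables `plugin-files` with the extra-builtins plugin and points `extra-builtins-file` at a repository-controlled file, so every Nix evaluation started from this shell — including `nixops` evaluating the host modules — can call whatever those extra builtins expose, which in this plugin's design includes running commands at evaluation time, as the `# Extend the Nix interpreter` comment further down hints. That is the purpose of the setup, but it should be stated where the file is written, e.g. `# NOTE: extra-builtins lets Nix expressions in this repo run commands at evaluation time; review extra-builtins-file before evaluating untrusted changes`. Redirecting `NIX_CONF_DIR` to `$PWD/.config/nix` also means the system `nix.conf` is no longer consulted in this shell (substituters, trusted keys), which deserves a comment or a merge of those settings. The `<<-EOF` heredoc only strips leading tabs, so it relies on the `''` string's indentation stripping to land `EOF` in column 0; a plain `<<EOF` behaves the same here and is less surprising if the nesting ever changes.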
@@ -125,6 +137,7 @@ pkgs.stdenv.mkDerivation {
     export PASSWORD_STORE_DIR="$PWD"/../sec/pass
 
     # openssl
+    export NIX_SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
     export SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
 
     # git
@@ -135,7 +148,7 @@ pkgs.stdenv.mkDerivation {
      "$gitdir"/hooks/prepare-commit-msg
 
     # nixops
-    export NIXOPS_DEPLOYMENT="virtualbox"
+    #export NIXOPS_DEPLOYMENT="staging"
     export NIXOPS_STATE="$PWD"/.sec/nixops/state.nixops
     # Extend the Nix interpreter
     # to enable builtins.extraBuiltins,
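Review bot: Commenting out `NIXOPS_DEPLOYMENT` leaves the shell without a default deployment; with both `staging` and `production` in the state file nixops should refuse to pick one (as far as I recall it demands `-d`), which is safe, but when only `production` happens to exist it becomes the implicit target of every `nixops deploy`. Keeping an explicit `export NIXOPS_DEPLOYMENT="staging"` keeps production reachable only with an explicit `-d production`, which is the safer default for a shared dev shell.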
-- 
2.47.2