Add initial config for tower

2022-09-08 20:31:44 +01:00
parent 544fcc3d00
commit 64847d5e8e
24 changed files with 171 additions and 36 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -98,6 +98,7 @@
        # Systems
        nixos/installer.nix
        nixos/boxes/colony
+        nixos/boxes/tower

        # Homes
        home-manager/configs/castle.nix
--- a/nixos/boxes/tower/default.nix
+++ b/nixos/boxes/tower/default.nix
@@ -0,0 +1,130 @@
+{ lib, ... }: {
+  nixos.systems.tower = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+    home-manager = "mine";
+
+    configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }:
+      let
+        inherit (lib) mkIf mkMerge mkForce;
+      in
+      {
+        hardware = {
+          enableRedistributableFirmware = true;
+          cpu = {
+            intel.updateMicrocode = true;
+          };
+        };
+
+        boot = {
+          loader.efi.canTouchEfiVariables = true;
+          kernelPackages = pkgs.linuxKernel.packages.linux_5_19;
+          kernelModules = [ "kvm-intel" ];
+          kernelParams = [ "intel_iommu=on" ];
+          initrd = {
+            availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "thunderbolt" ];
+            luks = {
+              reusePassphrases = true;
+              devices = {
+                persist = {
+                  device = "/dev/disk/by-uuid/27840c6f-445c-4b95-8c39-e69d07219f33";
+                  allowDiscards = true;
+                  preLVM = false;
+                };
+                home = {
+                  device = "/dev/disk/by-uuid/c16c5038-7883-42c3-960a-a085a99364eb";
+                  allowDiscards = true;
+                  preLVM = false;
+                };
+              };
+            };
+          };
+        };
+
+        fileSystems = {
+          "/boot" = {
+            device = "/dev/disk/by-partuuid/66bc15d3-83dd-ea47-9753-3fb88eab903f";
+            fsType = "vfat";
+          };
+          "/nix" = {
+            device = "/dev/disk/by-uuid/cd597ff0-ca72-4a13-84c8-91b9c09e0a29";
+            fsType = "ext4";
+          };
+
+          "/persist" = {
+            device = "/dev/disk/by-uuid/1e9b6a54-bd8d-4ff3-8c06-7b214a35db57";
+            fsType = "ext4";
+            neededForBoot = true;
+          };
+          "/home" = {
+            device = "/dev/disk/by-uuid/5dc99dd6-0d05-45b3-acb6-03c29a9b9388";
+            fsType = "ext4";
+          };
+        };
+
+        console.keyMap = "uk";
+
+        services = {
+          lvm = {
+            boot.thin.enable = true;
+            dmeventd.enable = true;
+          };
+          fstrim.enable = true;
+
+          resolved = {
+            enable = true;
+            extraConfig = mkForce "";
+          };
+        };
+
+        networking = {
+          networkmanager = {
+            enable = true;
+            dns = "systemd-resolved";
+            wifi = {
+              backend = "wpa_supplicant";
+            };
+            extraConfig = ''
+              [main]
+              no-auto-default=*
+            '';
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          dhcpcd
+          pciutils
+          usbutils
+          lm_sensors
+          linuxPackages.cpupower
+          brightnessctl
+        ];
+
+        systemd = {
+          network = {
+            links = {
+              "10-wifi" = {
+                matchConfig.MACAddress = "8c:f8:c5:55:96:1e";
+                linkConfig.Name = "wifi";
+              };
+            };
+          };
+        };
+
+        my = {
+          user = {
+            tmphome = false;
+          };
+
+          #deploy.generate.system.mode = "boot";
+          secrets = {
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOU+UxJh8PZoiXV+0CRumv9Xsk6Fks4YMYRZcThmaJkB";
+          };
+
+          firewall = {
+            enable = true;
+          };
+        };
+      };
+  };
+}
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -86,6 +86,7 @@ in
      };

      time.timeZone = mkDefault "Europe/Dublin";
+      i18n.defaultLocale = "en_IE.UTF-8";

      boot = {
        # Use latest LTS release by default
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -337,6 +337,9 @@ in
          "/var/lib/cni"
        ];
      })
+      (mkIf config.networking.networkmanager.enable {
+        my.tmproot.persistence.config.directories = [ "/var/lib/NetworkManager" ];
+      })
      (mkIf config.my.build.isDevVM {
        fileSystems = mkVMOverride {
          # Hijack the "root" device for persistence in the VM
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -11,6 +11,7 @@ in
  options.my.user = with lib.types; {
    enable = mkBoolOpt' true "Whether to create a primary user.";
    passwordSecret = mkOpt' (nullOr str) "user-passwd.txt" "Name of user password secret.";
+    tmphome = mkBoolOpt' true "Whether to persist home directory files under tmproot";
    config = mkOption {
      type = options.users.users.type.nestedTypes.elemType;
      default = { };
@@ -46,7 +47,7 @@ in
            _module.args.name = lib.mkForce user'.name;
          };
        };
-        tmproot = {
+        tmproot = mkIf cfg.tmphome {
          unsaved.ignore = [
            # Auto-generated (on activation?)
            "/home/${user'.name}/.nix-profile"
--- a/secrets/chatterbox/nul.ie.signing.key.age
+++ b/secrets/chatterbox/nul.ie.signing.key.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 ZB3e6Q iCLxItNihRG7KUDgcUm4vrtWQblN5hdYwvAegw0m5DQ
-nQSrxGdOaWjtjYssejOg1DoNRnIYNznRzDJUEcWCUgA
-> X25519 eE1k40fJ67VXFqUJ8pB2Ll8/s1K0kD3YkfMQnOqKiTw
-nH9+nHG8pAVLn5krLSNGc18FEMcp6o5NKkf/ciuFPY8
-> U|8z(Y7-grease n 6
-DNyQQUnKJ9kGTrZY0pj67eeuEMpyn69awH4v0+RZiS9GaVRNPz9dv6VfzI178NDv
-wb2gQLYc/5QFlvKo1pYx12AxxF3LvrwhNm8w9nvVjXUzFqn7SvoFxszxtw
--- bQBm6Njo6zu9+Xwao1BlMfBUXYL8TbytByW27Hde/Tg
-<EFBFBD><EFBFBD>v<EFBFBD><EFBFBD><EFBFBD>\<5C>'<27><>_<05><><EFBFBD><EFBFBD>H<EFBFBD><48><EFBFBD><EFBFBD><EFBFBD>(=a<><61>Jf<4A><66><16>+<2B><><EFBFBD>R<EFBFBD><1F><><EFBFBD><EFBFBD>,(<28><>+<2B><>W<EFBFBD>{?<02>Zn<5A>Q<EFBFBD><51>~<7E>a<EFBFBD>><3E><>)<29><><EFBFBD>gF<67><46>X<EFBFBD>rM4<4D><34>y<EFBFBD><79>
+-> ssh-ed25519 ZB3e6Q LYlElJVGV47nZ5AxrU6C8AfCrK3Br1DqMnozUVbzXAY
+DthCj922i2ud9PJrBtVpkF6Mvs0tG/xQViIZxNewI9Q
+-> X25519 D3YiBnszJ0a/e5VOVEonqGB7T0OWC7p7w3cNU7G3skc
+/IQOnNqHGu/nY1g6QijCr5mpfmGEs6SAGK9/jiOqtd4
+-> $Yg5VBMZ-grease XSfpS" k} (
+EPfUi7eQKyf8bB6C9PIvVieDte6X7IR54zhP+CcmAw
+--- KflE5p2fLkFzlQbOCpF/lZWO6Nq2m273tgE0/UqMeS4
+
--- a/secrets/chatterbox/synapse.yaml.age
+++ b/secrets/chatterbox/synapse.yaml.age
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/estuary/netdata/powerdns.conf.age
+++ b/secrets/estuary/netdata/powerdns.conf.age
--- a/secrets/estuary/netdata/powerdns_recursor.conf.age
+++ b/secrets/estuary/netdata/powerdns_recursor.conf.age
--- a/secrets/estuary/pdns/auth.conf.age
+++ b/secrets/estuary/pdns/auth.conf.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 n8CpUw gSOLNKBwaCiP9TqcaIBrRF7HnQrXziYl13GzjVS1ryk
-kgXnpg8IMVfNnb9meGPbAYGbgkeiWF5USDd7KlJGJmA
-> X25519 oL6s/UbRmFIcZ62H7766Q0Bu4KoFwzICgGPB/ogTvj0
-FTWqAvm3Eq2AzhC+5xAUGMuZYbVtrPt+c1QBtXMdv/A
-> 54{PX{A-grease CyetKe> >}$Pn iQ)-0sK r
-68Ze/tRYRoVy0x619dD1ibTGYaAGoljMxE2Ll5Sx+V9jRzi/DHtq/xyQTgvJfv3z
-JM7E+KJZetXLLlvpOGKw3GBm
--- TWJdBHQyXz0rCxKloRqmXut0GODBw32Lwjnj9gFJAFI
-<EFBFBD><EFBFBD>!=<0B><><19><12><>I0r<><72><EFBFBD>J<EFBFBD>v<EFBFBD><76>#(<28>2<EFBFBD><32>R<EFBFBD>8	[-<0F>VI<56>}p<>,}v<>j<EFBFBD>H<>#<23>qJ?<3F><><EFBFBD>!<21><10>v<EFBFBD>~P<><EFBFBD>
+-> ssh-ed25519 n8CpUw +WNV+VmndEK6SO6/M0Mh7XdMSquucY7JCiP1vzoOpzo
+JnOXYQ14pYWebHAmdkBz916L1CtE6vzQuIq3wi1cQT4
+-> X25519 drGGpRjQ3kFmp61N+iY00xmoBzcXwZm0FQsc6DYp/C0
+bEHnwq7dkfrFOHGiGWZC4CT9PIndHoaj4Od4U9xpcKs
+-> a3$-grease
+jvREqtF9g1ba8FTAJ6d6z6AjWLn8+U5dbQ5awJr5VHjIxAKeyP6W1TxtCkOXAXqE
+d8Yk0M+aZi4
+--- KXJZwwgadyYXvRvO2iL3Kz9UtXhVFvJj/GphM24WH94
+<EFBFBD>ԨWW<><57><EFBFBD><EFBFBD>5<>q<EFBFBD><71>=<3D><><EFBFBD><EFBFBD>b~M<><4D><17><>J~<7E><19>L<EFBFBD><18><><EFBFBD><EFBFBD>dB<64><42><EFBFBD>?I<><49>Nm=P<><50><EFBFBD><EFBFBD><EFBFBD><EFBFBD>0_Y<5F>,^<5E>G<EFBFBD>i<EFBFBD>3<EFBFBD>
--- a/secrets/estuary/pdns/recursor.conf.age
+++ b/secrets/estuary/pdns/recursor.conf.age
--- a/secrets/hercules/aws-credentials.ini.age
+++ b/secrets/hercules/aws-credentials.ini.age
--- a/secrets/hercules/binary-caches.json.age
+++ b/secrets/hercules/binary-caches.json.age
--- a/secrets/hercules/cluster-join-token.key.age
+++ b/secrets/hercules/cluster-join-token.key.age
--- a/secrets/jackflix/mullvad-privkey.age
+++ b/secrets/jackflix/mullvad-privkey.age
--- a/secrets/middleman/cloudflare-credentials.conf.age
+++ b/secrets/middleman/cloudflare-credentials.conf.age
--- a/secrets/middleman/nginx-sso.yaml.age
+++ b/secrets/middleman/nginx-sso.yaml.age
--- a/secrets/minio.env.age
+++ b/secrets/minio.env.age
--- a/secrets/nix-cache-gc.ini.age
+++ b/secrets/nix-cache-gc.ini.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HJ/J7A A4ybdNG0bDSIBDnjktzi1DpmGrkvNt0SE+YqCHNokEg
-gwL+6yhXPM3oFkq3S/4PlWzi1h43yBRW1atvYbg2Ax4
-> X25519 R8AIKLRKCLCUmJB3A/z+9iQOfwbqNRm7GgZQX1PgHXM
-nP+UagGakkcI4c59CHSldzGvJLzDXJE16u+LggSLUcM
-> iS[]-grease
-NLqKdqlhdrhVyfNihGFsQC+jvA9wu60
--- KDffMrsRX2L2uqdu0ReWQnIcqkYjWfNh4s7KgXTYpDA
-<05>-<2D><>)<29><>h<EFBFBD><68>i<EFBFBD>@X"Āe<C480><65><EFBFBD>Ʃ<EFBFBD>q}J<>a&rJ	<09>!I<><49><EFBFBD>:<3A>7;~<7E>v<EFBFBD><76><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>*=<3D>e<EFBFBD>N<EFBFBD><4E><EFBFBD>Kb<4B>Wp#<23><>B<EFBFBD><42>m<EFBFBD>ux<75><78>q<EFBFBD><71><EFBFBD>Xn<7F>+<2B><>B<EFBFBD>G<EFBFBD>aLȂ<4C>Der<65><04>O1<4F><31>^<5E>t]c"<22>dI<><18>RR<52><52><EFBFBD><EFBFBD>G|Q
+-> ssh-ed25519 HJ/J7A NqWZhc47n2idkqNF0eDDxRnSxqVUDjbcO1o0y5BP1zs
+XxVv9/92wbfmVjLkcaPa2a3tG3Sum1BMah76TlwkWDo
+-> X25519 PQawUoZR/P8odnakuANiD412yhi9KUrMUNJqAajHsWU
+4WfDINFhcVwpUNrauwPHKcj12WUHIsBoDcfwUtfGMDs
+-> u-grease s]
+jQtjx5qzgSmYzBa1eg
+--- I1w442aozyjdXob2uZTFHsPllJZvTUOVSYQlAf52Mt8
+fԌ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Γ<EFBFBD>jJ1U<EFBFBD>`<17><>
--- a/secrets/whale2/valheim.env.age
+++ b/secrets/whale2/valheim.env.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 /EJXvg b3pIwQhBXVof+e+HdCC16M5tc0VuUvvKF+Fj2pytlEE
-NwnBuKXpj9eP1k7D+U2J7Ms7q5kbB4E2zpH34Sx7MzY
-> X25519 w3Wk4YORf+FrC94zpv8TqrwEWDJpuC8IE2YWn6TWRns
-xWF9B4SfS2Gun3xMJodwU0WRtd1GmC3NpyW0xb/K2Sw
-> IuQD#-grease gEpQSQM`
-fjTI1cPFEs0gIqaF5NDOQcqNmfLDStGXaBUjEYa/JjAV7MCTRjpdUU/5DtkH33av
-Ji1k8hfgxQ
--- UTwjr4FXUeSfijgp5VAZIIGmV/lsfxGwHFUHkC9jHrg
-<EFBFBD>=!<21>b<EFBFBD><62>&W\0Op([<5B><>[ϟ<>]<5D>_4<5F>J8<4A><38><EFBFBD>A<EFBFBD><41>i9<69><1D><>3<EFBFBD>@<40><><EFBFBD>~I<><49><EFBFBD>5
+-> ssh-ed25519 /EJXvg zqgNJtsJoogjGP75yueFFWd3oe0H64W5CQcujNCWZ0M
+cVeKmN0jo/y7n5QS2Dp4U0uxK+jGwlQnwXNxR87z020
+-> X25519 J2MeXbL+kGLV3MePB1RMphd7XUfAiL7BTfRWut5lkTE
+PlaRjS9QfL0R1wTx5XJNhjOn2PCG/6QIT3x8I5QG9wo
+-> |#-grease t|Z9XXy p:XF
+LPPVfms2cH4f51GHS7rSwzBOBQulDAANNYGwl22AkZfSNHotvpHdguuJ0S1D+aEj
+d7jlo/xce10TcNJwKYNeTn775g
+--- l2P0/sNogMDU0AmwSuK8BPJnXTj3a7jwwQ0P7ho8Etw
+52F4<EFBFBD>bC涹<EFBFBD><02>&<26><>iK<69><4B>/<2F><><EFBFBD>AY<41><59>x&ԭ/<2F><>g<17><>Q&zI<7A>g<EFBFBD>$d<><64><EFBFBD>md<6D><64>