diff --git a/configurations.nix b/configurations.nix index caaed52..05ccb4f 100644 --- a/configurations.nix +++ b/configurations.nix @@ -40,7 +40,8 @@ let srvos.nixosModules.server # srvos.nixosModules.mixins-telegraf - # srvos.nixosModules.mixins-terminfo + srvos.nixosModules.mixins-trusted-nix-caches + srvos.nixosModules.mixins-terminfo agenix.nixosModules.default ({ pkgs @@ -55,6 +56,11 @@ let "nixpkgs=${pkgs.path}" "nur=${nur}" ]; + + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; @@ -88,7 +94,16 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = nixosSystem { + system = "x86_64-linux"; + modules = + commonModules + ++ colmenaModules + ++ [ + ./hosts/vieuxtype.nix + ]; }; + }; flake.colmena = { meta.nixpkgs = import nixpkgs { @@ -101,5 +116,14 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = { + system = "x86_64-linux"; + modules = + commonModules + ++ [ + ./hosts/vieuxtype.nix + ]; + }; + }; } diff --git a/docs/vieuxtype.lstopo.svg b/docs/vieuxtype.lstopo.svg new file mode 100644 index 0000000..da866d3 --- /dev/null +++ b/docs/vieuxtype.lstopo.svg @@ -0,0 +1,63 @@ + + + + Machine (5936MB total) + + Package L#0 + + L3 (16MB) + + L2 (4096KB) + + L1d (32KB) + + L1i (32KB) + + Core L#0 + + PU L#0 + P#0 + + NUMANode L#0 P#0 (5936MB) + + + + + + + + + + + + PCI 00:01.1 + + Block sr0 + 541 MB + + PCI 00:02.0 + + PCI 00:03.0 + + PCI 00:05.0 + + Block sda + 40 GB + + PCI 00:12.0 + + Net ens18 + + PCI 00:13.0 + + Net ens19 + + PCI 00:14.0 + + Net ens20 + + MemoryModule + + Host: vieuxtype + Date: Mon 05 Jun 2023 08:15:31 PM CEST + diff --git a/docs/vieuxtype.md b/docs/vieuxtype.md new file mode 100644 index 0000000..ca86ff2 --- /dev/null +++ b/docs/vieuxtype.md 
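Review bot: Enabling `srvos.nixosModules.mixins-trusted-nix-caches` widens the set of substituters and signing keys every host in `commonModules` trusts, and the hunk does not record which caches that is; a comment next to the module line such as `# pulls in srvos' list of trusted substituters and their public keys — review that list in srvos before accepting new ones` would make the supply-chain trust boundary visible at the point where it is extended. Because this lands in the shared module list it now applies to the new vieuxtype host as well as epyc, not only to the machine the terminfo change was made for. The `let` block these hunks edit starts and ends outside the hunk.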
@@ -0,0 +1,83 @@ +# vieuxtype + +``` +System: Host: vieuxtype Kernel: 6.1.31 x86_64 bits: 64 compiler: gcc v: 12.2.0 + parameters: initrd=\efi\nixos\mf13ryz0gl48s8672gzg80lvq9yd8189-initrd-linux-6.1.31-initrd.efi + init=/nix/store/5c8yhqcmf24d61m99cpqc3ffjma90cxs-nixos-system-vieuxtype-23.05.553.e7603eba51f/init + console=ttyS0,115200 panic=30 boot.panic_on_fail loglevel=4 + Console: N/A Distro: NixOS 23.05 (Stoat) +Machine: Type: Kvm System: QEMU product: Standard PC (i440FX + PIIX, 1996) v: pc-i440fx-7.2 + serial: N/A Chassis: type: 1 v: pc-i440fx-7.2 serial: N/A + Mobo: N/A model: N/A serial: N/A UEFI: EFI Development Kit II / OVMF v: 3.20230228-2 + date: 04/04/2023 +Memory: RAM: total: 5.8 GiB used: 820.6 MiB (13.8%) + Array-1: capacity: 6 GiB slots: 1 EC: Multi-bit ECC max-module-size: 6 GiB note: est. + Device-1: DIMM 0 size: 6 GiB speed: N/A type: RAM detail: other bus-width: Unknown + total: Unknown manufacturer: QEMU part-no: Not Specified serial: Not Specified +PCI Slots: Message: No PCI Slot data found. 
+CPU: Info: Single Core model: Common KVM bits: 64 type: MCP arch: Netburst Presler + family: F (15) model-id: 6 stepping: 1 microcode: 1 cache: L2: 16 MiB + flags: lm nx pae sse sse2 sse3 bogomips: 5199 + Speed: 2600 MHz min/max: N/A base/boost: 2000/2000 Core speed (MHz): 1: 2600 + Vulnerabilities: Type: itlb_multihit status: KVM: VMX unsupported + Type: l1tf mitigation: PTE Inversion + Type: mds + status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown + Type: meltdown mitigation: PTI + Type: mmio_stale_data status: Unknown: No mitigations + Type: retbleed status: Not affected + Type: spec_store_bypass status: Vulnerable + Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization + Type: spectre_v2 + mitigation: Retpolines, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected + Type: srbds status: Not affected + Type: tsx_async_abort status: Not affected +Graphics: Device-1: vendor: Red Hat driver: bochs-drm v: N/A alternate: bochs bus-ID: 00:02.0 + chip-ID: 1234:1111 class-ID: 0300 + Display: server: No display server data found. Headless machine? tty: N/A + Message: Advanced graphics data unavailable in console for root. +Audio: Message: No device data found. 
+Network: Device-1: Intel 82371AB/EB/MB PIIX4 ACPI vendor: Red Hat Qemu virtual machine + type: network bridge driver: piix4_smbus v: N/A modules: i2c_piix4 port: 10c0 + bus-ID: 00:01.3 chip-ID: 8086:7113 class-ID: 0680 + Device-2: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 10e0 + bus-ID: 00:12.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens18 state: up speed: -1 duplex: unknown mac: da:3e:b0:11:ae:0a + IP v4: 169.254.129.42/16 type: noprefixroute scope: global broadcast: 169.254.255.255 + IP v6: 2a01:e0a:5f9:9681:33ba:55f5:6e55:beef/64 type: temporary dynamic scope: global + IP v6: 2a01:e0a:5f9:9681:d83e:b0ff:fe11:ae0a/64 type: dynamic mngtmpaddr scope: global + IP v6: 2a01:e0a:5f9:9681:a498:fffb:e48d:299/64 scope: global + IP v6: fe80::d83e:b0ff:fe11:ae0a/64 scope: link + Device-3: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1400 + bus-ID: 00:13.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens19 state: up speed: -1 duplex: unknown mac: 72:38:5f:a6:82:5a + IP v4: 10.32.64.196/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::7038:5fff:fea6:825a/64 scope: link + Device-4: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1420 + bus-ID: 00:14.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens20 state: up speed: -1 duplex: unknown mac: 8e:38:09:a2:8c:9e + IP v4: 10.32.64.224/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::8c38:9ff:fea2:8c9e/64 scope: link + IF-ID-1: tailscale0 state: unknown speed: -1 duplex: full mac: N/A + IP v6: fe80::7d4f:3369:71cc:66d5/64 virtual: stable-privacy scope: link + WAN IP: 82.65.118.1 +Drives: Local Storage: total: 40 GiB used: 10.33 GiB (25.8%) + ID-1: /dev/sda maj-min: 8:0 vendor: QEMU model: HARDDISK size: 40 GiB block-size: + physical: 512 B logical: 512 B speed: serial: drive-scsi0 rev: 2.5+ + scheme: GPT + SMART: no +Partition: ID-1: / raw-size: 11.5 GiB size: 11.22 GiB (97.55%) used: 
10.27 GiB (91.6%) fs: ext4 + block-size: 4096 B dev: /dev/sda1 maj-min: 8:1 + ID-2: /boot raw-size: 511 MiB size: 510 MiB (99.80%) used: 54.9 MiB (10.8%) fs: vfat + block-size: 512 B dev: /dev/sda3 maj-min: 8:3 +Swap: Kernel: swappiness: 60 (default) cache-pressure: 100 (default) + ID-1: swap-1 type: partition size: 8 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda2 + maj-min: 8:2 +Sensors: Message: No sensor data found. Is lm-sensors configured? +Info: Processes: 107 Uptime: N/A wakeups: 1 Init: systemd v: 253 target: multi-user.target + tool: systemctl Compilers: gcc: 12.2.0 Packages: 899 nix-default: 9 nix-sys: 881 + lib: 155 nix-usr: 9 lib: 3 Client: Sudo v: 1.9.13p3 inxi: 3.3.04 +``` +![hardware topology](vieuxtype.lstopo.svg) diff --git a/hosts/vieuxtype.nix b/hosts/vieuxtype.nix new file mode 100644 index 0000000..41bd6e5 --- /dev/null +++ b/hosts/vieuxtype.nix @@ -0,0 +1,28 @@ +{ + imports = [ + ../modules/hardware/vm.nix + ../modules/gitea.nix + ../modules/tailscale.nix + ../modules/users/yvan.nix + ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/fe1d2e0d-9210-4a2d-b584-d1e131747ea3"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8782-7801"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/c9511ddb-e41f-436c-ad1f-9b587ed0ba11"; }]; + + networking.hostName = "vieuxtype"; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # simd.arch = "znver3"; + system.stateVersion = "23.05"; +} diff --git a/modules/gitea.nix b/modules/gitea.nix new file mode 100644 index 0000000..1fd9dc7 --- /dev/null +++ b/modules/gitea.nix 
@@ -0,0 +1,34 @@ +{ ... }: { + services.gitea = { + enable = true; + appName = "Newtype's Git"; + mailerPasswordFile = "/var/lib/secrets/gitea/mailpw"; + settings = { + server = { + ROOT_URL = "https://git.newtype.fr"; + DOMAIN = "git.newtype.fr"; + }; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + mailer = { + ENABLED = true; + HOST = "mail.gandi.net:465"; + USER = "git@newtype.fr"; + FROM = "Newtype's Git "; + IS_TLS_ENABLED = true; + }; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."git.newtype.fr" = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; + }; + }; + + security.acme.certs = { "git.newtype.fr".email = "contact@newtype.fr"; }; + security.acme.acceptTerms = true; +} diff --git a/modules/hardware/vm.nix b/modules/hardware/vm.nix new file mode 100644 index 0000000..9d457ec --- /dev/null +++ b/modules/hardware/vm.nix @@ -0,0 +1,14 @@ +{ lib, modulesPath, ... }: { + imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + services.qemuGuest.enable = true; + + # VMs are noisy for this type of thing usually. + nix.settings.max-jobs = lib.mkDefault 1; +} diff --git a/modules/hosts.nix b/modules/hosts.nix index 9a5bc26..794b6d8 100644 --- a/modules/hosts.nix +++ b/modules/hosts.nix @@ -37,11 +37,14 @@ in ) "Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}"; - # usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain + # usually, for each host there is a hostname.infra.newtype.fr networking.newtype.hosts = { epyc = { ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8"; }; + vieuxtype = { + ipv6 = "2a01:e0a:5f9:9681:a498:fffb:e48d:299"; + }; }; }; } 
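Review bot: `mailerPasswordFile = "/var/lib/secrets/gitea/mailpw"` refers to a file nothing in this commit provisions, even though the flake already loads `agenix.nixosModules.default`, so the service fails to start on a fresh vieuxtype until the file is created by hand and its ownership and mode are whatever that hand-step leaves them. Declaring it as an agenix secret owned by the gitea service user and referencing that secret's path here would keep the credential managed with the rest of the config; failing that, a comment stating the file must exist and be readable only by the service user documents the manual step. The nginx vhost proxies to `127.0.0.1:3000` but the hunk does not pin `server.HTTP_ADDR`; if the module's default is to bind all interfaces, only the host firewall keeps port 3000 from being reached directly, so setting `HTTP_ADDR = "127.0.0.1";` alongside `ROOT_URL` removes that dependency. `HOST = "mail.gandi.net:465"` with `IS_TLS_ENABLED = true` looks like the older mailer key set; if the gitea in this nixpkgs pin has moved to `SMTP_ADDR`/`SMTP_PORT`/`PROTOCOL`, the service log is worth checking for a deprecation warning.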
diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ffda29f..b45d3a8 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -24,11 +24,19 @@ in config = { warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + # Allow more open files for non-root users to run NixOS VM tests. + security.pam.loginLimits = [ + { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + ]; nix = { + # Garbage-collect often gc.automatic = true; - gc.dates = "03:15"; - gc.options = "--delete-older-than 30d"; + gc.dates = "*:45"; + gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + + # Randomize GC to avoid thundering herd effects. + gc.randomizedDelaySec = "1800"; # 2.11, 2.12 suffers from a bug with remote builders… package = pkgs.nixVersions.nix_2_13; diff --git a/modules/packages.nix b/modules/packages.nix index c396d63..1086d5f 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -1,4 +1,7 @@ { pkgs, ... }: { + # documentation.dev.enable = true; + # environment.extraOutputsToInstall = [ "info" "man" "devman" ]; + # this extends the list from: # https://github.com/numtide/srvos/blob/master/server.nix#L10 environment.systemPackages = with pkgs; [ @@ -34,6 +37,23 @@ usbutils ipmitool + + (neovim.override { + viAlias = true; + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = [ ]; + }; + }; + }) + # tries to default to soft-float due to out-dated cc-rs ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; + + programs.vim.defaultEditor = true; + environment.variables = { EDITOR = "nvim"; }; + programs.mosh.enable = true; + programs.tmux.enable = true; } diff --git a/modules/tailscale.nix b/modules/tailscale.nix new file mode 100644 index 0000000..14ffc74 --- /dev/null +++ b/modules/tailscale.nix 
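Review bot: The new `gc.options` expression aims for 128 GiB free in `/nix/store`, yet `docs/vieuxtype.md` in this same commit shows the new host with a 40 GiB disk, so on that machine `--max-freed` can never engage and every hourly run deletes all unreferenced paths; since the module already receives `config`, the target size could be a per-host option in this module that defaults to the current value instead of a constant shared by every machine. Dropping `--delete-older-than 30d` also means old system generations are no longer pruned by the timer, a change the `# Garbage-collect often` comment does not mention; a sentence such as `# generations are no longer pruned here; remove them manually when needed` would state the new policy. The `config = {` attribute set this hunk edits continues past the end of the hunk.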
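Review bot: `programs.mosh.enable = true` opens mosh's UDP port range in the firewall on every host, as the NixOS mosh module's `openFirewall` option defaults to true (verify against the module in this nixpkgs pin); if mosh is only wanted over the tailnet, `programs.mosh.openFirewall = false;` keeps the public firewall closed, otherwise a comment acknowledging the opened range documents the choice. `programs.vim.defaultEditor = true` and `environment.variables = { EDITOR = "nvim"; }` both set EDITOR, and the neovim override already provides `vimAlias`, so the vim line is redundant and the pair reads as a conflict; keeping only the `environment.variables` line (or `programs.neovim.defaultEditor`, if this release has it) is clearer. The `environment.systemPackages` list this hunk extends begins outside the hunk.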
@@ -0,0 +1,5 @@
+{ config, ... }: {
+ services.tailscale.enable = true;
+ networking.firewall.checkReversePath = "loose";
+ networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+}
diff --git a/modules/users/admins.nix b/modules/users/admins.nix
index 2101ef7..f7c44d1 100644
--- a/modules/users/admins.nix
+++ b/modules/users/admins.nix
@@ -13,7 +13,6 @@ in
 isNormalUser = true;
 home = "/home/raito";
 inherit extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1000;
 openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ];
 };
@@ -23,7 +22,6 @@ in
 isNormalUser = true;
 home = "/home/luj";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1001;
 openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];
 };
@@ -33,7 +31,6 @@ in
 isNormalUser = true;
 home = "/home/gdd";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1002;
 openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ];
 };
@@ -43,7 +40,6 @@ in
 isNormalUser = true;
 home = "/home/akechi";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1003;
 openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ];
 };
@@ -53,7 +49,6 @@ in
 isNormalUser = true;
 home = "/home/tomate";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1004;
 openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ];
 };
diff --git a/modules/users/yvan.nix b/modules/users/yvan.nix
new file mode 100644
index 0000000..e9f11a9
--- /dev/null
+++ b/modules/users/yvan.nix
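Review bot: `networking.firewall.checkReversePath = "loose"` relaxes reverse-path filtering for the whole host, which is only needed when the node acts as a tailscale exit node or subnet router, and the hunk gives no reason for it; a comment such as `# loose rp_filter is needed for tailscale subnet/exit-node routing; use "strict" if this host is only a client` would record the intent and make it easy to tighten later. Newer NixOS releases also expose `services.tailscale.useRoutingFeatures`, which applies this relaxation only when routing is actually enabled — worth checking whether the pinned nixpkgs has it before hard-coding the firewall setting.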
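Review bot: Removing `shell = "/run/current-system/sw/bin/zsh";` from each admin (all five hunks of admins.nix) makes these logins depend on `users.defaultUserShell` being set by `modules/zsh.nix`; any host that does not import that module silently falls back to the default shell. A comment near the top of the users block, `# login shell comes from users.defaultUserShell in modules/zsh.nix`, would make that coupling visible to whoever next edits the module list. The `users.users` set these hunks edit starts outside the first hunk.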
@@ -0,0 +1,17 @@ +{ ... }: { + users.users.yvan = { + isNormalUser = true; + home = "/home/yvan"; + description = "Yvan's account"; + extraGroups = [ "wheel" "www-data" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdMWQ1D9VJNrIzvgU8QMQwhy7Q/OFI9JNLpo/Kr0uXCeZBtSn9eMzZa88Q8gDaHnlc/BlTnlSomWP/S9u8+j21d+rXgDyPgJUqMjGBxFo4lZue3DlACXKQcwWXiNlGQKFPzSNBN62N3cRwm1R7Won9xVwedS4UnxsXbOGHkBnajQx40Ej3WRVBVbSjKKGaZKKCNO5hfistRP7RtqhwxYK7D/CyOfwnIUuBAnC3QYDYDph7SD2E5OX3rKwPDPnei0zaIMMXyFrMtv/czYOsisOud2H/VX0vipQh59qji/ZNSE31LemF4VcvC1307JX3uEwSfVWiBsWGPGfc/epQ4ixl yvan@X230" # Yvan's X230 + ]; + }; + + services.mastodon = { + enable = true; + smtp = { host = "mail.gandi.net"; fromAddress = "yvan@sraka.xyz"; }; + localDomain = "sraka.xyz"; + }; +} diff --git a/modules/zsh.nix b/modules/zsh.nix index bba3962..df628fb 100644 --- a/modules/zsh.nix +++ b/modules/zsh.nix @@ -5,4 +5,13 @@ programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh ''; + + programs.zsh = { + autosuggestions.enable = true; + promptInit = '' + source ${pkgs.grml-zsh-config}/etc/zsh/zshrc + ''; + }; + + users.defaultUserShell = pkgs.zsh; }
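Review bot: `services.mastodon` is enabled inside a user-account module, so importing `modules/users/yvan.nix` anywhere also turns on a federated web service for `localDomain = "sraka.xyz"`; moving that block into its own `modules/mastodon.nix` next to `modules/gitea.nix` keeps account and service concerns separate and makes the service visible in the host's import list. The hunk sets no nginx vhost for `sraka.xyz` and leaves `services.mastodon.configureNginx` unset, so the instance is presumably not reachable through the nginx that gitea.nix enables — confirm that is intended or add the vhost. The `smtp` block gives a host and from-address but no credential; if `mail.gandi.net` requires authentication, the password should come from an agenix-managed file, the same way the gitea mailer's should.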