authorAzat Bahawi <azat@bahawi.net>2022-12-17 16:39:09 +0300
committerAzat Bahawi <azat@bahawi.net>2022-12-17 16:39:09 +0300
commit8f137c28230623259a964484adcf31fe00756594 (patch)
tree82bce6a13fda125087cf6d9dc80aa91d9230d6c4 /nixosConfigurations
parent3229e56e0d3620ddc735edcfbbefb167efa3b23f (diff)
2022-12-17
Diffstat (limited to 'nixosConfigurations')
-rw-r--r--nixosConfigurations/default.nix96
-rw-r--r--nixosConfigurations/eonwe/default.nix72
-rw-r--r--nixosConfigurations/manwe/default.nix88
-rw-r--r--nixosConfigurations/manwe/mailserver.nix94
-rw-r--r--nixosConfigurations/manwe/webserver.nix23
-rw-r--r--nixosConfigurations/melian/default.nix108
-rw-r--r--nixosConfigurations/test-headful/default.nix19
-rw-r--r--nixosConfigurations/test-headless/default.nix13
-rw-r--r--nixosConfigurations/varda/default.nix62
-rw-r--r--nixosConfigurations/yavanna/default.nix46
10 files changed, 621 insertions, 0 deletions
diff --git a/nixosConfigurations/default.nix b/nixosConfigurations/default.nix
new file mode 100644
index 0000000..8ebeda4
--- /dev/null
+++ b/nixosConfigurations/default.nix
@@ -0,0 +1,96 @@
+{
+ inputs,
+ lib,
+}:
+with lib; let
+ mkConfiguration = name: {
+ modules ? [],
+ configuration ? ./${name},
+ this ? my.configurations.${name},
+ extraSpecialArgs ? {
+ localUsername = my.username;
+ localHostname = this.hostname;
+ },
+ }:
+ nameValuePair name (nixosSystem {
+ inherit (this) system;
+ modules =
+ modules
+ ++ attrValues inputs.self.modules
+ ++ attrValues inputs.self.nixosModules
+ ++ optional (configuration != null) (import configuration);
+ specialArgs =
+ {
+ inherit inputs lib this;
+ }
+ // extraSpecialArgs;
+ });
+in
+ mapAttrs' mkConfiguration {
+ # A dummy configuration to test the "headless" profile.
+ test-headless = {
+ modules = with inputs; [
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ nixpkgs.nixosModules.notDetected
+ ];
+ this = {
+ hostname = "test-headless";
+ system = "x86_64-linux";
+ isHeadless = true;
+ isHeadful = false;
+ };
+ };
+
+ # A dummy configuration to test the "headful" profile.
+ test-headful = {
+ modules = with inputs; [
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ nixpkgs.nixosModules.notDetected
+ ];
+ this = {
+ hostname = "test-headful";
+ system = "x86_64-linux";
+ isHeadless = false;
+ isHeadful = true;
+ };
+ };
+
+ # A beefy desktop: 7950x/rx6750xt/128GB.
+ eonwe.modules = with inputs; [
+ nixos-hardware.nixosModules.common-cpu-amd
+ nixos-hardware.nixosModules.common-gpu-amd
+ nixos-hardware.nixosModules.common-pc-ssd
+ nixpkgs.nixosModules.notDetected
+ ];
+
+ # ThinkPad T480.
+ melian.modules = with inputs; [
+ nixos-hardware.nixosModules.common-pc-laptop-ssd
+ nixos-hardware.nixosModules.lenovo-thinkpad-t480
+ nixpkgs.nixosModules.notDetected
+ ];
+
+ # VPS: Germany
+ manwe.modules = with inputs; [
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ nixos-hardware.nixosModules.common-cpu-amd
+ nixos-hardware.nixosModules.common-pc-ssd
+ nixpkgs.nixosModules.notDetected
+ ];
+
+ # VPS: Germany
+ varda.modules = with inputs; [
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ nixos-hardware.nixosModules.common-cpu-amd
+ nixos-hardware.nixosModules.common-pc-ssd
+ nixpkgs.nixosModules.notDetected
+ ];
+
+ # VPS: France
+ yavanna.modules = with inputs; [
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ nixos-hardware.nixosModules.common-cpu-intel
+ nixos-hardware.nixosModules.common-pc-hdd
+ nixpkgs.nixosModules.notDetected
+ ];
+ }
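Review bot: `mkConfiguration` carries no comment describing its arguments, and the `// extraSpecialArgs` merge on the `specialArgs` line lets a caller's `extraSpecialArgs` silently override `inputs`, `lib` or `this`, which a reader of the name would not expect. Either document that precedence or make the fixed arguments win, `specialArgs = extraSpecialArgs // { inherit inputs lib this; };`, depending on which behaviour is intended. A header comment along the lines of `# Build one nixosSystem for name; this defaults to my.configurations.<name>, configuration to ./<name> (pass null to skip importing it).` would spare the next reader a trip through the default expressions. The `# VPS: Germany` comment is attached to both manwe and varda; if both really are in Germany a distinguishing word (provider or role) would still help tell them apart.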
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
new file mode 100644
index 0000000..a867837
--- /dev/null
+++ b/nixosConfigurations/eonwe/default.nix
@@ -0,0 +1,72 @@
+{
+ config,
+ lib,
+ pkgs,
+ this,
+ ...
+}:
+with lib; {
+ nixfiles.modules = {
+ wireguard.client.enable = true;
+
+ syncthing.enable = true;
+
+ openssh.server.enable = true;
+
+ games = {
+ lutris.enable = true;
+ steam.enable = true;
+ };
+ android.enable = true;
+ bluetooth.enable = true;
+ discord.enable = true;
+ libvirtd.enable = true;
+ qutebrowser.enable = true;
+ };
+
+ hm.programs = {
+ firefox.profiles.default.settings."media.ffmpeg.vaapi.enabled" = true;
+
+ mpv.config = {
+ hwdec = "vdpau";
+ vo = "gpu";
+ profile = "gpu-hq";
+ };
+ };
+
+ boot = {
+ # Silence benign MCE errors:
+ # ```
+ # mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 29: ffffffffffffffff
+ # mce: [Hardware Error]: TSC 0 MISC ff1fffffffffffff SYND ffffffffffffffff IPID ffffffffffffffff
+ # mce: [Hardware Error]: PROCESSOR 2:a60f12 TIME 1669988017 SOCKET 0 APIC 2 microcode a601201
+ # ```
+ kernelParams = ["mce=nobootlog"];
+
+ initrd.availableKernelModules = [
+ "ahci"
+ "nvme"
+ "sd_mod"
+ "usb_storage"
+ "usbhid"
+ "xhci_pci"
+ ];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-uuid/FF1E-9CFD";
+ fsType = "vfat";
+ };
+
+ "/" = {
+ device = "/dev/disk/by-uuid/20276c1b-7e46-430b-b741-2f4aeb76bc51";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ # No swap space is declared here because the system already has 128Gb of RAM.
+ # I didn't manage to even hit 100Gb mark even when running large
+ # computations/compiling something big.
+}
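Review bot: `config`, `pkgs` and `this` are bound in the module's argument set but never referenced in the body, so the destructuring pattern advertises dependencies the file does not have; `{ lib, ... }:` is all this module needs. The same applies to `this` in manwe, varda and yavanna and to `config` in melian. The closing comment also writes `128Gb` and `100Gb` where the unit is gigabytes, so `128GB`/`100GB`.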
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
new file mode 100644
index 0000000..b8dd324
--- /dev/null
+++ b/nixosConfigurations/manwe/default.nix
@@ -0,0 +1,88 @@
+{
+ config,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ ./mailserver.nix
+ ./webserver.nix
+ ];
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard.server.enable = true;
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ postgresql.enable = true;
+
+ git.server = {
+ enable = true;
+ domain = "git.${my.domain.azahi}";
+ };
+
+ gotify.enable = true;
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ radicale.enable = true;
+ rss-bridge.enable = true;
+ shadowsocks.enable = true;
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ vaultwarden.enable = true;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "sd_mod"
+ "sr_mod"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ ];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/sda3";
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
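Review bot: The `fileSystems` entries and the swap entry name block devices by kernel path (`/dev/sda1`, `/dev/sda2`, `/dev/sda3`), whereas eonwe, melian and varda in the same commit mount by `/dev/disk/by-uuid/...`; kernel device names depend on probe order, and attaching another virtual disk can renumber them, which here would break the root mount as well as `/boot`. Switching these three entries to `by-uuid` or `by-partuuid` paths keeps the host consistent with the others; `loader.grub.device = "/dev/sda"` has to stay a whole-disk path and is fine as is. yavanna's `fileSystems."/"` uses the same `/dev/sda1` form.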
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
new file mode 100644
index 0000000..a4b552a
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -0,0 +1,94 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ secrets = {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-shire-me = {
+ file = "${inputs.self}/secrets/dkim-key-shire-me";
+ path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ };
+
+ nixfiles.modules.acme.enable = true;
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = 1;
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ loginAccounts = with my.domain; {
+ "azahi@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ aliases = [
+ "@${azahi}"
+ "@${rohan}"
+ "@${gondor}"
+ "abuse@${shire}"
+ "admin@${shire}"
+ "ceo@${shire}"
+ "postmaster@${shire}"
+ ];
+ };
+ "samwise@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ aliases = ["chad@${shire}"];
+ quota = "1G";
+ };
+ "pippin@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ quota = "1G";
+ };
+ "meriadoc@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ quota = "1G";
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ dovecot = ''
+ enabled = true
+ mode = aggressive
+ '';
+ postfix = ''
+ enabled = true
+ mode = aggressive
+ '';
+ };
+}
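Review bot: Every `loginAccounts` entry sets `hashedPassword = "@HASHED_PASSWORD@"`, a literal placeholder rather than a crypt hash; presumably a step outside this commit substitutes it, but nothing in the file says so, and if the substitution is skipped the accounts simply cannot log in. The mailserver module also offers `hashedPasswordFile`, which would let these accounts use the same `secrets` mechanism the DKIM keys in this very file already use and keep the hash out of the evaluated configuration; at minimum a comment such as `# @HASHED_PASSWORD@ is replaced at deploy time by <placeholder: substitution step>` next to the first occurrence would record the contract. Separately, the four `secrets.dkim-key-*` blocks differ only in the domain and the file name and could be generated from a list of domains instead of copy-pasted.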
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
new file mode 100644
index 0000000..4dded7e
--- /dev/null
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ nixfiles.modules.nginx.virtualHosts = with my.domain;
+ {
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+ "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+ ${azahi} = {
+ serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ locations."/".root = inputs.azahi-cc;
+ };
+ }
+ // (let
+ frodo = "301 https://frodo.";
+ in {
+ ${gondor}.locations."/".return = concatStrings [frodo gondor];
+ ${rohan}.locations."/".return = concatStrings [frodo rohan];
+ });
+}
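Review bot: The `let frodo = "301 https://frodo."` binding plus `concatStrings` is an indirection for two string literals that plain interpolation expresses directly, `${gondor}.locations."/".return = "301 https://frodo.${gondor}";` and likewise for `${rohan}`, which also removes the need for the `//` merge and the second attribute set. The `frodo.${gondor}` and `frodo.${rohan}` redirect targets are only served because the `${azahi}` vhost lists them in `serverAliases`; a one-line comment on the `serverAliases` line, `# targets of the gondor/rohan redirects below`, would make that coupling visible.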
diff --git a/nixosConfigurations/melian/default.nix b/nixosConfigurations/melian/default.nix
new file mode 100644
index 0000000..3ba854c
--- /dev/null
+++ b/nixosConfigurations/melian/default.nix
@@ -0,0 +1,108 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ nixfiles.modules = {
+ wireguard.client.enable = true;
+
+ syncthing.enable = true;
+
+ bluetooth.enable = true;
+
+ throttled.enable = true;
+ };
+
+ hardware.trackpoint = {
+ enable = true;
+ speed = 500;
+ sensitivity = 250;
+ };
+
+ powerManagement = let
+ modprobe = "${pkgs.kmod}/bin/modprobe";
+ in {
+ enable = true;
+
+ # This fixes an issue with not being able to suspend or wake up from suspend
+ # due to a kernel bug[1].
+ #
+ # [1]: https://bbs.archlinux.org/viewtopic.php?id=270964
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/522998
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/pm-utils/+bug/562484/comments/3
+ # [1]: https://gist.github.com/ioggstream/8f380d398aef989ac455b93b92d42048
+ powerDownCommands = "${modprobe} -r xhci_pci";
+ powerUpCommands = "${modprobe} xhci_pci";
+ };
+
+ services = {
+ thinkfan = {
+ enable = true;
+
+ settings = {
+ sensors = [
+ {
+ hwmon = "/sys/class/hwmon";
+ name = "coretemp";
+ indices = [1];
+ }
+ ];
+ fans = [{tpacpi = "/proc/acpi/ibm/fan";}];
+ levels = [
+ ["level auto" 0 50]
+ ["level disengaged" 50 32767]
+ ];
+ };
+ };
+
+ fwupd.enable = true;
+ };
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ahci"
+ "nvme"
+ "sd_mod"
+ "usb_storage"
+ "usbhid"
+ "xhci_pci"
+ ];
+
+ luks.devices."root" = {
+ device = "/dev/disk/by-uuid/c1b46f24-eec0-47d2-a142-75ddfd7bb218";
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-uuid/1083-C8A0";
+ fsType = "vfat";
+ };
+
+ "/" = {
+ device = "/dev/disk/by-uuid/bb8b09dc-cc67-47e5-8280-532b17a9e62a";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ # NOTE This makes hibernation pretty much impossible because the partition is
+ # encrypted.
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 8 * 1024;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
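Review bot: `luks.devices."root".allowDiscards = true` is a deliberate trade-off the file does not explain: TRIM requests pass through to the encrypted device, so the layout of free blocks on the SSD becomes observable, which the option's own description flags as a security consideration. A comment next to it such as `# allowDiscards: TRIM reaches the underlying SSD and exposes which blocks are unused -- accepted trade-off` records the decision for whoever reads this later. In the `powerManagement` comment all four links are labelled `[1]`, so the prose reference `kernel bug[1]` points at four things; number them `[1]`–`[4]` or drop the numbers. `config` is bound in the argument set but never used.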
diff --git a/nixosConfigurations/test-headful/default.nix b/nixosConfigurations/test-headful/default.nix
new file mode 100644
index 0000000..25db8c7
--- /dev/null
+++ b/nixosConfigurations/test-headful/default.nix
@@ -0,0 +1,19 @@
+{lib, ...}:
+with lib; {
+ nixfiles.modules = {
+ dwm.enable = true;
+ kde.enable = false;
+ xmonad.enable = false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation = {
+ enable = mkForce false;
+ man = {
+ enable = mkForce false;
+ man-db.enable = mkForce false;
+ };
+ };
+}
diff --git a/nixosConfigurations/test-headless/default.nix b/nixosConfigurations/test-headless/default.nix
new file mode 100644
index 0000000..919a436
--- /dev/null
+++ b/nixosConfigurations/test-headless/default.nix
@@ -0,0 +1,13 @@
+{lib, ...}:
+with lib; {
+ nixfiles.modules = {
+ endlessh-go.enable = mkForce false;
+ node-exporter.enable = mkForce false;
+ promtail.enable = mkForce false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation.enable = mkForce false;
+}
diff --git a/nixosConfigurations/varda/default.nix b/nixosConfigurations/varda/default.nix
new file mode 100644
index 0000000..5e0914e
--- /dev/null
+++ b/nixosConfigurations/varda/default.nix
@@ -0,0 +1,62 @@
+{
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ nixfiles.modules = {
+ wireguard.client.enable = true;
+
+ acme.enable = true;
+
+ games.minecraft.server = {
+ enable = false; # Disabled because no one is playing now.
+ memory = "6G";
+ };
+ };
+
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ };
+ };
+
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "sd_mod"
+ "sr_mod"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ ];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-uuid/03FD-B6C0";
+ fsType = "vfat";
+ };
+
+ "/" = {
+ device = "/dev/disk/by-uuid/b07e8273-915a-424c-8c55-cdc2bd482f49";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
diff --git a/nixosConfigurations/yavanna/default.nix b/nixosConfigurations/yavanna/default.nix
new file mode 100644
index 0000000..e3172a6
--- /dev/null
+++ b/nixosConfigurations/yavanna/default.nix
@@ -0,0 +1,46 @@
+{
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ nixfiles.modules = {
+ wireguard.client.enable = true;
+
+ syncthing.enable = true;
+
+ acme.enable = true;
+
+ rtorrent.enable = true;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd = {
+ availableKernelModules = ["uhci_hcd" "ahci"];
+ kernelModules = ["nvme"];
+ };
+ };
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ options = ["noatime"];
+ };
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
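Review bot: `initrd.kernelModules = ["nvme"]` forces the NVMe driver into the initrd even though the only filesystem declared here lives on `/dev/sda1` and `availableKernelModules` lists only `uhci_hcd` and `ahci`; if this VPS has no NVMe device the entry is presumably a leftover from a hardware scan and can go, and if it does have one a comment saying what it is for would help. `this` is bound in the argument set but never used.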