From 89399796d0b91e7904ce67de04bd2f60f0d93b5b Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Thu, 2 Feb 2023 00:49:21 +0300
Subject: 2023-02-02
---
 modules/nixos/common/systemd.nix | 3 +-
 modules/nixos/common/users.nix | 8 +++--
 modules/nixos/openssh.nix | 2 +-
 modules/nixos/profiles/default.nix | 3 +-
 modules/nixos/profiles/headful.nix | 4 +--
 nixosConfigurations/eonwe/default.nix | 52 ++++++++++++++++++++++++++++++---
 nixosConfigurations/yavanna/default.nix | 4 +--
 7 files changed, 59 insertions(+), 17 deletions(-)
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index c1b2539..29020a0 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,7 +1,6 @@
 {pkgs, ...}: {
 ark = {
- # FIXME Enable on a fresh system!
- # files = ["/etc/machine-id"];
+ files = ["/etc/machine-id"];
 directories = ["/var/lib/systemd/coredump"];
 };
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 400bf33..367af41 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,7 +1,8 @@
 {lib, ...}:
-with lib; {
- # TODO Enable on a fresh system.
- # ark.directories = [config.my.home];
+with lib; let
+ home = "/home/${my.username}";
+in {
+ ark.directories = [home];
 users = {
 mutableUsers = false;
@@ -13,6 +14,7 @@ with lib; {
 isNormalUser = true;
 uid = 1000;
 description = my.fullname;
+ inherit home;
 inherit (my) hashedPassword;
 openssh.authorizedKeys.keys = [my.ssh.key];
 extraGroups = ["wheel"];
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 0cd44bd..9a131d7 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -46,7 +46,7 @@ in {
 else "ERROR";
 MaxAuthTries = 3;
 PasswordAuthentication = false;
- PermitRootLogin = "no";
+ PermitRootLogin = mkForce "no";
 };
 };
diff --git a/modules/nixos/profiles/default.nix b/modules/nixos/profiles/default.nix
index 23eb455..0c78b0f 100644
--- a/modules/nixos/profiles/default.nix
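Review bot: `ark.directories = [home]` now persists the whole home directory, but nothing in the hunk says with which owner and mode the persisted copy is created; if `ark` bind-mounts it from persistent storage the way the tmpfs root in the eonwe hunk suggests, a directory created as root with a default umask would leave `~/.ssh`, `~/.gnupg` and similar readable to other local users. If the underlying module accepts per-directory owner/group/mode settings (impermanence does), set them for `home` here; otherwise record the expectation, e.g. `# persisted home: must be owned by the user, mode 0700 — ensured by the ark module`. The hard-coded `/home/` prefix is consistent with `inherit home;` in the second hunk, which makes `users.users.<name>.home` agree with the persisted path. The `users.users` attribute set continues outside both hunks.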
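Review bot: `mkForce "no"` guarantees the value but also silently discards any conflicting definition of `PermitRootLogin` from another module, so a later attempt elsewhere to loosen it fails quietly instead of with the usual definition-conflict error; a one-line comment marking the override as intentional would make that visible, e.g. `# mkForce: root login over SSH must not be re-enabled by any host module`. Together with `PasswordAuthentication = false` and `MaxAuthTries = 3` in the same block the setting itself is consistent. The enclosing `settings` attribute set starts before the hunk.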
+++ b/modules/nixos/profiles/default.nix
@@ -15,8 +15,7 @@ in {
 ];
 config = mkIf cfg.enable {
- # FIXME Enable on a fresh system!
- # ark.directories = ["/var/log"];
+ ark.directories = ["/var/log"];
 programs.less = {
 enable = true;
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index 2d37b47..ca604cb 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -33,9 +33,7 @@ in {
 };
 boot = {
- # Pretty much placebo but has some nice patches for `-march=native`
- # optimisations, P-State Zen4 support and Fsync for Wine.
- kernelPackages = mkDefault pkgs.linuxPackages_xanmod_latest;
+ kernelPackages = mkDefault pkgs.linuxPackages_latest;
 # There are (arguably) not a lot of reasons to keep mitigations enabled
 # for on machine that is not web-facing. First of all, to completely
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
index 8889120..19eb8b1 100644
--- a/nixosConfigurations/eonwe/default.nix
+++ b/nixosConfigurations/eonwe/default.nix
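Review bot: `ark.directories = ["/var/log"]` only yields a continuous journal history together with the persisted `/etc/machine-id` from the systemd.nix hunk, because journald names its directory under `/var/log/journal/` after the machine id; that dependency is worth stating so neither entry is removed on its own, e.g. `# keep with ark.files /etc/machine-id (systemd.nix): journald keys /var/log/journal/<id> on it`. Persisting logs across the tmpfs root is also what makes post-incident review possible on such a host, so it is the right default for the profile. The `config = mkIf cfg.enable { … }` body continues outside the hunk.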
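Review bot: The switch to `pkgs.linuxPackages_latest` removes the only comment that explained the kernel choice, and the commit message (`2023-02-02`) gives no reason either, so the next reader cannot tell whether xanmod was dropped for a reason that would also argue against re-adding it. A one-line comment recording the decision would fix that, e.g. `# mainline kernel; the out-of-tree xanmod patch set was dropped because <reason>` with the reason filled in. The mitigations comment that follows is unchanged context, and the `boot` attribute set continues outside the hunk.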
@@ -72,16 +72,60 @@ with lib; {
 initrd.kernelModules = ["nvme"];
 };
+ # Filesystem creation:
+ # ```
+ # mkfs.vfat -F 32 -l nixos-boot /dev/nvmeXnYpZ
+ #
+ # zpool create
+ # -o ashift=12
+ # -o autotrim=on
+ # -O acltype=posixacl
+ # -O xattr=sa
+ # -O compression=zstd
+ # -O atime=off
+ # -O relatime=off
+ # -O devices=off
+ # -O canmount=off
+ # -O mountpoint=none
+ # nixos
+ # /dev/nvmeXnYpZ
+ #
+ # zfs create
+ # nixos/root
+ #
+ # zfs create
+ # -o mountpoint=legacy
+ # -o relatime=on
+ # -o encryption=on
+ # -o keyformat=passphrase
+ # nixos/root/ark
+ #
+ # zfs create
+ # -o mountpoint=legacy
+ # nixos/root/nix
+ # ```
 fileSystems = {
 "/boot" = {
- device = "/dev/disk/by-uuid/FF1E-9CFD";
+ device = "/dev/disk/by-uuid/1363-02E6";
 fsType = "vfat";
 };
 "/" = {
- device = "/dev/disk/by-uuid/20276c1b-7e46-430b-b741-2f4aeb76bc51";
- fsType = "xfs";
- options = ["noatime"];
+ device = "none";
+ fsType = "tmpfs";
+ options = ["size=8G" "mode=755"];
+ };
+
+ "/ark" = {
+ device = "nixos/root/ark";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ "/nix" = {
+ device = "nixos/root/nix";
+ fsType = "zfs";
+ neededForBoot = true;
 };
 };
diff --git a/nixosConfigurations/yavanna/default.nix b/nixosConfigurations/yavanna/default.nix
index d347c61..3073caa 100644
--- a/nixosConfigurations/yavanna/default.nix
+++ b/nixosConfigurations/yavanna/default.nix
@@ -27,8 +27,8 @@ with lib; {
 # automatically (IIRC) generated `hardware-configuration.nix' as is.
 #
 # There's, however, no indication that any NVME drives are being used and,
- # as the matter of fact, the VPS itself is KVM-shire, so... I'm still not
- # going to risk it.
+ # as the matter of fact, the VPS itself is on KVM, so... I'm still not going
+ # to risk it, though.
 #
 # [1]: https://github.com/elitak/nixos-infect
 initrd.availableKernelModules = ["nvme"];
-- 
cgit 1.4.1
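Review bot: The creation notes give `nixos/root/ark` `encryption=on` but create `nixos/root/nix` without it, so the Nix store sits in cleartext beside the encrypted persist dataset; that layout is defensible only as long as nothing secret is evaluated into the configuration, and `users.nix` still passes `hashedPassword` through module options, which NixOS serialises into a world-readable file in the store — on this layout readable offline without the passphrase. State the boundary in the comment block, e.g. `# /nix is deliberately unencrypted: anything secret belongs under /ark, never in the store`, and consider the file-based password option pointing into `/ark` so the hash leaves the store. The tmpfs root with `mode=755` and `neededForBoot = true` on both datasets look right, since the persisted paths have to exist before the bind-mounts run. The `boot` block above and the `fileSystems` set continue outside the hunk.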