Add nougat-2 host

2023-06-27 18:00:45 +02:00 · 2023-06-27 18:00:45 +02:00 · 6235162876
parent e3e8d01ee8
commit 6235162876
5 changed files with 200 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -138,6 +138,7 @@

            yule = pubsolaros ++ [users.yule];
            droppie = yule ++ [];
+            nougat-2 = yule ++ [];
          };
        };
      };
@ -171,6 +172,9 @@
        droppie = {
          sshUser = "yule";
        };
+        nougat-2 = {
+          sshUser = "yule";
+        };
      };
    };
 }
--- a/hosts/nougat-2/configuration.nix
+++ b/hosts/nougat-2/configuration.nix
@ -0,0 +1,96 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off"
+  ];
+  networking.hostName = "nougat-2";
+
+  # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
+  # but the hostname for each machine may be different, and mdadm's HOMEHOST
+  # setting defaults to '<system>' (using the system hostname).
+  # This results mdadm considering such disks as "foreign" as opposed to
+  # "local", and showing them as e.g. '/dev/md/hetzner:root0'
+  # instead of '/dev/md/root0'.
+  # This is mdadm's protection against accidentally putting a RAID disk
+  # into the wrong machine and corrupting data by accidental sync, see
+  # https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
+  # We do not worry about plugging disks into the wrong machine because
+  # we will never exchange disks between machines, so we tell mdadm to
+  # ignore the homehost entirely.
+  environment.etc."mdadm.conf".text = ''
+    HOMEHOST <ignore>
+    ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
+    ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
+  '';
+  # The RAIDs are assembled in stage1, so we need to make the config
+  # available there.
+  boot.initrd.services.swraid.enable = true;
+  boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 22;
+    authorizedKeys =
+      if psCfg.user.publicKeys != null
+      then psCfg.user.publicKeys
+      else [];
+    hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
+  };
+
+  # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
+  networking.useDHCP = false;
+  networking.interfaces."enp0s31f6".ipv4.addresses = [
+    {
+      address = "135.181.179.123";
+      prefixLength = 26;
+    }
+  ];
+  networking.defaultGateway = "135.181.179.65";
+
+  networking.interfaces."enp0s31f6".ipv6.addresses = [
+    #{
+    #  address = "2a01:4f9:3a:2170::1";
+    #  prefixLength = 64;
+    #}
+  ];
+  networking.defaultGateway6 = {
+    address = "fe80::1";
+    interface = "enp0s31f6";
+  };
+
+  networking.nameservers = ["8.8.8.8"];
+
+  # Initial empty root password for easy login:
+  users.users.root.initialHashedPassword = "";
+  users.users.root.openssh.authorizedKeys.keys =
+    if psCfg.user.publicKeys != null
+    then psCfg.user.publicKeys
+    else [];
+
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
--- a/hosts/nougat-2/default.nix
+++ b/hosts/nougat-2/default.nix
@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./nougat-2.nix
+    ]
+    ++ suites.nougat-2;
+}
--- a/hosts/nougat-2/hardware-configuration.nix
+++ b/hosts/nougat-2/hardware-configuration.nix
@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "dm-snapshot"
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "dm-raid"
+    "e1000e"
+  ];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  boot.initrd.luks.devices."ssd" = {
+    device = "/dev/disk/by-id/md-uuid-f8189c09:cb247cc7:22b79b5f:df888705";
+  };
+
+  boot.initrd.luks.devices."hdd" = {
+    device = "/dev/disk/by-id/md-uuid-85ed8a8e:9ddc5f09:c6ef6110:c00728fa";
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/cb88e8b9-be51-43eb-a51a-cd021c90771c";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3F6D-065E";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/f37e9f96-0174-4cac-a0bb-b63b2a67a4ad";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/nougat-2/nougat-2.nix
+++ b/hosts/nougat-2/nougat-2.nix
@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    hardware.cpu.intel.updateMicrocode = true;
+
+    pub-solar.core.disk-encryption-active = false;
+    pub-solar.core.lite = true;
+
+    security.sudo.extraRules = [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+  };
+}