From 0998d8294e21cd8bdc6ac94525df0aae51bb4b0d Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Mon, 9 Dec 2024 08:28:01 -0800 Subject: move each machine into a directory it will be easier to break down some configs. --- flake.nix | 2 +- justfile | 36 ++++-- nix/lib/mkSystem.nix | 2 +- nix/machines/hardware/vm-aarch64-utm.nix | 33 ----- nix/machines/hardware/vm-hetzner.nix | 24 ---- nix/machines/hardware/vm-synology.nix | 36 ------ nix/machines/hq-c02fk3q7md6t/default.nix | 8 ++ nix/machines/macbook-air-m2.nix | 13 -- nix/machines/macbook-pro-intel.nix | 8 -- nix/machines/mba-m2/default.nix | 13 ++ nix/machines/vm-aarch64.nix | 4 - nix/machines/vm-aarch64/default.nix | 5 + nix/machines/vm-aarch64/hardware.nix | 33 +++++ nix/machines/vm-hetzner.nix | 202 ------------------------------- nix/machines/vm-hetzner/default.nix | 202 +++++++++++++++++++++++++++++++ nix/machines/vm-hetzner/hardware.nix | 24 ++++ nix/machines/vm-synology.nix | 4 - nix/machines/vm-synology/default.nix | 5 + nix/machines/vm-synology/hardware.nix | 36 ++++++ 19 files changed, 351 insertions(+), 339 deletions(-) delete mode 100644 nix/machines/hardware/vm-aarch64-utm.nix delete mode 100644 nix/machines/hardware/vm-hetzner.nix delete mode 100644 nix/machines/hardware/vm-synology.nix create mode 100644 nix/machines/hq-c02fk3q7md6t/default.nix delete mode 100644 nix/machines/macbook-air-m2.nix delete mode 100644 nix/machines/macbook-pro-intel.nix create mode 100644 nix/machines/mba-m2/default.nix delete mode 100644 nix/machines/vm-aarch64.nix create mode 100644 nix/machines/vm-aarch64/default.nix create mode 100644 nix/machines/vm-aarch64/hardware.nix delete mode 100644 nix/machines/vm-hetzner.nix create mode 100644 nix/machines/vm-hetzner/default.nix create mode 100644 nix/machines/vm-hetzner/hardware.nix delete mode 100644 nix/machines/vm-synology.nix create mode 100644 nix/machines/vm-synology/default.nix create mode 100644 nix/machines/vm-synology/hardware.nix 
diff --git a/flake.nix b/flake.nix
index 178bc25..15cbde8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -92,7 +92,7 @@
 };
 # my personal MacBook Air
- darwinConfigurations.macbook-air-m2 = mkSystem "macbook-air-m2" {
+ darwinConfigurations.mba-m2 = mkSystem "mba-m2" {
 system = "aarch64-darwin";
 user = "fcuny";
 darwin = true;
diff --git a/justfile b/justfile
index 94877a0..992a107 100644
--- a/justfile
+++ b/justfile
@@ -3,18 +3,13 @@ SSH_OPTIONS := "-o PubkeyAuthentication=no -o UserKnownHostsFile=/dev/null -o St
 nixdisk := "vda"
 nixaddr := ""
+hostname := lowercase(`hostname -s`)
+
 
 # update dependencies
+[group('nix')]
 update-deps:
 nix flake update --commit-lock-file
 
-# build (and only build) the configuration for darwin
-build-darwin:
- darwin-rebuild build --flake .#$(hostname -s)
-
-# build and switch the configuration for darwin
-switch-darwin:
- darwin-rebuild switch --flake .#$(hostname -s)
-
 # a simple check to ensure the nix configuration is OK
 test-nix:
 nix flake check
@@ -24,11 +19,25 @@ test-nix:
 fmt:
 nix fmt
 
-build-wildcat:
- nixos-rebuild build --target-host fcuny.net --build-host fcuny.net --fast --use-remote-sudo --use-substitutes --flake .#wildcat
+[group('machines')]
+[macos]
+build:
+ darwin-rebuild build --flake .#{{hostname}}
+
+[group('machines')]
+[macos]
+switch:
+ darwin-rebuild switch --flake .#{{hostname}}
+
+[group('machines')]
+[linux]
+build:
+ nixos-rebuild build --flake .#{{hostname}}
 
-switch-wildcat:
- nixos-rebuild switch --target-host fcuny.net --build-host fcuny.net --fast --use-remote-sudo --use-substitutes --flake .#wildcat
+[group('machines')]
+[linux]
+switch:
+ nixos-rebuild switch --flake .#{{hostname}}
 
 vm-bootstrap:
 #!/usr/bin/env bash
@@ -61,5 +70,6 @@ vm-copy:
 rsync -av -e 'ssh {{SSH_OPTIONS}}' \
 --exclude='.git/' \
 --exclude='result' \
+ --exclude='.direnv/' \
 --rsync-path="sudo rsync" \
- $(dirname justfile)/ root@{{nixaddr}}:/nix-config
+ $(dirname justfile)/ {{nixaddr}}:/nix-config
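Review bot: `vm-copy` now sends the checkout to `{{nixaddr}}:/nix-config` while `nixaddr` defaults to `""`, so running it without `nixaddr=` yields the target `:/nix-config` and whatever error rsync/ssh happen to produce instead of a clear message; a first recipe line such as `@test -n "{{nixaddr}}" || { echo "set nixaddr=user@host" >&2; exit 1; }` fixes that. The `SSH_OPTIONS` this recipe uses (visible in the first hunk header) turn off host-key verification and key authentication, which is presumably intended for a VM that has just been bootstrapped; a comment on `vm-copy` stating it is only for that window, not for an already-deployed host, would keep it from being reused carelessly. The Linux `switch` recipe runs `nixos-rebuild switch` without elevation, unlike the removed `--use-remote-sudo` variant, so it only works from a root shell unless `sudo` is added or the requirement is documented.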
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index dbacac6..87af732 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -7,7 +7,7 @@ name:
 let
 # The config files for this system.
- machineConfig = ../machines/${name}.nix;
+ machineConfig = ../machines/${name};
 userOSConfig = ../users/${user}/${if darwin then "darwin" else "nixos"}.nix;
 userHMConfig = ../users/${user}/home-manager.nix;
 
 
diff --git a/nix/machines/hardware/vm-aarch64-utm.nix b/nix/machines/hardware/vm-aarch64-utm.nix
deleted file mode 100644
index 084cc74..0000000
--- a/nix/machines/hardware/vm-aarch64-utm.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }: {
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-label/boot";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp0s1.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}
diff --git a/nix/machines/hardware/vm-hetzner.nix b/nix/machines/hardware/vm-hetzner.nix
deleted file mode 100644
index 89a92a9..0000000
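Review bot: The comment `# The config files for this system.` above the changed line no longer says how the lookup works now that `name` resolves to a directory; `# Directory holding this machine's configuration; Nix loads <name>/default.nix from it.` would document the convention the rest of the commit relies on. A wrong `name` still fails at evaluation time with a missing-path error either way, so `nix flake check` (the `test-nix` recipe) remains the guard for the renames. Note that the flake.nix hunk in this commit renames only `macbook-air-m2`, while `macbook-pro-intel.nix` is replaced by `hq-c02fk3q7md6t/`; if a `mkSystem "macbook-pro-intel"` call still exists outside this diff it now points at a directory that does not exist.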
--- a/nix/machines/hardware/vm-hetzner.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ modulesPath, ... }: { - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - }; - - boot.initrd.kernelModules = [ "nvme" ]; - - fileSystems = { - "/" = { - device = "/dev/sda1"; - fsType = "ext4"; - }; - "/srv" = { - device = "/dev/disk/by-id/scsi-0HC_Volume_101115314"; - fsType = "ext4"; - }; - }; -} diff --git a/nix/machines/hardware/vm-synology.nix b/nix/machines/hardware/vm-synology.nix deleted file mode 100644 index 5511e98..0000000 --- a/nix/machines/hardware/vm-synology.nix +++ /dev/null 
@@ -1,36 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules =
- [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-label/boot";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/nix/machines/hq-c02fk3q7md6t/default.nix b/nix/machines/hq-c02fk3q7md6t/default.nix
new file mode 100644
index 0000000..001f3d5
--- /dev/null
+++ b/nix/machines/hq-c02fk3q7md6t/default.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+ imports = [ ../darwin-shared.nix ];
+
+ system.stateVersion = 5;
+
+ programs.fish.enable = true;
+ environment.shells = [ pkgs.fish ];
+}
diff --git a/nix/machines/macbook-air-m2.nix b/nix/machines/macbook-air-m2.nix
deleted file mode 100644
index 9b0265a..0000000
--- a/nix/machines/macbook-air-m2.nix
+++ /dev/null
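Review bot: The directory name `hq-c02fk3q7md6t` is now load-bearing: the justfile in this commit builds `.#{{hostname}}` from `lowercase(\`hostname -s\`)`, and unlike `mba-m2/default.nix` this file sets no `networking.hostName`, so nothing in the configuration pins the two together. A comment at the top such as `# Directory name must equal lowercase(hostname -s); the justfile derives the flake output from it.` would record the coupling. If the hostname is managed outside nix-darwin (which the serial-style name suggests but the diff does not show), saying so in the same comment explains why `hostName` is deliberately absent here.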
@@ -1,13 +0,0 @@
-{ pkgs, ... }: {
- imports = [ ./darwin-shared.nix ];
-
- system.stateVersion = 5;
-
- networking.hostName = "mba-fcuny";
-
- programs.fish.enable = true;
- environment.shells = [ pkgs.fish ];
-
- # brew packages I only want to get installed on this machine
- homebrew.casks = [ "zoom" ];
-}
diff --git a/nix/machines/macbook-pro-intel.nix b/nix/machines/macbook-pro-intel.nix
deleted file mode 100644
index 07b464e..0000000
--- a/nix/machines/macbook-pro-intel.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ pkgs, ... }: {
- imports = [ ./darwin-shared.nix ];
-
- system.stateVersion = 5;
-
- programs.fish.enable = true;
- environment.shells = [ pkgs.fish ];
-}
diff --git a/nix/machines/mba-m2/default.nix b/nix/machines/mba-m2/default.nix
new file mode 100644
index 0000000..72a4e8b
--- /dev/null
+++ b/nix/machines/mba-m2/default.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+ imports = [ ../darwin-shared.nix ];
+
+ system.stateVersion = 5;
+
+ networking.hostName = "mba-m2";
+
+ programs.fish.enable = true;
+ environment.shells = [ pkgs.fish ];
+
+ # brew packages I only want to get installed on this machine
+ homebrew.casks = [ "zoom" ];
+}
diff --git a/nix/machines/vm-aarch64.nix b/nix/machines/vm-aarch64.nix
deleted file mode 100644
index ac9c74e..0000000
--- a/nix/machines/vm-aarch64.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... }: {
- imports = [ ./hardware/vm-aarch64-utm.nix ./vm-shared.nix ];
- networking.hostName = "vm-aarch64";
-}
diff --git a/nix/machines/vm-aarch64/default.nix b/nix/machines/vm-aarch64/default.nix
new file mode 100644
index 0000000..302a80c
--- /dev/null
+++ b/nix/machines/vm-aarch64/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [ ./hardware.nix ../vm-shared.nix ];
+
+ networking.hostName = "vm-aarch64";
+}
diff --git a/nix/machines/vm-aarch64/hardware.nix b/nix/machines/vm-aarch64/hardware.nix
new file mode 100644
index 0000000..084cc74
--- /dev/null
+++ b/nix/machines/vm-aarch64/hardware.nix
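Review bot: `networking.hostName` goes from `mba-fcuny` to `mba-m2` in `mba-m2/default.nix` while the justfile in this commit selects the flake output from `lowercase(\`hostname -s\`)`; until the new configuration is activated the machine presumably still reports `mba-fcuny`, so `just switch` will look for `.#mba-fcuny` and fail, and the first activation has to be run by hand as `darwin-rebuild switch --flake .#mba-m2`. A comment on the hostName line would save the next person that surprise, e.g. `# must equal the directory name: the justfile picks the flake output from lowercase(hostname -s)`. Anything keyed on the old name elsewhere (known_hosts entries on other machines, for instance) is not covered by this commit.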
@@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ lib, modulesPath, ... }: { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} diff --git a/nix/machines/vm-hetzner.nix b/nix/machines/vm-hetzner.nix deleted file mode 100644 index a268779..0000000 --- a/nix/machines/vm-hetzner.nix +++ /dev/null 
@@ -1,202 +0,0 @@ -{ pkgs, lib, ... }: { - imports = [ ./hardware/vm-hetzner.nix ./vm-shared.nix ]; - - boot.tmp.cleanOnBoot = true; - zramSwap.enable = true; - - networking.hostName = "vm-hetzner"; - networking.domain = "net"; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi" - ]; - - # This file was populated at runtime with the networking - # details gathered from the active system. - networking = { - nameservers = - [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.1" ]; - defaultGateway = "172.31.1.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "eth0"; - }; - dhcpcd.enable = false; - usePredictableInterfaceNames = lib.mkForce false; - interfaces = { - eth0 = { - ipv4.addresses = [{ - address = "5.78.87.68"; - prefixLength = 32; - }]; - ipv6.addresses = [ - { - address = "2a01:4ff:1f0:d1a3::1"; - prefixLength = 64; - } - { - address = "fe80::9400:3ff:fe98:d6dc"; - prefixLength = 64; - } - ]; - ipv4.routes = [{ - address = "172.31.1.1"; - prefixLength = 32; - }]; - ipv6.routes = [{ - address = "fe80::1"; - prefixLength = 128; - }]; - }; - - }; - firewall.allowedTCPPorts = [ - 22 # ssh - 80 # nginx - 443 # nginx - ]; - }; - services.udev.extraRules = '' - ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0" - - ''; - - security.acme = { - defaults.email = "acme@fcuny.net"; - acceptTerms = true; - }; - - # FIXME: I also ran the following as the git user: - # git config --global init.defaultBranch main - # to ensure that new repositories are created with the default - # branch set to `main'. - # TODO(fcuny): I could create the configuration file to set the default branch - services.gitolite = { - enable = true; - adminPubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; - user = "git"; - group = "git"; - extraGitoliteRc = '' - # Make dirs/files group readable, needed for webserver/cgit. (Default - # setting is 0077.) 
- $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner'; - $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"; - push( @{$RC{ENABLE}}, 'symbolic-ref' ); - ''; - }; - - services.cgit.main = { - enable = true; - package = pkgs.cgit-pink; - user = "git"; - group = "git"; - nginx.virtualHost = "git.fcuny.net"; - scanPath = "/var/lib/gitolite/repositories"; - settings = { - css = "/cgit.css"; - logo = "/cgit.png"; - favicon = "/favicon.ico"; - robots = "noindex, nofollow"; - readme = ":README.md"; - project-list = "/var/lib/gitolite/projects.list"; - about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; - source-filter = - "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; - clone-url = - (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]); - enable-log-filecount = 1; - enable-log-linecount = 1; - enable-git-config = 1; - enable-blame = 1; - enable-commit-graph = 1; - enable-follow-links = 1; - enable-index-links = 1; - enable-remote-branches = 1; - enable-subject-links = 1; - enable-tree-linenumbers = 1; - max-atom-items = 108; - max-commit-count = 250; - max-repo-count = 500; - repository-sort = "age"; - snapshots = "tar.gz"; - root-title = "¯\\_(ツ)_/¯"; - root-desc = "source code of my various projects"; - }; - }; - - virtualisation.oci-containers.containers.excalidraw = { - autoStart = true; - image = "excalidraw/excalidraw:latest"; - environment = { TZ = "America/Los_Angeles"; }; - ports = [ "127.0.0.1:3030:80" ]; - extraOptions = [ "--pull=always" ]; - }; - - services.nginx = { - enable = true; - - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - - virtualHosts = { - "fcuny.net" = { - # make it the default site: if a request goes through nginx - # without a host header, this will be the default site we serve - # for that request. 
- default = true; - forceSSL = true; - enableACME = true; - locations = { - "/" = { root = "/srv/www/fcuny.net"; }; - "/.well-known/acme-challenge" = { - root = "/var/lib/acme/acme-challenges"; - }; - }; - }; - "git.fcuny.net" = { - forceSSL = true; - enableACME = true; - locations = { - "/.well-known/acme-challenge" = { - root = "/var/lib/acme/acme-challenges"; - }; - }; - }; - "draw.fcuny.net" = { - forceSSL = true; - enableACME = true; - locations = { - "/".proxyPass = "http://127.0.0.1:3030"; - "/.well-known/acme-challenge" = { - root = "/var/lib/acme/acme-challenges"; - }; - }; - }; - }; - }; - - services.restic.backups.git = { - user = "fcuny"; - passwordFile = "/etc/restic.pw"; - repository = "/srv/backups/git"; - initialize = true; - paths = [ "/var/lib/gitolite" ]; - exclude = [ - "/var/lib/gitolite/.bash_history" - "/var/lib/gitolite/.ssh" - "/var/lib/gitolite/.viminfo" - ]; - extraBackupArgs = [ "--exclude-caches" "--compression=max" ]; - timerConfig = { OnCalendar = "*:0/30"; }; - pruneOpts = [ - "--keep-hourly 36" - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; - }; -} diff --git a/nix/machines/vm-hetzner/default.nix b/nix/machines/vm-hetzner/default.nix new file mode 100644 index 0000000..a268779 --- /dev/null +++ b/nix/machines/vm-hetzner/default.nix 
@@ -0,0 +1,202 @@
+{ pkgs, lib, ... }: {
+ imports = [ ./hardware/vm-hetzner.nix ./vm-shared.nix ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = "vm-hetzner";
+ networking.domain = "net";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers =
+ [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.1" ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [{
+ address = "5.78.87.68";
+ prefixLength = 32;
+ }];
+ ipv6.addresses = [
+ {
+ address = "2a01:4ff:1f0:d1a3::1";
+ prefixLength = 64;
+ }
+ {
+ address = "fe80::9400:3ff:fe98:d6dc";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [{
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }];
+ ipv6.routes = [{
+ address = "fe80::1";
+ prefixLength = 128;
+ }];
+ };
+
+ };
+ firewall.allowedTCPPorts = [
+ 22 # ssh
+ 80 # nginx
+ 443 # nginx
+ ];
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0"
+
+ '';
+
+ security.acme = {
+ defaults.email = "acme@fcuny.net";
+ acceptTerms = true;
+ };
+
+ # FIXME: I also ran the following as the git user:
+ # git config --global init.defaultBranch main
+ # to ensure that new repositories are created with the default
+ # branch set to `main'.
+ # TODO(fcuny): I could create the configuration file to set the default branch
+ services.gitolite = {
+ enable = true;
+ adminPubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ services.cgit.main = {
+ enable = true;
+ package = pkgs.cgit-pink;
+ user = "git";
+ group = "git";
+ nginx.virtualHost = "git.fcuny.net";
+ scanPath = "/var/lib/gitolite/repositories";
+ settings = {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ robots = "noindex, nofollow";
+ readme = ":README.md";
+ project-list = "/var/lib/gitolite/projects.list";
+ about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+ source-filter =
+ "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url =
+ (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]);
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ enable-blame = 1;
+ enable-commit-graph = 1;
+ enable-follow-links = 1;
+ enable-index-links = 1;
+ enable-remote-branches = 1;
+ enable-subject-links = 1;
+ enable-tree-linenumbers = 1;
+ max-atom-items = 108;
+ max-commit-count = 250;
+ max-repo-count = 500;
+ repository-sort = "age";
+ snapshots = "tar.gz";
+ root-title = "¯\\_(ツ)_/¯";
+ root-desc = "source code of my various projects";
+ };
+ };
+
+ virtualisation.oci-containers.containers.excalidraw = {
+ autoStart = true;
+ image = "excalidraw/excalidraw:latest";
+ environment = { TZ = "America/Los_Angeles"; };
+ ports = [ "127.0.0.1:3030:80" ];
+ extraOptions = [ "--pull=always" ];
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "fcuny.net" = {
+ # make it the default site: if a request goes through nginx
+ # without a host header, this will be the default site we serve
+ # for that request.
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = { root = "/srv/www/fcuny.net"; };
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "git.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "draw.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:3030";
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ };
+ };
+
+ services.restic.backups.git = {
+ user = "fcuny";
+ passwordFile = "/etc/restic.pw";
+ repository = "/srv/backups/git";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
+ timerConfig = { OnCalendar = "*:0/30"; };
+ pruneOpts = [
+ "--keep-hourly 36"
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+}
diff --git a/nix/machines/vm-hetzner/hardware.nix b/nix/machines/vm-hetzner/hardware.nix
new file mode 100644
index 0000000..89a92a9
--- /dev/null
+++ b/nix/machines/vm-hetzner/hardware.nix
@@ -0,0 +1,24 @@
+{ modulesPath, ... }: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ boot.initrd.kernelModules = [ "nvme" ];
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+ "/srv" = {
+ device = "/dev/disk/by-id/scsi-0HC_Volume_101115314";
+ fsType = "ext4";
+ };
+ };
+}
diff --git a/nix/machines/vm-synology.nix b/nix/machines/vm-synology.nix
deleted file mode 100644
index 643c821..0000000
--- a/nix/machines/vm-synology.nix
+++ /dev/null
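Review bot: The `imports` on the second line of `vm-hetzner/default.nix` still reads `./hardware/vm-hetzner.nix ./vm-shared.nix`, but the file now lives in `nix/machines/vm-hetzner/` where neither path exists (the hardware file became `./hardware.nix` in this same commit and `vm-shared.nix` is one level up), so evaluating the `vm-hetzner` configuration will fail on a missing path; it should be `imports = [ ./hardware.nix ../vm-shared.nix ];` as `vm-aarch64/default.nix` and `vm-synology/default.nix` already do. The blob id `a268779` is the same as the deleted `nix/machines/vm-hetzner.nix`, consistent with the file having been moved without edits. Separately, the excalidraw container uses `excalidraw/excalidraw:latest` with `--pull=always`, so every restart silently deploys whatever upstream last pushed, on a host that exposes it via `draw.fcuny.net` on 80/443; pinning a tag or `@sha256:` digest, or at least a comment acknowledging the trade-off, would be worth adding. That part is pre-existing content rather than something this commit introduced.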
@@ -1,4 +0,0 @@
-{ ... }: {
- imports = [ ./hardware/vm-synology.nix ./vm-shared.nix ];
- networking.hostName = "vm-synology";
-}
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
new file mode 100644
index 0000000..928ab86
--- /dev/null
+++ b/nix/machines/vm-synology/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [ ./hardware.nix ../vm-shared.nix ];
+
+ networking.hostName = "vm-synology";
+}
diff --git a/nix/machines/vm-synology/hardware.nix b/nix/machines/vm-synology/hardware.nix
new file mode 100644
index 0000000..5511e98
--- /dev/null
+++ b/nix/machines/vm-synology/hardware.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
-- 
cgit 1.4.1