From bd128d43b0cd35543c8ce1b0d7ad6e92128b1cfc Mon Sep 17 00:00:00 2001
From: Malte Tammena
Date: Sun, 10 Sep 2023 00:34:14 +0200
Subject: [PATCH] fixes and new stuff
---
 flake.nix | 3 +-
 hardware/intel-nuc.nix | 95 ++---------------------------
 hosts/cerithium-telescopium.nix | 31 ++++++++++
 hosts/chrysomallon-squamiferum.nix | 34 +++++++++++
 hosts/granodomus-lima.nix | 1 +
 modules/base-system.nix | 1 -
 modules/scanner.nix | 29 ---------
 overlays/sane-backends.nix | 22 -------
 pkgs/netboot.nix | 42 +++++++++++++
 9 files changed, 115 insertions(+), 143 deletions(-)
 create mode 100644 hosts/cerithium-telescopium.nix
 create mode 100644 hosts/chrysomallon-squamiferum.nix
 delete mode 100644 modules/scanner.nix
 delete mode 100644 overlays/sane-backends.nix
 create mode 100644 pkgs/netboot.nix
diff --git a/flake.nix b/flake.nix
index 484c886..41fccf6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -109,7 +109,6 @@
 netcat-openbsd = super.libressl.nc;
 })
 (import ./overlays/qmk-udev-rules.nix)
- (import ./overlays/sane-backends.nix)
 (import ./overlays/logisim.nix)
 (import ./overlays/fzf-kak.nix)
 (import ./overlays/prometheus-fritzbox-exporter.nix)
@@ -161,7 +160,7 @@
 pkgFiles = builtins.attrNames (builtins.readDir ./pkgs);
 toPackage = file: {
 name = builtins.replaceStrings [".nix"] [""] file;
- value = pkgs.callPackage ./pkgs/${file} {};
+ value = pkgs.callPackage ./pkgs/${file} {inherit inputs;};
 };
 in
 builtins.listToAttrs (builtins.map toPackage pkgFiles);
diff --git a/hardware/intel-nuc.nix b/hardware/intel-nuc.nix
index b412dd5..aa4720f 100644
--- a/hardware/intel-nuc.nix
+++ b/hardware/intel-nuc.nix
@@ -1,6 +1,4 @@
 {
- lib,
- pkgs,
 modulesPath,
 ...
 }:
@@ -15,97 +13,16 @@
 
 # === Internal drive ===
 fileSystems."/" = {
- device = "zroot/safe/root";
- fsType = "zfs";
- };
-
- fileSystems."/nix" = {
- device = "zroot/local/nix";
- fsType = "zfs";
- };
-
- fileSystems."/var/log/journal" = {
- device = "zroot/safe/journal";
- fsType = "zfs";
+ device = "/dev/disk/by-label/root";
+ fsType = "ext4";
 };
 
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/8BB2-9DCB";
+ device = "/dev/disk/by-label/esp";
 fsType = "vfat";
 };
 
- # === Swap ===
- swapDevices = [{device = "/dev/disk/by-uuid/efc7e294-1c18-4dd9-aca5-f868eb9c47fc";}];
+ swapDevices = [
+ {device = "/dev/disk/by-label/swap";}
+ ];
 }
-// (
- # === External drives ===
- let
- cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
- unlockLuksService = label: keyfile:
- lib.attrsets.recursiveUpdate {
- description = "Unlock luks encrypted device '${label}'";
- bindsTo = ["dev-${label}.device"];
- after = ["dev-${label}.device"];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStart = ''
- ${cryptsetup} luksOpen --key-file ${keyfile} /dev/${label} ${label}opened
- '';
- ExecStop = ''
- ${cryptsetup} luksClose ${label}opened
- '';
- };
- };
-
- disks = {
- FRA = "8ae45289-82ed-4cf1-9d68-a0e26e5d9bb5";
- BER = "85ce2e58-72fc-4a66-a376-565bb4fc39a1";
- HND = "4a3765fc-155e-453d-a348-d1782447bcfe";
- LEJ = "5e3c2c1e-73f6-43e6-b8f3-71c923cbeb6d";
- };
- in {
- # Unlock all luks devices and import the zfs pools if necessary
- systemd.services."luks-open-FRA" =
- unlockLuksService "FRA" "/root/keys/fra" {};
- systemd.services."luks-open-BER" = unlockLuksService "BER" "/root/keys/ber" {
- serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zBER";
- };
- systemd.services."luks-open-HND" = unlockLuksService "HND" "/root/keys/hnd" {
- serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zHND";
- };
- systemd.services."luks-open-LEJ" =
- unlockLuksService "LEJ" "/root/keys/lej" {};
-
- systemd.mounts = [
- {
- what = "/dev/mapper/FRAopened";
- where = "/srv/fra";
- type = "ext4";
- wantedBy = ["default.target"];
- requires = ["luks-open-FRA.service"];
- after = ["luks-open-FRA.service"];
- }
- {
- what = "/dev/mapper/vg_lej-lv_lej";
- where = "/srv/lej";
- type = "ext4";
- wantedBy = ["default.target"];
- requires = ["luks-open-LEJ.service"];
- after = ["luks-open-LEJ.service"];
- }
- ];
-
- # Add udev rules for every disk
- services.udev.customRules = [
- {
- name = "85-rename-and-unlock-disks";
- rules = lib.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
- (alias: uuid: ''
- SUBSYSTEM=="block", ENV{ID_FS_UUID}=="${uuid}", SYMLINK+="${alias}", TAG+="systemd"
- '')
- disks);
- }
- ];
- }
-)
diff --git a/hosts/cerithium-telescopium.nix b/hosts/cerithium-telescopium.nix
new file mode 100644
index 0000000..e9beb2f
--- /dev/null
+++ b/hosts/cerithium-telescopium.nix
@@ -0,0 +1,31 @@
+{
+ pkgs,
+ ...
+}: {
+ imports = [
+ ../hardware/intel-nuc.nix
+ ];
+ config = {
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "cerithium-telescopium";
+ networking.networkmanager.enable = true;
+
+ users.extraUsers.kodi.isNormalUser = true;
+
+ services.cage = {
+ enable = true;
+ program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
+ user = "kodi";
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+ };
+}
diff --git a/hosts/chrysomallon-squamiferum.nix b/hosts/chrysomallon-squamiferum.nix
new file mode 100644
index 0000000..d0d333d
--- /dev/null
+++ b/hosts/chrysomallon-squamiferum.nix
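Review bot: The new root, ESP and swap entries in `hardware/intel-nuc.nix` select devices by filesystem label (`/dev/disk/by-label/root`, `esp`, `swap`), while the entries they replace used `/dev/disk/by-uuid/…`. Labels are not unique, so any other attached disk or USB medium carrying a `root` or `swap` label can be picked at boot instead of the intended partition, which is a reliability problem and, for swap, means writing to whatever device matched. Prefer `by-uuid` or `by-partuuid` values here, or at least record the assumption next to the entries: `# by-label: assumes no other attached device uses these labels`. Since this module is now imported by `hosts/cerithium-telescopium.nix` in the same commit, the choice applies to that machine as well.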
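Review bot: `users.extraUsers.kodi.isNormalUser = true;` uses the legacy `users.extraUsers` alias, while the other new host in this commit (`hosts/chrysomallon-squamiferum.nix`) writes `users.users`; `users.users.kodi.isNormalUser = true;` keeps both hosts on the current option name. The `kodi` account is created without a password or extra groups here, which is appropriate for a cage kiosk user as long as nothing else grants it more; a one-line comment such as `# Unprivileged kiosk account; cage launches kodi as this user, no interactive login intended` makes that intent visible to the next reader.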
@@ -0,0 +1,34 @@
+{
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/netboot/netboot-minimal.nix")
+ ];
+
+ config = {
+ networking.hostName = "chrysomallon-squamiferum";
+ networking.networkmanager.enable = true;
+ networking.wireless.enable = false;
+ networking.firewall.enable = false;
+ settings.ssh.openOutsideVPN = true;
+
+ users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
+
+ environment.systemPackages = with pkgs; [
+ # For special computers
+ chntpw
+ # For testing
+ # geekbench
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+ };
+}
diff --git a/hosts/granodomus-lima.nix b/hosts/granodomus-lima.nix
index dde5f56..b0e2485 100644
--- a/hosts/granodomus-lima.nix
+++ b/hosts/granodomus-lima.nix
@@ -75,6 +75,7 @@
 ${point "time" faunus-ater}
 ${point "todo" faunus-ater}
 ${point "support" faunus-ater}
+ ${point "config" faunus-ater}
 '';
 };
 };
diff --git a/modules/base-system.nix b/modules/base-system.nix
index c0fad1f..d06ac79 100644
--- a/modules/base-system.nix
+++ b/modules/base-system.nix
@@ -24,7 +24,6 @@ in {
 ./deck.nix
 ./radicale.nix
 ./restic.nix
- ./scanner.nix
 ./taskserver.nix
 ./wakeup.nix
 ./darkman.nix
diff --git a/modules/scanner.nix b/modules/scanner.nix
deleted file mode 100644
index 675b9da..0000000
--- a/modules/scanner.nix
+++ /dev/null
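Review bot: `networking.firewall.enable = false;` switches the firewall off for a network-booted image that in the same block authorizes an SSH key for the `nixos` user and sets `settings.ssh.openOutsideVPN = true;`, so every service listening on the booted machine is reachable from the whole netboot segment, not just sshd. If SSH access is all that is needed, the line can go: the NixOS firewall already opens the SSH port when openssh is enabled (`services.openssh.openFirewall` defaults to true), and anything else can be listed in `networking.firewall.allowedTCPPorts`; if the firewall really has to stay off for this host's purpose, a comment giving the reason belongs right above the line. It is also worth confirming what the `netboot-minimal` installer profile brings along for the `nixos` account (passwordless wheel sudo and an empty initial password, as far as I recall) before exposing it over SSH this way.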
@@ -1,29 +0,0 @@
-{pkgs, ...}: let
- # TODO: Can I specify this in a better way?
- device = "gt68xx";
-
- scan-a4 = pkgs.writeShellApplication {
- name = "scan-a4";
- runtimeInputs = with pkgs; [
- sane-backends
- imagemagick
- ];
- text = ''
- if [[ -z $1 ]]; then
- echo "Missing filename"
- exit 1
- fi
-
- scanimage --device-name ${device} \
- -x 210 \
- -y 297 \
- -o /tmp/last-scan.png \
- --resolution 150 || exit 2
- convert /tmp/last-scan.png "$1" || exit 3
- '';
- };
-in {
- hardware.sane.enable = true;
-
- environment.systemPackages = [scan-a4];
-}
diff --git a/overlays/sane-backends.nix b/overlays/sane-backends.nix
deleted file mode 100644
index e8cb211..0000000
--- a/overlays/sane-backends.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-self: super: {
- sane-backends-old = super.sane-backends;
- sane-backends =
- (super.sane-backends.override {
- extraFirmware = [
- {
- src = super.fetchurl {
- url = "www.meier-geinitz.de/sane/gt68xx-backend/firmware/sbfw.usb";
- sha256 = "12hnacivpy153alfjyr7k92y90nmb5d7z1ca7aix5w7wi0w4jdjv";
- };
- name = "sbfw.usb";
- backend = "gt68xx";
- }
- ];
- })
- .overrideAttrs (old: {
- patches = (old.patches or []) ++ [../patches/gt68xx.conf.patch];
- });
- libreoffice-fresh = super.lib.recursiveUpdate super.libreoffice-fresh (super.libreoffice-fresh.libreoffice.override {
- sane-backends = self.sane-backends-old;
- });
-}
diff --git a/pkgs/netboot.nix b/pkgs/netboot.nix
new file mode 100644
index 0000000..59bb3a2
--- /dev/null
+++ b/pkgs/netboot.nix
@@ -0,0 +1,42 @@
+{
+ writeShellApplication,
+ pixiecore,
+ nix,
+ iptables,
+ inputs,
+ build ? inputs.self.nixosConfigurations.chrysomallon-squamiferum.config.system.build,
+ ...
+}: let
+netboot = writeShellApplication {
+ name = "netboot";
+ runtimeInputs = [pixiecore];
+ text = ''
+ exec pixiecore boot \
+ ${build.kernel}/bzImage \
+ ${build.netbootRamdisk}/initrd \
+ --cmdline "init=${build.toplevel}/init loglevel=4" \
+ --dhcp-no-bind \
+ --debug \
+ --port 64172 \
+ --status-port 64172 \
+ "$@"
+ '';
+}; in writeShellApplication {
+ name = "run-netboot-server";
+ runtimeInputs = [
+ netboot
+ nix
+ iptables
+ ];
+ text = ''
+ # Open required firewall ports
+ sudo iptables -w -I nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
+ sudo iptables -w -I nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
+
+ sudo netboot || echo "Closed netboot"
+
+ # Close ports
+ sudo iptables -w -D nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
+ sudo iptables -w -D nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
+ '';
+}
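Review bot: The `run-netboot-server` script in `pkgs/netboot.nix` removes the two `nixos-fw` ACCEPT rules only if execution reaches the `-D` lines; `writeShellApplication` runs with `set -euo pipefail`, so a failing second `-I`, or `sudo netboot` being interrupted by a signal, can leave 67,69,4011/udp and 64172/tcp accepted from any source on every interface until the next reboot. Registering the cleanup with `trap … EXIT` makes it run on every exit path, and binding the rules to the interface pixiecore actually serves on (`-i`) would narrow the exposure while the server is up. `sudo netboot` also depends on sudo keeping the wrapper's PATH so that `netboot` from `runtimeInputs` is found; if `secure_path` is in effect, `sudo "$(command -v netboot)"` is the robust form.
```nix
  # … unchanged: name and runtimeInputs …
  text = ''
    open_ports() {
      sudo iptables -w -I nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
      sudo iptables -w -I nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
    }
    close_ports() {
      sudo iptables -w -D nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
      sudo iptables -w -D nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
    }
    # Runs on every exit path (normal exit, set -e failure, signal), so the
    # rules never outlive the server process.
    trap close_ports EXIT
    open_ports
    sudo netboot || echo "Closed netboot"
  '';
```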