From c056588475d58b0fcac74be664ae391e70611690 Mon Sep 17 00:00:00 2001
From: iFargle
Date: Tue, 19 Dec 2023 11:17:00 +0900
Subject: [PATCH] Add nuc-server, make docker/podman common services
---
flake.nix | 3 +
.../services}/docker.nix | 13 -----
.../services}/podman.nix | 0
nixos/hosts/framework-server/default.nix | 4 +-
nixos/hosts/nuc-server/cron.nix | 57 +++++++++++++++++++
nixos/hosts/nuc-server/default.nix | 55 ++++++++++++++++++
nixos/hosts/nuc-server/disks.nix | 57 +++++++++++++++++++
nixos/hosts/nuc-server/mounts.nix | 14 +++++
8 files changed, 188 insertions(+), 15 deletions(-)
rename nixos/{hosts/framework-server => common/services}/docker.nix (63%)
rename nixos/{hosts/framework-server => common/services}/podman.nix (100%)
create mode 100644 nixos/hosts/nuc-server/cron.nix
create mode 100644 nixos/hosts/nuc-server/default.nix
create mode 100644 nixos/hosts/nuc-server/disks.nix
create mode 100644 nixos/hosts/nuc-server/mounts.nix
diff --git a/flake.nix b/flake.nix
index 9b3af553..8b22f2e8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -45,6 +45,7 @@
 osaka-linode-01 = libx.mkHost { hostname = "osaka-linode-01"; type = "small"; };
 nixos-vm-01 = libx.mkHost { hostname = "nixos-vm-01"; };
 framework-server = libx.mkHost { hostname = "framework-server"; };
+ nuc-server = libx.mkHost { hostname = "nuc-server"; };
 nixos-desktop = libx.mkHost { hostname = "nixos-desktop"; desktop = "gnome"; gpu = "nvidia"; };
 nixos-framework = libx.mkHost { hostname = "nixos-framework"; desktop = "hyprland"; gpu = "amd"; theme = "green"; };
 backups-rpi4 = libx.mkHost { hostname = "backups-rpi4"; platform = "aarch64-linux"; type = "small"; };
@@ -54,6 +55,7 @@
 "albert@osaka-linode-01" = libx.mkHome { hostname = "osaka-linode-01"; };
 "albert@nixos-vm-01" = libx.mkHome { hostname = "nixos-vm-01"; };
 "albert@framework-server" = libx.mkHome { hostname = "framework-server"; };
+ "albert@nuc-server" = libx.mkHome { hostname = "nuc-server"; };
 "albert@nixos-desktop" = libx.mkHome { hostname = "nixos-desktop"; desktop = "gnome"; };
 "albert@nixos-framework" = libx.mkHome { hostname = "nixos-framework"; desktop = "hyprland"; theme = "green"; };
 "albert@backups-rpi4" = libx.mkHome { hostname = "backups-rpi4"; platform = "aarch64-linux"; type = "small"; };
@@ -63,6 +65,7 @@
 osaka-linode-01 = libx.deploy { hostname = "osaka-linode-01"; };
 nixos-vm-01 = libx.deploy { hostname = "nixos-vm-01"; };
 framework-server = libx.deploy { hostname = "framework-server"; };
+ # nuc-server = libx.deploy { hostname = "nuc-server"; };
 # nixos-desktop = libx.deploy { hostname = "nixos-desktop"; };
 # nixos-framework = libx.deploy { hostname = "nixos-framework"; };
 backups-rpi4 = libx.deploy { hostname = "backups-rpi4"; platform = "aarch64-linux"; };
diff --git a/nixos/hosts/framework-server/docker.nix b/nixos/common/services/docker.nix
similarity index 63%
rename from nixos/hosts/framework-server/docker.nix
rename to nixos/common/services/docker.nix
index 42b45fbb..3ed70f97 100644
--- a/nixos/hosts/framework-server/docker.nix
+++ b/nixos/common/services/docker.nix
@@ -18,17 +18,4 @@
 ctop
 inputs.compose2nix.packages.x86_64-linux.default
 ];
-
- networking.firewall.allowedUDPPorts = [
- 3478 # Headscale DERP UDP
- 10000 # Jitsi
- ];
- networking.firewall.allowedTCPPorts = [
- 80 # HTTP
- 443 # HTTPS
- 42420 # Vintage Story
- 25565 # Minecraft
- 1443 # Headscale DERP
- 4443 # Jitsi
- ];
 }
diff --git a/nixos/hosts/framework-server/podman.nix b/nixos/common/services/podman.nix
similarity index 100%
rename from nixos/hosts/framework-server/podman.nix
rename to nixos/common/services/podman.nix
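Review bot: With docker.nix now a shared module, the context line `inputs.compose2nix.packages.x86_64-linux.default` hard-codes one platform, so any aarch64 host that imports it (the flake already defines `backups-rpi4` on aarch64-linux) would fail evaluation; since nuc-server/default.nix in this same patch already uses `inputs.deploy-rs.packages.${platform}.deploy-rs`, `inputs.compose2nix.packages.${platform}.default` would be the consistent form, provided `platform` is passed to this module too. The firewall openings removed here (80, 443, 3478/udp, 25565, …) are not re-added anywhere in the patch, so framework-server stops accepting those ports once it imports the common module — if that is not intended, they belong in nixos/hosts/framework-server/default.nix rather than in a module shared by every host. The opening of the attribute set and the start of `environment.systemPackages` are outside the hunk.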
diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index e606d087..c89f02e7 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -2,13 +2,13 @@
 imports = [
 inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
 (modulesPath + "/installer/scan/not-detected.nix")
- ./disks.nix
 ../../common/modules/secureboot.nix
 ../../common/modules/udev-rules.nix
 ../../common/services/fwupd.nix
 ../../common/modules/ssh-luks.nix
+ ../../common/services/docker.nix
+ ./disks.nix
 ./builder.nix
- ./docker.nix
 ./wireguard.nix
 ./cron.nix
 ];
diff --git a/nixos/hosts/nuc-server/cron.nix b/nixos/hosts/nuc-server/cron.nix
new file mode 100644
index 00000000..4f879780
--- /dev/null
+++ b/nixos/hosts/nuc-server/cron.nix
@@ -0,0 +1,57 @@
+{ pkgs, ... }: {
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ # Back up Local-Storage to NFS Storage
+ "0 9 * * * root rsync -avr /Local-Storage/Data/Docker/ifargle.com/vpn-stack/ /Storage/Data/Docker/ifargle.com/vpn-stack/"
+ # Back up running containers weekly
+ "0 0 * * * root rm -rf /Storage/Backups/Docker/ifargle.com/*; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | cat > /Storage/Backups/Docker/ifargle.com/$i.tar.gz; done"
+ # Restart the VPN stack
+ "0 0 * * * root /Storage/Data/docker-compose/ifargle.com/scripts/restart-vpn.sh"
+ ];
+ };
+
+# Old crontab:
+# @reboot /usr/bin/mount -a
+# @reboot /usr/sbin/modprobe ip_tables
+#
+# # Sync /Local-Storage/ to /Storage/
+# 0 9 * * * /usr/bin/rsync -avr /Local-Storage/Data/Docker/ifargle.com/vpn-stack/ /Storage/Data/Docker/ifargle.com/vpn-stack/
+#
+# # Sync sysctl.io's docker home:
+# # 0 7 * * * /usr/bin/rsync -avr --delete albert@framework-server:/Storage/Data/Docker/ /Storage/Data/Docker/
+
+# # Sync sysctl.io's nextcloud container InstantUpload directory
+# # 0 5 * * * /usr/bin/rsync -avr albert@framework-server:/Storage/Data/Docker/nextcloud/html/data/albert/files/InstantUpload/ /Storage/Video/Pictures/InstantUpload/
+# # 0 5 * * * /usr/bin/rsync -avr albert@framework-server:/Storage/Data/Docker/nextcloud/html/data/albert/files/Wallpapers/ /Storage/Video/Pictures/Wallpapers
+
+# # Restart VPN Stack
+# 0 0 * * * /Storage/Data/docker-compose/ifargle.com/scripts/restart-vpn.sh
+
+# # /usr/bin/reposync currently used repos
+# # RHEL / Rocky 8
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/appstream --download-metadata --repo=appstream
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/baseos --download-metadata --repo=baseos
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/docker-ce-stable --download-metadata --repo=docker-ce-stable
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/epel --download-metadata --repo=epel
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/extras --download-metadata --repo=extras
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/powertools --download-metadata --repo=powertools
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/rpmfusion-free-updates --download-metadata --repo=rpmfusion-free-updates
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/8/tailscale-stable --download-metadata --repo=tailscale-stable
+# # RHEL / Rocky 9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/appstream --download-metadata --repo=appstream --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/baseos --download-metadata --repo=baseos --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/docker-ce-stable --download-metadata --repo=docker-ce-stable --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/epel --download-metadata --repo=epel --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/extras --download-metadata --repo=extras --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/powertools --download-metadata --repo=powertools --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/rpmfusion-free-updates --download-metadata --repo=rpmfusion-free-updates --releasever=9
+# @daily /usr/bin/reposync -p /Storage/Data/Software/Repositories/RockyLinux/9/tailscale-stable --download-metadata --repo=tailscale-stable --releasever=9
+#
+#
+# # Back up the running containers weekly
+# @weekly source ~/.bashrc; rm -rf /Storage/Backups/Docker/ifargle.com/*; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | cat > /Storage/Backups/Docker/ifargle.com/$i.tar.gz; done
+#
+# # back up crontab:
+# 0 0 * * * /usr/bin/crontab -l > /Storage/Data/Temporary/crontab
+}
\ No newline at end of file
diff --git a/nixos/hosts/nuc-server/default.nix b/nixos/hosts/nuc-server/default.nix
new file mode 100644
index 00000000..8b7dc389
--- /dev/null
+++ b/nixos/hosts/nuc-server/default.nix
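Review bot: The container backup entry `"0 0 * * * root rm -rf /Storage/Backups/Docker/ifargle.com/*; for i in $(docker ps ...` runs every night even though its comment (and the `@weekly` line it replaces in the old crontab below) says weekly, and it fires in the same minute as the `restart-vpn.sh` job, so containers can be exported while that script is stopping them. Because the `rm -rf` runs before any new export has succeeded, a single failed run leaves no backup at all; scheduling it as `0 0 * * 0`, exporting into a fresh directory and only then removing the previous one, and running the loop under `set -o pipefail` (the `| cat >` adds nothing) would make a truncated `docker export` visible instead of silently producing a corrupt archive. This host imports podman.nix rather than docker.nix in default.nix, so whether `docker` resolves in cron's PATH depends on that module providing a docker-compatible shim — worth confirming before relying on the job. All three jobs write to NFS mountpoints declared in mounts.nix; if a share is not mounted at the scheduled minute, the rsync and the exports silently land on the local root filesystem under the mountpoint.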
@@ -0,0 +1,55 @@
+{ inputs, config, lib, pkgs, modulesPath, desktop, username, platform, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ../../common/modules/secureboot.nix
+ ../../common/modules/ssh-luks.nix
+ ../../common/services/podman.nix
+ ./disks.nix
+ ./mounts.nix
+ ./cron.nix
+ ];
+
+ environment.systemPackages = [
+ inputs.deploy-rs.packages.${platform}.deploy-rs
+ ];
+
+ # steam , etc
+ nixpkgs.config.allowUnfree = true;
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
+ boot.initrd.kernelModules = [ "r8152" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ # Set your time zone.
+ time.timeZone = "America/Los_Angeles";
+
+ # Set the networking hostname:
+ networking.hostName = "nuc-server";
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
+ # Set up the secrets file:
+ sops.secrets."tailscale_keys/nuc-server" = {
+ owner = "root";
+ sopsFile = ../../../secrets/tailscale.yaml;
+ restartUnits = [
+ "tailscaled.service"
+ "tailscaled-autoconnect.service"
+ ];
+ };
+ services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nuc-server";
+ services.tailscale.extraUpFlags = [
+ "--advertise-exit-node"
+ "--advertise-routes=10.2.0.0/24,192.168.1.13/32,192.168.1.14/32"
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ };
+}
diff --git a/nixos/hosts/nuc-server/disks.nix b/nixos/hosts/nuc-server/disks.nix
new file mode 100644
index 00000000..bec29eed
--- /dev/null
+++ b/nixos/hosts/nuc-server/disks.nix
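Review bot: `boot.kernel.sysctl` enables only `"net.ipv4.ip_forward"`, yet `extraUpFlags` advertises this node as an exit node and subnet router; Tailscale's exit-node guidance also requires `"net.ipv6.conf.all.forwarding" = true;`, otherwise IPv6 traffic from clients that pick this exit node is simply dropped. With forwarding on, the NixOS firewall's strict reverse-path filter is known to drop exit-node traffic as well, so `networking.firewall.checkReversePath = "loose";` is the usual companion setting — it is not present here and presumably not in the common tailscale module either, which is worth checking. Advertising `192.168.1.13/32` (the NFS server used in mounts.nix) makes that export reachable from every tailnet peer allowed by the ACLs; mounts.nix sets no `sec=`, so unless the export is Kerberos-protected any such peer can present arbitrary UIDs — restrict the route in the tailnet ACLs rather than relying on the LAN boundary. Separately, the comment `# steam , etc` above `nixpkgs.config.allowUnfree = true;` is copied from a desktop host and does not describe this headless server, and `desktop` and `username` in the module arguments are unused here.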
@@ -0,0 +1,57 @@
+{
+ imports = [ ../../common/services/snapper.nix ];
+
+ services.btrfs.autoScrub.enable = true;
+ services.btrfs.autoScrub.interval = "weekly";
+
+ disko.devices.disk.nvme0 = {
+ device = "/dev/nvme0n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "BOOT";
+ start = "0%";
+ end = "550MiB";
+ bootable = true;
+ flags = [ "esp" ];
+ fs-type = "fat32";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ } # partition 1 (ESP)
+ {
+ name = "LUKS";
+ start = "550MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "ROOT";
+ extraOpenArgs = [ "--allow-discards" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # root
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # home
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # nix
+ }; # subvolumes
+ }; # content.content
+ }; # content
+ } # partition 2 (/ BTRFS)
+ ]; # partitions
+ }; # content
+ }; # disko.devices.disk.nvme0
+} # root
diff --git a/nixos/hosts/nuc-server/mounts.nix b/nixos/hosts/nuc-server/mounts.nix
new file mode 100644
index 00000000..bed2ef66
--- /dev/null
+++ b/nixos/hosts/nuc-server/mounts.nix
@@ -0,0 +1,14 @@
+{
+ filesystems."/Storage/Data" = {
+ device = "192.168.1.13:/Data";
+ fsType = "nfs";
+ };
+ filesystems."/Storage/Video" = {
+ device = "192.168.1.13:/Video";
+ fsType = "nfs";
+ };
+ filesystems."/Storage/Backups" = {
+ device = "192.168.1.13:/Backups";
+ fsType = "nfs";
+ };
+}
\ No newline at end of file
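Review bot: The ESP content block with `mountpoint = "/boot";` sets no mount options, so the vfat partition is mounted with default permissions and every local user can read the kernels and initrds it holds — including whatever the imported ssh-luks module embeds in the initrd for remote unlock, which presumably is an SSH host key; adding `mountOptions = [ "umask=0077" ];` next to `mountpoint` closes that (recent NixOS releases also emit a warning for a world-accessible /boot). `extraOpenArgs = [ "--allow-discards" ]` passes TRIM through the LUKS layer, which reveals the encrypted volume's free-space layout to the flash controller; that is a common trade-off for an SSD, but a one-line comment such as `# TRIM through LUKS: leaks free-space layout, accepted for SSD longevity` would record the decision. No `passwordFile`/`keyFile` is given for the LUKS container, so disko will prompt interactively when formatting; confirm that is the intended workflow alongside the ssh-luks remote unlock.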
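Review bot: `filesystems."/Storage/Data" = {` (and the two entries below it) uses a lowercase option name, but the NixOS option is `fileSystems`, so as written this module should fail evaluation with an unknown-option error; rename all three to `fileSystems."/Storage/..."`. Once renamed, the three NFS mounts carry no `options` at all, so they are hard, boot-time mounts: if 192.168.1.13 is unreachable at boot the unit fails and the boot stalls in emergency mode, and the cron jobs in cron.nix that write under these paths have nothing to stop them writing to the local mountpoint directory. `options = [ "nofail" "x-systemd.automount" "x-systemd.mount-timeout=30s" ];` on each entry is the usual fix, and pinning `"nfsvers=4"` avoids a silent NFSv3 fallback. No `sec=` is set, so these rely on AUTH_SYS (client-asserted UIDs); that is acceptable on a trusted LAN, but note that default.nix in this same patch advertises 192.168.1.13/32 to the tailnet.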