diff --git a/README.org b/README.org index d5c731a..9fac8ac 100644 --- a/README.org +++ b/README.org @@ -20,32 +20,34 @@ ** Installation 1. Download the sdcard image -2. Connect a keyboard to the Raspberry Pi and set the password +2. Use initial config file #+begin_src shell -passwd -sudo su -passwd +cp install.nix configuration.nix #+end_src -The default user is nixos - 3. Move the repo to the server and the agenix key #+begin_src shell -scp -R Projects/zion zion:/home/nixos/system +scp -r Projects/zion zion:/home/nixos/system scp .ssh/zion root@zion:/etc/ssh/id_ed25519 #+end_src -4. Rebuild the system using Flakes +4. Mount the firmware partition + +#+begin_src shell +mount /dev/mmcblk1p1 /boot +#+end_src + +5. Rebuild the system using Flakes #+begin_src shell nix-shell -p git -sudo nixos-rebuild switch --flake /home/nixos/system#zion --impure +sudo nixos-rebuild switch --flake /home/nixos/system#zion #+end_src -5. Restore the SQL databases +6. Restore the SQL databases #+begin_src shell -psql -U postgres -f /vault/backups/zion/databases/all.sql +gunzip -c /vault/backups/zion/databases/all.sql.gz | psql -U postgres #+end_src diff --git a/configuration.nix b/configuration.nix index 6d63fec..54aa1ee 100644 --- a/configuration.nix +++ b/configuration.nix @@ -12,24 +12,20 @@ with pkgs; inputs.agenix.packages.aarch64-linux.default ]; - # Add a swap file - swapDevices = [{ - device = "/swapfile"; - size = 4096; - }]; - # Enable zswap zramSwap.enable = true; # Configure basic SSH access services.openssh = { enable = true; - permitRootLogin = "yes"; - passwordAuthentication = false; + settings = { + PermitRootLogin = "yes"; + PasswordAuthentication = false; + }; }; # Cleanup tmp on startup - boot.cleanTmpDir = true; + boot.tmp.cleanOnBoot = true; # Create coolneng user users.users.coolneng = { diff --git a/flake.lock b/flake.lock index 6633460..e9f309a 100644 --- a/flake.lock +++ b/flake.lock 
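Review bot: The migrated `services.openssh.settings` block in configuration.nix keeps `PermitRootLogin = "yes"`, which authorises root login by every authentication method sshd has enabled, so root stays key-only exactly as long as `PasswordAuthentication = false` is never flipped. Since the install procedure already provisions a key for root, `PermitRootLogin = "prohibit-password";` states the intended key-only policy directly and keeps holding if password authentication is later re-enabled for ordinary users. The zram and `boot.tmp.cleanOnBoot` renames in the same hunk look correct.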
@@ -106,11 +106,11 @@ ] }, "locked": { - "lastModified": 1663958238, - "narHash": "sha256-l4VrBCswq500YwsgjK7M8HUmnVWrHYY7DKZ7uZK5Abg=", + "lastModified": 1683490239, + "narHash": "sha256-QKzpvl2XrqbobWq/I/smDa9hEniwctjJybXPVILHP0w=", "owner": "coffeetables", "repo": "nix-matrix-appservices", - "rev": "efdc09f26e3b01801edaa3b0e2bdd46d9d133bba", + "rev": "e795d2fbc61da45d49802bb3e8f8d0c70ddc1e68", "type": "gitlab" }, "original": { @@ -136,11 +136,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1674550793, - "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", + "lastModified": 1684899633, + "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", + "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", "type": "github" }, "original": { @@ -151,26 +151,26 @@ }, "nixpkgs": { "locked": { - "lastModified": 1684661732, - "narHash": "sha256-2/Xo/UmUUoMXc0T5tzoUsYjMLLMjEfzRWDAQB0WwtW0=", + "lastModified": 1685865905, + "narHash": "sha256-XJZ/o17eOd2sEsGif+/MQBnfa2DKmndWgJyc7CWajFc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0671cbf1e5c443f7fbfd4941ee0f8a151435114", + "rev": "e7603eba51f2c7820c0a182c6bbb351181caa8e7", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "type": "indirect" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1679437018, - "narHash": "sha256-vOuiDPLHSEo/7NkiWtxpHpHgoXoNmrm+wkXZ6a072Fc=", + "lastModified": 1685931219, + "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "19cf008bb18e47b6e3b4e16e32a9a4bdd4b45f7e", + "rev": "7409480d5c8584a1a83c422530419efe4afb0d19", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a0aa019..d91225d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,7 +2,7 @@ description = "System configuration for zion"; inputs = { - nixpkgs.url = "nixpkgs/nixos-22.11"; + nixpkgs.url = "nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; agenix = { url = "github:ryantm/agenix"; diff --git a/modules/communication.nix b/modules/communication.nix index f681504..ed4e5c4 100644 --- a/modules/communication.nix +++ b/modules/communication.nix @@ -11,17 +11,6 @@ let conn_max_lifetime = -1; }; - latest-mautrix-signal = mautrix-signal.overrideAttrs (old: rec { - version = "0.4.2"; - src = fetchFromGitHub { - owner = "mautrix"; - repo = "signal"; - rev = "refs/tags/v${version}"; - sha256 = "UbetU1n9zD/mVFaJc9FECDq/Zell1TI/aYPsGXGB8Js="; - }; - - }); - in { # Matrix server configuration services.dendrite = { @@ -95,7 +84,7 @@ in { signal = { port = 8338; format = "mautrix-python"; - package = latest-mautrix-signal; + package = mautrix-signal; serviceConfig = { StateDirectory = [ "matrix-as-signal" "signald" ]; JoinNamespaceOf = "signald.service"; diff --git a/modules/containers.nix b/modules/containers.nix index b451285..d454c1f 100644 --- a/modules/containers.nix +++ b/modules/containers.nix @@ -54,4 +54,10 @@ ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337' ''; }; + + # Start services after ZFS mount + systemd.services.podman-mongodb.unitConfig.RequiresMountsFor = + [ "vault.mount" ]; + systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = + [ "vault.mount" ]; } diff --git a/modules/datasync.nix b/modules/datasync.nix index 7cbdef7..f1378ad 100644 --- a/modules/datasync.nix +++ b/modules/datasync.nix @@ -97,4 +97,10 @@ monthly = 12; }; + # Start services after ZFS mount + systemd.services.syncthing.unitConfig.RequiresMountsFor = + [ "vault-syncthing.mount" ]; + systemd.services.radicale.unitConfig.RequiresMountsFor = + [ "vault-radicale.mount" ]; + } diff --git a/modules/device.nix b/modules/device.nix index a6e6392..2545754 100644 
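Review bot: `unitConfig.RequiresMountsFor = [ "vault.mount" ]` on podman-mongodb and podman-mqtt2prometheus in containers.nix passes a unit name where systemd's `RequiresMountsFor=` expects absolute paths; as far as I recall systemd logs a non-absolute entry as ignored, so the "start after ZFS mount" ordering this hunk intends is not created. Either give the mount point itself, `RequiresMountsFor = [ "/vault" ];`, or depend on the unit explicitly with `requires = [ "vault.mount" ]; after = [ "vault.mount" ];`. The same pattern appears in the datasync.nix hunk (`vault-syncthing.mount`, `vault-radicale.mount`) and in the second devops.nix hunk (`vault-git.mount`). This matters more now that the restart-services-mount workaround is removed in periodic.nix, leaving these declarations as the only thing ordering those services after the datasets.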
--- a/modules/device.nix +++ b/modules/device.nix @@ -18,18 +18,19 @@ with pkgs; boot.loader = { grub.enable = false; generic-extlinux-compatible.enable = lib.mkForce false; - }; - boot.loader.raspberryPi = { - enable = true; - version = 4; - firmwareConfig = '' - iomem=relaxed - strict-devmem=0 - dtoverlay=w1-gpio - ''; + raspberryPi = { + enable = true; + version = 4; + firmwareConfig = '' + iomem=relaxed + strict-devmem=0 + dtoverlay=w1-gpio + ''; + }; }; boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ]; + # Load PWM hardware timers hardware.raspberry-pi."4".pwm0.enable = true; diff --git a/modules/devops.nix b/modules/devops.nix index 42a1727..da2bc1b 100644 --- a/modules/devops.nix +++ b/modules/devops.nix @@ -1,10 +1,7 @@ -{ config, pkgs, pkgs-unstable, lib, ... }: { +{ config, pkgs, lib, ... }: { # Set up Gitea with LFS support services.gitea = { enable = true; - domain = "git.coolneng.duckdns.org"; - rootUrl = "https://git.coolneng.duckdns.org"; - package = pkgs-unstable.gitea; database = { type = "postgres"; passwordFile = config.age.secrets.gitea.path; @@ -16,10 +13,17 @@ contentDir = "${config.services.gitea.repositoryRoot}/data/lfs"; }; settings = { + server = { + DISABLE_SSH = true; + DOMAIN = "git.coolneng.duckdns.org"; + ROOTURL = "https://git.coolneng.duckdns.org"; + }; ui.DEFAULT_THEME = "arc-green"; session.COOKIE_SECURE = true; - server.DISABLE_SSH = true; actions.ENABLED = true; }; }; + + # Start services after ZFS mount + systemd.services.gitea.unitConfig.RequiresMountsFor = [ "vault-git.mount" ]; } diff --git a/modules/hardware-configuration.nix b/modules/hardware-configuration.nix index 3758176..0d7575e 100644 --- a/modules/hardware-configuration.nix +++ b/modules/hardware-configuration.nix 
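Review bot: The re-nested `firmwareConfig` in device.nix still ships `iomem=relaxed` and `strict-devmem=0`, which lift the kernel's restriction on /dev/mem and let any root process map arbitrary physical memory, weakening the root-to-kernel boundary on a host that also runs gitea, dendrite and containers as root units. scripts/SATA-hat.sh appears to drive the fan through sysfs gpio/pwm paths, which do not need /dev/mem, so it is worth checking whether the w1-gpio or PWM setup genuinely still requires these parameters and dropping them if not. If a consumer does need them, a comment naming it would keep the next reader from removing them blindly, e.g. `# iomem=relaxed / strict-devmem=0: required by <consumer> for /dev/mem access` (placeholder for the actual consumer).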
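Review bot: `ROOTURL = "https://git.coolneng.duckdns.org"` in the new `server` block of devops.nix is not the key Gitea reads; the app.ini key is `ROOT_URL`, so the removed `rootUrl` module option is not actually replaced and Gitea, as far as I recall, falls back to a root URL derived from PROTOCOL, DOMAIN and HTTP_PORT, which breaks absolute links, redirects and the hostname checks behind the reverse proxy. Change it to `ROOT_URL = "https://git.coolneng.duckdns.org";`. `DISABLE_SSH` and `DOMAIN` in the same block are spelled correctly.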
@@ -6,18 +6,28 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; fileSystems."/" = { - device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; + device = "sysion/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = { + device = "sysion/root/nix"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "sysion/home"; + fsType = "zfs"; }; fileSystems."/boot" = { - device = "/dev/disk/by-uuid/2178-694E"; + device = "/dev/disk/by-uuid/06AD-825C"; fsType = "vfat"; }; @@ -102,7 +112,8 @@ options = [ "bind" ]; }; - swapDevices = [ ]; + swapDevices = + [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's @@ -110,7 +121,7 @@ # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.end0.useDHCP = lib.mkDefault true; # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true; # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true; # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true; diff --git a/modules/networking.nix b/modules/networking.nix index c10f45b..21aa8e8 100644 --- a/modules/networking.nix +++ b/modules/networking.nix 
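Review bot: The swap partition added in the second hardware-configuration.nix hunk is declared without `randomEncryption`, so anything paged out — including secrets such as the database password gitea reads via `config.age.secrets.gitea.path` — can persist in cleartext on the disk across reboots. `swapDevices = [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; randomEncryption.enable = true; }];` keys the device with a fresh random key on every boot; the only thing it rules out is resuming from hibernation, which a headless server typically does not use. This is a hardening suggestion rather than a defect in what the hunk does.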
@@ -11,12 +11,12 @@ in { useNetworkd = true; dhcpcd.enable = false; }; - systemd.services."systemd-networkd-wait-online".enable = false; + systemd.network.wait-online.enable = false; # Assign a static IP systemd.network.networks."24-home" = { - name = "eth0"; - matchConfig.Name = "eth0"; + name = "end0"; + matchConfig.Name = "end0"; address = [ "192.168.13.2/24" ]; gateway = [ "192.168.13.1" ]; dns = [ "192.168.13.2" ]; @@ -57,7 +57,9 @@ in { 53 # DNS ]; extraCommands = '' - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${ + config.systemd.network.networks."24-home".name + } -j MASQUERADE ''; }; @@ -101,23 +103,22 @@ in { # DNS server with ad-block services.dnsmasq = { enable = true; - servers = [ "51.158.108.203" "137.220.55.93" ]; - extraConfig = '' - domain-needed - bogus-priv - no-resolv + settings = { + domain-needed = true; + bogus-priv = true; + no-resolv = true; - listen-address=127.0.0.1,192.168.13.2,10.8.0.1 - bind-interfaces + listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ]; + bind-interfaces = true; + server = [ "51.158.108.203" "137.220.55.93" ]; - cache-size=10000 - local-ttl=300 + cache-size = 10000; + local-ttl = 300; - conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt + conf-file = "/var/lib/dnsmasq/dnsmasq.blacklist.txt"; - address=/coolneng.duckdns.org/192.168.13.2 - ''; + address = "/coolneng.duckdns.org/192.168.13.2"; + }; }; } - diff --git a/modules/periodic.nix b/modules/periodic.nix index a5aadd8..42f7ed1 100644 --- a/modules/periodic.nix +++ b/modules/periodic.nix @@ -14,6 +14,7 @@ in { }; # Fetch hosts-blocklists daily + # FIXME Download the list if the file doesn't exist the first time systemd.services.download-dns-blocklist = { description = "Download hosts-blocklists"; wantedBy = [ "default.target" ]; 
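Review bot: In the dnsmasq hunk of networking.nix, `bind-interfaces = true` combined with `listen-address` including `10.8.0.1` makes dnsmasq bind each address explicitly at start-up and exit if the WireGuard address is not configured yet ("Cannot assign requested address"), and the first hunk of this file disables `systemd.network.wait-online`, which makes that boot-time race more likely. dnsmasq's `bind-dynamic` handles addresses that appear later, so `bind-dynamic = true;` in place of `bind-interfaces = true;` (keeping `listen-address`) is the more robust form. If the intent is to keep the stricter binding, dnsmasq.service needs an `after`/`requires` on the wireguard-wg0 unit instead.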
@@ -25,16 +26,16 @@ in { serviceConfig.Type = "oneshot"; postStop = '' chown -R dnsmasq ${stateDir} - systemctl restart dnsmasq ''; + requiredBy = [ "dnsmasq.service" ]; after = [ "wireguard-wg0.service" ]; startAt = "02:00:00"; }; - # Enable SATA HAT + # Enable SATA HAT fans systemd.services.sata-hat = { description = "Enable software support for SATA Hat"; - wantedBy = [ "zfs-import.target" ]; + wantedBy = [ "default.target" ]; script = '' ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on" ''; @@ -45,30 +46,6 @@ in { ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off" ''; }; - before = [ "zfs-import.target" "zfs-import-vault.service" "umount.target" ]; - requires = [ "systemd-udev-settle.service" ]; - after = [ "systemd-udev-settle.service" ]; - conflicts = [ "umount.target" ]; - requiredBy = [ "syncthing.service" "radicale.service" "gitea.service" ]; - }; - - # HACK: restart services dependent on ZFS afer mount - systemd.services.restart-services-mount = { - description = "Restart services after the ZFS dataset is mounted"; - wantedBy = [ "default.target" ]; - script = '' - sleep 5 - systemctl restart syncthing - systemctl restart radicale - systemctl restart gitea - systemctl restart podman-openbooks - systemctl restart podman-mqtt2prometheus - systemctl restart podman-mongodb - systemctl restart podman-nightscout - ''; - serviceConfig.Type = "oneshot"; - requires = [ "sata-hat.service" ]; - after = [ "vault.mount" ]; }; # Idle HDDs when not used diff --git a/modules/webstack.nix b/modules/webstack.nix index ddc4a98..2e3f363 100644 --- a/modules/webstack.nix +++ b/modules/webstack.nix 
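Review bot: `requiredBy = [ "dnsmasq.service" ]` on download-dns-blocklist makes dnsmasq.service `Requires=` the download, so any failure of it (WireGuard down, upstream unreachable, or the first-run case the FIXME describes) now prevents dnsmasq from starting at all, and NixOS's `requiredBy` adds no `Before=`, so nothing orders the download ahead of dnsmasq anyway. If the host resolves through its own dnsmasq (networking.nix points dns at 192.168.13.2), the download cannot resolve its source until dnsmasq is up, so this can wedge name resolution at boot. A looser coupling is safer: keep the timer-driven download independent, restore a `systemctl reload dnsmasq` or the previous restart in postStop, and cover the first run with a tmpfiles rule that creates an empty list, e.g. `systemd.tmpfiles.rules = [ "f /var/lib/dnsmasq/dnsmasq.blacklist.txt 0644 dnsmasq <group> -" ];` (group is a placeholder; the path is taken from the `conf-file` setting). Separately, the sata-hat unit still executes `/home/coolneng/system/scripts/SATA-hat.sh` as root from a user-writable home directory; that is pre-existing, but moving the script into the store (e.g. via `pkgs.writeShellScript`) would stop a compromised user account from becoming root at the next boot.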
@@ -8,6 +8,7 @@ recommendedGzipSettings = true; recommendedProxySettings = true; recommendedOptimisation = true; + recommendedBrotliSettings = true; clientMaxBodySize = "0"; sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; @@ -221,5 +222,8 @@ "dendrite.service" "phpfpm-wallabag.service" "systemd-tmpfiles-setup.service" + "podman-openbooks.service" + "podman-mqtt2prometheus.service" + "podman-nightscout.service" ]; } diff --git a/scripts/SATA-hat.sh b/scripts/SATA-hat.sh index fd652d4..9cbd704 100755 --- a/scripts/SATA-hat.sh +++ b/scripts/SATA-hat.sh @@ -5,8 +5,6 @@ GPIO_PATH="$BASE_PATH"/gpio PWM_PATH="$BASE_PATH"/pwm/pwmchip0 # GPIO pins -SATA0=26 -SATA1=25 CPU_FAN=12 # Values @@ -50,16 +48,11 @@ set_pwm() { } turn_on() { - set_gpio $SATA0 $HIGH - sleep 1 - set_gpio $SATA1 $HIGH set_gpio $CPU_FAN $HIGH set_pwm } turn_off() { - set_gpio $SATA0 $LOW clean - set_gpio $SATA1 $LOW clean set_gpio $CPU_FAN $LOW clean set_pwm clean }
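Review bot: `recommendedBrotliSettings = true` in webstack.nix applies brotli to responses proxied from the authenticated applications behind this nginx, and compressing pages that mix a session or CSRF secret with user-controlled text is the precondition for BREACH-class compression side channels; gzip was already enabled, so this adds no new exposure, but it is a good moment to confirm that compressible types are limited to static content or that the upstreams protect their tokens. It is also worth confirming that the nginx package this option expects actually links the brotli module; in nixpkgs the option pulls it in as far as I recall, but the build will tell. A comment above the line such as `# brotli/gzip also compress proxied app responses; keep compressible types to static content` would record the decision.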