Upgrade to NixOS 23.05 and SSD boot

This commit is contained in:
coolneng 2023-06-08 18:30:16 +02:00
parent 95a024a6e7
commit 110a98c3d4
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
14 changed files with 107 additions and 117 deletions

View File

@ -20,32 +20,34 @@
** Installation ** Installation
1. Download the sdcard image 1. Download the sdcard image
2. Connect a keyboard to the Raspberry Pi and set the password 2. Use initial config file
#+begin_src shell #+begin_src shell
passwd cp install.nix configuration.nix
sudo su
passwd
#+end_src #+end_src
The default user is nixos
3. Move the repo to the server and the agenix key 3. Move the repo to the server and the agenix key
#+begin_src shell #+begin_src shell
scp -R Projects/zion zion:/home/nixos/system scp -r Projects/zion zion:/home/nixos/system
scp .ssh/zion root@zion:/etc/ssh/id_ed25519 scp .ssh/zion root@zion:/etc/ssh/id_ed25519
#+end_src #+end_src
4. Rebuild the system using Flakes 4. Mount the firmware partition
#+begin_src shell
mount /dev/mmcblk1p1 /boot
#+end_src
5. Rebuild the system using Flakes
#+begin_src shell #+begin_src shell
nix-shell -p git nix-shell -p git
sudo nixos-rebuild switch --flake /home/nixos/system#zion --impure sudo nixos-rebuild switch --flake /home/nixos/system#zion
#+end_src #+end_src
5. Restore the SQL databases 6. Restore the SQL databases
#+begin_src shell #+begin_src shell
psql -U postgres -f /vault/backups/zion/databases/all.sql gunzip -c /vault/backups/zion/databases/all.sql.gz | psql -U postgres
#+end_src #+end_src

View File

@ -12,24 +12,20 @@ with pkgs;
inputs.agenix.packages.aarch64-linux.default inputs.agenix.packages.aarch64-linux.default
]; ];
# Add a swap file
swapDevices = [{
device = "/swapfile";
size = 4096;
}];
# Enable zswap # Enable zswap
zramSwap.enable = true; zramSwap.enable = true;
# Configure basic SSH access # Configure basic SSH access
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "yes"; settings = {
passwordAuthentication = false; PermitRootLogin = "yes";
PasswordAuthentication = false;
};
}; };
# Cleanup tmp on startup # Cleanup tmp on startup
boot.cleanTmpDir = true; boot.tmp.cleanOnBoot = true;
# Create coolneng user # Create coolneng user
users.users.coolneng = { users.users.coolneng = {

View File

@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1663958238, "lastModified": 1683490239,
"narHash": "sha256-l4VrBCswq500YwsgjK7M8HUmnVWrHYY7DKZ7uZK5Abg=", "narHash": "sha256-QKzpvl2XrqbobWq/I/smDa9hEniwctjJybXPVILHP0w=",
"owner": "coffeetables", "owner": "coffeetables",
"repo": "nix-matrix-appservices", "repo": "nix-matrix-appservices",
"rev": "efdc09f26e3b01801edaa3b0e2bdd46d9d133bba", "rev": "e795d2fbc61da45d49802bb3e8f8d0c70ddc1e68",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -136,11 +136,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1674550793, "lastModified": 1684899633,
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -151,26 +151,26 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1684661732, "lastModified": 1685865905,
"narHash": "sha256-2/Xo/UmUUoMXc0T5tzoUsYjMLLMjEfzRWDAQB0WwtW0=", "narHash": "sha256-XJZ/o17eOd2sEsGif+/MQBnfa2DKmndWgJyc7CWajFc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b0671cbf1e5c443f7fbfd4941ee0f8a151435114", "rev": "e7603eba51f2c7820c0a182c6bbb351181caa8e7",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-22.11", "ref": "nixos-23.05",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1679437018, "lastModified": 1685931219,
"narHash": "sha256-vOuiDPLHSEo/7NkiWtxpHpHgoXoNmrm+wkXZ6a072Fc=", "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "19cf008bb18e47b6e3b4e16e32a9a4bdd4b45f7e", "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
"type": "github" "type": "github"
}, },
"original": { "original": {

View File

@ -2,7 +2,7 @@
description = "System configuration for zion"; description = "System configuration for zion";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-22.11"; nixpkgs.url = "nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";

View File

@ -11,17 +11,6 @@ let
conn_max_lifetime = -1; conn_max_lifetime = -1;
}; };
latest-mautrix-signal = mautrix-signal.overrideAttrs (old: rec {
version = "0.4.2";
src = fetchFromGitHub {
owner = "mautrix";
repo = "signal";
rev = "refs/tags/v${version}";
sha256 = "UbetU1n9zD/mVFaJc9FECDq/Zell1TI/aYPsGXGB8Js=";
};
});
in { in {
# Matrix server configuration # Matrix server configuration
services.dendrite = { services.dendrite = {
@ -95,7 +84,7 @@ in {
signal = { signal = {
port = 8338; port = 8338;
format = "mautrix-python"; format = "mautrix-python";
package = latest-mautrix-signal; package = mautrix-signal;
serviceConfig = { serviceConfig = {
StateDirectory = [ "matrix-as-signal" "signald" ]; StateDirectory = [ "matrix-as-signal" "signald" ];
JoinNamespaceOf = "signald.service"; JoinNamespaceOf = "signald.service";

View File

@ -54,4 +54,10 @@
${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337' ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
''; '';
}; };
# Start services after ZFS mount
systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
[ "vault.mount" ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
[ "vault.mount" ];
} }

View File

@ -97,4 +97,10 @@
monthly = 12; monthly = 12;
}; };
# Start services after ZFS mount
systemd.services.syncthing.unitConfig.RequiresMountsFor =
[ "vault-syncthing.mount" ];
systemd.services.radicale.unitConfig.RequiresMountsFor =
[ "vault-radicale.mount" ];
} }

View File

@ -18,8 +18,7 @@ with pkgs;
boot.loader = { boot.loader = {
grub.enable = false; grub.enable = false;
generic-extlinux-compatible.enable = lib.mkForce false; generic-extlinux-compatible.enable = lib.mkForce false;
}; raspberryPi = {
boot.loader.raspberryPi = {
enable = true; enable = true;
version = 4; version = 4;
firmwareConfig = '' firmwareConfig = ''
@ -28,8 +27,10 @@ with pkgs;
dtoverlay=w1-gpio dtoverlay=w1-gpio
''; '';
}; };
};
boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ]; boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
# Load PWM hardware timers # Load PWM hardware timers
hardware.raspberry-pi."4".pwm0.enable = true; hardware.raspberry-pi."4".pwm0.enable = true;

View File

@ -1,10 +1,7 @@
{ config, pkgs, pkgs-unstable, lib, ... }: { { config, pkgs, lib, ... }: {
# Set up Gitea with LFS support # Set up Gitea with LFS support
services.gitea = { services.gitea = {
enable = true; enable = true;
domain = "git.coolneng.duckdns.org";
rootUrl = "https://git.coolneng.duckdns.org";
package = pkgs-unstable.gitea;
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = config.age.secrets.gitea.path; passwordFile = config.age.secrets.gitea.path;
@ -16,10 +13,17 @@
contentDir = "${config.services.gitea.repositoryRoot}/data/lfs"; contentDir = "${config.services.gitea.repositoryRoot}/data/lfs";
}; };
settings = { settings = {
server = {
DISABLE_SSH = true;
DOMAIN = "git.coolneng.duckdns.org";
ROOTURL = "https://git.coolneng.duckdns.org";
};
ui.DEFAULT_THEME = "arc-green"; ui.DEFAULT_THEME = "arc-green";
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
server.DISABLE_SSH = true;
actions.ENABLED = true; actions.ENABLED = true;
}; };
}; };
# Start services after ZFS mount
systemd.services.gitea.unitConfig.RequiresMountsFor = [ "vault-git.mount" ];
} }

View File

@ -6,18 +6,28 @@
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; device = "sysion/root";
fsType = "ext4"; fsType = "zfs";
};
fileSystems."/nix" = {
device = "sysion/root/nix";
fsType = "zfs";
};
fileSystems."/home" = {
device = "sysion/home";
fsType = "zfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2178-694E"; device = "/dev/disk/by-uuid/06AD-825C";
fsType = "vfat"; fsType = "vfat";
}; };
@ -102,7 +112,8 @@
options = [ "bind" ]; options = [ "bind" ];
}; };
swapDevices = [ ]; swapDevices =
[{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@ -110,7 +121,7 @@
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true; # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true; # networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true; # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true; # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
# networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true; # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;

View File

@ -11,12 +11,12 @@ in {
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
}; };
systemd.services."systemd-networkd-wait-online".enable = false; systemd.network.wait-online.enable = false;
# Assign a static IP # Assign a static IP
systemd.network.networks."24-home" = { systemd.network.networks."24-home" = {
name = "eth0"; name = "end0";
matchConfig.Name = "eth0"; matchConfig.Name = "end0";
address = [ "192.168.13.2/24" ]; address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ]; gateway = [ "192.168.13.1" ];
dns = [ "192.168.13.2" ]; dns = [ "192.168.13.2" ];
@ -57,7 +57,9 @@ in {
53 # DNS 53 # DNS
]; ];
extraCommands = '' extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
config.systemd.network.networks."24-home".name
} -j MASQUERADE
''; '';
}; };
@ -101,23 +103,22 @@ in {
# DNS server with ad-block # DNS server with ad-block
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
servers = [ "51.158.108.203" "137.220.55.93" ]; settings = {
extraConfig = '' domain-needed = true;
domain-needed bogus-priv = true;
bogus-priv no-resolv = true;
no-resolv
listen-address=127.0.0.1,192.168.13.2,10.8.0.1 listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
bind-interfaces bind-interfaces = true;
server = [ "51.158.108.203" "137.220.55.93" ];
cache-size=10000 cache-size = 10000;
local-ttl=300 local-ttl = 300;
conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt conf-file = "/var/lib/dnsmasq/dnsmasq.blacklist.txt";
address=/coolneng.duckdns.org/192.168.13.2 address = "/coolneng.duckdns.org/192.168.13.2";
''; };
}; };
} }

View File

@ -14,6 +14,7 @@ in {
}; };
# Fetch hosts-blocklists daily # Fetch hosts-blocklists daily
# FIXME Download the list if the file doesn't exist the first time
systemd.services.download-dns-blocklist = { systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists"; description = "Download hosts-blocklists";
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
@ -25,16 +26,16 @@ in {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
postStop = '' postStop = ''
chown -R dnsmasq ${stateDir} chown -R dnsmasq ${stateDir}
systemctl restart dnsmasq
''; '';
requiredBy = [ "dnsmasq.service" ];
after = [ "wireguard-wg0.service" ]; after = [ "wireguard-wg0.service" ];
startAt = "02:00:00"; startAt = "02:00:00";
}; };
# Enable SATA HAT # Enable SATA HAT fans
systemd.services.sata-hat = { systemd.services.sata-hat = {
description = "Enable software support for SATA Hat"; description = "Enable software support for SATA Hat";
wantedBy = [ "zfs-import.target" ]; wantedBy = [ "default.target" ];
script = '' script = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on" ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
''; '';
@ -45,30 +46,6 @@ in {
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off" ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
''; '';
}; };
before = [ "zfs-import.target" "zfs-import-vault.service" "umount.target" ];
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
conflicts = [ "umount.target" ];
requiredBy = [ "syncthing.service" "radicale.service" "gitea.service" ];
};
# HACK: restart services dependent on ZFS afer mount
systemd.services.restart-services-mount = {
description = "Restart services after the ZFS dataset is mounted";
wantedBy = [ "default.target" ];
script = ''
sleep 5
systemctl restart syncthing
systemctl restart radicale
systemctl restart gitea
systemctl restart podman-openbooks
systemctl restart podman-mqtt2prometheus
systemctl restart podman-mongodb
systemctl restart podman-nightscout
'';
serviceConfig.Type = "oneshot";
requires = [ "sata-hat.service" ];
after = [ "vault.mount" ];
}; };
# Idle HDDs when not used # Idle HDDs when not used

View File

@ -8,6 +8,7 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedBrotliSettings = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
sslCiphers = sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
@ -221,5 +222,8 @@
"dendrite.service" "dendrite.service"
"phpfpm-wallabag.service" "phpfpm-wallabag.service"
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"podman-openbooks.service"
"podman-mqtt2prometheus.service"
"podman-nightscout.service"
]; ];
} }

View File

@ -5,8 +5,6 @@ GPIO_PATH="$BASE_PATH"/gpio
PWM_PATH="$BASE_PATH"/pwm/pwmchip0 PWM_PATH="$BASE_PATH"/pwm/pwmchip0
# GPIO pins # GPIO pins
SATA0=26
SATA1=25
CPU_FAN=12 CPU_FAN=12
# Values # Values
@ -50,16 +48,11 @@ set_pwm() {
} }
turn_on() { turn_on() {
set_gpio $SATA0 $HIGH
sleep 1
set_gpio $SATA1 $HIGH
set_gpio $CPU_FAN $HIGH set_gpio $CPU_FAN $HIGH
set_pwm set_pwm
} }
turn_off() { turn_off() {
set_gpio $SATA0 $LOW clean
set_gpio $SATA1 $LOW clean
set_gpio $CPU_FAN $LOW clean set_gpio $CPU_FAN $LOW clean
set_pwm clean set_pwm clean
} }