Upgrade to NixOS 23.05 and SSD boot

2023-06-08 18:30:16 +02:00 · 2023-06-08 18:30:16 +02:00 · 110a98c3d4
parent 95a024a6e7
commit 110a98c3d4
14 changed files with 107 additions and 117 deletions
--- a/README.org
+++ b/README.org
@ -20,32 +20,34 @@
 ** Installation

 1. Download the sdcard image
-2. Connect a keyboard to the Raspberry Pi and set the password
+2. Use initial config file

 #+begin_src shell
-passwd
-sudo su
-passwd
+cp install.nix configuration.nix
 #+end_src

-The default user is nixos
-
 3. Move the repo to the server and the agenix key

 #+begin_src shell
-scp -R Projects/zion zion:/home/nixos/system
+scp -r Projects/zion zion:/home/nixos/system
 scp .ssh/zion root@zion:/etc/ssh/id_ed25519
 #+end_src

-4. Rebuild the system using Flakes
+4. Mount the firmware partition
+
+#+begin_src shell
+mount /dev/mmcblk1p1 /boot
+#+end_src
+
+5. Rebuild the system using Flakes

 #+begin_src shell
 nix-shell -p git
-sudo nixos-rebuild switch --flake /home/nixos/system#zion --impure
+sudo nixos-rebuild switch --flake /home/nixos/system#zion
 #+end_src

-5. Restore the SQL databases
+6. Restore the SQL databases

 #+begin_src shell
-psql -U postgres -f /vault/backups/zion/databases/all.sql
+gunzip -c /vault/backups/zion/databases/all.sql.gz | psql -U postgres
 #+end_src
--- a/configuration.nix
+++ b/configuration.nix
@ -12,24 +12,20 @@ with pkgs;
    inputs.agenix.packages.aarch64-linux.default
  ];

-  # Add a swap file
-  swapDevices = [{
-    device = "/swapfile";
-    size = 4096;
-  }];
-
  # Enable zswap
  zramSwap.enable = true;

  # Configure basic SSH access
  services.openssh = {
    enable = true;
-    permitRootLogin = "yes";
-    passwordAuthentication = false;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = false;
+    };
  };

  # Cleanup tmp on startup
-  boot.cleanTmpDir = true;
+  boot.tmp.cleanOnBoot = true;

  # Create coolneng user
  users.users.coolneng = {
--- a/flake.lock
+++ b/flake.lock
@ -106,11 +106,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1663958238,
-        "narHash": "sha256-l4VrBCswq500YwsgjK7M8HUmnVWrHYY7DKZ7uZK5Abg=",
+        "lastModified": 1683490239,
+        "narHash": "sha256-QKzpvl2XrqbobWq/I/smDa9hEniwctjJybXPVILHP0w=",
        "owner": "coffeetables",
        "repo": "nix-matrix-appservices",
-        "rev": "efdc09f26e3b01801edaa3b0e2bdd46d9d133bba",
+        "rev": "e795d2fbc61da45d49802bb3e8f8d0c70ddc1e68",
        "type": "gitlab"
      },
      "original": {
@ -136,11 +136,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1674550793,
-        "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
+        "lastModified": 1684899633,
+        "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
+        "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
        "type": "github"
      },
      "original": {
@ -151,26 +151,26 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1684661732,
-        "narHash": "sha256-2/Xo/UmUUoMXc0T5tzoUsYjMLLMjEfzRWDAQB0WwtW0=",
+        "lastModified": 1685865905,
+        "narHash": "sha256-XJZ/o17eOd2sEsGif+/MQBnfa2DKmndWgJyc7CWajFc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b0671cbf1e5c443f7fbfd4941ee0f8a151435114",
+        "rev": "e7603eba51f2c7820c0a182c6bbb351181caa8e7",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1679437018,
-        "narHash": "sha256-vOuiDPLHSEo/7NkiWtxpHpHgoXoNmrm+wkXZ6a072Fc=",
+        "lastModified": 1685931219,
+        "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "19cf008bb18e47b6e3b4e16e32a9a4bdd4b45f7e",
+        "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "System configuration for zion";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-22.11";
+    nixpkgs.url = "nixpkgs/nixos-23.05";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
--- a/modules/communication.nix
+++ b/modules/communication.nix
@ -11,17 +11,6 @@ let
    conn_max_lifetime = -1;
  };

-  latest-mautrix-signal = mautrix-signal.overrideAttrs (old: rec {
-    version = "0.4.2";
-    src = fetchFromGitHub {
-      owner = "mautrix";
-      repo = "signal";
-      rev = "refs/tags/v${version}";
-      sha256 = "UbetU1n9zD/mVFaJc9FECDq/Zell1TI/aYPsGXGB8Js=";
-    };
-
-  });
-
 in {
  # Matrix server configuration
  services.dendrite = {
@ -95,7 +84,7 @@ in {
      signal = {
        port = 8338;
        format = "mautrix-python";
-        package = latest-mautrix-signal;
+        package = mautrix-signal;
        serviceConfig = {
          StateDirectory = [ "matrix-as-signal" "signald" ];
          JoinNamespaceOf = "signald.service";
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -54,4 +54,10 @@
      ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
    '';
  };
+
+  # Start services after ZFS mount
+  systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
+    [ "vault.mount" ];
+  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
+    [ "vault.mount" ];
 }
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@ -97,4 +97,10 @@
    monthly = 12;
  };

+  # Start services after ZFS mount
+  systemd.services.syncthing.unitConfig.RequiresMountsFor =
+    [ "vault-syncthing.mount" ];
+  systemd.services.radicale.unitConfig.RequiresMountsFor =
+    [ "vault-radicale.mount" ];
+
 }
--- a/modules/device.nix
+++ b/modules/device.nix
@ -18,8 +18,7 @@ with pkgs;
  boot.loader = {
    grub.enable = false;
    generic-extlinux-compatible.enable = lib.mkForce false;
-  };
-  boot.loader.raspberryPi = {
+    raspberryPi = {
      enable = true;
      version = 4;
      firmwareConfig = ''
@ -28,8 +27,10 @@ with pkgs;
        dtoverlay=w1-gpio
      '';
    };
+  };

  boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
+
  # Load PWM hardware timers
  hardware.raspberry-pi."4".pwm0.enable = true;

--- a/modules/devops.nix
+++ b/modules/devops.nix
@ -1,10 +1,7 @@
-{ config, pkgs, pkgs-unstable, lib, ... }: {
+{ config, pkgs, lib, ... }: {
  # Set up Gitea with LFS support
  services.gitea = {
    enable = true;
-    domain = "git.coolneng.duckdns.org";
-    rootUrl = "https://git.coolneng.duckdns.org";
-    package = pkgs-unstable.gitea;
    database = {
      type = "postgres";
      passwordFile = config.age.secrets.gitea.path;
@ -16,10 +13,17 @@
      contentDir = "${config.services.gitea.repositoryRoot}/data/lfs";
    };
    settings = {
+      server = {
+        DISABLE_SSH = true;
+        DOMAIN = "git.coolneng.duckdns.org";
+        ROOTURL = "https://git.coolneng.duckdns.org";
+      };
      ui.DEFAULT_THEME = "arc-green";
      session.COOKIE_SECURE = true;
-      server.DISABLE_SSH = true;
      actions.ENABLED = true;
    };
  };
+
+  # Start services after ZFS mount
+  systemd.services.gitea.unitConfig.RequiresMountsFor = [ "vault-git.mount" ];
 }
--- a/modules/hardware-configuration.nix
+++ b/modules/hardware-configuration.nix
@ -6,18 +6,28 @@
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
-    fsType = "ext4";
+    device = "sysion/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/nix" = {
+    device = "sysion/root/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "sysion/home";
+    fsType = "zfs";
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/2178-694E";
+    device = "/dev/disk/by-uuid/06AD-825C";
    fsType = "vfat";
  };

@ -102,7 +112,8 @@
    options = [ "bind" ];
  };

-  swapDevices = [ ];
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -110,7 +121,7 @@
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
  # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -11,12 +11,12 @@ in {
    useNetworkd = true;
    dhcpcd.enable = false;
  };
-  systemd.services."systemd-networkd-wait-online".enable = false;
+  systemd.network.wait-online.enable = false;

  # Assign a static IP
  systemd.network.networks."24-home" = {
-    name = "eth0";
-    matchConfig.Name = "eth0";
+    name = "end0";
+    matchConfig.Name = "end0";
    address = [ "192.168.13.2/24" ];
    gateway = [ "192.168.13.1" ];
    dns = [ "192.168.13.2" ];
@ -57,7 +57,9 @@ in {
      53 # DNS
    ];
    extraCommands = ''
-      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
    '';
  };

@ -101,23 +103,22 @@ in {
  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
-    servers = [ "51.158.108.203" "137.220.55.93" ];
-    extraConfig = ''
-      domain-needed
-      bogus-priv
-      no-resolv
+    settings = {
+      domain-needed = true;
+      bogus-priv = true;
+      no-resolv = true;

-      listen-address=127.0.0.1,192.168.13.2,10.8.0.1
-      bind-interfaces
+      listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
+      bind-interfaces = true;
+      server = [ "51.158.108.203" "137.220.55.93" ];

-      cache-size=10000
-      local-ttl=300
+      cache-size = 10000;
+      local-ttl = 300;

-      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+      conf-file = "/var/lib/dnsmasq/dnsmasq.blacklist.txt";

-      address=/coolneng.duckdns.org/192.168.13.2
-    '';
+      address = "/coolneng.duckdns.org/192.168.13.2";
+    };
  };

 }
-
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@ -14,6 +14,7 @@ in {
  };

  # Fetch hosts-blocklists daily
+  # FIXME Download the list if the file doesn't exist the first time
  systemd.services.download-dns-blocklist = {
    description = "Download hosts-blocklists";
    wantedBy = [ "default.target" ];
@ -25,16 +26,16 @@ in {
    serviceConfig.Type = "oneshot";
    postStop = ''
      chown -R dnsmasq ${stateDir}
-      systemctl restart dnsmasq
    '';
+    requiredBy = [ "dnsmasq.service" ];
    after = [ "wireguard-wg0.service" ];
    startAt = "02:00:00";
  };

-  # Enable SATA HAT
+  # Enable SATA HAT fans
  systemd.services.sata-hat = {
    description = "Enable software support for SATA Hat";
-    wantedBy = [ "zfs-import.target" ];
+    wantedBy = [ "default.target" ];
    script = ''
      ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
    '';
@ -45,30 +46,6 @@ in {
        ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
      '';
    };
-    before = [ "zfs-import.target" "zfs-import-vault.service" "umount.target" ];
-    requires = [ "systemd-udev-settle.service" ];
-    after = [ "systemd-udev-settle.service" ];
-    conflicts = [ "umount.target" ];
-    requiredBy = [ "syncthing.service" "radicale.service" "gitea.service" ];
-  };
-
-  # HACK: restart services dependent on ZFS afer mount
-  systemd.services.restart-services-mount = {
-    description = "Restart services after the ZFS dataset is mounted";
-    wantedBy = [ "default.target" ];
-    script = ''
-      sleep 5
-      systemctl restart syncthing
-      systemctl restart radicale
-      systemctl restart gitea
-      systemctl restart podman-openbooks
-      systemctl restart podman-mqtt2prometheus
-      systemctl restart podman-mongodb
-      systemctl restart podman-nightscout
-    '';
-    serviceConfig.Type = "oneshot";
-    requires = [ "sata-hat.service" ];
-    after = [ "vault.mount" ];
  };

  # Idle HDDs when not used
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@ -8,6 +8,7 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
+    recommendedBrotliSettings = true;
    clientMaxBodySize = "0";
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
@ -221,5 +222,8 @@
    "dendrite.service"
    "phpfpm-wallabag.service"
    "systemd-tmpfiles-setup.service"
+    "podman-openbooks.service"
+    "podman-mqtt2prometheus.service"
+    "podman-nightscout.service"
  ];
 }
--- a/scripts/SATA-hat.sh
+++ b/scripts/SATA-hat.sh
@ -5,8 +5,6 @@ GPIO_PATH="$BASE_PATH"/gpio
 PWM_PATH="$BASE_PATH"/pwm/pwmchip0

 # GPIO pins
-SATA0=26
-SATA1=25
 CPU_FAN=12

 # Values
@ -50,16 +48,11 @@ set_pwm() {
 }

 turn_on() {
-    set_gpio $SATA0 $HIGH
-    sleep 1
-    set_gpio $SATA1 $HIGH
    set_gpio $CPU_FAN $HIGH
    set_pwm
 }

 turn_off() {
-    set_gpio $SATA0 $LOW clean
-    set_gpio $SATA1 $LOW clean
    set_gpio $CPU_FAN $LOW clean
    set_pwm clean
 }