From de5e7866c55e8cc22ebaf24d0694caa12ef2415e Mon Sep 17 00:00:00 2001 From: Fabian Date: Tue, 25 Feb 2020 21:37:53 +0000 Subject: [PATCH 01/10] Add montalin --- hardware/nuc.nix | 21 +++++++++++++ host/montalin.nix | 78 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 hardware/nuc.nix create mode 100644 host/montalin.nix diff --git a/hardware/nuc.nix b/hardware/nuc.nix new file mode 100644 index 0000000..cb5341a --- /dev/null +++ b/hardware/nuc.nix @@ -0,0 +1,21 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; +# boot.kernelModules = [ "kvm-intel" "virtio" "tun" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; +# boot.kernelParams = [ "console=ttyS0,115200n8" ]; + + + powerManagement.cpuFreqGovernor = "ondemand"; + nix.maxJobs = lib.mkDefault 8; +} diff --git a/host/montalin.nix b/host/montalin.nix new file mode 100644 index 0000000..8c84733 --- /dev/null +++ b/host/montalin.nix 
@@ -0,0 +1,78 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + + imports = + [ + ../hardware/nuc.nix + ../role/base.nix + ]; + + boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1"; + boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49"; + + fileSystems."/" = + { device = "/dev/mapper/root"; + fsType = "btrfs"; + }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0065-E4EA"; + fsType = "vfat"; + }; + swapDevices = + [ { device = "/dev/mapper/swap"; } + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "montalin"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eno1.useDHCP = true; + networking.interfaces.wlp1s0.useDHCP = true; + + #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + #networking.wireless.networks = { + # yummi = { + # psk = "cookies!"; + # }; + #}; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # List services that you want to enable: + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... 
]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.jane = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "19.09"; # Did you read the comment? + +} From d8402078bd3e40c8aaad60101dbdb4192bd54c2a Mon Sep 17 00:00:00 2001 From: Fabian Date: Wed, 26 Feb 2020 20:54:29 +0000 Subject: [PATCH 02/10] Add dropbear --- host/montalin.nix | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/host/montalin.nix b/host/montalin.nix index 8c84733..cc4d9f2 100644 --- a/host/montalin.nix +++ b/host/montalin.nix @@ -27,6 +27,32 @@ [ { device = "/dev/mapper/swap"; } ]; + + boot.loader.timeout = 2; + boot.initrd.availableKernelModules = [ "virtio-pci" "e1000e" ]; + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + port = 2222; + # hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey; + # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually + # authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + # Key generation with dropbearkey -t -f + hostRSAKey = /boot/dropbear_rsa_host_key; + hostECDSAKey = /boot/dropbear_ecdsa_host_key; + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + boot.kernelParams = ["ip=::::montalin:eth0:dhcp"]; + +boot.initrd.postMountCommands = '' + ip link set eth0 down + ''; + + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; 
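Review bot: `hostRSAKey = /boot/dropbear_rsa_host_key;` and the ECDSA line under it are Nix path literals, so at evaluation time the private keys are copied into the world-readable Nix store (the option documentation for these two options carries that exact warning), and the same keys also sit in the unencrypted initrd on the ESP; they must therefore be keys generated only for the initrd, never the system's regular sshd host keys. Because the initrd and its host key live on the unencrypted `/boot`, anyone with disk access can swap the initrd and present the genuine host key to harvest the LUKS passphrase at the next remote unlock — this design protects data at rest, not against that tampering, and the limit belongs in a comment next to `ssh = {`: `# WARNING: key files given here are copied into /nix/store (world-readable) and live on the unencrypted ESP; use dedicated initrd-only keys, never the sshd host keys.` `authorizedKeys` is left commented out, so who may log in on port 2222 depends on the option's default (root's authorized keys, if I recall the module correctly) — set it explicitly so the trust decision is visible in this file. The enclosing module attribute set starts and ends outside the hunk.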
From 38017ebceca067818fa368f7e9d669aa8411f5c7 Mon Sep 17 00:00:00 2001 From: Fabian Date: Wed, 26 Feb 2020 20:54:49 +0000 Subject: [PATCH 03/10] Add fwupd and some system utilites --- role/base.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/role/base.nix b/role/base.nix index c510210..2d616d5 100644 --- a/role/base.nix +++ b/role/base.nix @@ -12,8 +12,12 @@ environment.systemPackages = with pkgs; [ wget curl vim tmux git ncat bind + fwupd pciutils dmidecode ]; + services.fwupd.enable = true; + + # Networking networking.firewall = { allowPing = true; From acfde18601be041728f4f291733c15ca99a99427 Mon Sep 17 00:00:00 2001 From: Fabian Date: Wed, 26 Feb 2020 22:02:02 +0000 Subject: [PATCH 04/10] Clean up montalin configuration --- hardware/nuc.nix | 2 +- host/montalin.nix | 47 ++++++++++------------------------------------- role/base.nix | 3 +++ role/dropbear.nix | 26 ++++++++++++++++++++++++++ 4 files changed, 40 insertions(+), 38 deletions(-) create mode 100644 role/dropbear.nix diff --git a/hardware/nuc.nix b/hardware/nuc.nix index cb5341a..8c3cc2f 100644 --- a/hardware/nuc.nix +++ b/hardware/nuc.nix @@ -8,7 +8,7 @@ [ ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "e1000e" "virtio-pci"]; boot.initrd.kernelModules = [ ]; # boot.kernelModules = [ "kvm-intel" "virtio" "tun" ]; boot.kernelModules = [ "kvm-intel" ]; diff --git a/host/montalin.nix b/host/montalin.nix index cc4d9f2..784010c 100644 --- a/host/montalin.nix +++ b/host/montalin.nix 
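Review bot: `fwupd` in `environment.systemPackages` is redundant once `services.fwupd.enable = true;` is set, since the service module already installs the daemon and puts fwupdmgr on the path; dropping it from the list keeps a single source of truth for what enables firmware updates. As this is the base role, every host importing it gets the daemon whether or not it has updatable firmware, so a one-line comment stating that intent would help: `# fwupd daemon on all hosts: firmware is updated via fwupdmgr, updates are signature-checked by fwupd`. The systemPackages list is cut at both ends of the hunk.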
@@ -10,47 +10,20 @@ [ ../hardware/nuc.nix ../role/base.nix + ../role/dropbear.nix ]; - boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1"; - boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49"; - - fileSystems."/" = - { device = "/dev/mapper/root"; - fsType = "btrfs"; - }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0065-E4EA"; - fsType = "vfat"; - }; - swapDevices = - [ { device = "/dev/mapper/swap"; } - ]; - - - boot.loader.timeout = 2; - boot.initrd.availableKernelModules = [ "virtio-pci" "e1000e" ]; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - port = 2222; - # hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey; - # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually - # authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - # Key generation with dropbearkey -t -f - hostRSAKey = /boot/dropbear_rsa_host_key; - hostECDSAKey = /boot/dropbear_ecdsa_host_key; - }; - postCommands = '' - echo 'cryptsetup-askpass' >> /root/.profile - ''; + boot.initrd.luks.devices = { + "root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1"; + "swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49"; }; - boot.kernelParams = ["ip=::::montalin:eth0:dhcp"]; -boot.initrd.postMountCommands = '' - ip link set eth0 down - ''; + fileSystems = { + "/" = { device = "/dev/mapper/root"; fsType = "btrfs"; }; + "/boot" = { device = "/dev/disk/by-uuid/0065-E4EA"; fsType = "vfat"; }; + }; + + swapDevices = [{ device = "/dev/mapper/swap"; }]; # Use the systemd-boot EFI boot loader. diff --git a/role/base.nix b/role/base.nix index 2d616d5..faeb031 100644 --- a/role/base.nix +++ b/role/base.nix 
@@ -3,6 +3,9 @@ { system.autoUpgrade.enable = true; + system.autoUpgrade.allowReboot = true; + + boot.loader.timeout = 2; i18n = { consoleFont = "Lat2-Terminus16"; diff --git a/role/dropbear.nix b/role/dropbear.nix new file mode 100644 index 0000000..19ab61a --- /dev/null +++ b/role/dropbear.nix @@ -0,0 +1,26 @@ +{ config, pkgs, ... }: + +{ + # Note: This implementation currently only allows eth0 (first interface) with dhcp. + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + port = 2222; + # this includes the ssh keys of all users in the wheel group, + # but you can just specify some keys manually + #authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + hostRSAKey = /boot/dropbear_rsa_host_key; + hostECDSAKey = /boot/dropbear_ecdsa_host_key; + # Key generation with dropbearkey -t -f + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + boot.kernelParams = ["ip=::::montalin:eth0:dhcp"]; + + boot.initrd.postMountCommands = '' + ip link set eth0 down + ''; +} From 58ce179e1b0834c76596041b4fa4b2234a8f3efc Mon Sep 17 00:00:00 2001 From: Fabian Date: Wed, 26 Feb 2020 22:02:29 +0000 Subject: [PATCH 05/10] Add parted to base set --- role/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/role/base.nix b/role/base.nix index faeb031..8766d59 100644 --- a/role/base.nix +++ b/role/base.nix @@ -15,7 +15,7 @@ environment.systemPackages = with pkgs; [ wget curl vim tmux git ncat bind - fwupd pciutils dmidecode + fwupd pciutils dmidecode parted ]; services.fwupd.enable = true; From 89121d488a78ff4f065c2db920bcad206937e9cd Mon Sep 17 00:00:00 2001 From: Fabian Date: Thu, 27 Feb 2020 21:02:07 +0000 Subject: [PATCH 06/10] Move tmp to tmpfs and add smartctl --- host/montalin.nix | 2 +- role/base.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
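Review bot: `system.autoUpgrade.allowReboot = true;` lets an unattended upgrade reboot the machine (per the option's documentation, whenever the new generation uses a different kernel, modules or initrd), and this base role is imported by montalin, whose root filesystem is LUKS-encrypted and unlocked by typing a passphrase over the initrd SSH session; every such reboot therefore stalls at the stage-1 prompt until someone logs in on port 2222. Either leave `allowReboot` off for hosts with an interactive unlock, or accept the downtime and alert on it, and record the choice in a comment: `# Note: hosts with a LUKS root stop at the initrd passphrase prompt after an auto-reboot; plan the remote unlock or keep allowReboot off there.` The attribute set containing these lines begins outside the hunk.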
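Review bot: `boot.kernelParams = ["ip=::::montalin:eth0:dhcp"];` hard-codes one host's name inside a reusable role, so any second host importing `role/dropbear.nix` would identify itself as montalin to DHCP; use `boot.kernelParams = ["ip=::::${config.networking.hostName}:eth0:dhcp"];` — `config` is already a module argument. The commented-out `authorizedKeys` line uses `with lib;` but the header `{ config, pkgs, ... }:` does not bind `lib`, so uncommenting it as-is fails to evaluate; add `lib` to the argument list now. The comment `# Key generation with dropbearkey -t -f` has lost its arguments as rendered here; spell out the key type and output path so the next person produces keys in the Dropbear format these options expect.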
diff --git a/host/montalin.nix b/host/montalin.nix index 784010c..97ef6a0 100644 --- a/host/montalin.nix +++ b/host/montalin.nix @@ -13,6 +13,7 @@ ../role/dropbear.nix ]; + boot.tmpOnTmpfs = true; boot.initrd.luks.devices = { "root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1"; "swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49"; @@ -25,7 +26,6 @@ swapDevices = [{ device = "/dev/mapper/swap"; }]; - # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/role/base.nix b/role/base.nix index 8766d59..7d4ca94 100644 --- a/role/base.nix +++ b/role/base.nix @@ -15,7 +15,7 @@ environment.systemPackages = with pkgs; [ wget curl vim tmux git ncat bind - fwupd pciutils dmidecode parted + fwupd pciutils dmidecode smartmontools parted ]; services.fwupd.enable = true; From 26220b54ec9cbb406ea29ea55e0935c56e46079c Mon Sep 17 00:00:00 2001 From: Fabian Date: Thu, 27 Feb 2020 21:02:28 +0000 Subject: [PATCH 07/10] Add borg backup --- host/montalin.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/host/montalin.nix b/host/montalin.nix index 97ef6a0..bdc354b 100644 --- a/host/montalin.nix +++ b/host/montalin.nix @@ -17,11 +17,13 @@ boot.initrd.luks.devices = { "root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1"; "swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49"; + "backup".device = "/dev/disk/by-uuid/a965933d-516c-46cf-8384-006b1770e46b"; }; fileSystems = { "/" = { device = "/dev/mapper/root"; fsType = "btrfs"; }; - "/boot" = { device = "/dev/disk/by-uuid/0065-E4EA"; fsType = "vfat"; }; + "/var/backup" = { device = "/dev/mapper/backup"; fsType = "ext4"; }; + "/boot" = { device = "/dev/disk/by-uuid/0065-E4EA"; fsType = "vfat"; options = [ "defaults" "noatime" ]; }; }; swapDevices = [{ device = "/dev/mapper/swap"; }]; 
@@ -30,6 +32,11 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + + + environment.systemPackages = [ pkgs.borgbackup ]; + + networking.hostName = "montalin"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. From e5d92728f0035df028df8811d32b013edae3a414 Mon Sep 17 00:00:00 2001 From: Fabian Date: Thu, 27 Feb 2020 21:18:14 +0000 Subject: [PATCH 08/10] Enable nuc microcode updates --- hardware/nuc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardware/nuc.nix b/hardware/nuc.nix index 8c3cc2f..e5d0a42 100644 --- a/hardware/nuc.nix +++ b/hardware/nuc.nix @@ -15,7 +15,7 @@ boot.extraModulePackages = [ ]; # boot.kernelParams = [ "console=ttyS0,115200n8" ]; - + hardware.cpu.intel.updateMicrocode = true; powerManagement.cpuFreqGovernor = "ondemand"; nix.maxJobs = lib.mkDefault 8; } From 746680731e86fc4e69759332456d4f46d6eef981 Mon Sep 17 00:00:00 2001 From: Fabian Date: Sun, 1 Mar 2020 00:26:08 +0000 Subject: [PATCH 09/10] Add timed backup --- host/montalin.nix | 5 ++-- role/backup.nix | 66 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 role/backup.nix diff --git a/host/montalin.nix b/host/montalin.nix index bdc354b..262a392 100644 --- a/host/montalin.nix +++ b/host/montalin.nix @@ -11,6 +11,7 @@ ../hardware/nuc.nix ../role/base.nix ../role/dropbear.nix + (import ../role/backup.nix {systemdMount = "var-backup.mount"; borgArchiveFolder = "/var/backup/montalin";}) ]; boot.tmpOnTmpfs = true; 
@@ -21,8 +22,8 @@ }; fileSystems = { - "/" = { device = "/dev/mapper/root"; fsType = "btrfs"; }; - "/var/backup" = { device = "/dev/mapper/backup"; fsType = "ext4"; }; + "/" = { device = "/dev/mapper/root"; fsType = "btrfs"; options = [ "defaults" "noatime" ]; }; + "/var/backup" = { device = "/dev/mapper/backup"; fsType = "ext4"; options = [ "defaults" "noauto" "noatime" ]; }; "/boot" = { device = "/dev/disk/by-uuid/0065-E4EA"; fsType = "vfat"; options = [ "defaults" "noatime" ]; }; }; diff --git a/role/backup.nix b/role/backup.nix new file mode 100644 index 0000000..e019b7e --- /dev/null +++ b/role/backup.nix @@ -0,0 +1,66 @@ +{ + systemdMount, + borgArchiveFolder, + keepWithin? "14d", + keepWeekly? "4", + keepMonthly? "6", + keepYearly? "-1", +}: + +let pkgs = import{}; +in +{ + + systemd = { + services.backup = { + description = "Backup of all user data and system configuration with BorgBackup"; + serviceConfig.Type = "oneshot"; + path = with pkgs; [ bash borgbackup ]; + script = '' + #!/usr/bin/env bash + set -euo pipefail + IFS=$'\n\t' + + systemctl start ${systemdMount} + + export BORG_REPO=${borgArchiveFolder} \ + BORG_BASE_DIR=${borgArchiveFolder}/borg-base-dir + + echo "Backup started at `date`" + borg create --exclude /var/backup \ + --exclude /var/tmp \ + --exclude /var/cache \ + $BORG_REPO::{hostname}-{now} \ + /etc \ + /home \ + /root \ + /var + + sync + echo "Backup finished at `date`" + + echo "Backup prune started at `date`" + borg prune --prefix '{hostname}-' \ + --keep-within ${keepWithin} \ + --keep-weekly ${keepWeekly} \ + --keep-monthly ${keepMonthly} \ + --keep-yearly ${keepYearly} + sync + echo "Backup prune finished at `date`" + + systemctl stop ${systemdMount} + ''; + }; + + timers.backup = { + description = "Backup Schedule"; + + timerConfig = { + OnCalendar = "13:37"; + Persistent = "true"; + }; + + wantedBy = [ "timers.target" ]; + }; + }; +} From bebb3da27a203b6780a54fe1913d408ac7880e54 Mon Sep 17 00:00:00 2001 
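Review bot: `noauto` on `/var/backup` keeps the filesystem unmounted until the backup job starts its mount unit, but the `backup` LUKS device remains in `boot.initrd.luks.devices` (set earlier in this file, outside the hunk), so as far as I can tell stage 1 still opens it at every boot — over the remote-unlock session too — and `/dev/mapper/backup` stays open permanently. If the intent is to expose the backup disk only while a backup runs, open it from the backup job instead (for example a `cryptsetup open` with a root-only key file before starting the mount unit) rather than from initrd. Either way, a comment on the mount line explaining why it is `noauto` would save the next reader the guess: `# mounted only by the backup service; see role/backup.nix`.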
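Review bot: with `set -euo pipefail`, a failing `borg create` or `borg prune` aborts the script before the final `systemctl stop ${systemdMount}` runs, so the backup disk stays mounted after any error; register the unmount once, right after `systemctl start ${systemdMount}`, with `trap 'systemctl stop ${systemdMount}' EXIT` and drop the trailing stop line. `let pkgs = import{};` (presumably `import <nixpkgs> {}` with the path eaten by rendering) evaluates an unpinned nixpkgs from NIX_PATH, so the borg binary used for backups is not the one the rest of the system was built from and can change independently of it; returning a module function `{ config, pkgs, lib, ... }:` from this file instead gives it the system's pkgs, and the `imports` entry in montalin.nix keeps working because NixOS accepts a function as a module. The repository is on a disk attached to the same host with read-write access, so whatever compromises root on montalin can also delete or rewrite every archive during the next `borg prune`; a comment near `BORG_REPO` that this is a local, non-append-only copy and that an off-host replica is still required would make that limit explicit. The `#!/usr/bin/env bash` line inside `script` is inert (NixOS supplies its own shebang) and can go.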
From: Fabian Date: Sun, 1 Mar 2020 00:54:15 +0000 Subject: [PATCH 10/10] Add disk shutdown for backup --- host/montalin.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/host/montalin.nix b/host/montalin.nix index 262a392..266e9c7 100644 --- a/host/montalin.nix +++ b/host/montalin.nix @@ -29,6 +29,11 @@ swapDevices = [{ device = "/dev/mapper/swap"; }]; + # Get disk identifier with `udevadm info -n /dev/sdX | grep ID_SERIAL_SHORT` + services.udev.extraRules = '' + ACTION=="add", KERNEL=="sd[a-z]", ENV{ID_SERIAL_SHORT}=="WD-WXH1A89L54LA", RUN+="${pkgs.hdparm}/bin/hdparm -S 60 /dev/%k" + ''; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true;