Add initial legacy configuration

2025-02-22 20:27:25 +02:00 · 2025-02-22 20:27:25 +02:00 · db07652d99
commit db07652d99
parent febfe1d970
64 changed files with 3287 additions and 13 deletions
--- a/nixos-configurations/ochsenchopf/default.nix
+++ b/nixos-configurations/ochsenchopf/default.nix
@ -0,0 +1,38 @@
+{ ... }:
+{
+
+  imports = [
+    ./filesystems.nix
+    ./networking.nix
+
+    # TODO: Hardware
+
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  virtualisation = {
+    # TODO: This should probably be somewhere else.
+    docker = {
+      enable = true;
+      enableOnBoot = false;
+    };
+    libvirtd.enable = true;
+    spiceUSBRedirection.enable = true;
+  };
+  users.extraUsers.fhauser.extraGroups = [ "libvirtd" ];
+
+  boot.extraModprobeConfig = ''
+    options kvm_intel nested=1
+    options kvm_intel emulate_invalid_guest_state=0
+    options kvm ignore_msrs=1
+  '';
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like fi:le locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
--- a/nixos-configurations/ochsenchopf/filesystems.nix
+++ b/nixos-configurations/ochsenchopf/filesystems.nix
@ -0,0 +1,43 @@
+{
+  lib,
+  ...
+}:
+{
+
+  boot.initrd.luks.devices = {
+    "luks".device = "/dev/disk/by-label/luks";
+  };
+
+  fileSystems =
+    let
+      rootdev = "/dev/disk/by-label/hv_ochsenchopf";
+    in
+    {
+      "/" = {
+        device = rootdev;
+        fsType = "btrfs";
+        options = [ "subvol=nixos" ];
+      };
+      "/home" = {
+        device = rootdev;
+        fsType = "btrfs";
+        options = [ "subvol=home" ];
+      };
+      "/boot" = {
+        device = "/dev/disk/by-label/boot";
+        fsType = "vfat";
+      };
+    };
+
+  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.systemd.enable = true;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}
--- a/nixos-configurations/ochsenchopf/networking.nix
+++ b/nixos-configurations/ochsenchopf/networking.nix
@ -0,0 +1,26 @@
+{ ... }:
+
+{
+  networking = {
+    networkmanager = {
+      enable = true;
+      # Does currently not work...
+      #enableFccUnlock = true;
+    };
+    useDHCP = false;
+  };
+
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "client";
+    authKeyFile = "/secrets/wireguard/tailscale-key";
+    extraUpFlags = [
+      "--operator"
+      "fhauser"
+      "--accept-routes"
+      "--exit-node=100.64.0.6"
+      "--login-server=https://vpn.qo.is"
+    ];
+  };
+}
--- a/nixos-configurations/speer/default.nix
+++ b/nixos-configurations/speer/default.nix
@ -0,0 +1,40 @@
+{ ... }:
+{
+
+  imports = [
+    ./filesystems.nix
+    ./networking.nix
+    ./disko-config.nix
+
+    # TODO: Hardware
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  virtualisation = {
+    # TODO: This should probably be somewhere else.
+    docker = {
+      enable = true;
+      enableOnBoot = false;
+    };
+    libvirtd.enable = true;
+    spiceUSBRedirection.enable = true;
+  };
+
+  boot.extraModprobeConfig = ''
+    options kvm_intel nested=1
+    options kvm_intel emulate_invalid_guest_state=0
+    options kvm ignore_msrs=1
+  '';
+
+  # Set your time zone.
+  time.timeZone = "Europe/Tallinn";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like fi:le locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+}
--- a/nixos-configurations/speer/disko-config.nix
+++ b/nixos-configurations/speer/disko-config.nix
@ -0,0 +1,98 @@
+{ ... }:
+{
+  disko.devices = {
+    disk = rec {
+      system-1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S4J4NX0W821176E";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            raid_system = {
+              start = "30G";
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid_system";
+              };
+            };
+          };
+        };
+      };
+      #system-2 = {
+      #  type = "disk";
+      #  device = "/dev/disk/by-id/nvme-XXXXX";
+      #  content = pkgs.lib.recursiveUpdate system-1.content {
+      #    partitions.boot.content.mountpoint = "/boot-secondary";
+      #  };
+      #};
+    };
+
+    mdadm = {
+      "raid_system" = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "luks";
+          name = "crypted_system";
+          passwordFile = "/run/secrets/system/hdd.key";
+          settings = {
+            allowDiscards = true;
+            bypassWorkqueues = true;
+          };
+          content = {
+            type = "lvm_pv";
+            vg = "vg_system";
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      vg_system = {
+        type = "lvm_vg";
+        lvs = {
+          swap = {
+            size = "32G";
+            content = {
+              type = "swap";
+              resumeDevice = true;
+            };
+          };
+          data = {
+            size = "1000GB";
+            content = {
+              type = "btrfs";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+              subvolumes."/home".mountpoint = "/home";
+            };
+          };
+          hv_speer = {
+            size = "200GiB";
+            content = {
+              type = "btrfs";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+              subvolumes = {
+                "/root".mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixos-configurations/speer/filesystems.nix
+++ b/nixos-configurations/speer/filesystems.nix
@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  # Configurations are set in disko-config.nix!
+
+  # mdadm.conf generated by `mdadm --detail --scan`
+  # TODO
+  boot.swraid.enable = true;
+  boot.swraid.mdadmConf = ''
+    MAILADDR root
+  '';
+
+  services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}
--- a/nixos-configurations/speer/networking.nix
+++ b/nixos-configurations/speer/networking.nix
@ -0,0 +1,22 @@
+{ ... }:
+{
+  networking = {
+    networkmanager.enable = true;
+    useDHCP = false;
+
+  };
+
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "client";
+    authKeyFile = "/secrets/wireguard/tailscale-key";
+    extraUpFlags = [
+      "--operator"
+      "fhauser"
+      "--accept-routes"
+      "--exit-node=100.64.0.6"
+      "--login-server=https://vpn.qo.is"
+    ];
+  };
+}