2025-01-29 21:33:37 +01:00
commit a2247c5b26
30 changed files with 1036 additions and 0 deletions

21
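--- /dev/null
+++ b/hosts/genepi/acme.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+security.acme = {
+acceptTerms = true;
+defaults.email = "admin@rpqt.fr";
+};
+age.secrets.gandi.file = ../../secrets/gandi.age;
+security.acme = {
+certs."home.rpqt.fr" = {
+group = config.services.nginx.group;
+domain = "home.rpqt.fr";
+extraDomainNames = [ "*.home.rpqt.fr" ];
+dnsProvider = "gandiv5";
+dnsPropagationCheck = true;
+environmentFile = config.age.secrets.gandi.path;
+};
+};
+}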
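Review bot: `security.acme` is declared twice in the same module (the `acceptTerms`/`defaults.email` block and the `certs` block); the module system merges them, but one attribute set reads more clearly, so fold `acceptTerms = true;` and `defaults.email = "admin@rpqt.fr";` into the second block. The certificate covers `*.home.rpqt.fr` via `extraDomainNames`, so a single private key stands for every name under that zone, and the Gandi credential loaded through `environmentFile` presumably has write access to the whole DNS zone. A comment such as `# wildcard cert: one key for every *.home.rpqt.fr host; the gandi token in the age secret can rewrite the zone` would make the blast radius of both secrets explicit to the next reader.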

19
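--- /dev/null
+++ b/hosts/genepi/boot.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+boot.initrd.availableKernelModules = [
+"xhci_pci"
+"usbhid"
+"usb_storage"
+];
+boot.loader = {
+grub.enable = false;
+generic-extlinux-compatible.enable = true;
+};
+boot.supportedFilesystems = [
+"btrfs"
+"vfat"
+];
+}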

21
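--- /dev/null
+++ b/hosts/genepi/default.nix
@@ -0,0 +1,21 @@
+{
+inputs,
+...
+}:
+{
+imports = [
+inputs.disko.nixosModules.disko
+inputs.nixos-hardware.nixosModules.raspberry-pi-4
+inputs.agenix.nixosModules.default
+inputs.impermanence.nixosModules.impermanence
+./acme.nix
+./boot.nix
+./disk.nix
+./dns.nix
+./hardware.nix
+./monitoring.nix
+./network.nix
+./nginx.nix
+./persistence.nix
+];
+}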

86
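--- /dev/null
+++ b/hosts/genepi/disk.nix
@@ -0,0 +1,86 @@
+{
+disko.devices.disk.main = {
+type = "disk";
+device = "/dev/disk/by-id/ata-WD_Green_M.2_2280_480GB_2251E6411147";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+priority = 1;
+name = "ESP";
+start = "1M";
+end = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+root = {
+end = "-4G";
+content = {
+type = "btrfs";
+extraArgs = [
+"-L"
+"nixos"
+"-f" # Override existing partition
+];
+subvolumes = {
+"/root" = {
+mountpoint = "/";
+mountOptions = [
+"subvol=root"
+"compress=zstd"
+"noatime"
+];
+};
+"/home" = {
+mountpoint = "/home";
+mountOptions = [
+"subvol=home"
+"compress=zstd"
+"noatime"
+];
+};
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = [
+"subvol=nix"
+"compress=zstd"
+"noatime"
+];
+};
+"/persist" = {
+mountpoint = "/persist";
+mountOptions = [
+"subvol=persist"
+"compress=zstd"
+"noatime"
+];
+};
+"/log" = {
+mountpoint = "/var/log";
+mountOptions = [
+"subvol=log"
+"compress=zstd"
+"noatime"
+];
+};
+};
+};
+};
+swap = {
+size = "100%";
+content = {
+type = "swap";
+};
+};
+};
+};
+};
+fileSystems."/persist".neededForBoot = true;
+fileSystems."/var/log".neededForBoot = true;
+}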
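Review bot: The swap partition declared as `content = { type = "swap"; };` is plain, so anything the kernel pages out — decrypted agenix secrets, the tailscale node key, TLS session material — is written to disk in clear and survives a power-off. disko's swap content type accepts `randomEncryption = true;`, which layers a dm-crypt volume keyed from fresh random data on every boot; the only cost is losing hibernation, which a headless Pi does not use. The rest of the layout is also unencrypted, presumably a deliberate trade-off for unattended boot; a one-line comment next to `device = ...` such as `# unencrypted by design: headless boot, nobody to type a passphrase` would stop the next reader re-deriving that decision. The `umask=0077` on the ESP is the right choice and worth keeping.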

22
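--- /dev/null
+++ b/hosts/genepi/dns.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+# networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
+# allowedTCPPorts = [ 53 ];
+# allowedUDPPorts = [ 53 ];
+# };
+services.unbound = {
+enable = true;
+resolveLocalQueries = false;
+settings = {
+server = {
+interface = [ "${config.services.tailscale.interfaceName}" ];
+access-control = [ "100.0.0.0/8 allow" ];
+local-zone = [ ''"grafana.home.rpqt.fr." redirect'' ];
+local-data = [ ''"grafana.home.rpqt.fr. IN A 100.83.123.79"'' ];
+};
+};
+};
+}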
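Review bot: `access-control = [ "100.0.0.0/8 allow" ];` is wider than the Tailscale address range, which is the CGNAT block 100.64.0.0/10; the lower half of 100.0.0.0/8 is ordinary public IPv4 space. Binding `interface` to the tailscale interface already limits who can reach the socket, but the ACL should still say what it means, so `access-control = [ "100.64.0.0/10 allow" ];`. The commented-out `networking.firewall.interfaces` block at the top is dead configuration: either port 53 must be opened on that interface for this resolver to be reachable, in which case enable it, or the firewall is handled in a module not in this commit, in which case replace the four lines with a one-line comment naming where. The `100.83.123.79` in `local-data` is presumably this host's own tailnet address; a comment stating that assumption would help whoever re-joins the node.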

19
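--- /dev/null
+++ b/hosts/genepi/hardware.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+nixpkgs.hostPlatform = "aarch64-linux";
+hardware.enableRedistributableFirmware = true;
+hardware = {
+raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+deviceTree = {
+enable = true;
+filter = "*rpi-4-*.dtb";
+};
+};
+environment.systemPackages = with pkgs; [
+libraspberrypi
+raspberrypi-eeprom
+];
+}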

22
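--- /dev/null
+++ b/hosts/genepi/home.nix
@@ -0,0 +1,22 @@
+{ pkgs, inputs, ... }:
+{
+home.username = "rpqt";
+home.homeDirectory = "/home/rpqt";
+home.packages = [
+pkgs.helix
+pkgs.ripgrep
+];
+# This value determines the Home Manager release that your configuration is
+# compatible with. This helps avoid breakage when a new Home Manager release
+# introduces backwards incompatible changes.
+#
+# You should not change this value, even if you update Home Manager. If you do
+# want to update the value, then make sure to first check the Home Manager
+# release notes.
+home.stateVersion = "24.11";
+# Let Home Manager install and manage itself
+programs.home-manager.enable = true;
+}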


@@ -0,0 +1,53 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
http_port = 3000;
domain = "grafana.home.rpqt.fr";
};
};
};
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
forceSSL = true;
useACMEHost = "home.rpqt.fr";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "genepi";
static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}
];
}
{
job_name = "crocus";
static_configs = [
{
targets = [ "crocus:9002" ];
}
];
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
}
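Review bot: Prometheus and the node exporter are left on their default bind address (`services.prometheus.listenAddress` and `services.prometheus.exporters.node.listenAddress` default to `0.0.0.0`), while the only scrape configured against this host is `127.0.0.1:9002` and the only path meant for the outside is nginx in front of Grafana. Neither endpoint has authentication, so unless the firewall closes them elsewhere, pin both with `listenAddress = "127.0.0.1";` under `services.prometheus` and under `exporters.node`. Grafana's admin password is not set, so the NixOS default applies behind a TLS vhost on a public name; `settings.security.admin_password` can be fed from an agenix secret (Grafana accepts a `$__file{...}` reference) instead of relying on the first-login prompt. The `crocus:9002` target is scraped over plain HTTP; a comment stating that this is expected to travel over the tailnet only would record the assumption. The file header for this section is not on the page, so the filename is inferred from the `./monitoring.nix` import in default.nix.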

4
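--- /dev/null
+++ b/hosts/genepi/network.nix
@@ -0,0 +1,4 @@
+{
+networking.hostName = "genepi";
+networking.useDHCP = true;
+}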

7
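--- /dev/null
+++ b/hosts/genepi/nginx.nix
@@ -0,0 +1,7 @@
+{
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+}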
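Review bot: No default virtual host is defined here, so the single `virtualHosts` entry elsewhere in this commit (the Grafana one, `forceSSL` with the wildcard ACME cert) becomes nginx's `default_server` and answers any request that reaches the address on 443 regardless of the `Host` header, which exposes the admin UI to address scanners rather than only to clients that know the name. A catch-all that refuses unmatched names closes that: `services.nginx.virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` (the TLS handshake is refused and plaintext on 80 is dropped). Whether 443 is opened in the firewall at all is not visible in this commit; if it is done in another module, a comment pointing there would save a search.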


@@ -0,0 +1,51 @@
{ lib, ... }:
{
environment.persistence."/persist" = {
enable = true;
directories = [
"/var/lib/nixos"
];
files = [
# so that systemd doesn't think each boot is the first
"/etc/machine-id"
# ssh host keys
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/var/lib/tailscaled.state"
];
users.rpqt = {
directories = [ ];
files = [ ];
};
};
# Empty root and remove snapshots older than 30 days
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/disk/by-label/nixos /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
rmdir /btrfs_tmp
'';
}
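Review bot: The persisted `/etc/ssh/ssh_host_ed25519_key` is, under agenix's default `age.identityPaths`, also the identity that decrypts `secrets/gandi.age` referenced from acme.nix, so the comment `# ssh host keys` undersells what the file protects; `# ssh host keys — the ed25519 key is also the agenix identity; losing it means re-keying every secret` would document that. Together with `/var/lib/tailscaled.state` (the node key) and the unencrypted layout in disk.nix, whoever holds the disk holds the host's SSH, tailnet and secret-decryption identity, which deserves a one-line comment where the `files` list starts. In the rollback script, `IFS=$'\n'` is assigned inside `delete_subvolume_recursively` without `local`, so it stays changed for the rest of the initrd script after the first call; harmless for the `find` loop that follows, but `local IFS=$'\n'` makes the intent explicit. `[[ -e /btrfs_tmp/root ]]` presumably relies on the scripted initrd's busybox accepting bash-style tests; a `[ -e ... ]` form would not depend on that.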