2024-04-18 17:53:15 -04:00
|
|
|
{ config, pkgs, ... }:
|
2024-04-13 17:37:28 -04:00
|
|
|
let
|
|
|
|
|
keygen = key: {
|
|
|
|
|
"${key}" = {
|
2024-04-13 18:31:09 -04:00
|
|
|
format = "binary";
|
|
|
|
|
sopsFile = ./keys/${key};
|
|
|
|
|
mode = "0400";
|
|
|
|
|
path = "/crypto/keys/${key}";
|
|
|
|
|
};
|
2024-04-13 17:37:28 -04:00
|
|
|
};
|
2024-04-13 18:31:09 -04:00
|
|
|
in
|
2024-03-03 18:06:28 -05:00
|
|
|
{
|
2024-04-10 18:23:40 -04:00
|
|
|
|
2024-03-03 18:06:28 -05:00
|
|
|
systemd.services.hydra-notify.serviceConfig.EnvironmentFile =
|
|
|
|
|
config.sops.secrets."hydra/environment".path;
|
2024-02-06 23:58:33 +01:00
|
|
|
programs.git.lfs.enable = false;
|
2024-02-05 22:45:43 +01:00
|
|
|
networking = {
|
|
|
|
|
hostId = "dc2f9781";
|
|
|
|
|
firewall.enable = false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
nixpkgs.config.packageOverrides = pkgs: {
|
2024-03-03 18:06:28 -05:00
|
|
|
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
2024-02-05 22:45:43 +01:00
|
|
|
};
|
|
|
|
|
|
2023-12-26 04:07:18 +01:00
|
|
|
boot = {
|
|
|
|
|
zfs.extraPools = [ "ZFS-primary" ];
|
2023-12-27 10:03:13 +01:00
|
|
|
loader.grub.device = "/dev/sda";
|
|
|
|
|
filesystem = "zfs";
|
|
|
|
|
useSystemdBoot = true;
|
2024-03-03 18:06:28 -05:00
|
|
|
kernelParams = [
|
|
|
|
|
"i915.force_probe=56a5"
|
|
|
|
|
"i915.enable_guc=2"
|
|
|
|
|
];
|
2024-02-18 00:27:02 -05:00
|
|
|
kernel.sysctl = {
|
|
|
|
|
"vm.overcommit_memory" = 1;
|
|
|
|
|
"vm.swappiness" = 10;
|
|
|
|
|
};
|
2024-02-17 15:51:38 +01:00
|
|
|
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
2023-12-26 04:07:18 +01:00
|
|
|
};
|
2023-12-23 07:39:10 +01:00
|
|
|
|
2024-02-03 22:00:35 +01:00
|
|
|
nix = {
|
|
|
|
|
extraOptions = ''
|
|
|
|
|
allowed-uris = github: gitlab: git+https:// git+ssh:// https://
|
2024-02-06 20:35:02 +01:00
|
|
|
builders-use-substitutes = true
|
2024-02-03 22:00:35 +01:00
|
|
|
'';
|
|
|
|
|
|
2024-03-03 18:06:28 -05:00
|
|
|
buildMachines = [
|
|
|
|
|
{
|
|
|
|
|
hostName = "localhost";
|
|
|
|
|
maxJobs = 2;
|
|
|
|
|
protocol = "ssh-ng";
|
|
|
|
|
speedFactor = 2;
|
|
|
|
|
systems = [
|
|
|
|
|
"x86_64-linux"
|
|
|
|
|
"aarch64-linux"
|
2024-04-17 01:31:45 -04:00
|
|
|
"i686-linux"
|
2024-03-03 18:06:28 -05:00
|
|
|
];
|
2024-02-07 00:51:31 +01:00
|
|
|
|
2024-03-03 18:06:28 -05:00
|
|
|
supportedFeatures = [
|
|
|
|
|
"kvm"
|
|
|
|
|
"nixos-test"
|
|
|
|
|
"big-parallel"
|
|
|
|
|
"benchmark"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
];
|
2024-02-03 22:00:35 +01:00
|
|
|
};
|
2024-02-02 06:31:40 +01:00
|
|
|
|
2024-02-01 05:24:04 +01:00
|
|
|
hardware = {
|
|
|
|
|
enableAllFirmware = true;
|
|
|
|
|
opengl = {
|
|
|
|
|
enable = true;
|
|
|
|
|
extraPackages = with pkgs; [
|
|
|
|
|
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
|
|
|
|
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
|
|
|
|
vaapiVdpau
|
|
|
|
|
libvdpau-va-gl
|
|
|
|
|
intel-compute-runtime
|
|
|
|
|
intel-media-sdk
|
|
|
|
|
];
|
|
|
|
|
};
|
2024-01-27 12:00:32 -05:00
|
|
|
};
|
|
|
|
|
|
2024-04-18 17:53:15 -04:00
|
|
|
virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
|
2023-12-23 07:39:10 +01:00
|
|
|
|
2024-02-05 22:45:43 +01:00
|
|
|
environment.systemPackages = with pkgs; [
|
2024-03-24 13:08:42 -04:00
|
|
|
attic-client
|
|
|
|
|
attic
|
2024-02-05 22:45:43 +01:00
|
|
|
docker-compose
|
|
|
|
|
jellyfin-ffmpeg
|
|
|
|
|
];
|
2023-12-23 07:39:10 +01:00
|
|
|
|
|
|
|
|
services = {
|
|
|
|
|
samba.enable = true;
|
|
|
|
|
nfs.server.enable = true;
|
2023-12-25 13:30:28 -05:00
|
|
|
openssh.ports = [ 666 ];
|
2023-12-29 00:00:49 -05:00
|
|
|
smartd.enable = true;
|
2023-12-29 00:17:27 -05:00
|
|
|
zfs = {
|
|
|
|
|
trim.enable = true;
|
2023-12-29 11:42:31 -05:00
|
|
|
autoScrub.enable = true;
|
2023-12-29 00:17:27 -05:00
|
|
|
};
|
2024-02-01 05:24:04 +01:00
|
|
|
|
|
|
|
|
postgresql = {
|
|
|
|
|
enable = true;
|
|
|
|
|
enableJIT = true;
|
2024-02-02 04:25:10 +01:00
|
|
|
identMap = ''
|
|
|
|
|
# ArbitraryMapName systemUser DBUser
|
|
|
|
|
superuser_map root postgres
|
|
|
|
|
superuser_map alice postgres
|
|
|
|
|
# Let other names login as themselves
|
|
|
|
|
superuser_map /^(.*)$ \1
|
|
|
|
|
'';
|
|
|
|
|
|
2024-03-24 13:08:42 -04:00
|
|
|
ensureDatabases = [ "atticd" ];
|
|
|
|
|
ensureUsers = [
|
|
|
|
|
{
|
|
|
|
|
name = "atticd";
|
|
|
|
|
ensureDBOwnership = true;
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
# initialScript = config.sops.secrets."postgres/init".path;
|
|
|
|
|
|
2024-02-01 05:24:04 +01:00
|
|
|
upgrade = {
|
|
|
|
|
enable = true;
|
2024-03-24 13:08:42 -04:00
|
|
|
stopServices = [
|
|
|
|
|
"hydra-evaluator"
|
|
|
|
|
"hydra-init"
|
|
|
|
|
"hydra-notify"
|
|
|
|
|
"hydra-queue-runner"
|
|
|
|
|
"hydra-send-stats"
|
|
|
|
|
"hydra-server"
|
|
|
|
|
"atticd"
|
|
|
|
|
];
|
2024-02-01 05:24:04 +01:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
hydra = {
|
|
|
|
|
enable = true;
|
|
|
|
|
hydraURL = "http://localhost:3000";
|
|
|
|
|
smtpHost = "alicehuston.xyz";
|
|
|
|
|
notificationSender = "hydra@alicehuston.xyz";
|
2024-02-10 16:39:33 -05:00
|
|
|
gcRootsDir = "/ZFS/ZFS-primary/hydra";
|
2024-02-01 05:24:04 +01:00
|
|
|
useSubstitutes = true;
|
2024-04-17 01:31:45 -04:00
|
|
|
buildMachinesFiles = [ ];
|
2024-02-01 05:24:04 +01:00
|
|
|
minimumDiskFree = 50;
|
|
|
|
|
minimumDiskFreeEvaluator = 100;
|
|
|
|
|
};
|
2024-02-01 16:50:14 -05:00
|
|
|
|
|
|
|
|
nix-serve = {
|
|
|
|
|
enable = true;
|
|
|
|
|
secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
|
|
|
|
|
};
|
2024-03-24 13:08:42 -04:00
|
|
|
atticd = {
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
|
|
credentialsFile = config.sops.secrets."attic/secret-key".path;
|
|
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
|
listen = "[::]:8183";
|
|
|
|
|
allowed-hosts = [ "attic.alicehuston.xyz" ];
|
|
|
|
|
api-endpoint = "https://attic.alicehuston.xyz";
|
|
|
|
|
compression.type = "none"; # let ZFS do the compressing
|
|
|
|
|
database = {
|
|
|
|
|
url = "postgres://atticd?host=/run/postgresql";
|
|
|
|
|
# disable postgres, using SOPS fails at below :(
|
|
|
|
|
# https://github.com/zhaofengli/attic/blob/main/nixos/atticd.nix#L57
|
|
|
|
|
# url = "sqlite:///ZFS/ZFS-primary/attic/server.db?mode=rwc";
|
|
|
|
|
heartbeat = true;
|
|
|
|
|
};
|
|
|
|
|
storage = {
|
|
|
|
|
type = "local";
|
|
|
|
|
path = "/ZFS/ZFS-primary/attic/storage";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Warning: If you change any of the values here, it will be
|
|
|
|
|
# difficult to reuse existing chunks for newly-uploaded NARs
|
|
|
|
|
# since the cutpoints will be different. As a result, the
|
|
|
|
|
# deduplication ratio will suffer for a while after the change.
|
|
|
|
|
chunking = {
|
|
|
|
|
# The minimum NAR size to trigger chunking
|
|
|
|
|
#
|
|
|
|
|
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
|
|
|
|
# If 1, all NARs are chunked.
|
|
|
|
|
nar-size-threshold = 64 * 1024; # 64 KiB
|
|
|
|
|
|
|
|
|
|
# The preferred minimum size of a chunk, in bytes
|
|
|
|
|
min-size = 16 * 1024; # 16 KiB
|
|
|
|
|
|
|
|
|
|
# The preferred average size of a chunk, in bytes
|
|
|
|
|
avg-size = 64 * 1024; # 64 KiB
|
|
|
|
|
|
|
|
|
|
# The preferred maximum size of a chunk, in bytes
|
|
|
|
|
max-size = 256 * 1024; # 256 KiB
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
|
|
|
|
|
# configured default webstore for this on root user separately
|
|
|
|
|
systemd.services.attic-watch-store = {
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
after = [ "network-online.target" ];
|
|
|
|
|
requires = [ "network-online.target" ];
|
|
|
|
|
description = "Upload all store content to binary catch";
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
User = "root";
|
|
|
|
|
Restart = "always";
|
|
|
|
|
ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
|
|
|
|
|
};
|
2023-12-23 07:39:10 +01:00
|
|
|
};
|
|
|
|
|
|
2024-04-13 23:21:16 -04:00
|
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
users.users.hydra-queue-runner.openssh.authorizedKeys.keys = [
|
2024-04-13 23:47:31 -04:00
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"
|
2024-04-13 23:21:16 -04:00
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHtwvfXg/QFjMAjC4JRjlMAaGPgEfSyhpprNpqbGSJn hydra-queue-runner@palatine-hill"
|
|
|
|
|
];
|
|
|
|
|
|
2024-02-01 16:50:14 -05:00
|
|
|
sops = {
|
|
|
|
|
defaultSopsFile = ./secrets.yaml;
|
2024-04-13 18:31:09 -04:00
|
|
|
secrets =
|
|
|
|
|
{
|
|
|
|
|
"hydra/environment".owner = "hydra";
|
|
|
|
|
"nix-serve/secret-key".owner = "root";
|
|
|
|
|
"attic/secret-key".owner = "root";
|
|
|
|
|
"attic/database-url".owner = "root";
|
|
|
|
|
"postgres/init".owner = "postgres";
|
|
|
|
|
}
|
|
|
|
|
// keygen "zfs-attic-key"
|
|
|
|
|
// keygen "zfs-backup-key"
|
|
|
|
|
// keygen "zfs-calibre-key"
|
|
|
|
|
// keygen "zfs-db-key"
|
|
|
|
|
// keygen "zfs-docker-key"
|
|
|
|
|
// keygen "zfs-games-key"
|
|
|
|
|
// keygen "zfs-hydra-key"
|
|
|
|
|
// keygen "zfs-libvirt-key"
|
|
|
|
|
// keygen "zfs-main-key"
|
|
|
|
|
// keygen "zfs-nxtcld-key"
|
|
|
|
|
// keygen "zfs-torr-key"
|
|
|
|
|
// keygen "zfs-var-docker-key";
|
2024-02-01 16:50:14 -05:00
|
|
|
};
|
|
|
|
|
|
2023-12-23 08:27:00 +01:00
|
|
|
system.stateVersion = "23.05";
|
2023-12-25 12:40:59 -05:00
|
|
|
}
|
