tsuki: move to bare metal, set up zfs

2024-01-23 05:24:47 +01:00 · 2024-01-23 05:24:47 +01:00 · 0d3e805611
parent 3a52ba8901
commit 0d3e805611
15 changed files with 180 additions and 109 deletions
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@ -1,7 +1,7 @@
 { config, lib, secrets, modulesPath, ... }:
 {
  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
+    ./hardware-configuration.nix

    ./services/atuin.nix
    ./services/borg.nix
@ -32,14 +32,12 @@
    headless = true;
    dataDrives = {
      drives = {
-        backup = "/data2/backup";
-        momiji = "/data2/momiji";
-        cirno = "/data2/cirno";
-        media = "/data2/media";
-        postgres = "/data2/postgres";
-        home = "/data2/home";
+        backup = "/data/backup";
+        cirno = "/data/cirno";
+        media = "/data/media";
+        home = "/home";
      };
-      default = "/data2/momiji";
+      default = "/data";
    };
  };

@ -88,62 +86,24 @@

  sops.secrets."drives/cirno/credentials" = {};

-  fileSystems = let
-    nfsDrive = drivename: {
-      device = "10.0.0.36:/mnt/PoolsClosed/${drivename}";
-      fsType = "nfs";
-      options = [ "vers=3" "local_lock=all" ];
-    };
-  in {
-    "/" = {
-      device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
-      fsType = "btrfs";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/0A60-2885";
-      fsType = "vfat";
-    };
-
-    "/data2/backup" = nfsDrive "backup";
-    "/data2/momiji" = nfsDrive "momiji";
-    "/data2/media" = nfsDrive "media";
-    "/data2/postgres" = nfsDrive "postgres";
-    "/data2/home" = nfsDrive "home";
-
-    "/data2/cirno" = {
-      device = "//10.0.0.36/cirno";
-      fsType = "cifs";
-      options = [
-        "vers=3.0"
-        "cred=${config.sops.secrets."drives/cirno/credentials".path}"
-        "rw"
-        "uid=1000"
-      ];
-    };
-  };
-
-  swapDevices = [{ device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }];

  virtualisation = {
    docker.enable = true;
  };

+  services.zfs.autoScrub.enable = true;
+
  boot = {
-    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-    initrd.kernelModules = [ ];
-    kernelModules = [ ];
-    extraModulePackages = [ ];
+    zfs.requestEncryptionCredentials = false;
    loader = {
      grub = {
        enable = true;
        efiSupport = true;
-        fsIdentifier = "label";
-        device = "nodev";
        efiInstallAsRemovable = true;
+        mirroredBoots = [
+          { devices = [ "nodev" ]; path = "/boot"; }
+        ];
      };
-      # efi.efiSysMountPoint = "/boot/efi";
-      # efi.canTouchEfiVariables = true;
    };
  };
 }
--- a/hosts/tsuki/hardware-configuration.nix
+++ b/hosts/tsuki/hardware-configuration.nix
@ -0,0 +1,80 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "megaraid_sas" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "momiji/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data" =
+    { device = "momiji/data";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "momiji/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "momiji/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "momiji/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/postgresql" =
+    { device = "momiji/data/postgres";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/minecraft" =
+    { device = "momiji/data/minecraft";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data/media" =
+    { device = "momiji/data/media";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data/backup" =
+    { device = "momiji/data/backup";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/66C8-A92E";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/tsuki/services/gitea/default.nix
+++ b/hosts/tsuki/services/gitea/default.nix
@ -27,11 +27,10 @@ in {
    user = "git";
    package = unstable-pkgs.gitea;

-    stateDir = "${config.machineVars.dataDrives.default}/var/gitea";
-
    dump = {
      enable = true;
      interval = "weekly";
+      backupDir = "/data/backup/gitea";
    };

    database = {
--- a/hosts/tsuki/services/grafana/default.nix
+++ b/hosts/tsuki/services/grafana/default.nix
@ -19,7 +19,6 @@

  services.grafana = {
    enable = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/grafana";

    provision = {
      enable = true;
--- a/hosts/tsuki/services/headscale.nix
+++ b/hosts/tsuki/services/headscale.nix
@ -14,9 +14,6 @@
  services.headscale = {
    enable = true;

-    # TODO: make PR
-    # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
-
    port = 39304;

    settings = {
--- a/hosts/tsuki/services/hedgedoc.nix
+++ b/hosts/tsuki/services/hedgedoc.nix
@ -8,7 +8,6 @@

    services.hedgedoc = {
      enable = true;
-      workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
      environmentFile = config.sops.secrets."hedgedoc/env".path;
      settings = {
        domain = "docs.nani.wtf";
--- a/hosts/tsuki/services/matrix/default.nix
+++ b/hosts/tsuki/services/matrix/default.nix
@ -14,7 +14,7 @@
  services.matrix-synapse-next = {
    enable = true;
    enableNginx = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/matrix";
+    dataDir = "/var/lib/matrix";

    workers = {
      federationSenders = 3;
--- a/hosts/tsuki/services/minecraft/default.nix
+++ b/hosts/tsuki/services/minecraft/default.nix
@ -1,13 +1,77 @@
 { pkgs, lib, config, inputs, secrets, ... }:
+let
+  cfg = config.services.minecraft-servers;
+
+  # See https://docs.papermc.io/paper/aikars-flags
+  jvmOpts = lib.concatStringsSep " " [
+    "-Xms5G"
+    "-Xmx15G"
+    "-XX:+UseG1GC"
+    "-XX:+ParallelRefProcEnabled"
+    "-XX:MaxGCPauseMillis=200"
+    "-XX:+UnlockExperimentalVMOptions"
+    "-XX:+DisableExplicitGC"
+    "-XX:+AlwaysPreTouch"
+    "-XX:G1NewSizePercent=30"
+    "-XX:G1MaxNewSizePercent=40"
+    "-XX:G1HeapRegionSize=8M"
+    "-XX:G1ReservePercent=20"
+    "-XX:G1HeapWastePercent=5"
+    "-XX:G1MixedGCCountTarget=4"
+    "-XX:InitiatingHeapOccupancyPercent=15"
+    "-XX:G1MixedGCLiveThresholdPercent=90"
+    "-XX:G1RSetUpdatingPauseTimePercent=5"
+    "-XX:SurvivorRatio=32"
+    "-XX:+PerfDisableSharedMem"
+    "-XX:MaxTenuringThreshold=1"
+    "-Dusing.aikars.flags=https://mcflags.emc.gs"
+    "-Daikars.new.flags=true"
+  ];
+
+  # serverPackage = inputs.minecraft.packages.x86_64-linux.paper-server-1_20_2;
+  # serverPackage = pkgs.paperServers.paper-1_20_2;
+
+  # lazymc-config = ((pkgs.formats.toml { }).generate "lazymc.toml" {
+  #   # public = {
+  #   #   version = builtins.head
+  #   #     (builtins.match "([[:digit:]].*[[:digit:]]*.[[:digit:]]*)-build.*" serverPackage.version);
+  #   #   protocol = 765;
+  #   # };
+  #   server = {
+  #     directory = "${cfg.dataDir}/kakuland";
+  #     command = "${serverPackage}/bin/minecraft-server ${jvmOpts}";
+  #     freeze_process = false;
+  #     probe_on_start = true;
+  #   };
+  #   rcon = {
+  #     enabled = true;
+  #     password = "mcrcond";
+  #     randomize_password = false;
+  #   };
+  #   advanced.rewrite_server_properties = false;
+  # }).override {
+  #   runCommand = pkgs.runCommandLocal;
+  # };
+
+  # lazymcServerPackage = pkgs.writeShellScriptBin "minecraft-server" ''
+  #   exec ${lib.getExe pkgs.lazymc} -c ${lazymc-config}
+  # '';
+in
 {
+  # ugly hack for https://github.com/Infinidoge/nix-minecraft/pull/54
+  services.minecraft-server.dataDir = "/srv/minecraft";
+
  services.minecraft-servers = {
    enable = true;
    eula = true;
    openFirewall = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/minecraft";
+    dataDir = "/var/lib/minecraft";
    servers.kakuland = {
      enable = true;

+      # package = lazymcServerPackage;
+      package = pkgs.paperServers.paper-1_20_4;
+
      serverProperties = {
        allow-flight = true;
        allow-nether = true;
@ -18,7 +82,6 @@
        enable-command-block = false;
        enable-jmx-monitoring = false;
        enable-query = false;
-        enable-rcon = false;
        enable-status = true;
        enforce-secure-profile = false;
        enforce-whitelist = false;
@ -47,14 +110,16 @@
        pvp = true;
        # "query.port" = 25565;
        rate-limit = 0;
-        # rcon.password=
-        # rcon.port=25575
+        enable-rcon = true;
+        "rcon.password" = "mcrcond";
+        "rcon.port" = 25575;
        require-resource-pack = false;
        # resource-pack=
        # resource-pack-prompt=
        # resource-pack-sha1=
        server-ip = "0.0.0.0";
        server-port = 25565;
+        # server-port = 25566;
        simulation-distance = 10;
        spawn-animals = true;
        spawn-monsters = true;
@ -67,33 +132,7 @@
        white-list = true;
      };

-      package = inputs.minecraft.packages.x86_64-linux.paper-server;
-
-      # See https://docs.papermc.io/paper/aikars-flags
-      jvmOpts = lib.concatStringsSep " " [
-        "-Xms5G"
-        "-Xmx15G"
-        "-XX:+UseG1GC"
-        "-XX:+ParallelRefProcEnabled"
-        "-XX:MaxGCPauseMillis=200"
-        "-XX:+UnlockExperimentalVMOptions"
-        "-XX:+DisableExplicitGC"
-        "-XX:+AlwaysPreTouch"
-        "-XX:G1NewSizePercent=30"
-        "-XX:G1MaxNewSizePercent=40"
-        "-XX:G1HeapRegionSize=8M"
-        "-XX:G1ReservePercent=20"
-        "-XX:G1HeapWastePercent=5"
-        "-XX:G1MixedGCCountTarget=4"
-        "-XX:InitiatingHeapOccupancyPercent=15"
-        "-XX:G1MixedGCLiveThresholdPercent=90"
-        "-XX:G1RSetUpdatingPauseTimePercent=5"
-        "-XX:SurvivorRatio=32"
-        "-XX:+PerfDisableSharedMem"
-        "-XX:MaxTenuringThreshold=1"
-        "-Dusing.aikars.flags=https://mcflags.emc.gs"
-        "-Daikars.new.flags=true"
-      ];
+      inherit jvmOpts;

      symlinks = let
        rawFile = file: pkgs.runCommandLocal (builtins.baseNameOf file) {} ''
@ -147,6 +186,9 @@
  systemd.services.minecraft-server-kakuland.requires = [ "postgresql.service" ];
  systemd.services.minecraft-server-kakuland.after = [
    "postgresql.service"
-    "data2-momiji.mount"
+    # "data2-momiji.mount"
  ];
+
+  networking.firewall.allowedTCPPorts = [ 25565 ];
+  networking.firewall.allowedUDPPorts = [ 25565 ];
 }
--- a/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix
+++ b/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix
@ -45,7 +45,7 @@
  BackupLimiter = 0;
  KeepUniqueBackups = false;
  UpdateAvailableMessage = true;
-  BackupDestination = "Backups/";
+  BackupDestination = "/data/backup/minecraft/kakuland";

  # Ftp = {
  #   UploadBackup = false;
--- a/hosts/tsuki/services/osuchan.nix
+++ b/hosts/tsuki/services/osuchan.nix
@ -1,12 +1,12 @@
-{ secrets, config, ... }:
+{ config, ... }:
 {
+  sops.secrets."osuchan/envfile" = {
+    restartUnits = [ "osuchan.service" ];
+  };
+
  services.osuchan = {
    enable = true;
    port = 9283;
-    secretFile = "${config.machineVars.dataDrives.default}/keys/osuchan/envfile";
+    secretFile = config.sops.secrets."osuchan/envfile".path;
  };
-
-  systemd.services.osuchan.after = [
-    "data2-momiji.mount"
-  ];
 }
--- a/hosts/tsuki/services/plex.nix
+++ b/hosts/tsuki/services/plex.nix
@ -4,7 +4,6 @@ in {
  services.plex = {
    enable = true;
    openFirewall = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/plex";
  };

  systemd.services.plex.serviceConfig = {
--- a/hosts/tsuki/services/postgres.nix
+++ b/hosts/tsuki/services/postgres.nix
@ -10,7 +10,6 @@ in {
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
    '';
-    dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
    settings = {
      max_connections = 150;
    };
@ -18,16 +17,15 @@ in {

  services.postgresqlBackup = {
    enable = true;
-    location = "${config.machineVars.dataDrives.drives.backup}/postgres";
+    location = "/data/backup/postgres";
    backupAll = true;
  };

  systemd.services.postgresqlBackup = {
-    requires = [ "postgresql.service" "data2-backup.mount" ];
+    requires = [ "postgresql.service" ];
  };

  systemd.services.postgresql = {
-    requires = [ "data2-postgres.mount" ];
    serviceConfig = {
      Restart = "always";
      RestartSec = 3;
--- a/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix
+++ b/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix
@ -14,9 +14,7 @@ in {
      ProtectHome = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
-      WorkingDirectory = "/var/lib/nhk_easy_news_scraper";
-      StateDirectory = "nhk_easy_news_scraper";
-      StateDirectoryMode = "0755";
+      WorkingDirectory = "/data/scrapers/nhk-easy-news";
    };
  };

--- a/hosts/tsuki/services/taskserver.nix
+++ b/hosts/tsuki/services/taskserver.nix
@ -12,7 +12,6 @@
    enable = true;
    fqdn = "todo.nani.wtf";
    listenPort = 19233;
-    dataDir = "${config.machineVars.dataDrives.default}/var/taskserver";

    organisations.h7x4 = {
      groups = [ "users" ];
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@ -22,7 +22,8 @@ postgres:
    grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
 pgadmin:
    oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
-    initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
+osuchan:
+    envfile: ENC[AES256_GCM,data:gaO+3haU1jMkqRm1PiSSd4oTcoPvgbsRHWfhPnXJbFSv4cXsqeS1xRrbZZftu5g2nfr+vb8ljtmGyk3dVLOHo5SzVQlJzcJNKoVp9XTLlmbC1AuKjxv3p7dWyD71n5reO52uDlbNJQPMzgOw70DM7wTffCaLbDUIyB+bPcESxiYHC2S3kITZErCdJczEKpRPjS0wM9kjENN9HN1WobhquZ1w7gXfXIx174QUV3LdJMrhaibzDZEu4dBaxVkxbKRa78bPNCN6LVD4U1woG0IeIh6CGCGtGghIkhcUIZsUauXPw7g/uQHPcJF3/h64I7477j9D1Qrrz0bN3kU9jyAro5jv1hcRUS6b,iv:zbJol31niHWz+0DXGE4vm2T7aXAZfbdj0rN7xlSctGg=,tag:kDCQUPjeHWMWQ22tE8ar4A==,type:str]
 sops:
    kms: []
    gcp_kms: []