tsuki: move to bare metal, set up zfs

This commit is contained in:
Oystein Kristoffer Tveit 2024-01-23 05:24:47 +01:00
parent 3a52ba8901
commit 0d3e805611
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
15 changed files with 180 additions and 109 deletions


@ -1,7 +1,7 @@
{ config, lib, secrets, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./hardware-configuration.nix
./services/atuin.nix
./services/borg.nix
@ -32,14 +32,12 @@
headless = true;
dataDrives = {
drives = {
backup = "/data2/backup";
momiji = "/data2/momiji";
cirno = "/data2/cirno";
media = "/data2/media";
postgres = "/data2/postgres";
home = "/data2/home";
backup = "/data/backup";
cirno = "/data/cirno";
media = "/data/media";
home = "/home";
};
default = "/data2/momiji";
default = "/data";
};
};
@ -88,62 +86,24 @@
sops.secrets."drives/cirno/credentials" = {};
fileSystems = let
nfsDrive = drivename: {
device = "10.0.0.36:/mnt/PoolsClosed/${drivename}";
fsType = "nfs";
options = [ "vers=3" "local_lock=all" ];
};
in {
"/" = {
device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/0A60-2885";
fsType = "vfat";
};
"/data2/backup" = nfsDrive "backup";
"/data2/momiji" = nfsDrive "momiji";
"/data2/media" = nfsDrive "media";
"/data2/postgres" = nfsDrive "postgres";
"/data2/home" = nfsDrive "home";
"/data2/cirno" = {
device = "//10.0.0.36/cirno";
fsType = "cifs";
options = [
"vers=3.0"
"cred=${config.sops.secrets."drives/cirno/credentials".path}"
"rw"
"uid=1000"
];
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }];
virtualisation = {
docker.enable = true;
};
services.zfs.autoScrub.enable = true;
boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
zfs.requestEncryptionCredentials = false;
loader = {
grub = {
enable = true;
efiSupport = true;
fsIdentifier = "label";
device = "nodev";
efiInstallAsRemovable = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot"; }
];
};
# efi.efiSysMountPoint = "/boot/efi";
# efi.canTouchEfiVariables = true;
};
};
}
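Review bot: `sops.secrets."drives/cirno/credentials" = {};` at the top of the last hunk reads as surviving context (the rendering drops the +/- markers), yet its only consumer, the `cred=` option of the removed `//10.0.0.36/cirno` CIFS mount, is gone, so the SMB credential is still decrypted on every activation with nothing using it; drop the declaration and consider rotating that credential on the NAS side now that no host needs it. Separately, `boot.zfs.requestEncryptionCredentials = false;` together with the plain `momiji/*` datasets in the hardware-configuration hunk suggests the pool that now holds backups, Postgres and home directories is unencrypted at rest, whereas the previous layout at least kept that data on another host; if that is deliberate, record it next to the option, e.g. `# momiji datasets are unencrypted; no credentials to request at boot`. Note also that `cirno = "/data/cirno"` has no matching dataset in hardware-configuration.nix, so it is now a plain directory on `momiji/data`. The module's enclosing attribute set closes at the end of this hunk but opens outside it.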


@ -0,0 +1,80 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "megaraid_sas" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "momiji/root";
fsType = "zfs";
};
fileSystems."/data" =
{ device = "momiji/data";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "momiji/nix";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "momiji/home";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "momiji/var";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql" =
{ device = "momiji/data/postgres";
fsType = "zfs";
};
fileSystems."/var/lib/minecraft" =
{ device = "momiji/data/minecraft";
fsType = "zfs";
};
fileSystems."/data/media" =
{ device = "momiji/data/media";
fsType = "zfs";
};
fileSystems."/data/backup" =
{ device = "momiji/data/backup";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/66C8-A92E";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.eno3.useDHCP = lib.mkDefault true;
# networking.interfaces.eno4.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -27,11 +27,10 @@ in {
user = "git";
package = unstable-pkgs.gitea;
stateDir = "${config.machineVars.dataDrives.default}/var/gitea";
dump = {
enable = true;
interval = "weekly";
backupDir = "/data/backup/gitea";
};
database = {


@ -19,7 +19,6 @@
services.grafana = {
enable = true;
dataDir = "${config.machineVars.dataDrives.default}/var/grafana";
provision = {
enable = true;


@ -14,9 +14,6 @@
services.headscale = {
enable = true;
# TODO: make PR
# dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
port = 39304;
settings = {


@ -8,7 +8,6 @@
services.hedgedoc = {
enable = true;
workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
domain = "docs.nani.wtf";


@ -14,7 +14,7 @@
services.matrix-synapse-next = {
enable = true;
enableNginx = true;
dataDir = "${config.machineVars.dataDrives.default}/var/matrix";
dataDir = "/var/lib/matrix";
workers = {
federationSenders = 3;


@ -1,13 +1,77 @@
{ pkgs, lib, config, inputs, secrets, ... }:
let
cfg = config.services.minecraft-servers;
# See https://docs.papermc.io/paper/aikars-flags
jvmOpts = lib.concatStringsSep " " [
"-Xms5G"
"-Xmx15G"
"-XX:+UseG1GC"
"-XX:+ParallelRefProcEnabled"
"-XX:MaxGCPauseMillis=200"
"-XX:+UnlockExperimentalVMOptions"
"-XX:+DisableExplicitGC"
"-XX:+AlwaysPreTouch"
"-XX:G1NewSizePercent=30"
"-XX:G1MaxNewSizePercent=40"
"-XX:G1HeapRegionSize=8M"
"-XX:G1ReservePercent=20"
"-XX:G1HeapWastePercent=5"
"-XX:G1MixedGCCountTarget=4"
"-XX:InitiatingHeapOccupancyPercent=15"
"-XX:G1MixedGCLiveThresholdPercent=90"
"-XX:G1RSetUpdatingPauseTimePercent=5"
"-XX:SurvivorRatio=32"
"-XX:+PerfDisableSharedMem"
"-XX:MaxTenuringThreshold=1"
"-Dusing.aikars.flags=https://mcflags.emc.gs"
"-Daikars.new.flags=true"
];
# serverPackage = inputs.minecraft.packages.x86_64-linux.paper-server-1_20_2;
# serverPackage = pkgs.paperServers.paper-1_20_2;
# lazymc-config = ((pkgs.formats.toml { }).generate "lazymc.toml" {
# # public = {
# # version = builtins.head
# # (builtins.match "([[:digit:]].*[[:digit:]]*.[[:digit:]]*)-build.*" serverPackage.version);
# # protocol = 765;
# # };
# server = {
# directory = "${cfg.dataDir}/kakuland";
# command = "${serverPackage}/bin/minecraft-server ${jvmOpts}";
# freeze_process = false;
# probe_on_start = true;
# };
# rcon = {
# enabled = true;
# password = "mcrcond";
# randomize_password = false;
# };
# advanced.rewrite_server_properties = false;
# }).override {
# runCommand = pkgs.runCommandLocal;
# };
# lazymcServerPackage = pkgs.writeShellScriptBin "minecraft-server" ''
# exec ${lib.getExe pkgs.lazymc} -c ${lazymc-config}
# '';
in
{
# ugly hack for https://github.com/Infinidoge/nix-minecraft/pull/54
services.minecraft-server.dataDir = "/srv/minecraft";
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "${config.machineVars.dataDrives.default}/var/minecraft";
dataDir = "/var/lib/minecraft";
servers.kakuland = {
enable = true;
# package = lazymcServerPackage;
package = pkgs.paperServers.paper-1_20_4;
serverProperties = {
allow-flight = true;
allow-nether = true;
@ -18,7 +82,6 @@
enable-command-block = false;
enable-jmx-monitoring = false;
enable-query = false;
enable-rcon = false;
enable-status = true;
enforce-secure-profile = false;
enforce-whitelist = false;
@ -47,14 +110,16 @@
pvp = true;
# "query.port" = 25565;
rate-limit = 0;
# rcon.password=
# rcon.port=25575
enable-rcon = true;
"rcon.password" = "mcrcond";
"rcon.port" = 25575;
require-resource-pack = false;
# resource-pack=
# resource-pack-prompt=
# resource-pack-sha1=
server-ip = "0.0.0.0";
server-port = 25565;
# server-port = 25566;
simulation-distance = 10;
spawn-animals = true;
spawn-monsters = true;
@ -67,33 +132,7 @@
white-list = true;
};
package = inputs.minecraft.packages.x86_64-linux.paper-server;
# See https://docs.papermc.io/paper/aikars-flags
jvmOpts = lib.concatStringsSep " " [
"-Xms5G"
"-Xmx15G"
"-XX:+UseG1GC"
"-XX:+ParallelRefProcEnabled"
"-XX:MaxGCPauseMillis=200"
"-XX:+UnlockExperimentalVMOptions"
"-XX:+DisableExplicitGC"
"-XX:+AlwaysPreTouch"
"-XX:G1NewSizePercent=30"
"-XX:G1MaxNewSizePercent=40"
"-XX:G1HeapRegionSize=8M"
"-XX:G1ReservePercent=20"
"-XX:G1HeapWastePercent=5"
"-XX:G1MixedGCCountTarget=4"
"-XX:InitiatingHeapOccupancyPercent=15"
"-XX:G1MixedGCLiveThresholdPercent=90"
"-XX:G1RSetUpdatingPauseTimePercent=5"
"-XX:SurvivorRatio=32"
"-XX:+PerfDisableSharedMem"
"-XX:MaxTenuringThreshold=1"
"-Dusing.aikars.flags=https://mcflags.emc.gs"
"-Daikars.new.flags=true"
];
inherit jvmOpts;
symlinks = let
rawFile = file: pkgs.runCommandLocal (builtins.baseNameOf file) {} ''
@ -147,6 +186,9 @@
systemd.services.minecraft-server-kakuland.requires = [ "postgresql.service" ];
systemd.services.minecraft-server-kakuland.after = [
"postgresql.service"
"data2-momiji.mount"
# "data2-momiji.mount"
];
networking.firewall.allowedTCPPorts = [ 25565 ];
networking.firewall.allowedUDPPorts = [ 25565 ];
}
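Review bot: The new `enable-rcon = true;` with the literal `"rcon.password" = "mcrcond";` puts a console-level credential into server.properties and into the world-readable Nix store, and because `server-ip = "0.0.0.0"` RCON listens on every interface on 25575, while the only intended consumer, the lazymc wrapper, is still commented out. Only `25565` appears in `networking.firewall.allowedTCPPorts` (and `openFirewall = true` covers the server port), so as long as the NixOS firewall stays enabled the port should not be reachable from outside, but any local process, including the other services consolidated onto this host, can reach it with that password. Until lazymc is actually wired in, keep `enable-rcon = false;` and drop the two `rcon.*` lines; if it must stay on, leave a comment such as `# RCON password is public in the Nix store; 25575 must stay firewalled` and move the password out of the store before enabling. The `servers.kakuland` attribute set spans several hunks here.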


@ -45,7 +45,7 @@
BackupLimiter = 0;
KeepUniqueBackups = false;
UpdateAvailableMessage = true;
BackupDestination = "Backups/";
BackupDestination = "/data/backup/minecraft/kakuland";
# Ftp = {
# UploadBackup = false;
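Review bot: `BackupDestination = "/data/backup/minecraft/kakuland";` is an absolute path outside the server directory, so the plugin now depends on that directory existing and being writable by whatever user `minecraft-server-kakuland.service` runs as; the old relative `Backups/` lived inside the data dir and got both for free. Nothing in this commit creates the directory, so add a `systemd.tmpfiles.rules` entry owned by the service user or at least document the expectation, e.g. `# must exist and be writable by the minecraft service user (momiji/data/backup)`. The enclosing attribute set starts and ends outside this hunk.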


@ -1,12 +1,12 @@
{ secrets, config, ... }:
{ config, ... }:
{
sops.secrets."osuchan/envfile" = {
restartUnits = [ "osuchan.service" ];
};
services.osuchan = {
enable = true;
port = 9283;
secretFile = "${config.machineVars.dataDrives.default}/keys/osuchan/envfile";
secretFile = config.sops.secrets."osuchan/envfile".path;
};
systemd.services.osuchan.after = [
"data2-momiji.mount"
];
}
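Review bot: `sops.secrets."osuchan/envfile"` is declared without `owner`/`group`, so the decrypted file will be root-only; that is fine if the module passes `secretFile` to systemd as `EnvironmentFile=` (read by systemd as root before privileges drop), but if the osuchan process opens the path itself under its own user it will fail with EACCES. Worth confirming against the module and, if needed, adding `owner = <the user the osuchan module runs as>;` to the secret declaration. Also, the previous value pointed at a cleartext env file on the NFS share (`.../keys/osuchan/envfile`); moving it into sops is the right direction, but the old copy should be deleted and the credentials inside it rotated, since they sat unencrypted on the NAS.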


@ -4,7 +4,6 @@ in {
services.plex = {
enable = true;
openFirewall = true;
dataDir = "${config.machineVars.dataDrives.default}/var/plex";
};
systemd.services.plex.serviceConfig = {


@ -10,7 +10,6 @@ in {
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
settings = {
max_connections = 150;
};
@ -18,16 +17,15 @@ in {
services.postgresqlBackup = {
enable = true;
location = "${config.machineVars.dataDrives.drives.backup}/postgres";
location = "/data/backup/postgres";
backupAll = true;
};
systemd.services.postgresqlBackup = {
requires = [ "postgresql.service" "data2-backup.mount" ];
requires = [ "postgresql.service" ];
};
systemd.services.postgresql = {
requires = [ "data2-postgres.mount" ];
serviceConfig = {
Restart = "always";
RestartSec = 3;


@ -14,9 +14,7 @@ in {
ProtectHome = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
WorkingDirectory = "/var/lib/nhk_easy_news_scraper";
StateDirectory = "nhk_easy_news_scraper";
StateDirectoryMode = "0755";
WorkingDirectory = "/data/scrapers/nhk-easy-news";
};
};
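Review bot: With `ProtectSystem = "strict"` in effect, replacing `StateDirectory = "nhk_easy_news_scraper"` with a bare `WorkingDirectory = "/data/scrapers/nhk-easy-news"` leaves the scraper with a read-only working directory: `strict` mounts the whole hierarchy read-only, and StateDirectory was what created, chowned and exempted the old path. Unless the unit already has `ReadWritePaths` set outside this hunk, add `ReadWritePaths = [ "/data/scrapers/nhk-easy-news" ];` next to the new line and create/own the directory via `systemd.tmpfiles.rules` (or keep StateDirectory and `BindPaths` it onto the new location), since nothing in this commit makes it exist. The `serviceConfig` set starts above the hunk.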


@ -12,7 +12,6 @@
enable = true;
fqdn = "todo.nani.wtf";
listenPort = 19233;
dataDir = "${config.machineVars.dataDrives.default}/var/taskserver";
organisations.h7x4 = {
groups = [ "users" ];


@ -22,7 +22,8 @@ postgres:
grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
pgadmin:
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
osuchan:
envfile: ENC[AES256_GCM,data:gaO+3haU1jMkqRm1PiSSd4oTcoPvgbsRHWfhPnXJbFSv4cXsqeS1xRrbZZftu5g2nfr+vb8ljtmGyk3dVLOHo5SzVQlJzcJNKoVp9XTLlmbC1AuKjxv3p7dWyD71n5reO52uDlbNJQPMzgOw70DM7wTffCaLbDUIyB+bPcESxiYHC2S3kITZErCdJczEKpRPjS0wM9kjENN9HN1WobhquZ1w7gXfXIx174QUV3LdJMrhaibzDZEu4dBaxVkxbKRa78bPNCN6LVD4U1woG0IeIh6CGCGtGghIkhcUIZsUauXPw7g/uQHPcJF3/h64I7477j9D1Qrrz0bN3kU9jyAro5jv1hcRUS6b,iv:zbJol31niHWz+0DXGE4vm2T7aXAZfbdj0rN7xlSctGg=,tag:kDCQUPjeHWMWQ22tE8ar4A==,type:str]
sops:
kms: []
gcp_kms: []