diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index df653fb..08d717a 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -1,7 +1,7 @@
{ config, lib, secrets, modulesPath, ... }:
{
imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
+ ./hardware-configuration.nix
./services/atuin.nix
./services/borg.nix
@@ -32,14 +32,12 @@
headless = true;
dataDrives = {
drives = {
- backup = "/data2/backup";
- momiji = "/data2/momiji";
- cirno = "/data2/cirno";
- media = "/data2/media";
- postgres = "/data2/postgres";
- home = "/data2/home";
+ backup = "/data/backup";
+ cirno = "/data/cirno";
+ media = "/data/media";
+ home = "/home";
};
- default = "/data2/momiji";
+ default = "/data";
};
};
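Review bot: `cirno = "/data/cirno";` keeps a drive entry whose mount no longer exists: the CIFS mount for cirno is removed elsewhere in this commit and the new hardware-configuration.nix defines no `fileSystems."/data/cirno"`, so anything that resolves `dataDrives.drives.cirno` now lands on a plain directory of the `momiji/data` dataset (unless a mount is declared in a file I cannot see). Either drop the entry or re-add the mount under the new layout, and if it is dropped, remove the matching `sops.secrets."drives/cirno/credentials"` as well so the SMB credential is not provisioned for nothing. The `machineVars` attrset containing `dataDrives` starts before this hunk.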
@@ -88,62 +86,24 @@
sops.secrets."drives/cirno/credentials" = {};
- fileSystems = let
- nfsDrive = drivename: {
- device = "10.0.0.36:/mnt/PoolsClosed/${drivename}";
- fsType = "nfs";
- options = [ "vers=3" "local_lock=all" ];
- };
- in {
- "/" = {
- device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
- fsType = "btrfs";
- };
-
- "/boot" = {
- device = "/dev/disk/by-uuid/0A60-2885";
- fsType = "vfat";
- };
-
- "/data2/backup" = nfsDrive "backup";
- "/data2/momiji" = nfsDrive "momiji";
- "/data2/media" = nfsDrive "media";
- "/data2/postgres" = nfsDrive "postgres";
- "/data2/home" = nfsDrive "home";
-
- "/data2/cirno" = {
- device = "//10.0.0.36/cirno";
- fsType = "cifs";
- options = [
- "vers=3.0"
- "cred=${config.sops.secrets."drives/cirno/credentials".path}"
- "rw"
- "uid=1000"
- ];
- };
- };
-
- swapDevices = [{ device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }];
virtualisation = {
docker.enable = true;
};
+ services.zfs.autoScrub.enable = true;
+
boot = {
- initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- initrd.kernelModules = [ ];
- kernelModules = [ ];
- extraModulePackages = [ ];
+ zfs.requestEncryptionCredentials = false;
loader = {
grub = {
enable = true;
efiSupport = true;
- fsIdentifier = "label";
- device = "nodev";
efiInstallAsRemovable = true;
+ mirroredBoots = [
+ { devices = [ "nodev" ]; path = "/boot"; }
+ ];
};
- # efi.efiSysMountPoint = "/boot/efi";
- # efi.canTouchEfiVariables = true;
};
};
}
diff --git a/hosts/tsuki/hardware-configuration.nix b/hosts/tsuki/hardware-configuration.nix
new file mode 100644
index 0000000..baf8df2
--- /dev/null
+++ b/hosts/tsuki/hardware-configuration.nix
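Review bot: `sops.secrets."drives/cirno/credentials" = {};` survives on the new side, but its only consumer — the `cred=` option of the removed `/data2/cirno` CIFS mount — is gone, so the SMB credential is now decrypted into /run/secrets on every activation with nothing reading it. Remove the declaration (or re-add the mount under the new layout) so a plaintext credential is not left lying around unused. Separately, `zfs.requestEncryptionCredentials = false;` tells the initrd never to ask for a dataset key; that is correct only if none of the `momiji/*` datasets mounted by hardware-configuration.nix are encrypted, which I cannot confirm from here — a comment such as `# momiji pool is unencrypted; nothing to unlock at boot` would make the intent auditable.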
@@ -0,0 +1,80 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "megaraid_sas" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "momiji/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/data" =
+ { device = "momiji/data";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "momiji/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "momiji/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var" =
+ { device = "momiji/var";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var/lib/postgresql" =
+ { device = "momiji/data/postgres";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var/lib/minecraft" =
+ { device = "momiji/data/minecraft";
+ fsType = "zfs";
+ };
+
+ fileSystems."/data/media" =
+ { device = "momiji/data/media";
+ fsType = "zfs";
+ };
+
+ fileSystems."/data/backup" =
+ { device = "momiji/data/backup";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/66C8-A92E";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/tsuki/services/gitea/default.nix b/hosts/tsuki/services/gitea/default.nix
index 5b5c300..22796be 100644
--- a/hosts/tsuki/services/gitea/default.nix
+++ b/hosts/tsuki/services/gitea/default.nix
@@ -27,11 +27,10 @@ in {
user = "git";
package = unstable-pkgs.gitea;
- stateDir = "${config.machineVars.dataDrives.default}/var/gitea";
-
dump = {
enable = true;
interval = "weekly";
+ backupDir = "/data/backup/gitea";
};
database = {
diff --git a/hosts/tsuki/services/grafana/default.nix b/hosts/tsuki/services/grafana/default.nix
index e30b39f..ef25a22 100644
--- a/hosts/tsuki/services/grafana/default.nix
+++ b/hosts/tsuki/services/grafana/default.nix
@@ -19,7 +19,6 @@
services.grafana = {
enable = true;
- dataDir = "${config.machineVars.dataDrives.default}/var/grafana";
provision = {
enable = true;
diff --git a/hosts/tsuki/services/headscale.nix b/hosts/tsuki/services/headscale.nix
index a5db47e..89a6afa 100644
--- a/hosts/tsuki/services/headscale.nix
+++ b/hosts/tsuki/services/headscale.nix
@@ -14,9 +14,6 @@
services.headscale = {
enable = true;
- # TODO: make PR
- # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
-
port = 39304;
settings = {
diff --git a/hosts/tsuki/services/hedgedoc.nix b/hosts/tsuki/services/hedgedoc.nix
index f32f6cf..84d210c 100644
--- a/hosts/tsuki/services/hedgedoc.nix
+++ b/hosts/tsuki/services/hedgedoc.nix
@@ -8,7 +8,6 @@
services.hedgedoc = {
enable = true;
- workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
domain = "docs.nani.wtf";
diff --git a/hosts/tsuki/services/matrix/default.nix b/hosts/tsuki/services/matrix/default.nix
index a4a7e59..1c560cc 100644
--- a/hosts/tsuki/services/matrix/default.nix
+++ b/hosts/tsuki/services/matrix/default.nix
@@ -14,7 +14,7 @@
services.matrix-synapse-next = {
enable = true;
enableNginx = true;
- dataDir = "${config.machineVars.dataDrives.default}/var/matrix";
+ dataDir = "/var/lib/matrix";
workers = {
federationSenders = 3;
diff --git a/hosts/tsuki/services/minecraft/default.nix b/hosts/tsuki/services/minecraft/default.nix
index 008e8fa..8e056ae 100644
--- a/hosts/tsuki/services/minecraft/default.nix
+++ b/hosts/tsuki/services/minecraft/default.nix
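Review bot: `dataDir = "/var/lib/matrix";` pins a non-default path while every other service in this commit drops its dataDir override and falls back to the module default, and `/var` is already its own `momiji/var` dataset, so the pin buys nothing obvious. The operational risk is that Synapse typically keeps its homeserver signing key and media store under dataDir: if the contents of the old NFS directory were not copied into `/var/lib/matrix` before this switch, the next start generates a fresh signing key and the server's federation identity silently changes (I cannot see the migration from here). Either document the intent with a comment such as `# pinned: old signing key + media were moved here from the NFS share` or drop the override like the sibling services.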
@@ -1,13 +1,77 @@
{ pkgs, lib, config, inputs, secrets, ... }:
+let
+ cfg = config.services.minecraft-servers;
+
+ # See https://docs.papermc.io/paper/aikars-flags
+ jvmOpts = lib.concatStringsSep " " [
+ "-Xms5G"
+ "-Xmx15G"
+ "-XX:+UseG1GC"
+ "-XX:+ParallelRefProcEnabled"
+ "-XX:MaxGCPauseMillis=200"
+ "-XX:+UnlockExperimentalVMOptions"
+ "-XX:+DisableExplicitGC"
+ "-XX:+AlwaysPreTouch"
+ "-XX:G1NewSizePercent=30"
+ "-XX:G1MaxNewSizePercent=40"
+ "-XX:G1HeapRegionSize=8M"
+ "-XX:G1ReservePercent=20"
+ "-XX:G1HeapWastePercent=5"
+ "-XX:G1MixedGCCountTarget=4"
+ "-XX:InitiatingHeapOccupancyPercent=15"
+ "-XX:G1MixedGCLiveThresholdPercent=90"
+ "-XX:G1RSetUpdatingPauseTimePercent=5"
+ "-XX:SurvivorRatio=32"
+ "-XX:+PerfDisableSharedMem"
+ "-XX:MaxTenuringThreshold=1"
+ "-Dusing.aikars.flags=https://mcflags.emc.gs"
+ "-Daikars.new.flags=true"
+ ];
+
+ # serverPackage = inputs.minecraft.packages.x86_64-linux.paper-server-1_20_2;
+ # serverPackage = pkgs.paperServers.paper-1_20_2;
+
+ # lazymc-config = ((pkgs.formats.toml { }).generate "lazymc.toml" {
+ # # public = {
+ # # version = builtins.head
+ # # (builtins.match "([[:digit:]].*[[:digit:]]*.[[:digit:]]*)-build.*" serverPackage.version);
+ # # protocol = 765;
+ # # };
+ # server = {
+ # directory = "${cfg.dataDir}/kakuland";
+ # command = "${serverPackage}/bin/minecraft-server ${jvmOpts}";
+ # freeze_process = false;
+ # probe_on_start = true;
+ # };
+ # rcon = {
+ # enabled = true;
+ # password = "mcrcond";
+ # randomize_password = false;
+ # };
+ # advanced.rewrite_server_properties = false;
+ # }).override {
+ # runCommand = pkgs.runCommandLocal;
+ # };
+
+ # lazymcServerPackage = pkgs.writeShellScriptBin "minecraft-server" ''
+ # exec ${lib.getExe pkgs.lazymc} -c ${lazymc-config}
+ # '';
in {
+ # ugly hack for https://github.com/Infinidoge/nix-minecraft/pull/54
+ services.minecraft-server.dataDir = "/srv/minecraft";
+
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
- dataDir = "${config.machineVars.dataDrives.default}/var/minecraft";
+ dataDir = "/var/lib/minecraft";
servers.kakuland = {
enable = true;
+ # package = lazymcServerPackage;
+ package = pkgs.paperServers.paper-1_20_4;
+
serverProperties = {
allow-flight = true;
allow-nether = true;
@@ -18,7 +82,6 @@
enable-command-block = false;
enable-jmx-monitoring = false;
enable-query = false;
- enable-rcon = false;
enable-status = true;
enforce-secure-profile = false;
enforce-whitelist = false;
@@ -47,14 +110,16 @@
pvp = true;
# "query.port" = 25565;
rate-limit = 0;
- # rcon.password=
- # rcon.port=25575
+ enable-rcon = true;
+ "rcon.password" = "mcrcond";
+ "rcon.port" = 25575;
require-resource-pack = false;
# resource-pack=
# resource-pack-prompt=
# resource-pack-sha1=
server-ip = "0.0.0.0";
server-port = 25565;
+ # server-port = 25566;
simulation-distance = 10;
spawn-animals = true;
spawn-monsters = true;
@@ -67,33 +132,7 @@
white-list = true;
};
- package = inputs.minecraft.packages.x86_64-linux.paper-server;
-
- # See https://docs.papermc.io/paper/aikars-flags
- jvmOpts = lib.concatStringsSep " " [
- "-Xms5G"
- "-Xmx15G"
- "-XX:+UseG1GC"
- "-XX:+ParallelRefProcEnabled"
- "-XX:MaxGCPauseMillis=200"
- "-XX:+UnlockExperimentalVMOptions"
- "-XX:+DisableExplicitGC"
- "-XX:+AlwaysPreTouch"
- "-XX:G1NewSizePercent=30"
- "-XX:G1MaxNewSizePercent=40"
- "-XX:G1HeapRegionSize=8M"
- "-XX:G1ReservePercent=20"
- "-XX:G1HeapWastePercent=5"
- "-XX:G1MixedGCCountTarget=4"
- "-XX:InitiatingHeapOccupancyPercent=15"
- "-XX:G1MixedGCLiveThresholdPercent=90"
- "-XX:G1RSetUpdatingPauseTimePercent=5"
- "-XX:SurvivorRatio=32"
- "-XX:+PerfDisableSharedMem"
- "-XX:MaxTenuringThreshold=1"
- "-Dusing.aikars.flags=https://mcflags.emc.gs"
- "-Daikars.new.flags=true"
- ];
+ inherit jvmOpts;
symlinks = let
rawFile = file: pkgs.runCommandLocal (builtins.baseNameOf file) {} ''
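Review bot: The thirty-odd commented-out lazymc lines added to the new `let` block should be deleted rather than parked: they carry the literal RCON password (`# password = "mcrcond";`) together with `randomize_password = false`, and a commented secret is still a secret once the file is committed, so every reader has to audit them as if they were live. Git history already preserves the experiment; if a pointer is wanted, a single `# TODO: lazymc front-end was tried here, see git history` is enough. The `services.minecraft-server.dataDir = "/srv/minecraft";` workaround would also read better if its comment said it can go once the linked nix-minecraft PR is merged. The `in {` attrset opened here continues past this hunk.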
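Review bot: `"rcon.password" = "mcrcond";` bakes a static RCON password into the Nix expression, so it ends up in the world-readable /nix/store, in the generated server.properties, and in this repository; RCON grants full console access to the server. The server binds RCON to `server-ip`, which is `0.0.0.0` here, so port 25575 listens on every interface and is kept off the wire only by the host firewall — any local user or container with host networking can reach it. This config already uses sops for other secrets: keep `enable-rcon = true;` but supply the password at runtime through whatever secret-substitution or environment-file mechanism the minecraft-servers module supports, and add `# 25575 is deliberately NOT in allowedTCPPorts` so nobody opens it later. If RCON is only needed for the (now disabled) lazymc wrapper, leave `enable-rcon = false;` instead.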
@@ -147,6 +186,9 @@
systemd.services.minecraft-server-kakuland.requires = [ "postgresql.service" ];
systemd.services.minecraft-server-kakuland.after = [
"postgresql.service"
- "data2-momiji.mount"
+ # "data2-momiji.mount"
];
+
+ networking.firewall.allowedTCPPorts = [ 25565 ];
+ networking.firewall.allowedUDPPorts = [ 25565 ];
}
diff --git a/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix b/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix
index 15c3b39..432c8e4 100644
--- a/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix
+++ b/hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix
@@ -45,7 +45,7 @@
BackupLimiter = 0;
KeepUniqueBackups = false;
UpdateAvailableMessage = true;
- BackupDestination = "Backups/";
+ BackupDestination = "/data/backup/minecraft/kakuland";
# Ftp = {
# UploadBackup = false;
diff --git a/hosts/tsuki/services/osuchan.nix b/hosts/tsuki/services/osuchan.nix
index c7e45ed..4975c14 100644
--- a/hosts/tsuki/services/osuchan.nix
+++ b/hosts/tsuki/services/osuchan.nix
@@ -1,12 +1,12 @@
-{ secrets, config, ... }:
+{ config, ... }:
{
+ sops.secrets."osuchan/envfile" = {
+ restartUnits = [ "osuchan.service" ];
+ };
+
services.osuchan = {
enable = true;
port = 9283;
- secretFile = "${config.machineVars.dataDrives.default}/keys/osuchan/envfile";
+ secretFile = config.sops.secrets."osuchan/envfile".path;
};
-
- systemd.services.osuchan.after = [
- "data2-momiji.mount"
- ];
}
diff --git a/hosts/tsuki/services/plex.nix b/hosts/tsuki/services/plex.nix
index f21c80e..df92160 100644
--- a/hosts/tsuki/services/plex.nix
+++ b/hosts/tsuki/services/plex.nix
@@ -4,7 +4,6 @@ in {
services.plex = {
enable = true;
openFirewall = true;
- dataDir = "${config.machineVars.dataDrives.default}/var/plex";
};
systemd.services.plex.serviceConfig = {
diff --git a/hosts/tsuki/services/postgres.nix b/hosts/tsuki/services/postgres.nix
index 198fa45..2f7c2cc 100644
--- a/hosts/tsuki/services/postgres.nix
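Review bot: `networking.firewall.allowedUDPPorts = [ 25565 ];` opens a UDP port nothing listens on: this commit sets `enable-query = false`, and the Java-edition game protocol itself is TCP only, so the UDP rule is pure exposure with no service behind it. The TCP rule duplicates the `openFirewall = true;` already set on `services.minecraft-servers` earlier in the file; keep one source of truth and drop `networking.firewall.allowedUDPPorts = [ 25565 ];` (re-add it only if query is enabled deliberately). The commented-out `# "data2-momiji.mount"` is dead text — delete it; the new `/var/lib/minecraft` dataset is an ordinary fileSystems entry and is mounted as part of local-fs.target before the unit starts.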
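Review bot: `BackupDestination = "/data/backup/minecraft/kakuland";` points the plugin at a shared backup tree, but nothing in the diff creates that directory or grants the Minecraft server's user write access to it, so the plugin will presumably fail its first backup and world backups stop silently. Add a tmpfiles rule next to the server definition, e.g. `systemd.tmpfiles.rules = [ "d /data/backup/minecraft/kakuland 0750 minecraft minecraft -" ];` (use whatever user/group the minecraft-servers module actually runs the server as — I cannot confirm it from here), so the path exists with least-privilege ownership rather than being created ad hoc as root. The enclosing plugin-config attrset starts before and ends after this hunk.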
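Review bot: `sops.secrets."osuchan/envfile"` is declared without `owner`/`group`, so sops-nix renders it root-owned with mode 0400; if osuchan.service runs as a dedicated service user (likely, though the module is not visible here) and opens `secretFile` directly rather than via systemd `LoadCredential`, it cannot read the file. Set `owner = config.services.osuchan.user;` (or whichever user attribute the module exposes) in the secret declaration, or switch the unit to `LoadCredential` and point `secretFile` at `$CREDENTIALS_DIRECTORY`. Moving the env file off the plaintext keys directory on the old data drive is otherwise the right change.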
+++ b/hosts/tsuki/services/postgres.nix
@@ -10,7 +10,6 @@ in {
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
- dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
settings = {
max_connections = 150;
};
@@ -18,16 +17,15 @@ in {
services.postgresqlBackup = {
enable = true;
- location = "${config.machineVars.dataDrives.drives.backup}/postgres";
+ location = "/data/backup/postgres";
backupAll = true;
};
systemd.services.postgresqlBackup = {
- requires = [ "postgresql.service" "data2-backup.mount" ];
+ requires = [ "postgresql.service" ];
};
systemd.services.postgresql = {
- requires = [ "data2-postgres.mount" ];
serviceConfig = {
Restart = "always";
RestartSec = 3;
diff --git a/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix b/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix
index 4e394f7..2d2478b 100644
--- a/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix
+++ b/hosts/tsuki/services/scrapers/nhk-easy-news/default.nix
@@ -14,9 +14,7 @@ in {
ProtectHome = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
- WorkingDirectory = "/var/lib/nhk_easy_news_scraper";
- StateDirectory = "nhk_easy_news_scraper";
- StateDirectoryMode = "0755";
+ WorkingDirectory = "/data/scrapers/nhk-easy-news";
};
};
diff --git a/hosts/tsuki/services/taskserver.nix b/hosts/tsuki/services/taskserver.nix
index f353625..5497c09 100644
--- a/hosts/tsuki/services/taskserver.nix
+++ b/hosts/tsuki/services/taskserver.nix
@@ -12,7 +12,6 @@
enable = true;
fqdn = "todo.nani.wtf";
listenPort = 19233;
- dataDir = "${config.machineVars.dataDrives.default}/var/taskserver";
organisations.h7x4 = {
groups = [ "users" ];
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 9d1a1d5..c1a8b87 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
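Review bot: The pg_hba lines kept as context, `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust`, let any local process open a TCP connection as any role — including the superuser — with no credential at all; this predates the commit, but the same host now runs Docker plus several internet-facing services, each of which is one compromise away from the database. Change `trust` to `scram-sha-256` (or use `peer` over the Unix socket for services that support it), give each service its own role with a password from sops, and note the reason in a comment beside the rule. Dropping `dataDir` itself is fine now that `/var/lib/postgresql` is a dedicated dataset. The `services.postgresql` attrset and its `authentication` string start before this hunk.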
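Review bot: `WorkingDirectory = "/data/scrapers/nhk-easy-news";` replaces `StateDirectory`, but the unit keeps `ProtectSystem = "strict";`, which mounts the entire filesystem read-only except for `StateDirectory`/`ReadWritePaths` — so the scraper can no longer write into its new working directory, and nothing creates that directory now that systemd's StateDirectory handling is gone. Add `ReadWritePaths = [ "/data/scrapers/nhk-easy-news" ];` beside WorkingDirectory and a tmpfiles rule for the path owned by the service's user (or keep `StateDirectory` and use `BindPaths` to map it onto `/data`), so the hardening stays intact with the new location. The enclosing serviceConfig attrset starts before this hunk.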
@@ -22,7 +22,8 @@ postgres:
grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
pgadmin:
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
- initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
+osuchan:
+ envfile: ENC[AES256_GCM,data:gaO+3haU1jMkqRm1PiSSd4oTcoPvgbsRHWfhPnXJbFSv4cXsqeS1xRrbZZftu5g2nfr+vb8ljtmGyk3dVLOHo5SzVQlJzcJNKoVp9XTLlmbC1AuKjxv3p7dWyD71n5reO52uDlbNJQPMzgOw70DM7wTffCaLbDUIyB+bPcESxiYHC2S3kITZErCdJczEKpRPjS0wM9kjENN9HN1WobhquZ1w7gXfXIx174QUV3LdJMrhaibzDZEu4dBaxVkxbKRa78bPNCN6LVD4U1woG0IeIh6CGCGtGghIkhcUIZsUauXPw7g/uQHPcJF3/h64I7477j9D1Qrrz0bN3kU9jyAro5jv1hcRUS6b,iv:zbJol31niHWz+0DXGE4vm2T7aXAZfbdj0rN7xlSctGg=,tag:kDCQUPjeHWMWQ22tE8ar4A==,type:str]
sops:
kms: []
gcp_kms: []