tsuki: move to bare metal, set up zfs

hosts/tsuki/configuration.nix

@@ -1,7 +1,7 @@
 { config, lib, secrets, modulesPath, ... }:
 {
   imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
+    ./hardware-configuration.nix
 
     ./services/atuin.nix
     ./services/borg.nix
@@ -32,14 +32,12 @@
     headless = true;
     dataDrives = {
       drives = {
-        backup = "/data2/backup";
+        backup = "/data/backup";
-        momiji = "/data2/momiji";
+        cirno = "/data/cirno";
-        cirno = "/data2/cirno";
+        media = "/data/media";
-        media = "/data2/media";
+        home = "/home";
-        postgres = "/data2/postgres";
-        home = "/data2/home";
       };
-      default = "/data2/momiji";
+      default = "/data";
     };
   };
 
@@ -88,62 +86,24 @@
 
   sops.secrets."drives/cirno/credentials" = {};
 
-  fileSystems = let
-    nfsDrive = drivename: {
-      device = "10.0.0.36:/mnt/PoolsClosed/${drivename}";
-      fsType = "nfs";
-      options = [ "vers=3" "local_lock=all" ];
-    };
-  in {
-    "/" = {
-      device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
-      fsType = "btrfs";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/0A60-2885";
-      fsType = "vfat";
-    };
-
-    "/data2/backup" = nfsDrive "backup";
-    "/data2/momiji" = nfsDrive "momiji";
-    "/data2/media" = nfsDrive "media";
-    "/data2/postgres" = nfsDrive "postgres";
-    "/data2/home" = nfsDrive "home";
-
-    "/data2/cirno" = {
-      device = "//10.0.0.36/cirno";
-      fsType = "cifs";
-      options = [
-        "vers=3.0"
-        "cred=${config.sops.secrets."drives/cirno/credentials".path}"
-        "rw"
-        "uid=1000"
-      ];
-    };
-  };
-
-  swapDevices = [{ device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }];
 
   virtualisation = {
     docker.enable = true;
   };
 
+  services.zfs.autoScrub.enable = true;
+
   boot = {
-    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+    zfs.requestEncryptionCredentials = false;
-    initrd.kernelModules = [ ];
-    kernelModules = [ ];
-    extraModulePackages = [ ];
     loader = {
       grub = {
         enable = true;
         efiSupport = true;
-        fsIdentifier = "label";
-        device = "nodev";
         efiInstallAsRemovable = true;
+        mirroredBoots = [
+          { devices = [ "nodev" ]; path = "/boot"; }
+        ];
       };
-      # efi.efiSysMountPoint = "/boot/efi";
-      # efi.canTouchEfiVariables = true;
     };
   };
 }

hosts/tsuki/hardware-configuration.nix

@@ -0,0 +1,80 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "megaraid_sas" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "momiji/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data" =
+    { device = "momiji/data";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "momiji/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "momiji/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "momiji/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/postgresql" =
+    { device = "momiji/data/postgres";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/minecraft" =
+    { device = "momiji/data/minecraft";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data/media" =
+    { device = "momiji/data/media";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data/backup" =
+    { device = "momiji/data/backup";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/66C8-A92E";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/tsuki/services/gitea/default.nix

@@ -27,11 +27,10 @@ in {
     user = "git";
     package = unstable-pkgs.gitea;
 
-    stateDir = "${config.machineVars.dataDrives.default}/var/gitea";
-
     dump = {
       enable = true;
       interval = "weekly";
+      backupDir = "/data/backup/gitea";
     };
 
     database = {

hosts/tsuki/services/grafana/default.nix

@@ -19,7 +19,6 @@
 
   services.grafana = {
     enable = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/grafana";
 
     provision = {
       enable = true;

hosts/tsuki/services/headscale.nix

@@ -14,9 +14,6 @@
   services.headscale = {
     enable = true;
 
-    # TODO: make PR
-    # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
-
     port = 39304;
 
     settings = {

hosts/tsuki/services/hedgedoc.nix

@@ -8,7 +8,6 @@
 
     services.hedgedoc = {
       enable = true;
-      workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
       environmentFile = config.sops.secrets."hedgedoc/env".path;
       settings = {
         domain = "docs.nani.wtf";

hosts/tsuki/services/matrix/default.nix

@@ -14,7 +14,7 @@
   services.matrix-synapse-next = {
     enable = true;
     enableNginx = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/matrix";
+    dataDir = "/var/lib/matrix";
 
     workers = {
       federationSenders = 3;

hosts/tsuki/services/minecraft/default.nix

@@ -1,13 +1,77 @@
 { pkgs, lib, config, inputs, secrets, ... }:
+let
+  cfg = config.services.minecraft-servers;
+
+  # See https://docs.papermc.io/paper/aikars-flags
+  jvmOpts = lib.concatStringsSep " " [
+    "-Xms5G"
+    "-Xmx15G"
+    "-XX:+UseG1GC"
+    "-XX:+ParallelRefProcEnabled"
+    "-XX:MaxGCPauseMillis=200"
+    "-XX:+UnlockExperimentalVMOptions"
+    "-XX:+DisableExplicitGC"
+    "-XX:+AlwaysPreTouch"
+    "-XX:G1NewSizePercent=30"
+    "-XX:G1MaxNewSizePercent=40"
+    "-XX:G1HeapRegionSize=8M"
+    "-XX:G1ReservePercent=20"
+    "-XX:G1HeapWastePercent=5"
+    "-XX:G1MixedGCCountTarget=4"
+    "-XX:InitiatingHeapOccupancyPercent=15"
+    "-XX:G1MixedGCLiveThresholdPercent=90"
+    "-XX:G1RSetUpdatingPauseTimePercent=5"
+    "-XX:SurvivorRatio=32"
+    "-XX:+PerfDisableSharedMem"
+    "-XX:MaxTenuringThreshold=1"
+    "-Dusing.aikars.flags=https://mcflags.emc.gs"
+    "-Daikars.new.flags=true"
+  ];
+
+  # serverPackage = inputs.minecraft.packages.x86_64-linux.paper-server-1_20_2;
+  # serverPackage = pkgs.paperServers.paper-1_20_2;
+
+  # lazymc-config = ((pkgs.formats.toml { }).generate "lazymc.toml" {
+  #   # public = {
+  #   #   version = builtins.head
+  #   #     (builtins.match "([[:digit:]].*[[:digit:]]*.[[:digit:]]*)-build.*" serverPackage.version);
+  #   #   protocol = 765;
+  #   # };
+  #   server = {
+  #     directory = "${cfg.dataDir}/kakuland";
+  #     command = "${serverPackage}/bin/minecraft-server ${jvmOpts}";
+  #     freeze_process = false;
+  #     probe_on_start = true;
+  #   };
+  #   rcon = {
+  #     enabled = true;
+  #     password = "mcrcond";
+  #     randomize_password = false;
+  #   };
+  #   advanced.rewrite_server_properties = false;
+  # }).override {
+  #   runCommand = pkgs.runCommandLocal;
+  # };
+
+  # lazymcServerPackage = pkgs.writeShellScriptBin "minecraft-server" ''
+  #   exec ${lib.getExe pkgs.lazymc} -c ${lazymc-config}
+  # '';
+in
 {
+  # ugly hack for https://github.com/Infinidoge/nix-minecraft/pull/54
+  services.minecraft-server.dataDir = "/srv/minecraft";
+
   services.minecraft-servers = {
     enable = true;
     eula = true;
     openFirewall = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/minecraft";
+    dataDir = "/var/lib/minecraft";
     servers.kakuland = {
       enable = true;
 
+      # package = lazymcServerPackage;
+      package = pkgs.paperServers.paper-1_20_4;
+
       serverProperties = {
         allow-flight = true;
         allow-nether = true;
@@ -18,7 +82,6 @@
         enable-command-block = false;
         enable-jmx-monitoring = false;
         enable-query = false;
-        enable-rcon = false;
         enable-status = true;
         enforce-secure-profile = false;
         enforce-whitelist = false;
@@ -47,14 +110,16 @@
         pvp = true;
         # "query.port" = 25565;
         rate-limit = 0;
-        # rcon.password=
+        enable-rcon = true;
-        # rcon.port=25575
+        "rcon.password" = "mcrcond";
+        "rcon.port" = 25575;
         require-resource-pack = false;
         # resource-pack=
         # resource-pack-prompt=
         # resource-pack-sha1=
         server-ip = "0.0.0.0";
         server-port = 25565;
+        # server-port = 25566;
         simulation-distance = 10;
         spawn-animals = true;
         spawn-monsters = true;
@@ -67,33 +132,7 @@
         white-list = true;
       };
 
-      package = inputs.minecraft.packages.x86_64-linux.paper-server;
+      inherit jvmOpts;
-
-      # See https://docs.papermc.io/paper/aikars-flags
-      jvmOpts = lib.concatStringsSep " " [
-        "-Xms5G"
-        "-Xmx15G"
-        "-XX:+UseG1GC"
-        "-XX:+ParallelRefProcEnabled"
-        "-XX:MaxGCPauseMillis=200"
-        "-XX:+UnlockExperimentalVMOptions"
-        "-XX:+DisableExplicitGC"
-        "-XX:+AlwaysPreTouch"
-        "-XX:G1NewSizePercent=30"
-        "-XX:G1MaxNewSizePercent=40"
-        "-XX:G1HeapRegionSize=8M"
-        "-XX:G1ReservePercent=20"
-        "-XX:G1HeapWastePercent=5"
-        "-XX:G1MixedGCCountTarget=4"
-        "-XX:InitiatingHeapOccupancyPercent=15"
-        "-XX:G1MixedGCLiveThresholdPercent=90"
-        "-XX:G1RSetUpdatingPauseTimePercent=5"
-        "-XX:SurvivorRatio=32"
-        "-XX:+PerfDisableSharedMem"
-        "-XX:MaxTenuringThreshold=1"
-        "-Dusing.aikars.flags=https://mcflags.emc.gs"
-        "-Daikars.new.flags=true"
-      ];
 
       symlinks = let
         rawFile = file: pkgs.runCommandLocal (builtins.baseNameOf file) {} ''
@@ -147,6 +186,9 @@
   systemd.services.minecraft-server-kakuland.requires = [ "postgresql.service" ];
   systemd.services.minecraft-server-kakuland.after = [
     "postgresql.service"
-    "data2-momiji.mount"
+    # "data2-momiji.mount"
   ];
+
+  networking.firewall.allowedTCPPorts = [ 25565 ];
+  networking.firewall.allowedUDPPorts = [ 25565 ];
 }

hosts/tsuki/services/minecraft/pluginConfigs/serverBackup.nix

@@ -45,7 +45,7 @@
   BackupLimiter = 0;
   KeepUniqueBackups = false;
   UpdateAvailableMessage = true;
-  BackupDestination = "Backups/";
+  BackupDestination = "/data/backup/minecraft/kakuland";
 
   # Ftp = {
   #   UploadBackup = false;

hosts/tsuki/services/osuchan.nix

@@ -1,12 +1,12 @@
-{ secrets, config, ... }:
+{ config, ... }:
 {
+  sops.secrets."osuchan/envfile" = {
+    restartUnits = [ "osuchan.service" ];
+  };
+
   services.osuchan = {
     enable = true;
     port = 9283;
-    secretFile = "${config.machineVars.dataDrives.default}/keys/osuchan/envfile";
+    secretFile = config.sops.secrets."osuchan/envfile".path;
   };
-
-  systemd.services.osuchan.after = [
-    "data2-momiji.mount"
-  ];
 }

hosts/tsuki/services/plex.nix

@@ -4,7 +4,6 @@ in {
   services.plex = {
     enable = true;
     openFirewall = true;
-    dataDir = "${config.machineVars.dataDrives.default}/var/plex";
   };
 
   systemd.services.plex.serviceConfig = {

hosts/tsuki/services/postgres.nix

@@ -10,7 +10,6 @@ in {
       host all all 127.0.0.1/32 trust
       host all all ::1/128 trust
     '';
-    dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
     settings = {
       max_connections = 150;
     };
@@ -18,16 +17,15 @@ in {
 
   services.postgresqlBackup = {
     enable = true;
-    location = "${config.machineVars.dataDrives.drives.backup}/postgres";
+    location = "/data/backup/postgres";
     backupAll = true;
   };
 
   systemd.services.postgresqlBackup = {
-    requires = [ "postgresql.service" "data2-backup.mount" ];
+    requires = [ "postgresql.service" ];
   };
 
   systemd.services.postgresql = {
-    requires = [ "data2-postgres.mount" ];
     serviceConfig = {
       Restart = "always";
       RestartSec = 3;

hosts/tsuki/services/scrapers/nhk-easy-news/default.nix

@@ -14,9 +14,7 @@ in {
       ProtectHome = true;
       ProtectProc = "invisible";
       ProtectSystem = "strict";
-      WorkingDirectory = "/var/lib/nhk_easy_news_scraper";
+      WorkingDirectory = "/data/scrapers/nhk-easy-news";
-      StateDirectory = "nhk_easy_news_scraper";
-      StateDirectoryMode = "0755";
     };
   };
 

hosts/tsuki/services/taskserver.nix

@@ -12,7 +12,6 @@
     enable = true;
     fqdn = "todo.nani.wtf";
     listenPort = 19233;
-    dataDir = "${config.machineVars.dataDrives.default}/var/taskserver";
 
     organisations.h7x4 = {
       groups = [ "users" ];

secrets/default.yaml

@@ -22,7 +22,8 @@ postgres:
     grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
 pgadmin:
     oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
-    initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
+osuchan:
+    envfile: ENC[AES256_GCM,data:gaO+3haU1jMkqRm1PiSSd4oTcoPvgbsRHWfhPnXJbFSv4cXsqeS1xRrbZZftu5g2nfr+vb8ljtmGyk3dVLOHo5SzVQlJzcJNKoVp9XTLlmbC1AuKjxv3p7dWyD71n5reO52uDlbNJQPMzgOw70DM7wTffCaLbDUIyB+bPcESxiYHC2S3kITZErCdJczEKpRPjS0wM9kjENN9HN1WobhquZ1w7gXfXIx174QUV3LdJMrhaibzDZEu4dBaxVkxbKRa78bPNCN6LVD4U1woG0IeIh6CGCGtGghIkhcUIZsUauXPw7g/uQHPcJF3/h64I7477j9D1Qrrz0bN3kU9jyAro5jv1hcRUS6b,iv:zbJol31niHWz+0DXGE4vm2T7aXAZfbdj0rN7xlSctGg=,tag:kDCQUPjeHWMWQ22tE8ar4A==,type:str]
 sops:
     kms: []
     gcp_kms: []