From df303dcc2bfbfa7a7268404c72c421882e6e4837 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 26 Jan 2021 18:42:42 +0100
Subject: [PATCH] fuuko: Init
---
 machines/default.nix | 6 ++
 machines/fuuko/README.md | 27 ++++++
 machines/fuuko/configuration.nix | 32 +++++++
 machines/fuuko/hardware-configuration.nix | 106 ++++++++++++++++++++++
 4 files changed, 171 insertions(+)
 create mode 100644 machines/fuuko/README.md
 create mode 100644 machines/fuuko/configuration.nix
 create mode 100644 machines/fuuko/hardware-configuration.nix
diff --git a/machines/default.nix b/machines/default.nix
index c5ed895..8191a27 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -18,4 +18,10 @@ lib.mapAttrs
 vueko = {
 target = "root@vueko.sbruder.de";
 };
+ fuuko = {
+ # FIXME: Since the unlock script forces IPv4 connectivity (since only that
+ # can be guarenteed), I have to use an internal IP address for now. This
+ # can be changed once DNS has an A record too.
+ target = "root@192.168.100.61";
+ };
 }
diff --git a/machines/fuuko/README.md b/machines/fuuko/README.md
new file mode 100644
index 0000000..cce2f6f
--- /dev/null
+++ b/machines/fuuko/README.md
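Review bot: The literal `192.168.100.61` in the new `fuuko.target` duplicates the static address this same patch configures in `machines/fuuko/hardware-configuration.nix` (`systemd.network.networks.eno1.address`); if one of them is changed the deploy target silently goes stale. A cross-reference in the existing FIXME would make that coupling visible, e.g. `# Must match systemd.network.networks.eno1.address in fuuko/hardware-configuration.nix.` The comment also misspells `guarenteed` (guaranteed).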
@@ -0,0 +1,27 @@
+# fuuko
+
+## Hardware
+
+HP MicroServer Gen8 with an [Intel Xeon E3-1220L
+v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html)
+and 8 GiB ECC RAM (1600 MHz). It isn’t the best choice, but I already had it
+lying around and it is acceptable after changing the CPU from the original
+Celeron. I decided not to use another consumer-grade computer for this, since
+the server offers ECC memory and therefore should be more reliable.
+
+The SSD (Crucial BX500 240GB) is connected to the first drive slot in a 3.5 ″
+adapter. I originally wanted to connect it to the internal ODD SATA port, but
+since it only supports SATA2 (3Gbit/s) and does not support booting from it,
+requiring an additional boot drive, I decided against this.
+
+For storage it has two Hard drives (Seagate Exos E 7E8 ST8000NM000A and WD
+Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
+3th bay. Bay 3 is only SATA2, but that should not be the bottleneck.
+
+## Purpose
+
+It is my main server handling most long-runing tasks and services.
+
+## Name
+
+Fuuko Ibuki is a student in *Clannad* who carves starfish out of wood.
diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
new file mode 100644
index 0000000..1a329b2
--- /dev/null
+++ b/machines/fuuko/configuration.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules
+ ../../users/simon
+ ];
+
+ sbruder = {
+ wireguard.home.enable = true;
+ nginx.hardening.enable = true;
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."fuuko.home.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ networking.hostName = "fuuko";
+
+ system.stateVersion = "20.09";
+}
diff --git a/machines/fuuko/hardware-configuration.nix b/machines/fuuko/hardware-configuration.nix
new file mode 100644
index 0000000..caa280a
--- /dev/null
+++ b/machines/fuuko/hardware-configuration.nix
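Review bot: `enableACME = true` on the `fuuko.home.sbruder.de` vhost needs `security.acme.acceptTerms` and a contact e-mail set somewhere, and neither appears in this file; if `../../modules` (or the `sbruder.nginx.hardening` module) provides them, a comment next to the vhost saying so would spare the next reader a search, and if nothing does, evaluation will fail on the ACME assertion. The vhost defines no `root` or `locations`, so together with `forceSSL` and the opened ports 80/443 it only exposes nginx's default document root — presumably a placeholder, which deserves a comment such as `# TODO: vhost has no locations yet`. As a style point, `networking.firewall.allowedTCPPorts` sits directly after the `services.nginx` block without the blank line that separates every other top-level option in this file.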
@@ -0,0 +1,106 @@
+{ config, lib, modulesPath, pkgs, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+
+
+ ];
+
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
+ extraModulePackages = [ ];
+ supportedFilesystems = [ "btrfs" ];
+ kernelParams =
+ let
+ mainInterface = config.systemd.network.networks.eno1;
+ first = lib.flip lib.elemAt 0;
+ in
+ [
+ "ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
+ ];
+ initrd = {
+ availableKernelModules = [
+ "aesni_intel" # hardware crypto for luks
+ "ahci"
+ "ehci_pci"
+ "sd_mod"
+ "tg3" # network interface
+ "uhci_hcd"
+ "usb_storage"
+ "usbhid"
+ "xhci_pci"
+ ];
+ kernelModules = [ ];
+ network.enable = true; # remote unlocking
+ luks.devices = {
+ root = {
+ name = "root";
+ device = "/dev/disk/by-uuid/72b59109-8df1-4fca-9b2e-d9dc973fce75";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+ };
+ loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
+ };
+
+ krops.secrets.luks-data = { };
+
+ environment.etc.crypttab.text =
+ let
+ keyfile = config.krops.secrets.luks-data.source; # path is not yet available
+ in
+ ''
+ data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 ${keyfile} luks
+ data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a ${keyfile} luks
+ '';
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/c45b49b9-bc3c-4e53-85ae-0d430ba1cafb";
+ fsType = "ext4";
+ options = [ "discard" "noatime" ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/a1ceeabf-fe24-42ce-9ffc-99ebe7b97d5c";
+ fsType = "ext2";
+ };
+ "/data" = {
+ device = "/dev/mapper/data0";
+ fsType = "btrfs";
+ options = [ "compress=zstd" ];
+ };
+ };
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/data" ];
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/disk/by-partuuid/e62d8794-aff9-44d0-8080-06cf4c128306";
+ randomEncryption.enable = true;
+ }
+ ];
+
+ powerManagement.cpuFreqGovernor = "performance";
+
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks = {
+ eno1 = {
+ name = "eno1";
+ dns = [ "192.168.100.1" ];
+ domains = [ "home.sbruder.de" ];
+ address = [ "192.168.100.61/24" ];
+ gateway = [ "192.168.100.1" ];
+ };
+ };
+ };
+ services.resolved.enable = false;
+}
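Review bot: The `ip=` parameter built in `boot.kernelParams` puts `first mainInterface.address`, i.e. `192.168.100.61/24`, into the client-IP field, but that field takes a bare address while the netmask has its own (here empty) slot; it presumably works only because the initrd's parser stops at the `/` and then falls back to a class-based default mask that happens to equal /24. Stripping the prefix and passing the mask explicitly removes that dependency, e.g. `"ip=${lib.head (lib.splitString "/" (first mainInterface.address))}::${first mainInterface.gateway}:255.255.255.0:${config.networking.hostName}:${mainInterface.name}"` (the mask must then be kept in step with the `/24` in `address`, and `first` is simply `lib.head`). `network.enable = true; # remote unlocking` gives no hint of where the initrd SSH listener and its host key are configured (presumably in `../../modules`); since that key is stored on the unencrypted ext2 `/boot`, a comment confirming it is a dedicated initrd key rather than the system host key would help a reviewer. The `# path is not yet available` comment on `keyfile` is ambiguous — it should say at which stage the path does not exist yet and why interpolating it into crypttab is still correct.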