phoenix: init host

flake.lock

@@ -47,6 +47,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729281548,
+        "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_2"
@@ -173,6 +193,7 @@
       "inputs": {
         "agenix": "agenix",
         "darwin": "darwin",
+        "disko": "disko",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "home-manager-unstable": "home-manager-unstable",

flake.nix

@@ -21,11 +21,27 @@
     home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     impermanence.url = "github:nix-community/impermanence/master";
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   description = "Hillion Nix flake";
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
+  outputs =
+    { self
+    , nixpkgs
+    , nixpkgs-unstable
+    , nixos-hardware
+    , flake-utils
+    , agenix
+    , home-manager
+    , home-manager-unstable
+    , darwin
+    , impermanence
+    , disko
+    , ...
+    }@inputs:
     let
       getSystemOverlays = system: nixpkgsConfig: [
         (final: prev: {
@@ -55,6 +71,7 @@
 
                 agenix.nixosModules.default
                 impermanence.nixosModules.impermanence
+                disko.nixosModules.disko
 
                 home-manager-pick.nixosModules.default
                 {

hosts/phoenix.st.hillion.co.uk/README.md

@@ -0,0 +1,7 @@
+# phoenix.st.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+    $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/phoenix.st.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
+    $ sudo chown root:root /mnt/disk_encryption.jwe
+    $ sudo chmod 0400 /mnt/disk_encryption.jwe

hosts/phoenix.st.hillion.co.uk/clevis_config.json

@@ -0,0 +1,14 @@
+{
+  "t": 1,
+  "pins": {
+    "tang": [
+      {
+        "url": "http://10.64.50.21:7654"
+      },
+      {
+        "url": "http://10.64.50.25:7654"
+      }
+    ]
+  }
+}
+

hosts/phoenix.st.hillion.co.uk/default.nix

@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./disko.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    networking.hostName = "phoenix";
+    networking.domain = "st.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [
+      "ip=dhcp"
+      "zfs.zfs_arc_max=34359738368"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "igb" ]; # TODO: find the right one
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+          "disk1-crypt".secretFile = "/data/disk_encryption.jwe";
+        };
+      };
+    };
+
+    custom.defaults = true;
+    custom.locations.autoServe = true;
+
+    # zram swap: used in the hope it will give the ZFS ARC more room to back off
+    zramSwap = {
+      enable = true;
+      memoryPercent = 200;
+      algorithm = "zstd";
+    };
+
+    ## Filesystems
+    fileSystems."/data".options = [ "compress=zstd" ];
+
+    services.btrfs.autoScrub = {
+      enable = true;
+      interval = "Tue, 02:00";
+      # All filesystems includes the BTRFS parts of all the hard drives. This
+      # would take forever and is redundant as they get fully read regularly.
+      fileSystems = [ "/data" ];
+    };
+
+    ## Chia
+    age.secrets."chia/farmer.key" = {
+      file = ../../secrets/chia/farmer.key.age;
+      owner = "chia";
+      group = "chia";
+    };
+    custom.chia = {
+      enable = true;
+      openFirewall = true;
+      keyFile = config.age.secrets."chia/farmer.key".path;
+    };
+
+    ## Networking
+    networking = {
+      interfaces.tbd0.name = "eth0";
+      interfaces.tbd1.name = "eth1";
+      interfaces.tbd2.name = "eth2";
+      interfaces.tbd3.name = "eth3";
+    };
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [ ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [ ];
+          allowedUDPPorts = lib.mkForce [ ];
+        };
+      };
+    };
+    networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
+      80 # Caddy (restic.phoenix.st.ts.)
+    ];
+
+    ## Tailscale
+    age.secrets."tailscale/phoenix.st.ts.hillion.co.uk".file = ../../secrets/tailscale/phoenix.st.ts.hillion.co.uk.age;
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."tailscale/phoenix.st.ts.hillion.co.uk".path;
+    };
+  };
+}

hosts/phoenix.st.hillion.co.uk/disko.nix

@@ -0,0 +1,101 @@
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+
+            disk0-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk0-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+          };
+        };
+      };
+
+      disk1 = {
+        type = "disk";
+        device = "/dev/nvme1n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            disk1-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk1-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+
+                content = {
+                  type = "btrfs";
+                  extraArgs = [
+                    "-d raid1"
+                    "/dev/mapper/disk0-crypt"
+                  ];
+
+                  subvolumes = {
+                    "/data" = {
+                      mountpoint = "/data";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                  };
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "mode=755"
+          "size=100%"
+        ];
+      };
+    };
+  };
+}

hosts/phoenix.st.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "ahci" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp201s0f3u2u3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/phoenix.st.hillion.co.uk/system

@@ -0,0 +1 @@
+x86_64-linux