Merge branch 'production' into next
This commit is contained in:
commit
45cd321bce
@ -24,7 +24,7 @@ inputs:
|
||||
};
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices =
|
||||
|
@ -13,7 +13,7 @@ inputs:
|
||||
vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
decrypt.auto =
|
||||
luks.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
|
||||
@ -41,7 +41,7 @@ inputs:
|
||||
# SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
|
||||
"alderlake"
|
||||
];
|
||||
remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" "srv1-node0" "srv1-node1" ]; };
|
||||
remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
|
||||
githubToken.enable = true;
|
||||
};
|
||||
nixpkgs =
|
||||
|
@ -66,7 +66,7 @@ inputs:
|
||||
setupFirewall = true;
|
||||
};
|
||||
};
|
||||
user.users = [ "chn" ];
|
||||
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -6,7 +6,6 @@ inputs:
|
||||
{
|
||||
system =
|
||||
{
|
||||
nix = { marches = [ "cascadelake" "broadwell" ]; remote.slave.enable = true; };
|
||||
nixpkgs.march = "cascadelake";
|
||||
networking.networkd.static =
|
||||
{
|
||||
@ -17,11 +16,7 @@ inputs:
|
||||
};
|
||||
services =
|
||||
{
|
||||
xray.client =
|
||||
{
|
||||
enable = true;
|
||||
dnsmasq.extraInterfaces = [ "eno146" ];
|
||||
};
|
||||
xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
|
||||
beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
|
||||
wireguard =
|
||||
{
|
||||
@ -30,33 +25,13 @@ inputs:
|
||||
publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
|
||||
wireguardIp = "192.168.83.9";
|
||||
};
|
||||
nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
|
||||
};
|
||||
packages.packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
|
||||
};
|
||||
services.nfs.server =
|
||||
{
|
||||
enable = true;
|
||||
exports =
|
||||
''
|
||||
/ 192.168.178.0/24(rw,no_root_squash,fsid=0,sync,crossmnt)
|
||||
/home 192.168.178.0/24(rw,no_root_squash,sync,crossmnt)
|
||||
'';
|
||||
};
|
||||
networking =
|
||||
{
|
||||
firewall.allowedTCPPorts = [ 2049 ];
|
||||
};
|
||||
# allow other machine access network by this machine
|
||||
systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
|
||||
services.rpcbind.enable = true;
|
||||
fileSystems =
|
||||
{
|
||||
"/nix/share/home" =
|
||||
{
|
||||
device = "/home";
|
||||
options = [ "rbind" ];
|
||||
};
|
||||
};
|
||||
# without this, tproxy does not work
|
||||
# TODO: why?
|
||||
networking.firewall.trustedInterfaces = [ "eno146" ];
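Review bot: `nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; }` makes the server's real root filesystem the NFSv4 pseudo-root, and the module behind it exports that root with `rw,no_root_squash,fsid=0,crossmnt`, so every host on 192.168.178.0/24 that can reach port 2049 gets root-level read/write access to all of srv1-node0 (crossmnt follows into /nix, /boot and every other mount), not just to /home. The inline `services.nfs.server.exports` being removed here had the same shape, so the commit preserves rather than introduces the exposure, but the move into a module is the moment to narrow it. Since the workers only mount `192.168.178.1:/home`, a dedicated empty pseudo-root with /home bind-mounted beneath it (the removed `"/nix/share/home"` rbind mount looks like it was heading that way) would do, e.g. `nfs = { root = "/nix/share"; exports = [ "/nix/share/home" ]; accessLimit = "192.168.178.0/24"; }` — assuming clients resolve `/home` relative to the fsid=0 root as NFSv4 does — and `no_root_squash` should only stay if root-owned writes from clients are genuinely needed, which would require an option in the module since it is hard-coded there. The enclosing `nixos` attrset starts above this hunk.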
|
||||
|
@ -7,49 +7,21 @@ inputs:
|
||||
system =
|
||||
{
|
||||
nixpkgs.march = "broadwell";
|
||||
networking.networkd.static =
|
||||
{
|
||||
eno1 = { ip = "192.168.1.11"; mask = 24; gateway = "192.168.1.1"; };
|
||||
eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
|
||||
};
|
||||
networking.networkd.static.eno2 =
|
||||
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
|
||||
cluster.nodeType = "worker";
|
||||
initrd.sshd.enable = true;
|
||||
nix.remote.slave.enable = true;
|
||||
fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
|
||||
};
|
||||
services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
|
||||
packages.packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
|
||||
};
|
||||
specialisation =
|
||||
specialisation.no-share-home.configuration =
|
||||
{
|
||||
no-share-home.configuration =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
services.slurm.enable = inputs.lib.mkForce false;
|
||||
system.cluster.nodeType = inputs.lib.mkForce "master";
|
||||
};
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
|
||||
{
|
||||
"/home" =
|
||||
{
|
||||
device = "192.168.178.1:/home";
|
||||
fsType = "nfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
};
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
|
||||
boot.initrd.systemd.extraBin =
|
||||
{
|
||||
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
|
||||
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
|
||||
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
|
||||
};
|
||||
services.rpcbind.enable = true;
|
||||
# make slurm sub process to be able to communicate with the master
|
||||
networking.firewall.trustedInterfaces = [ "eno2" ];
|
||||
};
|
||||
|
@ -7,46 +7,34 @@ inputs:
|
||||
system =
|
||||
{
|
||||
nixpkgs.march = "broadwell";
|
||||
networking.networkd.static.eno2 =
|
||||
{ ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
|
||||
networking.networkd.static =
|
||||
{
|
||||
eno1 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
|
||||
eno2 = { ip = "192.168.178.3"; mask = 24; };
|
||||
};
|
||||
cluster.nodeType = "worker";
|
||||
initrd.sshd.enable = true;
|
||||
nix.remote.slave.enable = true;
|
||||
fileSystems.mount =
|
||||
{
|
||||
nfs."192.168.178.1:/home" = "/home";
|
||||
btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
|
||||
{ "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
xray.client.enable = true;
|
||||
beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
|
||||
};
|
||||
services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
|
||||
packages.packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
|
||||
virtualization.kvmHost = { enable = true; gui = true; };
|
||||
};
|
||||
specialisation =
|
||||
specialisation.no-share-home.configuration =
|
||||
{
|
||||
no-share-home.configuration =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
services.slurm.enable = inputs.lib.mkForce false;
|
||||
system.cluster.nodeType = inputs.lib.mkForce "master";
|
||||
};
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
|
||||
{
|
||||
"/home" =
|
||||
{
|
||||
device = "192.168.178.1:/home";
|
||||
fsType = "nfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
};
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
|
||||
boot.initrd.systemd.extraBin =
|
||||
{
|
||||
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
|
||||
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
|
||||
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
|
||||
};
|
||||
services.rpcbind.enable = true;
|
||||
# make slurm sub process to be able to communicate with the master
|
||||
networking.firewall.trustedInterfaces = [ "eno2" ];
|
||||
};
|
||||
|
@ -1,4 +1,5 @@
|
||||
hello: ENC[AES256_GCM,data:/WGwXDnQio1BwD/zPoURTjVzTasWICOA7CBsgT5DbYIkKLt5DxzogeYWpiqjVg==,iv:BY82U/y9V8PYtn3Bre+nabGBcVgFbppIQZb7GhgY62I=,tag:JFqrezoWNJ8ZACCKQ43n5g==,type:str]
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -23,8 +24,8 @@ sops:
|
||||
MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
|
||||
Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-20T05:30:52Z"
|
||||
mac: ENC[AES256_GCM,data:nSrkKUo4yB57aetzdJ1sjSKcm5STQ6jfMhvY4/tXft2P9zRYigSP4PkZj7z+knxcIx9sFdA86h8X45oUjxaAa5xDJpgmvC/EEKxm5rZtVTxYYYdy40W72qThVuKUasWpYrrGZbZEbTu3Dad1yfJTilwofRtxoo1Nmj5lMvw+HRo=,iv:UvBSF5GLEj+hTZksrIV3Ow+HQ/xjqwCUuwqkdz8g0Qg=,tag:U5wJPhmeevB2i2GBgMGBFQ==,type:str]
|
||||
lastmodified: "2024-09-26T04:24:23Z"
|
||||
mac: ENC[AES256_GCM,data:GS9TPomEy3rHaanqMWkqGV9NX8lsYMnujxhuWTnJxdgfCP8scOEo2O+ATlmxmcmKquXlq+zo4LF6RCzF65eSvpSKcIDQRc0yDgBQ5+M8gXv1lk0WNdicpHJsEk8j/ostJTwEkV5QDyp3+J6lRNtFMQnrZ7+UxpgQwK7DaP8mnF4=,iv:1BEb2Xr8jQO6M19bC+jlGGSI0aT1MEgEoYwLuCT1T9U=,tag:Be7BQsjWq7PZBrgsrH/cjA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
@ -10,43 +10,18 @@ inputs:
|
||||
networking.networkd.static.eno2 =
|
||||
{ ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
|
||||
cluster.nodeType = "worker";
|
||||
initrd.sshd.enable = true;
|
||||
nix.remote.slave.enable = true;
|
||||
fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
|
||||
};
|
||||
services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
|
||||
packages.packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
|
||||
};
|
||||
specialisation =
|
||||
specialisation.no-share-home.configuration =
|
||||
{
|
||||
no-share-home.configuration =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
services.slurm.enable = inputs.lib.mkForce false;
|
||||
system.cluster.nodeType = inputs.lib.mkForce "master";
|
||||
};
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
|
||||
system.nixos.tags = [ "no-share-home" ];
|
||||
};
|
||||
fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
|
||||
{
|
||||
"/home" =
|
||||
{
|
||||
device = "192.168.178.1:/home";
|
||||
fsType = "nfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
};
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
|
||||
boot.initrd.systemd.extraBin =
|
||||
{
|
||||
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
|
||||
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
|
||||
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
|
||||
};
|
||||
services.rpcbind.enable = true;
|
||||
# make slurm sub process to be able to communicate with the master
|
||||
networking.firewall.trustedInterfaces = [ "eno2" ];
|
||||
};
|
||||
|
@ -14,7 +14,7 @@ inputs:
|
||||
vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
decrypt.auto =
|
||||
luks.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
|
||||
@ -36,7 +36,7 @@ inputs:
|
||||
{
|
||||
snapper.enable = true;
|
||||
sshd = {};
|
||||
xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 21; };
|
||||
xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
|
||||
frpServer = { enable = true; serverName = "frp.chn.moe"; };
|
||||
nginx =
|
||||
{
|
||||
|
@ -46,6 +46,8 @@ xray-server:
|
||||
user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
|
||||
#ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
|
||||
user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
|
||||
#ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
|
||||
user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
|
||||
private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
|
||||
nginx:
|
||||
#ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
|
||||
@ -89,8 +91,8 @@ sops:
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-15T03:48:21Z"
|
||||
mac: ENC[AES256_GCM,data:kZDIr2NHVew+BsreAoYNAcP/3i2A7U1RGIiA6qok1EsXLcunO+vfjIZl3L/0CEEH4+u6PEXQ51atzufqOGpoq9XqorBMRDEdlhitZZIUZm8Cji9BJxixeTUQ+KmFEbdw8H1XDIPWOQJCmTUbkOElMzHO4BNtTpdjE4u1IZ0bUiY=,iv:cCjln5wrScDz7A5/OHVoAj671VtkBmK7H0pnpKLsjD8=,tag:rohzoGp2V1sS03W0z5hM/A==,type:str]
|
||||
lastmodified: "2024-09-26T04:24:17Z"
|
||||
mac: ENC[AES256_GCM,data:AXhLmyZWGD6KvMkyHqmCERE6eNE3pD5Pa/9mRBWZe4hiXL4mKTzCn5C/ODGQ1ZeQjDdP+awjJRvLRjMiYFhVlU8rKpg/f2G1gDr4cIbr61sCdzXKX8wFW0G7bJWxxpAC4X59+u9EJ3sNcyf7bJrMdkTzTYpgXh29mtl2bprcdJQ=,iv:pK4hYexcWng3GwOmWGqgyMsmATnXgcwR3NH4UxCwpvE=,tag:zpv64JWoXc5cDCukDuW51g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
|
||||
|
@ -24,19 +24,9 @@ inputs:
|
||||
excludePythonPackages))
|
||||
(builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
|
||||
(_pythonPackages ++ extraPythonPackages)))))
|
||||
(inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
|
||||
{
|
||||
name = "prebuild-packages";
|
||||
propagateBuildInputs = inputs.lib.lists.subtractLists excludePrebuildPackages
|
||||
(_prebuildPackages ++ extraPrebuildPackages);
|
||||
phases = [ "installPhase" ];
|
||||
installPhase =
|
||||
''
|
||||
runHook preInstall
|
||||
mkdir -p $out
|
||||
runHook postInstall
|
||||
'';
|
||||
}) {})
|
||||
(inputs.pkgs.writeTextDir "share/prebuild-packages"
|
||||
(builtins.concatStringsSep "\n" (builtins.map builtins.toString
|
||||
(inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
|
||||
];
|
||||
};
|
||||
}
|
||||
|
29
modules/services/nfs.nix
Normal file
29
modules/services/nfs.nix
Normal file
@ -0,0 +1,29 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
root = mkOption { type = types.nonEmptyStr; };
|
||||
exports = mkOption { type = types.listOf types.nonEmptyStr; };
|
||||
accessLimit = mkOption { type = types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != null)
|
||||
{
|
||||
services =
|
||||
{
|
||||
rpcbind.enable = true;
|
||||
nfs.server =
|
||||
{
|
||||
enable = true;
|
||||
exports = "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)\n"
|
||||
+ builtins.concatStringsSep "\n" (builtins.map
|
||||
(export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)")
|
||||
nfs.exports);
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 2049 ];
|
||||
};
|
||||
}
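Review bot: The generated exports hard-code `rw,no_root_squash,crossmnt` for the root and every export, with no `sec=` (so AUTH_SYS, where the client asserts UIDs) and no way for a host to ask for `ro` or `root_squash`; combined with a subnet-wide `accessLimit` this grants any root on that subnet root on the exported paths. At minimum a comment should make that explicit above `exports =`, e.g. `# every export is rw + no_root_squash + crossmnt for accessLimit: any root on that subnet is root on these paths; prefer single hosts over a /24`, and a `rootSquash`/`readOnly` option per export would let hosts opt out. `accessLimit` is also interpolated verbatim into exports(5) syntax, so a value containing whitespace would silently produce a second client entry with default options; `types.strMatching` on a host/CIDR pattern, or a `listOf` hosts rendered one per entry, would catch that. The firewall opens only TCP 2049, which suits NFSv4; `rpcbind` is enabled as well but is only needed if v3 clients are expected.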
|
@ -1,5 +1,6 @@
|
||||
inputs:
|
||||
{
|
||||
imports = inputs.localLib.findModules ./.;
|
||||
options.nixos.system.fileSystems = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
mount =
|
||||
@ -9,41 +10,6 @@ inputs:
|
||||
# device.subvol = mountPoint;
|
||||
btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); default = {}; };
|
||||
};
|
||||
decrypt =
|
||||
{
|
||||
auto = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule
|
||||
{
|
||||
options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
manual =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
devices = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule
|
||||
{
|
||||
options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
keyFile = mkOption
|
||||
{ type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
|
||||
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
};
|
||||
# generate using: sudo mdadm --examine --scan
|
||||
mdadm = mkOption { type = types.nullOr types.lines; default = null; };
|
||||
swap = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
@ -66,205 +32,112 @@ inputs:
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (builtins) listToAttrs map concatLists concatStringsSep;
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.system) fileSystems;
|
||||
in mkMerge
|
||||
[
|
||||
# mount.vfat
|
||||
{
|
||||
fileSystems = listToAttrs (map
|
||||
(device:
|
||||
{
|
||||
name = device.value;
|
||||
value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
|
||||
})
|
||||
(attrsToList fileSystems.mount.vfat));
|
||||
}
|
||||
# mount.btrfs
|
||||
# Disable CoW for VM image and database: sudo chattr +C images
|
||||
# resize btrfs:
|
||||
# sudo btrfs filesystem resize -50G /nix
|
||||
# sudo cryptsetup status root
|
||||
# sudo cryptsetup -b 3787456512 resize root
|
||||
# sudo cfdisk /dev/nvme1n1p3
|
||||
{
|
||||
fileSystems = listToAttrs (concatLists (map
|
||||
config = let inherit (inputs.config.nixos.system) fileSystems; in inputs.lib.mkMerge
|
||||
[
|
||||
# mount.vfat
|
||||
{
|
||||
fileSystems = builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = device.value;
|
||||
value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
|
||||
})
|
||||
(inputs.localLib.attrsToList fileSystems.mount.vfat));
|
||||
}
|
||||
# mount.btrfs
|
||||
# Disable CoW for VM image and database: sudo chattr +C images
|
||||
# resize btrfs:
|
||||
# sudo btrfs filesystem resize -50G /nix
|
||||
# sudo cryptsetup status root
|
||||
# sudo cryptsetup -b 3787456512 resize root
|
||||
# sudo cfdisk /dev/nvme1n1p3
|
||||
{
|
||||
fileSystems = builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(device: builtins.map
|
||||
(
|
||||
device: map
|
||||
(
|
||||
subvol:
|
||||
{
|
||||
name = subvol.value;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
fsType = "btrfs";
|
||||
# zstd:15 cause sound stuttering
|
||||
# test on e20dae7d8b317f95718b5f4175bd4246c09735de mathematica ~15G
|
||||
# zstd:15 5m33s 7.16G
|
||||
# zstd:8 54s 7.32G
|
||||
# zstd:3 17s 7.52G
|
||||
options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" "noatime" ];
|
||||
neededForBoot = true;
|
||||
};
|
||||
}
|
||||
)
|
||||
(attrsToList device.value)
|
||||
subvol:
|
||||
{
|
||||
name = subvol.value;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
fsType = "btrfs";
|
||||
# zstd:15 cause sound stuttering
|
||||
# test on e20dae7d8b317f95718b5f4175bd4246c09735de mathematica ~15G
|
||||
# zstd:15 5m33s 7.16G
|
||||
# zstd:8 54s 7.32G
|
||||
# zstd:3 17s 7.52G
|
||||
options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" "noatime" ];
|
||||
neededForBoot = true;
|
||||
};
|
||||
}
|
||||
)
|
||||
(attrsToList fileSystems.mount.btrfs)));
|
||||
(inputs.localLib.attrsToList device.value)
|
||||
)
|
||||
(inputs.localLib.attrsToList fileSystems.mount.btrfs)));
|
||||
}
|
||||
# mdadm
|
||||
(inputs.lib.mkIf (fileSystems.mdadm != null)
|
||||
{ boot.initrd.services.swraid = { enable = true; mdadmConf = fileSystems.mdadm; }; }
|
||||
)
|
||||
# swap
|
||||
{ swapDevices = builtins.map (device: { device = device; }) fileSystems.swap; }
|
||||
# resume
|
||||
(inputs.lib.mkIf (fileSystems.resume != null) { boot =
|
||||
(
|
||||
if builtins.typeOf fileSystems.resume == "string" then
|
||||
{ resumeDevice = fileSystems.resume; }
|
||||
else
|
||||
{
|
||||
resumeDevice = fileSystems.resume.device;
|
||||
kernelModules = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
|
||||
}
|
||||
# decrypt.auto
|
||||
(
|
||||
mkIf (fileSystems.decrypt.auto != null)
|
||||
);})
|
||||
# rollingRootfs
|
||||
(inputs.lib.mkIf (fileSystems.rollingRootfs != null)
|
||||
{
|
||||
boot.initrd.systemd =
|
||||
{
|
||||
extraBin =
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.devices = (listToAttrs (map
|
||||
(
|
||||
device:
|
||||
{
|
||||
name = device.value.mapper;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
allowDiscards = device.value.ssd;
|
||||
bypassWorkqueues = device.value.ssd;
|
||||
crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
|
||||
};
|
||||
}
|
||||
)
|
||||
(attrsToList fileSystems.decrypt.auto)));
|
||||
systemd.services =
|
||||
let
|
||||
createService = device:
|
||||
{
|
||||
name = "systemd-cryptsetup@${device.value.mapper}";
|
||||
value =
|
||||
{
|
||||
before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
|
||||
overrideStrategy = "asDropin";
|
||||
};
|
||||
};
|
||||
in
|
||||
listToAttrs (map createService
|
||||
(builtins.filter (device: device.value.before != null) (attrsToList fileSystems.decrypt.auto)));
|
||||
};
|
||||
}
|
||||
)
|
||||
# decrypt.manual
|
||||
(
|
||||
mkIf (fileSystems.decrypt.manual.enable)
|
||||
grep = "${inputs.pkgs.gnugrep}/bin/grep";
|
||||
awk = "${inputs.pkgs.gawk}/bin/awk";
|
||||
chattr = "${inputs.pkgs.e2fsprogs}/bin/chattr";
|
||||
lsmod = "${inputs.pkgs.kmod}/bin/lsmod";
|
||||
};
|
||||
services.roll-rootfs =
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
systemd =
|
||||
{
|
||||
extraBin =
|
||||
{
|
||||
cryptsetup = "${inputs.pkgs.cryptsetup.bin}/bin/cryptsetup";
|
||||
usbip = "${inputs.config.boot.kernelPackages.usbip}/bin/usbip";
|
||||
sed = "${inputs.pkgs.gnused}/bin/sed";
|
||||
awk = "${inputs.pkgs.gawk}/bin/awk";
|
||||
decrypt = inputs.pkgs.writeShellScript "decrypt"
|
||||
''
|
||||
modprobe vhci-hcd
|
||||
busid=$(usbip list -r 127.0.0.1 | head -n4 | tail -n1 | awk '{print $1}' | sed 's/://')
|
||||
usbip attach -r 127.0.0.1 -b $busid
|
||||
${concatStringsSep "\n" (map
|
||||
(device: ''systemd-cryptsetup attach ${device.value.mapper} ${device.name} "" fido2-device=auto''
|
||||
+ (if device.value.ssd then ",discard" else ""))
|
||||
(attrsToList fileSystems.decrypt.manual.devices))}
|
||||
'';
|
||||
};
|
||||
services.wait-manual-decrypt =
|
||||
{
|
||||
wantedBy = [ "initrd-root-fs.target" ];
|
||||
before = [ "roll-rootfs.service" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = concatStringsSep "\n" (map
|
||||
(device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
|
||||
(attrsToList fileSystems.decrypt.manual.devices));
|
||||
};
|
||||
};
|
||||
};
|
||||
fileSystems = listToAttrs (map
|
||||
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
|
||||
fileSystems.decrypt.manual.delayedMount);
|
||||
}
|
||||
)
|
||||
# mdadm
|
||||
(
|
||||
mkIf (fileSystems.mdadm != null)
|
||||
{ boot.initrd.services.swraid = { enable = true; mdadmConf = fileSystems.mdadm; }; }
|
||||
)
|
||||
# swap
|
||||
{ swapDevices = map (device: { device = device; }) fileSystems.swap; }
|
||||
# resume
|
||||
(
|
||||
mkIf (fileSystems.resume != null) { boot =
|
||||
(
|
||||
if builtins.typeOf fileSystems.resume == "string" then
|
||||
{ resumeDevice = fileSystems.resume; }
|
||||
else
|
||||
{
|
||||
resumeDevice = fileSystems.resume.device;
|
||||
kernelModules = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
|
||||
}
|
||||
);}
|
||||
)
|
||||
# rollingRootfs
|
||||
(
|
||||
mkIf (fileSystems.rollingRootfs != null)
|
||||
{
|
||||
boot.initrd.systemd =
|
||||
{
|
||||
extraBin =
|
||||
{
|
||||
grep = "${inputs.pkgs.gnugrep}/bin/grep";
|
||||
awk = "${inputs.pkgs.gawk}/bin/awk";
|
||||
chattr = "${inputs.pkgs.e2fsprogs}/bin/chattr";
|
||||
lsmod = "${inputs.pkgs.kmod}/bin/lsmod";
|
||||
};
|
||||
services.roll-rootfs =
|
||||
{
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
|
||||
before = [ "local-fs-pre.target" "sysroot.mount" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script =
|
||||
let
|
||||
inherit (fileSystems.rollingRootfs) device path waitDevices;
|
||||
waitDevice = concatStringsSep "\n" (builtins.map
|
||||
(device: "while ! [ -e ${device} ]; do sleep 1; done") (waitDevices ++ [ device ]));
|
||||
in
|
||||
''
|
||||
while ! lsmod | grep -q btrfs; do sleep 1; done
|
||||
${waitDevice}
|
||||
mount ${device} /mnt -m
|
||||
if [ -f /mnt${path}/current/.timestamp ]
|
||||
then
|
||||
timestamp=$(cat /mnt${path}/current/.timestamp)
|
||||
subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
|
||||
mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
|
||||
btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
|
||||
fi
|
||||
btrfs subvolume create /mnt${path}/current
|
||||
chattr +C /mnt${path}/current
|
||||
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
|
||||
umount /mnt
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
];
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
|
||||
before = [ "local-fs-pre.target" "sysroot.mount" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script =
|
||||
let
|
||||
inherit (fileSystems.rollingRootfs) device path waitDevices;
|
||||
waitDevice = builtins.concatStringsSep "\n" (builtins.map
|
||||
(device: "while ! [ -e ${device} ]; do sleep 1; done") (waitDevices ++ [ device ]));
|
||||
in
|
||||
''
|
||||
while ! lsmod | grep -q btrfs; do sleep 1; done
|
||||
${waitDevice}
|
||||
mount ${device} /mnt -m
|
||||
if [ -f /mnt${path}/current/.timestamp ]
|
||||
then
|
||||
timestamp=$(cat /mnt${path}/current/.timestamp)
|
||||
subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
|
||||
mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
|
||||
btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
|
||||
fi
|
||||
btrfs subvolume create /mnt${path}/current
|
||||
chattr +C /mnt${path}/current
|
||||
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
|
||||
umount /mnt
|
||||
'';
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
|
80
modules/system/fileSystems/luks/default.nix
Normal file
80
modules/system/fileSystems/luks/default.nix
Normal file
@ -0,0 +1,80 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.system.fileSystems.luks = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
auto = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
manual =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
devices = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.system.fileSystems) luks; in inputs.lib.mkMerge
|
||||
[
|
||||
(inputs.lib.mkIf (luks.auto != null) { boot.initrd =
|
||||
{
|
||||
luks.devices = (builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = device.value.mapper;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
allowDiscards = device.value.ssd;
|
||||
bypassWorkqueues = device.value.ssd;
|
||||
crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList luks.auto)));
|
||||
systemd.services = builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = "systemd-cryptsetup@${device.value.mapper}";
|
||||
value =
|
||||
{
|
||||
before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
|
||||
overrideStrategy = "asDropin";
|
||||
};
|
||||
})
|
||||
(builtins.filter (device: device.value.before != null) (inputs.localLib.attrsToList luks.auto)));
|
||||
};})
|
||||
(inputs.lib.mkIf luks.manual.enable
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
systemd.services.wait-manual-decrypt =
|
||||
{
|
||||
wantedBy = [ "initrd-root-fs.target" ];
|
||||
before = [ "roll-rootfs.service" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = builtins.concatStringsSep "\n" (builtins.map
|
||||
(device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
|
||||
(inputs.localLib.attrsToList luks.manual.devices));
|
||||
};
|
||||
};
|
||||
fileSystems = builtins.listToAttrs (builtins.map
|
||||
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
|
||||
luks.manual.delayedMount);
|
||||
})
|
||||
];
|
||||
}
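Review bot: `inputs.lib.mkIf (luks.auto != null)` at the top of the config never gates anything, because `luks.auto` is declared as `attrsOf` with `default = {}` and can never be null; the intended check is `luks.auto != {}`, as in `(inputs.lib.mkIf (luks.auto != {}) { boot.initrd =`. The current form is harmless (an empty attrset just yields empty `luks.devices` and `systemd.services`), but it reads as a guard that is not one. Separately, `allowDiscards = device.value.ssd` (and `bypassWorkqueues`) is the usual SSD trade-off — discards reveal which blocks of the encrypted device are unused — and deserves a one-line comment saying it is intentional, e.g. `# discard/TRIM through dm-crypt leaks free-space layout; accepted for SSD wear/performance`. `wait-manual-decrypt` orders itself `before = [ "roll-rootfs.service" ]`, which is defined in a different module; systemd ignores ordering against absent units so this is fine, but a comment noting where that unit comes from would help the next reader.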
|
28
modules/system/fileSystems/nfs.nix
Normal file
28
modules/system/fileSystems/nfs.nix
Normal file
@ -0,0 +1,28 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.system.fileSystems.mount.nfs = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.nullOr (types.attrsOf types.nonEmptyStr); default = null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.system.fileSystems.mount) nfs; in inputs.lib.mkIf (nfs != null)
|
||||
{
|
||||
fileSystems = builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = device.value;
|
||||
value = { device = device.name; fsType = "nfs"; neededForBoot = true; };
|
||||
})
|
||||
(inputs.localLib.attrsToList nfs));
|
||||
boot.initrd =
|
||||
{
|
||||
network.enable = true;
|
||||
systemd.extraBin =
|
||||
{
|
||||
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
|
||||
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
|
||||
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
|
||||
};
|
||||
};
|
||||
services.rpcbind.enable = true;
|
||||
};
|
||||
}
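Review bot: The module enables `boot.initrd.network.enable` and marks every NFS mount `neededForBoot = true`, but it configures no initrd network interface, whereas the per-host blocks it replaces also copied `systemd.network.networks."10-eno2"` into `boot.initrd.systemd.network.networks`; unless another module now performs that copy (not visible here), the initrd has no address on the cluster interface and the root-required `/home` mount will stall boot until systemd's device timeout drops to the emergency shell. A worker whose NFS server is down is left in the same state, since the mount carries no options; if that is acceptable it should be stated, otherwise something like `options = [ "nfsvers=4" "x-systemd.mount-timeout=60s" ]` bounds the wait (mount still fails, but predictably). It would also be worth a comment that `mount.nfs`/`mount.nfs4` are pulled into the initrd precisely because of `neededForBoot`, and that `ifconfig` is only for interactive debugging from the initrd sshd, if that is indeed why it is there.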
|
@ -56,7 +56,7 @@ inputs:
|
||||
(system:
|
||||
{
|
||||
name = system.config.nixos.system.networking.hostname;
|
||||
value = system.config.nixos.system.fileSystems.decrypt.manual;
|
||||
value = system.config.nixos.system.fileSystems.luks.manual;
|
||||
})
|
||||
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
|
||||
cat = "${inputs.pkgs.coreutils}/bin/cat";
|
||||
@ -68,7 +68,8 @@ inputs:
|
||||
(builtins.map (system: builtins.concatStringsSep "\n"
|
||||
[
|
||||
"decrypt-${system.name}() {"
|
||||
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
|
||||
" key=$(${cat} ${inputs.topInputs.self}/modules/system/fileSystems/luks/${system.name}.key \\"
|
||||
" | ${gpg} --decrypt)"
|
||||
(builtins.concatStringsSep "\n" (builtins.map
|
||||
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
|
||||
+ (if device.value.ssd then "--allow-discards " else "")
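Review bot: The new `key=$(${cat} …/luks/${system.name}.key | ${gpg} --decrypt)` has no failure check, so a missing `<hostname>.key` or a failed decryption leaves `key` empty and the following context line still pipes it, via an unquoted `echo $key`, to `cryptsetup luksOpen` over ssh; appending `|| return 1` to the second new line — `" | ${gpg} --decrypt) || return 1"` — aborts before any remote open is attempted, and `printf '%s' "$key"` in place of `echo $key` avoids word-splitting and glob expansion of the passphrase. The path is now fixed to `modules/system/fileSystems/luks/<hostname>.key` inside the flake source (replacing the removed per-host `keyFile` option), which also means the gpg-encrypted key files travel with every copy of the flake; presumably intended, but worth a comment at the top of this function. Since the passphrase is sent to `root@initrd.<host>.chn.moe`, the initrd sshd's host key should be pinned in the caller's known_hosts, which this hunk cannot show. The `decrypt-<host>` function body continues past the end of this hunk.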
|
||||
|
@ -138,10 +138,10 @@ int main()
|
||||
state.job_name, state.output_file, state.vasp_version_entries[state.vasp_version_selected]
|
||||
);
|
||||
else state.submit_command =
|
||||
"sbatch --ntasks={}\n--cpus-per-task={}\n--hint=nomultithread\n--job-name='{}'\n--output='{}'"
|
||||
"\n--wrap=\"vasp-intel srun vasp-{}\""_f
|
||||
"sbatch --ntasks={}\n--cpus-per-task={}\n--export=ALL,OMP_NUM_THREADS={}\n--hint=nomultithread\n--job-name='{}'\n"
|
||||
"--output='{}'\n--wrap=\"vasp-intel srun --mpi=pmix vasp-{}\""_f
|
||||
(
|
||||
state.mpi_threads, state.openmp_threads, state.job_name, state.output_file,
|
||||
state.mpi_threads, state.openmp_threads, state.openmp_threads, state.job_name, state.output_file,
|
||||
state.vasp_version_entries[state.vasp_version_selected]
|
||||
);
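Review bot: `state.job_name` and `state.output_file` are spliced into `--job-name='{}'` and `--output='{}'` with no escaping, so a value containing a single quote ends the quoting early and whatever follows is interpreted by the shell that eventually runs `submit_command` (presumably one is, given the `\n`-separated sbatch arguments); the new `--export=ALL,OMP_NUM_THREADS={}` is an integer and is fine. Even if this only affects the user's own submission, a small shell-quote helper — replace each `'` with `'\''` and wrap the result in single quotes — applied to both strings before formatting, with the format string then using `{}` without its own quotes, removes the problem. This sits inside `main`, whose body starts and ends outside the hunk.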
|
||||
|
||||
|