Merge branch 'production' into next

fix opencv
devices.srv1.node2: enable kvm
2024-10-22 21:18:44 +08:00 · 2024-09-26 21:42:49 +08:00 · 2024-09-26 21:42:02 +08:00 · 2024-09-26 20:41:26 +08:00 · 2024-09-26 15:31:59 +08:00 · 2024-09-26 15:23:59 +08:00
25 changed files with 301 additions and 387 deletions
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@ -24,7 +24,7 @@ inputs:
              };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices =
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@ -13,7 +13,7 @@ inputs:
            vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          decrypt.auto =
+          luks.auto =
          {
            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
@ -41,7 +41,7 @@ inputs:
            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
            "alderlake"
          ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" "srv1-node0" "srv1-node1" ]; };
+          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
          githubToken.enable = true;
        };
        nixpkgs =
--- a/devices/srv1/default.nix
+++ b/devices/srv1/default.nix
@ -66,7 +66,7 @@ inputs:
          setupFirewall = true;
        };
      };
-      user.users = [ "chn" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" ];
    };
  };
 }
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@ -6,7 +6,6 @@ inputs:
    {
      system =
      {
-        nix = { marches = [ "cascadelake" "broadwell" ]; remote.slave.enable = true; };
        nixpkgs.march = "cascadelake";
        networking.networkd.static =
        {
@ -17,11 +16,7 @@ inputs:
      };
      services =
      {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.extraInterfaces = [ "eno146" ];
-        };
+        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
        wireguard =
        {
@ -30,33 +25,13 @@ inputs:
          publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
          wireguardIp = "192.168.83.9";
        };
+        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
      };
      packages.packages._prebuildPackages =
        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
    };
-    services.nfs.server =
-    {
-      enable = true;
-      exports = 
-      ''
-        / 192.168.178.0/24(rw,no_root_squash,fsid=0,sync,crossmnt)
-        /home 192.168.178.0/24(rw,no_root_squash,sync,crossmnt)
-      '';
-    };
-    networking =
-    {
-      firewall.allowedTCPPorts = [ 2049 ];
-    };
+    # allow other machine access network by this machine
    systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
-    services.rpcbind.enable = true;
-    fileSystems =
-    {
-      "/nix/share/home" =
-      {
-        device = "/home";
-        options = [ "rbind" ];
-      };
-    };
    # without this, tproxy does not work
    # TODO: why?
    networking.firewall.trustedInterfaces = [ "eno146" ];
--- a/devices/srv1/node1/default.nix
+++ b/devices/srv1/node1/default.nix
@ -7,49 +7,21 @@ inputs:
      system =
      {
        nixpkgs.march = "broadwell";
-        networking.networkd.static =
-        {
-          eno1 = { ip = "192.168.1.11"; mask = 24; gateway = "192.168.1.1"; };
-          eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        };
+        networking.networkd.static.eno2 =
+          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
      };
      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
      packages.packages._prebuildPackages =
        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
    };
-    specialisation =
+    specialisation.no-share-home.configuration =
    {
-      no-share-home.configuration =
-      {
-        nixos =
-        {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
-        };
-        system.nixos.tags = [ "no-share-home" ];
-      };
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
    };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
-      {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
-      };
-    };
-    boot.initrd.network.enable = true; 
    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
-    {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-    };
-    services.rpcbind.enable = true;
    # make slurm sub process to be able to communicate with the master
    networking.firewall.trustedInterfaces = [ "eno2" ];
  };
--- a/devices/srv1/node2/default.nix
+++ b/devices/srv1/node2/default.nix
@ -7,46 +7,34 @@ inputs:
      system =
      {
        nixpkgs.march = "broadwell";
-        networking.networkd.static.eno2 =
-          { ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        networking.networkd.static =
+        {
+          eno1 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+          eno2 = { ip = "192.168.178.3"; mask = 24; };
+        };
        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
+        fileSystems.mount =
+        {
+          nfs."192.168.178.1:/home" = "/home";
+          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
+        };
+      };
+      services =
+      {
+        xray.client.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
      };
-      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
      packages.packages._prebuildPackages =
        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
+      virtualization.kvmHost = { enable = true; gui = true; };
    };
-    specialisation =
+    specialisation.no-share-home.configuration =
    {
-      no-share-home.configuration =
-      {
-        nixos =
-        {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
-        };
-        system.nixos.tags = [ "no-share-home" ];
-      };
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
    };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
-      {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
-      };
-    };
-    boot.initrd.network.enable = true; 
    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
-    {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-    };
-    services.rpcbind.enable = true;
    # make slurm sub process to be able to communicate with the master
    networking.firewall.trustedInterfaces = [ "eno2" ];
  };
--- a/devices/srv1/node2/secrets/default.yaml
+++ b/devices/srv1/node2/secrets/default.yaml
@ -1,4 +1,5 @@
-hello: ENC[AES256_GCM,data:/WGwXDnQio1BwD/zPoURTjVzTasWICOA7CBsgT5DbYIkKLt5DxzogeYWpiqjVg==,iv:BY82U/y9V8PYtn3Bre+nabGBcVgFbppIQZb7GhgY62I=,tag:JFqrezoWNJ8ZACCKQ43n5g==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,8 +24,8 @@ sops:
            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T05:30:52Z"
-    mac: ENC[AES256_GCM,data:nSrkKUo4yB57aetzdJ1sjSKcm5STQ6jfMhvY4/tXft2P9zRYigSP4PkZj7z+knxcIx9sFdA86h8X45oUjxaAa5xDJpgmvC/EEKxm5rZtVTxYYYdy40W72qThVuKUasWpYrrGZbZEbTu3Dad1yfJTilwofRtxoo1Nmj5lMvw+HRo=,iv:UvBSF5GLEj+hTZksrIV3Ow+HQ/xjqwCUuwqkdz8g0Qg=,tag:U5wJPhmeevB2i2GBgMGBFQ==,type:str]
+    lastmodified: "2024-09-26T04:24:23Z"
+    mac: ENC[AES256_GCM,data:GS9TPomEy3rHaanqMWkqGV9NX8lsYMnujxhuWTnJxdgfCP8scOEo2O+ATlmxmcmKquXlq+zo4LF6RCzF65eSvpSKcIDQRc0yDgBQ5+M8gXv1lk0WNdicpHJsEk8j/ostJTwEkV5QDyp3+J6lRNtFMQnrZ7+UxpgQwK7DaP8mnF4=,iv:1BEb2Xr8jQO6M19bC+jlGGSI0aT1MEgEoYwLuCT1T9U=,tag:Be7BQsjWq7PZBrgsrH/cjA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/devices/srv1/node3/default.nix
+++ b/devices/srv1/node3/default.nix
@ -10,43 +10,18 @@ inputs:
        networking.networkd.static.eno2 =
          { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
      };
      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
      packages.packages._prebuildPackages =
        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
    };
-    specialisation =
+    specialisation.no-share-home.configuration =
    {
-      no-share-home.configuration =
-      {
-        nixos =
-        {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
-        };
-        system.nixos.tags = [ "no-share-home" ];
-      };
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
    };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
-      {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
-      };
-    };
-    boot.initrd.network.enable = true; 
    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
-    {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-    };
-    services.rpcbind.enable = true;
    # make slurm sub process to be able to communicate with the master
    networking.firewall.trustedInterfaces = [ "eno2" ];
  };
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@ -14,7 +14,7 @@ inputs:
            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          decrypt.auto =
+          luks.auto =
          {
            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
@ -36,7 +36,7 @@ inputs:
      {
        snapper.enable = true;
        sshd = {};
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 21; };
+        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
        frpServer = { enable = true; serverName = "frp.chn.moe"; };
        nginx =
        {
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@ -46,6 +46,8 @@ xray-server:
        user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
        #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
        user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
+        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
+        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 nginx:
    #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
@ -89,8 +91,8 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-15T03:48:21Z"
-    mac: ENC[AES256_GCM,data:kZDIr2NHVew+BsreAoYNAcP/3i2A7U1RGIiA6qok1EsXLcunO+vfjIZl3L/0CEEH4+u6PEXQ51atzufqOGpoq9XqorBMRDEdlhitZZIUZm8Cji9BJxixeTUQ+KmFEbdw8H1XDIPWOQJCmTUbkOElMzHO4BNtTpdjE4u1IZ0bUiY=,iv:cCjln5wrScDz7A5/OHVoAj671VtkBmK7H0pnpKLsjD8=,tag:rohzoGp2V1sS03W0z5hM/A==,type:str]
+    lastmodified: "2024-09-26T04:24:17Z"
+    mac: ENC[AES256_GCM,data:AXhLmyZWGD6KvMkyHqmCERE6eNE3pD5Pa/9mRBWZe4hiXL4mKTzCn5C/ODGQ1ZeQjDdP+awjJRvLRjMiYFhVlU8rKpg/f2G1gDr4cIbr61sCdzXKX8wFW0G7bJWxxpAC4X59+u9EJ3sNcyf7bJrMdkTzTYpgXh29mtl2bprcdJQ=,iv:pK4hYexcWng3GwOmWGqgyMsmATnXgcwR3NH4UxCwpvE=,tag:zpv64JWoXc5cDCukDuW51g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
--- a/flake.lock
+++ b/flake.lock
@ -953,11 +953,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1727241804,
-        "narHash": "sha256-TOGSjuA+/xZgz/+HIC6dyYouT4X4qLHQ0eSXY731wBc=",
+        "lastModified": 1727355718,
+        "narHash": "sha256-AvmneY2JNPdqXWrSSSWNeNCZeCTBXVu10WDFYlD/IHM=",
        "owner": "CHN-beta",
        "repo": "nixpkgs",
-        "rev": "2ca64bcc4748b2ceaa1d48f4140c21682dab9309",
+        "rev": "17fe8ed6ac90b3ca5ca23e5ad9e95a2051db6c8b",
        "type": "github"
      },
      "original": {
--- a/modules/packages/default.nix
+++ b/modules/packages/default.nix
@ -24,19 +24,9 @@ inputs:
              excludePythonPackages))
            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
              (_pythonPackages ++ extraPythonPackages)))))
-        (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
-        {
-          name = "prebuild-packages";
-          propagateBuildInputs = inputs.lib.lists.subtractLists excludePrebuildPackages
-            (_prebuildPackages ++ extraPrebuildPackages);
-          phases = [ "installPhase" ];
-          installPhase =
-          ''
-            runHook preInstall
-            mkdir -p $out
-            runHook postInstall
-          '';
-        }) {})
+        (inputs.pkgs.writeTextDir "share/prebuild-packages"
+          (builtins.concatStringsSep "\n" (builtins.map builtins.toString
+            (inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
      ];
  };
 }
--- a/modules/services/nfs.nix
+++ b/modules/services/nfs.nix
@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      root = mkOption { type = types.nonEmptyStr; };
+      exports = mkOption { type = types.listOf types.nonEmptyStr; };
+      accessLimit = mkOption { type = types.nonEmptyStr; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != null)
+  {
+    services =
+    {
+      rpcbind.enable = true;
+      nfs.server =
+      {
+        enable = true;
+        exports = "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)\n"
+          + builtins.concatStringsSep "\n" (builtins.map
+            (export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)")
+            nfs.exports);
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 2049 ];
+  };
+}
--- a/modules/system/fileSystems/default.nix
+++ b/modules/system/fileSystems/default.nix
@ -1,5 +1,6 @@
 inputs:
 {
+  imports = inputs.localLib.findModules ./.;
  options.nixos.system.fileSystems = let inherit (inputs.lib) mkOption types; in
  {
    mount =
@ -9,41 +10,6 @@ inputs:
      # device.subvol = mountPoint;
      btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); default = {}; };
    };
-    decrypt =
-    {
-      auto = mkOption
-      {
-        type = types.attrsOf (types.submodule
-        {
-          options =
-          {
-            mapper = mkOption { type = types.nonEmptyStr; };
-            ssd = mkOption { type = types.bool; default = false; };
-            before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
-          };
-        });
-        default = {};
-      };
-      manual =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        devices = mkOption
-        {
-          type = types.attrsOf (types.submodule
-          {
-            options =
-            {
-              mapper = mkOption { type = types.nonEmptyStr; };
-              ssd = mkOption { type = types.bool; default = false; };
-            };
-          });
-          default = {};
-        };
-        keyFile = mkOption
-          { type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
-        delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-      };
-    };
    # generate using: sudo mdadm --examine --scan
    mdadm = mkOption { type = types.nullOr types.lines; default = null; };
    swap = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
@ -66,205 +32,112 @@ inputs:
      default = null;
    };
  };
-  config =
-    let
-      inherit (builtins) listToAttrs map concatLists concatStringsSep;
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.config.nixos.system) fileSystems;
-    in mkMerge
-    [
-      # mount.vfat
-      {
-        fileSystems = listToAttrs (map
-          (device:
-          {
-            name = device.value;
-            value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
-          })
-          (attrsToList fileSystems.mount.vfat));
-      }
-      # mount.btrfs
-      # Disable CoW for VM image and database: sudo chattr +C images
-      # resize btrfs:
-      # sudo btrfs filesystem resize -50G /nix
-      # sudo cryptsetup status root
-      # sudo cryptsetup -b 3787456512 resize root
-      # sudo cfdisk /dev/nvme1n1p3
-      {
-        fileSystems = listToAttrs (concatLists (map
+  config = let inherit (inputs.config.nixos.system) fileSystems; in inputs.lib.mkMerge
+  [
+    # mount.vfat
+    {
+      fileSystems = builtins.listToAttrs (builtins.map
+        (device:
+        {
+          name = device.value;
+          value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
+        })
+        (inputs.localLib.attrsToList fileSystems.mount.vfat));
+    }
+    # mount.btrfs
+    # Disable CoW for VM image and database: sudo chattr +C images
+    # resize btrfs:
+    # sudo btrfs filesystem resize -50G /nix
+    # sudo cryptsetup status root
+    # sudo cryptsetup -b 3787456512 resize root
+    # sudo cfdisk /dev/nvme1n1p3
+    {
+      fileSystems =  builtins.listToAttrs (builtins.concatLists (builtins.map
+        (device: builtins.map
          (
-            device: map
-              (
-                subvol:
-                {
-                  name = subvol.value;
-                  value =
-                  {
-                    device = device.name;
-                    fsType = "btrfs";
-                    # zstd:15 cause sound stuttering
-                    # test on e20dae7d8b317f95718b5f4175bd4246c09735de mathematica ~15G
-                    # zstd:15 5m33s 7.16G
-                    # zstd:8 54s 7.32G
-                    # zstd:3 17s 7.52G
-                    options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" "noatime" ];
-                    neededForBoot = true;
-                  };
-                }
-              )
-              (attrsToList device.value)
+            subvol:
+            {
+              name = subvol.value;
+              value =
+              {
+                device = device.name;
+                fsType = "btrfs";
+                # zstd:15 cause sound stuttering
+                # test on e20dae7d8b317f95718b5f4175bd4246c09735de mathematica ~15G
+                # zstd:15 5m33s 7.16G
+                # zstd:8 54s 7.32G
+                # zstd:3 17s 7.52G
+                options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" "noatime" ];
+                neededForBoot = true;
+              };
+            }
          )
-          (attrsToList fileSystems.mount.btrfs)));
+          (inputs.localLib.attrsToList device.value)
+        )
+        (inputs.localLib.attrsToList fileSystems.mount.btrfs)));
+    }
+    # mdadm
+    (inputs.lib.mkIf (fileSystems.mdadm != null)
+      { boot.initrd.services.swraid = { enable = true; mdadmConf = fileSystems.mdadm; }; }
+    )
+    # swap
+    { swapDevices = builtins.map (device: { device = device; }) fileSystems.swap; }
+    # resume
+    (inputs.lib.mkIf (fileSystems.resume != null) { boot =
+    (
+      if builtins.typeOf fileSystems.resume == "string" then
+        { resumeDevice = fileSystems.resume; }
+      else
+      {
+        resumeDevice = fileSystems.resume.device;
+        kernelModules = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
      }
-      # decrypt.auto
-      (
-        mkIf (fileSystems.decrypt.auto != null)
+    );})
+    # rollingRootfs
+    (inputs.lib.mkIf (fileSystems.rollingRootfs != null)
+    {
+      boot.initrd.systemd =
+      {
+        extraBin =
        {
-          boot.initrd =
-          {
-            luks.devices = (listToAttrs (map
-              (
-                device:
-                {
-                  name = device.value.mapper;
-                  value =
-                  {
-                    device = device.name;
-                    allowDiscards = device.value.ssd;
-                    bypassWorkqueues = device.value.ssd;
-                    crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
-                  };
-                }
-              )
-              (attrsToList fileSystems.decrypt.auto)));
-            systemd.services =
-              let
-                createService = device:
-                {
-                  name = "systemd-cryptsetup@${device.value.mapper}";
-                  value =
-                  {
-                    before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
-                    overrideStrategy = "asDropin";
-                  };
-                };
-              in
-                listToAttrs (map createService
-                  (builtins.filter (device: device.value.before != null) (attrsToList fileSystems.decrypt.auto)));
-          };
-        }
-      )
-      # decrypt.manual
-      (
-        mkIf (fileSystems.decrypt.manual.enable)
+          grep = "${inputs.pkgs.gnugrep}/bin/grep";
+          awk = "${inputs.pkgs.gawk}/bin/awk";
+          chattr = "${inputs.pkgs.e2fsprogs}/bin/chattr";
+          lsmod = "${inputs.pkgs.kmod}/bin/lsmod";
+        };
+        services.roll-rootfs =
        {
-          boot.initrd =
-          {
-            luks.forceLuksSupportInInitrd = true;
-            systemd =
-            {
-              extraBin =
-              {
-                cryptsetup = "${inputs.pkgs.cryptsetup.bin}/bin/cryptsetup";
-                usbip = "${inputs.config.boot.kernelPackages.usbip}/bin/usbip";
-                sed = "${inputs.pkgs.gnused}/bin/sed";
-                awk = "${inputs.pkgs.gawk}/bin/awk";
-                decrypt = inputs.pkgs.writeShellScript "decrypt"
-                ''
-                  modprobe vhci-hcd
-                  busid=$(usbip list -r 127.0.0.1 | head -n4 | tail -n1 | awk '{print $1}' | sed 's/://')
-                  usbip attach -r 127.0.0.1 -b $busid
-                  ${concatStringsSep "\n" (map
-                    (device: ''systemd-cryptsetup attach ${device.value.mapper} ${device.name} "" fido2-device=auto''
-                      + (if device.value.ssd then ",discard" else ""))
-                    (attrsToList fileSystems.decrypt.manual.devices))}
-                '';
-              };
-              services.wait-manual-decrypt =
-              {
-                wantedBy = [ "initrd-root-fs.target" ];
-                before = [ "roll-rootfs.service" ];
-                unitConfig.DefaultDependencies = false;
-                serviceConfig.Type = "oneshot";
-                script = concatStringsSep "\n" (map
-                  (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
-                  (attrsToList fileSystems.decrypt.manual.devices));
-              };
-            };
-          };
-          fileSystems = listToAttrs (map
-            (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
-            fileSystems.decrypt.manual.delayedMount);
-        }
-      )
-      # mdadm
-      (
-        mkIf (fileSystems.mdadm != null)
-          { boot.initrd.services.swraid = { enable = true; mdadmConf = fileSystems.mdadm; }; }
-      )
-      # swap
-      { swapDevices = map (device: { device = device; }) fileSystems.swap; }
-      # resume
-      (
-        mkIf (fileSystems.resume != null) { boot =
-        (
-          if builtins.typeOf fileSystems.resume == "string" then
-            { resumeDevice = fileSystems.resume; }
-          else
-          {
-            resumeDevice = fileSystems.resume.device;
-            kernelModules = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
-          }
-        );}
-      )
-      # rollingRootfs
-      (
-        mkIf (fileSystems.rollingRootfs != null)
-        {
-          boot.initrd.systemd =
-          {
-            extraBin =
-            {
-              grep = "${inputs.pkgs.gnugrep}/bin/grep";
-              awk = "${inputs.pkgs.gawk}/bin/awk";
-              chattr = "${inputs.pkgs.e2fsprogs}/bin/chattr";
-              lsmod = "${inputs.pkgs.kmod}/bin/lsmod";
-            };
-            services.roll-rootfs =
-            {
-              wantedBy = [ "initrd.target" ];
-              after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
-              before = [ "local-fs-pre.target" "sysroot.mount" ];
-              unitConfig.DefaultDependencies = false;
-              serviceConfig.Type = "oneshot";
-              script =
-                let
-                  inherit (fileSystems.rollingRootfs) device path waitDevices;
-                  waitDevice = concatStringsSep "\n" (builtins.map
-                    (device: "while ! [ -e ${device} ]; do sleep 1; done") (waitDevices ++ [ device ]));
-                in
-                ''
-                  while ! lsmod | grep -q btrfs; do sleep 1; done
-                  ${waitDevice}
-                  mount ${device} /mnt -m
-                  if [ -f /mnt${path}/current/.timestamp ]
-                  then
-                    timestamp=$(cat /mnt${path}/current/.timestamp)
-                    subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
-                    mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
-                    btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
-                  fi
-                  btrfs subvolume create /mnt${path}/current
-                  chattr +C /mnt${path}/current
-                  echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
-                  umount /mnt
-                '';
-            };
-          };
-        }
-      )
-    ];
+          wantedBy = [ "initrd.target" ];
+          after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
+          before = [ "local-fs-pre.target" "sysroot.mount" ];
+          unitConfig.DefaultDependencies = false;
+          serviceConfig.Type = "oneshot";
+          script =
+            let
+              inherit (fileSystems.rollingRootfs) device path waitDevices;
+              waitDevice = builtins.concatStringsSep "\n" (builtins.map
+                (device: "while ! [ -e ${device} ]; do sleep 1; done") (waitDevices ++ [ device ]));
+            in
+            ''
+              while ! lsmod | grep -q btrfs; do sleep 1; done
+              ${waitDevice}
+              mount ${device} /mnt -m
+              if [ -f /mnt${path}/current/.timestamp ]
+              then
+                timestamp=$(cat /mnt${path}/current/.timestamp)
+                subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
+                mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
+                btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
+              fi
+              btrfs subvolume create /mnt${path}/current
+              chattr +C /mnt${path}/current
+              echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
+              umount /mnt
+            '';
+        };
+      };
+    })
+  ];
 }


--- a/modules/system/fileSystems/luks/default.nix
+++ b/modules/system/fileSystems/luks/default.nix
@ -0,0 +1,80 @@
+inputs:
+{
+  options.nixos.system.fileSystems.luks = let inherit (inputs.lib) mkOption types; in
+  {
+    auto = mkOption
+    {
+      type = types.attrsOf (types.submodule { options =
+      {
+        mapper = mkOption { type = types.nonEmptyStr; };
+        ssd = mkOption { type = types.bool; default = false; };
+        before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
+      };});
+      default = {};
+    };
+    manual =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      devices = mkOption
+      {
+        type = types.attrsOf (types.submodule { options =
+        {
+          mapper = mkOption { type = types.nonEmptyStr; };
+          ssd = mkOption { type = types.bool; default = false; };
+        };});
+        default = {};
+      };
+      delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+    };
+  };
+  config = let inherit (inputs.config.nixos.system.fileSystems) luks; in inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (luks.auto != null) { boot.initrd =
+    {
+      luks.devices = (builtins.listToAttrs (builtins.map
+        (device:
+        {
+          name = device.value.mapper;
+          value =
+          {
+            device = device.name;
+            allowDiscards = device.value.ssd;
+            bypassWorkqueues = device.value.ssd;
+            crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
+          };
+        })
+        (inputs.localLib.attrsToList luks.auto)));
+      systemd.services = builtins.listToAttrs (builtins.map
+        (device:
+        {
+          name = "systemd-cryptsetup@${device.value.mapper}";
+          value =
+          {
+            before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
+            overrideStrategy = "asDropin";
+          };
+        })
+        (builtins.filter (device: device.value.before != null) (inputs.localLib.attrsToList luks.auto)));
+    };})
+    (inputs.lib.mkIf luks.manual.enable
+    {
+      boot.initrd =
+      {
+        luks.forceLuksSupportInInitrd = true;
+        systemd.services.wait-manual-decrypt =
+        {
+          wantedBy = [ "initrd-root-fs.target" ];
+          before = [ "roll-rootfs.service" ];
+          unitConfig.DefaultDependencies = false;
+          serviceConfig.Type = "oneshot";
+          script = builtins.concatStringsSep "\n" (builtins.map
+            (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
+            (inputs.localLib.attrsToList luks.manual.devices));
+        };
+      };
+      fileSystems = builtins.listToAttrs (builtins.map
+        (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
+        luks.manual.delayedMount);
+    })
+  ];
+}
--- a/modules/system/fileSystems/luks/nas.key
+++ b/modules/system/fileSystems/luks/nas.key
--- a/modules/system/fileSystems/luks/vps4.key
+++ b/modules/system/fileSystems/luks/vps4.key
--- a/modules/system/fileSystems/luks/vps6.key
+++ b/modules/system/fileSystems/luks/vps6.key
--- a/modules/system/fileSystems/luks/vps7.key
+++ b/modules/system/fileSystems/luks/vps7.key
--- a/modules/system/fileSystems/nfs.nix
+++ b/modules/system/fileSystems/nfs.nix
@ -0,0 +1,28 @@
+inputs:
+{
+  options.nixos.system.fileSystems.mount.nfs = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.attrsOf types.nonEmptyStr); default = null;
+  };
+  config = let inherit (inputs.config.nixos.system.fileSystems.mount) nfs; in inputs.lib.mkIf (nfs != null)
+  {
+    fileSystems = builtins.listToAttrs (builtins.map
+      (device:
+      {
+        name = device.value;
+        value = { device = device.name; fsType = "nfs"; neededForBoot = true; };
+      })
+      (inputs.localLib.attrsToList nfs));
+    boot.initrd =
+    {
+      network.enable = true;
+      systemd.extraBin =
+      {
+        "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
+        "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
+        "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
+      };
+    };
+    services.rpcbind.enable = true;
+  };
+}
--- a/modules/user/chn/default.nix
+++ b/modules/user/chn/default.nix
@ -56,7 +56,7 @@ inputs:
                    (system:
                    {
                      name = system.config.nixos.system.networking.hostname;
-                      value = system.config.nixos.system.fileSystems.decrypt.manual;
+                      value = system.config.nixos.system.fileSystems.luks.manual;
                    })
                    (builtins.attrValues inputs.topInputs.self.nixosConfigurations));
                cat = "${inputs.pkgs.coreutils}/bin/cat";
@ -68,7 +68,8 @@ inputs:
                  (builtins.map (system: builtins.concatStringsSep "\n"
                    [
                      "decrypt-${system.name}() {"
-                      "  key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
+                      "  key=$(${cat} ${inputs.topInputs.self}/modules/system/fileSystems/luks/${system.name}.key \\"
+                      "    | ${gpg} --decrypt)"
                      (builtins.concatStringsSep "\n" (builtins.map
                        (device: "  echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
                          + (if device.value.ssd then "--allow-discards " else "")
--- a/packages/sbatch-tui/src/main.cpp
+++ b/packages/sbatch-tui/src/main.cpp
@ -138,10 +138,10 @@ int main()
          state.job_name, state.output_file, state.vasp_version_entries[state.vasp_version_selected]
        );
    else state.submit_command =
-      "sbatch --ntasks={}\n--cpus-per-task={}\n--hint=nomultithread\n--job-name='{}'\n--output='{}'"
-      "\n--wrap=\"vasp-intel srun vasp-{}\""_f
+      "sbatch --ntasks={}\n--cpus-per-task={}\n--export=ALL,OMP_NUM_THREADS={}\n--hint=nomultithread\n--job-name='{}'\n"
+      "--output='{}'\n--wrap=\"vasp-intel srun --mpi=pmix vasp-{}\""_f
      (
-        state.mpi_threads, state.openmp_threads, state.job_name, state.output_file,
+        state.mpi_threads, state.openmp_threads, state.openmp_threads, state.job_name, state.output_file,
        state.vasp_version_entries[state.vasp_version_selected]
      );
Author	SHA1	Message	Date
chn	45cd321bce	Merge branch 'production' into next	2024-09-26 21:42:49 +08:00
chn	4f35f43613	fix opencv	2024-09-26 21:42:02 +08:00
chn	7d27bad072	devices.srv1.node2: enable kvm	2024-09-26 20:41:26 +08:00
chn	5944409604	devices.srv1: add users	2024-09-26 15:31:59 +08:00
chn	198fccc7bf	packages.sbatch-tui: fix	2024-09-26 15:23:59 +08:00
chn	cf3882becc	modules.packages: fix prebuild-packages	2024-09-26 13:51:57 +08:00
chn	c80617c6c0	modules.services.nfs: fix	2024-09-26 13:27:16 +08:00
chn	4fea6edcad	fix build	2024-09-26 12:47:46 +08:00
chn	e574916fd0	devices.srv1: fix network	2024-09-26 12:24:57 +08:00
chn	e72bec278e	modules.system.fileSystems.nfs: init	2024-09-26 12:16:15 +08:00
chn	515b6eedc1	modules.system.fileSystems: 整理	2024-09-26 12:00:26 +08:00
chn	bab49afeb3	modules.system.fileSystems.luks: split	2024-09-26 11:54:34 +08:00
chn	8faa50a427	modules.services.nfs: init	2024-09-26 11:23:07 +08:00