From 52eed708f08d3b3f50e0dfb8f514087bbcfc91f1 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias
Date: Fri, 31 Mar 2023 18:27:25 +0200
Subject: [PATCH] Add initial configuration
---
 boot.nix | 16 +++++++++++++
 configuration.nix | 42 ++++++++++++++++++++++++++++++++++
 fs.nix | 10 +++++++++
 gitlab-runner.nix | 46 ++++++++++++++++++++++++++++++++++++++
 hardware-configuration.nix | 37 ++++++++++++++++++++++++++++++
 net.nix | 26 +++++++++++++++++++++
 ssh.nix | 24 ++++++++++++++++++++
 users.nix | 15 +++++++++++++
 8 files changed, 216 insertions(+)
 create mode 100644 boot.nix
 create mode 100644 configuration.nix
 create mode 100644 fs.nix
 create mode 100644 gitlab-runner.nix
 create mode 100644 hardware-configuration.nix
 create mode 100644 net.nix
 create mode 100644 ssh.nix
 create mode 100644 users.nix
diff --git a/boot.nix b/boot.nix
new file mode 100644
index 0000000..033e9b3
--- /dev/null
+++ b/boot.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+
+ # Select the this using the ID to avoid mismatches
+ boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN";
+
+ # Enable serial console
+ boot.kernelParams = [
+ "console=tty1"
+ "console=ttyS0,115200"
+ ];
+}
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..4a20d1d
--- /dev/null
+++ b/configuration.nix
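Review bot: The comment above `boot.loader.grub.device` reads `# Select the this using the ID to avoid mismatches` and does not say what is being selected; something like `# Select the boot disk by its /dev/disk/by-id name so the GRUB target does not change when enumeration order does` documents the actual intent. `boot.loader.grub.version = 2;` is, if I recall the module history correctly, deprecated and a no-op in releases after the `22.11` this system is pinned to, so it can be dropped when the system is upgraded.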
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ./boot.nix
+ ./fs.nix
+ ./gitlab-runner.nix
+ ./net.nix
+ ./ssh.nix
+ ./users.nix
+ ];
+
+ systemd.services."serial-getty@ttyS0" = {
+ enable = true;
+ wantedBy = [ "getty.target" ];
+ serviceConfig.Restart = "always";
+ };
+
+ time.timeZone = "Europe/Madrid";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ environment.systemPackages = with pkgs; [
+ vim wget git htop
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/fs.nix b/fs.nix
new file mode 100644
index 0000000..7a459dd
--- /dev/null
+++ b/fs.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ # Mount the home via NFS
+ fileSystems."/home" = {
+ device = "10.0.40.30:/home";
+ fsType = "nfs";
+ options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" ];
+ };
+}
diff --git a/gitlab-runner.nix b/gitlab-runner.nix
new file mode 100644
index 0000000..67c400d
--- /dev/null
+++ b/gitlab-runner.nix
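Review bot: The comment on `system.copySystemConfiguration` promises a recovery copy of the configuration, but as documented for that option only the single top-level `configuration.nix` is copied into the store, not the seven modules it imports, so after an accidental deletion almost all of this setup would still be gone; the comment should say so, e.g. `# Only this file is copied, not the imported modules; the git repo is the real backup`. Whatever is copied also lands in the world-readable Nix store, which is worth keeping in mind as soon as any module here references secrets or credential material.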
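Review bot: The `/home` mount uses `nfsvers=3` with no `sec=` option, so access control is plain AUTH_SYS: the server trusts whatever uid the client presents and nothing on the wire is encrypted or integrity-protected, which makes the export's server-side host restrictions (outside this repo) the only thing protecting home directories from other hosts on 10.0.40.0/24. That may be an accepted trade-off on this LAN, but the comment should state it, together with the reason for `rsize=1024`/`wsize=1024` (1 KiB transfers are far below the NFSv3 defaults and will likely hurt throughput badly). Since `gitlab-runner.nix` in the same commit runs CI jobs unsandboxed on this host, those jobs see this mount with whatever the export grants their uid; that interaction deserves a sentence here as well.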
@@ -0,0 +1,46 @@
+{ pkgs, lib, config, ... }:
+
+{
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ # runner for executing stuff on host system (very insecure!)
+ # make sure to add required packages (including git!)
+ # to `environment.systemPackages`
+ shell = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ executor = "shell";
+ tagList = [ "nix" "xeon" ];
+ environmentVariables = {
+ SHELL = "${pkgs.bash}/bin/bash";
+ };
+ };
+ # # runner for everything else
+ # default = {
+ # # File should contain at least these two variables:
+ # # `CI_SERVER_URL`
+ # # `REGISTRATION_TOKEN`
+ # registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ # dockerImage = "debian:stable";
+ # };
+ };
+ };
+
+ #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
+ systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
+ systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";
+ systemd.services.gitlab-runner.serviceConfig.Group = "gitlab-runner";
+
+ users.users.gitlab-runner = {
+ uid = config.ids.uids.gitlab-runner;
+ #isNormalUser = true;
+ home = "/var/lib/gitlab-runner";
+ description = "Gitlab Runner";
+ group = "gitlab-runner";
+ createHome = true;
+ };
+ users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..c69f868
--- /dev/null
+++ b/hardware-configuration.nix
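Review bot: Forcing `DynamicUser` off and pinning `User = "gitlab-runner"` gives every CI job a persistent host identity with no sandbox, and nothing in this commit limits which projects or branches may dispatch jobs to the `nix`/`xeon` tags; the existing `(very insecure!)` comment should say what mitigates that, e.g. `# Register this as a protected, project-scoped runner in GitLab; jobs run unsandboxed as gitlab-runner on this host`. Because the account and `/var/lib/gitlab-runner` now persist across jobs, one job can leave state (tokens in caches, altered tools) for the next, which is worth either a comment or a cleanup step in the job configuration. `/run/secrets/gitlab-runner-registration` is referenced but nothing in this commit provisions it (no secrets module is imported), so document how it is deployed and that its mode must restrict it to the account that reads it, since it carries `REGISTRATION_TOKEN`.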
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/289f78d9-b339-47de-b321-0a6796b9a79b";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/2bac02f9-7ea1-4868-9536-23710f19baca"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ib0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/net.nix b/net.nix
new file mode 100644
index 0000000..a9ae546
--- /dev/null
+++ b/net.nix
@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "xeon07";
+
+ useDHCP = false;
+ defaultGateway = "10.0.40.30";
+ nameservers = ["8.8.8.8"];
+ interfaces.eno1.useDHCP = false;
+ interfaces.eno1.ipv4.addresses = [ {
+ address = "10.0.40.7";
+ prefixLength = 24;
+ } ];
+
+ proxy = {
+ default = "http://localhost:23080/";
+ noProxy = "127.0.0.1,localhost,internal.domain";
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ };
+ };
+}
diff --git a/ssh.nix b/ssh.nix
new file mode 100644
index 0000000..3c97d4c
--- /dev/null
+++ b/ssh.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Connect to intranet git hosts via proxy
+ programs.ssh.extraConfig = ''
+ Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
+ User git
+ ProxyCommand nc -X connect -x localhost:23080 %h %p
+ '';
+
+ # Authorize keys
+ users.users = {
+ root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBOf4r4lzQfyO0bx5BaREePREw8Zw5+xYgZhXwOZoBO ram@hop" ];
+ rarias.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBOf4r4lzQfyO0bx5BaREePREw8Zw5+xYgZhXwOZoBO ram@hop" ];
+ };
+
+ programs.ssh.knownHosts = {
+ "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
+ "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
+ };
+}
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..617ff5e
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ users = {
+ mutableUsers = false;
+ users.rarias = {
+ uid = 1880;
+ isNormalUser = true;
+ home = "/home/Computational/rarias";
+ description = "Rodrigo Arias";
+ extraGroups = [ "wheel" ];
+ hashedPassword = "$6$u06tkCy13enReBsb$xiI.twRvvTfH4jdS3s68NZ7U9PSbGKs5.LXU/UgoawSwNWhZo2hRAjNL5qG0/lAckzcho2LjD0r3NfVPvthY6/";
+ };
+ };
+}
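Review bot: `allowedTCPPorts = [ 22 80 443 ];` opens 80 and 443 although nothing in this commit listens on them (the GitLab runner only makes outbound connections, and port 22 is, as far as I recall, already opened by the openssh module's `openFirewall` default); `allowedTCPPorts = [ 22 ];` keeps the exposed surface to what is actually served and the extra ports can be added with the service that needs them. `noProxy = "127.0.0.1,localhost,internal.domain"` looks like the example value from the NixOS manual copied verbatim; if the intent is to bypass the proxy for 10.0.40.0/24 and the `*.bsc.es` hosts, list those, otherwise drop `internal.domain`. `nameservers = ["8.8.8.8"]` sends all DNS to a public resolver even though a gateway at 10.0.40.30 and an HTTP proxy are configured, so a one-line comment on why a local resolver is not used would help the next reader.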
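Review bot: With `services.openssh.enable = true;` and the 22.11 defaults, password authentication over SSH stays enabled, and `users.nix` in this commit gives `rarias` (a `wheel` member) a password; since both accounts here authenticate with the same ed25519 key, password logins add nothing but online-guessing exposure on a host whose firewall admits port 22. Add `services.openssh.passwordAuthentication = false;` (the setting lives under `services.openssh.settings.PasswordAuthentication` in later releases) and consider `services.openssh.kbdInteractiveAuthentication = false;` alongside it. Giving root its own authorized key is a deliberate choice, but a comment should say why `sudo` through `wheel` is not sufficient. The `Host` line names four intranet hosts while `knownHosts` pins only `gitlab-internal.bsc.es` and `bscpm03.bsc.es`, so `bscpm02.bsc.es` and `alya.gitlab.bsc.es` still fall back to trust-on-first-use through the proxy.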
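Review bot: `hashedPassword` commits the SHA-512 crypt hash of a `wheel` user's password to the repository, and as far as I can tell from the users-groups module NixOS also writes it into the world-readable Nix store when it generates the user database, so anyone with read access to either can attack it offline at leisure. Move it out of both with `users.users.rarias.passwordFile = "<path-outside-repo-and-store>";` (the option is `hashedPasswordFile` in newer releases) pointing at a root-only file, and treat the hash in this commit as exposed, i.e. change the password once the file is in place. `mutableUsers = false;` is the right call, but with a committed hash it also means the password can only be rotated by another commit, which is one more reason to keep the hash out of the repo.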