authorKenny Ballou <kb@devnulllabs.io>2023-01-25 16:40:02 -0700
committerKenny Ballou <kb@devnulllabs.io>2023-01-25 16:40:02 -0700
commit055b1e6dc6ed98d3d0cd3fe35f6a4bc8e48b4765 (patch)
tree7281c6bc638f707da831fc8764473372c16d6991 /systems
parenta4d84ebc921edb92389930fb74541c45cff9b240 (diff)
yak: rebuild: LVM and headless
It's a SLURM box on my desk now! Weeeeee Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r--systems/yak.scm99
-rw-r--r--systems/yak/nftables-rules.nft119
2 files changed, 118 insertions, 100 deletions
diff --git a/systems/yak.scm b/systems/yak.scm
index 3a1a1776..3653427c 100644
--- a/systems/yak.scm
+++ b/systems/yak.scm
@@ -1,4 +1,4 @@
-(define-module (systems daeva)
+(define-module (systems yak)
#:use-module (guix)
#:use-module (guix records)
#:use-module (guix utils)
@@ -9,6 +9,7 @@
#:use-module (gnu services cups)
#:use-module (gnu services dbus)
#:use-module (gnu services desktop)
+ #:use-module (gnu services docker)
#:use-module (gnu services linux)
#:use-module (gnu services mcron)
#:use-module (gnu services networking)
@@ -32,15 +33,12 @@
#:use-module (kbg services dict)
#:use-module (kbg services nftables)
#:use-module (kbg services slurm)
- #:use-module (kbg system setuid-programs)
#:use-module ((kbg system mcron) :prefix mcron:)
#:use-module (kbg system xorg))
(define yak-system
(operating-system
(kernel linux-lts)
- (kernel-loadable-modules
- (list v4l2loopback-linux-module))
(firmware (list linux-firmware))
(initrd microcode-initrd)
(host-name "yak")
@@ -56,34 +54,76 @@
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
+ (mapped-devices
+ (list (mapped-device
+ (source "vg0")
+ (targets (list "vg0-root" "vg0-var" "vg0-tmp" "vg0-nix" "vg0-guix" "vg0-var" "vg0-swap"))
+ (type lvm-device-mapping))
+ (mapped-device
+ (source "vg1")
+ (targets (list "vg1-home"))
+ (type lvm-device-mapping))))
+
(file-systems (append
(list (file-system
- (device (uuid "acc24667-d071-48dc-81f7-b077e838b29f"))
+ (device "/dev/mapper/vg0-root")
(mount-point "/")
- (type "ext4"))
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-guix")
+ (mount-point "/gnu")
+ (type "xfs")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-nix")
+ (mount-point "/nix")
+ (type "xfs")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-var")
+ (mount-point "/var")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-tmp")
+ (mount-point "/tmp")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-opt")
+ (mount-point "/opt")
+ (type "ext4")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
(file-system
(device (uuid "EAB6-6000" 'fat))
(mount-point "/boot/efi")
(type "vfat"))
(file-system
- (device (uuid "1ca489ef-8d04-40a5-bd1c-a5ee9333a27a"))
+ (device "/dev/mapper/vg1-home")
(mount-point "/home")
- (type "xfs")))
+ (type "xfs")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices)))
%base-file-systems))
- ;; uuid=47b44fb7-4f6f-4ef5-bb17-2c509a80bc52
- (swap-devices (list (swap-space (target "/swapfile"))))
+ (swap-devices (list (swap-space (target "/dev/mapper/vg0-swap")
+ (dependencies mapped-devices)
+ (discard? #t))))
(users (cons (user-account
(name "kb")
(group "users")
- (supplementary-groups '("audio"
- "input"
+ (supplementary-groups '("input"
"kvm"
- "lp"
"netdev"
"tty"
- "video"
"wheel")))
%base-user-accounts))
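Review bot: The `targets` list of the `vg0` mapped-device names `"vg0-var"` twice and never names `"vg0-opt"`, yet the new `/opt` file-system below it mounts `/dev/mapper/vg0-opt` with `(dependencies mapped-devices)`, so the declared targets and the mounts disagree. The second `"vg0-var"` looks like it was meant to be `"vg0-opt"`; the line would read `(targets (list "vg0-root" "vg0-var" "vg0-tmp" "vg0-nix" "vg0-guix" "vg0-opt" "vg0-swap"))`. Whether the mismatch actually breaks boot depends on how `lvm-device-mapping` checks its targets, which is not visible here, but the list should match the logical volumes the file-systems use. The enclosing `operating-system` form continues past the end of this hunk.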
@@ -92,25 +132,7 @@
%kbg-bare-desktop-packages
%base-packages))
- ;; Add GNOME and Xfce---we can choose at the log-in screen
- ;; by clicking the gear. Use the "desktop" services, which
- ;; include the X11 log-in service, networking with
- ;; NetworkManager, and more.
- (services (append (list (service gnome-desktop-service-type)
- ;;(geoclue-service)
- (bluetooth-service #:auto-enable? #t)
- (service cups-service-type
- (cups-configuration
- (web-interface? #t)
- (extensions
- (list cups-filters hplip-minimal splix))))
- dictionary-service
- (set-xorg-configuration
- (xorg-configuration
- (keyboard-layout keyboard-layout)
- (extra-config (list %xorg-libinput-config))))
- (service nix-service-type)
- (service pcscd-service-type)
+ (services (append (list (service nix-service-type)
(service tlp-service-type
(tlp-configuration
(cpu-scaling-governor-on-ac (list "performance"))
@@ -121,9 +143,10 @@
(service openssh-service-type
(openssh-configuration
(x11-forwarding? #f)
- (password-authentication? #f)
+ (password-authentication? #t)
(permit-root-login 'prohibit-password)))
(nftables-service "yak")
+ (service singularity-service-type)
(service munge-service-type)
(service slurm-service-type
(slurm-configuration
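Review bot: Flipping `(password-authentication? #f)` to `(password-authentication? #t)` weakens the SSH surface of the host at the same time the firewall on this page still accepts `tcp dport ssh` from any source (see the `input` chain in `systems/yak/nftables-rules.nft` below), so logins become password-guessable from every host that can reach the box rather than key-only. If the intent is a one-off for initial provisioning of the rebuilt machine, the commit message does not say so, and `'prohibit-password` for root does not protect the `kb` account. Keeping `(password-authentication? #f)` and provisioning the key another way is the safer default; if password login must stay on, restricting the ssh accept rule to the local ranges the other rules already use would limit exposure. The new `(service singularity-service-type)` presumably also installs setuid helpers on this host — worth confirming against the service definition, since `%kb-setuid-programs` was removed in an earlier hunk. The `services` list starts and ends outside this hunk.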
@@ -164,12 +187,10 @@
(simple-service 'my-cron-jobs
mcron-service-type
(list mcron:guix-gc-repair-job)))
- %kbg-desktop-services))
+ (modify-services %kbg-desktop-services
+ (delete gdm-service-type))))
;; Allow resolution of '.local' host names with mDNS.
- (name-service-switch %mdns-host-lookup-nss)
-
- (setuid-programs (append %kb-setuid-programs
- %setuid-programs))))
+ (name-service-switch %mdns-host-lookup-nss)))
yak-system
diff --git a/systems/yak/nftables-rules.nft b/systems/yak/nftables-rules.nft
index c572c647..2c1d83a5 100644
--- a/systems/yak/nftables-rules.nft
+++ b/systems/yak/nftables-rules.nft
@@ -1,74 +1,71 @@
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
- ct state invalid counter drop comment "drop invalid packets"
- ct state established,related counter accept comment "accept related connections"
- iif lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
- ip protocol icmp counter accept
- ip6 nexthdr ipv6-icmp counter accept
- udp dport domain ip saddr 172.16.0.0/12 counter accept
- tcp dport ssh counter accept
- tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- counter
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport ssh accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
- ct state established,related counter accept
- counter
+ ct state established,related accept
}
chain output {
type filter hook output priority 0; policy drop;
- ct state established,related counter accept
- icmp type echo-request counter accept
- icmp type echo-reply counter accept
- ip daddr 127.0.0.0/8 counter accept
- ip6 daddr ::1 counter accept
- udp dport domain counter accept
- tcp dport 853 counter accept comment "DNS over TLS"
- udp dport 853 counter accept comment "DNS over TLS"
- tcp dport http counter accept
- tcp dport https counter accept
- udp dport https counter accept
- tcp dport ssh counter accept
- tcp dport bootps counter accept
- udp dport bootps counter accept
- tcp dport ntp counter accept
- udp dport ntp counter accept
- tcp dport nntps counter accept
- udp dport nntps counter accept
- tcp dport submission counter accept
- tcp dport imaps counter accept
- tcp dport 2222 counter accept
- tcp dport hkp counter accept
- udp dport hkp counter accept
- tcp dport 9100 counter accept
- tcp dport git counter accept
- udp dport git counter accept
- tcp dport rsync counter accept
- udp dport rsync counter accept
- tcp dport 8000 counter accept
- tcp dport http-alt counter accept
- udp dport openvpn counter accept
- tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 5222 counter accept comment "XMPP"
- tcp dport 6697 counter accept comment "IRC"
- tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 19302-19309 counter accept comment "Google Meet Ports"
- tcp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 51820 counter accept comment "WireGuard"
- counter
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
}
}
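Review bot: Dropping `counter` from every rule, and in particular deleting the bare trailing `counter` that closed the `input`, `forward` and `output` chains, removes the only visibility into packets that fall through to `policy drop`; after this change there is no way to tell from `nft list ruleset` whether the drop policy is ever hit or which accept rules carry traffic. Per-rule counters are cheap, and at minimum the trailing line in each chain should be kept, e.g. `counter comment "fell through to policy drop"`, so that misconfigured services on a headless box show up as growing drop counts rather than silent timeouts. Separately, `tcp dport ssh accept` in `input` is the one inbound service rule with no `ip saddr` restriction, which matters more now that the accompanying `yak.scm` change enables SSH password authentication.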