pi5-1

Author: randomizedcoder

arm/pi5-1/.gitignore

@@ -1,2 +1,4 @@
 result
 ./result
+old-result
+./old-result

arm/pi5-1/Makefile

@@ -1,11 +1,13 @@
 
 # https://wiki.nixos.org/wiki/NixOS_on_ARM/Building_Images#Compiling_through_binfmt_QEMU
 all:
-	nix build .#packages.aarch64-linux.sdcard
+	nix build .#packages.aarch64-linux.sdcard;
 
+update:
+	sudo nix flake update;
 
 flash:
-	sudo dd if=/nix/store/z5bdj3iczgzm3qjgn6lvjswd0lmflkza-nixos-sd-image-24.11.20250119.107d5ef-aarch64-linux.img/sd-image/nixos-sd-image-24.11.20250119.107d5ef-aarch64-linux.img of=/dev/sda bs=10MB oflag=dsync status=progress
+	sudo dd if=/nix/store/z5bdj3iczgzm3qjgn6lvjswd0lmflkza-nixos-sd-image-24.11.20250119.107d5ef-aarch64-linux.img/sd-image/nixos-sd-image-24.11.20250119.107d5ef-aarch64-linux.img of=/dev/sda bs=10MB oflag=dsync status=progress;
 
 # this was copied from video: https://www.youtube.com/watch?v=6Le0IbPRzOE
 # time. 53.54

arm/pi5-1/configuration.nix

@@ -0,0 +1,49 @@
+#
+# arm/pi5-1/configuration.nix
+#
+
+{ config, pkgs, lib, ... }:
+
+# https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F
+# https://discourse.nixos.org/t/differences-between-nix-channels/13998
+
+{
+  # https://nixos.wiki/wiki/NixOS_modules
+  imports =
+    [
+      ./sysctl.nix
+      ./services.ssh.nix
+      ./nodeExporter.nix
+      ./docker-daemon.nix
+    ];
+
+  # https://nixos.wiki/wiki/Nix_Cookbook
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      #experimental-features = [ "nix-command" "flakes" ];
+      experimental-features = [ "nix-command" "flakes" ];
+
+      download-buffer-size = "100000000";
+    };
+
+    gc = {
+      automatic = true;                  # Enable automatic execution of the task
+      dates = "weekly";                  # Schedule the task to run weekly
+      options = "--delete-older-than 10d";  # Specify options for the task: delete files older than 10 days
+      randomizedDelaySec = "14m";        # Introduce a randomized delay of up to 14 minutes before executing the task
+    };
+  };
+
+  networking.firewall.enable = true;
+
+  services.lldpd.enable = true;
+
+  services.timesyncd.enable = true;
+
+  services.fstrim.enable = true;
+
+  nixpkgs.config = {
+    allowUnfree = true;
+  };
+}

arm/pi5-1/docker-daemon.nix

@@ -0,0 +1,27 @@
+
+{ config, pkgs, ... }:
+
+{
+  # https://nixos.wiki/wiki/Docker
+  # https://search.nixos.org/options?from=0&size=50&sort=alpha_asc&query=virtualisation.docker
+  # https://search.nixos.org/options?channel=24.05&show=virtualisation.docker.extraOptions&from=0&size=50&sort=alpha_asc&type=packages&query=virtualisation.docker
+  # https://github.com/NixOS/nixpkgs/issues/68349
+  virtualisation.docker.enable = true;
+  virtualisation.docker.daemon.settings = {
+    data-root = "/home/das/docker/";
+    userland-proxy = false;
+    experimental = true;
+    ipv6 = true;
+    fixed-cidr-v6 = "fd00::/80";
+    metrics-addr = "0.0.0.0:9323";
+    # log-driver = "json-file";
+    # log-opts.max-size = "10m";
+    # log-opts.max-file = "10";
+  };
+  #this doesn't work
+  #virtualisation.docker.daemon.settings.log-opts.max-size = "10m";
+  # https://docs.docker.com/reference/cli/dockerd/
+  #virtualisation.docker.extraOptions = "--userland-proxy=false";
+  #virtualisation.docker.extraOptions = "--log-opt=max-size=10m";
+  #virtualisation.docker.extraOptions = "--ipv6";
+}

arm/pi5-1/extra-config.nix

@@ -1,13 +1,16 @@
 {
   description = "Base system for raspberry pi 5";
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.11";
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    # nixpkgs.url = "nixpkgs/nixos-24.11";
+    # nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
+  #outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }:
   outputs = { self, nixpkgs, nixos-generators, ... }:
   {
     nixosModules = {
@@ -28,6 +31,14 @@
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMCFUMSCFJX95eLfm7P9r72NBp9I1FiXwNwJ+x/HGPV das@t"
             ];
           };
+          brent = {
+            password = "admin123";
+            isNormalUser = true;
+            extraGroups = [ "wheel" ];
+            openssh.authorizedKeys.keys = [
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHhM04LlDK/gOItDXa2mzMof6LhXT9IBJ9liFPEn0xJ brent@mckee.is"
+            ];
+          };
         };
       };
     };
@@ -37,7 +48,7 @@
         system = "aarch64-linux";
         format = "sd-aarch64";
         modules = [
-          ./extra-config.nix
+          ./configuration.nix
           self.nixosModules.system
           self.nixosModules.users
           ( { ... }: {

arm/pi5-1/flake.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+{
+  # https://nixos.org/manual/nixos/stable/#module-services-prometheus-exporters
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/default.nix
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9000;
+    # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+    enabledCollectors = [ "systemd" ];
+    # /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter  --help
+    extraFlags = [
+      "--collector.ethtool"
+      "--collector.softirqs"
+      "--collector.tcpstat"
+      #"--collector.wifi"
+      "--collector.filesystem.ignored-mount-points='/nix/store'"];
+  };
+
+  # https://search.nixos.org/options?channel=24.05&from=200&size=50&sort=relevance&type=packages&query=services.prometheus.exporters
+  services.prometheus.exporters.systemd.enable = true;
+  services.prometheus.exporters.smartctl.enable = true;
+  services.prometheus.exporters.process.enable = true;
+}

arm/pi5-1/nodeExporter.nix

@@ -0,0 +1,51 @@
+{ pkgs, config, ... }:
+{
+  # https://nixos.wiki/wiki/SSH
+  # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix
+  # https://github.com/NixOS/nixpkgs/blob/47457869d5b12bdd72303d6d2ba4bfcc26fe8531/nixos/modules/services/security/sshguard.nix
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      # default key algos: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix#L546
+      # KexAlgorithms = [
+      #   "mlkem768x25519-sha256"
+      #   "sntrup761x25519-sha512"
+      #   "sntrup761x25519-sha512@openssh.com"
+      #   "curve25519-sha256"
+      #   "curve25519-sha256@libssh.org"
+      #   "diffie-hellman-group-exchange-sha256"
+      # ];
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+        "aes128-gcm@openssh.com"
+        # shortned default list
+      ];
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
+      # HostKeyAlgorithms = [
+      #   "ssh-ed25519-cert-v01@openssh.com"
+      #   "sk-ssh-ed25519-cert-v01@openssh.com"
+      #   "rsa-sha2-512-cert-v01@openssh.com"
+      #   "rsa-sha2-256-cert-v01@openssh.com"
+      #   "ssh-ed25519"
+      #   "sk-ssh-ed25519@openssh.com"
+      #   "rsa-sha2-512"
+      #   "rsa-sha2-256"
+      # ];
+      UsePAM = true;
+      KbdInteractiveAuthentication = true;
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+      ChallengeResponseAuthentication = false;
+      X11Forwarding = false;
+      GatewayPorts = "no";
+    };
+  };
+
+  services.sshguard.enable = true;
+}

arm/pi5-1/services.ssh.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+{
+  # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
+  boot.kernel.sysctl = {
+    # detect dead connections more quickly
+    "net.ipv4.tcp_keepalive_intvl" = 30;
+    #net.ipv4.tcp_keepalive_intvl = 75
+    "net.ipv4.tcp_keepalive_probes" = 4;
+    #net.ipv4.tcp_keepalive_probes = 9
+    "net.ipv4.tcp_keepalive_time" = 120;
+    #net.ipv4.tcp_keepalive_time = 7200
+    # 30 * 4 = 120 seconds. / 60 = 2 minutes
+    # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes
+    "net.ipv4.tcp_rmem" = "4096	1000000	16000000";
+    "net.ipv4.tcp_wmem" = "4096	1000000	16000000";
+    #net.ipv4.tcp_rmem = 4096       131072  6291456
+    #net.ipv4.tcp_wmem = 4096       16384   4194304
+    # https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.rst?plain=1#L1042
+    # https://lwn.net/Articles/560082/
+    "net.ipv4.tcp_notsent_lowat" = "131072";
+    #net.ipv4.tcp_notsent_lowat = 4294967295
+    # enable Enable reuse of TIME-WAIT sockets globally
+    "net.ipv4.tcp_tw_reuse" = 1;
+    #net.ipv4.tcp_tw_reuse=2
+    "net.ipv4.tcp_timestamps" = 1;
+    "net.ipv4.tcp_ecn" = 1;
+    "net.core.default_qdisc" = "cake";
+    "net.ipv4.tcp_congestion_control" = "cubic";
+    #net.ipv4.tcp_congestion_control=bbr
+    "net.core.rmem_default" = 26214400;
+    "net.core.rmem_max" = 26214400;
+    "net.core.wmem_default" = 26214400;
+    "net.core.wmem_max" = 26214400;
+    #net.core.optmem_max = 20480
+    #net.core.rmem_default = 212992
+    #net.core.rmem_max = 212992
+    #net.core.wmem_default = 212992
+    #net.core.wmem_max = 212992
+    "net.ipv4.ip_local_port_range" = "1025 65535";
+    #net.ipv4.ip_local_port_range ="32768 60999"
+  };
+}

arm/pi5-1/sysctl.nix

@@ -47,6 +47,7 @@
       ./trafficserver.nix
       ./athens.nix
       ./remote-builder.nix
+      ./services.ssh.nix
     ];
 
   # Bootloader.
@@ -190,54 +191,54 @@
      enableSSHSupport = true;
   };
 
-  # https://nixos.wiki/wiki/SSH
-  # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix
-  # https://github.com/NixOS/nixpkgs/blob/47457869d5b12bdd72303d6d2ba4bfcc26fe8531/nixos/modules/services/security/sshguard.nix
-  services.openssh = {
-    enable = true;
-    openFirewall = true;
-    settings = {
-      # default key algos: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix#L546
-      # KexAlgorithms = [
-      #   "mlkem768x25519-sha256"
-      #   "sntrup761x25519-sha512"
-      #   "sntrup761x25519-sha512@openssh.com"
-      #   "curve25519-sha256"
-      #   "curve25519-sha256@libssh.org"
-      #   "diffie-hellman-group-exchange-sha256"
-      # ];
-      Ciphers = [
-        "chacha20-poly1305@openssh.com"
-        "aes256-gcm@openssh.com"
-        "aes128-gcm@openssh.com"
-        # shortned default list
-      ];
-      Macs = [
-        "hmac-sha2-512-etm@openssh.com"
-        "hmac-sha2-256-etm@openssh.com"
-        "umac-128-etm@openssh.com"
-      ];
-      # HostKeyAlgorithms = [
-      #   "ssh-ed25519-cert-v01@openssh.com"
-      #   "sk-ssh-ed25519-cert-v01@openssh.com"
-      #   "rsa-sha2-512-cert-v01@openssh.com"
-      #   "rsa-sha2-256-cert-v01@openssh.com"
-      #   "ssh-ed25519"
-      #   "sk-ssh-ed25519@openssh.com"
-      #   "rsa-sha2-512"
-      #   "rsa-sha2-256"
-      # ];
-      UsePAM = true;
-      KbdInteractiveAuthentication = true;
-      PermitRootLogin = "prohibit-password";
-      PasswordAuthentication = false;
-      ChallengeResponseAuthentication = false;
-      X11Forwarding = false;
-      GatewayPorts = "no";
-    };
-  };
+  # # https://nixos.wiki/wiki/SSH
+  # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix
+  # # https://github.com/NixOS/nixpkgs/blob/47457869d5b12bdd72303d6d2ba4bfcc26fe8531/nixos/modules/services/security/sshguard.nix
+  # services.openssh = {
+  #   enable = true;
+  #   openFirewall = true;
+  #   settings = {
+  #     # default key algos: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix#L546
+  #     # KexAlgorithms = [
+  #     #   "mlkem768x25519-sha256"
+  #     #   "sntrup761x25519-sha512"
+  #     #   "sntrup761x25519-sha512@openssh.com"
+  #     #   "curve25519-sha256"
+  #     #   "curve25519-sha256@libssh.org"
+  #     #   "diffie-hellman-group-exchange-sha256"
+  #     # ];
+  #     Ciphers = [
+  #       "chacha20-poly1305@openssh.com"
+  #       "aes256-gcm@openssh.com"
+  #       "aes128-gcm@openssh.com"
+  #       # shortned default list
+  #     ];
+  #     Macs = [
+  #       "hmac-sha2-512-etm@openssh.com"
+  #       "hmac-sha2-256-etm@openssh.com"
+  #       "umac-128-etm@openssh.com"
+  #     ];
+  #     # HostKeyAlgorithms = [
+  #     #   "ssh-ed25519-cert-v01@openssh.com"
+  #     #   "sk-ssh-ed25519-cert-v01@openssh.com"
+  #     #   "rsa-sha2-512-cert-v01@openssh.com"
+  #     #   "rsa-sha2-256-cert-v01@openssh.com"
+  #     #   "ssh-ed25519"
+  #     #   "sk-ssh-ed25519@openssh.com"
+  #     #   "rsa-sha2-512"
+  #     #   "rsa-sha2-256"
+  #     # ];
+  #     UsePAM = true;
+  #     KbdInteractiveAuthentication = true;
+  #     PermitRootLogin = "prohibit-password";
+  #     PasswordAuthentication = false;
+  #     ChallengeResponseAuthentication = false;
+  #     X11Forwarding = false;
+  #     GatewayPorts = "no";
+  #   };
+  # };
 
-  services.sshguard.enable = true;
+  # services.sshguard.enable = true;
 
   # search for serivces url
   #https://github.com/search?q=repo%3ANixOS%2Fnixpkgs+path%3A%2F%5Enixos%5C%2Fmodules%5C%2Fservices%5C%2F%2F+openssh&type=code