diff --git a/flake.nix b/flake.nix index 9edfb91..0219785 100644 --- a/flake.nix +++ b/flake.nix @@ -40,13 +40,15 @@ outputs = inputs @ { self, nixpkgs, nixpkgs-stable, nixos-hardware, home-manager, nur, agenix, jovian-nixos, microvm, ... }: # Function that tells my flake which to use and what do what to do with the dependencies. let # Variables that can be used in the config files user = "kabbone"; + userdmz = "diablo"; + userserver = "mephisto"; location = "$HOME/.setup"; in # Use above variables in ... { nixosConfigurations = ( # NixOS configurations import ./hosts { # Imports ./hosts/default.nix inherit (nixpkgs) lib; - inherit inputs nixpkgs nixpkgs-stable nixos-hardware home-manager nur user location agenix jovian-nixos microvm; # Also inherit home-manager so it does not need to be defined here. + inherit inputs nixpkgs nixpkgs-stable nixos-hardware home-manager nur user userdmz userserver location agenix jovian-nixos microvm; # Also inherit home-manager so it does not need to be defined here. nix.allowedUsers = [ "@wheel" ]; security.sudo.execWheelOnly = true; } diff --git a/hosts/configuration_server.nix b/hosts/configuration_server.nix index 207f083..13bf8af 100644 --- a/hosts/configuration_server.nix +++ b/hosts/configuration_server.nix @@ -75,16 +75,6 @@ EDITOR = "nvim"; VISUAL = "nvim"; }; - etc = { - "fail2ban/filter.d/gitea.conf" = { - source = ../modules/services/server/fail2ban/filter/gitea.conf; - mode = "0444"; - }; - "fail2ban/filter.d/nextcloud.conf" = { - source = ../modules/services/server/fail2ban/filter/nextcloud.conf; - mode = "0444"; - }; - }; systemPackages = with pkgs; [ # Default packages install system-wide vim git 
@@ -117,29 +107,6 @@ ports = [ 2220 ]; openFirewall = true; }; - fail2ban = { - enable = true; - maxretry = 5; - jails.DEFAULT.settings = { - findtime = "15m"; - bantime = "1h"; - }; - jails = { - gitea = '' - enabled = true - filter = gitea - backend = systemd - action = iptables-allports - ''; - nextcloud = '' - backend = auto - enabled = true - filter = nextcloud - logpath = /var/lib/nextcloud/data/nextcloud.log - action = iptables-allports - ''; - }; - }; #flatpak.enable = true; # download flatpak file from website - sudo flatpak install - reboot if not showing up # sudo flatpak uninstall --delete-data (> flatpak list --app) - flatpak uninstall --unused diff --git a/hosts/default.nix b/hosts/default.nix index 98aba30..4a88a87 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -11,7 +11,7 @@ # └─ ./home.nix # -{ lib, inputs, nixpkgs, nixos-hardware, home-manager, nur, user, location, agenix, jovian-nixos, microvm, ... }: +{ lib, inputs, nixpkgs, nixos-hardware, home-manager, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, ... }: let system = "x86_64-linux"; # System architecture @@ -109,10 +109,10 @@ in ]; }; - dmz = lib.nixosSystem { # Desktop profile + server = lib.nixosSystem { # Desktop profile inherit system; - #user = "dmz-user"; - specialArgs = { inherit inputs user location nixos-hardware nur agenix; }; + specialArgs = { inherit inputs userserver location nixos-hardware nur agenix; }; + user = userserver; modules = [ agenix.nixosModules.default nur.nixosModules.nur 
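Review bot: `user = userserver;` is added as a top-level attribute of the `lib.nixosSystem` call in the new `server` block, where it is not something modules can see; as far as I can tell eval-config's argument set has no `...`, so this is more likely to fail with an unexpected-argument error than to do anything. Modules that declare `user` (the ones added elsewhere in this commit do) only receive what is in `specialArgs`, which now carries `userserver` but no `user`. Suggested: drop the `user = userserver;` line and write `specialArgs = { inherit inputs location nixos-hardware nur agenix; user = userserver; };`. The block continues past the hunk (the `modules` list is cut off), so the home-manager part could not be checked here; the `# Desktop profile` comment is also stale for a server.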
@@ -135,6 +135,32 @@ in ]; }; + dmz = lib.nixosSystem { # Desktop profile + inherit system; + specialArgs = { inherit inputs usersdmz location nixos-hardware nur agenix; }; + user = userdmz; + modules = [ + agenix.nixosModules.default + nur.nixosModules.nur + ./dmz + ./configuration_server.nix + nixos-hardware.nixosModules.common-cpu-amd + nixos-hardware.nixosModules.common-pc-ssd + + home-manager.nixosModules.home-manager { + nixpkgs.overlays = [ + nur.overlay + ]; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { inherit user; }; + home-manager.users.${user} = { + imports = [(import ./home_server.nix)] ++ [(import ./dmz/home.nix)]; + }; + } + ]; + }; + nas = lib.nixosSystem { # Desktop profile inherit system; #user = "dmz-user"; diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix index a05a43f..ca99ae8 100644 --- a/hosts/desktop/default.nix +++ b/hosts/desktop/default.nix @@ -25,7 +25,6 @@ #[(import ../../modules/desktop/hyprland/default.nix)] ++ # Window Manager [(import ../../modules/desktop/sway/default.nix)] ++ # Window Manager (import ../../modules/desktop/virtualisation) ++ # Docker - [(import ./microvm.nix)] ++ (import ../../modules/hardware); # Hardware devices boot = { # Boot options @@ -60,7 +59,6 @@ programs = { # No xbacklight, this is the alterantive zsh.enable = true; dconf.enable = true; - light.enable = true; ssh.startAgent = false; gnupg.agent = { enable = true; diff --git a/hosts/dmz/default.nix b/hosts/dmz/default.nix new file mode 100644 index 0000000..686f09a --- /dev/null +++ b/hosts/dmz/default.nix 
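Review bot: `specialArgs = { inherit inputs usersdmz location ... }` in the new `dmz` block refers to `usersdmz`, which is not defined anywhere (flake.nix defines `userdmz`), so this output fails with an undefined variable before anything else is evaluated. Further down, `home-manager.extraSpecialArgs = { inherit user; }` and `home-manager.users.${user}` bind to the outer `user` from flake.nix ("kabbone"), not to `userdmz`, and `user = userdmz;` has the same problem as in the `server` hunk above: it is not an argument `lib.nixosSystem` passes on. Suggested lines: `specialArgs = { inherit inputs location nixos-hardware nur agenix; user = userdmz; };`, `home-manager.extraSpecialArgs = { user = userdmz; };`, `home-manager.users.${userdmz} = {`. Note also that modules/services/dmz/microvm.nix, pulled in through ./dmz, declares `microvm` and `nixpkgs` as module arguments, which this `specialArgs` does not provide unless they arrive by another route I cannot see.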
@@ -0,0 +1,59 @@ +# +# Specific system configuration settings for desktop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ ├─ default.nix * +# │ └─ hardware-configuration.nix +# └─ ./modules +# ├─ ./desktop +# │ └─ ./hyprland +# │ └─ hyprland.nix +# ├─ ./modules +# │ └─ ./programs +# │ └─ waybar.nix +# └─ ./hardware +# └─ default.nix +# + +{ config, pkgs, user, ... }: + +{ + imports = # For now, if applying to other system, swap files + [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix + [(import ../../modules/desktop/virtualisation/docker.nix)] ++ # Docker + (import ../../modules/services/dmz) ++ # Server Services + (import ../../modules/hardware); # Hardware devices + + boot = { # Boot options + kernelPackages = pkgs.linuxPackages_latest; + + loader = { # EFI Boot + systemd-boot.enable = true; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + timeout = 1; # Grub auto select time + }; + }; + + programs = { # No xbacklight, this is the alterantive + zsh.enable = true; + }; + + services = { + qemuGuest.enable = true; + avahi = { # Needed to find wireless printer + enable = true; + nssmdns = true; + publish = { # Needed for detecting the scanner + enable = true; + addresses = true; + userServices = true; + }; + }; + }; + +} diff --git a/hosts/dmz/hardware-configuration.nix b/hosts/dmz/hardware-configuration.nix new file mode 100644 index 0000000..7e84622 --- /dev/null +++ b/hosts/dmz/hardware-configuration.nix 
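Review bot: The header comment of the new hosts/dmz/default.nix still says "Specific system configuration settings for desktop" and draws a ./laptop / ./hyprland tree, none of which applies to this DMZ host; the `# No xbacklight, this is the alterantive`, `# Needed to find wireless printer` and `# Needed for detecting the scanner` comments travelled along as well. More than a documentation nit: `avahi.publish` with `enable = true`, `addresses = true` and `userServices = true` advertises this host and its user services over mDNS on whatever segment it sits on, which is the opposite of what a host named dmz usually wants. Unless something here genuinely depends on mDNS discovery, I would drop the `avahi` block or at least set `publish.enable = false;`, and rewrite the header to describe this host (a qemu guest, per its hardware-configuration, that hosts the microvm from modules/services/dmz).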
@@ -0,0 +1,104 @@ +# +# Hardware settings for Teclast F5 10" Laptop +# NixOS @ sda2 +# +# flake.nix +# └─ ./hosts +# └─ ./laptop +# └─ hardware-configuration.nix * +# +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.tmp.useTmpfs = false; + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + + services.btrfs.autoScrub = { + enable = true; + interval = "monthly"; + fileSystems = [ + "/" + ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; + }; + + fileSystems."/srv" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; + }; + + fileSystems."/var" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; + }; + + fileSystems."/swap" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; + }; 
+ + fileSystems."/mnt/snapshots/root" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; + }; + + swapDevices = [ ]; + + systemd.network = { + enable = true; + networks = { + "10-lan" = { + matchConfig.Name = "enp34s0"; + ntp = [ "192.168.2.1" ]; + domains = [ "home.opel-online.de" ]; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + }; + }; + }; + }; + networking = { + useDHCP = false; # Deprecated + hostName = "dmz"; + firewall = { + enable = true; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; + }; + }; + +} diff --git a/hosts/dmz/home.nix b/hosts/dmz/home.nix new file mode 100644 index 0000000..03d34bb --- /dev/null +++ b/hosts/dmz/home.nix @@ -0,0 +1,39 @@ +# +# Home-manager configuration for laptop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ └─ home.nix * +# └─ ./modules +# └─ ./desktop +# └─ ./hyprland +# └─ hyprland.nix +# + +{ pkgs, ... }: + +{ + imports = + [ + ../../modules/home.nix # Window Manager + ]; + + home = { # Specific packages for laptop + packages = with pkgs; [ + # Applications + + # Display + #light # xorg.xbacklight not supported. Other option is just use xrandr. + + # Power Management + #auto-cpufreq # Power management + #tlp # Power management + ]; + }; + + programs = { + alacritty.settings.font.size = 11; + }; + +} diff --git a/hosts/server/default.nix b/hosts/server/default.nix index 739d785..ad044fa 100644 --- a/hosts/server/default.nix +++ b/hosts/server/default.nix 
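Review bot: `boot.kernelModules = [ "kvm-intel" ];` in hosts/dmz/hardware-configuration.nix does not match the `nixos-hardware.nixosModules.common-cpu-amd` module the same host pulls in from hosts/default.nix; if the CPU really is AMD the module should be `"kvm-amd"`, and since this guest imports microvm.nix to run a VM, the wrong module means no usable /dev/kvm inside it. The header ("Hardware settings for Teclast F5 10\" Laptop", "Do not modify this file! It was generated by 'nixos-generate-config'") is copied from another host and is already false — the vfio modules, btrfs subvolume layout and systemd-networkd block are hand-written — so I would replace it with one line describing this host. The `firewall` block with empty port lists is the right default for a DMZ box; a comment such as `# nothing listens on the host: services live inside the microvm` would stop a later edit from "helpfully" opening ports here.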
@@ -38,13 +38,18 @@ }; }; -# environment = { -# systemPackages = with pkgs; [ -## simple-scan -## intel-media-driver -## alacritty -# ]; -# }; + environment = { + etc = { + "fail2ban/filter.d/gitea.conf" = { + source = ../../modules/services/server/fail2ban/filter/gitea.conf; + mode = "0444"; + }; + "fail2ban/filter.d/nextcloud.conf" = { + source = ../../modules/services/server/fail2ban/filter/nextcloud.conf; + mode = "0444"; + }; + }; + }; programs = { # No xbacklight, this is the alterantive zsh.enable = true; @@ -67,6 +72,29 @@ userServices = true; }; }; + fail2ban = { + enable = true; + maxretry = 5; + jails.DEFAULT.settings = { + findtime = "15m"; + bantime = "1h"; + }; + jails = { + gitea = '' + enabled = true + filter = gitea + backend = systemd + action = iptables-allports + ''; + nextcloud = '' + backend = auto + enabled = true + filter = nextcloud + logpath = /var/lib/nextcloud/data/nextcloud.log + action = iptables-allports + ''; + }; + }; }; diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix index e9d43dc..38fd455 100644 --- a/hosts/server/hardware-configuration.nix +++ b/hosts/server/hardware-configuration.nix @@ -102,7 +102,7 @@ networking = { useDHCP = false; # Deprecated - hostName = "dmz"; + hostName = "kabtop"; domain = "kabtop.de"; networkmanager = { enable = false; diff --git a/modules/services/dmz/default.nix b/modules/services/dmz/default.nix new file mode 100644 index 0000000..f52062b --- /dev/null +++ b/modules/services/dmz/default.nix @@ -0,0 +1,18 @@ +# +# Services +# +# flake.nix +# ├─ ./hosts +# │ └─ home.nix +# └─ ./modules +# └─ ./services +# └─ default.nix * +# └─ ... +# + +[ + ./microvm.nix +] + +# picom, polybar and sxhkd are pulled from desktop module +# redshift temporarely disables diff --git a/modules/services/dmz/gitea_runner.nix b/modules/services/dmz/gitea_runner.nix new file mode 100644 index 0000000..d6526c8 --- /dev/null +++ b/modules/services/dmz/gitea_runner.nix 
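Review bot: In the `fail2ban` block moved into hosts/server/default.nix, `jails.DEFAULT` uses the structured `settings` form while `gitea` and `nextcloud` are still free-form strings; mixing the two evaluates, as far as I know, but the string form is the legacy one and gets no type checking, so a typo such as `enabled = ture` only shows up in fail2ban's log at runtime. I would convert both jails to `settings` so they read like `DEFAULT`. The relocation itself is otherwise verbatim from hosts/configuration_server.nix.
```nix
      fail2ban = {
        # … unchanged: enable, maxretry, jails.DEFAULT.settings …
        jails.gitea.settings = {
          enabled = true;
          filter = "gitea";
          backend = "systemd";
          action = "iptables-allports";
        };
        jails.nextcloud.settings = {
          backend = "auto";
          enabled = true;
          filter = "nextcloud";
          logpath = "/var/lib/nextcloud/data/nextcloud.log";
          action = "iptables-allports";
        };
      };
```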
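Review bot: The trailing comment in the new modules/services/dmz/default.nix (`# picom, polybar and sxhkd are pulled from desktop module`, `# redshift temporarely disables`) looks copied from a desktop services list and describes nothing in this file, which only returns `./microvm.nix`. Replace it with what a reader needs here, e.g. `# gitea_runner.nix is not listed: microvm.nix imports it into the guest, not the host`. The header tree (`./hosts/home.nix`) is likewise stale for a services module.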
@@ -0,0 +1,24 @@ +{ lib, config, pkgs, ... }: + +{ + virtualisation = { + podman ={ + enable = true; + autoPrune.enable = true; + }; + }; + + services.gitea-actions-runner.instances = { + nixrunner-test = { + enable = true; + url = "https://git.kabtop.de"; + name = "nix_runner_test"; + #tokenFile = "./gitea_token"; + token = "vlUBkX5IbJKTBO3HAGqFM1fEOw2UqXpX87LcdJRY"; + labels = [ + "debian-latest:docker://node:18-bullseye" + ]; + }; + }; + system.stateVersion = "23.11"; +} diff --git a/hosts/desktop/microvm.nix b/modules/services/dmz/microvm.nix similarity index 72% rename from hosts/desktop/microvm.nix rename to modules/services/dmz/microvm.nix index 0df01d6..ef65a6f 100644 --- a/hosts/desktop/microvm.nix +++ b/modules/services/dmz/microvm.nix @@ -1,4 +1,4 @@ -{ microvm, nixpkgs, ... }: +{ microvm, nixpkgs, user, ... }: let name = "gitea"; in @@ -9,21 +9,38 @@ in # ]; vms = { ${name} = { + pkgs = import nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; }; + imports = [( ./gitea_runner.nix )]; + config = { networking = { hostName = "${name}-runner"; + firewall = { enable = true; - #allowedUDPPorts = [ 53 67 ]; - #allowedTCPPorts = [ 53 80 443 9443 ]; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; }; }; - users.users."kabbone" = { # System User + systemd.network = { + enable = true; + networks = { + "10-lan" = { + matchConfig.Name = "*"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + }; + }; + }; + }; + + users.users.${user} = { # System User isNormalUser = true; extraGroups = [ "wheel" ]; uid = 2000; @@ -48,8 +65,8 @@ in interfaces = [ { type = "macvtap"; - id = "${name}-tap"; - mac = "02:00:00:00:00:01"; + id = "vm-${name}"; + mac = "04:00:00:00:00:01"; macvtap = { link = "enp34s0"; mode = "bridge"; @@ -61,8 +78,8 @@ in tag = "ro-store"; proto = "virtiofs"; }]; - #writableStoreOverlay = "/nix/.rw-store"; - #storeOnDisk = true; + writableStoreOverlay = "/nix/.rw-store"; + storeOnDisk = true; }; system.stateVersion = "23.05"; };
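Review bot: `token = "vlUBkX5IbJKTBO3HAGqFM1fEOw2UqXpX87LcdJRY";` in modules/services/dmz/gitea_runner.nix commits a live Gitea runner registration token to the repository, and because it is an option value it is also written into the Nix store of the guest (and of the host that builds it), readable by every local user. The right knob is the `tokenFile` line commented out just above it: point it at a file delivered outside the store, e.g. `tokenFile = config.age.secrets.<runner-secret>.path;` (placeholder name; how the file reaches the guest — agenix inside the VM or a host share — is a separate decision), and treat the committed value as exposed: revoke it on the Gitea side and register with a fresh one. Separately, `system.stateVersion = "23.11";` here will collide with the `system.stateVersion = "23.05";` that microvm.nix's `config` block sets for the same VM (last hunk of this diff) once both land in one evaluation, since a `str` option cannot carry two differing definitions. The `debian-latest:docker://node:18-bullseye` label pulls a mutable tag; pinning it by digest would make the runner image reproducible.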
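Review bot: `imports = [( ./gitea_runner.nix )];` is placed next to `pkgs` and `config` directly under `vms.${name}`, and as far as I can see `microvm.vms.<name>` has no `imports` option, so this is more likely to be rejected as an unknown option than to add the runner to the guest; the guest's module is the `config` value, so `config = { imports = [ ./gitea_runner.nix ]; networking = { ... }; ... };` is where it belongs. The enclosing function starts outside this hunk, so I could not confirm that `user` actually reaches this file: it is declared in the signature hunk above, but the dmz `specialArgs` in hosts/default.nix passes `userdmz` rather than `user`. `matchConfig.Name = "*"` enables DHCP on every link the guest sees, which is fine for the single macvtap interface declared further down but deserves a one-line comment saying so.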
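Review bot: `mac = "04:00:00:00:00:01";` replaces a locally-administered address with one whose first octet (0x04) has the locally-administered bit (0x02) clear, so on the LAN that macvtap bridges onto enp34s0 it now presents as a globally assigned OUI address. If the change was made to avoid clashing with another VM that also uses `02:00:00:00:00:01`, keep the local bit and vary another octet instead, e.g. `mac = "02:00:00:00:00:02";` (constructed example), or use `06:`/`0a:`/`0e:` as the first octet. A short comment recording which VM owns which address would prevent the next collision.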