hosts: add dmz, cleanups

This commit is contained in:
Kabbone 2023-10-16 10:33:47 +02:00
parent 5dc2c8a98b
commit 9cee80bed2
Signed by: Kabbone
SSH Key Fingerprint: SHA256:A5zPB5I6u5V78V51c362BBdCwhDhfDUVbt7NfKdjWBY
12 changed files with 338 additions and 56 deletions


@ -40,13 +40,15 @@
outputs = inputs @ { self, nixpkgs, nixpkgs-stable, nixos-hardware, home-manager, nur, agenix, jovian-nixos, microvm, ... }: # Function that tells my flake which to use and what do what to do with the dependencies. outputs = inputs @ { self, nixpkgs, nixpkgs-stable, nixos-hardware, home-manager, nur, agenix, jovian-nixos, microvm, ... }: # Function that tells my flake which to use and what do what to do with the dependencies.
let # Variables that can be used in the config files let # Variables that can be used in the config files
user = "kabbone"; user = "kabbone";
userdmz = "diablo";
userserver = "mephisto";
location = "$HOME/.setup"; location = "$HOME/.setup";
in # Use above variables in ... in # Use above variables in ...
{ {
nixosConfigurations = ( # NixOS configurations nixosConfigurations = ( # NixOS configurations
import ./hosts { # Imports ./hosts/default.nix import ./hosts { # Imports ./hosts/default.nix
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
inherit inputs nixpkgs nixpkgs-stable nixos-hardware home-manager nur user location agenix jovian-nixos microvm; # Also inherit home-manager so it does not need to be defined here. inherit inputs nixpkgs nixpkgs-stable nixos-hardware home-manager nur user userdmz userserver location agenix jovian-nixos microvm; # Also inherit home-manager so it does not need to be defined here.
nix.allowedUsers = [ "@wheel" ]; nix.allowedUsers = [ "@wheel" ];
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
} }


@ -75,16 +75,6 @@
EDITOR = "nvim"; EDITOR = "nvim";
VISUAL = "nvim"; VISUAL = "nvim";
}; };
etc = {
"fail2ban/filter.d/gitea.conf" = {
source = ../modules/services/server/fail2ban/filter/gitea.conf;
mode = "0444";
};
"fail2ban/filter.d/nextcloud.conf" = {
source = ../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444";
};
};
systemPackages = with pkgs; [ # Default packages install system-wide systemPackages = with pkgs; [ # Default packages install system-wide
vim vim
git git
@ -117,29 +107,6 @@
ports = [ 2220 ]; ports = [ 2220 ];
openFirewall = true; openFirewall = true;
}; };
fail2ban = {
enable = true;
maxretry = 5;
jails.DEFAULT.settings = {
findtime = "15m";
bantime = "1h";
};
jails = {
gitea = ''
enabled = true
filter = gitea
backend = systemd
action = iptables-allports
'';
nextcloud = ''
backend = auto
enabled = true
filter = nextcloud
logpath = /var/lib/nextcloud/data/nextcloud.log
action = iptables-allports
'';
};
};
#flatpak.enable = true; # download flatpak file from website - sudo flatpak install <path> - reboot if not showing up #flatpak.enable = true; # download flatpak file from website - sudo flatpak install <path> - reboot if not showing up
# sudo flatpak uninstall --delete-data <app-id> (> flatpak list --app) - flatpak uninstall --unused # sudo flatpak uninstall --delete-data <app-id> (> flatpak list --app) - flatpak uninstall --unused


@ -11,7 +11,7 @@
# └─ ./home.nix # └─ ./home.nix
# #
{ lib, inputs, nixpkgs, nixos-hardware, home-manager, nur, user, location, agenix, jovian-nixos, microvm, ... }: { lib, inputs, nixpkgs, nixos-hardware, home-manager, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, ... }:
let let
system = "x86_64-linux"; # System architecture system = "x86_64-linux"; # System architecture
@ -109,10 +109,10 @@ in
]; ];
}; };
dmz = lib.nixosSystem { # Desktop profile server = lib.nixosSystem { # Desktop profile
inherit system; inherit system;
#user = "dmz-user"; specialArgs = { inherit inputs userserver location nixos-hardware nur agenix; };
specialArgs = { inherit inputs user location nixos-hardware nur agenix; }; user = userserver;
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
nur.nixosModules.nur nur.nixosModules.nur
@ -135,6 +135,32 @@ in
]; ];
}; };
dmz = lib.nixosSystem { # Desktop profile
inherit system;
specialArgs = { inherit inputs usersdmz location nixos-hardware nur agenix; };
user = userdmz;
modules = [
agenix.nixosModules.default
nur.nixosModules.nur
./dmz
./configuration_server.nix
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-pc-ssd
home-manager.nixosModules.home-manager {
nixpkgs.overlays = [
nur.overlay
];
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit user; };
home-manager.users.${user} = {
imports = [(import ./home_server.nix)] ++ [(import ./dmz/home.nix)];
};
}
];
};
nas = lib.nixosSystem { # Desktop profile nas = lib.nixosSystem { # Desktop profile
inherit system; inherit system;
#user = "dmz-user"; #user = "dmz-user";
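Review bot: `specialArgs = { inherit inputs usersdmz location nixos-hardware nur agenix; };` in the new `dmz` configuration inherits `usersdmz`, but the name this commit binds is `userdmz` (the function argument list and the `user = userdmz;` line right below it), so `nixosConfigurations.dmz` fails to evaluate on an undefined variable. Even with the spelling fixed no module receives a `user` argument: `./dmz/default.nix` declares `{ config, pkgs, user, ... }` and the microvm module now pulled in through modules/services/dmz takes `user` as well, while `home-manager.users.${user}` and `extraSpecialArgs = { inherit user; }` still resolve to the outer `user` ("kabbone") rather than "diablo". The `user = userdmz;` attribute handed to `lib.nixosSystem` is, as far as I know, not an argument it accepts (the `server` hunk above has the same shape), and it is not what the modules read in any case. Rewritten dmz block below; if `./configuration_server.nix` reads `userserver`, keep passing that too.
```nix
dmz = lib.nixosSystem { # DMZ profile
  inherit system;
  # Modules and home-manager read `user`; bind the DMZ account to that name
  # instead of passing a stray `user` attribute to nixosSystem.
  specialArgs = { inherit inputs location nixos-hardware nur agenix; user = userdmz; };
  modules = [
    # … unchanged: agenix, nur, ./dmz, ./configuration_server.nix, nixos-hardware modules …
    home-manager.nixosModules.home-manager {
      # … unchanged: nixpkgs.overlays, useGlobalPkgs, useUserPackages …
      home-manager.extraSpecialArgs = { user = userdmz; };
      home-manager.users.${userdmz} = {
        imports = [(import ./home_server.nix)] ++ [(import ./dmz/home.nix)];
      };
    }
  ];
};
```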


@ -25,7 +25,6 @@
#[(import ../../modules/desktop/hyprland/default.nix)] ++ # Window Manager #[(import ../../modules/desktop/hyprland/default.nix)] ++ # Window Manager
[(import ../../modules/desktop/sway/default.nix)] ++ # Window Manager [(import ../../modules/desktop/sway/default.nix)] ++ # Window Manager
(import ../../modules/desktop/virtualisation) ++ # Docker (import ../../modules/desktop/virtualisation) ++ # Docker
[(import ./microvm.nix)] ++
(import ../../modules/hardware); # Hardware devices (import ../../modules/hardware); # Hardware devices
boot = { # Boot options boot = { # Boot options
@ -60,7 +59,6 @@
programs = { # No xbacklight, this is the alterantive programs = { # No xbacklight, this is the alterantive
zsh.enable = true; zsh.enable = true;
dconf.enable = true; dconf.enable = true;
light.enable = true;
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;

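--- /dev/null
+++ b/hosts/dmz/default.nix
@@ -0,0 +1,59 @@
+#
+# Specific system configuration settings for desktop
+#
+# flake.nix
+# ├─ ./hosts
+# │ └─ ./laptop
+# │ ├─ default.nix *
+# │ └─ hardware-configuration.nix
+# └─ ./modules
+# ├─ ./desktop
+# │ └─ ./hyprland
+# │ └─ hyprland.nix
+# ├─ ./modules
+# │ └─ ./programs
+# │ └─ waybar.nix
+# └─ ./hardware
+# └─ default.nix
+#
+{ config, pkgs, user, ... }:
+{
+imports = # For now, if applying to other system, swap files
+[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
+[(import ../../modules/desktop/virtualisation/docker.nix)] ++ # Docker
+(import ../../modules/services/dmz) ++ # Server Services
+(import ../../modules/hardware); # Hardware devices
+boot = { # Boot options
+kernelPackages = pkgs.linuxPackages_latest;
+loader = { # EFI Boot
+systemd-boot.enable = true;
+efi = {
+canTouchEfiVariables = true;
+efiSysMountPoint = "/boot";
+};
+timeout = 1; # Grub auto select time
+};
+};
+programs = { # No xbacklight, this is the alterantive
+zsh.enable = true;
+};
+services = {
+qemuGuest.enable = true;
+avahi = { # Needed to find wireless printer
+enable = true;
+nssmdns = true;
+publish = { # Needed for detecting the scanner
+enable = true;
+addresses = true;
+userServices = true;
+};
+};
+};
+}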
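Review bot: The `avahi` block (`publish.enable`, `addresses` and `userServices` all `true`, commented as printer and scanner discovery) is copied from a desktop profile; on a host named `dmz` it advertises the machine and its user services by mDNS to whatever shares that segment, and, if I remember the module's default correctly, `services.avahi.openFirewall` opens UDP 5353 regardless of the empty `allowedUDPPorts` list in the hardware file. Unless something on the DMZ network relies on discovery, drop the block, or at minimum set `publish.enable = false;` and `openFirewall = false;` and say in a comment why avahi is kept. The header comment still reads `# Specific system configuration settings for desktop` with a `./laptop` tree and should name `./dmz`, and `timeout = 1; # Grub auto select time` describes systemd-boot as Grub.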


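--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,104 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+# └─ ./hosts
+# └─ ./laptop
+# └─ hardware-configuration.nix *
+#
+# Do not modify this file! It was generated by nixos-generate-config
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+];
+boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+boot.tmp.useTmpfs = false;
+boot.tmp.cleanOnBoot = true;
+zramSwap.enable = true;
+services.btrfs.autoScrub = {
+enable = true;
+interval = "monthly";
+fileSystems = [
+"/"
+];
+};
+fileSystems."/" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
+};
+fileSystems."/home" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
+};
+fileSystems."/srv" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
+};
+fileSystems."/var" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
+};
+fileSystems."/nix" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
+};
+fileSystems."/swap" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
+};
+fileSystems."/mnt/snapshots/root" =
+{ device = "/dev/disk/by-label/NIXROOT";
+fsType = "btrfs";
+options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
+};
+swapDevices = [ ];
+systemd.network = {
+enable = true;
+networks = {
+"10-lan" = {
+matchConfig.Name = "enp34s0";
+ntp = [ "192.168.2.1" ];
+domains = [ "home.opel-online.de" ];
+networkConfig = {
+DHCP = "yes";
+IPv6AcceptRA = true;
+};
+};
+};
+};
+networking = {
+useDHCP = false; # Deprecated
+hostName = "dmz";
+firewall = {
+enable = true;
+allowedUDPPorts = [ ];
+allowedTCPPorts = [ ];
+};
+};
+}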
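Review bot: `boot.kernelModules = [ "kvm-intel" ];` contradicts the `nixos-hardware.nixosModules.common-cpu-amd` module the flake attaches to this host (hosts/default.nix hunk); one of the two is wrong, and on an AMD machine `kvm-intel` does not load, which matters if the microvm guests this host runs are expected to use /dev/kvm. The header still describes a "Teclast F5 10" Laptop" and states the file is untouched `nixos-generate-config` output, yet it carries hand-written btrfs scrub, systemd-networkd and firewall configuration; replace the "Do not modify this file!" notice with a header that names the dmz VM and says the file is maintained by hand. `boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];` inside a QEMU guest is only meaningful if devices are passed through from within the guest, so a one-line comment giving the reason (or dropping the line) would help the next reader.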

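--- /dev/null
+++ b/hosts/dmz/home.nix
@@ -0,0 +1,39 @@
+#
+# Home-manager configuration for laptop
+#
+# flake.nix
+# ├─ ./hosts
+# │ └─ ./laptop
+# │ └─ home.nix *
+# └─ ./modules
+# └─ ./desktop
+# └─ ./hyprland
+# └─ hyprland.nix
+#
+{ pkgs, ... }:
+{
+imports =
+[
+../../modules/home.nix # Window Manager
+];
+home = { # Specific packages for laptop
+packages = with pkgs; [
+# Applications
+# Display
+#light # xorg.xbacklight not supported. Other option is just use xrandr.
+# Power Management
+#auto-cpufreq # Power management
+#tlp # Power management
+];
+};
+programs = {
+alacritty.settings.font.size = 11;
+};
+}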
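Review bot: The header `# Home-manager configuration for laptop` with a `./laptop` tree does not describe this file, and `../../modules/home.nix # Window Manager` annotates the import with something that path does not suggest; suggest `# Home-manager configuration for the dmz VM` and a comment on the import that states what modules/home.nix actually provides. The commented-out `light`, `auto-cpufreq` and `tlp` entries and `# Specific packages for laptop` are laptop power-management leftovers that have no role on this VM guest and can go.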


@ -38,13 +38,18 @@
}; };
}; };
# environment = { environment = {
# systemPackages = with pkgs; [ etc = {
## simple-scan "fail2ban/filter.d/gitea.conf" = {
## intel-media-driver source = ../../modules/services/server/fail2ban/filter/gitea.conf;
## alacritty mode = "0444";
# ]; };
# }; "fail2ban/filter.d/nextcloud.conf" = {
source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444";
};
};
};
programs = { # No xbacklight, this is the alterantive programs = { # No xbacklight, this is the alterantive
zsh.enable = true; zsh.enable = true;
@ -67,6 +72,29 @@
userServices = true; userServices = true;
}; };
}; };
fail2ban = {
enable = true;
maxretry = 5;
jails.DEFAULT.settings = {
findtime = "15m";
bantime = "1h";
};
jails = {
gitea = ''
enabled = true
filter = gitea
backend = systemd
action = iptables-allports
'';
nextcloud = ''
backend = auto
enabled = true
filter = nextcloud
logpath = /var/lib/nextcloud/data/nextcloud.log
action = iptables-allports
'';
};
};
}; };


@ -102,7 +102,7 @@
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "dmz"; hostName = "kabtop";
domain = "kabtop.de"; domain = "kabtop.de";
networkmanager = { networkmanager = {
enable = false; enable = false;


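--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,18 @@
+#
+# Services
+#
+# flake.nix
+# ├─ ./hosts
+# │ └─ home.nix
+# └─ ./modules
+# └─ ./services
+# └─ default.nix *
+# └─ ...
+#
+[
+./microvm.nix
+]
+# picom, polybar and sxhkd are pulled from desktop module
+# redshift temporarely disables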


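--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,24 @@
+{ lib, config, pkgs, ... }:
+{
+virtualisation = {
+podman ={
+enable = true;
+autoPrune.enable = true;
+};
+};
+services.gitea-actions-runner.instances = {
+nixrunner-test = {
+enable = true;
+url = "https://git.kabtop.de";
+name = "nix_runner_test";
+#tokenFile = "./gitea_token";
+token = "vlUBkX5IbJKTBO3HAGqFM1fEOw2UqXpX87LcdJRY";
+labels = [
+"debian-latest:docker://node:18-bullseye"
+];
+};
+};
+system.stateVersion = "23.11";
+}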
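Review bot: `token = "…";` commits a live Gitea Actions runner registration token to the repository and, per the `services.gitea-actions-runner` option's own warning, places it in the world-readable Nix store of every host that builds this configuration; the commented-out `tokenFile` one line above is the option to use, pointed at a file provisioned outside the store — the repo already wires agenix (`agenix.nixosModules.default` in hosts/default.nix), so something like `tokenFile = config.age.secrets.gitea-runner-token.path;` (secret name illustrative) with the file in the environment-file form that option expects, and the token now in git history should be regenerated in Gitea. Note that the string `"./gitea_token"` would have been resolved relative to the runner's working directory at runtime, not to this file, which is presumably why it was commented out. Separately, `system.stateVersion = "23.11";` here conflicts with the `system.stateVersion = "23.05";` already set in the microvm guest config this file is imported into (microvm.nix hunk); `stateVersion` is a plain string option, so two different values are an evaluation error, and the line should be dropped from this module.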


@ -1,4 +1,4 @@
{ microvm, nixpkgs, ... }: { microvm, nixpkgs, user, ... }:
let let
name = "gitea"; name = "gitea";
in in
@ -9,21 +9,38 @@ in
# ]; # ];
vms = { vms = {
${name} = { ${name} = {
pkgs = import nixpkgs { pkgs = import nixpkgs {
system = "x86_64-linux"; system = "x86_64-linux";
config.allowUnfree = true; config.allowUnfree = true;
}; };
imports = [( ./gitea_runner.nix )];
config = { config = {
networking = { networking = {
hostName = "${name}-runner"; hostName = "${name}-runner";
firewall = { firewall = {
enable = true; enable = true;
#allowedUDPPorts = [ 53 67 ]; allowedUDPPorts = [ ];
#allowedTCPPorts = [ 53 80 443 9443 ]; allowedTCPPorts = [ ];
}; };
}; };
users.users."kabbone" = { # System User systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
};
users.users.${user} = { # System User
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
uid = 2000; uid = 2000;
@ -48,8 +65,8 @@ in
interfaces = [ interfaces = [
{ {
type = "macvtap"; type = "macvtap";
id = "${name}-tap"; id = "vm-${name}";
mac = "02:00:00:00:00:01"; mac = "04:00:00:00:00:01";
macvtap = { macvtap = {
link = "enp34s0"; link = "enp34s0";
mode = "bridge"; mode = "bridge";
@ -61,8 +78,8 @@ in
tag = "ro-store"; tag = "ro-store";
proto = "virtiofs"; proto = "virtiofs";
}]; }];
#writableStoreOverlay = "/nix/.rw-store"; writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true; storeOnDisk = true;
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";
}; };
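Review bot: `imports = [( ./gitea_runner.nix )];` sits at the `vms.${name}` level next to `pkgs` and `config`, not inside `config`; if I read the microvm.nix host option correctly that attribute set is a submodule whose shorthand only defines config, so `imports` is either rejected as a non-existent option or never reaches the guest, and the runner module is not applied — move it to `config.imports = [ ./gitea_runner.nix ];` (or into the `config = { ... }` block). The new `user` argument in the signature is only satisfied through specialArgs, which the dmz configuration that now imports this module does not pass (hosts/default.nix hunk). Minor: the change from `02:…` to `mac = "04:00:00:00:00:01";` clears the locally-administered bit of the first octet, so the address now lies in the vendor-assigned range; a first octet with that bit set (`02:` as before) is the conventional choice for synthetic addresses.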