diff --git a/hosts/default.nix b/hosts/default.nix index e21af5b..e2dd41f 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -16,7 +16,9 @@ { lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }: let - user = "kabbone"; + # Default user — desktop hosts share this; server hosts may override per-host + # by passing a different `user` value in their own specialArgs block. + defaultUser = "kabbone"; location = builtins.getEnv "HOME" + "/.setup"; system = "x86_64-linux"; @@ -42,8 +44,9 @@ let # Helper: returns [hm-module, config-attrset] for the modules list. # hm - the home-manager flake input to use (stable or unstable) + # user - the username whose home-manager config to build # hmImports - list of home.nix paths for this host - mkHM = hm: hmImports: [ + mkHM = hm: user: hmImports: [ hm.nixosModules.home-manager { home-manager.useGlobalPkgs = true; @@ -57,7 +60,7 @@ in { hades = lib.nixosSystem { # Desktop profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix microvm nixpkgs lanzaboote; }; + specialArgs = { inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote; user = defaultUser; }; modules = [ agenix.nixosModules.default microvm.nixosModules.host @@ -68,12 +71,12 @@ in nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-gpu-amd nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home.nix ./desktop/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home.nix ./desktop/home.nix ]); }; lifebook = lib.nixosSystem { # Laptop profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix lanzaboote; }; + specialArgs = { inherit inputs location nixos-hardware agenix lanzaboote; user = defaultUser; }; modules = [ agenix.nixosModules.default lanzaboote.nixosModules.lanzaboote 
@@ -81,93 +84,93 @@ in ./configuration_common.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home.nix ./lifebook/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home.nix ./lifebook/home.nix ]); }; steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix jovian-nixos lanzaboote; }; + specialArgs = { inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote; user = defaultUser; }; modules = [ agenix.nixosModules.default jovian-nixos.nixosModules.default lanzaboote.nixosModules.lanzaboote ./steamdeck ./configuration_common.nix - ] ++ (mkHM home-manager-unstable [ ./home.nix ./steamdeck/home.nix ]); + ] ++ (mkHM home-manager-unstable defaultUser [ ./home.nix ./steamdeck/home.nix ]); }; kabtop = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; + specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; modules = [ agenix.nixosModules.default microvm.nixosModules.host ./kabtop - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./kabtop/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtop/home.nix ]); }; nasbak = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix; }; + specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; }; modules = [ agenix.nixosModules.default ./nasbackup - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./nasbackup/home.nix ]); + ] ++ (mkHM 
home-manager defaultUser [ ./home_server.nix ./nasbackup/home.nix ]); }; jupiter = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix; }; + specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; }; modules = [ agenix.nixosModules.default ./jupiter - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./jupiter/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./jupiter/home.nix ]); }; kabtopci = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; + specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; modules = [ agenix.nixosModules.default microvm.nixosModules.host ./kabtopci - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./kabtopci/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtopci/home.nix ]); }; kubemaster-1 = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; + specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; modules = [ agenix.nixosModules.default microvm.nixosModules.host ./kubemaster-1 - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./kubemaster-1/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kubemaster-1/home.nix ]); }; dmz = lib.nixosSystem { # Server profile inherit system; - specialArgs = { inherit inputs user location nixos-hardware agenix 
impermanence; }; + specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; modules = [ agenix.nixosModules.default microvm.nixosModules.host ./dmz - ./configuration_server.nix + ./configuration_common.nix nixos-hardware.nixosModules.common-pc-ssd - ] ++ (mkHM home-manager [ ./home_server.nix ./dmz/home.nix ]); + ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./dmz/home.nix ]); }; # vm = lib.nixosSystem { # VM profile diff --git a/hosts/dmz/default.nix b/hosts/dmz/default.nix index 29033ab..793147f 100644 --- a/hosts/dmz/default.nix +++ b/hosts/dmz/default.nix 
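Review bot: Every server host (kabtop, nasbak, jupiter, kabtopci, kubemaster-1, dmz) now imports `./configuration_common.nix` in place of `./configuration_server.nix`, so whatever server-only settings that file carried are dropped unless modules/server/default.nix re-supplies them, and since configuration_server.nix is neither deleted nor shown in this diff that cannot be checked here. In particular the new module sets `services.openssh.ports` and `openFirewall` but not `services.openssh.enable` nor any authentication policy (PasswordAuthentication, PermitRootLogin), so if those lived in configuration_server.nix the servers silently fall back to NixOS defaults. Worth diffing the old file against the module before merging and adding any missing options to the module's base block. The enclosing `in { … }` attrset starts before this hunk and the file continues after it.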
@@ -1,59 +1,40 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# DMZ — demilitarised zone server configuration # { config, pkgs, user, agenix, impermanence, ... }: { - imports = # For now, if applying to other system, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - [(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker - [(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker - (import ../../modules/services/dmz); # Server Services + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/dmz); - boot = { # Boot options + # ── Server module options ─────────────────────────────────────────────── + myServer.virtualisation.enable = true; + myServer.virtualisation.cpu = "intel"; + + # ── Host-specific settings ────────────────────────────────────────────── + boot = { kernelPackages = pkgs.linuxPackages_latest; - - loader = { # EFI Boot - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - timeout = 1; # Grub auto select time + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + efi.efiSysMountPoint = "/boot"; + timeout = 1; }; }; - programs = { - zsh.enable = true; - }; - services = { qemuGuest.enable = true; - avahi = { # Needed to find wireless printer - enable = true; + avahi = { + enable = true; nssmdns4 = true; - publish = { # Needed for detecting the scanner - enable = true; - addresses = true; + publish = { + enable = true; + addresses = true; userServices = true; }; }; }; - } 
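Review bot: The rewritten `services.avahi` block keeps `publish.enable`, `publish.addresses` and `publish.userServices` on the DMZ host, but the only stated reason for them, the removed `# Needed to find wireless printer` / `# Needed for detecting the scanner` comments, does not apply to a server. Publishing mDNS records advertises the host and its user services on the local link, which a demilitarised host should not need by default; either drop the `publish` subtree (keeping `enable` and `nssmdns4` if name resolution is what is wanted) or add a comment stating what depends on it, e.g. `# mDNS publishing: required by <service> — TODO confirm`. The same copied block survives in hosts/jupiter, hosts/kubemaster-1 and hosts/nasbackup in this commit.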
diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index cb7b889..bff8050 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -1,43 +1,19 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# Jupiter — NAS server configuration # { config, pkgs, inputs, user, ... }: { - imports = # For now, if applying to other ssystem, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - #(import ../../modules/wm/virtualisation) ++ # Docker - (import ../../modules/services/nas) ++ # Server Services - (import ../../modules/hardware); # Hardware devices + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/nas); - boot = { # Boot options - kernelPackages = pkgs.linuxPackages_latest; + # ── Server module options ─────────────────────────────────────────────── + # No virtualisation on the NAS - loader = { # EFI Boot - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - timeout = 1; # Grub auto select time - }; - }; + # ── Host-specific settings ────────────────────────────────────────────── # Example: host-specific overlay — only jupiter gets these packages in its pkgs. # nixpkgs.overlays = [ 
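Review bot: The new `imports` list drops `(import ../../modules/hardware)` (previously commented as "Hardware devices") and replaces it with `../../modules/server`, but modules/server/default.nix does not import or reference modules/hardware, so anything that module configured for jupiter is no longer applied. The same removal happens in hosts/nasbackup/default.nix. If the drop is intentional, a one-line comment such as `# modules/hardware intentionally not imported — desktop-only devices` would make that clear; otherwise add it back to the list.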
@@ -46,35 +22,36 @@ # firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox; # }) # ]; -# -# environment = { -# systemPackages = with pkgs; [ -# corosync-qdevice -# ]; -# }; + + boot = { + kernelPackages = pkgs.linuxPackages_latest; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + efi.efiSysMountPoint = "/boot"; + timeout = 1; + }; + }; programs = { - zsh.enable = true; ssh.startAgent = false; gnupg.agent = { - enable = false; + enable = false; enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; + pinentryPackage = pkgs.pinentry-curses; }; }; services = { qemuGuest.enable = true; - avahi = { # Needed to find wireless printer - enable = true; + avahi = { + enable = true; nssmdns4 = true; - publish = { # Needed for detecting the scanner - enable = true; - addresses = true; + publish = { + enable = true; + addresses = true; userServices = true; }; }; - }; - } diff --git a/hosts/kabtop/default.nix b/hosts/kabtop/default.nix index 30dcb1d..d236d91 100644 --- a/hosts/kabtop/default.nix +++ b/hosts/kabtop/default.nix 
@@ -1,111 +1,55 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# Kabtop — server configuration # { config, pkgs, user, agenix, impermanence, ... }: { - imports = # For now, if applying to other system, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - [(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker - [(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # kvm module options - (import ../../modules/services/server); # Server Services + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/server); - boot = { # Boot options + # ── Server module options ─────────────────────────────────────────────── + myServer.virtualisation.enable = true; + myServer.virtualisation.cpu = "amd"; + myServer.fail2ban.enable = true; + + # ── Host-specific settings ────────────────────────────────────────────── + boot = { kernelPackages = pkgs.linuxPackages_latest; - - loader = { # EFI Boot - grub = { + loader = { + grub = { enable = true; device = "/dev/sda"; - }; - timeout = 1; # Grub auto select time + }; + timeout = 1; }; }; - environment = { - etc = { - "fail2ban/filter.d/open-webui.conf" = { - source = ../../modules/services/server/fail2ban/filter/open-webui.conf; - mode = "0444"; - }; - "fail2ban/filter.d/gitea.conf" = { - source = ../../modules/services/server/fail2ban/filter/gitea.conf; - mode = "0444"; - }; - "fail2ban/filter.d/nextcloud.conf" = { - source = ../../modules/services/server/fail2ban/filter/nextcloud.conf; - mode = "0444"; - }; + environment.etc = { + "fail2ban/filter.d/open-webui.conf" = { + source = 
../../modules/services/server/fail2ban/filter/open-webui.conf; + mode = "0444"; + }; + "fail2ban/filter.d/gitea.conf" = { + source = ../../modules/services/server/fail2ban/filter/gitea.conf; + mode = "0444"; + }; + "fail2ban/filter.d/nextcloud.conf" = { + source = ../../modules/services/server/fail2ban/filter/nextcloud.conf; + mode = "0444"; }; }; programs = { - zsh.enable = true; ssh.startAgent = false; gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-curses; }; }; - services = { - #auto-cpufreq.enable = true; - qemuGuest.enable = true; - #avahi = { # Needed to find wireless printer - # enable = true; - # nssmdns = true; - # publish = { # Needed for detecting the scanner - # enable = true; - # addresses = true; - # userServices = true; - # }; - #}; - fail2ban = { - enable = true; - maxretry = 5; - jails.DEFAULT.settings = { - findtime = "15m"; - }; - jails = { - open-webui = '' - enabled = true - filter = open-webui - backend = systemd - action = iptables-allports - ''; - gitea = '' - enabled = true - filter = gitea - backend = systemd - action = iptables-allports - ''; - nextcloud = '' - backend = auto - enabled = true - filter = nextcloud - logpath = /var/lib/nextcloud/data/nextcloud.log - action = iptables-allports - ''; - }; - }; - - }; - + services.qemuGuest.enable = true; } diff --git a/hosts/kabtopci/default.nix b/hosts/kabtopci/default.nix index 19876aa..427b016 100644 --- a/hosts/kabtopci/default.nix +++ b/hosts/kabtopci/default.nix 
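Review bot: The three `services.fail2ban.jails` entries (open-webui, gitea, nextcloud) are removed from this host, but nothing in the commit re-creates them: the `myServer.fail2ban.enable` block in modules/server/default.nix only sets `maxretry` and `jails.DEFAULT.settings.findtime`, while the `environment.etc` filter files for exactly those jails are kept here. Unless the jails now live in modules/services/server (not part of this diff), kabtop ends up installing filters nothing references and those three services lose their brute-force banning. Either restore the `services.fail2ban.jails = { … }` attrset next to `environment.etc` in this file, or add a `myServer.fail2ban.jails` option (`types.attrsOf types.lines` or similar) that the module merges into `services.fail2ban.jails`.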
@@ -1,45 +1,28 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# Kabtopci — CI server configuration # { config, pkgs, user, agenix, impermanence, ... }: { - imports = # For now, if applying to other system, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - [(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker - [(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # Docker - (import ../../modules/services/kabtopci); # Server Services + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/kabtopci); - boot = { # Boot options + # ── Server module options ─────────────────────────────────────────────── + myServer.virtualisation.enable = true; + myServer.virtualisation.cpu = "amd"; + + # ── Host-specific settings ────────────────────────────────────────────── + boot = { kernelPackages = pkgs.linuxPackages_latest; - - loader = { # EFI Boot - grub = { + loader = { + grub = { enable = true; device = "/dev/vda"; - }; - timeout = 1; # Grub auto select time + }; + timeout = 1; }; }; - - programs = { - zsh.enable = true; - }; - } diff --git a/hosts/kubemaster-1/default.nix b/hosts/kubemaster-1/default.nix index 4a0ae57..6e4f152 100644 --- a/hosts/kubemaster-1/default.nix +++ b/hosts/kubemaster-1/default.nix 
@@ -1,58 +1,37 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# Kubemaster-1 — Kubernetes master server configuration # { config, pkgs, user, agenix, impermanence, ... }: { - imports = # For now, if applying to other system, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - [(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker - [(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker - (import ../../modules/services/kubemaster); # Server Services + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/kubemaster); - boot = { # Boot options + # ── Server module options ─────────────────────────────────────────────── + myServer.virtualisation.enable = true; + myServer.virtualisation.cpu = "intel"; + + # ── Host-specific settings ────────────────────────────────────────────── + boot = { kernelPackages = pkgs.linuxPackages_latest; - - loader = { # EFI Boot - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - timeout = 1; # Grub auto select time + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + efi.efiSysMountPoint = "/boot"; + timeout = 1; }; }; - programs = { - zsh.enable = true; - }; - - services = { - avahi = { # Needed to find wireless printer - enable = true; - nssmdns4 = true; - publish = { # Needed for detecting the scanner - enable = true; - addresses = true; - userServices = true; - }; + services.avahi = { + enable = true; + nssmdns4 = true; + publish = { + enable = true; + addresses = true; + userServices = true; }; }; - } 
diff --git a/hosts/nasbackup/default.nix b/hosts/nasbackup/default.nix
index 7315f8b..22de471 100644
--- a/hosts/nasbackup/default.nix
+++ b/hosts/nasbackup/default.nix
@@ -1,66 +1,48 @@ # -# Specific system configuration settings for desktop -# -# flake.nix -# ├─ ./hosts -# │ └─ ./laptop -# │ ├─ default.nix * -# │ └─ hardware-configuration.nix -# └─ ./modules -# ├─ ./desktop -# │ └─ ./hyprland -# │ └─ hyprland.nix -# ├─ ./modules -# │ └─ ./programs -# │ └─ waybar.nix -# └─ ./hardware -# └─ default.nix +# Nasbak — NAS backup server configuration # { config, pkgs, user, ... }: { - imports = # For now, if applying to other system, swap files - [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix - #[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker - (import ../../modules/services/nasbackup) ++ # Server Services - (import ../../modules/hardware); # Hardware devices + imports = [ + ./hardware-configuration.nix + ../../modules/server + ] ++ (import ../../modules/services/nasbackup); - boot = { # Boot options + # ── Server module options ─────────────────────────────────────────────── + # No virtualisation on the backup NAS + + # ── Host-specific settings ────────────────────────────────────────────── + boot = { kernelPackages = pkgs.linuxPackages_latest; - - loader = { # EFI Boot - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - timeout = 1; # Grub auto select time + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + efi.efiSysMountPoint = "/boot"; + timeout = 1; }; }; programs = { - zsh.enable = true; ssh.startAgent = false; gnupg.agent = { - enable = false; + enable = false; enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; + pinentryPackage = pkgs.pinentry-curses; }; }; services = { qemuGuest.enable = true; - avahi = { # Needed to find wireless printer - enable = true; + avahi = { + enable = true; nssmdns4 = true; - publish = { # Needed for detecting the scanner - enable = true; - addresses = true; + publish = { + enable = true; + addresses = true; 
userServices = true; }; }; - }; - } diff --git a/modules/server/default.nix b/modules/server/default.nix new file mode 100644 index 0000000..df05ce4 --- /dev/null +++ b/modules/server/default.nix 
@@ -0,0 +1,151 @@ +# +# Server module — import this instead of configuration_server.nix + manual virtualisation imports. +# +# Usage in hosts//default.nix: +# +# imports = [ +# ./hardware-configuration.nix +# ../../modules/server +# ]; +# +# myServer.virtualisation.enable = true; +# myServer.virtualisation.cpu = "amd"; # amd | intel | none (default) +# +# myServer.sshPort = 2220; # default +# myServer.fail2ban.enable = true; +# +# myServer.extraSystemPackages = with pkgs; [ some-tool ]; +# + +{ config, lib, pkgs, user, ... }: + +let + cfg = config.myServer; +in +{ + # ── Options ────────────────────────────────────────────────────────────── + + options.myServer = with lib; { + + uid = mkOption { + type = types.int; + default = 3000; + description = "UID for the server user."; + }; + + sshPort = mkOption { + type = types.port; + default = 2220; + description = "Port openssh listens on."; + }; + + sudoRequiresPassword = mkOption { + type = types.bool; + default = true; + description = "Whether wheel users must enter a password for sudo."; + }; + + autoUpgrade.enable = mkOption { + type = types.bool; + default = true; + description = "Enable automatic NixOS upgrades (inherits flake URL from configuration_common.nix)."; + }; + + virtualisation = { + enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)"; + cpu = mkOption { + type = types.enum [ "amd" "intel" "none" ]; + default = "none"; + description = "CPU type — selects KVM kernel parameters when virtualisation is enabled."; + }; + }; + + extraGroups = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional groups for the server user beyond the defaults."; + }; + + extraSystemPackages = mkOption { + type = types.listOf types.package; + default = []; + description = "Additional system packages specific to this host."; + }; + + fail2ban = { + enable = mkEnableOption "fail2ban intrusion prevention"; + }; + + }; + + # ── Configuration 
──────────────────────────────────────────────────────── + + config = lib.mkMerge [ + + # ── Base server config ──────────────────────────────────────────────── + { + users.users.${user} = { + isNormalUser = true; + uid = cfg.uid; + extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ] ++ cfg.extraGroups; + }; + + security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword; + + environment.systemPackages = with pkgs; [ + ffmpeg + smartmontools + htop + ] ++ cfg.extraSystemPackages; + + services.openssh = { + ports = [ cfg.sshPort ]; + openFirewall = true; + }; + + nix.extraOptions = '' + keep-outputs = true + keep-derivations = true + ''; + + system.autoUpgrade.enable = cfg.autoUpgrade.enable; + } + + # ── Virtualisation (podman/docker-compat) ───────────────────────────── + (lib.mkIf cfg.virtualisation.enable { + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + }; + + users.groups.docker.members = [ user ]; + }) + + # ── KVM – AMD ───────────────────────────────────────────────────────── + (lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "amd") { + boot.extraModprobeConfig = '' + options kvm_amd nested=0 avic=1 npt=1 + ''; + }) + + # ── KVM – Intel ─────────────────────────────────────────────────────── + (lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "intel") { + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + options kvm_intel emulate_invalid_guest_state=0 + options kvm ignore_nsrs=1 + ''; + }) + + # ── Fail2ban ────────────────────────────────────────────────────────── + (lib.mkIf cfg.fail2ban.enable { + services.fail2ban = { + enable = true; + maxretry = 5; + jails.DEFAULT.settings.findtime = "15m"; + }; + }) + + ]; +} diff --git a/modules/services/dmz/microvm.nix b/modules/services/dmz/microvm.nix index dfa651f..e7411e5 100644 --- a/modules/services/dmz/microvm.nix +++ b/modules/services/dmz/microvm.nix 
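Review bot: `users.users.${user}.extraGroups` grants `kvm` and `libvirtd` unconditionally, including on hosts that set no virtualisation (jupiter and nasbak both note "No virtualisation on the NAS"), which typically gives the login user access to /dev/kvm and the libvirt socket for no purpose. Gate them on the option the module already has: `extraGroups = [ "wheel" "networkmanager" ] ++ lib.optionals cfg.virtualisation.enable [ "kvm" "libvirtd" ] ++ cfg.extraGroups;`. Separately, the header says to import this module instead of configuration_server.nix, yet every host file in this commit also drops `programs.zsh.enable = true` and the module does not set it; if the server user's shell is zsh and configuration_common.nix does not enable it, add `programs.zsh.enable = true;` to the base block or document where it now comes from.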
@@ -84,6 +84,7 @@ in persistence."/persist" = { directories = [ "/var/log" + "/var/lib/nixos" "/var/lib/private" ]; @@ -95,6 +96,7 @@ in microvm = { hypervisor = "cloud-hypervisor"; + vsock.cid = 3; vcpu = 4; mem = 4096; interfaces = [ diff --git a/modules/services/kabtopci/microvm.nix b/modules/services/kabtopci/microvm.nix index 1ae0b3b..8f1b828 100644 --- a/modules/services/kabtopci/microvm.nix +++ b/modules/services/kabtopci/microvm.nix @@ -84,6 +84,7 @@ in persistence."/persist" = { directories = [ "/var/log" + "/var/lib/nixos" "/var/lib/private" ]; diff --git a/modules/services/server/microvm.nix b/modules/services/server/microvm.nix index c167276..da719aa 100644 --- a/modules/services/server/microvm.nix +++ b/modules/services/server/microvm.nix @@ -84,6 +84,7 @@ in persistence."/persist" = { directories = [ "/var/log" + "/var/lib/nixos" "/var/lib/private" ];
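Review bot: `vsock.cid = 3` in modules/services/dmz/microvm.nix is a hard-coded guest CID with no comment; CIDs 0–2 are reserved and every vsock-enabled guest on a host must have a distinct one, so a second microvm on the dmz host declared the same way would collide. Add a comment naming the constraint, e.g. `vsock.cid = 3; # guest CID: must be unique per VM on this host, 0-2 are reserved`, or derive it from a per-VM index if more guests are planned. The `"/var/lib/nixos"` persistence additions in the three microvm.nix files look right, as that directory holds the uid/gid allocation state that would otherwise reset on reboot; the enclosing `microvm = { … }` attrset continues past the hunk.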