Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add persistence to gid/uid services of microvm and set vsock.cid

Browse Source
This commit is contained in:
Kabbone
2026-04-25 17:38:42 +02:00
parent f7035e0daf
commit f50a5caee5
11 changed files with 322 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
hosts/default.nix
View File

@@ -16,7 +16,9 @@
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }:
let
user = "kabbone";
# Default user — desktop hosts share this; server hosts may override per-host
# by passing a different `user` value in their own specialArgs block.
defaultUser = "kabbone";
location = builtins.getEnv "HOME" + "/.setup";
system = "x86_64-linux";
@@ -42,8 +44,9 @@ let
# Helper: returns [hm-module, config-attrset] for the modules list.
# hm - the home-manager flake input to use (stable or unstable)
# user - the username whose home-manager config to build
# hmImports - list of home.nix paths for this host
mkHM = hm: hmImports: [
mkHM = hm: user: hmImports: [
hm.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
@@ -57,7 +60,7 @@ in
{
hades = lib.nixosSystem { # Desktop profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix microvm nixpkgs lanzaboote; };
specialArgs = { inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote; user = defaultUser; };
modules = [
agenix.nixosModules.default
microvm.nixosModules.host
@@ -68,12 +71,12 @@ in
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home.nix ./desktop/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home.nix ./desktop/home.nix ]);
};
lifebook = lib.nixosSystem { # Laptop profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix lanzaboote; };
specialArgs = { inherit inputs location nixos-hardware agenix lanzaboote; user = defaultUser; };
modules = [
agenix.nixosModules.default
lanzaboote.nixosModules.lanzaboote
@@ -81,93 +84,93 @@ in
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home.nix ./lifebook/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home.nix ./lifebook/home.nix ]);
};
steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix jovian-nixos lanzaboote; };
specialArgs = { inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote; user = defaultUser; };
modules = [
agenix.nixosModules.default
jovian-nixos.nixosModules.default
lanzaboote.nixosModules.lanzaboote
./steamdeck
./configuration_common.nix
] ++ (mkHM home-manager-unstable [ ./home.nix ./steamdeck/home.nix ]);
] ++ (mkHM home-manager-unstable defaultUser [ ./home.nix ./steamdeck/home.nix ]);
};
kabtop = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; };
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
agenix.nixosModules.default
microvm.nixosModules.host
./kabtop
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kabtop/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtop/home.nix ]);
};
nasbak = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix; };
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [
agenix.nixosModules.default
./nasbackup
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./nasbackup/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./nasbackup/home.nix ]);
};
jupiter = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix; };
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [
agenix.nixosModules.default
./jupiter
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./jupiter/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./jupiter/home.nix ]);
};
kabtopci = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; };
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
agenix.nixosModules.default
microvm.nixosModules.host
./kabtopci
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kabtopci/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtopci/home.nix ]);
};
kubemaster-1 = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; };
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
agenix.nixosModules.default
microvm.nixosModules.host
./kubemaster-1
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kubemaster-1/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kubemaster-1/home.nix ]);
};
dmz = lib.nixosSystem { # Server profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; };
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
agenix.nixosModules.default
microvm.nixosModules.host
./dmz
./configuration_server.nix
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./dmz/home.nix ]);
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./dmz/home.nix ]);
};
# vm = lib.nixosSystem { # VM profile

61
hosts/dmz/default.nix
View File

@@ -1,59 +1,40 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# DMZ — demilitarised zone server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker
(import ../../modules/services/dmz); # Server Services
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/dmz);
boot = { # Boot options
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot";
timeout = 1;
};
};
programs = {
zsh.enable = true;
};
services = {
qemuGuest.enable = true;
avahi = { # Needed to find wireless printer
enable = true;
avahi = {
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
enable = true;
addresses = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
};
};
}

73
hosts/jupiter/default.nix
View File

@@ -1,43 +1,19 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# Jupiter — NAS server configuration
#
{ config, pkgs, inputs, user, ... }:
{
imports = # For now, if applying to other ssystem, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
#(import ../../modules/wm/virtualisation) ++ # Docker
(import ../../modules/services/nas) ++ # Server Services
(import ../../modules/hardware); # Hardware devices
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/nas);
boot = { # Boot options
kernelPackages = pkgs.linuxPackages_latest;
# ── Server module options ───────────────────────────────────────────────
# No virtualisation on the NAS
loader = { # EFI Boot
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
};
};
# ── Host-specific settings ──────────────────────────────────────────────
# Example: host-specific overlay — only jupiter gets these packages in its pkgs.
# nixpkgs.overlays = [
@@ -46,35 +22,36 @@
# firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
# })
# ];
#
# environment = {
# systemPackages = with pkgs; [
# corosync-qdevice
# ];
# };
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot";
timeout = 1;
};
};
programs = {
zsh.enable = true;
ssh.startAgent = false;
gnupg.agent = {
enable = false;
enable = false;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses;
pinentryPackage = pkgs.pinentry-curses;
};
};
services = {
qemuGuest.enable = true;
avahi = { # Needed to find wireless printer
enable = true;
avahi = {
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
enable = true;
addresses = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
};
};
}

120
hosts/kabtop/default.nix
View File

@@ -1,111 +1,55 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# Kabtop — server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # kvm module options
(import ../../modules/services/server); # Server Services
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/server);
boot = { # Boot options
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd";
myServer.fail2ban.enable = true;
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
grub = {
loader = {
grub = {
enable = true;
device = "/dev/sda";
};
timeout = 1; # Grub auto select time
};
timeout = 1;
};
};
environment = {
etc = {
"fail2ban/filter.d/open-webui.conf" = {
source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
mode = "0444";
};
"fail2ban/filter.d/gitea.conf" = {
source = ../../modules/services/server/fail2ban/filter/gitea.conf;
mode = "0444";
};
"fail2ban/filter.d/nextcloud.conf" = {
source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444";
};
environment.etc = {
"fail2ban/filter.d/open-webui.conf" = {
source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
mode = "0444";
};
"fail2ban/filter.d/gitea.conf" = {
source = ../../modules/services/server/fail2ban/filter/gitea.conf;
mode = "0444";
};
"fail2ban/filter.d/nextcloud.conf" = {
source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444";
};
};
programs = {
zsh.enable = true;
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses;
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses;
};
};
services = {
#auto-cpufreq.enable = true;
qemuGuest.enable = true;
#avahi = { # Needed to find wireless printer
# enable = true;
# nssmdns = true;
# publish = { # Needed for detecting the scanner
# enable = true;
# addresses = true;
# userServices = true;
# };
#};
fail2ban = {
enable = true;
maxretry = 5;
jails.DEFAULT.settings = {
findtime = "15m";
};
jails = {
open-webui = ''
enabled = true
filter = open-webui
backend = systemd
action = iptables-allports
'';
gitea = ''
enabled = true
filter = gitea
backend = systemd
action = iptables-allports
'';
nextcloud = ''
backend = auto
enabled = true
filter = nextcloud
logpath = /var/lib/nextcloud/data/nextcloud.log
action = iptables-allports
'';
};
};
};
services.qemuGuest.enable = true;
}

47
hosts/kabtopci/default.nix
View File

@@ -1,45 +1,28 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# Kabtopci — CI server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # Docker
(import ../../modules/services/kabtopci); # Server Services
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/kabtopci);
boot = { # Boot options
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
grub = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
timeout = 1; # Grub auto select time
};
timeout = 1;
};
};
programs = {
zsh.enable = true;
};
}

67
hosts/kubemaster-1/default.nix
View File

@@ -1,58 +1,37 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# Kubemaster-1 — Kubernetes master server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker
(import ../../modules/services/kubemaster); # Server Services
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/kubemaster);
boot = { # Boot options
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot";
timeout = 1;
};
};
programs = {
zsh.enable = true;
};
services = {
avahi = { # Needed to find wireless printer
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
enable = true;
addresses = true;
userServices = true;
};
services.avahi = {
enable = true;
nssmdns4 = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
};
}

62
hosts/nasbackup/default.nix
View File

@@ -1,66 +1,48 @@
#
# Specific system configuration settings for desktop
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# Nasbak — NAS backup server configuration
#
{ config, pkgs, user, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
#[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
(import ../../modules/services/nasbackup) ++ # Server Services
(import ../../modules/hardware); # Hardware devices
imports = [
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/nasbackup);
boot = { # Boot options
# ── Server module options ───────────────────────────────────────────────
# No virtualisation on the backup NAS
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot";
timeout = 1;
};
};
programs = {
zsh.enable = true;
ssh.startAgent = false;
gnupg.agent = {
enable = false;
enable = false;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses;
pinentryPackage = pkgs.pinentry-curses;
};
};
services = {
qemuGuest.enable = true;
avahi = { # Needed to find wireless printer
enable = true;
avahi = {
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
enable = true;
addresses = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
};
};
}