Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add persistence to gid/uid services of microvm and set vsock.cid

Browse Source
This commit is contained in:
Kabbone
2026-04-25 17:38:42 +02:00
parent f7035e0daf
commit f50a5caee5
11 changed files with 322 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
hosts/default.nix
View File

@@ -16,7 +16,9 @@
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }: { lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }:
let let
user = "kabbone"; # Default user — desktop hosts share this; server hosts may override per-host
# by passing a different `user` value in their own specialArgs block.
defaultUser = "kabbone";
location = builtins.getEnv "HOME" + "/.setup"; location = builtins.getEnv "HOME" + "/.setup";
system = "x86_64-linux"; system = "x86_64-linux";
@@ -42,8 +44,9 @@ let
# Helper: returns [hm-module, config-attrset] for the modules list. # Helper: returns [hm-module, config-attrset] for the modules list.
# hm - the home-manager flake input to use (stable or unstable) # hm - the home-manager flake input to use (stable or unstable)
# user - the username whose home-manager config to build
# hmImports - list of home.nix paths for this host # hmImports - list of home.nix paths for this host
mkHM = hm: hmImports: [ mkHM = hm: user: hmImports: [
hm.nixosModules.home-manager hm.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
@@ -57,7 +60,7 @@ in
{ {
hades = lib.nixosSystem { # Desktop profile hades = lib.nixosSystem { # Desktop profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix microvm nixpkgs lanzaboote; }; specialArgs = { inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.host microvm.nixosModules.host
@@ -68,12 +71,12 @@ in
nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home.nix ./desktop/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home.nix ./desktop/home.nix ]);
}; };
lifebook = lib.nixosSystem { # Laptop profile lifebook = lib.nixosSystem { # Laptop profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix lanzaboote; }; specialArgs = { inherit inputs location nixos-hardware agenix lanzaboote; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
@@ -81,93 +84,93 @@ in
./configuration_common.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home.nix ./lifebook/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home.nix ./lifebook/home.nix ]);
}; };
steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix jovian-nixos lanzaboote; }; specialArgs = { inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
jovian-nixos.nixosModules.default jovian-nixos.nixosModules.default
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
./steamdeck ./steamdeck
./configuration_common.nix ./configuration_common.nix
] ++ (mkHM home-manager-unstable [ ./home.nix ./steamdeck/home.nix ]); ] ++ (mkHM home-manager-unstable defaultUser [ ./home.nix ./steamdeck/home.nix ]);
}; };
kabtop = lib.nixosSystem { # Server profile kabtop = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.host microvm.nixosModules.host
./kabtop ./kabtop
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kabtop/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtop/home.nix ]);
}; };
nasbak = lib.nixosSystem { # Server profile nasbak = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix; }; specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
./nasbackup ./nasbackup
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./nasbackup/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./nasbackup/home.nix ]);
}; };
jupiter = lib.nixosSystem { # Server profile jupiter = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix; }; specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
./jupiter ./jupiter
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./jupiter/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./jupiter/home.nix ]);
}; };
kabtopci = lib.nixosSystem { # Server profile kabtopci = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.host microvm.nixosModules.host
./kabtopci ./kabtopci
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kabtopci/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtopci/home.nix ]);
}; };
kubemaster-1 = lib.nixosSystem { # Server profile kubemaster-1 = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.host microvm.nixosModules.host
./kubemaster-1 ./kubemaster-1
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./kubemaster-1/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kubemaster-1/home.nix ]);
}; };
dmz = lib.nixosSystem { # Server profile dmz = lib.nixosSystem { # Server profile
inherit system; inherit system;
specialArgs = { inherit inputs user location nixos-hardware agenix impermanence; }; specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
microvm.nixosModules.host microvm.nixosModules.host
./dmz ./dmz
./configuration_server.nix ./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager [ ./home_server.nix ./dmz/home.nix ]); ] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./dmz/home.nix ]);
}; };
# vm = lib.nixosSystem { # VM profile # vm = lib.nixosSystem { # VM profile

61
hosts/dmz/default.nix
View File

@@ -1,59 +1,40 @@
# #
# Specific system configuration settings for desktop # DMZ — demilitarised zone server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, user, agenix, impermanence, ... }: { config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = # For now, if applying to other system, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker ../../modules/server
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker ] ++ (import ../../modules/services/dmz);
(import ../../modules/services/dmz); # Server Services
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = {
loader = { # EFI Boot systemd-boot.enable = true;
systemd-boot.enable = true; efi.canTouchEfiVariables = true;
efi = { efi.efiSysMountPoint = "/boot";
canTouchEfiVariables = true; timeout = 1;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
}; };
}; };
programs = {
zsh.enable = true;
};
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { # Needed to find wireless printer avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { # Needed for detecting the scanner publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };
}; };
} }

73
hosts/jupiter/default.nix
View File

@@ -1,43 +1,19 @@
# #
# Specific system configuration settings for desktop # Jupiter — NAS server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, inputs, user, ... }: { config, pkgs, inputs, user, ... }:
{ {
imports = # For now, if applying to other ssystem, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
#(import ../../modules/wm/virtualisation) ++ # Docker ../../modules/server
(import ../../modules/services/nas) ++ # Server Services ] ++ (import ../../modules/services/nas);
(import ../../modules/hardware); # Hardware devices
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
kernelPackages = pkgs.linuxPackages_latest; # No virtualisation on the NAS
loader = { # EFI Boot # ── Host-specific settings ──────────────────────────────────────────────
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
};
};
# Example: host-specific overlay — only jupiter gets these packages in its pkgs. # Example: host-specific overlay — only jupiter gets these packages in its pkgs.
# nixpkgs.overlays = [ # nixpkgs.overlays = [
@@ -46,35 +22,36 @@
# firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox; # firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
# }) # })
# ]; # ];
#
# environment = { boot = {
# systemPackages = with pkgs; [ kernelPackages = pkgs.linuxPackages_latest;
# corosync-qdevice loader = {
# ]; systemd-boot.enable = true;
# }; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot";
timeout = 1;
};
};
programs = { programs = {
zsh.enable = true;
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = false; enable = false;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { # Needed to find wireless printer avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { # Needed for detecting the scanner publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };
}; };
} }

120
hosts/kabtop/default.nix
View File

@@ -1,111 +1,55 @@
# #
# Specific system configuration settings for desktop # Kabtop — server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, user, agenix, impermanence, ... }: { config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = # For now, if applying to other system, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker ../../modules/server
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # kvm module options ] ++ (import ../../modules/services/server);
(import ../../modules/services/server); # Server Services
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd";
myServer.fail2ban.enable = true;
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = {
loader = { # EFI Boot grub = {
grub = {
enable = true; enable = true;
device = "/dev/sda"; device = "/dev/sda";
}; };
timeout = 1; # Grub auto select time timeout = 1;
}; };
}; };
environment = { environment.etc = {
etc = { "fail2ban/filter.d/open-webui.conf" = {
"fail2ban/filter.d/open-webui.conf" = { source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
source = ../../modules/services/server/fail2ban/filter/open-webui.conf; mode = "0444";
mode = "0444"; };
}; "fail2ban/filter.d/gitea.conf" = {
"fail2ban/filter.d/gitea.conf" = { source = ../../modules/services/server/fail2ban/filter/gitea.conf;
source = ../../modules/services/server/fail2ban/filter/gitea.conf; mode = "0444";
mode = "0444"; };
}; "fail2ban/filter.d/nextcloud.conf" = {
"fail2ban/filter.d/nextcloud.conf" = { source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
source = ../../modules/services/server/fail2ban/filter/nextcloud.conf; mode = "0444";
mode = "0444";
};
}; };
}; };
programs = { programs = {
zsh.enable = true;
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };
services = { services.qemuGuest.enable = true;
#auto-cpufreq.enable = true;
qemuGuest.enable = true;
#avahi = { # Needed to find wireless printer
# enable = true;
# nssmdns = true;
# publish = { # Needed for detecting the scanner
# enable = true;
# addresses = true;
# userServices = true;
# };
#};
fail2ban = {
enable = true;
maxretry = 5;
jails.DEFAULT.settings = {
findtime = "15m";
};
jails = {
open-webui = ''
enabled = true
filter = open-webui
backend = systemd
action = iptables-allports
'';
gitea = ''
enabled = true
filter = gitea
backend = systemd
action = iptables-allports
'';
nextcloud = ''
backend = auto
enabled = true
filter = nextcloud
logpath = /var/lib/nextcloud/data/nextcloud.log
action = iptables-allports
'';
};
};
};
} }

47
hosts/kabtopci/default.nix
View File

@@ -1,45 +1,28 @@
# #
# Specific system configuration settings for desktop # Kabtopci — CI server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, user, agenix, impermanence, ... }: { config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = # For now, if applying to other system, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker ../../modules/server
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # Docker ] ++ (import ../../modules/services/kabtopci);
(import ../../modules/services/kabtopci); # Server Services
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = {
loader = { # EFI Boot grub = {
grub = {
enable = true; enable = true;
device = "/dev/vda"; device = "/dev/vda";
}; };
timeout = 1; # Grub auto select time timeout = 1;
}; };
}; };
programs = {
zsh.enable = true;
};
} }

67
hosts/kubemaster-1/default.nix
View File

@@ -1,58 +1,37 @@
# #
# Specific system configuration settings for desktop # Kubemaster-1 — Kubernetes master server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, user, agenix, impermanence, ... }: { config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = # For now, if applying to other system, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker ../../modules/server
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker ] ++ (import ../../modules/services/kubemaster);
(import ../../modules/services/kubemaster); # Server Services
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = {
loader = { # EFI Boot systemd-boot.enable = true;
systemd-boot.enable = true; efi.canTouchEfiVariables = true;
efi = { efi.efiSysMountPoint = "/boot";
canTouchEfiVariables = true; timeout = 1;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
}; };
}; };
programs = { services.avahi = {
zsh.enable = true; enable = true;
}; nssmdns4 = true;
publish = {
services = { enable = true;
avahi = { # Needed to find wireless printer addresses = true;
enable = true; userServices = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
enable = true;
addresses = true;
userServices = true;
};
}; };
}; };
} }

62
hosts/nasbackup/default.nix
View File

@@ -1,66 +1,48 @@
# #
# Specific system configuration settings for desktop # Nasbak — NAS backup server configuration
#
# flake.nix
# ├─ ./hosts
# │ └─ ./laptop
# │ ├─ default.nix *
# │ └─ hardware-configuration.nix
# └─ ./modules
# ├─ ./desktop
# │ └─ ./hyprland
# │ └─ hyprland.nix
# ├─ ./modules
# │ └─ ./programs
# │ └─ waybar.nix
# └─ ./hardware
# └─ default.nix
# #
{ config, pkgs, user, ... }: { config, pkgs, user, ... }:
{ {
imports = # For now, if applying to other system, swap files imports = [
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix ./hardware-configuration.nix
#[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker ../../modules/server
(import ../../modules/services/nasbackup) ++ # Server Services ] ++ (import ../../modules/services/nasbackup);
(import ../../modules/hardware); # Hardware devices
boot = { # Boot options # ── Server module options ───────────────────────────────────────────────
# No virtualisation on the backup NAS
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = {
loader = { # EFI Boot systemd-boot.enable = true;
systemd-boot.enable = true; efi.canTouchEfiVariables = true;
efi = { efi.efiSysMountPoint = "/boot";
canTouchEfiVariables = true; timeout = 1;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
}; };
}; };
programs = { programs = {
zsh.enable = true;
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = false; enable = false;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { # Needed to find wireless printer avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { # Needed for detecting the scanner publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };
}; };
} }

151
modules/server/default.nix Normal file
View File

@@ -0,0 +1,151 @@
#
# Server module — import this instead of configuration_server.nix + manual virtualisation imports.
#
# Usage in hosts/<hostname>/default.nix:
#
# imports = [
# ./hardware-configuration.nix
# ../../modules/server
# ];
#
# myServer.virtualisation.enable = true;
# myServer.virtualisation.cpu = "amd"; # amd | intel | none (default)
#
# myServer.sshPort = 2220; # default
# myServer.fail2ban.enable = true;
#
# myServer.extraSystemPackages = with pkgs; [ some-tool ];
#
{ config, lib, pkgs, user, ... }:
let
cfg = config.myServer;
in
{
# ── Options ──────────────────────────────────────────────────────────────
options.myServer = with lib; {
uid = mkOption {
type = types.int;
default = 3000;
description = "UID for the server user.";
};
sshPort = mkOption {
type = types.port;
default = 2220;
description = "Port openssh listens on.";
};
sudoRequiresPassword = mkOption {
type = types.bool;
default = true;
description = "Whether wheel users must enter a password for sudo.";
};
autoUpgrade.enable = mkOption {
type = types.bool;
default = true;
description = "Enable automatic NixOS upgrades (inherits flake URL from configuration_common.nix).";
};
virtualisation = {
enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)";
cpu = mkOption {
type = types.enum [ "amd" "intel" "none" ];
default = "none";
description = "CPU type selects KVM kernel parameters when virtualisation is enabled.";
};
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [];
description = "Additional groups for the server user beyond the defaults.";
};
extraSystemPackages = mkOption {
type = types.listOf types.package;
default = [];
description = "Additional system packages specific to this host.";
};
fail2ban = {
enable = mkEnableOption "fail2ban intrusion prevention";
};
};
# ── Configuration ────────────────────────────────────────────────────────
config = lib.mkMerge [
# ── Base server config ────────────────────────────────────────────────
{
users.users.${user} = {
isNormalUser = true;
uid = cfg.uid;
extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ] ++ cfg.extraGroups;
};
security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword;
environment.systemPackages = with pkgs; [
ffmpeg
smartmontools
htop
] ++ cfg.extraSystemPackages;
services.openssh = {
ports = [ cfg.sshPort ];
openFirewall = true;
};
nix.extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
system.autoUpgrade.enable = cfg.autoUpgrade.enable;
}
# ── Virtualisation (podman/docker-compat) ─────────────────────────────
(lib.mkIf cfg.virtualisation.enable {
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
users.groups.docker.members = [ user ];
})
# ── KVM AMD ─────────────────────────────────────────────────────────
(lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "amd") {
boot.extraModprobeConfig = ''
options kvm_amd nested=0 avic=1 npt=1
'';
})
# ── KVM Intel ───────────────────────────────────────────────────────
(lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "intel") {
boot.extraModprobeConfig = ''
options kvm_intel nested=1
options kvm_intel emulate_invalid_guest_state=0
options kvm ignore_nsrs=1
'';
})
# ── Fail2ban ──────────────────────────────────────────────────────────
(lib.mkIf cfg.fail2ban.enable {
services.fail2ban = {
enable = true;
maxretry = 5;
jails.DEFAULT.settings.findtime = "15m";
};
})
];
}

2
modules/services/dmz/microvm.nix
View File

@@ -84,6 +84,7 @@ in
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
"/var/log" "/var/log"
"/var/lib/nixos"
"/var/lib/private" "/var/lib/private"
]; ];
@@ -95,6 +96,7 @@ in
microvm = { microvm = {
hypervisor = "cloud-hypervisor"; hypervisor = "cloud-hypervisor";
vsock.cid = 3;
vcpu = 4; vcpu = 4;
mem = 4096; mem = 4096;
interfaces = [ interfaces = [

1
modules/services/kabtopci/microvm.nix
View File

@@ -84,6 +84,7 @@ in
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
"/var/log" "/var/log"
"/var/lib/nixos"
"/var/lib/private" "/var/lib/private"
]; ];

1
modules/services/server/microvm.nix
View File

@@ -84,6 +84,7 @@ in
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
"/var/log" "/var/log"
"/var/lib/nixos"
"/var/lib/private" "/var/lib/private"
]; ];