split system/hosts into hosts and devices
This commit is contained in:
parent
561a481f1a
commit
f119df524c
14
flake.nix
14
flake.nix
|
@ -87,8 +87,7 @@
|
||||||
nixserver = {
|
nixserver = {
|
||||||
modules = [
|
modules = [
|
||||||
nixos-mailserver.nixosModules.default
|
nixos-mailserver.nixosModules.default
|
||||||
./system/hardware/hp_probook_g0.nix
|
./system/devices/hp-probook-g0-server.nix
|
||||||
./system/hosts/nixserver
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
router-emmc = rec {
|
router-emmc = rec {
|
||||||
|
@ -97,10 +96,8 @@
|
||||||
specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system};
|
specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system};
|
||||||
specialArgs.server-config = nixosConfigurations.nixserver.config;
|
specialArgs.server-config = nixosConfigurations.nixserver.config;
|
||||||
modules = [
|
modules = [
|
||||||
./system/hardware/bpi_r3/emmc.nix
|
(import ./system/devices/bpi-r3-router.nix "emmc")
|
||||||
./system/hosts/router
|
|
||||||
(if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default)
|
(if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default)
|
||||||
{ networking.hostName = "router"; }
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
router-sd = rec {
|
router-sd = rec {
|
||||||
|
@ -109,18 +106,15 @@
|
||||||
specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system};
|
specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system};
|
||||||
specialArgs.server-config = nixosConfigurations.nixserver.config;
|
specialArgs.server-config = nixosConfigurations.nixserver.config;
|
||||||
modules = [
|
modules = [
|
||||||
./system/hardware/bpi_r3/sd.nix
|
(import ./system/devices/bpi-r3-router.nix "sd")
|
||||||
./system/hosts/router
|
|
||||||
(if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default)
|
(if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default)
|
||||||
{ networking.hostName = "router"; }
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
nixmsi = rec {
|
nixmsi = rec {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
nix-gaming.nixosModules.pipewireLowLatency
|
nix-gaming.nixosModules.pipewireLowLatency
|
||||||
./system/hardware/msi_delta_15.nix
|
./system/devices/msi-delta-15-workstation.nix
|
||||||
./system/hosts/nixmsi.nix
|
|
||||||
];
|
];
|
||||||
home.common.enableNixosModule = false;
|
home.common.enableNixosModule = false;
|
||||||
home.common.extraSpecialArgs = {
|
home.common.extraSpecialArgs = {
|
||||||
|
|
5
system/README.md
Normal file
5
system/README.md
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
- `hardware`: basic config for a device, specifies screen resolution,
|
||||||
|
gpu, etc
|
||||||
|
- `hosts`: mostly hardware-agnostic, specifies config for device "roles"
|
||||||
|
- `devices`: per-device config, like partition tables. This is the entry
|
||||||
|
points which import modules from `hardware` and `hosts`
|
2
system/devices/README.md
Normal file
2
system/devices/README.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
This folder is for device-specific, non-portable config. See `../hosts`
|
||||||
|
for device-agnostic configuration.
|
43
system/devices/bpi-r3-router.nix
Normal file
43
system/devices/bpi-r3-router.nix
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
storage:
|
||||||
|
|
||||||
|
{ config, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
rootUuid = "44444444-4444-4444-8888-888888888888";
|
||||||
|
rootPart = "/dev/disk/by-uuid/${rootUuid}";
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
../hardware/bpi-r3/${storage}.nix
|
||||||
|
../hosts/router
|
||||||
|
];
|
||||||
|
networking.hostName = "nixos-router";
|
||||||
|
|
||||||
|
fileSystems = {
|
||||||
|
# mount root on tmpfs
|
||||||
|
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
||||||
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
||||||
|
"/persist" =
|
||||||
|
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
||||||
|
options = [ "compress=zstd:15" "subvol=@" ]; };
|
||||||
|
"/boot" =
|
||||||
|
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
||||||
|
options = [ "subvol=@boot" ]; };
|
||||||
|
"/nix" =
|
||||||
|
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
||||||
|
options = [ "compress=zstd:15" "subvol=@nix" ]; };
|
||||||
|
};
|
||||||
|
|
||||||
|
impermanence = {
|
||||||
|
enable = true;
|
||||||
|
path = /persist;
|
||||||
|
directories = [
|
||||||
|
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
||||||
|
{ directory = /root; mode = "0700"; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# technically hostapd/lan0..4 interface config should be here as well
|
||||||
|
# but for easier demonstration i'll keep it all in ../hosts/router
|
||||||
|
}
|
54
system/devices/hp-probook-g0-server.nix
Normal file
54
system/devices/hp-probook-g0-server.nix
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
{ config, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
|
||||||
|
rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
|
||||||
|
rootPart = "/dev/disk/by-uuid/${rootUuid}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
../hardware/hp-probook-g0.nix
|
||||||
|
../hosts/nixserver
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader = {
|
||||||
|
grub = {
|
||||||
|
enable = true;
|
||||||
|
device = "nodev";
|
||||||
|
efiSupport = true;
|
||||||
|
efiInstallAsRemovable = true;
|
||||||
|
};
|
||||||
|
efi.efiSysMountPoint = "/boot/efi";
|
||||||
|
};
|
||||||
|
fileSystems = {
|
||||||
|
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
||||||
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
||||||
|
"/persist" =
|
||||||
|
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
||||||
|
options = [ "compress=zstd:15" ]; };
|
||||||
|
"/boot" =
|
||||||
|
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
||||||
|
options = [ "compress=zstd:15" "subvol=boot" ]; };
|
||||||
|
"/boot/efi" =
|
||||||
|
{ device = efiPart; fsType = "vfat"; };
|
||||||
|
};
|
||||||
|
services.beesd = {
|
||||||
|
filesystems.root = {
|
||||||
|
spec = "UUID=${rootUuid}";
|
||||||
|
hashTableSizeMB = 128;
|
||||||
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
zramSwap.enable = true;
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
impermanence = {
|
||||||
|
enable = true;
|
||||||
|
path = /persist;
|
||||||
|
directories = [
|
||||||
|
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
||||||
|
{ directory = /root; }
|
||||||
|
{ directory = /nix; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
114
system/devices/msi-delta-15-workstation.nix
Normal file
114
system/devices/msi-delta-15-workstation.nix
Normal file
|
@ -0,0 +1,114 @@
|
||||||
|
# device-specific non-portable config
|
||||||
|
let
|
||||||
|
efiPart = "/dev/disk/by-uuid/D77D-8CE0";
|
||||||
|
|
||||||
|
encPart = "/dev/disk/by-uuid/ce6ccdf0-7b6a-43ae-bfdf-10009a55041a";
|
||||||
|
cryptrootUuid = "f4edc0df-b50b-42f6-94ed-1c8f88d6cdbb";
|
||||||
|
cryptroot = "/dev/disk/by-uuid/${cryptrootUuid}";
|
||||||
|
|
||||||
|
dataPart = "/dev/disk/by-uuid/f1447692-fa7c-4bd6-9cb5-e44c13fddfe3";
|
||||||
|
datarootUuid = "fa754b1e-ac83-4851-bf16-88efcd40b657";
|
||||||
|
dataroot = "/dev/disk/by-uuid/${datarootUuid}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
../hardware/msi-delta-15.nix
|
||||||
|
../hosts/nixmsi.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd = {
|
||||||
|
# insert crypto_keyfile into initrd so that grub can tell the kernel the
|
||||||
|
# encryption key once I unlock the /boot partition
|
||||||
|
secrets."/crypto_keyfile.bin" = "/boot/initrd/crypto_keyfile.bin";
|
||||||
|
luks.devices."cryptroot" = {
|
||||||
|
device = encPart;
|
||||||
|
# idk whether this is needed but it works
|
||||||
|
preLVM = true;
|
||||||
|
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
||||||
|
allowDiscards = true;
|
||||||
|
# improve SSD performance
|
||||||
|
bypassWorkqueues = true;
|
||||||
|
keyFile = "/crypto_keyfile.bin";
|
||||||
|
};
|
||||||
|
luks.devices."dataroot" = {
|
||||||
|
device = dataPart;
|
||||||
|
preLVM = true;
|
||||||
|
allowDiscards = true;
|
||||||
|
bypassWorkqueues = true;
|
||||||
|
keyFile = "/crypto_keyfile.bin";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
boot.loader = {
|
||||||
|
grub = {
|
||||||
|
enable = true;
|
||||||
|
enableCryptodisk = true;
|
||||||
|
efiSupport = true;
|
||||||
|
# nodev = disable bios support
|
||||||
|
device = "nodev";
|
||||||
|
};
|
||||||
|
efi.canTouchEfiVariables = true;
|
||||||
|
efi.efiSysMountPoint = "/boot/efi";
|
||||||
|
};
|
||||||
|
boot.resumeDevice = cryptroot;
|
||||||
|
boot.kernelParams = [
|
||||||
|
"resume=/@swap/swapfile"
|
||||||
|
# resume_offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
||||||
|
"resume_offset=533760"
|
||||||
|
];
|
||||||
|
fileSystems = let
|
||||||
|
device = cryptroot;
|
||||||
|
fsType = "btrfs";
|
||||||
|
# max compression! my cpu is pretty good anyway
|
||||||
|
compress = "compress=zstd:15";
|
||||||
|
discard = "discard=async";
|
||||||
|
neededForBoot = true;
|
||||||
|
in {
|
||||||
|
# mount root on tmpfs
|
||||||
|
"/" = { device = "none"; fsType = "tmpfs"; inherit neededForBoot;
|
||||||
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
||||||
|
"/persist" =
|
||||||
|
{ inherit device fsType neededForBoot;
|
||||||
|
options = [ discard compress "subvol=@" ]; };
|
||||||
|
"/nix" = { inherit device fsType neededForBoot;
|
||||||
|
options = [ discard compress "subvol=@nix" "noatime" ]; };
|
||||||
|
"/swap" = { inherit device fsType neededForBoot;
|
||||||
|
options = [ discard "subvol=@swap" "noatime" ]; };
|
||||||
|
"/home" = { inherit device fsType;
|
||||||
|
options = [ discard compress "subvol=@home" ]; };
|
||||||
|
# why am I even bothering with creating this subvolume every time if I don't use snapshots anyway?
|
||||||
|
"/.snapshots" =
|
||||||
|
{ inherit device fsType;
|
||||||
|
options = [ discard compress "subvol=@snapshots" ]; };
|
||||||
|
"/boot" = { inherit device fsType neededForBoot;
|
||||||
|
options = [ discard compress "subvol=@boot" ]; };
|
||||||
|
"/boot/efi" =
|
||||||
|
{ device = efiPart; fsType = "vfat"; inherit neededForBoot; };
|
||||||
|
"/data" =
|
||||||
|
{ device = dataroot; fsType = "btrfs";
|
||||||
|
options = [ discard compress ]; };
|
||||||
|
};
|
||||||
|
|
||||||
|
impermanence = {
|
||||||
|
enable = true;
|
||||||
|
path = /persist;
|
||||||
|
};
|
||||||
|
|
||||||
|
# fix for my realtek usb ethernet adapter
|
||||||
|
services.tlp.settings.USB_DENYLIST = "0bda:8156";
|
||||||
|
|
||||||
|
swapDevices = [ { device = "/swap/swapfile"; } ];
|
||||||
|
|
||||||
|
# dedupe
|
||||||
|
services.beesd = {
|
||||||
|
# i have a lot of ram :tonystark:
|
||||||
|
filesystems.cryptroot = {
|
||||||
|
spec = "UUID=${cryptrootUuid}";
|
||||||
|
hashTableSizeMB = 128;
|
||||||
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
||||||
|
};
|
||||||
|
filesystems.dataroot = {
|
||||||
|
spec = "UUID=${datarootUuid}";
|
||||||
|
hashTableSizeMB = 256;
|
||||||
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
3
system/hardware/README.md
Normal file
3
system/hardware/README.md
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
This specifies the "lowest common denominator" of all NixOS configs for
|
||||||
|
this device. It simply specifies the hardware (screen resolutions, GPUs,
|
||||||
|
etc). For specific device configs, see `../devices`.
|
3
system/hosts/README.md
Normal file
3
system/hosts/README.md
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
This folder is for (mostly) hardware-agnostic configs. See `../devices`
|
||||||
|
for device-specific config, e.g. the partition tables (those modules
|
||||||
|
also reference `../hardware`)
|
|
@ -3,17 +3,7 @@
|
||||||
, config
|
, config
|
||||||
, ... }:
|
, ... }:
|
||||||
|
|
||||||
let
|
/*
|
||||||
efiPart = "/dev/disk/by-uuid/D77D-8CE0";
|
|
||||||
|
|
||||||
encPart = "/dev/disk/by-uuid/ce6ccdf0-7b6a-43ae-bfdf-10009a55041a";
|
|
||||||
cryptrootUuid = "f4edc0df-b50b-42f6-94ed-1c8f88d6cdbb";
|
|
||||||
cryptroot = "/dev/disk/by-uuid/${cryptrootUuid}";
|
|
||||||
|
|
||||||
dataPart = "/dev/disk/by-uuid/f1447692-fa7c-4bd6-9cb5-e44c13fddfe3";
|
|
||||||
datarootUuid = "fa754b1e-ac83-4851-bf16-88efcd40b657";
|
|
||||||
dataroot = "/dev/disk/by-uuid/${datarootUuid}";
|
|
||||||
/*
|
|
||||||
# for old kernel versions
|
# for old kernel versions
|
||||||
zenKernels = pkgs.callPackage "${nixpkgs}/pkgs/os-specific/linux/kernel/zen-kernels.nix";
|
zenKernels = pkgs.callPackage "${nixpkgs}/pkgs/os-specific/linux/kernel/zen-kernels.nix";
|
||||||
zenKernel = (version: sha256: (zenKernels {
|
zenKernel = (version: sha256: (zenKernels {
|
||||||
|
@ -33,52 +23,14 @@ let
|
||||||
};
|
};
|
||||||
}).zen);
|
}).zen);
|
||||||
zenKernelPackages = version: sha256: pkgs.linuxPackagesFor (zenKernel version sha256);
|
zenKernelPackages = version: sha256: pkgs.linuxPackagesFor (zenKernel version sha256);
|
||||||
*/
|
*/
|
||||||
in {
|
|
||||||
|
{
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "22.11";
|
||||||
|
|
||||||
### SECTION 1: HARDWARE/BOOT PARAMETERS ###
|
### SECTION 1: HARDWARE/BOOT PARAMETERS ###
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
initrd = {
|
|
||||||
# insert crypto_keyfile into initrd so that grub can tell the kernel the
|
|
||||||
# encryption key once I unlock the /boot partition
|
|
||||||
secrets."/crypto_keyfile.bin" = "/boot/initrd/crypto_keyfile.bin";
|
|
||||||
luks.devices."cryptroot" = {
|
|
||||||
device = encPart;
|
|
||||||
# idk whether this is needed but it works
|
|
||||||
preLVM = true;
|
|
||||||
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
|
||||||
allowDiscards = true;
|
|
||||||
# improve SSD performance
|
|
||||||
bypassWorkqueues = true;
|
|
||||||
keyFile = "/crypto_keyfile.bin";
|
|
||||||
};
|
|
||||||
luks.devices."dataroot" = {
|
|
||||||
device = dataPart;
|
|
||||||
preLVM = true;
|
|
||||||
allowDiscards = true;
|
|
||||||
bypassWorkqueues = true;
|
|
||||||
keyFile = "/crypto_keyfile.bin";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
resumeDevice = cryptroot;
|
|
||||||
kernelParams = [
|
|
||||||
"resume=/@swap/swapfile"
|
|
||||||
# resume_offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
|
||||||
"resume_offset=533760"
|
|
||||||
];
|
|
||||||
loader = {
|
|
||||||
grub = {
|
|
||||||
enable = true;
|
|
||||||
enableCryptodisk = true;
|
|
||||||
efiSupport = true;
|
|
||||||
# nodev = disable bios support
|
|
||||||
device = "nodev";
|
|
||||||
};
|
|
||||||
efi.canTouchEfiVariables = true;
|
|
||||||
efi.efiSysMountPoint = "/boot/efi";
|
|
||||||
};
|
|
||||||
kernel.sysctl = {
|
kernel.sysctl = {
|
||||||
"vm.dirty_ratio" = 4;
|
"vm.dirty_ratio" = 4;
|
||||||
"vm.dirty_background_ratio" = 2;
|
"vm.dirty_background_ratio" = 2;
|
||||||
|
@ -101,12 +53,6 @@ in {
|
||||||
opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
|
opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# services.openssh.enable = true;
|
|
||||||
|
|
||||||
services.tlp.enable = true;
|
|
||||||
# fix for my realtek usb ethernet adapter
|
|
||||||
services.tlp.settings.USB_DENYLIST = "0bda:8156";
|
|
||||||
|
|
||||||
# see modules/vfio.nix
|
# see modules/vfio.nix
|
||||||
vfio.enable = true;
|
vfio.enable = true;
|
||||||
vfio.libvirtdGroup = [ config.common.mainUsername ];
|
vfio.libvirtdGroup = [ config.common.mainUsername ];
|
||||||
|
@ -118,63 +64,7 @@ in {
|
||||||
externalInterface = "enp7s0f4u1c2";
|
externalInterface = "enp7s0f4u1c2";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = let
|
|
||||||
device = cryptroot;
|
|
||||||
fsType = "btrfs";
|
|
||||||
# max compression! my cpu is pretty good anyway
|
|
||||||
compress = "compress=zstd:15";
|
|
||||||
discard = "discard=async";
|
|
||||||
neededForBoot = true;
|
|
||||||
in {
|
|
||||||
# mount root on tmpfs
|
|
||||||
"/" = { device = "none"; fsType = "tmpfs"; inherit neededForBoot;
|
|
||||||
options = [ "defaults" "size=2G" "mode=755" ]; };
|
|
||||||
"/persist" =
|
|
||||||
{ inherit device fsType neededForBoot;
|
|
||||||
options = [ discard compress "subvol=@" ]; };
|
|
||||||
"/nix" = { inherit device fsType neededForBoot;
|
|
||||||
options = [ discard compress "subvol=@nix" "noatime" ]; };
|
|
||||||
"/swap" = { inherit device fsType neededForBoot;
|
|
||||||
options = [ discard "subvol=@swap" "noatime" ]; };
|
|
||||||
"/home" = { inherit device fsType;
|
|
||||||
options = [ discard compress "subvol=@home" ]; };
|
|
||||||
# why am I even bothering with creating this subvolume every time if I don't use snapshots anyway?
|
|
||||||
"/.snapshots" =
|
|
||||||
{ inherit device fsType;
|
|
||||||
options = [ discard compress "subvol=@snapshots" ]; };
|
|
||||||
"/boot" = { inherit device fsType neededForBoot;
|
|
||||||
options = [ discard compress "subvol=@boot" ]; };
|
|
||||||
"/boot/efi" =
|
|
||||||
{ device = efiPart; fsType = "vfat"; inherit neededForBoot; };
|
|
||||||
"/data" =
|
|
||||||
{ device = dataroot; fsType = "btrfs";
|
|
||||||
options = [ discard compress ]; };
|
|
||||||
};
|
|
||||||
|
|
||||||
impermanence = {
|
|
||||||
enable = true;
|
|
||||||
path = /persist;
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ { device = "/swap/swapfile"; } ];
|
|
||||||
|
|
||||||
# dedupe
|
|
||||||
services.beesd = {
|
|
||||||
# i have a lot of ram :tonystark:
|
|
||||||
filesystems.cryptroot = {
|
|
||||||
spec = "UUID=${cryptrootUuid}";
|
|
||||||
hashTableSizeMB = 128;
|
|
||||||
extraOptions = [ "--loadavg-target" "8.0" ];
|
|
||||||
};
|
|
||||||
filesystems.dataroot = {
|
|
||||||
spec = "UUID=${datarootUuid}";
|
|
||||||
hashTableSizeMB = 256;
|
|
||||||
extraOptions = [ "--loadavg-target" "8.0" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
||||||
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
|
|
||||||
|
|
||||||
networking.useDHCP = true;
|
networking.useDHCP = true;
|
||||||
# networking.firewall.enable = false;
|
# networking.firewall.enable = false;
|
||||||
|
@ -241,4 +131,3 @@ in {
|
||||||
services.sshd.enable = true;
|
services.sshd.enable = true;
|
||||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,10 +6,6 @@
|
||||||
let
|
let
|
||||||
cfg = config.server;
|
cfg = config.server;
|
||||||
|
|
||||||
efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
|
|
||||||
rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
|
|
||||||
rootPart = "/dev/disk/by-uuid/${rootUuid}";
|
|
||||||
|
|
||||||
hosted-domains =
|
hosted-domains =
|
||||||
map
|
map
|
||||||
(prefix: if prefix == null then cfg.domainName else "${prefix}.${cfg.domainName}")
|
(prefix: if prefix == null then cfg.domainName else "${prefix}.${cfg.domainName}")
|
||||||
|
@ -40,69 +36,32 @@ in {
|
||||||
];
|
];
|
||||||
|
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "22.11";
|
||||||
|
impermanence.directories = [
|
||||||
boot = {
|
|
||||||
loader = {
|
|
||||||
grub = {
|
|
||||||
enable = true;
|
|
||||||
device = "nodev";
|
|
||||||
efiSupport = true;
|
|
||||||
efiInstallAsRemovable = true;
|
|
||||||
};
|
|
||||||
efi.efiSysMountPoint = "/boot/efi";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
fileSystems = {
|
|
||||||
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
|
||||||
options = [ "defaults" "size=2G" "mode=755" ]; };
|
|
||||||
"/persist" =
|
|
||||||
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
|
||||||
options = [ "compress=zstd:15" ]; };
|
|
||||||
"/boot" =
|
|
||||||
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
|
||||||
options = [ "compress=zstd:15" "subvol=boot" ]; };
|
|
||||||
"/boot/efi" =
|
|
||||||
{ device = efiPart; fsType = "vfat"; };
|
|
||||||
};
|
|
||||||
zramSwap.enable = true;
|
|
||||||
swapDevices = [ ];
|
|
||||||
impermanence = {
|
|
||||||
enable = true;
|
|
||||||
path = /persist;
|
|
||||||
directories = [
|
|
||||||
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
|
||||||
{ directory = /root; }
|
|
||||||
{ directory = /nix; }
|
|
||||||
{ directory = /var/www/${cfg.domainName}; }
|
{ directory = /var/www/${cfg.domainName}; }
|
||||||
];
|
];
|
||||||
};
|
|
||||||
services.beesd = {
|
|
||||||
filesystems.root = {
|
|
||||||
spec = "UUID=${rootUuid}";
|
|
||||||
hashTableSizeMB = 128;
|
|
||||||
extraOptions = [ "--loadavg-target" "8.0" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v24n.psf.gz";
|
|
||||||
networking.useDHCP = true;
|
networking.useDHCP = true;
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = lib.mkMerge [
|
||||||
|
[
|
||||||
# ssh
|
# ssh
|
||||||
22
|
22
|
||||||
# dns
|
|
||||||
53 853
|
|
||||||
# http/s
|
# http/s
|
||||||
80 443
|
80 443
|
||||||
|
]
|
||||||
|
(lib.mkIf config.services.unbound.enable [
|
||||||
|
# dns
|
||||||
|
53 853
|
||||||
|
])
|
||||||
];
|
];
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = lib.mkIf config.services.unbound.enable [
|
||||||
# dns
|
# dns
|
||||||
53 853
|
53 853
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# UNBOUND
|
# UNBOUND
|
||||||
users.users.${config.common.mainUsername}.extraGroups = [ config.services.unbound.group ];
|
users.users.${config.common.mainUsername}.extraGroups = lib.mkIf config.services.unbound.enable [ config.services.unbound.group ];
|
||||||
|
|
||||||
#networking.resolvconf.extraConfig = ''
|
#networking.resolvconf.extraConfig = ''
|
||||||
# name_servers="127.0.0.1 ::1"
|
# name_servers="127.0.0.1 ::1"
|
||||||
|
|
|
@ -7,8 +7,6 @@
|
||||||
, ... }:
|
, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
rootUuid = "44444444-4444-4444-8888-888888888888";
|
|
||||||
rootPart = "/dev/disk/by-uuid/${rootUuid}";
|
|
||||||
cfg = config.router-settings;
|
cfg = config.router-settings;
|
||||||
hapdConfig = {
|
hapdConfig = {
|
||||||
inherit (cfg) country_code wpa_passphrase;
|
inherit (cfg) country_code wpa_passphrase;
|
||||||
|
@ -219,7 +217,23 @@ let
|
||||||
|
|
||||||
hosted-domains = builtins.attrNames server-config.services.nginx.virtualHosts;
|
hosted-domains = builtins.attrNames server-config.services.nginx.virtualHosts;
|
||||||
in {
|
in {
|
||||||
router-settings.domainName = "pavluk.org";
|
imports = [ ./options.nix ];
|
||||||
|
system.stateVersion = "22.11";
|
||||||
|
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.conf.all.src_valid_mark" = true;
|
||||||
|
"net.ipv4.conf.default.src_valid_mark" = true;
|
||||||
|
"net.ipv4.conf.all.forwarding" = true;
|
||||||
|
"net.ipv6.conf.all.forwarding" = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openssh.enable = true;
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
ignoreIP = [ netCidr4 netCidr6 ];
|
||||||
|
maxretry = 10;
|
||||||
|
};
|
||||||
|
|
||||||
router-settings.dhcpReservations = [
|
router-settings.dhcpReservations = [
|
||||||
{ ipAddress = serverAddress4;
|
{ ipAddress = serverAddress4;
|
||||||
macAddress = cfg.serverMac; }
|
macAddress = cfg.serverMac; }
|
||||||
|
@ -267,47 +281,8 @@ in {
|
||||||
target4.address = serverAddress4; target6.address = serverAddress6;
|
target4.address = serverAddress4; target6.address = serverAddress6;
|
||||||
}) rangesUdpOnly;
|
}) rangesUdpOnly;
|
||||||
|
|
||||||
imports = [ ./options.nix ];
|
|
||||||
system.stateVersion = "22.11";
|
|
||||||
fileSystems = {
|
|
||||||
# mount root on tmpfs
|
|
||||||
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
|
||||||
options = [ "defaults" "size=2G" "mode=755" ]; };
|
|
||||||
"/persist" =
|
|
||||||
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
|
||||||
options = [ "compress=zstd:15" "subvol=@" ]; };
|
|
||||||
"/boot" =
|
|
||||||
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
|
||||||
options = [ "subvol=@boot" ]; };
|
|
||||||
"/nix" =
|
|
||||||
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
|
|
||||||
options = [ "compress=zstd:15" "subvol=@nix" ]; };
|
|
||||||
};
|
|
||||||
impermanence = {
|
|
||||||
enable = true;
|
|
||||||
path = /persist;
|
|
||||||
directories = [
|
|
||||||
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
|
||||||
{ directory = /root; mode = "0700"; }
|
|
||||||
{ directory = /var/db/dhcpcd; mode = "0755"; }
|
|
||||||
{ directory = /var/lib/private/kea; mode = "0750"; }
|
|
||||||
# for wireguard key
|
|
||||||
{ directory = /secrets; mode = "0000"; }
|
|
||||||
];
|
|
||||||
};
|
|
||||||
boot.kernel.sysctl = {
|
|
||||||
"net.ipv4.conf.all.src_valid_mark" = true;
|
|
||||||
"net.ipv4.conf.default.src_valid_mark" = true;
|
|
||||||
"net.ipv4.conf.all.forwarding" = true;
|
|
||||||
"net.ipv6.conf.all.forwarding" = true;
|
|
||||||
};
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
ignoreIP = [ netCidr4 netCidr6 ];
|
|
||||||
maxretry = 10;
|
|
||||||
};
|
|
||||||
router.enable = true;
|
router.enable = true;
|
||||||
|
# 2.4g ap
|
||||||
router.interfaces.wlan0 = {
|
router.interfaces.wlan0 = {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
hostapd.enable = true;
|
hostapd.enable = true;
|
||||||
|
@ -321,6 +296,7 @@ in {
|
||||||
ht_capab = "[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
ht_capab = "[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
||||||
} // hapdConfig;
|
} // hapdConfig;
|
||||||
};
|
};
|
||||||
|
# 5g ap
|
||||||
router.interfaces.wlan1 = {
|
router.interfaces.wlan1 = {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
hostapd.enable = true;
|
hostapd.enable = true;
|
||||||
|
@ -337,6 +313,7 @@ in {
|
||||||
vht_capab = "[RXLDPC][SHORT-GI-80][SHORT-GI-160][TX-STBC-2BY1][SU-BEAMFORMER][SU-BEAMFORMEE][MU-BEAMFORMER][MU-BEAMFORMEE][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][SOUNDING-DIMENSION-4][BF-ANTENNA-4][VHT160][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]";
|
vht_capab = "[RXLDPC][SHORT-GI-80][SHORT-GI-160][TX-STBC-2BY1][SU-BEAMFORMER][SU-BEAMFORMEE][MU-BEAMFORMER][MU-BEAMFORMEE][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][SOUNDING-DIMENSION-4][BF-ANTENNA-4][VHT160][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]";
|
||||||
} // hapdConfig;
|
} // hapdConfig;
|
||||||
};
|
};
|
||||||
|
# ethernet lan0-3
|
||||||
router.interfaces.lan0 = {
|
router.interfaces.lan0 = {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
||||||
|
@ -353,15 +330,21 @@ in {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
||||||
};
|
};
|
||||||
|
# sfp lan4
|
||||||
router.interfaces.lan4 = {
|
router.interfaces.lan4 = {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
||||||
};
|
};
|
||||||
/*router.interfaces.lan5 = {
|
/*
|
||||||
|
# sfp lan5
|
||||||
|
router.interfaces.lan5 = {
|
||||||
bridge = "br0";
|
bridge = "br0";
|
||||||
|
# i could try to figure out why this doesn't work... but i don't even have sfp to plug into this
|
||||||
systemdLinkMatchConfig.OriginalName = "eth1";
|
systemdLinkMatchConfig.OriginalName = "eth1";
|
||||||
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
systemdLinkLinkConfig.MACAddressPolicy = "persistent";
|
||||||
};*/
|
};
|
||||||
|
*/
|
||||||
|
# ethernet wan
|
||||||
router.interfaces.wan = {
|
router.interfaces.wan = {
|
||||||
dependentServices = [
|
dependentServices = [
|
||||||
{ service = "wireguard-wg0"; inNetns = false; }
|
{ service = "wireguard-wg0"; inNetns = false; }
|
||||||
|
@ -371,7 +354,11 @@ in {
|
||||||
dhcpcd.enable = true;
|
dhcpcd.enable = true;
|
||||||
networkNamespace = "wan";
|
networkNamespace = "wan";
|
||||||
};
|
};
|
||||||
|
# disable default firewall as it uses iptables
|
||||||
|
# (and we have our own firewall)
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
# br0, which bridges all lan devices
|
||||||
|
# this is "the" lan device
|
||||||
router.interfaces.br0 = {
|
router.interfaces.br0 = {
|
||||||
dependentServices = [ { service = "unbound"; bindType = "wants"; } ];
|
dependentServices = [ { service = "unbound"; bindType = "wants"; } ];
|
||||||
ipv4.addresses = [ {
|
ipv4.addresses = [ {
|
||||||
|
@ -390,7 +377,7 @@ in {
|
||||||
gateways = [ gatewayAddr6 ];
|
gateways = [ gatewayAddr6 ];
|
||||||
radvdSettings.AdvAutonomous = true;
|
radvdSettings.AdvAutonomous = true;
|
||||||
coreradSettings.autonomous = true;
|
coreradSettings.autonomous = true;
|
||||||
# don't autoallocate addresses
|
# don't autoallocate addresses, keep autonomous ones
|
||||||
keaSettings.pools = [ ];
|
keaSettings.pools = [ ];
|
||||||
# just assign the reservations
|
# just assign the reservations
|
||||||
keaSettings.reservations = map (res: {
|
keaSettings.reservations = map (res: {
|
||||||
|
@ -412,6 +399,7 @@ in {
|
||||||
ipv6.radvd.enable = true;
|
ipv6.radvd.enable = true;
|
||||||
ipv6.kea.enable = true;
|
ipv6.kea.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
router.networkNamespaces.default = {
|
router.networkNamespaces.default = {
|
||||||
# set routing table depending on packet mark
|
# set routing table depending on packet mark
|
||||||
rules = [
|
rules = [
|
||||||
|
@ -420,6 +408,7 @@ in {
|
||||||
# don't add vpn_table as it should be the default
|
# don't add vpn_table as it should be the default
|
||||||
{ ipv6 = false; extraArgs = [ "fwmark" iot_table "table" iot_table ]; }
|
{ ipv6 = false; extraArgs = [ "fwmark" iot_table "table" iot_table ]; }
|
||||||
{ ipv6 = true; extraArgs = [ "fwmark" iot_table "table" iot_table ]; }
|
{ ipv6 = true; extraArgs = [ "fwmark" iot_table "table" iot_table ]; }
|
||||||
|
# below is dnat config
|
||||||
] ++ builtins.concatLists (map (rule: let
|
] ++ builtins.concatLists (map (rule: let
|
||||||
table = if rule.inVpn then 0 else wan_table;
|
table = if rule.inVpn then 0 else wan_table;
|
||||||
forEachPort = func: port:
|
forEachPort = func: port:
|
||||||
|
@ -436,15 +425,18 @@ in {
|
||||||
++ lib.optionals (rule.udp && rule.target4 != null) (map (x: { ipv6 = false; extraArgs = x; }) (gen 32 "udp" rule.target4))
|
++ lib.optionals (rule.udp && rule.target4 != null) (map (x: { ipv6 = false; extraArgs = x; }) (gen 32 "udp" rule.target4))
|
||||||
++ lib.optionals (rule.tcp && rule.target6 != null) (map (x: { ipv6 = true; extraArgs = x; }) (gen 128 "tcp" rule.target6))
|
++ lib.optionals (rule.tcp && rule.target6 != null) (map (x: { ipv6 = true; extraArgs = x; }) (gen 128 "tcp" rule.target6))
|
||||||
++ lib.optionals (rule.udp && rule.target6 != null) (map (x: { ipv6 = true; extraArgs = x; }) (gen 128 "udp" rule.target6))
|
++ lib.optionals (rule.udp && rule.target6 != null) (map (x: { ipv6 = true; extraArgs = x; }) (gen 128 "udp" rule.target6))
|
||||||
|
|
||||||
) (builtins.filter (x: (x.tcp || x.udp) && dnatRuleMode x == "rule") cfg.dnatRules));
|
) (builtins.filter (x: (x.tcp || x.udp) && dnatRuleMode x == "rule") cfg.dnatRules));
|
||||||
|
|
||||||
|
# nftables rules
|
||||||
|
# things to note: this has the code for switching between rtables
|
||||||
|
# otherwise, boring stuff
|
||||||
nftables.stopJsonRules = mkFlushRules {};
|
nftables.stopJsonRules = mkFlushRules {};
|
||||||
nftables.jsonRules = mkRules {
|
nftables.jsonRules = mkRules {
|
||||||
selfIp4 = gatewayAddr4;
|
selfIp4 = gatewayAddr4;
|
||||||
selfIp6 = gatewayAddr6;
|
selfIp6 = gatewayAddr6;
|
||||||
lans = [ "br0" ];
|
lans = [ "br0" ];
|
||||||
wans = [ "wg0" "veth-wan-a" ];
|
wans = [ "wg0" "veth-wan-a" ];
|
||||||
|
logPrefix = "lan ";
|
||||||
netdevIngressWanRules = with notnft.dsl; with payload; [
|
netdevIngressWanRules = with notnft.dsl; with payload; [
|
||||||
# check oif only from vpn
|
# check oif only from vpn
|
||||||
# dont check it from veth-wan-a because of dnat fuckery and because we already check packets coming from wan there
|
# dont check it from veth-wan-a because of dnat fuckery and because we already check packets coming from wan there
|
||||||
|
@ -470,7 +462,6 @@ in {
|
||||||
[(is.eq meta.iifname "veth-wan-a") (is.eq meta.oifname "br0") accept]
|
[(is.eq meta.iifname "veth-wan-a") (is.eq meta.oifname "br0") accept]
|
||||||
# allow dnat ("ct status dnat" doesn't work)
|
# allow dnat ("ct status dnat" doesn't work)
|
||||||
];
|
];
|
||||||
logPrefix = "lan ";
|
|
||||||
inetInboundWanRules = with notnft.dsl; with payload; [
|
inetInboundWanRules = with notnft.dsl; with payload; [
|
||||||
[(is.eq th.dport 22) accept]
|
[(is.eq th.dport 22) accept]
|
||||||
[(is.eq ip.saddr (cidr netnsCidr4)) accept]
|
[(is.eq ip.saddr (cidr netnsCidr4)) accept]
|
||||||
|
@ -539,6 +530,11 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# veths are virtual ethernet cables
|
||||||
|
# veth-wan-a - located in the default namespace
|
||||||
|
# veth-wan-b - located in the wan namespace
|
||||||
|
# this allows routing traffic to wan namespace from default namespace via veth-wan-a
|
||||||
|
# (and vice versa)
|
||||||
router.veths.veth-wan-a.peerName = "veth-wan-b";
|
router.veths.veth-wan-a.peerName = "veth-wan-b";
|
||||||
router.interfaces.veth-wan-a = {
|
router.interfaces.veth-wan-a = {
|
||||||
ipv4.addresses = [ netnsParsedCidr4 ];
|
ipv4.addresses = [ netnsParsedCidr4 ];
|
||||||
|
@ -566,6 +562,7 @@ in {
|
||||||
address = wanNetnsAddr6;
|
address = wanNetnsAddr6;
|
||||||
inherit (netnsParsedCidr6) prefixLength;
|
inherit (netnsParsedCidr6) prefixLength;
|
||||||
} ];
|
} ];
|
||||||
|
# allow wan->default namespace communication
|
||||||
ipv4.routes = [
|
ipv4.routes = [
|
||||||
{ extraArgs = [ netCidr4 "via" mainNetnsAddr4 ]; }
|
{ extraArgs = [ netCidr4 "via" mainNetnsAddr4 ]; }
|
||||||
];
|
];
|
||||||
|
@ -574,6 +571,7 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
router.networkNamespaces.wan = {
|
router.networkNamespaces.wan = {
|
||||||
|
# this is the even more boring nftables config
|
||||||
nftables.stopJsonRules = mkFlushRules {};
|
nftables.stopJsonRules = mkFlushRules {};
|
||||||
nftables.jsonRules = mkRules {
|
nftables.jsonRules = mkRules {
|
||||||
selfIp4 = wanNetnsAddr4;
|
selfIp4 = wanNetnsAddr4;
|
||||||
|
@ -634,11 +632,15 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# vpn socket is in wan namespace, meaning traffic gets sent through the wan namespace
|
||||||
|
# vpn interface is in default namespace, meaning it can be used in the default namespace
|
||||||
networking.wireguard.interfaces.wg0 = cfg.wireguard // {
|
networking.wireguard.interfaces.wg0 = cfg.wireguard // {
|
||||||
socketNamespace = "wan";
|
socketNamespace = "wan";
|
||||||
interfaceNamespace = "init";
|
interfaceNamespace = "init";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# use main netns's address instead of 127.0.0.1
|
||||||
|
# this ensures all network namespaces can access it
|
||||||
networking.resolvconf.extraConfig = ''
|
networking.resolvconf.extraConfig = ''
|
||||||
name_servers="${mainNetnsAddr4} ${mainNetnsAddr6}"
|
name_servers="${mainNetnsAddr4} ${mainNetnsAddr6}"
|
||||||
'';
|
'';
|
||||||
|
@ -662,7 +664,7 @@ in {
|
||||||
module-config = ''"validator python iterator"'';
|
module-config = ''"validator python iterator"'';
|
||||||
local-zone = [
|
local-zone = [
|
||||||
''"local." static''
|
''"local." static''
|
||||||
''"${cfg.domainName}." typetransparent''
|
''"${server-config.server.domainName}." typetransparent''
|
||||||
];
|
];
|
||||||
local-data = builtins.concatLists (map (domain:
|
local-data = builtins.concatLists (map (domain:
|
||||||
[
|
[
|
||||||
|
@ -676,7 +678,7 @@ in {
|
||||||
};
|
};
|
||||||
networking.hosts."${serverAddress4}" = hosted-domains;
|
networking.hosts."${serverAddress4}" = hosted-domains;
|
||||||
networking.hosts."${serverAddress6}" = hosted-domains;
|
networking.hosts."${serverAddress6}" = hosted-domains;
|
||||||
systemd.services.unbound = {
|
systemd.services.unbound = lib.mkIf config.services.unbound.enable {
|
||||||
environment.PYTHONPATH = "${unbound-python}/${unbound-python.sitePackages}";
|
environment.PYTHONPATH = "${unbound-python}/${unbound-python.sitePackages}";
|
||||||
environment.MDNS_ACCEPT_NAMES = "^.*\\.local\\.$";
|
environment.MDNS_ACCEPT_NAMES = "^.*\\.local\\.$";
|
||||||
# load vpn_domains.json and vpn_ips.json, as well as unvpn_domains.json and unvpn_ips.json
|
# load vpn_domains.json and vpn_ips.json, as well as unvpn_domains.json and unvpn_ips.json
|
||||||
|
@ -710,7 +712,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# run an extra sshd so we can connect even if forwarding/routing between namespaces breaks
|
# run an extra sshd so we can connect even if forwarding/routing between namespaces breaks
|
||||||
# i don't want to connect by uart each time something goes wrong
|
|
||||||
systemd.services.sshd-wan = {
|
systemd.services.sshd-wan = {
|
||||||
description = "SSH Daemon (WAN)";
|
description = "SSH Daemon (WAN)";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
@ -742,6 +743,7 @@ in {
|
||||||
startWhenNeeded = false;
|
startWhenNeeded = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# share printers (and allow unbound to resolve .local)
|
||||||
services.avahi = {
|
services.avahi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "router";
|
hostName = "router";
|
||||||
|
@ -757,4 +759,12 @@ in {
|
||||||
# it takes a stupidly long time when done via qemu
|
# it takes a stupidly long time when done via qemu
|
||||||
# (also it's supposed to be disabled by default but it was enabled for me, why?)
|
# (also it's supposed to be disabled by default but it was enabled for me, why?)
|
||||||
documentation.man.generateCaches = false;
|
documentation.man.generateCaches = false;
|
||||||
|
|
||||||
|
impermanence.directories = [
|
||||||
|
# for wireguard key
|
||||||
|
{ directory = /secrets; mode = "0000"; }
|
||||||
|
# my custom impermanence module doesnt detect it
|
||||||
|
{ directory = /var/db/dhcpcd; mode = "0755"; }
|
||||||
|
{ directory = /var/lib/private/kea; mode = "0750"; }
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -55,11 +55,18 @@
|
||||||
] ++ (lib.optionals (cfg.resolution == "1920x1080") [
|
] ++ (lib.optionals (cfg.resolution == "1920x1080") [
|
||||||
"fbcon=font:TER16x32"
|
"fbcon=font:TER16x32"
|
||||||
]);
|
]);
|
||||||
|
console.font =
|
||||||
|
lib.mkIf (cfg.resolution == "1920x1080" || cfg.resolution == "1366x768") {
|
||||||
|
"1920x1080" = "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
|
||||||
|
"1366x768" = "${pkgs.terminus_font}/share/consolefonts/ter-v24n.psf.gz";
|
||||||
|
}.${cfg.resolution};
|
||||||
boot.loader.grub = lib.mkIf (cfg.resolution != null) {
|
boot.loader.grub = lib.mkIf (cfg.resolution != null) {
|
||||||
gfxmodeEfi = cfg.resolution;
|
gfxmodeEfi = cfg.resolution;
|
||||||
gfxmodeBios = cfg.resolution;
|
gfxmodeBios = cfg.resolution;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.usePredictableInterfaceNames = lib.mkDefault true;
|
||||||
|
|
||||||
hardware.enableRedistributableFirmware = true;
|
hardware.enableRedistributableFirmware = true;
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
services.openssh.settings.PasswordAuthentication = false;
|
||||||
services.tlp.settings.USB_EXCLUDE_PHONE = 1;
|
services.tlp.settings.USB_EXCLUDE_PHONE = 1;
|
||||||
|
|
Loading…
Reference in a new issue