diff --git a/flake.nix b/flake.nix
index 3fa246c..74a3034 100644
--- a/flake.nix
+++ b/flake.nix
@@ -167,6 +167,24 @@ ]; }; + srv03 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + pkgs-unstable = import nixpkgs-unstable { + inherit system; + config.allowUnfree = true; + }; + }; + + modules = [ + disko.nixosModules.disko + agenix.nixosModules.default + ./hosts/srv03 + ]; + }; + }; homeConfigurations = {
diff --git a/hosts/srv03/default.nix b/hosts/srv03/default.nix
new file mode 100644
index 0000000..b56205c
--- /dev/null
+++ b/hosts/srv03/default.nix
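Review bot: The new `srv03 = nixpkgs.lib.nixosSystem rec { ... }` entry uses `rec` only so that `pkgs-unstable = import nixpkgs-unstable { inherit system; ... }` can read `system`; binding it with `let system = "x86_64-linux"; in nixpkgs.lib.nixosSystem { ... }` gives the same result without making the call argument a recursive attrset. Judging by the `];`/`};` context lines just above it, the entry also repeats the scaffold of the preceding host entry, so a small helper taking the host path would keep the hosts in step — that is inferred from the context lines only, since the earlier entries are outside this hunk.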
@@ -0,0 +1,91 @@
+{ inputs, outputs, config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./secrets.nix
+
+ ../../modules/disko/legacy-full-ext4-swap.nix
+
+ ../../users/julius/nixos-server.nix
+ ../../modules/nix.nix
+ ../../modules/locale.nix
+ ../../modules/server-cli.nix
+ ../../modules/sshd.nix
+ ../../modules/qemu-guest.nix
+ ../../modules/docker.nix
+ ../../modules/traefik.nix
+ ../../modules/pocket-id.nix
+ ../../modules/auto-upgrade.nix
+ "${inputs.secrets}/modules/opkssh.nix"
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ #services.openssh.openFirewall = false;
+
+ services = {
+ traefik-docker = {
+ enable = true;
+ dashboardUrl = "traefik.netbird.jfreudenberger.de";
+ dnsChallengeProvider = "inwx";
+ dnsSecrets = [
+ config.age.secrets.inwx
+ ];
+ };
+
+ pocket-id-docker.enable = true;
+ pocket-id = {
+ settings = {
+ APP_URL = "https://login.jfreudenberger.de";
+ TRUST_PROXY = true;
+ };
+ environmentFile = config.age.secrets.pocket-id.path;
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."10-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "no";
+ address = [
+ "46.224.47.24/32"
+ "2a01:4f8:c013:bf68::1/64"
+ ];
+ routes = [
+ { Gateway = "172.31.1.1"; GatewayOnLink = true; }
+ { Gateway = "fe80::1"; GatewayOnLink = true; }
+ ];
+ dns = [ "9.9.9.9" ];
+ };
+ };
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ growPartition = true;
+ kernelParams = [ "console=ttyS0" ];
+ loader = {
+ grub.enable = true;
+ };
+ };
+
+ # Disable classic networking configuration
+ networking.useDHCP = lib.mkForce false;
+
+ networking.hostName = "srv03"; # Define your hostname.
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/hosts/srv03/hardware-configuration.nix b/hosts/srv03/hardware-configuration.nix
new file mode 100644
index 0000000..729ee98
--- /dev/null
+++ b/hosts/srv03/hardware-configuration.nix
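Review bot: `dnsSecrets = [ config.age.secrets.inwx ];` in the `services.traefik-docker` block hands the whole agenix secret attrset to the module, whereas `environmentFile = config.age.secrets.pocket-id.path;` a few lines below passes a path; unless `modules/traefik.nix` declares `dnsSecrets` as a list of secret attrsets this should be `config.age.secrets.inwx.path` — confirm against that module's option type. `TRUST_PROXY = true;` makes pocket-id believe forwarded client-address headers, which is only sound while the container is reachable solely through traefik and not on a published host port; a comment such as `# TRUST_PROXY relies on pocket-id being reachable only via traefik` would record that assumption next to the setting. The commented-out `#services.openssh.openFirewall = false;` leaves the reader guessing whether sshd is meant to stay open on the static WAN address configured under `systemd.network`; either delete the line or state the intent in a comment.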
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/srv03/secrets.nix b/hosts/srv03/secrets.nix
new file mode 100644
index 0000000..2a119d0
--- /dev/null
+++ b/hosts/srv03/secrets.nix
@@ -0,0 +1,7 @@
+{ inputs, ... }:
+{
+ age.secrets = {
+ inwx.file = "${inputs.secrets}/secrets/dns-management/inwx";
+ pocket-id.file = "${inputs.secrets}/secrets/srv03/pocket-id";
+ };
+}
diff --git a/modules/disko/legacy-full-ext4-swap.nix b/modules/disko/legacy-full-ext4-swap.nix
new file mode 100644
index 0000000..c06727f
--- /dev/null
+++ b/modules/disko/legacy-full-ext4-swap.nix
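Review bot: In hosts/srv03/secrets.nix, `inwx.file` points at a secret under `secrets/dns-management/`, shared rather than host-scoped like `secrets/srv03/pocket-id`, so srv03 receives DNS-API credentials whose reach covers every zone that token controls — inferred from the path layout only. If the provider supports it, a token limited to the records traefik needs for its DNS challenge, stored host-scoped, would keep a compromise of this host from affecting DNS used by other hosts; a comment such as `# shared DNS-management token, not scoped to srv03` would at least make the scope explicit either way.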
@@ -0,0 +1,45 @@
+{
+ disko.devices = {
+ disk = {
+ sda = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02"; # for grub MBR
+ size = "1M";
+ priority = 1; # Needs to be first partition
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ end = "-1G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ encryptedSwap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ priority = 100;
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
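Review bot: `priority = 100;` inside `encryptedSwap.content` reads the same as the partition-ordering `priority = 1;` on `MBR` above, but sitting under `content = { type = "swap"; ... }` it is presumably the swapon priority rather than a partition ordering hint; a comment like `# swapon priority, not partition order` would keep the two from being confused — confirm against disko's swap content options. The module hard-codes `device = "/dev/sda";`, so it is only reusable on hosts whose root disk enumerates as sda (plausible for the virtio-scsi guest in hosts/srv03); if it is meant as a shared `modules/disko` file, taking the device through a `lib.mkOption` or a function argument would make that explicit. `randomEncryption = true` keeps swap contents unreadable across reboots, while `/` stays plain ext4 as the file name says, which deserves a one-line header comment so nobody expects data-at-rest protection from this layout.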