diff --git a/flake.nix b/flake.nix
index d61bcc8..e8d1f34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -198,6 +198,24 @@
 ];
 };
 
+ xcy = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+
+ specialArgs = {
+ inherit inputs outputs;
+ pkgs-unstable = import nixpkgs-unstable {
+ inherit system;
+ };
+ };
+
+ modules = [
+ disko.nixosModules.disko
+ agenix.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
+ ./hosts/xcy
+ ];
+ };
+
 };
 
 homeConfigurations = {
diff --git a/hosts/xcy/default.nix b/hosts/xcy/default.nix
new file mode 100644
index 0000000..0c62fef
--- /dev/null
+++ b/hosts/xcy/default.nix
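Review bot: `pkgs-unstable` is built with `import nixpkgs-unstable { inherit system; }`, which instantiates that nixpkgs with its default `config` and no overlays, so whatever `nixpkgs.config` or `nixpkgs.overlays` the host modules set will not apply to packages taken from `pkgs-unstable`; if that is intended, a one-line comment on the `pkgs-unstable =` line saying so would spare the next reader the surprise, otherwise pass `config`/`overlays` to the import explicitly. The `rec` on the `nixosSystem` argument set exists only so `system` can be reused inside `specialArgs`, which is fine but worth a short comment since `rec` attrsets are otherwise usually avoided. I cannot see the other `nixosConfigurations` entries in this flake, so I cannot tell whether the same three module imports are repeated per host; if they are, a shared list would keep the hosts in step.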
@@ -0,0 +1,104 @@
+{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }:
+
+{
+ imports =
+ [
+ ./secrets.nix
+ ./disko.nix
+
+ ../../users/julius/nixos-server.nix
+ ../../modules/nix.nix
+ ../../modules/locale.nix
+ ../../modules/server-cli.nix
+ ../../modules/sshd.nix
+ ../../modules/docker.nix
+ ../../modules/hawser.nix
+ ../../modules/netbird-client.nix
+ ../../modules/auto-upgrade.nix
+ "${inputs.secrets}/modules/opkssh.nix"
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ services.netbird-client = {
+ enable = true;
+ managementUrl = "https://netbird.jfreudenberger.de";
+ host.setupKey = "86D1861F-193B-44F5-9B03-1E34C126FA6F";
+ docker.setupKey = "A9715FB6-8BF2-4274-BE02-43740A3BD4D9";
+ };
+
+ services.hawser = {
+ enable = true;
+ dockhandServerUrl = "wss://dockhand-connect.jfreudenberger.de/api/hawser/connect";
+ tokenSecretFile = config.age.secrets.hawser-token;
+ };
+
+ networking.firewall = {
+ checkReversePath = "loose";
+ allowedTCPPorts = [
+ # Ports for Unifi Server
+ 11443
+ 5005
+ 9543
+ 6789
+ 8080
+ 8443
+ 8444
+ 11084
+ 5671
+ 8880
+ 8881
+ 8882
+
+ # Home assistant
+ 8123
+ ];
+ allowedUDPPorts = [
+ # Unifi Server
+ 3478
+ 5514
+ 10003
+ ];
+ };
+
+
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ tmp.useTmpfs = true;
+ growPartition = true;
+ initrd.systemd.enable = true;
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub.enable = false;
+ systemd-boot.enable = false;
+ };
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ extraEfiSysMountPoints = [
+ "/boot-fallback"
+ ];
+ };
+ };
+
+ networking.hostName = "xcy"; # Define your hostname.
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/hosts/xcy/disko.nix b/hosts/xcy/disko.nix
new file mode 100644
index 0000000..a75ce71
--- /dev/null
+++ b/hosts/xcy/disko.nix
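Review bot: The NetBird enrollment credentials on the `host.setupKey` and `docker.setupKey` lines are plain string literals in the module, so they land both in git history and in the world-readable Nix store of the built system, whereas the comparable `services.hawser` token is routed through agenix; if the custom `services.netbird-client` module offers a file-based option, those keys belong in `secrets.nix` next to `hawser-token`, and since they are now committed they should be treated as exposed and rotated on the NetBird management side. On the `tokenSecretFile` line, `config.age.secrets.hawser-token` is the whole agenix secret attrset rather than its path; unless `../../modules/hawser.nix` deliberately accepts the attrset, this should read `tokenSecretFile = config.age.secrets.hawser-token.path;`. The `allowedTCPPorts` list opens thirteen ports (including 8080, 8443 and Home Assistant's 8123) on every interface, in combination with `checkReversePath = "loose"` and both forwarding sysctls; a comment stating which interface or peer network these are meant to be reachable from, or scoping them via `networking.firewall.interfaces.<name>.allowedTCPPorts`, would make the exposure deliberate rather than implicit. The `net.ipv4.conf.all.forwarding` / `net.ipv6.conf.all.forwarding` entries also deserve a why-comment (presumably Docker or NetBird routing, but the file does not say), since they turn the host into a router.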
@@ -0,0 +1,103 @@
+{
+ disko.devices = {
+ disk = {
+ disk1 = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H809669K";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02"; # for grub MBR
+ size = "1M";
+ priority = 1; # Needs to be first partition
+ };
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ crypt_p1 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "p1";
+ settings = {
+ allowDiscards = true;
+ };
+ };
+ };
+ };
+ };
+ };
+ disk2 = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-eui.1843558044350001001b448b4495a259";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02"; # for grub MBR
+ size = "1M";
+ priority = 1; # Needs to be first partition
+ };
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot-fallback";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ crypt_p2 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "p2";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-d raid1"
+ "-m raid1"
+ "/dev/mapper/p1"
+ ];
+ subvolumes = {
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ mountOptions = [ "compress=zstd" "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "32G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/xcy/hardware-configuration.nix b/hosts/xcy/hardware-configuration.nix
new file mode 100644
index 0000000..d4ae174
--- /dev/null
+++ b/hosts/xcy/hardware-configuration.nix
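Review bot: On both disks the `MBR` and `ESP` partitions carry `priority = 1`, so the `# Needs to be first partition` comment on `MBR` is not actually enforced — disko orders partitions by priority and, as far as I recall, falls back to attribute order on a tie, under which `ESP` sorts before `MBR`; either give `ESP` `priority = 2;` or drop the `EF02` partition altogether, which is unused anyway because `hosts/xcy/default.nix` sets `boot.loader.grub.enable = false`, leaving the `# for grub MBR` comment misleading. The `"-d raid1"` / `"-m raid1"` entries in `extraArgs` are each a single list element; whether disko joins the list with spaces or passes the elements as separate arguments, writing them as `"-d" "raid1" "-m" "raid1"` works in both cases and avoids the ambiguity. The btrfs under `crypt_p2` spans `/dev/mapper/p1`, which is the LUKS volume declared on `disk1` with no content of its own; a comment on the `extraArgs` list saying that the raid1 is created from disk2's side and requires `p1` to be unlocked first would explain the otherwise odd-looking empty `crypt_p1`. `allowDiscards = true` on both LUKS volumes is a deliberate trade-off (TRIM passes through the mapping, so the SSD's free-space layout reveals how much of the encrypted volume is in use) and deserves a one-line comment so it is not mistaken for an oversight.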
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/xcy/secrets.nix b/hosts/xcy/secrets.nix
new file mode 100644
index 0000000..4add6e7
--- /dev/null
+++ b/hosts/xcy/secrets.nix
@@ -0,0 +1,6 @@
+{ inputs, ... }:
+{
+ age.secrets = {
+ hawser-token.file = "${inputs.secrets}/secrets/xcy/hawser-token";
+ };
+}