diff --git a/flake.lock b/flake.lock index 3348a05..d4e6d06 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1770165109, - "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1772058043, - "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=", + "lastModified": 1769608722, + "narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5", + "rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", "type": "github" }, "original": { @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1773889306, - "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1774559029, - "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=", + "lastModified": 1769580047, + "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", "owner": "nix-community", "repo": "home-manager", - "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3", + "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", "type": "github" }, "original": { 
@@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1774465523, - "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=", + "lastModified": 1769302137, + "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29", + "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1774388614, - "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=", + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "type": "github" }, "original": { @@ -261,16 +261,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1774386573, - "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", + "lastModified": 1769861584, + "narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", + "rev": "015e5f32a6258dc210b8e02fb47d86983959e243", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "pull/483348/merge", "repo": "nixpkgs", "type": "github" } @@ -338,11 +338,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1774571252, - "narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=", + "lastModified": 1769426267, + "narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", "ref": "refs/heads/main", - "rev": "7965907ae885d77acb3c4ecc11cee096a12af868", - "revCount": 25, + "rev": "ebefef468e16eb692df0a3d54352c94a56110a97", + "revCount": 20, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, diff --git a/flake.nix b/flake.nix index 04be147..6615b6c 100644 
--- a/flake.nix +++ b/flake.nix @@ -115,7 +115,7 @@ ]; }; - busch = nixpkgs.lib.nixosSystem rec { + server = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; specialArgs = { @@ -123,8 +123,7 @@ }; modules = [ - ./hosts/busch - disko.nixosModules.disko + ./hosts/nixos-server-test proxmox-nixos.nixosModules.proxmox-ve ({...}: { diff --git a/hosts/busch/disko.nix b/hosts/busch/disko.nix deleted file mode 100644 index 5563eae..0000000 --- a/hosts/busch/disko.nix +++ /dev/null 
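Review bot: The `nixpkgs-unstable` input this flake consumes is recorded in the accompanying flake.lock hunk as `"ref": "pull/483348/merge"` where it was `nixos-unstable`, yet no hunk here touches the input declaration in flake.nix, so the lock was presumably regenerated with an override. A `pull/N/merge` ref is a mutable pointer to an unmerged PR's merge commit, so the next `nix flake update` follows whatever that PR and its author contain at that moment with no review gate; if the PR is needed, pin it by `rev` in flake.nix with a comment naming the PR and why, otherwise restore `ref = "nixos-unstable"`. The same lock also moves every input's `lastModified` backwards by weeks to months, which rolls back nixpkgs (and agenix, home-manager, disko) fixes on all hosts built from this flake; confirm that is intended rather than a stale lock checked in by accident. The `inputs` block of flake.nix is outside this hunk.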
@@ -1,107 +0,0 @@ -{ - disko.devices = { - disk = { - disk1 = { - type = "disk"; - device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T"; - content = { - type = "gpt"; - partitions = { - MBR = { - type = "EF02"; # for grub MBR - size = "1M"; - priority = 1; # Needs to be first partition - }; - ESP = { - priority = 1; - name = "ESP"; - size = "2G"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - crypt_p1 = { - size = "100%"; - content = { - type = "luks"; - name = "p1"; - settings = { - allowDiscards = true; - }; - }; - }; - }; - }; - }; - disk2 = { - type = "disk"; - device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N"; - content = { - type = "gpt"; - partitions = { - MBR = { - type = "EF02"; # for grub MBR - size = "1M"; - priority = 1; # Needs to be first partition - }; - ESP = { - priority = 1; - name = "ESP"; - size = "2G"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot-fallback"; - mountOptions = [ "umask=0077" ]; - }; - }; - crypt_p2 = { - size = "100%"; - content = { - type = "luks"; - name = "p2"; - settings = { - allowDiscards = true; - }; - content = { - type = "btrfs"; - extraArgs = [ - "-d raid1" - "-m raid1" - "/dev/mapper/p1" - ]; - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - "/nix" = { - mountOptions = [ "compress=zstd" "noatime" ]; - mountpoint = "/nix"; - }; - "/pve-cluster" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/var/lib/pve-cluster"; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/busch/hardware-configuration.nix b/hosts/busch/hardware-configuration.nix deleted file mode 100644 index 2de4340..0000000 
--- a/hosts/busch/hardware-configuration.nix +++ /dev/null @@ -1,22 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ]; - boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ]; - - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/busch/default.nix b/hosts/nixos-server-test/default.nix similarity index 83% rename from hosts/busch/default.nix rename to hosts/nixos-server-test/default.nix index bf64cb7..409e2fa 100644 --- a/hosts/busch/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -3,16 +3,10 @@ { imports = [ - ./disko.nix - ../../modules/nix.nix - ../../modules/auto-upgrade.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix - ${inputs.secrets}/modules/opkssh.nix - - ../../modules/intel-cpu.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; @@ -20,10 +14,11 @@ boot = { loader.grub = { enable = true; + device = "/dev/vda"; }; tmp.useTmpfs = true; }; - networking.hostName = "busch"; # Define your hostname. + networking.hostName = "nixos-server"; # Define your hostname. users = { users = { julius = { 
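Review bot: The imports hunk drops `../../modules/auto-upgrade.nix` and `${inputs.secrets}/modules/opkssh.nix` from this host, so the server no longer receives unattended updates and SSH access rests solely on whatever static keys the `julius` user carries (its `users.users.julius` block continues past the end of the hunk). That may be acceptable for a throwaway VM, but the file still imports `sshd.nix` and enables Proxmox VE, and the only signal that the host is disposable is the directory name; a comment next to the imports would stop the next reader from copying it as a server template, e.g. `# Test VM only: auto-upgrade and opkssh left out on purpose — do not reuse for a real host`. Consider also making `networking.hostName` match the directory (`nixos-server-test`) so the test box stays distinguishable in logs from a future production `nixos-server`.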
@@ -48,18 +43,12 @@ ]; }; - services = { - proxmox-ve = { - enable = true; - ipAddress = "192.168.7.252"; + services.proxmox-ve = { + enable = true; + ipAddress = "192.168.122.71"; - # Make vmbr0 bridge visible in Proxmox web interface - bridges = [ "vmbr0" ]; - }; - openiscsi = { - enable = true; - name = "busch"; - }; + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; }; networking.useDHCP = false; @@ -68,7 +57,7 @@ enable = true; networks."10-lan" = { - matchConfig.Name = [ "enp0s25" ]; + matchConfig.Name = [ "enp1s0" ]; networkConfig = { Bridge = "vmbr0"; }; diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix new file mode 100644 index 0000000..6dfd7c4 --- /dev/null +++ b/hosts/nixos-server-test/hardware-configuration.nix 
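Review bot: `services.proxmox-ve.ipAddress = "192.168.122.71"` is a hard-coded address while the same file sets `networking.useDHCP = false` and the hunk only shows `enp1s0` being enslaved to `vmbr0`, so the static address of `vmbr0` must be declared somewhere outside this hunk and kept in sync with this value by hand. 192.168.122.0/24 is libvirt's default NAT subnet, which fits a test VM but will silently be wrong if the guest is ever moved to a bridged network; record the coupling with `# must equal the static address configured on vmbr0 (libvirt default NAT range)`, or derive it from the networkd address if the module accepts that. The `networks."10-lan"` block in the second hunk continues past the hunk boundary.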
@@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/intel-cpu.nix b/modules/intel-cpu.nix deleted file mode 100644 index 7e037c3..0000000 --- a/modules/intel-cpu.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - pkgs, - ... -}: { - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # Enable Hardware Acceleration - vpl-gpu-rt # Enable QSV - ]; - }; -} diff --git a/modules/laptop.nix b/modules/laptop.nix index 9a95899..49e7492 100644 --- a/modules/laptop.nix +++ b/modules/laptop.nix @@ -4,7 +4,7 @@ ... }: { - boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; services.logind.settings.Login = { HandleLidSwitch= "suspend-then-hibernate"; diff --git a/modules/network-client.nix b/modules/network-client.nix index a72a9f3..4efdecd 100644 
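Review bot: `pkgs.linuxKernel.packages.linux_zen` in modules/laptop.nix is the long-form path; nixpkgs exposes the same attribute as `pkgs.linuxPackages_zen`, matching how the replaced `pkgs.linuxPackages_latest` was spelled, so `boot.kernelPackages = pkgs.linuxPackages_zen;` reads more consistently. Moving from mainline-latest to Zen also adds an out-of-tree patch set to the kernel trust base of every laptop importing this module, which deserves a why-comment on the line, e.g. `# Zen kernel: out-of-tree patch set on top of latest stable — reason: …`. The attribute set this line belongs to starts before the hunk.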
--- a/modules/network-client.nix +++ b/modules/network-client.nix @@ -13,7 +13,19 @@ firewall = { # if packets are still dropped, they will show up in dmesg logReversePathDrops = true; - checkReversePath = "loose"; + # wireguard trips rpfilter up + extraCommands = '' + iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN + ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN + iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN + ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN + ''; + extraStopCommands = '' + iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true + ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true + iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true + ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true + ''; }; }; } diff --git a/modules/newt.nix b/modules/newt.nix index 5f7a8f4..1f8dafd 100644 --- a/modules/newt.nix +++ b/modules/newt.nix @@ -44,16 +44,16 @@ in { }; }; - systemd.services."docker-newt" = { + systemd.services."docker-pangolin" = { after = [ - "docker-network-newt.service" + "docker-network-pangolin.service" ]; requires = [ - "docker-network-newt.service" + "docker-network-pangolin.service" ]; }; - systemd.services."docker-network-newt" = { + systemd.services."docker-network-pangolin" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; diff --git a/modules/opkssh.sample.nix b/modules/opkssh.sample.nix deleted file mode 100644 index 55c8383..0000000 --- a/modules/opkssh.sample.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - ... -}: { - services.opkssh = { - enable = true; - providers = { - pocket-id = { - issuer = "https://example.com"; - clientId = ""; - lifetime = "12h"; - }; - }; - authorizations = [ - { user = ""; principal = ""; issuer = "https://example.com"; } - ]; - }; -} - 
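Review bot: The four `-j RETURN` rules added to `nixos-fw-rpfilter` exempt every UDP packet with source port 1194 or destination port 1194, on any interface and from any source, from reverse-path filtering, so a remote sender can opt out of the host's anti-spoofing check simply by choosing source port 1194 and reach any UDP listener with a forged source address. Narrow the exemption to the tunnel endpoint, e.g. `iptables -t mangle -I nixos-fw-rpfilter -s <endpoint-ip> -p udp -m udp --sport 1194 -j RETURN` (likewise for ip6tables), and drop the `--dport 1194` pair unless this client actually listens on 1194, which a roaming WireGuard peer normally does not. Port 1194 is OpenVPN's registered port while WireGuard's conventional default is 51820, so confirm the tunnel's endpoint port really is 1194 (the tunnel definition is not in this module) and say where it comes from: `# wireguard trips rpfilter up — our endpoint listens on UDP/1194`. Note also that `extraCommands` exists only for the iptables backend; on a host with `networking.nftables.enable = true` this module should fail evaluation with an assertion, whereas the removed `checkReversePath = "loose"` worked on both backends.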
diff --git a/modules/pangolin.nix b/modules/pangolin.nix index 55e5fed..3da3c9e 100644 --- a/modules/pangolin.nix +++ b/modules/pangolin.nix @@ -1,8 +1,5 @@ { pkgs-unstable, - utils, - config, - lib, ... }: { @@ -29,13 +26,6 @@ }; }; - systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [ - (lib.getExe pkgs-unstable.fosrl-gerbil) - "--reachableAt=http://localhost:${toString config.services.gerbil.port}" - "--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key" - "--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config" - ]); - } # Settings needed on the host diff --git a/modules/sshd.nix b/modules/sshd.nix index 551c0d4..49af4a5 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix @@ -3,17 +3,11 @@ lib, ... }: { - services = { - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - }; - fail2ban = { - enable = true; - bantime = "1h"; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; }; }; } diff --git a/modules/typesetting.nix b/modules/typesetting.nix index 272b263..b4e321f 100644 --- a/modules/typesetting.nix +++ b/modules/typesetting.nix @@ -7,6 +7,8 @@ typst typstyle + texliveFull + pandoc zotero diff --git a/pkgs/rofirefox/default.nix b/pkgs/rofirefox/default.nix index 66805e2..2030d4f 100644 --- a/pkgs/rofirefox/default.nix +++ b/pkgs/rofirefox/default.nix @@ -37,7 +37,6 @@ meta = with lib; { platforms = platforms.all; - mainProgram = "rofirefox"; }; }
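Review bot: Flattening `services` to `services.openssh` in modules/sshd.nix silently removes `fail2ban` from the shared sshd module (the server host imports it; other hosts presumably do too), so brute-force banning disappears on every importer, not just the new test server; if that is deliberate say so in a comment, otherwise keep `services.fail2ban = { enable = true; bantime = "1h"; };` alongside. Independently, `PasswordAuthentication = false` alone does not stop password prompts on NixOS: `services.openssh.settings.KbdInteractiveAuthentication` defaults to `true` and, with PAM on, sshd can still complete a password exchange through keyboard-interactive, so add `KbdInteractiveAuthentication = false;` next to `PermitRootLogin = "no";`. The `lib` argument retained in the header is unused in the visible body.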