From b4abb274908764304fe9da203788d5f168016de2 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:49:50 +0100 Subject: [PATCH 01/11] Use unstable gerbil in pangolin module --- modules/pangolin.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/pangolin.nix b/modules/pangolin.nix index 3da3c9e..55e5fed 100644 --- a/modules/pangolin.nix +++ b/modules/pangolin.nix @@ -1,5 +1,8 @@ { pkgs-unstable, + utils, + config, + lib, ... }: { @@ -26,6 +29,13 @@ }; }; + systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [ + (lib.getExe pkgs-unstable.fosrl-gerbil) + "--reachableAt=http://localhost:${toString config.services.gerbil.port}" + "--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key" + "--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config" + ]); + } # Settings needed on the host From b3ec023cad94df520d2ed4ddc659cdd90fcbd91b Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:51:29 +0100 Subject: [PATCH 02/11] Fix service naming in newt module --- modules/newt.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/newt.nix b/modules/newt.nix index 1f8dafd..5f7a8f4 100644 --- a/modules/newt.nix +++ b/modules/newt.nix @@ -44,16 +44,16 @@ in { }; }; - systemd.services."docker-pangolin" = { + systemd.services."docker-newt" = { after = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; requires = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; }; - systemd.services."docker-network-pangolin" = { + systemd.services."docker-network-newt" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; From b441618575d8ebf986fc0b60e6310384aca54b0b Mon Sep 17 00:00:00 2001 
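Review bot: The forced `ExecStart` for gerbil hard-codes the pangolin API as `http://localhost:3001/api/v1/gerbil/get-config` while the gerbil port is read from `config.services.gerbil.port`, so the two halves of one command line are configured from different places and a changed pangolin port breaks `--remoteConfig` without any evaluation-time hint; take the port from the option the pangolin module exposes for it if one exists, otherwise name the coupling, e.g. `# 3001 must match the pangolin API port configured in this module`. `lib.mkForce` replaces the whole upstream `ExecStart`, so any argument the NixOS gerbil module adds in a later release is silently dropped; a one-line comment stating why the override is needed (the unstable package) makes that trade-off visible. `--generateAndSaveKeyTo` persists gerbil's private key under `config.services.pangolin.dataDir`; whether that directory is created with restrictive permissions is not visible in this hunk and should be confirmed.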
From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:53:54 +0100 Subject: [PATCH 03/11] Add fail2ban to sshd module --- modules/sshd.nix | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/modules/sshd.nix b/modules/sshd.nix index 49af4a5..551c0d4 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix @@ -3,11 +3,17 @@ lib, ... }: { - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; + services = { + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + fail2ban = { + enable = true; + bantime = "1h"; }; }; } From 179f615ad4fc0eca1ac3a14f37e551b06efcc01e Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:55:25 +0100 Subject: [PATCH 04/11] Remove texlive from system closure --- modules/typesetting.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/typesetting.nix b/modules/typesetting.nix index b4e321f..272b263 100644 --- a/modules/typesetting.nix +++ b/modules/typesetting.nix @@ -7,8 +7,6 @@ typst typstyle - texliveFull - pandoc zotero From edbde9800623dc6bb2c6e6a3f7485755e80cb5c2 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 23:13:30 +0100 Subject: [PATCH 05/11] Remove firewall rules for wireguard and set rpfilter to loose --- modules/network-client.nix | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/modules/network-client.nix b/modules/network-client.nix index 4efdecd..a72a9f3 100644 --- a/modules/network-client.nix +++ b/modules/network-client.nix 
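Review bot: The new `fail2ban` block sets only `bantime`, leaving `ignoreIP` at its default, so a mistyped key or a misconfigured client on the admin's own network — or on the tunnel endpoint that the newt/pangolin modules route traffic through — can ban the one address every legitimate session arrives from; add `ignoreIP = [ "<management-range>" ];` (placeholder) and consider `bantime-increment.enable = true;` so repeat offenders are banned longer than a one-off mistake. With `PasswordAuthentication = false` the sshd jail mostly counts key-auth failures and scanner noise, which is fine, but stating `maxretry` explicitly keeps the policy readable in this module rather than in fail2ban's defaults.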
@@ -13,19 +13,7 @@ firewall = { # if packets are still dropped, they will show up in dmesg logReversePathDrops = true; - # wireguard trips rpfilter up - extraCommands = '' - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ''; - extraStopCommands = '' - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ''; + checkReversePath = "loose"; }; }; } From 7d11cef3f803dea8446f707054a8afa66e764450 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 23:13:59 +0100 Subject: [PATCH 06/11] rofirefox: set main program --- pkgs/rofirefox/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/rofirefox/default.nix b/pkgs/rofirefox/default.nix index 2030d4f..66805e2 100644 --- a/pkgs/rofirefox/default.nix +++ b/pkgs/rofirefox/default.nix @@ -37,6 +37,7 @@ meta = with lib; { platforms = platforms.all; + mainProgram = "rofirefox"; }; } From a525d2bffa67fa44613683fbe7fbd3ca630e86ef Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:21:16 +0100 Subject: [PATCH 07/11] Add intel-cpu module --- modules/intel-cpu.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 modules/intel-cpu.nix diff --git a/modules/intel-cpu.nix b/modules/intel-cpu.nix new file mode 100644 index 0000000..7e037c3 --- /dev/null +++ b/modules/intel-cpu.nix 
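Review bot: `checkReversePath = "loose"` relaxes reverse-path filtering for every interface on the host, whereas the removed rules exempted only UDP port 1194 traffic, and the comment that explained the reason (`# wireguard trips rpfilter up`) is gone with them; keep the rationale next to the new setting, e.g. `# loose: wireguard's return path differs from the ingress interface; strict mode dropped it`, so the weaker anti-spoofing posture is a documented choice rather than an accident. `logReversePathDrops = true` is kept and still logs what loose mode drops, which is useful for checking on each host importing this module that the relaxation is actually needed. The enclosing `networking` attribute set starts outside the hunk.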
@@ -0,0 +1,12 @@
+{
+ pkgs,
+ ...
+}: {
+ hardware.graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # Enable Hardware Acceleration
+ vpl-gpu-rt # Enable QSV
+ ];
+ };
+}
From f2b2e26ba9858d02c7ce0a81f8bb4c83ff1ebc5d Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 27 Mar 2026 01:29:56 +0100
Subject: [PATCH 08/11] Add sample for opkssh module

Module will not be added here as usernames, principals and the client id have to be specified directly. Setting them via age secrets is not possible.
---
 modules/opkssh.sample.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 modules/opkssh.sample.nix

diff --git a/modules/opkssh.sample.nix b/modules/opkssh.sample.nix
new file mode 100644
index 0000000..55c8383
--- /dev/null
+++ b/modules/opkssh.sample.nix
@@ -0,0 +1,18 @@
+{
+ ...
+}: {
+ services.opkssh = {
+ enable = true;
+ providers = {
+ pocket-id = {
+ issuer = "https://example.com";
+ clientId = "";
+ lifetime = "12h";
+ };
+ };
+ authorizations = [
+ { user = ""; principal = ""; issuer = "https://example.com"; }
+ ];
+ };
+}
+
From 13ca1dc20569c188f9e879ef547a69323171272a Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 27 Mar 2026 01:36:29 +0100
Subject: [PATCH 09/11] Add config for busch

Busch is the proxmox host used for various vms, which will be defined through terraform or similar.
---
 flake.nix | 5 +-
 .../{nixos-server-test => busch}/default.nix | 27 +++--
 hosts/busch/disko.nix | 107 ++++++++++++++++++
 hosts/busch/hardware-configuration.nix | 22 ++++
 .../hardware-configuration.nix | 31 -----
 5 files changed, 151 insertions(+), 41 deletions(-)
 rename hosts/{nixos-server-test => busch}/default.nix (83%)
 create mode 100644 hosts/busch/disko.nix
 create mode 100644 hosts/busch/hardware-configuration.nix
 delete mode 100644 hosts/nixos-server-test/hardware-configuration.nix

diff --git a/flake.nix b/flake.nix
index 6615b6c..04be147 100644
--- a/flake.nix
+++ b/flake.nix
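Review bot: The opkssh sample leaves `clientId`, `user` and `principal` as empty strings with nothing saying which of `user`/`principal` is the OIDC identity and which is the local account, so a copy that fills them in the wrong order binds the wrong identity to a login; add a header comment such as `# Sample only: fill in clientId, the OIDC identity and the local account; both issuer strings must match byte-for-byte` (confirm the field semantics against the opkssh module, they are not visible here). `lifetime = "12h"` also deserves a comment saying what it bounds, since a long validity window widens the impact of a leaked token. The `issuer` value appears in both `providers` and `authorizations`; a single `let` binding for it would keep the two from drifting apart when the sample is copied.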
@@ -115,7 +115,7 @@ ]; }; - server = nixpkgs.lib.nixosSystem rec { + busch = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; specialArgs = { @@ -123,7 +123,8 @@ }; modules = [ - ./hosts/nixos-server-test + ./hosts/busch + disko.nixosModules.disko proxmox-nixos.nixosModules.proxmox-ve ({...}: { diff --git a/hosts/nixos-server-test/default.nix b/hosts/busch/default.nix similarity index 83% rename from hosts/nixos-server-test/default.nix rename to hosts/busch/default.nix index 409e2fa..bf64cb7 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/busch/default.nix @@ -3,10 +3,16 @@ { imports = [ + ./disko.nix + ../../modules/nix.nix + ../../modules/auto-upgrade.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix + ${inputs.secrets}/modules/opkssh.nix + + ../../modules/intel-cpu.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; @@ -14,11 +20,10 @@ boot = { loader.grub = { enable = true; - device = "/dev/vda"; }; tmp.useTmpfs = true; }; - networking.hostName = "nixos-server"; # Define your hostname. + networking.hostName = "busch"; # Define your hostname. users = { users = { julius = { @@ -43,12 +48,18 @@ ]; }; - services.proxmox-ve = { - enable = true; - ipAddress = "192.168.122.71"; + services = { + proxmox-ve = { + enable = true; + ipAddress = "192.168.7.252"; - # Make vmbr0 bridge visible in Proxmox web interface - bridges = [ "vmbr0" ]; + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; + }; + openiscsi = { + enable = true; + name = "busch"; + }; }; networking.useDHCP = false; @@ -57,7 +68,7 @@ enable = true; networks."10-lan" = { - matchConfig.Name = [ "enp1s0" ]; + matchConfig.Name = [ "enp0s25" ]; networkConfig = { Bridge = "vmbr0"; }; diff --git a/hosts/busch/disko.nix b/hosts/busch/disko.nix new file mode 100644 index 0000000..5563eae --- /dev/null +++ b/hosts/busch/disko.nix 
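Review bot: `openiscsi.name = "busch"` becomes the iSCSI initiator name, which the protocol expects in IQN or EUI form (e.g. `iqn.YYYY-MM.<reverse-domain>:busch`, placeholder); a bare hostname may be rejected by the target and cannot be matched by per-initiator ACLs on the storage side, which are the usual way to restrict which host sees which LUN. Whether the NixOS option validates the format is not visible here, so confirm against its description. Dropping `loader.grub.device` relies on disko deriving the boot devices from the EF02 partitions in `disko.nix`; a short comment on the `loader.grub` block saying so would stop someone from re-adding a single-device setting later. The `ipAddress` and `matchConfig.Name` changes sit in separate hunks of the same file and should agree with the interface in `hardware-configuration.nix`, whose comment still mentions `enp1s0`.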
@@ -0,0 +1,107 @@
+{
+ disko.devices = {
+ disk = {
+ disk1 = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02"; # for grub MBR
+ size = "1M";
+ priority = 1; # Needs to be first partition
+ };
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ crypt_p1 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "p1";
+ settings = {
+ allowDiscards = true;
+ };
+ };
+ };
+ };
+ };
+ };
+ disk2 = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02"; # for grub MBR
+ size = "1M";
+ priority = 1; # Needs to be first partition
+ };
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot-fallback";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ crypt_p2 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "p2";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-d raid1"
+ "-m raid1"
+ "/dev/mapper/p1"
+ ];
+ subvolumes = {
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ mountOptions = [ "compress=zstd" "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/pve-cluster" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/var/lib/pve-cluster";
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "32G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/busch/hardware-configuration.nix b/hosts/busch/hardware-configuration.nix
new file mode 100644
index 0000000..2de4340
--- /dev/null
+++ b/hosts/busch/hardware-configuration.nix
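Review bot: Both `MBR` and `ESP` carry `priority = 1` on each disk, so the `# Needs to be first partition` comment on `MBR` is not actually enforced — if disko breaks ties by attribute name, `ESP` sorts before `MBR` and is created first; give the ESP a later value, `priority = 2;`, on both disks so the comment and the layout agree. The second disk's ESP is mounted at `/boot-fallback`, but nothing in this series configures `boot.loader.grub.mirroredBoots`, so that ESP is formatted yet never populated and the raid1 mirror covers the btrfs root only (hedged: the grub settings live in `default.nix`, outside this hunk). Neither LUKS entry names a `passwordFile` or key file, so both volumes are keyed interactively at install time; a comment stating that this is deliberate, and that `p1` must be open before `p2`'s btrfs can assemble (it is referenced as `/dev/mapper/p1` in `extraArgs`), would keep a later maintainer from dropping a plaintext key file in here.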
@@ -0,0 +1,22 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ];
+ boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ];
+
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix
deleted file mode 100644
index 6dfd7c4..0000000
--- a/hosts/nixos-server-test/hardware-configuration.nix
+++ /dev/null
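Review bot: `boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]` and `"vfio-pci.ids=1000:0087"` in `boot.kernelParams` are hand-written passthrough settings inside a file whose header says it is generated by `nixos-generate-config` and may be overwritten, so the next regeneration silently drops them and the device falls back to the host; move those two lines to `hosts/busch/default.nix` or a dedicated module and keep only generated content here. `mpt3sas` is also listed in `boot.initrd.availableKernelModules`; if `1000:0087` is the SAS controller that driver serves (not stated on the page), keeping it in the initrd lets the host claim the device before `vfio-pci` does, and it should be removed. A comment naming the device behind the id, e.g. `# passed through to <vm-name>`, would make the intent reviewable.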
@@ -1,31 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
From 502fecdd4e17e50e4222bca94182a716af937b36 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 27 Mar 2026 01:38:42 +0100
Subject: [PATCH 10/11] Switch from zen kernel to latest kernel for laptops

Due to build failure at least in release 25.11.
---
 modules/laptop.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/laptop.nix b/modules/laptop.nix
index 49e7492..9a95899 100644
--- a/modules/laptop.nix
+++ b/modules/laptop.nix
@@ -4,7 +4,7 @@ ... }: { - boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; + boot.kernelPackages = pkgs.linuxPackages_latest; services.logind.settings.Login = { HandleLidSwitch= "suspend-then-hibernate";
From 0aff64102df098f647dd721588b1dff9401bef87 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:39:38 +0100 Subject: [PATCH 11/11] Update flake.lock --- flake.lock | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index d4e6d06..3348a05 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "owner": "ryantm", "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "type": "github" }, "original": { @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1769608722, - "narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", + "lastModified": 1772058043, + "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", + "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5", "type": "github" }, "original": { @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1773889306, + "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "type": "github" }, "original": { 
@@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1769580047, - "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", + "lastModified": 1774559029, + "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=", "owner": "nix-community", "repo": "home-manager", - "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", + "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769302137, - "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", + "lastModified": 1774465523, + "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", + "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1774388614, + "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e", "type": "github" }, "original": { @@ -261,16 +261,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1769861584, - "narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "015e5f32a6258dc210b8e02fb47d86983959e243", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { "owner": "nixos", - "ref": "pull/483348/merge", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -338,11 +338,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1769426267, - "narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", + "lastModified": 1774571252, + "narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=", "ref": "refs/heads/main", - "rev": "ebefef468e16eb692df0a3d54352c94a56110a97", - "revCount": 20, + "rev": "7965907ae885d77acb3c4ecc11cee096a12af868", + "revCount": 25, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" },