diff --git a/flake.lock b/flake.lock index d4e6d06..3348a05 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "owner": "ryantm", "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "type": "github" }, "original": { @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1769608722, - "narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", + "lastModified": 1772058043, + "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", + "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5", "type": "github" }, "original": { @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1773889306, + "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "type": "github" }, "original": { @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1769580047, - "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", + "lastModified": 1774559029, + "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=", "owner": "nix-community", "repo": "home-manager", - "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", + "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3", "type": "github" }, "original": { 
@@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769302137, - "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", + "lastModified": 1774465523, + "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", + "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1774388614, + "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e", "type": "github" }, "original": { @@ -261,16 +261,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1769861584, - "narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "015e5f32a6258dc210b8e02fb47d86983959e243", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { "owner": "nixos", - "ref": "pull/483348/merge", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -338,11 +338,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1769426267, - "narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", + "lastModified": 1774571252, + "narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=", "ref": "refs/heads/main", - "rev": "ebefef468e16eb692df0a3d54352c94a56110a97", - "revCount": 20, + "rev": "7965907ae885d77acb3c4ecc11cee096a12af868", + "revCount": 25, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, diff --git a/flake.nix b/flake.nix index 6615b6c..04be147 100644 
--- a/flake.nix +++ b/flake.nix @@ -115,7 +115,7 @@ ]; }; - server = nixpkgs.lib.nixosSystem rec { + busch = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; specialArgs = { @@ -123,7 +123,8 @@ }; modules = [ - ./hosts/nixos-server-test + ./hosts/busch + disko.nixosModules.disko proxmox-nixos.nixosModules.proxmox-ve ({...}: { diff --git a/hosts/nixos-server-test/default.nix b/hosts/busch/default.nix similarity index 83% rename from hosts/nixos-server-test/default.nix rename to hosts/busch/default.nix index 409e2fa..bf64cb7 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/busch/default.nix @@ -3,10 +3,16 @@ { imports = [ + ./disko.nix + ../../modules/nix.nix + ../../modules/auto-upgrade.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix + ${inputs.secrets}/modules/opkssh.nix + + ../../modules/intel-cpu.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; @@ -14,11 +20,10 @@ boot = { loader.grub = { enable = true; - device = "/dev/vda"; }; tmp.useTmpfs = true; }; - networking.hostName = "nixos-server"; # Define your hostname. + networking.hostName = "busch"; # Define your hostname. users = { users = { julius = { @@ -43,12 +48,18 @@ ]; }; - services.proxmox-ve = { - enable = true; - ipAddress = "192.168.122.71"; + services = { + proxmox-ve = { + enable = true; + ipAddress = "192.168.7.252"; - # Make vmbr0 bridge visible in Proxmox web interface - bridges = [ "vmbr0" ]; + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; + }; + openiscsi = { + enable = true; + name = "busch"; + }; }; networking.useDHCP = false; @@ -57,7 +68,7 @@ enable = true; networks."10-lan" = { - matchConfig.Name = [ "enp1s0" ]; + matchConfig.Name = [ "enp0s25" ]; networkConfig = { Bridge = "vmbr0"; }; diff --git a/hosts/busch/disko.nix b/hosts/busch/disko.nix new file mode 100644 index 0000000..5563eae --- /dev/null +++ b/hosts/busch/disko.nix 
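Review bot: The new import `${inputs.secrets}/modules/opkssh.nix` in the `hosts/busch/default.nix` imports list depends on `inputs` being bound in this module's argument set, and the module header (file lines 1–2) is outside the hunk, so if `inputs` is neither a parameter there nor supplied through the host's `specialArgs` (which the flake.nix hunk declares but does not show the contents of), evaluation fails on an undefined variable. As printed the line has no quotes; unless they were lost in transit, `${…}` outside a string or a `./`-prefixed path is not valid Nix, and the usual form is `"${inputs.secrets}/modules/opkssh.nix"`. Since this pulls an SSH authorization module out of a private flake, a one-line comment would help the next reader: `# opkssh providers/authorizations live in the private secrets flake`.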
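Review bot: `openiscsi.name = "busch"` in the new `services` block of `hosts/busch/default.nix` is not an IQN; this value is what `iscsid` sends as `InitiatorName`, the expected form is `iqn.YYYY-MM.reverse-domain:identifier`, and targets commonly log or reject a bare hostname and use the name for their ACLs, so it should be globally unique — e.g. `name = "iqn.<yyyy-mm>.<reverse-domain>:busch";` (placeholder). Nothing in this hunk configures initiator/target authentication, so access to the LUN rests on the target's IQN allow-list alone; if the target supports CHAP, the `node.session.auth.*` settings can be supplied via `services.openiscsi.extraConfig`. Either way, a comment stating which target this initiator is meant to attach to would document the dependency.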
@@ -0,0 +1,107 @@ +{ + disko.devices = { + disk = { + disk1 = { + type = "disk"; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; + ESP = { + priority = 1; + name = "ESP"; + size = "2G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + crypt_p1 = { + size = "100%"; + content = { + type = "luks"; + name = "p1"; + settings = { + allowDiscards = true; + }; + }; + }; + }; + }; + }; + disk2 = { + type = "disk"; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; + ESP = { + priority = 1; + name = "ESP"; + size = "2G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot-fallback"; + mountOptions = [ "umask=0077" ]; + }; + }; + crypt_p2 = { + size = "100%"; + content = { + type = "luks"; + name = "p2"; + settings = { + allowDiscards = true; + }; + content = { + type = "btrfs"; + extraArgs = [ + "-d raid1" + "-m raid1" + "/dev/mapper/p1" + ]; + subvolumes = { + "/rootfs" = { + mountpoint = "/"; + }; + "/home" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/home"; + }; + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + "/pve-cluster" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/var/lib/pve-cluster"; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/busch/hardware-configuration.nix b/hosts/busch/hardware-configuration.nix new file mode 100644 index 0000000..2de4340 --- /dev/null +++ b/hosts/busch/hardware-configuration.nix 
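Review bot: Both LUKS containers in `hosts/busch/disko.nix` set `allowDiscards = true` without a comment; passing TRIM through dm-crypt reveals which blocks of the ciphertext device are unused, which is the usual accepted trade-off for SSD health but worth recording next to the setting, e.g. `# TRIM through dm-crypt exposes the free-space layout; accepted for SSD wear`. The second disk's ESP is mounted at `/boot-fallback` but nothing here, nor the default.nix hunk that dropped `device = "/dev/vda"` from `loader.grub`, refers to it; presumably disko's EF02 partitions populate `boot.loader.grub.devices` for the BIOS stage, but if that fallback ESP is meant to be bootable it needs `boot.loader.grub.mirroredBoots` — confirm against disko's generated config. The btrfs raid1 is assembled from `/dev/mapper/p1` and `p2`, so `/` cannot mount unless both LUKS volumes unlock at boot; a comment stating that dependency above `crypt_p2` would save the next reader a surprise.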
@@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ]; + boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ]; + + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix deleted file mode 100644 index 6dfd7c4..0000000 --- a/hosts/nixos-server-test/hardware-configuration.nix +++ /dev/null 
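Review bot: The header of `hosts/busch/hardware-configuration.nix` says the file was generated by `nixos-generate-config` and may be overwritten, yet `boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]` and `boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ]` are hand-added passthrough settings the generator does not emit, so a regeneration would silently drop them and the device (presumably the SAS HBA that `mpt3sas` in `availableKernelModules` would otherwise drive) would bind to the host again. Move those two lines into `hosts/busch/default.nix` or a dedicated module with a comment such as `# bind the SAS HBA (1000:0087) to vfio-pci in the initrd so the host never claims it; it is passed through to a guest`. The stale `# networking.interfaces.enp1s0.useDHCP` comment can go as well, since this host's interface is `enp0s25`.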
@@ -1,31 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/modules/intel-cpu.nix b/modules/intel-cpu.nix new file mode 100644 index 0000000..7e037c3 --- /dev/null +++ b/modules/intel-cpu.nix @@ -0,0 +1,12 @@ +{ + pkgs, + ... +}: { + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # Enable Hardware Acceleration + vpl-gpu-rt # Enable QSV + ]; + }; +} diff --git a/modules/laptop.nix b/modules/laptop.nix index 49e7492..9a95899 100644 --- a/modules/laptop.nix +++ b/modules/laptop.nix @@ -4,7 +4,7 @@ ... }: { - boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; + boot.kernelPackages = pkgs.linuxPackages_latest; services.logind.settings.Login = { HandleLidSwitch= "suspend-then-hibernate"; diff --git a/modules/network-client.nix b/modules/network-client.nix index 4efdecd..a72a9f3 100644 --- a/modules/network-client.nix 
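Review bot: `modules/intel-cpu.nix` configures only `hardware.graphics` (VA-API and QSV packages) and nothing CPU-related, so the name misleads; either rename it (`intel-gpu.nix`) or make it own the CPU-side setting a module by this name suggests, `hardware.cpu.intel.updateMicrocode = true;`. The busch hardware-configuration only enables microcode updates via `lib.mkDefault config.hardware.enableRedistributableFirmware`, so unless that flag is set elsewhere the hypervisor runs without microcode updates, which matter for the CPU-level mitigations a VM host depends on. A header comment such as `# Intel iGPU video acceleration (VA-API, QSV)` would state what the module is currently for.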
+++ b/modules/network-client.nix @@ -13,19 +13,7 @@ firewall = { # if packets are still dropped, they will show up in dmesg logReversePathDrops = true; - # wireguard trips rpfilter up - extraCommands = '' - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ''; - extraStopCommands = '' - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ''; + checkReversePath = "loose"; }; }; } diff --git a/modules/newt.nix b/modules/newt.nix index 1f8dafd..5f7a8f4 100644 --- a/modules/newt.nix +++ b/modules/newt.nix @@ -44,16 +44,16 @@ in { }; }; - systemd.services."docker-pangolin" = { + systemd.services."docker-newt" = { after = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; requires = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; }; - systemd.services."docker-network-pangolin" = { + systemd.services."docker-network-newt" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; diff --git a/modules/opkssh.sample.nix b/modules/opkssh.sample.nix new file mode 100644 index 0000000..55c8383 --- /dev/null +++ b/modules/opkssh.sample.nix @@ -0,0 +1,18 @@ +{ + ... +}: { + services.opkssh = { + enable = true; + providers = { + pocket-id = { + issuer = "https://example.com"; + clientId = ""; + lifetime = "12h"; + }; + }; + authorizations = [ + { user = ""; principal = ""; issuer = "https://example.com"; } + ]; + }; +} + 
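Review bot: `checkReversePath = "loose"` in `modules/network-client.nix` replaces rpfilter exceptions scoped to UDP port 1194 with a host-wide relaxation, and the `# wireguard trips rpfilter up` comment that explained the need was removed with them. Loose mode accepts a packet whenever its source is routable via any interface rather than only the ingress one, so anti-spoofing is weakened on every interface, not just for the WireGuard traffic the old rules carved out. Keep the rationale next to the setting, e.g. `# WireGuard replies arrive on a different interface than the return route; "loose" stops rpfilter dropping them (host-wide relaxation; logReversePathDrops above still reports anything dropped)`.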
diff --git a/modules/pangolin.nix b/modules/pangolin.nix index 3da3c9e..55e5fed 100644 --- a/modules/pangolin.nix +++ b/modules/pangolin.nix @@ -1,5 +1,8 @@ { pkgs-unstable, + utils, + config, + lib, ... }: { @@ -26,6 +29,13 @@ }; }; + systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [ + (lib.getExe pkgs-unstable.fosrl-gerbil) + "--reachableAt=http://localhost:${toString config.services.gerbil.port}" + "--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key" + "--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config" + ]); + } # Settings needed on the host diff --git a/modules/sshd.nix b/modules/sshd.nix index 49af4a5..551c0d4 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix @@ -3,11 +3,17 @@ lib, ... }: { - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; + services = { + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + fail2ban = { + enable = true; + bantime = "1h"; }; }; } diff --git a/modules/typesetting.nix b/modules/typesetting.nix index b4e321f..272b263 100644 --- a/modules/typesetting.nix +++ b/modules/typesetting.nix @@ -7,8 +7,6 @@ typst typstyle - texliveFull - pandoc zotero diff --git a/pkgs/rofirefox/default.nix b/pkgs/rofirefox/default.nix index 2030d4f..66805e2 100644 --- a/pkgs/rofirefox/default.nix +++ b/pkgs/rofirefox/default.nix @@ -37,6 +37,7 @@ meta = with lib; { platforms = platforms.all; + mainProgram = "rofirefox"; }; }
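Review bot: `lib.mkForce` on `systemd.services.gerbil.serviceConfig.ExecStart` in `modules/pangolin.nix` discards whatever the upstream module passes to gerbil and the hunk gives no reason, so the next module update will silently diverge from this override; add a comment naming the flag the upstream ExecStart lacks, e.g. `# upstream ExecStart omits --remoteConfig; rebuild the command line rather than append to it`. `--remoteConfig=http://localhost:3001/...` hard-codes the Pangolin API port while the other two arguments are derived from `config.services.gerbil.port` and `config.services.pangolin.dataDir`; if the pangolin module exposes its listen port as an option, derive it the same way. The key written to `${dataDir}/config/key` is only as protected as `dataDir`'s mode, which this hunk does not show — worth confirming it is not group- or world-readable.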
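Review bot: The new `fail2ban` block in `modules/sshd.nix` sets only `enable` and `bantime = "1h"`; with `PasswordAuthentication = false` already in place the sshd jail mostly suppresses enumeration noise, and a fixed one-hour ban with no allow-list can lock the operator out of their own management network after a few failed key attempts. Consider `ignoreIP = [ "<management-cidr>" ];` (placeholder) and `bantime-increment.enable = true;` so repeat offenders get progressively longer bans while a single mistake does not. A one-line comment on why fail2ban is enabled alongside key-only authentication would document the intent for the next reader.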