

11 commits

0aff64102d Update flake.lock 2026-03-27 01:39:38 +01:00
502fecdd4e Switch from zen kernel to latest kernel for laptops
Due to build failure at least in release 25.11.
2026-03-27 01:38:42 +01:00
13ca1dc205 Add config for busch
Busch is the proxmox host used for various vms, which will be defined
through terraform or similar.
2026-03-27 01:36:29 +01:00
f2b2e26ba9 Add sample for opkssh module
Module will not be added here as usernames, principals and the client id
have to be specified directly.
Setting them via age secrets is not possible.
2026-03-27 01:29:56 +01:00
a525d2bffa Add intel-cpu module 2026-03-27 01:21:16 +01:00
7d11cef3f8 rofirefox: set main program 2026-03-11 23:13:59 +01:00
edbde98006 Remove firewall rules for wireguard and set rpfilter to loose 2026-03-11 23:13:30 +01:00
179f615ad4 Remove texlive from system closure 2026-03-11 22:55:25 +01:00
b441618575 Add fail2ban to sshd module 2026-03-11 22:53:54 +01:00
b3ec023cad Fix service naming in newt module 2026-03-11 22:51:29 +01:00
b4abb27490 Use unstable gerbil in pangolin module 2026-03-11 22:49:50 +01:00
15 changed files with 235 additions and 92 deletions

52
flake.lock generated

@ -10,11 +10,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1762618334, "lastModified": 1770165109,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6", "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -30,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769608722, "lastModified": 1772058043,
"narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=",
"owner": "AdnanHodzic", "owner": "AdnanHodzic",
"repo": "auto-cpufreq", "repo": "auto-cpufreq",
"rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -50,11 +50,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769524058, "lastModified": 1773889306,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -144,11 +144,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769580047, "lastModified": 1774559029,
"narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -181,11 +181,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1769302137, "lastModified": 1774465523,
"narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -197,11 +197,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1769598131, "lastModified": 1774388614,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -261,16 +261,16 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1769861584, "lastModified": 1774386573,
"narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "015e5f32a6258dc210b8e02fb47d86983959e243", "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "pull/483348/merge", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -338,11 +338,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1769426267, "lastModified": 1774571252,
"narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", "narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "ebefef468e16eb692df0a3d54352c94a56110a97", "rev": "7965907ae885d77acb3c4ecc11cee096a12af868",
"revCount": 20, "revCount": 25,
"type": "git", "type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
}, },


@ -115,7 +115,7 @@
]; ];
}; };
server = nixpkgs.lib.nixosSystem rec { busch = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
@ -123,7 +123,8 @@
}; };
modules = [ modules = [
./hosts/nixos-server-test ./hosts/busch
disko.nixosModules.disko
proxmox-nixos.nixosModules.proxmox-ve proxmox-nixos.nixosModules.proxmox-ve
({...}: { ({...}: {


@ -3,10 +3,16 @@
{ {
imports = imports =
[ [
./disko.nix
../../modules/nix.nix ../../modules/nix.nix
../../modules/auto-upgrade.nix
../../modules/locale.nix ../../modules/locale.nix
../../modules/server-cli.nix ../../modules/server-cli.nix
../../modules/sshd.nix ../../modules/sshd.nix
${inputs.secrets}/modules/opkssh.nix
../../modules/intel-cpu.nix
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@ -14,11 +20,10 @@
boot = { boot = {
loader.grub = { loader.grub = {
enable = true; enable = true;
device = "/dev/vda";
}; };
tmp.useTmpfs = true; tmp.useTmpfs = true;
}; };
networking.hostName = "nixos-server"; # Define your hostname. networking.hostName = "busch"; # Define your hostname.
users = { users = {
users = { users = {
julius = { julius = {
@ -43,13 +48,19 @@
]; ];
}; };
services.proxmox-ve = { services = {
proxmox-ve = {
enable = true; enable = true;
ipAddress = "192.168.122.71"; ipAddress = "192.168.7.252";
# Make vmbr0 bridge visible in Proxmox web interface # Make vmbr0 bridge visible in Proxmox web interface
bridges = [ "vmbr0" ]; bridges = [ "vmbr0" ];
}; };
openiscsi = {
enable = true;
name = "busch";
};
};
networking.useDHCP = false; networking.useDHCP = false;
@ -57,7 +68,7 @@
enable = true; enable = true;
networks."10-lan" = { networks."10-lan" = {
matchConfig.Name = [ "enp1s0" ]; matchConfig.Name = [ "enp0s25" ];
networkConfig = { networkConfig = {
Bridge = "vmbr0"; Bridge = "vmbr0";
}; };
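Review bot: `name = "busch"` in the new `services.openiscsi` block is a bare hostname rather than an IQN; as I read the NixOS module this string is written verbatim as the initiator name, and targets that gate access by initiator IQN will not match a non-IQN value. Use the standard form with a placeholder, e.g. `name = "iqn.<YYYY-MM>.<reverse-dns-of-your-domain>:busch";`. The `services` block this hunk opens and the `networking` block it touches both continue past the hunk.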

107
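--- /dev/null
+++ b/hosts/busch/disko.nix
@@ -0,0 +1,107 @@
+{
+disko.devices = {
+disk = {
+disk1 = {
+type = "disk";
+device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T";
+content = {
+type = "gpt";
+partitions = {
+MBR = {
+type = "EF02"; # for grub MBR
+size = "1M";
+priority = 1; # Needs to be first partition
+};
+ESP = {
+priority = 1;
+name = "ESP";
+size = "2G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+crypt_p1 = {
+size = "100%";
+content = {
+type = "luks";
+name = "p1";
+settings = {
+allowDiscards = true;
+};
+};
+};
+};
+};
+};
+disk2 = {
+type = "disk";
+device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N";
+content = {
+type = "gpt";
+partitions = {
+MBR = {
+type = "EF02"; # for grub MBR
+size = "1M";
+priority = 1; # Needs to be first partition
+};
+ESP = {
+priority = 1;
+name = "ESP";
+size = "2G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot-fallback";
+mountOptions = [ "umask=0077" ];
+};
+};
+crypt_p2 = {
+size = "100%";
+content = {
+type = "luks";
+name = "p2";
+settings = {
+allowDiscards = true;
+};
+content = {
+type = "btrfs";
+extraArgs = [
+"-d raid1"
+"-m raid1"
+"/dev/mapper/p1"
+];
+subvolumes = {
+"/rootfs" = {
+mountpoint = "/";
+};
+"/home" = {
+mountOptions = [ "compress=zstd" ];
+mountpoint = "/home";
+};
+"/nix" = {
+mountOptions = [ "compress=zstd" "noatime" ];
+mountpoint = "/nix";
+};
+"/pve-cluster" = {
+mountOptions = [ "compress=zstd" ];
+mountpoint = "/var/lib/pve-cluster";
+};
+"/swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "32G";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}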
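Review bot: `ESP` carries `priority = 1` on both disks, the same value as `MBR`, which contradicts the `# Needs to be first partition` comment on the BIOS-boot partition — disko creates lower priorities first, so with a tie the order is not guaranteed; give the ESP a higher number, `priority = 2;`, in both `ESP` blocks. `allowDiscards = true` on both LUKS containers is a deliberate confidentiality trade-off (TRIM passes through the encryption layer and exposes which blocks are unused) and deserves a one-line comment such as `# TRIM passthrough leaks the free-space layout; accepted for SSD health`. The btrfs raid1 is formatted from `crypt_p2` with `/dev/mapper/p1` as the second member, so it depends on `crypt_p1` having been opened first and on both mappers being unlocked at boot; a comment at `crypt_p1` saying that its contents are defined under `disk2.crypt_p2` would save the next reader a search.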


@ -0,0 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ];
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,31 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

12
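--- /dev/null
+++ b/modules/intel-cpu.nix
@@ -0,0 +1,12 @@
+{
+pkgs,
+...
+}: {
+hardware.graphics = {
+enable = true;
+extraPackages = with pkgs; [
+intel-media-driver # Enable Hardware Acceleration
+vpl-gpu-rt # Enable QSV
+];
+};
+}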
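Review bot: The module is named `intel-cpu` but only configures the integrated GPU's media stack, and no header says so; open the file with `# Intel iGPU video acceleration: VA-API via intel-media-driver, QuickSync via vpl-gpu-rt. CPU microcode is handled in hardware-configuration.nix.` The two trailing `# Enable ...` comments name what the packages do but not the hardware they need — as far as I know `vpl-gpu-rt` targets Tiger Lake and newer and `intel-media-driver` Broadwell and newer, and the `busch` hardware scan (`ehci_pci`, `enp0s25`) hints at an older platform, so the host's generation is worth confirming before this module is imported there.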


@ -4,7 +4,7 @@
... ...
}: { }: {
boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; boot.kernelPackages = pkgs.linuxPackages_latest;
services.logind.settings.Login = { services.logind.settings.Login = {
HandleLidSwitch= "suspend-then-hibernate"; HandleLidSwitch= "suspend-then-hibernate";


@ -13,19 +13,7 @@
firewall = { firewall = {
# if packets are still dropped, they will show up in dmesg # if packets are still dropped, they will show up in dmesg
logReversePathDrops = true; logReversePathDrops = true;
# wireguard trips rpfilter up checkReversePath = "loose";
extraCommands = ''
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
'';
extraStopCommands = ''
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
'';
}; };
}; };
} }
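Review bot: `checkReversePath = "loose"` relaxes reverse-path filtering for every interface on the host, whereas the removed `nixos-fw-rpfilter` rules exempted only UDP port 1194; in loose mode a packet is accepted as long as its source is reachable through any interface, which weakens anti-spoofing protection on a multi-homed box such as a VPN gateway. That may well be the right trade-off, but the reason belongs next to the setting, e.g. `# wireguard tunnel traffic fails strict rpfilter; loose mode instead of per-port exemptions`. `logReversePathDrops = true` is kept, but there will now be far fewer drops to see in dmesg. The enclosing `networking`/`firewall` block starts before this hunk.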


@ -44,16 +44,16 @@ in {
}; };
}; };
systemd.services."docker-pangolin" = { systemd.services."docker-newt" = {
after = [ after = [
"docker-network-pangolin.service" "docker-network-newt.service"
]; ];
requires = [ requires = [
"docker-network-pangolin.service" "docker-network-newt.service"
]; ];
}; };
systemd.services."docker-network-pangolin" = { systemd.services."docker-network-newt" = {
path = [ pkgs.docker ]; path = [ pkgs.docker ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";

18
modules/opkssh.sample.nix Normal file

@ -0,0 +1,18 @@
{
...
}: {
services.opkssh = {
enable = true;
providers = {
pocket-id = {
issuer = "https://example.com";
clientId = "";
lifetime = "12h";
};
};
authorizations = [
{ user = "<username>"; principal = "<email>"; issuer = "https://example.com"; }
];
};
}
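Review bot: Nothing in the file says that it is a template that is never imported and that the populated copy lives in the private `secrets` input — the commit message does, the file does not; open it with a short header comment to that effect. `authorizations[].issuer` has to be the same string as `providers.pocket-id.issuer` for an authorization to match a provider, and repeating `"https://example.com"` twice does not make that coupling visible; a comment on the `authorizations` line, `# issuer must match providers.<name>.issuer exactly`, would. `lifetime = "12h"` reads as the maximum age of an accepted token, so a note on what it bounds (if it maps to opkssh's expiration policy, as I assume) helps whoever tunes it later.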


@ -1,5 +1,8 @@
{ {
pkgs-unstable, pkgs-unstable,
utils,
config,
lib,
... ...
}: { }: {
@ -26,6 +29,13 @@
}; };
}; };
systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [
(lib.getExe pkgs-unstable.fosrl-gerbil)
"--reachableAt=http://localhost:${toString config.services.gerbil.port}"
"--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key"
"--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config"
]);
} }
# Settings needed on the host # Settings needed on the host
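Review bot: `lib.mkForce` on `systemd.services.gerbil.serviceConfig.ExecStart` discards whatever the upstream gerbil module would pass (including any flag it gains later), and the reason — running `pkgs-unstable.fosrl-gerbil` instead of the module's package — is not recorded in the file; add a comment above the override, e.g. `# Module's gerbil is too old; replace ExecStart wholesale with the unstable binary and the same flags`. If the gerbil module exposes a `package` option, pointing it at `pkgs-unstable.fosrl-gerbil` would keep the upstream ExecStart intact and is the smaller change — worth checking before keeping the force. `--remoteConfig=http://localhost:3001/...` hard-codes the pangolin API port while `--reachableAt` already derives its port from `config.services.gerbil.port`; if the pangolin module has a port option, reference it the same way, otherwise state in the comment that 3001 is pangolin's fixed internal API port.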


@ -3,11 +3,17 @@
lib, lib,
... ...
}: { }: {
services.openssh = { services = {
openssh = {
enable = true; enable = true;
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
}; };
}; };
fail2ban = {
enable = true;
bantime = "1h";
};
};
} }
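Review bot: `fail2ban` is enabled without `ignoreIP`, so a mistyped key passphrase from the management network (or a noisy automation host) bans the administrator for the full `bantime` of one hour; add `ignoreIP = [ "<management-net-cidr>" ];` next to `bantime`. With `PasswordAuthentication = false` already set the jail mainly throttles scanners, so `bantime-increment.enable = true;` gives repeat offenders escalating bans at no cost to legitimate users. As far as I recall the NixOS module ships an `sshd` jail enabled by default, which is why no `jails` block is needed here — a one-line comment saying so would stop the next reader from adding one.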


@ -7,8 +7,6 @@
typst typst
typstyle typstyle
texliveFull
pandoc pandoc
zotero zotero


@ -37,6 +37,7 @@
meta = with lib; { meta = with lib; {
platforms = platforms.all; platforms = platforms.all;
mainProgram = "rofirefox";
}; };
} }