@@ -923,153 +949,157 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
{{template "base/footer" .}} ''; - in { - # systemd.tmpfiles.settings = { - # "10-forgejo" = { - # "/storage/forgejo" = { - # "d" = { - # mode = "0700"; - # user = "forgejo"; - # group = "nogroup"; - # }; - # }; - # }; - # }; - services.forgejo = { - enable = true; - package = pkgs.unstable-packages.forgejo; - stateDir = "/storage/forgejo"; - settings = { - DEFAULT = { - APP_NAME = "git.lyte.dev"; - }; - server = { - ROOT_URL = "https://git.lyte.dev"; - HTTP_ADDR = "127.0.0.1"; - HTTP_PORT = 3088; - DOMAIN = "git.lyte.dev"; - }; - migrations = { - ALLOWED_DOMAINS = "*.github.com,github.com,gitlab.com,*.gitlab.com"; - }; - actions = { - ENABLED = true; - }; - service = { - DISABLE_REGISTRATION = true; - }; - session = { - COOKIE_SECURE = true; - }; - log = { - # LEVEL = "Debug"; - }; - ui = { - THEMES = "catppuccin-mocha-sapphire,forgejo-auto,forgejo-light,forgejo-dark"; - DEFAULT_THEME = "catppuccin-mocha-sapphire"; - }; - indexer = { - REPO_INDEXER_ENABLED = "true"; - REPO_INDEXER_PATH = "indexers/repos.bleve"; - MAX_FILE_SIZE = "1048576"; - # REPO_INDEXER_INCLUDE = - REPO_INDEXER_EXCLUDE = "resources/bin/**"; - }; - "markup.asciidoc" = { - ENABLED = true; - NEED_POSTPROCESS = true; - FILE_EXTENSIONS = ".adoc,.asciidoc"; - RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --embedded --safe-mode=secure --out-file=- -"; - IS_INPUT_FILE = false; - }; - }; - lfs = { + in + { + # systemd.tmpfiles.settings = { + # "10-forgejo" = { + # "/storage/forgejo" = { + # "d" = { + # mode = "0700"; + # user = "forgejo"; + # group = "nogroup"; + # }; + # }; + # }; + # }; + services.forgejo = { enable = true; - }; - dump = { - enable = false; - }; - database = { - # TODO: move to postgres? 
- type = "sqlite3"; - }; - }; - services.restic.commonPaths = [ - config.services.forgejo.stateDir - ]; - sops.secrets = { - "forgejo-runner.env" = {mode = "0400";}; - }; - systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"]; - - systemd.services.forgejo = { - preStart = lib.mkAfter '' - rm -rf ${config.services.forgejo.stateDir}/custom/public - mkdir -p ${config.services.forgejo.stateDir}/custom/public/ - mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/ - mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/img/ - mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/css/ - mkdir -p ${config.services.forgejo.stateDir}/custom/templates/custom/ - ln -sf ${logos.png} ${config.services.forgejo.stateDir}/custom/public/assets/img/logo.png - ln -sf ${logos.svg} ${config.services.forgejo.stateDir}/custom/public/assets/img/logo.svg - ln -sf ${logos.png} ${config.services.forgejo.stateDir}/custom/public/assets/img/favicon.png - ln -sf ${logos.svg-with-background} ${config.services.forgejo.stateDir}/custom/public/assets/img/favicon.svg - ln -sf ${theme}/theme-catppuccin-mocha-sapphire.css ${config.services.forgejo.stateDir}/custom/public/assets/css/ - ln -sf ${forgejoCustomCss} ${config.services.forgejo.stateDir}/custom/public/assets/css/iosevkalyte.css - ln -sf ${forgejoCustomHeaderTmpl} ${config.services.forgejo.stateDir}/custom/templates/custom/header.tmpl - ln -sf ${forgejoCustomHomeTmpl} ${config.services.forgejo.stateDir}/custom/templates/home.tmpl - ''; - }; - - services.gitea-actions-runner = { - # TODO: simple git-based automation would be dope? maybe especially for - # mirroring to github super easy? 
- package = pkgs.forgejo-runner; - instances."beefcake" = { - enable = true; - name = "beefcake"; - url = "https://git.lyte.dev"; + package = pkgs.unstable-packages.forgejo; + stateDir = "/storage/forgejo"; settings = { - container = { - # use the shared network which is bridged by default - # this lets us hit git.lyte.dev just fine - network = "podman"; + DEFAULT = { + APP_NAME = "git.lyte.dev"; + }; + server = { + ROOT_URL = "https://git.lyte.dev"; + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 3088; + DOMAIN = "git.lyte.dev"; + }; + migrations = { + ALLOWED_DOMAINS = "*.github.com,github.com,gitlab.com,*.gitlab.com"; + }; + actions = { + ENABLED = true; + }; + service = { + DISABLE_REGISTRATION = true; + }; + session = { + COOKIE_SECURE = true; + }; + log = { + # LEVEL = "Debug"; + }; + ui = { + THEMES = "catppuccin-mocha-sapphire,forgejo-auto,forgejo-light,forgejo-dark"; + DEFAULT_THEME = "catppuccin-mocha-sapphire"; + }; + indexer = { + REPO_INDEXER_ENABLED = "true"; + REPO_INDEXER_PATH = "indexers/repos.bleve"; + MAX_FILE_SIZE = "1048576"; + # REPO_INDEXER_INCLUDE = + REPO_INDEXER_EXCLUDE = "resources/bin/**"; + }; + "markup.asciidoc" = { + ENABLED = true; + NEED_POSTPROCESS = true; + FILE_EXTENSIONS = ".adoc,.asciidoc"; + RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --embedded --safe-mode=secure --out-file=- -"; + IS_INPUT_FILE = false; }; }; - labels = [ - # type ":host" does not depend on docker/podman/lxc - "podman" - "nix:docker://git.lyte.dev/lytedev/nix:latest" - "beefcake:host" - "nixos-host:host" - ]; - tokenFile = config.sops.secrets."forgejo-runner.env".path; - hostPackages = with pkgs; [ - nix - bash - coreutils - curl - gawk - gitMinimal - gnused - nodejs - gnutar # needed for cache action - wget - ]; + lfs = { + enable = true; + }; + dump = { + enable = false; + }; + database = { + # TODO: move to postgres? 
+ type = "sqlite3"; + }; }; - }; - # environment.systemPackages = with pkgs; [nodejs]; - services.caddy.virtualHosts."git.lyte.dev" = { - extraConfig = '' - reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - services.caddy.virtualHosts."http://git.beefcake.lan" = { - extraConfig = '' - reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - }) + services.restic.commonPaths = [ + config.services.forgejo.stateDir + ]; + sops.secrets = { + "forgejo-runner.env" = { + mode = "0400"; + }; + }; + systemd.services.gitea-runner-beefcake.after = [ "sops-nix.service" ]; + + systemd.services.forgejo = { + preStart = lib.mkAfter '' + rm -rf ${config.services.forgejo.stateDir}/custom/public + mkdir -p ${config.services.forgejo.stateDir}/custom/public/ + mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/ + mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/img/ + mkdir -p ${config.services.forgejo.stateDir}/custom/public/assets/css/ + mkdir -p ${config.services.forgejo.stateDir}/custom/templates/custom/ + ln -sf ${logos.png} ${config.services.forgejo.stateDir}/custom/public/assets/img/logo.png + ln -sf ${logos.svg} ${config.services.forgejo.stateDir}/custom/public/assets/img/logo.svg + ln -sf ${logos.png} ${config.services.forgejo.stateDir}/custom/public/assets/img/favicon.png + ln -sf ${logos.svg-with-background} ${config.services.forgejo.stateDir}/custom/public/assets/img/favicon.svg + ln -sf ${theme}/theme-catppuccin-mocha-sapphire.css ${config.services.forgejo.stateDir}/custom/public/assets/css/ + ln -sf ${forgejoCustomCss} ${config.services.forgejo.stateDir}/custom/public/assets/css/iosevkalyte.css + ln -sf ${forgejoCustomHeaderTmpl} ${config.services.forgejo.stateDir}/custom/templates/custom/header.tmpl + ln -sf ${forgejoCustomHomeTmpl} ${config.services.forgejo.stateDir}/custom/templates/home.tmpl + ''; + }; + + services.gitea-actions-runner = { + # TODO: simple 
git-based automation would be dope? maybe especially for + # mirroring to github super easy? + package = pkgs.forgejo-runner; + instances."beefcake" = { + enable = true; + name = "beefcake"; + url = "https://git.lyte.dev"; + settings = { + container = { + # use the shared network which is bridged by default + # this lets us hit git.lyte.dev just fine + network = "podman"; + }; + }; + labels = [ + # type ":host" does not depend on docker/podman/lxc + "podman" + "nix:docker://git.lyte.dev/lytedev/nix:latest" + "beefcake:host" + "nixos-host:host" + ]; + tokenFile = config.sops.secrets."forgejo-runner.env".path; + hostPackages = with pkgs; [ + nix + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + gnutar # needed for cache action + wget + ]; + }; + }; + # environment.systemPackages = with pkgs; [nodejs]; + services.caddy.virtualHosts."git.lyte.dev" = { + extraConfig = '' + reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + services.caddy.virtualHosts."http://git.beefcake.lan" = { + extraConfig = '' + reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + } + ) { services.restic.commonPaths = [ config.services.vaultwarden.backupDir @@ -1083,9 +1113,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = 8222; /* - TODO: smtp setup? - right now, I think I configured this manually by temporarily setting ADMIN_TOKEN - and then configuring in https://bw.lyte.dev/admin + TODO: smtp setup? + right now, I think I configured this manually by temporarily setting ADMIN_TOKEN + and then configuring in https://bw.lyte.dev/admin */ }; }; @@ -1100,10 +1130,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 group = "atuin"; }; users.extraGroups = { - "atuin" = {}; + "atuin" = { }; }; services.postgresql = { - ensureDatabases = ["atuin"]; + ensureDatabases = [ "atuin" ]; ensureUsers = [ { name = "atuin"; 
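Review bot: The runner labels `"beefcake:host"` and `"nixos-host:host"` register host-type executors, so any workflow in a repository with Actions enabled (`actions.ENABLED = true`) runs directly on beefcake as the runner's service user with the `nix`, `bash`, `curl` and other tools from `hostPackages`, not inside a container. `DISABLE_REGISTRATION = true` limits this to accounts that already exist, but it is still effectively shell access on the host for every user who can push a workflow, and nothing in the hunk records that trade-off; suggest a comment above the labels such as `# NOTE: ":host" jobs run directly on beefcake as the runner user -- only trusted accounts should have Actions access; use the podman labels for anything else`. Separately, `session.COOKIE_SECURE = true` sets the Secure flag on the session cookie, so logins through the plaintext `http://git.beefcake.lan` vhost will most likely not persist in the browser; if that vhost is intentional, a one-line comment saying what it is for (TLS-less LAN access, or only for clone URLs) would help. The `services.forgejo` and runner settings are unchanged apart from formatting, and the enclosing module list starts before this hunk.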
@@ -1132,396 +1162,414 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 { # jland minecraft server /* - users.groups.jland = { - gid = 982; - }; - users.users.jland = { - uid = 986; + users.groups.jland = { + gid = 982; + }; + users.users.jland = { + uid = 986; + isSystemUser = true; + createHome = false; + group = "jland"; + }; + virtualisation.oci-containers.containers.minecraft-jland = { + autoStart = false; + + # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/ + image = "docker.io/itzg/minecraft-server"; + # user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}"; + extraOptions = [ + "--tty" + "--interactive" + ]; + environment = { + EULA = "true"; + ## UID = toString config.users.users.jland.uid; + ## GID = toString config.users.groups.jland.gid; + STOP_SERVER_ANNOUNCE_DELAY = "20"; + TZ = "America/Chicago"; + VERSION = "1.20.1"; + MEMORY = "8G"; + MAX_MEMORY = "16G"; + TYPE = "FORGE"; + FORGE_VERSION = "47.1.3"; + ALLOW_FLIGHT = "true"; + ENABLE_QUERY = "true"; + + MODPACK = "/data/origination-files/Server-Files-0.2.14.zip"; + + ## TYPE = "AUTO_CURSEFORGE"; + ## CF_SLUG = "monumental-experience"; + ## CF_FILE_ID = "4826863"; # 2.2.53 + + ## due to + ## Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory. + ## we must upload manually + ## CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip"; + + ## ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time + ## May also have mod/loader incompatibilities? 
+ ## https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/ + }; + environmentFiles = [ + # config.sops.secrets."jland.env".path + ]; + ports = ["26965:25565"]; + volumes = [ + "/storage/jland/data:/data" + "/storage/jland/worlds:/worlds" + ]; + }; + networking.firewall.allowedTCPPorts = [ + 26965 + ]; + } + { + # dawncraft minecraft server + systemd.tmpfiles.rules = [ + "d /storage/dawncraft/ 0770 1000 1000 -" + "d /storage/dawncraft/data/ 0770 1000 1000 -" + "d /storage/dawncraft/worlds/ 0770 1000 1000 -" + "d /storage/dawncraft/downloads/ 0770 1000 1000 -" + ]; + virtualisation.oci-containers.containers.minecraft-dawncraft = { + autoStart = false; + + # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/ + image = "docker.io/itzg/minecraft-server"; + extraOptions = [ + "--tty" + "--interactive" + ]; + environment = { + EULA = "true"; + + STOP_SERVER_ANNOUNCE_DELAY = "20"; + TZ = "America/Chicago"; + VERSION = "1.18.2"; + MEMORY = "8G"; + MAX_MEMORY = "32G"; + + ALLOW_FLIGHT = "true"; + ENABLE_QUERY = "true"; + SERVER_PORT = "26968"; + QUERY_PORT = "26968"; + + TYPE = "AUTO_CURSEFORGE"; + CF_SLUG = "dawn-craft"; + + CF_EXCLUDE_MODS = "368398"; + CF_FORCE_SYNCHRONIZE = "true"; + # CF_FILE_ID = "5247696"; # 2.0.7 server + }; + environmentFiles = [ + config.sops.secrets."dawncraft.env".path + ]; + ports = ["26968:26968/tcp" "26968:26968/udp"]; + volumes = [ + "/storage/dawncraft/data:/data" + "/storage/dawncraft/worlds:/worlds" + "/storage/dawncraft/downloads:/downloads" + ]; + }; + networking.firewall.allowedTCPPorts = [ + 26968 + ]; + */ + } + ( + { ... 
}: + let + port = 26969; + dir = "/storage/flanilla"; + user = "flanilla"; + in + # uid = config.users.users.flanilla.uid; + # gid = config.users.groups.flanilla.gid; + { + # flanilla family minecraft server + users.groups.${user} = { }; + users.users.${user} = { isSystemUser = true; createHome = false; - group = "jland"; + home = dir; + group = user; }; - virtualisation.oci-containers.containers.minecraft-jland = { + virtualisation.oci-containers.containers.minecraft-flanilla = { autoStart = false; - # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/ - image = "docker.io/itzg/minecraft-server"; - # user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}"; - extraOptions = [ - "--tty" - "--interactive" - ]; - environment = { - EULA = "true"; - ## UID = toString config.users.users.jland.uid; - ## GID = toString config.users.groups.jland.gid; - STOP_SERVER_ANNOUNCE_DELAY = "20"; - TZ = "America/Chicago"; - VERSION = "1.20.1"; - MEMORY = "8G"; - MAX_MEMORY = "16G"; - TYPE = "FORGE"; - FORGE_VERSION = "47.1.3"; - ALLOW_FLIGHT = "true"; - ENABLE_QUERY = "true"; - - MODPACK = "/data/origination-files/Server-Files-0.2.14.zip"; - - ## TYPE = "AUTO_CURSEFORGE"; - ## CF_SLUG = "monumental-experience"; - ## CF_FILE_ID = "4826863"; # 2.2.53 - - ## due to - ## Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory. - ## we must upload manually - ## CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip"; - - ## ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time - ## May also have mod/loader incompatibilities? 
- ## https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/ - }; environmentFiles = [ # config.sops.secrets."jland.env".path ]; - ports = ["26965:25565"]; - volumes = [ - "/storage/jland/data:/data" - "/storage/jland/worlds:/worlds" - ]; - }; - networking.firewall.allowedTCPPorts = [ - 26965 - ]; - } - { - # dawncraft minecraft server - systemd.tmpfiles.rules = [ - "d /storage/dawncraft/ 0770 1000 1000 -" - "d /storage/dawncraft/data/ 0770 1000 1000 -" - "d /storage/dawncraft/worlds/ 0770 1000 1000 -" - "d /storage/dawncraft/downloads/ 0770 1000 1000 -" - ]; - virtualisation.oci-containers.containers.minecraft-dawncraft = { - autoStart = false; - - # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/ image = "docker.io/itzg/minecraft-server"; + # user = "${toString uid}:${toString gid}"; extraOptions = [ "--tty" "--interactive" ]; environment = { EULA = "true"; - + MOTD = "Flanilla Survival! Happy hunting!"; + # UID = toString uid; + # GID = toString gid; STOP_SERVER_ANNOUNCE_DELAY = "20"; TZ = "America/Chicago"; - VERSION = "1.18.2"; + VERSION = "1.21"; + OPS = "lytedev"; + MODE = "survival"; + DIFFICULTY = "easy"; + ONLINE_MODE = "false"; MEMORY = "8G"; - MAX_MEMORY = "32G"; - + MAX_MEMORY = "16G"; ALLOW_FLIGHT = "true"; ENABLE_QUERY = "true"; - SERVER_PORT = "26968"; - QUERY_PORT = "26968"; - - TYPE = "AUTO_CURSEFORGE"; - CF_SLUG = "dawn-craft"; - - CF_EXCLUDE_MODS = "368398"; - CF_FORCE_SYNCHRONIZE = "true"; - # CF_FILE_ID = "5247696"; # 2.0.7 server + ENABLE_COMMAND_BLOCK = "true"; }; - environmentFiles = [ - config.sops.secrets."dawncraft.env".path - ]; - ports = ["26968:26968/tcp" "26968:26968/udp"]; + ports = [ "${toString port}:25565" ]; + volumes = [ - "/storage/dawncraft/data:/data" - "/storage/dawncraft/worlds:/worlds" - "/storage/dawncraft/downloads:/downloads" + "${dir}/data:/data" + "${dir}/worlds:/worlds" ]; }; + systemd.services.podman-minecraft-flanilla.serviceConfig = { + User 
= user; + Group = user; + }; + systemd.tmpfiles.settings = { + "10-${user}-survival" = { + "${dir}/data" = { + "d" = { + mode = "0770"; + user = user; + group = user; + }; + }; + "${dir}/worlds" = { + "d" = { + mode = "0770"; + user = user; + group = user; + }; + }; + }; + }; + services.restic.commonPaths = [ dir ]; networking.firewall.allowedTCPPorts = [ - 26968 + port ]; - */ - } - ({...}: let - port = 26969; - dir = "/storage/flanilla"; - user = "flanilla"; + } + ) + ( + { ... }: + let + port = 26968; + dir = "/storage/flanilla-creative"; + user = "flanilla"; + in # uid = config.users.users.flanilla.uid; # gid = config.users.groups.flanilla.gid; - in { - # flanilla family minecraft server - users.groups.${user} = {}; - users.users.${user} = { - isSystemUser = true; - createHome = false; - home = dir; - group = user; - }; - virtualisation.oci-containers.containers.minecraft-flanilla = { - autoStart = false; + { + # flanilla family minecraft server + users.groups.${user} = { }; + users.users.${user} = { + isSystemUser = true; + createHome = false; + home = lib.mkForce dir; + group = user; + }; + virtualisation.oci-containers.containers.minecraft-flanilla-creative = { + autoStart = true; + image = "docker.io/itzg/minecraft-server"; + # user = "${toString uid}:${toString gid}"; + extraOptions = [ + "--tty" + "--interactive" + ]; + environment = { + EULA = "true"; + MOTD = "Flanilla Creative! 
Have fun building!"; + # UID = toString uid; + # GID = toString gid; + STOP_SERVER_ANNOUNCE_DELAY = "20"; + TZ = "America/Chicago"; + VERSION = "1.21"; + OPS = "lytedev"; + MODE = "creative"; + DIFFICULTY = "peaceful"; + ONLINE_MODE = "false"; + MEMORY = "8G"; + MAX_MEMORY = "16G"; + ALLOW_FLIGHT = "true"; + ENABLE_QUERY = "true"; + ENABLE_COMMAND_BLOCK = "true"; + }; + ports = [ "${toString port}:25565" ]; - environmentFiles = [ - # config.sops.secrets."jland.env".path + volumes = [ + "${dir}/data:/data" + "${dir}/worlds:/worlds" + ]; + }; + # systemd.services.podman-minecraft-flanilla-creative.serviceConfig = { + # User = user; + # Group = user; + # }; + systemd.tmpfiles.settings = { + "10-${user}-creative" = { + "${dir}/data" = { + "d" = { + mode = "0770"; + user = user; + group = user; + }; + }; + "${dir}/worlds" = { + "d" = { + mode = "0770"; + user = user; + group = user; + }; + }; + }; + }; + services.restic.commonPaths = [ dir ]; + networking.firewall.allowedTCPPorts = [ + port ]; - image = "docker.io/itzg/minecraft-server"; - # user = "${toString uid}:${toString gid}"; - extraOptions = ["--tty" "--interactive"]; - environment = { - EULA = "true"; - MOTD = "Flanilla Survival! 
Happy hunting!"; - # UID = toString uid; - # GID = toString gid; - STOP_SERVER_ANNOUNCE_DELAY = "20"; - TZ = "America/Chicago"; - VERSION = "1.21"; - OPS = "lytedev"; - MODE = "survival"; - DIFFICULTY = "easy"; - ONLINE_MODE = "false"; - MEMORY = "8G"; - MAX_MEMORY = "16G"; - ALLOW_FLIGHT = "true"; - ENABLE_QUERY = "true"; - ENABLE_COMMAND_BLOCK = "true"; - }; - ports = ["${toString port}:25565"]; - - volumes = [ - "${dir}/data:/data" - "${dir}/worlds:/worlds" - ]; - }; - systemd.services.podman-minecraft-flanilla.serviceConfig = { - User = user; - Group = user; - }; - systemd.tmpfiles.settings = { - "10-${user}-survival" = { - "${dir}/data" = { - "d" = { - mode = "0770"; - user = user; - group = user; - }; - }; - "${dir}/worlds" = { - "d" = { - mode = "0770"; - user = user; - group = user; - }; - }; - }; - }; - services.restic.commonPaths = [dir]; - networking.firewall.allowedTCPPorts = [ - port - ]; - }) - ({...}: let - port = 26968; - dir = "/storage/flanilla-creative"; - user = "flanilla"; - # uid = config.users.users.flanilla.uid; - # gid = config.users.groups.flanilla.gid; - in { - # flanilla family minecraft server - users.groups.${user} = {}; - users.users.${user} = { - isSystemUser = true; - createHome = false; - home = lib.mkForce dir; - group = user; - }; - virtualisation.oci-containers.containers.minecraft-flanilla-creative = { - autoStart = true; - image = "docker.io/itzg/minecraft-server"; - # user = "${toString uid}:${toString gid}"; - extraOptions = ["--tty" "--interactive"]; - environment = { - EULA = "true"; - MOTD = "Flanilla Creative! 
Have fun building!"; - # UID = toString uid; - # GID = toString gid; - STOP_SERVER_ANNOUNCE_DELAY = "20"; - TZ = "America/Chicago"; - VERSION = "1.21"; - OPS = "lytedev"; - MODE = "creative"; - DIFFICULTY = "peaceful"; - ONLINE_MODE = "false"; - MEMORY = "8G"; - MAX_MEMORY = "16G"; - ALLOW_FLIGHT = "true"; - ENABLE_QUERY = "true"; - ENABLE_COMMAND_BLOCK = "true"; - }; - ports = ["${toString port}:25565"]; - - volumes = [ - "${dir}/data:/data" - "${dir}/worlds:/worlds" - ]; - }; - # systemd.services.podman-minecraft-flanilla-creative.serviceConfig = { - # User = user; - # Group = user; - # }; - systemd.tmpfiles.settings = { - "10-${user}-creative" = { - "${dir}/data" = { - "d" = { - mode = "0770"; - user = user; - group = user; - }; - }; - "${dir}/worlds" = { - "d" = { - mode = "0770"; - user = user; - group = user; - }; - }; - }; - }; - services.restic.commonPaths = [dir]; - networking.firewall.allowedTCPPorts = [ - port - ]; - }) - ({ - config, - options, - ... - }: let - domain = "idm.h.lyte.dev"; - name = "kanidm"; - user = name; - group = name; - storage = "/storage/${name}"; - in { - # kanidm - config = { - # reload certs from caddy every 5 minutes - # TODO: ideally some kind of file watcher service would make way more sense here? - # or we could simply setup the permissions properly somehow? 
- systemd.timers."copy-kanidm-certificates-from-caddy" = { - wantedBy = ["timers.target"]; - timerConfig = { - OnBootSec = "10m"; # 10 minutes after booting - OnUnitActiveSec = "5m"; # every 5 minutes afterwards - Unit = "copy-kanidm-certificates-from-caddy.service"; - }; - }; - - systemd.services."copy-kanidm-certificates-from-caddy" = { - # get the certificates that caddy provisions for us - script = '' - umask 077 - # this line should be unnecessary now that we have this in tmpfiles - install -d -m 0700 -o "${name}" -g "${name}" "${storage}/data" "${storage}/certs" - cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev - install -m 0700 -o "${name}" -g "${name}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs" - ''; - path = with pkgs; [rsync]; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - systemd.tmpfiles.settings."10-kanidm" = { - "${config.services.kanidm.serverSettings.online_backup.path}".d = { - user = name; - group = name; - mode = "0700"; - }; - "${storage}/data".d = { - inherit user group; - mode = "0700"; - }; - "${storage}/certs".d = { - inherit user group; - mode = "0700"; - }; - }; - - services.kanidm = { - enableServer = true; - serverSettings = { - inherit domain; - origin = "https://${domain}"; - bindaddress = "127.0.0.1:8443"; - tls_chain = "${storage}/certs/idm.h.lyte.dev.crt"; - tls_key = "${storage}/certs/idm.h.lyte.dev.key"; - log_level = "info"; - online_backup = { - path = "${storage}/backups/"; - schedule = "00 22 * * *"; - versions = 50; + } + ) + ( + { + config, + options, + ... + }: + let + domain = "idm.h.lyte.dev"; + name = "kanidm"; + user = name; + group = name; + storage = "/storage/${name}"; + in + { + # kanidm + config = { + # reload certs from caddy every 5 minutes + # TODO: ideally some kind of file watcher service would make way more sense here? + # or we could simply setup the permissions properly somehow? 
+ systemd.timers."copy-kanidm-certificates-from-caddy" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "10m"; # 10 minutes after booting + OnUnitActiveSec = "5m"; # every 5 minutes afterwards + Unit = "copy-kanidm-certificates-from-caddy.service"; }; }; - enablePam = false; - unixSettings = { - # pam_allowed_login_groups = []; + systemd.services."copy-kanidm-certificates-from-caddy" = { + # get the certificates that caddy provisions for us + script = '' + umask 077 + # this line should be unnecessary now that we have this in tmpfiles + install -d -m 0700 -o "${name}" -g "${name}" "${storage}/data" "${storage}/certs" + cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev + install -m 0700 -o "${name}" -g "${name}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs" + ''; + path = with pkgs; [ rsync ]; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; }; - enableClient = true; - clientSettings = { - uri = "https://idm.h.lyte.dev"; + systemd.tmpfiles.settings."10-kanidm" = { + "${config.services.kanidm.serverSettings.online_backup.path}".d = { + user = name; + group = name; + mode = "0700"; + }; + "${storage}/data".d = { + inherit user group; + mode = "0700"; + }; + "${storage}/certs".d = { + inherit user group; + mode = "0700"; + }; }; - provision = { - # enable = true; - # instanceUrl = "https://${domain}"; - # adminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path - # idmAdminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path - # autoRemove = true; - # groups = { - # myGroup = { - # members = ["myUser" /* ...*/]; - # } - # }; - # persons = { - # myUser = { - # displayName = "display name"; - # legalName = "My User"; - # mailAddresses = ["myuser@example.com"]; - # groups = ["myGroup"]; - # } - # }; - # systems = { - # oauth2 = { - # mySystem = { - # enableLegacyCrypto = false; - # enableLocalhostRedirects = true; # only for public - # 
allowInsecureClientDisablePkce = false; - # basicSecretFile = config.sops.secrets.basic-secret-file... - # claimMap = {}; - # }; - # }; - # }; + services.kanidm = { + enableServer = true; + serverSettings = { + inherit domain; + origin = "https://${domain}"; + bindaddress = "127.0.0.1:8443"; + tls_chain = "${storage}/certs/idm.h.lyte.dev.crt"; + tls_key = "${storage}/certs/idm.h.lyte.dev.key"; + log_level = "info"; + online_backup = { + path = "${storage}/backups/"; + schedule = "00 22 * * *"; + versions = 50; + }; + }; + + enablePam = false; + unixSettings = { + # pam_allowed_login_groups = []; + }; + + enableClient = true; + clientSettings = { + uri = "https://idm.h.lyte.dev"; + }; + + provision = { + # enable = true; + # instanceUrl = "https://${domain}"; + # adminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path + # idmAdminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path + # autoRemove = true; + # groups = { + # myGroup = { + # members = ["myUser" /* ...*/]; + # } + # }; + # persons = { + # myUser = { + # displayName = "display name"; + # legalName = "My User"; + # mailAddresses = ["myuser@example.com"]; + # groups = ["myGroup"]; + # } + # }; + # systems = { + # oauth2 = { + # mySystem = { + # enableLegacyCrypto = false; + # enableLocalhostRedirects = true; # only for public + # allowInsecureClientDisablePkce = false; + # basicSecretFile = config.sops.secrets.basic-secret-file... 
+ # claimMap = {}; + # }; + # }; + # }; + }; + }; + + services.caddy.virtualHosts."idm.h.lyte.dev" = { + extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443''; + }; + + networking = { + extraHosts = '' + ::1 idm.h.lyte.dev + 127.0.0.1 idm.h.lyte.dev + ''; }; }; - - services.caddy.virtualHosts."idm.h.lyte.dev" = { - extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443''; - }; - - networking = { - extraHosts = '' - ::1 idm.h.lyte.dev - 127.0.0.1 idm.h.lyte.dev - ''; - }; - }; - }) + } + ) { systemd.tmpfiles.settings = { "10-audiobookshelf" = { @@ -1548,7 +1596,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 }; }; }; - users.groups.audiobookshelf = {}; + users.groups.audiobookshelf = { }; users.users.audiobookshelf = { isSystemUser = true; group = "audiobookshelf"; @@ -1584,13 +1632,25 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 job_name = "beefcake"; static_configs = [ { - targets = let inherit (config.services.prometheus.exporters.node) port listenAddress; in ["${listenAddress}:${toString port}"]; + targets = + let + inherit (config.services.prometheus.exporters.node) port listenAddress; + in + [ "${listenAddress}:${toString port}" ]; } { - targets = let inherit (config.services.prometheus.exporters.zfs) port listenAddress; in ["${listenAddress}:${toString port}"]; + targets = + let + inherit (config.services.prometheus.exporters.zfs) port listenAddress; + in + [ "${listenAddress}:${toString port}" ]; } { - targets = let inherit (config.services.prometheus.exporters.postgres) port listenAddress; in ["${listenAddress}:${toString port}"]; + targets = + let + inherit (config.services.prometheus.exporters.postgres) port listenAddress; + in + [ "${listenAddress}:${toString port}" ]; } ]; } 
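Review bot: Both flanilla containers set `ONLINE_MODE = "false"` together with `OPS = "lytedev"`, and `networking.firewall.allowedTCPPorts = [ port ]` opens them to whatever network the host is on; with Mojang authentication off, any client that reaches the port can log in under the name `lytedev` and receive operator rights (and command blocks, via `ENABLE_COMMAND_BLOCK = "true"`), which on a container whose data and world dirs are bind-mounted from `/storage/flanilla*` amounts to full control of that server. If offline mode is deliberate (LAN or Tailscale-only clients), it should at least be documented next to the setting, e.g. `# ONLINE_MODE=false disables Mojang auth: anyone who reaches this port can join as any name, including the OPS list -- keep it LAN/Tailscale-only`, and ideally the firewall rule scoped to that interface rather than global. Also, `minecraft-flanilla-creative` has `autoStart = true` while its `systemd.services.podman-minecraft-flanilla-creative.serviceConfig` User/Group block is commented out, so unlike the survival container it appears to be started by the unit as root; the commented `# UID`/`# GID` lines suggest this is a known gap and deserves an explicit TODO rather than a silent comment-out. The kanidm and audiobookshelf parts of this hunk are formatting-only.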
@@ -1615,15 +1675,15 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 }; }; /* - TODO: promtail? - idrac exporter? - restic exporter? - smartctl exporter? - systemd exporter? - NOTE: we probably don't want this exposed - services.caddy.virtualHosts."prometheus.h.lyte.dev" = { - extraConfig = ''reverse_proxy :${toString config.services.prometheus.port}''; - }; + TODO: promtail? + idrac exporter? + restic exporter? + smartctl exporter? + systemd exporter? + NOTE: we probably don't want this exposed + services.caddy.virtualHosts."prometheus.h.lyte.dev" = { + extraConfig = ''reverse_proxy :${toString config.services.prometheus.port}''; + }; */ } { @@ -1754,8 +1814,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 containers.actual = { image = "ghcr.io/actualbudget/actual-server:25.2.1"; autoStart = true; - ports = ["5006:5006"]; - volumes = ["/storage/actual:/data"]; + ports = [ "5006:5006" ]; + volumes = [ "/storage/actual:/data" ]; }; }; @@ -1769,7 +1829,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 package = pkgs.factorio-headless.override { versionsJson = ./factorio-versions.json; }; - admins = ["lytedev"]; + admins = [ "lytedev" ]; autosave-interval = 5; game-name = "Flanwheel Online"; description = "Space Age 2.0"; 
@@ -1783,52 +1843,58 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 extraSettingsFile = config.sops.secrets.factorio-server-settings.path; }; sops.secrets = { - factorio-server-settings = {mode = "0777";}; - }; - } - ({ - pkgs, - config, - ... - }: let - port = builtins.head config.services.conduwuit.settings.global.port; - sPort = toString port; - in { - sops.secrets.matrix-registration-token-file.mode = "0400"; - services.conduwuit = { - enable = true; - settings = { - global = { - allow_check_for_updates = true; - allow_federation = false; - registration_token_file = config.sops.secrets.matrix-registration-token-file.path; - server_name = "lyte.dev"; - }; + factorio-server-settings = { + mode = "0777"; }; }; - services.caddy.virtualHosts."matrix.lyte.dev".extraConfig = '' - reverse_proxy /_matrix/* :${sPort} - reverse_proxy /_synapse/client/* :${sPort} - ''; - services.caddy.virtualHosts."lyte.dev:8448".extraConfig = '' - reverse_proxy /_matrix/* :${sPort} - ''; - # TODO: backups - # TODO: reverse proxy - }) + } + ( + { + pkgs, + config, + ... 
+ }: + let + port = builtins.head config.services.conduwuit.settings.global.port; + sPort = toString port; + in + { + sops.secrets.matrix-registration-token-file.mode = "0400"; + services.conduwuit = { + enable = true; + settings = { + global = { + allow_check_for_updates = true; + allow_federation = false; + registration_token_file = config.sops.secrets.matrix-registration-token-file.path; + server_name = "lyte.dev"; + }; + }; + }; + services.caddy.virtualHosts."matrix.lyte.dev".extraConfig = '' + reverse_proxy /_matrix/* :${sPort} + reverse_proxy /_synapse/client/* :${sPort} + ''; + services.caddy.virtualHosts."lyte.dev:8448".extraConfig = '' + reverse_proxy /_matrix/* :${sPort} + ''; + # TODO: backups + # TODO: reverse proxy + } + ) ]; /* - TODO: non-root processes and services that access secrets need to be part of - the 'keys' group + TODO: non-root processes and services that access secrets need to be part of + the 'keys' group - systemd.services.some-service = { - serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ]; - }; - or - users.users.example-user.extraGroups = [ config.users.groups.keys.name ]; + systemd.services.some-service = { + serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ]; + }; + or + users.users.example-user.extraGroups = [ config.users.groups.keys.name ]; - TODO: declarative directory quotas? for storage/$USER and /home/$USER + TODO: declarative directory quotas? for storage/$USER and /home/$USER */ environment.systemPackages = with pkgs; [ 
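Review bot: `sops.secrets.factorio-server-settings = { mode = "0777"; }` leaves the decrypted file that `extraSettingsFile` points at (which for Factorio typically holds the game password and factorio.com token) readable and writable by every local account and service user on the host; the commit only reflows it, but it is worth fixing while the line is being touched. The matrix token a few lines below already uses `mode = "0400"`, and the file's own TODO at the end of the hunk names the intended pattern, so `factorio-server-settings = { mode = "0440"; group = "factorio"; };` with `SupplementaryGroups = [ config.users.groups.keys.name ]` on the factorio unit as the alternative (the actual service user/group of the NixOS factorio module should be confirmed outside this hunk). Separately, `services.caddy.virtualHosts."lyte.dev:8448"` proxies the federation API while `allow_federation = false` is set in conduwuit; a comment saying whether that vhost is kept deliberately for future federation would save the next reader a question.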
@@ -1846,34 +1912,34 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 services.tailscale.useRoutingFeatures = "server"; /* - # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72 - services.lidarr = { - enable = true; - dataDir = "/storage/lidarr"; - }; + # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72 + services.lidarr = { + enable = true; + dataDir = "/storage/lidarr"; + }; - services.radarr = { - enable = true; - dataDir = "/storage/radarr"; - }; + services.radarr = { + enable = true; + dataDir = "/storage/radarr"; + }; - services.sonarr = { - enable = true; - dataDir = "/storage/sonarr"; - }; + services.sonarr = { + enable = true; + dataDir = "/storage/sonarr"; + }; - services.bazarr = { - enable = true; - listenPort = 6767; - }; + services.bazarr = { + enable = true; + listenPort = 6767; + }; - networking.firewall.allowedTCPPorts = [9876 9877]; - networking.firewall.allowedUDPPorts = [9876 9877]; - networking.firewall.allowedUDPPortRanges = [ - { - from = 27000; - to = 27100; - } - ]; + networking.firewall.allowedTCPPorts = [9876 9877]; + networking.firewall.allowedUDPPorts = [9876 9877]; + networking.firewall.allowedUDPPortRanges = [ + { + from = 27000; + to = 27100; + } + ]; */ } diff --git a/packages/hosts/bigtower.nix b/packages/hosts/bigtower.nix index 8ad667a..df77948 100644 --- a/packages/hosts/bigtower.nix +++ b/packages/hosts/bigtower.nix @@ -3,7 +3,8 @@ lib, config, ... -}: { +}: +{ system.stateVersion = "24.05"; home-manager.users.daniel.home.stateVersion = "24.05"; networking.hostName = "bigtower"; 
@@ -14,22 +15,25 @@ fileSystems."/" = { device = "/dev/disk/by-uuid/5b6c2d65-2704-4ed1-b06d-5ee7110b3d28"; fsType = "btrfs"; - options = ["subvol=root"]; + options = [ "subvol=root" ]; }; fileSystems."/nix" = { device = "/dev/disk/by-uuid/5b6c2d65-2704-4ed1-b06d-5ee7110b3d28"; fsType = "btrfs"; - options = ["subvol=nix"]; + options = [ "subvol=nix" ]; }; fileSystems."/home" = { device = "/dev/disk/by-uuid/5b6c2d65-2704-4ed1-b06d-5ee7110b3d28"; fsType = "btrfs"; - options = ["subvol=home"]; + options = [ "subvol=home" ]; }; fileSystems."/boot" = { device = "/dev/disk/by-uuid/CE80-4623"; fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; + options = [ + "fmask=0022" + "dmask=0022" + ]; }; } ]; @@ -43,9 +47,14 @@ # kernelPackages = pkgs.linuxPackages_zen; loader.efi.canTouchEfiVariables = true; loader.systemd-boot.enable = true; - initrd.availableKernelModules = ["xhci_pci" "nvme" "ahci" "usbhid"]; - kernelModules = ["kvm-amd"]; - supportedFilesystems = ["ntfs"]; + initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "ahci" + "usbhid" + ]; + kernelModules = [ "kvm-amd" ]; + supportedFilesystems = [ "ntfs" ]; }; hardware.bluetooth = { diff --git a/packages/hosts/default.nix b/packages/hosts/default.nix index 0e2dd15..c3df17b 100644 --- a/packages/hosts/default.nix +++ b/packages/hosts/default.nix 
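Review bot: `options = [ "fmask=0022" "dmask=0022" ]` on the vfat `/boot` mount leaves the ESP world-readable, which exposes the systemd-boot random-seed file and the initrd contents to every local user; recent NixOS releases warn about exactly this mount configuration. `"fmask=0077" "dmask=0077"` is the now-recommended default and changes nothing for the bootloader itself. The same mount options appear in the `fileSystems."/boot"` hunk of router.nix later in this diff.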
@@ -8,170 +8,187 @@ nixpkgs-unstable, home-manager-unstable, ... -}: let - baseHost = { - nixpkgs, - home-manager, - ... - }: (path: ({system ? "x86_64-linux"}: (nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - ({ - config, - lib, - pkgs, - modulesPath, - ... - }: { - imports = with self.outputs.nixosModules; [ - (modulesPath + "/installer/scan/not-detected.nix") - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - disko.nixosModules.disko - deno-netlify-ddns-client - shell-defaults-and-applications - wifi - printing - podman - virtual-machines - postgres - gaming - gnome - daniel - root - ]; - - config = { - lyte.shell.enable = lib.mkDefault true; - nixpkgs.config.allowUnfree = lib.mkDefault true; - - sops = { - age = { - sshKeyPaths = lib.mkDefault ["/etc/ssh/ssh_host_ed25519_key"]; - keyFile = lib.mkDefault "/var/lib/sops-nix/key.txt"; - generateKey = lib.mkDefault true; - }; - }; - - nix = { - nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; - registry = lib.mapAttrs (_: value: {flake = value;}) self.inputs; - - settings = +}: +let + baseHost = + { + nixpkgs, + home-manager, + ... + }: + ( + path: + ( + { + system ? "x86_64-linux", + }: + (nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ( { - trusted-users = lib.mkDefault ["@wheel"]; - extra-experimental-features = lib.mkDefault ["nix-command" "flakes"]; - auto-optimise-store = lib.mkDefault true; + config, + lib, + pkgs, + modulesPath, + ... 
+ }: + { + imports = with self.outputs.nixosModules; [ + (modulesPath + "/installer/scan/not-detected.nix") + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + disko.nixosModules.disko + deno-netlify-ddns-client + shell-defaults-and-applications + wifi + printing + podman + virtual-machines + postgres + gaming + gnome + daniel + root + ]; + + config = { + lyte.shell.enable = lib.mkDefault true; + nixpkgs.config.allowUnfree = lib.mkDefault true; + + sops = { + age = { + sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = lib.mkDefault "/var/lib/sops-nix/key.txt"; + generateKey = lib.mkDefault true; + }; + }; + + nix = { + nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; + registry = lib.mapAttrs (_: value: { flake = value; }) self.inputs; + + settings = { + trusted-users = lib.mkDefault [ "@wheel" ]; + extra-experimental-features = lib.mkDefault [ + "nix-command" + "flakes" + ]; + auto-optimise-store = lib.mkDefault true; + } // self.nixConfig; + }; + + systemd.services.nix-daemon.environment.TMPDIR = lib.mkDefault "/var/tmp"; # TODO: why did I do this again? 
+ boot.tmp.cleanOnBoot = lib.mkDefault true; + programs.gnupg.agent.enable = lib.mkDefault true; + time.timeZone = lib.mkDefault "America/Chicago"; + i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; + hardware.enableRedistributableFirmware = lib.mkDefault true; + + home-manager.useGlobalPkgs = lib.mkDefault true; + home-manager.backupFileExtension = lib.mkDefault "hm-backup"; + + users.users.root = { + openssh.authorizedKeys.keys = lib.mkDefault [ self.constants.pubkey ]; + }; + + services = { + openssh = { + enable = lib.mkDefault true; + + settings = { + PasswordAuthentication = lib.mkDefault false; + KbdInteractiveAuthentication = lib.mkDefault false; + PermitRootLogin = lib.mkForce "prohibit-password"; + }; + + openFirewall = lib.mkDefault true; + + /* + listenAddresses = [ + { addr = "0.0.0.0"; port = 22; } + ]; + */ + }; + avahi = { + enable = lib.mkDefault true; + reflector = lib.mkDefault true; + openFirewall = lib.mkDefault true; + nssmdns4 = lib.mkDefault true; + }; + tailscale = { + enable = lib.mkDefault true; + useRoutingFeatures = lib.mkDefault "client"; + }; + journald.extraConfig = lib.mkDefault "SystemMaxUse=1G"; + xserver.xkb = { + layout = lib.mkDefault "us"; + + # have the caps-lock key instead be a ctrl key + options = lib.mkDefault "ctrl:nocaps"; + }; + smartd.enable = lib.mkDefault true; + fwupd.enable = lib.mkDefault true; + }; + + console = { + useXkbConfig = lib.mkDefault true; + earlySetup = lib.mkDefault true; + + colors = + with self.constants.style.colors; + lib.mkDefault [ + bg + red + green + orange + blue + purple + yellow + fg3 + fgdim + red + green + orange + blue + purple + yellow + fg + ]; + }; + + networking = { + hostName = lib.mkDefault "set-a-hostname-dingus"; + + useDHCP = lib.mkDefault true; + firewall = { + enable = lib.mkDefault true; + allowPing = lib.mkDefault true; + }; + }; + }; } - // self.nixConfig; - }; + ) - systemd.services.nix-daemon.environment.TMPDIR = lib.mkDefault "/var/tmp"; # TODO: why did I do this 
again? - boot.tmp.cleanOnBoot = lib.mkDefault true; - programs.gnupg.agent.enable = lib.mkDefault true; - time.timeZone = lib.mkDefault "America/Chicago"; - i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; - hardware.enableRedistributableFirmware = lib.mkDefault true; - - home-manager.useGlobalPkgs = lib.mkDefault true; - home-manager.backupFileExtension = lib.mkDefault "hm-backup"; - - users.users.root = { - openssh.authorizedKeys.keys = lib.mkDefault [self.constants.pubkey]; - }; - - services = { - openssh = { - enable = lib.mkDefault true; - - settings = { - PasswordAuthentication = lib.mkDefault false; - KbdInteractiveAuthentication = lib.mkDefault false; - PermitRootLogin = lib.mkForce "prohibit-password"; + { + _module.args = { + hardware = hardware.outputs.nixosModules; + diskoConfigurations = self.outputs.diskoConfigurations; }; - - openFirewall = lib.mkDefault true; - - /* - listenAddresses = [ - { addr = "0.0.0.0"; port = 22; } - ]; - */ - }; - avahi = { - enable = lib.mkDefault true; - reflector = lib.mkDefault true; - openFirewall = lib.mkDefault true; - nssmdns4 = lib.mkDefault true; - }; - tailscale = { - enable = lib.mkDefault true; - useRoutingFeatures = lib.mkDefault "client"; - }; - journald.extraConfig = lib.mkDefault "SystemMaxUse=1G"; - xserver.xkb = { - layout = lib.mkDefault "us"; - - # have the caps-lock key instead be a ctrl key - options = lib.mkDefault "ctrl:nocaps"; - }; - smartd.enable = lib.mkDefault true; - fwupd.enable = lib.mkDefault true; - }; - - console = { - useXkbConfig = lib.mkDefault true; - earlySetup = lib.mkDefault true; - - colors = with self.constants.style.colors; - lib.mkDefault [ - bg - red - green - orange - blue - purple - yellow - fg3 - fgdim - red - green - orange - blue - purple - yellow - fg - ]; - }; - - networking = { - hostName = lib.mkDefault "set-a-hostname-dingus"; - - useDHCP = lib.mkDefault true; - firewall = { - enable = lib.mkDefault true; - allowPing = lib.mkDefault true; - }; - }; - }; - }) - - { - 
_module.args = { - hardware = hardware.outputs.nixosModules; - diskoConfigurations = self.outputs.diskoConfigurations; - }; - } - (import path) - ]; - }))); - stableHost = baseHost {inherit nixpkgs home-manager;}; + } + (import path) + ]; + }) + ) + ); + stableHost = baseHost { inherit nixpkgs home-manager; }; host = baseHost { nixpkgs = nixpkgs-unstable; home-manager = home-manager-unstable; }; -in { - beefcake = stableHost ./beefcake.nix {}; - dragon = host ./dragon.nix {}; - arm-dragon = host ./dragon.nix {system = "aarch64-linux";}; +in +{ + beefcake = stableHost ./beefcake.nix { }; + dragon = host ./dragon.nix { }; + arm-dragon = host ./dragon.nix { system = "aarch64-linux"; }; } diff --git a/packages/hosts/dragon.nix b/packages/hosts/dragon.nix index 37a3580..4d416d1 100644 --- a/packages/hosts/dragon.nix +++ b/packages/hosts/dragon.nix @@ -5,7 +5,8 @@ hardware, diskoConfigurations, ... -}: { +}: +{ system.stateVersion = "24.11"; home-manager.users.daniel.home.stateVersion = "24.11"; networking.hostName = "dragon"; @@ -14,19 +15,26 @@ kernelPackages = pkgs.linuxPackages_latest; loader.efi.canTouchEfiVariables = true; loader.systemd-boot.enable = true; - initrd.availableKernelModules = ["xhci_pci" "nvme" "ahci" "usbhid"]; - kernelModules = ["kvm-amd"]; - supportedFilesystems = ["ntfs"]; + initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "ahci" + "usbhid" + ]; + kernelModules = [ "kvm-amd" ]; + supportedFilesystems = [ "ntfs" ]; }; imports = with hardware; [ - (diskoConfigurations.unencrypted {disk = "/dev/nvme0n1";}) + (diskoConfigurations.unencrypted { disk = "/dev/nvme0n1"; }) common-cpu-amd common-gpu-amd common-pc-ssd ]; - sops.secrets.ddns-pass = {mode = "0400";}; + sops.secrets.ddns-pass = { + mode = "0400"; + }; services.deno-netlify-ddns-client = { passwordFile = config.sops.secrets.ddns-pass.path; enable = true; diff --git a/packages/hosts/foxtrot.nix b/packages/hosts/foxtrot.nix index 0e2dbcf..2d959d5 100644 --- a/packages/hosts/foxtrot.nix 
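Review bot: `trusted-users = lib.mkDefault [ "@wheel" ]` makes every wheel member a trusted nix-daemon user, which is root-equivalent (trusted users can add arbitrary substituters and trusted public keys and disable the sandbox); that is a reasonable trade-off for a single-admin fleet but deserves a comment such as `# NOTE: trusted-users is root-equivalent; only grant it to accounts that already have sudo`. `avahi.reflector = lib.mkDefault true` is likewise inherited by every host built through baseHost, and on a multi-homed host reflecting mDNS between interfaces leaks service advertisements across network boundaries unless the host overrides it (router.nix is not built from this file's outputs, so I cannot confirm either way). Note also that `settings = { … } // self.nixConfig;` is a plain right-biased merge, so any `trusted-users` or `extra-experimental-features` key in the flake's nixConfig silently replaces the mkDefault values set here.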
+++ b/packages/hosts/foxtrot.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ imports = [ { system.stateVersion = "24.11"; @@ -10,16 +11,16 @@ # TODO: move this to disko? # NOTE(oninstall): /* - sudo btrfs subvolume create /swap - sudo btrfs filesystem mkswapfile --size 32g --uuid clear /swap/swapfile - sudo swapon /swap/swapfile + sudo btrfs subvolume create /swap + sudo btrfs filesystem mkswapfile --size 32g --uuid clear /swap/swapfile + sudo swapon /swap/swapfile */ ]; # findmnt -no UUID -T /swap/swapfile # boot.resumeDevice = "/dev/disk/by-uuid/81c3354a-f629-4b6b-a249-7705aeb9f0d5"; # systemd.sleep.extraConfig = "HibernateDelaySec=180m"; services.fwupd.enable = true; - services.fwupd.extraRemotes = ["lvfs-testing"]; + services.fwupd.extraRemotes = [ "lvfs-testing" ]; } ]; @@ -75,19 +76,21 @@ } ]; }; - services.hypridle = let - secondsPerMinute = 60; - lockSeconds = 10 * secondsPerMinute; - in { - settings = { - listener = [ - { - timeout = lockSeconds + 55; - on-timeout = ''systemctl suspend''; - } - ]; + services.hypridle = + let + secondsPerMinute = 60; + lockSeconds = 10 * secondsPerMinute; + in + { + settings = { + listener = [ + { + timeout = lockSeconds + 55; + on-timeout = ''systemctl suspend''; + } + ]; + }; }; - }; wayland.windowManager.hyprland = { settings = { @@ -117,19 +120,19 @@ }; /* - "BOE 0x0BCA Unknown" = { - mode = "2256x1504@60Hz"; - position = "0,0"; - scale = toString scale; - }; + "BOE 0x0BCA Unknown" = { + mode = "2256x1504@60Hz"; + position = "0,0"; + scale = toString scale; + }; - "Dell Inc. DELL U2720Q D3TM623" = { - # desktop left vertical monitor - mode = "1920x1080@60Hz"; - # transform = "90"; - # scale = "1.5"; - position = "${toString (builtins.floor (2256 / scale))},0"; - }; + "Dell Inc. DELL U2720Q D3TM623" = { + # desktop left vertical monitor + mode = "1920x1080@60Hz"; + # transform = "90"; + # scale = "1.5"; + position = "${toString (builtins.floor (2256 / scale))},0"; + }; */ }; }; 
@@ -163,15 +166,15 @@ # https://github.com/void-linux/void-packages/issues/50417#issuecomment-2131802836 fix framework 13 not shutting down /* - kernelPatches = [ - { - name = "framework13shutdownfix"; - patch = builtins.fetchurl { - url = "https://github.com/void-linux/void-packages/files/15445612/0001-Add-hopefully-a-solution-for-shutdown-regression.PATCH"; - sha256 = "sha256:10zcnzy5hkam2cnxx441b978gzhvnqlcc49k7bpz9dc28xyjik50"; - }; - } - ]; + kernelPatches = [ + { + name = "framework13shutdownfix"; + patch = builtins.fetchurl { + url = "https://github.com/void-linux/void-packages/files/15445612/0001-Add-hopefully-a-solution-for-shutdown-regression.PATCH"; + sha256 = "sha256:10zcnzy5hkam2cnxx441b978gzhvnqlcc49k7bpz9dc28xyjik50"; + }; + } + ]; */ loader = { @@ -189,10 +192,10 @@ # NOTE(oninstall): /* - sudo filefrag -v /swap/swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}' - the above won't work for btrfs, instead you need btrfs inspect-internal map-swapfile -r /swap/swapfile - https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file - many of these come from https://wiki.archlinux.org/title/Framework_Laptop_13#Suspend + sudo filefrag -v /swap/swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}' + the above won't work for btrfs, instead you need btrfs inspect-internal map-swapfile -r /swap/swapfile + https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file + many of these come from https://wiki.archlinux.org/title/Framework_Laptop_13#Suspend */ kernelParams = [ "rtc_cmos.use_acpi_alarm=1" @@ -205,8 +208,12 @@ # NOTE(oninstall): "resume_offset=3421665" ]; - initrd.availableKernelModules = ["xhci_pci" "nvme" "thunderbolt"]; - kernelModules = ["kvm-amd"]; + initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "thunderbolt" + ]; + kernelModules = [ "kvm-amd" ]; }; hardware.bluetooth = { enable = true; 
@@ -214,26 +221,26 @@ # simply resume the power state at the time of hibernation powerOnBoot = false; - package = pkgs.bluez.overrideAttrs (finalAttrs: previousAttrs: rec { - version = "5.78"; - src = pkgs.fetchurl { - url = "mirror://kernel/linux/bluetooth/bluez-${version}.tar.xz"; - sha256 = "sha256-gw/tGRXF03W43g9eb0X83qDcxf9f+z0x227Q8A1zxeM="; - }; - patches = []; - buildInputs = - previousAttrs.buildInputs - ++ [ + package = pkgs.bluez.overrideAttrs ( + finalAttrs: previousAttrs: rec { + version = "5.78"; + src = pkgs.fetchurl { + url = "mirror://kernel/linux/bluetooth/bluez-${version}.tar.xz"; + sha256 = "sha256-gw/tGRXF03W43g9eb0X83qDcxf9f+z0x227Q8A1zxeM="; + }; + patches = [ ]; + buildInputs = previousAttrs.buildInputs ++ [ pkgs.python3Packages.pygments ]; - }); + } + ); }; powerManagement.cpuFreqGovernor = "ondemand"; /* - powerManagement.resumeCommands = '' - modprobe -rv mt7921e - modprobe -v mt7921e - ''; + powerManagement.resumeCommands = '' + modprobe -rv mt7921e + modprobe -v mt7921e + ''; */ services.power-profiles-daemon = { 
@@ -253,38 +260,42 @@ }; /* - services.tlp = { - enable = true; - settings = { - CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; - CPU_SCALING_GOVERNOR_ON_BAT = "ondemand"; - CPU_MIN_PERF_ON_BAT = 0; - CPU_MAX_PERF_ON_BAT = 80; + services.tlp = { + enable = true; + settings = { + CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; + CPU_SCALING_GOVERNOR_ON_BAT = "ondemand"; + CPU_MIN_PERF_ON_BAT = 0; + CPU_MAX_PERF_ON_BAT = 80; - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; - CPU_MIN_PERF_ON_AC = 0; - CPU_MAX_PERF_ON_AC = 100; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; + CPU_MIN_PERF_ON_AC = 0; + CPU_MAX_PERF_ON_AC = 100; + }; }; - }; */ - networking.firewall.allowedTCPPorts = let - stardewValley = 24642; - factorio = 34197; - in [ - 8000 # dev stuff - factorio - stardewValley - 7777 - ]; - networking.firewall.allowedUDPPorts = let - stardewValley = 24642; - factorio = 34197; - in [ - 8000 # dev stuff - factorio - stardewValley - 7777 - ]; + networking.firewall.allowedTCPPorts = + let + stardewValley = 24642; + factorio = 34197; + in + [ + 8000 # dev stuff + factorio + stardewValley + 7777 + ]; + networking.firewall.allowedUDPPorts = + let + stardewValley = 24642; + factorio = 34197; + in + [ + 8000 # dev stuff + factorio + stardewValley + 7777 + ]; } diff --git a/packages/hosts/htpc.nix b/packages/hosts/htpc.nix index f1b1025..2e6321d 100644 --- a/packages/hosts/htpc.nix +++ b/packages/hosts/htpc.nix @@ -3,7 +3,8 @@ config, lib, ... -}: { +}: +{ networking.hostName = "htpc"; networking.networkmanager.enable = true; 
@@ -12,9 +13,18 @@ boot.loader.grub.device = "/dev/sda"; boot.loader.grub.useOSProber = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; - boot.initrd.kernelModules = ["8821au" "8812au"]; - boot.kernelModules = ["kvm-intel"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ + "8821au" + "8812au" + ]; + boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ # pkgs.rtl8811au config.boot.kernelPackages.rtl8812au @@ -26,7 +36,7 @@ fsType = "ext4"; }; - swapDevices = []; + swapDevices = [ ]; hardware.bluetooth = { enable = true; diff --git a/packages/hosts/htpifour.nix b/packages/hosts/htpifour.nix index ddd0c0d..66d6932 100644 --- a/packages/hosts/htpifour.nix +++ b/packages/hosts/htpifour.nix @@ -5,7 +5,8 @@ outputs, modulesPath, ... -}: { +}: +{ nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "htpifour"; @@ -31,11 +32,15 @@ console.enable = false; home-manager.users.daniel = { - imports = with outputs.homeManagerModules; [linux-desktop wallpaper-manager]; + imports = with outputs.homeManagerModules; [ + linux-desktop + wallpaper-manager + ]; }; - environment.systemPackages = with pkgs; - #with pkgs; + environment.systemPackages = + with pkgs; + #with pkgs; [ # libcec libraspberrypi 
@@ -59,17 +64,17 @@ nixpkgs.overlays = [ /* - nixos-22.05 - (self: super: { libcec = super.libcec.override { inherit (self) libraspberrypi; }; }) - nixos-22.11 - (self: super: {libcec = super.libcec.override {withLibraspberrypi = true;};}) + nixos-22.05 + (self: super: { libcec = super.libcec.override { inherit (self) libraspberrypi; }; }) + nixos-22.11 + (self: super: {libcec = super.libcec.override {withLibraspberrypi = true;};}) */ ]; # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229 /* - systemd.services."getty@tty1".enable = false; - systemd.services."autovt@tty1".enable = false; + systemd.services."getty@tty1".enable = false; + systemd.services."autovt@tty1".enable = false; */ # hardware @@ -82,7 +87,11 @@ boot = { kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; - initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"]; + initrd.availableKernelModules = [ + "xhci_pci" + "usbhid" + "usb_storage" + ]; loader = { grub.enable = false; generic-extlinux-compatible.enable = true; 
@@ -99,43 +108,43 @@ allowedTCPPorts = [ 22 # ssh ]; - allowedUDPPorts = []; + allowedUDPPorts = [ ]; }; }; /* - services.udev.extraRules = '' - # allow access to raspi cec device for video group (and optionally register it as a systemd device, used below) - SUBSYSTEM=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq" - ''; + services.udev.extraRules = '' + # allow access to raspi cec device for video group (and optionally register it as a systemd device, used below) + SUBSYSTEM=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq" + ''; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - optional: attach a persisted cec-client to `/run/cec.fifo`, to avoid the CEC ~1s startup delay per command - scan for devices: `echo 'scan' > /run/cec.fifo ; journalctl -u cec-client.service` - set pi as active source: `echo 'as' > /run/cec.fifo` - systemd.sockets."cec-client" = { - after = ["dev-vchiq.device"]; - bindsTo = ["dev-vchiq.device"]; - wantedBy = ["sockets.target"]; - socketConfig = { - ListenFIFO = "/run/cec.fifo"; - SocketGroup = "video"; - SocketMode = "0660"; + optional: attach a persisted cec-client to `/run/cec.fifo`, to avoid the CEC ~1s startup delay per command + scan for devices: `echo 'scan' > /run/cec.fifo ; journalctl -u cec-client.service` + set pi as active source: `echo 'as' > /run/cec.fifo` + systemd.sockets."cec-client" = { + after = ["dev-vchiq.device"]; + bindsTo = ["dev-vchiq.device"]; + wantedBy = ["sockets.target"]; + socketConfig = { + ListenFIFO = "/run/cec.fifo"; + SocketGroup = "video"; + SocketMode = "0660"; + }; }; - }; - systemd.services."cec-client" = { - after = ["dev-vchiq.device"]; - bindsTo = ["dev-vchiq.device"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - ExecStart = ''${pkgs.libcec}/bin/cec-client -d 1''; - ExecStop = ''/bin/sh -c "echo q > /run/cec.fifo"''; - StandardInput = 
"socket"; - StandardOutput = "journal"; - Restart = "no"; + systemd.services."cec-client" = { + after = ["dev-vchiq.device"]; + bindsTo = ["dev-vchiq.device"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + ExecStart = ''${pkgs.libcec}/bin/cec-client -d 1''; + ExecStop = ''/bin/sh -c "echo q > /run/cec.fifo"''; + StandardInput = "socket"; + StandardOutput = "journal"; + Restart = "no"; + }; }; - }; */ hardware.graphics.driSupport32Bit = lib.mkForce false; diff --git a/packages/hosts/rascal.nix b/packages/hosts/rascal.nix index a7cf744..b58d1a2 100644 --- a/packages/hosts/rascal.nix +++ b/packages/hosts/rascal.nix @@ -2,13 +2,21 @@ config, modulesPath, ... -}: { +}: +{ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "ehci_pci" "usbhid" "uas" "sd_mod"]; - boot.kernelModules = ["kvm-amd"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "ehci_pci" + "usbhid" + "uas" + "sd_mod" + ]; + boot.kernelModules = [ "kvm-amd" ]; fileSystems."/" = { device = "/dev/disk/by-uuid/2e2ad73a-6264-4a7b-8439-9c05295d903d"; 
@@ -25,26 +33,30 @@ device = "/dev/sda"; }; - users.groups.beefcake = {}; + users.groups.beefcake = { }; users.users = { beefcake = { isSystemUser = true; createHome = true; home = "/storage/backups/beefcake"; group = "beefcake"; - extraGroups = ["sftponly"]; - openssh.authorizedKeys.keys = - config.users.users.daniel.openssh.authorizedKeys.keys - ++ [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7HrojwoyHED+A/FzRjYmIL0hzofwBd9IYHH6yV0oPO root@beefcake" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOEI82VdbyR1RYqSnFtlffHBtHFdXO0v9RmQH7GkfXo restic@beefcake" - ]; + extraGroups = [ "sftponly" ]; + openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys ++ [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7HrojwoyHED+A/FzRjYmIL0hzofwBd9IYHH6yV0oPO root@beefcake" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOEI82VdbyR1RYqSnFtlffHBtHFdXO0v9RmQH7GkfXo restic@beefcake" + ]; }; daniel = { # used for restic backups isNormalUser = true; - extraGroups = ["users" "wheel" "video" "dialout" "uucp"]; + extraGroups = [ + "users" + "wheel" + "video" + "dialout" + "uucp" + ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPLXOjupz3ScYjgrF+ehrbp9OvGAWQLI6fplX6w9Ijb daniel@lyte.dev" ]; @@ -68,7 +80,7 @@ firewall = { enable = true; allowPing = true; - allowedTCPPorts = [22]; + allowedTCPPorts = [ 22 ]; }; }; diff --git a/packages/hosts/router.nix b/packages/hosts/router.nix index 2707f49..873918e 100644 --- a/packages/hosts/router.nix +++ b/packages/hosts/router.nix 
@@ -4,15 +4,16 @@ # outputs, pkgs, ... -}: let +}: +let /* - NOTE: My goal is to be able to apply most of the common tweaks to the router - either live on the system for ad-hoc changes (such as forwarding a port for a - multiplayer game) or to tweak these values just below without reaching deeper - into the modules' implementation of these configuration values - NOTE: I could turn this into a cool NixOS module? - TODO: review https://francis.begyn.be/blog/nixos-home-router - TODO: more recent: https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md + NOTE: My goal is to be able to apply most of the common tweaks to the router + either live on the system for ad-hoc changes (such as forwarding a port for a + multiplayer game) or to tweak these values just below without reaching deeper + into the modules' implementation of these configuration values + NOTE: I could turn this into a cool NixOS module? + TODO: review https://francis.begyn.be/blog/nixos-home-router + TODO: more recent: https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md */ hostname = "router"; domain = "h.lyte.dev"; @@ -83,7 +84,8 @@ "net.ipv6.conf.${interfaces.wan.name}.use_tempaddr" = 2; # "net.ipv6.conf.${interfaces.wan.name}.addr_gen_mode" = 2; }; -in { +in +{ imports = [ { # hardware 
@@ -92,31 +94,34 @@ in { efi.canTouchEfiVariables = true; systemd-boot.enable = true; }; - initrd.availableKernelModules = ["xhci_pci"]; - initrd.kernelModules = []; - kernelModules = ["kvm-intel"]; - extraModulePackages = []; + initrd.availableKernelModules = [ "xhci_pci" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; }; fileSystems."/" = { device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802"; fsType = "btrfs"; - options = ["subvol=root"]; + options = [ "subvol=root" ]; }; fileSystems."/nix" = { device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802"; fsType = "btrfs"; - options = ["subvol=nix"]; + options = [ "subvol=nix" ]; }; fileSystems."/home" = { device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802"; fsType = "btrfs"; - options = ["subvol=home"]; + options = [ "subvol=home" ]; }; fileSystems."/boot" = { device = "/dev/disk/by-uuid/7F78-7AE8"; fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; + options = [ + "fmask=0022" + "dmask=0022" + ]; }; nixpkgs.hostPlatform = "x86_64-linux"; powerManagement.cpuFreqGovernor = "performance"; @@ -131,22 +136,22 @@ in { sops = { defaultSopsFile = ../secrets/router/secrets.yml; age = { - sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; keyFile = "/var/lib/sops-nix/key.txt"; generateKey = true; }; secrets = { - netlify-ddns-password = {mode = "0400";}; + netlify-ddns-password = { + mode = "0400"; + }; }; }; services.deno-netlify-ddns-client = { passwordFile = config.sops.secrets.netlify-ddns-password.path; }; - boot.kernel.sysctl = - sysctl-entries - // { - }; + boot.kernel.sysctl = sysctl-entries // { + }; networking = { hostName = hostname; 
@@ -174,173 +179,175 @@ in { # the main meat and potatoes for most routers, the firewall configuration # TODO: IPv6 - nftables = let - inf = { - lan = interfaces.lan.name; - wan = interfaces.wan.name; + nftables = + let + inf = { + lan = interfaces.lan.name; + wan = interfaces.wan.name; + }; + in + { + enable = true; + checkRuleset = true; + flushRuleset = true; + ruleset = with inf; '' + table inet filter { + ## set LANv4 { + ## type ipv4_addr + ## flags interval + ## elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } + ## } + ## set LANv6 { + ## type ipv6_addr + ## flags interval + ## elements = { fd00::/8, fe80::/10 } + ## } + ## TODO: maybe tailnet? + + ## chain my_input_lan { + ## udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply" + ## udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies" + ## } + + chain input { + type filter hook input priority 0; policy drop; + + iif lo accept comment "Accept any localhost traffic" + ct state invalid drop comment "Drop invalid connections" + ct state established,related accept comment "Accept traffic originated from us" + + meta l4proto ipv6-icmp accept comment "Accept ICMPv6" + meta l4proto icmp accept comment "Accept ICMP" + ip protocol igmp accept comment "Accept IGMP" + + ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit accept + ip6 nexthdr icmpv6 icmpv6 type nd-router-advert accept comment "Accept IPv6 router advertisements" + udp dport dhcpv6-client accept comment "IPv6 DHCP" + + ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept comment "Accept IPv6 ICMP and meta stuff" + ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, 
time-exceeded, parameter-problem } accept comment "Accept IPv4 ICMP and meta stuff" + ip protocol icmpv6 accept + ip protocol icmp accept + meta l4proto ipv6-icmp counter accept + udp dport dhcpv6-client counter accept + + udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" + udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" + + tcp dport 2201 accept comment "Accept SSH on port 2201" + tcp dport 53 accept comment "Accept DNS" + udp dport 53 accept comment "Accept DNS" + + tcp dport { 80, 443 } accept comment "Allow HTTP/HTTPS to server (see nat prerouting)" + udp dport { 80, 443 } accept comment "Allow QUIC to server (see nat prerouting)" + tcp dport { 22 } accept comment "Allow SSH to server (see nat prerouting)" + tcp dport { 25565 } accept comment "Allow Minecraft server connections (see nat prerouting)" + udp dport { 34197 } accept comment "Allow Factorio server connections (see nat prerouting)" + + iifname "${lan}" accept comment "Allow local network to access the router" + iifname "tailscale0" accept comment "Allow local network to access the router" + + ## ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges" + ## ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" + + iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan" + } + + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 0; + accept + } + + ## chain forward { + ## type filter hook forward priority filter; policy drop; + + ## iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN" + ## iifname { "tailscale0" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN" + ## iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN" + ## } + } + + table ip nat { + chain prerouting { + type nat hook prerouting 
priority dstnat; + + iifname ${lan} accept + iifname tailscale0 accept + + iifname ${wan} tcp dport {22} dnat to ${hosts.beefcake.ip} + iifname ${wan} tcp dport {80, 443} dnat to ${hosts.beefcake.ip} + iifname ${wan} udp dport {80, 443} dnat to ${hosts.beefcake.ip} + iifname ${wan} tcp dport {26966} dnat to ${hosts.beefcake.ip} + iifname ${wan} tcp dport {25565} dnat to ${hosts.bald.ip} + iifname ${wan} udp dport {25565} dnat to ${hosts.bald.ip} + iifname ${wan} udp dport {34197} dnat to ${hosts.beefcake.ip} + } + + chain postrouting { + type nat hook postrouting priority 100; policy accept; + oifname "${wan}" masquerade + } + } + ''; }; - in { - enable = true; - checkRuleset = true; - flushRuleset = true; - ruleset = with inf; '' - table inet filter { - ## set LANv4 { - ## type ipv4_addr - ## flags interval - ## elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } - ## } - ## set LANv6 { - ## type ipv6_addr - ## flags interval - ## elements = { fd00::/8, fe80::/10 } - ## } - ## TODO: maybe tailnet? 
- - ## chain my_input_lan { - ## udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply" - ## udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies" - ## } - - chain input { - type filter hook input priority 0; policy drop; - - iif lo accept comment "Accept any localhost traffic" - ct state invalid drop comment "Drop invalid connections" - ct state established,related accept comment "Accept traffic originated from us" - - meta l4proto ipv6-icmp accept comment "Accept ICMPv6" - meta l4proto icmp accept comment "Accept ICMP" - ip protocol igmp accept comment "Accept IGMP" - - ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit accept - ip6 nexthdr icmpv6 icmpv6 type nd-router-advert accept comment "Accept IPv6 router advertisements" - udp dport dhcpv6-client accept comment "IPv6 DHCP" - - ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept comment "Accept IPv6 ICMP and meta stuff" - ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept IPv4 ICMP and meta stuff" - ip protocol icmpv6 accept - ip protocol icmp accept - meta l4proto ipv6-icmp counter accept - udp dport dhcpv6-client counter accept - - udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" - udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" - - tcp dport 2201 accept comment "Accept SSH on port 2201" - tcp dport 53 accept comment "Accept DNS" - udp dport 53 accept comment "Accept DNS" - - tcp dport { 80, 443 } accept comment "Allow HTTP/HTTPS to server (see nat prerouting)" - udp dport { 80, 443 } accept comment "Allow QUIC to server (see nat prerouting)" - tcp dport { 22 } 
accept comment "Allow SSH to server (see nat prerouting)" - tcp dport { 25565 } accept comment "Allow Minecraft server connections (see nat prerouting)" - udp dport { 34197 } accept comment "Allow Factorio server connections (see nat prerouting)" - - iifname "${lan}" accept comment "Allow local network to access the router" - iifname "tailscale0" accept comment "Allow local network to access the router" - - ## ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges" - ## ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" - - iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan" - } - - chain output { - type filter hook output priority 0; - accept - } - - chain forward { - type filter hook forward priority 0; - accept - } - - ## chain forward { - ## type filter hook forward priority filter; policy drop; - - ## iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN" - ## iifname { "tailscale0" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN" - ## iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN" - ## } - } - - table ip nat { - chain prerouting { - type nat hook prerouting priority dstnat; - - iifname ${lan} accept - iifname tailscale0 accept - - iifname ${wan} tcp dport {22} dnat to ${hosts.beefcake.ip} - iifname ${wan} tcp dport {80, 443} dnat to ${hosts.beefcake.ip} - iifname ${wan} udp dport {80, 443} dnat to ${hosts.beefcake.ip} - iifname ${wan} tcp dport {26966} dnat to ${hosts.beefcake.ip} - iifname ${wan} tcp dport {25565} dnat to ${hosts.bald.ip} - iifname ${wan} udp dport {25565} dnat to ${hosts.bald.ip} - iifname ${wan} udp dport {34197} dnat to ${hosts.beefcake.ip} - } - - chain postrouting { - type nat hook postrouting priority 100; policy accept; - oifname "${wan}" masquerade - } - } - ''; - }; # NOTE: see flake.nix 'nnf.nixosModules.default' 
/* - nftables.firewall = let - me = config.networking.nftables.firewall.localZoneName; - in { - enable = true; - snippets.nnf-common.enable = true; + nftables.firewall = let + me = config.networking.nftables.firewall.localZoneName; + in { + enable = true; + snippets.nnf-common.enable = true; - zones = { - ${interfaces.wan.name} = { - interfaces = [interfaces.wan.name interfaces.lan.name]; + zones = { + ${interfaces.wan.name} = { + interfaces = [interfaces.wan.name interfaces.lan.name]; + }; + ${interfaces.lan.name} = { + parent = interfaces.wan.name; + ipv4Addresses = [cidr]; + }; + ## banned = { + ## ingressExpression = [ + ## "ip saddr @banlist" + ## "ip6 saddr @banlist6" + ## ]; + ## egressExpression = [ + ## "ip daddr @banlist" + ## "ip6 daddr @banlist6" + ## ]; + ## }; }; - ${interfaces.lan.name} = { - parent = interfaces.wan.name; - ipv4Addresses = [cidr]; - }; - ## banned = { - ## ingressExpression = [ - ## "ip saddr @banlist" - ## "ip6 saddr @banlist6" - ## ]; - ## egressExpression = [ - ## "ip daddr @banlist" - ## "ip6 daddr @banlist6" - ## ]; - ## }; - }; - rules = { - dhcp = { - from = "all"; - to = [hosts.beefcake.ip]; - allowedTCPPorts = [67]; - allowedUDPPorts = [67]; - }; - http = { - from = "all"; - to = [me]; - allowedTCPPorts = [80 443]; - }; - router-ssh = { - from = "all"; - to = [me]; - allowedTCPPorts = [2201]; - }; - server-ssh = { - from = "all"; - to = [hosts.beefcake.ip]; - allowedTCPPorts = [22]; + rules = { + dhcp = { + from = "all"; + to = [hosts.beefcake.ip]; + allowedTCPPorts = [67]; + allowedUDPPorts = [67]; + }; + http = { + from = "all"; + to = [me]; + allowedTCPPorts = [80 443]; + }; + router-ssh = { + from = "all"; + to = [me]; + allowedTCPPorts = [2201]; + }; + server-ssh = { + from = "all"; + to = [hosts.beefcake.ip]; + allowedTCPPorts = [22]; + }; }; }; - }; */ }; 
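Review bot: The `chain forward` in the new `ruleset` accepts everything (`type filter hook forward priority 0; accept`), so any packet the kernel routes between `${wan}`, `${lan}` and `tailscale0` is forwarded regardless of direction and the DNAT entries in `table ip nat` are the only thing gating inbound exposure; the commented-out `policy drop` forward chain directly beneath it already expresses the intended LAN→WAN / established-back policy and would only need one extra rule for the port-forwarded services, e.g. `iifname "${wan}" ct status dnat accept comment "Allow DNAT'd services"`. Separately, `tcp dport 53 accept` and `udp dport 53 accept` in `chain input` come before the `iifname "${wan}" counter drop` rule, so the router's resolver is reachable from the WAN unless dnsmasq is bound to the LAN interface only (its interface binding is not visible in this diff); scoping them with `iifname { "${lan}", "tailscale0" }` would avoid exposing an open resolver. The same ordering applies to `tcp dport 2201` (router SSH), which looks intentional given the older config further down but deserves a comment saying it is WAN-reachable by design. The enclosing `networking` attribute set starts outside this hunk.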
@@ -394,11 +401,11 @@ in { }; /* - WAN configuration requires DHCP to get addresses - we also disable some options to be certain we retain as much networking - control as we reasonably can, such as not letting the ISP determine our - hostname or DNS configuration - TODO: IPv6 (prefix delegation) + WAN configuration requires DHCP to get addresses + we also disable some options to be certain we retain as much networking + control as we reasonably can, such as not letting the ISP determine our + hostname or DNS configuration + TODO: IPv6 (prefix delegation) */ "40-${interfaces.wan.name}" = { matchConfig.Name = "${interfaces.wan.name}"; @@ -406,17 +413,17 @@ in { Description = "WAN network - connection to fiber ISP jack"; DHCP = true; /* - IPv6AcceptRA = true; - IPv6PrivacyExtensions = true; - IPForward = true; + IPv6AcceptRA = true; + IPv6PrivacyExtensions = true; + IPForward = true; */ }; dhcpV6Config = { /* - ForceDHCPv6PDOtherInformation = true; - UseHostname = false; - UseDNS = false; - UseNTP = false; + ForceDHCPv6PDOtherInformation = true; + UseHostname = false; + UseDNS = false; + UseNTP = false; */ PrefixDelegationHint = "::/56"; }; @@ -444,9 +451,9 @@ in { services.resolved.enable = false; /* - dnsmasq serves as our DHCP and DNS server - almost all the configuration should be derived from the values at the top of - this file + dnsmasq serves as our DHCP and DNS server + almost all the configuration should be derived from the values at the top of + this file */ services.dnsmasq = { enable = true; @@ -455,12 +462,16 @@ in { port = 53; /* - dhcp-authoritative = true; - dnssec = true; + dhcp-authoritative = true; + dnssec = true; */ enable-ra = true; - server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"]; + server = [ + "1.1.1.1" + "9.9.9.9" + "8.8.8.8" + ]; domain-needed = true; bogus-priv = true; 
@@ -477,28 +488,36 @@ in { dhcp-host = [ ] - ++ (lib.attrsets.mapAttrsToList (name: { - ip, - identifier ? name, - time ? "12h", - ... - }: "${name},${ip},${identifier},${time}") - hosts); + ++ (lib.attrsets.mapAttrsToList ( + name: + { + ip, + identifier ? name, + time ? "12h", + ... + }: + "${name},${ip},${identifier},${time}" + ) hosts); address = [ "/${hostname}.${domain}/${ip}" ] - ++ (lib.lists.flatten (lib.attrsets.mapAttrsToList (name: { - ip, - additionalHosts ? [], - identifier ? name, - time ? "12h", - }: [ - "/${name}.${domain}/${ip}" - (lib.lists.forEach additionalHosts (h: "/${h}/${ip}")) - ]) - hosts)); + ++ (lib.lists.flatten ( + lib.attrsets.mapAttrsToList ( + name: + { + ip, + additionalHosts ? [ ], + identifier ? name, + time ? "12h", + }: + [ + "/${name}.${domain}/${ip}" + (lib.lists.forEach additionalHosts (h: "/${h}/${ip}")) + ] + ) hosts + )); # local domains local = "/lan/"; @@ -511,8 +530,8 @@ in { }; /* - since the home network reserves port 22 for ssh to the big server and to - gitea, the router uses port 2201 for ssh + since the home network reserves port 22 for ssh to the big server and to + gitea, the router uses port 2201 for ssh */ services.openssh.listenAddresses = [ { 
@@ -538,253 +557,253 @@ in { system.stateVersion = "24.05"; /* - NOTE: everything from here on is deprecated or old stuff + NOTE: everything from here on is deprecated or old stuff - TODO: may not be strictly necessary for IPv6? - TODO: also may not even be the best implementation? - services.radvd = { - enable = false; - ## NOTE: this config is just the default arch linux config I think and may - ## need tweaking? this is what I had on the arch linux router, though :shrug: - config = '' - interface lo - { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - AdvDefaultPreference low; - AdvHomeAgentFlag off; - - prefix 2001:db8:1:0::/64 + TODO: may not be strictly necessary for IPv6? + TODO: also may not even be the best implementation? + services.radvd = { + enable = false; + ## NOTE: this config is just the default arch linux config I think and may + ## need tweaking? this is what I had on the arch linux router, though :shrug: + config = '' + interface lo { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 10; + AdvDefaultPreference low; + AdvHomeAgentFlag off; + + prefix 2001:db8:1:0::/64 + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; + + prefix 0:0:0:1234::/64 + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + Base6to4Interface ppp0; + AdvPreferredLifetime 120; + AdvValidLifetime 300; + }; + + route 2001:db0:fff::/48 + { + AdvRoutePreference high; + AdvRouteLifetime 3600; + }; + + RDNSS 2001:db8::1 2001:db8::2 + { + AdvRDNSSLifetime 30; + }; + + DNSSL branch.example.com example.com + { + AdvDNSSLLifetime 30; + }; }; - - prefix 0:0:0:1234::/64 - { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; - Base6to4Interface ppp0; - AdvPreferredLifetime 120; - AdvValidLifetime 300; - }; - - route 2001:db0:fff::/48 - { - AdvRoutePreference high; - AdvRouteLifetime 3600; - }; - - RDNSS 2001:db8::1 2001:db8::2 - { - AdvRDNSSLifetime 30; - }; - - DNSSL 
branch.example.com example.com - { - AdvDNSSLLifetime 30; - }; - }; - ''; - }; - - TODO: old config, should be deleted ASAP - services.dnsmasq = { - enable = false; - settings = { - # server endpoints - listen-address = "::1,127.0.0.1,${ip}"; - port = "53"; - - # DNS cache entries - cache-size = "10000"; - - # local domain entries - local = "/lan/"; - domain = "lan"; - expand-hosts = true; - - dhcp-authoritative = true; - - conf-file = "/usr/share/dnsmasq/trust-anchors.conf"; - dnssec = true; - - except-interface = "${wan_if}"; - interface = "${lan_if}"; - - enable-ra = true; - - # dhcp-option = "121,${cidr},${ip}"; - - dhcp-range = [ - "lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m" - "tag:${lan_if},::1,constructor:${lan_if},ra-names,12h" - ]; - - dhcp-host = [ - "${hosts.dragon.host},${hosts.dragon.ip},12h" - "${hosts.beefcake.host},${hosts.beefcake.ip},12h" - ]; - - # may need to go in /etc/hosts (networking.extraHosts), too? - address = [ - "/video.lyte.dev/192.168.0.9" - "/git.lyte.dev/192.168.0.9" - "/bw.lyte.dev/192.168.0.9" - "/files.lyte.dev/192.168.0.9" - "/vpn.h.lyte.dev/192.168.0.9" - "/.h.lyte.dev/192.168.0.9" - ]; - - server = [ - "${ip}" - "8.8.8.8" - "8.8.4.4" - "1.1.1.1" - "1.0.0.1" - ]; + ''; }; - }; - TODO: old config, should be deleted ASAP - nftables = { - enable = false; - flushRuleset = true; + TODO: old config, should be deleted ASAP + services.dnsmasq = { + enable = false; + settings = { + # server endpoints + listen-address = "::1,127.0.0.1,${ip}"; + port = "53"; - tables = { - filter = { - family = "inet"; - content = '' - chain input { - # type filter hook input priority filter; policy accept; - type filter hook input priority 0; + # DNS cache entries + cache-size = "10000"; - # anything from loopback interface - iifname "lo" accept + # local domain entries + local = "/lan/"; + domain = "lan"; + expand-hosts = true; - # accept traffic we originated - ct state { established, related } counter accept - ct state invalid 
counter drop + dhcp-authoritative = true; - # ICMP - ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept - ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept - ip protocol icmpv6 counter accept - ip protocol icmp counter accept - meta l4proto ipv6-icmp counter accept - udp dport dhcpv6-client counter accept + conf-file = "/usr/share/dnsmasq/trust-anchors.conf"; + dnssec = true; - tcp dport { 64022, 22, 53, 67, 25565 } counter accept - udp dport { 64020, 22, 53, 67 } counter accept + except-interface = "${wan_if}"; + interface = "${lan_if}"; - ## iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept - ## iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept - iifname "${lan_if}" tcp dport { llmnr } counter accept - iifname "${lan_if}" udp dport { mdns, llmnr } counter accept + enable-ra = true; - counter drop - } + # dhcp-option = "121,${cidr},${ip}"; - # allow all outgoing - chain output { - type filter hook output priority 0; - accept - } + dhcp-range = [ + "lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m" + "tag:${lan_if},::1,constructor:${lan_if},ra-names,12h" + ]; - chain forward { - type filter hook forward priority 0; - accept - } - ''; - }; + dhcp-host = [ + "${hosts.dragon.host},${hosts.dragon.ip},12h" + "${hosts.beefcake.host},${hosts.beefcake.ip},12h" + ]; - nat = { - family = "ip"; - content = '' - set masq_saddr { - type ipv4_addr - flags interval - elements = { ${cidr} } - } + # may need to go in /etc/hosts (networking.extraHosts), too? 
+ address = [ + "/video.lyte.dev/192.168.0.9" + "/git.lyte.dev/192.168.0.9" + "/bw.lyte.dev/192.168.0.9" + "/files.lyte.dev/192.168.0.9" + "/vpn.h.lyte.dev/192.168.0.9" + "/.h.lyte.dev/192.168.0.9" + ]; - map map_port_ipport { - type inet_proto . inet_service : ipv4_addr . inet_service - } - - chain prerouting { - iifname ${lan_if} accept - - type nat hook prerouting priority dstnat + 1; policy accept; - fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport - - iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip} - iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip} - - ## iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244 - ## iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244 - - ## router - iifname ${wan_if} tcp dport { 2201 } dnat to ${ip} - } - - chain output { - type nat hook output priority -99; policy accept; - ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport - } - - chain postrouting { - type nat hook postrouting priority srcnat + 1; policy accept; - oifname ${lan_if} masquerade - ip saddr @masq_saddr masquerade - } - ''; + server = [ + "${ip}" + "8.8.8.8" + "8.8.4.4" + "1.1.1.1" + "1.0.0.1" + ]; }; }; - }; - TODO: also want to try to avoid using dhcpcd for IPv6 since systemd-networkd - should be sufficient? - dhcpcd = { - enable = false; - extraConfig = '' - duid + TODO: old config, should be deleted ASAP + nftables = { + enable = false; + flushRuleset = true; - ## No way.... 
https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 - ## issues caused by guests with oneplus devices - noarp + tables = { + filter = { + family = "inet"; + content = '' + chain input { + # type filter hook input priority filter; policy accept; + type filter hook input priority 0; - persistent - vendorclassid + # anything from loopback interface + iifname "lo" accept - option domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - option host_name - #option ntp_servers + # accept traffic we originated + ct state { established, related } counter accept + ct state invalid counter drop - require dhcp_server_identifier - slaac private - noipv4ll - noipv6rs + # ICMP + ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept + ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept + ip protocol icmpv6 counter accept + ip protocol icmp counter accept + meta l4proto ipv6-icmp counter accept + udp dport dhcpv6-client counter accept - static domain_name_servers=${ip} + tcp dport { 64022, 22, 53, 67, 25565 } counter accept + udp dport { 64020, 22, 53, 67 } counter accept - interface ${wan_if} - gateway - ipv6rs - iaid 1 - ## option rapid_commit - ## ia_na 1 - ia_pd 1 ${lan_if} + ## iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept + ## iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept + iifname "${lan_if}" tcp dport { llmnr } counter accept + iifname "${lan_if}" udp dport { mdns, llmnr } counter accept + + counter drop + } + + # allow all outgoing + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 0; + accept + } + ''; + }; + + nat 
= { + family = "ip"; + content = '' + set masq_saddr { + type ipv4_addr + flags interval + elements = { ${cidr} } + } + + map map_port_ipport { + type inet_proto . inet_service : ipv4_addr . inet_service + } + + chain prerouting { + iifname ${lan_if} accept + + type nat hook prerouting priority dstnat + 1; policy accept; + fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport + + iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip} + iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip} + + ## iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244 + ## iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244 + + ## router + iifname ${wan_if} tcp dport { 2201 } dnat to ${ip} + } + + chain output { + type nat hook output priority -99; policy accept; + ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport + } + + chain postrouting { + type nat hook postrouting priority srcnat + 1; policy accept; + oifname ${lan_if} masquerade + ip saddr @masq_saddr masquerade + } + ''; + }; + }; + }; + + TODO: also want to try to avoid using dhcpcd for IPv6 since systemd-networkd + should be sufficient? + dhcpcd = { + enable = false; + extraConfig = '' + duid + + ## No way.... 
https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 + ## issues caused by guests with oneplus devices + noarp + + persistent + vendorclassid + + option domain_name_servers, domain_name, domain_search + option classless_static_routes + option interface_mtu + option host_name + #option ntp_servers + + require dhcp_server_identifier + slaac private + noipv4ll + noipv6rs - interface ${lan_if} - static ip_address=${cidr} - static routers=${ip} static domain_name_servers=${ip} - ''; - }; + + interface ${wan_if} + gateway + ipv6rs + iaid 1 + ## option rapid_commit + ## ia_na 1 + ia_pd 1 ${lan_if} + + interface ${lan_if} + static ip_address=${cidr} + static routers=${ip} + static domain_name_servers=${ip} + ''; + }; */ } diff --git a/packages/hosts/thablet.nix b/packages/hosts/thablet.nix index f72bac9..aed8be9 100644 --- a/packages/hosts/thablet.nix +++ b/packages/hosts/thablet.nix @@ -3,7 +3,8 @@ lib, config, ... -}: { +}: +{ networking.hostName = "thablet"; boot.loader.systemd-boot.enable = true; @@ -17,7 +18,7 @@ environment.systemPackages = #with pkgs; - []; + [ ]; # https://wiki.archlinux.org/title/Lenovo_ThinkPad_X1_Yoga_(Gen_3)#Using_acpi_call systemd.services.activate-touch-hack = { @@ -25,7 +26,12 @@ description = "Touch wake Thinkpad X1 Yoga 3rd gen hack"; unitConfig = { - After = ["suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target"]; + After = [ + "suspend.target" + "hibernate.target" + "hybrid-sleep.target" + "suspend-then-hibernate.target" + ]; }; serviceConfig = { 
@@ -34,13 +40,26 @@ ''; }; - wantedBy = ["suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target"]; + wantedBy = [ + "suspend.target" + "hibernate.target" + "hybrid-sleep.target" + "suspend-then-hibernate.target" + ]; }; - boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel" "acpi_call"]; - boot.extraModulePackages = with config.boot.kernelPackages; [acpi_call]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ + "kvm-intel" + "acpi_call" + ]; + boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ]; hardware = { cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; @@ -65,13 +84,21 @@ }; networking = { - firewall = let - terraria = 7777; - stardew-valley = 24642; - in { - allowedTCPPorts = [terraria stardew-valley]; - allowedUDPPorts = [terraria stardew-valley]; - }; + firewall = + let + terraria = 7777; + stardew-valley = 24642; + in + { + allowedTCPPorts = [ + terraria + stardew-valley + ]; + allowedUDPPorts = [ + terraria + stardew-valley + ]; + }; }; home-manager.users.daniel = { @@ -104,19 +131,21 @@ ]; }; - services.hypridle = let - secondsPerMinute = 60; - lockSeconds = 10 * secondsPerMinute; - in { - settings = { - listener = [ - { - timeout = lockSeconds + 55; - on-timeout = ''systemctl suspend''; - } - ]; + services.hypridle = + let + secondsPerMinute = 60; + lockSeconds = 10 * secondsPerMinute; + in + { + settings = { + listener = [ + { + timeout = lockSeconds + 55; + on-timeout = ''systemctl suspend''; + } + ]; + }; }; - }; wayland.windowManager.hyprland = { settings = { diff --git a/packages/hosts/thinker.nix b/packages/hosts/thinker.nix index a695440..5267d9c 100644 --- a/packages/hosts/thinker.nix +++ b/packages/hosts/thinker.nix 
@@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ networking.hostName = "thinker"; boot = { @@ -7,13 +8,17 @@ systemd-boot.enable = true; }; /* - sudo filefrag -v /swap/swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}' - the above won't work for btrfs, instead you need - btrfs inspect-internal map-swapfile -r /swap/swapfile - https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file + sudo filefrag -v /swap/swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}' + the above won't work for btrfs, instead you need + btrfs inspect-internal map-swapfile -r /swap/swapfile + https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file */ # kernelParams = ["boot.shell_on_fail"]; - initrd.availableKernelModules = ["xhci_pci" "nvme" "ahci"]; + initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "ahci" + ]; }; home-manager.users.daniel = { @@ -39,19 +44,21 @@ } ]; }; - services.hypridle = let - secondsPerMinute = 60; - lockSeconds = 10 * secondsPerMinute; - in { - settings = { - listener = [ - { - timeout = lockSeconds + 55; - on-timeout = ''systemctl suspend''; - } - ]; + services.hypridle = + let + secondsPerMinute = 60; + lockSeconds = 10 * secondsPerMinute; + in + { + settings = { + listener = [ + { + timeout = lockSeconds + 55; + on-timeout = ''systemctl suspend''; + } + ]; + }; }; - }; wayland.windowManager.hyprland = { settings = { diff --git a/packages/iosevkaLyteTerm.nix b/packages/iosevkaLyteTerm.nix index a869845..36aacfb 100644 --- a/packages/iosevkaLyteTerm.nix +++ b/packages/iosevkaLyteTerm.nix @@ -1,6 +1,9 @@ -{iosevka, ...}: let +{ iosevka, ... }: +let set = "LyteTerm"; -in ((iosevka.override { +in +( + (iosevka.override { inherit set; privateBuildPlan = '' @@ -122,8 +125,8 @@ in ((iosevka.override { question = 'smooth' punctuation-dot = 'round' ''; - }) - .overrideAttrs { + }).overrideAttrs + { buildPhase = '' export HOME=$TMPDIR runHook preBuild 
@@ -142,4 +145,5 @@ in ((iosevka.override { install "dist/$pname/WOFF2"/* "$wfontdir" runHook postInstall ''; - }) + } +) diff --git a/packages/iosevkaLyteTermSubset.nix b/packages/iosevkaLyteTermSubset.nix index c26bc06..5bf777d 100644 --- a/packages/iosevkaLyteTermSubset.nix +++ b/packages/iosevkaLyteTermSubset.nix @@ -9,8 +9,13 @@ pkgs.stdenvNoCC.mkDerivation { inherit (iosevkaLyteTerm) version; pname = "${iosevkaLyteTerm.pname}Subset"; - buildInputs = [parallel] ++ (with python311Packages; [fonttools brotli]); - PYTHONPATH = pkgs.python3.withPackages (pp: with pp; [brotli]); + buildInputs = + [ parallel ] + ++ (with python311Packages; [ + fonttools + brotli + ]); + PYTHONPATH = pkgs.python3.withPackages (pp: with pp; [ brotli ]); src = iosevkaLyteTerm; installPhase = ''