delete legacy stuff and reformat

This commit is contained in:
Grisha Shipunov 2025-01-11 03:55:19 +01:00
parent 595d4935de
commit 62e2519639
51 changed files with 714 additions and 1056 deletions


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
@ -9,6 +10,8 @@
networking.hostName = "cloud";
networking.domain = "oxapentane.com";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK'' ];
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK''
];
system.stateVersion = "24.11";
}
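Review bot: The root account is made SSH-reachable with the authorized key on the new side of this hunk, but nothing in the visible section disables password or keyboard-interactive authentication, and NixOS leaves `PasswordAuthentication` enabled by default unless an imported module sets it. For a host with a public name (`networking.domain = "oxapentane.com"`) I would pin the daemon to key-only access next to the `services.openssh.enable = true;` line: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`. If those settings already live in ./networking.nix or another import, a one-line comment pointing there would save the next reader the search. This is pre-existing rather than introduced by the reformat.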


@ -1,5 +1,6 @@
{ ... }: {
imports= [
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./networking.nix


@ -2,8 +2,16 @@
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}


@ -1,11 +1,12 @@
{ lib, ... }: {
{ lib, ... }:
{
networking.dhcpcd.enable = false;
networking.useNetworkd = true;
systemd.network.enable = true;
systemd.network = {
networks."30-uplink" = {
matchConfig.Name="enp1s0";
matchConfig.Name = "enp1s0";
networkConfig = {
Address = [
"188.245.196.27/32"


@ -2,23 +2,26 @@
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Enable the X11 windowing system.
services.xserver.enable = false;
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix


@ -1,59 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/" = {
device = "zpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/nix" =
{ device = "zpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "zpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{ device = "zpool/data/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" = {
device = "zpool/data/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
swapDevices =
[ {
swapDevices = [
{
device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";
randomEncryption = true;
} ];
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
networking.hostName = "minime"; # Define your hostname.
networking.useNetworkd = true;
networking.firewall.enable = true;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: {
{
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
@ -12,19 +18,21 @@
};
networking.hostId = "41ba28ff";
boot = {
kernelPackages = let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
kernelPackages =
let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in latestKernelPackage;
)
);
in
latestKernelPackage;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;
@ -38,14 +46,24 @@
enable = true;
port = 2222;
hostKeys = [ /etc/secrets/initrd/ssh_host_rsa_key ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31"
];
};
postCommands = ''
zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile
zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile
'';
};
# support for network
boot.initrd.kernelModules = [ "igc" "i40e" "mt7921e" ];
boot.kernelModules = [ "igc" "i40e" "mt7921e" ];
boot.initrd.kernelModules = [
"igc"
"i40e"
"mt7921e"
];
boot.kernelModules = [
"igc"
"i40e"
"mt7921e"
];
}


@ -1,4 +1,5 @@
{ pkgs, config, ... }: {
{ pkgs, config, ... }:
{
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelParams = [
@ -6,14 +7,14 @@
"amd_pstate=active"
];
# hardware.graphics = {
# extraPackages = with pkgs; [
# rocm-opencl-icd
# rocm-opencl-runtime
# amdvlk
# ];
# extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
# };
# hardware.graphics = {
# extraPackages = with pkgs; [
# rocm-opencl-icd
# rocm-opencl-runtime
# amdvlk
# ];
# extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
# };
}


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
imports = [
./amd.nix
./hardware-configuration.nix


@ -1,54 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.extraPools = [ "zpool" ];
fileSystems."/" = {
device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.extraPools = [ "zpool" ];
fileSystems."/" =
{ device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{ device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
randomEncryption = true;}
];
swapDevices = [
{
device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
randomEncryption = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,4 +1,5 @@
{ config, pkgs, ... }: {
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.senpai ];
sops.secrets = {


@ -1,4 +1,5 @@
{ lib, config, ... }: {
{ lib, config, ... }:
{
imports = [
./mullvad.nix
./dumpdvb.nix
@ -8,32 +9,34 @@
# Networkmanager shouldn't interfere with systemd managed interfaces
networking.networkmanager.unmanaged =
let
systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs);
systemd_netdevs = lib.attrsets.attrValues (
lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
);
in
systemd_netdevs;
systemd.network = {
enable = true;
wait-online.enable = false; # uplink is managed by networkmanager
};
systemd.network = {
enable = true;
wait-online.enable = false; # uplink is managed by networkmanager
};
users.users."0xa".extraGroups = [ "networkmanager" ];
users.users."0xa".extraGroups = [ "networkmanager" ];
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
services.resolved = {
enable = true;
dnssec = "false";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
services.resolved = {
enable = true;
dnssec = "false";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
}
}


@ -1,4 +1,5 @@
{ config, ... }: {
{ config, ... }:
{
systemd.network = {
# Wireguard
# Dump-dvb
@ -27,7 +28,10 @@
IPv6AcceptRA = true;
};
routes = [
{ Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }
{
Gateway = "10.13.37.1";
Destination = "10.13.37.0/24";
}
];
};
};


@ -1,10 +1,14 @@
{ config, lib, ... }: {
{ config, lib, ... }:
{
systemd.network =
let
pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
endpoint = "169.150.196.15";
port = "51820";
addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ];
addr = [
"10.74.16.48/32"
"fc00:bbbb:bbbb:bb01::b:102f/128"
];
in
{
netdevs."10-wg-mullvad" = {
@ -21,7 +25,10 @@
{
PublicKey = pubkey;
Endpoint = "${endpoint}:${port}";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
AllowedIPs = [
"0.0.0.0/0"
"::0/0"
];
}
];
};
@ -33,44 +40,52 @@
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
Gateway = gate;
Table = 1000;
}) [
"0.0.0.0"
"::"
];
routes =
map
(gate: {
Gateway = gate;
Table = 1000;
})
[
"0.0.0.0"
"::"
];
routingPolicyRules = [ {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
}
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
} ] ++ map (net: {
# only route global addresses over VPN
Priority = 80;
To = net;
}) [
# Mullvad endpoint
"${endpoint}/32"
# "10.0.0.0/8"
"10.13.37.0/24"
# 0xa-mgmt
"10.89.87.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
routingPolicyRules =
[
{
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
}
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
}
]
++ map
(net: {
# only route global addresses over VPN
Priority = 80;
To = net;
})
[
# Mullvad endpoint
"${endpoint}/32"
# "10.0.0.0/8"
"10.13.37.0/24"
# 0xa-mgmt
"10.89.87.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
};
}
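Review bot: The VPN-bypass list in `routingPolicyRules` carries a typo on the new side: `"182.168.0.0/16"` (and the comment above it) where the RFC 1918 range is `192.168.0.0/16`. As written, the priority-80 exemption never matches 192.168.x.x destinations, so reaching them is left to the `SuppressPrefixLength = 0` main-table rule, while the unrelated public block 182.168.0.0/16 is silently routed around the tunnel in the clear, contradicting the `# only route global addresses over VPN` comment. I would change the two lines to `# "192.168.0.0/16"` and `"192.168.0.0/16"`. The mismatch predates the reformat, so it is pre-existing rather than introduced here.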


@ -1,56 +1,61 @@
{ config, ... }: {
# zentralwerk
systemd.network = {
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
}
];
{ config, ... }:
{
# zentralwerk
systemd.network = {
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [
"172.20.72.0/21"
"172.22.90.0/24"
"172.22.99.0/24"
];
};
routes = [
{
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
}
PersistentKeepalive = 25;
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
}
];
};
}
};
}
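Review bot: The second static route under `networks."10-wg-zentralwerk"` uses `Destination = "172.20.90.0/24"`, which matches neither the peer's `AllowedIPs` entry `172.22.90.0/24` nor the on-link `172.20.72.0/21`, so packets for 172.20.90.0/24 would be handed to wg-zentralwerk and dropped by WireGuard's cryptokey routing, while 172.22.90.0/24 gets no route at all. The other two routes line up with their AllowedIPs entries, so this looks like a transposed digit; I would change the line to `Destination = "172.22.90.0/24";`. This mismatch is present on both sides of the hunk, so it predates the reformat.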


@ -1,4 +1,5 @@
{ pkgs, lib, ... }: {
{ pkgs, lib, ... }:
{
boot = {
bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: {
{
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
@ -10,19 +16,21 @@
};
networking.hostId = "dca22577";
boot = {
kernelPackages = let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in latestKernelPackage;
kernelPackages =
let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in
latestKernelPackage;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;