0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

retire toaster and remove dead code

Browse source
This commit is contained in:
Grigory Shipunov 2023-08-05 20:48:58 +02:00
parent 8b8d90cec4
commit 9e5d5bd874
30 changed files with 0 additions and 1468 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/toaster/amd-new-pstate.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
# use new amd pstate driver
boot.kernelParams = [ "amd_pstate=active" ];
}

16
hosts/toaster/amd.nix
View file

@ -1,16 +0,0 @@
{ pkgs, config, ... }: {
boot.initrd.kernelModules = [ "amdgpu" ];
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
amdvlk
];
extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
};
}

63
hosts/toaster/default.nix
View file

@ -1,63 +0,0 @@
{ pkgs, ... }: {
imports = [
./amd.nix
./amd-new-pstate.nix
./hardware-configuration.nix
./irc.nix
./stateful-network.nix
./secrets.nix
./secure-boot.nix
./zfs.nix
];
nixpkgs.config.allowUnfree = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.enableAllFirmware = true;
# update the firmware
services.fwupd.enable = true;
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [ "all" ];
};
users.users.grue = {
extraGroups = [
"wheel"
"video"
"plugdev"
"dialout"
"bluetooth"
"libvirtd"
];
group = "users";
home = "/home/grue";
isNormalUser = true;
uid = 1000;
};
programs.steam.enable = true;
environment.systemPackages = with pkgs; [
factorio
];
services.emacs.defaultEditor = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

94
hosts/toaster/hardware-configuration.nix
View file

@ -1,94 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "toasterpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{
device = "toasterpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{
device = "toasterpool/userdata/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{
device = "toasterpool/userdata/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/log" =
{
device = "toasterpool/userdata/var/log";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{
device = "toasterpool/userdata/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home/grue" =
{
device = "toasterpool/userdata/home/grue";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7663-6239";
fsType = "vfat";
options = [ "X-mount.mkdir" ];
};
swapDevices = [
{
device = "/dev/disk/by-id/nvme-eui.ace42e002621ff2b2ee4ac0000000001-part2";
randomEncryption = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
#networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# services.fprintd.enable = true;
}

9
hosts/toaster/irc.nix
View file

@ -1,9 +0,0 @@
{ config, pkgs, ... }: {
environment.systemPackages = [ pkgs.senpai ];
sops.secrets = {
"irc/senpai" = {
owner = config.users.users.grue.name;
};
};
}

210
hosts/toaster/network-vpns.nix
View file

@ -1,210 +0,0 @@
{ config, ... }: {
systemd.network = {
# Wireguard
# Dump-dvb
netdevs."30-wg-dumpdvb" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-dumpdvb";
Description = "dvb.solutions enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/dvb".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
Endpoint = "academicstrokes.com:51820";
AllowedIPs = [ "10.13.37.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."30-wg-dumpdvb" = {
matchConfig.Name = "wg-dumpdvb";
networkConfig = {
Address = "10.13.37.3/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
];
};
# oxalab
netdevs."10-wg-oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-oxalab";
Description = "lab of oxa";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
Endpoint = "95.216.166.21:51820";
AllowedIPs = [ "10.66.66.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-oxalab" = {
matchConfig.Name = "wg-oxalab";
networkConfig = {
Address = "10.66.66.10/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
];
};
# zentralwerk
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
};
}
];
};
# VPN
netdevs."10-wg-mullvad" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-mullvad";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
FirewallMark = 34952; # 0x8888
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
Endpoint = "169.150.196.15:51820";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
};
}
];
};
networks."10-wg-mullvad" = {
matchConfig.Name = "wg-mullvad";
address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
networkConfig = {
DNS = "10.64.0.1";
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
routeConfig = {
Gateway = gate;
Table = 1000;
};
}) [
"0.0.0.0"
"::"
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
};
}
{
routingPolicyRuleConfig = {
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
};
}
] ++ map
(net: {
# only route global addresses over VPN
routingPolicyRuleConfig = {
Priority = 80;
To = net;
};
}) [
# Mullvad endpoint
"169.150.196.15/32"
# "10.0.0.0/8"
"10.13.37.0/24"
"10.66.66.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
}

57
hosts/toaster/network.nix
View file

@ -1,57 +0,0 @@
{ config, pkgs, ... }: {
environment.systemPackages = with pkgs; [ iwgtk ];
networking = {
hostName = "toaster";
firewall.enable = true;
networkmanager.enable = false;
useNetworkd = true;
wireguard.enable = true;
wireless.iwd.enable = true;
};
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
# workaround for networkd waiting for shit
systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
"" # clear old command
"${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
];
systemd.network = {
enable = true;
networks."10-ether" = {
matchConfig.MACAddress = "e8:80:88:2f:c6:70";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
networks."10-dock" = {
matchConfig.Name = "enp5s0f4u1u1";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
dhcpV4Config = { RouteMetric = 666; };
};
networks."10-wlan" = {
# matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
matchConfig.Name = "wlan0";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
}

20
hosts/toaster/secrets.nix
View file

@ -1,20 +0,0 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/zw" = {
owner = config.users.users.systemd-network.name;
};
"wg/dvb" = {
owner = config.users.users.systemd-network.name;
};
"wg/mullvad" = {
owner = config.users.users.systemd-network.name;
};
"wg/oxalab" = {
owner = config.users.users.systemd-network.name;
};
};
}

12
hosts/toaster/secure-boot.nix
View file

@ -1,12 +0,0 @@
{ pkgs, lib, ... }: {
boot = {
bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
environment.systemPackages = [ pkgs.sbctl ];
}

39
hosts/toaster/stateful-network.nix
View file

@ -1,39 +0,0 @@
{ pkgs, ... }: {
users.users.grue.extraGroups = [ "networkmanager" ];
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
# fixup the rpfilter fucking up the networkmanager wireguard
networking.firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN || true
'';
};
}

19
hosts/toaster/zfs.nix
View file

@ -1,19 +0,0 @@
{ pkgs, ... }: {
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
trim.enable = true;
autoScrub = {
enable = true;
pools = [ "toasterpool" ];
};
};
networking.hostId = "dca22577";
boot = {
kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;
tmp.useTmpfs = true;
};
}