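{ repoFlake, pkgs, lib, config, nodeFlake, nodeName, localDomainName, system, ... }:
# NixOS host module for a single-disk BIOS VM that terminates a WireGuard
# network (wg0) behind an nftables firewall. Host secrets (root password,
# WireGuard private key and peer PSKs) are provided by sops-nix.
{
  system.stateVersion = "23.11";

  imports = [
    nodeFlake.inputs.disko.nixosModules.disko
    nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
    repoFlake.inputs.sops-nix.nixosModules.sops
    ../../snippets/nix-settings.nix
    ../../profiles/common/user.nix
    nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default

    # Access and secrets bootstrap.
    {
      services.openssh.enable = true;
      # NOTE(review): "yes" also accepts password authentication for root over
      # SSH, and a root password is provisioned below from sops. Once key-based
      # access is confirmed working, "prohibit-password" keeps root SSH usable
      # while removing the password-guessing surface on the WAN-facing sshd.
      services.openssh.settings.PermitRootLogin = "yes";
      users.commonUsers = {
        enable = true;
        enableNonRoot = false;
        rootPasswordFile = config.sops.secrets.passwords-root.path;
      };
      # Secrets are decrypted with a host-local age key; SSH host keys are
      # deliberately not used as age identities.
      sops.age.keyFile = "/etc/age.key";
      sops.age.sshKeyPaths = [];
      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";
      # The root password must be decrypted before user creation at activation.
      sops.secrets.passwords-root.neededForUsers = true;
    }

    # TODO: extract this into single-disk VM BIOS module
    {
      boot.loader.systemd-boot.enable = false;
      boot.loader.grub.efiSupport = false;
      # forcing seems required or else there's an error about duplicated devices
      boot.loader.grub.devices = lib.mkForce ["/dev/sda"];

      disko.devices.disk.sda = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Override existing partition
                subvolumes = {
                  # Subvolume name is different from mountpoint
                  "/rootfs" = {
                    mountpoint = "/";
                  };
                  "/nix" = {
                    mountOptions = ["noatime"];
                    mountpoint = "/nix";
                  };
                  "/boot" = {
                    mountpoint = "/boot";
                  };
                };
              };
            };
          };
        };
      };

      # Initrd modules for the virtio disk/network devices and the legacy ATA
      # path of this VM. The duplicate "virtio_ring" entry was dropped.
      boot.initrd.kernelModules = [
        "virtio_balloon"
        "virtio_scsi"
        "virtio_net"
        "virtio_pci"
        "virtio_ring"
        "virtio"
        "scsi_mod"
        "virtio_blk"
        "ata_piix"
        "pata_acpi"
        "ata_generic"
      ];
    }
  ];

  # sops.secrets.ssh_host_ed25519_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_ed25519_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_ed25519_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_ed25519_key.pub";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_rsa_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_rsa_key.pub";
  #   mode = "0644";
  # };

  boot = {
    kernel = {
      sysctl = {
        # The host forwards traffic between the WAN and the wg0 network
        # (see networking.nat and the nftables zones below).
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv6.conf.all.forwarding" = true;
      };
    };
  };

  networking = {
    hostName = nodeName;
    useNetworkd = true;
    useDHCP = true;
    # Interfaces are referenced as eth0/wg0 in the firewall zones below.
    usePredictableInterfaceNames = false;

    # these will be configured via nftables
    firewall.enable = lib.mkForce true;
    # The only inbound port opened here is the WireGuard listen port; it is
    # read from the netdev definition below so the two cannot drift apart.
    firewall.allowedUDPPorts = [
      config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
    ];

    nat = {
      enable = true;
    };

    # Use the nftables firewall instead of the base nixos scripted rules.
    # This flake provides a similar utility to the base nixos scripting.
    # https://github.com/thelegy/nixos-nftables-firewall/tree/main
    nftables = {
      enable = true;
      firewall = {
        enable = true;
        snippets.nnf-common.enable = true;
        zones.wan = {
          interfaces = ["eth0"];
        };
        zones.vpns = {
          interfaces = ["wg0"];
        };
      };
    };
  };

  # WireGuard key material: readable by root and the systemd-network group
  # only, so networkd can load it without the files being world-readable.
  sops.secrets.wg0-privatekey = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg0-peer0-psk = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg0-peer1-psk = {
    mode = "440";
    group = "systemd-network";
  };

  systemd.network.enable = true;
  systemd.network.netdevs.wg0 = {
    enable = true;
    netdevConfig = {
      Name = "wg0";
      Kind = "wireguard";
    };
    wireguardConfig = {
      ListenPort = 51820;
      # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
      PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
    };
    # Peers carry no Endpoint, so they must initiate the handshake to this host.
    # Each peer is pinned to a single /32 and protected by its own preshared key.
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          AllowedIPs = [ "10.0.0.1/32" ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
          PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
        };
      }
      {
        wireguardPeerConfig = {
          AllowedIPs = [ "10.0.0.2/32" ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path;
          PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
        };
      }
    ];
  };
  systemd.network.networks.wg0 = {
    enable = true;
    matchConfig.Name = "wg0";
    address = [ "10.0.0.254/24" ];
  };

  environment.systemPackages = [
    pkgs.ethtool
    pkgs.neovim
    # Quick read-only view of links, addresses and VLANs for debugging.
    (pkgs.writeShellScriptBin "dbg-ip" ''
      echo links:
      ip -br -c l
      echo
      echo addresses:
      ip -br -c a
      echo
      echo vlans:
      bridge -c vlan
    '')
    # NOTE(review): nothing in this module enables dnsmasq; this helper only
    # does something useful if another module starts it.
    (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
      # get the rendered in-use config
      pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
    '')
  ];
}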