A way to disable autostart for ZeroTier is beneficial so as not to accidentally connect on each boot, while still being able to connect on demand.
{
  pkgs,
  lib,
  config,
  nodeName,
  repoFlake,
  ...
}: let
  # TCP ports that are opened below on the local eth+/wlan+ interfaces only.
  localTcpPorts = [
    # ssh (services.openssh.openFirewall is false further down, so port 22 is
    # only reachable on the interfaces listed in the firewall section)
    22
    # syncthing
    22000
    # iperf3
    5201
  ];

  # UDP ports that are opened below on the local eth+/wlan+ interfaces only.
  localUdpPorts = [
    # syncthing
    22000
    21027
  ];
in {
  # NOTE(review): both lists are empty, so this module adds no binary cache and
  # no cache signing key; how this merges with values set elsewhere is not
  # visible from this file — confirm the effective nix.conf on the host.
  nix.settings = {
    substituters = [
    ];
    trusted-public-keys = [
    ];
  };

  # Remote builders reached over ssh-ng as the `nix-remote-builder` user.
  # NOTE(review): no publicHostKey is pinned for either entry, so the ssh-ng
  # connection relies on whatever host key is already present in root's
  # known_hosts — confirm the builder's key is provisioned out of band.
  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
      # TODO: make this a reference
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "x86_64-linux";
      maxJobs = 32;
      speedFactor = 100;
      supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [];
    }
    # NOTE(review): same host as the entry above, advertised as aarch64-linux
    # with features taken from router0-dmz0; presumably the builder emulates
    # aarch64 — confirm this is intended rather than a copy-paste.
    {
      hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
      # TODO: make this a reference
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "aarch64-linux";
      maxJobs = 32;
      speedFactor = 100;
      supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
    }
  ];

  networking.networkmanager.enable = true;

  # Intentionally empty; kept so extra host entries can be added in one place.
  networking.extraHosts = ''
  '';

  # Bridge with a fixed address and no enslaved interfaces; presumably used
  # by the libvirt guests enabled below — confirm.
  networking.bridges."virbr1".interfaces = [];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
      prefixLength = 24;
    }
  ];

  # needed to make wireguard managed by networkmanager route all traffic through it
  # This turns off the reverse-path check the firewall module otherwise applies,
  # so source-address spoofing is no longer rejected at that layer.
  networking.firewall.checkReversePath = false;

  # sshd does not open port 22 globally; it is only allowed per interface below
  # via localTcpPorts.
  networking.firewall.enable = true;
  services.openssh.openFirewall = false;

  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  # Until then the local services are allowed only on the wired and wireless
  # interfaces, which keeps them closed on the zt+ (ZeroTier) interfaces.
  networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;
  networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;

  networking.firewall.logRefusedConnections = false;
  # The eth+/wlan+ patterns above rely on the legacy interface names; with
  # predictable naming those patterns would presumably not match, so keep this
  # setting and the per-interface rules together.
  networking.usePredictableInterfaceNames = false;

  services.fwupd.enable = true;

  # Fingerprint authentication for console login and sudo.
  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # virtualization
  virtualisation = {
    libvirtd = {enable = true;};

    # VirtualBox is kept disabled, including its host-only network interface.
    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };

    podman = {
      enable = true;
      dockerCompat = true;
      # defaultNetwork.dnsname.enable = true;
    };
  };

  # The NT1 (SMB1) minimum is left commented out so samba keeps its default
  # minimum protocol rather than accepting the legacy dialect.
  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';

  # Explicitly trusts the CA bundle shipped in pkgs.cacert.
  security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];

  # mkForce so this overrides any video driver set by another module.
  services.xserver.videoDrivers = lib.mkForce ["amdgpu"];

  hardware.ledger.enable = true;

  # Allows running aarch64-linux binaries (and builds) on this host.
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
  ];
}