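# NixOS host module for a single-disk BIOS VM that terminates a WireGuard
# tunnel (wg0, 10.0.0.254/24) and routes between it and eth0 behind an
# nftables zone firewall. Secrets (root password, wg0 private key, peer
# PSKs) are decrypted at activation time by sops-nix from an age identity
# that must already exist on the host at /etc/age.key.
#
# Module arguments:
#   repoFlake, nodeFlake - flakes whose inputs provide sops-nix, disko,
#                          srvos and nixos-nftables-firewall
#   pkgs, lib, config    - the usual NixOS module arguments
#   nodeName             - used as hostName and to locate the node's sops file
#   localDomainName, system - accepted but not used in this module
{
  repoFlake,
  pkgs,
  lib,
  config,
  nodeFlake,
  nodeName,
  localDomainName,
  system,
  ...
}: {
  system.stateVersion = "23.11";

  imports = [
    nodeFlake.inputs.disko.nixosModules.disko
    nodeFlake.inputs.srvos.nixosModules.mixins-terminfo

    repoFlake.inputs.sops-nix.nixosModules.sops

    ../../snippets/nix-settings.nix
    ../../profiles/common/user.nix

    nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default

    # Access and secrets. Root is the only account (enableNonRoot = false)
    # and its password hash comes from sops.
    {
      services.openssh.enable = true;
      # NOTE(review): "yes" allows root to log in over SSH with the sops-managed
      # password, and PasswordAuthentication is not disabled in this module.
      # Once a key is provisioned for root, "prohibit-password" closes the
      # password path while keeping key-based root access.
      services.openssh.settings.PermitRootLogin = "yes";

      users.commonUsers = {
        enable = true;
        enableNonRoot = false;
        rootPasswordFile = config.sops.secrets.passwords-root.path;
      };

      # The age identity is provisioned out-of-band; an empty sshKeyPaths
      # stops sops-nix from deriving an identity from the SSH host keys.
      sops.age.keyFile = "/etc/age.key";
      sops.age.sshKeyPaths = [];

      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";

      # The root password hash is consumed when users are created, which
      # happens before the regular secrets are installed.
      sops.secrets.passwords-root.neededForUsers = true;
    }

    # TODO: extract this into single-disk VM BIOS module
    {
      boot.loader.systemd-boot.enable = false;
      boot.loader.grub.efiSupport = false;

      # forcing seems required or else there's an error about duplicated devices
      boot.loader.grub.devices = lib.mkForce ["/dev/sda"];

      disko.devices.disk.sda = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Override existing partition
                subvolumes = {
                  # Subvolume name is different from mountpoint
                  "/rootfs" = {
                    mountpoint = "/";
                  };
                  "/nix" = {
                    mountOptions = ["noatime"];
                    mountpoint = "/nix";
                  };
                  "/boot" = {
                    mountpoint = "/boot";
                  };
                };
              };
            };
          };
        };
      };

      # Modules needed in the initrd to find the virtio/SCSI/ATA root disk
      # and bring up networking early. Each module is listed once.
      boot.initrd.kernelModules = [
        "virtio_balloon"
        "virtio_scsi"
        "virtio_net"
        "virtio_pci"
        "virtio_ring"
        "virtio"
        "scsi_mod"

        "virtio_blk"
        "ata_piix"
        "pata_acpi"
        "ata_generic"
      ];
    }
  ];

  # sops.secrets.ssh_host_ed25519_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #
  #   path = "/etc/ssh/ssh_host_ed25519_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_ed25519_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #
  #   path = "/etc/ssh/ssh_host_ed25519_key.pub";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #
  #   path = "/etc/ssh/ssh_host_rsa_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #
  #   path = "/etc/ssh/ssh_host_rsa_key.pub";
  #   mode = "0644";
  # };

  # This host routes between wg0 and eth0; which traffic may cross is
  # decided by the nftables zones below, not by these sysctls.
  boot = {
    kernel = {
      sysctl = {
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv6.conf.all.forwarding" = true;
      };
    };
  };

  networking = {
    hostName = nodeName;
    useNetworkd = true;
    useDHCP = true;
    usePredictableInterfaceNames = false;

    # these will be configured via nftables
    firewall.enable = lib.mkForce true;
    # Open the WireGuard listen port; taken from the netdev config so the
    # two cannot drift apart.
    firewall.allowedUDPPorts = [
      config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
    ];

    nat = {
      enable = true;
    };

    # Use the nftables firewall instead of the base nixos scripted rules.
    # This flake provides a similar utility to the base nixos scripting.
    # https://github.com/thelegy/nixos-nftables-firewall/tree/main

    nftables = {
      enable = true;

      firewall = {
        enable = true;
        snippets.nnf-common.enable = true;

        zones.wan = {
          interfaces = ["eth0"];
        };
        zones.vpns = {
          interfaces = ["wg0"];
        };
      };
    };
  };

  # WireGuard key material: readable only by root and the systemd-network
  # group, which is what systemd-networkd runs as when it loads the files.
  sops.secrets.wg0-privatekey = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg0-peer0-psk = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg0-peer1-psk = {
    mode = "440";
    group = "systemd-network";
  };

  systemd.network.enable = true;
  systemd.network.netdevs.wg0 = {
    enable = true;
    netdevConfig = {
      Name = "wg0";
      Kind = "wireguard";
    };
    wireguardConfig = {
      ListenPort = 51820;
      # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
      PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
    };
    # Each peer is pinned to a single /32 and uses a pre-shared key on top
    # of its public key.
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          AllowedIPs = [
            "10.0.0.1/32"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
          PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
        };
      }

      {
        wireguardPeerConfig = {
          AllowedIPs = [
            "10.0.0.2/32"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path;
          PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
        };
      }
    ];
  };
  systemd.network.networks.wg0 = {
    enable = true;
    matchConfig.Name = "wg0";
    address = [
      "10.0.0.254/24"
    ];
  };

  # Debugging helpers; both resolve their tools from PATH at run time.
  environment.systemPackages = [
    pkgs.ethtool
    pkgs.neovim

    (pkgs.writeShellScriptBin "dbg-ip" ''
      echo links:
      ip -br -c l
      echo
      echo addresses:
      ip -br -c a
      echo
      echo vlans:
      bridge -c vlan
    '')

    (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
      # get the rendered in-use config
      pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
    '')
  ];
}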