feat: basic nix config structure

2022-07-07 11:15:52 +02:00 · 2022-07-07 11:15:52 +02:00 · b9a581c63f
commit b9a581c63f
parent 2987d84e27
11 changed files with 476 additions and 0 deletions
--- a/common/common/default.nix
+++ b/common/common/default.nix
@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ #
+    ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+  networking.useDHCP = false;
+  networking.firewall.allowedTCPPorts = [ 19999 ];
+  services.netdata.enable = true;
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de-latin1";
+  };
+
+  programs.zsh = {
+      enable = true;
+      histSize = 10000;
+      autosuggestions.enable = true;
+      enableBashCompletion = true;
+      syntaxHighlighting.enable = true;
+      promptInit = ''
+          source ~/.zkbd/$TERM-''${''${DISPLAY:t}:-''$VENDOR-''$OSTYPE}
+          [[ -n ''${key[Left]} ]] && bindkey "''${key[Left]}" backward-char
+          [[ -n ''${key[Right]} ]] && bindkey "''${key[Right]}" forward-char
+          bindkey "''${key[Up]}" up-line-or-search
+          bindkey "''${key[Home]}" beginning-of-line
+          bindkey "''${key[End]}" end-of-line
+          bindkey "''${key[Delete]}" delete-char
+          function command_not_found_handler() { command-not-found $1 }
+          alias cat='bat'
+          eval "$(direnv hook zsh)"
+          eval "$(starship init zsh)"
+      '';
+  };
+  programs.starship.enable = true;
+
+  programs.mtr.enable = true;
+  nix.settings = {
+        trusted-users = [ "@wheel" ];
+        auto-optimise-store = true;
+    };
+    nix.gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 14d";
+    };
+    nix.extraOptions = ''
+        min-free = ${toString (100 * 1024 * 1024)}
+        max-free = ${toString (1024 * 1024 * 1024)}
+    '';
+
+  services.openssh = {
+        enable = true;
+        passwordAuthentication = false;
+        kbdInteractiveAuthentication = false;
+        permitRootLogin = "yes";
+    };
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,25 @@
+{
+    inputs = {
+        nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    };
+    outputs = { nixpkgs, ... }: {
+        colmena = {
+
+            meta = {
+                nixpkgs = import nixpkgs {
+                    system = "x86_64-linux";
+                };
+            };
+
+            
+            pre-router = { config, pkgs, ... }:{
+                imports = [./hosts/pre-router/configuration.nix];
+                deployment.targetHost = "lightbuffet.entr0py.cloud";
+                deployment.keys = {
+                    
+                };
+            };
+            
+        };
+    };
+}
--- a/hosts/pre-router/configuration.nix
+++ b/hosts/pre-router/configuration.nix
@ -0,0 +1,117 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./router.nix
+      ./dhcp.nix
+      ./dns.nix
+      ./ipv6.nix
+      ./nginx.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "pre-router"; # Define your hostname.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  #networking.interfaces.ens18.useDHCP = false;
+  #networking.interfaces.ens19.useDHCP = false;
+  networking.firewall.allowedTCPPorts = [ 19999 ];
+  services.netdata.enable = true;
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de-latin1";
+  };
+
+
+  users.users.garionion = {
+        isNormalUser = true;
+        shell = pkgs.zsh;
+        packages =  with pkgs; [
+            wget vim screen mtr iperf
+            htop dstat dnsutils nettools tcpdump
+            git bat starship direnv
+        ];
+        hashedPassword = "$6$NMzXsfARs2HVA4iq$55uxWCANME/HsjIg9HmZyxqGwlr7RpJfCcMad2OhbmUiHhdnOh/v9TDwT3Vt0mu9HE37Fh3b1g2yyEa3Dxxg80";
+        extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+        openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGw3Yuee8oSXSEqmoMzrqQrUizKV9sJbJMxAUC01wxvbxevAqFEpiGrznnu3K0HN3sfKItjqGkNDPDQ+mIlQwdwJAE0GyJIx9CMvo1RPugKSJ5rFh/vEgJTNMPaeYUb/L2rn3WEZHrZI5wwf+z4ljSHCVetAnaMKjk/+QQWgBHdvNImmA== gari@darwin"];
+    };
+    programs.zsh = {
+        enable = true;
+        histSize = 10000;
+        autosuggestions.enable = true;
+        enableBashCompletion = true;
+        syntaxHighlighting.enable = true;
+        promptInit = ''
+            source ~/.zkbd/$TERM-''${''${DISPLAY:t}:-''$VENDOR-''$OSTYPE}
+            [[ -n ''${key[Left]} ]] && bindkey "''${key[Left]}" backward-char
+            [[ -n ''${key[Right]} ]] && bindkey "''${key[Right]}" forward-char
+            bindkey "''${key[Up]}" up-line-or-search
+            bindkey "''${key[Home]}" beginning-of-line
+            bindkey "''${key[End]}" end-of-line
+            bindkey "''${key[Delete]}" delete-char
+            function command_not_found_handler() { command-not-found $1 }
+            alias cat='bat'
+            eval "$(direnv hook zsh)"
+            eval "$(starship init zsh)"
+        '';
+    };
+     programs.starship = {
+        enable = true;
+        settings = {
+        # add_newline = false;
+        # character = {
+        #   success_symbol = "[➜](bold green)";
+        #   error_symbol = "[➜](bold red)";
+        # };
+        # package.disabled = true;
+        };
+    };
+
+  programs.mtr.enable = true;
+  nix.settings = {
+        trusted-users = [ "@wheel" ];
+        auto-optimise-store = true;
+    };
+    nix.gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 14d";
+    };
+    nix.extraOptions = ''
+        min-free = ${toString (100 * 1024 * 1024)}
+        max-free = ${toString (1024 * 1024 * 1024)}
+    '';
+
+  # List services that you want to enable:
+
+  services.openssh = {
+        enable = true;
+        passwordAuthentication = false;
+        kbdInteractiveAuthentication = false;
+        permitRootLogin = "yes";
+    };
+
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+}
--- a/hosts/pre-router/coredns-unbound.patch
+++ b/hosts/pre-router/coredns-unbound.patch
@ -0,0 +1,13 @@
+Index: plugin.cfg
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/plugin.cfg b/plugin.cfg
+--- a/plugin.cfg	(revision 4d1d9adb0ec125097466a4831f57a22069a0d638)
+++ b/plugin.cfg	(revision 6a5782f32c139c6cec05341ffc530d05b0a44b06)
+@@ -68,3 +68,4 @@
+ whoami:whoami
+ on:github.com/coredns/caddy/onevent
+ sign:sign
+unbound:github.com/coredns/unbound
--- a/hosts/pre-router/dhcp.nix
+++ b/hosts/pre-router/dhcp.nix
@ -0,0 +1,42 @@
+{ config, pkgs, ...}:
+
+{
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      interfaces-config = {
+        interfaces = [ "ens19"];
+      };
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+      subnet4 = [
+        # Heimnetz
+        {
+          subnet = "10.42.10.1/24";
+          pools = [
+            {
+              pool = "10.42.10.50 - 10.42.10.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.42.10.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.42.10.1";
+            }
+            {
+              name = "domain-name";
+              data = "bula.entr0py.cloud";
+            }
+          ];
+        }
+      ];
+    };
+  };
+}
--- a/hosts/pre-router/dns.nix
+++ b/hosts/pre-router/dns.nix
@ -0,0 +1,40 @@
+{ config, pkgs, lib, ...}:
+
+{
+  networking.firewall.interfaces.ens19.allowedUDPPorts = [ 53 ];
+  services.coredns = {
+    enable = true;
+    config = ''
+      .:53 {
+        log
+        cache
+        unbound
+      }
+    '';
+    package = lib.fix (self: (pkgs.buildGoModule {
+      inherit (pkgs.coredns) pname version src postPatch;
+
+      patches = pkgs.coredns.patches or [ ] ++ [
+        ./coredns-unbound.patch
+      ];
+
+      buildInputs = [ pkgs.unbound ];
+
+      vendorSha256 = "sha256-48S1oT+5uT6d+AM8u93AOTbJkW3CLtaowGv+th3cfyM=";
+
+      preBuild = ''
+        go generate
+
+        postInstall () {
+          cp go.mod $out
+        }
+      '';
+
+    }).overrideAttrs(old: {
+      preBuild = ''
+        cp ${self.passthru.go-modules}/go.mod .
+        go generate
+      '';
+    }));
+  };
+}
--- a/hosts/pre-router/hardware-configuration.nix
+++ b/hosts/pre-router/hardware-configuration.nix
@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/9f5666bc-eb56-400b-a8f2-5e860deebdc2";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/EA3E-948D";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7934574a-acf8-48b9-8f59-f25080ddea70"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/pre-router/ipv6.nix
+++ b/hosts/pre-router/ipv6.nix
@ -0,0 +1,57 @@
+{ config, pkgs, ...}:
+
+{
+    environment.systemPackages = with pkgs; [
+        wireguard-tools
+    ];
+
+    networking = {
+        firewall.allowedUDPPorts = [ 51820 ];
+        firewall.trustedInterfaces = [ "ens19"];
+        iproute2.enable = true;
+        iproute2.rttablesExtraConfig = ''
+          100 PUBLIC6
+        '';
+        wireguard.enable = true;
+        wireguard.interfaces = {
+            wg0 = {
+                ips = [ "fe80::42:10:1/64" ];
+                privateKey = "SUPERSECRETKEY";
+                listenPort = 51820;
+                allowedIPsAsRoutes = false;
+                postSetup = ''
+                    ip -6 rule add from 2a01:4f8:1c0c:8221::/64 lookup PUBLIC6
+                    ip -6 route add default via fe80::1 dev wg0 table PUBLIC6
+                '';
+                peers = [{
+                    publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
+                    allowedIPs = [ "::/0"  ];
+                    endpoint = "78.47.183.82:51876";
+                    #endpoint = "gatekeeper.net.clerie.de:51876";
+                    persistentKeepalive = 25;
+                }];
+            };
+        };
+    };
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+    networking.interfaces.ens19.ipv6.addresses = [{
+        address = "2a01:4f8:1c0c:8221::1";
+        prefixLength = 64;
+    }];
+    services.corerad = {
+        enable = true;
+        settings = {
+	        interfaces = [
+            {
+              name = "ens19";
+              advertise = true;
+              prefix = [{ prefix = "2a01:4f8:1c0c:8221::/64";}];
+              mtu = 1420;
+          }];
+          debug = {
+            address = "localhost:9430";
+            prometheus = true;
+          };
+      };
+   };
+}
--- a/hosts/pre-router/nginx.nix
+++ b/hosts/pre-router/nginx.nix
@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+
+   networking.interfaces = {
+      ens20 = {
+        ipv4.addresses = [{
+          address = "10.42.123.55";
+          prefixLength = 24;
+        }];
+      };
+   };
+
+
+   networking.firewall.allowedTCPPorts = [ 80 443 ];
+   security.acme.acceptTerms = true;
+   security.acme.defaults.email = "letsencrypt@entr0py.de";
+   services.nginx = {
+    enable = true;
+    clientMaxBodySize = "400M";
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+   };
+   services.nginx.virtualHosts."lightbuffet.entr0py.cloud" = {    # Gitea hostname
+    enableACME = true; # Use ACME certs
+    forceSSL = true; # Force SSL
+    locations."/" = {
+      proxyPass = "https://10.42.123.20:8006";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/hosts/pre-router/router.nix
+++ b/hosts/pre-router/router.nix
@ -0,0 +1,31 @@
+{ config, pkgs, ...}:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    ethtool             # manage NIC settings (offload, NIC feeatures, ...)
+    conntrack-tools     # view network connection states
+  ];
+
+  networking.firewall.interfaces.lan.allowedUDPPorts = [ 67 53 ];
+  networking = {
+    nameservers = [ "141.24.40.3" "141.24.40.4" ];
+    nat = {
+      enable = true;
+      extraCommands = "iptables -A INPUT -p icmp -j ACCEPT";
+      externalInterface = "ens18";
+      internalInterfaces = [ "ens19" ];
+    };
+    interfaces = {
+      ens19.useDHCP = false;
+      ens18.useDHCP = true;
+      # Handle the VLANs
+      ens19 = {
+        ipv4.addresses = [{
+          address = "10.42.10.1";
+          prefixLength = 24;
+        }];
+      };
+    };
+  };
+}
--- a/users/garionion/default.nix
+++ b/users/garionion/default.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  users.users.garionion = {
+        isNormalUser = true;
+        shell = pkgs.zsh;
+        packages =  with pkgs; [
+            wget vim screen mtr iperf
+            htop dstat dnsutils nettools tcpdump
+            git bat starship direnv
+        ];
+        hashedPassword = "$6$NMzXsfARs2HVA4iq$55uxWCANME/HsjIg9HmZyxqGwlr7RpJfCcMad2OhbmUiHhdnOh/v9TDwT3Vt0mu9HE37Fh3b1g2yyEa3Dxxg80";
+        extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+        openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGw3Yuee8oSXSEqmoMzrqQrUizKV9sJbJMxAUC01wxvbxevAqFEpiGrznnu3K0HN3sfKItjqGkNDPDQ+mIlQwdwJAE0GyJIx9CMvo1RPugKSJ5rFh/vEgJTNMPaeYUb/L2rn3WEZHrZI5wwf+z4ljSHCVetAnaMKjk/+QQWgBHdvNImmA== gari@darwin"];
+    };
+}