From b9a581c63f898d95f4885a83141edc959c6cfdbd Mon Sep 17 00:00:00 2001 From: Garionion Date: Thu, 7 Jul 2022 11:15:52 +0200 Subject: [PATCH] feat: basic nix config structure --- common/common/default.nix | 64 +++++++++++ flake.nix | 25 +++++ hosts/pre-router/configuration.nix | 117 ++++++++++++++++++++ hosts/pre-router/coredns-unbound.patch | 13 +++ hosts/pre-router/dhcp.nix | 42 +++++++ hosts/pre-router/dns.nix | 40 +++++++ hosts/pre-router/hardware-configuration.nix | 38 +++++++ hosts/pre-router/ipv6.nix | 57 ++++++++++ hosts/pre-router/nginx.nix | 34 ++++++ hosts/pre-router/router.nix | 31 ++++++ users/garionion/default.nix | 15 +++ 11 files changed, 476 insertions(+) create mode 100644 common/common/default.nix create mode 100644 flake.nix create mode 100644 hosts/pre-router/configuration.nix create mode 100644 hosts/pre-router/coredns-unbound.patch create mode 100644 hosts/pre-router/dhcp.nix create mode 100644 hosts/pre-router/dns.nix create mode 100644 hosts/pre-router/hardware-configuration.nix create mode 100644 hosts/pre-router/ipv6.nix create mode 100644 hosts/pre-router/nginx.nix create mode 100644 hosts/pre-router/router.nix create mode 100644 users/garionion/default.nix diff --git a/common/common/default.nix b/common/common/default.nix new file mode 100644 index 0000000..5ee50ba --- /dev/null +++ b/common/common/default.nix 
@@ -0,0 +1,64 @@ +{ config, pkgs, ... }: + +{ + imports = + [ # + ]; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + networking.useDHCP = false; + networking.firewall.allowedTCPPorts = [ 19999 ]; + services.netdata.enable = true; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "de-latin1"; + }; + + programs.zsh = { + enable = true; + histSize = 10000; + autosuggestions.enable = true; + enableBashCompletion = true; + syntaxHighlighting.enable = true; + promptInit = '' + source ~/.zkbd/$TERM-''${''${DISPLAY:t}:-''$VENDOR-''$OSTYPE} + [[ -n ''${key[Left]} ]] && bindkey "''${key[Left]}" backward-char + [[ -n ''${key[Right]} ]] && bindkey "''${key[Right]}" forward-char + bindkey "''${key[Up]}" up-line-or-search + bindkey "''${key[Home]}" beginning-of-line + bindkey "''${key[End]}" end-of-line + bindkey "''${key[Delete]}" delete-char + function command_not_found_handler() { command-not-found $1 } + alias cat='bat' + eval "$(direnv hook zsh)" + eval "$(starship init zsh)" + ''; + }; + programs.starship.enable = true; + + programs.mtr.enable = true; + nix.settings = { + trusted-users = [ "@wheel" ]; + auto-optimise-store = true; + }; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 14d"; + }; + nix.extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + + services.openssh = { + enable = true; + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + permitRootLogin = "yes"; + }; +} \ No newline at end of file diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..9c85ec5 --- /dev/null +++ b/flake.nix 
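Review bot: `permitRootLogin = "yes";` in the services.openssh block allows root logins by every method the daemon accepts, while the surrounding settings (password and keyboard-interactive auth disabled) show the intent is key-only access; `permitRootLogin = "prohibit-password";` states that intent and stays correct if password authentication is ever re-enabled. The same openssh block is repeated verbatim in hosts/pre-router/configuration.nix. Separately, `networking.firewall.allowedTCPPorts = [ 19999 ];` opens the netdata dashboard on every interface of every host that imports this module; on a router with a WAN side, restrict it per interface (`networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 19999 ];`, placeholder name) or bind netdata to the LAN address.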
@@ -0,0 +1,25 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: { + colmena = { + + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + }; + + + pre-router = { config, pkgs, ... }:{ + imports = [./hosts/pre-router/configuration.nix]; + deployment.targetHost = "lightbuffet.entr0py.cloud"; + deployment.keys = { + + }; + }; + + }; + }; +} \ No newline at end of file diff --git a/hosts/pre-router/configuration.nix b/hosts/pre-router/configuration.nix new file mode 100644 index 0000000..7918530 --- /dev/null +++ b/hosts/pre-router/configuration.nix 
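Review bot: Neither `common/common/default.nix` nor `users/garionion/default.nix`, both created by this commit, is reachable from the flake: the only module listed is `./hosts/pre-router/configuration.nix`, which imports only the files under hosts/pre-router and re-declares the same zsh, nix, openssh and user settings inline. Either extend the pre-router imports (`imports = [ ./hosts/pre-router/configuration.nix ./common/common/default.nix ./users/garionion/default.nix ];`) and drop the inline copies, or remove the unused files, so the two versions cannot drift apart. `deployment.keys = { };` is also left empty even though ipv6.nix embeds a WireGuard private key as a literal; colmena's deployment.keys is the mechanism that would keep that secret out of the repository and the Nix store.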
@@ -0,0 +1,117 @@ +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./router.nix + ./dhcp.nix + ./dns.nix + ./ipv6.nix + ./nginx.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "pre-router"; # Define your hostname. + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + #networking.interfaces.ens18.useDHCP = false; + #networking.interfaces.ens19.useDHCP = false; + networking.firewall.allowedTCPPorts = [ 19999 ]; + services.netdata.enable = true; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "de-latin1"; + }; + + + users.users.garionion = { + isNormalUser = true; + shell = pkgs.zsh; + packages = with pkgs; [ + wget vim screen mtr iperf + htop dstat dnsutils nettools tcpdump + git bat starship direnv + ]; + hashedPassword = "$6$NMzXsfARs2HVA4iq$55uxWCANME/HsjIg9HmZyxqGwlr7RpJfCcMad2OhbmUiHhdnOh/v9TDwT3Vt0mu9HE37Fh3b1g2yyEa3Dxxg80"; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
+ openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGw3Yuee8oSXSEqmoMzrqQrUizKV9sJbJMxAUC01wxvbxevAqFEpiGrznnu3K0HN3sfKItjqGkNDPDQ+mIlQwdwJAE0GyJIx9CMvo1RPugKSJ5rFh/vEgJTNMPaeYUb/L2rn3WEZHrZI5wwf+z4ljSHCVetAnaMKjk/+QQWgBHdvNImmA== gari@darwin"]; + }; + programs.zsh = { + enable = true; + histSize = 10000; + autosuggestions.enable = true; + enableBashCompletion = true; + syntaxHighlighting.enable = true; + promptInit = '' + source ~/.zkbd/$TERM-''${''${DISPLAY:t}:-''$VENDOR-''$OSTYPE} + [[ -n ''${key[Left]} ]] && bindkey "''${key[Left]}" backward-char + [[ -n ''${key[Right]} ]] && bindkey "''${key[Right]}" forward-char + bindkey "''${key[Up]}" up-line-or-search + bindkey "''${key[Home]}" beginning-of-line + bindkey "''${key[End]}" end-of-line + bindkey "''${key[Delete]}" delete-char + function command_not_found_handler() { command-not-found $1 } + alias cat='bat' + eval "$(direnv hook zsh)" + eval "$(starship init zsh)" + ''; + }; + programs.starship = { + enable = true; + settings = { + # add_newline = false; + # character = { + # success_symbol = "[➜](bold green)"; + # error_symbol = "[➜](bold red)"; + # }; + # package.disabled = true; + }; + }; + + programs.mtr.enable = true; + nix.settings = { + trusted-users = [ "@wheel" ]; + auto-optimise-store = true; + }; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 14d"; + }; + nix.extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + + # List services that you want to enable: + + services.openssh = { + enable = true; + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + permitRootLogin = "yes"; + }; + + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. 
It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.11"; # Did you read the comment? + +} \ No newline at end of file diff --git a/hosts/pre-router/coredns-unbound.patch b/hosts/pre-router/coredns-unbound.patch new file mode 100644 index 0000000..9792edd --- /dev/null +++ b/hosts/pre-router/coredns-unbound.patch @@ -0,0 +1,13 @@ +Index: plugin.cfg +IDEA additional info: +Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP +<+>UTF-8 +=================================================================== +diff --git a/plugin.cfg b/plugin.cfg +--- a/plugin.cfg (revision 4d1d9adb0ec125097466a4831f57a22069a0d638) ++++ b/plugin.cfg (revision 6a5782f32c139c6cec05341ffc530d05b0a44b06) +@@ -68,3 +68,4 @@ + whoami:whoami + on:github.com/coredns/caddy/onevent + sign:sign ++unbound:github.com/coredns/unbound \ No newline at end of file diff --git a/hosts/pre-router/dhcp.nix b/hosts/pre-router/dhcp.nix new file mode 100644 index 0000000..e7bdbd2 --- /dev/null +++ b/hosts/pre-router/dhcp.nix @@ -0,0 +1,42 @@ +{ config, pkgs, ...}: + +{ + services.kea.dhcp4 = { + enable = true; + settings = { + interfaces-config = { + interfaces = [ "ens19"]; + }; + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + subnet4 = [ + # Heimnetz + { + subnet = "10.42.10.1/24"; + pools = [ + { + pool = "10.42.10.50 - 10.42.10.240"; + } + ]; + option-data = [ + { + name = "routers"; + data = "10.42.10.1"; + } + { + name = "domain-name-servers"; + data = "10.42.10.1"; + } + { + name = "domain-name"; + data = "bula.entr0py.cloud"; + } + ]; + } + ]; + }; + }; +} \ No newline at end of file diff --git a/hosts/pre-router/dns.nix b/hosts/pre-router/dns.nix new file mode 100644 index 0000000..bdad68d --- /dev/null 
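Review bot: `hashedPassword = "$6$..."` commits the account's sha512crypt password hash to the repository (it appears a second time in users/garionion/default.nix), which exposes it to offline guessing by anyone with read access to the history; prefer `passwordFile` (renamed `hashedPasswordFile` in newer NixOS releases) pointing at a file delivered out of band, for example through colmena `deployment.keys`, or rely on the authorized SSH key alone and set no password. The SSH key and package list are duplicated between this file and users/garionion/default.nix, and the zsh, nix.settings, nix.gc and openssh blocks duplicate common/common/default.nix, which is not imported here; importing those modules instead of copying them removes the drift risk. `permitRootLogin = "yes";` has the same issue as in common/common/default.nix and would be fixed by the same `"prohibit-password"` value. The `# Did you read the comment?` block is the nixos-generate-config boilerplate and fine to keep as is.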
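Review bot: `subnet = "10.42.10.1/24";` hands Kea a host address rather than the network prefix; Kea's documentation writes subnets in network form, so `subnet = "10.42.10.0/24";` is the conventional spelling and avoids relying on the parser to normalise the host bits (I have not verified how this Kea version treats the host form). The `domain-name-servers` option points clients at 10.42.10.1, where dns.nix runs CoreDNS; note that the per-port firewall rule there covers UDP 53 only, and that it is currently irrelevant anyway because ipv6.nix places ens19 in `firewall.trustedInterfaces`. The only comment in the file is `# Heimnetz`; an English comment such as `# Home LAN (ens19): dynamic range .50-.240` would make the pool layout clear to other readers, provided the reservation of the lower addresses is indeed intentional.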
+++ b/hosts/pre-router/dns.nix @@ -0,0 +1,40 @@ +{ config, pkgs, lib, ...}: + +{ + networking.firewall.interfaces.ens19.allowedUDPPorts = [ 53 ]; + services.coredns = { + enable = true; + config = '' + .:53 { + log + cache + unbound + } + ''; + package = lib.fix (self: (pkgs.buildGoModule { + inherit (pkgs.coredns) pname version src postPatch; + + patches = pkgs.coredns.patches or [ ] ++ [ + ./coredns-unbound.patch + ]; + + buildInputs = [ pkgs.unbound ]; + + vendorSha256 = "sha256-48S1oT+5uT6d+AM8u93AOTbJkW3CLtaowGv+th3cfyM="; + + preBuild = '' + go generate + + postInstall () { + cp go.mod $out + } + ''; + + }).overrideAttrs(old: { + preBuild = '' + cp ${self.passthru.go-modules}/go.mod . + go generate + ''; + })); + }; +} \ No newline at end of file diff --git a/hosts/pre-router/hardware-configuration.nix b/hosts/pre-router/hardware-configuration.nix new file mode 100644 index 0000000..51f24d2 --- /dev/null +++ b/hosts/pre-router/hardware-configuration.nix 
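Review bot: The Corefile server block `.:53 { ... }` binds CoreDNS on every address of the host, including the external interface ens18 declared in router.nix and ens20 from nginx.nix, so only the firewall keeps it from being an open resolver; adding `bind 10.42.10.1` inside the block (the ens19 address from router.nix) makes the resolver LAN-only by construction. `networking.firewall.interfaces.ens19.allowedUDPPorts = [ 53 ];` also omits TCP 53, which clients fall back to for truncated answers, although both points are currently masked because ipv6.nix lists ens19 in `firewall.trustedInterfaces`, which accepts all traffic on that interface regardless of this rule. The inner `preBuild` of the buildGoModule call, including the odd `postInstall ()` shell function, is dead code because the subsequent `overrideAttrs` replaces `preBuild` entirely; removing it would make the package expression easier to follow. A one-line comment explaining why CoreDNS is rebuilt with the unbound plugin (recursive resolution instead of forwarding, presumably) would help the next reader.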
@@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/9f5666bc-eb56-400b-a8f2-5e860deebdc2"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/EA3E-948D"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7934574a-acf8-48b9-8f59-f25080ddea70"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} \ No newline at end of file diff --git a/hosts/pre-router/ipv6.nix b/hosts/pre-router/ipv6.nix new file mode 100644 index 0000000..9bc919c --- /dev/null +++ b/hosts/pre-router/ipv6.nix 
@@ -0,0 +1,57 @@ +{ config, pkgs, ...}: + +{ + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + networking = { + firewall.allowedUDPPorts = [ 51820 ]; + firewall.trustedInterfaces = [ "ens19"]; + iproute2.enable = true; + iproute2.rttablesExtraConfig = '' + 100 PUBLIC6 + ''; + wireguard.enable = true; + wireguard.interfaces = { + wg0 = { + ips = [ "fe80::42:10:1/64" ]; + privateKey = "SUPERSECRETKEY"; + listenPort = 51820; + allowedIPsAsRoutes = false; + postSetup = '' + ip -6 rule add from 2a01:4f8:1c0c:8221::/64 lookup PUBLIC6 + ip -6 route add default via fe80::1 dev wg0 table PUBLIC6 + ''; + peers = [{ + publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls="; + allowedIPs = [ "::/0" ]; + endpoint = "78.47.183.82:51876"; + #endpoint = "gatekeeper.net.clerie.de:51876"; + persistentKeepalive = 25; + }]; + }; + }; + }; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + networking.interfaces.ens19.ipv6.addresses = [{ + address = "2a01:4f8:1c0c:8221::1"; + prefixLength = 64; + }]; + services.corerad = { + enable = true; + settings = { + interfaces = [ + { + name = "ens19"; + advertise = true; + prefix = [{ prefix = "2a01:4f8:1c0c:8221::/64";}]; + mtu = 1420; + }]; + debug = { + address = "localhost:9430"; + prometheus = true; + }; + }; + }; +} \ No newline at end of file diff --git a/hosts/pre-router/nginx.nix b/hosts/pre-router/nginx.nix new file mode 100644 index 0000000..82949f7 --- /dev/null +++ b/hosts/pre-router/nginx.nix 
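Review bot: `privateKey = "SUPERSECRETKEY";` makes the WireGuard private key part of the Nix expression, so the real value would be committed to git and land world-readable in /nix/store on the target; use `privateKeyFile = "/run/keys/wg0-private";` (constructed path) with the file delivered through colmena's `deployment.keys`, which flake.nix in this commit leaves empty. `firewall.trustedInterfaces = [ "ens19" ];` disables packet filtering entirely on the LAN side and silently overrides the per-port rules written for ens19 in dns.nix and router.nix; if the goal is only to admit DHCP, DNS and router advertisements from the LAN, explicit `networking.firewall.interfaces.ens19.allowedUDPPorts`/`allowedTCPPorts` entries express that without turning the rules elsewhere into dead code. The commented-out `#endpoint = "gatekeeper..."` line looks like an alternative to the numeric endpoint above it; a short comment stating which one is canonical and why the IP form is used would avoid confusion.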
@@ -0,0 +1,34 @@ +{ config, pkgs, ...}: + +{ + + networking.interfaces = { + ens20 = { + ipv4.addresses = [{ + address = "10.42.123.55"; + prefixLength = 24; + }]; + }; + }; + + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme.acceptTerms = true; + security.acme.defaults.email = "letsencrypt@entr0py.de"; + services.nginx = { + enable = true; + clientMaxBodySize = "400M"; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + services.nginx.virtualHosts."lightbuffet.entr0py.cloud" = { # Gitea hostname + enableACME = true; # Use ACME certs + forceSSL = true; # Force SSL + locations."/" = { + proxyPass = "https://10.42.123.20:8006"; + proxyWebsockets = true; + }; + }; +} \ No newline at end of file diff --git a/hosts/pre-router/router.nix b/hosts/pre-router/router.nix new file mode 100644 index 0000000..7dc5f74 --- /dev/null +++ b/hosts/pre-router/router.nix @@ -0,0 +1,31 @@ +{ config, pkgs, ...}: + +{ + + environment.systemPackages = with pkgs; [ + ethtool # manage NIC settings (offload, NIC feeatures, ...) + conntrack-tools # view network connection states + ]; + + networking.firewall.interfaces.lan.allowedUDPPorts = [ 67 53 ]; + networking = { + nameservers = [ "141.24.40.3" "141.24.40.4" ]; + nat = { + enable = true; + extraCommands = "iptables -A INPUT -p icmp -j ACCEPT"; + externalInterface = "ens18"; + internalInterfaces = [ "ens19" ]; + }; + interfaces = { + ens19.useDHCP = false; + ens18.useDHCP = true; + # Handle the VLANs + ens19 = { + ipv4.addresses = [{ + address = "10.42.10.1"; + prefixLength = 24; + }]; + }; + }; + }; +} \ No newline at end of file diff --git a/users/garionion/default.nix b/users/garionion/default.nix new file mode 100644 index 0000000..e5d6b5c --- /dev/null +++ b/users/garionion/default.nix 
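Review bot: `proxyPass = "https://10.42.123.20:8006";` speaks TLS to the upstream by bare IP, and nginx does not verify upstream certificates unless `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` is set, so the https scheme provides encryption but no authentication of the backend on the 10.42.123.0/24 segment; either add those directives in the location's `extraConfig`, or document in a comment that the backend presents a self-signed certificate and the segment is considered trusted. The `# Gitea hostname` comment does not obviously describe this vhost (the upstream is a raw IP on port 8006 with no path); update it to name the service actually being proxied. Defining the ens20 address here rather than next to ens18/ens19 in router.nix splits interface configuration across two files; moving it keeps the network layout readable in one place.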
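Review bot: `networking.firewall.interfaces.lan.allowedUDPPorts = [ 67 53 ];` targets an interface named `lan`, which is defined nowhere in this commit (the LAN side is ens19), so the rule never matches; DHCP and DNS currently reach the host only because ipv6.nix lists ens19 in `firewall.trustedInterfaces`. Change it to `networking.firewall.interfaces.ens19.allowedUDPPorts = [ 67 53 ];` and add `allowedTCPPorts = [ 53 ];` beside it so the intent survives if the trusted-interface shortcut is later removed. `extraCommands = "iptables -A INPUT -p icmp -j ACCEPT";` appends a raw rule outside the chains NixOS manages and, being an unconditional INPUT accept, covers every ICMP type on every interface; `networking.firewall.allowPing = true;` is the supported way to admit echo requests and is reload-safe. `ens19.useDHCP = false;` and the `ens19 = { ipv4.addresses = ... }` block below set attributes of the same interface in two places; merging them into one attrset reads more clearly, and the comment `NIC feeatures` has a typo.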
@@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + users.users.garionion = { + isNormalUser = true; + shell = pkgs.zsh; + packages = with pkgs; [ + wget vim screen mtr iperf + htop dstat dnsutils nettools tcpdump + git bat starship direnv + ]; + hashedPassword = "$6$NMzXsfARs2HVA4iq$55uxWCANME/HsjIg9HmZyxqGwlr7RpJfCcMad2OhbmUiHhdnOh/v9TDwT3Vt0mu9HE37Fh3b1g2yyEa3Dxxg80"; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGw3Yuee8oSXSEqmoMzrqQrUizKV9sJbJMxAUC01wxvbxevAqFEpiGrznnu3K0HN3sfKItjqGkNDPDQ+mIlQwdwJAE0GyJIx9CMvo1RPugKSJ5rFh/vEgJTNMPaeYUb/L2rn3WEZHrZI5wwf+z4ljSHCVetAnaMKjk/+QQWgBHdvNImmA== gari@darwin"]; + }; +} \ No newline at end of file