wanderer/infra
1
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
development
infra/nix/hosts/wyse/configuration.nix
nixurtur e5b76c2d85
many stuffzz...
2026-01-05 23:09:19 +01:00

741 lines
19 KiB
Nix
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
config,
lib,
pkgs,
...
}:
let
tailnet = "tail530c7.ts.net";
usr = "wan";
hostName = "wyse";
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(
let
username = "${usr}";
in
with username;
./disko-config.nix
)
./modules/promtail/promtail.nix
./modules/caddy.nix
./modules/coredns.nix
./modules/git.nix
./modules/netflow.nix
./modules/podman.nix
../../modules/base.nix
../../modules/dnscrypt.nix
# ../../modules/firejail.nix
../../modules/sanoid.nix
../../modules/zram.nix
];
sops = {
defaultSopsFile = ./secrets.yaml;
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
generateKey = false;
};
secrets = {
rootPassphrase = {
neededForUsers = true;
};
wanPassphrase = {
neededForUsers = true;
};
dnscrypt-proxy-forwardingRules = {
sopsFile = lib.mkForce ./secrets.yaml;
restartUnits = [ "dnscrypt-proxy2.service" ];
};
dnscrypt-proxy-cloaked = {
#owner = "dnscrypt-proxy";
#group = "dnscrypt-proxy";
owner = config.systemd.services.dnscrypt-proxy2.serviceConfig.User;
group = config.systemd.services.dnscrypt-proxy2.serviceConfig.User;
restartUnits = [ "dnscrypt-proxy2.service" ];
};
sopsFile.owner = "root";
};
templates.sopsFile = {
owner = config.users.users.wan.name;
content = ''
${config.sops.placeholder.sopsFile}
'';
};
secrets.domainName = {
sopsFile = ../../secrets/net.yaml;
restartUnits = [ "promtail.service" ];
};
secrets."attic/netrc" = { };
};
# nixpkgs.currentSystem = "x86_64-linux";
nix.settings = {
trusted-users = [
"@wheel"
"root"
usr
];
netrc-file = config.sops.secrets."attic/netrc".path;
};
boot = {
enableContainers = true;
consoleLogLevel = 3;
kernelParams = [
# "spl.spl_hostid=deadb33f"
# "ip=dhcp"
"i915.enable_guc=2" # for 9th GPU generation and upwards, likely skylake.
"psmouse.synaptics_intertouch=1"
"consoleblank=600"
## forbid hibernation due to zfs-on-root --> no need to manually specify
## this as NixOS does adds by default when booting from zfs.
# "nohibernate" #
"systemd.log_level=notice"
"rd.udev.log_level=3"
"udev.log_priority=3"
# "boot.shell_on_fail"
];
kernelPackages = pkgs.linuxPackages_6_17;
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernel.sysctl = {
"dev.i915.perf_stream_paranoid" = 0;
};
loader = {
timeout = 7;
# Use the systemd-boot EFI boot loader.
systemd-boot = {
enable = true;
configurationLimit = 75;
netbootxyz.enable = true;
memtest86.enable = true;
};
efi.canTouchEfiVariables = true;
};
plymouth.enable = false;
tmp.useTmpfs = true;
tmp.cleanOnBoot = true;
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = true;
kernelModules = [
"zfs"
"i915"
"kvm-intel"
"r8169"
"br_netfilter"
];
initrd = {
kernelModules = [
"zfs"
"i915"
"r8169"
];
# initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "thinkpad_acpi" ];
availableKernelModules = [
"nvme"
"ehci_pci"
"xhci_pci"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
"r8169"
"igb"
"e1000e"
"i915"
];
network = {
# This will use udhcp to get an ip address.
# Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
# so your initrd can load it!
# Static ip addresses might be configured using the ip argument in kernel command line:
# https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
enable = true;
ssh = {
enable = false;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# hostKeys paths must be unquoted strings, otherwise you'll run into issues with boot.initrd.secrets
# the keys are copied to initrd from the path specified; multiple keys can be set
# you can generate any number of host keys using
# `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key`
# hostKeys = [/root/.initrd-ssh_host_ed25519_key];
hostKeys = [ /etc/secrets/initrd/ssh_host_ed25519_key ];
ignoreEmptyHostKeys = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODmLwtQj6ylgdTPo1/H5jW7jsLzwaCTGdIsTQAdc896"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
];
};
};
};
# extraModprobeConfig = "options kvm_amd nested=1";
binfmt = {
emulatedSystems = [
# "wasm32-wasi"
"aarch64-linux"
];
};
};
environment.memoryAllocator.provider = "libc"; # default is libcm alt scudo, graphene-hardened
# environment.noXlibs = true; # graphical stuff breaks...
#environment.etc = {
# "walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg".source =
# ./walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg;
# "walls/PIA06254.jpg".source = ./walls/PIA06254.jpg;
# "walls/PIA20522enceladus.jpg".source = ./walls/PIA20522enceladus.jpg;
#};
#sound = {
# enable = true;
# mediaKeys = {enable = true;};
#};
environment = {
variables = {
EDITOR = "vim";
VISUAL = "vim";
NIXOS_OZONE_WL = "1";
NIXPKGS_ALLOW_UNFREE = "0";
TERMINAL = "kitty";
XDG_SESSION_TYPE = "wayland";
GDK_BACKEND = "wayland";
_JAVA_AWT_WM_NONREPARENTING = "1";
};
systemPackages = with pkgs; [
home-manager
openssl
libinput
dmidecode
fwupd
incron
bridge-utils
moreutils # moar better
wol
vim
helix
ranger
# zed-editor
git
fio
viddy # watch reimplementation
intel-gpu-tools
# XXX: renamed in 24.11
# onevpl-intel-gpu
vpl-gpu-rt
passage # pass w/ support for age encryption
pass-wayland
# passExtensions.pass-tomb
btrfs-progs
ntfs3g
cryptsetup
squashfsTools
sasquatch
libguestfs
gphoto2fs
# gnome's archive manager.
file-roller
httm # zfs time machine-like tool
htmlq # like jq, but for html
# httplz # a basic http server for hosting a folder
htmldoc # convert html top postscript and pdf
# http-prompt # An interactive command-line HTTP client featuring autocomplete and syntax highlighting
wireguard-tools
wget
curl
inetutils # telnet
httpx
traceroute
dublin-traceroute
mtr # a network diagnostic tool
# kitty
starship
zellij
zoxide
ripgrep-all # provides rga with support for pdfs, zip files and such.
fzf
fzy # a better fuzzy finder
skim # a command-line fuzzy finder written in Rust
ddh # a fast duplicate file finder
docfd # a multiline fuzzy document finder
zf # a fuzzy finder that prioritizes matches on filenames
skim # a rust fuzzy finder
fuzzel
nodePackages.json-diff
pandoc
fastfetch
freshfetch
ghfetch
w3m
lynx
# go_1_23
go_1_25
# rustc
# cargo
# sccache
python3.pkgs.pip
python3.pkgs.numpy
python3.pkgs.pandas
# bitwarden # XXX: issues on 2505
bitwarden-cli
rbw
# rofi-rbw-wayland
pinentry-curses # a dep of rbw. can also use pinentry (gtk2?).
bsd-finger
# poppler-utils
# zbar
# qrencode
# flatpak
# quickemu
sshpass
ssh-audit
sshchecker
ssh-key-confirmer
ssh-mitm
sshesame
pssh
ssh-to-age
lychee
notcurses
msgviewer # convert .msg to .eml
libpst # read outlook profile files
cmatrix
# qbittorrent
# immich-go
sdcv # console version of StarDict
# tmux
tmate
# circumflex # hackernews in the terminal
# obfs4 # tor client-bridge transport mechanism
sysstat
ioztat # storage load analysis fro openzfs
# turbovnc
pciutils
libva-utils
];
};
console.keyMap = "uk";
networking = {
# hostId = pkgs.lib.mkForce "00000000";
# hostId = "de47b33f";
hostId = "57f3d9f9";
inherit hostName;
# hostName = "z";
nftables.enable = true;
networkmanager.enable = true;
networkmanager.dns = "none";
dhcpcd.extraConfig = "nohook resolv.conf";
nameservers = [
"127.0.0.1"
"::1"
];
resolvconf.dnsSingleRequest = true;
resolvconf.extraOptions = [
"single-request-reopen"
"attempts:5"
"timeout:5"
# "rotate"
"ndots:1"
# Sets RES_NOCHECKNAME in _res.options, which disables the modern BIND
# checking of incoming hostnames and mail names for invalid characters such
# as underscore (_), non-ASCII, or control characters.
"no-check-names"
"trust-ad"
];
# interfaces.enp0s25.wakeOnLan.enable = true;
stevenblack.enable = true;
stevenblack.block = [
"fakenews"
"gambling"
];
firewall = {
allowPing = true;
checkReversePath = lib.mkForce false; # FIXME: fix the root issue instead.
logReversePathDrops = true;
logRefusedConnections = true;
trustedInterfaces = [
"virbr0"
"podman+"
# "bro"
"tailscale0"
];
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
};
users.users = {
root = {
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5u4sBsu4ZpVRHJ9J2CfQ4JoojsdfsS0WzaFgiMCOe5 loki's nixbldr key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
];
# hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
hashedPassword = "$y$j9T$yNhN6CYvKBWz/HnLv2gp//$0fFgtV4xzBijxWxUg1oTH74GoekdMK6UZUQWby5fZi4";
autoSubUidGidRange = true;
};
wan = {
isNormalUser = true;
createHome = true;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrlXIj3oWbWrFUZnhccd/uqM2D/yRiKOEwfD6xbngJ7 syncoid pull backups"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
];
hashedPasswordFile = config.sops.secrets.wanPassphrase.path;
extraGroups = [
"systemd-journal"
"wheel"
"networkmanager"
"kvm"
# "lp"
# "scanner"
"libvirtd"
# "render"
# "adbusers"
# "wireshark"
];
autoSubUidGidRange = true;
group = usr;
};
};
users.groups = {
wan = { };
wheel.members = [ usr ];
};
nix.registry = {
nixpkgs.to = {
type = "github";
owner = "nixos";
repo = "nixpkgs";
};
};
programs = {
adb.enable = false;
# https://nixos.wiki/wiki/Appimage
appimage.binfmt = false;
# responsiveness over 9000.
cfs-zen-tweaks.enable = true;
gnupg.agent = {
enable = false;
# pinentryFlavor = "curses"; # or "gnome3"
pinentryPackage = pkgs.pinentry-curses;
enableSSHSupport = false;
};
#ssh.startAgent = true;
# enabled in home-manager
# captive-browser.enable = true;
corectrl.enable = true;
# macOS compatibility;
# darling.enable = true;
direnv.enable = true;
# deprecated in 25.11
# file-roller.enable = true;
nano.enable = false;
vim.defaultEditor = true;
wireshark.enable = false;
# wshowkeys.enable = true;
};
security = {
sudo = {
enable = true;
# prevent's CVE-2021-3156-style exploits.
execWheelOnly = true;
# for wheel and root, kitty likes this.
keepTerminfo = true;
#extraConfig = ''
# Defaults lecture=always
# Defaults lecture_file=${./misc/groot.txt}
#'';
extraRules = [
{
commands = [
{
command = "${pkgs.systemd}/bin/systemctl suspend";
options = [ "NOPASSWD" ];
}
{
command = "${pkgs.systemd}/bin/reboot";
options = [ "NOPASSWD" ];
}
{
command = "${pkgs.systemd}/bin/poweroff";
options = [ "NOPASSWD" ];
}
];
groups = [ "wheel" ];
}
];
};
polkit.enable = true;
rtkit.enable = true;
};
systemd.services = {
zfs-zed.serviceConfig = {
LogLevelMax = "notice";
# StandardOutput = lib.mkForce "/dev/null";
StandardOutput = lib.mkForce "null";
StandardError = lib.mkForce "null";
};
tailscaled.serviceConfig = {
LogLevelMax = "notice";
# StandardOutput = "null";
LogsDirectory = "tailscaled";
StandardOutput = "append:%L/stdout.log";
};
NetworkManager-wait-online.serviceConfig.ExecStart = "${pkgs.coreutils}/bin/true";
};
services = {
atd.enable = true;
fstrim.enable = true;
# deprecated in 25.11
#logind = {
# lidSwitch = "ignore";
# lidSwitchDocked = "ignore";
# extraConfig = "HandlePowerKey=suspend";
#};
# 25.11
logind.settings.Login = {
# don’t shutdown when power button is short-pressed.
HandleLidSwitch = "ignore";
HandlePowerKey = "suspend";
};
# nixos-cli.enable = true;
udev.extraRules = ''
# wol
ACTION=="add", SUBSYSTEM=="net", NAME=="en*", RUN+="${pkgs.ethtool}/bin/ethtool -s $name wol g"
'';
pipewire = {
enable = false;
alsa = {
enable = false;
support32Bit = true;
};
pulse.enable = false;
wireplumber.enable = false;
};
pulseaudio = {
enable = false;
# extraModules = [ pkgs.pulseaudio-modules-bt ];
};
gnome.gnome-keyring.enable = false;
# gnome.tracker.enable = false;
gnome.tinysparql.enable = false;
gvfs.enable = false;
printing.enable = false;
# printing.enable = false;
geoclue2.enable = true; # geolocation.
blueman.enable = false;
# dbus.enable = false;
# dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.dnscrypt-proxy-cloaked.path;
dnscrypt-proxy2.settings.forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;
flatpak.enable = false;
power-profiles-daemon.enable = true;
prometheus = {
enable = false;
exporters = {
node = {
enable = true;
enabledCollectors = [
"logind"
"systemd"
"sysctl"
"network_route"
"zfs"
];
disabledCollectors = [
"arp"
"tapestats"
];
listenAddress = "${hostName}.${tailnet}";
port = 9100;
};
smartctl = {
enable = true;
listenAddress = "${hostName}.${tailnet}";
devices = [ "/dev/sda" ];
};
};
};
sanoid = {
enable = true;
interval = "*:0/5";
datasets = {
"zroot/userdata" = {
useTemplate = [ "frequent" ];
# recursive = "zfs";
recursive = true;
};
"zroot/system/nixos" = {
useTemplate = [ "production" ];
# recursive = "zfs";
recursive = true;
};
"zroot/local/nix" = {
useTemplate = [ "production" ];
};
};
};
syncthing = {
enable = false;
openDefaultPorts = true;
dataDir = "/home/${usr}/sync";
configDir = "/home/${usr}/.config/syncthing";
user = usr;
group = usr;
guiAddress = "127.0.0.1:8384";
};
# TS is enabled in the imported module, this is additional config.
tailscale = {
useRoutingFeatures = "both";
# accept-routes = true;
};
openssh.settings.AllowUsers = [
usr
"root"
];
# displayManager.defaultSession = "gnome";
zfs = {
trim.enable = true;
autoScrub = {
enable = true;
interval = "monthly";
};
};
};
virtualisation.libvirtd.enable = true;
# virtualisation.useSecureBoot = true;
# virtualisation.useBootLoader = true; # allows for testing of bootloader.
virtualisation.podman.enable = true;
# virtualisation.podman.storageDriver = "zfs";
hardware = {
cpu.intel.updateMicrocode = true;
enableRedistributableFirmware = true;
mcelog.enable = true;
bluetooth = {
enable = false;
# HSP & HFP daemon (apparently needs to be false now because of wire plumber)
hsphfpd.enable = false;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
intel-gpu-tools.enable = true;
# XXX: deprecated in 24.11
# opengl = {
graphics = {
# Mesa
enable = true;
# Vulkan
# XXX: deprecated in 24.11
# driSupport = true;
# extraPackages = with pkgs; [
# vaapiVdpau
# libvdpau-va-gl
# ];
# extraPackages = [
# pkgs.amdvlk
# ];
extraPackages = with pkgs; [
vpl-gpu-rt # for newer GPUs on NixOS >24.05 or unstable
# onevpl-intel-gpu # for newer GPUs on NixOS <= 24.05
intel-media-driver
# intel-media-sdk # for older GPUs
];
};
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# Does not work with flakes - yetâ„¢.
system.copySystemConfiguration = false;
# system.stateVersion = lib.mkForce "23.11";
}
Reference in New Issue View Git Blame Copy Permalink