commit b2186d35a01a0174d0496481834bfff811c0adea
Author: Steffen
Date: Fri Apr 11 07:44:12 2025 +0200
init
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a5e51a0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+vars.nix
+ssh
+hardware-configuration.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..5c5c7ae
--- /dev/null
+++ b/configuration.nix
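Review bot: A fresh clone of this repository cannot evaluate, because `vars.nix`, `ssh` and `hardware-configuration.nix` are ignored here but are imported or read by configuration.nix and users.nix, and nothing in the commit documents the bootstrap. A short comment at the top of the file, `# vars.nix (options declared in var_reg.nix), ssh/auth_keys_* and hardware-configuration.nix are host-local; create them before the first nixos-rebuild`, would record that. Note that keeping vars.nix out of git does not keep its contents secret on the host: any value handed to a NixOS option can end up in the world-readable Nix store.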
@@ -0,0 +1,120 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan...
+ ./hardware-configuration.nix
+ # ...and additional configurations...
+ ./var_reg.nix
+ ./vars.nix
+ ./users.nix
+ ./program-homemanager.nix
+ ./ssh.nix
+ ./docker.nix
+ ./keepalived.nix
+
+ ./nfs-mount.nix
+
+ ./wireguard.nix
+
+ ];
+
+ # Use the systemd-boot EFI boot loader and enable that sweet zfs stuff.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ boot.supportedFilesystems = [ "nfs" ]; # "zfs"
+ boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
+ boot.kernel.sysctl = { "net.ipv6.conf.all.forwarding" = 1; };
+ boot.kernelModules = [ "rbd" "nbd" ];
+ # boot.zfs.forceImportRoot = false;
+ # boot.zfs.extraPools = [ "SERVICE" ];
+ # services.zfs.autoScrub.enable = true;
+
+ networking.hostName = config.vars.hostname; # Define your hostname.
+ networking.hostId = config.vars.hostid; # Define your hostID - Needs to be unique!.
+ networking = {
+ interfaces.enp1s0 = {
+ ipv4.addresses = [{
+ address = config.vars.local_ip;
+ prefixLength = 24;
+ }];
+ };
+ defaultGateway = {
+ address = "192.168.178.1";
+ interface = "enp1s0";
+ };
+ };
+
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = false;
+
+ # Enable CUPS to print documents.
+ services.printing.enable = false;
+
+ # Enable sound.
+ sound.enable = false;
+ hardware.pulseaudio.enable = false;
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ services.libinput.enable = false;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ security.sudo.wheelNeedsPassword = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ htop
+ ncdu
+ git
+ tmux
+ zsh
+ zoxide
+ fzf
+ # zrepl
+ wireguard-tools
+ ];
+
+ programs.tmux = {
+ enable = true;
+ clock24 = true;
+ };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # DO NOT TOUCH!!!!!!!!!!!!!!!!!!!!!!!!!!
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "23.11"; # Did you read the comment?
+ # DO NOT TOUCH!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ nixpkgs.config.permittedInsecurePackages = [
+ ];
+
+}
+
diff --git a/docker.nix b/docker.nix
new file mode 100644
index 0000000..3dc63d0
--- /dev/null
+++ b/docker.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+ virtualisation.docker = {
+ enable = true;
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
+ liveRestore = false;
+ package = pkgs.docker_27;
+ };
+}
diff --git a/keepalived.nix b/keepalived.nix
new file mode 100644
index 0000000..b8bc32d
--- /dev/null
+++ b/keepalived.nix
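Review bot: `networking.firewall.enable = false;` near the end of the hunk removes all host filtering from a machine the same hunk turns into a router (`net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` set to 1), so every listener the other modules start — the NFS client, any ports Docker containers publish, keepalived, the wg-quick tunnel — is reachable from enp1s0 and traffic is forwarded between networks with no policy at all. Prefer `networking.firewall.enable = true;` and open only what is needed, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p vrrp -i enp1s0 -j nixos-fw-accept";` for the VRRP advertisements keepalived.nix depends on (the WireGuard interface in this commit has no listenPort, so it needs no inbound rule). `security.sudo.wheelNeedsPassword = false;` earlier in the hunk makes the wheel user's SSH key root-equivalent with no second check; if that is intended, say so in a comment, otherwise drop the line. The two `boot.kernel.sysctl = { ... };` assignments merge at evaluation but would read better as one attribute set.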
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }: {
+ services.keepalived = {
+ enable = true;
+ vrrpInstances = {
+ V4 = {
+ priority = config.vars.ka_priority;
+ interface = "enp1s0";
+ virtualRouterId = 69;
+ virtualIps = [
+ {
+ addr = config.vars.ka_addr_v4;
+ }
+ ];
+ };
+ V6 = {
+ priority = config.vars.ka_priority;
+ interface = "enp1s0";
+ virtualRouterId = 96;
+ virtualIps = [
+ {
+ addr = config.vars.ka_addr_v6;
+ }
+ ];
+ };
+ };
+ };
+}
+
+
+
+
diff --git a/nfs-mount.nix b/nfs-mount.nix
new file mode 100644
index 0000000..50693e5
--- /dev/null
+++ b/nfs-mount.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+
+ systemd.mounts = [{
+ type = "nfs";
+ mountConfig = {
+ Options = "noatime";
+ };
+ what = "${config.vars.nfs_server}:${config.vars.nfs_volume}";
+ where = config.vars.nfs_mount;
+ }];
+
+ systemd.automounts = [{
+ wantedBy = [ "multi-user.target" ];
+ automountConfig = {
+ TimeoutIdleSec = "600";
+ };
+ where = config.vars.nfs_mount;
+ }];
+}
diff --git a/program-homemanager.nix b/program-homemanager.nix
new file mode 100644
index 0000000..a13d061
--- /dev/null
+++ b/program-homemanager.nix
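Review bot: Both VRRP instances run plain multicast VRRP with no `unicastPeers`/`unicastSrcIp` and nothing in `extraConfig`, so any host on the enp1s0 segment that sends a higher-priority advertisement for router id 69 or 96 takes over `ka_addr_v4`/`ka_addr_v6` and receives the traffic meant for them. If the peer nodes are known, pin them with `unicastSrcIp = config.vars.local_ip;` and `unicastPeers = [ "<peer ip>" ];` on each instance so advertisements are exchanged only between the configured nodes; VRRP password authentication was dropped from the protocol and keepalived discourages it, so unicast on a filtered segment is the practical control. A comment above `virtualRouterId = 69;` should record that the id must be unique per segment and identical on every node of the pair, and that VRRP (IP protocol 112) must be allowed through the host firewall if it is ever re-enabled.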
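Review bot: `Options = "noatime";` in the mount unit keeps the kernel defaults, which honour setuid binaries and device nodes from the export, and with no `sec=` option the mount uses AUTH_SYS, so whoever controls the NFS server (or can impersonate it on the LAN) can plant a setuid-root binary that this host will execute as root. Use `Options = "noatime,nosuid,nodev";` (add `noexec` as well if nothing on the share needs to run), and `sec=krb5p` if the server can do Kerberos. A one-line comment above `systemd.automounts` noting that its `where` must equal the mount unit's `where` would spare the next reader the cross-check.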
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+ home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
+in
+{
+ imports = [
+ (import "${home-manager}/nixos")
+ ];
+ home-manager.users."${config.vars.username}" = {
+ /* The home.stateVersion option does not have a default and must be set */
+ home.stateVersion = "23.11";
+ /* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */
+ programs.git = {
+ enable = true;
+ userName = config.vars.hm_git_username;
+ userEmail = config.vars.usermail;
+ };
+ programs.zoxide.enable = true;
+ programs.zoxide.enableZshIntegration = true;
+ programs.zsh.envExtra = ["LANG=en_US.UTF-8" "EDITOR='nano'"];
+ programs.ssh.matchBlocks = {
+ "nixconf" = {
+ hostname = "github.com";
+ user = "${config.vars.email}";
+ identityFile = "/home/${config.vars.username}/.ssh/id_nix";
+ };
+ };
+ };
+
+ programs.nix-ld.enable = true;
+ programs.zsh = {
+ enable = true;
+ syntaxHighlighting.enable = true;
+ enableCompletion = true;
+ autosuggestions.enable = true;
+ shellAliases = {
+ nixapply = "sudo nixos-rebuild switch";
+ nixupdate = "sudo nix-channel --update && sudo nixos-rebuild switch";
+ nixclean = "sudo nix-collect-garbage -d";
+ cp="rsync -ah --info=progress2";
+ sct="systemctl";
+ jct="journalctl";
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" "python" "man" "command-not-found" "safe-paste" "tmux" "zoxide" "kubectl" "zsh-interactive-cd" ];
+ theme = "agnoster";
+ customPkgs = [
+ pkgs.nix-zsh-completions
+ # and even more...
+ ];
+ };
+ };
+}
diff --git a/ssh.nix b/ssh.nix
new file mode 100644
index 0000000..4bea762
--- /dev/null
+++ b/ssh.nix
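Review bot: `builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz"` fetches a moving branch with no `sha256`, so every evaluation trusts whatever GitHub serves at that moment, and the result is imported as a NixOS module and activated as root through the `nixapply` alias (`sudo nixos-rebuild switch`). Pin it to a commit and hash, `builtins.fetchTarball { url = "https://github.com/nix-community/home-manager/archive/<commit>.tar.gz"; sha256 = "<hash>"; }`, so a changed or tampered tarball fails the build instead of being applied. Separately, `user = "${config.vars.email}";` in the `nixconf` match block references an option that var_reg.nix does not declare (it declares `usermail`), so evaluation should fail on that line; for github.com the SSH user is `git` regardless of the account e-mail, so `user = "git";` is probably what was meant.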
@@ -0,0 +1,15 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ ... }:
+
+ {
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "forced-commands-only";
+ };
+ }
+
diff --git a/unused/service-gluster.nix b/unused/service-gluster.nix
new file mode 100644
index 0000000..9b5722c
--- /dev/null
+++ b/unused/service-gluster.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }: {
+
+ services.glusterfs = {
+ enable = true;
+ useRpcbind = true;
+ };
+}
diff --git a/unused/service-k3s.nix b/unused/service-k3s.nix
new file mode 100644
index 0000000..6b14754
--- /dev/null
+++ b/unused/service-k3s.nix
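Review bot: `settings.PermitRootLogin = "forced-commands-only";` admits root only when the authorized key carries a `command=` option, while users.nix installs root keys from `ssh/auth_keys_root`; if those are plain public keys, root login is silently refused, and if they are not, the forced command is the entire trust boundary and deserves a comment next to this line, e.g. `# root keys must carry command="..." (see ssh/auth_keys_root); plain keys are rejected`. Given the wheel user already has key-only login and passwordless sudo, `settings.PermitRootLogin = "no";` would be the simpler policy unless some forced command (a replication receiver, say) genuinely has to run as root. Password and keyboard-interactive authentication are correctly disabled.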
@@ -0,0 +1,57 @@
+{config, pkgs, ... }:
+let
+ my-kubernetes-helm = with pkgs; wrapHelm kubernetes-helm {
+ plugins = with pkgs.kubernetes-helmPlugins; [
+ helm-secrets
+ helm-diff
+ helm-s3
+ helm-git
+ ];
+ };
+
+ my-helmfile = with pkgs; helmfile-wrapped.override {
+ inherit (my-kubernetes-helm.passthru) pluginsDir;
+ };
+in
+
+{ virtualisation.containerd.enable = true;
+ services.k3s = {
+ enable = true;
+ role = "server";
+ extraFlags = toString [
+ "--disable=servicelb"
+ "--disable=traefik"
+
+ "--flannel-backend=vxlan"
+
+ "--tls-san=local_ip"
+
+ "--node-external-ip=local_ip"
+ "--node-ip=local_ip"
+ "--advertise-address=local_ip"
+ ];
+ token = "hehehehehehehehehehehehhe";
+ serverAddr = "https://local_ip:6443";
+ };
+ environment.systemPackages = with pkgs; [
+ k3s
+ my-kubernetes-helm
+ my-helmfile
+ openiscsi
+ kustomize
+ kubeseal
+ ];
+
+ systemd.services.k3s = {
+ wants = [ "containerd.service" ];
+ after = [ "containerd.service" ];
+ };
+ systemd.tmpfiles.rules = [
+ "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+ ];
+
+ services.openiscsi = {
+ enable = true;
+ name = "${hostname}";
+ };
+}
diff --git a/unused/service-zrepl.nix b/unused/service-zrepl.nix
new file mode 100644
index 0000000..bd3323a
--- /dev/null
+++ b/unused/service-zrepl.nix
@@ -0,0 +1,37 @@
+{...}:
+ {
+ services.zrepl = {
+
+ enable = true;
+ settings = {
+ global = {
+ logging = [{
+ # use syslog instead of stdout because it makes journald happy
+ type = "syslog";
+ format = "human";
+ level = "info";
+ }];
+ };
+
+ jobs = [{
+ type = "source";
+ name = "siredward_pull";
+ send = {
+ encrypted = true;
+ };
+ serve = {
+ type = "stdinserver";
+ client_identities = [ "siredward" ];
+ };
+ filesystems = {
+ "SERVICE/volumes" = true;
+ };
+ snapshotting = {
+ type = "periodic";
+ prefix = "SN_";
+ interval = "1h";
+ };
+ }];
+ };
+ };
+}
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..461cb6a
--- /dev/null
+++ b/users.nix
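Review bot: `token = "hehehehehehehehehehehehhe";` commits the k3s cluster join secret to the repository and, as a module option value, would also land in the world-readable Nix store; even though the file sits under `unused/`, anyone with repo or store access could join a node to the cluster or, with the server token, control it. Use `tokenFile = "/var/lib/rancher/k3s/server/token";` (or any root-only path outside the store) and delete the literal. The `local_ip` placeholders in `--tls-san`, `--node-ip`, `--advertise-address` and `serverAddr`, and `${hostname}` in `services.openiscsi.name` (`hostname` is not bound in this module), mean the file would not evaluate if it were imported; a header comment marking it as a template and listing the values to fill in would make that explicit.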
@@ -0,0 +1,24 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, pkgs, ... }: {
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.root = {
+ openssh.authorizedKeys.keyFiles = [
+ ssh/auth_keys_root
+ ];
+ };
+ users.users.${config.vars.username} = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ openssh.authorizedKeys.keyFiles = [
+ (builtins.toPath "/etc/nixos/ssh/auth_keys_${config.vars.username}")
+ ];
+ # packages = with pkgs; [
+ # firefox
+ # tree
+ # ];
+ };
+}
diff --git a/var_reg.nix b/var_reg.nix
new file mode 100644
index 0000000..8f3f1f8
--- /dev/null
+++ b/var_reg.nix
@@ -0,0 +1,70 @@
+{ lib, ... }:
+with lib;
+{
+ options.vars = {
+
+ # WIREGUARD
+ wg_adress = mkOption {
+ type = types.str;
+ };
+ wg_privateKey = mkOption {
+ type = types.str;
+ };
+ wg_publicKey = mkOption {
+ type = types.str;
+ };
+ wg_presharedKey = mkOption {
+ type = types.str;
+ };
+ wg_endpoint = mkOption {
+ type = types.str;
+ };
+
+ # SYSTEM
+ username = mkOption {
+ type = types.str;
+ };
+ usermail = mkOption {
+ type = types.str;
+ };
+ local_ip = mkOption {
+ type = types.str;
+ };
+ hostname = mkOption {
+ type = types.str;
+ };
+ hostid = mkOption {
+ type = types.str;
+ };
+
+
+ # KEEPALIVED
+ ka_addr_v4 = mkOption {
+ type = types.str;
+ };
+ ka_addr_v6 = mkOption {
+ type = types.str;
+ };
+ ka_priority = mkOption {
+ type = types.int;
+ };
+
+
+ # Homemanager
+ hm_git_username = mkOption {
+ type = types.str;
+ };
+
+
+ # NFS
+ nfs_server = mkOption {
+ type = types.str;
+ };
+ nfs_volume = mkOption {
+ type = types.str;
+ };
+ nfs_mount = mkOption {
+ type = types.str;
+ };
+ };
+}
diff --git a/wireguard.nix b/wireguard.nix
new file mode 100644
index 0000000..8aafe14
--- /dev/null
+++ b/wireguard.nix
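Review bot: The two key sources are resolved differently — `ssh/auth_keys_root` is a path relative to this file, while the user's key is `builtins.toPath "/etc/nixos/ssh/auth_keys_${config.vars.username}"`, an absolute path that breaks whenever the configuration is evaluated from anywhere other than /etc/nixos (and `builtins.toPath` is deprecated); `(./ssh + "/auth_keys_${config.vars.username}")` would resolve it the same way as the root file. Since .gitignore excludes `ssh`, a comment above `users.users.root` should state that both key files must be provisioned out of band before the first build. The wheel user is root-equivalent through the passwordless sudo set in configuration.nix, so its authorized-keys file warrants the same care as root's.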
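Review bot: `wg_privateKey` and `wg_presharedKey` are declared as `types.str`, which invites the key material to be written into vars.nix and, once consumed by wireguard.nix, into a world-readable file under /nix/store. Declare file-path options instead — `wg_privateKeyFile = mkOption { type = types.str; description = "Path to a root-only WireGuard private key outside the Nix store"; };` and likewise `wg_presharedKeyFile` — keeping `types.str` rather than `types.path`, because a `types.path` value is copied into the store when referenced. `wg_adress` is misspelled (`wg_address`) and will be easy to mistype in vars.nix; since no option here has a `default` or `description`, a one-line `description` on each, at least marking which are secrets, would make the required vars.nix contents self-documenting.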
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }: {
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "enp1s0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [config.vars.wg_adress];
+ mtu = 1350;
+ autostart = true;
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
+ '';
+ postDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp1s0
+ '';
+ privateKey = config.vars.wg_privateKey;
+ peers = [{
+ publicKey = config.vars.wg_publicKey;
+ presharedKey = config.vars.wg_presharedKey;
+ allowedIPs = [ "10.6.0.0/24" ];
+ endpoint = config.vars.wg_endpoint;
+ persistentKeepalive = 25;
+ }];
+ };
+ };
+}
+
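Review bot: `privateKey = config.vars.wg_privateKey;` and `presharedKey = config.vars.wg_presharedKey;` embed the key material in the generated wg-quick configuration, which is written to /nix/store and readable by every local user; switch to `privateKeyFile = "/etc/wireguard/wg0.key";` and `presharedKeyFile = "/etc/wireguard/wg0.psk";` (any root-only, mode 0400 files outside the store), both of which `networking.wg-quick.interfaces` supports. The `postDown` line `iptables -t nat -D POSTROUTING -o enp1s0` omits `-j MASQUERADE`, so it does not match the rule `postUp` installed and that rule leaks across tunnel restarts; append `-j MASQUERADE`. `networking.nat.enable = true;` with `internalInterfaces = [ "wg0" ]` already masquerades wg0 traffic leaving enp1s0, so the hand-written rules appear to duplicate it; if they stay, a comment should say that `FORWARD -i wg0 -j ACCEPT` admits every peer address in `allowedIPs` to the LAN with no further filtering while the host firewall is off.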