init

2025-04-11 07:44:12 +02:00 · 2025-04-11 07:44:12 +02:00 · b2186d35a0
commit b2186d35a0
13 changed files with 479 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+vars.nix
+ssh
+hardware-configuration.nix
--- a/configuration.nix
+++ b/configuration.nix
@ -0,0 +1,120 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan...
+      ./hardware-configuration.nix
+      # ...and additional configurations...
+      ./var_reg.nix 
+      ./vars.nix
+      ./users.nix
+      ./program-homemanager.nix
+      ./ssh.nix
+      ./docker.nix
+      ./keepalived.nix
+
+      ./nfs-mount.nix
+
+      ./wireguard.nix
+         
+    ];
+
+  # Use the systemd-boot EFI boot loader and enable that sweet zfs stuff.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.supportedFilesystems = [ "nfs" ]; # "zfs"
+  boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
+  boot.kernel.sysctl = { "net.ipv6.conf.all.forwarding" = 1; };
+  boot.kernelModules = [ "rbd" "nbd" ];
+  # boot.zfs.forceImportRoot = false;
+  # boot.zfs.extraPools = [ "SERVICE" ];
+  # services.zfs.autoScrub.enable = true;
+  
+  networking.hostName = config.vars.hostname; # Define your hostname.
+  networking.hostId = config.vars.hostid; # Define your hostID - Needs to be unique!.
+  networking = {
+    interfaces.enp1s0 = {
+      ipv4.addresses = [{
+        address = config.vars.local_ip;
+        prefixLength = 24;
+      }];
+    };
+    defaultGateway = {
+      address = "192.168.178.1";
+      interface = "enp1s0";
+    };
+  };
+
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = false; 
+
+  # Enable CUPS to print documents.
+  services.printing.enable = false;
+
+  # Enable sound.
+  sound.enable = false;
+  hardware.pulseaudio.enable = false;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  services.libinput.enable = false;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  security.sudo.wheelNeedsPassword = false;
+  users.defaultUserShell = pkgs.zsh;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    wget
+    htop
+    ncdu
+    git
+    tmux
+    zsh
+    zoxide
+    fzf
+    # zrepl
+    wireguard-tools
+  ];
+
+  programs.tmux = {
+    enable = true;
+    clock24 = true;
+  };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  system.copySystemConfiguration = true;
+
+  # DO NOT TOUCH!!!!!!!!!!!!!!!!!!!!!!!!!!
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "23.11"; # Did you read the comment?
+ # DO NOT TOUCH!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+  nixpkgs.config.permittedInsecurePackages = [
+              ];
+
+}
+
--- a/docker.nix
+++ b/docker.nix
@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+  virtualisation.docker = {
+    enable = true;
+    autoPrune = {
+      enable = true;
+      dates = "daily";
+    };
+    liveRestore = false;
+    package = pkgs.docker_27;
+  };
+}
--- a/keepalived.nix
+++ b/keepalived.nix
@ -0,0 +1,31 @@
+{ config, pkgs, ... }: {
+  services.keepalived = {
+    enable = true;
+    vrrpInstances = {
+      V4 = {
+        priority = config.vars.ka_priority;
+        interface = "enp1s0";
+        virtualRouterId = 69;
+        virtualIps = [
+          {
+            addr = config.vars.ka_addr_v4;
+          }
+        ]; 
+      }; 
+      V6 = {
+        priority = config.vars.ka_priority;
+        interface = "enp1s0";
+        virtualRouterId = 96;
+        virtualIps = [
+          {
+            addr = config.vars.ka_addr_v6;
+          }
+        ]; 
+      };
+    }; 
+  };
+}
+
+
+
+
--- a/nfs-mount.nix
+++ b/nfs-mount.nix
@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+  
+  systemd.mounts = [{
+    type = "nfs";
+    mountConfig = {
+      Options = "noatime";
+    };
+    what = "${config.vars.nfs_server}:${config.vars.nfs_volume}";
+    where = config.vars.nfs_mount;
+  }];
+
+  systemd.automounts = [{
+    wantedBy = [ "multi-user.target" ];
+    automountConfig = {
+      TimeoutIdleSec = "600";
+    };
+    where = config.vars.nfs_mount;
+  }];
+}
--- a/program-homemanager.nix
+++ b/program-homemanager.nix
@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
+in
+{
+  imports = [
+    (import "${home-manager}/nixos")
+  ];
+  home-manager.users."${config.vars.username}" = {
+    /* The home.stateVersion option does not have a default and must be set */
+    home.stateVersion = "23.11";
+    /* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */
+    programs.git = {
+      enable = true;
+      userName  = config.vars.hm_git_username;
+      userEmail = config.vars.usermail;    
+    }; 
+    programs.zoxide.enable = true;
+    programs.zoxide.enableZshIntegration = true;
+    programs.zsh.envExtra = ["LANG=en_US.UTF-8" "EDITOR='nano'"];
+    programs.ssh.matchBlocks = {
+      "nixconf" = {
+        hostname = "github.com";
+        user = "${config.vars.email}";
+        identityFile = "/home/${config.vars.username}/.ssh/id_nix";
+      };
+    };
+  };
+
+  programs.nix-ld.enable = true;
+  programs.zsh = {
+    enable = true;
+    syntaxHighlighting.enable = true;
+    enableCompletion = true;
+    autosuggestions.enable = true;
+    shellAliases = {
+      nixapply = "sudo nixos-rebuild switch";
+      nixupdate = "sudo nix-channel --update && sudo nixos-rebuild switch";
+      nixclean = "sudo nix-collect-garbage -d";
+      cp="rsync -ah --info=progress2";
+      sct="systemctl";
+      jct="journalctl";
+    };
+    ohMyZsh = {
+      enable = true;
+      plugins = [ "git" "python" "man" "command-not-found" "safe-paste" "tmux" "zoxide" "kubectl" "zsh-interactive-cd" ];
+      theme = "agnoster";
+      customPkgs = [
+        pkgs.nix-zsh-completions
+        # and even more...
+      ];
+    };
+  };
+}
--- a/ssh.nix
+++ b/ssh.nix
@ -0,0 +1,15 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ ... }:
+
+  {
+    services.openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "forced-commands-only";
+    };
+  }
+
--- a/unused/service-gluster.nix
+++ b/unused/service-gluster.nix
@ -0,0 +1,7 @@
+{ pkgs, ... }: {
+  
+  services.glusterfs = {
+    enable = true;
+    useRpcbind = true;
+  };
+}
--- a/unused/service-k3s.nix
+++ b/unused/service-k3s.nix
@ -0,0 +1,57 @@
+{config, pkgs, ... }:
+let
+  my-kubernetes-helm = with pkgs; wrapHelm kubernetes-helm {
+    plugins = with pkgs.kubernetes-helmPlugins; [
+      helm-secrets
+      helm-diff
+      helm-s3
+      helm-git
+    ];
+  };
+
+  my-helmfile = with pkgs; helmfile-wrapped.override {
+    inherit (my-kubernetes-helm.passthru) pluginsDir;
+  };
+in
+
+{   virtualisation.containerd.enable = true;
+    services.k3s = {
+      enable = true;
+      role = "server";
+      extraFlags = toString [
+        "--disable=servicelb"
+        "--disable=traefik"
+
+	    "--flannel-backend=vxlan"
+
+        "--tls-san=local_ip"
+
+        "--node-external-ip=local_ip"
+        "--node-ip=local_ip"
+        "--advertise-address=local_ip"
+      ];
+     token = "hehehehehehehehehehehehhe";
+     serverAddr = "https://local_ip:6443";
+    };
+    environment.systemPackages = with pkgs; [ 
+      k3s 
+      my-kubernetes-helm
+      my-helmfile
+      openiscsi
+      kustomize
+      kubeseal
+    ];
+  
+    systemd.services.k3s = {
+      wants = [ "containerd.service" ];
+      after = [ "containerd.service" ];
+    };
+    systemd.tmpfiles.rules = [
+      "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+    ];
+
+    services.openiscsi = {
+      enable = true;
+      name = "${hostname}";
+    };
+}
--- a/unused/service-zrepl.nix
+++ b/unused/service-zrepl.nix
@ -0,0 +1,37 @@
+{...}:
+ {
+  services.zrepl = {
+    
+    enable = true;
+    settings = {
+      global = {
+        logging = [{ 
+          # use syslog instead of stdout because it makes journald happy
+          type = "syslog";
+          format = "human";
+          level = "info";
+        }];
+      };
+
+      jobs = [{
+        type = "source";
+        name = "siredward_pull";
+        send = {
+          encrypted = true;
+        };
+        serve = {
+          type = "stdinserver";
+          client_identities = [ "siredward" ];
+        };
+        filesystems = {
+          "SERVICE/volumes" = true;
+        };
+        snapshotting = {
+          type = "periodic";
+          prefix = "SN_";
+          interval = "1h";
+        };  
+      }];
+    };
+  };
+}
--- a/users.nix
+++ b/users.nix
@ -0,0 +1,24 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, pkgs, ... }: {
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.root  = {
+    openssh.authorizedKeys.keyFiles = [
+      ssh/auth_keys_root
+    ];
+  };
+  users.users.${config.vars.username} = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    openssh.authorizedKeys.keyFiles = [
+      (builtins.toPath "/etc/nixos/ssh/auth_keys_${config.vars.username}")
+    ];
+  #   packages = with pkgs; [
+  #     firefox
+  #     tree
+  #   ];
+  };
+}
--- a/var_reg.nix
+++ b/var_reg.nix
@ -0,0 +1,70 @@
+{ lib, ... }:
+with lib;
+{
+  options.vars = {
+    
+    # WIREGUARD
+    wg_adress = mkOption {
+      type = types.str;
+    };
+    wg_privateKey = mkOption {
+      type = types.str;
+    };
+    wg_publicKey = mkOption {
+      type = types.str;
+    };
+    wg_presharedKey = mkOption {
+      type = types.str;
+    };
+    wg_endpoint = mkOption {
+      type = types.str;
+    };
+    
+    # SYSTEM
+    username = mkOption {
+      type = types.str;
+    };
+    usermail = mkOption {
+      type = types.str;
+    };
+    local_ip = mkOption {
+      type = types.str;
+    };
+    hostname = mkOption {
+      type = types.str;
+    };
+    hostid = mkOption {
+      type = types.str;
+    };
+    
+    
+    # KEEPALIVED
+    ka_addr_v4 = mkOption {
+      type = types.str;
+    };
+    ka_addr_v6 = mkOption {
+      type = types.str;
+    };
+    ka_priority = mkOption {
+      type = types.int;
+    };
+    
+    
+    # Homemanager    
+    hm_git_username = mkOption {
+      type = types.str;
+    };
+    
+    
+    # NFS
+    nfs_server = mkOption {
+      type = types.str;
+    };
+    nfs_volume = mkOption {
+      type = types.str;
+    };
+    nfs_mount = mkOption {
+      type = types.str;
+    };
+  };
+}
--- a/wireguard.nix
+++ b/wireguard.nix
@ -0,0 +1,31 @@
+{ config, pkgs, ... }: {
+
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "enp1s0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [config.vars.wg_adress];
+      mtu = 1350;
+      autostart = true;
+      postUp = ''
+        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
+      '';
+      postDown = ''
+        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp1s0
+      '';
+      privateKey = config.vars.wg_privateKey;
+      peers = [{
+        publicKey = config.vars.wg_publicKey;
+        presharedKey = config.vars.wg_presharedKey;
+        allowedIPs = [ "10.6.0.0/24" ];
+        endpoint = config.vars.wg_endpoint;
+        persistentKeepalive = 25;
+      }];
+    };
+  };
+}
+